Vulnerabilities > CVE-2004-0209 - Remote Buffer Overflow vulnerability in Microsoft Windows 2000, Windows 2003 Server and Windows XP

CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE

Summary

Buffer overflow ("an unchecked buffer") in the Graphics Rendering Engine of Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code via a crafted (1) Windows Metafile (WMF) or (2) Enhanced Metafile (EMF) image. This is a client-side vector: the victim's system has to render the malicious image (the Exploit-DB entry below is a heap-overflow exploit against .emf rendering, and Saint classifies the check as type "client"). The fix ships in MS04-032 (KB840987).

Vulnerable Configurations

Part Description Count
OS
Microsoft
3

Exploit-Db

descriptionMS Windows Metafile (.emf) Heap Overflow Exploit (MS04-032). CVE-2004-0209. Remote exploit for windows platform
idEDB-ID:584
last seen2016-01-31
modified2004-10-20
published2004-10-20
reporterhouseofdabus
sourcehttps://www.exploit-db.com/download/584/
titleMicrosoft Windows Metafile .emf Heap Overflow Exploit MS04-032

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS04-032.NASL
descriptionThe remote host is missing a security update for Microsoft Windows (840987). The missing security update fixes issues in the following areas : - Window Management - Virtual DOS Machine - Graphics Rendering Engine - Windows Kernel A local attacker could exploit any of these vulnerabilities to cause a local denial of service or obtain higher privileges on the remote host.
last seen2020-06-01
modified2020-06-02
plugin id15457
published2004-10-12
reporterThis script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/15457
titleMS04-032: Security Update for Microsoft Windows (840987)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

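# Plugin registration: metadata, CVSS scoring and runtime prerequisites
# for the MS04-032 (KB840987) missing-patch check. This branch runs only
# when Nessus loads the plugin in "description" mode; the detection
# logic further down runs otherwise.
if (description)
{
  script_id(15457);
  script_version("1.43");
  script_cvs_date("Date: 2018/11/15 20:50:29");

  # The four issues addressed by MS04-032.
  script_cve_id(
    "CVE-2004-0207",
    "CVE-2004-0208",
    "CVE-2004-0209",
    "CVE-2004-0211"
  );
  script_bugtraq_id(11365, 11369, 11375, 11378);
  script_xref(name:"CERT", value:"806278");
  script_xref(name:"MSFT", value:"MS04-032");
  script_xref(name:"MSKB", value:"840987");

  script_name(english:"MS04-032: Security Update for Microsoft Windows (840987)");
  script_summary(english:"Determines if hotfix 840987 has been installed");

  script_set_attribute(attribute:"synopsis", value:"Arbitrary code can be executed on the remote host.");
  # The previous description text mentioned only local denial of service /
  # privilege escalation, which contradicted the synopsis above and the
  # AV:N CVSS base vector below: the Graphics Rendering Engine issue
  # (CVE-2004-0209) is triggered by a crafted WMF/EMF image and has a
  # public exploit. The report text now says so.
  script_set_attribute(attribute:"description", value:
"The remote host is missing a security update for Microsoft Windows
(840987).  The missing security update fixes issues in the following
areas :

  - Window Management
  - Virtual DOS Machine
  - Graphics Rendering Engine
  - Windows Kernel

A local attacker could exploit any of these vulnerabilities to cause a
local denial of service or obtain higher privileges on the remote host.

In addition, the Graphics Rendering Engine flaw (CVE-2004-0209) can be
exploited remotely : an attacker who gets a user on the host to render a
specially crafted Windows Metafile (WMF) or Enhanced Metafile (EMF)
image could execute arbitrary code.  A public exploit exists for this
issue.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2004/ms04-032");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows NT, 2000, XP and
2003.");

  # Base vector: network-reachable, medium complexity (presumably the
  # user-interaction requirement of the image vector), no authentication,
  # complete C/I/A. Temporal: exploit widely available (E:H), official fix
  # released (RL:OF), confirmed (RC:C).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2004/10/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2004/10/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/10/12");

  # Credentialed ("local") check, matched against the generic Windows CPE.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);

  script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
  script_family(english:"Windows : Microsoft Bulletins");

  # Prerequisites: the SMB hotfix framework and its "bulletin checks
  # possible" flag, plus either SMB (139/445) or a third-party
  # patch-management data source.
  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, 'Host/patch_management_checks');
  exit(0);
}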

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

# Detection body: decide whether KB840987 (MS04-032) is missing on the
# target by checking the installed Win32k.sys version over SMB.

# Bail out unless the SMB hotfix framework has flagged this host as one
# where Microsoft bulletin checks are possible.
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS04-032';
kb = '840987';

# If a third-party patch-management source is available for this host,
# hand the KB list to it first (hotfix_check_3rd_party() presumably
# reports and exits by itself when that source says the KB is missing).
kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

# The file-version path needs an enumerated registry and a known Windows
# version.
get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

# Only the OS / service-pack combinations MS04-032 shipped fixes for are
# candidates: NT 4.0 SP6, 2000 SP3-SP4, XP SP0-SP1, Server 2003 SP0.
# Anything else is reported as not affected by service-pack level.
if (hotfix_check_sp_range(nt:'6', win2k:'3,4', xp:'0,1', win2003:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

# Locate %SystemRoot% and the administrative share it lives on; both are
# required for the file-version comparison below.
rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

# Compare %SystemRoot%\system32\Win32k.sys against the build shipped in
# KB840987 for each platform (presumably reported vulnerable when the
# installed version is below the listed one, per hotfix_is_vulnerable()).
# The second NT 4.0 entry carries a min_version so that the
# 4.0.1381.33xxx build line (presumably Terminal Server Edition — TODO
# confirm) is matched separately from the regular NT 4.0 line.
# NOTE(review): this is purely a version check on the patched driver; it
# does not verify that the WMF/EMF rendering path (CVE-2004-0209) is
# reachable or that any of the other three MS04-032 issues are
# exploitable on this host.
if (
  hotfix_is_vulnerable(os:"5.2", sp:0, file:"Win32k.sys", version:"5.2.3790.198", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:1, file:"Win32k.sys", version:"5.1.2600.1581", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:0, file:"Win32k.sys", version:"5.1.2600.166", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.0", file:"Win32k.sys", version:"5.0.2195.6966", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"4.0", file:"Win32k.sys", version:"4.0.1381.7292", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"4.0", file:"Win32k.sys", version:"4.0.1381.33580", min_version:"4.0.1381.33000", dir:"\system32", bulletin:bulletin, kb:kb)
)
{
  # Record the missing bulletin for other plugins, emit the finding, then
  # finish the file-version check (hotfix_check_fversion_end() presumably
  # releases the SMB session opened by the checks above). Keep this order.
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  # Patched (or file not older than the fixed build): clean up and audit
  # out as not affected.
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

Oval

  • accepted2004-12-09T08:46:00.000-04:00
    classvulnerability
    contributors
    nameIngrid Skoog
    organizationThe MITRE Corporation
    descriptionUnknown vulnerability in the Graphics Rendering Engine processes of Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code via (1) Windows Metafile (WMF) or (2) Enhanced Metafile (EMF) image formats that involve "an unchecked buffer."
    familywindows
    idoval:org.mitre.oval:def:1872
    statusaccepted
    submitted2004-10-14T09:59:00.000-04:00
    titleWindows XP Enhanced Metafile Image Format Rendering Buffer Overflow
    version64
  • accepted2004-11-17T10:00:00.000-04:00
    classvulnerability
    contributors
    nameIngrid Skoog
    organizationThe MITRE Corporation
    descriptionUnknown vulnerability in the Graphics Rendering Engine processes of Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code via (1) Windows Metafile (WMF) or (2) Enhanced Metafile (EMF) image formats that involve "an unchecked buffer."
    familywindows
    idoval:org.mitre.oval:def:2114
    statusaccepted
    submitted2004-10-13T11:11:00.000-04:00
    titleWindows 2000 Enhanced Metafile Image Format Rendering Buffer Overflow
    version65
  • accepted2004-11-17T10:00:00.000-04:00
    classvulnerability
    contributors
    • nameIngrid Skoog
      organizationThe MITRE Corporation
    • nameIngrid Skoog
      organizationThe MITRE Corporation
    descriptionUnknown vulnerability in the Graphics Rendering Engine processes of Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code via (1) Windows Metafile (WMF) or (2) Enhanced Metafile (EMF) image formats that involve "an unchecked buffer."
    familywindows
    idoval:org.mitre.oval:def:2428
    statusaccepted
    submitted2004-10-13T11:29:00.000-04:00
    titleWindows XP/Server 2003 (64-Bit) Enhanced Metafile Image Format Rendering Buffer Overflow
    version65

Saint

bid11375
descriptionWindows Metafile rendering buffer overflow
idwin_patch_wmf
osvdb10692
titlewindows_metafile
typeclient

Seebug

bulletinFamilyexploit
descriptionNo description provided by source.
idSSV:8643
last seen2017-11-19
modified2008-06-05
published2008-06-05
reporterRoot
sourcehttps://www.seebug.org/vuldb/ssvid-8643
titleMS Windows Metafile (.emf) Heap Overflow Exploit (MS04-032)