Vulnerabilities > CVE-2004-0568 - Unspecified vulnerability in Microsoft products

047910
CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
microsoft
critical
nessus

Summary

HyperTerminal application for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the length of a value that is saved in a session file, which allows remote attackers to execute arbitrary code via a malicious HyperTerminal session file (.ht), web site, or Telnet URL contained in an e-mail message, triggering a buffer overflow.

Nessus

NASL family: Windows : Microsoft Bulletins
NASL id: SMB_NT_MS04-043.NASL
description: The remote host contains a version of the HyperTerminal software that could allow an attacker to execute arbitrary code on the remote host by tricking a victim into using HyperTerminal to log into a rogue host.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 15964
published: 2004-12-14
reporter: This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/15964
title: MS04-043: Vulnerabilities in HyperTerminal (873339)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Plugin registration. When `description` is set, the script only records the
# metadata below and then exits (see the exit(0) at the end of this block), so
# none of the host checks further down run in this mode.
if (description)
{
 script_id(15964);
 script_version("1.34");
 script_cvs_date("Date: 2018/11/15 20:50:29");

 # Cross-references linking this check to the CVE, the Bugtraq entry, the
 # Microsoft bulletin and the KB article.
 script_cve_id("CVE-2004-0568");
 script_bugtraq_id(11916);
 script_xref(name:"MSFT", value:"MS04-043");
 script_xref(name:"MSKB", value:"873339");

 script_name(english:"MS04-043: Vulnerabilities in HyperTerminal (873339)");
 script_summary(english:"Checks the remote registry for MS04-043");

 # Report text shown to the operator: synopsis, description, reference and fix.
 script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host through
HyperTerminal.");
 script_set_attribute(attribute:"description", value:
"The remote host contains a version of the HyperTerminal software that
could allow an attacker to execute arbitrary code on the remote host by
tricking a victim into using Hyperterminal to log into a rogue host.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2004/ms04-043");
 script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows NT, 2000, XP and
2003.");
 # NOTE(review): this base vector rates access complexity as High (AC:H).
 # Other scoring of CVE-2004-0568 may rate it Low, so the severity reported by
 # this plugin can differ from other sources; compare before prioritising.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
 # The temporal vector and the two exploit attributes below are the values
 # recorded in this plugin revision (see script_cvs_date above), not a current
 # statement about exploit availability.
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"false");

 # Disclosure, patch and plugin publication all carry the same date.
 script_set_attribute(attribute:"vuln_publication_date", value:"2004/12/14");
 script_set_attribute(attribute:"patch_publication_date", value:"2004/12/14");
 script_set_attribute(attribute:"plugin_publication_date", value:"2004/12/14");

 # Declared as a "local" plugin type; the check body reads KB entries and a
 # file version from a share, which presumably needs credentials (confirm).
 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_end_attributes();

 # Registered in the information-gathering category.
 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");

 # Scheduling prerequisites: the plugins listed as dependencies, the listed
 # ports / KB item, and the KB key that marks bulletin checks as possible.
 script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_ports(139, 445, 'Host/patch_management_checks');
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");
 exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

# Stop unless the knowledge base records that bulletin checks are possible.
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

# Bulletin and KB identifiers reused by every reporting call below.
bulletin = 'MS04-043';
kb = '873339';
kbs = make_list(kb);

# When the patch-management key is present in the knowledge base, pass the
# bulletin/KB pair to the third-party patch check as well.
if (get_kb_item("Host/patch_management_checks"))
{
  hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
}

# The file-version check relies on an enumerated registry and a known Windows
# version; the script exits if either knowledge-base entry is missing.
get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

# Only the listed OS / service-pack combinations are in scope for this bulletin.
if (hotfix_check_sp_range(nt:'6', win2k:'3,4', xp:'1,2', win2003:'0') <= 0)
{
  audit(AUDIT_OS_SP_NOT_VULN);
}

rootfile = hotfix_get_systemroot();
if (!rootfile)
{
  exit(1, "Failed to get the system root.");
}

# An inaccessible share ends the check with an audit message, so no finding is
# produced in that case; this is not the same as a "not affected" verdict.
share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share))
{
  audit(AUDIT_SHARE_FAIL, share);
}

# Hypertrm.dll under \system32 is tested once per OS build. The version passed
# to hotfix_is_vulnerable is presumably the first patched build; confirm it
# against the bulletin. The && chain stops at the first build that matches,
# in the same order as the builds are listed.
if (
  !hotfix_is_vulnerable(os:"5.2", sp:0, file:"Hypertrm.dll", version:"5.2.3790.233", dir:"\system32", bulletin:bulletin, kb:kb) &&
  !hotfix_is_vulnerable(os:"5.1", sp:1, file:"Hypertrm.dll", version:"5.1.2600.1609", dir:"\system32", bulletin:bulletin, kb:kb) &&
  !hotfix_is_vulnerable(os:"5.1", sp:2, file:"Hypertrm.dll", version:"5.1.2600.2563", dir:"\system32", bulletin:bulletin, kb:kb) &&
  !hotfix_is_vulnerable(os:"5.0", file:"Hypertrm.dll", version:"5.0.2195.7000", dir:"\system32", bulletin:bulletin, kb:kb) &&
  !hotfix_is_vulnerable(os:"4.0", file:"Hypertrm.dll", version:"4.0.1381.7323", dir:"\system32", bulletin:bulletin, kb:kb)
)
{
  # No build matched: close the file-version check and audit as not affected.
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}
else
{
  # A build matched: record the missing bulletin in the knowledge base, raise
  # the finding, then close the file-version check.
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}

Oval

  • accepted2013-04-15T04:00:15.404-04:00
    classvulnerability
    contributors
    • nameHarvey Rubinovitz
      organizationThe MITRE Corporation
    • nameHarvey Rubinovitz
      organizationThe MITRE Corporation
    • nameHarvey Rubinovitz
      organizationThe MITRE Corporation
    • nameChristine Walzer
      organizationThe MITRE Corporation
    • nameDavid Proulx
      organizationThe MITRE Corporation
    • nameDaniel Tarnu
      organizationGFI Software
    • nameMike Lah
      organizationThe MITRE Corporation
    • nameMike Lah
      organizationThe MITRE Corporation
    • nameShane Shaffer
      organizationG2, Inc.
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    • nameDragos Prisaca
      organizationG2, Inc.
    descriptionHyperTerminal application for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the length of a value that is saved in a session file, which allows remote attackers to execute arbitrary code via a malicious HyperTerminal session file (.ht), web site, or Telnet URL contained in an e-mail message, triggering a buffer overflow.
    familywindows
    idoval:org.mitre.oval:def:1603
    statusaccepted
    submitted2004-12-17T12:00:00.000-04:00
    titleHyperTerminal Session File Vulnerability (Windows XP,SP1)
    version73
  • accepted2013-04-15T04:00:18.818-04:00
    classvulnerability
    contributors
    • nameHarvey Rubinovitz
      organizationThe MITRE Corporation
    • nameHarvey Rubinovitz
      organizationThe MITRE Corporation
    • nameChristine Walzer
      organizationThe MITRE Corporation
    • nameDavid Proulx
      organizationThe MITRE Corporation
    • nameDaniel Tarnu
      organizationGFI Software
    • nameDragos Prisaca
      organizationGideon Technologies, Inc.
    • nameMike Lah
      organizationThe MITRE Corporation
    • nameMike Lah
      organizationThe MITRE Corporation
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    • nameDragos Prisaca
      organizationG2, Inc.
    descriptionHyperTerminal application for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the length of a value that is saved in a session file, which allows remote attackers to execute arbitrary code via a malicious HyperTerminal session file (.ht), web site, or Telnet URL contained in an e-mail message, triggering a buffer overflow.
    familywindows
    idoval:org.mitre.oval:def:2545
    statusaccepted
    submitted2004-12-17T12:00:00.000-04:00
    titleHyperTerminal Session File Vulnerability (Windows XP,SP2)
    version74
  • accepted2013-04-15T04:00:19.523-04:00
    classvulnerability
    contributors
    • nameHarvey Rubinovitz
      organizationThe MITRE Corporation
    • nameHarvey Rubinovitz
      organizationThe MITRE Corporation
    • nameHarvey Rubinovitz
      organizationThe MITRE Corporation
    • nameJohn Hoyland
      organizationCentennial Software
    • nameMike Lah
      organizationThe MITRE Corporation
    • nameMike Lah
      organizationThe MITRE Corporation
    • nameDragos Prisaca
      organizationG2, Inc.
    descriptionHyperTerminal application for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the length of a value that is saved in a session file, which allows remote attackers to execute arbitrary code via a malicious HyperTerminal session file (.ht), web site, or Telnet URL contained in an e-mail message, triggering a buffer overflow.
    familywindows
    idoval:org.mitre.oval:def:3138
    statusaccepted
    submitted2005-01-07T12:00:00.000-04:00
    titleHyperTerminal Session File Vulnerability (Server 2003)
    version68
  • accepted2013-04-15T04:00:20.487-04:00
    classvulnerability
    contributors
    • nameHarvey Rubinovitz
      organizationThe MITRE Corporation
    • nameHarvey Rubinovitz
      organizationThe MITRE Corporation
    • nameJohn Hoyland
      organizationCentennial Software
    • nameJohn Hoyland
      organizationCentennial Software
    • nameDaniel Tarnu
      organizationGFI Software
    • nameJonathan Baker
      organizationThe MITRE Corporation
    • nameMike Lah
      organizationThe MITRE Corporation
    • nameMike Lah
      organizationThe MITRE Corporation
    • nameDragos Prisaca
      organizationG2, Inc.
    definition_extensions
    commentMicrosoft Windows NT is installed
    ovaloval:org.mitre.oval:def:36
    descriptionHyperTerminal application for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the length of a value that is saved in a session file, which allows remote attackers to execute arbitrary code via a malicious HyperTerminal session file (.ht), web site, or Telnet URL contained in an e-mail message, triggering a buffer overflow.
    familywindows
    idoval:org.mitre.oval:def:3973
    statusaccepted
    submitted2004-12-21T12:00:00.000-04:00
    titleHyperTerminal Session File Vulnerability (NT 4.0)
    version76
  • accepted2013-04-15T04:00:22.496-04:00
    classvulnerability
    contributors
    • nameHarvey Rubinovitz
      organizationThe MITRE Corporation
    • nameHarvey Rubinovitz
      organizationThe MITRE Corporation
    • nameJohn Hoyland
      organizationCentennial Software
    • nameDaniel Tarnu
      organizationGFI Software
    • nameJonathan Baker
      organizationThe MITRE Corporation
    • nameMike Lah
      organizationThe MITRE Corporation
    • nameMike Lah
      organizationThe MITRE Corporation
    • nameDragos Prisaca
      organizationG2, Inc.
    definition_extensions
    commentMicrosoft Windows NT is installed
    ovaloval:org.mitre.oval:def:36
    descriptionHyperTerminal application for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the length of a value that is saved in a session file, which allows remote attackers to execute arbitrary code via a malicious HyperTerminal session file (.ht), web site, or Telnet URL contained in an e-mail message, triggering a buffer overflow.
    familywindows
    idoval:org.mitre.oval:def:4508
    statusaccepted
    submitted2004-12-21T12:00:00.000-04:00
    titleHyperTerminal Session File Vulnerability (Terminal Server)
    version75
  • accepted2013-04-15T04:00:23.463-04:00
    classvulnerability
    contributors
    • nameHarvey Rubinovitz
      organizationThe MITRE Corporation
    • nameHarvey Rubinovitz
      organizationThe MITRE Corporation
    • nameJohn Hoyland
      organizationCentennial Software
    • nameDaniel Tarnu
      organizationGFI Software
    • nameMike Lah
      organizationThe MITRE Corporation
    • nameMike Lah
      organizationThe MITRE Corporation
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    • nameDragos Prisaca
      organizationG2, Inc.
    descriptionHyperTerminal application for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the length of a value that is saved in a session file, which allows remote attackers to execute arbitrary code via a malicious HyperTerminal session file (.ht), web site, or Telnet URL contained in an e-mail message, triggering a buffer overflow.
    familywindows
    idoval:org.mitre.oval:def:4741
    statusaccepted
    submitted2004-12-21T12:00:00.000-04:00
    titleHyperTerminal Session File Vulnerability (Windows 2000)
    version71