
CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE

Summary

The Network News Transfer Protocol (NNTP) component of Microsoft Windows NT Server 4.0, Windows 2000 Server, Windows Server 2003, Exchange 2000 Server, and Exchange Server 2003 allows remote attackers to execute arbitrary code via XPAT patterns, possibly related to improper length validation and an "unchecked buffer," leading to off-by-one and heap-based buffer overflows.

Common Weakness Enumeration (CWE)

Exploit-Db

description: MS Windows NNTP Service (XPAT) Denial of Service Exploit (MS04-036). CVE-2004-0574. DoS exploit for Windows platform
idEDB-ID:578
last seen2016-01-31
modified2004-10-16
published2004-10-16
reporterLucas Lavarello
sourcehttps://www.exploit-db.com/download/578/
titleMicrosoft Windows NNTP Service XPAT Denial of Service Exploit MS04-036

Nessus

NASL familyWindows
NASL idMSNNTP_CODE_EXECUTION.NASL
descriptionThe remote host is running a version of Microsoft NNTP server that is vulnerable to a buffer overflow issue. An attacker may exploit this flaw to execute arbitrary commands on the remote host with the privileges of the NNTP server process.
last seen2020-06-01
modified2020-06-02
plugin id15465
published2004-10-12
reporterThis script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/15465
titleMS04-036: Microsoft NNTP Component Remote Overflow (883935) (uncredentialed check)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Plugin registration phase: when the scanner loads the script with
# `description` set, only metadata is recorded (identifiers, references,
# CVSS vectors, dependencies) and the script exits before any network
# activity takes place.
if (description)
{
 script_id(15465);
 script_version("1.28");
 script_cvs_date("Date: 2018/11/15 20:50:27");

 # Cross-references: the CVE, the BugTraq ID, the Microsoft bulletin and
 # the KB article that carries the fix.
 script_cve_id("CVE-2004-0574");
 script_bugtraq_id(11379);
 script_xref(name:"MSFT", value:"MS04-036");
 script_xref(name:"MSKB", value:"883935");

 script_name(english:"MS04-036: Microsoft NNTP Component Remote Overflow (883935) (uncredentialed check)");
 script_summary(english:"Checks the remote NNTP daemon version");

 script_set_attribute(attribute:"synopsis", value:"The remote NNTP server is susceptible to a buffer overflow attack.");
 script_set_attribute(attribute:"description", value:
"The remote host is running a version of Microsoft NNTP server that is
vulnerable to a buffer overflow issue. 

An attacker may exploit this flaw to execute arbitrary commands on the
remote host with the privileges of the NNTP server process." );
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2004/ms04-036");
 script_set_attribute(attribute:"solution", value:"Microsoft has released patches for Windows NT, 2000, and 2003.");
 # CVSS2 base vector (network, low complexity, no auth, complete C/I/A)
 # and temporal vector (E:POC = proof-of-concept exploit exists,
 # RL:OF = official fix available, RC:C = confirmed).
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");

 script_set_attribute(attribute:"vuln_publication_date", value:"2004/10/12");
 script_set_attribute(attribute:"patch_publication_date", value:"2004/10/12");
 script_set_attribute(attribute:"plugin_publication_date", value:"2004/10/12");

 # "remote" plugin type: the check works from the banner alone, no
 # credentials on the target are needed.
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:exchange_server");
 # Closes the attribute section; must follow the last script_set_attribute().
 script_end_attributes();

 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows");

 # Run only after the NNTP service detection plugin, and only on hosts
 # where an NNTP service was recorded (KB key Services/nntp) or port 119
 # is open.
 script_dependencie("nntpserver_detect.nasl");
 script_require_ports("Services/nntp", 119);
 exit(0);
}

#
# The script code starts here
#



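# Remote, uncredentialed version check: the NNTP greeting banner of the
# Microsoft NNTP service carries a four-component build number, which is
# compared against the first fixed builds of MS04-036 (KB 883935).
# Only the greeting line is read; nothing is sent to the service.

port = get_kb_item("Services/nntp");
if(!port)port = 119;
if (! get_port_state(port) ) exit(0);

soc = open_sock_tcp(port);
if ( ! soc ) exit(0);
banner = recv_line(socket:soc, length:8192);
# Release the socket before any early exit, not only on the success path.
close(soc);
if ( ! banner ) exit(0);

# Only the Microsoft NNTP service is matched by this greeting prefix;
# other NNTP daemons are ignored (no finding).
if ( "200 NNTP Service" >< banner )
{
 version = egrep(string:banner, pattern:"^200 NNTP Service");
 # Extract the "Version: a.b.c.d" field; the pattern requires text after
 # the version, which the Microsoft banner provides.
 version = ereg_replace(string:version, pattern:"^200 NNTP Service .* Version: (.*) ", replace:"\1");
 ver = split(version, sep:".", keep:0);

 # The comparisons below index ver[0..3]. If the extracted version does
 # not have four components (unexpected banner format), a missing
 # element would be read as 0 and satisfy the "< fixed build" test,
 # producing a false positive; bail out instead of guessing.
 if ( max_index(ver) < 4 ) exit(0);

 major = int(ver[0]);
 minor = int(ver[1]);
 build = int(ver[2]);
 rev   = int(ver[3]);

 # 6.0.3790.x build line (Windows Server 2003): fixed from 6.0.3790.206.
 if ( major == 6 && minor == 0 )
 {
  if ( build < 3790 || ( build == 3790 && rev < 206 ) ) security_hole(port);
 }

 # 5.0.2195.x build line (Windows 2000): fixed from 5.0.2195.6972.
 if ( major == 5 && minor == 0 )
 {
  if ( build < 2195 || ( build == 2195 && rev < 6972 ) ) security_hole(port);
 }
}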

Oval

  • accepted2007-11-13T12:01:09.183-05:00
    classvulnerability
    contributors
    • nameChristine Walzer
      organizationThe MITRE Corporation
    • nameJeff Cheng
      organizationOpsware, Inc.
    • nameJeff Cheng
      organizationOpsware, Inc.
    descriptionThe Network News Transfer Protocol (NNTP) component of Microsoft Windows NT Server 4.0, Windows 2000 Server, Windows Server 2003, Exchange 2000 Server, and Exchange Server 2003 allows remote attackers to execute arbitrary code via XPAT patterns, possibly related to improper length validation and an "unchecked buffer," leading to off-by-one and heap-based buffer overflows.
    familywindows
    idoval:org.mitre.oval:def:246
    statusaccepted
    submitted2004-10-26T09:17:00.000-04:00
    titleNetwork News Transfer Protocol Buffer Overflow
    version30
  • accepted2016-02-19T10:00:00.000-04:00
    classvulnerability
    contributors
    • nameChristine Walzer
      organizationThe MITRE Corporation
    • nameJeff Cheng
      organizationOpsware, Inc.
    • nameMaria Mikhno
      organizationALTX-SOFT
    descriptionThe Network News Transfer Protocol (NNTP) component of Microsoft Windows NT Server 4.0, Windows 2000 Server, Windows Server 2003, Exchange 2000 Server, and Exchange Server 2003 allows remote attackers to execute arbitrary code via XPAT patterns, possibly related to improper length validation and an "unchecked buffer," leading to off-by-one and heap-based buffer overflows.
    familywindows
    idoval:org.mitre.oval:def:4392
    statusaccepted
    submitted2004-10-14T08:47:00.000-04:00
    titleWindows Server 2003 NNTP Component Buffer Overflow
    version29
  • accepted2007-11-13T12:01:18.060-05:00
    classvulnerability
    contributors
    • nameChristine Walzer
      organizationThe MITRE Corporation
    • nameJohn Hoyland
      organizationCentennial Software
    • nameJeff Cheng
      organizationOpsware, Inc.
    descriptionThe Network News Transfer Protocol (NNTP) component of Microsoft Windows NT Server 4.0, Windows 2000 Server, Windows Server 2003, Exchange 2000 Server, and Exchange Server 2003 allows remote attackers to execute arbitrary code via XPAT patterns, possibly related to improper length validation and an "unchecked buffer," leading to off-by-one and heap-based buffer overflows.
    familywindows
    idoval:org.mitre.oval:def:5021
    statusaccepted
    submitted2004-10-13T12:21:00.000-04:00
    titleVulnerability in NNTP Could Allow Remote Code Execution
    version31
  • accepted2016-02-19T10:00:00.000-04:00
    classvulnerability
    contributors
    • nameChristine Walzer
      organizationThe MITRE Corporation
    • nameJonathan Baker
      organizationThe MITRE Corporation
    • nameMaria Mikhno
      organizationALTX-SOFT
    definition_extensions
    commentMicrosoft Windows NT is installed
    ovaloval:org.mitre.oval:def:36
    descriptionThe Network News Transfer Protocol (NNTP) component of Microsoft Windows NT Server 4.0, Windows 2000 Server, Windows Server 2003, Exchange 2000 Server, and Exchange Server 2003 allows remote attackers to execute arbitrary code via XPAT patterns, possibly related to improper length validation and an "unchecked buffer," leading to off-by-one and heap-based buffer overflows.
    familywindows
    idoval:org.mitre.oval:def:5070
    statusaccepted
    submitted2004-10-14T01:15:00.000-04:00
    titleWindows NT NNTP Component Buffer Overflow
    version39
  • accepted2016-02-19T10:00:00.000-04:00
    classvulnerability
    contributors
    • nameChristine Walzer
      organizationThe MITRE Corporation
    • nameJohn Hoyland
      organizationCentennial Software
    • nameShane Shaffer
      organizationG2, Inc.
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    • nameMaria Mikhno
      organizationALTX-SOFT
    descriptionThe Network News Transfer Protocol (NNTP) component of Microsoft Windows NT Server 4.0, Windows 2000 Server, Windows Server 2003, Exchange 2000 Server, and Exchange Server 2003 allows remote attackers to execute arbitrary code via XPAT patterns, possibly related to improper length validation and an "unchecked buffer," leading to off-by-one and heap-based buffer overflows.
    familywindows
    idoval:org.mitre.oval:def:5926
    statusaccepted
    submitted2004-10-14T08:58:00.000-04:00
    titleWindows 2000 NNTP Component Buffer Overflow
    version34