Vulnerabilities > CVE-2004-0894 - Unspecified vulnerability in Microsoft Windows 2000, Windows 2003 Server and Windows XP

CVSS 7.2 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
local
low complexity
microsoft
nessus
exploit available

Summary

LSASS (Local Security Authority Subsystem Service) of Windows 2000 Server and Windows Server 2003 does not properly validate connection information, which allows local users to gain privileges via a specially-designed program.

Exploit-Db

descriptionMS Windows Improper Token Validation Local Exploit (working). CVE-2004-0894. Local exploit for windows platform
idEDB-ID:749
last seen2016-01-31
modified2005-01-11
published2005-01-11
reporterCesar Cerrudo
sourcehttps://www.exploit-db.com/download/749/
titleMicrosoft Windows - Improper Token Validation Local Exploit

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS04-044.NASL
descriptionThe remote host is running a version of the NT kernel and LSASS which could allow a local user to gain elevated privileges. An attacker who has the ability to execute arbitrary commands on the remote host could exploit these flaws to gain SYSTEM privileges.
last seen2020-06-01
modified2020-06-02
plugin id15963
published2004-12-14
reporterThis script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/15963
titleMS04-044: Vulnerabilities in Windows Kernel and LSASS (885835)
code
#
# (C) Tenable Network Security, Inc.
#
# Nessus plugin 15963: local check for MS04-044 (KB 885835), which covers
# CVE-2004-0893 and CVE-2004-0894. The detection below compares the
# version of Lsasrv.dll / Ntoskrnl.exe on the target against the patched
# builds; this first block only registers the plugin's metadata.

include("compat.inc");

# Registration block: declares the plugin's identifiers, CVSS vectors,
# dependencies and required ports, then exits before the check runs.
if (description)
{
 script_id(15963);
 script_version("1.35");
 script_cvs_date("Date: 2018/11/15 20:50:29");

 # Both halves of the bulletin (kernel and LSASS) share this one plugin.
 script_cve_id("CVE-2004-0893", "CVE-2004-0894");
 script_bugtraq_id(11913, 11914);
 script_xref(name:"MSFT", value:"MS04-044");
 script_xref(name:"MSKB", value:"885835");

 script_name(english:"MS04-044: Vulnerabilities in Windows Kernel and LSASS (885835)");
 script_summary(english:"Checks the remote registry for MS04-044");

 script_set_attribute(attribute:"synopsis", value:"Local users can elevate their privileges on the remote host.");
 script_set_attribute(attribute:"description", value:
"The remote host is running version of the NT kernel and LSASS which
could allow a local user to gain elevated privileged.

An attacker who has the ability to execute arbitrary commands on the
remote host could exploit these flaws to gain SYSTEM privileges.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2004/ms04-044");
 script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows NT, 2000, XP and
2003.");
 # CVSS2 AV:L - local attack vector; the finding is a privilege
 # escalation, not a remote compromise, despite the SMB-based check.
 script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
 script_set_attribute(attribute:"canvas_package", value:'CANVAS');

 script_set_attribute(attribute:"vuln_publication_date", value:"2004/12/14");
 script_set_attribute(attribute:"patch_publication_date", value:"2004/12/14");
 script_set_attribute(attribute:"plugin_publication_date", value:"2004/12/14");

 # "local" plugin type: the check reads files on the target over an
 # authenticated SMB session rather than probing a network service.
 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");

 # The check relies on KB entries populated by these two plugins; the
 # SMB ports (139/445) or a patch-management data source must be present.
 script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");
 script_require_ports(139, 445, 'Host/patch_management_checks');
 exit(0);
}

include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");

# Bail out unless the dependency plugins established that bulletin checks
# are possible on this host (credentialed SMB access or patch-management data).
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS04-044';
kb = '885835';

# When a patch-management source is available, delegate the check for this
# KB to it (presumably it reports and exits on its own; not visible here).
kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

# Only the listed OS / service-pack combinations are in scope for the
# bulletin; anything else is reported as not affected by its SP level.
if (hotfix_check_sp_range(nt:'6', win2k:'3,4', xp:'1,2', win2003:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

# The file-version comparison needs the system root and an SMB share that
# exposes it; without either the check cannot run and reports accordingly.
rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

# Version gate: the host is flagged when the installed file is older than
# the build listed here (presumably the first patched build for that
# OS/SP - confirm against KB 885835). Lsasrv.dll covers the LSASS issue on
# 2000/XP/2003; on NT 4.0 the kernel image is checked instead.
if (
  hotfix_is_vulnerable(os:"5.2", sp:0, file:"Lsasrv.dll", version:"5.2.3790.220", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:1, file:"Lsasrv.dll", version:"5.1.2600.1597", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:2, file:"Lsasrv.dll", version:"5.1.2600.2525", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.0", file:"Lsasrv.dll", version:"5.0.2195.6987", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"4.0", file:"Ntoskrnl.exe", version:"4.0.1381.7268", dir:"\system32", bulletin:bulletin, kb:kb)
)
{
  # Record the missing bulletin in the KB (SMB/Missing/MS04-044) so other
  # plugins can see it, then report a hole. hotfix_check_fversion_end()
  # must still run on this path to close out the version-check session.
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  # Patched (or file not present): close out the session and report
  # the host as not affected.
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

Oval

  • accepted2005-02-23T09:25:00.000-04:00
    classvulnerability
    contributors
    nameChristine Walzer
    organizationThe MITRE Corporation
    descriptionLSASS (Local Security Authority Subsystem Service) of Windows 2000 Server and Windows Server 2003 does not properly validate connection information, which allows local users to gain privileges via a specially-designed program.
    familywindows
    idoval:org.mitre.oval:def:1888
    statusaccepted
    submitted2005-01-04T12:00:00.000-04:00
    titleLSASS Privilege Escalation Vulnerability (64-bit Server 2003)
    version65
  • accepted2011-05-16T04:02:22.067-04:00
    classvulnerability
    contributors
    • nameChristine Walzer
      organizationThe MITRE Corporation
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    descriptionLSASS (Local Security Authority Subsystem Service) of Windows 2000 Server and Windows Server 2003 does not properly validate connection information, which allows local users to gain privileges via a specially-designed program.
    familywindows
    idoval:org.mitre.oval:def:2062
    statusaccepted
    submitted2005-01-04T12:00:00.000-04:00
    titleLSASS Privilege Escalation Vulnerability (64-bit XP, SP1)
    version68
  • accepted2005-02-23T09:25:00.000-04:00
    classvulnerability
    contributors
    nameIngrid Skoog
    organizationThe MITRE Corporation
    descriptionLSASS (Local Security Authority Subsystem Service) of Windows 2000 Server and Windows Server 2003 does not properly validate connection information, which allows local users to gain privileges via a specially-designed program.
    familywindows
    idoval:org.mitre.oval:def:3312
    statusaccepted
    submitted2005-01-05T12:00:00.000-04:00
    titleLSASS Privilege Escalation Vulnerability (Server 2003/64-bit XP)
    version65
  • accepted2011-05-16T04:02:44.893-04:00
    classvulnerability
    contributors
    • nameChristine Walzer
      organizationThe MITRE Corporation
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    descriptionLSASS (Local Security Authority Subsystem Service) of Windows 2000 Server and Windows Server 2003 does not properly validate connection information, which allows local users to gain privileges via a specially-designed program.
    familywindows
    idoval:org.mitre.oval:def:3325
    statusaccepted
    submitted2004-12-28T12:00:00.000-04:00
    titleLSASS Privilege Escalation Vulnerability (32-bit XP, SP1)
    version68
  • accepted2011-05-16T04:02:57.789-04:00
    classvulnerability
    contributors
    • nameChristine Walzer
      organizationThe MITRE Corporation
    • nameDragos Prisaca
      organizationGideon Technologies, Inc.
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    descriptionLSASS (Local Security Authority Subsystem Service) of Windows 2000 Server and Windows Server 2003 does not properly validate connection information, which allows local users to gain privileges via a specially-designed program.
    familywindows
    idoval:org.mitre.oval:def:4368
    statusaccepted
    submitted2004-12-28T12:00:00.000-04:00
    titleLSASS Privilege Escalation Vulnerability (32-bit XP, SP2)
    version69
  • accepted2011-05-16T04:03:27.063-04:00
    classvulnerability
    contributors
    • nameChristine Walzer
      organizationThe MITRE Corporation
    • nameAndrew Buttner
      organizationThe MITRE Corporation
    • nameShane Shaffer
      organizationG2, Inc.
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    descriptionLSASS (Local Security Authority Subsystem Service) of Windows 2000 Server and Windows Server 2003 does not properly validate connection information, which allows local users to gain privileges via a specially-designed program.
    familywindows
    idoval:org.mitre.oval:def:778
    statusaccepted
    submitted2004-12-28T12:00:00.000-04:00
    titleLSASS Privilege Escalation Vulnerability (Windows 2000)
    version70