Vulnerabilities > CVE-2004-0900 - Unspecified vulnerability in Microsoft Windows NT 4.0

CVSS 10.0 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

low complexity

microsoft

critical

nessus

NVD

Published: 2005-01-10

Updated: 2018-10-12

Summary

The DHCP Server service for Microsoft Windows NT 4.0 Server and Terminal Server Edition does not properly validate the length of certain messages, which allows remote attackers to execute arbitrary code via a malformed DHCP message, aka the "DHCP Request Vulnerability."

Vulnerable Configurations

Part	Description	Count
OS	Microsoft Microsoft Windows NT 4.0	40

Nessus

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS04-042.NASL
description	The remote host has the Windows DHCP server installed. There is a flaw in the remote version of this server that could allow an attacker to execute arbitrary code on the remote host with SYSTEM privileges.
last seen	2020-06-01
modified	2020-06-02
plugin id	15965
published	2004-12-14
reporter	This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/15965
title	MS04-042: Windows NT Multiple DHCP Vulnerabilities (885249)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(15965); script_version("1.35"); script_cvs_date("Date: 2018/11/15 20:50:29"); script_cve_id("CVE-2004-0899", "CVE-2004-0900"); script_bugtraq_id(11919, 11920); script_xref(name:"MSFT", value:"MS04-042"); script_xref(name:"MSKB", value:"885249"); script_name(english:"MS04-042: Windows NT Multiple DHCP Vulnerabilities (885249)"); script_summary(english:"Checks version of Dhcpssvc.dll"); script_set_attribute(attribute:"synopsis", value: "Arbitrary code can be executed on the remote host via the DHCP service."); script_set_attribute(attribute:"description", value: "The remote host has the Windows DHCP server installed. There is a flaw in the remote version of this server that could allow an attacker to execute arbitrary code on the remote host with SYSTEM privileges."); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2004/ms04-042"); script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows NT."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2004/12/14"); script_set_attribute(attribute:"patch_publication_date", value:"2004/12/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/12/14"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc."); script_family(english:"Windows : Microsoft Bulletins"); script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, 'Host/patch_management_checks'); exit(0); } include("audit.inc"); include("smb_hotfixes_fcheck.inc"); include("smb_hotfixes.inc"); include("smb_func.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS04-042'; kb = '885249'; kbs = make_list(kb); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); get_kb_item_or_exit("SMB/Registry/Enumerated"); get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1); if (hotfix_check_sp_range(nt:'6') <= 0) audit(AUDIT_OS_SP_NOT_VULN); if (hotfix_check_nt_server() <= 0) exit(0, "The Windows host is not an NT Server."); if (hotfix_check_dhcpserver_installed() <= 0) audit(AUDIT_NOT_INST, "The DHCP Server service"); rootfile = hotfix_get_systemroot(); if (!rootfile) exit(1, "Failed to get the system root."); share = hotfix_path2share(path:rootfile); if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share); if (hotfix_is_vulnerable(os:"4.0", file:"Dhcpssvc.dll", version:"4.0.1381.7304", dir:"\system32", bulletin:bulletin, kb:kb)) { set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE); hotfix_security_hole(); hotfix_check_fversion_end(); exit(0); } else { hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, 'affected'); }

NASL family	Windows
NASL id	SMB_KB885249.NASL
description	The remote host has the Windows DHCP server installed. There is a flaw in the remote version of this server that may allow an attacker to execute arbitrary code on the remote host with SYSTEM privileges.
last seen	2020-06-01
modified	2020-06-02
plugin id	20368
published	2006-01-03
reporter	This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/20368
title	MS04-042: Windows NT Multiple DHCP Vulnerabilities (885249) (uncredentialed check)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(20368); script_version("1.24"); script_cvs_date("Date: 2018/11/15 20:50:28"); script_cve_id("CVE-2004-0899", "CVE-2004-0900"); script_bugtraq_id(11919, 11920); script_xref(name:"MSFT", value:"MS04-042"); script_xref(name:"MSKB", value:"885249"); script_name(english:"MS04-042: Windows NT Multiple DHCP Vulnerabilities (885249) (uncredentialed check)"); script_summary(english:"Checks if MS04-042 is installed"); script_set_attribute(attribute:"synopsis", value:"Arbitrary code can be executed on the remote host through the DHCP service."); script_set_attribute(attribute:"description", value: "The remote host has the Windows DHCP server installed. There is a flaw in the remote version of this server that may allow an attacker to execute arbitrary code on the remote host with SYSTEM privileges." ); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2004/ms04-042"); script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows NT."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2004/12/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/01/03"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc."); script_family(english:"Windows"); script_dependencies("dcetest.nasl", "smb_nativelanman.nasl"); script_require_keys("Host/OS/smb", "Services/DCE/6bffd098-a112-3610-9833-46c3f874532d"); exit(0); } # include ('smb_func.inc'); os = get_kb_item ("Host/OS/smb") ; if ( !os \|\| "Windows 4.0" >!< os ) exit(0); # DHCPSERVER Service port = get_kb_item ("Services/DCE/6bffd098-a112-3610-9833-46c3f874532d"); if (!port) exit (0); if (!get_port_state (port)) exit (0); soc = open_sock_tcp (port); if (!soc) exit (0); ret = dce_rpc_bind(cid:session_get_cid(), uuid:"6bffd098-a112-3610-9833-46c3f874532d", vers:1); send (socket:soc, data:ret); resp = recv (socket:soc, length:4096); if (!resp) { close (soc); exit (0); } ret = dce_rpc_parse_bind_ack (data:resp); if (isnull (ret) \|\| (ret != 0)) { close (soc); exit (0); } # DhcpGetVersion - opcode : 0x1C # # long DhcpGetVersion ( # [in][unique][string] wchar_t * arg_1, # [in] long arg_2, # [in, out] long * arg_3, # [in] long arg_4, # [out] struct_1 ** arg_5, # [out] long * arg_6, # [out] long * arg_7 # ); data = class_parameter (ref_id:0x20000, name:get_host_ip()) + raw_dword (d:0) + raw_dword (d:0) + raw_dword (d:0) ; ret = dce_rpc_request (code:0x1C, data:data); send (socket:soc, data:ret); resp = recv (socket:soc, length:4096); close (soc); resp = dce_rpc_parse_response (data:resp); if (strlen(resp) != 12) exit (0); val = get_dword (blob:resp, pos:strlen(resp)-4); if (val != 0) exit (0); major = get_dword (blob:resp, pos:0); minor = get_dword (blob:resp, pos:4); # patched version 4.1 # vulnerable 1.1 if (major < 4) security_hole(port);

Oval

accepted

2008-03-24T04:00:29.998-04:00

class

vulnerability

contributors

name Ingrid Skoog
organization The MITRE Corporation
name John Hoyland
organization Centennial Software
name Jonathan Baker
organization The MITRE Corporation

definition_extensions

comment	Microsoft Windows NT is installed
oval	oval:org.mitre.oval:def:36

description

family

windows

oval:org.mitre.oval:def:3577

status

accepted

submitted

2005-01-27T12:00:00.000-04:00

title

Windows NT DHCP Request Code Execution Vulnerability

version

accepted

2008-03-24T04:00:37.993-04:00

class

vulnerability

contributors

name Ingrid Skoog
organization The MITRE Corporation
name Jonathan Baker
organization The MITRE Corporation

definition_extensions

comment	Microsoft Windows NT is installed
oval	oval:org.mitre.oval:def:36

description

family

windows

oval:org.mitre.oval:def:4846

status

accepted

submitted

2004-12-16T12:00:00.000-04:00

title

Windows NT DHCP Request Code Execution Vulnerability (Terminal Server)

version

Summary

Vulnerable Configurations

Nessus

Oval

References