CVE-2004-0900 - Unspecified vulnerability in Microsoft Windows NT 4.0

Metric | Value
---|---
Attack vector | NETWORK
Attack complexity | LOW
Privileges required | NONE
Confidentiality impact | COMPLETE
Integrity impact | COMPLETE
Availability impact | COMPLETE

Summary
The DHCP Server service for Microsoft Windows NT 4.0 Server and Terminal Server Edition does not properly validate the length of certain messages, which allows remote attackers to execute arbitrary code via a malformed DHCP message, aka the "DHCP Request Vulnerability."
Vulnerable Configurations

Part | Description | Count
---|---|---
OS | | 40
Nessus

- NASL family: Windows : Microsoft Bulletins
- NASL id: SMB_NT_MS04-042.NASL
- description: The remote host has the Windows DHCP server installed. There is a flaw in the remote version of this server that could allow an attacker to execute arbitrary code on the remote host with SYSTEM privileges.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 15965
- published: 2004-12-14
- reporter: This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/15965
- title: MS04-042: Windows NT Multiple DHCP Vulnerabilities (885249)
- code:

```nasl
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(15965);
  script_version("1.35");
  script_cvs_date("Date: 2018/11/15 20:50:29");

  script_cve_id("CVE-2004-0899", "CVE-2004-0900");
  script_bugtraq_id(11919, 11920);
  script_xref(name:"MSFT", value:"MS04-042");
  script_xref(name:"MSKB", value:"885249");

  script_name(english:"MS04-042: Windows NT Multiple DHCP Vulnerabilities (885249)");
  script_summary(english:"Checks version of Dhcpssvc.dll");

  script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host via the DHCP service.");
  script_set_attribute(attribute:"description", value:
"The remote host has the Windows DHCP server installed.

There is a flaw in the remote version of this server that could allow
an attacker to execute arbitrary code on the remote host with SYSTEM
privileges.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2004/ms04-042");
  script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows NT.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2004/12/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2004/12/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/12/14");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
  script_family(english:"Windows : Microsoft Bulletins");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, 'Host/patch_management_checks');

  exit(0);
}

include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS04-042';
kb = '885249';

kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

# Only NT 4.0 service packs up to SP6 are in scope for this bulletin.
if (hotfix_check_sp_range(nt:'6') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
if (hotfix_check_nt_server() <= 0) exit(0, "The Windows host is not an NT Server.");
if (hotfix_check_dhcpserver_installed() <= 0) audit(AUDIT_NOT_INST, "The DHCP Server service");

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

# The fixed build of the DHCP server DLL is 4.0.1381.7304; anything older is missing the patch.
if (hotfix_is_vulnerable(os:"4.0", file:"Dhcpssvc.dll", version:"4.0.1381.7304", dir:"\system32", bulletin:bulletin, kb:kb))
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}
```
- NASL family: Windows
- NASL id: SMB_KB885249.NASL
- description: The remote host has the Windows DHCP server installed. There is a flaw in the remote version of this server that may allow an attacker to execute arbitrary code on the remote host with SYSTEM privileges.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 20368
- published: 2006-01-03
- reporter: This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/20368
- title: MS04-042: Windows NT Multiple DHCP Vulnerabilities (885249) (uncredentialed check)
- code:

```nasl
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(20368);
  script_version("1.24");
  script_cvs_date("Date: 2018/11/15 20:50:28");

  script_cve_id("CVE-2004-0899", "CVE-2004-0900");
  script_bugtraq_id(11919, 11920);
  script_xref(name:"MSFT", value:"MS04-042");
  script_xref(name:"MSKB", value:"885249");

  script_name(english:"MS04-042: Windows NT Multiple DHCP Vulnerabilities (885249) (uncredentialed check)");
  script_summary(english:"Checks if MS04-042 is installed");

  script_set_attribute(attribute:"synopsis", value:"Arbitrary code can be executed on the remote host through the DHCP service.");
  script_set_attribute(attribute:"description", value:
"The remote host has the Windows DHCP server installed.

There is a flaw in the remote version of this server that may allow an
attacker to execute arbitrary code on the remote host with SYSTEM
privileges.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2004/ms04-042");
  script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows NT.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2004/12/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/01/03");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
  script_family(english:"Windows");

  script_dependencies("dcetest.nasl", "smb_nativelanman.nasl");
  script_require_keys("Host/OS/smb", "Services/DCE/6bffd098-a112-3610-9833-46c3f874532d");

  exit(0);
}

#

include ('smb_func.inc');

# Only Windows NT 4.0 hosts are in scope for this check.
os = get_kb_item ("Host/OS/smb") ;
if ( !os || "Windows 4.0" >!< os ) exit(0);

# DHCPSERVER Service
port = get_kb_item ("Services/DCE/6bffd098-a112-3610-9833-46c3f874532d");
if (!port) exit (0);

if (!get_port_state (port)) exit (0);
soc = open_sock_tcp (port);
if (!soc) exit (0);

# Bind to the DHCP server management interface over DCE/RPC.
ret = dce_rpc_bind(cid:session_get_cid(), uuid:"6bffd098-a112-3610-9833-46c3f874532d", vers:1);
send (socket:soc, data:ret);
resp = recv (socket:soc, length:4096);

if (!resp)
{
  close (soc);
  exit (0);
}

ret = dce_rpc_parse_bind_ack (data:resp);
if (isnull (ret) || (ret != 0))
{
  close (soc);
  exit (0);
}

# DhcpGetVersion - opcode : 0x1C
#
# long DhcpGetVersion (
#   [in][unique][string] wchar_t * arg_1,
#   [in] long arg_2,
#   [in, out] long * arg_3,
#   [in] long arg_4,
#   [out] struct_1 ** arg_5,
#   [out] long * arg_6,
#   [out] long * arg_7
# );

data = class_parameter (ref_id:0x20000, name:get_host_ip()) +
       raw_dword (d:0) +
       raw_dword (d:0) +
       raw_dword (d:0) ;

ret = dce_rpc_request (code:0x1C, data:data);
send (socket:soc, data:ret);
resp = recv (socket:soc, length:4096);
close (soc);

# Expect three dwords back: major version, minor version and the return status.
resp = dce_rpc_parse_response (data:resp);
if (strlen(resp) != 12) exit (0);

val = get_dword (blob:resp, pos:strlen(resp)-4);
if (val != 0) exit (0);

major = get_dword (blob:resp, pos:0);
minor = get_dword (blob:resp, pos:4);

# patched version 4.1
# vulnerable 1.1
if (major < 4) security_hole(port);
```
Oval

- accepted: 2008-03-24T04:00:29.998-04:00
- class: vulnerability
- contributors: Ingrid Skoog (The MITRE Corporation), John Hoyland (Centennial Software), Jonathan Baker (The MITRE Corporation)
- definition_extensions: comment "Microsoft Windows NT is installed", oval oval:org.mitre.oval:def:36
- description: The DHCP Server service for Microsoft Windows NT 4.0 Server and Terminal Server Edition does not properly validate the length of certain messages, which allows remote attackers to execute arbitrary code via a malformed DHCP message, aka the "DHCP Request Vulnerability."
- family: windows
- id: oval:org.mitre.oval:def:3577
- status: accepted
- submitted: 2005-01-27T12:00:00.000-04:00
- title: Windows NT DHCP Request Code Execution Vulnerability
- version: 72

- accepted: 2008-03-24T04:00:37.993-04:00
- class: vulnerability
- contributors: Ingrid Skoog (The MITRE Corporation), Jonathan Baker (The MITRE Corporation)
- definition_extensions: comment "Microsoft Windows NT is installed", oval oval:org.mitre.oval:def:36
- description: The DHCP Server service for Microsoft Windows NT 4.0 Server and Terminal Server Edition does not properly validate the length of certain messages, which allows remote attackers to execute arbitrary code via a malformed DHCP message, aka the "DHCP Request Vulnerability."
- family: windows
- id: oval:org.mitre.oval:def:4846
- status: accepted
- submitted: 2004-12-16T12:00:00.000-04:00
- title: Windows NT DHCP Request Code Execution Vulnerability (Terminal Server)
- version: 71
References
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2004/ms04-042
- https://exchange.xforce.ibmcloud.com/vulnerabilities/18342
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A3577
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4846