Vulnerabilities > CVE-2004-0900 - Unspecified vulnerability in Microsoft Windows NT 4.0

CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE

Summary

The DHCP Server service for Microsoft Windows NT 4.0 Server and Terminal Server Edition does not properly validate the length of certain messages, which allows remote attackers to execute arbitrary code via a malformed DHCP message, aka the "DHCP Request Vulnerability."

Vulnerable Configurations

Part Description Count
OS
Microsoft
40

Nessus

  • NASL family: Windows : Microsoft Bulletins
    NASL id: SMB_NT_MS04-042.NASL
    description: The remote host has the Windows DHCP server installed. There is a flaw in the remote version of this server that could allow an attacker to execute arbitrary code on the remote host with SYSTEM privileges.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 15965
    published: 2004-12-14
    reporter: This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/15965
    title: MS04-042: Windows NT Multiple DHCP Vulnerabilities (885249)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
     script_id(15965);
     script_version("1.35");
     script_cvs_date("Date: 2018/11/15 20:50:29");
    
     script_cve_id("CVE-2004-0899", "CVE-2004-0900");
     script_bugtraq_id(11919, 11920);
     script_xref(name:"MSFT", value:"MS04-042");
     script_xref(name:"MSKB", value:"885249");
    
     script_name(english:"MS04-042: Windows NT Multiple DHCP Vulnerabilities (885249)");
     script_summary(english:"Checks version of Dhcpssvc.dll");
    
     script_set_attribute(attribute:"synopsis", value:
    "Arbitrary code can be executed on the remote host via the DHCP
    service.");
     script_set_attribute(attribute:"description", value:
    "The remote host has the Windows DHCP server installed.
    
    There is a flaw in the remote version of this server that could allow an
    attacker to execute arbitrary code on the remote host with SYSTEM
    privileges.");
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2004/ms04-042");
     script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows NT.");
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"false");
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2004/12/14");
     script_set_attribute(attribute:"patch_publication_date", value:"2004/12/14");
     script_set_attribute(attribute:"plugin_publication_date", value:"2004/12/14");
    
     script_set_attribute(attribute:"plugin_type", value:"local");
     script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
     script_family(english:"Windows : Microsoft Bulletins");
    
     script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
     script_require_keys("SMB/MS_Bulletin_Checks/Possible");
     script_require_ports(139, 445, 'Host/patch_management_checks');
     exit(0);
    }
    
    include("audit.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("smb_func.inc");
    include("misc_func.inc");
    
    # Credentialed check: nothing to do unless the bulletin-check prerequisites were gathered.
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    ms_bulletin = 'MS04-042';
    kb_article  = '885249';
    kb_list     = make_list(kb_article);
    
    # Defer to a third-party patch-management source when one has been configured.
    if (get_kb_item("Host/patch_management_checks"))
      hotfix_check_3rd_party(bulletin:ms_bulletin, kbs:kb_list, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    # Scope: NT 4.0 Server (service-pack range 'nt:6') with the DHCP Server service present.
    if (hotfix_check_sp_range(nt:'6') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    if (hotfix_check_nt_server() <= 0) exit(0, "The Windows host is not an NT Server.");
    if (hotfix_check_dhcpserver_installed() <= 0) audit(AUDIT_NOT_INST, "The DHCP Server service");
    
    # Locate the system root and make sure its share is reachable before the file check.
    sysroot = hotfix_get_systemroot();
    if (!sysroot) exit(1, "Failed to get the system root.");
    
    sysroot_share = hotfix_path2share(path:sysroot);
    if (!is_accessible_share(share:sysroot_share)) audit(AUDIT_SHARE_FAIL, sysroot_share);
    
    # The fix is decided purely by the Dhcpssvc.dll file version against the KB885249 build.
    vulnerable = hotfix_is_vulnerable(os:"4.0", file:"Dhcpssvc.dll", version:"4.0.1381.7304", dir:"\system32", bulletin:ms_bulletin, kb:kb_article);
    
    if (!vulnerable)
    {
      # audit() terminates the script, so the reporting path below is not reached.
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, 'affected');
    }
    
    # Patch missing: record it in the KB for other plugins and report.
    set_kb_item(name:"SMB/Missing/"+ms_bulletin, value:TRUE);
    hotfix_security_hole();
    hotfix_check_fversion_end();
    exit(0);
    
  • NASL family: Windows
    NASL id: SMB_KB885249.NASL
    description: The remote host has the Windows DHCP server installed. There is a flaw in the remote version of this server that may allow an attacker to execute arbitrary code on the remote host with SYSTEM privileges.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20368
    published: 2006-01-03
    reporter: This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/20368
    title: MS04-042: Windows NT Multiple DHCP Vulnerabilities (885249) (uncredentialed check)
    code:
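    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
     script_id(20368);
     script_version("1.24");
     script_cvs_date("Date: 2018/11/15 20:50:28");
    
     script_cve_id("CVE-2004-0899", "CVE-2004-0900");
     script_bugtraq_id(11919, 11920);
     script_xref(name:"MSFT", value:"MS04-042");
     script_xref(name:"MSKB", value:"885249");
    
     script_name(english:"MS04-042: Windows NT Multiple DHCP Vulnerabilities (885249) (uncredentialed check)");
     script_summary(english:"Checks if MS04-042 is installed");
    
     script_set_attribute(attribute:"synopsis", value:"Arbitrary code can be executed on the remote host through the DHCP service.");
     script_set_attribute(attribute:"description", value:
    "The remote host has the Windows DHCP server installed.
    
    There is a flaw in the remote version of this server that may allow an
    attacker to execute arbitrary code on the remote host with SYSTEM
    privileges." );
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2004/ms04-042");
     script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows NT.");
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"false");
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2004/12/14");
     script_set_attribute(attribute:"plugin_publication_date", value:"2006/01/03");
    
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
    
     script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
     script_family(english:"Windows");
    
     script_dependencies("dcetest.nasl", "smb_nativelanman.nasl");
     script_require_keys("Host/OS/smb", "Services/DCE/6bffd098-a112-3610-9833-46c3f874532d");
     exit(0);
    }
    
    #
    
    include ('smb_func.inc');
    
    # Uncredentialed check: only hosts fingerprinted as Windows NT 4.0 are in scope.
    os = get_kb_item ("Host/OS/smb") ;
    if ( !os || "Windows 4.0" >!< os )
      exit(0);
    
    # DHCPSERVER Service
    # The port comes from the DCE/RPC endpoint enumeration done by dcetest.nasl.
    port = get_kb_item ("Services/DCE/6bffd098-a112-3610-9833-46c3f874532d");
    if (!port)
      exit (0);
    
    if (!get_port_state (port))
      exit (0);
    
    soc = open_sock_tcp (port);
    if (!soc) exit (0);
    
    # Bind to the DHCP server interface; any failure is silent (no finding, no noise).
    ret = dce_rpc_bind(cid:session_get_cid(), uuid:"6bffd098-a112-3610-9833-46c3f874532d", vers:1);
    send (socket:soc, data:ret);
    resp = recv (socket:soc, length:4096);
    
    if (!resp)
    {
     close (soc);
     exit (0);
    }
    
    ret = dce_rpc_parse_bind_ack (data:resp);
    if (isnull (ret) || (ret != 0))
    {
     close (soc);
     exit (0);
    }
    
    
    # DhcpGetVersion - opcode : 0x1C
    #
    # long  DhcpGetVersion (
    #  [in][unique][string] wchar_t * arg_1,
    #  [in] long arg_2,
    #  [in, out] long * arg_3,
    #  [in] long arg_4,
    #  [out] struct_1 ** arg_5,
    #  [out] long * arg_6,
    #  [out] long * arg_7
    # );
    
    
    # Request payload: the scanner's own address as arg_1, the remaining [in] longs zeroed.
    data = class_parameter (ref_id:0x20000, name:get_host_ip()) +
           raw_dword (d:0) +
           raw_dword (d:0) +
           raw_dword (d:0) ;
    
    
    ret = dce_rpc_request (code:0x1C, data:data);
    send (socket:soc, data:ret);
    resp = recv (socket:soc, length:4096);
    
    close (soc);
    
    # Mirror the guard used after the bind: an empty reply (timeout, reset) is not a
    # finding and must not be handed to the response parser.
    if (!resp)
      exit (0);
    
    # The script expects exactly three dwords back: the two version fields followed by
    # the call's return code in the final dword.
    resp = dce_rpc_parse_response (data:resp);
    if (strlen(resp) != 12)
      exit (0);
    
    # A non-zero return code means the call failed, so the version fields are not trusted.
    val = get_dword (blob:resp, pos:strlen(resp)-4);
    if (val != 0)
      exit (0);
    
    # patched version 4.1
    # vulnerable 1.1
    # Only the major number (offset 0) decides; the minor number at offset 4 is not consulted.
    major = get_dword (blob:resp, pos:0);
    
    if (major < 4)
      security_hole(port);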
    

Oval

  • accepted: 2008-03-24T04:00:29.998-04:00
    class: vulnerability
    contributors:
    • name: Ingrid Skoog
      organization: The MITRE Corporation
    • name: John Hoyland
      organization: Centennial Software
    • name: Jonathan Baker
      organization: The MITRE Corporation
    definition_extensions:
    comment: Microsoft Windows NT is installed
    oval: oval:org.mitre.oval:def:36
    description: The DHCP Server service for Microsoft Windows NT 4.0 Server and Terminal Server Edition does not properly validate the length of certain messages, which allows remote attackers to execute arbitrary code via a malformed DHCP message, aka the "DHCP Request Vulnerability."
    family: windows
    id: oval:org.mitre.oval:def:3577
    status: accepted
    submitted: 2005-01-27T12:00:00.000-04:00
    title: Windows NT DHCP Request Code Execution Vulnerability
    version: 72
  • accepted: 2008-03-24T04:00:37.993-04:00
    class: vulnerability
    contributors:
    • name: Ingrid Skoog
      organization: The MITRE Corporation
    • name: Jonathan Baker
      organization: The MITRE Corporation
    definition_extensions:
    comment: Microsoft Windows NT is installed
    oval: oval:org.mitre.oval:def:36
    description: The DHCP Server service for Microsoft Windows NT 4.0 Server and Terminal Server Edition does not properly validate the length of certain messages, which allows remote attackers to execute arbitrary code via a malformed DHCP message, aka the "DHCP Request Vulnerability."
    family: windows
    id: oval:org.mitre.oval:def:4846
    status: accepted
    submitted: 2004-12-16T12:00:00.000-04:00
    title: Windows NT DHCP Request Code Execution Vulnerability (Terminal Server)
    version: 71