CVE-2004-1080 - Remote Memory Corruption vulnerability in Microsoft Windows 2000, Windows 2003 Server and Windows NT

CVSS 10.0 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE

Tags: network, low complexity, microsoft, critical, nessus, exploit available, metasploit

Summary

The WINS service (wins.exe) on Microsoft Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 allows remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a WINS replication packet to TCP port 42, aka the "Association Context Vulnerability."

Exploit-Db

  • description: Microsoft WINS Service Memory Overwrite. CVE-2004-1080. Remote exploit for windows platform
    id: EDB-ID:16359
    last seen: 2016-02-01
    modified: 2010-09-20
    published: 2010-09-20
    reporter: metasploit
    source: https://www.exploit-db.com/download/16359/
    title: Microsoft WINS Service Memory Overwrite
  • description: MS Windows (WINS) Remote Buffer Overflow Exploit (v.3). CVE-2004-1080. Remote exploit for windows platform
    id: EDB-ID:909
    last seen: 2016-01-31
    modified: 2005-04-12
    published: 2005-04-12
    reporter: class101
    source: https://www.exploit-db.com/download/909/
    title: Microsoft Windows - WINS Remote Buffer Overflow Exploit 3

Metasploit

description: This module exploits an arbitrary memory write flaw in the WINS service. This exploit has been tested against Windows 2000 only.
id: MSF:EXPLOIT/WINDOWS/WINS/MS04_045_WINS
last seen: 2020-01-14
modified: 2017-07-24
published: 2005-12-25
references: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1080
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/wins/ms04_045_wins.rb
title: MS04-045 Microsoft WINS Service Memory Overwrite

Nessus

  • NASL family: Windows
    NASL id: WINS_REPLICATION_OVERFLOW.NASL
    description: The remote Windows Internet Naming Service (WINS) is vulnerable to a flaw that could allow an attacker to execute arbitrary code on this host. To exploit this flaw, an attacker needs to send a specially crafted packet on port 42 of the remote host.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 15970
    published: 2004-12-15
    reporter: This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/15970
    title: MS04-035: WINS Code Execution (870763) (uncredentialed check)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(15970);
      script_version("1.31");
      script_cvs_date("Date: 2018/11/15 20:50:29");
    
      script_cve_id("CVE-2004-0567", "CVE-2004-1080");
      script_bugtraq_id(11763, 11922);
      script_xref(name:"MSFT", value:"MS04-035");
      script_xref(name:"MSFT", value:"MS04-045");
      script_xref(name:"MSKB", value:"885881");
      script_xref(name:"MSKB", value:"870763");
    
      script_name(english:"MS04-035: WINS Code Execution (870763) (uncredentialed check)");
      script_summary(english:"Determines if hotfix 870763 has been installed");
    
      script_set_attribute(attribute:"synopsis", value:"Arbitrary code can be executed on the remote host.");
      script_set_attribute(attribute:"description", value:
    "The remote Windows Internet Naming Service (WINS) is vulnerable to a
    flaw that could allow an attacker to execute arbitrary code on this
    host.
    
    To exploit this flaw, an attacker needs to send a specially crafted
    packet on port 42 of the remote host.");
      script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2004/ms04-045");
      script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows NT, 2000 and 2003.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'MS04-045 Microsoft WINS Service Memory Overwrite');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2004/12/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/12/15");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
      script_family(english:"Windows");
    
      script_dependencies("netbios_name_get.nasl");
      script_require_ports(42);
      exit(0);
    }
    
    #
    # Remote, uncredentialed check: open an association with the WINS
    # replication listener on TCP/42, read back the association context
    # pointer the server returns, then send a second message that refers
    # to that context. An unpatched server still answers with a valid
    # reply; a patched server validates the pointer and drops the session.
    #
    
    include("byte_func.inc");
    port = 42;
    if ( ! get_port_state(port) ) exit(0, "WINS server is not running");
    
    soc = open_sock_tcp(port);
    if ( ! soc ) exit(0, "WINS server is not running");
    
    # Association start request (4-byte length prefix, opcode 0x78)
    request = raw_string (0x00,0x00,0x00,0x29,0x00,0x00,0x78,0x00,0x00,0x00,0x00,0x00,
    		      0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x40,0x00,0x02,0x00,0x05,
    	    	      0x00,0x00,0x00,0x00,0x60,0x56,0x02,0x01,0x00,0x1F,0x6E,0x03,
    	    	      0x00,0x1F,0x6E,0x03,0x08,0xFE,0x66,0x03,0x00);
    
    send(socket:soc, data:request);
    
    # Read the length-prefixed reply; reject anything oversized or truncated
    r = recv(socket:soc, length:4);
    if (!r || strlen(r) != 4 ) exit (0, "WINS server shut the connection down");
    len = getdword(blob:r, pos:0);
    if ( len > 256 ) exit(1, "Invalid WINS reply");
    r += recv(socket:soc, length:len);
    
    if (strlen(r) < 20) exit (1, "Invalid WINS reply");
    
    if (ord(r[6]) != 0x78) exit (1, "Invalid WINS reply");
    
    # Bytes 16..19 of the reply carry the server's association context pointer
    pointer = substr(r,16,19);
    
    # Second message echoing the context pointer back to the server
    request = raw_string (0x00,0x00,0x00,0x0F,0x00,0x00,0x78,0x00) + pointer + raw_string(
    		      0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x00);
    
    send(socket:soc, data:request);
    
    # A patched server closes the connection or returns nothing usable;
    # an unpatched server answers with another opcode 0x78 reply.
    r = recv(socket:soc, length:4);
    if (!r || strlen(r) != 4 ) exit (0, "WINS server is patched");
    len = getdword(blob:r, pos:0);
    if ( len > 256 ) exit(1, "Invalid WINS reply");
    r += recv(socket:soc, length:len);
    
    if (strlen(r) < 8) exit (0, "WINS server is patched");
    
    if (ord(r[6]) == 0x78)
      security_hole(port);
    else
      exit(0, "WINS server is patched");
    
  • NASL family: Windows : Microsoft Bulletins
    NASL id: SMB_NT_MS04-045.NASL
    description: The remote Windows Internet Naming Service (WINS) server is prone to a heap overflow attack that could allow an attacker to execute arbitrary code on this host. To exploit this flaw, an attacker would need to send a specially crafted packet to port 42 of the remote host.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 15962
    published: 2004-12-14
    reporter: This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/15962
    title: MS04-045: WINS Code Execution (870763)

Oval

  • accepted: 2005-02-23T09:25:00.000-04:00
    class: vulnerability
    contributors:
      name: Matthew Burton
      organization: The MITRE Corporation
    description: The WINS service (wins.exe) on Microsoft Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 allows remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a WINS replication packet to TCP port 42, aka the "Association Context Vulnerability."
    family: windows
    id: oval:org.mitre.oval:def:1549
    status: accepted
    submitted: 2005-01-03T12:00:00.000-04:00
    title: WINS Association Context Vulnerability (64-bit Server 2003, Test 1)
    version: 65
  • accepted: 2011-05-16T04:02:30.956-04:00
    class: vulnerability
    contributors:
    • name: Matthew Burton
      organization: The MITRE Corporation
    • name: John Hoyland
      organization: Centennial Software
    • name: Sudhir Gandhe
      organization: Telos
    • name: Shane Shaffer
      organization: G2, Inc.
    description: The WINS service (wins.exe) on Microsoft Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 allows remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a WINS replication packet to TCP port 42, aka the "Association Context Vulnerability."
    family: windows
    id: oval:org.mitre.oval:def:2541
    status: accepted
    submitted: 2005-01-03T12:00:00.000-04:00
    title: WINS Association Context Vulnerability (Windows 2000)
    version: 68
  • accepted: 2005-06-29T06:49:00.000-04:00
    class: vulnerability
    contributors:
    • name: Matthew Burton
      organization: The MITRE Corporation
    • name: Christine Walzer
      organization: The MITRE Corporation
    description: The WINS service (wins.exe) on Microsoft Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 allows remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a WINS replication packet to TCP port 42, aka the "Association Context Vulnerability."
    family: windows
    id: oval:org.mitre.oval:def:2734
    status: accepted
    submitted: 2004-12-17T12:00:00.000-04:00
    title: WINS Association Context Vulnerability (Terminal Server Test 1)
    version: 65
  • accepted: 2005-02-23T09:25:00.000-04:00
    class: vulnerability
    contributors:
      name: Matthew Burton
      organization: The MITRE Corporation
    description: The WINS service (wins.exe) on Microsoft Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 allows remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a WINS replication packet to TCP port 42, aka the "Association Context Vulnerability."
    family: windows
    id: oval:org.mitre.oval:def:3677
    status: accepted
    submitted: 2005-01-03T12:00:00.000-04:00
    title: WINS Association Context Vulnerability (64-bit Server 2003, Test 2)
    version: 64
  • accepted: 2008-03-24T04:00:35.137-04:00
    class: vulnerability
    contributors:
    • name: Matthew Burton
      organization: The MITRE Corporation
    • name: Christine Walzer
      organization: The MITRE Corporation
    • name: Jonathan Baker
      organization: The MITRE Corporation
    definition_extensions:
      comment: Microsoft Windows NT is installed
      oval: oval:org.mitre.oval:def:36
    description: The WINS service (wins.exe) on Microsoft Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 allows remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a WINS replication packet to TCP port 42, aka the "Association Context Vulnerability."
    family: windows
    id: oval:org.mitre.oval:def:4372
    status: accepted
    submitted: 2004-12-16T12:00:00.000-04:00
    title: WINS Association Context Vulnerability (Terminal Server Test 2)
    version: 72
  • accepted: 2008-03-24T04:00:37.591-04:00
    class: vulnerability
    contributors:
    • name: Matthew Burton
      organization: The MITRE Corporation
    • name: John Hoyland
      organization: Centennial Software
    • name: Jonathan Baker
      organization: The MITRE Corporation
    definition_extensions:
      comment: Microsoft Windows NT is installed
      oval: oval:org.mitre.oval:def:36
    description: The WINS service (wins.exe) on Microsoft Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 allows remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a WINS replication packet to TCP port 42, aka the "Association Context Vulnerability."
    family: windows
    id: oval:org.mitre.oval:def:4831
    status: accepted
    submitted: 2005-01-03T12:00:00.000-04:00
    title: WINS Association Context Vulnerability (NT 4.0)
    version: 72

Packetstorm

data source: https://packetstormsecurity.com/files/download/83138/ms04_045_wins.rb.txt
id: PACKETSTORM:83138
last seen: 2016-12-05
published: 2009-11-26
reporter: H D Moore
source: https://packetstormsecurity.com/files/83138/Microsoft-WINS-Service-Memory-Overwrite.html
title: Microsoft WINS Service Memory Overwrite

Saint

bid: 11763
description: Microsoft WINS replication service pointer corruption
id: win_patch_winsrep
osvdb: 12378
title: wins_replication_service_pointer
type: remote