Vulnerabilities > CVE-2004-1080 - Remote Memory Corruption vulnerability in Microsoft Windows 2000, Windows 2003 Server and Windows NT
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
The WINS service (wins.exe) on Microsoft Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 allows remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a WINS replication packet to TCP port 42, aka the "Association Context Vulnerability."
Vulnerable Configurations
Exploit-Db
description Microsoft WINS Service Memory Overwrite. CVE-2004-1080. Remote exploit for windows platform id EDB-ID:16359 last seen 2016-02-01 modified 2010-09-20 published 2010-09-20 reporter metasploit source https://www.exploit-db.com/download/16359/ title Microsoft WINS Service Memory Overwrite description MS Windows (WINS) Remote Buffer Overflow Exploit (v.3). CVE-2004-1080. Remote exploit for windows platform id EDB-ID:909 last seen 2016-01-31 modified 2005-04-12 published 2005-04-12 reporter class101 source https://www.exploit-db.com/download/909/ title Microsoft Windows - WINS Remote Buffer Overflow Exploit 3
Metasploit
| description | This module exploits an arbitrary memory write flaw in the WINS service. This exploit has been tested against Windows 2000 only. |
| id | MSF:EXPLOIT/WINDOWS/WINS/MS04_045_WINS |
| last seen | 2020-01-14 |
| modified | 2017-07-24 |
| published | 2005-12-25 |
| references | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1080 |
| reporter | Rapid7 |
| source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/wins/ms04_045_wins.rb |
| title | MS04-045 Microsoft WINS Service Memory Overwrite |
Nessus
NASL family Windows NASL id WINS_REPLICATION_OVERFLOW.NASL description The remote Windows Internet Naming Service (WINS) is vulnerable to a flaw that could allow an attacker to execute arbitrary code on this host. To exploit this flaw, an attacker needs to send a specially crafted packet on port 42 of the remote host. last seen 2020-06-01 modified 2020-06-02 plugin id 15970 published 2004-12-15 reporter This script is Copyright (C) 2004-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/15970 title MS04-035: WINS Code Execution (870763) (uncredentialed check) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(15970); script_version("1.31"); script_cvs_date("Date: 2018/11/15 20:50:29"); script_cve_id("CVE-2004-0567", "CVE-2004-1080"); script_bugtraq_id(11763, 11922); script_xref(name:"MSFT", value:"MS04-035"); script_xref(name:"MSFT", value:"MS04-045"); script_xref(name:"MSKB", value:"885881"); script_xref(name:"MSKB", value:"870763"); script_name(english:"MS04-035: WINS Code Execution (870763) (uncredentialed check)"); script_summary(english:"Determines if hotfix 870763 has been installed"); script_set_attribute(attribute:"synopsis", value:"Arbitrary code can be executed on the remote host."); script_set_attribute(attribute:"description", value: "The remote Windows Internet Naming Service (WINS) is vulnerable to a flaw that could allow an attacker to execute arbitrary code on this host. To exploit this flaw, an attacker needs to send a specially crafted packet on port 42 of the remote host."); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2004/ms04-045"); script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows NT, 2000 and 2003."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'MS04-045 Microsoft WINS Service Memory Overwrite'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"vuln_publication_date", value:"2004/12/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/12/15"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc."); script_family(english:"Windows"); script_dependencies("netbios_name_get.nasl"); script_require_ports(42); exit(0); } # include("byte_func.inc"); port = 42; if ( ! get_port_state(port) ) exit(0, "WINS server is not running"); soc = open_sock_tcp(port); if ( ! soc ) exit(0, "WINS server is not running"); request = raw_string (0x00,0x00,0x00,0x29,0x00,0x00,0x78,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x40,0x00,0x02,0x00,0x05, 0x00,0x00,0x00,0x00,0x60,0x56,0x02,0x01,0x00,0x1F,0x6E,0x03, 0x00,0x1F,0x6E,0x03,0x08,0xFE,0x66,0x03,0x00); send(socket:soc, data:request); r = recv(socket:soc, length:4); if (!r || strlen(r) != 4 ) exit (0, "WINS server shut the connection down"); len = getdword(blob:r, pos:0); if ( len > 256 ) exit(1, "Invalid WINS reply"); r += recv(socket:soc, length:len); if (strlen(r) < 20) exit (1, "Invalid WINS reply"); if (ord(r[6]) != 0x78) exit (1, "Invalid WINS reply"); pointer = substr(r,16,19); request = raw_string (0x00,0x00,0x00,0x0F,0x00,0x00,0x78,0x00) + pointer + raw_string( 0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x00); send(socket:soc, data:request); r = recv(socket:soc, length:4); if (!r || strlen(r) != 4 ) exit (0, "WINS server is patched"); len = getdword(blob:r, pos:0); if ( len > 256 ) exit(1, "Invalid WINS reply"); r += recv(socket:soc, length:len); if (strlen(r) < 8) exit (0, "WINS server is patched"); if (ord(r[6]) == 0x78) security_hole(port); else exit(0, "WINS server is patched");NASL family Windows : Microsoft Bulletins NASL id SMB_NT_MS04-045.NASL description The remote Windows Internet Naming Service (WINS) server is prone to a heap overflow attack that could allow an attacker to execute arbitrary code on this host. To exploit this flaw, an attacker would need to send a specially crafted packet to port 42 of the remote host. last seen 2020-06-01 modified 2020-06-02 plugin id 15962 published 2004-12-14 reporter This script is Copyright (C) 2004-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/15962 title MS04-045: WINS Code Execution (870763)
Oval
accepted 2005-02-23T09:25:00.000-04:00 class vulnerability contributors name Matthew Burton organization The MITRE Corporation description The WINS service (wins.exe) on Microsoft Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 allows remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a WINS replication packet to TCP port 42, aka the "Association Context Vulnerability." family windows id oval:org.mitre.oval:def:1549 status accepted submitted 2005-01-03T12:00:00.000-04:00 title WINS Association Context Vulnerability (64-bit Server 2003, Test 1) version 65 accepted 2011-05-16T04:02:30.956-04:00 class vulnerability contributors name Matthew Burton organization The MITRE Corporation name John Hoyland organization Centennial Software name Sudhir Gandhe organization Telos name Shane Shaffer organization G2, Inc.
description The WINS service (wins.exe) on Microsoft Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 allows remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a WINS replication packet to TCP port 42, aka the "Association Context Vulnerability." family windows id oval:org.mitre.oval:def:2541 status accepted submitted 2005-01-03T12:00:00.000-04:00 title WINS Association Context Vulnerability (Windows 2000) version 68 accepted 2005-06-29T06:49:00.000-04:00 class vulnerability contributors name Matthew Burton organization The MITRE Corporation name Christine Walzer organization The MITRE Corporation
description The WINS service (wins.exe) on Microsoft Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 allows remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a WINS replication packet to TCP port 42, aka the "Association Context Vulnerability." family windows id oval:org.mitre.oval:def:2734 status accepted submitted 2004-12-17T12:00:00.000-04:00 title WINS Association Context Vulnerability (Terminal Server Test 1) version 65 accepted 2005-02-23T09:25:00.000-04:00 class vulnerability contributors name Matthew Burton organization The MITRE Corporation description The WINS service (wins.exe) on Microsoft Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 allows remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a WINS replication packet to TCP port 42, aka the "Association Context Vulnerability." family windows id oval:org.mitre.oval:def:3677 status accepted submitted 2005-01-03T12:00:00.000-04:00 title WINS Association Context Vulnerability (64-bit Server 2003, Test 2) version 64 accepted 2008-03-24T04:00:35.137-04:00 class vulnerability contributors name Matthew Burton organization The MITRE Corporation name Christine Walzer organization The MITRE Corporation name Jonathan Baker organization The MITRE Corporation
definition_extensions comment Microsoft Windows NT is installed oval oval:org.mitre.oval:def:36 description The WINS service (wins.exe) on Microsoft Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 allows remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a WINS replication packet to TCP port 42, aka the "Association Context Vulnerability." family windows id oval:org.mitre.oval:def:4372 status accepted submitted 2004-12-16T12:00:00.000-04:00 title WINS Association Context Vulnerability (Terminal Server Test 2) version 72 accepted 2008-03-24T04:00:37.591-04:00 class vulnerability contributors name Matthew Burton organization The MITRE Corporation name John Hoyland organization Centennial Software name Jonathan Baker organization The MITRE Corporation
definition_extensions comment Microsoft Windows NT is installed oval oval:org.mitre.oval:def:36 description The WINS service (wins.exe) on Microsoft Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 allows remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a WINS replication packet to TCP port 42, aka the "Association Context Vulnerability." family windows id oval:org.mitre.oval:def:4831 status accepted submitted 2005-01-03T12:00:00.000-04:00 title WINS Association Context Vulnerability (NT 4.0) version 72
Packetstorm
| data source | https://packetstormsecurity.com/files/download/83138/ms04_045_wins.rb.txt |
| id | PACKETSTORM:83138 |
| last seen | 2016-12-05 |
| published | 2009-11-26 |
| reporter | H D Moore |
| source | https://packetstormsecurity.com/files/83138/Microsoft-WINS-Service-Memory-Overwrite.html |
| title | Microsoft WINS Service Memory Overwrite |
Saint
| bid | 11763 |
| description | Microsoft WINS replication service pointer corruption |
| id | win_patch_winsrep |
| osvdb | 12378 |
| title | wins_replication_service_pointer |
| type | remote |
References
- http://marc.info/?l=bugtraq&m=110150370506704&w=2
- http://secunia.com/advisories/13328/
- http://securitytracker.com/id?1012516
- http://support.microsoft.com/kb/890710
- http://www.ciac.org/ciac/bulletins/p-054.shtml
- http://www.immunitysec.com/downloads/instantanea.pdf
- http://www.kb.cert.org/vuls/id/145134
- http://www.osvdb.org/12378
- http://www.securityfocus.com/bid/11763
- http://xforce.iss.net/xforce/alerts/id/184
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2004/ms04-045
- https://exchange.xforce.ibmcloud.com/vulnerabilities/18259
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1549
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2541
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2734
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A3677
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4372
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4831