CVE-2005-0045 - Remote Buffer Overflow vulnerability in Microsoft Windows Server Message Block Handlers
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | PARTIAL |
Integrity impact | PARTIAL |
Availability impact | PARTIAL |
Summary
The Server Message Block (SMB) implementation for Windows NT 4.0, 2000, XP, and Server 2003 does not properly validate certain SMB packets, which allows remote attackers to execute arbitrary code via Transaction responses containing (1) Trans or (2) Trans2 commands, aka the "Server Message Block Vulnerability," and as demonstrated using Trans2 FIND_FIRST2 responses with large file name length fields.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
OS | | 49 |
Exploit-Db
description | MS Windows (SMB) Transaction Response Handling Exploit (MS05-011). CVE-2005-0045. DoS exploit for the Windows platform |
id | EDB-ID:1065 |
last seen | 2016-01-31 |
modified | 2005-06-23 |
published | 2005-06-23 |
reporter | cybertronic |
source | https://www.exploit-db.com/download/1065/ |
title | Microsoft Windows - SMB Transaction Response Handling Exploit MS05-011 |
Nessus
NASL family | Windows : Microsoft Bulletins |
NASL id | SMB_NT_MS05-011.NASL |
description | The remote version of Windows contains a flaw in the Server Message Block (SMB) implementation that could allow an attacker to execute arbitrary code on the remote host. To exploit this flaw, an attacker would need to send malformed responses to the remote SMB client, and would be able to either execute arbitrary code on the remote host or to perform a denial of service. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 16326 |
published | 2005-02-08 |
reporter | This script is Copyright (C) 2005-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/16326 |
title | MS05-011: Vulnerability in SMB may allow remote code execution (885250) |
code | |
Oval
id | oval:org.mitre.oval:def:1606 |
title | SMB Code Execution Vulnerability (32-bit XP) |
class | vulnerability |
family | windows |
status | accepted |
submitted | 2005-02-15T12:00:00.000-04:00 |
accepted | 2011-05-16T04:01:26.260-04:00 |
version | 41 |
contributors | Christine Walzer (The MITRE Corporation); Jeff Cheng (Opsware, Inc.); Dragos Prisaca (Gideon Technologies, Inc.); Sudhir Gandhe (Telos); Shane Shaffer (G2, Inc.) |
description | The Server Message Block (SMB) implementation for Windows NT 4.0, 2000, XP, and Server 2003 does not properly validate certain SMB packets, which allows remote attackers to execute arbitrary code via Transaction responses containing (1) Trans or (2) Trans2 commands, aka the "Server Message Block Vulnerability," and as demonstrated using Trans2 FIND_FIRST2 responses with large file name length fields. |

id | oval:org.mitre.oval:def:1847 |
title | SMB Code Execution Vulnerability (Server 2003 / 64-bit XP) |
class | vulnerability |
family | windows |
status | accepted |
submitted | 2005-02-15T12:00:00.000-04:00 |
accepted | 2007-11-13T12:01:02.315-05:00 |
version | 37 |
contributors | Christine Walzer (The MITRE Corporation); Jeff Cheng (Opsware, Inc.) |
description | Same text as oval:org.mitre.oval:def:1606 above. |

id | oval:org.mitre.oval:def:1889 |
title | SMB Code Execution Vulnerability (XP, SP1) |
class | vulnerability |
family | windows |
status | accepted |
submitted | 2005-03-29T12:00:00.000-04:00 |
accepted | 2011-05-16T04:02:00.377-04:00 |
version | 40 |
contributors | Christine Walzer (The MITRE Corporation); Jeff Cheng (Opsware, Inc.); Sudhir Gandhe (Telos); Shane Shaffer (G2, Inc.) |
description | Same text as oval:org.mitre.oval:def:1606 above. |

id | oval:org.mitre.oval:def:4043 |
title | SMB Code Execution Vulnerability (Windows 2000) |
class | vulnerability |
family | windows |
status | accepted |
submitted | 2005-02-15T12:00:00.000-04:00 |
accepted | 2011-05-16T04:02:56.870-04:00 |
version | 42 |
contributors | Christine Walzer (The MITRE Corporation); Andrew Buttner (The MITRE Corporation); Jeff Cheng (Opsware, Inc.); Shane Shaffer (G2, Inc.); Sudhir Gandhe (Telos); Shane Shaffer (G2, Inc.) |
description | Same text as oval:org.mitre.oval:def:1606 above. |
Seebug
bulletinFamily | exploit |
description | <p><strong>Vulnerability description:</strong></p><p>The Windows SMB client contains a buffer overflow vulnerability in its handling of SMB responses. A malicious SMB server can exploit it to execute arbitrary commands on the host of any SMB client that connects to that server. The MRXSMB.SYS driver is responsible for carrying out SMB client operations and processing the responses returned by SMB servers. Several important Windows file-sharing operations, and all RPC-over-named-pipes operations, use the SMB commands Trans (25h) and Trans2 (32h). A malicious SMB server can trigger a buffer overflow by sending specially crafted Transaction response data. The overflow can occur wherever that data is processed, for example in MRXSMB.SYS or in other client code. For instance, if the file name and short file name length fields of a Trans2 FIND_FIRST2 response packet are set to an overly large value, a buffer overflow can result. An attacker can also set up a malicious file:// link so that code is executed when a remote user clicks it.</p><p><strong>Vulnerability impact:</strong></p><p>Affected software:</p><p>• Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4</p><p>• Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2</p><p>• Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium)</p><p>• Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)</p><p>• Microsoft Windows Server 2003</p><p>• Microsoft Windows Server 2003 (for Itanium-based systems)</p><p>Unaffected software:</p><p>• Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)</p><p><strong>CVE-ID: CVE-2005-0045</strong></p><p><strong>CNNVD-ID: CNNVD-200505-518</strong></p><p><strong>CNVD-ID: CNVD-2005-0403</strong></p><p>Microsoft reference: MS05-011/KB885250</p><p><a href="https://technet.microsoft.com/library/security/MS05-011" rel="nofollow">https://technet.microsoft.com/library/security/MS05-011</a></p><p><strong>Solution:</strong></p><p>Microsoft</p><p>---------</p><p>Microsoft has released a security bulletin (MS05-011) and corresponding patches for this issue:</p><p>MS05-011: Vulnerability in Server Message Block Could Allow Remote Code Execution (885250). Link: <a href="http://www.microsoft.com/technet/security/bulletin/MS05-011.mspx">http://www.microsoft.com/technet/security/bulletin/MS05-011.mspx</a></p><p>Patch downloads:</p><p>* Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4 <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=656BDDA5-672B-4A6B-B192-24A2171C7355">http://www.microsoft.com/downloads/details.aspx?FamilyId=656BDDA5-672B-4A6B-B192-24A2171C7355</a></p><p>* Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2 <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=6DF9B2D9-B86E-4924-B677-978EC6B81B54">http://www.microsoft.com/downloads/details.aspx?FamilyId=6DF9B2D9-B86E-4924-B677-978EC6B81B54</a></p><p>* Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium) <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=E5043926-0B79-489B-8EA1-85512828C6F4">http://www.microsoft.com/downloads/details.aspx?FamilyId=E5043926-0B79-489B-8EA1-85512828C6F4</a></p><p>* Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium) <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=8DA45DD0-882E-417C-A7F2-4AABAD675129">http://www.microsoft.com/downloads/details.aspx?FamilyId=8DA45DD0-882E-417C-A7F2-4AABAD675129</a></p><p>* Microsoft Windows Server 2003 <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=1B703115-54C0-445C-B5CE-E9A53C45B36A">http://www.microsoft.com/downloads/details.aspx?FamilyId=1B703115-54C0-445C-B5CE-E9A53C45B36A</a></p><p>* Microsoft Windows Server 2003 for Itanium-based Systems <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=8DA45DD0-882E-417C-A7F2-4AABAD675129">http://www.microsoft.com/downloads/details.aspx?FamilyId=8DA45DD0-882E-417C-A7F2-4AABAD675129</a></p> |
id | SSV:15611 |
last seen | 2017-11-19 |
modified | 2005-06-23 |
published | 2005-06-23 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-15611 |
title | MS Windows (SMB) Transaction Response Handling Exploit (MS05-011) |
References
- http://marc.info/?l=bugtraq&m=110792638401852&w=2
- http://marc.info/?l=bugtraq&m=111040962600205&w=2
- http://marc.info/?l=ntbugtraq&m=110795643831169&w=2
- http://www.kb.cert.org/vuls/id/652537
- http://www.securityfocus.com/bid/12484
- http://www.us-cert.gov/cas/techalerts/TA05-039A.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2005/ms05-011
- https://exchange.xforce.ibmcloud.com/vulnerabilities/19089
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1606
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1847
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1889
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4043