Vulnerabilities > CVE-2005-0045 - Remote Buffer Overflow vulnerability in Microsoft Windows Server Message Block Handlers

CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
microsoft
nessus
exploit available

Summary

The Server Message Block (SMB) implementation for Windows NT 4.0, 2000, XP, and Server 2003 does not properly validate certain SMB packets, which allows remote attackers to execute arbitrary code via Transaction responses containing (1) Trans or (2) Trans2 commands, aka the "Server Message Block Vulnerability," and as demonstrated using Trans2 FIND_FIRST2 responses with large file name length fields.

Exploit-Db

description: MS Windows (SMB) Transaction Response Handling Exploit (MS05-011). CVE-2005-0045. DoS exploit for the Windows platform
idEDB-ID:1065
last seen2016-01-31
modified2005-06-23
published2005-06-23
reportercybertronic
sourcehttps://www.exploit-db.com/download/1065/
titleMicrosoft Windows - SMB Transaction Response Handling Exploit MS05-011

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS05-011.NASL
descriptionThe remote version of Windows contains a flaw in the Server Message Block (SMB) implementation that could allow an attacker to execute arbitrary code on the remote host. To exploit this flaw, an attacker would need to send malformed responses to the remote SMB client, and would be able to either execute arbitrary code on the remote host or to perform a denial of service.
last seen2020-06-01
modified2020-06-02
plugin id16326
published2005-02-08
reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/16326
titleMS05-011: Vulnerability in SMB may allow remote code execution (885250)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration block: NASL evaluates this only while Nessus loads the plugin
# to collect its metadata (`description` is set). It registers identifiers,
# attributes and dependencies and then exits; nothing here touches a target.
if (description)
{
 script_id(16326);
 script_version("1.35");
 script_cvs_date("Date: 2018/11/15 20:50:29");

 # Cross-references: CVE, BugTraq id, Microsoft bulletin, CERT note,
 # the public Exploit-DB entry and the hotfix KB article being verified.
 script_cve_id("CVE-2005-0045");
 script_bugtraq_id(12484);
 script_xref(name:"MSFT", value:"MS05-011");
 script_xref(name:"CERT", value:"652537");
 script_xref(name:"EDB-ID", value:"1065");
 script_xref(name:"MSKB", value:"885250");

 script_name(english:"MS05-011: Vulnerability in SMB may allow remote code execution (885250)");
 script_summary(english:"Determines if hotfix 885250 has been installed");

 script_set_attribute(attribute:"synopsis", value:"Arbitrary code can be executed on the remote host.");
 # The flawed component is the SMB *client* side: the trigger is a malformed
 # Transaction response coming from the server end of a connection, so any
 # host that initiates SMB connections is exposed, not only file servers.
 script_set_attribute(attribute:"description", value:
"The remote version of Windows contains a flaw in the Server Message
Block (SMB) implementation that could allow an attacker to execute
arbitrary code on the remote host.

To exploit this flaw, an attacker would need to send malformed responses
to the remote SMB client, and would be able to either execute arbitrary
code on the remote host or to perform a denial of service.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2005/ms05-011");
 script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows 2000, XP and
2003.");
 # CVSSv2 as rated by the plugin: network vector, medium complexity, no
 # authentication, complete C/I/A impact. NOTE(review): this is stricter
 # than the NVD score shown in the page header (7.5, low complexity,
 # partial impacts); treat the plugin's rating as the conservative one.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
 # Temporal: functional exploit, official fix available, confirmed.
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
 # A public exploit exists (EDB-ID 1065 above) and a CANVAS module is recorded.
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
 script_set_attribute(attribute:"canvas_package", value:'CANVAS');

 script_set_attribute(attribute:"vuln_publication_date", value:"2005/02/08");
 script_set_attribute(attribute:"patch_publication_date", value:"2005/02/08");
 script_set_attribute(attribute:"plugin_publication_date", value:"2005/02/08");

 # "local": a credentialed file-version check over SMB (see the Mrxsmb.sys
 # checks further down), not a probe that replays the malformed responses.
 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");

 # Runs after hotfix enumeration; needs SMB (139/445) or a patch-management
 # data source on the host to have anything to evaluate.
 script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");
 script_require_ports(139, 445, 'Host/patch_management_checks');
 exit(0);
}

include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");

# Active check. Stop unless ms_bulletin_checks_possible.nasl (a declared
# dependency) has recorded that Microsoft bulletin checks can be performed.
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

# Bulletin and KB article whose hotfix is being verified.
bulletin = 'MS05-011';
kb = '885250';

# When a patch-management source has been enumerated for the host, consult it
# first. Presumably hotfix_check_3rd_party() reports and exits when it can
# decide; otherwise execution falls through to the file-version check below.
kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

# The file-version path needs the registry to have been enumerated and the
# Windows version to be known.
get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

# Affected service-pack ranges: Windows 2000 SP3-SP4, XP SP1-SP2 and
# Server 2003 RTM (SP0). Any other OS/SP combination is audited as not
# vulnerable. NOTE(review): Windows NT 4.0 is named in the CVE summary but
# has no entry here, so an unpatched NT 4.0 host is reported as not affected.
if (hotfix_check_sp_range(win2k:'3,4', xp:'1,2', win2003:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

# Locate %SystemRoot% and confirm its administrative share is reachable; the
# driver's version is read from that share.
rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

# Mrxsmb.sys is the SMB client redirector driver, the file the hotfix
# updates. One entry per OS/SP with the first fixed version:
#   os 5.2 sp0 -> Server 2003 RTM, os 5.1 sp1/sp2 -> XP SP1/SP2,
#   os 5.0     -> Windows 2000.
# Presumably hotfix_is_vulnerable() is TRUE when the installed file is older
# than `version`; the || chain stops at the first match, so that entry is
# the one that gets reported.
if (
  hotfix_is_vulnerable(os:"5.2", sp:0, file:"Mrxsmb.sys", version:"5.2.3790.252", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:1, file:"Mrxsmb.sys", version:"5.1.2600.1620", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:2, file:"Mrxsmb.sys", version:"5.1.2600.2598", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.0", file:"Mrxsmb.sys", version:"5.0.2195.7023", dir:"\system32\drivers", bulletin:bulletin, kb:kb)
)
{
  # Record in the KB that the bulletin is missing, report a hole, close the
  # file-version session and finish.
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  # Close the file-version session and report the host as not affected.
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

Oval

  • accepted2011-05-16T04:01:26.260-04:00
    classvulnerability
    contributors
    • nameChristine Walzer
      organizationThe MITRE Corporation
    • nameJeff Cheng
      organizationOpsware, Inc.
    • nameDragos Prisaca
      organizationGideon Technologies, Inc.
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    descriptionThe Server Message Block (SMB) implementation for Windows NT 4.0, 2000, XP, and Server 2003 does not properly validate certain SMB packets, which allows remote attackers to execute arbitrary code via Transaction responses containing (1) Trans or (2) Trans2 commands, aka the "Server Message Block Vulnerability," and as demonstrated using Trans2 FIND_FIRST2 responses with large file name length fields.
    familywindows
    idoval:org.mitre.oval:def:1606
    statusaccepted
    submitted2005-02-15T12:00:00.000-04:00
    titleSMB Code Execution Vulnerability (32-bit XP)
    version41
  • accepted2007-11-13T12:01:02.315-05:00
    classvulnerability
    contributors
    • nameChristine Walzer
      organizationThe MITRE Corporation
    • nameJeff Cheng
      organizationOpsware, Inc.
    descriptionThe Server Message Block (SMB) implementation for Windows NT 4.0, 2000, XP, and Server 2003 does not properly validate certain SMB packets, which allows remote attackers to execute arbitrary code via Transaction responses containing (1) Trans or (2) Trans2 commands, aka the "Server Message Block Vulnerability," and as demonstrated using Trans2 FIND_FIRST2 responses with large file name length fields.
    familywindows
    idoval:org.mitre.oval:def:1847
    statusaccepted
    submitted2005-02-15T12:00:00.000-04:00
    titleSMB Code Execution Vulnerability (Server 2003 / 64-bit XP)
    version37
  • accepted2011-05-16T04:02:00.377-04:00
    classvulnerability
    contributors
    • nameChristine Walzer
      organizationThe MITRE Corporation
    • nameJeff Cheng
      organizationOpsware, Inc.
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    descriptionThe Server Message Block (SMB) implementation for Windows NT 4.0, 2000, XP, and Server 2003 does not properly validate certain SMB packets, which allows remote attackers to execute arbitrary code via Transaction responses containing (1) Trans or (2) Trans2 commands, aka the "Server Message Block Vulnerability," and as demonstrated using Trans2 FIND_FIRST2 responses with large file name length fields.
    familywindows
    idoval:org.mitre.oval:def:1889
    statusaccepted
    submitted2005-03-29T12:00:00.000-04:00
    titleSMB Code Execution Vulnerability (XP,SP1)
    version40
  • accepted2011-05-16T04:02:56.870-04:00
    classvulnerability
    contributors
    • nameChristine Walzer
      organizationThe MITRE Corporation
    • nameAndrew Buttner
      organizationThe MITRE Corporation
    • nameJeff Cheng
      organizationOpsware, Inc.
    • nameShane Shaffer
      organizationG2, Inc.
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    descriptionThe Server Message Block (SMB) implementation for Windows NT 4.0, 2000, XP, and Server 2003 does not properly validate certain SMB packets, which allows remote attackers to execute arbitrary code via Transaction responses containing (1) Trans or (2) Trans2 commands, aka the "Server Message Block Vulnerability," and as demonstrated using Trans2 FIND_FIRST2 responses with large file name length fields.
    familywindows
    idoval:org.mitre.oval:def:4043
    statusaccepted
    submitted2005-02-15T12:00:00.000-04:00
    titleSMB Code Execution Vulnerability (Windows 2000)
    version42

Seebug

bulletinFamilyexploit
description<p><strong>漏洞描述:</strong></p><p>Windows SMB客户端在处理SMB响应时存在一个缓冲区溢出漏洞。恶意的SMB服务器可以利用这个漏洞在连接该服务器的SMB客户端主机上执行任意命令。MRXSMB.SYS驱动负责执行SMB客户端操作以及处理SMB服务器返回的响应。一些重要的Windows文件共享操作以及所有的RPC-over-named-pipes操作使用SMB命令Trans(25h)和Trans2(32h)。一个恶意的SMB服务器通过发送特殊的Transaction响应数据可能导致一个缓冲区溢出漏洞。溢出可能发生在任何这个数据被处理的地方,例如MRXSMB.SYS或其他客户端代码中。例如,如果Trans2 FIND_FIRST2响应报文中的文件名和短文件名长度字段被设置为一个过大的值,就可能导致一个缓冲区溢出。攻击者也可以通过设置一个恶意的file://链接,当远程用户点击这个链接时,导致代码被执行。</p><p><strong>漏洞影响:</strong></p><p>受影响的软件:</p><p>&nbsp;•Microsoft Windows 2000 Service Pack 3 和 Microsoft Windows 2000 Service Pack 4 </p><p>•Microsoft Windows XP Service Pack 1 和 Microsoft Windows XP Service Pack 2 </p><p>•Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium) </p><p>•Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium) </p><p>•Microsoft Windows Server 2003</p><p>•Microsoft Windows Server 2003(用于基于 Itanium 的系统</p><p>不受影响的软件: </p><p>•Microsoft Windows 98、Microsoft Windows 98 Second Edition (SE) 和 Microsoft Windows Millennium Edition (ME)</p><p><strong>CVE-ID:CVE-2005-0045 </strong></p><p>&nbsp;</p><p><strong>CNNVD-ID:CNNVD-200505-518</strong></p><p>&nbsp;</p><p><strong>CNVD-ID:CNVD-2005-0403 </strong></p><p>微软编号:MS05-011/KB885250</p><p><a href="https://technet.microsoft.com/library/security/MS05-011" rel="nofollow">https://technet.microsoft.com/library/security/MS05-011</a></p><p><strong>解决方案:</strong></p><p>Microsoft </p><p>--------- </p><p>Microsoft已经为此发布了一个安全公告(MS05-011)以及相应补丁:</p><p>MS05-011:Vulnerability in Server Message Block Could Allow Remote Code Execution (885250)链接:<a href="http://www.microsoft.com/technet/security/bulletin/MS05-011.mspx">http://www.microsoft.com/technet/security/bulletin/MS05-011.mspx</a></p><p>补丁下载:</p><p>* Microsoft Windows 2000 Service Pack 3和Microsoft Windows 2000 Service Pack 4 <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=656BDDA5-672B-4A6B-B192-24A2171C7355">http://www.microsoft.com/downloads/details.aspx?FamilyId=656BDDA5-672B-4A6B-B192-24A2171C7355</a> 
</p><p>* Microsoft Windows XP Service Pack 1和Microsoft Windows XP Service Pack 2 <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=6DF9B2D9-B86E-4924-B677-978EC6B81B54">http://www.microsoft.com/downloads/details.aspx?FamilyId=6DF9B2D9-B86E-4924-B677-978EC6B81B54</a></p><p>&nbsp;* Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium) <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=E5043926-0B79-489B-8EA1-85512828C6F4">http://www.microsoft.com/downloads/details.aspx?FamilyId=E5043926-0B79-489B-8EA1-85512828C6F4</a> </p><p>* Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium) <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=8DA45DD0-882E-417C-A7F2-4AABAD675129">http://www.microsoft.com/downloads/details.aspx?FamilyId=8DA45DD0-882E-417C-A7F2-4AABAD675129</a> </p><p>* Microsoft Windows Server 2003 <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=1B703115-54C0-445C-B5CE-E9A53C45B36A">http://www.microsoft.com/downloads/details.aspx?FamilyId=1B703115-54C0-445C-B5CE-E9A53C45B36A</a></p><p>&nbsp;* Microsoft Windows Server 2003 for Itanium-based Systems <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=8DA45DD0-882E-417C-A7F2-4AABAD675129">http://www.microsoft.com/downloads/details.aspx?FamilyId=8DA45DD0-882E-417C-A7F2-4AABAD675129</a></p>
idSSV:15611
last seen2017-11-19
modified2005-06-23
published2005-06-23
reporterRoot
sourcehttps://www.seebug.org/vuldb/ssvid-15611
titleMS Windows (SMB) Transaction Response Handling Exploit (MS05-011)