Vulnerabilities > CVE-2005-0051 - Remote Information Disclosure vulnerability in Microsoft Windows Named Pipe

CVSS 7.5 - HIGH (page score with partial Integrity/Availability impact; note that both Nessus plugins below rate this issue as confidentiality-only, AV:N/AC:L/Au:N/C:P/I:N/A:N, which scores 5.0 — the bulletin describes information disclosure, not modification or denial of service)
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL

Summary

The Server service (srvsvc.dll) in Windows XP SP1 and SP2 allows remote attackers to obtain sensitive information (users who are accessing resources) via an anonymous logon using a named pipe, which is not properly authenticated, aka the "Named Pipe Vulnerability."

Vulnerable Configurations

Part Description Count
OS
Microsoft
3

Nessus

  • NASL familyWindows
    NASL idSMB_KB888302.NASL
    description: The remote version of Windows contains a flaw that may allow an unauthenticated attacker to obtain session information through a Server service named pipe reached over a NULL (anonymous) SMB session. An attacker may exploit this flaw to learn which users are accessing resources on the remote host.
    last seen2020-06-01
    modified2020-06-02
    plugin id16337
    published2005-02-10
    reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/16337
    titleMS05-007: Vulnerability in Windows Could Allow Information Disclosure (888302) (uncredentialed check)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
     script_id(16337);
     script_version("1.25");
     script_cvs_date("Date: 2018/11/15 20:50:28");
    
     script_cve_id("CVE-2005-0051");
     script_bugtraq_id(12486);
     script_xref(name:"MSFT", value:"MS05-007");
     script_xref(name:"MSKB", value:"888302");
    
     script_name(english:"MS05-007: Vulnerability in Windows Could Allow Information Disclosure (888302) (uncredentialed check)");
     script_summary(english:"Determines if hotfix 888302 has been installed");
    
     script_set_attribute(attribute:"synopsis", value:
    "System information about the remote host can be obtained by an
    anonymous user.");
     script_set_attribute(attribute:"description", value:
    "The remote version of Windows contains a flaw that may allow an
    attacker to cause it to disclose information over the use of a named
    pipe through a NULL session.
    
    An attacker may exploit this flaw to gain more knowledge about the
    remote host.");
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2005/ms05-007");
     script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows XP.");
     # Confidentiality-only vector (CVSS2 base 5.0): the flaw leaks session
     # information and nothing else, which is narrower than the 7.5 / I:P/A:P
     # score this CVE is sometimes given.
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
     script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"false");
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2005/02/08");
     script_set_attribute(attribute:"plugin_publication_date", value:"2005/02/10");
    
     # NOTE(review): the title calls this an "uncredentialed check" and the body
     # probes the host over SMB without reading any local file or registry data,
     # yet plugin_type is "local" -- confirm whether "remote" is intended.
     script_set_attribute(attribute:"plugin_type", value:"local");
     script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
    
     script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
     script_family(english:"Windows");
     # smb_nativelanman.nasl populates Host/OS/smb, which the body filters on.
     script_dependencies("smb_nativelanman.nasl");
     # SMB over NetBIOS (139) or directly over TCP (445).
     script_require_ports(139,445);
     exit(0);
    }
    
    #
    
    include ("smb_func.inc");
    include("audit.inc");
    
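    # Uncredentialed check for MS05-007: connect to IPC$ and ask the Server
    # service to enumerate sessions. An unpatched XP SP1/SP2 host answers
    # NetSessionEnum for an anonymous caller (the "Named Pipe Vulnerability");
    # a patched host refuses the request.
    #
    # NOTE(review): NetUseAdd is called without explicit login/password/domain,
    # so whether this is really a NULL session or falls back to the scan's SMB
    # credentials depends on smb_func.inc -- confirm. An authenticated session
    # would also enumerate successfully on a patched host (false positive).
    os = get_kb_item("Host/OS/smb");
    
    # MS05-007 lists only Windows XP (NT 5.1) as affected; stay silent elsewhere.
    # NOTE(review): 64-bit XP editions report a 5.2 kernel and are not matched
    # here, although the OVAL definitions for this CVE include a 64-bit variant
    # -- confirm that this gap is intended.
    if (!os || "Windows 5.1" >!< os) exit(0);
    
    port = int(get_kb_item("SMB/transport"));
    if (!port) port = 445;
    
    if (!smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');
    
    # A failed tree connect to IPC$ must not fall through to the enumeration;
    # release the SMB session before bailing out.
    rc = NetUseAdd(share:"IPC$");
    if (rc != 1)
    {
      NetUseDel();
      audit(AUDIT_SHARE_FAIL, "IPC$");
    }
    
    # Any session list coming back means the anonymous caller was not refused.
    # NOTE(review): if NetSessionEnum can succeed with an empty list and an
    # empty list is falsy here, a host with no other sessions would be missed.
    sessions = NetSessionEnum(level:SESSION_INFO_10);
    if (sessions) security_warning(port);
    
    NetUseDel();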
    
    
  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS05-007.NASL
    description: The remote version of Windows contains a flaw that could allow an unauthenticated attacker to obtain session information through a Server service named pipe reached over a NULL (anonymous) SMB session. An attacker may exploit this flaw to learn which users are accessing resources on the remote host.
    last seen2020-06-01
    modified2020-06-02
    plugin id16331
    published2005-02-09
    reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/16331
    titleMS05-007: Vulnerability in Windows Could Allow Information Disclosure (888302)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
     script_id(16331);
     script_version("1.33");
     script_cvs_date("Date: 2018/11/15 20:50:29");
    
     script_cve_id("CVE-2005-0051");
     script_bugtraq_id(12486);
     script_xref(name:"MSFT", value:"MS05-007");
     script_xref(name:"CERT", value:"939074");
     script_xref(name:"MSKB", value:"888302");
    
     script_name(english:"MS05-007: Vulnerability in Windows Could Allow Information Disclosure (888302)");
     script_summary(english:"Determines if hotfix 888302 has been installed");
    
     script_set_attribute(attribute:"synopsis", value:"It is possible to disclose information about the remote host.");
     script_set_attribute(attribute:"description", value:
    "The remote version of Windows contains a flaw that could allow an
    attacker to cause it to disclose information over the use of a named
    pipe through a NULL session.
    
    An attacker may exploit this flaw to gain more knowledge about the
    remote host.");
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2005/ms05-007");
     script_set_attribute(attribute:"solution", value:"Microsoft has released a patch for Windows XP.");
     # Confidentiality-only vector (CVSS2 base 5.0): the flaw leaks session
     # information and nothing else, which is narrower than the 7.5 / I:P/A:P
     # score this CVE is sometimes given.
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
     script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"false");
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2005/02/08");
     script_set_attribute(attribute:"patch_publication_date", value:"2005/02/08");
     script_set_attribute(attribute:"plugin_publication_date", value:"2005/02/09");
    
     # "local" is accurate here: the body reads the installed Srvsvc.dll version
     # over an authenticated SMB share, so valid credentials are required.
     script_set_attribute(attribute:"plugin_type", value:"local");
     script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
    
     script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
     script_family(english:"Windows : Microsoft Bulletins");
    
     # smb_hotfixes.nasl gathers the registry/version facts the body consumes;
     # ms_bulletin_checks_possible.nasl sets the gating key required below.
     script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
     script_require_keys("SMB/MS_Bulletin_Checks/Possible");
     # SMB over NetBIOS or TCP, or a third-party patch-management data source.
     script_require_ports(139, 445, 'Host/patch_management_checks');
     exit(0);
    }
    
    
    include("audit.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("smb_func.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    # Credentialed check for MS05-007 (KB 888302). The fix replaces Srvsvc.dll,
    # so the installed file version is presumably compared against the patched
    # build for the host's service pack.
    bulletin = 'MS05-007';
    kb = '888302';
    kb_list = make_list(kb);
    
    # Defer to a third-party patch-management source when one is configured.
    if (get_kb_item("Host/patch_management_checks"))
      hotfix_check_3rd_party(bulletin:bulletin, kbs:kb_list, severity:SECURITY_WARNING);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    # Only XP SP1 and SP2 are in scope for this bulletin.
    # NOTE(review): the os:"5.1" matches below cover 32-bit XP; the OVAL
    # definitions for this CVE also list a 64-bit variant -- confirm whether
    # 64-bit XP editions need a separate check.
    if (hotfix_check_sp_range(xp:'1,2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    sysroot = hotfix_get_systemroot();
    if (!sysroot) exit(1, "Failed to get the system root.");
    
    sysroot_share = hotfix_path2share(path:sysroot);
    if (!is_accessible_share(share:sysroot_share)) audit(AUDIT_SHARE_FAIL, sysroot_share);
    
    # Patched Srvsvc.dll builds: 5.1.2600.1613 (SP1) and 5.1.2600.2577 (SP2).
    # Each call is SP-specific and the || short-circuits, so at most one
    # matches the host.
    vuln = hotfix_is_vulnerable(os:"5.1", sp:1, file:"Srvsvc.dll", version:"5.1.2600.1613", dir:"\system32", bulletin:bulletin, kb:kb) ||
           hotfix_is_vulnerable(os:"5.1", sp:2, file:"Srvsvc.dll", version:"5.1.2600.2577", dir:"\system32", bulletin:bulletin, kb:kb);
    
    # Not vulnerable: close the file-version session and report that.
    if (!vuln)
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, 'affected');
    }
    
    # Vulnerable: record the missing bulletin, report, then close the session.
    set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
    hotfix_security_warning();
    hotfix_check_fversion_end();
    exit(0);
    

Oval

  • accepted2011-05-16T04:02:27.926-04:00
    classvulnerability
    contributors
    • nameJonathan Baker
      organizationThe MITRE Corporation
    • nameJonathan Baker
      organizationThe MITRE Corporation
    • nameDragos Prisaca
      organizationGideon Technologies, Inc.
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    descriptionThe Server service (srvsvc.dll) in Windows XP SP1 and SP2 allows remote attackers to obtain sensitive information (users who are accessing resources) via an anonymous logon using a named pipe, which is not properly authenticated, aka the "Named Pipe Vulnerability."
    familywindows
    idoval:org.mitre.oval:def:2292
    statusaccepted
    submitted2005-02-10T12:00:00.000-04:00
    titleWindows XP Named Pipe Vulnerability (32-bit architecture)
    version70
  • accepted2011-05-16T04:02:41.614-04:00
    classvulnerability
    contributors
    • nameJonathan Baker
      organizationThe MITRE Corporation
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    descriptionThe Server service (srvsvc.dll) in Windows XP SP1 and SP2 allows remote attackers to obtain sensitive information (users who are accessing resources) via an anonymous logon using a named pipe, which is not properly authenticated, aka the "Named Pipe Vulnerability."
    familywindows
    idoval:org.mitre.oval:def:3055
    statusaccepted
    submitted2005-02-10T12:00:00.000-04:00
    titleWindows XP Named Pipe Vulnerability (64-bit architecture)
    version68