CVE-2005-0688 - Unspecified vulnerability in Microsoft Windows 2003 Server and Windows XP

CVSS 5.0 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: PARTIAL
Tags: network, low complexity, microsoft, nessus, exploit available

Summary

Windows Server 2003 and XP SP2, with Windows Firewall turned off, allows remote attackers to cause a denial of service (CPU consumption) via a TCP packet with the SYN flag set and the same destination and source address and port, aka a reoccurrence of the "Land" vulnerability (CVE-1999-0016).

Vulnerable Configurations

Part  Description  Count
OS    Microsoft    2

Exploit-Db

  • description: MS Windows Malformed IP Options DoS Exploit (MS05-019). CVE-2004-0230, CVE-2004-0790, CVE-2004-1060, CVE-2005-0048, CVE-2005-0688. DoS exploit for Windows platform
    id: EDB-ID:942
    last seen: 2016-01-31
    modified: 2005-04-17
    published: 2005-04-17
    reporter: Yuri Gushin
    source: https://www.exploit-db.com/download/942/
    title: Microsoft Windows - Malformed IP Options DoS Exploit MS05-019
  • description: MS Windows XP/2003 Remote Denial of Service Exploit. CVE-2005-0688, CVE-2005-1649. DoS exploit for Windows platform
    id: EDB-ID:861
    last seen: 2016-01-31
    modified: 2005-03-07
    published: 2005-03-07
    reporter: RusH
    source: https://www.exploit-db.com/download/861/
    title: Microsoft Windows 2003/XP - Remote Denial of Service Exploit

Nessus

  • NASL family: Windows
    NASL id: SMB_KB893066.NASL
    description: The remote host runs a version of Windows that has a flaw in its TCP/IP stack. The flaw may allow an attacker to execute arbitrary code with SYSTEM privileges on the remote host or to perform a denial of service attack against the remote host. Proof of concept code is available to perform a denial of service attack against a vulnerable system.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 18028
    published: 2005-04-12
    reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/18028
    title: MS05-019: Vulnerabilities in TCP/IP Could Allow Remote Code Execution (893066) (uncredentialed check)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
     script_id(18028);
     script_version("1.37");
     script_cvs_date("Date: 2018/11/15 20:50:28");
    
     script_cve_id("CVE-2005-0048", "CVE-2004-0790", "CVE-2004-1060", "CVE-2004-0230", "CVE-2005-0688");
     script_bugtraq_id(13124, 13116);
     script_xref(name:"MSFT", value:"MS05-019");
     script_xref(name:"MSKB", value:"893066");
    
     script_name(english:"MS05-019: Vulnerabilities in TCP/IP Could Allow Remote Code Execution (893066) (uncredentialed check)");
     script_summary(english:"Checks for hotfix KB893066");
    
     script_set_attribute(attribute:"synopsis", value:
    "Arbitrary code can be executed on the remote host due to a flaw in the
    TCP/IP stack.");
     script_set_attribute(attribute:"description", value:
    "The remote host runs a version of Windows that has a flaw in its
    TCP/IP stack.
    
    The flaw may allow an attacker to execute arbitrary code with SYSTEM
    privileges on the remote host or to perform a denial of service attack
    against the remote host.
    
    Proof of concept code is available to perform a denial of service
    attack against a vulnerable system.");
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2005/ms05-019");
     script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows 2000, XP and 2003.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2004/04/20");
     script_set_attribute(attribute:"plugin_publication_date", value:"2005/04/12");
    
     script_set_attribute(attribute:"potential_vulnerability", value:"true");
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
     script_family(english:"Windows");
    
     script_dependencies("tcp_seq_window.nasl", "os_fingerprint.nasl");
     script_require_keys("TCP/seq_window_flaw", "Host/OS", "Settings/ParanoidReport");
     exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    os = get_kb_item_or_exit("Host/OS") ;
    
    conf = get_kb_item_or_exit("Host/OS/Confidence");
    if (conf <= 70) exit(1, "Can't determine the host's OS with sufficient confidence.");
    
    if ("Windows" >!< os) exit(0, "The host is not running Windows.");
    if ("Windows 4.0" >< os) exit(0, "Windows NT is not reported to be affected.");
    if ("Windows Server 2003 Service Pack" >< os) exit(0, "Windows 2003 SP1 and later are not reported to be affected.");
    
    if (ereg(pattern:"Windows (95|98|ME|XP|Server 2003)", string:os))
    {
      if (get_kb_item("TCP/seq_window_flaw"))
      {
       security_hole(port:get_kb_item("SMB/transport"));
       exit(0);
      }
      else exit(0, "The host is not affected.");
    }
    else exit(0, "The host is not running one of the versions of Windows reportedly affected.");
    
  • NASL family: Windows : Microsoft Bulletins
    NASL id: SMB_NT_MS05-019.NASL
    description: The remote host runs a version of Windows that has a flaw in its TCP/IP stack. The flaw could allow an attacker to execute arbitrary code with SYSTEM privileges on the remote host, or to perform a denial of service attack against the remote host. Proof of concept code is available to perform a denial of service attack against a vulnerable system.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 18023
    published: 2005-04-12
    reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/18023
    title: MS05-019: Vulnerabilities in TCP/IP Could Allow Remote Code Execution (893066)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
     script_id(18023);
     script_version("1.43");
     script_cvs_date("Date: 2018/11/15 20:50:29");
    
     script_cve_id(
      "CVE-2004-0230",
      "CVE-2004-0790",
      "CVE-2004-1060",
      "CVE-2005-0048",
      "CVE-2005-0065",
      "CVE-2005-0066",
      "CVE-2005-0067",
      "CVE-2005-0068",
      "CVE-2005-0688"
     );
     script_bugtraq_id(13116, 13124, 13658);
     script_xref(name:"MSFT", value:"MS05-019");
     script_xref(name:"CERT", value:"222750");
     script_xref(name:"CERT", value:"233754");
     script_xref(name:"CERT", value:"396645");
     script_xref(name:"CERT", value:"415294");
     script_xref(name:"EDB-ID", value:"276");
     script_xref(name:"EDB-ID", value:"291");
     script_xref(name:"EDB-ID", value:"861");
     script_xref(name:"EDB-ID", value:"948");
     script_xref(name:"EDB-ID", value:"24030");
     script_xref(name:"EDB-ID", value:"24031");
     script_xref(name:"EDB-ID", value:"24032");
     script_xref(name:"EDB-ID", value:"24033");
     script_xref(name:"EDB-ID", value:"25383");
     script_xref(name:"EDB-ID", value:"25388");
     script_xref(name:"EDB-ID", value:"25389");
     script_xref(name:"MSKB", value:"893066");
    
     script_name(english:"MS05-019: Vulnerabilities in TCP/IP Could Allow Remote Code Execution (893066)");
     script_summary(english:"Checks the remote registry for 893066");
    
     script_set_attribute(attribute:"synopsis", value:
    "Arbitrary code can be executed on the remote host due to a flaw in the
    TCP/IP stack.");
     script_set_attribute(attribute:"description", value:
    "The remote host runs a version of Windows that has a flaw in its TCP/IP
    stack.
    
    The flaw could allow an attacker to execute arbitrary code with SYSTEM
    privileges on the remote host, or to perform a denial of service attack
    against the remote host.
    
    Proof of concept code is available to perform a Denial of Service
    against a vulnerable system.");
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2005/ms05-019");
     script_set_attribute(attribute:"solution", value:
    "Microsoft has released a set of patches for Windows 2000, XP and
    2003.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2005/03/05");
     script_set_attribute(attribute:"patch_publication_date", value:"2005/04/12");
     script_set_attribute(attribute:"plugin_publication_date", value:"2005/04/12");
    
     script_set_attribute(attribute:"plugin_type", value:"local");
     script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
    
     script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
     script_family(english:"Windows : Microsoft Bulletins");
    
     script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
     script_require_keys("SMB/MS_Bulletin_Checks/Possible");
     script_require_ports(139, 445, 'Host/patch_management_checks');
     exit(0);
    }
    
    include("audit.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("smb_func.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = 'MS05-019';
    kb = '893066';
    
    kbs = make_list(kb);
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(win2k:'3,4', xp:'1,2', win2003:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    rootfile = hotfix_get_systemroot();
    if (!rootfile) exit(1, "Failed to get the system root.");
    
    share = hotfix_path2share(path:rootfile);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if (
      hotfix_is_vulnerable(os:"5.2", sp:0, file:"Tcpip.sys", version:"5.2.3790.336", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"5.1", sp:1, file:"Tcpip.sys", version:"5.1.2600.1693", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"5.1", sp:2, file:"Tcpip.sys", version:"5.1.2600.2685", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"5.0", file:"Tcpip.sys", version:"5.0.2195.7049", dir:"\system32\drivers", bulletin:bulletin, kb:kb)
    )
    {
      set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, 'affected');
    }
    
  • NASL family: Windows : Microsoft Bulletins
    NASL id: SMB_NT_MS06-064.NASL
    description: The remote host runs a version of Windows that has a flaw in its TCP/IP IPv6 stack. The flaw could allow an attacker to perform a denial of service attack against the remote host. To exploit this vulnerability, an attacker needs to send a specially crafted ICMP or TCP packet to the remote host.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22537
    published: 2006-10-10
    reporter: This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/22537
    title: MS06-064: Vulnerability in TCP/IP IPv6 Could Allow Denial of Service (922819)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
     script_id(22537);
     script_version("1.31");
     script_cvs_date("Date: 2018/11/15 20:50:30");
    
     script_cve_id("CVE-2004-0790","CVE-2004-0230","CVE-2005-0688");
     script_bugtraq_id(13124, 13658);
     script_xref(name:"CERT", value:"415294");
     script_xref(name:"CERT", value:"222750");
     script_xref(name:"CERT", value:"396645");
     script_xref(name:"MSFT", value:"MS06-064");
     script_xref(name:"MSKB", value:"922819");
    
     script_name(english:"MS06-064: Vulnerability in TCP/IP IPv6 Could Allow Denial of Service (922819)");
     script_summary(english:"Checks the remote registry for 922819");
    
     script_set_attribute(attribute:"synopsis", value:
    "It is possible to crash the remote host due to a flaw in the TCP/IP
    IPv6 stack.");
     script_set_attribute(attribute:"description", value:
    "The remote host runs a version of Windows that has a flaw in its
    TCP/IP IPv6 stack.
    
    The flaw could allow an attacker to perform a denial of service attack
    against the remote host.
    
    To exploit this vulnerability, an attacker needs to send a specially
    crafted ICMP or TCP packet to the remote host.");
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2006/ms06-064");
     script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows XP and 2003.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2003/12/22");
     script_set_attribute(attribute:"patch_publication_date", value:"2006/10/10");
     script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/10");
    
     script_set_attribute(attribute:"plugin_type", value:"local");
     script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
    
     script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
     script_family(english:"Windows : Microsoft Bulletins");
    
     script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
     script_require_keys("SMB/MS_Bulletin_Checks/Possible");
     script_require_ports(139, 445, 'Host/patch_management_checks');
     exit(0);
    }
    
    include("audit.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("smb_func.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = 'MS06-064';
    kb = '922819';
    
    kbs = make_list(kb);
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(xp:'1,2', win2003:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    rootfile = hotfix_get_systemroot();
    if (!rootfile) exit(1, "Failed to get the system root.");
    
    share = hotfix_path2share(path:rootfile);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if ( hotfix_is_vulnerable(os:"5.2", sp:0, file:"Tcpip6.sys", version:"5.2.3790.576", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
         hotfix_is_vulnerable(os:"5.2", sp:1, file:"Tcpip6.sys", version:"5.2.3790.2771", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
         hotfix_is_vulnerable(os:"5.1", sp:1, file:"Tcpip6.sys", version:"5.1.2600.1886", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
         hotfix_is_vulnerable(os:"5.1", sp:2, file:"Tcpip6.sys", version:"5.1.2600.2975", dir:"\system32\drivers", bulletin:bulletin, kb:kb) )
    {
      set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
      hotfix_security_warning();
    
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, 'affected');
    }
    

Oval

  • accepted: 2011-05-16T04:00:46.822-04:00
    class: vulnerability
    contributors:
    • name: Matthew Burton
      organization: The MITRE Corporation
    • name: John Hoyland
      organization: Centennial Software
    • name: Sudhir Gandhe
      organization: Telos
    • name: Shane Shaffer
      organization: G2, Inc.
    description: Windows Server 2003 and XP SP2, with Windows Firewall turned off, allows remote attackers to cause a denial of service (CPU consumption) via a TCP packet with the SYN flag set and the same destination and source address and port, aka a reoccurrence of the "Land" vulnerability (CVE-1999-0016).
    family: windows
    id: oval:org.mitre.oval:def:1288
    status: accepted
    submitted: 2005-04-22T12:00:00.000-04:00
    title: Win2k Land Vulnerability
    version: 39
  • accepted: 2011-05-16T04:01:35.481-04:00
    class: vulnerability
    contributors:
    • name: Matthew Burton
      organization: The MITRE Corporation
    • name: John Hoyland
      organization: Centennial Software
    • name: Dragos Prisaca
      organization: Gideon Technologies, Inc.
    • name: Brendan Miles
      organization: The MITRE Corporation
    • name: Sudhir Gandhe
      organization: Telos
    • name: Shane Shaffer
      organization: G2, Inc.
    description: Windows Server 2003 and XP SP2, with Windows Firewall turned off, allows remote attackers to cause a denial of service (CPU consumption) via a TCP packet with the SYN flag set and the same destination and source address and port, aka a reoccurrence of the "Land" vulnerability (CVE-1999-0016).
    family: windows
    id: oval:org.mitre.oval:def:1685
    status: accepted
    submitted: 2005-08-18T04:00:00.000-04:00
    title: WinXP Land Vulnerability
    version: 42
  • accepted: 2011-05-09T04:01:35.065-04:00
    class: vulnerability
    contributors:
    • name: Robert L. Hollis
      organization: ThreatGuard, Inc.
    • name: Shane Shaffer
      organization: G2, Inc.
    definition_extensions:
    • comment: Microsoft Windows XP SP1 (32-bit) is installed
      oval: oval:org.mitre.oval:def:1
    • comment: Microsoft Windows XP SP2 or later is installed
      oval: oval:org.mitre.oval:def:521
    • comment: Microsoft Windows XP SP1 (64-bit) is installed
      oval: oval:org.mitre.oval:def:480
    • comment: Microsoft Windows Server 2003 (x86) Gold is installed
      oval: oval:org.mitre.oval:def:165
    • comment: Microsoft Windows Server 2003 SP1 (x86) is installed
      oval: oval:org.mitre.oval:def:565
    description: Windows Server 2003 and XP SP2, with Windows Firewall turned off, allows remote attackers to cause a denial of service (CPU consumption) via a TCP packet with the SYN flag set and the same destination and source address and port, aka a reoccurrence of the "Land" vulnerability (CVE-1999-0016).
    family: windows
    id: oval:org.mitre.oval:def:482
    status: accepted
    submitted: 2006-10-11T05:29:41
    title: Spoofed Connection Request Vulnerability
    version: 42
  • accepted: 2013-09-02T04:05:46.786-04:00
    class: vulnerability
    contributors:
    • name: Matthew Burton
      organization: The MITRE Corporation
    • name: John Hoyland
      organization: Centennial Software
    • name: Sudhir Gandhe
      organization: Telos
    • name: Shane Shaffer
      organization: G2, Inc.
    • name: Dragos Prisaca
      organization: G2, Inc.
    description: Windows Server 2003 and XP SP2, with Windows Firewall turned off, allows remote attackers to cause a denial of service (CPU consumption) via a TCP packet with the SYN flag set and the same destination and source address and port, aka a reoccurrence of the "Land" vulnerability (CVE-1999-0016).
    family: windows
    id: oval:org.mitre.oval:def:4978
    status: accepted
    submitted: 2005-08-18T04:00:00.000-04:00
    title: Server 2003 Object Management Vulnerability
    version: 41