Vulnerabilities > CVE-2005-1985 - Unspecified vulnerability in Microsoft Windows 2000, Windows 2003 Server and Windows XP

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
microsoft
nessus

Summary

The Client Service for NetWare (CSNW) on Microsoft Windows 2000 SP4, XP SP1 and Sp2, and Server 2003 SP1 and earlier, allows remote attackers to execute arbitrary code due to an "unchecked buffer" when processing certain crafted network messages.

Nessus

  • NASL familyWindows
    NASL idSMB_KB899589.NASL
    descriptionThe remote host contains a version of the Client Service for NetWare that is vulnerable to a buffer overflow. An attacker may exploit this flaw by connecting to the NetWare RPC service (possibly over IP) and triggering the overflow by sending a malformed RPC request.
    last seen2020-06-01
    modified2020-06-02
    plugin id20006
    published2005-10-11
    reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/20006
    titleMS05-046: Vulnerability in the Client Service for NetWare Could Allow Remote Code Execution (899589) (uncredentialed check)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
     script_id(20006);
     script_version("1.26");
     script_cvs_date("Date: 2018/11/15 20:50:28");
    
     script_cve_id("CVE-2005-1985");
     script_bugtraq_id(15066);
     script_xref(name:"MSFT", value:"MS05-046");
     script_xref(name:"MSKB", value:"899589");
    
     script_name(english:"MS05-046: Vulnerability in the Client Service for NetWare Could Allow Remote Code Execution (899589) (uncredentialed check)");
     script_summary(english:"Determines the presence of update 899589 (remote check)");
    
     script_set_attribute(attribute:"synopsis", value:
    "A flaw in the client service for NetWare may allow an attacker to
    execute arbitrary code on the remote host.");
     script_set_attribute(attribute:"description", value:
    "The remote host contains a version of the Client Service for NetWare
    that is vulnerable to a buffer overflow.
    
    An attacker may exploit this flaw by connecting to the NetWare RPC
    service (possibly over IP) and triggering the overflow by sending a
    malformed RPC request.");
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2005/ms05-046");
     script_set_attribute(attribute:"solution", value:
    "Microsoft has released a set of patches for Windows 2000, XP and
    2003.");
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
     script_set_attribute(attribute:"exploit_framework_core", value:"true");
     script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
     script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2005/10/11");
     script_set_attribute(attribute:"plugin_publication_date", value:"2005/10/11");
    
     script_set_attribute(attribute:"plugin_type", value:"local");
     script_set_attribute(attribute:"cpe", value:"x-cpe:/a:microsoft:windows:netwareclnt");
     script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
     script_family(english:"Windows");
    
     script_dependencies("smb_nativelanman.nasl","smb_login.nasl");
     script_require_keys("Host/OS/smb");
     script_require_ports(139,445);
     exit(0);
    }
    
    #
    
    include ('smb_func.inc');
    
    global_var rpipe;
    
    function RPC_Request (pipe)
    {
     local_var fid, data, rep, ret;
    
     fid = bind_pipe (pipe:"\browser", uuid:"e67ab081-9844-3521-9d32-834f038001c0", vers:1);
     if (isnull (fid))
       return 0;
    
     data = class_parameter (ref_id:0x20000, name:"tns1") +
    	class_parameter (ref_id:0x20004, name:"tns2") +
    	raw_dword (d:0);
    
     session_set_timeout (timeout:20);
    
     data = dce_rpc_pipe_request (fid:fid, code:0x2d, data:data);
     if (!data)
       return 0;
    
     rep = dce_rpc_parse_response (fid:fid, data:data);
    
     if (!rep || (strlen(rep) != 8))
       return 0;
    
     ret = get_dword (blob:rep, pos:4);
     if ((ret == ERROR_INVALID_PARAMETER) || (ret == ERROR_ACCESS_DENIED))
       return 0;
    
     return 1;
    }
    
    os = get_kb_item ("Host/OS/smb") ;
    if ("Windows" >!< os) exit(0);
    
    port = get_kb_item("SMB/transport");
    if(!port)port = 445;
    
    if ( ! get_port_state(port) ) exit(0);
    soc = open_sock_tcp(port);
    if ( ! soc ) exit(0);
    
    name	= kb_smb_name();
    
    session_init(socket:soc, hostname:name);
    
    r = NetUseAdd(share:"IPC$");
    if ( r == 1 )
    {
     ret = RPC_Request();
     if (ret == 1)
       security_hole(port:port);
    
     NetUseDel();
    }
    
  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS05-046.NASL
    descriptionThe remote host contains a version of the Client Service for NetWare that is vulnerable to a buffer overflow. An attacker could exploit this flaw by connecting to the NetWare RPC service (possibly over IP) and trigger the overflow by sending a malformed RPC request.
    last seen2020-06-01
    modified2020-06-02
    plugin id19999
    published2005-10-11
    reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/19999
    titleMS05-046: Vulnerability in the Client Service for NetWare Could Allow Remote Code Execution (899589)

Oval

  • accepted2011-05-16T04:00:19.694-04:00
    classvulnerability
    contributors
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    descriptionThe Client Service for NetWare (CSNW) on Microsoft Windows 2000 SP4, XP SP1 and Sp2, and Server 2003 SP1 and earlier, allows remote attackers to execute arbitrary code due to an "unchecked buffer" when processing certain crafted network messages.
    familywindows
    idoval:org.mitre.oval:def:1106
    statusaccepted
    submitted2005-10-12T12:00:00.000-04:00
    titleCSNW Remote Buffer Overflow via Network Messages (WinXP,SP1)
    version68
  • accepted2011-05-16T04:00:33.573-04:00
    classvulnerability
    contributors
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameDragos Prisaca
      organizationGideon Technologies, Inc.
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    descriptionute arbitrary code due to an "unchecked buffer" when processing certain crafted network messages.
    familywindows
    idoval:org.mitre.oval:def:1210
    statusaccepted
    submitted2005-10-12T12:00:00.000-04:00
    titleCSNW Remote Buffer Overflow via Network Messages (WinXP,SP2)
    version69
  • accepted2011-05-16T04:01:15.712-04:00
    classvulnerability
    contributors
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameJohn Hoyland
      organizationCentennial Software
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    descriptionThe Client Service for NetWare (CSNW) on Microsoft Windows 2000 SP4, XP SP1 and Sp2, and Server 2003 SP1 and earlier, allows remote attackers to execute arbitrary code due to an "unchecked buffer" when processing certain crafted network messages.
    familywindows
    idoval:org.mitre.oval:def:1536
    statusaccepted
    submitted2005-10-12T12:00:00.000-04:00
    titleCSNW Remote Buffer Overflow via Network Messages (Win2k,SP4)
    version68
  • accepted2011-05-16T04:01:17.285-04:00
    classvulnerability
    contributors
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameJonathan Baker
      organizationThe MITRE Corporation
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    descriptionThe Client Service for NetWare (CSNW) on Microsoft Windows 2000 SP4, XP SP1 and Sp2, and Server 2003 SP1 and earlier, allows remote attackers to execute arbitrary code due to an "unchecked buffer" when processing certain crafted network messages.
    familywindows
    idoval:org.mitre.oval:def:1544
    statusaccepted
    submitted2005-10-12T12:00:00.000-04:00
    titleCSNW Remote Buffer Overflow via Network Messages (Server 2003)
    version68
  • accepted2011-05-16T04:03:35.840-04:00
    classvulnerability
    contributors
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    descriptionThe Client Service for NetWare (CSNW) on Microsoft Windows 2000 SP4, XP SP1 and Sp2, and Server 2003 SP1 and earlier, allows remote attackers to execute arbitrary code due to an "unchecked buffer" when processing certain crafted network messages.
    familywindows
    idoval:org.mitre.oval:def:910
    statusaccepted
    submitted2005-10-12T12:00:00.000-04:00
    titleCSNW Remote Buffer Overflow via Network Messages (Server 2003,SP1)
    version68