Vulnerabilities > CVE-2007-2228 - Remote Denial Of Service vulnerability in Microsoft Windows RPC NTLMSSP

CVSS 7.8 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

COMPLETE

network

low complexity

microsoft

nessus

NVD

Published: 2007-10-09

Updated: 2018-10-16

Summary

rpcrt4.dll (aka the RPC runtime library) in Microsoft Windows XP SP2, XP Professional x64 Edition, Server 2003 SP1 and SP2, Server 2003 x64 Edition and x64 Edition SP2, and Vista and Vista x64 Edition allows remote attackers to cause a denial of service (RPCSS service stop and system restart) via an RPC request that uses NTLMSSP PACKET authentication with a zero-valued verification trailer signature, which triggers an invalid dereference. NOTE: this also affects Windows 2000 SP4, although the impact is an information leak.

Vulnerable Configurations

Part	Description	Count
OS	Microsoft Microsoft Windows 2000 * Microsoft Windows 2003 Server * Microsoft Windows Vista * Microsoft Windows XP *	9

Nessus

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS07-058.NASL
description	The remote version of Windows contains a version of the RPC library protocol that is vulnerable to a denial of service attack in the NTLM authentication field. An attacker may exploit this flaw to crash the remote RPC server (and the remote system).
last seen	2020-06-01
modified	2020-06-02
plugin id	26964
published	2007-10-09
reporter	This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/26964
title	MS07-058: Vulnerability in RPC Could Allow Denial of Service (933729)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(26964); script_version("1.31"); script_cvs_date("Date: 2018/11/15 20:50:30"); script_cve_id("CVE-2007-2228"); script_bugtraq_id(25974); script_xref(name:"MSFT", value:"MS07-058"); script_xref(name:"MSKB", value:"933729"); script_name(english:"MS07-058: Vulnerability in RPC Could Allow Denial of Service (933729)"); script_summary(english:"Determines the presence of update 933729"); script_set_attribute(attribute:"synopsis", value:"It is possible to crash the remote server."); script_set_attribute(attribute:"description", value: "The remote version of Windows contains a version of the RPC library protocol that is vulnerable to a denial of service attack in the NTLM authentication field. An attacker may exploit this flaw to crash the remote RPC server (and the remote system)."); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2007/ms07-058"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-07-055/"); script_set_attribute(attribute:"solution", value: "Microsoft has released a set of patches for Windows 2000, XP, 2003 and Vista."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2007/10/09"); script_set_attribute(attribute:"patch_publication_date", value:"2007/10/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/10/09"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc."); script_family(english:"Windows : Microsoft Bulletins"); script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, 'Host/patch_management_checks'); exit(0); } include("audit.inc"); include("smb_func.inc"); include("smb_hotfixes.inc"); include("smb_hotfixes_fcheck.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS07-058'; kb = '933729'; kbs = make_list(kb); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); get_kb_item_or_exit("SMB/Registry/Enumerated"); get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1); if (hotfix_check_sp_range(win2k:'4,5', xp:'2', win2003:'1,2', vista:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN); rootfile = hotfix_get_systemroot(); if (!rootfile) exit(1, "Failed to get the system root."); share = hotfix_path2share(path:rootfile); if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share); if ( hotfix_is_vulnerable(os:"6.0", sp:0, file:"Rpcrt4.dll", version:"6.0.6000.20641", min_version:"6.0.6000.20000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"6.0", sp:0, file:"Rpcrt4.dll", version:"6.0.6000.16525", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.2", sp:1, file:"Rpcrt4.dll", version:"5.2.3790.2971", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.2", sp:2, file:"Rpcrt4.dll", version:"5.2.3790.4115", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.1", sp:2, file:"Rpcrt4.dll", version:"5.1.2600.3173", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.0", file:"Rpcrt4.dll", version:"5.0.2195.7090", dir:"\system32", bulletin:bulletin, kb:kb) ) { set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE); hotfix_security_hole(); hotfix_check_fversion_end(); exit(0); } else { hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, 'affected'); }

Oval

accepted

2012-09-10T04:00:51.347-04:00

class

vulnerability

contributors

name Robert L. Hollis
organization ThreatGuard, Inc.
name Shane Shaffer
organization G2, Inc.
name Chandan S
organization SecPod Technologies

definition_extensions

comment Microsoft Windows 2000 SP4 or later is installed
oval oval:org.mitre.oval:def:229
comment Microsoft Windows XP SP2 or later is installed
oval oval:org.mitre.oval:def:521
comment Microsoft Windows XP SP1 (64-bit) is installed
oval oval:org.mitre.oval:def:480
comment Microsoft Windows XP x64 Edition SP2 is installed
oval oval:org.mitre.oval:def:4193
comment Microsoft Windows Server 2003 SP1 (x86) is installed
oval oval:org.mitre.oval:def:565
comment Microsoft Windows Server 2003 SP2 (x86) is installed
oval oval:org.mitre.oval:def:1935
comment Microsoft Windows Vista is installed
oval oval:org.mitre.oval:def:228

description

family

windows

oval:org.mitre.oval:def:2310

status

accepted

submitted

2007-10-10T04:39:42

title

Vulnerability in RPC Could Allow Denial of Service

version

Seebug

bulletinFamily	exploit
description	BUGTRAQ ID: 25974 CVE(CAN) ID: CVE-2007-2228 Microsoft Windows是微软发布的非常流行的操作系统。 Windows系统在处理RPC认证时存在漏洞，远程攻击者可能利用此漏洞导致系统拒绝服务。漏洞具体存在于RPC运行时库rpcrt4.dll解析RPC级认证消息期间。在解析认证类型为NTLMSSP且认证级别为PACKET的报文时，如果验证尾部签名被初始化为0而不是标准的NTLM签名，就会出现无效的内存引用。成功利用这个漏洞可能导致RPC服务及整个操作系统崩溃。 Microsoft Windows XP SP2 Microsoft Windows Vista Microsoft Windows Server 2003 SP2 Microsoft Windows Server 2003 SP1 Microsoft Windows 2000SP4 临时解决方法： * 在防火墙处阻止以下内容： UDP端口135、137、138、445；TCP端口135、139、445、593 端口号大于1024的端口上的所有非法入站通信任何其他特殊配置的RPC端口 * 使用个人防火墙。 * 在支持高级TCP/IP过滤功能的系统上启用此功能。 * 通过在受影响的系统上使用IPSec来阻止受影响的端口。厂商补丁： Microsoft --------- Microsoft已经为此发布了一个安全公告（MS07-058）以及相应补丁: MS07-058：Vulnerability in RPC Could Allow Denial of Service (933729) 链接：<a href="http://www.microsoft.com/technet/security/Bulletin/MS07-058.mspx?pf=true" target="_blank">http://www.microsoft.com/technet/security/Bulletin/MS07-058.mspx?pf=true</a>
id	SSV:2286
last seen	2017-11-19
modified	2007-10-12
published	2007-10-12
reporter	Root
title	Microsoft Windows RPC认证远程拒绝服务漏洞（MS07-058）

Summary

Vulnerable Configurations

Nessus

Oval

Seebug

References