CVE-2007-3039 - Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in Microsoft Message Queuing

CVSS 9.0 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: SINGLE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE

Tags: network, low complexity, microsoft, CWE-119, critical, nessus, exploit available, metasploit

Summary

Stack-based buffer overflow in the Microsoft Message Queuing (MSMQ) service in Microsoft Windows 2000 Server SP4, Windows 2000 Professional SP4, and Windows XP SP2 allows attackers to execute arbitrary code via a long string in an opnum 0x06 RPC call to port 2103. NOTE: this is remotely exploitable on Windows 2000 Server.

Vulnerable Configurations

Part         Description   Count
OS           Microsoft     3
Application  Microsoft     1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Exploit-Db

  • description: MS Windows 2000 AS SP4 Message Queue Exploit (MS07-065). CVE-2007-3039. Remote exploit for windows platform
    file: exploits/windows/remote/4760.txt
    id: EDB-ID:4760
    last seen: 2016-01-31
    modified: 2007-12-21
    platform: windows
    published: 2007-12-21
    reporter: Andres Tarasco
    source: https://www.exploit-db.com/download/4760/
    title: Microsoft Windows 2000 - AS SP4 - Message Queue Exploit MS07-065
    type: remote
  • description: MS Windows Message Queuing Service RPC BOF Exploit (dnsname). CVE-2007-3039. Remote exploit for windows platform
    file: exploits/windows/remote/4934.c
    id: EDB-ID:4934
    last seen: 2016-01-31
    modified: 2008-01-18
    platform: windows
    published: 2008-01-18
    reporter: Marcin Kozlowski
    source: https://www.exploit-db.com/download/4934/
    title: Microsoft Windows Message Queuing Service RPC BoF Exploit dnsname
    type: remote
  • description: MS Windows Message Queuing Service RPC BOF Exploit (MS07-065). CVE-2007-3039. Remote exploit for windows platform
    file: exploits/windows/remote/4745.cpp
    id: EDB-ID:4745
    last seen: 2016-01-31
    modified: 2007-12-18
    platform: windows
    published: 2007-12-18
    reporter: axis
    source: https://www.exploit-db.com/download/4745/
    title: Microsoft Windows Message Queuing Service - RPC BoF Exploit MS07-065
    type: remote
  • description: Microsoft Message Queueing Service DNS Name Path Overflow. CVE-2007-3039. Remote exploit for windows platform
    id: EDB-ID:16750
    last seen: 2016-02-02
    modified: 2010-07-25
    published: 2010-07-25
    reporter: metasploit
    source: https://www.exploit-db.com/download/16750/
    title: Microsoft Message Queueing Service DNS Name Path Overflow

Metasploit

description: This module exploits a stack buffer overflow in the RPC interface to the Microsoft Message Queueing service. This exploit requires the target system to have been configured with a DNS name and for that name to be supplied in the 'DNAME' option. This name does not need to be served by a valid DNS server, only configured on the target machine.
id: MSF:EXPLOIT/WINDOWS/DCERPC/MS07_065_MSMQ
last seen: 2020-03-06
modified: 2017-07-24
published: 2007-12-12
references: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3039
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/dcerpc/ms07_065_msmq.rb
title: MS07-065 Microsoft Message Queueing Service DNS Name Path Overflow

Nessus

  • NASL family: Windows : Microsoft Bulletins
    NASL id: SMB_NT_MS07-065.NASL
    description: The remote version of Windows is affected by a vulnerability in Microsoft Message Queuing Service (MSMQ). An attacker may exploit this flaw to execute arbitrary code on the remote host with SYSTEM privileges.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 29309
    published: 2007-12-11
    reporter: This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/29309
    title: MS07-065: Vulnerability in Message Queuing Could Allow Remote Code Execution (937894)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
     script_id(29309);
     script_version("1.31");
     script_cvs_date("Date: 2018/11/15 20:50:30");
    
     script_cve_id("CVE-2007-3039");
     script_bugtraq_id(26797);
     script_xref(name:"TRA", value:"TRA-2007-11");
     script_xref(name:"MSFT", value:"MS07-065");
     script_xref(name:"MSKB", value:"937894");
     
     script_xref(name:"EDB-ID", value:"4745");
     script_xref(name:"EDB-ID", value:"4760");
     script_xref(name:"EDB-ID", value:"4934");
     script_xref(name:"EDB-ID", value:"16750");
    
     script_name(english:"MS07-065: Vulnerability in Message Queuing Could Allow Remote Code Execution (937894)");
     script_summary(english:"Determines if hotfix 937894 has been installed");
    
     script_set_attribute(attribute:"synopsis", value:"Arbitrary code can be executed on the remote host.");
     script_set_attribute(attribute:"description", value:
    "The remote version of Windows is affected by a vulnerability in
    Microsoft Message Queuing Service (MSMQ).
    
    An attacker may exploit this flaw to execute arbitrary code on the
    remote host with the SYSTEM privileges.");
     script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/research/tra-2007-11");
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2007/ms07-065");
     script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-07-076/");
     script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows 2000 and XP.");
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
     script_set_attribute(attribute:"exploit_framework_core", value:"true");
     script_set_attribute(attribute:"metasploit_name", value:'MS07-065 Microsoft Message Queueing Service DNS Name Path Overflow');
     script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
     script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
     script_set_attribute(attribute:"canvas_package", value:'CANVAS');
     script_cwe_id(119);
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2007/12/11");
     script_set_attribute(attribute:"patch_publication_date", value:"2007/12/11");
     script_set_attribute(attribute:"plugin_publication_date", value:"2007/12/11");
    
     script_set_attribute(attribute:"plugin_type", value:"local");
     script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
    
     script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
     script_family(english:"Windows : Microsoft Bulletins");
    
     script_dependencies("smb_hotfixes.nasl" , "ms_bulletin_checks_possible.nasl");
     script_require_keys("SMB/MS_Bulletin_Checks/Possible");
     script_require_ports(139, 445, 'Host/patch_management_checks');
     exit(0);
    }
    
    
    include("audit.inc");
    include("smb_func.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = 'MS07-065';
    kb = '937894';
    
    kbs = make_list(kb);
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(win2k:'4,5', xp:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    rootfile = hotfix_get_systemroot();
    if (!rootfile) exit(1, "Failed to get the system root.");
    
    share = hotfix_path2share(path:rootfile);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if (
      hotfix_is_vulnerable(os:"5.1", sp:2, file:"Mqqm.dll", version:"5.1.0.1109", dir:"\system32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"5.0", file:"Mqqm.dll", version:"5.0.0.805", dir:"\system32", bulletin:bulletin, kb:kb)
    )
    {
      set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, 'affected');
    }
    
  • NASL family: Windows
    NASL id: MSMQS_OVERFLOW2.NASL
    description: The remote version of Windows is affected by a vulnerability in the Microsoft Message Queuing Service (MSMQ). An attacker may exploit this flaw to execute arbitrary code on the remote host with SYSTEM privileges.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 29314
    published: 2007-12-12
    reporter: This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/29314
    title: MS07-065: Vulnerability in Message Queuing Could Allow Remote Code Execution (937894) (uncredentialed check)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # The non-credentialed check only works against Windows 2000
    
    include("compat.inc");
    
    if (description)
    {
     script_id(29314);
     script_version("1.24");
     script_cvs_date("Date: 2018/11/15 20:50:27");
    
     script_cve_id("CVE-2007-3039");
     script_bugtraq_id(26797);
     script_xref(name:"TRA", value:"TRA-2007-11");
     script_xref(name:"MSFT", value:"MS07-065");
     script_xref(name:"MSKB", value:"937894");
    
     script_name(english:"MS07-065: Vulnerability in Message Queuing Could Allow Remote Code Execution (937894) (uncredentialed check)");
     script_summary(english:"Determines if hotfix 937894 has been installed (remote check)");
    
     script_set_attribute(attribute:"synopsis", value:"Arbitrary code can be executed on the remote host.");
     script_set_attribute(attribute:"description", value:
    "The remote version of Windows is affected by a vulnerability in the
    Microsoft Message Queuing Service (MSMQ).
    
    An attacker may exploit this flaw to execute arbitrary code on the
    remote host with SYSTEM privileges.");
     script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/research/tra-2007-11");
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2007/ms07-065");
     script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows 2000 and XP.");
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
     script_set_attribute(attribute:"exploit_framework_core", value:"true");
     script_set_attribute(attribute:"metasploit_name", value:'MS07-065 Microsoft Message Queueing Service DNS Name Path Overflow');
     script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
     script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
     script_set_attribute(attribute:"canvas_package", value:'CANVAS');
     script_cwe_id(119);
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2007/12/12");
     script_set_attribute(attribute:"plugin_publication_date", value:"2007/12/12");
    
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
     script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:message_queuing");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
     script_family(english:"Windows");
    
     script_dependencies("smb_nativelanman.nasl");
     script_require_keys("Host/OS/smb");
     script_require_ports(2103);
     exit(0);
    }
    
    #
    
    include ('smb_func.inc');
    
    os = get_kb_item("Host/OS/smb");
    if ( "Windows 5.0" >!< os ) exit (0);
    
    port = 2103;
    if ( ! get_port_state(port) ) exit(0);
    soc = open_sock_tcp (port);
    if (!soc) exit (0);
    
    host_ip = get_host_ip();
    
    ret = dce_rpc_bind(cid:session_get_cid(), uuid:"41208ee0-e970-11d1-9b9e-00e02c064c39", vers:1);
    send (socket:soc, data:ret);
    resp = recv (socket:soc, length:4096);
    
    if (!resp)
    {
     close (soc);
     exit (0);
    }
    
    ret = dce_rpc_parse_bind_ack (data:resp);
    if (isnull (ret) || (ret != 0))
    {
     close (soc);
     exit (0);
    }
    
    session_set_unicode(unicode:1);
    name = class_name(name:"nessus");
    
    data =
         raw_word(w:3) +
         raw_word(w:3) +
         raw_dword(d:0) +
         name;
    
    ret = dce_rpc_request (code:0x01, data:data);
    send (socket:soc, data:ret);
    resp = recv (socket:soc, length:4096);
    
    close (soc);
    
    resp = dce_rpc_parse_response (data:resp);
    if (strlen(resp) != 4)
      exit (0);
    
    # patched = 0xC00E0006
    # not patched = 0xC00E0025
    
    val = get_dword (blob:resp, pos:strlen(resp)-4);
    if (val == 0xC00E0025)
      security_hole(port);
    

Oval

accepted: 2014-03-17T04:00:19.635-04:00
class: vulnerability
contributors:
  • name: Robert L. Hollis
    organization: ThreatGuard, Inc.
  • name: Shane Shaffer
    organization: G2, Inc.
  • name: Maria Mikhno
    organization: ALTX-SOFT
definition_extensions:
  • comment: Microsoft Windows 2000 SP4 or later is installed
    oval: oval:org.mitre.oval:def:229
  • comment: Microsoft Windows XP SP2 or later is installed
    oval: oval:org.mitre.oval:def:521
description: Stack-based buffer overflow in the Microsoft Message Queuing (MSMQ) service in Microsoft Windows 2000 Server SP4, Windows 2000 Professional SP4, and Windows XP SP2 allows attackers to execute arbitrary code via a long string in an opnum 0x06 RPC call to port 2103. NOTE: this is remotely exploitable on Windows 2000 Server.
family: windows
id: oval:org.mitre.oval:def:4474
status: accepted
submitted: 2007-12-13T08:28:45
title: Vulnerability in Message Queuing Could Allow Remote Code Execution
version: 74

Packetstorm

data source: https://packetstormsecurity.com/files/download/83060/ms07_065_msmq.rb.txt
id: PACKETSTORM:83060
last seen: 2016-12-05
published: 2009-11-26
reporter: H D Moore
source: https://packetstormsecurity.com/files/83060/Microsoft-Message-Queueing-Service-DNS-Name-Path-Overflow.html
title: Microsoft Message Queueing Service DNS Name Path Overflow

Saint

bid: 26797
description: Microsoft Message Queuing queue name buffer overflow
id: win_patch_msmq2
osvdb: 39123
title: windows_msmq_queue_name
type: remote

Seebug

  • bulletinFamily: exploit
    description: BUGTRAQ ID: 26797
    CVE(CAN) ID: CVE-2007-3039

    Microsoft Windows is a very widely used operating system published by Microsoft.

    The Windows Message Queuing service has a vulnerability in its handling of malformed request data; a remote attacker could exploit it to take control of the server. The service does not properly validate input strings before passing them into a buffer. Specifically, the vulnerability lies in the RPC interface with UUID fdb3a030-065f-11d1-bb9b-00a024ea5525 defined on port 2103. When handling opnum 0x06, the service copies user-supplied data into a fixed-size stack buffer, and because of a wcscat() call an attacker who sends a message of more than 300 bytes can trigger a stack overflow.

    An attacker could exploit this vulnerability by constructing a specially crafted MSMQ message. In a remote attack scenario such a message could allow remote code execution on Windows 2000 Server; in a local attack scenario it could allow local privilege escalation on Windows XP. An attacker who successfully exploited the vulnerability could take complete control of the affected system.

    Affected: Microsoft Windows XP SP2, Microsoft Windows 2000 SP4

    Workarounds:
    * At the firewall, block all unsolicited inbound traffic on ports greater than 1024 and on any other specifically configured RPC port.
    * Disable the Message Queuing service:
      1. Click Start, then click Control Panel. Alternatively, point to Settings, then click Control Panel.
      2. Double-click Administrative Tools. Alternatively, click Switch to Classic View, then double-click Administrative Tools.
      3. Double-click Services.
      4. Double-click Message Queuing.
      5. In the Startup type list, click Disabled.
      6. Click Stop, then click OK.
      You can also stop and disable the MSMQ service with the following command at a command prompt:
      sc stop MSMQ & sc config MSMQ start= disabled

    Vendor patch:
    Microsoft has released security bulletin MS07-065 and the corresponding patch:
    MS07-065: Vulnerability in Message Queuing Could Allow Remote Code Execution (937894)
    Link: http://www.microsoft.com/technet/security/Bulletin/MS07-065.mspx?pf=true
    Patch download:
    http://www.microsoft.com/downloads/details.aspx?displaylang=zh-cn&FamilyID=bda9d0b4-f7cb-4d9d-b030-043d7437734b
    http://www.microsoft.com/downloads/details.aspx?displaylang=zh-cn&FamilyID=09d4e6ae-5d19-4f11-bb7e-60cee8263bc8
    id: SSV:2582
    last seen: 2017-11-19
    modified: 2007-12-13
    published: 2007-12-13
    reporter: Root
    title: Microsoft Message Queuing Service Stack Overflow Vulnerability (MS07-065)
  • bulletinFamily: exploit
    description: No description provided by source.
    id: SSV:7699
    last seen: 2017-11-19
    modified: 2007-12-23
    published: 2007-12-23
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-7699
    title: MS Windows 2000 AS SP4 Message Queue Exploit (MS07-065)