Vulnerabilities > CVE-2007-3039 - Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Microsoft Message Queuing
Attack vector
NETWORK Attack complexity
LOW Privileges required
SINGLE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Stack-based buffer overflow in the Microsoft Message Queuing (MSMQ) service in Microsoft Windows 2000 Server SP4, Windows 2000 Professional SP4, and Windows XP SP2 allows attackers to execute arbitrary code via a long string in an opnum 0x06 RPC call to port 2103. NOTE: this is remotely exploitable on Windows 2000 Server.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| OS | 3 | |
| Application | 1 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Exploit-Db
description MS Windows 2000 AS SP4 Message Queue Exploit (MS07-065). CVE-2007-3039. Remote exploit for windows platform file exploits/windows/remote/4760.txt id EDB-ID:4760 last seen 2016-01-31 modified 2007-12-21 platform windows port published 2007-12-21 reporter Andres Tarasco source https://www.exploit-db.com/download/4760/ title Microsoft Windows 2000 - AS SP4 - Message Queue Exploit MS07-065 type remote description MS Windows Message Queuing Service RPC BOF Exploit (dnsname). CVE-2007-3039. Remote exploit for windows platform file exploits/windows/remote/4934.c id EDB-ID:4934 last seen 2016-01-31 modified 2008-01-18 platform windows port published 2008-01-18 reporter Marcin Kozlowski source https://www.exploit-db.com/download/4934/ title Microsoft Windows Message Queuing Service RPC BoF Exploit dnsname type remote description MS Windows Message Queuing Service RPC BOF Exploit (MS07-065). CVE-2007-3039. Remote exploit for windows platform file exploits/windows/remote/4745.cpp id EDB-ID:4745 last seen 2016-01-31 modified 2007-12-18 platform windows port published 2007-12-18 reporter axis source https://www.exploit-db.com/download/4745/ title Microsoft Windows Message Queuing Service - RPC BoF Exploit MS07-065 type remote description Microsoft Message Queueing Service DNS Name Path Overflow. CVE-2007-3039. Remote exploit for windows platform id EDB-ID:16750 last seen 2016-02-02 modified 2010-07-25 published 2010-07-25 reporter metasploit source https://www.exploit-db.com/download/16750/ title Microsoft Message Queueing Service DNS Name Path Overflow
Metasploit
| description | This module exploits a stack buffer overflow in the RPC interface to the Microsoft Message Queueing service. This exploit requires the target system to have been configured with a DNS name and for that name to be supplied in the 'DNAME' option. This name does not need to be served by a valid DNS server, only configured on the target machine. |
| id | MSF:EXPLOIT/WINDOWS/DCERPC/MS07_065_MSMQ |
| last seen | 2020-03-06 |
| modified | 2017-07-24 |
| published | 2007-12-12 |
| references | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3039 |
| reporter | Rapid7 |
| source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/dcerpc/ms07_065_msmq.rb |
| title | MS07-065 Microsoft Message Queueing Service DNS Name Path Overflow |
Nessus
NASL family Windows : Microsoft Bulletins NASL id SMB_NT_MS07-065.NASL description The remote version of Windows is affected by a vulnerability in Microsoft Message Queuing Service (MSMQ). An attacker may exploit this flaw to execute arbitrary code on the remote host with the SYSTEM privileges. last seen 2020-06-01 modified 2020-06-02 plugin id 29309 published 2007-12-11 reporter This script is Copyright (C) 2007-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/29309 title MS07-065: Vulnerability in Message Queuing Could Allow Remote Code Execution (937894) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(29309); script_version("1.31"); script_cvs_date("Date: 2018/11/15 20:50:30"); script_cve_id("CVE-2007-3039"); script_bugtraq_id(26797); script_xref(name:"TRA", value:"TRA-2007-11"); script_xref(name:"MSFT", value:"MS07-065"); script_xref(name:"MSKB", value:"937894"); script_xref(name:"EDB-ID", value:"4745"); script_xref(name:"EDB-ID", value:"4760"); script_xref(name:"EDB-ID", value:"4934"); script_xref(name:"EDB-ID", value:"16750"); script_name(english:"MS07-065: Vulnerability in Message Queuing Could Allow Remote Code Execution (937894)"); script_summary(english:"Determines if hotfix 937894 has been installed"); script_set_attribute(attribute:"synopsis", value:"Arbitrary code can be executed on the remote host."); script_set_attribute(attribute:"description", value: "The remote version of Windows is affected by a vulnerability in Microsoft Message Queuing Service (MSMQ). An attacker may exploit this flaw to execute arbitrary code on the remote host with the SYSTEM privileges."); script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/research/tra-2007-11"); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2007/ms07-065"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-07-076/"); script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows 2000 and XP."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'MS07-065 Microsoft Message Queueing Service DNS Name Path Overflow'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_cwe_id(119); script_set_attribute(attribute:"vuln_publication_date", value:"2007/12/11"); script_set_attribute(attribute:"patch_publication_date", value:"2007/12/11"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/12/11"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc."); script_family(english:"Windows : Microsoft Bulletins"); script_dependencies("smb_hotfixes.nasl" , "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, 'Host/patch_management_checks'); exit(0); } include("audit.inc"); include("smb_func.inc"); include("smb_hotfixes_fcheck.inc"); include("smb_hotfixes.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS07-065'; kb = '937894'; kbs = make_list(kb); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); get_kb_item_or_exit("SMB/Registry/Enumerated"); get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1); if (hotfix_check_sp_range(win2k:'4,5', xp:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN); rootfile = hotfix_get_systemroot(); if (!rootfile) exit(1, "Failed to get the system root."); share = hotfix_path2share(path:rootfile); if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share); if ( hotfix_is_vulnerable(os:"5.1", sp:2, file:"Mqqm.dll", version:"5.1.0.1109", dir:"\system32", bulletin:bulletin, kb:kb) || hotfix_is_vulnerable(os:"5.0", file:"Mqqm.dll", version:"5.0.0.805", dir:"\system32", bulletin:bulletin, kb:kb) ) { set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE); hotfix_security_hole(); hotfix_check_fversion_end(); exit(0); } else { hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, 'affected'); }NASL family Windows NASL id MSMQS_OVERFLOW2.NASL description The remote version of Windows is affected by a vulnerability in the Microsoft Message Queuing Service (MSMQ). An attacker may exploit this flaw to execute arbitrary code on the remote host with SYSTEM privileges. last seen 2020-06-01 modified 2020-06-02 plugin id 29314 published 2007-12-12 reporter This script is Copyright (C) 2007-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/29314 title MS07-065: Vulnerability in Message Queuing Could Allow Remote Code Execution (937894) (uncredentialed check) code # # (C) Tenable Network Security, Inc. # # The non-credentialed check only works against Windows 2000 include("compat.inc"); if (description) { script_id(29314); script_version("1.24"); script_cvs_date("Date: 2018/11/15 20:50:27"); script_cve_id("CVE-2007-3039"); script_bugtraq_id(26797); script_xref(name:"TRA", value:"TRA-2007-11"); script_xref(name:"MSFT", value:"MS07-065"); script_xref(name:"MSKB", value:"937894"); script_name(english:"MS07-065: Vulnerability in Message Queuing Could Allow Remote Code Execution (937894) (uncredentialed check)"); script_summary(english:"Determines if hotfix 937894 has been installed (remote check)"); script_set_attribute(attribute:"synopsis", value:"Arbitrary code can be executed on the remote host."); script_set_attribute(attribute:"description", value: "The remote version of Windows is affected by a vulnerability in the Microsoft Message Queuing Service (MSMQ). An attacker may exploit this flaw to execute arbitrary code on the remote host with SYSTEM privileges."); script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/research/tra-2007-11"); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2007/ms07-065"); script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows 2000 and XP."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'MS07-065 Microsoft Message Queueing Service DNS Name Path Overflow'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_cwe_id(119); script_set_attribute(attribute:"vuln_publication_date", value:"2007/12/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/12/12"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:message_queuing"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc."); script_family(english:"Windows"); script_dependencies("smb_nativelanman.nasl"); script_require_keys("Host/OS/smb"); script_require_ports(2103); exit(0); } # include ('smb_func.inc'); os = get_kb_item("Host/OS/smb"); if ( "Windows 5.0" >!< os ) exit (0); port = 2103; if ( ! get_port_state(port) ) exit(0); soc = open_sock_tcp (port); if (!soc) exit (0); host_ip = get_host_ip(); ret = dce_rpc_bind(cid:session_get_cid(), uuid:"41208ee0-e970-11d1-9b9e-00e02c064c39", vers:1); send (socket:soc, data:ret); resp = recv (socket:soc, length:4096); if (!resp) { close (soc); exit (0); } ret = dce_rpc_parse_bind_ack (data:resp); if (isnull (ret) || (ret != 0)) { close (soc); exit (0); } session_set_unicode(unicode:1); name = class_name(name:"nessus"); data = raw_word(w:3) + raw_word(w:3) + raw_dword(d:0) + name; ret = dce_rpc_request (code:0x01, data:data); send (socket:soc, data:ret); resp = recv (socket:soc, length:4096); close (soc); resp = dce_rpc_parse_response (data:resp); if (strlen(resp) != 4) exit (0); # patched = 0xC00E0006 # not patched = 0xC00E0025 val = get_dword (blob:resp, pos:strlen(resp)-4); if (val == 0xC00E0025) security_hole(port);
Oval
| accepted | 2014-03-17T04:00:19.635-04:00 | ||||||||||||
| class | vulnerability | ||||||||||||
| contributors |
| ||||||||||||
| definition_extensions |
| ||||||||||||
| description | Stack-based buffer overflow in the Microsoft Message Queuing (MSMQ) service in Microsoft Windows 2000 Server SP4, Windows 2000 Professional SP4, and Windows XP SP2 allows attackers to execute arbitrary code via a long string in an opnum 0x06 RPC call to port 2103. NOTE: this is remotely exploitable on Windows 2000 Server. | ||||||||||||
| family | windows | ||||||||||||
| id | oval:org.mitre.oval:def:4474 | ||||||||||||
| status | accepted | ||||||||||||
| submitted | 2007-12-13T08:28:45 | ||||||||||||
| title | Vulnerability in Message Queuing Could Allow Remote Code Execution | ||||||||||||
| version | 74 |
Packetstorm
| data source | https://packetstormsecurity.com/files/download/83060/ms07_065_msmq.rb.txt |
| id | PACKETSTORM:83060 |
| last seen | 2016-12-05 |
| published | 2009-11-26 |
| reporter | H D Moore |
| source | https://packetstormsecurity.com/files/83060/Microsoft-Message-Queueing-Service-DNS-Name-Path-Overflow.html |
| title | Microsoft Message Queueing Service DNS Name Path Overflow |
Saint
| bid | 26797 |
| description | Microsoft Message Queuing queue name buffer overflow |
| id | win_patch_msmq2 |
| osvdb | 39123 |
| title | windows_msmq_queue_name |
| type | remote |
Seebug
bulletinFamily exploit description BUGTRAQ ID: 26797 CVE(CAN) ID: CVE-2007-3039 Microsoft Windows是微软发布的非常流行的操作系统。 Windows的消息队列服务在处理畸形请求数据时存在漏洞,远程攻击者可能利用此漏洞控制服务器。 Windows的消息队列服务在将输入字符串传递到缓冲区之前没有执行正确地验证。具体来讲,漏洞存在于2103端口上所定义的UUID为fdb3a030-065f-11d1-bb9b-00a024ea5525的RPC接口。在处理opnum 0x06时服务将用户提供的信息拷贝到了固定大小的栈缓冲区,由于wcscat()调用攻击者发送300字节以上的消息就可以触发栈溢出。 攻击者可以通过构建特制的MSMQ消息来利用该漏洞,这种消息在远程攻击情形下可能允许在Windows 2000 Server上远程执行代码,而在本地攻击情形下可能允许在Windows XP上进行本地权限提升。成功利用此漏洞的攻击者可以完全控制受影响的系统。 Microsoft Windows XP SP2 Microsoft Windows 2000SP4 临时解决方法: * 在防火墙处阻止大于1024的端口上的所有非法入站通信和任何其他特殊配置的RPC端口。 * 禁用消息队列服务: 1. 单击“开始”,然后单击“控制面板”。 或者,指向“设置”,然后单击“控制面板”。 2. 双击“管理工具”。 或者,单击切换到“经典视图”,然后双击“管理工具”。 3. 双击“服务”。 4. 双击“消息队列”。 5. 在“启动类型”列表中,单击“禁用”。 6. 单击“停止”,然后单击“确定”。 您也可以通过在命令提示符处使用以下命令来停止和禁用MSMQ服务: sc stop MSMQ & sc config MSMQ start= disabled 厂商补丁: Microsoft --------- Microsoft已经为此发布了一个安全公告(MS07-065)以及相应补丁: MS07-065:Vulnerability in Message Queuing Could Allow Remote Code Execution (937894) 链接:<a href=http://www.microsoft.com/technet/security/Bulletin/MS07-065.mspx?pf=true target=_blank>http://www.microsoft.com/technet/security/Bulletin/MS07-065.mspx?pf=true</a> 补丁下载: <a href=http://www.microsoft.com/downloads/details.aspx?displaylang=zh-cn&FamilyID=bda9d0b4-f7cb-4d9d-b030-043d7437734b target=_blank>http://www.microsoft.com/downloads/details.aspx?displaylang=zh-cn&FamilyID=bda9d0b4-f7cb-4d9d-b030-043d7437734b</a> <a href=http://www.microsoft.com/downloads/details.aspx?displaylang=zh-cn&FamilyID=09d4e6ae-5d19-4f11-bb7e-60cee8263bc8 target=_blank>http://www.microsoft.com/downloads/details.aspx?displaylang=zh-cn&FamilyID=09d4e6ae-5d19-4f11-bb7e-60cee8263bc8</a> id SSV:2582 last seen 2017-11-19 modified 2007-12-13 published 2007-12-13 reporter Root title Microsoft消息队列服务栈溢出漏洞(MS07-065) bulletinFamily exploit description No description provided by source. id SSV:7699 last seen 2017-11-19 modified 2007-12-23 published 2007-12-23 reporter Root source https://www.seebug.org/vuldb/ssvid-7699 title MS Windows 2000 AS SP4 Message Queue Exploit (MS07-065)
References
- http://secunia.com/advisories/28011
- http://secunia.com/advisories/28051
- http://www.securityfocus.com/archive/1/484891/100/0/threaded
- http://www.securityfocus.com/archive/1/485268/100/0/threaded
- http://www.securityfocus.com/bid/26797
- http://www.securitytracker.com/id?1019077
- http://www.us-cert.gov/cas/techalerts/TA07-345A.html
- http://www.vupen.com/english/advisories/2007/4181
- http://www.zerodayinitiative.com/advisories/ZDI-07-076.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2007/ms07-065
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4474
- https://www.exploit-db.com/exploits/4745
- https://www.exploit-db.com/exploits/4760
- https://www.exploit-db.com/exploits/4934