CVE-2007-5351 - Code Injection vulnerability in Microsoft Windows Vista
| Metric | Value |
|---|---|
| Attack vector | NETWORK |
| Attack complexity | LOW |
| Privileges required | NONE |
| Confidentiality impact | COMPLETE |
| Integrity impact | COMPLETE |
| Availability impact | COMPLETE |
| CVSS v2 base vector | AV:N/AC:L/Au:N/C:C/I:C/A:C (as set in the Nessus plugin below) |

Summary
Unspecified vulnerability in Server Message Block Version 2 (SMBv2) signing support in Microsoft Windows Vista allows remote attackers to force signature re-computation and execute arbitrary code via a crafted SMBv2 packet, aka "SMBv2 Signing Vulnerability."
Vulnerable Configurations

| Part | Description | Count |
|---|---|---|
| OS | | 2 |
Common Weakness Enumeration (CWE)
- CWE-94: Improper Control of Generation of Code ('Code Injection'), the weakness the Nessus plugin below assigns via script_cwe_id(94)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Leverage Executable Code in Non-Executable Files: An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file), the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. an application server) into executing based on the malicious configuration parameters. Since systems increasingly mash up resources from local and remote sources, the likelihood of this attack is high. The attack can be directed at a client system, such as causing a buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028, where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading PDF files. In this case the attacker simply appends JavaScript to the end of a legitimate URL for a PDF (http://www.gnucitizen.org/blog/danger-danger-danger/): http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here. The client assumes it is reading a PDF, but the attacker has modified the resource and loaded executable JavaScript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server; adding the role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when it is manipulated, the attacker gains full control.
- Manipulating User-Controlled Variables: This attack targets user-controlled variables (DEBUG=1, PHP globals, and so forth). An attacker can override environment variables by leveraging user-supplied, untrusted query variables that are used directly on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly chosen default configurations may allow the user to override variables.
Nessus

| Field | Value |
|---|---|
| NASL family | Windows : Microsoft Bulletins |
| NASL id | SMB_NT_MS07-063.NASL |
| description | The remote version of Windows contains a version of SMBv2 (Server Message Block) protocol that has several vulnerabilities. An attacker may exploit these flaws to elevate his privileges and gain control of the remote host. |
| last seen | 2020-06-01 |
| modified | 2020-06-02 |
| plugin id | 29307 |
| published | 2007-12-11 |
| reporter | This script is Copyright (C) 2007-2018 Tenable Network Security, Inc. |
| source | https://www.tenable.com/plugins/nessus/29307 |
| title | MS07-063: Vulnerability in SMBv2 Could Allow Remote Code Execution (942624) |

Plugin code (local, credentialed check of the Mrxsmb.sys file version):

```nasl
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(29307);
  script_version("1.27");
  script_cvs_date("Date: 2018/11/15 20:50:30");

  script_cve_id("CVE-2007-5351");
  script_bugtraq_id(26777);
  script_xref(name:"MSFT", value:"MS07-063");
  script_xref(name:"MSKB", value:"942624");
  script_xref(name:"IAVT", value:"2007-T-0049");
  script_xref(name:"CERT", value:"520465");

  script_name(english:"MS07-063: Vulnerability in SMBv2 Could Allow Remote Code Execution (942624)");
  script_summary(english:"Determines the presence of update 942624");

  script_set_attribute(attribute:"synopsis", value:"It is possible to execute code on the remote host.");
  script_set_attribute(attribute:"description", value:
"The remote version of Windows contains a version of SMBv2 (Server Message
Block) protocol that has several vulnerabilities.

An attacker may exploit these flaws to elevate his privileges and gain
control of the remote host.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2007/ms07-063");
  script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows Vista.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(94);

  script_set_attribute(attribute:"vuln_publication_date", value:"2007/12/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2007/12/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/12/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
  script_family(english:"Windows : Microsoft Bulletins");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, 'Host/patch_management_checks');
  exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS07-063';
kb = '942624';
kbs = make_list(kb);

# Defer to a third-party patch-management source when one is configured.
if (get_kb_item("Host/patch_management_checks"))
  hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

# Only Windows Vista with no service pack (6.0, SP0) is in scope for this check.
if (hotfix_check_sp_range(vista:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

# Two servicing branches are tested separately: GDR builds (below 6.0.6000.20000)
# are fixed at 6.0.6000.16586, LDR/QFE builds (6.0.6000.20000 and up) at 6.0.6000.20709.
if (
  hotfix_is_vulnerable(os:"6.0", sp:0, file:"Mrxsmb.sys", version:"6.0.6000.16586", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:0, file:"Mrxsmb.sys", version:"6.0.6000.20709", min_version:"6.0.6000.20000", dir:"\system32\drivers", bulletin:bulletin, kb:kb)
)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}
```
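As an added example, not part of Tenable's plugin, the following PowerShell repeats the Mrxsmb.sys version test that SMB_NT_MS07-063.NASL above performs over SMB, but locally on the host. The two fixed versions and the 6.0.6000.20000 branch boundary are the ones the plugin checks; the function names, the constructed sample version strings, and the requirement of PowerShell 2.0 or later are assumptions made for this example.

```powershell
# Added example (not Tenable's plugin code): local equivalent of the
# Mrxsmb.sys file-version test in SMB_NT_MS07-063.NASL.
# Assumes PowerShell 2.0 or later on a Windows Vista host.

$GdrFixed    = [version]'6.0.6000.16586'   # GDR branch: fixed at or above this
$LdrBoundary = [version]'6.0.6000.20000'   # revisions >= 20000 are the LDR/QFE branch
$LdrFixed    = [version]'6.0.6000.20709'   # LDR branch: fixed at or above this

function Test-Ms07063Vulnerable {
    param([Parameter(Mandatory=$true)][version]$FileVersion)

    # Only 6.0.6000.x (Vista RTM) is in scope, mirroring the plugin's
    # hotfix_check_sp_range(vista:'0'); anything else is reported as "not checked".
    if ($FileVersion.Major -ne 6 -or $FileVersion.Minor -ne 0 -or $FileVersion.Build -ne 6000) {
        return $null
    }
    # Pick the servicing branch first: a single "less than 6.0.6000.16586" test
    # would wrongly mark every unpatched LDR build (revision 20xxx) as fixed.
    if ($FileVersion -ge $LdrBoundary) { return ($FileVersion -lt $LdrFixed) }
    return ($FileVersion -lt $GdrFixed)
}

function Get-MrxsmbFileVersion {
    $path = Join-Path -Path $env:SystemRoot -ChildPath 'system32\drivers\mrxsmb.sys'
    $vi = (Get-Item -LiteralPath $path).VersionInfo
    # Build the version from the numeric parts; the FileVersion string may carry a text suffix.
    New-Object -TypeName System.Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
}

# Constructed sample versions (not read from a real host) to exercise both branches
# and the out-of-scope case.
foreach ($v in '6.0.6000.16386', '6.0.6000.16586', '6.0.6000.20500', '6.0.6000.20709', '6.0.6001.18000') {
    $r = Test-Ms07063Vulnerable -FileVersion ([version]$v)
    $label = if ($null -eq $r) { 'not checked' } else { $r }
    '{0,-16} vulnerable: {1}' -f $v, $label
}

# On the host itself:
# Test-Ms07063Vulnerable -FileVersion (Get-MrxsmbFileVersion)
```

The branch split is the part worth copying into any home-grown patch audit: Windows keeps two version lines for the same file, and a patched GDR build carries a lower revision number than an unpatched LDR build, so the comparison has to be made against the threshold of the branch the file actually belongs to.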
| Field | Value |
|---|---|
| NASL family | Windows |
| NASL id | SMB_KB942624.NASL |
| description | The remote version of Windows contains a version of SMBv2 (Server Message Block) protocol that is affected by several vulnerabilities. An attacker may exploit these flaws to elevate his privileges and gain control of the remote host. |
| last seen | 2020-03-18 |
| modified | 2008-01-07 |
| plugin id | 29855 |
| published | 2008-01-07 |
| reporter | This script is Copyright (C) 2007-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
| source | https://www.tenable.com/plugins/nessus/29855 |
| title | MS07-063: Vulnerability in SMBv2 Could Allow Remote Code Execution (942624) (uncredentialed check) |
Oval

| Field | Value |
|---|---|
| accepted | 2008-02-04T10:16:28.689-05:00 |
| class | vulnerability |
| contributors | |
| definition_extensions | |
| description | Unspecified vulnerability in Server Message Block Version 2 (SMBv2) signing support in Microsoft Windows Vista allows remote attackers to force signature re-computation and execute arbitrary code via a crafted SMBv2 packet, aka "SMBv2 Signing Vulnerability." |
| family | windows |
| id | oval:org.mitre.oval:def:4208 |
| status | accepted |
| submitted | 2007-12-13T08:28:45 |
| title | Vulnerability in SMBv2 Could Allow Remote Code Execution |
| version | 40 |
Seebug

| Field | Value |
|---|---|
| bulletinFamily | exploit |
| id | SSV:2581 |
| last seen | 2017-11-19 |
| modified | 2007-12-13 |
| published | 2007-12-13 |
| reporter | Root |
| title | Windows Vista SMBv2 Signing Remote Code Execution Vulnerability (MS07-063) |

Description:

BUGTRAQ ID: 26777
CVE(CAN) ID: CVE-2007-5351

Microsoft Windows Vista is a widely used operating system released by Microsoft.

Windows Vista has a vulnerability in its handling of SMBv2 signing; a remote attacker could exploit it to tamper with SMB data.

Vista does not implement SMBv2 signing correctly, which may allow an attacker to modify SMBv2 packets and recompute the signature. An attacker who successfully exploits this vulnerability could tamper with data transmitted over SMBv2 and thereby execute code remotely in domain configurations that communicate over SMBv2. However, SMB signing is disabled by default on Vista.

Workaround for Microsoft Windows Vista:

* Disable SMBv2 by performing the following steps:

1. Create a .reg file with the following content:

```reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation]
; REG_MULTI_SZ "Bowser", "MRxSmb10", "NSI": the dependency list with MRxSmb20 removed
"DependOnService"=hex(7):42,00,6f,00,77,00,73,00,65,00,72,00,00,00,4d,00,52,\
  00,78,00,53,00,6d,00,62,00,31,00,30,00,00,00,4e,00,53,00,49,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"Smb2"=dword:00000000
```

2. Run the .reg file (double-click it).
3. Open a command prompt as administrator.
4. Run the following command:

```
sc config mrxsmb20 start= disabled
```

Vendor patch:

Microsoft has released security bulletin MS07-063 and the corresponding patch:

MS07-063: Vulnerability in SMBv2 Could Allow Remote Code Execution (942624)
Link: http://www.microsoft.com/technet/security/Bulletin/MS07-063.mspx?pf=true

Patch download:
http://www.microsoft.com/downloads/details.aspx?displaylang=zh-cn&FamilyID=9d22a9ee-cc08-4b2d-af4e-55d326f82761
http://www.microsoft.com/downloads/details.aspx?FamilyId=05a9501c-4da3-4fa1-901e-99cb262e5e36
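As an added example, not code from Seebug, Microsoft or Tenable, the following PowerShell applies the interim MS07-063 workaround from the Seebug entry above (disable SMBv2) without a .reg file, and adds a status check that can be run before and after. It writes exactly the registry values the .reg file contains and runs the same sc command; the function names, the use of the Win32_SystemDriver WMI class to read the driver's start type, and the requirement of an elevated PowerShell 2.0 or later prompt are assumptions made for this example.

```powershell
# Added example (not Microsoft's, Seebug's or Tenable's code): MS07-063 interim
# workaround, disabling SMBv2 on Windows Vista, plus a status check.
# Assumes an elevated PowerShell 2.0 or later prompt. A reboot is required before
# the driver start-type change takes effect.

$WksKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation'
$SrvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# The hex(7) blob in the .reg file decodes to this REG_MULTI_SZ: the workstation
# service's dependency list with MRxSmb20 (the SMBv2 redirector) removed.
$DependsWithoutSmb2 = @('Bowser', 'MRxSmb10', 'NSI')

function Disable-Smb2 {
    # Step 1 of the workaround: the two registry values from the .reg file.
    Set-ItemProperty -Path $WksKey -Name 'DependOnService' -Value $DependsWithoutSmb2 -Type MultiString
    if (-not (Test-Path -Path $SrvKey)) { New-Item -Path $SrvKey -Force | Out-Null }
    Set-ItemProperty -Path $SrvKey -Name 'Smb2' -Value 0 -Type DWord

    # Steps 3-4. Call sc.exe explicitly: in PowerShell a bare "sc" is the alias of
    # Set-Content. The space after "start=" is required by sc's argument syntax.
    & sc.exe config mrxsmb20 start= disabled | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }
}

function Get-Smb2Status {
    # Reads the three settings the workaround touches and reports them as one object.
    $depends = (Get-ItemProperty -Path $WksKey -Name 'DependOnService' -ErrorAction SilentlyContinue).DependOnService
    $smb2    = (Get-ItemProperty -Path $SrvKey -Name 'Smb2' -ErrorAction SilentlyContinue).Smb2
    $driver  = Get-WmiObject -Class Win32_SystemDriver -Filter "Name='mrxsmb20'"
    $startMode = 'NotInstalled'
    if ($driver) { $startMode = $driver.StartMode }

    New-Object -TypeName PSObject -Property @{
        WorkstationDependsOnSmb2 = [bool]($depends -contains 'MRxSmb20')
        ServerSmb2Enabled        = ($smb2 -ne 0)   # an absent value means SMBv2 on, the default
        RedirectorStartMode      = $startMode
        RedirectorLoaded         = [bool]($driver -and $driver.State -eq 'Running')
    }
}

function Test-Smb2Disabled {
    # $true once all three settings are in the workaround state (the driver may
    # still be loaded until the next reboot; see RedirectorLoaded).
    $s = Get-Smb2Status
    return ((-not $s.WorkstationDependsOnSmb2) -and (-not $s.ServerSmb2Enabled) -and ($s.RedirectorStartMode -eq 'Disabled'))
}

# Usage from an elevated prompt:
# Get-Smb2Status          # record the state before changing anything
# Disable-Smb2
# Test-Smb2Disabled
# Restart-Computer
```

This is a blunt control: with MRxSmb20 out of the dependency chain and Smb2 set to 0, every SMB session on the host negotiates down to SMBv1 in both directions, so it is only a stopgap until update 942624 is installed. Check RedirectorLoaded after applying it; the registry and service configuration can already report "disabled" while the old driver instance is still in memory.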
References
- http://secunia.com/advisories/27997
- http://www.kb.cert.org/vuls/id/520465
- http://www.securityfocus.com/archive/1/485268/100/0/threaded
- http://www.securityfocus.com/bid/26777
- http://www.securitytracker.com/id?1019072
- http://www.us-cert.gov/cas/techalerts/TA07-345A.html
- http://www.vupen.com/english/advisories/2007/4179
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2007/ms07-063
- https://exchange.xforce.ibmcloud.com/vulnerabilities/38725
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4208