Vulnerabilities > CVE-2008-4114 - Resource Management Errors vulnerability in Microsoft products
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
srv.sys in the Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via an SMB WRITE_ANDX packet with an offset that is inconsistent with the packet size, related to "insufficiently validating the buffer size," as demonstrated by a request to the \PIPE\lsarpc named pipe, aka "SMB Validation Denial of Service Vulnerability."
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| OS | 16 |
Common Weakness Enumeration (CWE)
Exploit-Db
| description | MS Windows WRITE_ANDX SMB command handling Kernel DoS (meta). CVE-2008-4114. Dos exploit for windows platform |
| file | exploits/windows/dos/6463.rb |
| id | EDB-ID:6463 |
| last seen | 2016-01-31 |
| modified | 2008-09-15 |
| platform | windows |
| port | |
| published | 2008-09-15 |
| reporter | Javier Vicente Vallejo |
| source | https://www.exploit-db.com/download/6463/ |
| title | Microsoft Windows - WRITE_ANDX SMB command handling Kernel DoS meta |
| type | dos |
Metasploit
| description | This module exploits a denial of service vulnerability in the SRV.SYS driver of the Windows operating system. This module has been tested successfully against Windows Vista. |
| id | MSF:AUXILIARY/DOS/WINDOWS/SMB/MS09_001_WRITE |
| last seen | 2020-01-04 |
| modified | 2017-07-24 |
| published | 2009-03-08 |
| references | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4114 |
| reporter | Rapid7 |
| source | https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/smb/ms09_001_write.rb |
| title | Microsoft SRV.SYS WriteAndX Invalid DataOffset |
Msbulletin
| bulletin_id | MS09-001 |
| bulletin_url | |
| date | 2009-01-13T00:00:00 |
| impact | Remote Code Execution |
| knowledgebase_id | 958687 |
| knowledgebase_url | |
| severity | Critical |
| title | Vulnerabilities in SMB Could Allow Remote Code Execution |
Nessus
NASL family Windows : Microsoft Bulletins NASL id SMB_NT_MS09-001.NASL description The remote host is affected by a memory corruption vulnerability in SMB that may allow an attacker to execute arbitrary code or perform a denial of service against the remote host. last seen 2020-06-01 modified 2020-06-02 plugin id 35361 published 2009-01-13 reporter This script is Copyright (C) 2009-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/35361 title MS09-001: Vulnerabilities in SMB Could Allow Remote Code Execution (958687) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(35361); script_version("1.34"); script_cvs_date("Date: 2018/11/15 20:50:30"); script_cve_id("CVE-2008-4834", "CVE-2008-4835", "CVE-2008-4114"); script_bugtraq_id(31179, 33121, 33122); script_xref(name:"MSFT", value:"MS09-001"); script_xref(name:"MSKB", value:"958687"); script_xref(name:"EDB-ID", value:"6463"); script_name(english:"MS09-001: Vulnerabilities in SMB Could Allow Remote Code Execution (958687)"); script_summary(english:"Determines the presence of update 958687"); script_set_attribute(attribute:"synopsis", value: "It may be possible to execute arbitrary code on the remote host due to a flaw in SMB."); script_set_attribute(attribute:"description", value: "The remote host is affected by a memory corruption vulnerability in SMB that may allow an attacker to execute arbitrary code or perform a denial of service against the remote host."); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-001"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-09-001/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-09-002/"); script_set_attribute(attribute:"solution", value: "Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_cwe_id(94, 119, 399); script_set_attribute(attribute:"vuln_publication_date", value:"2008/09/14"); script_set_attribute(attribute:"patch_publication_date", value:"2009/01/13"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/01/13"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc."); script_family(english:"Windows : Microsoft Bulletins"); script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, 'Host/patch_management_checks'); exit(0); } include("audit.inc"); include("smb_func.inc"); include("smb_hotfixes.inc"); include("smb_hotfixes_fcheck.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS09-001'; kb = "958687"; kbs = make_list(kb); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); get_kb_item_or_exit("SMB/Registry/Enumerated"); get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1); if (hotfix_check_sp_range(win2k:'4,5', xp:'2,3', win2003:'1,2', vista:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN); rootfile = hotfix_get_systemroot(); if (!rootfile) exit(1, "Failed to get the system root."); share = hotfix_path2share(path:rootfile); if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share); if ( hotfix_is_vulnerable(os:"6.0", sp:0, file:"Srv.sys", version:"6.0.6000.16789", dir:"\system32\drivers", bulletin:bulletin, kb:kb) || hotfix_is_vulnerable(os:"6.0", sp:0, file:"Srv.sys", version:"6.0.6000.20976", min_version:"6.0.6000.20000", dir:"\system32\drivers", bulletin:bulletin, kb:kb) || hotfix_is_vulnerable(os:"6.0", sp:1, file:"Srv.sys", version:"6.0.6001.18185", dir:"\system32\drivers", bulletin:bulletin, kb:kb) || hotfix_is_vulnerable(os:"6.0", sp:1, file:"Srv.sys", version:"6.0.6001.22331", min_version:"6.0.6001.20000", dir:"\system32\drivers", bulletin:bulletin, kb:kb) || hotfix_is_vulnerable(os:"5.2", sp:2, file:"Srv.sys", version:"5.2.3790.4425", dir:"\system32\drivers", bulletin:bulletin, kb:kb) || hotfix_is_vulnerable(os:"5.2", sp:1, file:"Srv.sys", version:"5.2.3790.3260", dir:"\system32\drivers", bulletin:bulletin, kb:kb) || hotfix_is_vulnerable(os:"5.1", sp:3, file:"Srv.sys", version:"5.1.2600.5725", dir:"\system32\drivers", bulletin:bulletin, kb:kb) || hotfix_is_vulnerable(os:"5.1", sp:2, file:"Srv.sys", version:"5.1.2600.3491", dir:"\system32\drivers", bulletin:bulletin, kb:kb) || hotfix_is_vulnerable(os:"5.0", file:"Srv.sys", version:"5.0.2195.7222", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ) { set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE); hotfix_security_hole(); hotfix_check_fversion_end(); exit(0); } else { hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, 'affected'); }NASL family Windows NASL id WIN_SERVER_2008_NTLM_PCI.NASL description According to the version number obtained by NTLM the remote host has Windows Server 2008 installed. The host may be vulnerable to a number of vulnerabilities including remote unauthenticated code execution. last seen 2020-06-01 modified 2020-06-02 plugin id 108811 published 2018-04-03 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/108811 title Windows Server 2008 Critical RCE Vulnerabilities (uncredentialed) (PCI/DSS)
Oval
accepted 2008-11-03T04:00:16.555-05:00 class vulnerability contributors name Chandan S organization SecPod Technologies name J. Daniel Brown organization DTCC
definition_extensions comment Microsoft Windows Vista (32-bit) is installed oval oval:org.mitre.oval:def:1282 comment Microsoft Windows Vista (32-bit) Service Pack 1 is installed oval oval:org.mitre.oval:def:4873
description srv.sys in the Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via an SMB WRITE_ANDX packet with an offset that is inconsistent with the packet size, related to "insufficiently validating the buffer size," as demonstrated by a request to the \PIPE\lsarpc named pipe, aka "SMB Validation Denial of Service Vulnerability." family windows id oval:org.mitre.oval:def:5262 status deprecated submitted 2008-09-18T18:44:44 title Microsoft Windows WRITE_ANDX SMB command handling Kernel DoS version 41 accepted 2009-03-09T04:00:09.929-04:00 class vulnerability contributors name Sudhir Gandhe organization Secure Elements, Inc. name Timothy Harrison organization National Institute of Standards and Technology
definition_extensions comment Microsoft Windows 2000 SP4 or later is installed oval oval:org.mitre.oval:def:229 comment Microsoft Windows XP (x86) SP2 is installed oval oval:org.mitre.oval:def:754 comment Microsoft Windows XP (x86) SP3 is installed oval oval:org.mitre.oval:def:5631 comment Microsoft Windows Server 2003 SP1 (x86) is installed oval oval:org.mitre.oval:def:565 comment Microsoft Windows Server 2003 SP2 (x86) is installed oval oval:org.mitre.oval:def:1935 comment Microsoft Windows Server 2003 SP1 (x64) is installed oval oval:org.mitre.oval:def:4386 comment Microsoft Windows XP Professional x64 Edition SP1 is installed oval oval:org.mitre.oval:def:720 comment Microsoft Windows Server 2003 SP2 (x64) is installed oval oval:org.mitre.oval:def:2161 comment Microsoft Windows XP x64 Edition SP2 is installed oval oval:org.mitre.oval:def:4193 comment Microsoft Windows Vista (32-bit) is installed oval oval:org.mitre.oval:def:1282 comment Microsoft Windows Vista (32-bit) is installed oval oval:org.mitre.oval:def:1282 comment Microsoft Windows Vista (32-bit) Service Pack 1 is installed oval oval:org.mitre.oval:def:4873 comment Microsoft Windows Server 2008 (32-bit) is installed oval oval:org.mitre.oval:def:4870 comment Microsoft Windows Vista (32-bit) Service Pack 1 is installed oval oval:org.mitre.oval:def:4873 comment Microsoft Windows Server 2008 (32-bit) is installed oval oval:org.mitre.oval:def:4870 comment Microsoft Windows Vista x64 Edition is installed oval oval:org.mitre.oval:def:2041 comment Microsoft Windows Vista x64 Edition is installed oval oval:org.mitre.oval:def:2041 comment Microsoft Windows Vista x64 Edition Service Pack 1 is installed oval oval:org.mitre.oval:def:5254 comment Microsoft Windows Server 2008 (64-bit) is installed oval oval:org.mitre.oval:def:5356 comment Microsoft Windows Vista x64 Edition Service Pack 1 is installed oval oval:org.mitre.oval:def:5254 comment Microsoft Windows Server 2008 (64-bit) is installed oval oval:org.mitre.oval:def:5356
description srv.sys in the Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via an SMB WRITE_ANDX packet with an offset that is inconsistent with the packet size, related to "insufficiently validating the buffer size," as demonstrated by a request to the \PIPE\lsarpc named pipe, aka "SMB Validation Denial of Service Vulnerability." family windows id oval:org.mitre.oval:def:6044 status accepted submitted 2009-01-13T13:07:00 title SMB Validation Denial of Service Vulnerability version 43
References
- http://www.securityfocus.com/bid/31179
- http://www.reversemode.com/index.php?option=com_content&task=view&id=54&Itemid=1
- http://www.vallejo.cc/proyectos/vista_SMB_write_DoS.htm
- http://www.securitytracker.com/id?1020887
- http://secunia.com/advisories/31883
- http://www.us-cert.gov/cas/techalerts/TA09-013A.html
- http://www.vupen.com/english/advisories/2008/2583
- https://exchange.xforce.ibmcloud.com/vulnerabilities/45146
- https://www.exploit-db.com/exploits/6463
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6044
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5262
- http://www.securityfocus.com/archive/1/496354/100/0/threaded
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-001