CVE-2008-4114 - Resource Management Errors vulnerability in Microsoft products

CVSS 7.1 - HIGH
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: COMPLETE

Tags: network, microsoft, CWE-399, nessus, exploit available, metasploit

Summary

srv.sys in the Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via an SMB WRITE_ANDX packet with an offset that is inconsistent with the packet size, related to "insufficiently validating the buffer size," as demonstrated by a request to the \PIPE\lsarpc named pipe, aka "SMB Validation Denial of Service Vulnerability."

Common Weakness Enumeration (CWE): CWE-399

Exploit-Db

description: MS Windows WRITE_ANDX SMB command handling Kernel DoS (meta). CVE-2008-4114. DoS exploit for Windows platform
file: exploits/windows/dos/6463.rb
id: EDB-ID:6463
last seen: 2016-01-31
modified: 2008-09-15
platform: windows
published: 2008-09-15
reporter: Javier Vicente Vallejo
source: https://www.exploit-db.com/download/6463/
title: Microsoft Windows - WRITE_ANDX SMB command handling Kernel DoS meta
type: dos

Metasploit

description: This module exploits a denial of service vulnerability in the SRV.SYS driver of the Windows operating system. This module has been tested successfully against Windows Vista.
id: MSF:AUXILIARY/DOS/WINDOWS/SMB/MS09_001_WRITE
last seen: 2020-01-04
modified: 2017-07-24
published: 2009-03-08
references: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4114
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/smb/ms09_001_write.rb
title: Microsoft SRV.SYS WriteAndX Invalid DataOffset

Msbulletin

bulletin_id: MS09-001
date: 2009-01-13T00:00:00
impact: Remote Code Execution
knowledgebase_id: 958687
severity: Critical
title: Vulnerabilities in SMB Could Allow Remote Code Execution

Nessus

  • NASL family: Windows : Microsoft Bulletins
    NASL id: SMB_NT_MS09-001.NASL
    description: The remote host is affected by a memory corruption vulnerability in SMB that may allow an attacker to execute arbitrary code or perform a denial of service against the remote host.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 35361
    published: 2009-01-13
    reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/35361
    title: MS09-001: Vulnerabilities in SMB Could Allow Remote Code Execution (958687)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
     script_id(35361);
     script_version("1.34");
     script_cvs_date("Date: 2018/11/15 20:50:30");
    
     script_cve_id("CVE-2008-4834", "CVE-2008-4835", "CVE-2008-4114");
     script_bugtraq_id(31179, 33121, 33122);
     script_xref(name:"MSFT", value:"MS09-001");
     script_xref(name:"MSKB", value:"958687");
     script_xref(name:"EDB-ID", value:"6463");
    
     script_name(english:"MS09-001: Vulnerabilities in SMB Could Allow Remote Code Execution (958687)");
     script_summary(english:"Determines the presence of update 958687");
    
     script_set_attribute(attribute:"synopsis", value:
    "It may be possible to execute arbitrary code on the remote host due to
    a flaw in SMB.");
     script_set_attribute(attribute:"description", value:
    "The remote host is affected by a memory corruption vulnerability in SMB
    that may allow an attacker to execute arbitrary code or perform a denial
    of service against the remote host.");
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-001");
     script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-09-001/");
     script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-09-002/");
     script_set_attribute(attribute:"solution", value:
    "Microsoft has released a set of patches for Windows 2000, XP, 2003,
    Vista and 2008.");
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
     script_set_attribute(attribute:"exploit_framework_core", value:"true");
     script_cwe_id(94, 119, 399);
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2008/09/14");
     script_set_attribute(attribute:"patch_publication_date", value:"2009/01/13");
     script_set_attribute(attribute:"plugin_publication_date", value:"2009/01/13");
    
     script_set_attribute(attribute:"plugin_type", value:"local");
     script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
    
     script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
     script_family(english:"Windows : Microsoft Bulletins");
    
     script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
     script_require_keys("SMB/MS_Bulletin_Checks/Possible");
     script_require_ports(139, 445, 'Host/patch_management_checks');
     exit(0);
    }
    
    
    include("audit.inc");
    include("smb_func.inc");
    include("smb_hotfixes.inc");
    include("smb_hotfixes_fcheck.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = 'MS09-001';
    kb = "958687";
    
    kbs = make_list(kb);
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(win2k:'4,5', xp:'2,3', win2003:'1,2', vista:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    rootfile = hotfix_get_systemroot();
    if (!rootfile) exit(1, "Failed to get the system root.");
    
    share = hotfix_path2share(path:rootfile);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if (
      hotfix_is_vulnerable(os:"6.0", sp:0, file:"Srv.sys", version:"6.0.6000.16789", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"6.0", sp:0, file:"Srv.sys", version:"6.0.6000.20976", min_version:"6.0.6000.20000", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"6.0", sp:1, file:"Srv.sys", version:"6.0.6001.18185", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"6.0", sp:1, file:"Srv.sys", version:"6.0.6001.22331", min_version:"6.0.6001.20000", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
    
      hotfix_is_vulnerable(os:"5.2", sp:2, file:"Srv.sys", version:"5.2.3790.4425", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"5.2", sp:1, file:"Srv.sys", version:"5.2.3790.3260", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
    
      hotfix_is_vulnerable(os:"5.1", sp:3, file:"Srv.sys", version:"5.1.2600.5725", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"5.1", sp:2, file:"Srv.sys", version:"5.1.2600.3491", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
    
      hotfix_is_vulnerable(os:"5.0", file:"Srv.sys", version:"5.0.2195.7222", dir:"\system32\drivers", bulletin:bulletin, kb:kb)
    )
    {
      set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, 'affected');
    }
    
  • NASL family: Windows
    NASL id: WIN_SERVER_2008_NTLM_PCI.NASL
    description: According to the version number obtained by NTLM, the remote host has Windows Server 2008 installed. The host may be vulnerable to a number of vulnerabilities, including remote unauthenticated code execution.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 108811
    published: 2018-04-03
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/108811
    title: Windows Server 2008 Critical RCE Vulnerabilities (uncredentialed) (PCI/DSS)

Oval

  • accepted: 2008-11-03T04:00:16.555-05:00
    class: vulnerability
    contributors:
    • name: Chandan S
      organization: SecPod Technologies
    • name: J. Daniel Brown
      organization: DTCC
    definition_extensions:
    • comment: Microsoft Windows Vista (32-bit) is installed
      oval: oval:org.mitre.oval:def:1282
    • comment: Microsoft Windows Vista (32-bit) Service Pack 1 is installed
      oval: oval:org.mitre.oval:def:4873
    description: srv.sys in the Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via an SMB WRITE_ANDX packet with an offset that is inconsistent with the packet size, related to "insufficiently validating the buffer size," as demonstrated by a request to the \PIPE\lsarpc named pipe, aka "SMB Validation Denial of Service Vulnerability."
    family: windows
    id: oval:org.mitre.oval:def:5262
    status: deprecated
    submitted: 2008-09-18T18:44:44
    title: Microsoft Windows WRITE_ANDX SMB command handling Kernel DoS
    version: 41
  • accepted: 2009-03-09T04:00:09.929-04:00
    class: vulnerability
    contributors:
    • name: Sudhir Gandhe
      organization: Secure Elements, Inc.
    • name: Timothy Harrison
      organization: National Institute of Standards and Technology
    definition_extensions:
    • comment: Microsoft Windows 2000 SP4 or later is installed
      oval: oval:org.mitre.oval:def:229
    • comment: Microsoft Windows XP (x86) SP2 is installed
      oval: oval:org.mitre.oval:def:754
    • comment: Microsoft Windows XP (x86) SP3 is installed
      oval: oval:org.mitre.oval:def:5631
    • comment: Microsoft Windows Server 2003 SP1 (x86) is installed
      oval: oval:org.mitre.oval:def:565
    • comment: Microsoft Windows Server 2003 SP2 (x86) is installed
      oval: oval:org.mitre.oval:def:1935
    • comment: Microsoft Windows Server 2003 SP1 (x64) is installed
      oval: oval:org.mitre.oval:def:4386
    • comment: Microsoft Windows XP Professional x64 Edition SP1 is installed
      oval: oval:org.mitre.oval:def:720
    • comment: Microsoft Windows Server 2003 SP2 (x64) is installed
      oval: oval:org.mitre.oval:def:2161
    • comment: Microsoft Windows XP x64 Edition SP2 is installed
      oval: oval:org.mitre.oval:def:4193
    • comment: Microsoft Windows Vista (32-bit) is installed
      oval: oval:org.mitre.oval:def:1282
    • comment: Microsoft Windows Vista (32-bit) Service Pack 1 is installed
      oval: oval:org.mitre.oval:def:4873
    • comment: Microsoft Windows Server 2008 (32-bit) is installed
      oval: oval:org.mitre.oval:def:4870
    • comment: Microsoft Windows Vista x64 Edition is installed
      oval: oval:org.mitre.oval:def:2041
    • comment: Microsoft Windows Vista x64 Edition Service Pack 1 is installed
      oval: oval:org.mitre.oval:def:5254
    • comment: Microsoft Windows Server 2008 (64-bit) is installed
      oval: oval:org.mitre.oval:def:5356
    description: srv.sys in the Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via an SMB WRITE_ANDX packet with an offset that is inconsistent with the packet size, related to "insufficiently validating the buffer size," as demonstrated by a request to the \PIPE\lsarpc named pipe, aka "SMB Validation Denial of Service Vulnerability."
    family: windows
    id: oval:org.mitre.oval:def:6044
    status: accepted
    submitted: 2009-01-13T13:07:00
    title: SMB Validation Denial of Service Vulnerability
    version: 43