Vulnerabilities > CVE-2010-0478 - Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Microsoft Windows 2000
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Stack-based buffer overflow in nsum.exe in the Windows Media Unicast Service in Media Services for Microsoft Windows 2000 Server SP4 allows remote attackers to execute arbitrary code via crafted packets associated with transport information, aka "Media Services Stack-based Buffer Overflow Vulnerability."
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| OS | 1 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Exploit-Db
| description | Windows Media Services ConnectFunnel Stack Buffer Overflow. CVE-2010-0478. Remote exploit for windows platform |
| id | EDB-ID:16333 |
| last seen | 2016-02-01 |
| modified | 2010-04-28 |
| published | 2010-04-28 |
| reporter | metasploit |
| source | https://www.exploit-db.com/download/16333/ |
| title | Windows Media Services ConnectFunnel Stack Buffer Overflow |
Metasploit
| description | This module exploits a stack buffer overflow in the Windows Media Unicast Service version 4.1.0.3930 (NUMS.exe). By sending a specially crafted FunnelConnect request, an attacker can execute arbitrary code under the "NetShowServices" user account. Windows Media Services 4.1 ships with Windows 2000 Server, but is not installed by default. NOTE: This service does NOT restart automatically. Successful, as well as unsuccessful exploitation attempts will kill the service which prevents additional attempts. |
| id | MSF:EXPLOIT/WINDOWS/MMSP/MS10_025_WMSS_CONNECT_FUNNEL |
| last seen | 2020-01-08 |
| modified | 2017-07-24 |
| published | 2010-04-17 |
| references | |
| reporter | Rapid7 |
| source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/mmsp/ms10_025_wmss_connect_funnel.rb |
| title | Windows Media Services ConnectFunnel Stack Buffer Overflow |
Msbulletin
| bulletin_id | MS10-025 |
| bulletin_url | |
| date | 2010-04-13T00:00:00 |
| impact | Remote Code Execution |
| knowledgebase_id | 980858 |
| knowledgebase_url | |
| severity | Critical |
| title | Vulnerability in Microsoft Windows Media Services Could Allow Remote Code Execution |
Nessus
NASL family Windows : Microsoft Bulletins NASL id SMB_NT_MS10-025.NASL description The version of Windows Media Services running on the remote host has a buffer overflow vulnerability. This issue is related to the way the Windows Media Unicast Service handles specially crafted transport information packets. A remote attacker could exploit this to execute arbitrary code. last seen 2020-06-01 modified 2020-06-02 plugin id 45512 published 2010-04-13 reporter This script is Copyright (C) 2010-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/45512 title MS10-025: Vulnerability in Microsoft Windows Media Services Could Allow Remote Code Execution (980858) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(45512); script_version("1.26"); script_cvs_date("Date: 2018/11/15 20:50:30"); script_cve_id("CVE-2010-0478"); script_bugtraq_id(39356); script_xref(name:"MSFT", value:"MS10-025"); script_xref(name:"MSKB", value:"980858"); script_name(english:"MS10-025: Vulnerability in Microsoft Windows Media Services Could Allow Remote Code Execution (980858)"); script_summary(english:"Checks the version of nsum.exe"); script_set_attribute( attribute:"synopsis", value:"The remote media service has a buffer overflow vulnerability." ); script_set_attribute( attribute:"description", value: "The version of Windows Media Services running on the remote host has a buffer overflow vulnerability. This issue is related to the way the Windows Media Unicast Service handles specially crafted transport information packets. A remote attacker could exploit this to execute arbitrary code." ); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-025"); script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows 2000."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Windows Media Services ConnectFunnel Stack Buffer Overflow'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"vuln_publication_date", value:"2010/04/13"); script_set_attribute(attribute:"patch_publication_date", value:"2010/04/13"); script_set_attribute(attribute:"plugin_publication_date", value:"2010/04/13"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows : Microsoft Bulletins"); script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc."); script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, 'Host/patch_management_checks'); exit(0); } include("audit.inc"); include("smb_func.inc"); include("smb_hotfixes.inc"); include("smb_hotfixes_fcheck.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS10-025'; kbs = make_list("980858"); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); get_kb_item_or_exit("SMB/Registry/Enumerated"); get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1); if (hotfix_check_sp_range(win2k:'4,5') <= 0) audit(AUDIT_OS_SP_NOT_VULN); rootfile = hotfix_get_systemroot(); if (!rootfile) exit(1, "Failed to get the system root."); share = hotfix_path2share(path:rootfile); if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share); kb = "980858"; if (hotfix_is_vulnerable(os:"5.0", file:"nsum.exe", version:"4.1.0.3939", dir:"\system32\windows media\server", bulletin:bulletin, kb:kb)) { set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE); hotfix_security_hole(); hotfix_check_fversion_end(); exit(0); } else { hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, 'affected'); }NASL family Windows NASL id SMB_KB_980858.NASL description The version of Windows Media Services running on the remote host is affected by a stack-based buffer overflow condition in the Unicast Service component due to improper sanitization of user-supplied input. An unauthenticated, remote attacker can exploit this, via specially crafted transport information packets, to execute arbitrary code. Note that Windows Media Services is not enabled by default on Windows 2000 Server. For the server to be vulnerable, it would have to be configured as a streaming media server by adding the Windows Media Services component in the Windows Components Wizard. last seen 2020-06-01 modified 2020-06-02 plugin id 46017 published 2010-04-27 reporter This script is Copyright (C) 2010-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/46017 title MS10-025: Vulnerability in Microsoft Windows Media Services Could Allow Remote Code Execution (980858) (uncredentialed check) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(46017); script_version("1.22"); script_cvs_date("Date: 2018/11/15 20:50:28"); script_cve_id("CVE-2010-0478"); script_bugtraq_id(39356); script_xref(name:"MSFT", value:"MS10-025"); script_xref(name:"MSKB", value:"980858"); script_name(english:"MS10-025: Vulnerability in Microsoft Windows Media Services Could Allow Remote Code Execution (980858) (uncredentialed check)"); script_summary(english:"Checks the version of Windows Media Services."); script_set_attribute(attribute:"synopsis", value: "The remote media service is affected by a remote code execution vulnerability."); script_set_attribute(attribute:"description", value: "The version of Windows Media Services running on the remote host is affected by a stack-based buffer overflow condition in the Unicast Service component due to improper sanitization of user-supplied input. An unauthenticated, remote attacker can exploit this, via specially crafted transport information packets, to execute arbitrary code. Note that Windows Media Services is not enabled by default on Windows 2000 Server. For the server to be vulnerable, it would have to be configured as a streaming media server by adding the Windows Media Services component in the Windows Components Wizard."); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-025"); script_set_attribute(attribute:"solution", value: "Microsoft has released a set of patches for Windows 2000."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Windows Media Services ConnectFunnel Stack Buffer Overflow'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"vuln_publication_date", value:"2010/04/13"); script_set_attribute(attribute:"patch_publication_date", value:"2010/04/13"); script_set_attribute(attribute:"plugin_publication_date", value:"2010/04/27"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows_2000"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc."); script_dependencies("windows_media_services_detect.nasl", "os_fingerprint.nasl"); script_exclude_keys("Host/not_windows"); script_require_keys("ms-streaming/1755/version"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); if (get_kb_item("SMB/not_windows")) audit(AUDIT_OS_NOT, "Windows"); os = get_kb_item_or_exit("Host/OS"); if ("Windows 2000" >!< os) audit(AUDIT_OS_NOT, "Windows 2000"); port = 1755; version = get_kb_item("ms-streaming/"+port+"/version"); if (isnull(version)) audit(AUDIT_NOT_LISTEN, 'Windows Media Services', port); fixed_version = "4.1.0.3939"; if (ver_compare(ver:version, fix:fixed_version) == -1) { report = '\n Installed version : ' + version + '\n Fixed version : ' + fixed_version + '\n'; security_report_v4(port:port, extra:report, severity:SECURITY_HOLE); } else audit(AUDIT_LISTEN_NOT_VULN, 'Windows Media Services', port, version);
Oval
| accepted | 2010-06-07T04:00:21.758-04:00 | ||||||||||||
| class | vulnerability | ||||||||||||
| contributors |
| ||||||||||||
| definition_extensions |
| ||||||||||||
| description | Stack-based buffer overflow in nsum.exe in the Windows Media Unicast Service in Media Services for Microsoft Windows 2000 Server SP4 allows remote attackers to execute arbitrary code via crafted packets associated with transport information, aka "Media Services Stack-based Buffer Overflow Vulnerability." | ||||||||||||
| family | windows | ||||||||||||
| id | oval:org.mitre.oval:def:7001 | ||||||||||||
| status | accepted | ||||||||||||
| submitted | 2010-03-13T13:00:00 | ||||||||||||
| title | Media Services Stack-based Buffer Overflow Vulnerability | ||||||||||||
| version | 39 |
Packetstorm
| data source | https://packetstormsecurity.com/files/download/88649/ms10_025_wmss_connect_funnel.rb.txt |
| id | PACKETSTORM:88649 |
| last seen | 2016-12-05 |
| published | 2010-04-19 |
| reporter | jduck |
| source | https://packetstormsecurity.com/files/88649/Windows-Media-Services-ConnectFunnel-Stack-Buffer-Overflow.html |
| title | Windows Media Services ConnectFunnel Stack Buffer Overflow |
Saint
| description | Windows Media Unicast Service transport information packet buffer overflow |
| id | win_patch_nsum |
| title | windows_media_unicast_transportinfo |
| type | remote |
Seebug
bulletinFamily exploit description BUGTRAQ ID: 39356 CVE ID: CVE-2010-0478 Microsoft Windows是微软发布的非常流行的操作系统。 Windows媒体单播服务(nsum.exe)处理传输信息网络报文的方式存在栈溢出漏洞。远程攻击者可以通过向运行可选Windows Media Services组件(非默认安装)的Windows 2000 Server SP4系统发送畸形报文触发这个溢出,导致执行任意代码。 Microsoft Windows 2000 Server SP4 临时解决方法: * 停止和禁用Windows媒体单播服务。 * 使用Windows组件向导卸载Windows Media Services组件。 厂商补丁: Microsoft --------- Microsoft已经为此发布了一个安全公告(MS10-025)以及相应补丁: MS10-025:Vulnerability in Microsoft Windows Media Services Could Allow Remote Code Execution (980858) 链接:http://www.microsoft.com/technet/security/bulletin/MS10-025.mspx?pf=true 补丁下载: http://www.microsoft.com/downloads/details.aspx?familyid=73B3D681-26BB-49C1-849E-1F72484CB978 id SSV:19457 last seen 2017-11-19 modified 2010-04-14 published 2010-04-14 reporter Root title Microsoft Windows nsum.exe服务远程栈溢出漏洞(MS10-025) bulletinFamily exploit description No description provided by source. id SSV:70850 last seen 2017-11-19 modified 2014-07-01 published 2014-07-01 reporter Root source https://www.seebug.org/vuldb/ssvid-70850 title Windows Media Services ConnectFunnel Stack Buffer Overflow