CVE-2011-1965 - Resource Management Errors vulnerability in Microsoft Windows 7 and Windows Server 2008

CVSS 7.1 - HIGH
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: COMPLETE

Tags: network, microsoft, CWE-399, nessus, exploit available

Summary

Tcpip.sys in the TCP/IP stack in Microsoft Windows 7 Gold and SP1 and Windows Server 2008 R2 and R2 SP1 does not properly implement URL-based QoS, which allows remote attackers to cause a denial of service (reboot) via a crafted URL to a web server, aka "TCP/IP QOS Denial of Service Vulnerability."

Vulnerable Configurations

Part  Description  Count
OS    Microsoft    7

Common Weakness Enumeration (CWE)

Exploit-Db

description: Windows - TCP/IP Stack Denial of Service (MS11-064). CVE-2011-1965. DoS exploit for the Windows platform
id: EDB-ID:17981
last seen: 2016-02-02
modified: 2011-10-15
published: 2011-10-15
reporter: Byoungyoung Lee
source: https://www.exploit-db.com/download/17981/
title: Windows - TCP/IP Stack Denial of Service MS11-064

Msbulletin

bulletin_id: MS11-064
date: 2011-08-09T00:00:00
impact: Denial of Service
knowledgebase_id: 2563894
severity: Important
title: Vulnerabilities in TCP/IP Stack Could Allow Denial of Service

Nessus

  • NASL family: Windows : Microsoft Bulletins
    NASL id: SMB_NT_MS11-064.NASL
    description: The TCP/IP stack in use on the remote Windows host is potentially affected by the following denial of service vulnerabilities: - By sending a sequence of specially crafted ICMP messages, an unauthenticated, remote attacker could cause the affected host to stop responding and automatically reboot. (CVE-2011-1871) - By sending a request with a specially crafted URL, an unauthenticated, remote attacker may be able to cause the affected host to stop responding and automatically reboot if it is serving web content and has URL-based QoS (Quality of Service) enabled. (CVE-2011-1965)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 55794
    published: 2011-08-09
    reporter: This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/55794
    title: MS11-064: Vulnerabilities in TCP/IP Stack Could Allow Denial of Service (2563894)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    
    if (description)
    {
      script_id(55794);
      script_version("1.15");
      script_cvs_date("Date: 2018/11/15 20:50:31");
    
      script_cve_id("CVE-2011-1871", "CVE-2011-1965");
      script_bugtraq_id(48987, 48990);
      script_xref(name:"EDB-ID", value:"17981");
      script_xref(name:"MSFT", value:"MS11-064");
      script_xref(name:"MSKB", value:"2563894");
    
      script_name(english:"MS11-064: Vulnerabilities in TCP/IP Stack Could Allow Denial of Service (2563894)");
      script_summary(english:"Checks version of tcpip.sys");
    
      script_set_attribute(
        attribute:"synopsis",
        value:"The remote Windows host is susceptible to denial of service attacks."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "The TCP/IP stack in use on the remote Windows host is potentially
    affected by the following denial of service vulnerabilities :
    
      - By sending a sequence of specially crafted ICMP
        messages, an unauthenticated, remote attacker could
        cause the affected host to stop responding and
        automatically reboot. (CVE-2011-1871)
    
      - By sending a request with a specially crafted URL, an
        unauthenticated, remote attacker may be able to cause
        the affected host to stop responding and automatically
        reboot if it is serving web content and has URL-based
        QoS (Quality of Service) enabled. (CVE-2011-1965)"
      );
      script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2011/ms11-064");
      script_set_attribute(
        attribute:"solution",
        value:
    "Microsoft has released a set of patches for Windows Vista, 2008, 7,
    and 2008 R2."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2011/08/09");
      script_set_attribute(attribute:"patch_publication_date", value:"2011/08/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/08/09");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");
    
      script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, 'Host/patch_management_checks');
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("smb_func.inc");
    include("misc_func.inc");
    
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = 'MS11-064';
    kb = "2563894";
    
    kbs = make_list(kb);
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(vista:'2', win7:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    rootfile = hotfix_get_systemroot();
    if (!rootfile) exit(1, "Failed to get the system root.");
    
    share = hotfix_path2share(path:rootfile);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if (
      # Windows 7 / 2008 R2
      hotfix_is_vulnerable(os:"6.1", sp:1, file:"tcpip.sys", version:"6.1.7601.21754", min_version:"6.1.7601.21000", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"6.1", sp:1, file:"tcpip.sys", version:"6.1.7601.17638", min_version:"6.1.7601.17000", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"6.1", sp:0, file:"tcpip.sys", version:"6.1.7600.20992", min_version:"6.1.7600.20000", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"6.1", sp:0, file:"tcpip.sys", version:"6.1.7600.16839", min_version:"6.1.7600.16000", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
    
      # Windows Vista / 2008
      hotfix_is_vulnerable(os:"6.0", sp:2, file:"tcpip.sys", version:"6.0.6002.22662", min_version:"6.0.6002.22000", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"6.0", sp:2, file:"tcpip.sys", version:"6.0.6002.18484", min_version:"6.0.6002.18000", dir:"\system32\drivers", bulletin:bulletin, kb:kb)
    )
    {
      set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
      hotfix_security_hole();
    
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, 'affected');
    }
    
  • NASL family: Windows
    NASL id: QOS_KB2563894.NASL
    description: The TCP/IP stack in use on the remote Windows host is potentially affected by a denial of service vulnerability. By sending a request with a specially crafted URL, an unauthenticated, remote attacker may be able to cause the affected host to stop responding and automatically reboot if it is serving web content and has URL-based QoS (Quality of Service) enabled.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 56044
    published: 2011-09-01
    reporter: This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/56044
    title: MS11-064: Vulnerabilities in TCP/IP Stack Could Allow Denial of Service (2563894) (uncredentialed check)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(56044);
      script_version("1.13");
      script_cvs_date("Date: 2019/03/06 18:38:55");
    
      script_cve_id("CVE-2011-1871", "CVE-2011-1965");
      script_bugtraq_id(48987, 48990);
      script_xref(name:"MSFT", value:"MS11-064");
      script_xref(name:"MSKB", value:"2563894");
    
      script_name(english:"MS11-064: Vulnerabilities in TCP/IP Stack Could Allow Denial of Service (2563894) (uncredentialed check)");
      script_summary(english:"Checks for the Differential Service Code Point (DSCP) value in reply.");
    
      script_set_attribute(attribute:"synopsis", value:"The remote Windows host is susceptible to denial of service attacks.");
      script_set_attribute(attribute:"description", value:
    "The TCP/IP stack in use on the remote Windows host is potentially
    affected by a denial of service vulnerability. By sending a request
    with a specially crafted URL, an unauthenticated, remote attacker may
    be able to cause the affected host to stop responding and
    automatically reboot if it is serving web content and has URL-based
    QoS (Quality of Service) enabled.");
      script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2011/ms11-064");
      script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows 7 and 2008 R2.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2011/08/09");
      script_set_attribute(attribute:"patch_publication_date", value:"2011/08/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/09/01");
    
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.");
    
      script_dependencies("http_version.nasl", "webmirror.nasl","os_fingerprint.nasl");
      script_exclude_keys("Settings/disable_cgi_scanning");
      script_require_keys("Settings/ParanoidReport");
    
      exit(0);
    }
    
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("byte_func.inc");
    include("http.inc");
    
    
    
    ##
    # get the Differentiated Services Code Point (DSCP) in the reply packet for a URL request
    #
    # @param url - requested URL path
    #
    # @return DSCP value, or NULL
    #
    ##
    function get_dscp(url, port)
    {
      local_var req,res, filter, dscp;
      local_var ret, soc,shost, sport, dhost, dport;
    
      soc = open_sock_tcp(port);
      if(! soc) exit(0, 'Failed to open port '+port+'.');
    
    
      shost = compat::this_host();
      sport = get_source_port(soc);
    
      dhost = get_host_ip();
      dport = port;
    
      req = 'GET '+url+ ' HTTP/1.1\r\n' +
            'Host: ' + dhost + '\r\n' +
            'Connection: keep-alive\r\n' +
            '\r\n';
    
    
    
      # first reply packet with data
      filter = 'tcp' +
             ' and src host ' + dhost + ' and src port '+dport+
             ' and dst host ' + shost + ' and dst port '+sport+
             ' and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)';
    
    
      res = send_capture(socket:soc, data: req,pcap_filter:filter);
    
      if(isnull(res))return NULL;
    
      dscp = getbyte(blob:res, pos:1) >> 2;
      #display('port:'+port+',dscp:'+dscp+',transport:'+get_port_transport(port)+',url:'+url+'\n');
    
      return dscp;
    }
    
    ##
    # gather a list (some) of URLs (directories) found by webmirror.nasl
    #
    # @param port - http port
    #
    # @return url list
    #
    #
    ##
    function gather_url_list(port)
    {
      local_var url_list,list;
    
      url_list = make_list();
    
      #
      # add directories found
      #
      list = get_kb_list('www/'+ port+ '/content/directories');
      if(! isnull(list))
        url_list = make_list(url_list, list);
    
      #
      # other possible sources
      #
    
      return url_list;
    }
    
    
    #
    # Main
    #
    
    if ( TARGET_IS_IPV6 ) exit(0, 'The target host is IPv6.');
    if(islocalhost())     exit(0, 'The target host is the local host.');
    
    # check for OS
    # URL-based QoS is only available on computers running Windows 7 or 2008 R2
    os = get_kb_item("Host/OS");
    if(! isnull(os))
    {
      if("Windows" >!< os) exit(0, 'Remote host OS is not Windows.');
    
      #
      # TODO:
      #   add future Windows versions
      if(! ("7" >< os || "2008 R2" >< os))
        exit(0, 'Remote host OS is not Windows 7 or Windows Server 2008 R2.');
    }
    else
      exit(0, 'Unable to determine remote host OS.');
    
    
    # check for IIS
    # only IIS supports QoS
    port = get_http_port(default:80);
    
    banner = get_http_banner(port:port);
    if(! isnull(banner))
    {
      if("IIS" >!< banner)
        exit(0, 'The HTTP server on port '+port+ ' does not appear to be Microsoft IIS.');
    }
    else
      exit(0, 'Failed to get http banner for port ' + port+'.');
    
    
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    
    url_list = gather_url_list(port:port);
    
    
    #
    # find a URL-based policy with DSCP > 0 and the "Include subdirectories and files" option enabled
    #
    # if the reply packet for some URLs has a DSCP>0, and some with DSCP=0
    # it probably means a URL-based QoS policy has been enabled.
    #
    test_url = NULL;
    count = 0;
    misses = 0;
    foreach url (url_list)
    {
    
      dscp = get_dscp(url:url, port:port);
      if(isnull(dscp)) continue;
    
      # test up to 100 URLs
      if(count++ > 100) break;
    
      if(dscp > 0)
      {
        # check for "Include subdirectories and files"
        subdir_url = url +'/PPP/QQQ';
        dscp = get_dscp(url:subdir_url, port:port);
        if(dscp > 0)
        {
          if(misses >0)
          {
            test_url = url;
            break;
          }
        }
    
      }
      else if(dscp == 0)  misses++;
    }
    
    
    if(isnull(test_url))
      exit(0, 'Could not find a suitable URL on the web server running on port '+port+' for testing.');
    
    
    need = 0x4000 - strlen(test_url);
    
    while(need >0)
    {
      if(need > 255) len = 255;
      else           len = need -1;
      test_url += '/'; need -= 1;
      test_url +=crap(data:'A',length:len); need -= len ;
    }
    
    #
    # check whether the webserver supports longer URL length
    #
    http_disable_keep_alive();
    res = http_send_recv3(method:'GET',port:port, item:test_url, exit_on_fail:TRUE);
    
    if(res[0] =~"HTTP/1\..* 414")
      exit(0, 'The web server on port '+port+' does not support a URL length of '+strlen(test_url)+'.');
    
    #
    # fill the kernel lookaside nonpaged memory with a URL that will most likely fail
    # a URL match test. This is done so because the same lookaside memory might be re-used
    # if the allocation length is less than 256 bytes in unicode. This memory might contain
    # a matched URL from runs of the URL-based QoS policy searcher above.
    #
    # allocation length is computed as:
    # alloc_len = (pPath - pUrl) + // distance btw the url path and the beginning of the url
    #                              // ie. http://some.host.name.com/url_path
    #
    #             url_path_len +
    #             sid_len; // seen 0x20
    #
    # if we specify url_path_len = 0x4000, it will be 0x8000 bytes in unicode;
    # the vulnerable function doubles the url_path_len, which becomes 0x10000, and because
    # url_path_len is an unsigned short, it wraps to 0.
    #
    #
    # the end result is that the path to compare with the one in the policy is:
    #
    # UNICODE_STRING url_path
    #
    # url_path.length = url_path.maxlength = 0x8000;
    # url_path.buffer = some_uninitialized_memory
    #
    #
    http_send_recv3(method:'GET',port:port, item:'/'+rand_str(length:20), exit_on_fail:TRUE);
    
    dscp = get_dscp(url:test_url, port:port);
    if(isnull(dscp))
      exit(1, 'Could not get the DSCP value in the reply packet.');
    
    if(dscp == 0)
      security_hole(port:port);
    else
      exit(0, 'The host appears to be patched.');
    
    

Oval

accepted: 2011-09-26T04:00:05.155-04:00
class: vulnerability
contributors:
  name: Josh Turpin
  organization: Symantec Corporation
definition_extensions:
  • comment: Microsoft Windows 7 (32-bit) is installed
    oval: oval:org.mitre.oval:def:6165
  • comment: Microsoft Windows 7 x64 Edition is installed
    oval: oval:org.mitre.oval:def:5950
  • comment: Microsoft Windows Server 2008 R2 x64 Edition is installed
    oval: oval:org.mitre.oval:def:6438
  • comment: Microsoft Windows Server 2008 R2 Itanium-Based Edition is installed
    oval: oval:org.mitre.oval:def:5954
  • comment: Microsoft Windows 7 (32-bit) Service Pack 1 is installed
    oval: oval:org.mitre.oval:def:12292
  • comment: Microsoft Windows 7 x64 Service Pack 1 is installed
    oval: oval:org.mitre.oval:def:12627
  • comment: Microsoft Windows Server 2008 R2 x64 Service Pack 1 is installed
    oval: oval:org.mitre.oval:def:12567
  • comment: Microsoft Windows Server 2008 R2 Itanium-Based Edition Service Pack 1 is installed
    oval: oval:org.mitre.oval:def:12583
description: Tcpip.sys in the TCP/IP stack in Microsoft Windows 7 Gold and SP1 and Windows Server 2008 R2 and R2 SP1 does not properly implement URL-based QoS, which allows remote attackers to cause a denial of service (reboot) via a crafted URL to a web server, aka "TCP/IP QOS Denial of Service Vulnerability."
family: windows
id: oval:org.mitre.oval:def:12318
status: accepted
submitted: 2011-08-10T13:00:00
title: TCP/IP QOS Denial of Service Vulnerability
version: 43

Packetstorm

data source: https://packetstormsecurity.com/files/download/105866/MS11-064.txt
id: PACKETSTORM:105866
last seen: 2016-12-05
published: 2011-10-16
reporter: Byoungyoung Lee
source: https://packetstormsecurity.com/files/105866/MS11-064-TCP-IP-Stack-Denial-Of-Service.html
title: MS11-064 TCP/IP Stack Denial Of Service

Seebug

  • bulletinFamily: exploit
    description: No description provided by source.
    id: SSV:23102
    last seen: 2017-11-19
    modified: 2011-10-16
    published: 2011-10-16
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-23102
    title: MS11-064 TCP/IP Stack Denial of Service
  • bulletinFamily: exploit
    description: Bugtraq ID: 48990 CVE ID: CVE-2011-1965. Microsoft Windows is a popular operating system. The TCP/IP stack (Tcpip.sys) contains an error when handling URLs: by constructing a specially crafted URL and sending a malicious request to a system that serves web content with URL-based QoS, an attacker can cause the system to stop responding or reboot. Affected: Microsoft Windows Server 2008 R2 x64 SP1, Microsoft Windows Server 2008 R2 x64 0, Microsoft Windows Server 2008 R2 Itanium SP1, Microsoft Windows Server 2008 R2 Itanium 0, Microsoft Windows 7 for x64-based Systems SP1, Microsoft Windows 7 for x64-based Systems 0, Microsoft Windows 7 for 32-bit Systems SP1, Microsoft Windows 7 for 32-bit Systems. Vendor solution: users can refer to the following vendor security bulletin for patch information: http://www.microsoft.com/technet/security/bulletin/ms11-064.mspx
    id: SSV:20824
    last seen: 2017-11-19
    modified: 2011-08-10
    published: 2011-08-10
    reporter: Root
    title: Microsoft Windows TCP/IP QOS Remote Denial of Service Vulnerability (CVE-2011-1965)