Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2004-2022 Tenable Network Security, Inc.SMB_NT_MS04-028.NASL
HistorySep 14, 2004 - 12:00 a.m.

MS04-028: Buffer Overrun in JPEG Processing (833987)

2004-09-1400:00:00
This script is Copyright (C) 2004-2022 Tenable Network Security, Inc.
www.tenable.com
66

9.3 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.957 High

EPSS

Percentile

99.4%

JSON

The remote host is running a version of Windows that is vulnerable to a buffer overrun attack when viewing a JPEG file which could allow an attacker to execute arbitrary code on the remote host.

To exploit this flaw, an attacker would need to send a malformed JPEG file to a user on the remote host and wait for him to open it using an affected Microsoft application.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(14724);
  script_version("1.55");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2004-0200");
  script_bugtraq_id(11173);
  script_xref(name:"CERT", value:"297462");
  script_xref(name:"MSFT", value:"MS04-028");
  script_xref(name:"MSKB", value:"833987");

  script_name(english:"MS04-028: Buffer Overrun in JPEG Processing (833987)");

  script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host.");
  script_set_attribute(attribute:"description", value:
"The remote host is running a version of Windows that is vulnerable to
a buffer overrun attack when viewing a JPEG file which could allow an
attacker to execute arbitrary code on the remote host.

To exploit this flaw, an attacker would need to send a malformed JPEG
file to a user on the remote host and wait for him to open it using an
affected Microsoft application.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2004/ms04-028");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows NT, 2000, XP and
2003.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2004/09/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2004/09/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/14");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2004-2022 Tenable Network Security, Inc.");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include("audit.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("smb_hotfixes_fcheck.inc");


include("misc_func.inc");
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS04-028';
kbs = make_list("833987");
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);


global_var report;

if (!get_kb_item("SMB/Registry/Enumerated")) exit(1, "KB 'SMB/Registry/Enumerated' not set to TRUE.");


if ( hotfix_check_sp(xp:2, win2003:1) > 0 )
{
if ( hotfix_missing(name:"KB833987") > 0 )
	{
	 {
 set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
 hotfix_security_hole();
 }
	exit(0);
	}
}

if ( ! thorough_tests ) audit(AUDIT_THOROUGH, code:0);

# Crawl through %ProgramFiles% to get the list of affected files
report = make_list();
function add_file(file, version)
{
 report = make_list(report, file + " (version " + version[0] + "." + version[1] + "." + version[2] + "." + version[3] + ")");
}


function get_dirs(basedir, level)
{
 local_var ret, subdirs, subsub, array;


 if(level > 3)
 	return NULL;

 subdirs = NULL;
 ret = FindFirstFile(pattern:basedir + "\*");
 if(isnull(ret))
 	return NULL;


 array = make_list();

 while ( ! isnull(ret[1]) )
 {
  array = make_list(array, basedir + "\" + ret[1]);
  subsub = NULL;
  if("." >!< ret[1])
  	subsub  = get_dirs(basedir:basedir + "\" + ret[1], level:level + 1);
  if(!isnull(subsub))
  {
  	if(isnull(subdirs))subdirs = make_list(subsub);
  	else	subdirs = make_list(subdirs, subsub);
  }

  ret = FindNextFile(handle:ret);
 }

 if(isnull(subdirs))
 	return array;
 else
 	return make_list(array, subdirs);
}



global_var port;
function list_gdiplus_files()
{
 local_var dir, dirs, gdi_plus_file, num_gdi_plus_files, programfiles, r, share;

 num_gdi_plus_files = 0;

 programfiles = hotfix_get_programfilesdir();
 if ( ! programfiles ) exit(1, "Failed to get the Program Files directory.");

 if(! smb_session_init()) audit(AUDIT_FN_FAIL, "smb_session_init");

 dir = ereg_replace(pattern:"^[A-Za-z]:\\(.*)", replace:"\1", string:programfiles);
 share = ereg_replace(pattern:"^([A-Za-z]):\\.*", replace:"\1$", string:programfiles);
 gdi_plus_file = NULL;

 r = NetUseAdd(login:kb_smb_login(), password:kb_smb_password(), domain:kb_smb_domain(), share:share);
 if ( r != 1 )
 {
    NetUseDel();
    audit(AUDIT_SHARE_FAIL,share);
 }
 dirs = get_dirs(basedir:dir, level:0);
 foreach dir (dirs)
   {
    if(ereg(pattern:"\\(gdiplus|mso)\.dll", string:dir, icase:TRUE))
    {
     if(isnull(gdi_plus_file)) gdi_plus_file = make_list(dir);
     else gdi_plus_file = make_list(gdi_plus_file, dir);
     num_gdi_plus_files ++;
     if (num_gdi_plus_files >= 10 )
     {
      return gdi_plus_file;
     }
    }
   }
  return(gdi_plus_file);
}

function CheckVersion(file)
{
 local_var i, handle, v;
 handle = CreateFile (file:file, desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL, share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
 if(!isnull(handle))
 {
  v = GetFileVersion(handle:handle);
  CloseFile(handle:handle);
  if ( ! v ) return 0;
  if ( egrep(pattern:"gdiplus\.dll", icase:TRUE, string:file) )
   {
     # Older than 5.x or 5.1
     if ( v[0] < 5 || v[0] == 5 && v[1] < 1 ) add_file(file:file, version:v);
     # < 5.1.310.1355
     else if ( v[0] == 5 && v[1] == 1 && ( v[2] < 3102 || (v[2] == 3102 && v[3] < 1355 ))) add_file(file:file, version:v);
     # < 5.2.3790.136
     else if ( v[0] == 5 && v[1] == 2 && ( v[2] < 3790 || (v[2] == 3790 && v[3] < 136  ))) add_file(file:file, version:v);
     # < 6.0.3264.0
     else if ( v[0] == 6 && v[1] == 0 && v[2] < 3264 ) add_file(file:file, version:v);
   }
   else if ( egrep(pattern:"mso\.dll", icase:TRUE, string:file) )
   {
     # Older than 10.0.6714
     if ( v[0] < 10 || (v[0] == 10 && v[1] == 0 && v[2] < 6714 )) add_file(file:file, version:v);
   }
 }
}


#
# Here we go
#


port = kb_smb_transport();
login = kb_smb_login();
pass =  kb_smb_password();
dom = kb_smb_domain();

files = list_gdiplus_files();
if(!isnull(files))
 {
  foreach f (files)
  {
   if ( "\Macromedia\" >!< f ) CheckVersion(file:f);
  }
}


NetUseDel();

flag = 0;
foreach file (report)
{
 flag ++;
 str += file + '\n';
}


kb       = '833987';

if ( flag > 0 )
{
 report = string (
   "The following files need to be updated :\n\n",
   str
 );
 hotfix_add_report(report, bulletin:bulletin, kb:kb);
 {
 set_kb_item(name:"SMB/Missing/MS04-028", value:TRUE);
 hotfix_security_hole();
 }
}
VendorProductVersionCPE
microsoftwindowscpe:/o:microsoft:windows

Related

nessus 2
nvd 1
cve 1
securityvulns 2
checkpoint_advisories 2
cvelist 1
cert 1
nessus
nessus
MS04-028 Exploitation Backdoor Account Detection
2004-09-24 00:00:00
Radmin (Remote Administrator) Port 10002 - Possible GDI Compromise
2004-09-28 00:00:00
nvd
nvd
CVE-2004-0200
2004-09-28 04:00:00
cve
cve
CVE-2004-0200
2004-09-28 04:00:00
securityvulns
securityvulns
Microsoft Security Bulletin MS04-028 Buffer Overrun in JPEG Processing &#40;GDI+&#41; Could Allow Code Execution &#40;833987&#41;
2004-09-15 00:00:00
US-CERT Technical Cyber Security Alert TA04-260A -- Microsoft Windows JPEG component buffer overflow
2004-09-17 00:00:00
checkpoint_advisories
checkpoint_advisories
Microsoft Windows GDI JPEG Processing Buffer Overrun (MS04-028; CVE-2004-0200)
2005-03-27 00:00:00
Microsoft Windows GDI JPEG Processing Buffer Overrun (MS04-028) - Ver2 (CVE-2004-0200)
2014-03-03 00:00:00
cvelist
cvelist
CVE-2004-0200
2004-09-17 04:00:00
cert
cert
Microsoft Windows GDI+ contains a buffer overflow vulnerability in the JPEG parsing component
2004-09-14 00:00:00

9.3 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.957 High

EPSS

Percentile

99.4%

JSON
Related for SMB_NT_MS04-028.NASL
nessus2nvd1cve1securityvulns2checkpoint_advisories2cvelist1cert1