Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.SMB_NT_MS05-048.NASL
HistoryOct 11, 2005 - 12:00 a.m.

MS05-048: Vulnerability in the Microsoft Collaboration Data Objects Could Allow Remote Code Execution (907245)

2005-10-1100:00:00
This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
www.tenable.com
14

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.901 High

EPSS

Percentile

98.8%

JSON

An unchecked buffer condition could allow an attacker to execute arbitrary code on the remote host.

To execute this flaw, an attacker would need to send a malformed message via SMTP to the remote host, either by using the SMTP server (if Exchange is installed) or by sending an email to a user on the remote host.

When the email is processed by CDO, an unchecked buffer may allow cause code execution.

#
# Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(20001);
 script_version("1.33");
 script_cvs_date("Date: 2018/11/15 20:50:29");

 script_cve_id("CVE-2005-1987");
 script_bugtraq_id(15067);
 script_xref(name:"MSFT", value:"MS05-048");
 script_xref(name:"CERT", value:"883460");
 script_xref(name:"MSKB", value:"901017");
 script_xref(name:"MSKB", value:"906780");

 script_name(english:"MS05-048: Vulnerability in the Microsoft Collaboration Data Objects Could Allow Remote Code Execution (907245)");
 script_summary(english:"Determines the presence of update 907245");

 script_set_attribute(attribute:"synopsis", value:
"A flaw in the Microsoft Collaboration Data Object could allow an
attacker to execute arbitrary code on the remote host.");
 script_set_attribute(attribute:"description", value:
"An unchecked buffer condition could allow an attacker to execute
arbitrary code on the remote host.

To execute this flaw, an attacker would need to send a malformed message
via SMTP to the remote host, either by using the SMTP server (if
Exchange is installed) or by sending an email to a user on the remote
host.

When the email is processed by CDO, an unchecked buffer may allow cause
code execution.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2005/ms05-048");
 script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows 2000, XP and
2003.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"false");

 script_set_attribute(attribute:"vuln_publication_date", value:"2005/10/11");
 script_set_attribute(attribute:"patch_publication_date", value:"2005/10/11");
 script_set_attribute(attribute:"plugin_publication_date", value:"2005/10/11");

 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");

 script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");
 script_require_ports(139, 445, 'Host/patch_management_checks');
 exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS05-048';
kbs = make_list("901017", "906780");
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(win2k:'4,5', xp:'1,2', win2003:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);


vuln = 0;

kb = '901017';
if (
  hotfix_is_vulnerable(os:"5.2", sp:0, file:"cdosys.dll", version:"6.5.6749.0", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.2", sp:1, file:"cdosys.dll", version:"6.5.6756.0", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:1, file:"cdosys.dll", version:"6.1.1002.0", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:2, file:"cdosys.dll", version:"6.2.4.0", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.0", file:"cdosys.dll", version:"6.1.3940.42", dir:"\system32", bulletin:bulletin, kb:kb)
) vuln++;


kb = '906780';
version = get_kb_item("SMB/Exchange/Version");
if (version == 60)
{
  sp = get_kb_item("SMB/Exchange/SP");
  if (sp && sp >= 4) exit(0, "The host has Exchange 2000 SP "+sp+" and is not affected.");

  path = get_kb_item("SMB/Exchange/Path");
  if (!path) exit(1, "Failed to get the installation directory of Exchange 2000.");

  share = hotfix_path2share(path:path);
  if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

  path = path + "\bin";
  if (hotfix_check_fversion(path:path, file:"cdoex.dll", version:"6.0.6617.86", bulletin:bulletin, kb:kb) == HCF_OLDER) vuln++;
}


if (vuln)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}
VendorProductVersionCPE
microsoftwindowscpe:/o:microsoft:windows

Related

nvd 1
checkpoint_advisories 1
securityvulns 2
cvelist 1
cve 1
cert 1
nvd
nvd
CVE-2005-1987
2005-10-13 10:02:00
checkpoint_advisories
checkpoint_advisories
Microsoft Collaboration Data Objects Buffer Overflow (MS05-048; CVE-2005-1987)
2011-04-27 00:00:00
securityvulns
securityvulns
[SEC-1 Advisory] Collaboration Data Objects Buffer Overflow Vulnerability
2005-10-13 00:00:00
Microsoft Security Bulletin MS05-048 Vulnerability in the Microsoft Collaboration Data Objects Could Allow Remote Code Execution &#40;907245&#41;
2005-10-12 00:00:00
cvelist
cvelist
CVE-2005-1987
2005-10-13 04:00:00
cve
cve
CVE-2005-1987
2005-10-13 10:02:00
cert
cert
Microsoft Collaboration Data Objects buffer overflow
2005-10-11 00:00:00

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.901 High

EPSS

Percentile

98.8%

JSON
Related for SMB_NT_MS05-048.NASL
nvd1checkpoint_advisories1securityvulns2cvelist1cve1cert1