Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nmapRon Bowes, Jiayi Ye, Paulino Calderon <calderon()websec.mx>NMAP:SMB-VULN-MS06-025.NSE
HistoryOct 03, 2015 - 6:07 a.m.

smb-vuln-ms06-025 NSE Script

2015-10-0306:07:49
Ron Bowes, Jiayi Ye, Paulino Calderon <calderon()websec.mx>
nmap.org
225

EPSS

0.973

Percentile

99.9%

JSON

Detects Microsoft Windows systems with Ras RPC service vulnerable to MS06-025.

MS06-025 targets the RasRpcSumbitRequest() RPC method which is a part of RASRPC interface that serves as a RPC service for configuring and getting information from the Remote Access and Routing service. RASRPC can be accessed using either “\ROUTER” SMB pipe or the “\SRVSVC” SMB pipe (usually on Windows XP machines). This is in RPC world known as “ncan_np” RPC transport. RasRpcSumbitRequest() method is a generic method which provides different functionalities according to the RequestBuffer structure and particularly the RegType field within that structure. RegType field is of enum ReqTypes type. This enum type lists all the different available operation that can be performed using the RasRpcSubmitRequest() RPC method. The one particular operation that this vuln targets is the REQTYPE_GETDEVCONFIG request to get device information on the RRAS.

This script was previously part of smb-check-vulns.

Script Arguments

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

randomseed, smbbasic, smbport, smbsign

See the documentation for the smb library.

vulns.short, vulns.showall

See the documentation for the vulns library.

Example Usage

nmap --script smb-vuln-ms06-025.nse -p445 &lt;host&gt;
nmap -sU --script smb-vuln-ms06-025.nse -p U:137,T:139 &lt;host&gt;

Script Output

| smb-vuln-ms06-025:
|   VULNERABLE:
|   RRAS Memory Corruption vulnerability (MS06-025)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2006-2370
|           A buffer overflow vulnerability in the Routing and Remote Access service (RRAS) in Microsoft Windows 2000 SP4, XP SP1
|           and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to
|           execute arbitrary code via certain crafted "RPC related requests" aka the "RRAS Memory Corruption Vulnerability."
|
|     Disclosure date: 2006-6-27
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms06-025.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2370

Requires

local msrpc = require "msrpc"
local smb = require "smb"
local stdnse = require "stdnse"
local vulns = require "vulns"
local rand = require "rand"

description = [[
Detects Microsoft Windows systems with Ras RPC service vulnerable to MS06-025.

MS06-025 targets the <code>RasRpcSumbitRequest()</code> RPC method which is
a part of RASRPC interface that serves as a RPC service for configuring and
getting information from the Remote Access and Routing service. RASRPC can be
accessed using either "\ROUTER" SMB pipe or the "\SRVSVC" SMB pipe (usually on Windows XP machines).
This is in RPC world known as "ncan_np" RPC transport. <code>RasRpcSumbitRequest()</code>
method is a generic method which provides different functionalities according
to the <code>RequestBuffer</code> structure and particularly the <code>RegType</code> field within that
structure. <code>RegType</code> field is of <code>enum ReqTypes</code> type. This enum type lists all
the different available operation that can be performed using the <code>RasRpcSubmitRequest()</code>
RPC method. The one particular operation that this vuln targets is the <code>REQTYPE_GETDEVCONFIG</code>
request to get device information on the RRAS.

This script was previously part of smb-check-vulns.
]]
---
--@usage
-- nmap --script smb-vuln-ms06-025.nse -p445 <host>
-- nmap -sU --script smb-vuln-ms06-025.nse -p U:137,T:139 <host>
--
--@output
--| smb-vuln-ms06-025:
--|   VULNERABLE:
--|   RRAS Memory Corruption vulnerability (MS06-025)
--|     State: VULNERABLE
--|     IDs:  CVE:CVE-2006-2370
--|           A buffer overflow vulnerability in the Routing and Remote Access service (RRAS) in Microsoft Windows 2000 SP4, XP SP1
--|           and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to
--|           execute arbitrary code via certain crafted "RPC related requests" aka the "RRAS Memory Corruption Vulnerability."
--|
--|     Disclosure date: 2006-6-27
--|     References:
--|       https://technet.microsoft.com/en-us/library/security/ms06-025.aspx
--|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2370
---

author = {"Ron Bowes", "Jiayi Ye", "Paulino Calderon <calderon()websec.mx>"}
copyright = "Ron Bowes"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"intrusive","exploit","dos","vuln"}
-- run after all smb-* scripts (so if it DOES crash something, it doesn't kill
-- other scans have had a chance to run)
dependencies = {
  "smb-brute", "smb-enum-sessions", "smb-security-mode",
  "smb-enum-shares", "smb-server-stats",
  "smb-enum-domains", "smb-enum-users", "smb-system-info",
  "smb-enum-groups", "smb-os-discovery", "smb-enum-processes",
  "smb-psexec",
};

hostrule = function(host)
  return smb.get_port(host) ~= nil
end

local VULNERABLE = 1
local PATCHED    = 2
local UNKNOWN    = 3
local NOTUP      = 8

---Check the existence of ms06_025 vulnerability in Microsoft Remote Routing
--and Access Service. This check is not safe as it crashes the RRAS service and
--its dependencies.
--@param host Host object.
--@return (status, result)
--* <code>status == false</code> -> <code>result == NOTUP</code> which designates
--that the targeted Ras RPC service is not active.
--* <code>status == true</code> ->
-- ** <code>result == VULNERABLE</code> for vulnerable.
-- ** <code>result == PATCHED</code> for not vulnerable.
function check_ms06_025(host)
  --create the SMB session
  --first we try with the "\router" pipe, then the "\srvsvc" pipe.
  local status, smb_result, smbstate, err_msg
  status, smb_result = msrpc.start_smb(host, msrpc.ROUTER_PATH)
  if(status == false) then
    err_msg = smb_result
    status, smb_result = msrpc.start_smb(host, msrpc.SRVSVC_PATH) --rras is also accessible across SRVSVC pipe
    if(status == false) then
      return false, NOTUP --if not accessible across both pipes then service is inactive
    end
  end
  smbstate = smb_result
  --bind to RRAS service
  local bind_result
  status, bind_result = msrpc.bind(smbstate, msrpc.RASRPC_UUID, msrpc.RASRPC_VERSION, nil)
  if(status == false) then
    msrpc.stop_smb(smbstate)
    return false, UNKNOWN --if bind operation results with a false status we can't conclude anything.
  end
  if(bind_result['ack_result'] == 0x02) then --0x02 == PROVIDER_REJECTION
    msrpc.stop_smb(smbstate)
    return false, NOTUP --if bind operation results with true but PROVIDER_REJECTION, then the service is inactive.
  end
  local req, buff, sr_result
  req = msrpc.RRAS_marshall_RequestBuffer(
    0x01,
    msrpc.RRAS_RegTypes['GETDEVCONFIG'],
    rand.random_string(3000, "0123456789abcdefghijklmnoprstuvzxwyABCDEFGHIJKLMNOPRSTUVZXWY"))
  status, sr_result = msrpc.RRAS_SubmitRequest(smbstate, req)
  msrpc.stop_smb(smbstate)
  --sanity check
  if(status == false) then
    stdnse.debug3("check_ms06_025: RRAS_SubmitRequest failed")
    if(sr_result == "NT_STATUS_PIPE_BROKEN") then
      return true, VULNERABLE
    else
      return true, PATCHED
    end
  else
    return true, PATCHED
  end
end

action = function(host)
  local status, result, message
  local response = {}
  local vuln_report = vulns.Report:new(SCRIPT_NAME, host)
  local vuln_table = {
    title = 'RRAS Memory Corruption vulnerability (MS06-025)',
    state = vulns.STATE.NOT_VULN,
    description = [[
    A buffer overflow vulnerability in the Routing and Remote Access service (RRAS) in Microsoft Windows 2000 SP4, XP SP1
    and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to
    execute arbitrary code via certain crafted "RPC related requests" aka the "RRAS Memory Corruption Vulnerability."
    ]],
    IDS = {CVE = 'CVE-2006-2370'},
    references = {
      'https://technet.microsoft.com/en-us/library/security/ms06-025.aspx'
    },
    dates = {
      disclosure = {year = '2006', month = '6', day = '27'},
    }
  }

  -- Check for ms06-025
  status, result = check_ms06_025(host)
  if(status == false) then
    if(result == NOTUP) then
      vuln_table.extra_info = "Ras RPC service is not enabled."
      vuln_table.state = vulns.STATE.NOT_VULN
    else
      vuln_table.state = vulns.STATE.NOT_VULN
    end
  else
    if(result == VULNERABLE) then
      vuln_table.state = vulns.STATE.VULN
    elseif(result == NOTUP) then
      vuln_table.extra_info = "Ras RPC service is not enabled."
      vuln_table.state = vulns.STATE.NOT_VULN
   else
      vuln_table.state = vulns.STATE.NOT_VULN
    end
  end
  return vuln_report:make_output(vuln_table)
end

Related

nmap 199
nmap
nmap
http-cisco-anyconnect NSE Script
2014-05-26 01:28:38
ftp-proftpd-backdoor NSE Script
2010-12-07 00:22:01
http-iis-webdav-vuln NSE Script
2009-05-20 00:43:30

EPSS

0.973

Percentile

99.9%

JSON
Related for NMAP:SMB-VULN-MS06-025.NSE
nmap199