Lucene search
Copyright (C) 2008 Greenbone AGOPENVAS:1361412562310900056HistoryOct 30, 2008 - 12:00 a.m.
Vulnerability in Server Service Could Allow Remote Code Execution (958644)
2008-10-3000:00:00
Copyright (C) 2008 Greenbone AG
plugins.openvas.org
29
CVSS2
10
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
AI Score
9.5
Confidence
High
EPSS
0.975
Percentile
100.0%
This host is missing a critical security update according to
Microsoft Bulletin MS08-067.
# SPDX-FileCopyrightText: 2008 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only
#############################################################################
# Based on the work of Tim Brown <[email protected]> as published
# here, http://www.nth-dimension.org.uk/blog.php?id=72
############################################################################
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.900056");
script_version("2023-07-21T05:05:22+0000");
script_cve_id("CVE-2008-4250");
script_tag(name:"last_modification", value:"2023-07-21 05:05:22 +0000 (Fri, 21 Jul 2023)");
script_tag(name:"creation_date", value:"2008-10-30 14:46:44 +0100 (Thu, 30 Oct 2008)");
script_tag(name:"cvss_base", value:"10.0");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_copyright("Copyright (C) 2008 Greenbone AG");
script_category(ACT_DENIAL);
script_family("Windows : Microsoft Bulletins");
script_name("Vulnerability in Server Service Could Allow Remote Code Execution (958644)");
script_dependencies("os_detection.nasl", "smb_nativelanman.nasl", "netbios_name_get.nasl");
script_require_ports(139, 445);
script_mandatory_keys("Host/runs_windows");
script_exclude_keys("SMB/samba");
script_xref(name:"URL", value:"http://www.kb.cert.org/vuls/id/827267");
script_xref(name:"URL", value:"http://www.securityfocus.com/bid/31874");
script_xref(name:"URL", value:"http://xforce.iss.net/xforce/xfdb/46040");
script_xref(name:"URL", value:"http://www.securitytracker.com/id?1021091");
script_xref(name:"URL", value:"http://blogs.securiteam.com/index.php/archives/1150");
script_xref(name:"URL", value:"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-067");
script_xref(name:"URL", value:"https://web.archive.org/web/20170817031417/https://technet.microsoft.com/en-us/security/dd452420.aspx");
script_tag(name:"affected", value:"- Microsoft Windows 2K Service Pack 4 and prior
- Microsoft Windows XP Service Pack 3 and prior
- Microsoft Windows 2003 Service Pack 2 and prior");
script_tag(name:"insight", value:"Flaw is due to an error in the Server Service, that does not properly
handle specially crafted RPC requests.");
script_tag(name:"solution", value:"The vendor has released updates. Please see the references for more information.");
script_tag(name:"summary", value:"This host is missing a critical security update according to
Microsoft Bulletin MS08-067.");
script_tag(name:"impact", value:"Successful exploitation could allow remote attackers to take
complete control of an affected system.
Variants of Conficker worm are based on the above described vulnerability.
More details regarding the worm and means to resolve this can be found at,
the linked references.");
script_tag(name:"qod_type", value:"remote_analysis");
script_tag(name:"solution_type", value:"VendorFix");
exit(0);
}
include("smb_nt.inc");
include("host_details.inc");
if(kb_smb_is_samba())
exit(0);
name = kb_smb_name();
port = kb_smb_transport();
soc = open_sock_tcp(port);
if(!soc)
exit(0);
r = smb_session_request(soc:soc, remote:name);
if(!r) {
close(soc);
exit(0);
}
prot = smb_neg_prot(soc:soc);
if(!prot) {
close(soc);
exit(0);
}
login = kb_smb_login();
if(!login)
login = "";
pass = kb_smb_password();
if(!pass)
pass = "";
domain = kb_smb_domain();
r = smb_session_setup(soc:soc, login:login, password:pass, domain:domain, prot:prot);
if(!r) {
close(soc);
exit(0);
}
uid = session_extract_uid(reply:r);
if(!uid) {
close(soc);
exit(0);
}
r = smb_tconx(soc:soc, uid:uid, share:"IPC$", name:name);
if(!r) {
close(soc);
exit(0);
}
tid = tconx_extract_tid(reply:r);
if(!tid) {
close(soc);
exit(0);
}
tid_high = tid / 256;
tid_low = tid % 256;
uid_high = uid / 256;
uid_low = uid % 256;
## SMB NT Create AndX Request, Path: \browser
smb_nt_andx_req = raw_string(0x00, 0x00, 0x00, 0x66, 0xff, 0x53, 0x4d, 0x42,
0xa2, 0x00, 0x00, 0x00, 0x00, 0x18, 0x03, 0xc8,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, tid_low, tid_high, 0xd9,
0x46, uid_low, uid_high, 0x00, 0x01, 0x18, 0xff,
0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x16, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x9f, 0x01,
0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00,
0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00,
0x40, 0x00, 0x02, 0x00, 0x00, 0x00, 0x03, 0x13,
0x00, 0x00, 0x5c, 0x00, 0x62, 0x00, 0x72, 0x00,
0x6f, 0x00, 0x77, 0x00, 0x73, 0x00, 0x65, 0x00,
0x72, 0x00, 0x00, 0x00);
send(socket:soc, data:smb_nt_andx_req);
smb_nt_andx_resp = smb_recv(socket:soc);
if(!smb_nt_andx_resp || strlen(smb_nt_andx_resp) < 107) {
close(soc);
exit(0);
}
fid_low = ord(smb_nt_andx_resp[42]);
fid_high = ord(smb_nt_andx_resp[43]);
## DCERPC Bind: call_id: 0 SRVSVC V3.0
dcerpc_bind_srvsvc_req = raw_string(0x00, 0x00, 0x00, 0x88, 0xff, 0x53, 0x4d,
0x42, 0x2f, 0x00, 0x00, 0x00, 0x00, 0x18,
0x03, 0xc8, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
tid_low, tid_high, 0xd9, 0x46, uid_low,
uid_high, 0x40, 0x01, 0x0e, 0xff, 0x00,
0x00, 0x00, fid_low, fid_high, 0x00, 0x00,
0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0x08,
0x00, 0x48, 0x00, 0x00, 0x00, 0x48, 0x00,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49,
0x00, 0x00, 0x05, 0x00, 0x0b, 0x03, 0x10,
0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xb8, 0x10, 0xb8,
0x10, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0xc8,
0x4f, 0x32, 0x4b, 0x70, 0x16, 0xd3, 0x01,
0x12, 0x78, 0x5a, 0x47, 0xbf, 0x6e, 0xe1,
0x88, 0x03, 0x00, 0x00, 0x00, 0x04, 0x5d,
0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f,
0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
0x02, 0x00, 0x00, 0x00);
send(socket:soc, data:dcerpc_bind_srvsvc_req);
dcerpc_bind_srvsvc_resp = smb_recv(socket:soc);
if(!dcerpc_bind_srvsvc_resp) {
close(soc);
exit(0);
}
## SMB Read AndX Request
smb_andx_req = raw_string(0x00, 0x00, 0x00, 0x3c, 0xff, 0x53, 0x4d, 0x42,
0x2e, 0x00, 0x00, 0x00, 0x00, 0x18, 0x03, 0xc8,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, tid_low, tid_high, 0xd9,
0x46, uid_low, uid_high, 0x80, 0x01, 0x0c, 0xff,
0x00, 0x00, 0x00, fid_low, fid_high, 0x00, 0x00,
0x00, 0x00, 0x00, 0x04, 0x00, 0x04, 0xff, 0xff,
0xff, 0xff, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00);
send(socket:soc, data:smb_andx_req);
smb_andx_resp = smb_recv(socket:soc);
if(!smb_andx_resp) {
close(soc);
exit(0);
}
## SMB NT Create AndX Request, Path: \browser
smb_nt_andx_req1 = raw_string(0x00, 0x00, 0x00, 0x66, 0xff, 0x53, 0x4d, 0x42,
0xa2, 0x00, 0x00, 0x00, 0x00, 0x18, 0x03, 0xc8,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, tid_low, tid_high, 0xd9,
0x46, uid_low, uid_high, 0x00, 0x01, 0x18, 0xff,
0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x16, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x9f, 0x01,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00,
0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00,
0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x03, 0x13,
0x00, 0x00, 0x5c, 0x00, 0x62, 0x00, 0x72, 0x00,
0x6f, 0x00, 0x77, 0x00, 0x73, 0x00, 0x65, 0x00,
0x72, 0x00, 0x00, 0x00);
send(socket:soc, data:smb_nt_andx_req1);
smb_nt_andx_resp1 = smb_recv(socket:soc);
if(!smb_nt_andx_resp1 || strlen(smb_nt_andx_resp1) < 107) {
close(soc);
exit(0);
}
fid2_low = ord(smb_nt_andx_resp1[42]);
fid2_high = ord(smb_nt_andx_resp1[43]);
## DCERPC Bind: call_id: 1 WKSSVC V1.0
dcerpc_bind_wkssvc_req = raw_string(0x00, 0x00, 0x00, 0x88, 0xff, 0x53, 0x4d,
0x42, 0x2f, 0x00, 0x00, 0x00, 0x00, 0x18,
0x03, 0xc8, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
tid_low, tid_high, 0xd9, 0x46, uid_low,
uid_high, 0x00, 0x02, 0x0e, 0xff, 0x00,
0x00, 0x00, fid2_low, fid2_high, 0x00,
0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
0x08, 0x00, 0x48, 0x00, 0x00, 0x00, 0x48,
0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x49, 0x00, 0x00, 0x05, 0x00, 0x0b, 0x03,
0x10, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00,
0x00, 0x01, 0x00, 0x00, 0x00, 0xb8, 0x10,
0xb8, 0x10, 0x00, 0x00, 0x00, 0x00, 0x01,
0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
0x98, 0xd0, 0xff, 0x6b, 0x12, 0xa1, 0x10,
0x36, 0x98, 0x33, 0x46, 0xc3, 0xf8, 0x7e,
0x34, 0x5a, 0x01, 0x00, 0x00, 0x00, 0x04,
0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48,
0x60, 0x02, 0x00, 0x00, 0x00);
send(socket:soc, data:dcerpc_bind_wkssvc_req);
dcerpc_bind_wkssvc_resp = smb_recv(socket:soc);
if(!dcerpc_bind_wkssvc_resp) {
close(soc);
exit(0);
}
## SMB Read AndX Request
smb_andx_req1 = raw_string(0x00, 0x00, 0x00, 0x3c, 0xff, 0x53, 0x4d, 0x42,
0x2e, 0x00, 0x00, 0x00, 0x00, 0x18, 0x03, 0xc8,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, tid_low, tid_high, 0xd9,
0x46, uid_low, uid_high, 0x40, 0x02, 0x0c, 0xff,
0x00, 0x00, 0x00, fid2_low, fid2_high, 0x00, 0x00,
0x00, 0x00, 0x00, 0x04, 0x00, 0x04, 0xff, 0xff,
0xff, 0xff, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00);
send(socket:soc, data:smb_andx_req1);
smb_andx_resp1 = smb_recv(socket:soc);
if(!smb_andx_resp1) {
close(soc);
exit(0);
}
## SRVSVC NetPathCompare request
netpath_cmp_req= raw_string(0x00, 0x00, 0x01, 0x10, 0xff, 0x53, 0x4d, 0x42,
0x25, 0x00, 0x00, 0x00, 0x00, 0x18, 0x03, 0xc8,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, tid_low, tid_high, 0xd9,
0x46, uid_low, uid_high, 0xc0, 0x02, 0x10, 0x00,
0x00, 0xbc, 0x00, 0x00, 0x00, 0xff, 0xff, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x54, 0x00, 0xbc, 0x00, 0x54,
0x00, 0x02, 0x00, 0x26, 0x00, fid_low, fid_high,
0xcd, 0x00, 0x00, 0x5c, 0x00, 0x50, 0x00, 0x49,
0x00, 0x50, 0x00, 0x45, 0x00, 0x5c, 0x00, 0x00,
0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x03, 0x10,
0x00, 0x00, 0x00, 0xbc, 0x00, 0x00, 0x00, 0x03,
0x00, 0x00, 0x00, 0xa4, 0x00, 0x00, 0x00, 0x00,
0x00, 0x20, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2f,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2f,
0x00, 0x00, 0x00, 0x5c, 0x00, 0x41, 0x00, 0x41,
0x00, 0x41, 0x00, 0x41, 0x00, 0x41, 0x00, 0x41,
0x00, 0x41, 0x00, 0x41, 0x00, 0x41, 0x00, 0x41,
0x00, 0x41, 0x00, 0x41, 0x00, 0x41, 0x00, 0x41,
0x00, 0x41, 0x00, 0x41, 0x00, 0x41, 0x00, 0x41,
0x00, 0x41, 0x00, 0x41, 0x00, 0x41, 0x00, 0x41,
0x00, 0x41, 0x00, 0x41, 0x00, 0x41, 0x00, 0x41,
0x00, 0x41, 0x00, 0x41, 0x00, 0x41, 0x00, 0x41,
0x00, 0x41, 0x00, 0x41, 0x00, 0x41, 0x00, 0x41,
0x00, 0x41, 0x00, 0x5c, 0x00, 0x2e, 0x00, 0x2e,
0x00, 0x5c, 0x00, 0x4f, 0x00, 0x70, 0x00, 0x65,
0x00, 0x6e, 0x00, 0x56, 0x41, 0x53, 0x00, 0x00,
0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x5c,
0x00, 0x4f, 0x00, 0x70, 0x00, 0x65, 0x00, 0x6e,
0x00, 0x56, 0x41, 0x53, 0x00, 0x00, 0x00, 0x01,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00);
send(socket:soc, data:netpath_cmp_req);
netpath_cmp_resp = smb_recv(socket:soc);
if(!netpath_cmp_resp) {
close(soc);
exit(0);
}
## SMB Tree Disconnect Request
smb_tree_dis_req = raw_string(0x00, 0x00, 0x00, 0x23, 0xff, 0x53, 0x4d, 0x42,
0x71, 0x00, 0x00, 0x00, 0x00, 0x18, 0x03, 0xc8,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, tid_low, tid_high, 0xd9,
0x46, uid_low, uid_high, 0x00, 0x03, 0x00, 0x00,
0x00);
send(socket:soc, data:smb_tree_dis_req);
smb_tree_dis_resp = smb_recv(socket:soc);
if(!smb_tree_dis_resp) {
close(soc);
exit(0);
}
## SMB Logoff AndX Request
smb_logoff_req = raw_string(0x00, 0x00, 0x00, 0x27, 0xff, 0x53, 0x4d, 0x42,
0x74, 0x00, 0x00, 0x00, 0x00, 0x18, 0x03, 0xc8,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xd9, 0x46,
uid_low, uid_high, 0x40, 0x03, 0x02, 0xff, 0x00,
0x00, 0x00, 0x00, 0x00);
send(socket:soc, data:smb_logoff_req);
smb_logoff_resp = smb_recv(socket:soc);
close(soc);
if(!smb_logoff_resp)
exit(0);
## nb: Checking netpath_cmp_resp, to confirm the vuln. After applying the patch, netpath_cmp_resp contains Windows Error: WERR_INVALID_NAME (0x0000007b)
if(ord(netpath_cmp_resp[84]) == 00 && ord(netpath_cmp_resp[85]) == 00 &&
ord(netpath_cmp_resp[86]) == 00 && ord(netpath_cmp_resp[87]) == 00) {
security_message(port:port);
exit(0);
}
exit(99);
References
blogs.securiteam.com/index.php/archives/1150
www.kb.cert.org/vuls/id/827267
www.securityfocus.com/bid/31874
www.securitytracker.com/id?1021091
xforce.iss.net/xforce/xfdb/46040
docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-067
web.archive.org/web/20170817031417/https://technet.microsoft.com/en-us/security/dd452420.aspx
Related
cert
cert
Microsoft Server service RPC stack buffer overflow vulnerability
2008-10-23 00:00:00
saint
saint
Windows Server Service buffer overflow MS08-067
2008-10-24 00:00:00
Windows Server Service buffer overflow MS08-067
2008-10-24 00:00:00
Windows Server Service buffer overflow MS08-067
2008-10-24 00:00:00
exploitdb
exploitdb
Microsoft Windows Server - Service Relative Path Stack Corruption (MS08-067) (Metasploit)
2011-01-21 00:00:00
Microsoft Windows Server - Code Execution (MS08-067)
2008-11-12 00:00:00
prion
prion
Design/Logic Flaw
2008-10-23 22:00:00
openvas
openvas
Huawei Data Communication: RCE Vulnerability in Microsoft Windows Server Service (huawei-sa-20171129-01-windows)
2020-06-05 00:00:00
Vulnerability in Server Service Could Allow Remote Code Execution (958644)
2008-10-30 00:00:00
Server Service Could Allow Remote Code Execution Vulnerability (958644)
2008-10-24 00:00:00
securityvulns
securityvulns
Microsoft Windows code execution
2008-11-04 00:00:00
checkpoint_advisories
checkpoint_advisories
nessus
nessus
MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644) (ECLIPSEDWING) (uncredentialed check)
2008-10-23 00:00:00
MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Unspecified Remote Code Execution (958644) (ECLIPSEDWING)
2008-10-23 00:00:00
Windows Server 2008 Critical RCE Vulnerabilities (uncredentialed) (PCI/DSS)
2018-04-03 00:00:00
seebug
seebug
Windows ms08-067 缓冲区溢出漏洞
2012-10-15 00:00:00
Windows Server服务RPC请求缓冲区溢出漏洞(MS08-067)
2008-10-24 00:00:00
canvas
canvas
Immunity Canvas: MS08_067
2008-10-23 22:00:00
attackerkb
attackerkb
Microsoft RPC Code Execution MS08-067
2020-04-13 00:00:00
cve
cve
CVE-2008-4250
2008-10-23 22:00:01
nvd
nvd
CVE-2008-4250
2008-10-23 22:00:01
cvelist
cvelist
CVE-2008-4250
2008-10-23 21:00:00
zdt
zdt
Microsoft Windows - NetAPI32.dll Code Execution (Python) (MS08-067) Exploit
2016-02-26 00:00:00
huawei
huawei
ics
ics
Siemens Molecular Imaging Vulnerabilities
2017-08-03 12:00:00
nmap
nmap
smb-vuln-ms08-067 NSE Script
2015-10-03 06:07:49
trendmicroblog
trendmicroblog
CVSS2
10
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
AI Score
9.5
Confidence
High
EPSS
0.975
Percentile
100.0%
Related for OPENVAS:1361412562310900056