MS04-036: Microsoft NNTP Component Remote Overflow (883935) (uncredentialed check)

2004-10-1200:00:00

www.tenable.com

The remote host is running a version of Microsoft NNTP server that is vulnerable to a buffer overflow issue.

An attacker may exploit this flaw to execute arbitrary commands on the remote host with the privileges of the NNTP server process.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(15465);
 script_version("1.28");
 script_cvs_date("Date: 2018/11/15 20:50:27");

 script_cve_id("CVE-2004-0574");
 script_bugtraq_id(11379);
 script_xref(name:"MSFT", value:"MS04-036");
 script_xref(name:"MSKB", value:"883935");

 script_name(english:"MS04-036: Microsoft NNTP Component Remote Overflow (883935) (uncredentialed check)");
 script_summary(english:"Checks the remote NNTP daemon version");

 script_set_attribute(attribute:"synopsis", value:"The remote NNTP server is susceptible to a buffer overflow attack.");
 script_set_attribute(attribute:"description", value:
"The remote host is running a version of Microsoft NNTP server that is
vulnerable to a buffer overflow issue. 

An attacker may exploit this flaw to execute arbitrary commands on the
remote host with the privileges of the NNTP server process." );
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2004/ms04-036");
 script_set_attribute(attribute:"solution", value:"Microsoft has released patches for Windows NT, 2000, and 2003.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");

 script_set_attribute(attribute:"vuln_publication_date", value:"2004/10/12");
 script_set_attribute(attribute:"patch_publication_date", value:"2004/10/12");
 script_set_attribute(attribute:"plugin_publication_date", value:"2004/10/12");

 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:exchange_server");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows");

 script_dependencie("nntpserver_detect.nasl");
 script_require_ports("Services/nntp", 119);
 exit(0);
}

#
# The script code starts here
#



port = get_kb_item("Services/nntp");
if(!port)port = 119;
if (! get_port_state(port) ) exit(0);
soc = open_sock_tcp(port);
if ( ! soc ) exit(0);
banner = recv_line(socket:soc, length:8192);
if ( ! banner ) exit(0);
close(soc);

if ( "200 NNTP Service" >< banner )
{
 version = egrep(string:banner, pattern:"^200 NNTP Service");
 version = ereg_replace(string:version, pattern:"^200 NNTP Service .* Version: (.*) ", replace:"\1");
 ver = split(version, sep:".", keep:0);
 if ( int(ver[0]) == 6 )
 {
  if ( int(ver[1]) == 0 && ( int(ver[2]) < 3790 || ( int(ver[2]) == 3790 && int(ver[3]) < 206 ) ) ) security_hole(port);
 }

 if ( int(ver[0]) == 5 )
 {
  if ( int(ver[1]) == 0 && ( int(ver[2]) < 2195 || ( int(ver[2]) == 2195 && int(ver[3]) < 6972 ) ) ) security_hole(port);
 }
}

VendorProductVersionCPE
microsoftexchange_servercpe:/a:microsoft:exchange_server
microsoftwindowscpe:/o:microsoft:windows

Vendor	Product	Version	CPE
microsoft	exchange_server		cpe:/a:microsoft:exchange_server
microsoft	windows		cpe:/o:microsoft:windows

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0574

docs.microsoft.com/en-us/security-updates/SecurityBulletins/2004/ms04-036

JSON

Related for MSNNTP_CODE_EXECUTION.NASL