Lucene search
This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.SMB2_PID_HIGH_VULN.NASLHistorySep 08, 2009 - 12:00 a.m.
MS09-050: Microsoft Windows SMB2 _Smb2ValidateProviderCallback() Vulnerability (975497) (EDUCATEDSCHOLAR) (uncredentialed check)
2009-09-0800:00:00
This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
1874
The remote host is running a version of Microsoft Windows Vista or Windows Server 2008 that contains a vulnerability in its SMBv2 implementation. An attacker can exploit this flaw to disable the remote host or to execute arbitrary code on it.
EDUCATEDSCHOLAR is one of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(40887);
script_version("1.36");
script_cvs_date("Date: 2019/11/26");
script_cve_id("CVE-2009-2532", "CVE-2009-3103");
script_bugtraq_id(36299, 36594);
script_xref(name:"MSFT", value:"MS09-050");
script_xref(name:"CERT", value:"135940");
script_xref(name:"EDB-ID", value:"9594");
script_xref(name:"EDB-ID", value:"10005");
script_xref(name:"EDB-ID", value:"12524");
script_xref(name:"EDB-ID", value:"14674");
script_xref(name:"EDB-ID", value:"16363");
script_xref(name:"MSKB", value:"975497");
script_name(english:"MS09-050: Microsoft Windows SMB2 _Smb2ValidateProviderCallback() Vulnerability (975497) (EDUCATEDSCHOLAR) (uncredentialed check)");
script_summary(english:"Determines if the remote host is affected by a SMBv2 vulnerability");
script_set_attribute(attribute:"synopsis", value:
"Arbitrary code may be executed on the remote host through the SMB
port");
script_set_attribute(attribute:"description", value:
"The remote host is running a version of Microsoft Windows Vista or
Windows Server 2008 that contains a vulnerability in its SMBv2
implementation. An attacker can exploit this flaw to disable the
remote host or to execute arbitrary code on it.
EDUCATEDSCHOLAR is one of multiple Equation Group vulnerabilities and
exploits disclosed on 2017/04/14 by a group known as the Shadow
Brokers.");
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0f72ec72");
# https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-050
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3e7748a1");
script_set_attribute(attribute:"solution", value:
"Microsoft has released a patch for Windows Vista and Windows Server
2008.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2009-3103");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
script_set_attribute(attribute:"canvas_package", value:'CANVAS');
script_cwe_id(94, 399);
script_set_attribute(attribute:"vuln_publication_date", value:"2009/09/08");
script_set_attribute(attribute:"patch_publication_date", value:"2009/10/13");
script_set_attribute(attribute:"plugin_publication_date", value:"2009/09/08");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
script_set_attribute(attribute:"in_the_news", value:"true");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"Windows");
script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_require_ports(139, 445);
exit(0);
}
#
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("smb_func.inc");
port = 445;
if ( ! get_port_state(port) ) exit(0);
soc = open_sock_tcp(port);
if ( ! soc ) exit(0);
session_set_socket(socket:soc);
#---------------------------------------------------------#
# struct { #
# BYTE Protocol[4]; # "\xFFSMB" #
# BYTE Command; #
# DWORD Status; # Or BYTE ErrorClass; #
# # BYTE Reserved; #
# # WORD Error; #
# BYTE Flags; #
# WORD Flags2; #
# WORD PidHigh; #
# BYTE Signature[8]; #
# WORD Reserved; #
# WORD Tid; # Tree ID #
# WORD Pid; # Process ID #
# WORD Uid; # User ID #
# WORD Mid; # Multiplex ID #
# } #
#---------------------------------------------------------#
header = '\xFFSMB';
header += raw_byte(b:SMB_COM_NEGOTIATE);
header += nt_status(Status:STATUS_SUCCESS);
header += raw_byte (b:0x18);
header += raw_word (w:0xc853);
header += raw_word(w:0x0001); # Process ID high
header += raw_dword (d:session_get_sequencenumber()) + raw_dword (d:0);
header += raw_word (w:0);
header += raw_word (w:session_get_tid());
header += raw_word (w:session_get_pid());
header += raw_word (w:session_get_uid());
header += raw_word (w:session_get_mid());
parameters = smb_parameters(data:NULL);
ns = supported_protocol;
protocol[0] = "TENABLE_NETWORK_SECURITY";
data = NULL;
for (i = 0; i < ns; i++)
data += raw_byte (b:0x02) + ascii (string:protocol[i]);
data = smb_data (data:data);
packet = netbios_packet (header:header, parameters:parameters, data:data);
r = smb_sendrecv(data:packet);
close(soc);
if ( !isnull(r) && "ORK_SECURITY" >< r )
{
report = 'Sent:\n';
report += ereg_replace(pattern:"([0-9a-f]{1,80})", replace:'\\1\n', string:hexstr(packet)) + '\n';
report += 'Received:\n';
report += ereg_replace(pattern:"([0-9a-f]{1,80})", replace:'\\1\n', string:hexstr(r));
security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);
}
else
audit(AUDIT_RESP_BAD, port, 'the exploit request');
Related
checkpoint_advisories
checkpoint_advisories
openvas
openvas
Nmap NSE net: smb-check-vulns
2011-06-01 00:00:00
Nmap NSE 6.01: smb-check-vulns
2013-02-28 00:00:00
zdt
zdt
nessus
nessus
securityvulns
securityvulns
cve
cve
CVE-2009-2532
2009-10-14 10:30:00
CVE-2009-3103
2009-09-08 22:30:00
seebug
seebug
Microsoft Windows SMBv2εεθΏη¨δ»£η ζ§θ‘ζΌζ΄(MS09-050)
2009-10-14 00:00:00
Microsoft Windows SMB2ε½δ»€εΌθΏη¨δ»£η ζ§θ‘ζΌζ΄(MS09-050)
2009-10-14 00:00:00
packetstorm
packetstorm
Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
2009-09-29 00:00:00
Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
2010-02-26 00:00:00
threatpost
threatpost
Microsoft Ships Temporary Fix-It for Critical Vista Flaw
2009-09-23 22:39:03
Microsoft Confirms SMB2 Flaw, Heightens Severity
2009-09-11 12:12:04
saint
saint
Windows SMB2 buffer overflow
2010-09-20 00:00:00
Windows SMB2 buffer overflow
2010-09-20 00:00:00
Windows SMB2 buffer overflow
2010-09-20 00:00:00
cert
cert
Windows SMB version 2 vulnerability
2009-09-10 00:00:00
canvas
canvas
Immunity Canvas: SMB2_NEGOTIATE_REMOTE
2009-09-08 18:30:00
Immunity Canvas: SMB2_NEGOTIATE_LOCAL
2009-09-08 22:30:00
prion
prion
Out-of-bounds
2009-09-08 22:30:00
Design/Logic Flaw
2009-10-14 10:30:00
nmap
nmap
smb-vuln-cve2009-3103 NSE Script
2015-10-03 06:07:49
Related for SMB2_PID_HIGH_VULN.NASL