
MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644) (ECLIPSEDWING) (uncredentialed check)


The remote Windows host is affected by a remote code execution vulnerability in the ‘Server’ service due to improper handling of RPC requests. An unauthenticated, remote attacker can exploit this, via a specially crafted RPC request, to execute arbitrary code with ‘System’ privileges.

ECLIPSEDWING is one of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  # Plugin identity and revision.
  script_id(34477);
  script_version("1.53");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/08/05");

  # External identifiers for the flaw this plugin checks for.
  script_cve_id("CVE-2008-4250");
  script_bugtraq_id(31874);
  script_xref(name:"MSFT", value:"MS08-067");
  script_xref(name:"CERT", value:"827267");
  script_xref(name:"IAVA", value:"2008-A-0081-S");
  script_xref(name:"EDB-ID", value:"6824");
  script_xref(name:"EDB-ID", value:"7104");
  script_xref(name:"EDB-ID", value:"7132");
  script_xref(name:"MSKB", value:"958644");

  script_name(english:"MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644) (ECLIPSEDWING) (uncredentialed check)");
  script_summary(english:"Determines the presence of update 958644.");

  # Report text. Multi-line values start at column 0 so the literal
  # bytes stay identical to what the scanner already emits.
  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is affected by a remote code execution
vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote Windows host is affected by a remote code execution
vulnerability in the 'Server' service due to improper handling of RPC
requests. An unauthenticated, remote attacker can exploit this, via a
specially crafted RPC request, to execute arbitrary code with 'System'
privileges.

ECLIPSEDWING is one of multiple Equation Group vulnerabilities and
exploits disclosed on 2017/04/14 by a group known as the Shadow
Brokers.");
  # https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2008/ms08-067
  script_set_attribute(attribute:"see_also", value:"https://www.nessus.org/u?adf86aac");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows 2000, XP, 2003,
Vista and 2008.");

  # Severity scoring.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2008-4250");

  # Exploitability metadata consumed by the report and by risk scoring.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'MS08-067 Microsoft Server Service Relative Path Stack Corruption');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');
  script_cwe_id(94);

  # Timeline.
  script_set_attribute(attribute:"vuln_publication_date", value:"2008/10/23");
  script_set_attribute(attribute:"patch_publication_date", value:"2008/10/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2008/10/23");

  # Classification; this is a remote (uncredentialed) check.
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_set_attribute(attribute:"in_the_news", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2008-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Windows");

  # Scheduling: run after SMB discovery/login, and after the IPS variant
  # when the engine supports it, so their KB entries are available below.
  script_dependencies("smb_nativelanman.nasl","smb_login.nasl");
  if ( NASL_LEVEL >= 3200 )
    script_dependencies("smb_kb958644_ips.nbin");
  script_require_keys("Host/OS/smb");
  script_exclude_keys("SMB/Missing/MS08-067");
  script_require_ports(139, 445);
  exit(0);
}

#

include ('smb_func.inc');

# Another plugin (KB key family SMB/KB958644/34821) may already have
# decided this host's status; honour its result instead of probing again.
if ( get_kb_item("SMB/KB958644/34821/Vulnerable") ) security_hole(port:kb_smb_transport());
if ( get_kb_item("SMB/KB958644/34821") || get_kb_item("SMB/Missing/MS08-067") ) exit(0);

# Probes the host for the MS08-067 (KB958644) fix over the already
# established IPC$ session.
#
# Returns 1 when the service answers the path request built below with a
# status of 0, which this check treats as the update being absent;
# returns 0 on any bind failure, missing reply, malformed reply, or
# non-zero status. The caller maps 1 to security_hole().
#
# Assumes session_init()/NetUseAdd() have been run by the caller.
function  NetPathCanonicalize ()
{
 local_var data, data2, fid, fid2, rep, ret;

 # Bind the two RPC interfaces used below. The UUIDs look like srvsvc
 # (first) and wkssvc (second) — confirm against smb_func.inc.
 fid = bind_pipe (pipe:"\browser", uuid:"4b324fc8-1670-01d3-1278-5a47bf6ee188", vers:3);
 if (isnull (fid))
   return 0;

 # NOTE(review): if this second bind fails, fid is abandoned without an
 # explicit close; verify that NetUseDel() in the caller reclaims it.
 fid2 = bind_pipe (pipe:"\browser", uuid:"6bffd098-a112-3610-9833-46c3f87e345a", vers:1);
 if (isnull (fid2))
   return 0;

 # Request for the second pipe: an empty parameter, a 0x100-byte name
 # made of repeated "\A", and a zero dword. Its role in the check is not
 # evident from this file (presumably a preparatory call) — confirm.
 data2 = class_parameter (name:"", ref_id:0x20000) +
        class_name (name:crap(data:"\A", length:0x100)) +
	raw_dword (d:0) ;

 # Request for the first pipe: a path of 0x23 'A's followed by a
 # "\..\nessus" traversal component, a second path "\nessus", and two
 # trailing dwords (1, 0). Only the reply status is examined later.
 data = class_parameter (name:"", ref_id:0x20000) +
        class_name (name:"\" + crap(data:"A", length:0x23) + "\..\nessus") +
	class_name (name:"\nessus") +
	raw_dword (d:1) +
	raw_dword (d:0) ;

 # Send the preparatory request (code 0x0A) first; no reply means the
 # check cannot proceed.
 data2 = dce_rpc_pipe_request (fid:fid2, code:0x0A, data:data2);
 if (!data2)
   return 0;

 # Send the path request (code 0x20).
 data = dce_rpc_pipe_request (fid:fid, code:0x20, data:data);
 if (!data)
   return 0;


 # A well-formed reply carries exactly one dword: the return status.
 rep = dce_rpc_parse_response (fid:fid, data:data);
 if (!rep || (strlen(rep) != 4))
   return 0;

 # Status 0 means the service accepted the traversal path; a patched
 # host is expected to reject it, so 0 is reported as vulnerable.
 ret = get_dword (blob:rep, pos:strlen(rep)-4);
 if (ret == 0)
   return 1;

 return 0;
}

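# Only Windows targets are relevant; Host/OS/smb is required by the
# description block so the key is present here.
os = get_kb_item ("Host/OS/smb") ;
if ("Windows" >!< os) exit(0);

name	= kb_smb_name();
port	= kb_smb_transport();

# Open the SMB transport selected by the dependencies and start a session.
if ( ! get_port_state(port) ) exit(0);
soc = open_sock_tcp(port);
if ( ! soc ) exit(0);

session_init(socket:soc, hostname:name);

# Anonymous connection to IPC$ is enough for the uncredentialed probe.
r = NetUseAdd(share:"IPC$");
if ( r != 1 )
{
 # Release the socket on the failure path; previously it was left open
 # until the script ended.
 close(soc);
 exit(0);
}

# Report when the probe indicates the fix is missing; otherwise record
# that this plugin checked the host so dependent plugins can skip it.
ret = NetPathCanonicalize ();
if (ret == 1)
  security_hole(port:port);
else
  set_kb_item(name:"SMB/KB958644/34477", value:TRUE);
NetUseDel();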