Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2003-2018 Tenable Network Security, Inc.SMB_NT_MS03-043.NASL
HistoryOct 15, 2003 - 12:00 a.m.

MS03-043: Buffer Overrun in Messenger Service (828035)

2003-10-1500:00:00
This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
www.tenable.com
96
JSON

The remote version of Windows contains a Heap Overflow in the Messenger service that could allow an attacker to execute arbitrary code on the remote host with the SYSTEM privileges.

A series of worms (Gaobot, Agobot, …) are known to exploit this vulnerability in the wild.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(11888);
 script_version("1.51");
 script_cvs_date("Date: 2018/11/15 20:50:29");

 script_cve_id("CVE-2003-0717");
 script_bugtraq_id(8826);
 script_xref(name:"MSFT", value:"MS03-043");
 script_xref(name:"CERT", value:"575892");
 script_xref(name:"MSKB", value:"828035");

 script_name(english:"MS03-043: Buffer Overrun in Messenger Service (828035)");
 script_summary(english:"Checks for hotfix Q828035");

 script_set_attribute(attribute:"synopsis", value:"Arbitrary code can be executed on the remote host.");
 script_set_attribute(attribute:"description", value:
"The remote version of Windows contains a Heap Overflow in the Messenger
service that could allow an attacker to execute arbitrary code on the
remote host with the SYSTEM privileges.

A series of worms (Gaobot, Agobot, ...) are known to exploit this
vulnerability in the wild.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2003/ms03-043");
 script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows NT, 2000, XP and
2003.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
 script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
 script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"exploited_by_malware", value:"true");

 script_set_attribute(attribute:"vuln_publication_date", value:"2003/10/15");
 script_set_attribute(attribute:"patch_publication_date", value:"2003/10/15");
 script_set_attribute(attribute:"plugin_publication_date", value:"2003/10/15");

 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");

 script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");
 script_require_ports(139, 445, 'Host/patch_management_checks');
 exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS03-043';
kb = '828035';

kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(nt:'6', win2k:'2,4', xp:'0,1', win2003:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if (
  hotfix_is_vulnerable(os:"5.2", sp:0, file:"Msgsvc.dll", version:"5.2.3790.90", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:1, file:"Msgsvc.dll", version:"5.1.2600.1309", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:0, file:"Msgsvc.dll", version:"5.1.2600.121", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.0", file:"Msgsvc.dll", version:"5.0.2195.6861", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"4.0", file:"Msgsvc.dll", version:"4.0.1381.7236", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"4.0", file:"Msgsvc.dll", version:"4.0.1381.33553", min_version:"4.0.1381.33000", dir:"\system32", bulletin:bulletin, kb:kb)
)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}
VendorProductVersionCPE
microsoftwindowscpe:/o:microsoft:windows

Related

nessus 1
checkpoint_advisories 1
cert 1
openvas 2
seebug 1
securityvulns 1
cve 1
nessus
nessus
MS03-043: Buffer Overrun in Messenger Service (828035) (uncredentialed check)
2003-10-16 00:00:00
checkpoint_advisories
checkpoint_advisories
Microsoft Windows Messenger Service Buffer Overrun Code Execution (CVE-2003-0717)
2011-11-08 00:00:00
cert
cert
Buffer overflow in Microsoft Messenger Service
2003-10-16 00:00:00
openvas
openvas
Buffer Overrun in Messenger Service (828035)
2005-11-03 00:00:00
Buffer Overrun in Messenger Service (828035)
2005-11-03 00:00:00
seebug
seebug
MS Messenger Denial of Service Exploit (MS03-043) (linux ver)
2004-08-08 00:00:00
securityvulns
securityvulns
Microsoft Security Bulletin MS03-043
2003-10-16 00:00:00
cve
cve
CVE-2003-0717
2003-11-17 05:00:00
JSON
Related for SMB_NT_MS03-043.NASL
nessus1checkpoint_advisories1cert1openvas2seebug1securityvulns1cve1