MS05-051: Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution (902400)

2005-10-1100:00:00

www.tenable.com

The remote version of Windows contains a version of MSDTC and COM+ that is affected by several remote code execution, local privilege escalation and denial of service vulnerabilities.

An attacker may exploit these flaws to obtain the complete control of the remote host.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(20004);
 script_version("1.38");
 script_cvs_date("Date: 2018/11/15 20:50:29");

 script_cve_id("CVE-2005-2119", "CVE-2005-1978", "CVE-2005-1979", "CVE-2005-1980");
 script_bugtraq_id(15059, 15058, 15057, 15056);
 script_xref(name:"MSFT", value:"MS05-051");
 script_xref(name:"CERT", value:"180868");
 script_xref(name:"CERT", value:"950516");
 script_xref(name:"EDB-ID", value:"1341");
 script_xref(name:"MSKB", value:"902400");

 script_name(english:"MS05-051: Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution (902400)");
 script_summary(english:"Determines the presence of update 902400");

 script_set_attribute(attribute:"synopsis", value:"A vulnerability in MSDTC and COM+ could allow remote code execution.");
 script_set_attribute(attribute:"description", value:
"The remote version of Windows contains a version of MSDTC and COM+ that
is affected by several remote code execution, local privilege escalation
and denial of service vulnerabilities.

An attacker may exploit these flaws to obtain the complete control of
the remote host.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2005/ms05-051");
 script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows 2000, XP and
2003.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

 script_set_attribute(attribute:"vuln_publication_date", value:"2005/10/11");
 script_set_attribute(attribute:"patch_publication_date", value:"2005/10/11");
 script_set_attribute(attribute:"plugin_publication_date", value:"2005/10/11");

 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");

 script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");
 script_require_ports(139, 445, 'Host/patch_management_checks');
 exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS05-051';
kb = '902400';

kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(win2k:'4,5', xp:'1,2', win2003:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if (
  hotfix_is_vulnerable(os:"5.2", sp:0, file:"ole32.dll", version:"5.2.3790.374", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.2", sp:1, file:"ole32.dll", version:"5.2.3790.2492", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:1, file:"ole32.dll", version:"5.1.2600.1720", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:2, file:"ole32.dll", version:"5.1.2600.2726", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.0",       file:"ole32.dll", version:"5.0.2195.7059", dir:"\system32", bulletin:bulletin, kb:kb)
)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

VendorProductVersionCPE
microsoftwindowscpe:/o:microsoft:windows

Vendor	Product	Version	CPE
microsoft	windows		cpe:/o:microsoft:windows

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1978

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1979

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1980

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2119

docs.microsoft.com/en-us/security-updates/SecurityBulletins/2005/ms05-051

JSON

Related for SMB_NT_MS05-051.NASL