MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution (935966)

2007-05-08T00:00:00
ID SMB_NT_MS07-029.NASL
Type nessus
Reporter Tenable
Modified 2017-08-10T00:00:00

Description

The remote host has the Windows DNS server installed.

There is a flaw in the remote version of this server that may allow an attacker to execute arbitrary code on the remote host with SYSTEM privileges. To exploit this flaw, an attacker needs to connect to the DNS server RPC interface and send malformed RPC queries.

                                        
                                            #
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(25168);
 script_version("$Revision: 1.32 $");
 script_cvs_date("$Date: 2017/08/10 16:58:11 $");

 script_cve_id("CVE-2007-1748");
 script_bugtraq_id(23470);
 script_osvdb_id(34100);
 script_xref(name:"MSFT", value:"MS07-029");
 script_xref(name:"MSKB", value:"935966");
 
 script_xref(name:"CERT", value:"555920");
 script_xref(name:"EDB-ID", value:"3737");
 script_xref(name:"EDB-ID", value:"3740");
 script_xref(name:"EDB-ID", value:"16366");
 script_xref(name:"EDB-ID", value:"16748");

 script_name(english:"MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution (935966)");
 script_summary(english:"Determines the presence of update 935966");

 script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host due to the DNS
service.");
 script_set_attribute(attribute:"description", value:
"The remote host has the Windows DNS server installed.

There is a flaw in the remote version of this server that may allow an
attacker to execute arbitrary code on the remote host with SYSTEM
privileges.  To exploit this flaw, an attacker needs to connect to the
DNS server RPC interface and send malformed RPC queries.");
 script_set_attribute(attribute:"see_also", value:"https://technet.microsoft.com/library/security/MS07-029");
 script_set_attribute(attribute:"solution", value:
"Microsoft has released patches for Windows 2000 and 2003 Server.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"exploit_framework_core", value:"true");
 script_set_attribute(attribute:"metasploit_name", value:'MS07-029 Microsoft DNS RPC Service extractQuotedChar() Overflow (SMB)');
 script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
 script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
 script_set_attribute(attribute:"canvas_package", value:'CANVAS');

 script_set_attribute(attribute:"vuln_publication_date", value:"2007/04/12");
 script_set_attribute(attribute:"patch_publication_date", value:"2007/05/08");
 script_set_attribute(attribute:"plugin_publication_date", value:"2007/05/08");

 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2007-2017 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");

 script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");
 script_require_ports(139, 445, 'Host/patch_management_checks');
 exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS07-029';
kb = '935966';

kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);


get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(win2k:'4,5', win2003:'1,2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
if (!get_kb_item("SMB/Registry/HKLM/SYSTEM/CurrentControlSet/Services/DNS/DisplayName")) exit(0, "The host does not have the DNS Server service.");

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if (
  hotfix_is_vulnerable(os:"5.2", sp:1, file:"Dns.exe", version:"5.2.3790.2915", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"Dns.exe", version:"5.2.3790.4059", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.0", file:"Dns.exe", version:"5.0.2195.7135", dir:"\system32", bulletin:bulletin, kb:kb)
)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}