

MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution (935966)

This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.

The remote host has the Windows DNS server installed.

There is a flaw in the remote version of this server that may allow an attacker to execute arbitrary code on the remote host with SYSTEM privileges. To exploit this flaw, an attacker needs to connect to the DNS server RPC interface and send malformed RPC queries.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

#
# Plugin registration. When `description` is set, only the metadata below
# is declared and the script exits (see exit(0) at the end of this block);
# the detection logic further down does not run in that mode.
#
if (description)
{
 script_id(25168);
 script_version("1.34");
 script_cvs_date("Date: 2018/11/15 20:50:30");

 # Public identifiers for the flaw: CVE, BugTraq, Microsoft bulletin and KB.
 script_cve_id("CVE-2007-1748");
 script_bugtraq_id(23470);
 script_xref(name:"MSFT", value:"MS07-029");
 script_xref(name:"MSKB", value:"935966");
 
 # CERT advisory and Exploit-DB references; public exploit code exists for
 # this issue, which the exploitability attributes below also record.
 script_xref(name:"CERT", value:"555920");
 script_xref(name:"EDB-ID", value:"3737");
 script_xref(name:"EDB-ID", value:"3740");
 script_xref(name:"EDB-ID", value:"16366");
 script_xref(name:"EDB-ID", value:"16748");

 script_name(english:"MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution (935966)");
 script_summary(english:"Determines the presence of update 935966");

 # Report text: synopsis, description and fix.
 script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host due to the DNS
service.");
 script_set_attribute(attribute:"description", value:
"The remote host has the Windows DNS server installed.

There is a flaw in the remote version of this server that may allow an
attacker to execute arbitrary code on the remote host with SYSTEM
privileges.  To exploit this flaw, an attacker needs to connect to the
DNS server RPC interface and send malformed RPC queries.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2007/ms07-029");
 script_set_attribute(attribute:"solution", value:
"Microsoft has released patches for Windows 2000 and 2003 Server.");
 # CVSSv2 base/temporal vectors plus exploit-availability metadata
 # (Metasploit and CANVAS modules are recorded for this bulletin).
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"exploit_framework_core", value:"true");
 script_set_attribute(attribute:"metasploit_name", value:'MS07-029 Microsoft DNS RPC Service extractQuotedChar() Overflow (SMB)');
 script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
 script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
 script_set_attribute(attribute:"canvas_package", value:'CANVAS');

 script_set_attribute(attribute:"vuln_publication_date", value:"2007/04/12");
 script_set_attribute(attribute:"patch_publication_date", value:"2007/05/08");
 script_set_attribute(attribute:"plugin_publication_date", value:"2007/05/08");

 # plugin_type "local": the check below compares the Dns.exe file version
 # over SMB rather than probing the DNS RPC interface itself.
 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");

 # Requires the SMB hotfix enumeration and bulletin-check gating plugins,
 # the corresponding KB key, and SMB ports (or patch-management data).
 script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");
 script_require_ports(139, 445, 'Host/patch_management_checks');
 exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

#
# Detection. Confirms the host is a Windows 2000 / 2003 DNS server and
# compares %SystemRoot%\system32\Dns.exe against the first fixed build
# for its service pack. Exits via audit() on every non-vulnerable path.
#
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS07-029';
kb = '935966';
kbs = make_list(kb);

# Prefer third-party patch-management data when the scan collected it.
if (get_kb_item("Host/patch_management_checks"))
  hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

# Only Windows 2000 SP4/SP5 and Windows 2003 SP1/SP2 are in scope.
if (hotfix_check_sp_range(win2k:'4,5', win2003:'1,2') <= 0)
  audit(AUDIT_OS_SP_NOT_VULN);

# Without the DNS Server service registered, Dns.exe is not exposed.
dns_svc_key = "SMB/Registry/HKLM/SYSTEM/CurrentControlSet/Services/DNS/DisplayName";
if (!get_kb_item(dns_svc_key))
  exit(0, "The host does not have the DNS Server service.");

rootfile = hotfix_get_systemroot();
if (!rootfile)
  exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share))
  audit(AUDIT_SHARE_FAIL, share);

# One check per affected OS/SP; the chain stops at the first match.
vuln =
  hotfix_is_vulnerable(os:"5.2", sp:1, file:"Dns.exe", version:"5.2.3790.2915", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"Dns.exe", version:"5.2.3790.4059", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.0", file:"Dns.exe", version:"5.0.2195.7135", dir:"\system32", bulletin:bulletin, kb:kb);

# Not affected: close the file-version session and exit via audit().
if (!vuln)
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

# Affected: record the missing bulletin and report.
set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
hotfix_security_hole();
hotfix_check_fversion_end();
exit(0);
Vendor | Product | Version | CPE
microsoft | windows | | cpe:/o:microsoft:windows