Microsoft Windows SMB Server Multiple Vulnerabilities-Remote (4013389)

2017-03-22T00:00:00
ID OPENVAS:1361412562310810676
Type openvas
Reporter Copyright (C) 2017 Greenbone Networks GmbH
Modified 2020-06-04T00:00:00

Description

This host is missing a critical security update according to Microsoft Bulletin MS17-010.

                                        
                                            ###############################################################################
# OpenVAS Vulnerability Test
#
# Microsoft Windows SMB Server Multiple Vulnerabilities-Remote (4013389)
#
# Authors:
# Shakeel <bshakeel@secpod.com>
# Antu Sanadi <santu@secpod.com>
#
# Copyright:
# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

# Registration block: when the scanner loads the plugin with `description`
# set, only the metadata below is published and the script exits before any
# network traffic is generated. The active check starts after this block.
if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.810676");
  script_version("2020-06-04T12:11:49+0000");
  # The six CVEs covered by Microsoft Bulletin MS17-010; the Bugtraq IDs that
  # follow identify the same set of SMBv1 server flaws.
  script_cve_id("CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146",
                "CVE-2017-0147", "CVE-2017-0148");
  script_bugtraq_id(96703, 96704, 96705, 96707, 96709, 96706);
  # CVSSv2 9.3: network-reachable (AV:N), medium complexity (AC:M), no
  # authentication (Au:N), complete loss of confidentiality, integrity and
  # availability (C:C/I:C/A:C).
  script_tag(name:"cvss_base", value:"9.3");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_tag(name:"last_modification", value:"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)");
  script_tag(name:"creation_date", value:"2017-03-22 17:51:25 +0530 (Wed, 22 Mar 2017)");
  script_name("Microsoft Windows SMB Server Multiple Vulnerabilities-Remote (4013389)");

  script_tag(name:"summary", value:"This host is missing a critical security
  update according to Microsoft Bulletin MS17-010.");

  # Detection method: an unauthenticated, active remote probe (implemented
  # after this block) — not a registry/file patch-level lookup — so the
  # result depends only on the target's own SMB response.
  script_tag(name:"vuldetect", value:"Send the crafted SMB transaction request
  with fid = 0 and check the response to confirm the vulnerability.");

  script_tag(name:"insight", value:"Multiple flaws exist due to the way that the
  Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests.");

  script_tag(name:"impact", value:"Successful exploitation will allow remote
  attackers to gain the ability to execute code on the target server, also
  could lead to information disclosure from the server.");

  script_tag(name:"affected", value:"- Microsoft Windows 10 x32/x64

  - Microsoft Windows Server 2012

  - Microsoft Windows Server 2016

  - Microsoft Windows 8.1 x32/x64

  - Microsoft Windows Server 2012 R2

  - Microsoft Windows 7 x32/x64 Service Pack 1

  - Microsoft Windows Vista x32/x64 Service Pack 2

  - Microsoft Windows Server 2008 R2 x64 Service Pack 1

  - Microsoft Windows Server 2008 x32/x64 Service Pack 2");

  script_tag(name:"solution", value:"The vendor has released updates. Please see the references for more information.");

  script_tag(name:"solution_type", value:"VendorFix");
  # remote_active: the finding rests on a response elicited from the target,
  # which is the strongest quality-of-detection this plugin can claim.
  script_tag(name:"qod_type", value:"remote_active");
  script_xref(name:"URL", value:"https://support.microsoft.com/en-in/kb/4013078");
  script_xref(name:"URL", value:"https://technet.microsoft.com/library/security/MS17-010");
  # Metasploit change set — presumably the origin of the FID-0 PeekNamedPipe
  # probe reproduced below; verify against that module when touching the bytes.
  script_xref(name:"URL", value:"https://github.com/rapid7/metasploit-framework/pull/8167/files");
  # ACT_ATTACK: this plugin sends hand-crafted SMB frames to the target rather
  # than only consuming knowledge-base entries written by other plugins.
  script_category(ACT_ATTACK);
  script_copyright("Copyright (C) 2017 Greenbone Networks GmbH");
  script_family("Windows : Microsoft Bulletins");
  script_dependencies("gb_smb_version_detect.nasl", "os_detection.nasl");
  script_require_ports(139, 445);
  # Run only when SMBv1 support and a Windows OS were recorded by the
  # dependencies above: the flaws live in the SMBv1 server (see insight), so a
  # host with SMBv1 disabled is out of scope for this probe.
  script_mandatory_keys("smb_v1/supported", "Host/runs_windows");
  exit(0);
}

include("smb_nt.inc");
include("host_details.inc");

# Target identity and transport as recorded by the SMB detection dependency.
smbPort = kb_smb_transport();
name = kb_smb_name();

# Both are required: the port to connect to, and the name used by the
# tree connect further down.
if( ! smbPort || ! name ) exit( 0 );

# Raw TCP connection over which the hand-built SMB frames are sent.
# NOTE(review): the frames below go straight onto the socket; when the
# transport is 139, a NetBIOS session request normally precedes SMB —
# confirm that case is handled (or that kb_smb_transport() only yields 445).
soc = open_sock_tcp( smbPort );
if( ! soc ) exit( 0 );

## SMB Negotiate Protocol Request, sent as a raw frame.
## Layout: 4-byte NetBIOS session header (length 0x85 = 133 bytes follow),
## the 32-byte SMB header ("\xffSMB", command 0x72, flags 0x18, flags2
## 0xc803, TID 0, PID 0xa6c5, UID 0, MID 0), WordCount 0, ByteCount 0x62 = 98,
## then six dialect strings each prefixed with 0x02 and NUL-terminated:
## "PC NETWORK PROGRAM 1.0", "LANMAN1.0", "Windows for Workgroups 3.1a",
## "LM1.2X002", "LANMAN2.1", "NT LM 0.12".
smb_neg_req = raw_string(0x00, 0x00, 0x00, 0x85, 0xff, 0x53, 0x4d, 0x42,
                         0x72, 0x00, 0x00, 0x00, 0x00, 0x18, 0x03, 0xc8,
                         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc5, 0xa6,
                         0x00, 0x00, 0x00, 0x00, 0x00, 0x62, 0x00, 0x02,
                         0x50, 0x43, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f,
                         0x52, 0x4b, 0x20, 0x50, 0x52, 0x4f, 0x47, 0x52,
                         0x41, 0x4d, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02,
                         0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x31, 0x2e,
                         0x30, 0x00, 0x02, 0x57, 0x69, 0x6e, 0x64, 0x6f,
                         0x77, 0x73, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x57,
                         0x6f, 0x72, 0x6b, 0x67, 0x72, 0x6f, 0x75, 0x70,
                         0x73, 0x20, 0x33, 0x2e, 0x31, 0x61, 0x00, 0x02,
                         0x4c, 0x4d, 0x31, 0x2e, 0x32, 0x58, 0x30, 0x30,
                         0x32, 0x00, 0x02, 0x4c, 0x41, 0x4e, 0x4d, 0x41,
                         0x4e, 0x32, 0x2e, 0x31, 0x00, 0x02, 0x4e, 0x54,
                         0x20, 0x4c, 0x4d, 0x20, 0x30, 0x2e, 0x31, 0x32,
                         0x00);

send( socket:soc, data:smb_neg_req );

## SMB Negotiate Protocol Response. Only its presence is checked: neither the
## status word nor the selected dialect index is inspected, so any non-empty
## reply (including an error or a "no dialect accepted" answer) lets the
## script proceed to session setup. Silent exit on no reply.
smb_neg_resp = smb_recv( socket:soc );
if( ! smb_neg_resp )
{
  close( soc );
  exit( 0 );
}

## SMB Session Setup AndX Request (command 0x73) with an extended-security
## SPNEGO negTokenInit whose mechToken is an NTLMSSP NEGOTIATE (type 1)
## message (OIDs 1.3.6.1.5.5.2 and 1.3.6.1.4.1.311.2.2.10 are visible in the
## bytes). NetBIOS length 0xec = 236; PID 0xa6c5 as in the negotiate, UID 0
## (no session yet), MID 0x40. The trailing UTF-16LE strings are the advertised
## NativeOS "Windows 2002 Service Pack 2 2600" and NativeLanMan
## "Windows 2002 5.1" — i.e. the probe presents itself as an XP-era client.
smb_sess_req = raw_string(0x00, 0x00, 0x00, 0xec, 0xff, 0x53, 0x4d, 0x42,
                          0x73, 0x00, 0x00, 0x00, 0x00, 0x18, 0x03, 0xc8,
                          0x00, 0x00, 0x42, 0x53, 0x52, 0x53, 0x50, 0x59,
                          0x4c, 0x20, 0x00, 0x00, 0x00, 0x00, 0xc5, 0xa6,
                          0x00, 0x00, 0x40, 0x00, 0x0c, 0xff, 0x00, 0x00,
                          0x00, 0x00, 0x44, 0x01, 0x00, 0x01, 0x00, 0x00,
                          0x00, 0x00, 0x00, 0x4a, 0x00, 0x00, 0x00, 0x00,
                          0x00, 0xdc, 0x02, 0x00, 0x80, 0xb1, 0x00, 0x60,
                          0x48, 0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05,
                          0x02, 0xa0, 0x3e, 0x30, 0x3c, 0xa0, 0x0e, 0x30,
                          0x0c, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01,
                          0x82, 0x37, 0x02, 0x02, 0x0a, 0xa2, 0x2a, 0x04,
                          0x28, 0x4e, 0x54, 0x4c, 0x4d, 0x53, 0x53, 0x50,
                          0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x82, 0x08,
                          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                          0x00, 0x05, 0x01, 0x28, 0x0a, 0x00, 0x00, 0x00,
                          0x0f, 0x00, 0x57, 0x00, 0x69, 0x00, 0x6e, 0x00,
                          0x64, 0x00, 0x6f, 0x00, 0x77, 0x00, 0x73, 0x00,
                          0x20, 0x00, 0x32, 0x00, 0x30, 0x00, 0x30, 0x00,
                          0x32, 0x00, 0x20, 0x00, 0x53, 0x00, 0x65, 0x00,
                          0x72, 0x00, 0x76, 0x00, 0x69, 0x00, 0x63, 0x00,
                          0x65, 0x00, 0x20, 0x00, 0x50, 0x00, 0x61, 0x00,
                          0x63, 0x00, 0x6b, 0x00, 0x20, 0x00, 0x32, 0x00,
                          0x20, 0x00, 0x32, 0x00, 0x36, 0x00, 0x30, 0x00,
                          0x30, 0x00, 0x00, 0x00, 0x57, 0x00, 0x69, 0x00,
                          0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00, 0x77, 0x00,
                          0x73, 0x00, 0x20, 0x00, 0x32, 0x00, 0x30, 0x00,
                          0x30, 0x00, 0x32, 0x00, 0x20, 0x00, 0x35, 0x00,
                          0x2e, 0x00, 0x31, 0x00, 0x00, 0x00, 0x00, 0x00);

send( socket:soc, data:smb_sess_req );

## SMB Session Setup AndX Response, expected to carry an NTLMSSP_CHALLENGE
## with status STATUS_MORE_PROCESSING_REQUIRED. Neither the status word nor
## the challenge is inspected — only that some reply arrived.
smb_sess_resp = smb_recv( socket:soc );
if( ! smb_sess_resp )
{
  close( soc );
  exit( 0 );
}

## Extract the UID the server assigned: SMB header offset 28-29
## (little-endian), i.e. bytes 32-33 once the 4-byte NetBIOS prefix is
## counted. The two raw bytes are spliced verbatim into the AUTH frame below;
## the combined integer goes to smb_tconx(). The `smb_sess_resp &&` test is
## redundant after the check above.
## NOTE(review): the short-reply branch exits without closing the socket,
## unlike the other early exits in this script.
if(smb_sess_resp && strlen(smb_sess_resp) > 33)
{
  uid_low   = ord(smb_sess_resp[32]);
  uid_high  = ord(smb_sess_resp[33]);
  uid   = uid_high * 256;
  uid  += uid_low;
}
else {
  exit(0);
}

## SMB Session Setup AndX Request completing the exchange with an NTLMSSP AUTH
## (type 3) message inside a SPNEGO negTokenResp (0xa1 ... 0x04 0x59 = 89-byte
## response token). Domain, user and workstation fields all have length 0 and
## the LmChallengeResponse is a single zero byte — an anonymous null session
## ("User: \"); no credentials are transmitted. The 16 bytes after that zero
## byte fill the EncryptedRandomSessionKey field (declared length 0x10) and
## are a fixed constant. The server-assigned UID bytes from the previous reply
## are spliced into SMB header offset 28-29; MID is 0x80; NetBIOS length
## 0x0102 = 258.
smb_sess_andx_req = raw_string(0x00, 0x00, 0x01, 0x02, 0xff, 0x53, 0x4d, 0x42,
                               0x73, 0x00, 0x00, 0x00, 0x00, 0x18, 0x03, 0xc8,
                               0x00, 0x00, 0x42, 0x53, 0x52, 0x53, 0x50, 0x59,
                               0x4c, 0x20, 0x00, 0x00, 0x00, 0x00, 0xc5, 0xa6)
                               + raw_string(uid_low, uid_high) +
                               raw_string( 0x80, 0x00, 0x0c, 0xff, 0x00, 0x00,
                               0x00, 0x00, 0x44, 0x01, 0x00, 0x00, 0x00, 0x00,
                               0x00, 0x00, 0x00, 0x61, 0x00, 0x00, 0x00, 0x00,
                               0x00, 0xdc, 0x02, 0x00, 0x80, 0xc7, 0x00, 0xa1,
                               0x5f, 0x30, 0x5d, 0xa2, 0x5b, 0x04, 0x59, 0x4e,
                               0x54, 0x4c, 0x4d, 0x53, 0x53, 0x50, 0x00, 0x03,
                               0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x48,
                               0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49,
                               0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49,
                               0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49,
                               0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49,
                               0x00, 0x00, 0x00, 0x10, 0x00, 0x10, 0x00, 0x49,
                               0x00, 0x00, 0x00, 0x05, 0x02, 0x08, 0x00, 0x01,
                               0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,
                               0x77, 0x24, 0xb3, 0x5b, 0xd0, 0xee, 0x67, 0x99,
                               0xa6, 0x5b, 0x68, 0xa4, 0x4f, 0x0e, 0xeb, 0x56,
                               0x57, 0x00, 0x69, 0x00, 0x6e, 0x00, 0x64, 0x00,
                               0x6f, 0x00, 0x77, 0x00, 0x73, 0x00, 0x20, 0x00,
                               0x32, 0x00, 0x30, 0x00, 0x30, 0x00, 0x32, 0x00,
                               0x20, 0x00, 0x53, 0x00, 0x65, 0x00, 0x72, 0x00,
                               0x76, 0x00, 0x69, 0x00, 0x63, 0x00, 0x65, 0x00,
                               0x20, 0x00, 0x50, 0x00, 0x61, 0x00, 0x63, 0x00,
                               0x6b, 0x00, 0x20, 0x00, 0x32, 0x00, 0x20, 0x00,
                               0x32, 0x00, 0x36, 0x00, 0x30, 0x00, 0x30, 0x00,
                               0x00, 0x00, 0x57, 0x00, 0x69, 0x00, 0x6e, 0x00,
                               0x64, 0x00, 0x6f, 0x00, 0x77, 0x00, 0x73, 0x00,
                               0x20, 0x00, 0x32, 0x00, 0x30, 0x00, 0x30, 0x00,
                               0x32, 0x00, 0x20, 0x00, 0x35, 0x00, 0x2e, 0x00,
                               0x31, 0x00, 0x00, 0x00, 0x00, 0x00);

send( socket:soc, data:smb_sess_andx_req );

## SMB Session Setup AndX Response. Its status word is not checked, so a
## server that refuses the null session is not recognised here; presumably
## the tree connect below then fails and the script exits without a report —
## a missed detection rather than a false positive, since the final check
## still requires the specific STATUS_INSUFF_SERVER_RESOURCES reply.
smb_sess_andx_resp = smb_recv( socket:soc );
if( ! smb_sess_andx_resp )
{
  close( soc );
  exit( 0 );
}

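## SMB Tree Connect AndX Request, Path: \\<name>\IPC$
## Bind the (anonymous) session identified by `uid` to the IPC$ share via the
## smb_nt.inc helper; the Transaction probe below needs the resulting TID.
smb_tree_resp = smb_tconx( soc:soc, name:name, uid:uid, share:"IPC$" );

## Bail out silently on no reply or on a reply too short to hold the SMB
## header. The socket is released on both paths so every early exit in this
## script behaves the same way.
## NOTE(review): the tree-connect status word is not inspected; an error
## reply long enough to pass this check still yields a TID, which presumably
## only makes the later probe fail (no report), never report falsely.
if( ! smb_tree_resp || strlen( smb_tree_resp ) <= 29 )
{
  close( soc );
  exit( 0 );
}

## Tree ID: SMB header offset 24-25 (little-endian), i.e. bytes 28-29 once
## the 4-byte NetBIOS session header is counted. Kept as two raw bytes because
## they are spliced verbatim into the Transaction request.
tid_low  = ord( smb_tree_resp[28] );
tid_high = ord( smb_tree_resp[29] );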

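## SMB_COM_TRANSACTION (0x25) carrying TRANS_PEEK_NMPIPE (setup word 0x0023)
## against FID 0x0000 on "\PIPE\", using the TID and UID obtained above
## (PID 0x5ef5, MID 0x7626). This is the MS17-010 indicator probe: no payload
## is sent and nothing is written to the pipe — the script relies solely on
## the distinguishing error code an unpatched SMBv1 server returns for this
## invalid-handle peek. NetBIOS length 0x4a = 74.
smbtrans_request = raw_string(0x00, 0x00, 0x00, 0x4a, 0xff, 0x53, 0x4d, 0x42,
                              0x25, 0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x28,
                              0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                              0x00, 0x00, 0x00, 0x00)+raw_string(tid_low, tid_high) +
                              raw_string( 0xf5, 0x5e)+raw_string(uid_low, uid_high) +
                              raw_string(0x26, 0x76, 0x10, 0x00, 0x00, 0x00,
                              0x00, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00,
                              0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                              0x00, 0x4a, 0x00, 0x00, 0x00, 0x4a, 0x00, 0x02,
                              0x00, 0x23, 0x00, 0x00, 0x00, 0x07, 0x00, 0x5c,
                              0x50, 0x49, 0x50, 0x45, 0x5c, 0x00);

send( socket:soc, data:smbtrans_request );
smb_trans_resp = smb_recv( socket:soc );

## The reply must at least cover the 4-byte NetBIOS prefix and the 32-byte
## SMB header (39 is the threshold the check has always used) before any
## byte below is indexed.
if( ! smb_trans_resp || strlen( smb_trans_resp ) < 39 )
{
  close( soc );
  exit( 0 );
}

## Only interpret a frame that is actually an SMB reply to our Transaction
## command: "\xffSMB" at bytes 4-7 and command 0x25 at byte 8. A stray or
## malformed frame must not have its bytes 9-12 read as a status word.
if( ord( smb_trans_resp[4] ) != 0xff || ord( smb_trans_resp[5] ) != 0x53 ||
    ord( smb_trans_resp[6] ) != 0x4d || ord( smb_trans_resp[7] ) != 0x42 ||
    ord( smb_trans_resp[8] ) != 0x25 )
{
  close( soc );
  exit( 0 );
}

## NT status is the little-endian 32-bit word at bytes 9-12 of the reply.
## STATUS_INSUFF_SERVER_RESOURCES (0xC0000205 → bytes 05 02 00 c0) means the
## host lacks the MS17-010 patch. A patched host answers with
## STATUS_ACCESS_DENIED or STATUS_INVALID_HANDLE instead, so only this exact
## status triggers a report; everything else is a silent "not vulnerable".
if( ord( smb_trans_resp[9] )  == 0x05 && ord( smb_trans_resp[10] ) == 0x02 &&
    ord( smb_trans_resp[11] ) == 0x00 && ord( smb_trans_resp[12] ) == 0xc0 )
{
  security_message( port:smbPort );
  close( soc );
  exit( 0 );
}
close( soc );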