ID SSV:20827 Type seebug Reporter Root Modified 2011-08-10T00:00:00
Description
Bugtraq ID: 49012
CVE ID:CVE-2011-1966
Microsoft Windows是一款流行的操作系统。
Windows DNS server处理NAPTR (Name Authority Pointer)资源记录的查询存在错误,允许攻击者对设置为非权威DNS服务器进行任意代码执行攻击。
此问题是一个符号扩展漏洞,由于没有对小的负数扩展为大的类型进行正确检查,之后这个大的负值用于memcpy计算堆缓冲区。复制长度始终至少为0x80000000字节长,因此在2+GB可用内存中进行拷贝可导致拷贝操作失败。另外要成功利用漏洞并执行代码需要绕过ASLR,DEP和堆元数据保护。最后攻击者只有三次机会来利用此漏洞,因为服务控制管理器在三次崩溃后就不会再启动
Microsoft Windows Server 2008 Standard Edition SP2
Microsoft Windows Server 2008 Standard Edition Release Candidate
Microsoft Windows Server 2008 Standard Edition R2 SP1
Microsoft Windows Server 2008 Standard Edition R2
Microsoft Windows Server 2008 Standard Edition Itanium
Microsoft Windows Server 2008 Standard Edition 0
Microsoft Windows Server 2008 Standard Edition - Sp2 Web
Microsoft Windows Server 2008 Standard Edition - Sp2 Storage
Microsoft Windows Server 2008 Standard Edition - Sp2 Hpc
Microsoft Windows Server 2008 Standard Edition - Gold Web
Microsoft Windows Server 2008 Standard Edition - Gold Storage
Microsoft Windows Server 2008 Standard Edition - Gold Standard
Microsoft Windows Server 2008 Standard Edition - Gold Itanium
Microsoft Windows Server 2008 Standard Edition - Gold Hpc
Microsoft Windows Server 2008 Standard Edition - Gold Enterprise
Microsoft Windows Server 2008 Standard Edition - Gold Datacenter
Microsoft Windows Server 2008 Standard Edition - Gold
Microsoft Windows Server 2008 R2 x64 SP1
Microsoft Windows Server 2008 R2 x64 0
Microsoft Windows Server 2008 R2 Standard Edition 0
Microsoft Windows Server 2008 R2 Itanium SP1
Microsoft Windows Server 2008 R2 Itanium 0
Microsoft Windows Server 2008 R2 for x64-based Systems SP1 0
Microsoft Windows Server 2008 R2 Enterprise Edition 0
Microsoft Windows Server 2008 R2 Datacenter SP1
Microsoft Windows Server 2008 R2 Datacenter 0
Microsoft Windows Server 2008 for x64-based Systems SP2
Microsoft Windows Server 2008 for x64-based Systems R2
Microsoft Windows Server 2008 for x64-based Systems 0
Microsoft Windows Server 2008 for Itanium-based Systems SP2
Microsoft Windows Server 2008 for Itanium-based Systems R2
Microsoft Windows Server 2008 for Itanium-based Systems 0
Microsoft Windows Server 2008 for 32-bit Systems SP2
Microsoft Windows Server 2008 for 32-bit Systems 0
Microsoft Windows Server 2008 Enterprise Edition SP2
Microsoft Windows Server 2008 Enterprise Edition Release Candidate
Microsoft Windows Server 2008 Enterprise Edition 0
Microsoft Windows Server 2008 Datacenter Edition SP2
Microsoft Windows Server 2008 Datacenter Edition Release Candidate
Microsoft Windows Server 2008 Datacenter Edition 0
Microsoft Windows Server 2008 SP2 Beta
Microsoft Windows Server 2008 - Sp2 Enterprise X64
厂商解决方案
用户可参考如下供应商提供的安全公告获得补丁信息:
http://www.microsoft.com/technet/security/Bulletin/MS11-058.mspx
{"href": "https://www.seebug.org/vuldb/ssvid-20827", "status": "details", "history": [], "bulletinFamily": "exploit", "modified": "2011-08-10T00:00:00", "title": "Microsoft Windows DNS Server NAPTR\u67e5\u8be2\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e", "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 10.0}, "sourceHref": "", "cvelist": ["CVE-2011-1966"], "description": "Bugtraq ID: 49012\r\nCVE ID\uff1aCVE-2011-1966\r\n\r\nMicrosoft Windows\u662f\u4e00\u6b3e\u6d41\u884c\u7684\u64cd\u4f5c\u7cfb\u7edf\u3002\r\nWindows DNS server\u5904\u7406NAPTR (Name Authority Pointer)\u8d44\u6e90\u8bb0\u5f55\u7684\u67e5\u8be2\u5b58\u5728\u9519\u8bef\uff0c\u5141\u8bb8\u653b\u51fb\u8005\u5bf9\u8bbe\u7f6e\u4e3a\u975e\u6743\u5a01DNS\u670d\u52a1\u5668\u8fdb\u884c\u4efb\u610f\u4ee3\u7801\u6267\u884c\u653b\u51fb\u3002\r\n\u6b64\u95ee\u9898\u662f\u4e00\u4e2a\u7b26\u53f7\u6269\u5c55\u6f0f\u6d1e\uff0c\u7531\u4e8e\u6ca1\u6709\u5bf9\u5c0f\u7684\u8d1f\u6570\u6269\u5c55\u4e3a\u5927\u7684\u7c7b\u578b\u8fdb\u884c\u6b63\u786e\u68c0\u67e5\uff0c\u4e4b\u540e\u8fd9\u4e2a\u5927\u7684\u8d1f\u503c\u7528\u4e8ememcpy\u8ba1\u7b97\u5806\u7f13\u51b2\u533a\u3002\u590d\u5236\u957f\u5ea6\u59cb\u7ec8\u81f3\u5c11\u4e3a0x80000000\u5b57\u8282\u957f\uff0c\u56e0\u6b64\u57282+GB\u53ef\u7528\u5185\u5b58\u4e2d\u8fdb\u884c\u62f7\u8d1d\u53ef\u5bfc\u81f4\u62f7\u8d1d\u64cd\u4f5c\u5931\u8d25\u3002\u53e6\u5916\u8981\u6210\u529f\u5229\u7528\u6f0f\u6d1e\u5e76\u6267\u884c\u4ee3\u7801\u9700\u8981\u7ed5\u8fc7ASLR,DEP\u548c\u5806\u5143\u6570\u636e\u4fdd\u62a4\u3002\u6700\u540e\u653b\u51fb\u8005\u53ea\u6709\u4e09\u6b21\u673a\u4f1a\u6765\u5229\u7528\u6b64\u6f0f\u6d1e\uff0c\u56e0\u4e3a\u670d\u52a1\u63a7\u5236\u7ba1\u7406\u5668\u5728\u4e09\u6b21\u5d29\u6e83\u540e\u5c31\u4e0d\u4f1a\u518d\u542f\u52a8\n\nMicrosoft Windows Server 2008 Standard Edition SP2\r\n Microsoft Windows Server 2008 Standard Edition Release Candidate\r\n Microsoft Windows Server 2008 Standard Edition R2 SP1\r\n Microsoft Windows Server 2008 Standard Edition R2\r\n Microsoft Windows Server 2008 Standard Edition Itanium\r\n Microsoft Windows Server 2008 Standard Edition 0\r\n Microsoft Windows Server 2008 Standard Edition - Sp2 Web\r\n Microsoft Windows Server 2008 Standard Edition - Sp2 Storage\r\n Microsoft Windows Server 2008 Standard Edition - Sp2 Hpc\r\n Microsoft Windows Server 2008 Standard Edition - Gold Web\r\n Microsoft Windows Server 2008 Standard Edition - Gold Storage\r\n Microsoft Windows Server 2008 Standard Edition - Gold Standard\r\n Microsoft Windows Server 2008 Standard Edition - Gold Itanium\r\n Microsoft Windows Server 2008 Standard Edition - Gold Hpc\r\n Microsoft Windows Server 2008 Standard Edition - Gold Enterprise\r\n Microsoft Windows Server 2008 Standard Edition - Gold Datacenter\r\n Microsoft Windows Server 2008 Standard Edition - Gold\r\n Microsoft Windows Server 2008 R2 x64 SP1\r\n Microsoft Windows Server 2008 R2 x64 0\r\n Microsoft Windows Server 2008 R2 Standard Edition 0\r\n Microsoft Windows Server 2008 R2 Itanium SP1\r\n Microsoft Windows Server 2008 R2 Itanium 0\r\n Microsoft Windows Server 2008 R2 for x64-based Systems SP1 0\r\n Microsoft Windows Server 2008 R2 Enterprise Edition 0\r\n Microsoft Windows Server 2008 R2 Datacenter SP1\r\n Microsoft Windows Server 2008 R2 Datacenter 0\r\n Microsoft Windows Server 2008 for x64-based Systems SP2\r\n Microsoft Windows Server 2008 for x64-based Systems R2\r\n Microsoft Windows Server 2008 for x64-based Systems 0\r\n Microsoft Windows Server 2008 for Itanium-based Systems SP2\r\n Microsoft Windows Server 2008 for Itanium-based Systems R2\r\n Microsoft Windows Server 2008 for Itanium-based Systems 0\r\n Microsoft Windows Server 2008 for 32-bit Systems SP2\r\n Microsoft Windows Server 2008 for 32-bit Systems 0\r\n Microsoft Windows Server 2008 Enterprise Edition SP2\r\n Microsoft Windows Server 2008 Enterprise Edition Release Candidate\r\n Microsoft Windows Server 2008 Enterprise Edition 0\r\n Microsoft Windows Server 2008 Datacenter Edition SP2\r\n Microsoft Windows Server 2008 Datacenter Edition Release Candidate\r\n Microsoft Windows Server 2008 Datacenter Edition 0\r\n Microsoft Windows Server 2008 SP2 Beta\r\n Microsoft Windows Server 2008 - Sp2 Enterprise X64\n\u5382\u5546\u89e3\u51b3\u65b9\u6848\r\n\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u4f9b\u5e94\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u516c\u544a\u83b7\u5f97\u8865\u4e01\u4fe1\u606f\uff1a\r\nhttp://www.microsoft.com/technet/security/Bulletin/MS11-058.mspx", "viewCount": 13, "published": "2011-08-10T00:00:00", "sourceData": "", "id": "SSV:20827", "enchantments_done": [], "_object_type": "robots.models.seebug.SeebugBulletin", "type": "seebug", "lastseen": "2017-11-19T18:00:42", "reporter": "Root", "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2011-1966"]}, {"type": "nessus", "idList": ["DNS_MS11-058.NASL", "MS_DNS_KB2562485.NASL", "SMB_NT_MS11-058.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:900295", "OPENVAS:1361412562310900295"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:11840"]}], "modified": "2017-11-19T18:00:42"}, "vulnersScore": 5.0}, "objectVersion": "1.4", "references": []}
{"cve": [{"lastseen": "2018-10-13T11:35:16", "bulletinFamily": "NVD", "description": "The DNS server in Microsoft Windows Server 2008 SP2, R2, and R2 SP1 does not properly handle NAPTR queries that trigger recursive processing, which allows remote attackers to execute arbitrary code via a crafted query, aka \"DNS NAPTR Query Vulnerability.\"", "modified": "2018-10-12T18:01:11", "published": "2011-08-10T17:55:01", "id": "CVE-2011-1966", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1966", "title": "CVE-2011-1966", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-02-21T01:15:17", "bulletinFamily": "scanner", "description": "The version of Windows DNS server running on the remote host has a memory corruption vulnerability that can be triggered by making a specially crafted NAPTR query. This could allow an attacker to write arbitrary data to the heap and potentially execute arbitrary code.\n\nNote that upstream servers may filter this request, creating a false negative, or may be vulnerable themselves, creating a false positive.\nIf the target is patched and shows up as vulnerable, check your upstream DNS servers.\n\nNote also that while Microsoft's advisory referenced multiple vulnerabilities, Nessus only tests for the vulnerability described above.", "modified": "2018-11-15T00:00:00", "id": "DNS_MS11-058.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=55883", "published": "2011-08-17T00:00:00", "title": "MS11-058: Vulnerabilities in DNS Server Could Allow Remote Code Execution (2562485) (remote check)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(55883);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2018/11/15 20:50:26\");\n\n script_cve_id(\"CVE-2011-1966\");\n script_bugtraq_id(49012);\n script_xref(name:\"MSFT\", value:\"MS11-058\");\n script_xref(name:\"MSKB\", value:\"2562485\");\n\n script_name(english:\"MS11-058: Vulnerabilities in DNS Server Could Allow Remote Code Execution (2562485) (remote check)\");\n script_summary(english:\"Checks if Dns.exe on Windows Server 2008 handles long NAPTR lookup requests safely.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The DNS server running on the remote host is affected by a memory\ncorruption vulnerability.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The version of Windows DNS server running on the remote host has a\nmemory corruption vulnerability that can be triggered by making a\nspecially crafted NAPTR query. This could allow an attacker to write\narbitrary data to the heap and potentially execute arbitrary code.\n\nNote that upstream servers may filter this request, creating a false\nnegative, or may be vulnerable themselves, creating a false positive.\nIf the target is patched and shows up as vulnerable, check your\nupstream DNS servers.\n\nNote also that while Microsoft's advisory referenced multiple\nvulnerabilities, Nessus only tests for the vulnerability described\nabove.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2011/ms11-058\");\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Microsoft has released a set of patches for Windows 2003, 2008, and\n2008 R2.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/08/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/08/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/08/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"dns_server.nasl\", \"os_fingerprint.nasl\");\n script_require_ports(\"Services/dns\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"byte_func.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"dns_func.inc\");\n\n# Figure out which port we're using\nport = get_service(svc:'dns', default:53, exit_on_fail:TRUE, ipproto:\"udp\");\nif (!get_udp_port_state(port)) audit(AUDIT_PORT_CLOSED, port, \"UDP\");\n\n# Make sure this is Windows 2008 (if possible) before trying\nos = get_kb_item(\"Host/OS\");\nif (!isnull(os) && '2008' >!< os)\n exit(1, \"This plugin only detects vulnerable installations of Windows 2008\");\n\n# Connect to the host\ns = open_sock_udp(port);\nif (!s) audit(AUDIT_SOCK_FAIL, port, \"UDP\");\n\n# Generate a random transaction id\ntransaction_id = rand() % 0xFFFF;\n\n# Create a simple DNS packet\ndns = '';\ndns += mkword(transaction_id); # Transaction id\ndns += mkword(0x0100); # Flags (0x0100 = 'recursion desired')\n# Questions, answers, authority, and additional\ndns += mkword(0x0001) + mkword(0x0000) + mkword(0x0000) + mkword(0x0000);\ndns += '\\x08ms11-058\\x01t\\x06nessus\\x03org\\x00'; # Using ms11-058.t.nessus.org\ndns += mkword(0x0023); # Type (0x0023 = NAPTR)\ndns += mkword(0x0001); # Class (0x0001 = IN)\nif(!send(socket:s, data:dns))\n exit(1, \"Failed to send data to the DNS server listening on UDP port \"+port+\".\");\n\n# Receive the response from the DNS server\nresponse = recv(socket:s, length:0xFFFF);\nif(isnull(response))\n exit(1, \"Failed to receive a packet from the DNS server listening on UDP port \"+port+\".\");\n\n# Parse the response with the DNS library\ndns = dns_split(response);\n\nif(isnull(dns))\n exit(1, \"Failed to parse the response from the DNS server listening on UDP port \"+port+\".\");\n\n# Validate the transaction id\nif(dns['transaction_id'] != transaction_id)\n exit(1, \"Incorrect transaction_id on the response from the DNS server listening on UDP port \"+port+\".\");\n\n# Validate the flags\nif(dns['flags'] & 0x0002)\n exit(0, \"The response from the DNS server listening on UDP port \"+port+\" indicates an error; host either isn't vulnerable, it isn't configured to forward DNS requests recursively, or an upstream DNS server prevented the attack.\");\n\ni = 0;\nwhile(!isnull(dns['an_rr_data_' + i + '_data']))\n{\n # The answer that we get from a vulnerable server is a little complicated,\n # but is fortunately static. It's the in-memory representation of the domain\n # name, as generated by _Name_PacketNameToCountName(), which is a byte\n # representing the number of fields, followed by the length-prefixed fields\n # (ie, test.tenable.com becomes \\x03 (number of fields) \\x04 (length) \"test\"\n # \\x07 (length) \"tenable\" \\x03 (length) \"com\" \\x00).\n answer = dns['an_rr_data_' + i + '_data'];\n if('\\x00\\x64' + # Order (the proper value)\n '\\x00\\x0A' + # Preference (the proper value)\n '\\x12' + # Flags length (not the proper value)\n '\\x03\\x04test\\x07tenable\\x03com\\x00' # encoded name\n >< answer)\n {\n security_hole(port:port, proto:\"udp\");\n exit(0);\n }\n i++;\n}\n\naudit(AUDIT_HOST_NOT, 'affected');\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:15:15", "bulletinFamily": "scanner", "description": "The version of Windows DNS server running on the remote host has the following vulnerabilities :\n\n - A memory corruption vulnerability that can be triggered by making a specially crafted NAPTR query, which can result in arbitrary code execution. (CVE-2011-1966)\n\n - A denial of service vulnerability related to handling uninitialized memory improperly, which can cause the DNS service to become unresponsive. (CVE-2011-1970)", "modified": "2018-11-15T00:00:00", "id": "SMB_NT_MS11-058.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=55788", "published": "2011-08-09T00:00:00", "title": "MS11-058: Vulnerabilities in DNS Server Could Allow Remote Code Execution (2562485)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(55788);\n script_version(\"1.18\");\n script_cvs_date(\"Date: 2018/11/15 20:50:31\");\n\n script_cve_id(\"CVE-2011-1966\", \"CVE-2011-1970\");\n script_bugtraq_id(49012, 49019);\n script_xref(name:\"MSFT\", value:\"MS11-058\");\n script_xref(name:\"MSKB\", value:\"2562485\");\n\n script_name(english:\"MS11-058: Vulnerabilities in DNS Server Could Allow Remote Code Execution (2562485)\");\n script_summary(english:\"Checks file version of Dns.exe\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The DNS server running on the remote host has multiple\nvulnerabilities.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The version of Windows DNS server running on the remote host has the\nfollowing vulnerabilities :\n\n - A memory corruption vulnerability that can be triggered\n by making a specially crafted NAPTR query, which can\n result in arbitrary code execution. (CVE-2011-1966)\n\n - A denial of service vulnerability related to handling\n uninitialized memory improperly, which can cause the\n DNS service to become unresponsive. (CVE-2011-1970)\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2011/ms11-058\");\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Microsoft has released a set of patches for Windows 2003, 2008, and\n2008 R2.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/08/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/08/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/08/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\n\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS11-058';\nkb = '2562485';\n\nkbs = make_list(kb);\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win2003:'2', vista:'2', win7:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nregistry_init();\nhklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);\npath = get_registry_value(handle:hklm, item:\"SYSTEM\\CurrentControlSet\\Services\\DNS\\ImagePath\");\nRegCloseKey(handle:hklm);\nclose_registry();\n\nif (isnull(path))\n exit(0, 'The DNS role is not enabled on the remote host.');\n\nrootfile = hotfix_get_systemroot();\nif (!rootfile) exit(1, \"Failed to get the system root.\");\n\nshare = hotfix_path2share(path:rootfile);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n # Windows Server 2008 R2\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Dns.exe\", version:\"6.1.7601.21754\", min_version:\"6.1.7601.21000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Dns.exe\", version:\"6.1.7601.17639\", min_version:\"6.1.7601.17000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", sp:0, file:\"Dns.exe\", version:\"6.1.7600.20993\", min_version:\"6.1.7600.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", sp:0, file:\"Dns.exe\", version:\"6.1.7600.16840\", min_version:\"6.1.7600.16000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Windows 2008\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Dns.exe\", version:\"6.0.6002.22665\", min_version:\"6.0.6002.22000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Dns.exe\", version:\"6.0.6002.18486\", min_version:\"6.0.6002.18000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Windows 2003\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Dns.exe\", version:\"5.2.3790.4882\", dir:\"\\system32\", bulletin:bulletin, kb:kb)\n)\n{\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:20:52", "bulletinFamily": "scanner", "description": "According to its self-reported version number, the Microsoft DNS Server running on the remote host has the following vulnerabilities :\n\n - A memory corruption vulnerability exists that can be triggered by an attacker sending a specially crafted NAPTR query. This could result in arbitrary code execution. (CVE-2011-1966)\n\n - A denial of service vulnerability exists related to the improper handling of uninitialized memory. This may result in the DNS service becoming unresponsive.\n (CVE-2011-1970)", "modified": "2018-11-15T00:00:00", "id": "MS_DNS_KB2562485.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=72836", "published": "2014-03-05T00:00:00", "title": "MS11-058: Vulnerabilities in DNS Server Could Allow Remote Code Execution (2562485) (uncredentialed check)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(72836);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2018/11/15 20:50:21\");\n\n script_cve_id(\"CVE-2011-1966\", \"CVE-2011-1970\");\n script_bugtraq_id(49012, 49019);\n script_xref(name:\"MSFT\", value:\"MS11-058\");\n script_xref(name:\"MSKB\", value:\"2562485\");\n\n script_name(english:\"MS11-058: Vulnerabilities in DNS Server Could Allow Remote Code Execution (2562485) (uncredentialed check)\");\n script_summary(english:\"Checks version of Microsoft DNS Server\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The DNS server running on the remote host has multiple\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the Microsoft DNS Server\nrunning on the remote host has the following vulnerabilities :\n\n - A memory corruption vulnerability exists that can be\n triggered by an attacker sending a specially crafted\n NAPTR query. This could result in arbitrary code\n execution. (CVE-2011-1966)\n\n - A denial of service vulnerability exists related to the\n improper handling of uninitialized memory. This may\n result in the DNS service becoming unresponsive.\n (CVE-2011-1970)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2011/ms11-058\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows 2003, 2008, and\n2008 R2.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/08/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/08/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/03/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"DNS\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ms_dns_version.nasl\");\n script_require_keys(\"ms_dns/version\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nversion = get_kb_item_or_exit(\"ms_dns/version\");\nport = 53;\nfix = NULL;\n\n# Windows Server 2008 R2\nif (version =~ \"^6\\.1\\.7601\\.21\\d{3}$\" && ver_compare(ver:version, fix:\"6.1.7601.21754\") == -1)\n fix = \"6.1.7601.21754\";\nelse if (version =~ \"^6\\.1\\.7601\\.17\\d{3}$\" && ver_compare(ver:version, fix:\"6.1.7601.17639\") == -1)\n fix = \"6.1.7601.17639\";\nelse if (version =~ \"^6\\.1\\.7600\\.20\\d{3}$\" && ver_compare(ver:version, fix:\"6.1.7600.20993\") == -1)\n fix = \"6.1.7600.20993\";\nelse if (version =~ \"^6\\.1\\.7600\\.16\\d{3}$\" && ver_compare(ver:version, fix:\"6.1.7600.16840\") == -1)\n fix = \"6.1.7600.16840\";\n\n# Windows 2008\nelse if (version =~ \"^6\\.0\\.6002\\.22\\d{3}$\" && ver_compare(ver:version, fix:\"6.0.6002.22665\") == -1)\n fix = \"6.0.6002.22665\";\nelse if (version =~ \"^6\\.0\\.6002\\.18\\d{3}$\" && ver_compare(ver:version, fix:\"6.0.6002.18486\") == -1)\n fix = \"6.0.6002.18486\";\nelse if ( get_kb_item(\"Settings/PCI_DSS\") && version =~ \"^6\\.0\\.6001\\.18\\d{3}$\" )\n fix = \"6.0.6002.18486\";\n\n# Windows 2003 SP2\nelse if (\n version =~ \"^5\\.2\\.3790\\.\" &&\n ver_compare(ver:version, fix:\"5.2.3790.3959\") >= 0 &&\n ver_compare(ver:version, fix:\"5.2.3790.4882\") == -1\n)\n fix = \"5.2.3790.4882\";\n\nelse\n audit(AUDIT_LISTEN_NOT_VULN, \"Microsoft DNS\", port, version, \"UDP\");\n\n\nif (report_verbosity > 0)\n{\n report =\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_hole(port:port, proto:\"udp\", extra:report);\n}\nelse security_hole(port:port, proto:\"udp\");\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:43", "bulletinFamily": "software", "description": "Memory corruption on NAPTR record handling, uninitialized memory access on non-existent domain lookup.", "modified": "2011-08-10T00:00:00", "published": "2011-08-10T00:00:00", "id": "SECURITYVULNS:VULN:11840", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:11840", "title": "Microsoft Windows DNS server security vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2017-07-02T21:13:26", "bulletinFamily": "scanner", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS11-058.", "modified": "2017-02-20T00:00:00", "published": "2011-08-11T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=900295", "id": "OPENVAS:900295", "title": "Microsoft Windows DNS Server Remote Code Execution Vulnerability (2562485)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_ms11-058.nasl 5362 2017-02-20 12:46:39Z cfi $\n#\n# Microsoft Windows DNS Server Remote Code Execution Vulnerability (2562485)\n#\n# Authors:\n# Veerendra G.G <veerendragg@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2011 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation could allow remote attacker to execute arbitrary\n code or to cause the DNS server to stop responding.\n Impact Level: System/Application\";\ntag_affected = \"Microsoft Windows 2K3 Service Pack 2 and prior.\n Microsoft Windows Server 2008 Service Pack 2 and prior.\";\ntag_insight = \"The flaws are exists when Windows DNS server processing a query for a NAPTR\n (Name Authority Pointer) resource record and when processing a query for\n a non-existent domain.\";\ntag_solution = \"Run Windows Update and update the listed hotfixes or download and\n update mentioned hotfixes in the advisory from the below link,\n http://www.microsoft.com/technet/security/bulletin/ms11-058.mspx\";\ntag_summary = \"This host is missing a critical security update according to\n Microsoft Bulletin MS11-058.\";\n\nif(description)\n{\n script_id(900295);\n script_version(\"$Revision: 5362 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-20 13:46:39 +0100 (Mon, 20 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-08-11 06:41:03 +0200 (Thu, 11 Aug 2011)\");\n script_bugtraq_id(49019, 49012);\n script_cve_id(\"CVE-2011-1966\", \"CVE-2011-1970\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Microsoft Windows DNS Server Remote Code Execution Vulnerability (2562485)\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/45564\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/45552\");\n script_xref(name : \"URL\" , value : \"http://support.microsoft.com/kb/2562485\");\n script_xref(name : \"URL\" , value : \"http://www.sophos.com/support/knowledgebase/article/113982.html\");\n script_xref(name : \"URL\" , value : \"http://www.microsoft.com/technet/security/bulletin/ms11-058.mspx\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2011 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_reg_enum.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n## Check for OS and Service Pack\nif(hotfix_check_sp(win2003:3, win2008:3) <= 0){\n exit(0);\n}\n\nif(!registry_key_exists(key:\"SYSTEM\\CurrentControlSet\\Services\\DNS\")){\n exit(0);\n}\n\n## MS11-058 Hotfix 2562485\nif((hotfix_missing(name:\"2562485\") == 0)){\n exit(0);\n}\n\n## Get System Path\nsysPath = smb_get_systemroot();\nif(!sysPath ){\n exit(0);\n}\n\n## Get Version for Dns.exe\nsysVer = fetch_file_version(sysPath, file_name:\"system32\\Dns.exe\");\nif(!sysVer){\n exit(0);\n}\n\n## Windows 2003\nif(hotfix_check_sp(win2003:3) > 0)\n{\n SP = get_kb_item(\"SMB/Win2003/ServicePack\");\n if(\"Service Pack 2\" >< SP)\n {\n ## Check for Dns.exe version\n if(version_is_less(version:sysVer, test_version:\"5.2.3790.4882\")){\n security_message(0);\n }\n exit(0);\n }\n security_message(0);\n}\n\n## Windows Server 2008\nelse if(hotfix_check_sp(win2008:3) > 0)\n{\n SP = get_kb_item(\"SMB/Win2008/ServicePack\");\n\n if(\"Service Pack 2\" >< SP)\n {\n ## Check for Dns.exe version\n if(version_in_range(version:sysVer, test_version:\"6.0.6002.18000\", test_version2:\"6.0.6002.18485\")||\n version_in_range(version:sysVer, test_version:\"6.0.6002.22000\", test_version2:\"6.0.6002.22664\")){\n security_message(0);\n }\n exit(0);\n }\n security_message(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-06T14:40:01", "bulletinFamily": "scanner", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS11-058.", "modified": "2019-05-03T00:00:00", "published": "2011-08-11T00:00:00", "id": "OPENVAS:1361412562310900295", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310900295", "title": "Microsoft Windows DNS Server Remote Code Execution Vulnerability (2562485)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows DNS Server Remote Code Execution Vulnerability (2562485)\n#\n# Authors:\n# Veerendra G.G <veerendragg@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2011 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.900295\");\n script_version(\"2019-05-03T10:54:50+0000\");\n script_tag(name:\"last_modification\", value:\"2019-05-03 10:54:50 +0000 (Fri, 03 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2011-08-11 06:41:03 +0200 (Thu, 11 Aug 2011)\");\n script_bugtraq_id(49019, 49012);\n script_cve_id(\"CVE-2011-1966\", \"CVE-2011-1970\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Microsoft Windows DNS Server Remote Code Execution Vulnerability (2562485)\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/45564\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/45552\");\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/kb/2562485\");\n script_xref(name:\"URL\", value:\"http://www.sophos.com/support/knowledgebase/article/113982.html\");\n script_xref(name:\"URL\", value:\"http://www.microsoft.com/technet/security/bulletin/ms11-058.mspx\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2011 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_reg_enum.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/registry_enumerated\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation could allow remote attacker to execute arbitrary\n code or to cause the DNS server to stop responding.\");\n script_tag(name:\"affected\", value:\"Microsoft Windows 2K3 Service Pack 2 and prior.\n Microsoft Windows Server 2008 Service Pack 2 and prior.\");\n script_tag(name:\"insight\", value:\"The flaws are exists when Windows DNS server processing a query for a NAPTR\n (Name Authority Pointer) resource record and when processing a query for\n a non-existent domain.\");\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n script_tag(name:\"summary\", value:\"This host is missing a critical security update according to\n Microsoft Bulletin MS11-058.\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2003:3, win2008:3) <= 0){\n exit(0);\n}\n\nif(!registry_key_exists(key:\"SYSTEM\\CurrentControlSet\\Services\\DNS\")){\n exit(0);\n}\n\n## MS11-058 Hotfix 2562485\nif((hotfix_missing(name:\"2562485\") == 0)){\n exit(0);\n}\n\nsysPath = smb_get_systemroot();\nif(!sysPath ){\n exit(0);\n}\n\nsysVer = fetch_file_version(sysPath:sysPath, file_name:\"system32\\Dns.exe\");\nif(!sysVer){\n exit(0);\n}\n\nif(hotfix_check_sp(win2003:3) > 0)\n{\n SP = get_kb_item(\"SMB/Win2003/ServicePack\");\n if(\"Service Pack 2\" >< SP)\n {\n if(version_is_less(version:sysVer, test_version:\"5.2.3790.4882\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n }\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n}\n\nelse if(hotfix_check_sp(win2008:3) > 0)\n{\n SP = get_kb_item(\"SMB/Win2008/ServicePack\");\n\n if(\"Service Pack 2\" >< SP)\n {\n if(version_in_range(version:sysVer, test_version:\"6.0.6002.18000\", test_version2:\"6.0.6002.18485\")||\n version_in_range(version:sysVer, test_version:\"6.0.6002.22000\", test_version2:\"6.0.6002.22664\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n }\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
