MS RPC Patch (Mis-)Reporting
Renaud Deraison
deraison at nessus.org
Thu Sep 11 13:19:41 EDT 2003
On Thu, Sep 11, 2003 at 02:23:45AM -0400, John Kapp wrote:
> Over the past couple weeks, I've had very good results using msrpc_dcom.nasl for testing for the MS03-026 patch. Now that we have started applying MS03-039, I'm getting inconsistent results with both the msrpc_dcom and dcom2 plugins. After applying the 039 patch, about 20% of the systems that I scan are reported as being vulnerable by both the dcom and dcom2 plugins. Microsoft's KB824146 scanner accurately reports that both patches have been installed on these same systems.
Could you run the attached plugin in command-line mode and tell me
what it outputs ? (nasl -t target msrpc_dcom2.nasl).
What operating system is running on the hosts which are supposed to be
patched ?
Also, note that msrpc_dcom.nasl won't work against a host with
MS03-039 applied, so make sure you are running version 1.9 and that BOTH
msrpc_dcom.nasl and msrpc_dcom2.nasl are enabled when you do a scan.
-- Renaud
-------------- next part --------------
#
# (C) Tenable Network Security
#
# v1.2: use the same requests as MS checktool
#
if(description)
{
# Plugin registration only: identifiers, texts and port dependencies.
# The actual check starts after this block.
script_id(11835);
script_cve_id("CAN-2003-0715", "CAN-2003-0528", "CAN-2003-0605");
script_bugtraq_id(8458);
script_version ("$Revision: 1.6 $");
name["english"] = "Microsoft RPC Interface Buffer Overrun (KB824146)";
script_name(english:name["english"]);
desc["english"] = "
The remote host is running a version of Windows which has a flaw in
its RPC interface, which may allow an attacker to execute arbitrary code
and gain SYSTEM privileges.
An attacker or a worm could use it to gain the control of this host.
Note that this is NOT the same bug as the one described in MS03-026
which fixes the flaw exploited by the 'MSBlast' (or LoveSan) worm.
Solution: see http://www.microsoft.com/technet/security/bulletin/MS03-039.asp
Risk factor : High";
script_description(english:desc["english"]);
summary["english"] = "Checks if the remote host has a patched RPC interface (KB824146)";
script_summary(english:summary["english"]);
# Information-gathering category: the code below decides by comparing the
# error codes returned to its RPC requests (see check()/check2()).
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2003 Tenable Network Security");
family["english"] = "Gain root remotely";
script_family(english:family["english"]);
# Needs an RPC endpoint on TCP 135 or 593; the port selection below picks
# whichever one is open and accepts a connection.
script_require_ports("Services/msrpc", 135, 593);
exit(0);
}
#
# The script code starts here
#
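function dcom_recv(socket)
{
 local_var buf, len;
 # Read one complete DCE/RPC PDU from the socket.
 #
 # The first 10 bytes are read to reach the length field (bytes 8-9, low byte
 # first, giving the total PDU length including those 10 bytes); the remainder
 # of the PDU is then read off the socket.
 #
 # Returns the whole PDU, or NULL when the reply is missing, declares a length
 # shorter than what was already read, or arrives truncated. Callers slice
 # error codes from the end of the buffer, so a partial PDU must never be
 # handed back as if it were complete.
 buf = recv(socket:socket, length:10);
 if(strlen(buf) != 10) return NULL;
 len = ord(buf[8]) + ord(buf[9]) * 256;
 # Malformed: the declared length is smaller than the header we already hold
 # (the original code would have issued a negative-length recv here).
 if(len < 10) return NULL;
 if(len > 10) buf += recv(socket:socket, length:len - 10);
 # Truncated reply (timeout or connection dropped mid-PDU).
 if(strlen(buf) != len) return NULL;
 return buf;
}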
# Pick the RPC port used by every probe below: TCP 135 when it is open and
# accepts a connection, otherwise TCP 593. Bail out if the chosen port is not
# known to be open.
port = 135;
if(get_port_state(port))
{
 soc = open_sock_tcp(port);
 if(soc) close(soc);
 else port = 593;
}
else port = 593;
if(!get_port_state(port)) exit(0);
#-------------------------------------------------------------#
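# Value of a single hex digit character (0-9, a-f or A-F); -1 when c is not
# a hex digit.
function hex_nibble(c)
{
 local_var v;
 v = ord(c);
 if(v >= ord("0") && v <= ord("9")) return v - ord("0");
 if(v >= ord("a") && v <= ord("f")) return v - ord("a") + 10;
 if(v >= ord("A") && v <= ord("F")) return v - ord("A") + 10;
 return -1;
}

# Convert a hex string such as "05000b03" into the raw bytes it encodes.
#
# Both lower- and upper-case digits are accepted (the original only handled
# lower case). A trailing odd nibble is ignored rather than read past the end
# of s. Returns NULL when a non-hex character is encountered, so a typo in a
# request template is noticed instead of producing garbage bytes.
function hex2raw(s)
{
 local_var i, hi, lo, ret;
 for(i = 0; i + 1 < strlen(s); i += 2)
 {
  hi = hex_nibble(c:s[i]);
  lo = hex_nibble(c:s[i+1]);
  if(hi < 0 || lo < 0) return NULL;
  ret += raw_string(hi * 16 + lo);
 }
 return ret;
}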
#--------------------------------------------------------------#
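# Open a fresh connection to `port`, bind, send one request PDU and return the
# reply PDU. Shared by check() and check2(), which only differ in which bytes
# of the reply they extract.
#
# Exits the script when no connection or no bind reply can be obtained (there
# is nothing meaningful to test then). Returns NULL when the request itself
# gets no complete reply. The socket is closed on every return path; the
# original check2() never closed it and check() leaked it on the NULL path.
function dcom_exchange(req)
{
 local_var soc, bindstr, r;
 soc = open_sock_tcp(port);
 if(!soc) exit(0);
 bindstr = "05000b03100000004800000001000000d016d016000000000100000000000100a001000000000000c00000000000004600000000045d888aeb1cc9119fe808002b10486002000000";
 send(socket:soc, data:hex2raw(s:bindstr));
 r = dcom_recv(socket:soc);
 if(!r)
 {
  close(soc);
  exit(0);
 }
 send(socket:soc, data:req);
 r = dcom_recv(socket:soc);
 close(soc);
 return r;
}

# Error code of the reply to `req`: the bytes at offsets strlen(r)-4 .. strlen(r)
# (slice kept exactly as in the original; NOTE(review): with an end-inclusive
# substr this is a 4-byte window while the constants it is compared against
# are 5 bytes wide -- confirm substr semantics in this interpreter).
# Returns NULL when no complete reply was received.
function check(req)
{
 local_var r;
 r = dcom_exchange(req:req);
 if(!r) return NULL;
 return substr(r, strlen(r) - 4, strlen(r));
}

# Same exchange as check(), but extracts the bytes at offsets strlen(r)-24 ..
# strlen(r)-20 of the reply (slice kept exactly as in the original).
# Returns NULL when no complete reply was received.
function check2(req)
{
 local_var r;
 r = dcom_exchange(req:req);
 if(!r) return NULL;
 return substr(r, strlen(r) - 24, strlen(r) - 20);
}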
#---------------------------------------------------------------#
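# Determine whether the remote host is running Win95/98/ME: send the Win9x
# bind request and look at a 4-byte window near the end of the reply.
bindwinme = "05000b03100000004800000053535641d016d016000000000100000000000100e6730ce6f988cf119af10020af6e72f402000000045d888aeb1cc9119fe808002b10486002000000";
soc = open_sock_tcp(port);
if(!soc) exit(0);
send(socket:soc, data:hex2raw(s:bindwinme));
rwinme = dcom_recv(socket:soc);
close(soc);
lenwinme = strlen(rwinme);
# Only inspect the reply when it is long enough for the window at
# lenwinme-24 .. lenwinme-21; a missing or short reply would otherwise yield
# negative offsets. A reply too short to classify simply falls through to the
# patch checks below, as it did before.
if(lenwinme >= 24)
{
 stubwinme = substr(rwinme, lenwinme-24, lenwinme-21);
 # This is Windows 95/98/ME which is not vulnerable
 if("02000100" >< hexstr(stubwinme)) exit(0);
}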
#----------------------------------------------------------------#
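# Reference values (hex of the raw bytes as they appear in the reply) for the
# status codes the probes are expected to return. Kept for debugging the
# display() output below; only "0500078000" is compared against directly.
REGDB_CLASS_NOTREG = "5401048000";
CO_E_BADPATH = "0400088000";
NT_QUOTE_ERROR_CODE_EQUOTE = "00000000";
#
# Request PDUs, as hex. error1/error2 drive the verdict; error3/error4 are
# collected for the diagnostic output only.
req1 = "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";
req2 = "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";
req3 = "05000e03100000004800000003000000d016d01605af00000100000001000100b84a9f4d1c7dcf11861e0020af6e7c5700000000045d888aeb1cc9119fe808002b10486002000000";
req4 = "05000003100000009a00000003000000820000000100000005000200000000000000000000000000000000000000000000000000000000009596952a8cda6d4ab23619bcaf2c2dea34eb8f000700000000000000070000005c005c004d0045004f00570000000000000000005c0048005c0048000100000058e98f00010000009596952a8cda6d4ab23619bcaf2c2dea01000000010000005c00";
#display(hex2raw(s:req));
#exit(0);
error1 = check(req:hex2raw(s:req1));
error2 = check(req:hex2raw(s:req2));
error3 = check(req:hex2raw(s:req3));
error4 = check2(req:hex2raw(s:req4));
# Diagnostic output for command-line runs (nasl -t); harmless in a scan.
display("error1=", hexstr(error1), "\n");
display("error2=", hexstr(error2), "\n");
display("error3=", hexstr(error3), "\n");
display("error4=", hexstr(error4), "\n");
# A probe that got no complete reply yields NULL. Comparing two NULLs would
# read as "same error code" and report the host as vulnerable after a mere
# timeout, and one NULL against a real code would read as "patched". Neither
# is a finding: treat a missing answer as inconclusive and report nothing.
if(isnull(error1) || isnull(error2)) exit(0);
# Patched hosts answer the two requests with different error codes; an
# unpatched host returns the same code for both.
if(hexstr(error2) == hexstr(error1))
{
 if(hexstr(error1) == "0500078000") exit(0); # DCOM disabled
 security_hole(port);
}
else
{
 set_kb_item(name:"SMB/KB824146", value:TRUE);
}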