OVAL118 for CAN-2003-0345 (Windows 2000)

Tiffany Bergeron
CVE-ID: CAN-2003-0345
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0345
CVE Description: Buffer overflow in the SMB capability for Microsoft
Windows XP, 2000, and NT allows remote attackers to cause a denial of
service and possibly execute arbitrary code via an SMB packet that
specifies a smaller buffer length than is required.

Microsoft Security Bulletin MS03-024: Buffer Overrun in Windows Could Lead
to Data Corruption (817606)
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-024.asp

SMB (Server Message Block) is a client-to-server protocol that enables
sharing files, printers, etc. and communication between computers.  This
vulnerability results because the server does not properly validate SMB
packet parameters, allowing an attacker to overflow a buffer and run code.
Microsoft assigned a maximum severity rating of Important to this issue and
provided a patch.  Windows 2000 Service Pack 4 also fixes this
vulnerability.

The query below looks for the affected versions of both of the patch files
(SRV.SYS and Srvsvc.dll) included in the corresponding knowledgebase
article (http://support.microsoft.com/?kbid=817606).  Does anyone know if
we should include both, or if just one is sufficient?

I propose the following OVAL query for Windows 2000 systems.  Please review
and provide comments and suggestions.

OVAL-ID: OVAL118
Status: DRAFT
Version: 0
Date Modified: 2003-08-01
Platform: Windows 2000

Query Synopsis:
-- Vulnerable software exists
   o Microsoft Windows 2000
   o Affected SRV.SYS version
   o Affected srvsvc.dll version
   o Patch Windows2000-KB817606-x86-ENU.exe not installed
   o Windows 2000 Service Pack 4 (or later) not installed

SELECT 'CAN-2003-0345' FROM Placeholder WHERE EXISTS
-- ### BEGIN VULNERABLE SOFTWARE EXISTS
--
-- Windows 2000
   (SELECT 'Windows 2000 Installed' FROM Win2K_RegistryKeys WHERE
           RegistryKey = 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion' AND
           EntryName = 'CurrentVersion' AND
           EntryValue = '5.0')
AND EXISTS
-- Affected SRV.SYS versions
     -- Build the FilePath for SRV.SYS by retrieving the value of
     --   SystemRoot from the registry, and concatenating it with
     --   '\System32\Drivers\SRV.SYS' (using || concat. operator):
   (SELECT 'File %windir%\System32\Drivers\SRV.SYS < 5.0.2195.6699' FROM
Win2K_FileAttributes WHERE
           FilePath = (SELECT EntryValue || '\System32\Drivers\SRV.SYS' FROM Win2K_RegistryKeys WHERE
           RegistryKey = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion' AND
           EntryName = 'SystemRoot') AND
     -- To avoid lexical (string) comparisons of file versions, the
     --   version string (e.g. '5.0.2195.6699') is broken into its
     --   components, stored as numbers.
           (Version1 < 5 OR
           (Version1 = 5 AND Version2 = 0 AND
           (Version3 < 2195 OR
           (Version3 = 2195 AND Version4 < 6699)))))
AND EXISTS
-- Affected srvsvc.dll versions
   (SELECT 'File %windir%\System32\srvsvc.dll < 5.0.2195.6697' FROM
Win2K_FileAttributes WHERE
           FilePath = (SELECT EntryValue || '\System32\srvsvc.dll' FROM
Win2K_RegistryKeys WHERE
           RegistryKey = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion' AND
           EntryName = 'SystemRoot') AND
           (Version1 < 5 OR
           (Version1 = 5 AND Version2 = 0 AND
           (Version3 < 2195 OR
           (Version3 = 2195 AND Version4 < 6697)))))
AND NOT EXISTS
-- Patch Windows2000-KB817606-x86-ENU.exe installed
   (SELECT 'Patch Windows2000-KB817606-x86-ENU.exe Installed' FROM
Win2K_RegistryKeys WHERE
           RegistryKey = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB817606' AND
           EntryName = 'Installed' AND
           EntryValue = '1')
AND NOT EXISTS
-- Windows 2000 Service Pack 4 (or later) installed
   (SELECT 'Windows 2000 SP4 Installed' FROM Win2K_RegistryKeys WHERE
                RegistryKey =
'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion' AND
                EntryName = 'CSDVersion' AND
                EntryValue >= 'Service Pack 4')
-- ### END VULNERABLE SOFTWARE EXISTS
--
-- ### BEGIN VULNERABLE CONFIGURATION
-- ### END VULNERABLE CONFIGURATION
;

-----------------------------------------------------------------
INSERT IDs used:
INSERT3
INSERT22
INSERT125
INSERT280

New INSERTs:

INSERT125
-- SRV.SYS
INSERT INTO Win2K_FileAttributes_Conf (FilePath) VALUES
('%windir%\System32\Drivers\SRV.SYS')
;
INSERT280
-- Windows2000-KB817606-x86-ENU.exe
INSERT INTO Win2K_RegistryKeys_Conf (RegistryKey) VALUES
('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB817606')
;
-----------------------------------------------------------------

Thanks,
Tiffany

Microsoft Technical Lead, MITRE's OVAL Team


Re: OVAL118 for CAN-2003-0345 (Windows 2000)

Tiffany Bergeron
Information about this vulnerability provided by OVAL Board member Bill
Wall of Harris indicates that checking for the srv.sys file is sufficient.
OVAL118 has been modified to reflect this information:

SELECT 'CAN-2003-0345' FROM Placeholder WHERE EXISTS
-- ### BEGIN VULNERABLE SOFTWARE EXISTS
--
-- Windows 2000
   (SELECT 'Windows 2000 Installed' FROM Win2K_RegistryKeys WHERE
           RegistryKey = 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion' AND
           EntryName = 'CurrentVersion' AND
           EntryValue = '5.0')
AND EXISTS
-- Affected SRV.SYS versions
     -- Build the FilePath for SRV.SYS by retrieving the value of
     --   SystemRoot from the registry, and concatenating it with
     --   '\System32\Drivers\SRV.SYS' (using || concat. operator):
   (SELECT 'File %windir%\System32\Drivers\SRV.SYS < 5.0.2195.6699' FROM
Win2K_FileAttributes WHERE
           FilePath = (SELECT EntryValue || '\System32\Drivers\SRV.SYS' FROM Win2K_RegistryKeys WHERE
           RegistryKey = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion' AND
           EntryName = 'SystemRoot') AND
     -- To avoid lexical (string) comparisons of file versions, the
     --   version string (e.g. '5.0.2195.6699') is broken into its
     --   components, stored as numbers.
           (Version1 < 5 OR
           (Version1 = 5 AND Version2 = 0 AND
           (Version3 < 2195 OR
           (Version3 = 2195 AND Version4 < 6699)))))
AND NOT EXISTS
-- Patch Windows2000-KB817606-x86-ENU.exe installed
   (SELECT 'Patch Windows2000-KB817606-x86-ENU.exe Installed' FROM
Win2K_RegistryKeys WHERE
           RegistryKey = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB817606' AND
           EntryName = 'Installed' AND
           EntryValue = '1')
AND NOT EXISTS
-- Windows 2000 Service Pack 4 (or later) installed
   (SELECT 'Windows 2000 SP4 Installed' FROM Win2K_RegistryKeys WHERE
                RegistryKey =
'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion' AND
                EntryName = 'CSDVersion' AND
                EntryValue >= 'Service Pack 4')
-- ### END VULNERABLE SOFTWARE EXISTS
--
-- ### BEGIN VULNERABLE CONFIGURATION
-- ### END VULNERABLE CONFIGURATION
;


Thanks,
Tiffany

Microsoft Technical Lead, MITRE's OVAL Team
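The following is an added example, not part of either post above and not code from MITRE's OVAL distribution. It ports the revised OVAL118 query from the second post (the SRV.SYS-only version) into an in-memory SQLite database so that the four conditions (Windows 2000 present, affected SRV.SYS build, hotfix key absent, SP4 absent) can be exercised against constructed host facts, and it shows why the first post's comment about splitting the version string into numeric components matters. Assumptions of my own: the column layouts of Placeholder, Win2K_RegistryKeys and Win2K_FileAttributes, COLLATE NOCASE on the key and path columns to mimic case-insensitive registry keys and NTFS paths (the query spells the same key both 'Software' and 'SOFTWARE'), and every host value (C:\WINNT, SRV.SYS builds 5.0.2195.6601 and 5.0.2195.700) is invented sample data.

```python
import sqlite3

# Constructed fixture (assumption, not OVAL's own schema): the three tables the
# OVAL118 query reads, modelled in SQLite. Registry keys and NTFS paths are
# case-insensitive on Windows, so those columns use COLLATE NOCASE.
SCHEMA = """
CREATE TABLE Placeholder (dummy INTEGER);
INSERT INTO Placeholder VALUES (0);
CREATE TABLE Win2K_RegistryKeys (
    RegistryKey TEXT COLLATE NOCASE, EntryName TEXT COLLATE NOCASE, EntryValue TEXT);
CREATE TABLE Win2K_FileAttributes (
    FilePath TEXT COLLATE NOCASE,
    Version1 INTEGER, Version2 INTEGER, Version3 INTEGER, Version4 INTEGER);
"""

# The revised OVAL118 query from the second post (SRV.SYS check only), with the
# e-mail line wraps inside string literals removed so each path is one literal.
OVAL118 = r"""
SELECT 'CAN-2003-0345' FROM Placeholder WHERE EXISTS
   (SELECT 'Windows 2000 Installed' FROM Win2K_RegistryKeys WHERE
           RegistryKey = 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion' AND
           EntryName = 'CurrentVersion' AND EntryValue = '5.0')
AND EXISTS
   (SELECT 'File %windir%\System32\Drivers\SRV.SYS < 5.0.2195.6699' FROM Win2K_FileAttributes WHERE
           FilePath = (SELECT EntryValue || '\System32\Drivers\SRV.SYS' FROM Win2K_RegistryKeys WHERE
                       RegistryKey = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion' AND
                       EntryName = 'SystemRoot') AND
           (Version1 < 5 OR (Version1 = 5 AND Version2 = 0 AND
           (Version3 < 2195 OR (Version3 = 2195 AND Version4 < 6699)))))
AND NOT EXISTS
   (SELECT 'Patch Windows2000-KB817606-x86-ENU.exe Installed' FROM Win2K_RegistryKeys WHERE
           RegistryKey = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB817606' AND
           EntryName = 'Installed' AND EntryValue = '1')
AND NOT EXISTS
   (SELECT 'Windows 2000 SP4 Installed' FROM Win2K_RegistryKeys WHERE
           RegistryKey = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion' AND
           EntryName = 'CSDVersion' AND EntryValue >= 'Service Pack 4')
"""

CURRENT_VERSION_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
THRESHOLD = (5, 0, 2195, 6699)  # first fixed SRV.SYS build named in the query


def split_version(version):
    """'5.0.2195.6699' -> (5, 0, 2195, 6699): the numeric components the query keeps
    in Version1..Version4 so that the comparison is numeric, not lexical."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def srv_sys_is_affected(version, lexical=False):
    """Is this SRV.SYS build below 5.0.2195.6699? Tuple comparison is exactly the
    nested OR/AND in the query; lexical=True shows the string-compare trap it avoids."""
    if lexical:
        return version < "5.0.2195.6699"
    return split_version(version) < THRESHOLD


def win2k_host(srv_sys_version, hotfix_installed=False, csd_version="Service Pack 3"):
    """Constructed registry and file facts for one Windows 2000 host (invented data)."""
    registry = [
        (CURRENT_VERSION_KEY, "CurrentVersion", "5.0"),
        (CURRENT_VERSION_KEY, "SystemRoot", r"C:\WINNT"),
        (CURRENT_VERSION_KEY, "CSDVersion", csd_version),
    ]
    if hotfix_installed:
        registry.append((CURRENT_VERSION_KEY + r"\HotFix\KB817606", "Installed", "1"))
    files = [(r"C:\WINNT\System32\Drivers\SRV.SYS", *split_version(srv_sys_version))]
    return registry, files


def evaluate_oval118(registry, files):
    """Load the host facts into a fresh in-memory database and run the query;
    True means the query reports CAN-2003-0345 for that host."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.executescript(SCHEMA)
        conn.executemany("INSERT INTO Win2K_RegistryKeys VALUES (?, ?, ?)", registry)
        conn.executemany("INSERT INTO Win2K_FileAttributes VALUES (?, ?, ?, ?, ?)", files)
        return conn.execute(OVAL118).fetchall() == [("CAN-2003-0345",)]
    finally:
        conn.close()


if __name__ == "__main__":
    cases = [
        ("SP3, SRV.SYS 5.0.2195.6601, no hotfix", win2k_host("5.0.2195.6601")),
        ("SP3, SRV.SYS 5.0.2195.6699", win2k_host("5.0.2195.6699")),
        ("SP3, KB817606 installed", win2k_host("5.0.2195.6601", hotfix_installed=True)),
        ("SP4", win2k_host("5.0.2195.6601", csd_version="Service Pack 4")),
    ]
    for label, host in cases:
        print(f"{label}: {'VULNERABLE' if evaluate_oval118(*host) else 'not vulnerable'}")
```

The sample build 5.0.2195.700 is the reason for the numeric split: compared as strings it sorts after 5.0.2195.6699 and would be reported as fixed, while compared component by component it is older than the fix and is reported as affected.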