CVE-ID: CAN-2003-0345
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0345

CVE Description: Buffer overflow in the SMB capability for Microsoft Windows XP, 2000, and NT allows remote attackers to cause a denial of service and possibly execute arbitrary code via an SMB packet that specifies a smaller buffer length than is required.

Microsoft Security Bulletin MS03-024: Buffer Overrun in Windows Could Lead to Data Corruption (817606)
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-024.asp

SMB (Server Message Block) is a client-to-server protocol that enables sharing files, printers, etc. and communication between computers. This vulnerability results because the server does not properly validate SMB packet parameters, allowing an attacker to overflow a buffer and run code. Microsoft assigned a maximum severity rating of Important to this issue and provided a patch. Windows 2000 Service Pack 4 also fixes this vulnerability.

The query below looks for the affected versions of both of the patch files (SRV.SYS and Srvsvc.dll) included in the corresponding knowledgebase article (http://support.microsoft.com/?kbid=817606). Does anyone know if we should include both, or if just one is sufficient?

I propose the following OVAL query for Windows 2000 systems. Please review and provide comments and suggestions.
OVAL-ID: OVAL118
Status: DRAFT
Version: 0
Date Modified: 2003-08-01
Platform: Windows 2000

Query Synopsis:
-- Vulnerable software exists
   o Microsoft Windows 2000
   o Affected SRV.SYS version
   o Affected srvsvc.dll version
   o Patch Windows2000-KB817606-x86-ENU.exe not installed
   o Windows 2000 Service Pack 4 (or later) not installed

SELECT 'CAN-2003-0345'
FROM Placeholder
WHERE EXISTS
-- ### BEGIN VULNERABLE SOFTWARE EXISTS
--
-- Windows 2000
  (SELECT 'Windows 2000 Installed'
   FROM Win2K_RegistryKeys
   WHERE RegistryKey = 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion'
     AND EntryName = 'CurrentVersion'
     AND EntryValue = '5.0')
AND EXISTS
-- Affected SRV.SYS versions
-- Build the FilePath for SRV.SYS by retrieving the value of
-- SystemRoot from the registry, and concatenating it with
-- '\System32\Drivers\SRV.SYS' (using || concat. operator):
  (SELECT 'File %windir%\System32\Drivers\SRV.SYS < 5.0.2195.6699'
   FROM Win2K_FileAttributes
   WHERE FilePath = (SELECT EntryValue || '\System32\Drivers\SRV.SYS'
                     FROM Win2K_RegistryKeys
                     WHERE RegistryKey = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
                       AND EntryName = 'SystemRoot')
     AND
-- To avoid lexical (string) comparisons of file versions, the
-- version string (e.g. '5.0.2195.6699') is broken into its
-- components, stored as numbers.
     (Version1 < 5 OR
      (Version1 = 5 AND Version2 = 0 AND
       (Version3 < 2195 OR
        (Version3 = 2195 AND Version4 < 6699)))))
AND EXISTS
-- Affected srvsvc.dll versions
  (SELECT 'File %windir%\System32\srvsvc.dll < 5.0.2195.6697'
   FROM Win2K_FileAttributes
   WHERE FilePath = (SELECT EntryValue || '\System32\srvsvc.dll'
                     FROM Win2K_RegistryKeys
                     WHERE RegistryKey = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
                       AND EntryName = 'SystemRoot')
     AND (Version1 < 5 OR
          (Version1 = 5 AND Version2 = 0 AND
           (Version3 < 2195 OR
            (Version3 = 2195 AND Version4 < 6697)))))
AND NOT EXISTS
-- Patch Windows2000-KB817606-x86-ENU.exe installed
  (SELECT 'Patch Windows2000-KB817606-x86-ENU.exe Installed'
   FROM Win2K_RegistryKeys
   WHERE RegistryKey = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB817606'
     AND EntryName = 'Installed'
     AND EntryValue = '1')
AND NOT EXISTS
-- Windows 2000 Service Pack 4 (or later) installed
  (SELECT 'Windows 2000 SP4 Installed'
   FROM Win2K_RegistryKeys
   WHERE RegistryKey = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
     AND EntryName = 'CSDVersion'
     AND EntryValue >= 'Service Pack 4')
-- ### END VULNERABLE SOFTWARE EXISTS
--
-- ### BEGIN VULNERABLE CONFIGURATION
-- ### END VULNERABLE CONFIGURATION
;
-----------------------------------------------------------------
INSERT IDs used: INSERT3 INSERT22 INSERT125 INSERT280

New INSERTs:

INSERT125
-- SRV.SYS
INSERT INTO Win2K_FileAttributes_Conf (FilePath)
VALUES ('%windir%\System32\Drivers\SRV.SYS')
;

INSERT280
-- Windows2000-KB817606-x86-ENU.exe
INSERT INTO Win2K_RegistryKeys_Conf (RegistryKey)
VALUES ('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB817606')
;
-----------------------------------------------------------------
Thanks,
Tiffany

Microsoft Technical Lead, MITRE's OVAL Team
Information about this vulnerability provided by OVAL Board member Bill Wall of Harris indicates that checking for the srv.sys file is sufficient. OVAL118 has been modified to reflect this information:

SELECT 'CAN-2003-0345'
FROM Placeholder
WHERE EXISTS
-- ### BEGIN VULNERABLE SOFTWARE EXISTS
--
-- Windows 2000
  (SELECT 'Windows 2000 Installed'
   FROM Win2K_RegistryKeys
   WHERE RegistryKey = 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion'
     AND EntryName = 'CurrentVersion'
     AND EntryValue = '5.0')
AND EXISTS
-- Affected SRV.SYS versions
-- Build the FilePath for SRV.SYS by retrieving the value of
-- SystemRoot from the registry, and concatenating it with
-- '\System32\Drivers\SRV.SYS' (using || concat. operator):
  (SELECT 'File %windir%\System32\Drivers\SRV.SYS < 5.0.2195.6699'
   FROM Win2K_FileAttributes
   WHERE FilePath = (SELECT EntryValue || '\System32\Drivers\SRV.SYS'
                     FROM Win2K_RegistryKeys
                     WHERE RegistryKey = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
                       AND EntryName = 'SystemRoot')
     AND
-- To avoid lexical (string) comparisons of file versions, the
-- version string (e.g. '5.0.2195.6699') is broken into its
-- components, stored as numbers.
     (Version1 < 5 OR
      (Version1 = 5 AND Version2 = 0 AND
       (Version3 < 2195 OR
        (Version3 = 2195 AND Version4 < 6699)))))
AND NOT EXISTS
-- Patch Windows2000-KB817606-x86-ENU.exe installed
  (SELECT 'Patch Windows2000-KB817606-x86-ENU.exe Installed'
   FROM Win2K_RegistryKeys
   WHERE RegistryKey = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB817606'
     AND EntryName = 'Installed'
     AND EntryValue = '1')
AND NOT EXISTS
-- Windows 2000 Service Pack 4 (or later) installed
  (SELECT 'Windows 2000 SP4 Installed'
   FROM Win2K_RegistryKeys
   WHERE RegistryKey = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
     AND EntryName = 'CSDVersion'
     AND EntryValue >= 'Service Pack 4')
-- ### END VULNERABLE SOFTWARE EXISTS
--
-- ### BEGIN VULNERABLE CONFIGURATION
-- ### END VULNERABLE CONFIGURATION
;

Thanks,
Tiffany

Microsoft Technical Lead, MITRE's OVAL Team
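The revised OVAL118 logic above, re-expressed as a host-side check in Python. This is an added example, not code from the OVAL project or from the thread: it assumes the registry entries and file attributes have already been collected into plain dicts (`registry` keyed by `(RegistryKey, EntryName)`, `files` keyed by full path), and the function names (`oval118_vulnerable`, `sample_hosts`) and the `C:\WINNT` snapshots are constructed for illustration. The version test mirrors the query's numeric Version1..Version4 comparison rather than comparing version strings.

```python
"""Host-side evaluation of the revised OVAL118 logic for CAN-2003-0345 (MS03-024).

Added example, not OVAL's or MITRE's code. Registry and file data are passed
in as plain dicts so the check runs offline; the sample snapshots below are
constructed, not collected from a real host.
"""

# Thresholds and registry paths are taken from the OVAL118 query text.
SRV_SYS_FIXED_VERSION = "5.0.2195.6699"
NT_CURRENT_VERSION_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
HOTFIX_KEY = NT_CURRENT_VERSION_KEY + r"\HotFix\KB817606"
SRV_SYS_RELATIVE_PATH = r"\System32\Drivers\SRV.SYS"


def version_tuple(version):
    """Split 'a.b.c.d' into a tuple of ints so the comparison is numeric per
    component, like the query's Version1..Version4 columns. A lexical string
    comparison would misorder e.g. build 10000 against 6699."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("expected a four-part numeric version, got %r" % version)
    return tuple(int(p) for p in parts)


def srv_sys_affected(version):
    """True when SRV.SYS is older than the fixed version named in the query.
    Tuple ordering gives the same result as the query's nested Version1..4 test."""
    return version_tuple(version) < version_tuple(SRV_SYS_FIXED_VERSION)


def reg_value(registry, key, name):
    """Case-insensitive lookup in a {(RegistryKey, EntryName): EntryValue} dict;
    Windows key and value names are case-insensitive, and the posted queries
    spell 'Software' / 'SOFTWARE' both ways."""
    for (k, n), v in registry.items():
        if k.lower() == key.lower() and n.lower() == name.lower():
            return v
    return None


def file_version(files, path):
    """Case-insensitive lookup in a {FilePath: version_string} dict."""
    for p, v in files.items():
        if p.lower() == path.lower():
            return v
    return None


def oval118_vulnerable(registry, files):
    """Return True when the host satisfies the revised OVAL118 criteria:
    Windows 2000, affected SRV.SYS, hotfix KB817606 not recorded, and no SP4."""
    # 1. Windows 2000: CurrentVersion = '5.0'
    if reg_value(registry, NT_CURRENT_VERSION_KEY, "CurrentVersion") != "5.0":
        return False
    # 2. Affected SRV.SYS, path built as SystemRoot || '\System32\Drivers\SRV.SYS'
    system_root = reg_value(registry, NT_CURRENT_VERSION_KEY, "SystemRoot")
    if system_root is None:
        return False
    srv_version = file_version(files, system_root + SRV_SYS_RELATIVE_PATH)
    if srv_version is None or not srv_sys_affected(srv_version):
        return False
    # 3. NOT EXISTS hotfix key KB817606 with Installed = '1'
    if reg_value(registry, HOTFIX_KEY, "Installed") == "1":
        return False
    # 4. NOT EXISTS CSDVersion >= 'Service Pack 4' (string comparison, as in the query)
    csd = reg_value(registry, NT_CURRENT_VERSION_KEY, "CSDVersion")
    if csd is not None and csd >= "Service Pack 4":
        return False
    return True


def sample_hosts():
    """Constructed snapshots (hypothetical values) covering each branch of the definition."""
    win2k_key_mixed_case = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion"
    base_reg = {
        (win2k_key_mixed_case, "CurrentVersion"): "5.0",
        (NT_CURRENT_VERSION_KEY, "SystemRoot"): r"C:\WINNT",
        (NT_CURRENT_VERSION_KEY, "CSDVersion"): "Service Pack 3",
    }
    old_srv = {r"C:\WINNT\System32\Drivers\srv.sys": "5.0.2195.6655"}
    new_srv = {r"C:\WINNT\System32\Drivers\srv.sys": SRV_SYS_FIXED_VERSION}
    return {
        "unpatched": (dict(base_reg), old_srv),
        "patched_file": (dict(base_reg), new_srv),
        "hotfix_registered": ({**base_reg, (HOTFIX_KEY, "Installed"): "1"}, old_srv),
        "sp4": ({**base_reg, (NT_CURRENT_VERSION_KEY, "CSDVersion"): "Service Pack 4"}, old_srv),
        "not_win2k": ({**base_reg, (win2k_key_mixed_case, "CurrentVersion"): "5.1"}, old_srv),
    }


def evaluate_all():
    """Evaluate every constructed host; returns {name: vulnerable?}."""
    return {name: oval118_vulnerable(reg, files) for name, (reg, files) in sample_hosts().items()}


if __name__ == "__main__":
    for name, vulnerable in evaluate_all().items():
        print("%-18s %s" % (name, "VULNERABLE" if vulnerable else "not vulnerable"))
```

Running the module prints one verdict per constructed host; only the "unpatched" snapshot (Windows 2000, old srv.sys, no KB817606 key, SP3) is reported as vulnerable. The `version_tuple` helper is the point the query's comment makes about lexical comparisons: as strings, "5.0.2195.10000" sorts below "5.0.2195.6699", while as numeric components it is correctly treated as newer.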