MS11-020: Vulnerability in SMB Server Could Allow Remote Code Execution (2508429) (remote check) - Nessus

Critical   Plugin ID: 53503

This page contains detailed information about the MS11-020: Vulnerability in SMB Server Could Allow Remote Code Execution (2508429) (remote check) Nessus plugin, including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying this vulnerability.

Plugin Overview


ID: 53503
Name: MS11-020: Vulnerability in SMB Server Could Allow Remote Code Execution (2508429) (remote check)
Filename: smb_kb2508429.nasl
Vulnerability Published: 2011-04-12
This Plugin Published: 2011-04-20
Last Modification Time: 2020-08-05
Plugin Version: 1.12
Plugin Type: remote
Plugin Family: Windows
Dependencies: netbios_name_get.nasl, samba_detect.nasl, smb_accessible_shares.nasl
Required KB Items: SMB/accessible_shares/1
Excluded KB Items: SMB/not_windows

Vulnerability Information


Severity: Critical
Vulnerability Published: 2011-04-12
Patch Published: 2011-04-12
CVE: CVE-2011-0661
CPE: cpe:/o:microsoft:windows, x-cpe:/a:microsoft:windows:smbsvr

Synopsis

It is possible to execute arbitrary code on the remote Windows host due to flaws in its SMB implementation.

Description

The remote host is affected by a vulnerability in the SMB server that may allow an attacker to execute arbitrary code or perform a denial of service against the remote host. This vulnerability depends on access to a Windows file share, but does not necessarily require credentials.

Solution

Microsoft has released a set of patches for Windows XP, Vista, 2008, 7, and 2008 R2.

Public Exploits


Target Network Port(s): 139, 445
Target Asset(s): N/A
Exploit Available: True (GitHub)
Exploit Ease: Exploits (PoCs) are available

Here's the list of publicly known exploits and PoCs for verifying the MS11-020: Vulnerability in SMB Server Could Allow Remote Code Execution (2508429) (remote check) vulnerability:

  1. GitHub: https://github.com/aRustyDev/C844
    [CVE-2011-0661]
  2. GitHub: https://github.com/uroboros-security/SMB-CVE
    [CVE-2011-0661]

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information


CVSS Score Source: CVE-2011-0661
CVSS V2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C
CVSS Base Score: 10.0 (High)
Impact Subscore: 10.0
Exploitability Subscore: 10.0
CVSS Temporal Score: 7.4 (High)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 7.4 (High)
STIG Severity: I
STIG Risk Rating: High


Plugin Source


This is the smb_kb2508429.nasl Nessus plugin source code. This script is Copyright (C) 2011-2020 and is owned by Tenable, Inc. or an Affiliate thereof.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(53503);
  script_version("1.12");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/08/05");

  script_cve_id("CVE-2011-0661");
  script_bugtraq_id(47198);
  script_xref(name:"IAVA", value:"2011-A-0050-S");
  script_xref(name:"MSFT", value:"MS11-020");
  script_xref(name:"MSKB", value:"2508429");

  script_name(english:"MS11-020: Vulnerability in SMB Server Could Allow Remote Code Execution (2508429) (remote check)");
  script_summary(english:"Checks response to a SMB ReadAndX request with a large file offset");

 script_set_attribute(
  attribute:"synopsis",
  value:
"It is possible to execute arbitrary code on the remote Windows host
due to flaws in its SMB implementation."
 );
 script_set_attribute(
  attribute:"description",
  value:
"The remote host is affected by a vulnerability in the SMB server that
may allow an attacker to execute arbitrary code or perform a denial of
service against the remote host.  This vulnerability depends on access
to a Windows file share, but does not necessarily require credentials."
 );
  # https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2011/ms11-020
  script_set_attribute(attribute:"see_also", value:"https://www.nessus.org/u?c0a773fa");
 script_set_attribute(
  attribute:"solution",
  value:
"Microsoft has released a set of patches for Windows XP, Vista, 2008, 7,
and 2008 R2."
 );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2011-0661");
 script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"false");

 script_set_attribute(attribute:"vuln_publication_date", value:"2011/04/12");
 script_set_attribute(attribute:"patch_publication_date", value:"2011/04/12");
 script_set_attribute(attribute:"plugin_publication_date", value:"2011/04/20");

 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_set_attribute(attribute:"cpe", value:"x-cpe:/a:microsoft:windows:smbsvr");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_set_attribute(attribute:"stig_severity", value:"I");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);

  script_copyright(english:"This script is Copyright (C) 2011-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
 script_family(english:"Windows");

 script_dependencies("samba_detect.nasl", "smb_accessible_shares.nasl", "netbios_name_get.nasl");
 script_exclude_keys("SMB/not_windows");
 script_require_keys("SMB/accessible_shares/1");
 script_require_ports(139, 445);
 exit(0);

}

include("audit.inc");
include("byte_func.inc");
include("global_settings.inc");
include("misc_func.inc");
include("smb_func.inc");


if (get_kb_item("SMB/not_windows")) audit(AUDIT_OS_NOT, "Windows");


set_byte_order(BYTE_ORDER_LITTLE_ENDIAN);

##
# added param <offset_high>  to the original smb_read_and_x in smb_cifs.inc
#
# @param fid          - file ID
# @param offset       - lower  32 bit of the file offset
# @param offset_high  - higher 32 bit of the file offset
# @param length       - number of bytes to read
#
# @return  server response, starting with the smb header
#          or NULL if an error occurred
##
function my_smb_read_and_x (fid, offset, offset_high, length)
{
 local_var header, parameters, data, packet, pad;

 if (session_is_smb2()) return smb2_read(fid:fid, offset:offset, length:length);

 header = smb_header (Command: SMB_COM_READ_ANDX,
                      Status: nt_status (Status: STATUS_SUCCESS));

 pad = raw_byte (b:0);

 parameters = raw_byte (b:255) +            # no further command
              raw_byte (b:0) +              # reserved
              raw_word (w:0) +              # andxoffset
              raw_word (w:fid) +            # fid
              raw_dword (d:offset) +        # offset
              raw_word (w:length) +         # Max count low
              raw_word (w:length) +         # Min count
              raw_dword (d:0xFFFFFFFF) +    # Reserved or max count high ?
              raw_word (w:length) +         # Remaining
              raw_dword (d:offset_high) ;   # high offset

 parameters = smb_parameters (data:parameters);

 data = pad + smb_data (data:NULL);

 packet = netbios_packet (header:header, parameters:parameters, data:data);

 return smb_sendrecv (data:packet);
}


##
# finds a file in a directory, including its subdirectories
#
# @param dir    - directory in which to find a file
#
# @return       - full path of the found file
#                 or NULL if not found
##
function find_a_file_in_dir(dir)
{
  local_var fh, file;

  file = NULL;

  fh = FindFirstFile(pattern:dir + "\*");
  while (! isnull(fh))
  {
    # file found
    if(!(fh[2] & FILE_ATTRIBUTE_DIRECTORY))
    {
      if (!(fh[2] & (FILE_ATTRIBUTE_REPARSE_POINT
                     | 0x40       # FILE_ATTRIBUTE_DEVICE
                     | 0x4000     # FILE_ATTRIBUTE_ENCRYPTED
                    )
            )
          )
      {
        file = dir + "\" + fh[1];
        break;
      }
    }
    # search in sub-directories
    else if (fh[1] != "." && fh[1] != "..")
    {
      file = find_a_file_in_dir(dir: dir + "\" + fh[1]);
      if (!isnull(file)) return file;
    }
    fh = FindNextFile(handle:fh);
  }

  return file;
}


###
# finds a file (any) in a share
#
# @param  share   - the share in which to find a file
# @return file name if found
#         or NULL if not found
###
function find_a_file(share)
{
  local_var ret, parameters;

  if(! smb_tree_connect_and_x(share:share))
  {
    debug_print("Failed to connect to network share '" + share + "'.");
    return NULL;
  }

  # starting at the top level of the share
  return find_a_file_in_dir(dir:NULL);
}


#
# Main
#

# get accessible shares
accessible_shares = get_kb_item_or_exit("SMB/accessible_shares/1");

# get a list of shares
shares = get_kb_list("SMB/shares");
if (isnull(shares)) exit(1, "The 'SMB/shares' KB items are missing.");


host    = get_host_ip();
port    =  kb_smb_transport();
if (!get_port_state(port)) audit(AUDIT_PORT_CLOSED, port);
login   =  kb_smb_login();
pass    =  kb_smb_password();
domain  =  kb_smb_domain();

soc = open_sock_tcp(port);
if (!soc) audit(AUDIT_SOCK_FAIL, port);


# init a smb session
session_init(socket:soc, hostname:host);

# protocol negotiate and authentication
if ( smb_login(login:login,password:pass,domain:domain) != 1 )
{
  close(soc);
  audit(AUDIT_FN_FAIL, "smb_login");
}
session_set_authenticated();



#
# find a file in one of the accessible shares
#
file = NULL;
foreach share (make_list(shares))
{
  if (share != "IPC$" && share >< accessible_shares)
  {
    file = find_a_file(share:share);
    if (! isnull(file)) break;
  }
}

if(isnull(file))
{
  close(soc);
  exit(1, "Could not find a file in accessible shares.");
}


# open the file
fh= CreateFile(file:file, desired_access:FILE_GENERIC_READ,file_attributes:0,
                 share_mode:FILE_SHARE_READ,create_disposition:OPEN_EXISTING);
if(isnull(fh))
{
  close(soc);
  exit(1, "Failed to open "+file+ ".");
}
fid = fh[0];

# read at a very large offset
ret = my_smb_read_and_x(fid:fid, offset:0xffffffff, offset_high: 0x7fffffff, length:10);

# close the file
CloseFile(handle:fh);

close(soc);

if (isnull(ret)) exit(1, "No response from the server to a SMB ReadAndX request.");


# get status code
code = get_header_nt_error_code(header:ret);
if (code == STATUS_INVALID_PARAMETER)
{
  security_hole(port:port);
}
else if( code == 0x00010002)
{
  audit(AUDIT_HOST_NOT, "affected");
}
else
{
  exit(1, "Unexpected status code (" + code + ").");
}
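The plugin's probe and verdict logic, as an added Python example that is not part of the Tenable plugin: it packs the SMB1 ReadAndX parameter block the same way my_smb_read_and_x() does, with the 64-bit file offset split into a low dword after the FID and a high dword at the end, and classifies a response by the NT status in its SMB1 header exactly as the plugin's final branch does. The 32-byte header builder and the sample responses are constructed for offline testing; the status constants mirror the plugin.

```python
import struct

# Constants taken from the plugin: the probe command, the status that marks a
# vulnerable host, and the value the plugin treats as "not affected".
SMB_COM_READ_ANDX = 0x2E
STATUS_INVALID_PARAMETER = 0xC000000D
PATCHED_STATUS = 0x00010002
PROBE_OFFSET = (0x7FFFFFFF << 32) | 0xFFFFFFFF  # offset_high:offset from the plugin


def read_andx_params(fid, offset64, length):
    """Build the ReadAndX parameter words (without the SMB word-count byte)."""
    offset_low = offset64 & 0xFFFFFFFF
    offset_high = (offset64 >> 32) & 0xFFFFFFFF
    return struct.pack(
        "<BBHHIHHIHI",
        0xFF,         # AndXCommand: no further command
        0,            # AndXReserved
        0,            # AndXOffset
        fid,          # file ID from the CreateFile response
        offset_low,   # lower 32 bits of the file offset
        length,       # MaxCountLow
        length,       # MinCount
        0xFFFFFFFF,   # MaxCountHigh / reserved (plugin sends all ones)
        length,       # Remaining
        offset_high,  # upper 32 bits of the file offset
    )


def nt_status(smb_response):
    """Extract the little-endian NT status dword from an SMB1 header (bytes 5..8)."""
    if len(smb_response) < 32 or smb_response[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 header")
    return struct.unpack_from("<I", smb_response, 5)[0]


def classify(smb_response):
    """Same verdict logic as the plugin: security_hole / not affected / unexpected."""
    code = nt_status(smb_response)
    if code == STATUS_INVALID_PARAMETER:
        return "vulnerable"
    if code == PATCHED_STATUS:
        return "not affected"
    return "unexpected"


def smb1_header(command, status):
    """Constructed 32-byte SMB1 header (sample data only, for offline testing)."""
    return b"\xffSMB" + struct.pack("<BI", command, status) + b"\x00" * 23
```

Feeding a real response (the bytes after the 4-byte NetBIOS session header) to classify() reproduces the plugin's verdict; on the wire the parameter block is preceded by its word count (12) and followed by an empty data block, as smb_parameters() and smb_data() add in NASL.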

The latest version of this script can be found in these locations depending on your platform:

  • Linux / Unix:
    /opt/nessus/lib/nessus/plugins/smb_kb2508429.nasl
  • Windows:
    C:\ProgramData\Tenable\Nessus\nessus\plugins\smb_kb2508429.nasl
  • Mac OS X:
    /Library/Nessus/run/lib/nessus/plugins/smb_kb2508429.nasl


How to Run


Here is how to run the MS11-020: Vulnerability in SMB Server Could Allow Remote Code Execution (2508429) (remote check) plugin as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

  1. Click to start a New Scan.
  2. Select Advanced Scan.
  3. Navigate to the Plugins tab.
  4. On the top right corner click to Disable All plugins.
  5. On the left side table select Windows plugin family.
  6. On the right side table select MS11-020: Vulnerability in SMB Server Could Allow Remote Code Execution (2508429) (remote check) plugin ID 53503.
  7. Specify the target on the Settings tab and click to Save the scan.
  8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl smb_kb2508429.nasl -t <IP/HOST>

Run the plugin with audit trail messages printed to the console:

/opt/nessus/bin/nasl -a smb_kb2508429.nasl -t <IP/HOST>

Run the plugin with a trace of the script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - smb_kb2508429.nasl -t <IP/HOST>

Run the plugin using a state file for the target and updating it (useful for running multiple plugins against the same target):

/opt/nessus/bin/nasl -K /tmp/state smb_kb2508429.nasl -t <IP/HOST>


References


BID | SecurityFocus Bugtraq ID:
  • 47198
MSKB | Microsoft Knowledge Base:
  • 2508429
MSFT | Microsoft Security Bulletin:
  • MS11-020
IAVA | Information Assurance Vulnerability Alert:
  • 2011-A-0050-S
See also: Similar and related Nessus plugins:
  • 53377 - MS11-020: Vulnerability in SMB Server Could Allow Remote Code Execution (2508429)
  • 51956 - MS11-004: Vulnerability in Internet Information Services (IIS) FTP Service Could Allow Remote Code Execution (2489256) (uncredentialed check)
  • 53514 - MS11-030: Vulnerability in DNS Resolution Could Allow Remote Code Execution (2509553) (remote check)
  • 56044 - MS11-064: Vulnerabilities in TCP/IP Stack Could Allow Denial of Service (2563894) (uncredentialed check)
  • 55286 - MS11-048: Vulnerability in SMB Server Could Allow Denial of Service (2536275) (remote check)

Version


This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file smb_kb2508429.nasl version 1.12. For more plugins, visit the Nessus Plugin Library.
