Executive Summary
Summary | |
---|---|
Title | Microsoft Windows Internet Printing Protocol service integer overflow |
Information | |||
---|---|---|---|
Name | VU#793233 | First vendor Publication | 2008-10-15 |
Vendor | VU-CERT | Last vendor Modification | 2008-10-27 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:S/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 9 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Low |
Cvss Exploit Score | 8 | Authentication | Requires single instance |
Detail
Vulnerability Note VU#793233
Microsoft Windows Internet Printing Protocol service integer overflow
Overview
The Microsoft Windows Internet Printing Protocol (IPP) service contains an integer overflow vulnerability, which can allow a remote attacker to execute arbitrary code on a vulnerable system.
I. Description
IPP is an IP-based network protocol that allows remote printing and printer management. On Windows 2000 and XP, IIS comes with IPP enabled by default. IPP is optional on Windows 2003 systems. IPP by default is configured to only allow authenticated users; however, it may be configured to allow unauthenticated connections.
The Microsoft Windows IPP component, which is provided by msw3prt.dll, contains an integer overflow vulnerability that results in an overflow of heap memory. By creating a specific HTTP POST to the vulnerable server, the IPP server will attempt to make an SMB connection to a printer that is specified by the attacker. If this printer returns a malformed JOB_INFO_2 structure, the integer overflow vulnerability in IPP may be triggered, resulting in a four-byte memory overwrite and eventually code execution on the IPP server.
This issue is addressed in Microsoft Security Bulletin MS08-062. Additional workarounds are provided in the bulletin as well.
References
This document was written by Will Dormann.
|
Original Source
Url : http://www.kb.cert.org/vuls/id/793233 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-190 | Integer Overflow or Wraparound (CWE/SANS Top 25) |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:5764 | |||
Oval ID: | oval:org.mitre.oval:def:5764 | ||
Title: | Integer Overflow in IPP Service Vulnerability | ||
Description: | Integer overflow in the Internet Printing Protocol (IPP) ISAPI extension in Microsoft Internet Information Services (IIS) 5.0 through 7.0 on Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, and Server 2008 allows remote authenticated users to execute arbitrary code via an HTTP POST request that triggers an outbound IPP connection from a web server to a machine operated by the attacker, aka "Integer Overflow in IPP Service Vulnerability." | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2008-1446 | Version: | 4 |
Platform(s): | Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista Microsoft Windows Server 2008 | Product(s): | |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2008-10-15 | Name : Windows Internet Printing Service Allow Remote Code Execution Vulnerability (... File : nvt/secpod_ms08-062_900052.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
49059 | Microsoft IIS IPP Service Unspecified Remote Overflow |
Information Assurance Vulnerability Management (IAVM)
Date | Description |
---|---|
2008-10-16 | IAVM : 2008-B-0075 - Microsoft Internet Printing Service Remote Code Execution Vulnerability Severity : Category I - VMSKEY : V0017793 |
Snort® IPS/IDS
Date | Description |
---|---|
2014-01-10 | SMB spoolss EnumJobs response WriteAndX unicode andx attempt RuleID : 14724 - Revision : 12 - Type : NETBIOS |
2014-01-10 | SMB spoolss EnumJobs response WriteAndX andx attempt RuleID : 14723 - Revision : 12 - Type : NETBIOS |
2014-01-10 | SMB spoolss EnumJobs response unicode andx attempt RuleID : 14722 - Revision : 12 - Type : NETBIOS |
2014-01-10 | SMB spoolss EnumJobs response andx attempt RuleID : 14721 - Revision : 12 - Type : NETBIOS |
2014-01-10 | SMB spoolss EnumJobs response WriteAndX little endian andx attempt RuleID : 14720 - Revision : 12 - Type : NETBIOS |
2014-01-10 | SMB spoolss EnumJobs response little endian andx attempt RuleID : 14719 - Revision : 12 - Type : NETBIOS |
2014-01-10 | SMB spoolss EnumJobs response unicode little endian andx attempt RuleID : 14718 - Revision : 12 - Type : NETBIOS |
2014-01-10 | SMB spoolss EnumJobs response WriteAndX unicode little endian andx attempt RuleID : 14717 - Revision : 12 - Type : NETBIOS |
2014-01-10 | SMB spoolss EnumJobs response WriteAndX unicode attempt RuleID : 14716 - Revision : 10 - Type : NETBIOS |
2014-01-10 | SMB spoolss EnumJobs response WriteAndX attempt RuleID : 14715 - Revision : 10 - Type : NETBIOS |
2014-01-10 | SMB spoolss EnumJobs response unicode attempt RuleID : 14714 - Revision : 10 - Type : NETBIOS |
2014-01-10 | SMB spoolss EnumJobs response attempt RuleID : 14713 - Revision : 10 - Type : NETBIOS |
2014-01-10 | SMB spoolss EnumJobs response WriteAndX little endian attempt RuleID : 14712 - Revision : 10 - Type : NETBIOS |
2014-01-10 | SMB spoolss EnumJobs response little endian attempt RuleID : 14711 - Revision : 10 - Type : NETBIOS |
2014-01-10 | DCERPC NCACN-IP-TCP spoolss EnumJobs attempt RuleID : 14710 - Revision : 20 - Type : OS-WINDOWS |
2014-01-10 | SMB spoolss EnumJobs response WriteAndX unicode little endian attempt RuleID : 14709 - Revision : 10 - Type : NETBIOS |
2014-01-10 | DCERPC NCACN-IP-TCP spoolss EnumJobs attempt RuleID : 14661 - Revision : 17 - Type : NETBIOS |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2018-04-03 | Name : The remote web server may allow remote code execution. File : iis_7_pci.nasl - Type : ACT_GATHER_INFO |
2008-10-15 | Name : It is possible to execute arbitrary code on the remote host via the internet ... File : smb_nt_ms08-062.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2013-05-11 00:57:23 |
|