Fix Soon

CVE-2008-4250

Remote Code Execution in Windows

Summary

The vulnerability is in the Windows Server service (the SMB file and print sharing service), which mishandles specially crafted RPC requests delivered over SMB. On Windows 2000, Windows XP, and Windows Server 2003 an attacker can trigger it without authentication; on Windows Vista and Windows Server 2008 the vulnerable code path is only reachable after authenticating. A successful exploit gives the attacker complete remote control of the system, and because the unauthenticated variant needs no user interaction the flaw was considered wormable.

Why Fix Soon?

5/6
No authentication required
Internal deployment
User interaction unknown (assumed none)
Exploitable in default configuration
Active exploitation in the wild
High impact vulnerability

Exploitation Details

Type: RCE (Remote Code Execution)
Exploitable with default configuration? Yes
Authentication needed? No on Windows 2000/XP/Server 2003; Vista and Server 2008 require an authenticated session
PoC / Exploit: Yes
Impact: Execute arbitrary code remotely and take complete control of the host.
Exploitation Requirements: None; vulnerable in the default configuration with the Server service running and TCP 139/445 reachable.

Exploitation Process

An attacker reaches the Server service over TCP 139 or 445 and sends a crafted RPC request (the NetPathCanonicalize operation on the srvsvc interface, the same interface UUID named in the workaround below) whose path argument drives the path-canonicalization routine in netapi32.dll into a stack buffer overflow. On Windows 2000/XP/Server 2003 the request can be delivered anonymously over a null session; on Vista/Server 2008 the attacker must first authenticate. A controlled overflow yields execution of attacker-supplied code inside the Server service process, which runs as LocalSystem; an uncontrolled one crashes the service instead.
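To make the canonicalization flaw concrete, the following is an added example in C written for this page; it is not the netapi32.dll code and not part of the original advisory text. canonicalize() resolves "\.." components the way the description above sketches, by scanning backwards from the end of the output to the previous separator. In flawed mode that scan has no lower bound, so a constructed path of the form \share\..\..\x walks below the start of the output buffer and the following component is written there. The guard region, its 'G' fill and the single 0x5C byte that eventually stops the scan are assumptions standing in for whatever happens to lie below the buffer on a real stack. In hardened mode a ".." that would rewind past the root is rejected and the scan is clamped to the buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define GUARD 16   /* bytes placed directly below the output buffer */
#define CAP   32   /* capacity of the output buffer */

/* Canonicalise a path that starts with '\'.  "." is dropped and ".." removes
 * the previous component.  hardened == 0 models the flawed logic: the
 * backward search for the previous separator has no lower bound.
 * Returns 0 on success, -1 if the path is rejected.  Illustrative model of
 * the flaw class only, not the netapi32.dll routine. */
static int canonicalize(const char *in, char *out, size_t cap, int hardened)
{
    if (in[0] != '\\' || cap < 2)
        return -1;

    char *w = out;            /* write cursor: one past the last byte written */
    *w++ = '\\';              /* root separator */
    const char *p = in + 1;

    while (*p) {
        if (*p == '\\') { p++; continue; }        /* empty component */
        const char *q = p;
        while (*q && *q != '\\') q++;             /* q -> end of component */
        size_t clen = (size_t)(q - p);

        if (clen == 2 && p[0] == '.' && p[1] == '.') {
            /* w[-1] is the separator that closed the previous component;
             * rewind to the separator before it. */
            char *s = w - 1;
            if (hardened) {
                if (s <= out)                      /* ".." at the root */
                    return -1;
                do { s--; } while (s > out && *s != '\\');
            } else {
                /* FLAW: nothing stops s from walking below `out`; it keeps
                 * going until some byte in memory happens to be 0x5C. */
                do { s--; } while (*s != '\\');
            }
            w = s + 1;
        } else if (clen == 1 && p[0] == '.') {
            /* "." adds nothing */
        } else {
            if ((size_t)(out + cap - w) < clen + 2)   /* component + '\' + NUL */
                return -1;
            memcpy(w, p, clen);
            w += clen;
            *w++ = '\\';
        }
        p = q;
    }

    if (w > out + 1 && w[-1] == '\\')             /* strip trailing separator */
        w--;
    *w = '\0';
    return 0;
}

struct canon_result {
    int rc;          /* return value of canonicalize() */
    int underflow;   /* 1 if any byte below the buffer was modified */
    char out[CAP];   /* copy of the output buffer */
};

/* Run canonicalize() with a guard region placed directly below the buffer.
 * The 'G' fill and the single 0x5C byte at the bottom are constructed; they
 * stand in for whatever would lie below the buffer on a real stack. */
static struct canon_result run_canon(const char *in, int hardened)
{
    struct canon_result r;
    char mem[GUARD + CAP];
    memset(mem, 'G', sizeof mem);
    mem[0] = '\\';                 /* the byte the unbounded scan eventually hits */
    char *buf = mem + GUARD;

    r.rc = canonicalize(in, buf, CAP, hardened);
    r.underflow = 0;
    for (size_t i = 1; i < GUARD; i++)
        if (mem[i] != 'G')
            r.underflow = 1;
    memcpy(r.out, buf, CAP);
    r.out[CAP - 1] = '\0';
    return r;
}

/* 1 if canonicalize() accepts `in` and produces exactly `expect`. */
static int canon_eq(const char *in, int hardened, const char *expect)
{
    struct canon_result r = run_canon(in, hardened);
    return r.rc == 0 && strcmp(r.out, expect) == 0;
}

int main(void)
{
    const char *crafted = "\\share\\..\\..\\x";   /* constructed trigger-shaped path */
    struct canon_result flawed = run_canon(crafted, 0);
    struct canon_result fixed  = run_canon(crafted, 1);
    struct canon_result benign = run_canon("\\a\\b\\..\\c", 1);
    printf("flawed:   rc=%d underflow=%d\n", flawed.rc, flawed.underflow);
    printf("hardened: rc=%d underflow=%d\n", fixed.rc, fixed.underflow);
    printf("benign:   %s\n", benign.out);
    return 0;
}
```

The point to take from the model is that the corruption comes from a backward walk, which no forward length check on the copy ever sees; the repair is a lower bound on the scan plus rejecting ".." at the root (how Microsoft's actual patch handles the case may differ in detail).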

Detection Resources: Manual Detection (1), Script Detection (1), Scanner Detection (1)

Affected Software

Vendor: Microsoft
Product: Microsoft Windows
Affected Versions: Windows 2000 Service Pack 4; Windows XP Service Pack 2/3; Windows XP Professional x64 Edition Service Pack 2; Windows Server 2003 Service Pack 1/2; Windows Server 2003 x64 Edition Service Pack 1/2; Windows Server 2003 Itanium-based Systems Service Pack 1/2; Windows Vista/Vista Service Pack 1; Windows Vista x64 Edition/Vista x64 Edition Service Pack 1; Windows Server 2008 (32-bit/x64/Itanium, including Server Core); Windows 7 Pre-Beta
Description

Microsoft Windows operating system family for desktops and servers, used for endpoint, file, print, and application hosting.

Deployment: Typically internal | Protocol: RPC over SMB | Ports: 139, 445
Affected Component: Server service RPC request handling for SMB-based file and print sharing.

Enterprise Usage: estimated likelihood that this vendor/product is deployed in enterprise environments (AI-generated estimation based on market presence, product type and adoption signals, not exact data)
Vendor Size: Big
Remediation
Workaround: Disable the Server and Computer Browser services, or block TCP 139 and 445 at the perimeter and on the host firewall; on Vista/Server 2008, also filter the RPC interface UUID 4b324fc8-1670-01d3-1278-5a47bf6ee188 (srvsvc). Disabling the Server service also stops file and print sharing from that host, so this is a stopgap until the patch is applied. (source: learn.microsoft.com)
Patch: Apply Microsoft security update KB958644 (MS08-067) on all affected Windows versions. (source: support.microsoft.com)
Update: Not available

Threat Intelligence
EPSS Score: 93.5% (probability of exploitation in the next 30 days)
EPSS Percentile: 100% (scores above all other CVEs)
CISA KEV: Listed
Active Exploitation: Active (source: learn.microsoft.com)
Threat Actors

No known threat actors

Detection Rules (2)
Snort: DELETED NETBIOS SMB wkssvc NetrUseAdd/NetrUseGetInfo/NetrUseDel andx object call overflow attempt
Other: SMB:SERVER-SVC-OF
The Snort entry names the wkssvc (Workstation service) interface, whereas this vulnerability is in srvsvc (the UUID cited in the workaround above); check that any rule you deploy actually matches NetPathCanonicalize requests on srvsvc before relying on it.

NVD Data


Description Summary

The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary code via a crafted RPC request that triggers the overflow during path canonicalization, as exploited in the wild by Gimmiv.A in October 2008, aka "Server Service Vulnerability."

CVSS v2 Base Score: 10.0 (High; the CVSS v2 scale has no Critical band)

CVSS v2 Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Confidentiality Impact (C): Complete
Integrity Impact (I): Complete
Availability Impact (A): Complete

CWE: CWE-94 Code Injection

Affected Software (CPE) (18)

  • cpe:2.3:o:microsoft:windows_2000:-:sp4:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2003:-:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_server_2003:-:sp1:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2003:-:sp1:*:*:-:*:itanium:*
  • cpe:2.3:o:microsoft:windows_server_2003:-:sp2:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2003:-:sp2:*:*:*:*:itanium:*
  • cpe:2.3:o:microsoft:windows_server_2003:-:sp2:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_server_2008:-:*:*:*:-:*:itanium:*
  • cpe:2.3:o:microsoft:windows_server_2008:-:*:*:*:-:*:x64:*
  • cpe:2.3:o:microsoft:windows_server_2008:-:*:*:*:-:*:x86:*
  • cpe:2.3:o:microsoft:windows_vista:-:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_vista:-:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_vista:-:sp1:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_vista:-:sp1:*:*:-:*:x64:*
  • cpe:2.3:o:microsoft:windows_xp:-:-:*:*:professional:*:x64:*
  • cpe:2.3:o:microsoft:windows_xp:-:sp2:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_xp:-:sp2:*:*:professional:*:x64:*
  • cpe:2.3:o:microsoft:windows_xp:-:sp3:*:*:*:*:*:*