I have a issuse when write script nasl. how to detect KB windows with SMB v1. Example i want to check KB in MS03-026 how to do it? Thanks you
You would need to have a look at how this has been done in the past, for example MS03-026 is checked already in / with the following:
/path/to/plugins/scripts/pre2008/msrpc_dcom.nasl
As this methodology might be outdated these days you can also have a look at existing newer Windows based detection found in / via:
/path/to/plugins/scripts/2024/microsoft/*
2 Likes
thank you so much. I was tested script msrpc_dcom.nasl but result dont find vulunerbility. I also test with tenable then result ms03-026. I also checked missing hotfix in OS target that KB still dont update KB 823980. What is wrong? thank you.
SPDX-FileCopyrightText: 2003 KK LIU
Some text descriptions might be excerpted from (a) referenced
source(s), and are Copyright (C) by the respective right holder(s).
SPDX-License-Identifier: GPL-2.0-only
[LSD] Critical security vulnerability in Microsoft Operating Systems
Updated 7/29/2003 - Now works for NT4
Updated 8/13/2003 - Now works for Win 95/98/ME
if(description)
{
script_oid(“1.3.6.1.4.1.25623.1.0.11808”);
script_version(“2023-08-01T13:29:10+0000”);
script_tag(name:“last_modification”, value:“2023-08-01 13:29:10 +0000 (Tue, 01 Aug 2023)”);
script_tag(name:“creation_date”, value:“2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)”);
script_cve_id(“CVE-2003-0352”);
script_xref(name:“IAVA”, value:“2003-A-0011”);
script_tag(name:“cvss_base”, value:“7.5”);
script_tag(name:“cvss_base_vector”, value:“AV:N/AC:L/Au:N/C:P/I:P/A:P”);
script_name(“Microsoft RPC Interface Buffer Overrun (823980)”);
script_category(ACT_GATHER_INFO);
script_copyright(“Copyright (C) 2003 KK LIU”);
script_family(“Gain a shell remotely”);
script_dependencies(“secpod_reg_enum.nasl”);
script_require_ports(139, 445);
script_mandatory_keys(“SMB/registry_enumerated”);
script_tag(name:“solution”, value:“The vendor has releases updates, please see the references for more information.”);
script_xref(name:“URL”, value:“Microsoft Security Bulletin MS03-026 - Critical | Microsoft Learn”);
script_xref(name:“URL”, value:“http://www.securityfocus.com/bid/8205”);
script_xref(name:“URL”, value:“Microsoft Security Bulletin MS04-012 - Critical | Microsoft Learn”);
script_xref(name:“URL”, value:“Microsoft Security Bulletin MS05-012 - Critical | Microsoft Learn”);
script_xref(name:“URL”, value:“Microsoft Security Bulletin MS05-051 - Critical | Microsoft Learn”);
script_xref(name:“URL”, value:“Microsoft Security Bulletin MS06-018 - Moderate | Microsoft Learn”);
script_tag(name:“summary”, value:“The remote host is running a version of Windows which has a flaw in
its RPC interface which may allow an attacker to execute arbitrary code
and gain SYSTEM privileges. There is at least one Worm which is
currently exploiting this vulnerability. Namely, the MsBlaster worm.”);
script_tag(name:“solution_type”, value:“VendorFix”);
script_tag(name:“qod_type”, value:“registry”);
exit(0);
}
include(“smb_nt.inc”);
include(“secpod_reg.inc”);
if(hotfix_check_sp(xp:3, win2k:5, win2003:2) <= 0){
exit(0);
}
rollUp = registry_key_exists(key:“SOFTWARE\Microsoft\Updates\Windows 2000\SP5\Update Rollup 1”);
if(rollUp){
exit(0);
}
Supersede checks (MS04-012, MS05-012, MS05-051 and MS06-018)
if(hotfix_missing(name:“828741”) == 0 || hotfix_missing(name:“873333”) == 0 ||
hotfix_missing(name:“902400”) == 0 || hotfix_missing(name:“913580”) == 0){
exit(0);
}
if(hotfix_missing(name:“823980”) == 1){
security_message(port:get_kb_item(“SMB/transport”));
exit(0);
}
exit(99);
I am used to OS XP Professional. I was checked secpod_reg.inc function hotfix_fix_check_xp. I found Winversion compare string “Windows Microsoft XP” Is it error?
The team working on this topic doesn’t read/answer in this forum so you would need to investigate this topic on your own.
But as this is about Windows XP which is long EOL i personally wouldn’t put much effort into this currently / right now.