Microsoft RPC Code Execution MS08-067

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary code via a crafted RPC request that triggers the overflow during path canonicalization, as exploited in the wild by Gimmiv.A in October 2008, aka “Server Service Vulnerability.”

Add Assessment

busterb (317)

September 17, 2019 6:10pm UTC (5 years ago)•Edited 4 years ago

Ratings

Attacker Value

Very High

Exploitability

Very High

Technical Analysis

A classic vulnerability. Like small pox, you’d wish it was actually eradicated by now, but it still pops up occasionally in legacy systems.

See More &1 replySee Less

blackn0te (0) February 27, 2020 2:46pm UTC (4 years ago)•Edited 4 years ago

Definitely still do see this vulnerability around in small businesses, tho most organisations have patches for their legacy systems some are unaware of how critical this vulnerability actually is.

jorgeorchilles (19)

April 11, 2020 4:59pm UTC (4 years ago)•Edited 4 years ago

Ratings

Attacker Value

Very High

Exploitability

Very High

Common in enterprise Easy to weaponize Gives privileged access Unauthenticated Vulnerable in default configuration

Technical Analysis

MS08-067 was possibly the most popular vulnerability of the 2000s. It allows remote code execution, pre-authentication, against all default Windows operating system configurations of the time. While SMB, should never be exposed on the Internet, once on the internal network, almost all windows systems have it enabled.

Exploitation is trivial (point and shoot) through metasploit: https://www.rapid7.com/db/modules/exploit/windows/smb/ms08_067_netapi

This exploit was widely used and most notably known for the Conficker worm: https://en.wikipedia.org/wiki/Conficker