Vulnerabilities > CVE-2009-0094 - Unspecified vulnerability in Microsoft products

CVSS 5.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

NONE

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

microsoft

nessus

NVD

Published: 2009-03-11

Updated: 2019-02-26

Summary

The WINS server in Microsoft Windows 2000 SP4 and Server 2003 SP1 and SP2 does not restrict registration of the (1) "wpad" and (2) "isatap" NetBIOS names, which allows remote authenticated users to hijack the Web Proxy Auto-Discovery (WPAD) and Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) features, and conduct man-in-the-middle attacks by spoofing a proxy server or ISATAP route, by registering one of these names in the WINS database, aka "WPAD WINS Server Registration Vulnerability," a related issue to CVE-2007-1692. Per: http://www.microsoft.com/technet/security/Bulletin/MS09-008.mspx Mitigating Factors for WPAD WINS Server Registration Vulnerability - CVE-2009-0094 Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation. If WINS server already has WPAD and ISATAP registered than an attacker will not be able to register these as well.

Vulnerable Configurations

Part	Description	Count
OS	Microsoft Microsoft Windows 2000 * Microsoft Windows Server 2003 * Microsoft Windows Server 2008 *	7

Msbulletin

bulletin_id	MS09-008
bulletin_url
date	2009-03-10T00:00:00
impact	Spoofing
knowledgebase_id	962238
knowledgebase_url
severity	Important
title	Vulnerabilities in DNS and WINS Server Could Allow Spoofing

Nessus

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS09-008.NASL
description	The remote host has a Windows DNS server and/or a Windows WINS server installed. Multiple vulnerabilities in the way that Windows DNS servers cache and validate queries as well as the way that Windows DNS servers and Windows WINS servers handle WPAD and ISATAP registration may allow remote attackers to redirect network traffic intended for systems on the Internet to the attacker
last seen	2020-06-01
modified	2020-06-02
plugin id	35824
published	2009-03-11
reporter	This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/35824
title	MS09-008: Vulnerabilities in DNS and WINS Server Could Allow Spoofing (962238)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(35824); script_version("1.27"); script_cvs_date("Date: 2018/11/15 20:50:30"); script_cve_id( "CVE-2009-0093", "CVE-2009-0094", "CVE-2009-0233", "CVE-2009-0234" ); script_bugtraq_id(33982, 33988, 33989, 34013); script_xref(name:"IAVA", value:"2009-A-0018"); script_xref(name:"MSFT", value:"MS09-008"); script_xref(name:"MSKB", value:"961063"); script_xref(name:"MSKB", value:"961064"); script_xref(name:"CERT", value:"319331"); script_name(english:"MS09-008: Vulnerabilities in DNS and WINS Server Could Allow Spoofing (962238)"); script_summary(english:"Determines the presence of update 962238"); script_set_attribute(attribute:"synopsis", value:"The remote host is vulnerable to DNS and/or WINS spoofing attacks."); script_set_attribute(attribute:"description", value: "The remote host has a Windows DNS server and/or a Windows WINS server installed. Multiple vulnerabilities in the way that Windows DNS servers cache and validate queries as well as the way that Windows DNS servers and Windows WINS servers handle WPAD and ISATAP registration may allow remote attackers to redirect network traffic intended for systems on the Internet to the attacker's own systems."); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-008"); script_set_attribute(attribute:"solution", value: "Microsoft has released a set of patches for Windows 2000, 2003 and 2008."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_cwe_id(20); script_set_attribute(attribute:"vuln_publication_date", value:"2009/03/10"); script_set_attribute(attribute:"patch_publication_date", value:"2009/03/10"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/03/11"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows : Microsoft Bulletins"); script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc."); script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, 'Host/patch_management_checks'); exit(0); } include("audit.inc"); include("smb_func.inc"); include("smb_hotfixes.inc"); include("smb_hotfixes_fcheck.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS09-008'; kbs = make_list("961063", "961064"); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING); get_kb_item_or_exit("SMB/Registry/Enumerated"); get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1); if (hotfix_check_sp_range(win2k:'4,5', win2003:'1,2', vista:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN); if (!get_kb_item("SMB/Registry/HKLM/SYSTEM/CurrentControlSet/Services/DNS/DisplayName")) exit(0, "The host is not operate as a DNS server."); productname = get_kb_item_or_exit("SMB/ProductName", exit_code:1); if ("Vista" >< productname) exit(0, "The host is running "+productname+" and hence is not affected."); rootfile = hotfix_get_systemroot(); if (!rootfile) exit(1, "Failed to get the system root."); share = hotfix_path2share(path:rootfile); if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share); if ( # Windows Server 2008 # # nb: CVE-2009-0094 (WPAD WINS Server Registration Vulnerability) doesn't apply to 2008. hotfix_is_vulnerable(os:"6.0", sp:1, file:"Dns.exe", version:"6.0.6001.22375", min_version:"6.0.6001.20000", dir:"\system32", bulletin:bulletin, kb:"961063") \|\| hotfix_is_vulnerable(os:"6.0", sp:1, file:"Dns.exe", version:"6.0.6001.18214", dir:"\system32", bulletin:bulletin, kb:"961063") \|\| # Windows Server 2003 hotfix_is_vulnerable(os:"5.2", sp:2, file:"Dns.exe", version:"5.2.3790.4460", dir:"\System32", bulletin:bulletin, kb:"961063") \|\| hotfix_is_vulnerable(os:"5.2", sp:2, file:"Wins.exe", version:"5.2.3790.4446", dir:"\System32", bulletin:bulletin, kb:"961064") \|\| hotfix_is_vulnerable(os:"5.2", sp:1, file:"Dns.exe", version:"5.2.3790.3295", dir:"\System32", bulletin:bulletin, kb:"961063") \|\| hotfix_is_vulnerable(os:"5.2", sp:1, file:"Wins.exe", version:"5.2.3790.3281", dir:"\System32", bulletin:bulletin, kb:"961064") \|\| # Windows 2000 hotfix_is_vulnerable(os:"5.0", file:"Dns.exe", version:"5.0.2195.7260", dir:"\System32", bulletin:bulletin, kb:"961063") \|\| hotfix_is_vulnerable(os:"5.0", file:"Wins.exe", version:"5.0.2195.7241", dir:"\System32", bulletin:bulletin, kb:"961064") ) { set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE); hotfix_security_warning(); hotfix_check_fversion_end(); exit(0); } else { hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, 'affected'); }

Oval

accepted

2011-11-14T04:00:57.877-05:00

class

vulnerability

contributors

name Dragos Prisaca
organization Gideon Technologies, Inc.
name Chandan S
organization SecPod Technologies

definition_extensions

comment Microsoft Windows 2000 SP4 or later is installed
oval oval:org.mitre.oval:def:229
comment Microsoft Windows Server 2003 SP1 (x86) is installed
oval oval:org.mitre.oval:def:565
comment Microsoft Windows Server 2003 SP1 (x64) is installed
oval oval:org.mitre.oval:def:4386
comment Microsoft Windows Server 2003 SP1 for Itanium is installed
oval oval:org.mitre.oval:def:1205
comment Microsoft Windows Server 2003 SP2 (x86) is installed
oval oval:org.mitre.oval:def:1935
comment Microsoft Windows Server 2003 SP2 (x64) is installed
oval oval:org.mitre.oval:def:2161
comment Microsoft Windows Server 2003 (ia64) SP2 is installed
oval oval:org.mitre.oval:def:1442

description

family

windows

oval:org.mitre.oval:def:6117

status

accepted

submitted

2009-03-10T16:00:00

title

WPAD WINS Server Registration Vulnerability

version

Seebug

bulletinFamily	exploit
description	BUGTRAQ ID: 34013,33982,33988,33989 CVE(CAN) ID: CVE-2009-0093,CVE-2009-0094,CVE-2009-0233,CVE-2009-0234 Microsoft Windows是微软发布的非常流行的操作系统。 Windows DNS服务器和WINS服务器存在多个漏洞，可能会允许远程攻击者将Internet上发送给系统的网络通信重定向至攻击者自己的系统。 1) Windows DNS服务器没有正确地重新使用缓存的响应，特制的DNS查询可以向DNS缓存投毒，重新定向网络通讯。 2) Windows DNS服务器没有正确地缓存DNS响应，未经认证的远程攻击者向DNS服务器发送特制查询，以增加DNS服务器所使用事件ID的可预测性，这样可以重新定向合法位置的Internet通讯。 3) 如果Windows DNS服务器中使用了动态更新且DNS中还没有注册ISATAP和WPAD，则服务器无法正确地验证注册WPAD项的用户。远程攻击者可以通过在指向预期IP地址的DNS数据库中注册WPAD执行中间人攻击。 4) Windows WINS服务器没有正确地验证哪些用户可以注册WPAD或ISATAP项，远程攻击者可以通过在执行预期IP地址的WINS服务器中注册WPAD或ISATP执行中间人攻击。 Microsoft Windows Server 2008 Microsoft Windows Server 2003 SP2 Microsoft Windows Server 2003 SP1 Microsoft Windows 2000 Server SP4 厂商补丁： Microsoft --------- Microsoft已经为此发布了一个安全公告（MS09-008）以及相应补丁: MS09-008：Vulnerabilities in DNS and WINS Server Could Allow Spoofing (962238) 链接：<a href=http://www.microsoft.com/technet/security/bulletin/MS09-008.mspx?pf=true target=_blank rel=external nofollow>http://www.microsoft.com/technet/security/bulletin/MS09-008.mspx?pf=true</a>
id	SSV:4893
last seen	2017-11-19
modified	2009-03-12
published	2009-03-12
reporter	Root
source	https://www.seebug.org/vuldb/ssvid-4893
title	Microsoft Windows DNS/WINS服务器多个欺骗漏洞（MS09-008）