CVE-2009-0098 - Resource Management Errors vulnerability in Microsoft Exchange Server 2000/2003/2007
Attack vector | NETWORK |
Attack complexity | MEDIUM |
Privileges required | NONE |
Confidentiality impact | COMPLETE |
Integrity impact | COMPLETE |
Availability impact | COMPLETE |
Summary
Microsoft Exchange 2000 Server SP3, Exchange Server 2003 SP2, and Exchange Server 2007 SP1 do not properly interpret Transport Neutral Encapsulation (TNEF) properties, which allows remote attackers to execute arbitrary code via a crafted TNEF message, aka "Memory Corruption Vulnerability."
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 3 |
Common Weakness Enumeration (CWE)
Msbulletin
bulletin_id | MS09-003 |
bulletin_url | |
date | 2009-02-10T00:00:00 |
impact | Remote Code Execution |
knowledgebase_id | 959239 |
knowledgebase_url | |
severity | Critical |
title | Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution |
Nessus
NASL family | Windows : Microsoft Bulletins |
NASL id | SMB_NT_MS09-003.NASL |
description | The remote host is running a version of Microsoft Exchange that is affected by a memory corruption vulnerability that could lead to remote code execution when processing a specially crafted TNEF message as well as a denial of service vulnerability when processing a specially crafted MAPI command that could cause the Microsoft Exchange System Attendant service and other services that use the EMSMDB32 provider to stop responding. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 35631 |
published | 2009-02-11 |
reporter | This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/35631 |
title | MS09-003: Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution (959239) |
code

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(35631);
  script_version("1.27");
  script_cvs_date("Date: 2019/01/10 15:44:14");

  script_cve_id("CVE-2009-0098", "CVE-2009-0099");
  script_bugtraq_id(33134, 33136);
  script_xref(name:"MSFT", value:"MS09-003");
  script_xref(name:"MSKB", value:"959241");
  script_xref(name:"MSKB", value:"959897");

  script_name(english:"MS09-003: Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution (959239)");
  script_summary(english:"Determines the version of Exchange");

  script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host through the email server.");
  script_set_attribute(attribute:"description", value:
"The remote host is running a version of Microsoft Exchange that is affected by a memory corruption vulnerability that could lead to remote code execution when processing a specially crafted TNEF message as well as a denial of service vulnerability when processing a specially crafted MAPI command that could cause the Microsoft Exchange System Attendant service and other services that use the EMSMDB32 provider to stop responding.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-003");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Exchange 2000, 2003, and 2007.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_cwe_id(20, 399);

  script_set_attribute(attribute:"vuln_publication_date", value:"2009/02/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2009/02/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/02/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:exchange_server");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, 'Host/patch_management_checks');
  exit(0);
}

include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS09-003';
kbs = make_list("959241", "959897");
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

version = get_kb_item("SMB/Exchange/Version");
if (!version) exit(0);

# 2000
if (version == 60)
{
  sp = get_kb_item ("SMB/Exchange/SP");
  rootfile = get_kb_item("SMB/Exchange/Path");
  if (!rootfile || (sp && sp > 4)) exit(0);

  rootfile = rootfile + "\bin";
  if (hotfix_check_fversion(path:rootfile, file:"Emsmdb32.dll", version:"6.0.6620.9", bulletin:bulletin, kb:"959897") == HCF_OLDER)
  {
    set_kb_item(name:"SMB/Missing/MS09-003", value:TRUE);
    hotfix_security_hole();
  }
  hotfix_check_fversion_end();
}
# 2003
else if (version == 65)
{
  sp = get_kb_item ("SMB/Exchange/SP");
  rootfile = hotfix_get_commonfilesdir() + "\Microsoft Shared\CDO";
  if (!rootfile || (sp && sp > 2)) exit(0);

  if (hotfix_check_fversion(path:rootfile, file:"Cdoex.dll", version:"6.5.7654.12", bulletin:bulletin, kb:"959897") == HCF_OLDER)
  {
    set_kb_item(name:"SMB/Missing/MS09-003", value:TRUE);
    hotfix_security_hole();
  }
  hotfix_check_fversion_end();
}
# 2007
else if (version == 80)
{
  sp = get_kb_item ("SMB/Exchange/SP");
  rootfile = hotfix_get_commonfilesdir() + "\Microsoft Shared\CDO";
  if (!rootfile || (sp && sp > 1)) exit(0);

  if (
    hotfix_check_fversion(path:rootfile, file:"Cdoex.dll", version:"8.1.338.0", min_version:"8.1.0.0", bulletin:bulletin, kb:"959241") == HCF_OLDER ||
    hotfix_check_fversion(path:rootfile, file:"Cdoex.dll", version:"8.0.834.0", bulletin:bulletin, kb:"959241") == HCF_OLDER
  )
  {
    set_kb_item(name:"SMB/Missing/MS09-003", value:TRUE);
    hotfix_security_hole();
  }
  hotfix_check_fversion_end();
}
```
NASL family | Windows |
NASL id | EXCHANGE_MS09-003.NASL |
description | The remote host is running a version of Microsoft Exchange that is affected by a memory corruption vulnerability that could lead to remote code execution when processing a specially crafted TNEF message as well as a denial of service vulnerability when processing a specially crafted MAPI command that could cause the Microsoft Exchange System Attendant service and other services that use the EMSMDB32 provider to stop responding. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 108799 |
published | 2018-04-03 |
reporter | This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/108799 |
title | MS09-003: Microsoft Exchange Remote Code Execution (959239) (Uncredentialed) |
code

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(108799);
  script_version("1.13");
  script_cvs_date("Date: 2019/11/08");

  script_cve_id("CVE-2009-0098", "CVE-2009-0099");
  script_bugtraq_id(33134, 33136);
  script_xref(name:"MSFT", value:"MS09-003");
  script_xref(name:"MSKB", value:"959241");
  script_xref(name:"MSKB", value:"959897");

  script_name(english:"MS09-003: Microsoft Exchange Remote Code Execution (959239) (Uncredentialed)");
  script_summary(english:"Checks the version of Exchange");

  script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host through the email server.");
  script_set_attribute(attribute:"description", value:
"The remote host is running a version of Microsoft Exchange that is affected by a memory corruption vulnerability that could lead to remote code execution when processing a specially crafted TNEF message as well as a denial of service vulnerability when processing a specially crafted MAPI command that could cause the Microsoft Exchange System Attendant service and other services that use the EMSMDB32 provider to stop responding.");
  # https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-003
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?20f7b688");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Exchange 2000, 2003, and 2007.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2009-0098");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_cwe_id(20, 399);

  script_set_attribute(attribute:"vuln_publication_date", value:"2009/02/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2009/02/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/03");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:exchange_server");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("exchange_detect.nbin");
  script_require_keys("installed_sw/Exchange Server");
  script_require_ports("Services/smtp", 25, "Services/pop3", 143, "Services/www", 80);
  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("vcf.inc");

appname = 'Exchange Server';
get_install_count(app_name:appname, exit_if_zero:TRUE);

smtp_ports = get_kb_list("Services/smtp");
pop3_ports = get_kb_list("Services/pop3");
http_ports = get_kb_list("Services/www");
ports = make_list(smtp_ports, pop3_ports, http_ports);
port = branch(ports);

app_info = vcf::get_app_info(app:appname, port:port, service:TRUE);
vcf::check_granularity(app_info:app_info, sig_segments:3);

constraints = [
  {"min_version" : "6.0.0", "fixed_version":"6.0.6620.9"},
  {"min_version" : "6.5.0", "fixed_version":"6.5.7654.4"},
  {"min_version" : "8.0.0", "fixed_version":"8.1.340.1"} # do SP0 & SP1 combined
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
```
Oval
accepted | 2014-06-23T04:07:47.483-04:00 |
class | vulnerability |
contributors | |
definition_extensions | |
description | Microsoft Exchange 2000 Server SP3, Exchange Server 2003 SP2, and Exchange Server 2007 SP1 do not properly interpret Transport Neutral Encapsulation (TNEF) properties, which allows remote attackers to execute arbitrary code via a crafted TNEF message, aka "Memory Corruption Vulnerability." |
family | windows |
id | oval:org.mitre.oval:def:6114 |
status | accepted |
submitted | 2009-02-10T16:00:00 |
title | Memory Corruption Vulnerability |
version | 16 |
Seebug
bulletinFamily | exploit |
description | BUGTRAQ ID: 33134 CVE(CAN) ID: CVE-2009-0098 Microsoft Exchange Server is an enterprise-grade mail server. A memory corruption vulnerability exists when Microsoft Exchange Server decodes the Transport Neutral Encapsulation Format (TNEF) data of a message. If a user previews a specially crafted e-mail message sent in TNEF format, or the Microsoft Exchange Server Information Store processes a specially crafted e-mail message, the vulnerability can be triggered, resulting in arbitrary code execution. Microsoft Exchange Server 2007 SP1, Microsoft Exchange Server 2003 SP2, Microsoft Exchange Server 2000 SP3. Vendor patch: Microsoft. Microsoft has released a security bulletin (MS09-003) and corresponding patches for this issue: MS09-003: Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution (959239). Link: http://www.microsoft.com/technet/security/Bulletin/MS09-003.mspx?pf=true |
id | SSV:4745 |
last seen | 2017-11-19 |
modified | 2009-02-13 |
published | 2009-02-13 |
reporter | Root |
title | Exchange Server TNEF Decoding Memory Corruption Vulnerability (MS09-003) |