Vulnerabilities > CVE-2009-0102 - Resource Management Errors vulnerability in Microsoft products

047910
CVSS 9.3 - CRITICAL
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
microsoft
CWE-399
critical
nessus

Summary

Microsoft Project 2000 SR1 and 2002 SP1, and Office Project 2003 SP3, does not properly handle memory allocation for Project files, which allows remote attackers to execute arbitrary code via a malformed file, aka "Project Memory Validation Vulnerability."

Common Weakness Enumeration (CWE)

Msbulletin

bulletin_idMS09-074
bulletin_url
date2009-12-08T00:00:00
impactRemote Code Execution
knowledgebase_id967183
knowledgebase_url
severityCritical
titleVulnerability in Microsoft Office Project Could Allow Remote Code Execution

Nessus

NASL family: Windows : Microsoft Bulletins
NASL id: SMB_NT_MS09-074.NASL
description: The remote host contains a version of Microsoft Project that has a vulnerability in the way it validates memory that could be used by an attacker to execute arbitrary code on the remote host. To exploit this vulnerability, an attacker would need to send a specially crafted Project document to a user on the remote host and lure him into opening it.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 43066
published: 2009-12-08
reporter: This script is Copyright (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/43066
title: MS09-074: Vulnerability in Microsoft Office Project Could Allow Remote Code Execution (967183)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

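# Registration pass: when the engine loads the plugin with `description` set,
# only the metadata below is recorded and the script exits before any check
# is performed (see the exit(0) at the end of this block).
if (description)
{
  script_id(43066);
  script_version("1.23");
  script_cvs_date("Date: 2018/11/15 20:50:30");

  # Cross-references: the CVE, the Bugtraq id, the Microsoft bulletin and the
  # three per-product KB articles that the check below reports against.
  script_cve_id("CVE-2009-0102");
  script_bugtraq_id(37211);
  script_xref(name:"MSFT", value:"MS09-074");
  script_xref(name:"MSKB", value:"961082");
  script_xref(name:"MSKB", value:"961083");
  script_xref(name:"MSKB", value:"961079");

  script_name(english:"MS09-074: Vulnerability in Microsoft Office Project Could Allow Remote Code Execution (967183)");
  script_summary(english:"Determines the presence of update 967183");

  script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host through Microsoft
Project.");
  # The description text previously read "spend a specially crafted Project
  # document"; corrected to "send".
  script_set_attribute(attribute:"description", value:
"The remote host contains a version of Microsoft Project that has a
vulnerability in the way it validates memory that could be used by an
attacker to execute arbitrary code on the remote host.

To exploit this vulnerability, an attacker would need to send a
specially crafted Project document to a user on the remote host and
lure him into opening it.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-074");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Microsoft Project 2000,
2002 and 2003.");
  # CVSS v2 base: network vector, medium complexity (a user has to open the
  # file), no authentication, complete C/I/A impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  # Temporal vector and exploit attributes record the state as of the
  # plugin's last revision (script_cvs_date above); re-check current
  # exploit intelligence before using them to prioritise remediation.
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(399);

  script_set_attribute(attribute:"vuln_publication_date", value:"2009/12/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2009/12/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/12/08");

  # "local" plugin type: the finding is derived from data collected on the
  # host (installed Project version), not from probing a network service.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office_project");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:project");
  script_end_attributes();

  # Information-gathering category: the plugin only reads version data.
  script_category(ACT_GATHER_INFO);

  script_copyright(english:"This script is Copyright (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Windows : Microsoft Bulletins");

  # These plugins must run first; they populate the knowledge-base entries
  # that the check reads.
  script_dependencies("smb_hotfixes.nasl", "smb_nt_ms02-031.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  # NOTE(review): script_require_ports is given KB key names here, so the
  # plugin appears to run when either a Project version or patch-management
  # data is present - confirm against the engine's scheduling rules.
  script_require_ports("SMB/Office/Project/Version", "Host/patch_management_checks");

  exit(0);
}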

include("smb_func.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");
include("smb_hotfixes.inc");
include("audit.inc");

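# Stop unless an earlier plugin recorded that bulletin checks are possible
# for this host.
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS09-074';
kbs = make_list("961082", "961083", "961079");
# With patch-management data available, hand the bulletin and KB list to the
# third-party helper. NOTE(review): whether it returns or exits is decided in
# the included hotfix library - confirm there.
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

# First fixed build for each supported major version (9, 10 and 11), one
# list element per dotted version component.
vers9  = make_list(9, 0,2009, 1022);
vers10 = make_list(10,0,2108,2216);
vers11 = make_list(11,3,2009,1108);
vuln = 0;
# One KB entry per detected Project install; the version is embedded in the
# key name and the value is the install path.
installs = get_kb_list_or_exit("SMB/Office/Project/*/ProductPath");
foreach install (keys(installs))
{
  # Strip the fixed prefix and suffix from the key to recover the version.
  version = install - 'SMB/Office/Project/' - '/ProductPath';
  path = installs[install];

  # Numeric components, so the comparison below is not lexicographic.
  vers = split(version, sep:'.', keep:FALSE);
  for (i=0; i < max_index(vers); i++) vers[i] = int(vers[i]);

  # Pick the reference build and KB for this major version; any other major
  # version leaves kb empty and the install is skipped.
  kb = '';
  if ( vers[0] == 9 )
  {
    ref = vers9;
    kb = '961083';
  }
  else if ( vers[0] == 10 )
  {
    ref = vers10;
    kb = '961079';
  }
  else if ( vers[0] == 11 )
  {
    ref = vers11;
    kb = '961082';
  }

  if (kb)
  {
    # Compare most-significant component first and stop at the first
    # difference. The loop is bounded by both lists so a version string with
    # extra components never indexes past the end of ref.
    for (i=0; i < max_index(vers) && i < max_index(ref); i++)
    {
      if (vers[i] < ref[i])
      {
        vuln++;
        # Report the installed version string; the original referenced an
        # undefined variable here, which left the field empty in the report.
        info =
          '\n  Path              : ' + path +
          '\n  Installed version : ' + version +
          '\n  Fixed version     : ' + join(ref, sep:'.') + '\n';
        hotfix_add_report(info, bulletin:bulletin, kb:kb);
        # The install is older than the fix; without this break a later
        # component that is also lower would report the same install twice.
        break;
      }
      else if (vers[i] > ref[i]) break;
    }
  }
}
if (vuln)
{
  # Record the missing bulletin in the KB, then raise the finding.
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  exit(0);
}
else audit(AUDIT_HOST_NOT, 'affected');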

Oval

accepted2012-05-28T04:02:05.809-04:00
classvulnerability
contributors
  • nameJ. Daniel Brown
    organizationDTCC
  • nameMike Lah
    organizationThe MITRE Corporation
  • nameRachana Shetty
    organizationSecPod Technologies
  • nameShane Shaffer
    organizationG2, Inc.
definition_extensions
  • commentMicrosoft Project 2000 SR1 is installed
    ovaloval:org.mitre.oval:def:518
  • commentMicrosoft Project 2002 SP1 is installed
    ovaloval:org.mitre.oval:def:707
  • commentMicrosoft Project 2003 SP3 is installed
    ovaloval:org.mitre.oval:def:5755
descriptionMicrosoft Project 2000 SR1 and 2002 SP1, and Office Project 2003 SP3, does not properly handle memory allocation for Project files, which allows remote attackers to execute arbitrary code via a malformed file, aka "Project Memory Validation Vulnerability."
familywindows
idoval:org.mitre.oval:def:6298
statusaccepted
submitted2009-12-09T17:00:00
titleProject Memory Validation Vulnerability
version8

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 37211 CVE ID: CVE-2009-0102 Project是微软Office套件中的项目管理和控制组件。 Project的winproj.exe服务在处理包含有畸形元素字段列表结构的特制Project文件时存在内存破坏漏洞。如果用户受骗打开了畸形文档,就可能触发这个漏洞,导致执行任意指令。 Microsoft Project 2003 SP3 Microsoft Project 2002 SP1 Microsoft Project 2000 SP1 临时解决方法: 如果您不能立刻安装补丁或者升级,建议您采取以下措施以降低威胁: * 不要打开从不可信任来源接收或从可信任来源意外接收到的Project文件,如带有.mpp扩展名的文件。 厂商补丁: Microsoft --------- Microsoft已经为此发布了一个安全公告(MS09-074)以及相应补丁: MS09-074:Vulnerability in Microsoft Office Project Could Allow Remote Code Execution (967183) 链接:http://www.microsoft.com/technet/security/bulletin/ms09-074.mspx?pf=true
idSSV:15049
last seen2017-11-19
modified2009-12-12
published2009-12-12
reporterRoot
titleMicrosoft Project无效资源内存分配远程代码执行漏洞(MS09-074)