Vulnerabilities > CVE-2009-0231 - Incorrect Conversion between Numeric Types vulnerability in Microsoft products

CVSS 8.8 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

microsoft

CWE-681

nessus

NVD

Published: 2009-07-15

Updated: 2024-02-08

Summary

The Embedded OpenType (EOT) Font Engine (T2EMBED.DLL) in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2 allows remote attackers to execute arbitrary code via a crafted name table in a data record that triggers an integer truncation and a heap-based buffer overflow, aka "Embedded OpenType Font Heap Overflow Vulnerability."

Vulnerable Configurations

Part	Description	Count
OS	Microsoft Microsoft Windows XP - Microsoft Windows XP * Microsoft Windows Server 2008 - Microsoft Windows Vista - Microsoft Windows 2000 - Microsoft Windows Server 2003 -	11

Common Weakness Enumeration (CWE)

CWE-681 - Incorrect Conversion between Numeric Types

Msbulletin

bulletin_id	MS09-029
bulletin_url
date	2009-07-14T00:00:00
impact	Remote Code Execution
knowledgebase_id	961371
knowledgebase_url
severity	Critical
title	Vulnerabilities in the Embedded OpenType Font Engine Could Allow Remote Code Execution

Nessus

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS09-029.NASL
description	The remote Windows host contains a version of the Embedded OpenType (EOT) Font Engine that is affected by multiple buffer overflow vulnerabilities due to the way the EOT font technology parses name tables in specially crafted embedded fonts. If an attacker can trick a user on the affected system into viewing content rendered in a specially crafted EOT font, these issues could be leveraged to execute arbitrary code subject to the user
last seen	2020-06-01
modified	2020-06-02
plugin id	39792
published	2009-07-14
reporter	This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/39792
title	MS09-029: Vulnerabilities in the Embedded OpenType Font Engine Could Allow Remote Code Execution (961371)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(39792); script_version("1.24"); script_cvs_date("Date: 2018/11/15 20:50:30"); script_cve_id("CVE-2009-0231", "CVE-2009-0232"); script_bugtraq_id(35186, 35187); script_xref(name:"MSFT", value:"MS09-029"); script_xref(name:"MSKB", value:"961371"); script_name(english:"MS09-029: Vulnerabilities in the Embedded OpenType Font Engine Could Allow Remote Code Execution (961371)"); script_summary(english:"Checks version of T2embed.dll"); script_set_attribute(attribute:"synopsis", value: "It is possible to execute arbitrary code on the remote Windows host using the Embedded OpenType Font Engine."); script_set_attribute(attribute:"description", value: "The remote Windows host contains a version of the Embedded OpenType (EOT) Font Engine that is affected by multiple buffer overflow vulnerabilities due to the way the EOT font technology parses name tables in specially crafted embedded fonts. If an attacker can trick a user on the affected system into viewing content rendered in a specially crafted EOT font, these issues could be leveraged to execute arbitrary code subject to the user's privileges."); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-029"); script_set_attribute(attribute:"solution", value: "Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_cwe_id(119, 189); script_set_attribute(attribute:"vuln_publication_date", value:"2009/07/14"); script_set_attribute(attribute:"patch_publication_date", value:"2009/07/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/07/14"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows : Microsoft Bulletins"); script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc."); script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, 'Host/patch_management_checks'); exit(0); } include("audit.inc"); include("smb_hotfixes_fcheck.inc"); include("smb_hotfixes.inc"); include("smb_func.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS09-029'; kb = "961371"; kbs = make_list(kb); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); get_kb_item_or_exit('SMB/Registry/Enumerated'); get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1); if (hotfix_check_sp_range(win2k:'4,5', xp:'2,3', win2003:'2', vista:'0,2') <= 0) audit(AUDIT_OS_SP_NOT_VULN); rootfile = hotfix_get_systemroot(); if (!rootfile) exit(1, "Failed to get the system root."); share = hotfix_path2share(path:rootfile); if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share); if ( # Vista / Windows Server 2008 hotfix_is_vulnerable(os:"6.0", sp:2, file:"T2embed.dll", version:"6.0.6002.22152", min_version:"6.0.6002.20000", dir:"\System32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"6.0", sp:2, file:"T2embed.dll", version:"6.0.6002.18051", dir:"\System32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"6.0", sp:1, file:"T2embed.dll", version:"6.0.6001.22450", min_version:"6.0.6001.20000", dir:"\System32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"6.0", sp:1, file:"T2embed.dll", version:"6.0.6001.18272", dir:"\System32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"6.0", sp:0, file:"T2embed.dll", version:"6.0.6000.21067", min_version:"6.0.6000.20000", dir:"\System32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"6.0", sp:0, file:"T2embed.dll", version:"6.0.6000.16870", dir:"\System32", bulletin:bulletin, kb:kb) \|\| # Windows 2003 hotfix_is_vulnerable(os:"5.2", sp:2, file:"T2embed.dll", version:"5.2.3790.4530", dir:"\System32", bulletin:bulletin, kb:kb) \|\| # Windows XP hotfix_is_vulnerable(os:"5.1", sp:3, arch:"x86", file:"T2embed.dll", version:"5.1.2600.5830", dir:"\System32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.1", sp:2, arch:"x64", file:"T2embed.dll", version:"5.2.3790.4530", dir:"\System32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.1", sp:2, arch:"x86", file:"T2embed.dll", version:"5.1.2600.3589", dir:"\System32", bulletin:bulletin, kb:kb) \|\| # Windows 2000 hotfix_is_vulnerable(os:"5.0", file:"T2embed.dll", version:"5.0.2195.7263", dir:"\System32", bulletin:bulletin, kb:kb) ) { set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE); hotfix_security_hole(); hotfix_check_fversion_end(); exit(0); } else { hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, 'affected'); }

Oval

accepted

2011-10-31T04:04:09.282-04:00

class

vulnerability

contributors

name Dragos Prisaca
organization Gideon Technologies, Inc.
name Dragos Prisaca
organization Gideon Technologies, Inc.
name Rachana Shetty
organization SecPod Technologies

definition_extensions

comment Microsoft Windows 2000 SP4 or later is installed
oval oval:org.mitre.oval:def:229
comment Microsoft Windows XP (x86) SP2 is installed
oval oval:org.mitre.oval:def:754
comment Microsoft Windows XP (x86) SP3 is installed
oval oval:org.mitre.oval:def:5631
comment Microsoft Windows XP x64 Edition SP2 is installed
oval oval:org.mitre.oval:def:4193
comment Microsoft Windows Server 2003 SP2 (x64) is installed
oval oval:org.mitre.oval:def:2161
comment Microsoft Windows Server 2003 SP2 (x86) is installed
oval oval:org.mitre.oval:def:1935
comment Microsoft Windows Server 2003 (ia64) SP2 is installed
oval oval:org.mitre.oval:def:1442
comment Microsoft Windows Vista (32-bit) is installed
oval oval:org.mitre.oval:def:1282
comment Microsoft Windows Vista x64 Edition is installed
oval oval:org.mitre.oval:def:2041
comment Microsoft Windows Vista (32-bit) Service Pack 1 is installed
oval oval:org.mitre.oval:def:4873
comment Microsoft Windows Vista x64 Edition Service Pack 1 is installed
oval oval:org.mitre.oval:def:5254
comment Microsoft Windows Server 2008 (32-bit) is installed
oval oval:org.mitre.oval:def:4870
comment Microsoft Windows Server 2008 (64-bit) is installed
oval oval:org.mitre.oval:def:5356
comment Microsoft Windows Server 2008 (ia-64) is installed
oval oval:org.mitre.oval:def:5667
comment Microsoft Windows Vista (32-bit) Service Pack 2 is installed
oval oval:org.mitre.oval:def:6124
comment Microsoft Windows Server 2008 (32-bit) Service Pack 2 is installed
oval oval:org.mitre.oval:def:5653
comment Microsoft Windows Vista x64 Edition Service Pack 2 is installed
oval oval:org.mitre.oval:def:5594
comment Microsoft Windows Server 2008 x64 Edition Service Pack 2 is installed
oval oval:org.mitre.oval:def:6216
comment Microsoft Windows Server 2008 Itanium-Based Edition Service Pack 2 is installed
oval oval:org.mitre.oval:def:6150

description

family

windows

oval:org.mitre.oval:def:5457

status

accepted

submitted

2009-07-14T13:00:00

title

Embedded OpenType Font Heap Overflow Vulnerability

version

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Msbulletin

Nessus

Oval

References