Vulnerabilities > CVE-2009-0232 - Numeric Errors vulnerability in Microsoft products

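CVSS 0.0 - NONE (every metric listed below is UNKNOWN, so this appears to be an unscored placeholder rather than a zero-risk rating; the Nessus plugin on this page carries the CVSS v2 base vector AV:N/AC:M/Au:N/C:C/I:C/A:C)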
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN

Summary

Integer overflow in the Embedded OpenType (EOT) Font Engine in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2 allows remote attackers to execute arbitrary code via a crafted name table, aka "Embedded OpenType Font Integer Overflow Vulnerability."

Common Weakness Enumeration (CWE)

Msbulletin

bulletin_idMS09-029
bulletin_url
date2009-07-14T00:00:00
impactRemote Code Execution
knowledgebase_id961371
knowledgebase_url
severityCritical
titleVulnerabilities in the Embedded OpenType Font Engine Could Allow Remote Code Execution

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS09-029.NASL
descriptionThe remote Windows host contains a version of the Embedded OpenType (EOT) Font Engine that is affected by multiple buffer overflow vulnerabilities due to the way the EOT font technology parses name tables in specially crafted embedded fonts. If an attacker can trick a user on the affected system into viewing content rendered in a specially crafted EOT font, these issues could be leveraged to execute arbitrary code subject to the user's privileges.
last seen2020-06-01
modified2020-06-02
plugin id39792
published2009-07-14
reporterThis script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/39792
titleMS09-029: Vulnerabilities in the Embedded OpenType Font Engine Could Allow Remote Code Execution (961371)
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");


# Registration pass: when `description` is true the plugin only declares its
# metadata, references and prerequisites, then leaves through exit(0) before
# any host check is made.
if (description)
{
  script_id(39792);
  script_version("1.24");
  script_cvs_date("Date: 2018/11/15 20:50:30");

  # One plugin covers both CVEs addressed by bulletin MS09-029 / KB961371,
  # so a finding does not say which of the two applies.
  script_cve_id("CVE-2009-0231", "CVE-2009-0232");
  script_bugtraq_id(35186, 35187);
  script_xref(name:"MSFT", value:"MS09-029");
  script_xref(name:"MSKB", value:"961371");

  script_name(english:"MS09-029: Vulnerabilities in the Embedded OpenType Font Engine Could Allow Remote Code Execution (961371)");
  # The detection method is a file-version comparison on T2embed.dll.
  script_summary(english:"Checks version of T2embed.dll");

  script_set_attribute(attribute:"synopsis", value:
"It is possible to execute arbitrary code on the remote Windows host
using the Embedded OpenType Font Engine.");
  # The description states that exploitation needs a user to view content
  # rendered in a crafted EOT font and that code runs with that user's
  # privileges.
  script_set_attribute(attribute:"description", value:
"The remote Windows host contains a version of the Embedded OpenType
(EOT) Font Engine that is affected by multiple buffer overflow
vulnerabilities due to the way the EOT font technology parses name
tables in specially crafted embedded fonts.

If an attacker can trick a user on the affected system into viewing
content rendered in a specially crafted EOT font, these issues could
be leveraged to execute arbitrary code subject to the user's
privileges.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-029");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows 2000, XP, 2003,
Vista and 2008.");
  # CVSS v2 base: network vector, medium access complexity, no
  # authentication, complete confidentiality/integrity/availability impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  # CVSS v2 temporal: high exploitability, official fix available, report
  # confirmed.
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  # Prioritisation flags: the plugin records that exploits exist and that
  # malware has used the issue.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  # CWE-119 (memory buffer bounds) and CWE-189 (numeric errors).
  script_cwe_id(119, 189);

  script_set_attribute(attribute:"vuln_publication_date", value:"2009/07/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2009/07/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/07/14");

  # Declared as a "local" check scoped to the Windows OS CPE.
  # NOTE(review): presumably this means credentialed access to the host is
  # needed for a result - confirm against the scanner documentation.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");

  # Prerequisites: two earlier plugins, the KB key they are expected to set,
  # and SMB ports 139/445 or the Host/patch_management_checks entry.
  # NOTE(review): presumably any one of the three port entries is enough -
  # confirm.
  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, 'Host/patch_management_checks');

  exit(0);
}


include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");


# Preconditions for the MS09-029 file check. Each guard below ends the run
# with an exit or audit code when its requirement is missing, so a host that
# stops here has not been assessed - that is not a "patched" result.
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS09-029';
kb = "961371";

kbs = make_list(kb);
# When patch-management data is present, the decision is handed to
# hotfix_check_3rd_party() with the bulletin and KB number.
# NOTE(review): presumably that helper reports and exits on its own, so the
# SMB file check below is skipped in that mode - confirm in smb_hotfixes.inc.
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);


# Needs an enumerated registry and a known Windows version; a missing
# version exits with code 1.
get_kb_item_or_exit('SMB/Registry/Enumerated');
get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);

# Only the listed OS / service-pack ranges are examined; anything else is
# audited as AUDIT_OS_SP_NOT_VULN.
# NOTE(review): no separate Server 2008 argument is passed; presumably the
# vista range covers it, as both are checked as os "6.0" later - confirm.
if (hotfix_check_sp_range(win2k:'4,5', xp:'2,3', win2003:'2', vista:'0,2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

# Resolve the system root and the share that exposes it; failure of either
# step aborts (exit code 1 or AUDIT_SHARE_FAIL) without a verdict.
rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

# Version check on \System32\T2embed.dll, one entry per supported OS and
# service pack. The entries are OR-ed, so the first call that returns true
# decides the result.
# NOTE(review): presumably hotfix_is_vulnerable() is true when the file
# version is below `version` (and, where given, at or above `min_version`) -
# confirm in smb_hotfixes_fcheck.inc.
# Caveat for readers of the result: only the file version of this one DLL is
# inspected, and nothing on this page shows the KB install record being read.
if (
  # Vista / Windows Server 2008
  # Two entries per service pack: one bounded below by min_version
  # (x.x.x.20000 and up) and one without a lower bound.
  # NOTE(review): this looks like separate servicing branches of the same
  # build - confirm.
  hotfix_is_vulnerable(os:"6.0", sp:2,             file:"T2embed.dll", version:"6.0.6002.22152", min_version:"6.0.6002.20000", dir:"\System32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:2,             file:"T2embed.dll", version:"6.0.6002.18051",                               dir:"\System32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:1,             file:"T2embed.dll", version:"6.0.6001.22450", min_version:"6.0.6001.20000", dir:"\System32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:1,             file:"T2embed.dll", version:"6.0.6001.18272",                               dir:"\System32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:0,             file:"T2embed.dll", version:"6.0.6000.21067", min_version:"6.0.6000.20000", dir:"\System32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:0,             file:"T2embed.dll", version:"6.0.6000.16870",                               dir:"\System32", bulletin:bulletin, kb:kb) ||

  # Windows 2003
  hotfix_is_vulnerable(os:"5.2", sp:2,             file:"T2embed.dll", version:"5.2.3790.4530", dir:"\System32", bulletin:bulletin, kb:kb) ||

  # Windows XP
  # NOTE(review): the x64 SP2 entry is keyed on os "5.1" but compares against
  # the 5.2.3790.4530 build used for Windows 2003 above - confirm the helper
  # maps XP x64 hosts to this os value, otherwise the entry never matches.
  hotfix_is_vulnerable(os:"5.1", sp:3, arch:"x86", file:"T2embed.dll", version:"5.1.2600.5830", dir:"\System32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:2, arch:"x64", file:"T2embed.dll", version:"5.2.3790.4530", dir:"\System32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:2, arch:"x86", file:"T2embed.dll", version:"5.1.2600.3589", dir:"\System32", bulletin:bulletin, kb:kb) ||

  # Windows 2000
  # No sp argument here, unlike the other entries.
  hotfix_is_vulnerable(os:"5.0",                   file:"T2embed.dll", version:"5.0.2195.7263", dir:"\System32", bulletin:bulletin, kb:kb)
)
{
  # Record the missing bulletin in the KB under SMB/Missing/<bulletin>, then
  # raise the finding.
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();

  # Called on both branches before leaving.
  # NOTE(review): presumably this closes the file-check session - confirm.
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  # No entry matched: same cleanup call, then the host is audited as not
  # affected.
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

Oval

accepted2011-10-31T04:04:10.648-04:00
classvulnerability
contributors
  • nameDragos Prisaca
    organizationGideon Technologies, Inc.
  • nameDragos Prisaca
    organizationGideon Technologies, Inc.
  • nameRachana Shetty
    organizationSecPod Technologies
definition_extensions
  • commentMicrosoft Windows 2000 SP4 or later is installed
    ovaloval:org.mitre.oval:def:229
  • commentMicrosoft Windows XP (x86) SP2 is installed
    ovaloval:org.mitre.oval:def:754
  • commentMicrosoft Windows XP (x86) SP3 is installed
    ovaloval:org.mitre.oval:def:5631
  • commentMicrosoft Windows XP x64 Edition SP2 is installed
    ovaloval:org.mitre.oval:def:4193
  • commentMicrosoft Windows Server 2003 SP2 (x64) is installed
    ovaloval:org.mitre.oval:def:2161
  • commentMicrosoft Windows Server 2003 SP2 (x86) is installed
    ovaloval:org.mitre.oval:def:1935
  • commentMicrosoft Windows Server 2003 (ia64) SP2 is installed
    ovaloval:org.mitre.oval:def:1442
  • commentMicrosoft Windows Vista (32-bit) is installed
    ovaloval:org.mitre.oval:def:1282
  • commentMicrosoft Windows Vista x64 Edition is installed
    ovaloval:org.mitre.oval:def:2041
  • commentMicrosoft Windows Vista (32-bit) Service Pack 1 is installed
    ovaloval:org.mitre.oval:def:4873
  • commentMicrosoft Windows Vista x64 Edition Service Pack 1 is installed
    ovaloval:org.mitre.oval:def:5254
  • commentMicrosoft Windows Server 2008 (32-bit) is installed
    ovaloval:org.mitre.oval:def:4870
  • commentMicrosoft Windows Server 2008 (64-bit) is installed
    ovaloval:org.mitre.oval:def:5356
  • commentMicrosoft Windows Server 2008 (ia-64) is installed
    ovaloval:org.mitre.oval:def:5667
  • commentMicrosoft Windows Vista (32-bit) Service Pack 2 is installed
    ovaloval:org.mitre.oval:def:6124
  • commentMicrosoft Windows Server 2008 (32-bit) Service Pack 2 is installed
    ovaloval:org.mitre.oval:def:5653
  • commentMicrosoft Windows Vista x64 Edition Service Pack 2 is installed
    ovaloval:org.mitre.oval:def:5594
  • commentMicrosoft Windows Server 2008 x64 Edition Service Pack 2 is installed
    ovaloval:org.mitre.oval:def:6216
  • commentMicrosoft Windows Server 2008 Itanium-Based Edition Service Pack 2 is installed
    ovaloval:org.mitre.oval:def:6150
descriptionInteger overflow in the Embedded OpenType (EOT) Font Engine in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2 allows remote attackers to execute arbitrary code via a crafted name table, aka "Embedded OpenType Font Integer Overflow Vulnerability."
familywindows
idoval:org.mitre.oval:def:5678
statusaccepted
submitted2009-07-14T13:00:00
titleEmbedded OpenType Font Integer Overflow Vulnerability
version73

Seebug

bulletinFamilyexploit
descriptionBugraq ID: 35187 CVE ID:CVE-2009-0232 Microsoft Windows是一款流行的操作系统。 Microsoft Windows包含的嵌入式EOT字体技术在解析特殊构建的名字表时存在漏洞,远程攻击者可以利用漏洞以系统进程权限执行任意指令。 目前没有详细漏洞细节提供。 Microsoft Windows XP Tablet PC Edition SP3 Microsoft Windows XP Tablet PC Edition SP2 Microsoft Windows XP Tablet PC Edition SP1 Microsoft Windows XP Tablet PC Edition Microsoft Windows XP Professional x64 Edition SP2 Microsoft Windows XP Professional x64 Edition Microsoft Windows XP Professional SP3 Microsoft Windows XP Professional SP2 Microsoft Windows XP Professional SP1 Microsoft Windows XP Professional Microsoft Windows XP Media Center Edition SP3 Microsoft Windows XP Media Center Edition SP2 Microsoft Windows XP Media Center Edition SP1 Microsoft Windows XP Media Center Edition Microsoft Windows XP Home SP3 Microsoft Windows XP Home SP2 Microsoft Windows XP Home SP1 Microsoft Windows XP Home Microsoft Windows XP Gold 0 Microsoft Windows XP 64-bit Edition SP1 Microsoft Windows XP 64-bit Edition Microsoft Windows XP 0 Microsoft Windows Vista x64 Edition SP2 Microsoft Windows Vista x64 Edition SP1 Microsoft Windows Vista x64 Edition 0 Microsoft Windows Vista Ultimate 64-bit edition SP2 Microsoft Windows Vista Ultimate 64-bit edition SP1 Microsoft Windows Vista Ultimate 64-bit edition 0 Microsoft Windows Vista Home Premium 64-bit edition SP2 Microsoft Windows Vista Home Premium 64-bit edition SP1 Microsoft Windows Vista Home Premium 64-bit edition 0 Microsoft Windows Vista Home Basic 64-bit edition SP2 Microsoft Windows Vista Home Basic 64-bit edition SP1 Microsoft Windows Vista Home Basic 64-bit edition 0 Microsoft Windows Vista Enterprise 64-bit edition SP2 Microsoft Windows Vista Enterprise 64-bit edition SP1 Microsoft Windows Vista Enterprise 64-bit edition 0 Microsoft Windows Vista Business 64-bit edition SP2 Microsoft Windows Vista Business 64-bit edition SP1 Microsoft Windows Vista Business 64-bit edition 0 Microsoft Windows Vista Ultimate SP2 Microsoft Windows Vista Ultimate SP1 Microsoft 
Windows Vista Ultimate Microsoft Windows Vista SP2 Beta Microsoft Windows Vista SP2 Microsoft Windows Vista SP1 Microsoft Windows Vista Home Premium SP2 Microsoft Windows Vista Home Premium SP1 Microsoft Windows Vista Home Premium Microsoft Windows Vista Home Basic SP2 Microsoft Windows Vista Home Basic SP1 Microsoft Windows Vista Home Basic Microsoft Windows Vista Enterprise SP2 Microsoft Windows Vista Enterprise SP1 Microsoft Windows Vista Enterprise Microsoft Windows Vista Business SP2 Microsoft Windows Vista Business SP1 Microsoft Windows Vista Business Microsoft Windows Vista beta 2 Microsoft Windows Vista Beta 1 Microsoft Windows Vista Beta Microsoft Windows Vista 0 Microsoft Windows Server 2008 Standard Edition SP2 Microsoft Windows Server 2008 Standard Edition Release Candidate Microsoft Windows Server 2008 Standard Edition 0 Microsoft Windows Server 2008 for x64-based Systems SP2 Microsoft Windows Server 2008 for x64-based Systems 0 Microsoft Windows Server 2008 for Itanium-based Systems SP2 Microsoft Windows Server 2008 for Itanium-based Systems 0 Microsoft Windows Server 2008 for 32-bit Systems SP2 Microsoft Windows Server 2008 for 32-bit Systems 0 Microsoft Windows Server 2008 Enterprise Edition SP2 Microsoft Windows Server 2008 Enterprise Edition Release Candidate Microsoft Windows Server 2008 Enterprise Edition 0 Microsoft Windows Server 2008 Datacenter Edition SP2 Microsoft Windows Server 2008 Datacenter Edition Release Candidate Microsoft Windows Server 2008 Datacenter Edition 0 Microsoft Windows Server 2003 x64 SP2 Microsoft Windows Server 2003 x64 SP1 Microsoft Windows Server 2003 Web Edition SP2 Microsoft Windows Server 2003 Web Edition SP1 Beta 1 Microsoft Windows Server 2003 Web Edition SP1 Microsoft Windows Server 2003 Web Edition Microsoft Windows Server 2003 Standard x64 Edition Microsoft Windows Server 2003 Standard Edition SP2 Microsoft Windows Server 2003 Standard Edition SP1 Beta 1 Microsoft Windows Server 2003 Standard Edition SP1 
Microsoft Windows Server 2003 Standard Edition Microsoft Windows Server 2003 Itanium SP2 Microsoft Windows Server 2003 Itanium SP1 Microsoft Windows Server 2003 Itanium 0 Microsoft Windows Server 2003 Enterprise x64 Edition SP2 Microsoft Windows Server 2003 Enterprise x64 Edition Microsoft Windows Server 2003 Enterprise Edition Itanium SP1 Beta 1 Microsoft Windows Server 2003 Enterprise Edition Itanium SP1 Microsoft Windows Server 2003 Enterprise Edition Itanium 0 Microsoft Windows Server 2003 Enterprise Edition SP1 Beta 1 Microsoft Windows Server 2003 Enterprise Edition SP1 Microsoft Windows Server 2003 Enterprise Edition Microsoft Windows Server 2003 Datacenter x64 Edition SP2 Microsoft Windows Server 2003 Datacenter x64 Edition Microsoft Windows Server 2003 Datacenter Edition Itanium SP1 Beta 1 Microsoft Windows Server 2003 Datacenter Edition Itanium SP1 Microsoft Windows Server 2003 Datacenter Edition Itanium 0 Microsoft Windows Server 2003 Datacenter Edition SP1 Beta 1 Microsoft Windows Server 2003 Datacenter Edition SP1 Microsoft Windows Server 2003 Datacenter Edition Microsoft Windows 2000 Server SP4 Microsoft Windows 2000 Server SP3 Microsoft Windows 2000 Server SP2 Microsoft Windows 2000 Server SP1 Microsoft Windows 2000 Server + Avaya DefinityOne Media Servers + Avaya IP600 Media Servers + Avaya S3400 Message Application Server + Avaya S8100 Media Servers Microsoft Windows 2000 Professional SP4 Microsoft Windows 2000 Professional SP3 Microsoft Windows 2000 Professional SP2 Microsoft Windows 2000 Professional SP1 Microsoft Windows 2000 Professional Microsoft Windows 2000 Datacenter Server SP4 Microsoft Windows 2000 Datacenter Server SP3 Microsoft Windows 2000 Datacenter Server SP2 Microsoft Windows 2000 Datacenter Server SP1 Microsoft Windows 2000 Datacenter Server Microsoft Windows 2000 Advanced Server SP4 Microsoft Windows 2000 Advanced Server SP3 Microsoft Windows 2000 Advanced Server SP2 Microsoft Windows 2000 Advanced Server SP1 Microsoft Windows 2000 
Advanced Server 3DM Software Disk Management Software SP2 3DM Software Disk Management Software SP1 厂商解决方案 用户可参考如下补丁程序: Microsoft Windows Server 2008 for 32-bit Systems SP2 Microsoft Security Update for Windows Server 2008 (KB961371) http://www.microsoft.com/downloads/details.aspx?familyid=91f6ee68-0e39 -4ec3-b4cd-45f05404e2fb Microsoft Windows XP Tablet PC Edition SP2 Microsoft Security Update for Windows XP (KB961371) http://www.microsoft.com/downloads/details.aspx?familyid=6914167b-6961 -480c-a4d4-808cd58a035b Microsoft Windows XP Media Center Edition SP3 Microsoft Security Update for Windows XP (KB961371) http://www.microsoft.com/downloads/details.aspx?familyid=6914167b-6961 -480c-a4d4-808cd58a035b Microsoft Windows Server 2003 Web Edition SP2 Microsoft Security Update for Windows Server 2003 (KB961371) http://www.microsoft.com/downloads/details.aspx?familyid=018ef53d-f78e -4084-940d-7c86bf59d83c Microsoft Windows XP Professional x64 Edition SP2 Microsoft Security Update for Windows XP x64 Edition (KB961371) http://www.microsoft.com/downloads/details.aspx?familyid=3b8b019e-e6d8 -4ce2-8f1f-3a6399b252d1 Microsoft Windows Vista x64 Edition SP1 Microsoft Security Update for Windows Vista for x64-based Systems (KB961371) http://www.microsoft.com/downloads/details.aspx?familyid=3f8ae651-59f7 -48e1-9e8c-8e07c6806964 Microsoft Windows Server 2008 for x64-based Systems 0 Microsoft Security Update for Windows Server 2008 x64 Edition (KB961371) http://www.microsoft.com/downloads/details.aspx?familyid=5cdc3014-97b3 -47b5-a6b7-cd0e12ec60e4 Microsoft Windows Server 2008 for Itanium-based Systems SP2 Microsoft Security Update for Windows Server 2008 for Itanium-based Systems (KB961371) http://www.microsoft.com/downloads/details.aspx?familyid=03330a14-9cfa -4146-a3d3-4b7a76975d2d Microsoft Windows 2000 Advanced Server SP4 Microsoft Security Update for Windows 2000 (KB961371) http://www.microsoft.com/downloads/details.aspx?familyid=1efbbd95-cd72 -43df-b1ce-7e2b0c0cb9e2 
Microsoft Windows Server 2003 Standard Edition SP2 Microsoft Security Update for Windows Server 2003 (KB961371) http://www.microsoft.com/downloads/details.aspx?familyid=018ef53d-f78e -4084-940d-7c86bf59d83c Microsoft Windows Server 2008 for x64-based Systems SP2 Microsoft Security Update for Windows Server 2008 x64 Edition (KB961371) http://www.microsoft.com/downloads/details.aspx?familyid=5cdc3014-97b3 -47b5-a6b7-cd0e12ec60e4 Microsoft Windows Server 2003 Itanium SP2 Microsoft Security Update for Windows Server 2003 for Itanium-based Systems (KB961371) http://www.microsoft.com/downloads/details.aspx?familyid=7df0fce2-543c -4e82-85e6-012bfc8bf130 Microsoft Windows Server 2008 for Itanium-based Systems 0 Microsoft Security Update for Windows Server 2008 for Itanium-based Systems (KB961371) http://www.microsoft.com/downloads/details.aspx?familyid=03330a14-9cfa -4146-a3d3-4b7a76975d2d Microsoft Windows Vista x64 Edition SP2 Microsoft Security Update for Windows Vista for x64-based Systems (KB961371) http://www.microsoft.com/downloads/details.aspx?familyid=3f8ae651-59f7 -48e1-9e8c-8e07c6806964 Microsoft Windows 2000 Professional SP4 Microsoft Security Update for Windows 2000 (KB961371) http://www.microsoft.com/downloads/details.aspx?familyid=1efbbd95-cd72 -43df-b1ce-7e2b0c0cb9e2 Microsoft Windows XP Media Center Edition SP2 Microsoft Security Update for Windows XP (KB961371) http://www.microsoft.com/downloads/details.aspx?familyid=6914167b-6961 -480c-a4d4-808cd58a035b Microsoft Windows Vista x64 Edition 0 Microsoft Security Update for Windows Vista for x64-based Systems (KB961371) http://www.microsoft.com/downloads/details.aspx?familyid=3f8ae651-59f7 -48e1-9e8c-8e07c6806964 Microsoft Windows Server 2003 Datacenter x64 Edition SP2 Microsoft Security Update for Windows Server 2003 x64 Edition (KB961371) http://www.microsoft.com/downloads/details.aspx?familyid=7f5fc902-f5d8 -4a87-a73f-68632f9a0935
idSSV:11815
last seen2017-11-19
modified2009-07-15
published2009-07-15
reporterRoot
titleMicrosoft Windows嵌入式OpenType字体引擎整数溢出漏洞