CVE-2009-0550 - Remote Code Execution vulnerability in Microsoft Windows NTLM Credential Reflection

CVSS 9.3 - CRITICAL
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE

Summary

Windows HTTP Services (aka WinHTTP) in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008; and WinINet in Microsoft Internet Explorer 5.01 SP4, 6 SP1, 6 and 7 on Windows XP SP2 and SP3, 6 and 7 on Windows Server 2003 SP1 and SP2, 7 on Windows Vista Gold and SP1, and 7 on Windows Server 2008; allows remote web servers to capture and replay NTLM credentials, and execute arbitrary code, via vectors related to absence of a "credential-reflection protections" opt-in step, aka "Windows HTTP Services Credential Reflection Vulnerability" and "WinINet Credential Reflection Vulnerability."

Msbulletin

  • bulletin_id: MS09-013
    bulletin_url:
    date: 2009-04-14T00:00:00
    impact: Remote Code Execution
    knowledgebase_id: 960803
    knowledgebase_url:
    severity: Critical
    title: Vulnerabilities in Windows HTTP Services Could Allow Remote Code Execution
  • bulletin_id: MS09-014
    bulletin_url:
    date: 2009-04-14T00:00:00
    impact: Remote Code Execution
    knowledgebase_id: 963027
    knowledgebase_url:
    severity: Critical
    title: Cumulative Security Update for Internet Explorer

Nessus

  • NASL family: Windows : Microsoft Bulletins
    NASL id: SMB_NT_MS09-013.NASL
    description: The version of Windows HTTP Services installed on the remote host is affected by several vulnerabilities: - An integer underflow triggered by a specially crafted response from a malicious web server (for example, during device discovery of UPnP devices on a network) may allow for arbitrary code execution. (CVE-2009-0086) - Incomplete validation of the distinguished name in a digital certificate may, in combination with other attacks, allow an attacker to successfully spoof the digital certificate of a third-party website. (CVE-2009-0089) - A flaw in the way that Windows HTTP Services handles NTLM credentials may allow an attacker to reflect back a user
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 36151
    published: 2009-04-15
    reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/36151
    title: MS09-013: Vulnerabilities in Windows HTTP Services Could Allow Remote Code Execution (960803)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    
    if (description)
    {
      script_id(36151);
      script_version("1.35");
      script_cvs_date("Date: 2018/11/15 20:50:30");
    
      script_cve_id("CVE-2009-0086", "CVE-2009-0089", "CVE-2009-0550");
      script_bugtraq_id(34435, 34437, 34439);
      script_xref(name:"MSFT", value:"MS09-013");
      script_xref(name:"MSKB", value:"960803");
      script_xref(name:"IAVA", value:"2009-A-0034");
    
      script_name(english:"MS09-013: Vulnerabilities in Windows HTTP Services Could Allow Remote Code Execution (960803)");
      script_summary(english:"Checks version of Winhttp.dll");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote host contains an API that is affected by multiple
    vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Windows HTTP Services installed on the remote host is
    affected by several vulnerabilities :
    
      - An integer underflow triggered by a specially crafted
        response from a malicious web server (for example,
        during device discovery of UPnP devices on a network)
        may allow for arbitrary code execution. (CVE-2009-0086)
    
      - Incomplete validation of the distinguished name in a
        digital certificate may, in combination with other
        attacks, allow an attacker to successfully spoof the
        digital certificate of a third-party website.
        (CVE-2009-0089)
    
      - A flaw in the way that Windows HTTP Services handles
        NTLM credentials may allow an attacker to reflect back
        a user's credentials and thereby gain access as that
        user. (CVE-2009-0550)");
      script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-013");
      script_set_attribute(attribute:"solution", value:
    "Microsoft has released a set of patches for Windows 2000, XP, 2003,
    Vista and 2008.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_cwe_id(20, 189);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2009/04/14");
      script_set_attribute(attribute:"patch_publication_date", value:"2009/04/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/15");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
    
      script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, 'Host/patch_management_checks');
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("smb_func.inc");
    include("misc_func.inc");
    
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = 'MS09-013';
    kb = "960803";
    
    kbs = make_list(kb);
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(win2k:'4,5', xp:'2,3', vista:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    rootfile = hotfix_get_systemroot();
    if (!rootfile) exit(1, "Failed to get the system root.");
    
    share = hotfix_path2share(path:rootfile);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    vuln = 0;
    
    if (
      # Windows Vista and Windows Server 2008
      hotfix_is_vulnerable(os:"6.0", sp:1, file:"Winhttp.dll", version:"6.0.6001.22323", min_version:"6.0.6001.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"6.0", sp:1, file:"Winhttp.dll", version:"6.0.6001.18178", dir:"\system32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"6.0", sp:0, file:"Winhttp.dll", version:"6.0.6000.20971", min_version:"6.0.6000.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"6.0", sp:0, file:"Winhttp.dll", version:"6.0.6000.16786", dir:"\system32", bulletin:bulletin, kb:kb) ||
    
      # Windows XP
      hotfix_is_vulnerable(os:"5.1", sp:3, file:"Winhttp.dll", version:"5.1.2600.5727", dir:"\System32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"5.1", sp:2, file:"Winhttp.dll", version:"5.1.2600.3494", dir:"\System32", bulletin:bulletin, kb:kb) ||
    
      # Windows 2000
      hotfix_is_vulnerable(os:"5.0", file:"Winhttp.dll", version:"5.1.2600.3490", dir:"\System32", bulletin:bulletin, kb:kb)
    ) vuln++;
    
    hotfix_check_fversion_end();
    
    if (hotfix_check_sp(win2003:3) > 0)
    {
      if (hotfix_check_sp(win2003:2) > 0)
        fixed_version = '5.2.3790.3262'; # fix for SP1 (and earlier)
      else
        fixed_version = '5.2.3790.4427'; # fix for SP2
    
      login   =  kb_smb_login();
      pass    =  kb_smb_password();
      domain  =  kb_smb_domain();
      port    =  kb_smb_transport();
    
      if(! smb_session_init()) audit(AUDIT_FN_FAIL, "smb_session_init");
    
      r = NetUseAdd(login:login, password:pass, domain:domain, share:share);
      if ( r != 1 ) audit(AUDIT_SHARE_FAIL, share);
    
      winsxs = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\WinSxS", string:rootfile);
      files = list_dir(basedir:winsxs, level:0, dir_pat:"microsoft.windows.winhttp", file_pat:"^winhttp\.dll$");
    
      vuln += hotfix_check_winsxs(os:'5.2', sp:1, files:files, versions:make_list('5.2.3790.3262'), bulletin:bulletin, kb:kb);
      vuln += hotfix_check_winsxs(os:'5.2', sp:2, files:files, versions:make_list('5.2.3790.4427'), bulletin:bulletin, kb:kb);
    
      NetUseDel();
    }
    
    
    if (vuln)
    {
      set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
      hotfix_security_hole();
      exit(0);
    }
    else
    {
      audit(AUDIT_HOST_NOT, 'affected');
    }
    
  • NASL family: Windows
    NASL id: WIN_SERVER_2008_NTLM_PCI.NASL
    description: According to the version number obtained by NTLM, the remote host has Windows Server 2008 installed. The host may be vulnerable to a number of vulnerabilities including remote unauthenticated code execution.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 108811
    published: 2018-04-03
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/108811
    title: Windows Server 2008 Critical RCE Vulnerabilities (uncredentialed) (PCI/DSS)
  • NASL family: Windows : Microsoft Bulletins
    NASL id: SMB_NT_MS09-014.NASL
    description: The remote host is missing IE Security Update 963027. The remote version of IE is affected by several vulnerabilities that may allow an attacker to execute arbitrary code on the remote host.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 36152
    published: 2009-04-15
    reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/36152
    title: MS09-014: Cumulative Security Update for Internet Explorer (963027)

Oval

  • accepted: 2009-06-29T04:00:25.753-04:00
    class: vulnerability
    contributors:
    • name: Kyle Key
      organization: Gideon Technologies, Inc.
    • name: Brendan Miles
      organization: The MITRE Corporation
    • name: J. Daniel Brown
      organization: DTCC
    • name: Mike Lah
      organization: The MITRE Corporation
    • name: Shane Shaffer
      organization: G2, Inc.
    definition_extensions:
    • comment: Microsoft Windows 2000 SP4 or later is installed
      oval: oval:org.mitre.oval:def:229
    • comment: Microsoft Windows XP (x86) SP2 is installed
      oval: oval:org.mitre.oval:def:754
    • comment: Microsoft Windows XP (x86) SP3 is installed
      oval: oval:org.mitre.oval:def:5631
    • comment: Microsoft Windows XP SP1 (64-bit) is installed
      oval: oval:org.mitre.oval:def:480
    • comment: Microsoft Windows XP x64 Edition SP2 is installed
      oval: oval:org.mitre.oval:def:4193
    • comment: Microsoft Windows Server 2003 SP1 (x86) is installed
      oval: oval:org.mitre.oval:def:565
    • comment: Microsoft Windows Server 2003 SP1 (x64) is installed
      oval: oval:org.mitre.oval:def:4386
    • comment: Microsoft Windows Server 2003 (ia64) SP1 is installed
      oval: oval:org.mitre.oval:def:1205
    • comment: Microsoft Windows Server 2003 SP2 (x86) is installed
      oval: oval:org.mitre.oval:def:1935
    • comment: Microsoft Windows Server 2003 SP2 (x64) is installed
      oval: oval:org.mitre.oval:def:2161
    • comment: Microsoft Windows Server 2003 (ia64) SP2 is installed
      oval: oval:org.mitre.oval:def:1442
    • comment: Microsoft Windows Vista (32-bit) is installed
      oval: oval:org.mitre.oval:def:1282
    • comment: Microsoft Windows Vista x64 Edition is installed
      oval: oval:org.mitre.oval:def:2041
    • comment: Microsoft Windows Vista (32-bit) is installed
      oval: oval:org.mitre.oval:def:1282
    • comment: Microsoft Windows Vista x64 Edition is installed
      oval: oval:org.mitre.oval:def:2041
    • comment: Microsoft Windows Vista (32-bit) Service Pack 1 is installed
      oval: oval:org.mitre.oval:def:4873
    • comment: Microsoft Windows Vista x64 Edition Service Pack 1 is installed
      oval: oval:org.mitre.oval:def:5254
    • comment: Microsoft Windows Server 2008 (32-bit) is installed
      oval: oval:org.mitre.oval:def:4870
    • comment: Microsoft Windows Server 2008 (64-bit) is installed
      oval: oval:org.mitre.oval:def:5356
    • comment: Microsoft Windows Server 2008 (ia-64) is installed
      oval: oval:org.mitre.oval:def:5667
    • comment: Microsoft Windows Vista (32-bit) Service Pack 1 is installed
      oval: oval:org.mitre.oval:def:4873
    • comment: Microsoft Windows Vista x64 Edition Service Pack 1 is installed
      oval: oval:org.mitre.oval:def:5254
    • comment: Microsoft Windows Server 2008 (32-bit) is installed
      oval: oval:org.mitre.oval:def:4870
    • comment: Microsoft Windows Server 2008 (64-bit) is installed
      oval: oval:org.mitre.oval:def:5356
    • comment: Microsoft Windows Server 2008 (ia-64) is installed
      oval: oval:org.mitre.oval:def:5667
    description: Windows HTTP Services (aka WinHTTP) in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008; and WinINet in Microsoft Internet Explorer 5.01 SP4, 6 SP1, 6 and 7 on Windows XP SP2 and SP3, 6 and 7 on Windows Server 2003 SP1 and SP2, 7 on Windows Vista Gold and SP1, and 7 on Windows Server 2008; allows remote web servers to capture and replay NTLM credentials, and execute arbitrary code, via vectors related to absence of a "credential-reflection protections" opt-in step, aka "Windows HTTP Services Credential Reflection Vulnerability" and "WinINet Credential Reflection Vulnerability."
    family: windows
    id: oval:org.mitre.oval:def:5320
    status: deprecated
    submitted: 2009-04-14T16:00:00
    title: Windows HTTP Services Credential Reflection Vulnerability
    version: 75
  • accepted: 2009-06-29T04:01:05.570-04:00
    class: vulnerability
    contributors:
    • name: Dragos Prisaca
      organization: Gideon Technologies, Inc.
    • name: Brendan Miles
      organization: The MITRE Corporation
    • name: J. Daniel Brown
      organization: DTCC
    definition_extensions:
    • comment: Microsoft Windows 2000 SP4 or later is installed
      oval: oval:org.mitre.oval:def:229
    • comment: Microsoft Internet Explorer 5.01 SP4 is installed
      oval: oval:org.mitre.oval:def:325
    • comment: Microsoft Windows 2000 SP4 or later is installed
      oval: oval:org.mitre.oval:def:229
    • comment: Microsoft Internet Explorer 6 is installed
      oval: oval:org.mitre.oval:def:563
    • comment: Microsoft Windows XP SP2 is installed
      oval: oval:org.mitre.oval:def:521
    • comment: Microsoft Internet Explorer 6 is installed
      oval: oval:org.mitre.oval:def:563
    • comment: Microsoft Windows XP (x86) SP3 is installed
      oval: oval:org.mitre.oval:def:5631
    • comment: Microsoft Internet Explorer 6 is installed
      oval: oval:org.mitre.oval:def:563
    • comment: Microsoft Windows Server 2003 SP1 (x86) is installed
      oval: oval:org.mitre.oval:def:565
    • comment: Microsoft Internet Explorer 6 is installed
      oval: oval:org.mitre.oval:def:563
    • comment: Microsoft Windows Server 2003 SP2 (x86) is installed
      oval: oval:org.mitre.oval:def:1935
    • comment: Microsoft Internet Explorer 6 is installed
      oval: oval:org.mitre.oval:def:563
    • comment: Microsoft Windows XP x64 Edition SP1 is installed
      oval: oval:org.mitre.oval:def:720
    • comment: Microsoft Windows Server 2003 SP1 (x64) is installed
      oval: oval:org.mitre.oval:def:4386
    • comment: Microsoft Internet Explorer 6 is installed
      oval: oval:org.mitre.oval:def:563
    • comment: Microsoft Windows XP x64 Edition SP2 is installed
      oval: oval:org.mitre.oval:def:4193
    • comment: Microsoft Windows Server 2003 SP2 (x64) is installed
      oval: oval:org.mitre.oval:def:2161
    • comment: Microsoft Internet Explorer 6 is installed
      oval: oval:org.mitre.oval:def:563
    • comment: Microsoft Windows Server 2003 (ia64) SP1 is installed
      oval: oval:org.mitre.oval:def:1205
    • comment: Microsoft Internet Explorer 6 is installed
      oval: oval:org.mitre.oval:def:563
    • comment: Microsoft Windows Server 2003 (ia64) SP2 is installed
      oval: oval:org.mitre.oval:def:1442
    • comment: Microsoft Internet Explorer 6 is installed
      oval: oval:org.mitre.oval:def:563
    • comment: Microsoft Windows XP (x86) SP2 is installed
      oval: oval:org.mitre.oval:def:754
    • comment: Microsoft Windows XP (x86) SP3 is installed
      oval: oval:org.mitre.oval:def:5631
    • comment: Microsoft Windows XP x64 Edition SP1 is installed
      oval: oval:org.mitre.oval:def:720
    • comment: Microsoft Windows XP x64 Edition SP2 is installed
      oval: oval:org.mitre.oval:def:4193
    • comment: Microsoft Internet Explorer 7 is installed
      oval: oval:org.mitre.oval:def:627
    • comment: Microsoft Windows XP (x86) SP2 is installed
      oval: oval:org.mitre.oval:def:754
    • comment: Microsoft Windows XP (x86) SP3 is installed
      oval: oval:org.mitre.oval:def:5631
    • comment: Microsoft Windows XP x64 Edition SP1 is installed
      oval: oval:org.mitre.oval:def:720
    • comment: Microsoft Windows XP x64 Edition SP2 is installed
      oval: oval:org.mitre.oval:def:4193
    • comment: Microsoft Internet Explorer 7 is installed
      oval: oval:org.mitre.oval:def:627
    • comment: Microsoft Windows Server 2003 SP1 (x86) is installed
      oval: oval:org.mitre.oval:def:565
    • comment: Microsoft Windows Server 2003 SP2 (x86) is installed
      oval: oval:org.mitre.oval:def:1935
    • comment: Microsoft Windows Server 2003 SP1 (x64) is installed
      oval: oval:org.mitre.oval:def:4386
    • comment: Microsoft Windows Server 2003 SP2 (x64) is installed
      oval: oval:org.mitre.oval:def:2161
    • comment: Microsoft Windows Server 2003 (ia64) SP1 is installed
      oval: oval:org.mitre.oval:def:1205
    • comment: Microsoft Windows Server 2003 (ia64) SP2 is installed
      oval: oval:org.mitre.oval:def:1442
    • comment: Microsoft Internet Explorer 7 is installed
      oval: oval:org.mitre.oval:def:627
    • comment: Microsoft Windows Server 2003 SP1 (x86) is installed
      oval: oval:org.mitre.oval:def:565
    • comment: Microsoft Windows Server 2003 SP2 (x86) is installed
      oval: oval:org.mitre.oval:def:1935
    • comment: Microsoft Windows Server 2003 SP1 (x64) is installed
      oval: oval:org.mitre.oval:def:4386
    • comment: Microsoft Windows Server 2003 SP2 (x64) is installed
      oval: oval:org.mitre.oval:def:2161
    • comment: Microsoft Windows Server 2003 (ia64) SP1 is installed
      oval: oval:org.mitre.oval:def:1205
    • comment: Microsoft Windows Server 2003 (ia64) SP2 is installed
      oval: oval:org.mitre.oval:def:1442
    • comment: Microsoft Internet Explorer 7 is installed
      oval: oval:org.mitre.oval:def:627
    • comment: Microsoft Windows Vista (32-bit) is installed
      oval: oval:org.mitre.oval:def:1282
    • comment: Microsoft Windows Vista x64 Edition is installed
      oval: oval:org.mitre.oval:def:2041
    • comment: Microsoft Windows Vista (32-bit) is installed
      oval: oval:org.mitre.oval:def:1282
    • comment: Microsoft Windows Vista x64 Edition is installed
      oval: oval:org.mitre.oval:def:2041
    • comment: Microsoft Windows Vista (32-bit) Service Pack 1 is installed
      oval: oval:org.mitre.oval:def:4873
    • comment: Microsoft Windows Vista x64 Edition Service Pack 1 is installed
      oval: oval:org.mitre.oval:def:5254
    • comment: Microsoft Windows Server 2008 (32-bit) is installed
      oval: oval:org.mitre.oval:def:4870
    • comment: Microsoft Windows Server 2008 x64 Edition is installed
      oval: oval:org.mitre.oval:def:5356
    • comment: Microsoft Windows Server 2008 Itanium-Based Edition is installed
      oval: oval:org.mitre.oval:def:5667
    • comment: Microsoft Windows Vista (32-bit) Service Pack 1 is installed
      oval: oval:org.mitre.oval:def:4873
    • comment: Microsoft Windows Vista x64 Edition Service Pack 1 is installed
      oval: oval:org.mitre.oval:def:5254
    • comment: Microsoft Windows Server 2008 (32-bit) is installed
      oval: oval:org.mitre.oval:def:4870
    • comment: Microsoft Windows Server 2008 x64 Edition is installed
      oval: oval:org.mitre.oval:def:5356
    • comment: Microsoft Windows Server 2008 Itanium-Based Edition is installed
      oval: oval:org.mitre.oval:def:5667
    description: Windows HTTP Services (aka WinHTTP) in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008; and WinINet in Microsoft Internet Explorer 5.01 SP4, 6 SP1, 6 and 7 on Windows XP SP2 and SP3, 6 and 7 on Windows Server 2003 SP1 and SP2, 7 on Windows Vista Gold and SP1, and 7 on Windows Server 2008; allows remote web servers to capture and replay NTLM credentials, and execute arbitrary code, via vectors related to absence of a "credential-reflection protections" opt-in step, aka "Windows HTTP Services Credential Reflection Vulnerability" and "WinINet Credential Reflection Vulnerability."
    family: windows
    id: oval:org.mitre.oval:def:6233
    status: deprecated
    submitted: 2009-04-14T16:00:00
    title: WinINet Credential Reflection Vulnerability
    version: 71
  • accepted: 2014-08-18T04:06:30.302-04:00
    class: vulnerability
    contributors:
    • name: J. Daniel Brown
      organization: DTCC
    • name: Mike Lah
      organization: The MITRE Corporation
    • name: Shane Shaffer
      organization: G2, Inc.
    • name: Maria Mikhno
      organization: ALTX-SOFT
    definition_extensions:
    • comment: Microsoft Windows 2000 is installed
      oval: oval:org.mitre.oval:def:85
    • comment: Microsoft Internet Explorer 5.01 SP4 is installed
      oval: oval:org.mitre.oval:def:325
    • comment: Microsoft Windows 2000 is installed
      oval: oval:org.mitre.oval:def:85
    • comment: Microsoft Internet Explorer 6 is installed
      oval: oval:org.mitre.oval:def:563
    • comment: Microsoft Windows XP is installed
      oval: oval:org.mitre.oval:def:105
    • comment: Microsoft Internet Explorer 6 is installed
      oval: oval:org.mitre.oval:def:563
    • comment: Microsoft Windows XP (32-bit) is installed
      oval: oval:org.mitre.oval:def:1353
    • comment: Microsoft Internet Explorer 6 is installed
      oval: oval:org.mitre.oval:def:563
    • comment: Microsoft Windows Server 2003 (32-bit) is installed
      oval: oval:org.mitre.oval:def:1870
    • comment: Microsoft Internet Explorer 6 is installed
      oval: oval:org.mitre.oval:def:563
    • comment: Microsoft Windows Server 2003 (32-bit) is installed
      oval: oval:org.mitre.oval:def:1870
    • comment: Microsoft Internet Explorer 6 is installed
      oval: oval:org.mitre.oval:def:563
    • comment: Microsoft Windows XP x64 is installed
      oval: oval:org.mitre.oval:def:15247
    • comment: Microsoft Windows Server 2003 (x64) is installed
      oval: oval:org.mitre.oval:def:730
    • comment: Microsoft Internet Explorer 6 is installed
      oval: oval:org.mitre.oval:def:563
    • comment: Microsoft Windows XP x64 is installed
      oval: oval:org.mitre.oval:def:15247
    • comment: Microsoft Windows Server 2003 (x64) is installed
      oval: oval:org.mitre.oval:def:730
    • comment: Microsoft Internet Explorer 6 is installed
      oval: oval:org.mitre.oval:def:563
    • comment: Microsoft Windows Server 2003 (ia64) Gold is installed
      oval: oval:org.mitre.oval:def:396
    • comment: Microsoft Internet Explorer 6 is installed
      oval: oval:org.mitre.oval:def:563
    • comment: Microsoft Windows Server 2003 (ia64) Gold is installed
      oval: oval:org.mitre.oval:def:396
    • comment: Microsoft Internet Explorer 6 is installed
      oval: oval:org.mitre.oval:def:563
    • comment: Microsoft Windows XP (32-bit) is installed
      oval: oval:org.mitre.oval:def:1353
    • comment: Microsoft Windows XP x64 is installed
      oval: oval:org.mitre.oval:def:15247
    • comment: Microsoft Internet Explorer 7 is installed
      oval: oval:org.mitre.oval:def:627
    • comment: Microsoft Windows XP (32-bit) is installed
      oval: oval:org.mitre.oval:def:1353
    • comment: Microsoft Windows XP x64 is installed
      oval: oval:org.mitre.oval:def:15247
    • comment: Microsoft Internet Explorer 7 is installed
      oval: oval:org.mitre.oval:def:627
    • comment: Microsoft Windows Server 2003 (32-bit) is installed
      oval: oval:org.mitre.oval:def:1870
    • comment: Microsoft Windows Server 2003 (x64) is installed
      oval: oval:org.mitre.oval:def:730
    • comment: Microsoft Windows Server 2003 (ia64) Gold is installed
      oval: oval:org.mitre.oval:def:396
    • comment: Microsoft Internet Explorer 7 is installed
      oval: oval:org.mitre.oval:def:627
    • comment: Microsoft Windows Server 2003 (32-bit) is installed
      oval: oval:org.mitre.oval:def:1870
    • comment: Microsoft Windows Server 2003 (x64) is installed
      oval: oval:org.mitre.oval:def:730
    • comment: Microsoft Windows Server 2003 (ia64) Gold is installed
      oval: oval:org.mitre.oval:def:396
    • comment: Microsoft Internet Explorer 7 is installed
      oval: oval:org.mitre.oval:def:627
    • comment: Microsoft Windows Vista (32-bit) is installed
      oval: oval:org.mitre.oval:def:1282
    • comment: Microsoft Windows Vista x64 Edition is installed
      oval: oval:org.mitre.oval:def:2041
    • comment: Microsoft Windows Vista (32-bit) is installed
      oval: oval:org.mitre.oval:def:1282
    • comment: Microsoft Windows Vista x64 Edition is installed
      oval: oval:org.mitre.oval:def:2041
    • comment: Microsoft Windows Vista (32-bit) is installed
      oval: oval:org.mitre.oval:def:1282
    • comment: Microsoft Windows Vista x64 Edition is installed
      oval: oval:org.mitre.oval:def:2041
    • comment: Microsoft Windows Server 2008 (32-bit) is installed
      oval: oval:org.mitre.oval:def:4870
    • comment: Microsoft Windows Server 2008 (64-bit) is installed
      oval: oval:org.mitre.oval:def:5356
    • comment: Microsoft Windows Server 2008 (ia-64) is installed
      oval: oval:org.mitre.oval:def:5667
    • comment: Microsoft Windows Vista (32-bit) is installed
      oval: oval:org.mitre.oval:def:1282
    • comment: Microsoft Windows Vista x64 Edition is installed
      oval: oval:org.mitre.oval:def:2041
    • comment: Microsoft Windows Server 2008 (32-bit) is installed
      oval: oval:org.mitre.oval:def:4870
    • comment: Microsoft Windows Server 2008 (64-bit) is installed
      oval: oval:org.mitre.oval:def:5356
    • comment: Microsoft Windows Server 2008 (ia-64) is installed
      oval: oval:org.mitre.oval:def:5667
    • comment: Microsoft Windows 2000 is installed
      oval: oval:org.mitre.oval:def:85
    • comment: Microsoft Windows XP (32-bit) is installed
      oval: oval:org.mitre.oval:def:1353
    • comment: Microsoft Windows XP (32-bit) is installed
      oval: oval:org.mitre.oval:def:1353
    • comment: Microsoft Windows XP x64 is installed
      oval: oval:org.mitre.oval:def:15247
    • comment: Microsoft Windows XP x64 is installed
      oval: oval:org.mitre.oval:def:15247
    • comment: Microsoft Windows Server 2003 (32-bit) is installed
      oval: oval:org.mitre.oval:def:1870
    • comment: Microsoft Windows Server 2003 (x64) is installed
      oval: oval:org.mitre.oval:def:730
    • comment: Microsoft Windows Server 2003 (ia64) Gold is installed
      oval: oval:org.mitre.oval:def:396
    • comment: Microsoft Windows Server 2003 (32-bit) is installed
      oval: oval:org.mitre.oval:def:1870
    • comment: Microsoft Windows Server 2003 (x64) is installed
      oval: oval:org.mitre.oval:def:730
    • comment: Microsoft Windows Server 2003 (ia64) Gold is installed
      oval: oval:org.mitre.oval:def:396
    • comment: Microsoft Windows Vista (32-bit) is installed
      oval: oval:org.mitre.oval:def:1282
    • comment: Microsoft Windows Vista x64 Edition is installed
      oval: oval:org.mitre.oval:def:2041
    • comment: Microsoft Windows Vista (32-bit) is installed
      oval: oval:org.mitre.oval:def:1282
    • comment: Microsoft Windows Vista x64 Edition is installed
      oval: oval:org.mitre.oval:def:2041
    • comment: Microsoft Windows Vista (32-bit) is installed
      oval: oval:org.mitre.oval:def:1282
    • comment: Microsoft Windows Vista x64 Edition is installed
      oval: oval:org.mitre.oval:def:2041
    • comment: Microsoft Windows Server 2008 (32-bit) is installed
      oval: oval:org.mitre.oval:def:4870
    • comment: Microsoft Windows Server 2008 (64-bit) is installed
      oval: oval:org.mitre.oval:def:5356
    • comment: Microsoft Windows Server 2008 (ia-64) is installed
      oval: oval:org.mitre.oval:def:5667
    • comment: Microsoft Windows Vista (32-bit) is installed
      oval: oval:org.mitre.oval:def:1282
    • comment: Microsoft Windows Vista x64 Edition is installed
      oval: oval:org.mitre.oval:def:2041
    • comment: Microsoft Windows Server 2008 (32-bit) is installed
      oval: oval:org.mitre.oval:def:4870
    • comment: Microsoft Windows Server 2008 (64-bit) is installed
      oval: oval:org.mitre.oval:def:5356
    • comment: Microsoft Windows Server 2008 (ia-64) is installed
      oval: oval:org.mitre.oval:def:5667
    description: Windows HTTP Services (aka WinHTTP) in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008; and WinINet in Microsoft Internet Explorer 5.01 SP4, 6 SP1, 6 and 7 on Windows XP SP2 and SP3, 6 and 7 on Windows Server 2003 SP1 and SP2, 7 on Windows Vista Gold and SP1, and 7 on Windows Server 2008; allows remote web servers to capture and replay NTLM credentials, and execute arbitrary code, via vectors related to absence of a "credential-reflection protections" opt-in step, aka "Windows HTTP Services Credential Reflection Vulnerability" and "WinINet Credential Reflection Vulnerability."
    family: windows
    id: oval:org.mitre.oval:def:7569
    status: accepted
    submitted: 2009-12-26T17:00:00.000-05:00
    title: WinINet and Windows HTTP Services Credential Reflection Vulnerability
    version: 79

Saint

bid: 34439
description: Internet Explorer WinINet credential reflection vulnerability
id: win_patch_ie_v5,win_patch_ie_v6,win_patch_ie_v7
osvdb: 53619
title: ie_wininet_credential_reflection
type: client

Seebug

bulletinFamily: exploit
description: BUGTRAQ ID: 34439 CVE(CAN) ID: CVE-2009-0550
  Microsoft Windows is a very popular operating system released by Microsoft. Windows HTTP Services does not correctly implement NTLM credential-reflection protection to ensure that a user's credentials are not reflected back and used. If a user connects to an attacker's web server, the way Windows HTTP Services handles NTLM credentials allows the attacker to replay the user's credentials and execute arbitrary code with the privileges of the logged-on user. If the user is logged on with administrative user rights, an attacker who successfully exploits this vulnerability can take complete control of the affected system.
  Affected: Microsoft Internet Explorer 7.0, Microsoft Internet Explorer 6.0 SP1, Microsoft Internet Explorer 6.0, Microsoft Internet Explorer 5.0.1 SP4, Microsoft Windows XP x64 SP2, Microsoft Windows XP x64, Microsoft Windows XP SP3, Microsoft Windows XP SP2, Microsoft Windows Vista SP1, Microsoft Windows Vista, Microsoft Windows Server 2008, Microsoft Windows Server 2003 SP2, Microsoft Windows Server 2003 SP1, Microsoft Windows 2000 SP4
  Vendor patch (Microsoft): Microsoft has released two security bulletins (MS09-013/MS09-014) and the corresponding patches:
  MS09-013: Vulnerabilities in Windows HTTP Services Could Allow Remote Code Execution (960803)
  Link: http://www.microsoft.com/technet/security/bulletin/MS09-013.mspx?pf=true
  MS09-014: Cumulative Security Update for Internet Explorer (963027)
  Link: http://www.microsoft.com/technet/security/bulletin/MS09-014.mspx?pf=true
id: SSV:5053
last seen: 2017-11-19
modified: 2009-04-16
published: 2009-04-16
reporter: Root
title: Microsoft Windows NTLM Credential Reflection Remote Code Execution Vulnerability (MS09-013/MS09-014)