Vulnerabilities > CVE-2009-1544 - Resource Management Errors vulnerability in Microsoft products

047910
CVSS 9.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
SINGLE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
microsoft
CWE-399
critical
nessus

Summary

Double free vulnerability in the Workstation service in Microsoft Windows allows remote authenticated users to gain privileges via a crafted RPC message to a Windows XP SP2 or SP3 or Server 2003 SP2 system, or cause a denial of service via a crafted RPC message to a Vista Gold, SP1, or SP2 or Server 2008 Gold or SP2 system, aka "Workstation Service Memory Corruption Vulnerability."

Common Weakness Enumeration (CWE)

Msbulletin

bulletin_idMS09-041
bulletin_url
date2009-08-11T00:00:00
impactElevation of Privilege
knowledgebase_id971657
knowledgebase_url
severityImportant
titleVulnerability in Workstation Service Could Allow Elevation of Privilege

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS09-041.NASL
descriptionThe remote host contains a version of the
last seen2020-06-01
modified2020-06-02
plugin id40560
published2009-08-11
reporterThis script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/40560
titleMS09-041: Vulnerability in Workstation Service Could Allow Elevation of Privilege (971657)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(40560);
 script_version("1.20");
 script_cvs_date("Date: 2018/11/15 20:50:30");

 script_cve_id("CVE-2009-1544");
 script_bugtraq_id(35972);
 script_xref(name:"MSFT", value:"MS09-041");
 script_xref(name:"MSKB", value:"971657");
 script_xref(name:"IAVB", value:"2009-B-0035");

 script_name(english:"MS09-041: Vulnerability in Workstation Service Could Allow Elevation of Privilege (971657)");
 script_summary(english:"Checks for hotfix 971657");

 script_set_attribute(attribute:"synopsis", value:"Users can elevate their privileges on the remote host.");
 script_set_attribute(attribute:"description", value:
"The remote host contains a version of the 'Workstation' service that
contains a memory corruption vulnerability that might allow an attacker
with valid credentials to execute arbitrary code on the remote host.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-041");
 script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows XP, 2003, Vista and
Server 2008.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"exploit_framework_core", value:"true");
 script_cwe_id(399);

 script_set_attribute(attribute:"vuln_publication_date", value:"2009/08/11");
 script_set_attribute(attribute:"patch_publication_date", value:"2009/08/11");
 script_set_attribute(attribute:"plugin_publication_date", value:"2009/08/11");

 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_set_attribute(attribute:"stig_severity", value:"II");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);
 script_family(english:"Windows : Microsoft Bulletins");

 script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");

 script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");
 script_require_ports(139, 445, 'Host/patch_management_checks');
 exit(0);
}


include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS09-041';
kb = '971657';

kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);


get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(xp:'2,3', win2003:'2', vista:'0,2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if (
  hotfix_is_vulnerable(os:"5.1", sp:2, file:"wkssvc.dll", version:"5.1.2600.3584", dir:"\system32", bulletin:bulletin, kb:kb)  ||
  hotfix_is_vulnerable(os:"5.1", sp:3, file:"wkssvc.dll", version:"5.1.2600.5826", dir:"\system32", bulletin:bulletin, kb:kb)  ||
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"wkssvc.dll", version:"5.2.3790.4530", dir:"\system32", bulletin:bulletin, kb:kb)  ||
  hotfix_is_vulnerable(os:"6.0", sp:0, file:"wkssvc.dll", version:"6.0.6000.16868", dir:"\system32", bulletin:bulletin, kb:kb)  ||
  hotfix_is_vulnerable(os:"6.0", sp:0, file:"wkssvc.dll", version:"6.0.6000.21065", min_version:"6.0.6000.21000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:1, file:"wkssvc.dll", version:"6.0.6001.18270", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:1, file:"wkssvc.dll", version:"6.0.6001.22447", min_version:"6.0.6001.22000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"wkssvc.dll", version:"6.0.6002.18049", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"wkssvc.dll", version:"6.0.6002.22150", min_version:"6.0.6002.22000", dir:"\system32", bulletin:bulletin, kb:kb)
)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

Oval

accepted2011-10-03T04:00:07.430-04:00
classvulnerability
contributors
  • nameDragos Prisaca
    organizationGideon Technologies, Inc.
  • namePradeep R B
    organizationSecPod Technologies
definition_extensions
  • commentMicrosoft Windows XP (x86) SP2 is installed
    ovaloval:org.mitre.oval:def:754
  • commentMicrosoft Windows XP (x86) SP3 is installed
    ovaloval:org.mitre.oval:def:5631
  • commentMicrosoft Windows XP x64 Edition SP2 is installed
    ovaloval:org.mitre.oval:def:4193
  • commentMicrosoft Windows Server 2003 SP2 (x86) is installed
    ovaloval:org.mitre.oval:def:1935
  • commentMicrosoft Windows Server 2003 SP2 (x64) is installed
    ovaloval:org.mitre.oval:def:2161
  • commentMicrosoft Windows Server 2003 (ia64) SP2 is installed
    ovaloval:org.mitre.oval:def:1442
  • commentMicrosoft Windows Vista (32-bit) is installed
    ovaloval:org.mitre.oval:def:1282
  • commentMicrosoft Windows Vista x64 Edition is installed
    ovaloval:org.mitre.oval:def:2041
  • commentMicrosoft Windows Vista (32-bit) is installed
    ovaloval:org.mitre.oval:def:1282
  • commentMicrosoft Windows Vista x64 Edition is installed
    ovaloval:org.mitre.oval:def:2041
  • commentMicrosoft Windows Vista (32-bit) Service Pack 1 is installed
    ovaloval:org.mitre.oval:def:4873
  • commentMicrosoft Windows Vista x64 Edition Service Pack 1 is installed
    ovaloval:org.mitre.oval:def:5254
  • commentMicrosoft Windows Server 2008 (32-bit) is installed
    ovaloval:org.mitre.oval:def:4870
  • commentMicrosoft Windows Server 2008 (64-bit) is installed
    ovaloval:org.mitre.oval:def:5356
  • commentMicrosoft Windows Server 2008 (ia-64) is installed
    ovaloval:org.mitre.oval:def:5667
  • commentMicrosoft Windows Vista (32-bit) Service Pack 1 is installed
    ovaloval:org.mitre.oval:def:4873
  • commentMicrosoft Windows Vista x64 Edition Service Pack 1 is installed
    ovaloval:org.mitre.oval:def:5254
  • commentMicrosoft Windows Server 2008 (32-bit) is installed
    ovaloval:org.mitre.oval:def:4870
  • commentMicrosoft Windows Server 2008 (64-bit) is installed
    ovaloval:org.mitre.oval:def:5356
  • commentMicrosoft Windows Server 2008 (ia-64) is installed
    ovaloval:org.mitre.oval:def:5667
  • commentMicrosoft Windows Vista (32-bit) Service Pack 2 is installed
    ovaloval:org.mitre.oval:def:6124
  • commentMicrosoft Windows Vista x64 Edition Service Pack 2 is installed
    ovaloval:org.mitre.oval:def:5594
  • commentMicrosoft Windows Server 2008 (32-bit) Service Pack 2 is installed
    ovaloval:org.mitre.oval:def:5653
  • commentMicrosoft Windows Server 2008 x64 Edition Service Pack 2 is installed
    ovaloval:org.mitre.oval:def:6216
  • commentMicrosoft Windows Server 2008 Itanium-Based Edition Service Pack 2 is installed
    ovaloval:org.mitre.oval:def:6150
  • commentMicrosoft Windows Vista (32-bit) Service Pack 2 is installed
    ovaloval:org.mitre.oval:def:6124
  • commentMicrosoft Windows Vista x64 Edition Service Pack 2 is installed
    ovaloval:org.mitre.oval:def:5594
  • commentMicrosoft Windows Server 2008 (32-bit) Service Pack 2 is installed
    ovaloval:org.mitre.oval:def:5653
  • commentMicrosoft Windows Server 2008 x64 Edition Service Pack 2 is installed
    ovaloval:org.mitre.oval:def:6216
  • commentMicrosoft Windows Server 2008 Itanium-Based Edition Service Pack 2 is installed
    ovaloval:org.mitre.oval:def:6150
descriptionDouble free vulnerability in the Workstation service in Microsoft Windows allows remote authenticated users to gain privileges via a crafted RPC message to a Windows XP SP2 or SP3 or Server 2003 SP2 system, or cause a denial of service via a crafted RPC message to a Vista Gold, SP1, or SP2 or Server 2008 Gold or SP2 system, aka "Workstation Service Memory Corruption Vulnerability."
familywindows
idoval:org.mitre.oval:def:6286
statusaccepted
submitted2009-07-28T13:00:00
titleWorkstation Service Memory Corruption Vulnerability
version73

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 35972 CVE(CAN) ID: CVE-2009-1544 Microsoft Windows是微软发布的非常流行的操作系统。 Workstation RPC服务在处理发送给NetrGetJoinInformation函数的参数时没有正确地释放内存,可能出现“双重释放”的情况。成功利用此漏洞的攻击者可以使用提升的权限运行任意指令。攻击者可随后安装程序;查看、更改或删除数据;或者创建拥有完全用户权限的新帐户。 Microsoft Windows XP SP3 Microsoft Windows XP SP2 Microsoft Windows Vista SP2 Microsoft Windows Vista SP1 Microsoft Windows Vista Microsoft Windows Server 2008 SP2 Microsoft Windows Server 2008 Microsoft Windows Server 2003 SP2 临时解决方法: * 在防火墙处阻止TCP 139和445端口。 厂商补丁: Microsoft --------- Microsoft已经为此发布了一个安全公告(MS09-041)以及相应补丁: MS09-041:Vulnerability in Workstation Service Could Allow Elevation of Privilege (971657) 链接:http://www.microsoft.com/technet/security/bulletin/MS09-041.mspx?pf=true
idSSV:12040
last seen2017-11-19
modified2009-08-12
published2009-08-12
reporterRoot
titleMicrosoft Windows Workstation服务双重释放代码执行漏洞(MS09-041)