Vulnerabilities > CVE-2009-1923 - Buffer Errors vulnerability in Microsoft Windows 2000 and Windows 2003 Server
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Heap-based buffer overflow in the Windows Internet Name Service (WINS) component for Microsoft Windows 2000 SP4 and Server 2003 SP2 allows remote attackers to execute arbitrary code via a crafted WINS replication packet that triggers an incorrect buffer-length calculation, aka "WINS Heap Overflow Vulnerability."
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| OS | 4 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Msbulletin
| bulletin_id | MS09-039 |
| bulletin_url | |
| date | 2009-08-11T00:00:00 |
| impact | Remote Code Execution |
| knowledgebase_id | 969883 |
| knowledgebase_url | |
| severity | Critical |
| title | Vulnerabilities in WINS Could Allow Remote Code Execution |
Nessus
NASL family Windows : Microsoft Bulletins NASL id SMB_NT_MS09-039.NASL description The remote host has a Windows WINS server installed. The remote version of this server contains two vulnerabilities that may allow an attacker to execute arbitrary code on the remote system : - A heap overflow vulnerability can be exploited by any attacker. - A integer overflow vulnerability can be exploited by a WINS replication partner. An attacker may use these flaws to execute arbitrary code on the remote system with SYSTEM privileges. last seen 2020-06-01 modified 2020-06-02 plugin id 40558 published 2009-08-12 reporter This script is Copyright (C) 2009-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/40558 title MS09-039: Vulnerabilities in WINS Could Allow Remote Code Execution (969883) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(40558); script_version("1.26"); script_cvs_date("Date: 2018/11/15 20:50:30"); script_cve_id("CVE-2009-1923", "CVE-2009-1924"); script_bugtraq_id(35980, 35981); script_xref(name:"MSFT", value:"MS09-039"); script_xref(name:"MSKB", value:"969883"); script_name(english:"MS09-039: Vulnerabilities in WINS Could Allow Remote Code Execution (969883)"); script_summary(english:"Determines the presence of update 969883"); script_set_attribute(attribute:"synopsis", value: "Arbitrary code can be executed on the remote host through the WINS service."); script_set_attribute(attribute:"description", value: "The remote host has a Windows WINS server installed. The remote version of this server contains two vulnerabilities that may allow an attacker to execute arbitrary code on the remote system : - A heap overflow vulnerability can be exploited by any attacker. - A integer overflow vulnerability can be exploited by a WINS replication partner. An attacker may use these flaws to execute arbitrary code on the remote system with SYSTEM privileges."); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-039"); script_set_attribute(attribute:"solution", value: "Microsoft has released a set of patches for Windows 2000 and 2003."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_cwe_id(119, 189); script_set_attribute(attribute:"vuln_publication_date", value:"2009/08/11"); script_set_attribute(attribute:"patch_publication_date", value:"2009/08/11"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/08/12"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows : Microsoft Bulletins"); script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc."); script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, 'Host/patch_management_checks'); exit(0); } include("audit.inc"); include("smb_func.inc"); include("smb_hotfixes.inc"); include("smb_hotfixes_fcheck.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS09-039'; kb = '969883'; kbs = make_list(kb); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); get_kb_item_or_exit("SMB/Registry/Enumerated"); get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1); if (hotfix_check_sp_range(win2k:'4,5', win2003:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN); if (!get_kb_item("SMB/Registry/HKLM/SYSTEM/CurrentControlSet/Services/WINS/DisplayName")) exit(0, "The host is not operate as a WINS server."); rootfile = hotfix_get_systemroot(); if (!rootfile) exit(1, "Failed to get the system root."); share = hotfix_path2share(path:rootfile); if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share); if ( # Windows Server 2003 hotfix_is_vulnerable(os:"5.2", file:"Wins.exe", version:"5.2.3790.4520", dir:"\System32", bulletin:bulletin, kb:kb) || # Windows 2000 hotfix_is_vulnerable(os:"5.0", file:"Wins.exe", version:"5.0.2195.7300", dir:"\System32", bulletin:bulletin, kb:kb) ) { set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE); hotfix_security_hole(); hotfix_check_fversion_end(); exit(0); } else { hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, 'affected'); }NASL family Windows NASL id WINS_REPLICATION_OVERFLOW2.NASL description The remote host has a Windows WINS server installed. The remote version of this server has two vulnerabilities that may allow an attacker to execute arbitrary code on the remote system: - One heap overflow vulnerability can be exploited by any attacker. - One integer overflow vulnerability can be exploited by a WINS replication partner. An attacker may use these flaws to execute arbitrary code on the remote system with SYSTEM privileges. last seen 2020-06-01 modified 2020-06-02 plugin id 40564 published 2009-08-12 reporter This script is Copyright (C) 2009-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/40564 title MS09-039: Vulnerabilities in WINS Could Allow Remote Code Execution (969883) (uncredentialed check) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(40564); script_version("1.24"); script_cve_id("CVE-2009-1923", "CVE-2009-1924"); script_bugtraq_id(35980, 35981); script_xref(name:"MSFT", value:"MS09-039"); script_xref(name:"MSKB", value:"969883"); script_name(english: "MS09-039: Vulnerabilities in WINS Could Allow Remote Code Execution (969883) (uncredentialed check)"); script_summary(english:"Determines the presence of update 969883"); script_set_attribute( attribute:"synopsis", value:"Arbitrary code can be executed on the remote host through the WINS service" ); script_set_attribute( attribute:"description", value: "The remote host has a Windows WINS server installed. The remote version of this server has two vulnerabilities that may allow an attacker to execute arbitrary code on the remote system: - One heap overflow vulnerability can be exploited by any attacker. - One integer overflow vulnerability can be exploited by a WINS replication partner. An attacker may use these flaws to execute arbitrary code on the remote system with SYSTEM privileges." ); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-039"); script_set_attribute( attribute:"solution", value: "Microsoft has released a set of patches for Windows 2000 and 2003."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_cwe_id(119, 189); script_set_attribute(attribute:"plugin_publication_date", value: "2009/08/12"); script_cvs_date("Date: 2018/11/15 20:50:29"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc."); script_dependencies("netbios_name_get.nasl"); script_require_ports(42); exit(0); } # include('byte_func.inc'); port = 42; if ( ! get_port_state(port) ) exit(0, "Port 42 is closed"); soc = open_sock_tcp(port); if ( ! soc ) exit(0, "Port 42 is closed"); request = raw_string (0x00,0x00,0x00,0x29,0x00,0x00,0x78,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x40,0x00,0x02,0x00,0x05, 0x00,0x00,0x00,0x00,0x60,0x56,0x02,0x01,0x00,0x1F,0x6E,0x03, 0x00,0x1F,0x6E,0x03,0x08,0xFE,0x66,0x03,0x00); send(socket:soc, data:request); r = recv(socket:soc, length:4); if (!r || strlen(r) != 4 ) exit (0, "WINS server shut the connection down"); len = getdword(blob:r, pos:0); if ( len > 256 ) exit(1, "Invalid WINS reply"); r += recv(socket:soc, length:len); if (strlen(r) < 20) exit (1, "Invalid WINS reply"); if (ord(r[6]) != 0x78) exit (1, "Invalid WINS reply"); pointer = substr(r,16,19); request = raw_string (0x00,0x00,0x00,0x09,0xC7,0xF5,0xEC,0xE1) + pointer + raw_string( 0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x00); send(socket:soc, data:request); r = recv(socket:soc, length:4); if (!r || strlen(r) != 4 ) exit (0, "Server is patched"); len = getdword(blob:r, pos:0); if ( len > 256 ) exit(1, "Invalid WINS reply"); r += recv(socket:soc, length:len); close(soc); if (ord(r[6]) == 0x78) security_hole(port); else exit(0, "Server is patched");
Oval
| accepted | 2009-09-28T04:00:28.690-04:00 | ||||||||||||||||
| class | vulnerability | ||||||||||||||||
| contributors |
| ||||||||||||||||
| definition_extensions |
| ||||||||||||||||
| description | Heap-based buffer overflow in the Windows Internet Name Service (WINS) component for Microsoft Windows 2000 SP4 and Server 2003 SP2 allows remote attackers to execute arbitrary code via a crafted WINS replication packet that triggers an incorrect buffer-length calculation, aka "WINS Heap Overflow Vulnerability." | ||||||||||||||||
| family | windows | ||||||||||||||||
| id | oval:org.mitre.oval:def:6410 | ||||||||||||||||
| status | accepted | ||||||||||||||||
| submitted | 2009-07-28T13:00:00 | ||||||||||||||||
| title | WINS Heap Overflow Vulnerability | ||||||||||||||||
| version | 69 |
Seebug
| bulletinFamily | exploit |
| description | BUGTRAQ ID: 35980 CVE(CAN) ID: CVE-2009-1923 Microsoft Windows是微软发布的非常流行的操作系统。 Windows服务器上的WINS.exe进程用于为NetBIOS网络提供名称解析服务。在解析push请求时WINS服务将报文数据拷贝到了静态的堆缓冲区上。如果远程攻击者提供了特制的请求,就可以触发堆溢出,导致以SYSTEM权限执行任意代码。 Microsoft Windows Server 2003 SP2 Microsoft Windows 2000 Server SP4 临时解决方法: * 在防火墙上屏蔽TCP 42和UDP 42端口。 厂商补丁: Microsoft --------- Microsoft已经为此发布了一个安全公告(MS09-039)以及相应补丁: MS09-039:Vulnerabilities in WINS Could Allow Remote Code Execution (969883) 链接:http://www.microsoft.com/technet/security/bulletin/ms09-039.mspx?pf=true |
| id | SSV:12047 |
| last seen | 2017-11-19 |
| modified | 2009-08-12 |
| published | 2009-08-12 |
| reporter | Root |
| title | Microsoft Windows WINS Server网络报文堆溢出漏洞(MS09-039) |