Vulnerabilities > CVE-2009-1924 - Numeric Errors vulnerability in Microsoft Windows 2000 and Windows 2003 Server
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Integer overflow in the Windows Internet Name Service (WINS) component for Microsoft Windows 2000 SP4 allows remote WINS replication partners to execute arbitrary code via crafted data structures in a packet, aka "WINS Integer Overflow Vulnerability."
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| OS | 4 |
Common Weakness Enumeration (CWE)
Msbulletin
| bulletin_id | MS09-039 |
| bulletin_url | |
| date | 2009-08-11T00:00:00 |
| impact | Remote Code Execution |
| knowledgebase_id | 969883 |
| knowledgebase_url | |
| severity | Critical |
| title | Vulnerabilities in WINS Could Allow Remote Code Execution |
Nessus
NASL family Windows : Microsoft Bulletins NASL id SMB_NT_MS09-039.NASL description The remote host has a Windows WINS server installed. The remote version of this server contains two vulnerabilities that may allow an attacker to execute arbitrary code on the remote system : - A heap overflow vulnerability can be exploited by any attacker. - A integer overflow vulnerability can be exploited by a WINS replication partner. An attacker may use these flaws to execute arbitrary code on the remote system with SYSTEM privileges. last seen 2020-06-01 modified 2020-06-02 plugin id 40558 published 2009-08-12 reporter This script is Copyright (C) 2009-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/40558 title MS09-039: Vulnerabilities in WINS Could Allow Remote Code Execution (969883) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(40558); script_version("1.26"); script_cvs_date("Date: 2018/11/15 20:50:30"); script_cve_id("CVE-2009-1923", "CVE-2009-1924"); script_bugtraq_id(35980, 35981); script_xref(name:"MSFT", value:"MS09-039"); script_xref(name:"MSKB", value:"969883"); script_name(english:"MS09-039: Vulnerabilities in WINS Could Allow Remote Code Execution (969883)"); script_summary(english:"Determines the presence of update 969883"); script_set_attribute(attribute:"synopsis", value: "Arbitrary code can be executed on the remote host through the WINS service."); script_set_attribute(attribute:"description", value: "The remote host has a Windows WINS server installed. The remote version of this server contains two vulnerabilities that may allow an attacker to execute arbitrary code on the remote system : - A heap overflow vulnerability can be exploited by any attacker. - A integer overflow vulnerability can be exploited by a WINS replication partner. An attacker may use these flaws to execute arbitrary code on the remote system with SYSTEM privileges."); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-039"); script_set_attribute(attribute:"solution", value: "Microsoft has released a set of patches for Windows 2000 and 2003."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_cwe_id(119, 189); script_set_attribute(attribute:"vuln_publication_date", value:"2009/08/11"); script_set_attribute(attribute:"patch_publication_date", value:"2009/08/11"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/08/12"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows : Microsoft Bulletins"); script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc."); script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, 'Host/patch_management_checks'); exit(0); } include("audit.inc"); include("smb_func.inc"); include("smb_hotfixes.inc"); include("smb_hotfixes_fcheck.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS09-039'; kb = '969883'; kbs = make_list(kb); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); get_kb_item_or_exit("SMB/Registry/Enumerated"); get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1); if (hotfix_check_sp_range(win2k:'4,5', win2003:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN); if (!get_kb_item("SMB/Registry/HKLM/SYSTEM/CurrentControlSet/Services/WINS/DisplayName")) exit(0, "The host is not operate as a WINS server."); rootfile = hotfix_get_systemroot(); if (!rootfile) exit(1, "Failed to get the system root."); share = hotfix_path2share(path:rootfile); if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share); if ( # Windows Server 2003 hotfix_is_vulnerable(os:"5.2", file:"Wins.exe", version:"5.2.3790.4520", dir:"\System32", bulletin:bulletin, kb:kb) || # Windows 2000 hotfix_is_vulnerable(os:"5.0", file:"Wins.exe", version:"5.0.2195.7300", dir:"\System32", bulletin:bulletin, kb:kb) ) { set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE); hotfix_security_hole(); hotfix_check_fversion_end(); exit(0); } else { hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, 'affected'); }NASL family Windows NASL id WINS_REPLICATION_OVERFLOW2.NASL description The remote host has a Windows WINS server installed. The remote version of this server has two vulnerabilities that may allow an attacker to execute arbitrary code on the remote system: - One heap overflow vulnerability can be exploited by any attacker. - One integer overflow vulnerability can be exploited by a WINS replication partner. An attacker may use these flaws to execute arbitrary code on the remote system with SYSTEM privileges. last seen 2020-06-01 modified 2020-06-02 plugin id 40564 published 2009-08-12 reporter This script is Copyright (C) 2009-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/40564 title MS09-039: Vulnerabilities in WINS Could Allow Remote Code Execution (969883) (uncredentialed check) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(40564); script_version("1.24"); script_cve_id("CVE-2009-1923", "CVE-2009-1924"); script_bugtraq_id(35980, 35981); script_xref(name:"MSFT", value:"MS09-039"); script_xref(name:"MSKB", value:"969883"); script_name(english: "MS09-039: Vulnerabilities in WINS Could Allow Remote Code Execution (969883) (uncredentialed check)"); script_summary(english:"Determines the presence of update 969883"); script_set_attribute( attribute:"synopsis", value:"Arbitrary code can be executed on the remote host through the WINS service" ); script_set_attribute( attribute:"description", value: "The remote host has a Windows WINS server installed. The remote version of this server has two vulnerabilities that may allow an attacker to execute arbitrary code on the remote system: - One heap overflow vulnerability can be exploited by any attacker. - One integer overflow vulnerability can be exploited by a WINS replication partner. An attacker may use these flaws to execute arbitrary code on the remote system with SYSTEM privileges." ); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-039"); script_set_attribute( attribute:"solution", value: "Microsoft has released a set of patches for Windows 2000 and 2003."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_cwe_id(119, 189); script_set_attribute(attribute:"plugin_publication_date", value: "2009/08/12"); script_cvs_date("Date: 2018/11/15 20:50:29"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc."); script_dependencies("netbios_name_get.nasl"); script_require_ports(42); exit(0); } # include('byte_func.inc'); port = 42; if ( ! get_port_state(port) ) exit(0, "Port 42 is closed"); soc = open_sock_tcp(port); if ( ! soc ) exit(0, "Port 42 is closed"); request = raw_string (0x00,0x00,0x00,0x29,0x00,0x00,0x78,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x40,0x00,0x02,0x00,0x05, 0x00,0x00,0x00,0x00,0x60,0x56,0x02,0x01,0x00,0x1F,0x6E,0x03, 0x00,0x1F,0x6E,0x03,0x08,0xFE,0x66,0x03,0x00); send(socket:soc, data:request); r = recv(socket:soc, length:4); if (!r || strlen(r) != 4 ) exit (0, "WINS server shut the connection down"); len = getdword(blob:r, pos:0); if ( len > 256 ) exit(1, "Invalid WINS reply"); r += recv(socket:soc, length:len); if (strlen(r) < 20) exit (1, "Invalid WINS reply"); if (ord(r[6]) != 0x78) exit (1, "Invalid WINS reply"); pointer = substr(r,16,19); request = raw_string (0x00,0x00,0x00,0x09,0xC7,0xF5,0xEC,0xE1) + pointer + raw_string( 0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x00); send(socket:soc, data:request); r = recv(socket:soc, length:4); if (!r || strlen(r) != 4 ) exit (0, "Server is patched"); len = getdword(blob:r, pos:0); if ( len > 256 ) exit(1, "Invalid WINS reply"); r += recv(socket:soc, length:len); close(soc); if (ord(r[6]) == 0x78) security_hole(port); else exit(0, "Server is patched");
Oval
| accepted | 2009-09-28T04:00:25.942-04:00 | ||||
| class | vulnerability | ||||
| contributors |
| ||||
| definition_extensions |
| ||||
| description | Integer overflow in the Windows Internet Name Service (WINS) component for Microsoft Windows 2000 SP4 allows remote WINS replication partners to execute arbitrary code via crafted data structures in a packet, aka "WINS Integer Overflow Vulnerability." | ||||
| family | windows | ||||
| id | oval:org.mitre.oval:def:6354 | ||||
| status | accepted | ||||
| submitted | 2009-07-28T13:00:00 | ||||
| title | WINS Integer Overflow Vulnerability | ||||
| version | 69 |
Seebug
| bulletinFamily | exploit |
| description | BUGTRAQ ID: 35981 CVE(CAN) ID: CVE-2009-1924 Microsoft Windows是微软发布的非常流行的操作系统。 Windows服务器上的WINS.exe进程用于为NetBIOS网络提供名称解析服务。在从受信任的WINS复制伙伴收到特制WINS报文中时没有充分验证数据结构,如果远程攻击者提供了特制的请求,就可以触发整数溢出,导致以SYSTEM权限执行任意代码。 Microsoft Windows 2000 Server SP4 临时解决方法: * 在防火墙上屏蔽TCP 42和UDP 42端口。 厂商补丁: Microsoft --------- Microsoft已经为此发布了一个安全公告(MS09-039)以及相应补丁: MS09-039:Vulnerabilities in WINS Could Allow Remote Code Execution (969883) 链接:http://www.microsoft.com/technet/security/bulletin/ms09-039.mspx?pf=true |
| id | SSV:12045 |
| last seen | 2017-11-19 |
| modified | 2009-08-12 |
| published | 2009-08-12 |
| reporter | Root |
| title | Microsoft Windows WINS Server网络报文整数溢出漏洞(MS09-039) |