Vulnerabilities > CVE-2009-1930 - Credentials Management vulnerability in Microsoft products
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
The Telnet service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2 allows remote Telnet servers to execute arbitrary code on a client machine by replaying the NTLM credentials of a client user, aka "Telnet Credential Reflection Vulnerability," a related issue to CVE-2000-0834.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| OS | 18 |
Common Weakness Enumeration (CWE)
Msbulletin
| bulletin_id | MS09-042 |
| bulletin_url | |
| date | 2009-08-11T00:00:00 |
| impact | Remote Code Execution |
| knowledgebase_id | 960859 |
| knowledgebase_url | |
| severity | Important |
| title | Vulnerability in Telnet Could Allow Remote Code Execution |
Nessus
NASL family Windows : Microsoft Bulletins NASL id SMB_NT_MS09-042.NASL description The remote Telnet client does not correctly opt in to NTLM credential- reflection protections, which ensure that a user last seen 2020-06-01 modified 2020-06-02 plugin id 40561 published 2009-08-11 reporter This script is Copyright (C) 2009-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/40561 title MS09-042: Vulnerability in Telnet Could Allow Remote Code Execution (960859) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(40561); script_version("1.21"); script_cvs_date("Date: 2018/11/15 20:50:30"); script_cve_id("CVE-2009-1930"); script_bugtraq_id(35993); script_xref(name:"MSFT", value:"MS09-042"); script_xref(name:"MSKB", value:"960859"); script_xref(name:"IAVB", value:"2009-B-0037"); script_name(english:"MS09-042: Vulnerability in Telnet Could Allow Remote Code Execution (960859)"); script_summary(english:"Checks version of Telnet.exe"); script_set_attribute(attribute:"synopsis", value: "Arbitrary code can be executed on the remote host through the remote Telnet client."); script_set_attribute(attribute:"description", value: "The remote Telnet client does not correctly opt in to NTLM credential- reflection protections, which ensure that a user's credentials are not reflected back and used against the user. If a remote attacker can trick a user on the host into connecting to a malicious server with an affected version of the Telnet client, he can leverage this issue to gain the rights of that user and do anything that he has privileges to do."); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-042"); script_set_attribute(attribute:"solution", value: "Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_cwe_id(255); script_set_attribute(attribute:"vuln_publication_date", value:"2009/08/11"); script_set_attribute(attribute:"patch_publication_date", value:"2009/08/11"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/08/11"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_set_attribute(attribute:"stig_severity", value:"II"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows : Microsoft Bulletins"); script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc."); script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, 'Host/patch_management_checks'); exit(0); } include("audit.inc"); include("smb_hotfixes_fcheck.inc"); include("smb_hotfixes.inc"); include("smb_func.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS09-042'; kb = '960859'; kbs = make_list(kb); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); get_kb_item_or_exit("SMB/Registry/Enumerated"); get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1); if (hotfix_check_sp_range(win2k:'4,5', xp:'2,3', win2003:'2', vista:'0,2') <= 0) audit(AUDIT_OS_SP_NOT_VULN); rootfile = hotfix_get_systemroot(); if (!rootfile) exit(1, "Failed to get the system root."); share = hotfix_path2share(path:rootfile); if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share); if ( # Vista / Windows Server 2008 hotfix_is_vulnerable(os:"6.0", sp:2, file:"Telnet.exe", version:"6.0.6002.22150", min_version:"6.0.6002.20000", dir:"\System32", bulletin:bulletin, kb:kb) || hotfix_is_vulnerable(os:"6.0", sp:2, file:"Telnet.exe", version:"6.0.6002.18049", dir:"\System32", bulletin:bulletin, kb:kb) || hotfix_is_vulnerable(os:"6.0", sp:1, file:"Telnet.exe", version:"6.0.6001.22447", min_version:"6.0.6001.20000", dir:"\System32", bulletin:bulletin, kb:kb) || hotfix_is_vulnerable(os:"6.0", sp:1, file:"Telnet.exe", version:"6.0.6001.18270", dir:"\System32", bulletin:bulletin, kb:kb) || hotfix_is_vulnerable(os:"6.0", sp:0, file:"Telnet.exe", version:"6.0.6000.21065", min_version:"6.0.6000.20000", dir:"\System32", bulletin:bulletin, kb:kb) || hotfix_is_vulnerable(os:"6.0", sp:0, file:"Telnet.exe", version:"6.0.6000.16868", dir:"\System32", bulletin:bulletin, kb:kb) || # Windows 2003 hotfix_is_vulnerable(os:"5.2", sp:2, file:"Telnet.exe", version:"5.2.3790.4528", dir:"\System32", bulletin:bulletin, kb:kb) || # Windows XP hotfix_is_vulnerable(os:"5.1", sp:3, arch:"x86", file:"Telnet.exe", version:"5.1.2600.5829", dir:"\System32", bulletin:bulletin, kb:kb) || hotfix_is_vulnerable(os:"5.1", sp:2, arch:"x64", file:"Telnet.exe", version:"5.2.3790.4528", dir:"\System32", bulletin:bulletin, kb:kb) || hotfix_is_vulnerable(os:"5.1", sp:2, arch:"x86", file:"Telnet.exe", version:"5.1.2600.3587", dir:"\System32", bulletin:bulletin, kb:kb) || # Windows 2000 hotfix_is_vulnerable(os:"5.0", file:"Telnet.exe", version:"5.0.33670.4", dir:"\System32", bulletin:bulletin, kb:kb) ) { set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE); hotfix_security_hole(); hotfix_check_fversion_end(); exit(0); } else { hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, 'affected'); }NASL family Windows NASL id WIN_SERVER_2008_NTLM_PCI.NASL description According to the version number obtained by NTLM the remote host has Windows Server 2008 installed. The host may be vulnerable to a number of vulnerabilities including remote unauthenticated code execution. last seen 2020-06-01 modified 2020-06-02 plugin id 108811 published 2018-04-03 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/108811 title Windows Server 2008 Critical RCE Vulnerabilities (uncredentialed) (PCI/DSS)
Oval
| accepted | 2009-09-28T04:00:21.810-04:00 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| class | vulnerability | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| contributors |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| definition_extensions |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| description | The Telnet service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2 allows remote Telnet servers to execute arbitrary code on a client machine by replaying the NTLM credentials of a client user, aka "Telnet Credential Reflection Vulnerability," a related issue to CVE-2000-0834. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| family | windows | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| id | oval:org.mitre.oval:def:6302 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| status | accepted | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| submitted | 2009-07-28T13:00:00 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| title | Telnet Credential Reflection Vulnerability | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| version | 72 |
Saint
| bid | 35993 |
| description | Windows Telnet credential reflection |
| id | shell_telnet_reflect |
| osvdb | 56904 |
| title | windows_telnet_credential_reflection |
| type | client |
Seebug
| bulletinFamily | exploit |
| description | BUGTRAQ ID: 35993 CVE(CAN) ID: CVE-2009-1930 Microsoft Windows是微软发布的非常流行的操作系统。 Telnet协议未正确地选择加入NTLM凭据反射保护以确保用户凭据不被反射回来并供用户使用。如果用户受骗连接到了恶意的Telnet服务器,就可能导致反射NTLM凭据并以当前用户的权限获得系统访问。 Microsoft Windows XP SP3 Microsoft Windows XP SP2 Microsoft Windows Vista SP2 Microsoft Windows Vista SP1 Microsoft Windows Vista Microsoft Windows Server 2008 SP2 Microsoft Windows Server 2008 Microsoft Windows Server 2003 SP2 Microsoft Windows Server 2003 SP1 Microsoft Windows 2000SP4 厂商补丁: Microsoft --------- Microsoft已经为此发布了一个安全公告(MS09-042)以及相应补丁: MS09-042:Vulnerability in Telnet Could Allow Remote Code Execution (960859) 链接:http://www.microsoft.com/technet/security/bulletin/MS09-042.mspx?pf=true |
| id | SSV:12039 |
| last seen | 2017-11-19 |
| modified | 2009-08-12 |
| published | 2009-08-12 |
| reporter | Root |
| title | Microsoft Windows Telnet NTLM凭据反射绕过认证漏洞(MS09-042) |
References
- http://www.securityfocus.com/bid/35993
- http://secunia.com/advisories/36222
- http://securitytracker.com/id?1022716
- http://www.vupen.com/english/advisories/2009/2237
- http://osvdb.org/56904
- http://www.us-cert.gov/cas/techalerts/TA09-223A.html
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6302
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-042