Vulnerabilities > CVE-2009-1930 - Credentials Management vulnerability in Microsoft products

047910
CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
microsoft
CWE-255
critical
nessus

Summary

The Telnet service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2 allows remote Telnet servers to execute arbitrary code on a client machine by replaying the NTLM credentials of a client user, aka "Telnet Credential Reflection Vulnerability," a related issue to CVE-2000-0834.

Common Weakness Enumeration (CWE)

Msbulletin

bulletin_idMS09-042
bulletin_url
date2009-08-11T00:00:00
impactRemote Code Execution
knowledgebase_id960859
knowledgebase_url
severityImportant
titleVulnerability in Telnet Could Allow Remote Code Execution

Nessus

  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS09-042.NASL
    descriptionThe remote Telnet client does not correctly opt in to NTLM credential- reflection protections, which ensure that a user
    last seen2020-06-01
    modified2020-06-02
    plugin id40561
    published2009-08-11
    reporterThis script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/40561
    titleMS09-042: Vulnerability in Telnet Could Allow Remote Code Execution (960859)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    
    if (description)
    {
      script_id(40561);
      script_version("1.21");
      script_cvs_date("Date: 2018/11/15 20:50:30");
    
      script_cve_id("CVE-2009-1930");
      script_bugtraq_id(35993);
      script_xref(name:"MSFT", value:"MS09-042");
      script_xref(name:"MSKB", value:"960859");
      script_xref(name:"IAVB", value:"2009-B-0037");
    
      script_name(english:"MS09-042: Vulnerability in Telnet Could Allow Remote Code Execution (960859)");
      script_summary(english:"Checks version of Telnet.exe");
    
      script_set_attribute(attribute:"synopsis", value:
    "Arbitrary code can be executed on the remote host through the remote
    Telnet client.");
      script_set_attribute(attribute:"description", value:
    "The remote Telnet client does not correctly opt in to NTLM credential-
    reflection protections, which ensure that a user's credentials are not
    reflected back and used against the user.
    
    If a remote attacker can trick a user on the host into connecting to a
    malicious server with an affected version of the Telnet client, he can
    leverage this issue to gain the rights of that user and do anything that
    he has privileges to do.");
      script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-042");
      script_set_attribute(attribute:"solution", value:
    "Microsoft has released a set of patches for Windows 2000, XP, 2003,
    Vista and 2008.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_cwe_id(255);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2009/08/11");
      script_set_attribute(attribute:"patch_publication_date", value:"2009/08/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/08/11");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_set_attribute(attribute:"stig_severity", value:"II");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
    
      script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, 'Host/patch_management_checks');
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("smb_func.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = 'MS09-042';
    kb = '960859';
    
    kbs = make_list(kb);
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(win2k:'4,5', xp:'2,3', win2003:'2', vista:'0,2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    rootfile = hotfix_get_systemroot();
    if (!rootfile) exit(1, "Failed to get the system root.");
    
    share = hotfix_path2share(path:rootfile);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if (
      # Vista / Windows Server 2008
      hotfix_is_vulnerable(os:"6.0", sp:2,             file:"Telnet.exe", version:"6.0.6002.22150", min_version:"6.0.6002.20000", dir:"\System32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"6.0", sp:2,             file:"Telnet.exe", version:"6.0.6002.18049",                               dir:"\System32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"6.0", sp:1,             file:"Telnet.exe", version:"6.0.6001.22447", min_version:"6.0.6001.20000", dir:"\System32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"6.0", sp:1,             file:"Telnet.exe", version:"6.0.6001.18270",                               dir:"\System32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"6.0", sp:0,             file:"Telnet.exe", version:"6.0.6000.21065", min_version:"6.0.6000.20000", dir:"\System32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"6.0", sp:0,             file:"Telnet.exe", version:"6.0.6000.16868",                               dir:"\System32", bulletin:bulletin, kb:kb) ||
    
      # Windows 2003
      hotfix_is_vulnerable(os:"5.2", sp:2,             file:"Telnet.exe", version:"5.2.3790.4528", dir:"\System32", bulletin:bulletin, kb:kb) ||
    
      # Windows XP
      hotfix_is_vulnerable(os:"5.1", sp:3, arch:"x86", file:"Telnet.exe", version:"5.1.2600.5829", dir:"\System32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"5.1", sp:2, arch:"x64", file:"Telnet.exe", version:"5.2.3790.4528", dir:"\System32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"5.1", sp:2, arch:"x86", file:"Telnet.exe", version:"5.1.2600.3587", dir:"\System32", bulletin:bulletin, kb:kb) ||
    
      # Windows 2000
      hotfix_is_vulnerable(os:"5.0",                   file:"Telnet.exe", version:"5.0.33670.4", dir:"\System32", bulletin:bulletin, kb:kb)
    )
    {
      set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, 'affected');
    }
    
  • NASL familyWindows
    NASL idWIN_SERVER_2008_NTLM_PCI.NASL
    descriptionAccording to the version number obtained by NTLM the remote host has Windows Server 2008 installed. The host may be vulnerable to a number of vulnerabilities including remote unauthenticated code execution.
    last seen2020-06-01
    modified2020-06-02
    plugin id108811
    published2018-04-03
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108811
    titleWindows Server 2008 Critical RCE Vulnerabilities (uncredentialed) (PCI/DSS)

Oval

accepted2009-09-28T04:00:21.810-04:00
classvulnerability
contributors
nameDragos Prisaca
organizationGideon Technologies, Inc.
definition_extensions
  • commentMicrosoft Windows 2000 SP4 or later is installed
    ovaloval:org.mitre.oval:def:229
  • commentMicrosoft Windows XP (x86) SP2 is installed
    ovaloval:org.mitre.oval:def:754
  • commentMicrosoft Windows XP (x86) SP3 is installed
    ovaloval:org.mitre.oval:def:5631
  • commentMicrosoft Windows XP x64 Edition SP2 is installed
    ovaloval:org.mitre.oval:def:4193
  • commentMicrosoft Windows Server 2003 SP2 (x86) is installed
    ovaloval:org.mitre.oval:def:1935
  • commentMicrosoft Windows Server 2003 SP2 (x64) is installed
    ovaloval:org.mitre.oval:def:2161
  • commentMicrosoft Windows Server 2003 (ia64) SP2 is installed
    ovaloval:org.mitre.oval:def:1442
  • commentMicrosoft Windows Vista (32-bit) is installed
    ovaloval:org.mitre.oval:def:1282
  • commentMicrosoft Windows Vista x64 Edition is installed
    ovaloval:org.mitre.oval:def:2041
  • commentMicrosoft Windows Vista (32-bit) is installed
    ovaloval:org.mitre.oval:def:1282
  • commentMicrosoft Windows Vista x64 Edition is installed
    ovaloval:org.mitre.oval:def:2041
  • commentMicrosoft Windows Vista (32-bit) Service Pack 1 is installed
    ovaloval:org.mitre.oval:def:4873
  • commentMicrosoft Windows Vista x64 Edition Service Pack 1 is installed
    ovaloval:org.mitre.oval:def:5254
  • commentMicrosoft Windows Server 2008 (32-bit) is installed
    ovaloval:org.mitre.oval:def:4870
  • commentMicrosoft Windows Server 2008 (64-bit) is installed
    ovaloval:org.mitre.oval:def:5356
  • commentMicrosoft Windows Server 2008 (ia-64) is installed
    ovaloval:org.mitre.oval:def:5667
  • commentMicrosoft Windows Vista (32-bit) Service Pack 1 is installed
    ovaloval:org.mitre.oval:def:4873
  • commentMicrosoft Windows Vista x64 Edition Service Pack 1 is installed
    ovaloval:org.mitre.oval:def:5254
  • commentMicrosoft Windows Server 2008 (32-bit) is installed
    ovaloval:org.mitre.oval:def:4870
  • commentMicrosoft Windows Server 2008 (64-bit) is installed
    ovaloval:org.mitre.oval:def:5356
  • commentMicrosoft Windows Server 2008 (ia-64) is installed
    ovaloval:org.mitre.oval:def:5667
  • commentMicrosoft Windows Vista (32-bit) Service Pack 2 is installed
    ovaloval:org.mitre.oval:def:6124
  • commentMicrosoft Windows Vista x64 Edition Service Pack 2 is installed
    ovaloval:org.mitre.oval:def:5594
  • commentMicrosoft Windows Server 2008 (32-bit) Service Pack 2 is installed
    ovaloval:org.mitre.oval:def:5653
  • commentMicrosoft Windows Server 2008 x64 Edition Service Pack 2 is installed
    ovaloval:org.mitre.oval:def:6216
  • commentMicrosoft Windows Server 2008 Itanium-Based Edition Service Pack 2 is installed
    ovaloval:org.mitre.oval:def:6150
  • commentMicrosoft Windows Vista (32-bit) Service Pack 2 is installed
    ovaloval:org.mitre.oval:def:6124
  • commentMicrosoft Windows Vista x64 Edition Service Pack 2 is installed
    ovaloval:org.mitre.oval:def:5594
  • commentMicrosoft Windows Server 2008 (32-bit) Service Pack 2 is installed
    ovaloval:org.mitre.oval:def:5653
  • commentMicrosoft Windows Server 2008 x64 Edition Service Pack 2 is installed
    ovaloval:org.mitre.oval:def:6216
  • commentMicrosoft Windows Server 2008 Itanium-Based Edition Service Pack 2 is installed
    ovaloval:org.mitre.oval:def:6150
descriptionThe Telnet service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2 allows remote Telnet servers to execute arbitrary code on a client machine by replaying the NTLM credentials of a client user, aka "Telnet Credential Reflection Vulnerability," a related issue to CVE-2000-0834.
familywindows
idoval:org.mitre.oval:def:6302
statusaccepted
submitted2009-07-28T13:00:00
titleTelnet Credential Reflection Vulnerability
version72

Saint

bid35993
descriptionWindows Telnet credential reflection
idshell_telnet_reflect
osvdb56904
titlewindows_telnet_credential_reflection
typeclient

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 35993 CVE(CAN) ID: CVE-2009-1930 Microsoft Windows是微软发布的非常流行的操作系统。 Telnet协议未正确地选择加入NTLM凭据反射保护以确保用户凭据不被反射回来并供用户使用。如果用户受骗连接到了恶意的Telnet服务器,就可能导致反射NTLM凭据并以当前用户的权限获得系统访问。 Microsoft Windows XP SP3 Microsoft Windows XP SP2 Microsoft Windows Vista SP2 Microsoft Windows Vista SP1 Microsoft Windows Vista Microsoft Windows Server 2008 SP2 Microsoft Windows Server 2008 Microsoft Windows Server 2003 SP2 Microsoft Windows Server 2003 SP1 Microsoft Windows 2000SP4 厂商补丁: Microsoft --------- Microsoft已经为此发布了一个安全公告(MS09-042)以及相应补丁: MS09-042:Vulnerability in Telnet Could Allow Remote Code Execution (960859) 链接:http://www.microsoft.com/technet/security/bulletin/MS09-042.mspx?pf=true
idSSV:12039
last seen2017-11-19
modified2009-08-12
published2009-08-12
reporterRoot
titleMicrosoft Windows Telnet NTLM凭据反射绕过认证漏洞(MS09-042)