Vulnerabilities > CVE-2009-2507 - Unspecified vulnerability in Microsoft Windows 2000, Windows 2003 Server and Windows XP

CVSS 9.3 - CRITICAL
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
microsoft
critical
nessus

Summary

A certain ActiveX control in the Indexing Service in Microsoft Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP2 does not properly process URLs, which allows remote attackers to execute arbitrary programs via unspecified vectors that cause a "vulnerable binary" to load and run, aka "Memory Corruption in Indexing Service Vulnerability."

Vulnerable Configurations

Part Description Count
OS
Microsoft
7

Msbulletin

bulletin_id: MS09-057
bulletin_url:
date: 2009-10-13T00:00:00
impact: Remote Code Execution
knowledgebase_id: 969059
knowledgebase_url:
severity: Important
title: Vulnerability in Indexing Service Could Allow Remote Code Execution

Nessus

NASL family: Windows : Microsoft Bulletins
NASL id: SMB_NT_MS09-057.NASL
description: The remote host contains the ixsso.dll ActiveX control. This control is included with the Indexing Service. The version of this control installed on the remote host reportedly has an arbitrary code execution vulnerability. A remote attacker could exploit this by tricking a user into requesting a maliciously crafted web page. This vulnerability only affects systems that have the Indexing Service enabled. It is disabled by default.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 42113
published: 2009-10-13
reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/42113
title: MS09-057: Vulnerability in Indexing Service Could Allow Remote Code Execution (969059)
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");


# Registration branch: every call in this block declares plugin metadata
# (identifiers, cross-references, report text, scheduling requirements) and the
# block then exits, so none of it inspects the target host.
# NOTE(review): `description` is presumably the flag the scan engine sets while
# it loads plugin metadata - confirm against the engine documentation.
if (description)
{
  script_id(42113);
  script_version("1.24");
  script_cvs_date("Date: 2018/11/15 20:50:30");

  # Cross-references that tie a finding back to the advisory: CVE, Bugtraq ID,
  # Microsoft bulletin, Microsoft KB article and IAVB notice.
  script_cve_id("CVE-2009-2507");
  script_bugtraq_id(36629);
  script_xref(name:"MSFT", value:"MS09-057");
  script_xref(name:"MSKB", value:"969059");
  script_xref(name:"IAVB", value:"2009-B-0053");

  # The summary names query.dll, which is the file whose version the check code
  # further down compares; the description text names the ixsso.dll ActiveX
  # control. The two strings therefore refer to different files.
  script_name(english:"MS09-057: Vulnerability in Indexing Service Could Allow Remote Code Execution (969059)");
  script_summary(english:"Checks the version of query.dll");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host has an ActiveX control that is affected by a
code execution vulnerability.");
  # Triage caveat carried in the report text: only hosts with the Indexing
  # Service enabled are affected, and it is disabled by default. The check code
  # in this file does not test the service state, so a finding means the patch
  # is missing, not that the host is confirmed exposed.
  script_set_attribute(attribute:"description", value:
"The remote host contains the ixsso.dll ActiveX control.

This control is included with the Indexing Service.  The version of this
control installed on the remote host reportedly has an arbitrary code
execution vulnerability.  A remote attacker could exploit this by
tricking a user into requesting a maliciously crafted web page.

This vulnerability only affects systems that have the Indexing Service
enabled.  It is disabled by default.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-057");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows 2000, XP, and
2003.");
  # CVSS v2 base vector: network access, medium complexity, no authentication,
  # complete confidentiality/integrity/availability impact.
  # Temporal vector: E:U (exploitability unproven), RL:OF (official fix),
  # RC:C (report confirmed).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  # Disclosure, patch and plugin release all carry the same date.
  script_set_attribute(attribute:"vuln_publication_date", value:"2009/10/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2009/10/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/10/13");

  # NOTE(review): "local" presumably marks this as a credentialed check that
  # reads file versions on the host rather than probing it remotely; that is
  # consistent with the share access the check code performs - confirm.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");

  # Scheduling requirements: two prerequisite plugins, one required KB key, and
  # either an SMB port (139/445) or the patch-management KB entry.
  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, 'Host/patch_management_checks');

  # Leave before the check code so the registration pass never touches a host.
  exit(0);
}


include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

# Check body: decides whether the MS09-057 / KB969059 update is missing by
# comparing the file version of query.dll under \system32 on the target with
# per-OS version strings.
# Scope caveat for triage: nothing below looks at whether the Indexing Service
# is enabled or whether ixsso.dll is registered, so a positive result reports a
# missing patch rather than a confirmed reachable control.

# Stop unless the prerequisite plugin recorded that bulletin checks are possible.
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS09-057';
kb = '969059';

kbs = make_list(kb);
# NOTE(review): when patch-management data is present this helper is handed the
# bulletin and KB list; it presumably reports from that data and ends the
# script, since the registry keys required next may be absent - confirm.
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

# Both keys must exist before any version comparison is attempted.
get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

# Restrict the check to the listed service-pack ranges (Windows 2000 SP4-5,
# XP SP2-3, Server 2003 SP2); any other host is audited as not vulnerable.
if (hotfix_check_sp_range(win2k:'4,5', xp:'2,3', win2003:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

# The file version is read over a share derived from the system root; an
# unreachable share is audited as a failure instead of being treated as "patched".
share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

# Each call carries the version string for one OS/SP/arch combination; the ||
# chain short-circuits on the first call that reports the host as vulnerable.
if (
  # Windows Server 2003 (os 5.2), no service-pack or architecture filter
  hotfix_is_vulnerable(os:"5.2", file:"query.dll", version:"5.2.3790.4554", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows XP: SP3 x86, the 5.2 x64 SP2 line (presumably XP x64 Edition), SP2 x86
  # NOTE(review): the x64 line uses the same os and version string as the
  # unfiltered 5.2 check above, so it looks redundant - confirm.
  hotfix_is_vulnerable(os:"5.1", sp:3, arch:"x86", file:"query.dll",                 version:"5.1.2600.5847",   min_version:"5.1.2600.5000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.2", sp:2, arch:"x64", file:"query.dll",                 version:"5.2.3790.4554", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:2, arch:"x86", file:"query.dll",                 version:"5.1.2600.3602",   dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows 2000 (os 5.0)
  hotfix_is_vulnerable(os:"5.0", file:"query.dll", version:"5.0.2195.7320",   dir:"\system32", bulletin:bulletin, kb:kb)
)
{
  # Record the missing bulletin in the KB under SMB/Missing/MS09-057, then
  # raise the finding.
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  # Called on both outcomes; presumably closes the file-check session - confirm.
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

Oval

accepted: 2009-11-30T04:00:18.262-05:00
class: vulnerability
contributors:
  name: Dragos Prisaca
  organization: Gideon Technologies, Inc.
definition_extensions:
  • comment: Microsoft Windows 2000 SP4 or later is installed
    oval: oval:org.mitre.oval:def:229
  • comment: Microsoft Windows XP (x86) SP2 is installed
    oval: oval:org.mitre.oval:def:754
  • comment: Microsoft Windows XP (x86) SP3 is installed
    oval: oval:org.mitre.oval:def:5631
  • comment: Microsoft Windows XP x64 Edition SP2 is installed
    oval: oval:org.mitre.oval:def:4193
  • comment: Microsoft Windows Server 2003 SP2 (x86) is installed
    oval: oval:org.mitre.oval:def:1935
  • comment: Microsoft Windows Server 2003 SP2 (x64) is installed
    oval: oval:org.mitre.oval:def:2161
  • comment: Microsoft Windows Server 2003 (ia64) SP2 is installed
    oval: oval:org.mitre.oval:def:1442
description: A certain ActiveX control in the Indexing Service in Microsoft Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP2 does not properly process URLs, which allows remote attackers to execute arbitrary programs via unspecified vectors that cause a "vulnerable binary" to load and run, aka "Memory Corruption in Indexing Service Vulnerability."
family: windows
id: oval:org.mitre.oval:def:6042
status: accepted
submitted: 2009-10-13T13:00:00
title: Memory Corruption in Indexing Service Vulnerability
version: 69

Seebug

bulletinFamily: exploit
description: BUGTRAQ ID: 36629 CVE(CAN) ID: CVE-2009-2507

Windows是微软发布的非常流行的操作系统。

Windows的索引服务所包含的ActiveX控件未正确处理特制Web内容,导致Windows系统上的索引服务中存在内存破坏漏洞。成功利用此漏洞的攻击者可以完全控制受影响的系统。

Microsoft Windows XP SP3
Microsoft Windows XP SP2
Microsoft Windows Server 2003 SP2
Microsoft Windows Server 2003 SP1
Microsoft Windows 2000 SP4

临时解决方法:

* 注销ixsso.dll
1. 单击“开始”、“运行”,键入"%SystemRoot%\System32\regsvr32.exe" /u ixsso.dll,然后单击“确定”。
2. 此时将出现一个对话框,确认注销过程已成功完成。单击“确定”关闭对话框。

* 阻止在Internet Explorer中运行索引服务ActiveX控件COM对象,将以下文本粘贴于记事本等文本编辑器中,然后使用.reg文件扩展名保存文件。

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A4463024-2B6F-11D0-BFBC-0020F8008024}]
"Compatibility Flags"=dword:00000400

可以通过双击此.reg文件将其应用到各个系统,还可以使用组策略跨域应用该文件。

* 将Internet Explorer配置为在Internet和本地Intranet安全区域中运行ActiveX控件和活动脚本之前进行提示。
* 将Internet 和本地Intranet安全区域设置设为“高”,以便在这些区域中运行ActiveX控件和活动脚本之前进行提示。

厂商补丁:

Microsoft
---------
Microsoft已经为此发布了一个安全公告(MS09-057)以及相应补丁:
MS09-057:Vulnerability in Indexing Service Could Allow Remote Code Execution (969059)
链接:http://www.microsoft.com/technet/security/Bulletin/MS09-057.mspx?pf=true
id: SSV:12489
last seen: 2017-11-19
modified: 2009-10-19
published: 2009-10-19
reporter: Root
title: Microsoft Windows索引服务ActiveX控件内存破坏漏洞(MS09-057)