CVE-2009-2523 - Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in Microsoft Windows 2000

CVSS 10.0 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE

Tags: network, low complexity, microsoft, CWE-119, critical, nessus

Summary

The License Logging Server (llssrv.exe) in Microsoft Windows 2000 SP4 allows remote attackers to execute arbitrary code via an RPC message containing a string without a null terminator, which triggers a heap-based buffer overflow in the LlsrLicenseRequestW method, aka "License Logging Server Heap Overflow Vulnerability."
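The bug class described above (and spelled out in the Seebug entry further down: the server trusts that the string argument of LlsrLicenseRequestW carries a terminating null and concatenates it with lstrcatW), modelled in C as an added example. This is not Microsoft's llssrv.exe code: the buffer layout, the PREFIX_UNITS and NAME_MAX_UNITS sizes, the function names and the sample inputs are all constructed for illustration, and the hardened check is one reasonable fix that returns the STATUS_INVALID_PARAMETER value (0xC000000D) the Nessus probe reports from patched hosts, not the exact change Microsoft shipped.

```c
/*
 * Added illustrative model of the MS09-064 bug class; not the llssrv.exe code.
 * An RPC wide-string argument arrives with an NDR unit count. The count is
 * honoured when the destination is sized, but the copy is done with an
 * lstrcatW-style routine that keeps going until it finds a zero unit, so a
 * request without a terminator drags neighbouring heap bytes into the copy.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NTSTATUS_SUCCESS           0x00000000u
#define NTSTATUS_INVALID_PARAMETER 0xC000000Du /* STATUS_INVALID_PARAMETER, what patched hosts return to the Nessus probe */

#define PREFIX_UNITS   4   /* assumed fixed prefix prepended by the server */
#define NAME_MAX_UNITS 16  /* assumed upper bound on the name argument */
#define CANARY         0xBEEFu

/* Wide string as the RPC runtime hands it over: `count` UTF-16 units were
   received; nothing guarantees that units[count - 1] is zero. */
typedef struct { uint32_t count; const uint16_t *units; } ndr_wstr_t;

/* lstrcatW semantics: no length argument, relies entirely on the terminator. */
static void lstrcat16_unbounded(uint16_t *dst, const uint16_t *src) {
    while (*dst) dst++;
    while ((*dst++ = *src++) != 0) ;
}

/* Bounded scan (wcsnlen shape): index of the first zero unit, or count if none. */
static uint32_t terminated_len16(const uint16_t *units, uint32_t count) {
    uint32_t i = 0;
    while (i < count && units[i] != 0) i++;
    return i;
}

/* Hardened entry check, applied before any heap work. Rejecting with
   STATUS_INVALID_PARAMETER matches the patched server's observable
   behaviour; the exact check Microsoft added is not documented on this page. */
uint32_t lls_validate_name(const ndr_wstr_t *s) {
    if (s == NULL || s->units == NULL || s->count == 0 || s->count > NAME_MAX_UNITS)
        return NTSTATUS_INVALID_PARAMETER;
    if (terminated_len16(s->units, s->count) == s->count) /* no terminator in the counted range */
        return NTSTATUS_INVALID_PARAMETER;
    return NTSTATUS_SUCCESS;
}

/*
 * Simulates the request handler. Heap layout is modelled with two arenas:
 *   dst arena: [ prefix + count units ][ NEIGHBOUR_UNITS of CANARY ]
 *   src arena: [ request units ][ LEFTOVER_UNITS of stale 0x4141 ][ 0 ]
 * NEIGHBOUR_UNITS > LEFTOVER_UNITS keeps every write inside the dst arena,
 * so the demo stays well defined while still showing the neighbour chunk
 * being overwritten. Returns 1 if the neighbour was corrupted, 0 if not,
 * -1 on allocation failure.
 */
int lls_request_sim(const ndr_wstr_t *req, int hardened) {
    enum { NEIGHBOUR_UNITS = 16, LEFTOVER_UNITS = 8 };
    if (hardened && lls_validate_name(req) != NTSTATUS_SUCCESS)
        return 0; /* rejected before anything is copied */

    size_t dst_units = PREFIX_UNITS + req->count;
    uint16_t *dst = calloc(dst_units + NEIGHBOUR_UNITS, sizeof *dst);
    uint16_t *src = calloc(req->count + LEFTOVER_UNITS + 1, sizeof *src);
    if (dst == NULL || src == NULL) { free(dst); free(src); return -1; }

    for (int i = 0; i < PREFIX_UNITS; i++) dst[i] = (uint16_t)('A' + i);  /* stand-in prefix; dst[PREFIX_UNITS] is zero from calloc */
    for (int i = 0; i < NEIGHBOUR_UNITS; i++) dst[dst_units + i] = CANARY;
    memcpy(src, req->units, req->count * sizeof *src);
    for (int i = 0; i < LEFTOVER_UNITS; i++) src[req->count + i] = 0x4141;  /* stale bytes beyond the request */
    /* src[count + LEFTOVER_UNITS] is zero from calloc: the first terminator an unbounded scan finds */

    lstrcat16_unbounded(dst, src);  /* the vulnerable copy: trusts a terminator to exist */

    int corrupted = 0;
    for (int i = 0; i < NEIGHBOUR_UNITS; i++)
        if (dst[dst_units + i] != CANARY) corrupted = 1;
    free(dst);
    free(src);
    return corrupted;
}

/* Constructed sample inputs: a terminated name and the same name with the terminator omitted. */
static const uint16_t SAMPLE_GOOD[] = { 'W', 'i', 'n', '2', 'k', 0 };
static const uint16_t SAMPLE_BAD[]  = { 'W', 'i', 'n', '2', 'k', '!' };
static const ndr_wstr_t REQ_GOOD = { 6, SAMPLE_GOOD };
static const ndr_wstr_t REQ_BAD  = { 6, SAMPLE_BAD };

int main(void) {
    printf("terminated   name: unpatched corrupts=%d  patched corrupts=%d\n",
           lls_request_sim(&REQ_GOOD, 0), lls_request_sim(&REQ_GOOD, 1));
    printf("unterminated name: unpatched corrupts=%d  patched corrupts=%d  validate=0x%08X\n",
           lls_request_sim(&REQ_BAD, 0), lls_request_sim(&REQ_BAD, 1),
           (unsigned)lls_validate_name(&REQ_BAD));
    return 0;
}
```

The two arenas keep every write inside memory the demo owns, so the neighbour-chunk corruption is observable without undefined behaviour; on a real heap the units past the buffer belong to another allocation, which is what turns a missing terminator into the remote code execution the bulletin describes. The fix is cheap because it runs before allocation: check the count against a ceiling and require the zero unit inside the counted range, and reject with STATUS_INVALID_PARAMETER otherwise.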

Vulnerable Configurations

Part  Description  Count
OS    Microsoft    1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Msbulletin

bulletin_id: MS09-064
bulletin_url:
date: 2009-11-10T00:00:00
impact: Remote Code Execution
knowledgebase_id: 974783
knowledgebase_url:
severity: Critical
title: Vulnerability in License Logging Server Could Allow Remote Code Execution

Nessus

  • NASL family: Windows : Microsoft Bulletins
    NASL id: SMB_NT_MS09-064.NASL
    description: The remote version of Windows contains a flaw in the Logging Service that may allow an attacker to execute arbitrary code on the remote host. To exploit this flaw, an attacker would need to send a malformed packet to the remote logging service, and would be able to either execute arbitrary code on the remote host or to perform a denial of service.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 42438
    published: 2009-11-10
    reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/42438
    title: MS09-064: Vulnerability in the License Logging Service (974783)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(42438);
      script_version("1.21");
      script_cvs_date("Date: 2018/11/15 20:50:30");
    
      script_cve_id("CVE-2009-2523");
      script_bugtraq_id(36921);
      script_xref(name:"MSFT", value:"MS09-064");
      script_xref(name:"MSKB", value:"974783");
    
      script_name(english:"MS09-064: Vulnerability in the License Logging Service (974783)");
      script_summary(english:"Determines if hotfix 974783 has been installed");
    
      script_set_attribute(attribute:"synopsis", value:"Arbitrary code can be executed on the remote host.");
      script_set_attribute(attribute:"description", value:
    "The remote version of Windows contains a flaw in the Logging Service
    that may allow an attacker to execute arbitrary code on the remote host.
    
    To exploit this flaw, an attacker would need to send a malformed packet
    to the remote logging service, and would be able to either execute
    arbitrary code on the remote host or to perform a denial of service.");
      script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-064");
      script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows 2000.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_cwe_id(119);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2009/11/10");
      script_set_attribute(attribute:"patch_publication_date", value:"2009/11/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/11/10");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
    
      script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, 'Host/patch_management_checks');
      exit(0);
    }
    
    
    include("audit.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("smb_func.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = 'MS09-064';
    kb = '974783';
    
    kbs = make_list(kb);
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(win2k:'4,5') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    if ( hotfix_check_nt_server() <= 0 ) exit(0, "The host is not affected because it is not running the WinNT service.");
    
    rootfile = hotfix_get_systemroot();
    if (!rootfile) exit(1, "Failed to get the system root.");
    
    share = hotfix_path2share(path:rootfile);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if (hotfix_is_vulnerable(os:"5.0", file:"Llssrv.exe", version:"5.0.2195.7337", dir:"\system32", bulletin:bulletin, kb:kb))
    {
      set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, 'affected');
    }
    
  • NASL family: Windows
    NASL id: SMB_KB974783.NASL
    description: The remote version of Windows contains a flaw in the Logging Service that may allow an attacker to execute arbitrary code on the remote host. To exploit this flaw, an attacker would need to send a malformed packet to the remote logging service and would be able to either execute arbitrary code on the remote host or perform a denial of service.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 42443
    published: 2009-11-10
    reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/42443
    title: MS09-064: Vulnerability in the License Logging Service (974783) (uncredentialed check)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
     script_id(42443);
     script_version("1.17");
     script_cvs_date("Date: 2018/11/15 20:50:28");
    
     script_cve_id("CVE-2009-2523");
     script_bugtraq_id(36921);
     script_xref(name:"MSFT", value:"MS09-064");
     script_xref(name:"MSKB", value:"974783");
    
     script_name(english:"MS09-064: Vulnerability in the License Logging Service (974783) (uncredentialed check)");
     script_summary(english:"Determines if hotfix 974783 has been installed");
    
     script_set_attribute(attribute:"synopsis", value:
    "Arbitrary code can be executed on the remote host.");
     script_set_attribute(attribute:"description", value:
    "The remote version of Windows contains a flaw in the Logging Service
    that may allow an attacker to execute arbitrary code on the remote
    host.
    
    To exploit this flaw, an attacker would need to send a malformed
    packet to the remote logging service and would be able to either
    execute arbitrary code on the remote host or perform a denial of
    service.");
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-064");
     script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows 2000.");
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
     script_set_attribute(attribute:"exploit_framework_core", value:"true");
     script_cwe_id(119);
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2009/11/10");
     script_set_attribute(attribute:"patch_publication_date", value:"2009/11/10");
     script_set_attribute(attribute:"plugin_publication_date", value:"2009/11/10");
    
     script_set_attribute(attribute:"plugin_type", value:"local");
     script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
    
     script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
     script_family(english:"Windows");
    
     script_dependencies("smb_hotfixes.nasl");
     script_require_keys("SMB/Registry/Enumerated", "Host/OS/smb");
     script_require_ports(139, 445);
     exit(0);
    }
    
    
    include ('smb_func.inc');
    
    function LlsrLicenseRequestW()
    {
     local_var fid, data, rep, name;
     local_var code;
    
     fid = bind_pipe (pipe:"\llsrpc", uuid:"57674cd0-5200-11ce-a897-08002b2e9c6d", vers:1);
     if (isnull (fid))
       return -1;
    
     name = session_get_hostname();
    
     # only unicode is supported
     if (session_is_unicode ())
       name = class_name(name:name);
     else
     {
       session_set_unicode(unicode:1);
       name = class_name(name:name);
       session_set_unicode(unicode:0);
     }
    
     # LlsrLicenseRequestW request body: hostname, then the remaining
     # fixed-size parameters; the final bytes carry the product name.
     data = name +
            raw_dword(d:0) +
            raw_dword(d:0) +
            raw_byte(b:0) +
            raw_dword(d:0) +
            raw_dword(d:0) +
            raw_dword(d:0) +
            raw_dword(d:5) +
            '\xd4\xce\xc2\xcc\x00';
    
     data = dce_rpc_pipe_request (fid:fid, code:0x00, data:data);
     if (!data || strlen(data) != 48 )
       return 0;
    
     code = get_dword(blob:data, pos:strlen(data) - 4);
     if ( code == 0 )
       return 1;
     else
       return 0; # Patched version returns 0xc000000d (STATUS_INVALID_PARAMETER)
    }
    
    os = get_kb_item ("Host/OS/smb") ;
    if ( ! os || "Windows 5.0" >!< os ) exit(0, "OS unknown");
    
    
    port = get_kb_item("SMB/transport");
    if(!port)port = 445;
    
    if ( ! get_port_state(port) ) exit(0, "Port " + port + " is closed.");
    soc = open_sock_tcp(port);
    if ( ! soc ) exit(1, "Could not connect to port "+port+".");
    
    name = kb_smb_name();
    login = kb_smb_login();
    pass = kb_smb_password();
    dom  = kb_smb_domain();
    session_init(socket:soc, hostname:name);
    r = NetUseAdd(share:"IPC$", login:login, password:pass, domain:dom);
    if ( r == 1 )
    {
     ret = LlsrLicenseRequestW();
     NetUseDel();
     if ( ret < 0 )
       exit(1, "Could not connect to \llsrpc");
     if (ret == 1)
     {
       security_hole(port:port);
       exit(0, "Host is vulnerable.");
     }
     else exit(0, "Host is patched.");
    }
    

Oval

accepted: 2009-12-28T04:00:26.884-05:00
class: vulnerability
contributors
  • name: Dragos Prisaca
    organization: Gideon Technologies, Inc.
  • name: Dragos Prisaca
    organization: Gideon Technologies, Inc.
definition_extensions
  • comment: Microsoft Windows 2000 SP4 or later is installed
    oval: oval:org.mitre.oval:def:229
description: The License Logging Server (llssrv.exe) in Microsoft Windows 2000 SP4 allows remote attackers to execute arbitrary code via an RPC message containing a string without a null terminator, which triggers a heap-based buffer overflow in the LlsrLicenseRequestW method, aka "License Logging Server Heap Overflow Vulnerability."
family: windows
id: oval:org.mitre.oval:def:6300
status: accepted
submitted: 2009-11-10T13:00:00
title: License Logging Server Heap Overflow Vulnerability
version: 70

Seebug

bulletinFamily: exploit
description: BUGTRAQ ID: 36921
CVE ID: CVE-2009-2523

Microsoft Windows is Microsoft's widely deployed operating system.

The License Logging service (llssrv.exe) in Windows has a heap overflow vulnerability in the way it handles RPC calls. When the parameters passed to the LlsrLicenseRequestW method are processed, the character array is expected to contain a terminating null character. If a user sends malicious request data without the null character, the call to lstrcatW can be made to overflow, triggering this vulnerability. Exploiting it requires no authentication. An attacker can exploit it by sending a specially crafted network message to a machine running the License Logging service; successful exploitation gives the attacker complete control of the system.

Affected: Microsoft Windows 2000 SP4

Temporary workarounds:
  • Disable the License Logging service.
  • Block TCP ports 139 and 445 at the firewall.

Vendor patch:
Microsoft
---------
Microsoft has published a security bulletin (MS09-064) and the corresponding patch:
MS09-064: Vulnerability in License Logging Server Could Allow Remote Code Execution (974783)
Link: http://www.microsoft.com/technet/security/bulletin/ms09-064.mspx?pf=true
Patch download: http://www.microsoft.com/downloads/details.aspx?familyid=365a8dff-2383-42f6-b567-e545461fd135
id: SSV:12610
last seen: 2017-11-19
modified: 2009-11-11
published: 2009-11-11
reporter: Root
title: Microsoft Windows License Logging Service Remote Heap Overflow Vulnerability (MS09-064)