Vulnerabilities > CVE-2009-2523 - Out-of-bounds Write vulnerability in Microsoft Windows 2000
Attack vector | UNKNOWN |
Attack complexity | UNKNOWN |
Privileges required | UNKNOWN |
Confidentiality impact | UNKNOWN |
Integrity impact | UNKNOWN |
Availability impact | UNKNOWN |
Summary
The License Logging Server (llssrv.exe) in Microsoft Windows 2000 SP4 allows remote attackers to execute arbitrary code via an RPC message containing a string without a null terminator, which triggers a heap-based buffer overflow in the LlsrLicenseRequestW method, aka "License Logging Server Heap Overflow Vulnerability."
Vulnerable Configurations
Part | Description | Count |
---|---|---|
OS | | 1 |
Common Weakness Enumeration (CWE)
Msbulletin
bulletin_id | MS09-064 |
bulletin_url | |
date | 2009-11-10T00:00:00 |
impact | Remote Code Execution |
knowledgebase_id | 974783 |
knowledgebase_url | |
severity | Critical |
title | Vulnerability in License Logging Server Could Allow Remote Code Execution |
Nessus
NASL family | Windows : Microsoft Bulletins |
NASL id | SMB_NT_MS09-064.NASL |
description | The remote version of Windows contains a flaw in the Logging Service that may allow an attacker to execute arbitrary code on the remote host. To exploit this flaw, an attacker would need to send a malformed packet to the remote logging service, and would be able to either execute arbitrary code on the remote host or to perform a denial of service. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 42438 |
published | 2009-11-10 |
reporter | This script is Copyright (C) 2009-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/42438 |
title | MS09-064: Vulnerability in the License Logging Service (974783) |
code |

```nasl
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(42438);
  script_version("1.21");
  script_cvs_date("Date: 2018/11/15 20:50:30");

  script_cve_id("CVE-2009-2523");
  script_bugtraq_id(36921);
  script_xref(name:"MSFT", value:"MS09-064");
  script_xref(name:"MSKB", value:"974783");

  script_name(english:"MS09-064: Vulnerability in the License Logging Service (974783)");
  script_summary(english:"Determines if hotfix 974783 has been installed");

  script_set_attribute(attribute:"synopsis", value:"Arbitrary code can be executed on the remote host.");
  script_set_attribute(attribute:"description", value:
"The remote version of Windows contains a flaw in the Logging Service that
may allow an attacker to execute arbitrary code on the remote host.

To exploit this flaw, an attacker would need to send a malformed packet to
the remote logging service, and would be able to either execute arbitrary
code on the remote host or to perform a denial of service.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-064");
  script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows 2000.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_cwe_id(119);

  script_set_attribute(attribute:"vuln_publication_date", value:"2009/11/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2009/11/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/11/10");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
  script_family(english:"Windows : Microsoft Bulletins");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, 'Host/patch_management_checks');

  exit(0);
}

include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS09-064';
kb = '974783';
kbs = make_list(kb);

# Let a third-party patch management product answer first, if one is configured.
if (get_kb_item("Host/patch_management_checks"))
  hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

# Only Windows 2000 SP4 (and the SP5 range) is in scope for this bulletin.
if (hotfix_check_sp_range(win2k:'4,5') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
if (hotfix_check_nt_server() <= 0)
  exit(0, "The host is not affected because it is not running the WinNT service.");

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

# Credentialed check: compare the installed Llssrv.exe against the patched file version.
if (hotfix_is_vulnerable(os:"5.0", file:"Llssrv.exe", version:"5.0.2195.7337", dir:"\system32", bulletin:bulletin, kb:kb))
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}
```

NASL family | Windows |
NASL id | SMB_KB974783.NASL |
description | The remote version of Windows contains a flaw in the Logging Service that may allow an attacker to execute arbitrary code on the remote host. To exploit this flaw, an attacker would need to send a malformed packet to the remote logging service and would be able to either execute arbitrary code on the remote host or perform a denial of service. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 42443 |
published | 2009-11-10 |
reporter | This script is Copyright (C) 2009-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/42443 |
title | MS09-064: Vulnerability in the License Logging Service (974783) (uncredentialed check) |
code |

```nasl
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(42443);
  script_version("1.17");
  script_cvs_date("Date: 2018/11/15 20:50:28");

  script_cve_id("CVE-2009-2523");
  script_bugtraq_id(36921);
  script_xref(name:"MSFT", value:"MS09-064");
  script_xref(name:"MSKB", value:"974783");

  script_name(english:"MS09-064: Vulnerability in the License Logging Service (974783) (uncredentialed check)");
  script_summary(english:"Determines if hotfix 974783 has been installed");

  script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host.");
  script_set_attribute(attribute:"description", value:
"The remote version of Windows contains a flaw in the Logging Service that
may allow an attacker to execute arbitrary code on the remote host.

To exploit this flaw, an attacker would need to send a malformed packet to
the remote logging service and would be able to either execute arbitrary
code on the remote host or perform a denial of service.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-064");
  script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows 2000.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_cwe_id(119);

  script_set_attribute(attribute:"vuln_publication_date", value:"2009/11/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2009/11/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/11/10");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
  script_family(english:"Windows");

  script_dependencies("smb_hotfixes.nasl");
  script_require_keys("SMB/Registry/Enumerated", "Host/OS/smb");
  script_require_ports(139, 445);

  exit(0);
}

include ('smb_func.inc');

# Returns 1 if the service accepts the request (unpatched), 0 if it is
# rejected (patched), and -1 if the \llsrpc pipe could not be bound.
function LlsrLicenseRequestW()
{
  local_var fid, data, rep, name;
  local_var code;

  fid = bind_pipe (pipe:"\llsrpc", uuid:"57674cd0-5200-11ce-a897-08002b2e9c6d", vers:1);
  if (isnull (fid))
    return -1;

  name = session_get_hostname();

  # only unicode is supported
  if (session_is_unicode ())
    name = class_name(name:name);
  else
  {
    session_set_unicode(unicode:1);
    name = class_name(name:name);
    session_set_unicode(unicode:0);
  }

  data = name +
         raw_dword (d:0) +
         raw_dword (d:0) +
         raw_byte(b:0) +
         raw_dword(d:0) +
         raw_dword(d:0) +
         raw_dword (d:0) +
         raw_dword (d:5) +
         '\xd4\xce\xc2\xcc\x00';

  data = dce_rpc_pipe_request (fid:fid, code:0x00, data:data);
  if (!data || strlen(data) != 48 )
    return 0;

  # The return code is the last DWORD of the reply.
  code = get_dword(blob:data, pos:strlen(data) - 4);
  if ( code == 0 )
    return 1;
  else
    return 0;  # Patched version returns 0xc000000d
}

os = get_kb_item ("Host/OS/smb") ;
if ( ! os || "Windows 5.0" >!< os ) exit(0, "OS unknown");

port = get_kb_item("SMB/transport");
if (!port) port = 445;

if ( ! get_port_state(port) ) exit(0, "Port " + port + " is closed.");
soc = open_sock_tcp(port);
if ( ! soc ) exit(1, "Could not connect to port "+port+".");

name  = kb_smb_name();
login = kb_smb_login();
pass  = kb_smb_password();
dom   = kb_smb_domain();

session_init(socket:soc, hostname:name);
r = NetUseAdd(share:"IPC$", login:login, password:pass, domain:dom);
if ( r == 1 )
{
  ret = LlsrLicenseRequestW();
  NetUseDel();
  if ( ret < 0 ) exit(1, "Could not connect to \llssvr");
  if (ret == 1)
  {
    security_hole(port:port);
    exit(0, "Host is vulnerable.");
  }
  else exit(0, "Host is patched.");
}
```
Oval
accepted | 2009-12-28T04:00:26.884-05:00 |
class | vulnerability |
contributors | |
definition_extensions | |
description | The License Logging Server (llssrv.exe) in Microsoft Windows 2000 SP4 allows remote attackers to execute arbitrary code via an RPC message containing a string without a null terminator, which triggers a heap-based buffer overflow in the LlsrLicenseRequestW method, aka "License Logging Server Heap Overflow Vulnerability." |
family | windows |
id | oval:org.mitre.oval:def:6300 |
status | accepted |
submitted | 2009-11-10T13:00:00 |
title | License Logging Server Heap Overflow Vulnerability |
version | 70 |
Seebug
bulletinFamily | exploit |
description | BUGTRAQ ID: 36921 CVE ID: CVE-2009-2523 Microsoft Windows is a very popular operating system published by Microsoft. The License Logging service (llssrv.exe) in Windows has a heap overflow vulnerability in the way it handles RPC calls. When the parameters passed to the LlsrLicenseRequestW method are processed, the character array is expected to contain a terminating null character. If a user sends malicious request data without a null character, the call to lstrcatW overflows the buffer, triggering this vulnerability. Exploiting this vulnerability requires no authentication. An attacker can exploit it by sending a specially crafted network message to a computer running the License Logging service; successful exploitation gives the attacker complete control of the system. Microsoft Windows 2000 SP4 Temporary workarounds: * Disable the License Logging service. * Block TCP ports 139 and 445 at the firewall. Vendor patch: Microsoft --------- Microsoft has released a security bulletin (MS09-064) and the corresponding patch: MS09-064: Vulnerability in License Logging Server Could Allow Remote Code Execution (974783) Link: http://www.microsoft.com/technet/security/bulletin/ms09-064.mspx?pf=true Patch download: http://www.microsoft.com/downloads/details.aspx?familyid=365a8dff-2383-42f6-b567-e545461fd135 |
id | SSV:12610 |
last seen | 2017-11-19 |
modified | 2009-11-11 |
published | 2009-11-11 |
reporter | Root |
title | Microsoft Windows License Logging Service Remote Heap Overflow Vulnerability (MS09-064) |