Vulnerabilities > CVE-2009-2526 - Resource Management Errors vulnerability in Microsoft Windows Server 2008 and Windows Vista

CVSS 0.0 - NONE

Attack vector

UNKNOWN

Attack complexity

UNKNOWN

Privileges required

UNKNOWN

Confidentiality impact

UNKNOWN

Integrity impact

UNKNOWN

Availability impact

UNKNOWN

microsoft

CWE-399

nessus

exploit available

NVD

Published: 2009-10-14

Updated: 2024-11-21

Summary

Microsoft Windows Vista Gold, SP1, and SP2 and Server 2008 Gold and SP2 do not properly validate fields in SMBv2 packets, which allows remote attackers to cause a denial of service (infinite loop and system hang) via a crafted packet to the Server service, aka "SMBv2 Infinite Loop Vulnerability."

Vulnerable Configurations

Part	Description	Count
OS	Microsoft Microsoft Windows Server 2008 - Microsoft Windows Server 2008 * Microsoft Windows Vista * Microsoft Windows Vista -	14

Common Weakness Enumeration (CWE)

CWE-399 - Resource Management Errors

Exploit-Db

id	EDB-ID:40280
last seen	2018-11-30
modified	2016-02-26
published	2016-02-26
reporter	Exploit-DB
source	https://www.exploit-db.com/download/40280
title	Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)

description	Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference (MS09-050). CVE-2009-2526,CVE-2009-2532,CVE-2009-3103. Remote exploit for windows platform
id	EDB-ID:14674
last seen	2016-02-01
modified	2010-08-17
published	2010-08-17
reporter	Piotr Bania
source	https://www.exploit-db.com/download/14674/
title	Microsoft Windows - SRV2.SYS SMB Negotiate ProcessID Function Table Dereference MS09-050

Msbulletin

bulletin_id	MS09-050
bulletin_url
date	2009-10-13T00:00:00
impact	Remote Code Execution
knowledgebase_id	975517
knowledgebase_url
severity	Critical
title	Vulnerabilities in SMBv2 Could Allow Remote Code Execution

Nessus

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS09-050.NASL
description	The remote Windows host contains a vulnerable SMBv2 implementation with the following issues : - A specially crafted SMBv2 packet can cause an infinite loop in the Server service. A remote, unauthenticated attacker can exploit this to cause a denial of service. (CVE-2009-2526) - Sending a specially crafted SMBv2 packet to the Server service can result in code execution. A remote, unauthenticated attacker can exploit this to take complete control of the system. (CVE-2009-2532, CVE-2009-3103) (EDUCATEDSCHOLAR) EDUCATEDSCHOLAR is one of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers.
last seen	2020-06-01
modified	2020-06-02
plugin id	42106
published	2009-10-13
reporter	This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/42106
title	MS09-050: Vulnerabilities in SMBv2 Could Allow Remote Code Execution (975517) (EDUCATEDSCHOLAR)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(42106); script_version("1.29"); script_cvs_date("Date: 2018/11/15 20:50:30"); script_cve_id("CVE-2009-2526", "CVE-2009-2532", "CVE-2009-3103"); script_bugtraq_id(36299, 36594, 36595); script_xref(name:"MSFT", value:"MS09-050"); script_xref(name:"MSKB", value:"975517"); script_xref(name:"CERT", value:"135940"); script_xref(name:"EDB-ID", value:"9594"); script_xref(name:"EDB-ID", value:"10005"); script_xref(name:"EDB-ID", value:"12524"); script_xref(name:"EDB-ID", value:"14674"); script_xref(name:"EDB-ID", value:"16363"); script_name(english:"MS09-050: Vulnerabilities in SMBv2 Could Allow Remote Code Execution (975517) (EDUCATEDSCHOLAR)"); script_summary(english:"Checks version of srv2.sys"); script_set_attribute(attribute:"synopsis", value:"The remote SMB server can be abused to execute code remotely."); script_set_attribute(attribute:"description", value: "The remote Windows host contains a vulnerable SMBv2 implementation with the following issues : - A specially crafted SMBv2 packet can cause an infinite loop in the Server service. A remote, unauthenticated attacker can exploit this to cause a denial of service. (CVE-2009-2526) - Sending a specially crafted SMBv2 packet to the Server service can result in code execution. A remote, unauthenticated attacker can exploit this to take complete control of the system. (CVE-2009-2532, CVE-2009-3103) (EDUCATEDSCHOLAR) EDUCATEDSCHOLAR is one of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers."); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-050"); script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows Vista and 2008."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_cwe_id(94, 399); script_set_attribute(attribute:"vuln_publication_date", value:"2009/09/08"); script_set_attribute(attribute:"patch_publication_date", value:"2009/10/13"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/10/13"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_set_attribute(attribute:"in_the_news", value:"true"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows : Microsoft Bulletins"); script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc."); script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, 'Host/patch_management_checks'); exit(0); } include("audit.inc"); include("smb_func.inc"); include("smb_hotfixes.inc"); include("smb_hotfixes_fcheck.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS09-050'; kb = '975517'; kbs = make_list(kb); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); get_kb_item_or_exit("SMB/Registry/Enumerated"); get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1); if (hotfix_check_sp_range(vista:'0,2') <= 0) audit(AUDIT_OS_SP_NOT_VULN); rootfile = hotfix_get_systemroot(); if (!rootfile) exit(1, "Failed to get the system root."); share = hotfix_path2share(path:rootfile); if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share); if ( # Vista SP0 (x86 & x64) hotfix_is_vulnerable(os:"6.0", file:"srv2.sys", version:"6.0.6000.16927", min_version:"6.0.6000.0", dir:"\system32\drivers", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"6.0", file:"srv2.sys", version:"6.0.6000.21127", min_version:"6.0.6000.20000", dir:"\system32\drivers", bulletin:bulletin, kb:kb) \|\| # Vista / 2k8 SP1 (x86 & x64) hotfix_is_vulnerable(os:"6.0", file:"srv2.sys", version:"6.0.6001.18331", min_version:"6.0.6001.0", dir:"\system32\drivers", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"6.0", file:"srv2.sys", version:"6.0.6001.22522", min_version:"6.0.6001.20000", dir:"\system32\drivers", bulletin:bulletin, kb:kb) \|\| # Vista / 2k8 SP2 (x86 & x64) hotfix_is_vulnerable(os:"6.0", file:"srv2.sys", version:"6.0.6002.18112", min_version:"6.0.6002.0", dir:"\system32\drivers", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"6.0", file:"srv2.sys", version:"6.0.6002.22225", min_version:"6.0.6002.20000", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ) { set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE); hotfix_security_hole(); hotfix_check_fversion_end(); exit(0); } else { hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, 'affected'); }

Oval

accepted

2014-08-18T04:05:59.376-04:00

class

vulnerability

contributors

name Dragos Prisaca
organization Gideon Technologies, Inc.
name Maria Mikhno
organization ALTX-SOFT

definition_extensions

comment Microsoft Windows Vista (32-bit) is installed
oval oval:org.mitre.oval:def:1282
comment Microsoft Windows Vista x64 Edition is installed
oval oval:org.mitre.oval:def:2041
comment Microsoft Windows Vista (32-bit) is installed
oval oval:org.mitre.oval:def:1282
comment Microsoft Windows Vista x64 Edition is installed
oval oval:org.mitre.oval:def:2041
comment Microsoft Windows Vista (32-bit) is installed
oval oval:org.mitre.oval:def:1282
comment Microsoft Windows Vista x64 Edition is installed
oval oval:org.mitre.oval:def:2041
comment Microsoft Windows Server 2008 (32-bit) is installed
oval oval:org.mitre.oval:def:4870
comment Microsoft Windows Server 2008 (64-bit) is installed
oval oval:org.mitre.oval:def:5356
comment Microsoft Windows Server 2008 (ia-64) is installed
oval oval:org.mitre.oval:def:5667
comment Microsoft Windows Vista (32-bit) is installed
oval oval:org.mitre.oval:def:1282
comment Microsoft Windows Vista x64 Edition is installed
oval oval:org.mitre.oval:def:2041
comment Microsoft Windows Server 2008 (32-bit) is installed
oval oval:org.mitre.oval:def:4870
comment Microsoft Windows Server 2008 (64-bit) is installed
oval oval:org.mitre.oval:def:5356
comment Microsoft Windows Server 2008 (ia-64) is installed
oval oval:org.mitre.oval:def:5667
comment Microsoft Windows Vista (32-bit) is installed
oval oval:org.mitre.oval:def:1282
comment Microsoft Windows Vista x64 Edition is installed
oval oval:org.mitre.oval:def:2041
comment Microsoft Windows Server 2008 (32-bit) is installed
oval oval:org.mitre.oval:def:4870
comment Microsoft Windows Server 2008 (64-bit) is installed
oval oval:org.mitre.oval:def:5356
comment Microsoft Windows Server 2008 (ia-64) is installed
oval oval:org.mitre.oval:def:5667
comment Microsoft Windows Vista (32-bit) is installed
oval oval:org.mitre.oval:def:1282
comment Microsoft Windows Vista x64 Edition is installed
oval oval:org.mitre.oval:def:2041
comment Microsoft Windows Server 2008 (32-bit) is installed
oval oval:org.mitre.oval:def:4870
comment Microsoft Windows Server 2008 (64-bit) is installed
oval oval:org.mitre.oval:def:5356
comment Microsoft Windows Server 2008 (ia-64) is installed
oval oval:org.mitre.oval:def:5667

description

family

windows

oval:org.mitre.oval:def:5595

status

accepted

submitted

2009-10-13T13:00:00

title

SMBv2 Infinite Loop Vulnerability

version

Seebug

bulletinFamily	exploit
description	Bugraq ID: 36595 CVE ID：CVE-2009-2526 Microsoft windows是一款流行的操作系统。 Microsoft windows SMB2是新版windows捆绑的SMB协议实现，Microsoft Server Message Block (SMB)协议软件处理特殊构建的SMB版本2(SMBv2)报文存在漏洞，攻击者可以提交恶意请求报文对系统进行拒绝服务攻击。利用此漏洞无需验证，允许攻击者发送特殊构建的网络消息给运行server服务的计算机，成功利用漏洞可导致计算机停止响应，直至重新启动。目前没有详细漏洞细节提供。 Microsoft Windows Vista x64 Edition SP2 Microsoft Windows Vista x64 Edition SP1 Microsoft Windows Vista x64 Edition 0 Microsoft Windows Vista Ultimate 64-bit edition SP2 Microsoft Windows Vista Ultimate 64-bit edition SP1 Microsoft Windows Vista Ultimate 64-bit edition 0 Microsoft Windows Vista Home Premium 64-bit edition SP2 Microsoft Windows Vista Home Premium 64-bit edition SP1 Microsoft Windows Vista Home Premium 64-bit edition 0 Microsoft Windows Vista Home Basic 64-bit edition SP2 Microsoft Windows Vista Home Basic 64-bit edition SP1 Microsoft Windows Vista Home Basic 64-bit edition 0 Microsoft Windows Vista Enterprise 64-bit edition SP2 Microsoft Windows Vista Enterprise 64-bit edition SP1 Microsoft Windows Vista Enterprise 64-bit edition 0 Microsoft Windows Vista Business 64-bit edition SP2 Microsoft Windows Vista Business 64-bit edition SP1 Microsoft Windows Vista Business 64-bit edition 0 Microsoft Windows Vista Ultimate SP2 Microsoft Windows Vista Ultimate SP1 Microsoft Windows Vista Ultimate Microsoft Windows Vista Home Premium SP2 Microsoft Windows Vista Home Premium SP1 Microsoft Windows Vista Home Premium Microsoft Windows Vista Home Basic SP2 Microsoft Windows Vista Home Basic SP1 Microsoft Windows Vista Home Basic Microsoft Windows Vista Enterprise SP2 Microsoft Windows Vista Enterprise SP1 Microsoft Windows Vista Enterprise Microsoft Windows Vista Business SP2 Microsoft Windows Vista Business SP1 Microsoft Windows Vista Business Microsoft Windows Server 2008 Standard Edition SP2 Microsoft Windows Server 2008 Standard Edition 0 Microsoft Windows Server 2008 for x64-based Systems SP2 Microsoft Windows Server 2008 for x64-based Systems 0 Microsoft Windows Server 2008 for Itanium-based Systems SP2 Microsoft Windows Server 2008 for Itanium-based Systems 0 Microsoft Windows Server 2008 for 32-bit Systems SP2 Microsoft Windows Server 2008 for 32-bit Systems 0 Microsoft Windows Server 2008 Enterprise Edition SP2 Microsoft Windows Server 2008 Enterprise Edition 0 Microsoft Windows Server 2008 Datacenter Edition SP2 Microsoft Windows Server 2008 Datacenter Edition 0 Microsoft Windows 7 RC Microsoft Windows 7 beta 厂商解决方案用户可参考如下供应商提供的安全补丁： Microsoft Windows Server 2008 for x64-based Systems 0 Microsoft Security Update for Windows Server 2008 x64 Edition (KB975517) http://www.microsoft.com/downloads/details.aspx?familyid=aff6f9c7-4a72 -48f2-b750-204d796c7daa Microsoft Windows Server 2008 for Itanium-based Systems SP2 Microsoft Security Update for Windows Server 2008 for Itanium-based Systems (KB975517) http://www.microsoft.com/downloads/details.aspx?familyid=7b70108b-7f59 -4898-ab4e-76be990de878 Microsoft Windows Server 2008 for 32-bit Systems SP2 Microsoft Security Update for Windows Server 2008 (KB975517) http://www.microsoft.com/downloads/details.aspx?familyid=ff6bfcf3-76c9 -4c45-b57d-22f94458dd6e Microsoft Windows Vista x64 Edition 0 Microsoft Security Update for Windows Vista for x64-based Systems (KB975517) http://www.microsoft.com/downloads/details.aspx?familyid=62ed5d0a-5ca6 -4942-80c9-7808b14cb6b5 Microsoft Windows Server 2008 for x64-based Systems SP2 Microsoft Security Update for Windows Server 2008 x64 Edition (KB975517) http://www.microsoft.com/downloads/details.aspx?familyid=aff6f9c7-4a72 -48f2-b750-204d796c7daa Microsoft Windows Server 2008 for Itanium-based Systems 0 Microsoft Security Update for Windows Server 2008 for Itanium-based Systems (KB975517) http://www.microsoft.com/downloads/details.aspx?familyid=7b70108b-7f59 -4898-ab4e-76be990de878 Microsoft Windows Vista x64 Edition SP2 Microsoft Security Update for Windows Vista for x64-based Systems (KB975517) http://www.microsoft.com/downloads/details.aspx?familyid=62ed5d0a-5ca6 -4942-80c9-7808b14cb6b5 Microsoft Windows Server 2008 for 32-bit Systems 0 Microsoft Security Update for Windows Server 2008 (KB975517) http://www.microsoft.com/downloads/details.aspx?familyid=ff6bfcf3-76c9 -4c45-b57d-22f94458dd6e Microsoft Windows Vista x64 Edition SP1 Microsoft Security Update for Windows Vista for x64-based Systems (KB975517) http://www.microsoft.com/downloads/details.aspx?familyid=62ed5d0a-5ca6 -4942-80c9-7808b14cb6b5
id	SSV:12472
last seen	2017-11-19
modified	2009-10-14
published	2009-10-14
reporter	Root
title	Microsoft Windows SMB2字段校验远程拒绝服务漏洞(MS09-050)

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Exploit-Db

Msbulletin

Nessus

Oval

Seebug

References