Vulnerabilities > CVE-2009-2526 - Resource Management Errors vulnerability in Microsoft Windows Server 2008 and Windows Vista

047910
CVSS 7.8 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
COMPLETE
network
low complexity
microsoft
CWE-399
nessus
exploit available

Summary

Microsoft Windows Vista Gold, SP1, and SP2 and Server 2008 Gold and SP2 do not properly validate fields in SMBv2 packets, which allows remote attackers to cause a denial of service (infinite loop and system hang) via a crafted packet to the Server service, aka "SMBv2 Infinite Loop Vulnerability."

Common Weakness Enumeration (CWE)

Exploit-Db

  • idEDB-ID:40280
    last seen2018-11-30
    modified2016-02-26
    published2016-02-26
    reporterExploit-DB
    sourcehttps://www.exploit-db.com/download/40280
    titleMicrosoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)
  • descriptionMicrosoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference (MS09-050). CVE-2009-2526,CVE-2009-2532,CVE-2009-3103. Remote exploit for windows platform
    idEDB-ID:14674
    last seen2016-02-01
    modified2010-08-17
    published2010-08-17
    reporterPiotr Bania
    sourcehttps://www.exploit-db.com/download/14674/
    titleMicrosoft Windows - SRV2.SYS SMB Negotiate ProcessID Function Table Dereference MS09-050

Msbulletin

bulletin_idMS09-050
bulletin_url
date2009-10-13T00:00:00
impactRemote Code Execution
knowledgebase_id975517
knowledgebase_url
severityCritical
titleVulnerabilities in SMBv2 Could Allow Remote Code Execution

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS09-050.NASL
descriptionThe remote Windows host contains a vulnerable SMBv2 implementation with the following issues : - A specially crafted SMBv2 packet can cause an infinite loop in the Server service. A remote, unauthenticated attacker can exploit this to cause a denial of service. (CVE-2009-2526) - Sending a specially crafted SMBv2 packet to the Server service can result in code execution. A remote, unauthenticated attacker can exploit this to take complete control of the system. (CVE-2009-2532, CVE-2009-3103) (EDUCATEDSCHOLAR) EDUCATEDSCHOLAR is one of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers.
last seen2020-06-01
modified2020-06-02
plugin id42106
published2009-10-13
reporterThis script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/42106
titleMS09-050: Vulnerabilities in SMBv2 Could Allow Remote Code Execution (975517) (EDUCATEDSCHOLAR)
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");


if (description)
{
  script_id(42106);
  script_version("1.29");
  script_cvs_date("Date: 2018/11/15 20:50:30");

  script_cve_id("CVE-2009-2526", "CVE-2009-2532", "CVE-2009-3103");
  script_bugtraq_id(36299, 36594, 36595);
  script_xref(name:"MSFT", value:"MS09-050");
  script_xref(name:"MSKB", value:"975517");
  script_xref(name:"CERT", value:"135940");
  script_xref(name:"EDB-ID", value:"9594");
  script_xref(name:"EDB-ID", value:"10005");
  script_xref(name:"EDB-ID", value:"12524");
  script_xref(name:"EDB-ID", value:"14674");
  script_xref(name:"EDB-ID", value:"16363");

  script_name(english:"MS09-050: Vulnerabilities in SMBv2 Could Allow Remote Code Execution (975517) (EDUCATEDSCHOLAR)");
  script_summary(english:"Checks version of srv2.sys");

  script_set_attribute(attribute:"synopsis", value:"The remote SMB server can be abused to execute code remotely.");
  script_set_attribute(attribute:"description", value:
"The remote Windows host contains a vulnerable SMBv2 implementation with
the following issues :

  - A specially crafted SMBv2 packet can cause an
    infinite loop in the Server service.  A remote,
    unauthenticated attacker can exploit this to cause
    a denial of service. (CVE-2009-2526)

  - Sending a specially crafted SMBv2 packet to the Server
    service can result in code execution.  A remote,
    unauthenticated attacker can exploit this to take
    complete control of the system. (CVE-2009-2532,
    CVE-2009-3103) (EDUCATEDSCHOLAR)

EDUCATEDSCHOLAR is one of multiple Equation Group vulnerabilities and
exploits disclosed on 2017/04/14 by a group known as the Shadow
Brokers.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-050");
  script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows Vista and 2008.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');
  script_cwe_id(94, 399);

  script_set_attribute(attribute:"vuln_publication_date", value:"2009/09/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2009/10/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/10/13");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"in_the_news", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");
  script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, 'Host/patch_management_checks');
  exit(0);
}


include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS09-050';
kb = '975517';

kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(vista:'0,2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if (
  # Vista SP0 (x86 & x64)
  hotfix_is_vulnerable(os:"6.0",   file:"srv2.sys", version:"6.0.6000.16927",   min_version:"6.0.6000.0", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0",   file:"srv2.sys", version:"6.0.6000.21127",   min_version:"6.0.6000.20000", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||

  # Vista / 2k8 SP1 (x86 & x64)
  hotfix_is_vulnerable(os:"6.0",   file:"srv2.sys", version:"6.0.6001.18331",   min_version:"6.0.6001.0", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0",   file:"srv2.sys", version:"6.0.6001.22522",   min_version:"6.0.6001.20000", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||

  # Vista / 2k8 SP2 (x86 & x64)
  hotfix_is_vulnerable(os:"6.0",   file:"srv2.sys", version:"6.0.6002.18112",   min_version:"6.0.6002.0", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0",   file:"srv2.sys", version:"6.0.6002.22225",   min_version:"6.0.6002.20000", dir:"\system32\drivers", bulletin:bulletin, kb:kb)
)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

Oval

accepted2014-08-18T04:05:59.376-04:00
classvulnerability
contributors
  • nameDragos Prisaca
    organizationGideon Technologies, Inc.
  • nameMaria Mikhno
    organizationALTX-SOFT
definition_extensions
  • commentMicrosoft Windows Vista (32-bit) is installed
    ovaloval:org.mitre.oval:def:1282
  • commentMicrosoft Windows Vista x64 Edition is installed
    ovaloval:org.mitre.oval:def:2041
  • commentMicrosoft Windows Vista (32-bit) is installed
    ovaloval:org.mitre.oval:def:1282
  • commentMicrosoft Windows Vista x64 Edition is installed
    ovaloval:org.mitre.oval:def:2041
  • commentMicrosoft Windows Vista (32-bit) is installed
    ovaloval:org.mitre.oval:def:1282
  • commentMicrosoft Windows Vista x64 Edition is installed
    ovaloval:org.mitre.oval:def:2041
  • commentMicrosoft Windows Server 2008 (32-bit) is installed
    ovaloval:org.mitre.oval:def:4870
  • commentMicrosoft Windows Server 2008 (64-bit) is installed
    ovaloval:org.mitre.oval:def:5356
  • commentMicrosoft Windows Server 2008 (ia-64) is installed
    ovaloval:org.mitre.oval:def:5667
  • commentMicrosoft Windows Vista (32-bit) is installed
    ovaloval:org.mitre.oval:def:1282
  • commentMicrosoft Windows Vista x64 Edition is installed
    ovaloval:org.mitre.oval:def:2041
  • commentMicrosoft Windows Server 2008 (32-bit) is installed
    ovaloval:org.mitre.oval:def:4870
  • commentMicrosoft Windows Server 2008 (64-bit) is installed
    ovaloval:org.mitre.oval:def:5356
  • commentMicrosoft Windows Server 2008 (ia-64) is installed
    ovaloval:org.mitre.oval:def:5667
  • commentMicrosoft Windows Vista (32-bit) is installed
    ovaloval:org.mitre.oval:def:1282
  • commentMicrosoft Windows Vista x64 Edition is installed
    ovaloval:org.mitre.oval:def:2041
  • commentMicrosoft Windows Server 2008 (32-bit) is installed
    ovaloval:org.mitre.oval:def:4870
  • commentMicrosoft Windows Server 2008 (64-bit) is installed
    ovaloval:org.mitre.oval:def:5356
  • commentMicrosoft Windows Server 2008 (ia-64) is installed
    ovaloval:org.mitre.oval:def:5667
  • commentMicrosoft Windows Vista (32-bit) is installed
    ovaloval:org.mitre.oval:def:1282
  • commentMicrosoft Windows Vista x64 Edition is installed
    ovaloval:org.mitre.oval:def:2041
  • commentMicrosoft Windows Server 2008 (32-bit) is installed
    ovaloval:org.mitre.oval:def:4870
  • commentMicrosoft Windows Server 2008 (64-bit) is installed
    ovaloval:org.mitre.oval:def:5356
  • commentMicrosoft Windows Server 2008 (ia-64) is installed
    ovaloval:org.mitre.oval:def:5667
descriptionMicrosoft Windows Vista Gold, SP1, and SP2 and Server 2008 Gold and SP2 do not properly validate fields in SMBv2 packets, which allows remote attackers to cause a denial of service (infinite loop and system hang) via a crafted packet to the Server service, aka "SMBv2 Infinite Loop Vulnerability."
familywindows
idoval:org.mitre.oval:def:5595
statusaccepted
submitted2009-10-13T13:00:00
titleSMBv2 Infinite Loop Vulnerability
version43

Seebug

bulletinFamilyexploit
descriptionBugraq ID: 36595 CVE ID:CVE-2009-2526 Microsoft windows是一款流行的操作系统。 Microsoft windows SMB2是新版windows捆绑的SMB协议实现,Microsoft Server Message Block (SMB)协议软件处理特殊构建的SMB版本2(SMBv2)报文存在漏洞,攻击者可以提交恶意请求报文对系统进行拒绝服务攻击。 利用此漏洞无需验证,允许攻击者发送特殊构建的网络消息给运行server服务的计算机,成功利用漏洞可导致计算机停止响应,直至重新启动。 目前没有详细漏洞细节提供。 Microsoft Windows Vista x64 Edition SP2 Microsoft Windows Vista x64 Edition SP1 Microsoft Windows Vista x64 Edition 0 Microsoft Windows Vista Ultimate 64-bit edition SP2 Microsoft Windows Vista Ultimate 64-bit edition SP1 Microsoft Windows Vista Ultimate 64-bit edition 0 Microsoft Windows Vista Home Premium 64-bit edition SP2 Microsoft Windows Vista Home Premium 64-bit edition SP1 Microsoft Windows Vista Home Premium 64-bit edition 0 Microsoft Windows Vista Home Basic 64-bit edition SP2 Microsoft Windows Vista Home Basic 64-bit edition SP1 Microsoft Windows Vista Home Basic 64-bit edition 0 Microsoft Windows Vista Enterprise 64-bit edition SP2 Microsoft Windows Vista Enterprise 64-bit edition SP1 Microsoft Windows Vista Enterprise 64-bit edition 0 Microsoft Windows Vista Business 64-bit edition SP2 Microsoft Windows Vista Business 64-bit edition SP1 Microsoft Windows Vista Business 64-bit edition 0 Microsoft Windows Vista Ultimate SP2 Microsoft Windows Vista Ultimate SP1 Microsoft Windows Vista Ultimate Microsoft Windows Vista Home Premium SP2 Microsoft Windows Vista Home Premium SP1 Microsoft Windows Vista Home Premium Microsoft Windows Vista Home Basic SP2 Microsoft Windows Vista Home Basic SP1 Microsoft Windows Vista Home Basic Microsoft Windows Vista Enterprise SP2 Microsoft Windows Vista Enterprise SP1 Microsoft Windows Vista Enterprise Microsoft Windows Vista Business SP2 Microsoft Windows Vista Business SP1 Microsoft Windows Vista Business Microsoft Windows Server 2008 Standard Edition SP2 Microsoft Windows Server 2008 Standard Edition 0 Microsoft Windows Server 2008 for x64-based Systems SP2 Microsoft Windows Server 2008 for x64-based Systems 0 Microsoft Windows Server 2008 for Itanium-based Systems SP2 Microsoft Windows Server 2008 for Itanium-based Systems 0 Microsoft Windows Server 2008 for 32-bit Systems SP2 Microsoft Windows Server 2008 for 32-bit Systems 0 Microsoft Windows Server 2008 Enterprise Edition SP2 Microsoft Windows Server 2008 Enterprise Edition 0 Microsoft Windows Server 2008 Datacenter Edition SP2 Microsoft Windows Server 2008 Datacenter Edition 0 Microsoft Windows 7 RC Microsoft Windows 7 beta 厂商解决方案 用户可参考如下供应商提供的安全补丁: Microsoft Windows Server 2008 for x64-based Systems 0 Microsoft Security Update for Windows Server 2008 x64 Edition (KB975517) http://www.microsoft.com/downloads/details.aspx?familyid=aff6f9c7-4a72 -48f2-b750-204d796c7daa Microsoft Windows Server 2008 for Itanium-based Systems SP2 Microsoft Security Update for Windows Server 2008 for Itanium-based Systems (KB975517) http://www.microsoft.com/downloads/details.aspx?familyid=7b70108b-7f59 -4898-ab4e-76be990de878 Microsoft Windows Server 2008 for 32-bit Systems SP2 Microsoft Security Update for Windows Server 2008 (KB975517) http://www.microsoft.com/downloads/details.aspx?familyid=ff6bfcf3-76c9 -4c45-b57d-22f94458dd6e Microsoft Windows Vista x64 Edition 0 Microsoft Security Update for Windows Vista for x64-based Systems (KB975517) http://www.microsoft.com/downloads/details.aspx?familyid=62ed5d0a-5ca6 -4942-80c9-7808b14cb6b5 Microsoft Windows Server 2008 for x64-based Systems SP2 Microsoft Security Update for Windows Server 2008 x64 Edition (KB975517) http://www.microsoft.com/downloads/details.aspx?familyid=aff6f9c7-4a72 -48f2-b750-204d796c7daa Microsoft Windows Server 2008 for Itanium-based Systems 0 Microsoft Security Update for Windows Server 2008 for Itanium-based Systems (KB975517) http://www.microsoft.com/downloads/details.aspx?familyid=7b70108b-7f59 -4898-ab4e-76be990de878 Microsoft Windows Vista x64 Edition SP2 Microsoft Security Update for Windows Vista for x64-based Systems (KB975517) http://www.microsoft.com/downloads/details.aspx?familyid=62ed5d0a-5ca6 -4942-80c9-7808b14cb6b5 Microsoft Windows Server 2008 for 32-bit Systems 0 Microsoft Security Update for Windows Server 2008 (KB975517) http://www.microsoft.com/downloads/details.aspx?familyid=ff6bfcf3-76c9 -4c45-b57d-22f94458dd6e Microsoft Windows Vista x64 Edition SP1 Microsoft Security Update for Windows Vista for x64-based Systems (KB975517) http://www.microsoft.com/downloads/details.aspx?familyid=62ed5d0a-5ca6 -4942-80c9-7808b14cb6b5
idSSV:12472
last seen2017-11-19
modified2009-10-14
published2009-10-14
reporterRoot
titleMicrosoft Windows SMB2字段校验远程拒绝服务漏洞(MS09-050)