Vulnerabilities > CVE-2010-0239 - Code Injection vulnerability in Microsoft Windows Server 2008 and Windows Vista

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
microsoft
CWE-94
nessus
exploit available
NVD
Published: 2010-02-10
Updated: 2023-12-07

Summary

The TCP/IP implementation in Microsoft Windows Vista Gold, SP1, and SP2 and Server 2008 Gold and SP2, when IPv6 is enabled, does not properly perform bounds checking on ICMPv6 Router Advertisement packets, which allows remote attackers to execute arbitrary code via crafted packets, aka "ICMPv6 Router Advertisement Vulnerability."

Vulnerable Configurations

Part Description Count
OS
Microsoft
11

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
  • Manipulating User-Controlled Variables
    This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An attacker can override environment variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.

Exploit-Db

descriptionMicrosoft Windows VISTA/2008 ICMPv6 Router Advertisement Remote Code Execution Vulnerability. CVE-2010-0239. Remote exploit for windows platform
idEDB-ID:33594
last seen2016-02-03
modified2010-02-09
published2010-02-09
reporterSumit Gwalani
sourcehttps://www.exploit-db.com/download/33594/
titleMicrosoft Windows VISTA/2008 ICMPv6 Router Advertisement Remote Code Execution Vulnerability

Msbulletin

bulletin_idMS10-009
bulletin_url
date2010-02-09T00:00:00
impactRemote Code Execution
knowledgebase_id974145
knowledgebase_url
severityCritical
titleVulnerabilities in Windows TCP/IP Could Allow Remote Code Execution

Nessus

  • NASL familyWindows
    NASL idWIN_SERVER_2008_NTLM_PCI.NASL
    descriptionAccording to the version number obtained by NTLM the remote host has Windows Server 2008 installed. The host may be vulnerable to a number of vulnerabilities including remote unauthenticated code execution.
    last seen2020-06-01
    modified2020-06-02
    plugin id108811
    published2018-04-03
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108811
    titleWindows Server 2008 Critical RCE Vulnerabilities (uncredentialed) (PCI/DSS)
  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS10-009.NASL
    descriptionThe remote Windows host has the following vulnerabilities in its TCP/IP implementation : - Hosts with IPv6 enabled perform insufficient bounds checking when processing specially crafted ICMPv6 Router Advertisement packets. A remote attacker could exploit this to execute arbitrary code. (CVE-2010-0239) - Specially crafted Encapsulating Security Payloads (ESP) are not processed properly. A remote attacker could exploit this to execute arbitrary code. (CVE-2010-0240) - Hosts with IPv6 enabled perform insufficient bounds checking when processing specially crafted ICMPv6 Route Information packets. A remote attacker could exploit this to execute arbitrary code. (CVE-2010-0241) - Specially crafted TCP packets with a malformed selective acknowledgment (SACK) value can cause the system to stop responding and automatically restart. A remote attacker could exploit this to cause a denial of service. (CVE-2009-0242)
    last seen2020-06-01
    modified2020-06-02
    plugin id44419
    published2010-02-09
    reporterThis script is Copyright (C) 2010-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/44419
    titleMS10-009: Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (974145)

Oval

accepted2010-03-22T04:00:17.877-04:00
classvulnerability
contributors
nameDragos Prisaca
organizationSymantec Corporation
definition_extensions
  • commentMicrosoft Windows Vista (32-bit) is installed
    ovaloval:org.mitre.oval:def:1282
  • commentMicrosoft Windows Vista x64 Edition is installed
    ovaloval:org.mitre.oval:def:2041
  • commentMicrosoft Windows Vista (32-bit) is installed
    ovaloval:org.mitre.oval:def:1282
  • commentMicrosoft Windows Vista x64 Edition is installed
    ovaloval:org.mitre.oval:def:2041
  • commentMicrosoft Windows Vista (32-bit) Service Pack 1 is installed
    ovaloval:org.mitre.oval:def:4873
  • commentMicrosoft Windows Vista x64 Edition Service Pack 1 is installed
    ovaloval:org.mitre.oval:def:5254
  • commentMicrosoft Windows Server 2008 (32-bit) is installed
    ovaloval:org.mitre.oval:def:4870
  • commentMicrosoft Windows Server 2008 (64-bit) is installed
    ovaloval:org.mitre.oval:def:5356
  • commentMicrosoft Windows Server 2008 (ia-64) is installed
    ovaloval:org.mitre.oval:def:5667
  • commentMicrosoft Windows Vista (32-bit) Service Pack 1 is installed
    ovaloval:org.mitre.oval:def:4873
  • commentMicrosoft Windows Vista x64 Edition Service Pack 1 is installed
    ovaloval:org.mitre.oval:def:5254
  • commentMicrosoft Windows Server 2008 (32-bit) is installed
    ovaloval:org.mitre.oval:def:4870
  • commentMicrosoft Windows Server 2008 (64-bit) is installed
    ovaloval:org.mitre.oval:def:5356
  • commentMicrosoft Windows Server 2008 (ia-64) is installed
    ovaloval:org.mitre.oval:def:5667
  • commentMicrosoft Windows Vista (32-bit) Service Pack 2 is installed
    ovaloval:org.mitre.oval:def:6124
  • commentMicrosoft Windows Vista x64 Edition Service Pack 2 is installed
    ovaloval:org.mitre.oval:def:5594
  • commentMicrosoft Windows Server 2008 (32-bit) Service Pack 2 is installed
    ovaloval:org.mitre.oval:def:5653
  • commentMicrosoft Windows Server 2008 x64 Edition Service Pack 2 is installed
    ovaloval:org.mitre.oval:def:6216
  • commentMicrosoft Windows Server 2008 Itanium-Based Edition Service Pack 2 is installed
    ovaloval:org.mitre.oval:def:6150
  • commentMicrosoft Windows Vista (32-bit) Service Pack 2 is installed
    ovaloval:org.mitre.oval:def:6124
  • commentMicrosoft Windows Vista x64 Edition Service Pack 2 is installed
    ovaloval:org.mitre.oval:def:5594
  • commentMicrosoft Windows Server 2008 (32-bit) Service Pack 2 is installed
    ovaloval:org.mitre.oval:def:5653
  • commentMicrosoft Windows Server 2008 x64 Edition Service Pack 2 is installed
    ovaloval:org.mitre.oval:def:6216
  • commentMicrosoft Windows Server 2008 Itanium-Based Edition Service Pack 2 is installed
    ovaloval:org.mitre.oval:def:6150
descriptionThe TCP/IP implementation in Microsoft Windows Vista Gold, SP1, and SP2 and Server 2008 Gold and SP2, when IPv6 is enabled, does not properly perform bounds checking on ICMPv6 Router Advertisement packets, which allows remote attackers to execute arbitrary code via crafted packets, aka "ICMPv6 Router Advertisement Vulnerability."
familywindows
idoval:org.mitre.oval:def:8478
statusaccepted
submitted2010-02-08T13:00:00
titleICMPv6 Router Advertisement Vulnerability
version41

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 38061 CVE ID: CVE-2010-0239 Microsoft Windows是微软发布的非常流行的操作系统。 Windows TCP/IP栈在处理特制的ICMPv6路由播发报文时没有执行充分的边界检查,匿名攻击者可以通过向启用了IPv6的计算机发送特制的ICMPv6报文来利用此漏洞,成功利用此漏洞的攻击者可以完全控制受影响的系统。 Microsoft Windows Vista SP2 Microsoft Windows Vista SP1 Microsoft Windows Vista Microsoft Windows Server 2008 SP2 Microsoft Windows Server 2008 临时解决方法: * 禁用“核心网络 – 路由器播发(ICMPv6-In)”入站防火墙规则,从提升的命令提示符处运行下列命令: netsh firewall set rule name="Core Networking – Router Advertisement (ICMPv6-In)" dir=in new enable=No 厂商补丁: Microsoft --------- Microsoft已经为此发布了一个安全公告(MS10-009)以及相应补丁: MS10-009:Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (974145) 链接:http://www.microsoft.com/technet/security/Bulletin/MS10-009.mspx?pf=true
idSSV:19152
last seen2017-11-19
modified2010-02-20
published2010-02-20
reporterRoot
titleMicrosoft Windows ICMPv6路由播发缓冲区溢出漏洞(MS10-009)

References