Executive Summary



This alert is flagged as involving a CWE/SANS Top 25 Common Weakness Enumeration entry.
Summary
Title: Vulnerabilities in Windows HTTP Services Could Allow Remote Code Execution (960803)
Information
Name: MS09-013
First vendor publication: 2009-04-14
Vendor: Microsoft
Last vendor modification: 2009-04-29
Severity (Vendor): Critical
Revision: 1.1

Security-Database Scoring CVSS v3

Cvss vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact SubScore: NA
Temporal Score: NA
Exploitability Sub Score: NA

Security-Database Scoring CVSS v2

Cvss vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score: 10
Cvss Impact Score: 10
Cvss Exploit Score: 10
Attack Range: Network
Attack Complexity: Low
Authentication: None Required

Detail

Revision Note: V1.1 (April 29, 2009): Added entry to the section, Frequently Asked Questions (FAQ) Related to This Security Update, to communicate that the Known issues with this security update section in the associated Microsoft Knowledge Base Article 960803 has been updated. This is an informational change only.

Summary: This security update resolves one publicly disclosed vulnerability and two privately reported vulnerabilities in Microsoft Windows HTTP Services (WinHTTP). The most severe vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Original Source

Url : http://www.microsoft.com/technet/security/bulletin/MS09-013.mspx

CWE : Common Weakness Enumeration

% Id Name
50 % CWE-189 Numeric Errors (CWE/SANS Top 25)
50 % CWE-20 Improper Input Validation

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:5320
 
Oval ID: oval:org.mitre.oval:def:5320
Title: Windows HTTP Services Credential Reflection Vulnerability
Description: Windows HTTP Services (aka WinHTTP) in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008; and WinINet in Microsoft Internet Explorer 5.01 SP4, 6 SP1, 6 and 7 on Windows XP SP2 and SP3, 6 and 7 on Windows Server 2003 SP1 and SP2, 7 on Windows Vista Gold and SP1, and 7 on Windows Server 2008; allows remote web servers to capture and replay NTLM credentials, and execute arbitrary code, via vectors related to absence of a "credential-reflection protections" opt-in step, aka "Windows HTTP Services Credential Reflection Vulnerability" and "WinINet Credential Reflection Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-0550
Version: 4
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows Server 2008
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:6027
 
Oval ID: oval:org.mitre.oval:def:6027
Title: Windows HTTP Services Certificate Name Mismatch Vulnerability
Description: Windows HTTP Services (aka WinHTTP) in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, and Vista Gold allows remote web servers to impersonate arbitrary https web sites by using DNS spoofing to "forward a connection" to a different https web site that has a valid certificate matching its own domain name, but not a certificate matching the domain name of the host requested by the user, aka "Windows HTTP Services Certificate Name Mismatch Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-0089
Version: 6
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows Server 2008
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:6149
 
Oval ID: oval:org.mitre.oval:def:6149
Title: Windows HTTP Services Integer Underflow Vulnerability
Description: Integer underflow in Windows HTTP Services (aka WinHTTP) in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows remote HTTP servers to execute arbitrary code via crafted parameter values in a response, related to error handling, aka "Windows HTTP Services Integer Underflow Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-0086
Version: 6
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows Server 2008
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:6233
 
Oval ID: oval:org.mitre.oval:def:6233
Title: WinINet Credential Reflection Vulnerability
Description: Windows HTTP Services (aka WinHTTP) in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008; and WinINet in Microsoft Internet Explorer 5.01 SP4, 6 SP1, 6 and 7 on Windows XP SP2 and SP3, 6 and 7 on Windows Server 2003 SP1 and SP2, 7 on Windows Vista Gold and SP1, and 7 on Windows Server 2008; allows remote web servers to capture and replay NTLM credentials, and execute arbitrary code, via vectors related to absence of a "credential-reflection protections" opt-in step, aka "Windows HTTP Services Credential Reflection Vulnerability" and "WinINet Credential Reflection Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-0550
Version: 2
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows Server 2008
Product(s): Microsoft Internet Explorer
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:7569
 
Oval ID: oval:org.mitre.oval:def:7569
Title: WinINet and Windows HTTP Services Credential Reflection Vulnerability
Description: Windows HTTP Services (aka WinHTTP) in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008; and WinINet in Microsoft Internet Explorer 5.01 SP4, 6 SP1, 6 and 7 on Windows XP SP2 and SP3, 6 and 7 on Windows Server 2003 SP1 and SP2, 7 on Windows Vista Gold and SP1, and 7 on Windows Server 2008; allows remote web servers to capture and replay NTLM credentials, and execute arbitrary code, via vectors related to absence of a "credential-reflection protections" opt-in step, aka "Windows HTTP Services Credential Reflection Vulnerability" and "WinINet Credential Reflection Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-0550
Version: 8
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows Server 2008
Product(s): Microsoft Internet Explorer
Definition Synopsis:

CPE : Common Platform Enumeration

Type Description Count
Os 1
Os 4
Os 5
Os 6
Os 4

SAINT Exploits

Description
Internet Explorer WinINet credential reflection vulnerability

OpenVAS Exploits

Date Description
2009-04-15 Name : Windows HTTP Services Could Allow Remote Code Execution Vulnerabilities (960803)
File : nvt/secpod_ms09-013.nasl
2009-04-15 Name : Microsoft Internet Explorer Remote Code Execution Vulnerability (963027)
File : nvt/secpod_ms09-014.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
53621 Microsoft Windows HTTP Services Digital Certificate Distinguished Name Mismat...

53620 Microsoft Windows HTTP Services Web Server Response Unspecified Integer Under...

A memory corruption flaw exists in Windows. WinHTTP.dll fails to properly parse the HTTP chunksize parameter resulting in an integer underflow. With a specially crafted HTTP response, a context-dependent attacker can cause arbitrary code execution, resulting in a loss of integrity.
53619 Microsoft Windows HTTP Services NTLM Credential Replay Privileged Code Execution

Information Assurance Vulnerability Management (IAVM)

Date Description
2009-04-19 IAVM : 2009-A-0034 - Microsoft Windows HTTP Services Remote Code Execution Vulnerability
Severity : Category I - VMSKEY : V0018756

Snort® IPS/IDS

Date Description
2014-01-10 possible SMB replay attempt - overlapping encryption keys detected
RuleID : 17723 - Revision : 12 - Type : OS-WINDOWS
2014-01-10 Telnet-based NTLM replay attack attempt
RuleID : 15847 - Revision : 14 - Type : OS-WINDOWS
2014-01-10 Multiple web browsers HTTP chunked transfer-encoding memory corruption attempt
RuleID : 15462 - Revision : 20 - Type : BROWSER-OTHER
2014-01-10 WinHTTP SSL/TLS impersonation attempt
RuleID : 15456 - Revision : 6 - Type : SERVER-OTHER
2014-01-10 SMB replay attempt via NTLMSSP - overlapping encryption keys detected
RuleID : 15453 - Revision : 16 - Type : OS-WINDOWS
2014-01-10 Web-based NTLM replay attack attempt
RuleID : 15124 - Revision : 17 - Type : OS-WINDOWS
2014-01-10 possible SMB replay attempt - overlapping encryption keys detected
RuleID : 15009 - Revision : 22 - Type : OS-WINDOWS

Nessus® Vulnerability Scanner

Date Description
2009-04-15 Name : The remote host contains an API that is affected by multiple vulnerabilities.
File : smb_nt_ms09-013.nasl - Type : ACT_GATHER_INFO
2009-04-15 Name : Arbitrary code can be executed on the remote host through a web browser.
File : smb_nt_ms09-014.nasl - Type : ACT_GATHER_INFO

Alert History

Date Information
2014-02-17 11:46:12
  • Multiple Updates
2014-01-19 21:30:18
  • Multiple Updates
2013-11-11 12:41:11
  • Multiple Updates