MS09-049: Vulnerability in Wireless LAN AutoConfig Service Could Allow Remote Code Execution (970710)

2009-09-0800:00:00

www.tenable.com

A remote code execution vulnerability exists in the way that the Wireless LAN AutoConfig Service (wlansvc) parses specific frames received on the wireless network. This vulnerability could allow remote code execution if a client or server with a wireless network interface enabled receives specially crafted wireless frames. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system.

#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");


if (description)
{
  script_id(40892);
  script_version("1.23");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/08/05");

  script_cve_id("CVE-2009-1132");
  script_bugtraq_id(36223);
  script_xref(name:"IAVA", value:"2009-A-0078-S");
  script_xref(name:"MSFT", value:"MS09-049");
  script_xref(name:"MSKB", value:"970710");

  script_name(english:"MS09-049: Vulnerability in Wireless LAN AutoConfig Service Could Allow Remote Code Execution (970710)");
  script_summary(english:"Checks version of Wlansvc.dll");

  script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host through the Wireless
LAN AutoConfig Service.");
  script_set_attribute(attribute:"description", value:
"A remote code execution vulnerability exists in the way that the
Wireless LAN AutoConfig Service (wlansvc) parses specific frames
received on the wireless network.  This vulnerability could allow remote
code execution if a client or server with a wireless network interface
enabled receives specially crafted wireless frames.  If a user is logged
on with administrative user rights, an attacker who successfully
exploited this vulnerability could take complete control of an affected
system.");
  # https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-049
  script_set_attribute(attribute:"see_also", value:"https://www.nessus.org/u?526b78db");
  script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows Vista and 2008.");
  script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2009-1132");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(119);

  script_set_attribute(attribute:"vuln_publication_date", value:"2009/09/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2009/09/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/09/08");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2009-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, 'Host/patch_management_checks');

  exit(0);
}


include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS09-049';
kb = '970710';

kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);


get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(vista:'0,2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if (
  # Vista / Windows Server 2008
  hotfix_is_vulnerable(os:"6.0", sp:2,             file:"Wlansvc.dll", version:"6.0.6002.22170", min_version:"6.0.6002.20000", dir:"\System32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:2,             file:"Wlansvc.dll", version:"6.0.6002.18064",                               dir:"\System32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:1,             file:"Wlansvc.dll", version:"6.0.6001.22468", min_version:"6.0.6001.20000", dir:"\System32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:1,             file:"Wlansvc.dll", version:"6.0.6001.18288",                               dir:"\System32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:0,             file:"Wlansvc.dll", version:"6.0.6000.21082", min_version:"6.0.6000.20000", dir:"\System32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:0,             file:"Wlansvc.dll", version:"6.0.6000.16884",                               dir:"\System32", bulletin:bulletin, kb:kb)
)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

VendorProductVersionCPE
microsoftwindowscpe:/o:microsoft:windows

Vendor	Product	Version	CPE
microsoft	windows		cpe:/o:microsoft:windows

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1132

www.nessus.org/u?526b78db

JSON

Related for SMB_NT_MS09-049.NASL