MS09-070: Vulnerabilities in Active Directory Federation Services Could Allow Remote Code Execution (971726)

2009-12-08T00:00:00
ID SMB_NT_MS09-070.NASL
Type nessus
Reporter This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
Modified 2020-02-02T00:00:00

Description

The version of Microsoft Active Directory Federation Services (ADFS) installed on the remote host is affected by the following vulnerabilities :

  • Insufficient session management validation in the single sign-on functionality of ADFS could allow a remote, authenticated user to spoof the identity of another user. (CVE-2009-2508)

  • Incorrect validation of request headers when a remote, authenticated user connects to an ADFS-enabled web server could be leveraged to perform actions on the affected IIS server with the same rights as the Worker Process Identity (WPI), which by default is configured with Network Service account privileges. (CVE-2009-2509)

                                        
                                            #
# (C) Tenable Network Security, Inc.
#


include("compat.inc");


if (description)
{
  script_id(43062);
  script_version("1.22");
  script_cvs_date("Date: 2018/11/15 20:50:30");

  script_cve_id("CVE-2009-2508", "CVE-2009-2509");
  script_bugtraq_id(37214, 37215);
  script_xref(name:"IAVA", value:"2009-A-0125");
  script_xref(name:"MSFT", value:"MS09-070");
  script_xref(name:"MSKB", value:"971726");

  script_name(english:"MS09-070: Vulnerabilities in Active Directory Federation Services Could Allow Remote Code Execution (971726)");
  script_summary(english:"Checks file version of Ifsutils.dll");

  script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host through Microsoft
Active Directory Federation Services.");
  script_set_attribute(attribute:"description", value:
"The version of Microsoft Active Directory Federation Services (ADFS)
installed on the remote host is affected by the following
vulnerabilities :

  - Insufficient session management validation in the
    single sign-on functionality of ADFS could allow a
    remote, authenticated user to spoof the identity of
    another user. (CVE-2009-2508)

  - Incorrect validation of request headers when a remote,
    authenticated user connects to an ADFS-enabled web
    server could be leveraged to perform actions on the
    affected IIS server with the same rights as the Worker
    Process Identity (WPI), which by default is configured
    with Network Service account privileges.
    (CVE-2009-2509)");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-070");
  script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows 2003 and 2008.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(20, 255);

  script_set_attribute(attribute:"vuln_publication_date", value:"2009/12/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2009/12/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/12/08");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, 'Host/patch_management_checks');

  exit(0);
}


include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS09-070';
kb = '971726';

kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);


get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(win2003:'2', vista:'1,2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
if (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);

# Determine if ADFS is installed.
ADFS_Installed = FALSE;

port    =  kb_smb_transport();
login   =  kb_smb_login();
pass    =  kb_smb_password();
domain  =  kb_smb_domain();

if(! smb_session_init()) audit(AUDIT_FN_FAIL, "smb_session_init");

rc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
if (rc != 1)
{
  NetUseDel();
  audit(AUDIT_SHARE_FAIL, "IPC$");
}

hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
if (isnull(hklm))
{
  NetUseDel();
  audit(AUDIT_REG_FAIL);
}

key = "SOFTWARE\Microsoft\ADFS\Setup\Parameters";
key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
if (!isnull(key_h))
{
  ADFS_Enabled = TRUE;
  RegCloseKey(handle:key_h);
}
RegCloseKey(handle:hklm);
NetUseDel();

if (!ADFS_Enabled) exit(0, "The host is not affected since ADFS is not installed.");

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if (
  # Windows Server 2008
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Ifsutils.dll", version:"6.0.6002.22201", min_version:"6.0.6002.22000", dir:"\System32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Ifsutils.dll", version:"6.0.6002.18091", min_version:"6.0.6002.18000", dir:"\System32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:1, file:"Ifsutils.dll", version:"6.0.6001.22498", min_version:"6.0.6001.22000", dir:"\System32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:1, file:"Ifsutils.dll", version:"6.0.6001.18311", min_version:"6.0.6001.18000", dir:"\System32", bulletin:bulletin, kb:kb) ||

  # Windows 2003
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"Ifsutils.dll", version:"5.2.3790.4578",                                dir:"\System32", bulletin:bulletin, kb:kb)
)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}