MS09-070: Vulnerabilities in Active Directory Federation Services Could Allow Remote Code Execution (971726)

#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");


if (description)
{
  script_id(43062);
  script_version("1.23");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/08/05");

  script_cve_id("CVE-2009-2508", "CVE-2009-2509");
  script_bugtraq_id(37214, 37215);
  script_xref(name:"IAVA", value:"2009-A-0125-S");
  script_xref(name:"MSFT", value:"MS09-070");
  script_xref(name:"MSKB", value:"971726");

  script_name(english:"MS09-070: Vulnerabilities in Active Directory Federation Services Could Allow Remote Code Execution (971726)");
  script_summary(english:"Checks file version of Ifsutils.dll");

  script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host through Microsoft
Active Directory Federation Services.");
  script_set_attribute(attribute:"description", value:
"The version of Microsoft Active Directory Federation Services (ADFS)
installed on the remote host is affected by the following
vulnerabilities :

  - Insufficient session management validation in the
    single sign-on functionality of ADFS could allow a
    remote, authenticated user to spoof the identity of
    another user. (CVE-2009-2508)

  - Incorrect validation of request headers when a remote,
    authenticated user connects to an ADFS-enabled web
    server could be leveraged to perform actions on the
    affected IIS server with the same rights as the Worker
    Process Identity (WPI), which by default is configured
    with Network Service account privileges.
    (CVE-2009-2509)");
  # https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-070
  script_set_attribute(attribute:"see_also", value:"https://www.nessus.org/u?041004d1");
  script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows 2003 and 2008.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(20, 255);

  script_set_attribute(attribute:"vuln_publication_date", value:"2009/12/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2009/12/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/12/08");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2009-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, 'Host/patch_management_checks');

  exit(0);
}


include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS09-070';
kb = '971726';

kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);


get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(win2003:'2', vista:'1,2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
if (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);

# Determine if ADFS is installed.
ADFS_Installed = FALSE;

port    =  kb_smb_transport();
login   =  kb_smb_login();
pass    =  kb_smb_password();
domain  =  kb_smb_domain();

if(! smb_session_init()) audit(AUDIT_FN_FAIL, "smb_session_init");

rc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
if (rc != 1)
{
  NetUseDel();
  audit(AUDIT_SHARE_FAIL, "IPC$");
}

hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
if (isnull(hklm))
{
  NetUseDel();
  audit(AUDIT_REG_FAIL);
}

key = "SOFTWARE\Microsoft\ADFS\Setup\Parameters";
key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
if (!isnull(key_h))
{
  ADFS_Enabled = TRUE;
  RegCloseKey(handle:key_h);
}
RegCloseKey(handle:hklm);
NetUseDel();

if (!ADFS_Enabled) exit(0, "The host is not affected since ADFS is not installed.");

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if (
  # Windows Server 2008
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Ifsutils.dll", version:"6.0.6002.22201", min_version:"6.0.6002.22000", dir:"\System32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Ifsutils.dll", version:"6.0.6002.18091", min_version:"6.0.6002.18000", dir:"\System32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:1, file:"Ifsutils.dll", version:"6.0.6001.22498", min_version:"6.0.6001.22000", dir:"\System32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:1, file:"Ifsutils.dll", version:"6.0.6001.18311", min_version:"6.0.6001.18000", dir:"\System32", bulletin:bulletin, kb:kb) ||

  # Windows 2003
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"Ifsutils.dll", version:"5.2.3790.4578",                                dir:"\System32", bulletin:bulletin, kb:kb)
)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}