CERT-In Vulnerability Note CIVN-2009-51
Multiple Vulnerabilities in Microsoft Windows HTTP Services
Original Issue Date: April 15, 2009
Severity Rating: High
Systems Affected
- Microsoft Windows 2000 Service Pack 4
- Microsoft Windows XP Service Pack 2
- Microsoft Windows XP Service Pack 3
- Microsoft Windows XP Professional x64 Edition
- Microsoft Windows XP Professional x64 Edition Service Pack 2
- Microsoft Windows Server 2003 Service Pack 1
- Microsoft Windows Server 2003 Service Pack 2
- Microsoft Windows Server 2003 x64 Edition
- Microsoft Windows Server 2003 x64 Edition Service Pack 2
- Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
- Microsoft Windows Server 2003 with SP2 for Itanium-based Systems
- Microsoft Windows Vista and Windows Vista Service Pack 1
- Microsoft Windows Vista x64 Edition
- Microsoft Windows Vista x64 Edition Service Pack 1
- Microsoft Windows Server 2008 for 32-bit Systems
- Microsoft Windows Server 2008 for x64-based Systems
- Microsoft Windows Server 2008 for Itanium-based Systems
Overview
Multiple vulnerabilities have been reported in Microsoft Windows HTTP Services (WinHTTP) which could allow a remote attacker to execute arbitrary code on affected systems and take complete control of them.
Description
1. Windows HTTP Services Integer Underflow Vulnerability
(CVE-2009-0086)
A remote code execution vulnerability exists in Microsoft Windows HTTP Services. The vulnerability is caused by insufficient validation of specific values returned by a remote web server. WinHTTP provides an API that applications and services on Windows systems use to make HTTP requests. An unauthenticated, remote attacker could exploit this vulnerability by causing an application or service to connect to a malicious HTTP server using Windows HTTP Services (WinHTTP). Successful exploitation could allow the remote attacker to execute arbitrary code with the privileges of the service or application.
2. Windows HTTP Services Certificate Name Mismatch Vulnerability
(CVE-2009-0089)
A spoofing vulnerability exists in Microsoft Windows HTTP Services. The vulnerability is caused by insufficient validation of digital certificates. An unauthenticated, remote attacker could exploit this vulnerability by using DNS spoofing to redirect WinHTTP requests to a malicious host. WinHTTP only checks that the fully-qualified domain name (FQDN) of a contacted host matches the name on the provided digital certificate. If WinHTTP is later redirected to a malicious site with a valid but untrustworthy certificate, WinHTTP will assign the trust given to the original site to the second, malicious site. Successful exploitation could cause WinHTTP to accept the digital certificate of a trusted site as valid for accessing an untrustworthy site.
3. Windows HTTP Services Credential Reflection Vulnerability
(CVE-2009-0550)
A remote code execution vulnerability exists in Microsoft Windows HTTP Services. The vulnerability is caused by insufficient credential protections when transmitting NTLM credentials to remote websites. The Microsoft Windows HTTP Services (WinHTTP) and WinINET APIs fail to protect NTLM credentials against reflection attacks. An unauthenticated, remote attacker could exploit this vulnerability by enticing users to visit a malicious website. The attacker could capture and replay credentials back to the user's system, allowing the attacker to take actions on the system with the privileges of the user.
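The integer underflow bug class named in item 1 (CVE-2009-0086), as an added C example that is not Microsoft's WinHTTP code and not part of the original advisory: subtracting a header size from an unvalidated, server-supplied length wraps around, shown beside a checked version. The record format and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record format (assumption, not WinHTTP's wire format):
 * [2-byte big-endian total length, counting these 2 bytes][payload]. */
#define HDR_LEN 2u

/* Flawed pattern: trusts the server-supplied length. If total < HDR_LEN the
 * unsigned subtraction wraps to a huge value. Only the length is returned
 * (nothing is copied) so the wrap can be observed safely. */
size_t payload_len_unchecked(const uint8_t *rec)
{
    size_t total = ((size_t)rec[0] << 8) | rec[1];
    return total - HDR_LEN;
}

/* Hardened pattern: check the claimed length against the header size, the
 * bytes actually received and the destination capacity before subtracting
 * or copying. Returns the payload length, or -1 if the record is rejected. */
long copy_payload_checked(const uint8_t *rec, size_t rec_len,
                          uint8_t *dst, size_t dst_cap)
{
    if (rec_len < HDR_LEN) return -1;          /* header incomplete */
    size_t total = ((size_t)rec[0] << 8) | rec[1];
    if (total < HDR_LEN) return -1;            /* would underflow */
    if (total > rec_len) return -1;            /* claims more than received */
    size_t n = total - HDR_LEN;
    if (n > dst_cap) return -1;                /* would overflow dst */
    memcpy(dst, rec + HDR_LEN, n);
    return (long)n;
}

int main(void)
{
    /* Constructed sample records: one well-formed, one claiming length 1. */
    const uint8_t good[] = { 0x00, 0x05, 'a', 'b', 'c' };
    const uint8_t bad[]  = { 0x00, 0x01, 'a', 'b', 'c' };
    uint8_t buf[8];

    printf("unchecked good=%zu bad=%zu\n",
           payload_len_unchecked(good), payload_len_unchecked(bad));
    printf("checked   good=%ld bad=%ld\n",
           copy_payload_checked(good, sizeof good, buf, sizeof buf),
           copy_payload_checked(bad, sizeof bad, buf, sizeof buf));
    return 0;
}
```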
Note: These vulnerabilities affect Windows Server 2008 installed using Server Core installation.
Solution
Apply appropriate patches as mentioned in Microsoft Security Bulletin MS09-013.
Vendor Information
Microsoft
http://www.microsoft.com/technet/security/bulletin/MS09-013.mspx
References
CISCO
http://tools.cisco.com/security/center/viewAlert.x?alertId=17992
http://tools.cisco.com/security/center/viewAlert.x?alertId=17993
http://tools.cisco.com/security/center/viewAlert.x?alertId=17994
VUPEN Security
http://www.vupen.com/english/advisories/2009/1027
SecurityTracker
http://www.securitytracker.com/alerts/2009/Apr/1022041.html
CVE Name
CVE-2009-0086
CVE-2009-0089
CVE-2009-0550
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003