MS09-048: Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (967723)

This script is Copyright (C) 2009-2013 Tenable Network Security, Inc.


Synopsis :

Multiple vulnerabilities in the Windows TCP/IP implementation could
lead to denial of service or remote code execution.

Description :

The TCP/IP implementation on the remote host has multiple flaws that
could allow remote code execution if an attacker sent specially crafted
TCP/IP packets over the network to a computer with a listening service :

- A denial of service vulnerability exists in TCP/IP
processing in Microsoft Windows due to the way that
Windows handles an excessive number of established TCP
connections. The effect of this vulnerability can be
amplified by the requirement to process specially
crafted packets with a TCP receive window size set to a
very small value or zero. An attacker could exploit the
vulnerability by flooding a system with specially
crafted packets causing the affected system to stop
responding to new requests or automatically restart.
(CVE-2008-4609)

- A remote code execution vulnerability exists in the
Windows TCP/IP stack due to the TCP/IP stack not
cleaning up state information correctly. This causes the
TCP/IP stack to reference a field as a function pointer
when it actually contains other information. An anonymous
attacker could exploit the vulnerability by sending
specially crafted TCP/IP packets to a computer that has
a service listening over the network. An attacker who
successfully exploited this vulnerability could take
complete control of an affected system. (CVE-2009-1925)

- A denial of service vulnerability exists in TCP/IP
processing in Microsoft Windows due to an error in the
processing of specially crafted packets with a small or
zero TCP receive window size. If an application closes a
TCP connection with pending data to be sent and an
attacker has set a small or zero TCP receive window
size, the affected server will not be able to
completely close the TCP connection. An attacker could
exploit the vulnerability by flooding a system with
specially crafted packets causing the affected system
to stop responding to new requests. The system would
remain non-responsive even after the attacker stops
sending malicious packets. (CVE-2009-1926)
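As an added illustration of the condition a defender would look for (this is example code, not part of the Tenable plugin or Microsoft's advisory): a small Python parser that reads raw TCP headers and reports sources that keep several established connections with a zero or very small advertised receive window, the pattern described for CVE-2008-4609 and CVE-2009-1926. The header bytes, addresses and thresholds are constructed for the demo.

```python
import struct
from collections import Counter

# Fixed 20-byte TCP header: sport, dport, seq, ack, offset/flags, window, checksum, urgent
TCP_HDR = struct.Struct("!HHIIHHHH")
FLAG_SYN, FLAG_ACK = 0x02, 0x10


def parse_tcp(segment: bytes):
    """Return (flags, advertised receive window) from a raw TCP header."""
    _sport, _dport, _seq, _ack, off_flags, window, _csum, _urg = TCP_HDR.unpack_from(segment)
    return off_flags & 0x1FF, window


def tiny_window_sources(records, window_max=0, min_segments=3):
    """records: iterable of (src_ip, raw_tcp_header).

    Counts, per source, established-phase segments (ACK set, SYN clear)
    whose advertised window is <= window_max, and returns the sources
    that reach min_segments. Handshake segments are ignored because a
    SYN advertising a small window is not by itself suspicious.
    """
    counts = Counter()
    for src, seg in records:
        flags, window = parse_tcp(seg)
        if flags & FLAG_ACK and not flags & FLAG_SYN and window <= window_max:
            counts[src] += 1
    return {src: n for src, n in counts.items() if n >= min_segments}


def make_header(sport, dport, flags, window):
    """Constructed sample header (data offset 5 words, checksum left zero)."""
    return TCP_HDR.pack(sport, dport, 0, 0, (5 << 12) | flags, window, 0, 0)


# Constructed sample, not a real capture: one source holds five established
# connections with a zero window; another behaves normally.
SAMPLE = [("203.0.113.5", make_header(40000 + i, 80, FLAG_ACK, 0)) for i in range(5)] + [
    ("198.51.100.7", make_header(50000, 80, FLAG_ACK, 65535)),
    ("198.51.100.7", make_header(50001, 80, FLAG_SYN, 0)),  # handshake, ignored
]

if __name__ == "__main__":
    for src, n in tiny_window_sources(SAMPLE).items():
        print(f"{src}: {n} established segments with window <= 0")
```

Raise window_max to catch the "very small value" case the bulletin mentions, and tune min_segments to the connection counts your service normally sees.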

See also :

http://technet.microsoft.com/en-us/security/bulletin/MS09-048

Solution :

Microsoft has released a set of patches for Windows 2003, Vista and
2008.

Risk factor :

High / CVSS Base Score : 7.6
(CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 6.3
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: Windows : Microsoft Bulletins

Nessus Plugin ID: 40891

Bugtraq ID: 31545, 36265, 36269

CVE ID: CVE-2008-4609, CVE-2009-1925, CVE-2009-1926