MS09-048: Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (967723)
High Nessus Plugin ID 40891
SynopsisMultiple vulnerabilities in the Windows TCP/IP implementation could lead to denial of service or remote code execution.
DescriptionThe TCP/IP implementation on the remote host has multiple flaws that could allow remote code execution if an attacker sent specially crafted TCP/IP packets over the network to a computer with a listening service :
- A denial of service vulnerability exists in TCP/IP processing in Microsoft Windows due to the way that Windows handles an excessive number of established TCP connections. The affect of this vulnerability can be amplified by the requirement to process specially crafted packets with a TCP receive window size set to a very small value or zero. An attacker could exploit the vulnerability by flooding a system with specially crafted packets causing the affected system to stop responding to new requests or automatically restart.
- A remote code execution vulnerability exists in the Windows TCP/IP stack due to the TCP/IP stack not cleaning up state information correctly. This causes the TCP/IP stack to reference a field as a function pointer when it actually contains other information. An anonymous attacker could exploit the vulnerability by sending specially crafted TCP/IP packets to a computer that has a service listening over the network. An attacker who successfully exploited this vulnerability could take complete control of an affected system. (CVE-2009-1925)
- A denial of service vulnerability exists in TCP/IP processing in Microsoft Windows due to an error in the processing of specially crafted packets with a small or zero TCP receive window size. If an application closes a TCP connection with pending data to be sent and an attacker has set a small or zero TCP receive window size, the affected server will not be able to completely close the TCP connection. An attacker could exploit the vulnerability by flooding a system with specially crafted packets causing the affected system to stop responding to new requests. The system would remain non-responsive even after the attacker stops sending malicious packets. (CVE-2009-1926)
SolutionMicrosoft has released a set of patches for Windows 2003, Vista and 2008.