iPolicy Networks Security Advisory
 

Microsoft Web Service API Device Remote Code Execution Vulnerability

Date Discovered: 11/10/2009
Severity: High
Operating Systems Affected: Microsoft Windows Vista
Microsoft Windows Server 2008
Type: Remote
Identifiers: CVE-2009-2512
Synopsis
The Microsoft Windows Vista WSDAPI service is prone to a remote code execution vulnerability.
Recommended Actions
Apply the patches as directed by the vendor at:
http://www.microsoft.com/technet/security/bulletin/ms09-063.mspx
Threat Analysis
A WSDAPI message with a long MIME header value can lead to stack corruption when a NULL byte is written at an attacker-controlled offset.

This could be exploited for remote code execution in the context of any of the WSD services, all of which listen on TCP/5357 and TCP/5358. It's also possible for a malicious host to respond to a user query for devices with an HTTP response crafted to exploit this vulnerability.

An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
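
The following Python code is an added detection example, not part of the original advisory and not an iPolicy signature: it flags HTTP messages to or from the WSD ports named above whose header values are unusually long, in both directions the analysis describes. The 1024-byte threshold, the direction labels, matching responses by source port, and the sample messages are assumptions made for illustration.

```python
# Added example: flag HTTP messages on the WSD ports that carry over-long header values.
WSD_PORTS = {5357, 5358}      # ports named in the advisory
MAX_HEADER_VALUE = 1024       # assumed threshold, not from the advisory


def parse_headers(raw: bytes):
    """Return [(name, value)] from the leading header block of a raw HTTP message."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers = []
    for line in head.split(b"\r\n")[1:]:              # skip request/status line
        if line[:1] in (b" ", b"\t") and headers:     # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + b" " + line.strip())
        elif b":" in line:
            name, value = line.split(b":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers


def inspect(src_port: int, dst_port: int, raw: bytes):
    """Return (direction, header name, value length) for each oversized header."""
    if dst_port in WSD_PORTS:
        direction = "to-wsd-service"
    elif src_port in WSD_PORTS:
        direction = "from-wsd-host"
    else:
        return []
    return [(direction, name.decode("latin-1"), len(value))
            for name, value in parse_headers(raw)
            if len(value) > MAX_HEADER_VALUE]


# Constructed sample messages (not captured traffic).
SAMPLE_OK = (b"POST /example HTTP/1.1\r\nHost: 192.0.2.10:5357\r\n"
             b"Content-Type: application/soap+xml\r\n\r\n<soap/>")
SAMPLE_LONG = b"HTTP/1.1 200 OK\r\nContent-Type: " + b"x" * 2000 + b"\r\n\r\n"
SAMPLE_FOLDED = (b"HTTP/1.1 200 OK\r\nContent-Type: multipart/related;\r\n "
                 + b"y" * 1500 + b"\r\n\r\n")

if __name__ == "__main__":
    for sport, dport, msg in [(49152, 5357, SAMPLE_OK), (5357, 49152, SAMPLE_LONG),
                              (5358, 49152, SAMPLE_FOLDED)]:
        print(sport, dport, inspect(sport, dport, msg))
```

The check covers only the leading header block of each message; headers of MIME parts inside a multipart body are not inspected.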
References

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2512

Write-up by: Aditya Chaturvedi