TCP/IP Timestamps Remote Code Execution Vulnerability
Date Discovered: 09/08/2009
Severity: High
Operating Systems Affected:
Microsoft Windows 2000 SP4
Microsoft Windows Server 2003 SP2
Windows Server 2003 x64 SP2
Windows Server 2003 SP2 for Itanium-based
Windows Vista
Windows Vista SP1
Windows Vista SP2
Windows Vista x64
Windows Vista x64 SP1
Windows Vista x64 SP2
Windows Server 2008 for 32-bit
Windows Server 2008 for 32-bit SP2
Type: Remote
Identifiers: CVE-2009-1925
Synopsis
The Microsoft Windows TCP/IP stack is prone to a remote code execution
vulnerability because it does not clean up state information correctly.
As a result, the TCP/IP stack references a field as a function pointer
when it actually contains other information.
An anonymous attacker could exploit the vulnerability by sending
specially crafted TCP/IP packets to a computer that has a service
listening over the network.
An attacker who successfully exploited this vulnerability could take
complete control of an affected system. An attacker could then install
programs; view, change, or delete data; or create new accounts with full
user rights.