53620 : Microsoft Windows HTTP Services Web Server Response Unspecified Integer Underflow
http://osvdb.org/53620

Timeline

Disclosure Date: 2009-04-14
Vendor Solution Date: 2009-04-14

Description

A memory corruption flaw exists in Windows. WinHTTP.dll fails to properly parse the HTTP chunksize parameter, resulting in an integer underflow. With a specially crafted HTTP response, a context-dependent attacker can cause arbitrary code execution, resulting in a loss of integrity.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Patch / RCS
Disclosure: Vendor Verified
OSVDB: Web Related

Technical

This vulnerability affects the WinHTTP library, which is a client HTTP library. The vulnerability occurs in the ChunkFilter::Decode() method. The HTTP chunksize is compared as a signed integer but is passed as an unsigned integer to ntdll.RtlMoveMemory().

The underlying call to socket recv() only grabs ~900 bytes of data and does not fill memory. The RtlMoveMemory call is being used to shift memory down by 0xA bytes. A denial of service condition occurs when an attempt is made to read inaccessible memory.

Remote code execution is possible if an attacker can manipulate heap memory into a useful overwrite. A conceivable attack is to spawn a number of threads, spray the heap with jump addresses, and then cause a thread stack return address to be overwritten. Given known techniques, this makes it difficult to reliably gain remote code execution through this vulnerability.
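
The signed-compare, unsigned-use pattern described above, as an added example that is not WinHTTP's code and not part of the original entry. It is a simplified model: `parse_chunk_size`, `signed_check_accepts` and `copy_chunk` are hypothetical names, and the 900-byte and 64-byte buffers are constructed. The flawed check accepts a chunk size of 0xFFFFFFFF because it compares as -1, while the hardened path compares in the unsigned type used for the copy length and rejects it.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parse a hex chunk-size line such as "1a\r\n"; -1 if empty or over 32 bits. */
static int parse_chunk_size(const char *line, uint32_t *out)
{
    static const char hex[] = "0123456789abcdef";
    uint32_t v = 0;
    int digits = 0;
    for (; isxdigit((unsigned char)*line); line++, digits++) {
        if (v > (UINT32_MAX >> 4)) return -1;   /* next shift would overflow */
        v = (v << 4) | (uint32_t)(strchr(hex, tolower((unsigned char)*line)) - hex);
    }
    if (digits == 0) return -1;
    *out = v;
    return 0;
}

/* Flawed pattern: bound checked as signed; 0xFFFFFFFF converts to -1 on
 * two's-complement targets and passes, yet a copy would use it as unsigned. */
static int signed_check_accepts(uint32_t chunk, uint32_t avail)
{
    return (int32_t)chunk <= (int32_t)avail;
}

/* Hardened copy of one chunk; returns bytes copied, or -1 if rejected.
 * The bound is compared in the same unsigned type the copy length uses. */
static int copy_chunk(uint8_t *dst, size_t dst_len, const uint8_t *src,
                      size_t avail, const char *size_line)
{
    uint32_t chunk;
    if (parse_chunk_size(size_line, &chunk) != 0) return -1;
    if (chunk > avail || chunk > dst_len || chunk > INT32_MAX) return -1;
    memmove(dst, src, chunk);
    return (int)chunk;
}

int main(void)
{
    uint8_t src[900] = {0}, dst[64];       /* constructed buffers */
    const char *line = "ffffffff\r\n";     /* constructed chunk-size line */
    uint32_t c = 0;
    parse_chunk_size(line, &c);
    printf("signed check accepts: %d, hardened copy: %d\n",
           signed_check_accepts(c, 900), copy_chunk(dst, 64, src, 900, line));
    return 0;
}
```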

Solution

Microsoft has released a patch to address this vulnerability. Additionally, a user can make registry changes to mitigate this vulnerability without patching.

Products

Unknown or Incomplete

References

Tools & Filters

36151

Credit

  • Greg MacManus - iDEFENSE Labs

CVSSv2 Score

CVSSv2 Base Score = 10.0
Source: nvd.nist.gov | Generated: 2009-04-15

Blogs

This section lists the latest news and blogs found via the daylife API (and for older items, the technorati API), which mention or otherwise discuss this vulnerability.

2009/05/03 15:25:35 | Automatically Slipstream Windows XP with SP3 and All Post-SP3 Security Hotfixes with a Single Command (Updated 03-May-09)

from: smithii.com - Stemming the tide...

For information about slipstreaming Windows XP SP2, visit http://smithii.com/slipstream_xpsp2 . I've written the batch file xpsp3.cmd ( ... Remote Code Execution (960477) KB923561 SP2: replaces none SP3: replaces none MS09-013 - Critical

2009/05/03 15:25:04 | Automatically Slipstream Windows XP with SP2 and All Post-SP2 Security Hotfixes with a Single Command (Updated 03-May-09)

from: smithii.com - Stemming the tide...

For information about slipstreaming Windows XP SP3, visit http://smithii.com/slipstream_xpsp3 . I've written the batch file xpsp2.cmd ( ... : replaces none MS09-013 - Critical Vulnerabilities in Windows HTTP Services Could Allow Remote Code

2009/04/30 08:20:53 | [MS Security Bulletin] Minor Revisions - Issued: April 29, 2009

from: MSMVPS.COM

Summary The following bulletins have undergone a minor revision increment. Please see the appropriate bulletin for more details. * MS09-013 - Critical Bulletin Information: * MS09-013 - Critical - http://www.microsoft.com/technet/security

2009/04/30 08:20:53 | [MS Security Bulletin] Minor Revisions - Issued: April 29, 2009

from: Cliff Hobbs - FAQShop.com and Microsoft MVP ConfigMgr/ SMS

Summary The following bulletins have undergone a minor revision increment.  Please see the appropriate bulletin for more details.   * MS09-013 - Critical Bulletin Information: * MS09-013 - Critical   - http://www.microsoft.com/technet/security/bulletin/ms09-013.mspx   - Reason for Revision: V1.1

2009/04/30 08:20:53 | [MS Security Bulletin] Minor Revisions - Issued: April 29, 2009

from: Cliff Hobbs at myITforum.com

Summary The following bulletins have undergone a minor revision increment. Please see the appropriate bulletin for more details. * MS09-013 - Critical Bulletin Information: * MS09-013 - Critical - http://www.microsoft.com/technet/security...

2009/04/30 08:09:00 | Microsoft Security Bulletin Minor Revisions - April 29, 2009

from: MSMVPS.COM

Issued: April 29, 2009 Summary The following bulletins have undergone a minor revision increment. Please see the appropriate bulletin for more details. * MS09-013 - Critical Bulletin Information: * MS09-013 - Critical - http://www.microsoft.com/technet/security/bulletin/ms09-013

2009/04/30 08:09:00 | Microsoft Security Bulletin Minor Revisions - April 29, 2009

from: Microsoft Patch Watch

Issued: April 29, 2009 Summary The following bulletins have undergone a minor revision increment. Please see the appropriate bulletin for more details. * MS09-013 - Critical Bulletin Information: * MS09-013 - Critical - http://www.microsoft.com/technet/security/bulletin/ms09-013.mspx - Reason

2009/04/24 15:10:45 | Possible MS09-013 activity – SANS Internet Storm Center

from: Chris Mosby at myITforum.com

Possible MS09-013 activity Published: 2009-04-23, Last Updated: 2009-04-23 21:34:10 UTC by Kyle Haugsness (Version: 1) Jack sends us notice that Symantec is alerting

2009/04/23 21:34:10 | Possible MS09-013 activity, (Thu, Apr 23rd)

from: SANS Internet Storm Center, InfoCON: green

Jack sends us notice that Symantec is alerting on possible MS09-013 activity. This information ...

2009/04/21 19:54:21 | [MS KBs] New KB Articles At Microsoft 21 Apr 2009 - Weekly Summary

from: Cliff Hobbs - FAQShop.com and Microsoft MVP ConfigMgr/ SMS

Internet Information Services 6.0 970268 Internet Information Services (IIS) 6.0 responds with an HTTP 200 status to requests handled by ssinc ... 960803 MS09-013: Vulnerabilities in Windows HTTP services could allow remote code execution

2009/04/14 18:44:00 | Microsoft Security Bulletin Summary for April 2009

from: Kellep Charles Information Security Blog Space

******************************************************************** Microsoft Security Bulletin Summary for April 2009 Issued: April 14, 2009 ******************************************************************** This bulletin summary lists security bulletins released for April 2009

2009/04/15 10:04:02 | Excel bulletin stars in Microsoft patch batch - Register

from: Virtual Office Wire

Excel bulletin stars in Microsoft patch batch Register, UK Virtual all Windows systems - client and server - will need patching. According to patching security firm Lumension, six of the eight bulletins require a restart, including one critical flaw (covered by MS09-013) that requires the restart of Windows ...

The database information may change without any notice. Use of the information constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the copyright holder or distributor (OSVDB or OSF) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

© Copyright 2012 Open Source Vulnerability Database (OSVDB), All Rights Reserved.