
Microsoft Windows HTTP Services Credential Reflection Vulnerability

(MS09-013, CVE-2009-0550)
A remote code execution vulnerability has been disclosed in the way Microsoft Windows HTTP Services (WinHTTP) handles NTLM credentials. An attacker who exploits it can authenticate to the victim's machine as the logged-on user on whose behalf WinHTTP is making requests, and run code in that user's security context.

Vulnerability Details

NTLM is a challenge-response authentication protocol used by Microsoft Windows computers to authenticate users and machines to each other: the server issues a random challenge, and the client proves knowledge of the user's password by returning a response computed from the challenge and a password-derived key. Windows HTTP Services (WinHTTP) provides developers with an HTTP client application programming interface (API) for sending requests over HTTP to other HTTP servers, and it answers NTLM challenges from those servers with the credentials of the logged-on user.

The vulnerability allows a remote attacker to reflect the user's NTLM credentials back to the user's own machine (a reflection attack). The attacker never learns the password; it only relays the challenge and the response, yet ends up authenticated to the victim's machine as the victim, which enables execution of arbitrary code in the context of the logged-on user.

Unlike the reflection attack discussed in MS08-068 (for which Check Point provided a protection last November), which involved NTLM credentials reflected from SMB back to SMB, MS09-013 concerns a cross-protocol reflection attack in which NTLM credentials obtained over HTTP are reflected to SMB. The attacker obtains the victim's challenge response via HTTP and relays it to authenticate its own SMB session to the victim.

How an HTTP-SMB Reflection Attack Works:

  1. The client (victim) initiates an HTTP connection to the server (attacker), for example after the attacker induces the victim to follow a link.
  2. Before answering with an HTTP challenge, the attacker opens an SMB connection to the victim, so that the victim now acts as an NTLM server towards the attacker.
  3. The victim's SMB server issues its NTLM challenge to the attacker.
  4. The attacker reflects that challenge back to the victim over HTTP, presenting the victim's own SMB challenge as if it were the HTTP server's challenge.
  5. The victim's HTTP client computes the NTLM response with the logged-on user's credentials and sends it to the attacker over HTTP.
  6. The attacker reflects the response back to the victim over SMB. Because the response matches the challenge the victim's SMB server issued, the attacker's SMB session is authenticated as the victim.
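The six steps above, modelled in a small simulation. This is an added example, not code from Check Point or Microsoft: the hash and response functions are simplified stand-ins for NTLM (SHA-256 instead of MD4 for the password hash, a keyed MD5 of the challenge instead of the full NTLMv2 computation), and the `anti_reflection` flag models the general idea of a host refusing to answer a challenge it issued itself, not the specific change Microsoft shipped. The `Host` class plays both NTLM roles that one Windows machine plays here: the SMB server issuing challenges and the WinHTTP client answering them.

```python
import hashlib
import hmac
import os


def nt_hash(password: str) -> bytes:
    """Stand-in for the NT hash (real NTLM: MD4 over the UTF-16LE password).
    SHA-256 is used only because MD4 is absent from many hashlib builds."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def ntlm_response(key: bytes, challenge: bytes) -> bytes:
    """Simplified NTLM response: a keyed hash of the server challenge under the
    password-derived key. Real NTLMv2 mixes in more fields, but the shape is the
    same: a valid (challenge, response) pair can be replayed to whichever server
    issued that challenge, without knowing the password."""
    return hmac.new(key, challenge, hashlib.md5).digest()


class Host:
    """One machine's authentication package, in both NTLM roles: server (SMB
    service issuing challenges and validating responses) and client (WinHTTP
    answering 401 challenges with the logged-on user's credentials)."""

    def __init__(self, name: str, user: str, password: str, anti_reflection: bool = False):
        self.name = name
        self.user = user                       # logged-on user WinHTTP authenticates as
        self.key = nt_hash(password)
        self.accounts = {user: self.key}       # accounts this host's SMB server can validate
        self.anti_reflection = anti_reflection  # hypothetical hardening switch (see lead-in)
        self.issued: set = set()               # challenges handed out in the server role

    def add_account(self, user: str, password: str) -> None:
        self.accounts[user] = nt_hash(password)

    # --- server role (SMB) ---
    def issue_challenge(self) -> bytes:
        challenge = os.urandom(8)
        self.issued.add(challenge)
        return challenge

    def validate(self, challenge: bytes, user: str, response: bytes) -> bool:
        if challenge not in self.issued or user not in self.accounts:
            return False
        self.issued.discard(challenge)          # each challenge is single-use
        expected = ntlm_response(self.accounts[user], challenge)
        return hmac.compare_digest(expected, response)

    # --- client role (WinHTTP) ---
    def answer(self, challenge: bytes):
        # Hardened behaviour: refuse to answer a challenge this very host issued,
        # since a legitimate remote server could never have produced it.
        if self.anti_reflection and challenge in self.issued:
            return None
        return self.user, ntlm_response(self.key, challenge)


def http_to_smb_reflection(victim: Host) -> bool:
    """The attacker's relay. It returns True when the attacker's SMB session to
    the victim is authenticated as the victim's logged-on user."""
    # Step 1: the victim's WinHTTP client has connected to the attacker's HTTP
    # server (e.g. via a link); the attacker withholds its HTTP challenge for now.
    # Step 2: the attacker opens an SMB connection to the victim.
    # Step 3: the victim's SMB server issues its challenge to the attacker.
    challenge = victim.issue_challenge()
    # Step 4: the attacker reflects that challenge over HTTP (401 + NTLM Type 2).
    answer = victim.answer(challenge)
    if answer is None:
        return False                            # the client refused its own challenge
    user, response = answer
    # Step 5: the victim's HTTP client returns its NTLM Type 3 response.
    # Step 6: the attacker forwards it over SMB; the victim's own server accepts it.
    return victim.validate(challenge, user, response)


def legitimate_login(client: Host, server: Host) -> bool:
    """Ordinary NTLM between two different machines: the hardening must not break this."""
    challenge = server.issue_challenge()
    user, response = client.answer(challenge)
    return server.validate(challenge, user, response)


if __name__ == "__main__":
    # Constructed sample hosts and credentials.
    victim = Host("victim-pc", "alice", "Winter2009!")
    print("unpatched victim, attacker authenticated as alice:", http_to_smb_reflection(victim))
    patched = Host("victim-pc", "alice", "Winter2009!", anti_reflection=True)
    print("anti-reflection victim, attacker authenticated:", http_to_smb_reflection(patched))
    fileserver = Host("fileserver", "svc", "S3rv1ce!", anti_reflection=True)
    fileserver.add_account("alice", "Winter2009!")
    print("normal login from patched host still works:", legitimate_login(patched, fileserver))
```

The point the simulation makes explicit is that the attacker holds no secret at all; every cryptographic operation is performed by the victim, once as client and once as server. The attack is possible only because the same machine is on both ends, which is also why the refusal modelled by `anti_reflection` can be local: the victim already knows which challenges it issued.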

Protection

Check Point SmartDefense and the new Check Point IPS Software Blade provide protection against attacks that use this vulnerability. For more information, see CPAI-2009-082.