Signature Detail

HTTP: Active Directory Federation Services Malicious Header Remote Code Execution

This signature detects an attempt to exploit a known flaw in Microsoft Active Directory Federation Services. A remote code execution vulnerability exists in implementations of Active Directory Federation Services (ADFS). The vulnerability is due to incorrect validation of request headers when an authenticated user connects to an ADFS enabled Web server. An attacker who successfully exploited this vulnerability could take complete control of an affected system. A separate, but related, vulnerability allows an unauthenticated user to spoof a valid login, which when used in combination with this vulnerability could allow an unauthenticated user complete control of a victim's computer.

Extended Description

Microsoft Active Directory Federation Services (ADFS) is prone to a remote code-execution vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the application, which may aid in further attacks.

Affected Products

• Microsoft Windows Server 2008 R2
• Microsoft Windows Server 2003 SP1
• Microsoft Windows Server 2003 SP2
• Microsoft Windows Server 2003 Datacenter Edition SP1
• Microsoft Windows Server 2003 Datacenter Edition
• Microsoft Windows Server 2003 Datacenter x64 Edition SP2
• Microsoft Windows Server 2003 Datacenter x64 Edition
• Microsoft Windows Server 2003 Enterprise Edition SP1
• Microsoft Windows Server 2003 Enterprise Edition
• Microsoft Windows Server 2003 Enterprise x64 Edition SP2
• Microsoft Windows Server 2003 Enterprise x64 Edition
• Microsoft Windows Server 2003 Standard Edition SP1
• Microsoft Windows Server 2003 Standard Edition SP2
• Microsoft Windows Server 2003 Standard Edition
• Microsoft Windows Server 2003 Standard x64 Edition
• Microsoft Windows Server 2003 Web Edition SP1
• Microsoft Windows Server 2003 Web Edition SP2
• Microsoft Windows Server 2003 Web Edition
• Microsoft Windows Server 2003 x64 SP1
• Microsoft Windows Server 2003 x64 SP2
• Microsoft Windows Server 2008 SP2 Beta
• Microsoft Windows Server 2008 Datacenter Edition SP2
• Microsoft Windows Server 2008 Datacenter Edition
• Microsoft Windows Server 2008 Enterprise Edition SP2
• Microsoft Windows Server 2008 Enterprise Edition
• Microsoft Windows Server 2008 for 32-bit Systems SP2
• Microsoft Windows Server 2008 for 32-bit Systems
• Microsoft Windows Server 2008 for x64-based Systems R2
• Microsoft Windows Server 2008 for x64-based Systems SP2
• Microsoft Windows Server 2008 for x64-based Systems
• Microsoft Windows Server 2008 R2 Datacenter
• Microsoft Windows Server 2008 Standard Edition SP2
• Microsoft Windows Server 2008 Standard Edition

References

• BugTraq: 37214
• CVE: CVE-2009-2509
• URL: http://secunia.com/advisories/37542/