Exploit Frameworks (Tenable Network Security, Inc.)
Source: static.tenable.com/oldsite/blog/files/example---exploit-frameworks.pdf
Exploit Frameworks
May 9, 2012 at 9:56pm CDT
Dave Breslin [dbreslin6]
Confidential: The following report contains confidential information. Do not distribute, email, fax, or transfer via any electronic mechanism unless it has been approved by the recipient company's security policy. All copies and backups of this document should be saved on protected storage at all times. Do not share any of the information contained within this report with anyone unless they are authorized to view the information. Violating any of the previous instructions is grounds for termination.
Table of Contents
Notice
Synopsis: It is possible to execute arbitrary code on the remote host.
Description: The remote host contains a version of the Windows kernel that is affected by vulnerabilities :
- A remote code execution vulnerability exists due to improper validation of input passed from user mode through the kernel component of GDI. Successful exploitation requires that a user on the affected host view a specially crafted EMF or WMF image file, perhaps by being tricked into visiting a malicious web site, and could lead to a complete system compromise. (CVE-2009-0081)
- A local privilege escalation vulnerability exists due to the way the kernel validates handles. (CVE-2009-0082)
- A local privilege escalation vulnerability exists due to improper handling of a specially crafted invalid pointer. (CVE-2009-0083)
Solution: Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008 :
Plugin | Plugin Name | Severity | Port | Protocol | Family | Exploit?
39347 | MS09-025: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (968537) | High | 445 | TCP | Windows : Microsoft Bulletins | Yes
Synopsis: The remote Windows kernel is affected by local privilege escalation vulnerabilities.
Description: The remote host contains a version of the Windows kernel that is affected by multiple vulnerabilities :
- A failure of the Windows kernel to properly validate changes in certain kernel objects allows a local user to run arbitrary code in kernel mode. (CVE-2009-1123)
- Insufficient validation of certain pointers passed from user mode allows a local user to run arbitrary code in kernel mode. (CVE-2009-1124)
- A failure to properly validate an argument passed to a Windows kernel system call allows a local user to run arbitrary code in kernel mode. (CVE-2009-1125)
- Improper validation of input passed from user mode to the kernel when editing a specific desktop parameter allows a local user to run arbitrary code in kernel mode. (CVE-2009-1126)
Solution: Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008 :
Synopsis: The remote Windows host contains a browser plugin that is affected by multiple vulnerabilities.
Description: The remote Windows host contains a version of Adobe Flash Player that is earlier than 9.0.246.0 / 10.0.32.18. Such versions are reportedly affected by multiple vulnerabilities :
- A memory corruption vulnerability that could potentially lead to code execution. (CVE-2009-1862)
- A vulnerability in the Microsoft Active Template Library (ATL) which could allow an attacker who successfully exploits the vulnerability to take control of the affected system. (CVE-2009-0901, CVE-2009-2395, CVE-2009-2493)
- A privilege escalation vulnerability that could potentially lead to code execution. (CVE-2009-1863)
- A heap overflow vulnerability that could potentially lead to code execution. (CVE-2009-1864)
- A null pointer vulnerability that could potentially lead to code execution. (CVE-2009-1865)
- A stack overflow vulnerability that could potentially lead to code execution. (CVE-2009-1866)
Synopsis: The remote Windows kernel is affected by remote privilege escalation vulnerabilities.
Description: The remote host contains a version of the Windows kernel that is affected by multiple vulnerabilities :
- A NULL pointer dereferencing vulnerability allowing a local user to elevate his privileges (CVE-2009-1127)
- Insufficient validation of certain input passed to GDI from user mode allows a local user to run arbitrary code in kernel mode. (CVE-2009-2513)
- A parsing vulnerability when decoding a specially crafted Embedded OpenType (EOT) font may allow a remote user to execute arbitrary code on the remote host by luring a user of the remote host into viewing a web page containing such a malformed font. (CVE-2009-2514)
Solution: Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008 :
Synopsis: The Windows kernel is affected by several vulnerabilities that could allow escalation of privileges.
Description: The remote Windows host is running a version of the Windows kernel that is affected by one or more of the following vulnerabilities :
- Improper validation of changes in certain kernel objects may allow a local attacker to execute arbitrary code in kernel mode and take complete control of the affected system. (CVE-2010-0484)
- Improper validation of parameters when creating a new window may allow a local attacker to execute arbitrary code in kernel mode and take complete control of the affected system. (CVE-2010-0485)
- A vulnerability that arises in the way Windows provides glyph outline information to applications may allow a local attacker to execute arbitrary code in kernel mode and take complete control of the affected system. (CVE-2010-1255)
Solution: Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista, 2008, 7, and 2008 R2 :
Synopsis: The Windows kernel is affected by several vulnerabilities that could allow escalation of privileges.
Description: The remote Windows host is running a version of the Windows kernel that is affected by one or more of the following vulnerabilities :
- Improper validation of an argument passed to a system call can result in a denial of service. (CVE-2010-1887)
- Certain unspecified exceptions are not properly handled which could result in arbitrary code execution in the kernel. (CVE-2010-1894)
- Memory is not properly allocated when making a copy from user mode, which could result in an elevation of privileges. (CVE-2010-1895)
- Unspecified input from user mode is not properly validated, which could result in arbitrary code execution in the kernel. (CVE-2010-1896)
- Unspecified parameters are not properly validated when creating a new window, which could result in arbitrary code execution in the kernel. (CVE-2010-1897)
Solution: Microsoft has released a set of patches for Windows XP, 2003, Vista, 2008, 7, and 2008 R2 :
Synopsis: The Windows kernel is affected by multiple vulnerabilities that could allow escalation of privileges.
Description: The remote Windows host is running a version of the Windows kernel that is affected by the following vulnerabilities :
- A reference count leak, which could result in arbitrary code execution in the kernel. (CVE-2010-2549)
- Kernel-mode drivers load unspecified keyboard layers improperly, which could result in arbitrary code execution in the kernel. (CVE-2010-2743)
- Kernel-mode drivers do not properly validate unspecified window class data, which could result in arbitrary code execution in the kernel. (CVE-2010-2744)
Solution: Microsoft has released a set of patches for Windows 2003, XP, Vista, 2008, 7, and 2008 R2 :
Synopsis: The remote Windows host contains a browser plug-in that is affected by a memory corruption vulnerability.
Description: The remote Windows host contains a version of Adobe Flash Player earlier than 10.2.153.1. Such versions are affected by an unspecified memory corruption vulnerability.
A remote attacker could exploit this by tricking a user into viewing maliciously crafted SWF content, resulting in arbitrary code execution.
This bug is currently being exploited in the wild.
Solution: Upgrade to Flash Player 10.2.153.1 or later.
See Also:
http://www.nessus.org/u?82775d9e
http://www.adobe.com/support/security/advisories/apsa11-01.html
http://www.adobe.com/support/security/bulletins/apsb11-05.html
Risk Factor: High
STIG Severity: II
CVSS Base Score: 9.3
CVSS Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS Temporal Score: 7.7
CVSS Temporal Vector: CVSS2#E:F/RL:OF/RC:C
Plugin Output:
Product : ActiveX control (for Internet Explorer)
Path : C:\WINDOWS\system32\Macromed\Flash\Flash6.ocx
Installed version : 6.0.88.0
Fixed version : 10.2.153.1
Synopsis: The remote Windows host contains a browser plug-in that allows arbitrary code execution.
Description: The remote Windows host contains a version of Adobe Flash Player earlier than 10.2.159.1. Such versions are reportedly affected by a memory corruption vulnerability.
By tricking a user on the affected system into opening a specially crafted document with Flash content, such as a SWF file embedded in a Microsoft Word document, an attacker can potentially leverage this issue to execute arbitrary code remotely on the system subject to the user's privileges.
Note that there are reports that this issue is being exploited in the wild as of April 2011.
Solution: Upgrade to Adobe Flash Player 10.2.159.1 or later.
See Also:
http://www.nessus.org/u?9ee82b34
http://www.adobe.com/support/security/bulletins/apsb11-07.html
Risk Factor: High
STIG Severity: II
CVSS Base Score: 9.3
CVSS Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS Temporal Score: 7.7
CVSS Temporal Vector: CVSS2#E:F/RL:OF/RC:C
Plugin Output:
Product : ActiveX control (for Internet Explorer)
Path : C:\WINDOWS\system32\Macromed\Flash\Flash6.ocx
Plugin | Plugin Name | Severity | Port | Protocol | Family | Exploit?
55140 | Flash Player < 10.3.181.26 Multiple Vulnerabilities (APSB11-18) | High | 445 | TCP | Windows | Yes
Synopsis: A browser plugin is affected by a memory corruption vulnerability.
Description: According to its version, the instance of Flash Player installed on the remote Windows host is earlier than 10.3.181.26. This version of Flash Player has a critical vulnerability. By tricking a user on the affected system into opening a specially crafted document with Flash content, an attacker could leverage the vulnerability to execute arbitrary code remotely on the system subject to the user's privileges.
This issue is reportedly being exploited in the wild in targeted attacks as of June 2011.
Solution: Upgrade to Adobe Flash version 10.3.181.26 or later.
See Also: http://www.adobe.com/support/security/bulletins/apsb11-18.html
Risk Factor: High
CVSS Base Score: 9.3
CVSS Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS Temporal Score: 7.7
CVSS Temporal Vector: CVSS2#E:F/RL:OF/RC:C
Plugin Output:
Product : ActiveX control (for Internet Explorer)
Path : C:\WINDOWS\system32\Macromed\Flash\Flash6.ocx
Installed version : 6.0.88.0
Fixed version : 10.3.181.26
Synopsis: Arbitrary code can be executed on the remote Windows host through the Indeo codec.
Description: The remote Windows XP host contains a version of the Indeo codec that is affected by an insecure library loading vulnerability.
A remote attacker could exploit this by tricking a user into opening a legitimate file (e.g., an .avi file) located in the same directory as a maliciously crafted dynamic link library (DLL) file, resulting in arbitrary code execution.
Solution: Microsoft has released a patch for Windows XP :
Plugin | Plugin Name | Severity | Port | Protocol | Family | Exploit?
48297 | MS10-060: Vulnerabilities in the Microsoft .NET Common Language Runtime and in Microsoft Silverlight Could Allow Remote Code Execution (2265906) | High | 445 | TCP | Windows : Microsoft Bulletins | Yes
Synopsis: The Microsoft .NET Common Language Runtime and/or Microsoft Silverlight have multiple vulnerabilities.
Description: The remote Windows host is running a version of the Microsoft .NET Framework and/or Microsoft Silverlight affected by multiple vulnerabilities :
- Silverlight improperly handles pointers in an unspecified manner. A remote attacker could exploit this by tricking a user into viewing a web page with maliciously crafted Silverlight content. (CVE-2010-0019)
- An unspecified vulnerability in the .NET framework can allow a specially crafted .NET or Silverlight application to access memory, resulting in arbitrary unmanaged code execution. (CVE-2010-1898)
Solution: Microsoft has released a set of patches for .NET Framework 2.0, 3.5, and Silverlight :
Synopsis: The remote Windows host contains an application that is affected by multiple vulnerabilities.
Description: The installed version of Wireshark is 1.2.x less than 1.2.16 or 1.4.x less than 1.4.5. Such versions are affected by the following vulnerabilities :
- A data type mismatch error exists in the function 'dissect_nfs_clientaddr4' in the file 'packet-nfs.c' of the NFS dissector and could lead to application crashes while decoding 'SETCLIENTID' calls. (5209)
- A use-after-free error exists in the file 'asn1/x509if/x509if.cnf' of the X.509if dissector that could lead to application crashes. (5754, 5793)
- A buffer overflow vulnerability exists in the file 'packet-dect.c' of the DECT dissector that could allow arbitrary code execution. (5836)
Solution: Upgrade to Wireshark version 1.2.16 / 1.4.5 or later.
See Also:
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5209
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5754
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5793
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5836
http://www.wireshark.org/security/wnpa-sec-2011-05.html
http://www.wireshark.org/security/wnpa-sec-2011-06.html
http://www.wireshark.org/docs/relnotes/wireshark-1.2.16.html
http://www.wireshark.org/docs/relnotes/wireshark-1.4.5.html
Risk Factor: High
CVSS Base Score: 9.3
CVSS Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS Temporal Score: 7.7
CVSS Temporal Vector: CVSS2#E:F/RL:OF/RC:C
Plugin Output: The following vulnerable instance of Wireshark is installed :
Plugin | Plugin Name | Severity | Port | Protocol | Family | Exploit?
55141 | Flash Player for Mac < 10.3.181.26 Remote Memory Corruption (APSB11-18) | High | 0 | TCP | MacOS X Local Security Checks | Yes
Synopsis: The remote Mac OS X host has a browser plugin that is affected by a remote memory corruption vulnerability.
Description: According to its version, the instance of Flash Player installed on the remote Mac OS X host is earlier than 10.3.181.26. This version of Flash Player has a critical vulnerability. By tricking a user on the affected system into opening a specially crafted document with Flash content, an attacker could leverage the vulnerability to execute arbitrary code remotely on the system subject to the user's privileges.
This issue is reportedly being exploited in the wild in targeted attacks as of June 2011.
Solution: Upgrade to Adobe Flash for Mac version 10.3.181.26 or later.
See Also: http://www.adobe.com/support/security/bulletins/apsb11-18.html
Synopsis: The version of Adobe Reader on the remote Mac OS X host is affected by multiple vulnerabilities.
Description: The version of Adobe Reader installed on the remote Mac OS X host is earlier than 10.1 / 9.4.5 / 8.3. As such, it is potentially affected by the following vulnerabilities :
- Multiple buffer overflow vulnerabilities exist that could lead to code execution. (CVE-2011-2094, CVE-2011-2095, CVE-2011-2097)
- A heap overflow vulnerability exists that could lead to code execution. (CVE-2011-2096)
- Multiple memory corruption vulnerabilities exist that could lead to code execution. (CVE-2011-2098, CVE-2011-2099, CVE-2011-2103, CVE-2011-2105, CVE-2011-2106)
- Multiple memory corruption vulnerabilities exist that could cause the application to crash. (CVE-2011-2104, CVE-2011-2105)
- A DLL loading vulnerability exists that could lead to code execution. (CVE-2011-2100)
- A cross document script execution vulnerability exists that could lead to code execution. (CVE-2011-2101)
- A security bypass vulnerability exists that could lead to bypassing security restrictions. (CVE-2011-2102)
Solution: Upgrade to Adobe Reader 8.3 / 9.4.5 / 10.1 or later.
See Also:
http://www.zerodayinitiative.com/advisories/ZDI-11-218
http://www.zerodayinitiative.com/advisories/ZDI-11-219
http://www.adobe.com/support/security/bulletins/apsb11-16.html
Risk Factor: High
CVSS Base Score: 9.3
CVSS Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS Temporal Score: 7.7
CVSS Temporal Vector: CVSS2#E:F/RL:OF/RC:C
Plugin Output: The following vulnerable instance of Adobe Reader is installed on the remote host :
Path : /Applications/Adobe Reader.app
Installed version : 10.0.0
Fixed version : 8.3 / 9.4.5 / 10.1
Plugin | Plugin Name | Severity | Port | Protocol | Family | Exploit?
45509 | MS10-022: Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (981169) | High | 445 | TCP | Windows : Microsoft Bulletins | Yes
Synopsis: Arbitrary code can be executed on the remote host through the installed VBScript Scripting Engine.
Description: The installed version of the VBScript Scripting Engine allows an attacker to specify a Help file location when displaying a dialog box on a web page. If a user can be tricked into pressing the F1 key while such a dialog box is being displayed, an attacker can leverage this to cause the Windows Help System to load a specially crafted Help file, resulting in execution of arbitrary code subject to the user's privileges.
Solution: Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista, 2008, 7, and 2008 R2 :
Synopsis: The remote Windows host has an ActiveX control that allows execution of arbitrary code.
Description: Macrovision FLEXnet Connect, formerly known as InstallShield Update Service, is installed on the remote host. It is a software management solution for internally-developed and third-party applications, and may have been installed as part of the FLEXnet Connect SDK, other InstallShield software, or by running FLEXnet Connect-enabled Windows software.
The version of the FLEXnet Connect client on the remote host includes an ActiveX control -- the InstallShield Update Service Agent -- that is marked as 'safe for scripting' and contains several methods that allow for downloading and launching arbitrary programs. If a remote attacker can trick a user on the affected host into visiting a specially crafted web page, he may be able to leverage this issue to execute arbitrary code on the host subject to the user's privileges.
Additionally, it is reportedly affected by a buffer overflow that can be triggered by passing a long argument for 'ProductCode' to the 'DownloadAndExecute()' method.
Solution: Upgrade to version 6.0.100.65101 or later of the FLEXnet Connect client.
Synopsis: The remote Windows host contains an application that is affected by multiple vulnerabilities.
Description: The installed version of Wireshark is 1.4.x before 1.4.9. This version is affected by the following vulnerabilities :
- An error exists in IKE dissector that can allow denial of service attacks when processing certain malformed packets. (CVE-2011-3266)
- A buffer exception handling vulnerability exists that can allow denial of service attacks when processing certain malformed packets. (Issue #6135)
- It may be possible to make Wireshark execute Lua scripts using a method similar to DLL hijacking. (Issue #6136)
Solution: Upgrade to Wireshark version 1.4.9 or later.
See Also:
http://www.wireshark.org/security/wnpa-sec-2011-13.html
http://www.wireshark.org/security/wnpa-sec-2011-14.html
http://www.wireshark.org/security/wnpa-sec-2011-15.html
http://www.wireshark.org/docs/relnotes/wireshark-1.4.9.html
Risk Factor: Medium
CVSS Base Score: 5.0
CVSS Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P
Plugin Output: The following vulnerable instance of Wireshark is installed :
Path : C:\Program Files\Wireshark
Installed version : 1.4.4
Fixed version : 1.4.9
Description: The version of Adobe Reader installed on the remote Mac OS X host is earlier or equal to 10.1.1 / 9.4.6 and is affected by a memory corruption vulnerability related to the 'Universal 3D' (U3D) file format.
A remote attacker could exploit this by tricking a user into viewing a maliciously crafted PDF file, causing application crashes and potentially resulting in arbitrary code execution.
Note that the Adobe Reader X user-specific option to use 'Protected Mode' prevents an exploit of this kind from executing and that Nessus cannot test for this configuration option.
Solution: At the time of this writing there is no vendor supplied patch. If the installed product is Reader X, then the user-specific option to use 'Protected Mode' should be enabled.
See Also: http://www.adobe.com/support/security/bulletins/apsa11-04.html
Risk Factor: High
STIG Severity: I
CVSS Base Score: 9.3
CVSS Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS Temporal Score: 7.7
CVSS Temporal Vector: CVSS2#E:F/RL:OF/RC:C
Plugin Output:
Path : /Applications/Adobe Reader.app
Installed version : 10.0.0
Fixed version : A workaround is available.
Plugin Plugin Name Severity Port Protocol Family Exploit?
45509
MS10-022:Vulnerability inVBScript ScriptingEngine Could AllowRemote CodeExecution (981169)
High 445 TCP Windows : Microsoft Bulletins Yes
Synopsis: Arbitrary code can be executed on the remote host through the installed VBScript Scripting Engine.
Description: The installed version of the VBScript Scripting Engine allows an attacker to specify a Help file location when displaying a dialog box on a web page. If a user can betricked into pressing the F1 key while such a dialog box is being displayed, an attacker can leverage this to cause the Windows Help System to load a specially crafted Help file,resulting in execution of arbitrary code subject to the user's privileges.
Solution: Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista, 2008, 7, and 2008 R2 :
Synopsis: The remote Windows host contains a browser plug-in that is affected by a memory corruption vulnerability.
Description: The remote Windows host contains a version of Adobe Flash Player earlier than 10.2.153.1. Such versions are affected by an unspecified memory corruptionvulnerability.
A remote attacker could exploit this by tricking a user into viewing maliciously crafted SWF content, resulting in arbitrary code execution.
This bug is currently being exploited in the wild.
Solution: Upgrade to Flash Player 10.2.153.1 or later.
See Also: http://www.nessus.org/u?82775d9ehttp://www.adobe.com/support/security/advisories/apsa11-01.htmlhttp://www.adobe.com/support/security/bulletins/apsb11-05.html
Risk Factor: High
STIG Severity: II
CVSS Base Score: 9.3
CVSS Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS Temporal Score: 7.7
CVSS Temporal Vector: CVSS2#E:F/RL:OF/RC:C
Plugin Output:Product : ActiveX control (for Internet Explorer)Path : C:\WINDOWS\system32\Macromed\Flash\Flash6.ocxInstalled version : 6.0.88.0Fixed version : 10.2.153.1
Synopsis: The remote Windows host contains a browser plug-in that allows arbitrary code execution.
Description: The remote Windows host contains a version of Adobe Flash Player earlier than 10.2.159.1. Such versions are reportedly affected by a memory corruption vulnerability.
By tricking a user on the affected system into opening a specially crafted document with Flash content, such as a SWF file embedded in a Microsoft Word document, an attacker canpotentially leverage this issue to execute arbitrary code remotely on the system subject to the user's privileges.
Note that there are reports that this issue is being exploited in the wild as of April 2011.
Solution: Upgrade to Adobe Flash Player 10.2.159.1 or later.
See Also:
http://www.nessus.org/u?9ee82b34
http://www.adobe.com/support/security/bulletins/apsb11-07.html
Plugin Output:
Product : ActiveX control (for Internet Explorer)
Path : C:\WINDOWS\system32\Macromed\Flash\Flash6.ocx
Installed version : 6.0.88.0
Fixed version : 10.2.159.1
Plugin: 55803
Plugin Name: Flash Player <= 10.3.181.36 Multiple Vulnerabilities (APSB11-21)
Severity: High
Port: 445
Protocol: TCP
Family: Windows
Exploit?: Yes
Synopsis: A browser plugin is affected by multiple vulnerabilities.
Description: According to its version, the instance of Flash Player installed on the remote Windows host is 10.3.181.36 or earlier. As such, it is reportedly affected by several critical vulnerabilities :
- Multiple buffer overflow vulnerabilities could lead to code execution. (CVE-2011-2130, CVE-2011-2134, CVE-2011-2137, CVE-2011-2414, CVE-2011-2415)
- Multiple memory corruption vulnerabilities could lead to code execution. (CVE-2011-2135, CVE-2011-2140, CVE-2011-2417, CVE-2011-2424, CVE-2011-2425)
- Multiple integer overflow vulnerabilities could lead to code execution. (CVE-2011-2136, CVE-2011-2138, CVE-2011-2416)
- A cross-site information disclosure vulnerability exists that could lead to code execution. (CVE-2011-2139)
By tricking a user on the affected system into opening a specially crafted document with Flash content, an attacker could leverage these vulnerabilities to execute arbitrary code remotely on the system subject to the user's privileges.
Solution: Upgrade to Adobe Flash version 10.3.183.5 or later.
See Also:
http://www.nessus.org/u?18dbdb20
http://www.nessus.org/u?0651458a
http://www.nessus.org/u?46d1fce8
http://www.zerodayinitiative.com/advisories/ZDI-11-253/
http://www.adobe.com/support/security/bulletins/apsb11-21.html
Risk Factor: High
STIG Severity: II
CVSS Base Score: 9.3
CVSS Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
Plugin Output:
Product : ActiveX control (for Internet Explorer)
Path : C:\WINDOWS\system32\Macromed\Flash\Flash6.ocx
Installed version : 6.0.88.0
Fixed version : 10.3.183.5
Plugin: 58001
Plugin Name: Flash Player <= 10.3.183.14 / 11.1.102.55 Multiple Vulnerabilities (APSB12-03)
Severity: High
Port: 445
Protocol: TCP
Family: Windows
Exploit?: Yes
Synopsis: The remote Windows host has a browser plugin that is affected by multiple vulnerabilities.
Description: According to its version, the instance of Flash Player installed on the remote Windows host is 10.x equal to or earlier than 10.3.183.14 or 11.x equal to or earlier than 11.1.102.55. It is, therefore, reportedly affected by several critical vulnerabilities :
- Multiple unspecified memory corruption issues exist that could lead to code execution. (CVE-2012-0751, CVE-2012-0754)
- An unspecified type confusion memory corruption vulnerability exists that could lead to code execution. (CVE-2012-0752)
- An MP4 parsing memory corruption issue exists that could lead to code execution. (CVE-2012-0753)
- Multiple unspecified security bypass vulnerabilities exist that could lead to code execution. (CVE-2012-0755, CVE-2012-0756)
- A universal cross-site scripting issue exists that could be used to take actions on a user's behalf on any website or webmail provider. (CVE-2012-0767)
Solution: Upgrade to Adobe Flash version 10.3.183.15 / 11.1.102.62 or later.
See Also:
http://www.nessus.org/u?2bd088e6
http://zerodayinitiative.com/advisories/ZDI-12-047/
http://www.adobe.com/support/security/bulletins/apsb12-03.html
Risk Factor: High
STIG Severity: I
CVSS Base Score: 9.3
CVSS Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
Plugin Output:
Product : ActiveX control (for Internet Explorer)
Path : C:\WINDOWS\system32\Macromed\Flash\Flash6.ocx
Installed version : 6.0.88.0
Fixed version : 10.3.183.15 / 11.1.102.62
Synopsis: The remote Windows host has an ActiveX control that allows execution of arbitrary code.
Description: Macrovision FLEXnet Connect, formerly known as InstallShield Update Service, is installed on the remote host. It is a software management solution for internally-developed and third-party applications, and may have been installed as part of the FLEXnet Connect SDK, other InstallShield software, or by running FLEXnet Connect-enabled Windows software.
The version of the FLEXnet Connect client on the remote host includes an ActiveX control -- the InstallShield Update Service Agent -- that is marked as 'safe for scripting' and contains several methods that allow for downloading and launching arbitrary programs. If a remote attacker can trick a user on the affected host into visiting a specially crafted web page, he may be able to leverage this issue to execute arbitrary code on the host subject to the user's privileges.
Additionally, it is reportedly affected by a buffer overflow that can be triggered by passing a long argument for 'ProductCode' to the 'DownloadAndExecute()' method.
Solution: Upgrade to version 6.0.100.65101 or later of the FLEXnet Connect client.
Synopsis: The remote Windows host contains an application that is affected by multiple vulnerabilities.
Description: The installed version of Wireshark is 1.2.x less than 1.2.16 or 1.4.x less than 1.4.5. Such versions are affected by the following vulnerabilities :
- A data type mismatch error exists in the function 'dissect_nfs_clientaddr4' in the file 'packet-nfs.c' of the NFS dissector and could lead to application crashes while decoding 'SETCLIENTID' calls. (5209)
- A use-after-free error exists in the file 'asn1/x509if/x509if.cnf' of the X.509if dissector that could lead to application crashes. (5754, 5793)
- A buffer overflow vulnerability exists in the file 'packet-dect.c' of the DECT dissector that could allow arbitrary code execution. (5836)
Solution: Upgrade to Wireshark version 1.2.16 / 1.4.5 or later.
See Also:
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5209
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5754
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5793
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5836
http://www.wireshark.org/security/wnpa-sec-2011-05.html
http://www.wireshark.org/security/wnpa-sec-2011-06.html
http://www.wireshark.org/docs/relnotes/wireshark-1.2.16.html
http://www.wireshark.org/docs/relnotes/wireshark-1.4.5.html
Risk Factor: High
CVSS Base Score: 9.3
CVSS Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS Temporal Score: 7.7
CVSS Temporal Vector: CVSS2#E:F/RL:OF/RC:C
Plugin Output:The following vulnerable instance of Wireshark is installed :
Path : C:\Program Files\Wireshark
Installed version : 1.4.4
Fixed version : 1.2.16 / 1.4.5
Synopsis: The remote Windows host has a code execution vulnerability.
Description: There is an unspecified remote code execution vulnerability in Windows common controls, which is included in several Microsoft products. An attacker could exploit this by tricking a user into viewing a maliciously crafted web page, resulting in arbitrary code execution.
Solution: Microsoft has released a set of patches for Office 2003, 2007 and 2010, Office 2003 Web Components, SQL Server 2005 and 2008, BizTalk Server 2002, Visual FoxPro 8.0 and 9.0, and Visual Basic 6.0 Runtime :
Plugin: 55804
Plugin Name: Flash Player for Mac <= 10.3.181.36 Multiple Vulnerabilities (APSB11-21)
Severity: High
Port: 0
Protocol: TCP
Family: MacOS X Local Security Checks
Exploit?: Yes
Synopsis: The remote Mac OS X host has a browser plugin that is affected by multiple vulnerabilities.
Description: According to its version, the instance of Flash Player installed on the remote Mac OS X host is 10.3.181.36 or earlier. As such, it is reportedly affected by several critical vulnerabilities :
- Multiple buffer overflow vulnerabilities could lead to code execution. (CVE-2011-2130, CVE-2011-2134, CVE-2011-2137, CVE-2011-2414, CVE-2011-2415)
- Multiple memory corruption vulnerabilities could lead to code execution. (CVE-2011-2135, CVE-2011-2140, CVE-2011-2417, CVE-2011-2424, CVE-2011-2425)
- Multiple integer overflow vulnerabilities could lead to code execution. (CVE-2011-2136, CVE-2011-2138, CVE-2011-2416)
- A cross-site information disclosure vulnerability exists that could lead to code execution. (CVE-2011-2139)
By tricking a user on the affected system into opening a specially crafted document with Flash content, an attacker could leverage these vulnerabilities to execute arbitrary code remotely on the system subject to the user's privileges.
Synopsis: The version of Adobe Reader on the remote Mac OS X host is affected by multiple vulnerabilities.
Description: The version of Adobe Reader installed on the remote Mac OS X host is earlier than 10.1.1 / 9.4.6 / 8.3.1. It is therefore potentially affected by the following vulnerabilities :
- An unspecified error exists that can allow an attacker to bypass security leading to code execution. (CVE-2011-2431)
- Several errors exist that allow buffer overflows leading to code execution. (CVE-2011-2432, CVE-2011-2435)
- Several errors exist that allow heap overflows leading to code execution. (CVE-2011-2433, CVE-2011-2434, CVE-2011-2436, CVE-2011-2437)
- Several errors exist that allow stack overflows leading to code execution. (CVE-2011-2438)
- An error exists that can allow memory leaks leading to code execution. (CVE-2011-2439)
- A use-after-free error exists that can allow code execution. (CVE-2011-2440)
- Several errors exist in the 'CoolType.dll' library that can allow stack overflows leading to code execution. (CVE-2011-2441)
- A logic error exists that can lead to code execution. (CVE-2011-2442)
- Multiple issues exist as noted in APSB11-21, a security update for Adobe Flash Player. (CVE-2011-2130, CVE-2011-2134, CVE-2011-2135, CVE-2011-2136, CVE-2011-2137, CVE-2011-2138, CVE-2011-2139, CVE-2011-2140, CVE-2011-2414, CVE-2011-2415, CVE-2011-2416, CVE-2011-2417, CVE-2011-2425, CVE-2011-2424)
Solution: Upgrade to Adobe Reader 10.1.1 / 9.4.6 / 8.3.1 or later.
See Also:
http://www.adobe.com/support/security/bulletins/apsb11-21.html
http://www.adobe.com/support/security/bulletins/apsb11-24.html
Synopsis: The version of Adobe Reader on the remote Mac OS X host is affected by a memory corruption vulnerability.
Description: The version of Adobe Reader installed on the remote Mac OS X host is earlier or equal to 10.1.1 / 9.4.6 and is affected by a memory corruption vulnerability related to the 'Universal 3D' (U3D) file format.
A remote attacker could exploit this by tricking a user into viewing a maliciously crafted PDF file, causing application crashes and potentially resulting in arbitrary code execution.
Note that the Adobe Reader X user-specific option to use 'Protected Mode' prevents an exploit of this kind from executing and that Nessus cannot test for this configuration option.
Solution: At the time of this writing there is no vendor supplied patch. If the installed product is Reader X, then the user-specific option to use 'Protected Mode' should be enabled.
See Also: http://www.adobe.com/support/security/bulletins/apsa11-04.html
Risk Factor: High
STIG Severity: I
CVSS Base Score: 9.3
CVSS Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS Temporal Score: 7.7
CVSS Temporal Vector: CVSS2#E:F/RL:OF/RC:C
Plugin Output:
Path : /Applications/Adobe Reader.app
Installed version : 10.0.0
Fixed version : A workaround is available.
Plugin: 58002
Plugin Name: Flash Player for Mac <= 10.3.183.14 / 11.1.102.62 Multiple Vulnerabilities (APSB12-03)
Severity: High
Port: 0
Protocol: TCP
Family: MacOS X Local Security Checks
Exploit?: Yes
Synopsis: The remote Mac OS X host has a browser plugin that is affected by multiple vulnerabilities.
Description: According to its version, the instance of Flash Player installed on the remote Mac OS X host is 10.x equal to or earlier than 10.3.183.14 or 11.x equal to or earlier than 11.1.102.62. It is, therefore, reportedly affected by several critical vulnerabilities :
- An unspecified memory corruption issue exists that could lead to code execution. (CVE-2012-0754)
- An unspecified type confusion memory corruption vulnerability exists that could lead to code execution. (CVE-2012-0752)
- An MP4 parsing memory corruption issue exists that could lead to code execution. (CVE-2012-0753)
- Multiple unspecified security bypass vulnerabilities exist that could lead to code execution. (CVE-2012-0755, CVE-2012-0756)
- A universal cross-site scripting issue exists that could be used to take actions on a user's behalf on any website or webmail provider. (CVE-2012-0767)
Solution: Upgrade to Adobe Flash version 10.3.183.15 / 11.1.102.62 or later.
See Also: http://www.adobe.com/support/security/bulletins/apsb12-03.html