
#

# (C) Tenable Network Security, Inc.


#
# The descriptive text and package checks in this plugin were
# extracted from the Microsoft Security Updates API. The text
# itself is copyright (C) Microsoft Corporation.
#

include('compat.inc');

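if (description)
{
  # Metadata-only branch: registers the plugin's identifiers, references,
  # descriptive text, scoring and scheduling requirements, then exits
  # without touching the target.
  script_id(136946);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  # One CVE, four cumulative-update KBs (one per supported Windows 10 build).
  script_cve_id("CVE-2017-8529");
  script_bugtraq_id(98953);
  script_xref(name:"MSKB", value:"4038781");
  script_xref(name:"MSFT", value:"MS17-4038781");
  script_xref(name:"MSKB", value:"4038783");
  script_xref(name:"MSFT", value:"MS17-4038783");
  script_xref(name:"MSKB", value:"4038782");
  script_xref(name:"MSFT", value:"MS17-4038782");
  script_xref(name:"MSKB", value:"4038788");
  script_xref(name:"MSFT", value:"MS17-4038788");

  # Literals below were split across lines in this listing; they are rejoined
  # so that the name, summary and URL are single-line values again.
  script_name(english:"Windows 10 / Windows Server 2016 September 2017 Information Disclosure Vulnerability (CVE-2017-8529)");
  script_summary(english:"Checks for presence of the patch rollup and registry key(s).");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is affected by an information disclosure vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote Windows host is missing a security update or a registry setting
required to enable protections for CVE-2017-8529. It is, therefore, affected by an
information disclosure vulnerability:

- An information disclosure vulnerability exists when affected Microsoft
scripting engines do not properly handle objects in memory. The vulnerability
could allow an attacker to detect specific files on the user's computer. In a
web-based attack scenario, an attacker could host a website that is used to
attempt to exploit the vulnerability.");
  # https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8529
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1f6a3c24");
  # The solution text only points at the advisory. As the description above
  # states, the host is flagged when EITHER the update OR the registry setting
  # is missing, so remediation needs both to be in place.
  script_set_attribute(attribute:"solution", value:
"Refer to the Microsoft CVE article for additional information.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-8529");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  # NOTE(review): the patch date matches the vulnerability date (June 2017),
  # while the rollup checked further down is '09_2017' - confirm which date
  # is intended for the KBs listed above.
  script_set_attribute(attribute:"vuln_publication_date", value:"2017/06/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/06/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/28");

  # "local" plugin type: the check reads the registry and patch state of the
  # host rather than probing a network service.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Scheduling: run after the rollup/hotfix collectors, and only when bulletin
  # checks are possible and SMB (or patch-management data) is available.
  script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl",
                      "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}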

include('audit.inc');
include('smb_func.inc');
include('smb_hotfixes.inc');
include('smb_hotfixes_fcheck.inc');
include('smb_reg_query.inc');
include('misc_func.inc');

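##
# Checks whether the registry opt-in for the CVE-2017-8529 print fix is set,
# and records a report entry for every registry view where it is not.
#
# NOTE: despite the name, the return value is TRUE when the fix is NOT fully
# enabled (i.e. the host should be flagged) and FALSE when nothing is missing.
#
# @param kb KB number passed through to hotfix_add_report() for the finding.
#
# @return TRUE if at least one checked registry value is missing or zero,
#         FALSE otherwise.
##
function is_print_fix_enabled(kb)
{
  # Double-quoted NASL strings are taken literally, so single backslashes are
  # correct here. Each path must be one unbroken line: a line break inside the
  # literal would become part of the registry path and the lookup would always
  # come back as "missing".
  #
  # Naming caveat: "keyx86" is the native view and is checked on every host;
  # "keyx64" is the WOW6432Node view, which exists only on 64-bit Windows and
  # holds the settings seen by 32-bit processes.
  var keyx86 = "SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX\iexplore.exe";
  var keyx64 = "SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX\iexplore.exe";

  registry_init();
  var result = check_print_fix(key:keyx86);
  var ret_result = FALSE;
  var report = '';

  # check_print_fix() returns 'set' on success, otherwise a phrase
  # ('missing.' / 'not enabled.') that completes the report sentence.
  if (result != 'set')
  {
    report += '\nThe following registry key is required to enable the fix for CVE-2017-8529 and is ' + result + '\n ';
    report += 'HKLM\\' + keyx86;
    report += '\n';
    ret_result = TRUE;
  }

  # The WOW6432Node view is only checked when the KB says the host is x64.
  var arch = get_kb_item('SMB/ARCH');
  if (!isnull(arch) && arch == 'x64')
  {
    var x64result = check_print_fix(key:keyx64);
    if (x64result != 'set')
    {
      report += '\nThe following registry key is required to enable the fix for CVE-2017-8529 and is ' + x64result + '\n ';
      report += 'HKLM\\' + keyx64;
      report += '\n';
      ret_result = TRUE;
    }
  }
  close_registry();

  if (ret_result)
  {
    # NOTE(review): the report is filed under 'MS17-06', while the main body
    # of this plugin uses bulletin 'MS17-09' - confirm this is intentional.
    hotfix_add_report(bulletin:'MS17-06', kb:kb, report);
  }

  return ret_result;
}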

##
# Reads one registry value under HKLM and classifies its state.
#
# @param key Path of the value to read, relative to HKEY_LOCAL_MACHINE.
#
# @return 'missing.' when the value cannot be read (null),
#         'not enabled.' when it compares equal to 0,
#         'set' for anything else (any non-zero value counts as enabled).
##
function check_print_fix(key)
{
  # exit_on_fail:TRUE - a failed hive connection ends the plugin here rather
  # than being reported as a missing value.
  var hive_handle = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);
  var value = get_registry_value(handle:hive_handle, item:key);
  RegCloseKey(handle:hive_handle);

  if (isnull(value))
    return 'missing.';

  if (value == 0)
    return 'not enabled.';

  return 'set';
}

# Precondition: stop unless the KB records that bulletin checks are possible.
get_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');

## NB: Microsoft
# Bulletin label used for the rollup check and for the 'SMB/Missing/' KB flag.
bulletin = 'MS17-09';
# All KBs covered by this plugin; the one that applies is selected per build
# further down. This list is not referenced again in the visible listing.
kbs = make_list(
'4038781',
'4038783',
'4038782',
'4038788'
);

# The registry must have been enumerated and the Windows version known.
get_kb_item_or_exit('SMB/Registry/Enumerated');
get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);

# NOTE(review): this early exit happens before the registry check, so hosts
# assessed through patch-management data are not checked by this plugin for
# the FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX setting - confirm the monthly
# rollup plugin covers that part as well.
if (get_kb_item('Host/patch_management_checks'))
exit(0, 'Patch coverage provided by monthly rollup plugin.');

# Update only applies to Windows 10 / Server 2016.
# Hosts outside that range, and Server Core / Nano Server installs, are
# audited as not vulnerable and the plugin stops here.
if (hotfix_check_sp_range(win10:'0') <= 0 || hotfix_check_server_core() == 1 ||
hotfix_check_server_nano() == 1)
audit(AUDIT_OS_SP_NOT_VULN);

os_build = get_kb_item('SMB/WindowsVersionBuild');

# Map the OS build to the cumulative update that carries the fix.
# Any build not listed (including a missing KB item) falls through to the
# default branch and is audited as not vulnerable, so this plugin makes no
# statement about other Windows 10 builds.
switch (os_build)
{
case 10240: # Windows 10 RTM
kb = '4038781';
break;
case 10586: # Windows 10 1511
kb = '4038783';
break;
case 14393: # Windows 10 1607 / Windows Server 2016
kb = '4038782';
break;
case 15063: # Windows 10 1703
kb = '4038788';
break;
default:
audit(AUDIT_OS_SP_NOT_VULN);
}

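# The system drive must be reachable as an SMB share; otherwise the result is
# an audit failure, not a "not vulnerable" verdict.
share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

# Run them all separately and avoid a bitwise or in the if statement.
# Both checks are evaluated before the combined test, so each one can add its
# own report text even when the other already indicates a problem.
rollupBool = (smb_check_rollup(os:'10', sp:0, os_build:os_build,
                               rollup_date:'09_2017', bulletin:bulletin, rollup_kb_list:[kb]));

# Pass the KB selected for this build. The function forwards its 'kb'
# parameter to hotfix_add_report(); calling it with no argument left that
# parameter null, so the registry finding was not tied to any KB.
# Remember that a TRUE result here means the registry fix is NOT enabled.
printfixBool = (is_print_fix_enabled(kb:kb));

if (rollupBool || printfixBool)
{
  # Either the rollup or the registry opt-in is missing: flag the host.
  replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
  hotfix_security_warning();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  # Update installed and registry value set in every checked view.
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
}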
