Flash Player < 10.3.181.26 Multiple Vulnerabilities (APSB11-18)

2011-06-1500:00:00

www.tenable.com

According to its version, the instance of Flash Player installed on the remote Windows host is earlier than 10.3.181.26. This version of Flash Player has a critical vulnerability. By tricking a user on the affected system into opening a specially crafted document with Flash content, an attacker could leverage the vulnerability to execute arbitrary code remotely on the system subject to the user’s privileges.

This issue is reportedly being exploited in the wild in targeted attacks as of June 2011.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(55140);
  script_version("1.14");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2011-2110");
  script_bugtraq_id(48268);
  script_xref(name:"EDB-ID", value:"19295");

  script_name(english:"Flash Player < 10.3.181.26 Multiple Vulnerabilities (APSB11-18)");

  script_set_attribute(attribute:"synopsis", value:
"A browser plugin is affected by a memory corruption vulnerability.");
  script_set_attribute(attribute:"description", value:
"According to its version, the instance of Flash Player installed on
the remote Windows host is earlier than 10.3.181.26.  This version of
Flash Player has a critical vulnerability.  By tricking a user on the
affected system into opening a specially crafted document with Flash
content, an attacker could leverage the vulnerability to execute
arbitrary code remotely on the system subject to the user's
privileges. 

This issue is reportedly being exploited in the wild in targeted
attacks as of June 2011.");
  script_set_attribute(attribute:"see_also", value:"http://www.adobe.com/support/security/bulletins/apsb11-18.html");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Adobe Flash version 10.3.181.26 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Adobe Flash Player AVM Verification Logic Array Indexing Code Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:"CANVAS");

  script_set_attribute(attribute:"vuln_publication_date", value:"2011/06/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/06/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/06/15");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:adobe:flash_player");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2011-2022 Tenable Network Security, Inc.");

  script_dependencies("flash_player_installed.nasl");
  script_require_keys("SMB/Flash_Player/installed");

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/Flash_Player/installed");

# Identify vulnerable versions.
info = "";

foreach variant (make_list("Plugin", "ActiveX", "Chrome"))
{
  vers = get_kb_list("SMB/Flash_Player/"+variant+"/Version/*");
  files = get_kb_list("SMB/Flash_Player/"+variant+"/File/*");
  if (!isnull(vers) && !isnull(files))
  {
    foreach key (keys(vers))
    {
      ver = vers[key];

      if (ver)
      {
        iver = split(ver, sep:'.', keep:FALSE);
        for (i=0; i<max_index(iver); i++)
          iver[i] = int(iver[i]);

        if (
          iver[0] < 10 ||
          (
            iver[0] == 10 &&
            (
              iver[1] < 3 ||
              (
                iver[1] == 3 &&
                (
                  iver[2] < 181 ||
                  (iver[2] == 181 && iver[3] < 26)
                )
              )
            )
          )
        )
        {
          num = key - ("SMB/Flash_Player/"+variant+"/Version/");
          file = files["SMB/Flash_Player/"+variant+"/File/"+num];
          if (variant == "Plugin")
          {
            info += '\n  Product: Browser Plugin (for Firefox / Netscape / Opera)';
          }
          else if (variant == "ActiveX")
          {
            info += '\n Product : ActiveX control (for Internet Explorer)';
          }
          else if (variant == "Chrome")
          {
            info += '\n Product : Browser Plugin (for Google Chrome)';
          }
          info += '\n  Path              : ' + file +
                  '\n  Installed version : ' + ver  +
                  '\n  Fixed version     : 10.3.181.26';

          if (variant == "Chrome")
            info += ' (as included with Google Chrome 12.0.742.100)';

          info += '\n';
        }
      }
    }
  }
}

if (info)
{
  if (report_verbosity > 0)
    security_hole(port:get_kb_item("SMB/transport"), extra:info);
  else
    security_hole(get_kb_item("SMB/transport"));
}
else exit(0, 'The host is not affected.');

VendorProductVersionCPE
adobeflash_playercpe:/a:adobe:flash_player

Vendor	Product	Version	CPE
adobe	flash_player		cpe:/a:adobe:flash_player

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2110

www.adobe.com/support/security/bulletins/apsb11-18.html

JSON

Related for FLASH_PLAYER_APSB11-18.NASL