Adobe Shockwave Player <= 12.2.7.197 DLL Hijacking (APSB17-08)
2017-03-20T00:00:00
ID SHOCKWAVE_PLAYER_APSB17-08.NASL Type nessus Reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2021-03-02T00:00:00
Description
The remote Windows host contains a version of Adobe Shockwave Player
that is prior to or equal to 12.2.7.197. It is, therefore, affected by a
DLL hijacking vulnerability when loading certain dynamic link library
(DLL) files, because it searches an insecure path that may be untrusted
or under user control. An unauthenticated, remote attacker can exploit
this issue to execute arbitrary code, with the privileges of the user
running the program, by placing a specially crafted file in the path
and convincing the user to open a supported file type (e.g., located
on a remote WebDAV share).
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
# Registration section: when the plugin is evaluated with `description` set,
# the calls below record its metadata and the exit(0) at the end of the block
# returns before any of the check logic further down the file runs.
if (description)
{
# Plugin identity and revision information.
script_id(97835);
script_version("1.6");
script_cvs_date("Date: 2019/11/13");
# External identifiers of the issue this plugin reports.
script_cve_id("CVE-2017-2983");
script_bugtraq_id(96863);
script_name(english:"Adobe Shockwave Player <= 12.2.7.197 DLL Hijacking (APSB17-08)");
script_summary(english:"Checks the version of Shockwave Player.");
# Finding text. The synopsis, description and solution values are multi-line
# string literals, so the line breaks inside the quotes are part of the value.
script_set_attribute(attribute:"synopsis", value:
"The remote Windows host contains a web browser plugin that is affected
by a DLL hijacking vulnerability.");
script_set_attribute(attribute:"description", value:
"The remote Windows host contains a version of Adobe Shockwave Player
that is prior or equal to 12.2.7.197. It is, therefore, affected by a
DLL hijacking vulnerability when loading certain dynamic link library
(DLL) files due to searching an insecure path that may not be trusted
or under user control. An unauthenticated, remote attacker can exploit
this issue to execute arbitrary code, with the privileges of the user
running the program, by placing a specially crafted file in the path
and convincing the user to open a supported file type (e.g., located
on a remote WebDAV share).");
script_set_attribute(attribute:"see_also", value:"https://helpx.adobe.com/security/products/shockwave/apsb17-08.html");
script_set_attribute(attribute:"solution", value:
"Upgrade to Adobe Shockwave Player version 12.2.8.198 or later.");
# Severity vectors. The CVSS v2 base vector rates the attack vector as network
# (AV:N), while the CVSS v3 base vector rates it as local with user interaction
# required (AV:L, UI:R); read the two together when triaging. The temporal
# vectors record an unproven exploit (E:U) and an official fix (RL:OF / RL:O).
# cvss_score_source attributes the scoring to CVE-2017-2983.
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-2983");
# Exploit status as recorded in this revision of the plugin.
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
# Disclosure, patch and plugin release dates.
script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/14");
script_set_attribute(attribute:"patch_publication_date", value:"2017/03/14");
script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/20");
# NOTE(review): "local" presumably means the check relies on data collected
# from the host itself (the SMB/shockwave_player KB entries read below) rather
# than on probing a network service - confirm against the scanner documentation.
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:adobe:shockwave_player");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows");
script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
# Scheduling prerequisites: the named dependency script and the KB key under
# which the check logic looks for installs. Presumably the dependency is what
# populates SMB/shockwave_player/* - verify in shockwave_player_apsb09_08.nasl.
script_dependencies("shockwave_player_apsb09_08.nasl");
script_require_keys("SMB/shockwave_player");
# Leave the registration pass here; nothing below runs while `description` is set.
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
# Fixed values used by the version check and by the report text.
appname = "Shockwave Player";
fix = "12.2.8.198";
latest_vuln_version = "12.2.7.197"; # highest affected release; anything at or below it is flagged

# Shape of the KB keys walked by the install loop:
# SMB/shockwave_player/<variant>/<version>/path
pattern = "SMB/shockwave_player/([^/]+)/([^/]+)/path";

# Accumulators filled in by the install loop: number of affected installs and
# the per-install report text (left NULL when nothing is affected).
vuln = 0;
info = NULL;

# Read every recorded install path from the KB. The helper's name indicates
# that it ends the plugin when no matching entry exists.
installs = get_kb_list_or_exit("SMB/shockwave_player/*/path");
# Walk every Shockwave Player install recorded in the KB and collect report
# text for each one whose version is at or below the last affected release.
foreach install (keys(installs))
{
  # The variant and version are encoded in the KB key itself; a key that does
  # not fit the expected shape aborts the whole plugin with an error.
  parts = eregmatch(string:install, pattern:pattern);
  if (!parts) exit(1, "Unexpected format of KB key '" + install + "'.");

  variant = parts[1];
  version = parts[2];
  file = installs[install];

  # Skip installs newer than the last affected release.
  # NOTE(review): if ver_compare() can return NULL for a version string it
  # cannot parse, that install is treated as affected here, because only a
  # result greater than zero is skipped - confirm against misc_func.inc.
  if (ver_compare(ver:version, fix:latest_vuln_version) > 0) continue;

  # Human-readable label for the two known variants; any other variant is
  # reported without a label line.
  entry = '';
  if (variant == "Plugin")
    entry = '\n Variant : Browser Plugin (for Firefox / Netscape / Opera)';
  else if (variant == "ActiveX")
    entry = '\n Variant : ActiveX control (for Internet Explorer)';

  entry +=
    '\n File : ' + file +
    '\n Installed version : ' + version +
    '\n Fixed version : ' + fix + '\n';

  info += entry;
  vuln++;
}
# No install at or below the affected version was collected: hand over to
# audit() with the "installed version not vulnerable" code.
# NOTE(review): audit() is presumably terminal; if it returned, the reporting
# below would still run with an empty `info` - confirm in audit.inc.
if (!info) audit(AUDIT_INST_VER_NOT_VULN, appname);

# Report against the SMB transport port stored in the KB, or 445 when none is stored.
port = get_kb_item("SMB/transport");
if (!port) port = 445;

if (report_verbosity <= 0)
{
  # Quiet mode: raise the finding without any detail text.
  security_warning(port);
}
else
{
  # Pluralise "instance" only when more than one affected install was found.
  s = "";
  if (vuln > 1) s = "s";

  report =
    '\n' + 'Nessus has identified the following vulnerable instance' + s + ' of Shockwave'+
    '\n' + 'Player installed on the remote host :' +
    '\n' +
    info + '\n';

  security_warning(port:port, extra:report);
}
{"id": "SHOCKWAVE_PLAYER_APSB17-08.NASL", "bulletinFamily": "scanner", "title": "Adobe Shockwave Player <= 12.2.7.197 DLL Hijacking (APSB17-08)", "description": "The remote Windows host contains a version of Adobe Shockwave Player\nthat is prior or equal to 12.2.7.197. It is, therefore, affected by a\nDLL hijacking vulnerability when loading certain dynamic link library\n(DLL) files due to searching an insecure path that may not be trusted\nor under user control. An unauthenticated, remote attacker can exploit\nthis issue to execute arbitrary code, with the privileges of the user\nrunning the program, by placing a specially crafted file in the path\nand convincing the user to open a supported file type (e.g., located\non a remote WebDAV share).", "published": "2017-03-20T00:00:00", "modified": "2021-03-02T00:00:00", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "href": "https://www.tenable.com/plugins/nessus/97835", "reporter": "This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.", "references": ["https://helpx.adobe.com/security/products/shockwave/apsb17-08.html"], "cvelist": ["CVE-2017-2983"], "type": "nessus", "lastseen": "2021-03-01T06:05:24", "edition": 29, "viewCount": 15, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-2983"]}, {"type": "kaspersky", "idList": ["KLA10991"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810816"]}], "modified": "2021-03-01T06:05:24", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-03-01T06:05:24", "rev": 2}, "vulnersScore": 7.5}, "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97835);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/11/13\");\n\n script_cve_id(\"CVE-2017-2983\");\n script_bugtraq_id(96863);\n\n script_name(english:\"Adobe Shockwave Player <= 12.2.7.197 DLL Hijacking (APSB17-08)\");\n script_summary(english:\"Checks the version of Shockwave Player.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host contains a web browser plugin that is affected\nby a DLL hijacking vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host contains a version of Adobe Shockwave Player\nthat is prior or equal to 12.2.7.197. It is, therefore, affected by a\nDLL hijacking vulnerability when loading certain dynamic link library\n(DLL) files due to searching an insecure path that may not be trusted\nor under user control. 
An unauthenticated, remote attacker can exploit\nthis issue to execute arbitrary code, with the privileges of the user\nrunning the program, by placing a specially crafted file in the path\nand convincing the user to open a supported file type (e.g., located\non a remote WebDAV share).\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/shockwave/apsb17-08.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Adobe Shockwave Player version 12.2.8.198 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-2983\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:shockwave_player\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"shockwave_player_apsb09_08.nasl\");\n script_require_keys(\"SMB/shockwave_player\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\ninstalls = get_kb_list_or_exit(\"SMB/shockwave_player/*/path\");\n\nappname = \"Shockwave Player\";\n\nlatest_vuln_version = \"12.2.7.197\"; # versions <= this version are vuln\nfix = \"12.2.8.198\";\n\ninfo = NULL;\npattern = \"SMB/shockwave_player/([^/]+)/([^/]+)/path\";\n\nvuln = 0;\nforeach install (keys(installs))\n{\n match = eregmatch(string:install, pattern:pattern);\n if (!match) exit(1, \"Unexpected format of KB key '\" + install + \"'.\");\n\n file = installs[install];\n variant = match[1];\n version = match[2];\n\n if (ver_compare(ver:version, fix:latest_vuln_version) <= 0)\n {\n if (variant == \"Plugin\")\n info += '\\n Variant : Browser Plugin (for Firefox / Netscape / Opera)';\n else if (variant == \"ActiveX\")\n info += '\\n Variant : ActiveX control (for Internet Explorer)';\n info +=\n '\\n File : ' + file +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix + '\\n';\n vuln++;\n }\n}\n\nif (!info) audit(AUDIT_INST_VER_NOT_VULN, appname);\n\nport = get_kb_item(\"SMB/transport\");\nif (!port) port = 445;\n\nif (report_verbosity > 0)\n{\n if (vuln > 1) s = \"s\";\n else s = \"\";\n\n report =\n '\\n' + 'Nessus has identified the following vulnerable instance' + s + ' of Shockwave'+\n '\\n' + 'Player installed on the remote host :' +\n '\\n' +\n info + '\\n';\n security_warning(port:port, extra:report);\n}\nelse security_warning(port);\n\n", "naslFamily": "Windows", "pluginID": "97835", "cpe": ["cpe:/a:adobe:shockwave_player"], "scheme": null, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}}
{"cve": [{"lastseen": "2021-02-02T06:36:44", "description": "Adobe Shockwave versions 12.2.7.197 and earlier have an insecure library loading (DLL hijacking) vulnerability. Successful exploitation could lead to escalation of privilege.", "edition": 6, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-03-14T16:59:00", "title": "CVE-2017-2983", "type": "cve", "cwe": ["CWE-426"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2983"], "modified": "2017-07-17T13:18:00", "cpe": ["cpe:/a:adobe:shockwave_player:12.2.7.197"], "id": "CVE-2017-2983", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-2983", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:adobe:shockwave_player:12.2.7.197:*:*:*:*:*:*:*"]}], "kaspersky": [{"lastseen": "2020-09-02T12:00:33", "bulletinFamily": "info", "cvelist": ["CVE-2017-2983"], "description": "### *Detect date*:\n03/14/2017\n\n### *Severity*:\nHigh\n\n### *Description*:\nAn unspecified vulnerability was found in the Adobe Shockwave Player. By exploiting this vulnerability malicious users can gain privileges. 
This vulnerability can be exploited remotely via a DLL hijacking.\n\n### *Affected products*:\nAdobe Shockwave Player earlier than 12.2.8.198\n\n### *Solution*:\nUpdate to the latest version \n[Download Adobe Shockwave Player](<https://get.adobe.com/shockwave/>)\n\n### *Original advisories*:\n[Adobe Security Bulletin](<https://helpx.adobe.com/security/products/shockwave/apsb17-08.html>) \n\n\n### *Impacts*:\nPE \n\n### *Related products*:\n[Adobe Shockwave Player](<https://threats.kaspersky.com/en/product/Adobe-Shockwave-Player/>)\n\n### *CVE-IDS*:\n[CVE-2017-2983](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2983>)6.8High", "edition": 42, "modified": "2020-05-22T00:00:00", "published": "2017-03-14T00:00:00", "id": "KLA10991", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10991", "title": "\r KLA10991Privilege escalation vulnerability in Adobe Shockwave Player ", "type": "kaspersky", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2019-05-29T18:34:32", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2983"], "description": "This host is installed with Adobe Shockwave\n Player and is prone to privilege escalation vulnerability.", "modified": "2018-10-19T00:00:00", "published": "2017-03-17T00:00:00", "id": "OPENVAS:1361412562310810816", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810816", "type": "openvas", "title": "Adobe Shockwave Player Privilege Escalation Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_shockwave_player_privilege_escalation_vuln.nasl 11977 2018-10-19 07:28:56Z mmartin $\n#\n# Adobe Shockwave Player Privilege Escalation Vulnerability\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# 
it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:shockwave_player\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810816\");\n script_version(\"$Revision: 11977 $\");\n script_cve_id(\"CVE-2017-2983\");\n script_bugtraq_id(96863);\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-19 09:28:56 +0200 (Fri, 19 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-17 11:52:16 +0530 (Fri, 17 Mar 2017)\");\n script_name(\"Adobe Shockwave Player Privilege Escalation Vulnerability\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Shockwave\n Player and is prone to privilege escalation vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to an insecure library\n loading (DLL hijacking) vulnerability.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to elevate privileges.\");\n\n script_tag(name:\"affected\", value:\"Adobe Shockwave Player version before\n 12.2.8.198 on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Shockwave Player 
version\n 12.2.8.198 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/shockwave/apsb17-08.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_adobe_shockwave_player_detect.nasl\");\n script_mandatory_keys(\"Adobe/ShockwavePlayer/Ver\");\n script_xref(name:\"URL\", value:\"http://get.adobe.com/shockwave\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!playerVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_is_less(version:playerVer, test_version:\"12.2.8.198\"))\n{\n report = report_fixed_ver(installed_version:playerVer, fixed_version:\"12.2.8.198\");\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}