MS Security Advisory 2974294: Vulnerability in Microsoft Malware Protection Engine Could Allow Denial of Service
2014-06-18T00:00:00
ID SMB_KB2974294.NASL Type nessus Reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2021-03-02T00:00:00
Description
A vulnerable version of Microsoft Malware Protection Engine (MMPE) is
installed on the remote host. Scanning a maliciously crafted file
could prevent the Malware Protection Engine from monitoring affected
systems until the file is manually removed and the service is
restarted. This plugin checks if a vulnerable version of MMPE is being
used by any of the following applications :
Microsoft Forefront Client Security
Microsoft Forefront Endpoint Protection 2010
Microsoft System Center 2012 Endpoint Protection
Microsoft Malicious Software Removal Tool
Microsoft Security Essentials
Microsoft Security Essentials Prerelease
Windows Defender for Windows 8, Windows 8.1, Windows
Server 2012 and Windows Server 2012 R2
Windows Defender for Windows XP, Windows Server 2003,
Windows Vista, Windows Server 2008, Windows 7, and
Windows Server 2008 R2
These applications are only affected if they are using a scan engine
prior to 1.1.10701.0.
#
# (C) Tenable Network Security, Inc.
#
# Plugin registration. When the engine loads the script with `description`
# set, only the metadata below is recorded and the script exits; the actual
# check begins after this block.
include("compat.inc");
if (description)
{
# Plugin identity and the advisory / CVE it tracks.
script_id(76123);
script_version("1.8");
script_cvs_date("Date: 2019/11/26");
script_cve_id("CVE-2014-2779");
script_bugtraq_id(68076);
script_xref(name:"MSKB", value:"2974294");
script_name(english:"MS Security Advisory 2974294: Vulnerability in Microsoft Malware Protection Engine Could Allow Denial of Service");
script_summary(english:"Checks engine version");
script_set_attribute(attribute:"synopsis", value:
"The remote host has an antimalware application that is affected by a
denial of service vulnerability.");
# Product list below mirrors the branches of the detection logic: FCS from
# the KB, MSE/FEP/SCEP from the "Microsoft Antimalware" registry key,
# Defender from its own key, and MRT from the KB. All share the same fixed
# engine build, 1.1.10701.0.
script_set_attribute(attribute:"description", value:
"A vulnerable version of Microsoft Malware Protection Engine (MMPE) is
installed on the remote host. Scanning a maliciously crafted file
could prevent the Malware Protection Engine from monitoring affected
systems until the file is manually removed and the service is
restarted. This plugin checks if a vulnerable version of MMPE is being
used by any of the following applications :
- Microsoft Forefront Client Security
- Microsoft Forefront Endpoint Protection 2010
- Microsoft System Center 2012 Endpoint Protection
- Microsoft Malicious Software Removal Tool
- Microsoft Security Essentials
- Microsoft Security Essentials Prerelease
- Windows Defender for Windows 8, Windows 8.1, Windows
Server 2012 and Windows Server 2012 R2
- Windows Defender for Windows XP, Windows Server 2003,
Windows Vista, Windows Server 2008, Windows 7, and
Windows Server 2008 R2
These applications are only affected if they are using a scan engine
prior to 1.1.10701.0.");
script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2014/2974294");
# The engine updates itself; the remediation is to make sure that update
# channel is on, not to install a hotfix.
script_set_attribute(attribute:"solution", value:
"Enable automatic updates to update the scan engine for the relevant
antimalware applications. Refer to KB2510781 for information on how to
verify MMPE has been updated.");
# CVSS2 4.3: network vector, no auth, availability impact only (partial).
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-2779");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2014/06/17");
script_set_attribute(attribute:"patch_publication_date", value:"2014/06/17");
script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/18");
# Local (credentialed) check: it needs SMB access to the registry and to
# the admin share holding the engine binaries.
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:malware_protection_engine");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows");
script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
# Presumably fcs_installed.nasl and smb_mrt_installed.nasl populate the
# Antivirus/Forefront_Client_Security/* and SMB/MRT/Version KB entries read
# below; smb_hotfixes.nasl provides SMB/Registry/Enumerated.
script_dependencies("smb_hotfixes.nasl", "fcs_installed.nasl", "smb_mrt_installed.nasl");
script_require_keys("SMB/Registry/Enumerated");
script_require_ports(139, 445);
# Registration-only invocation ends here.
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("smb_func.inc");
get_kb_item_or_exit("SMB/Registry/Enumerated");

# Report accumulators: `info` lists vulnerable instances (drives the
# finding), `info2` lists up-to-date ones (only echoed in the exit text).
info = '';
info2 = '';
path = NULL;
engine_version = NULL;

# Engine build that closes the advisory; every product is compared to it.
fixed_engine_version = "1.1.10701.0";

# Set once any product other than Defender is seen. The Defender branch is
# skipped in that case, since Defender is assumed to be disabled alongside
# another antimalware product.
antimalware_installed = FALSE;

# SMB credentials from the KB, then a session and an IPC$ tree connection
# so the remote registry can be queried.
port   = kb_smb_transport();
login  = kb_smb_login();
pass   = kb_smb_password();
domain = kb_smb_domain();

if (!smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');

if (NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$") != 1)
{
  NetUseDel();
  audit(AUDIT_SHARE_FAIL, "IPC$");
}

hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
if (isnull(hklm))
{
  NetUseDel();
  audit(AUDIT_REG_FAIL);
}
# Forefront Client Security: version and install path come from the KB
# (either both keys are present or neither is).
engine_version = get_kb_item("Antivirus/Forefront_Client_Security/engine_version");
fcs_path = get_kb_item("Antivirus/Forefront_Client_Security/path");

if (!isnull(engine_version))
{
  antimalware_installed = TRUE;

  fcs_vulnerable = (ver_compare(ver:engine_version, fix:fixed_engine_version) == -1);
  if (fcs_vulnerable)
  {
    info += '\n Product : Microsoft Forefront Client Security' +
            '\n Path : ' + fcs_path +
            '\n Installed version : ' + engine_version +
            '\n Fixed version : ' + fixed_engine_version + '\n';
  }
  else
  {
    info2 += 'Microsoft Forefront Client Security with MMPE version '+ engine_version + ". ";
  }
}
# Microsoft Security Essentials (incl. Prerelease), Forefront Endpoint
# Protection and System Center Endpoint Protection all register under
# HKLM\SOFTWARE\Microsoft\Microsoft Antimalware, so a single check covers
# them.
engine_version = NULL;

# Re-establish the IPC$ tree and the registry handle before querying.
NetUseDel(close:FALSE);
rc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
if (rc != 1)
{
  NetUseDel();
  audit(AUDIT_SHARE_FAIL, "IPC$");
}
hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
if (isnull(hklm))
{
  NetUseDel();
  audit(AUDIT_REG_FAIL);
}

# Engine build currently in use.
key_h = RegOpenKey(handle:hklm, key:"SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates", mode:MAXIMUM_ALLOWED);
if (!isnull(key_h))
{
  value = RegQueryValue(handle:key_h, item:"EngineVersion");
  if (!isnull(value)) engine_version = value[1];
  RegCloseKey(handle:key_h);
}

# Install directory; stays NULL when the product is not present.
path = NULL;
key_h = RegOpenKey(handle:hklm, key:"SOFTWARE\Microsoft\Microsoft Antimalware", mode:MAXIMUM_ALLOWED);
if (!isnull(key_h))
{
  value = RegQueryValue(handle:key_h, item:"InstallLocation");
  if (!isnull(value)) path = value[1];
  RegCloseKey(handle:key_h);
}

if (!isnull(path))
{
  # Confirm the install by opening the service binary over the admin share
  # of the drive the install path is on (C:\... -> C$).
  share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:path);
  exe = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\MsMpEng.exe", string:path);

  # NOTE(review): this drops the IPC$ tree in favour of the admin share;
  # any later registry access presumably needs a fresh connection.
  NetUseDel(close:FALSE);
  rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
  if (rc != 1)
  {
    NetUseDel();
    audit(AUDIT_SHARE_FAIL, share);
  }

  exe_present = FALSE;
  fh = CreateFile(
    file:exe,
    desired_access:GENERIC_READ,
    file_attributes:FILE_ATTRIBUTE_NORMAL,
    share_mode:FILE_SHARE_READ,
    create_disposition:OPEN_EXISTING
  );
  if (!isnull(fh))
  {
    CloseFile(handle:fh);
    exe_present = TRUE;
    antimalware_installed = TRUE;
  }

  # Only report when both the binary and an engine version were found.
  if (exe_present && !isnull(engine_version))
  {
    if (ver_compare(ver:engine_version, fix:fixed_engine_version) == -1)
    {
      info += '\n Product : Microsoft Security Essentials / Microsoft Security Essentials Prerelease / Forefront Endpoint Protection / System Center Endpoint Protection' +
              '\n Path : ' + share[0] + ':' + exe +
              '\n Installed version : ' + engine_version +
              '\n Fixed version : ' + fixed_engine_version + '\n';
    }
    else
    {
      info2 += 'Microsoft Security Essentials / Microsoft Security Essentials Prerelease / Forefront Endpoint Protection / System Center Endpoint Protection with MMPE version ' + engine_version + ". ";
    }
  }
}
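# Microsoft Windows Defender (including the Windows 8 flavour).
# Defender is apparently disabled when another antimalware product is
# installed, so it is only checked when nothing else was detected above.
if (!antimalware_installed)
{
  defender_enabled = TRUE;
  engine_version = NULL;

  # The MSE/FEP/SCEP check above switches the tree connection from IPC$ to
  # an admin share to open MsMpEng.exe and, when the binary is missing,
  # leaves it there with a registry handle that was obtained over IPC$.
  # Re-establish both here so the queries below do not silently fail and
  # produce a false negative.
  NetUseDel(close:FALSE);
  rc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
  if (rc != 1)
  {
    NetUseDel();
    audit(AUDIT_SHARE_FAIL, "IPC$");
  }
  hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
  if (isnull(hklm))
  {
    NetUseDel();
    audit(AUDIT_REG_FAIL);
  }

  # DisableAntiSpyware > 0 under either the group-policy key or the product
  # key means Defender is switched off and there is nothing to report.
  foreach key (make_list("SOFTWARE\Policies\Microsoft\Windows Defender",
                         "SOFTWARE\Microsoft\Windows Defender"))
  {
    key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
    if (!isnull(key_h))
    {
      value = RegQueryValue(handle:key_h, item:"DisableAntiSpyware");
      if (!isnull(value))
      {
        if (value[1] > 0) defender_enabled = FALSE;
      }
      RegCloseKey(handle:key_h);
    }
  }

  if (defender_enabled)
  {
    # Engine build and signature directory live under the same key, so one
    # open serves both values.
    path = NULL;
    key = "SOFTWARE\Microsoft\Windows Defender\Signature Updates";
    key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
    if (!isnull(key_h))
    {
      value = RegQueryValue(handle:key_h, item:"EngineVersion");
      if (!isnull(value)) engine_version = value[1];

      value = RegQueryValue(handle:key_h, item:"SignatureLocation");
      if (!isnull(value)) path = value[1];

      RegCloseKey(handle:key_h);
    }

    if (!isnull(path))
    {
      defender_dll = NULL;

      # Admin share of the drive holding the signature directory.
      share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:path);
      # Candidate engine locations, tried in order: the pre-Windows 8 layout
      # (the path smb_kb2491888.nasl checks), then the directory itself,
      # which is where Windows Defender on Windows 8 keeps it.
      dll1 = ereg_replace(pattern:"^[A-Za-z]:(.+Windows Defender\\Definition Updates).+", replace:"\1\Default\MpEngine.dll", string:path);
      dll2 = ereg_replace(pattern:"^[A-Za-z]:(.+)$", replace:"\1\MpEngine.dll", string:path);

      NetUseDel(close:FALSE);
      rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
      if (rc != 1)
      {
        NetUseDel();
        audit(AUDIT_SHARE_FAIL, share);
      }

      # First candidate that opens wins; its full path goes in the report.
      foreach dll (make_list(dll1, dll2))
      {
        fh = CreateFile(
          file:dll,
          desired_access:GENERIC_READ,
          file_attributes:FILE_ATTRIBUTE_NORMAL,
          share_mode:FILE_SHARE_READ,
          create_disposition:OPEN_EXISTING
        );
        if (!isnull(fh))
        {
          CloseFile(handle:fh);
          defender_dll = share[0] + ':' + dll;
          break;
        }
      }

      # Only report when both the engine DLL and an engine version were found.
      if (!isnull(defender_dll) && !isnull(engine_version))
      {
        if (ver_compare(ver:engine_version, fix:fixed_engine_version) == -1)
        {
          info += '\n Product : Microsoft Windows Defender' +
                  '\n Path : ' + defender_dll +
                  '\n Installed version : ' + engine_version +
                  '\n Fixed version : ' + fixed_engine_version + '\n';
        }
        else
        {
          info2 += 'Microsoft Windows Defender with MMPE version ' + engine_version + ". ";
        }
      }
    }
  }
}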
# Done with the remote registry and the SMB session.
RegCloseKey(handle:hklm);
NetUseDel();

# Microsoft Malicious Software Removal Tool: releases up to May 2014 carry
# the affected engine; the June 2014 release (5.13.10300.0) is fixed.
# Version comes from the KB (set by a dependency).
mrt_fixed = '5.13.10300.0';
mrt_version = get_kb_item('SMB/MRT/Version');
if (!isnull(mrt_version))
{
  if (ver_compare(ver:mrt_version, fix:mrt_fixed) < 0)
  {
    info += '\n Product : Microsoft Malicious Software Removal Tool' +
            '\n Installed version : ' + mrt_version +
            '\n Fixed version : 5.13.10300.0 (June 2014)\n';
  }
  else
  {
    info2 += 'Microsoft Malicious Software Removal Tool ' + mrt_version + '. ';
  }
}
# Reporting: a non-empty `info` is a finding; otherwise exit with a note
# saying either that only patched instances were seen or nothing was found.
if (info)
{
  # Verbose scans get the per-product table, quiet ones only the finding.
  if (report_verbosity > 0)
  {
    report = '\n' + "Nessus found following vulnerable product(s) installed :" + '\n' + info;
    security_warning(port:port, extra:report);
  }
  else
  {
    security_warning(port);
  }
  exit(0);
}

if (info2) exit(0, "The following instance(s) of MMPE are installed and not vulnerable : " + info2);
exit(0, "Nessus could not find evidence of affected Microsoft antimalware products installed.");
{"id": "SMB_KB2974294.NASL", "bulletinFamily": "scanner", "title": "MS Security Advisory 2974294: Vulnerability in Microsoft Malware Protection Engine Could Allow Denial of Service", "description": "A vulnerable version of Microsoft Malware Protection Engine (MMPE) is\ninstalled on the remote host. Scanning a maliciously crafted file\ncould prevent the Malware Protection Engine from monitoring affected\nsystems until the file is manually removed and the service is\nrestarted. This plugin checks if a vulnerable version of MMPE is being\nused by any of the following applications :\n\n - Microsoft Forefront Client Security\n - Microsoft Forefront Endpoint Protection 2010\n - Microsoft System Center 2012 Endpoint Protection\n - Microsoft Malicious Software Removal Tool\n - Microsoft Security Essentials\n - Microsoft Security Essentials Prerelease\n - Windows Defender for Windows 8, Windows 8.1, Windows\n Server 2012 and Windows Server 2012 R2\n - Windows Defender for Windows XP, Windows Server 2003,\n Windows Vista, Windows Server 2008, Windows 7, and\n Windows Server 2008 R2\n\nThese applications are only affected if they are using a scan engine\nprior to 1.1.10701.0.", "published": "2014-06-18T00:00:00", "modified": "2021-03-02T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "href": "https://www.tenable.com/plugins/nessus/76123", "reporter": "This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.", "references": ["https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2014/2974294"], "cvelist": ["CVE-2014-2779"], "type": "nessus", "lastseen": "2021-03-01T06:17:56", "edition": 29, "viewCount": 72, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2014-2779"]}, {"type": "threatpost", "idList": ["THREATPOST:0E3897F7DF9D4F63E0234945A6AE4E28"]}], "modified": "2021-03-01T06:17:56", "rev": 2}, "score": {"value": 5.7, "vector": "NONE", "modified": "2021-03-01T06:17:56", "rev": 2}, "vulnersScore": 5.7}, "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(76123);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2019/11/26\");\n\n script_cve_id(\"CVE-2014-2779\");\n script_bugtraq_id(68076);\n script_xref(name:\"MSKB\", value:\"2974294\");\n\n script_name(english:\"MS Security Advisory 2974294: Vulnerability in Microsoft Malware Protection Engine Could Allow Denial of Service\");\n script_summary(english:\"Checks engine version\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has an antimalware application that is affected by a\ndenial of service vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"A vulnerable version of Microsoft Malware Protection Engine (MMPE) is\ninstalled on the remote host. Scanning a maliciously crafted file\ncould prevent the Malware Protection Engine from monitoring affected\nsystems until the file is manually removed and the service is\nrestarted. 
This plugin checks if a vulnerable version of MMPE is being\nused by any of the following applications :\n\n - Microsoft Forefront Client Security\n - Microsoft Forefront Endpoint Protection 2010\n - Microsoft System Center 2012 Endpoint Protection\n - Microsoft Malicious Software Removal Tool\n - Microsoft Security Essentials\n - Microsoft Security Essentials Prerelease\n - Windows Defender for Windows 8, Windows 8.1, Windows\n Server 2012 and Windows Server 2012 R2\n - Windows Defender for Windows XP, Windows Server 2003,\n Windows Vista, Windows Server 2008, Windows 7, and\n Windows Server 2008 R2\n\nThese applications are only affected if they are using a scan engine\nprior to 1.1.10701.0.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2014/2974294\");\n script_set_attribute(attribute:\"solution\", value:\n\"Enable automatic updates to update the scan engine for the relevant\nantimalware applications. Refer to KB2510781 for information on how to\nverify MMPE has been updated.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-2779\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/06/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/06/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:malware_protection_engine\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"fcs_installed.nasl\", \"smb_mrt_installed.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"smb_func.inc\");\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\n\n# indicates if any antimalware products were found. this is used\n# to determine whether or not the plugin should check if defender is affected\nantimalware_installed = FALSE;\n\n# Connect to the appropriate share.\nport = kb_smb_transport();\nlogin = kb_smb_login();\npass = kb_smb_password();\ndomain = kb_smb_domain();\n\nif(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');\n\nrc = NetUseAdd(login:login, password:pass, domain:domain, share:\"IPC$\");\nif (rc != 1)\n{\n NetUseDel();\n audit(AUDIT_SHARE_FAIL, \"IPC$\");\n}\n\n# Connect to remote registry.\nhklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);\nif (isnull(hklm))\n{\n NetUseDel();\n audit(AUDIT_REG_FAIL);\n}\n\n# Figure out where it is installed.\npath = NULL;\ninfo = '';\ninfo2 = '';\nengine_version = NULL;\n\nfixed_engine_version = \"1.1.10701.0\";\n\n# Forefront Client Security (either both or neither of these will be in the KB)\nengine_version = get_kb_item(\"Antivirus/Forefront_Client_Security/engine_version\");\nfcs_path = get_kb_item(\"Antivirus/Forefront_Client_Security/path\");\nif (!isnull(engine_version))\n{\n antimalware_installed = TRUE;\n\n if (ver_compare(ver:engine_version, fix:fixed_engine_version) == -1)\n {\n info +=\n '\\n Product : Microsoft Forefront Client Security'+\n '\\n Path : ' + fcs_path +\n '\\n Installed version : ' + engine_version +\n '\\n Fixed version : ' + 
fixed_engine_version + '\\n';\n }\n else info2 += 'Microsoft Forefront Client Security with MMPE version '+ engine_version + \". \";\n}\n\n# Microsoft Security Essentials\n# Microsoft Security Essentials Prerelease\n# Forefront Endpoint Protection\n# System Center Endpoint Protection\nengine_version = NULL;\n\nNetUseDel(close:FALSE);\nrc = NetUseAdd(login:login, password:pass, domain:domain, share:\"IPC$\");\nif (rc != 1)\n{\n NetUseDel();\n audit(AUDIT_SHARE_FAIL, \"IPC$\");\n}\n\n# Connect to remote registry again.\nhklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);\nif (isnull(hklm))\n{\n NetUseDel();\n audit(AUDIT_REG_FAIL);\n}\n\nkey = \"SOFTWARE\\Microsoft\\Microsoft Antimalware\\Signature Updates\";\nkey_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);\nif (!isnull(key_h))\n{\n value = RegQueryValue(handle:key_h, item:\"EngineVersion\");\n if (!isnull(value)) engine_version = value[1];\n\n RegCloseKey(handle:key_h);\n}\n\npath = NULL;\nkey = \"SOFTWARE\\Microsoft\\Microsoft Antimalware\";\nkey_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);\nif (!isnull(key_h))\n{\n value = RegQueryValue(handle:key_h, item:\"InstallLocation\");\n if (!isnull(value)) path = value[1];\n\n RegCloseKey(handle:key_h);\n}\n\nif(!isnull(path))\n{\n found = 0;\n # Check if the main exe exists.\n share = ereg_replace(pattern:\"^([A-Za-z]):.*\", replace:\"\\1$\", string:path);\n exe = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", replace:\"\\1\\MsMpEng.exe\", string:path);\n NetUseDel(close:FALSE);\n rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);\n if (rc != 1)\n {\n NetUseDel();\n audit(AUDIT_SHARE_FAIL, share);\n }\n fh = CreateFile(\n file:exe,\n desired_access:GENERIC_READ,\n file_attributes:FILE_ATTRIBUTE_NORMAL,\n share_mode:FILE_SHARE_READ,\n create_disposition:OPEN_EXISTING\n );\n if (!isnull(fh))\n {\n antimalware_installed = TRUE;\n found = 1;\n CloseFile(handle:fh);\n }\n\n if (found && !isnull(engine_version))\n {\n if 
(ver_compare(ver:engine_version, fix:fixed_engine_version) == -1)\n {\n info +=\n '\\n Product : Microsoft Security Essentials / Microsoft Security Essentials Prerelease / Forefront Endpoint Protection / System Center Endpoint Protection'+\n '\\n Path : ' + share[0] + ':' + exe +\n '\\n Installed version : ' + engine_version +\n '\\n Fixed version : ' + fixed_engine_version + '\\n';\n }\n else info2 += 'Microsoft Security Essentials / Microsoft Security Essentials Prerelease / Forefront Endpoint Protection / System Center Endpoint Protection with MMPE version ' + engine_version + \". \";\n }\n}\n\n# Microsoft Windows Defender\n# Microsoft Windows Defender for Windows 8\n# defender is apparently disabled when other antimalware products are installed,\n# so it will only be checked if the plugin hasn't detected other products are present\nif (!antimalware_installed)\n{\n defender_enabled = TRUE;\n engine_version = NULL;\n\n # Check if Windows Defender is disabled via group policy\n key = \"SOFTWARE\\Policies\\Microsoft\\Windows Defender\";\n key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);\n if (!isnull(key_h))\n {\n value = RegQueryValue(handle:key_h, item:\"DisableAntiSpyware\");\n if (!isnull(value))\n {\n if (value[1] > 0)\n {\n defender_enabled = FALSE;\n }\n }\n RegCloseKey(handle:key_h);\n }\n key = \"SOFTWARE\\Microsoft\\Windows Defender\";\n key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);\n if (!isnull(key_h))\n {\n value = RegQueryValue(handle:key_h, item:\"DisableAntiSpyware\");\n if (!isnull(value))\n {\n if (value[1] > 0)\n {\n defender_enabled = FALSE;\n }\n }\n RegCloseKey(handle:key_h);\n }\n if (defender_enabled)\n {\n key = \"SOFTWARE\\Microsoft\\Windows Defender\\Signature Updates\";\n key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);\n if (!isnull(key_h))\n {\n value = RegQueryValue(handle:key_h, item:\"EngineVersion\");\n if (!isnull(value)) engine_version = value[1];\n\n RegCloseKey(handle:key_h);\n 
}\n\n path = NULL;\n key = \"SOFTWARE\\Microsoft\\Windows Defender\\Signature Updates\";\n key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);\n if (!isnull(key_h))\n {\n value = RegQueryValue(handle:key_h, item:\"SignatureLocation\");\n if (!isnull(value)) path = value[1];\n\n RegCloseKey(handle:key_h);\n }\n\n if(!isnull(path))\n {\n found = 0;\n defender_dll = NULL;\n # Check the version of the main exe.\n share = ereg_replace(pattern:\"^([A-Za-z]):.*\", replace:\"\\1$\", string:path);\n # this is the path smb_kb2491888.nasl checks\n dll1 = ereg_replace(pattern:\"^[A-Za-z]:(.+Windows Defender\\\\Definition Updates).+\", replace:\"\\1\\Default\\MpEngine.dll\", string:path);\n # this path works for Windows Defender on Windows 8\n dll2 = ereg_replace(pattern:\"^[A-Za-z]:(.+)$\", replace:\"\\1\\MpEngine.dll\", string:path);\n NetUseDel(close:FALSE);\n rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);\n if (rc != 1)\n {\n NetUseDel();\n audit(AUDIT_SHARE_FAIL, share);\n }\n fh = CreateFile(\n file:dll1,\n desired_access:GENERIC_READ,\n file_attributes:FILE_ATTRIBUTE_NORMAL,\n share_mode:FILE_SHARE_READ,\n create_disposition:OPEN_EXISTING\n );\n if (!isnull(fh))\n {\n found =1 ;\n defender_dll = share[0] + ':' + dll1;\n CloseFile(handle:fh);\n }\n\n if (found == 0)\n {\n fh = CreateFile(\n file:dll2,\n desired_access:GENERIC_READ,\n file_attributes:FILE_ATTRIBUTE_NORMAL,\n share_mode:FILE_SHARE_READ,\n create_disposition:OPEN_EXISTING\n );\n if (!isnull(fh))\n {\n found =1 ;\n defender_dll = share[0] + ':' + dll2;\n CloseFile(handle:fh);\n }\n }\n\n if (found && !isnull(engine_version))\n {\n if (ver_compare(ver:engine_version, fix:fixed_engine_version) == -1)\n {\n info +=\n '\\n Product : Microsoft Windows Defender'+\n '\\n Path : ' + defender_dll +\n '\\n Installed version : ' + engine_version +\n '\\n Fixed version : ' + fixed_engine_version + '\\n';\n }\n else info2 += 'Microsoft Windows Defender with MMPE version ' + 
engine_version + \". \";\n }\n }\n }\n}\n\nRegCloseKey(handle:hklm);\nNetUseDel();\n\n# Microsoft Malicious Software Removal Tool\n# Only May 2014 or earlier versions of the Microsoft Malicious Software Removal Tool are vuln\n# ie we are patched in June 2014 (5.13.10300.0)\nmrt_version = get_kb_item('SMB/MRT/Version');\nif (!isnull(mrt_version))\n{\n if (ver_compare(ver:mrt_version, fix:'5.13.10300.0') < 0)\n {\n info +=\n '\\n Product : Microsoft Malicious Software Removal Tool' +\n '\\n Installed version : ' + mrt_version +\n '\\n Fixed version : 5.13.10300.0 (June 2014)\\n';\n }\n else info2 += 'Microsoft Malicious Software Removal Tool ' + mrt_version + '. ';\n}\n\nif (info)\n{\n if (report_verbosity > 0)\n {\n report = '\\n' +\n \"Nessus found following vulnerable product(s) installed :\" +'\\n'+\n info;\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n\n exit(0);\n}\nelse if(info2) exit(0,\"The following instance(s) of MMPE are installed and not vulnerable : \"+ info2);\nelse exit(0, \"Nessus could not find evidence of affected Microsoft antimalware products installed.\");\n", "naslFamily": "Windows", "pluginID": "76123", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:malware_protection_engine"], "scheme": null}
{"cve": [{"lastseen": "2021-02-02T06:14:28", "description": "mpengine.dll in Microsoft Malware Protection Engine before 1.1.10701.0 allows remote attackers to cause a denial of service (system hang) via a crafted file.", "edition": 6, "cvss3": {}, "published": "2014-06-18T16:55:00", "title": "CVE-2014-2779", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-2779"], "modified": "2016-09-02T21:40:00", "cpe": ["cpe:/a:microsoft:malware_protection_engine:1.1.10600.0"], "id": "CVE-2014-2779", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2779", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:microsoft:malware_protection_engine:1.1.10600.0:*:*:*:*:*:*:*"]}], "threatpost": [{"lastseen": "2018-10-06T22:58:39", "bulletinFamily": "info", "cvelist": ["CVE-2014-2779"], "description": "Microsoft today released a security [advisory](<https://technet.microsoft.com/en-us/library/security/2974294>) alerting users of a serious vulnerability in the antimalware engine present in a number of security products, including Windows Defender, Forefront and others.\n\nThe update will be automatically pushed down to the Microsoft Malware Protection Engine in the next 48 hours, Microsoft said.\n\nThere are no known public exploits for the bug, which was privately disclosed by Google engineer Tavis Ormandy, a longtime bug-hunter, and occasional thorn in Microsoft\u2019s side. 
Microsoft, meanwhile, said that exploits are unlikely because they would be difficult to build.\n\nAttackers could exploit the bug by sending a malicious file to a victim, or enticing them to a website hosting a malicious file.\n\nAttackers could exploit the bug by sending a malicious file to a victim, or enticing them to a website hosting a malicious file.\n\n\u201cAn attacker who successfully exploited this [vulnerability](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2779>) could prevent the Microsoft Malware Protection Engine from monitoring affected systems until the specially crafted file is manually removed and the service is restarted,\u201d Microsoft said in its advisory.\n\nIf the engine is configured for real-time protection, it would automatically scan files causing the scan to timeout, otherwise, the exploit would be triggered during a scheduled scan.\n\nThe Microsoft Malware Protection Engine ships with a number of Microsoft products, including server and endpoint versions of Windows Defender for Windows 8 and 8.1, Microsoft Security Essentials, the Microsoft Malicious Software Removal Tool, Microsoft System Center 2012 and Microsoft Forefront Client, Endpoint Protection and Sharepoint versions.\n\n\u201cTypically, no action is required of enterprise administrators or end users to install updates for the Microsoft Malware Protection Engine, because the built-in mechanism for the automatic detection and deployment of updates will apply the update within 48 hours of release,\u201d Microsoft said. 
\u201cThe exact time frame depends on the software used, Internet connection, and infrastructure configuration.\u201d\n\nOrmandy has disclosed Microsoft vulnerabilities in the past, some of them publicly.\n\nLast July, [Microsoft patched a critical Windows kernel vulnerability](<http://threatpost.com/july-patch-tuesday-updates-expected-to-include-fix-for-ormandy-kernel-bug/101204>) after Ormandy in May made a post to the Full Disclosure list looking for help with an exploit for kernel bug he\u2019d found. Ormandy said he had a working exploit within a week, and also took some shots at Microsoft on his personal blog, calling the company hostile toward security researchers.\n\nThe timing of the initial disclosure was awkward for Microsoft, which could not turn around a patch in time for its [June 2013 Patch Tuesday updates](<http://threatpost.com/microsoft-patches-ie-again-ormandy-bug-waits/100945>), instead holding off until July. The situation, meanwhile, was complicated by the release of a Metasploit module exploiting the privilege escalation vulnerability.\n", "modified": "2014-06-17T19:13:09", "published": "2014-06-17T15:05:45", "id": "THREATPOST:0E3897F7DF9D4F63E0234945A6AE4E28", "href": "https://threatpost.com/microsoft-warns-of-denial-of-service-bug-in-malware-protection-engine/106701/", "type": "threatpost", "title": "Microsoft Malware Protection Engine Denial of Service Bug", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}]}