CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
EPSS
Percentile
99.9%
If a remote attacker can trick a user on the affected host into opening a specially crafted bitmap file, a vulnerability in the graphics rendering engine that arises due to its failure to validate the 'biClrUsed' parameter could be leveraged to execute arbitrary code on the host subject to the user's privileges.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
# Plugin registration. This branch runs only when Nessus loads the plugin
# metadata (description is set); it records identifiers, CVSS vectors and
# dependencies, then exits without performing any check.
if (description)
{
script_id(51906);
script_version("1.24");
script_set_attribute(attribute:"plugin_modification_date", value:"2020/08/05");
script_cve_id("CVE-2010-3970");
script_bugtraq_id(45662);
script_xref(name:"IAVA", value:"2011-A-0019-S");
script_xref(name:"CERT", value:"106516");
script_xref(name:"MSFT", value:"MS11-006");
script_xref(name:"MSKB", value:"2483185");
script_name(english:"MS11-006: Vulnerability in Windows Shell Graphics Processing Could Allow Remote Code Execution (2483185)");
script_summary(english:"Checks version of Shell32.dll");
script_set_attribute(
attribute:"synopsis",
value:
"It may be possible to execute arbitrary code on the remote host using
the graphics rendering engine."
);
script_set_attribute(
attribute:"description",
value:
"If a remote attacker can trick a user on the affected host into
opening a specially crafted bitmap file, a vulnerability in the
graphics rendering engine that arises due to its failure to validate
the 'biClrUsed' parameter could be leveraged to execute arbitrary
code on the host subject to the user's privileges."
);
# https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2011/ms11-006
script_set_attribute(attribute:"see_also", value:"https://www.nessus.org/u?1ac9f3e1");
script_set_attribute(
attribute:"solution",
value:
"Microsoft has released a set of patches for Windows XP, 2003, Vista,
2008."
);
# Base vector: network, medium complexity, no auth, full C/I/A impact.
# Temporal: exploit is functional/high, official fix available, confirmed.
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2010-3970");
# Exploitation status flags: public exploits exist, including a Metasploit
# module, and in-the-wild malware use has been recorded. These drive
# prioritisation in reports; they do not change the detection logic.
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'MS11-006 Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2010/12/15");
script_set_attribute(attribute:"patch_publication_date", value:"2011/02/08");
script_set_attribute(attribute:"plugin_publication_date", value:"2011/02/08");
# "local" here means the check reads file versions over SMB with
# credentials rather than probing the vulnerable code path remotely.
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
script_set_attribute(attribute:"stig_severity", value:"II");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows : Microsoft Bulletins");
script_copyright(english:"This script is Copyright (C) 2011-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
# The check depends on the SMB hotfix enumeration plugins having run first;
# the 'Host/patch_management_checks' entry lets the plugin also be scheduled
# when results come from a patch-management integration (see the
# hotfix_check_3rd_party call in the check body).
script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
script_require_keys("SMB/MS_Bulletin_Checks/Possible");
script_require_ports(139, 445, 'Host/patch_management_checks');
exit(0);
}
include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");
# Check body: decide whether the MS11-006 fix (KB2483185) is missing by
# comparing the installed Shell32.dll version against the patched builds.
# Every early exit goes through audit()/exit() so the scanner records a
# reason rather than silently reporting "not affected".
# Abort unless the dependency plugin established that bulletin checks are
# possible on this host (credentials and SMB access worked).
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
bulletin = 'MS11-006';
kb = '2483185';
kbs = make_list(kb);
# When a patch-management integration supplied data, delegate the KB check
# to it. NOTE(review): presumably hotfix_check_3rd_party reports and exits
# on its own when it can decide; otherwise execution falls through to the
# file-version check below — confirm against smb_hotfixes_fcheck.inc.
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
# Only the service-pack levels the bulletin covers are checked: XP SP3,
# 2003 SP2, Vista/2008 SP1 and SP2. Anything else is reported as not
# vulnerable by OS/SP rather than by file version.
if (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'1,2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
# Server Core installations are excluded from this check.
if (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);
# The file-version comparison needs the system root and a readable admin
# share; fail loudly if either cannot be obtained.
rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");
share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
# Each branch compares %SystemRoot%\system32\Shell32.dll against the fixed
# build for that OS/SP. The Vista entries carry a min_version so that a
# version is only flagged when it falls inside the matching range
# (18xxx vs 2xxxx builds appear to be separate servicing branches;
# the numbers come from the bulletin's file table — verify there).
if (
# Vista / Windows 2008
hotfix_is_vulnerable(os:"6.0", sp:2, file:"Shell32.dll", version:"6.0.6002.22574", min_version:"6.0.6002.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
hotfix_is_vulnerable(os:"6.0", sp:2, file:"Shell32.dll", version:"6.0.6002.18393", min_version:"6.0.6002.18000", dir:"\system32", bulletin:bulletin, kb:kb) ||
hotfix_is_vulnerable(os:"6.0", sp:1, file:"Shell32.dll", version:"6.0.6001.22839", min_version:"6.0.6001.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
hotfix_is_vulnerable(os:"6.0", sp:1, file:"Shell32.dll", version:"6.0.6001.18588", min_version:"6.0.6001.18000", dir:"\system32", bulletin:bulletin, kb:kb) ||
# Windows 2003 / XP x64
hotfix_is_vulnerable(os:"5.2", sp:2, file:"Shell32.dll", version:"6.0.3790.4822", dir:"\system32", bulletin:bulletin, kb:kb) ||
# Windows XP x86
hotfix_is_vulnerable(os:"5.1", sp:3, arch:"x86", file:"Shell32.dll", version:"6.0.2900.6072", dir:"\system32", bulletin:bulletin, kb:kb)
)
{
# Record the missing bulletin in the KB (other plugins and reports key on
# 'SMB/Missing/<bulletin>'), emit the finding, then release the SMB
# session opened by the version checks.
set_kb_item(name:'SMB/Missing/' + bulletin, value:TRUE);
hotfix_security_hole();
hotfix_check_fversion_end();
exit(0);
}
else
{
# No vulnerable version found: still close the SMB session before auditing
# out, so the connection is not left open on the not-affected path.
hotfix_check_fversion_end();
audit(AUDIT_HOST_NOT, 'affected');
}