Nessus plugin SMB_NT_MS12-001.NASL — This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
History: Jan 10, 2012 - 12:00 a.m.

MS12-001: Vulnerability in Windows Kernel Could Allow Security Feature Bypass (2644615)

2012-01-10 00:00:00
This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
www.tenable.com

9.3 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.188 Low

EPSS

Percentile

96.3%

The remote Windows host has a bypass vulnerability in the SafeSEH security feature. This could allow an attacker to use other vulnerabilities to bypass the SafeSEH security feature and run arbitrary code on the remote host. Only software applications compiled using Microsoft Visual C++ .NET 2003 could be used to exploit this vulnerability.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  # Registration pass: when the engine loads the plugin with 'description'
  # set, only the metadata below is recorded and the script exits before
  # any host is touched.
  script_id(57469);
  script_version("1.14");
  script_cvs_date("Date: 2018/11/15 20:50:31");

  # Cross-references for the issue this plugin detects.
  script_cve_id("CVE-2012-0001");
  script_bugtraq_id(51296);
  script_xref(name:"MSFT", value:"MS12-001");
  script_xref(name:"IAVA", value:"2012-A-0003");
  script_xref(name:"MSKB", value:"2644615");


  script_name(english:"MS12-001: Vulnerability in Windows Kernel Could Allow Security Feature Bypass (2644615)");
  # The detection body of this script compares the installed Ntdll.dll
  # version against the fixed builds for each supported OS/SP.
  script_summary(english:"Checks the version of Ntdll.dll");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Windows host has a flaw in a security feature that is
utilized by certain software applications."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote Windows host has a bypass vulnerability in the SafeSEH
security feature.  This could allow an attacker to use other
vulnerabilities to bypass the SafeSEH security feature and run
arbitrary code on the remote host.  Only software applications
compiled using Microsoft Visual C++ .NET 2003 could be used to exploit
this vulnerability."
  );
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2012/ms12-001");
  script_set_attribute(
    attribute:"solution",
    value:
"Microsoft has released a set of patches for Windows XP, 2003, Vista,
2008, 7, and 2008 R2."
  );
  # Scoring and exploitability fields as recorded at this script version;
  # they are static metadata, not something the plugin verifies on the host.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/01/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/01/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/01/10");

  # Local (authenticated) check rather than a remote probe; the CPE scopes
  # the result to the Windows OS itself.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");

  # Runs only after the generic hotfix/bulletin pre-check plugins have
  # populated the KB key below; needs the SMB ports or a patch-management
  # data source to be available.
  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}


include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

# Detection pass.  Each prerequisite below exits or audits out on failure,
# so the file-version comparison at the end is only reached on a host that
# is in scope and reachable over SMB.
get_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');

bulletin = 'MS12-001';
kb = '2644615';
kbs = make_list(kb);

# Alternate path: when a patch-management data source is present, the KB list
# is handed to the third-party checker.  Presumably it reports and exits on
# its own -- its behaviour is not visible in this file.
if (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit('SMB/Registry/Enumerated');
get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);

# Only 2003 SP2, Vista/2008 SP2 and Windows 7/2008 R2 SP0-SP1 are in range;
# any other OS/SP combination is audited as not vulnerable.
# NOTE(review): the solution text lists Windows XP, but no XP (os 5.1) range
# or file check appears below -- confirm whether 32-bit XP is intentionally
# out of scope for this plugin.
if (hotfix_check_sp_range(win2003:'2', vista:'2', win7:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

# Locate %SystemRoot% and make sure the SMB share backing it can be reached;
# without it no file version can be read.
rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

# Each line compares the installed Ntdll.dll against the fixed build for one
# OS/SP.  Where two lines share an OS/SP, min_version separates two build
# branches (presumably the GDR and LDR servicing branches) so each is compared
# only against the fixed build of its own branch.
if (
  # Windows 7 and Windows Server 2008 R2
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"Ntdll.dll", version:"6.1.7601.21861", min_version:"6.1.7601.21000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"Ntdll.dll", version:"6.1.7601.17725", min_version:"6.1.7601.17000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.1", sp:0, file:"Ntdll.dll", version:"6.1.7600.21092", min_version:"6.1.7600.21000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.1", sp:0, file:"Ntdll.dll", version:"6.1.7600.16915", min_version:"6.1.7600.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Vista SP2 / Windows 2008 SP2
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Ntdll.dll", version:"6.0.6002.22742", min_version:"6.0.6002.22000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Ntdll.dll", version:"6.0.6002.18541", min_version:"6.0.6002.18000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows 2003 SP2 / XP x64 (single build branch, so no min_version)
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"Ntdll.dll", version:"5.2.3790.4937",  dir:"\system32", bulletin:bulletin, kb:kb)
)
{
  # Record the missing bulletin in the KB for downstream plugins, report the
  # finding, release the file-check session and stop.
  set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  # Patched (or no matching file): release the session and audit out.
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}
Vendor: microsoft | Product: windows | Version: — | CPE: cpe:/o:microsoft:windows
