MS13-002: Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (2756145)

2013-01-09T00:00:00
ID SMB_NT_MS13-002.NASL
Type nessus
Reporter This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
Modified 2018-11-15T00:00:00

Description

The version of Microsoft XML Core Services installed on the remote Windows host is affected by multiple code execution vulnerabilities when visiting a specially crafted web page using Internet Explorer.

                                        
                                            #
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(63420);
  script_version("1.11");
  script_cvs_date("Date: 2018/11/15 20:50:31");

  script_cve_id("CVE-2013-0006", "CVE-2013-0007");
  script_bugtraq_id(57116, 57122);
  script_xref(name:"MSFT", value:"MS13-002");
  script_xref(name:"MSKB", value:"2687497");
  script_xref(name:"MSKB", value:"2687499");
  script_xref(name:"MSKB", value:"2757638");
  script_xref(name:"MSKB", value:"2758694");
  script_xref(name:"MSKB", value:"2758696");
  script_xref(name:"MSKB", value:"2760574");
  script_xref(name:"IAVA", value:"2013-A-0004");

  script_name(english:"MS13-002: Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (2756145)");
  script_summary(english:"Checks the versions of Msxml3.dll, Msxml4.dll, and Msxml6.dll");
  script_set_attribute(
    attribute:"synopsis",
    value:
"Arbitrary code can be executed on the remote host through Microsoft XML
Core Services."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The version of Microsoft XML Core Services installed on the remote
Windows host is affected by multiple code execution vulnerabilities when
visiting a specially crafted web page using Internet Explorer."
  );
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2013/ms13-002");
  script_set_attribute(
    attribute:"solution",
    value:
"Microsoft has released a set of patches for Windows XP, 2003, Vista,
2008, 7, and 2008 R2, 8, 2012, Office 2003, 2007, Word Viewer, Office
Compatibility Pack, Expression Web Service, Expression Web 2, SharePoint
Server 2007 and Groove Server 2007."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2013/01/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/01/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/01/09");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:xml_core_services");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:expression_web");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:groove_server");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office_compatibility_pack");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:sharepoint_server");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:word_viewer");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, 'Host/patch_management_checks');

  exit(0);
}

include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS13-002';
kbs = make_list(
  "2687497",
  "2687499",
  "2757638",
  "2758694",
  "2758696",
  "2760574"
);

if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);


get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (!is_accessible_share())  audit(AUDIT_SHARE_FAIL, 'is_accessible_share');

vuln = 0;

arch = get_kb_item_or_exit("SMB/ARCH");
if (arch == "x86")
  commonfiles = hotfix_get_commonfilesdir();
else commonfiles = hotfix_get_commonfilesdirx86();
if (commonfiles)
  msxml5_dir = commonfiles + '\\Microsoft Shared\\Office11';

# XML Core Services 5 (this could be one of three KBs - KB2760574, KB2687497, KB2687499)
if (msxml5_dir)
  vuln += hotfix_is_vulnerable(path:msxml5_dir, file:"Msxml5.dll", version:"5.20.1099.0", min_version:"5.0.0.0", bulletin:bulletin);

# If a vulnerable version of XML Core Services 5 was detected, we should report on that
# regardless of the OS version.
if ((hotfix_check_sp_range(xp:'3', win2003:'2', vista:'2', win7:'0,1', win8:'0') <= 0))
{
  if (!vuln) audit(AUDIT_OS_SP_NOT_VULN);
}
else
{
  productname = get_kb_item_or_exit("SMB/ProductName", exit_code:1);
  # Windows 8 / Server 2012
  vuln += hotfix_is_vulnerable(os:"6.2", arch:"x64", sp:0, file:"Msxml3.dll", version:"8.110.9200.16447",                                  dir:"\SysWOW64", bulletin:bulletin, kb:"2757638");
  vuln += hotfix_is_vulnerable(os:"6.2", arch:"x64", sp:0, file:"Msxml3.dll", version:"8.110.9200.20551", min_version:"8.110.9200.20000",  dir:"\SysWOW64", bulletin:bulletin, kb:"2757638");
  vuln += hotfix_is_vulnerable(os:"6.2", arch:"x64", sp:0, file:"Msxml4.dll", version:"4.30.2117.0", min_version:"4.30.0.0",            dir:"\SysWOW64", bulletin:bulletin, kb:"2758694");
  vuln += hotfix_is_vulnerable(os:"6.2", arch:"x64", sp:0, file:"Msxml6.dll", version:"6.30.9200.16447", min_version:"6.30.9200.16000",     dir:"\SysWOW64", bulletin:bulletin, kb:"2757638");
  vuln += hotfix_is_vulnerable(os:"6.2", arch:"x64", sp:0, file:"Msxml6.dll", version:"6.30.9200.20551", min_version:"6.30.9200.20000",     dir:"\SysWOW64", bulletin:bulletin, kb:"2757638");
  vuln += hotfix_is_vulnerable(os:"6.2", arch:"x64", sp:0, file:"Msxml3.dll", version:"8.110.9200.16447",                                  dir:"\System32", bulletin:bulletin, kb:"2757638");
  vuln += hotfix_is_vulnerable(os:"6.2", arch:"x64", sp:0, file:"Msxml3.dll", version:"8.110.9200.20551", min_version:"8.110.9200.20000",  dir:"\System32", bulletin:bulletin, kb:"2757638");
  vuln += hotfix_is_vulnerable(os:"6.2",             sp:0, file:"Msxml4.dll", version:"4.30.2117.0", min_version:"4.30.0.0",            dir:"\System32", bulletin:bulletin, kb:"2758694");
  vuln += hotfix_is_vulnerable(os:"6.2",             sp:0, file:"Msxml6.dll", version:"6.30.9200.16447", min_version:"6.30.9200.16000",     dir:"\System32", bulletin:bulletin, kb:"2757638");
  vuln += hotfix_is_vulnerable(os:"6.2",             sp:0, file:"Msxml6.dll", version:"6.30.9200.20551", min_version:"6.30.9200.20000",     dir:"\System32", bulletin:bulletin, kb:"2757638");

  # Windows 7 / Server 2008 R2
  vuln += hotfix_is_vulnerable(os:"6.1", arch:"x64", sp:0, file:"Msxml3.dll", version:"8.110.7600.17157",                                  dir:"\SysWOW64", bulletin:bulletin, kb:"2757638");
  vuln += hotfix_is_vulnerable(os:"6.1", arch:"x64", sp:0, file:"Msxml3.dll", version:"8.110.7600.21360", min_version:"8.110.7600.21000",  dir:"\SysWOW64", bulletin:bulletin, kb:"2757638");
  vuln += hotfix_is_vulnerable(os:"6.1", arch:"x64", sp:1, file:"Msxml3.dll", version:"8.110.7601.17988", min_version:"8.110.7601.17000",  dir:"\SysWOW64", bulletin:bulletin, kb:"2757638");
  vuln += hotfix_is_vulnerable(os:"6.1", arch:"x64", sp:1, file:"Msxml3.dll", version:"8.110.7601.22149", min_version:"8.110.7601.22000",  dir:"\SysWOW64", bulletin:bulletin, kb:"2757638");
  vuln += hotfix_is_vulnerable(os:"6.1", arch:"x64",       file:"Msxml4.dll", version:"4.30.2117.0", min_version:"4.30.0.0",            dir:"\SysWOW64", bulletin:bulletin, kb:"2758694");
  vuln += hotfix_is_vulnerable(os:"6.1", arch:"x64", sp:0, file:"Msxml6.dll", version:"6.30.7600.17157",                                   dir:"\SysWOW64", bulletin:bulletin, kb:"2757638");
  vuln += hotfix_is_vulnerable(os:"6.1", arch:"x64", sp:0, file:"Msxml6.dll", version:"6.30.7600.21360",  min_version:"6.30.7600.21000",   dir:"\SysWOW64", bulletin:bulletin, kb:"2757638");
  vuln += hotfix_is_vulnerable(os:"6.1", arch:"x64", sp:1, file:"Msxml6.dll", version:"6.30.7601.17988",  min_version:"6.30.7601.17000",   dir:"\SysWOW64", bulletin:bulletin, kb:"2757638");
  vuln += hotfix_is_vulnerable(os:"6.1", arch:"x64", sp:1, file:"Msxml6.dll", version:"6.30.7601.22149",  min_version:"6.30.7601.22000",   dir:"\SysWOW64", bulletin:bulletin, kb:"2757638");
  vuln += hotfix_is_vulnerable(os:"6.1", arch:"x64", sp:0, file:"Msxml3.dll", version:"8.110.7600.17157",                                  dir:"\System32", bulletin:bulletin, kb:"2757638");
  vuln += hotfix_is_vulnerable(os:"6.1", arch:"x64", sp:0, file:"Msxml3.dll", version:"8.110.7600.21360", min_version:"8.110.7600.21000",  dir:"\System32", bulletin:bulletin, kb:"2757638");
  vuln += hotfix_is_vulnerable(os:"6.1", arch:"x64", sp:1, file:"Msxml3.dll", version:"8.110.7601.17988", min_version:"8.110.7601.17000",  dir:"\System32", bulletin:bulletin, kb:"2757638");
  vuln += hotfix_is_vulnerable(os:"6.1", arch:"x64", sp:1, file:"Msxml3.dll", version:"8.110.7601.22149", min_version:"8.110.7601.22000",  dir:"\System32", bulletin:bulletin, kb:"2757638");
  vuln += hotfix_is_vulnerable(os:"6.1",                   file:"Msxml4.dll", version:"4.30.2117.0", min_version:"4.30.0.0",            dir:"\System32", bulletin:bulletin, kb:"2758694");
  vuln += hotfix_is_vulnerable(os:"6.1",             sp:0, file:"Msxml6.dll", version:"6.30.7600.17157",                                   dir:"\System32", bulletin:bulletin, kb:"2757638");
  vuln += hotfix_is_vulnerable(os:"6.1",             sp:0, file:"Msxml6.dll", version:"6.30.7600.21360",  min_version:"6.30.7600.21000",   dir:"\System32", bulletin:bulletin, kb:"2757638");
  vuln += hotfix_is_vulnerable(os:"6.1",             sp:1, file:"Msxml6.dll", version:"6.30.7601.17988",  min_version:"6.30.7601.17000",   dir:"\System32", bulletin:bulletin, kb:"2757638");
  vuln += hotfix_is_vulnerable(os:"6.1",             sp:1, file:"Msxml6.dll", version:"6.30.7601.22149",  min_version:"6.30.7601.22000",   dir:"\System32", bulletin:bulletin, kb:"2757638");

  # Vista / Windows Server 2008
  vuln += hotfix_is_vulnerable(os:"6.0", arch:"x64",  sp:2, file:"Msxml3.dll", version:"8.100.5006.0",                               dir:"\SysWOW64", bulletin:bulletin, kb:"2757638");
  vuln += hotfix_is_vulnerable(os:"6.0", arch:"x64",  sp:2, file:"Msxml4.dll", version:"4.30.2117.0", min_version:"4.30.0.0",     dir:"\SysWOW64", bulletin:bulletin, kb:"2758694");
  vuln += hotfix_is_vulnerable(os:"6.0", arch:"x64",  sp:2, file:"Msxml6.dll", version:"6.20.5006.0",                                dir:"\SysWOW64", bulletin:bulletin, kb:"2757638");
  vuln += hotfix_is_vulnerable(os:"6.0", arch:"x64",  sp:2, file:"Msxml3.dll", version:"8.100.5006.0",                               dir:"\System32", bulletin:bulletin, kb:"2757638");
  vuln += hotfix_is_vulnerable(os:"6.0",              sp:2, file:"Msxml4.dll", version:"4.30.2117.0", min_version:"4.30.0.0",     dir:"\System32", bulletin:bulletin, kb:"2758694");
  vuln += hotfix_is_vulnerable(os:"6.0",              sp:2, file:"Msxml6.dll", version:"6.20.5006.0",                                dir:"\System32", bulletin:bulletin, kb:"2757638");

  # Windows 2003 and XP x64
  vuln += hotfix_is_vulnerable(os:"5.2", arch:"x64", sp:2, file:"Msxml3.dll", version:"8.100.1053.0",                               dir:"\SysWOW64", bulletin:bulletin, kb:"2757638");
  vuln += hotfix_is_vulnerable(os:"5.2", arch:"x64", sp:2, file:"Msxml4.dll", version:"4.30.2117.0", min_version:"4.30.0.0",     dir:"\SysWOW64", bulletin:bulletin, kb:"2758694");
  vuln += hotfix_is_vulnerable(os:"5.2", arch:"x64", sp:2, file:"Msxml6.dll", version:"6.20.2016.0",                                dir:"\SysWOW64", bulletin:bulletin, kb:"2758696");
  vuln += hotfix_is_vulnerable(os:"5.2", arch:"x64", sp:2, file:"Msxml3.dll", version:"8.100.1053.0",                               dir:"\System32", bulletin:bulletin, kb:"2757638");
  vuln += hotfix_is_vulnerable(os:"5.2",             sp:2, file:"Msxml4.dll", version:"4.30.2117.0", min_version:"4.30.0.0",     dir:"\System32", bulletin:bulletin, kb:"2758694");
  vuln += hotfix_is_vulnerable(os:"5.2",             sp:2, file:"Msxml6.dll", version:"6.20.2016.0",                                dir:"\System32", bulletin:bulletin, kb:"2758696");

  # Windows XP
  vuln += hotfix_is_vulnerable(os:"5.1", arch:"x64", sp:3, file:"Msxml4.dll", version:"4.30.2117.0", min_version:"4.30.0.0",     dir:"\SysWOW64", bulletin:bulletin, kb:"2758694");
  vuln += hotfix_is_vulnerable(os:"5.1", arch:"x64", sp:3, file:"Msxml6.dll", version:"6.20.2502.0",                                dir:"\SysWOW64", bulletin:bulletin, kb:"2757638");
  vuln += hotfix_is_vulnerable(os:"5.1",             sp:3, file:"Msxml4.dll", version:"4.30.2117.0", min_version:"4.30.0.0",     dir:"\System32", bulletin:bulletin, kb:"2758694");
  vuln += hotfix_is_vulnerable(os:"5.1",             sp:3, file:"Msxml6.dll", version:"6.20.2502.0",                                dir:"\System32", bulletin:bulletin, kb:"2757638");
}

if (vuln > 0)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();

  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}