7.2 High
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
0.0004 Low
EPSS
Percentile
14.4%
The Windows Client/Server Run-time Subsystem (CSRSS) on the remote host has a privilege escalation vulnerability due to improper handling of objects in memory. A local attacker who successfully exploits this vulnerability can execute arbitrary code in the context of the local system. The attacker could then install or modify applications as well as create new accounts with full user rights.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
# Metadata registration. When the scanner loads the script with `description`
# set, only the calls below run and the script leaves at the closing exit(0);
# none of the host checks further down are reached on that pass.
if (description)
{
  # Plugin identity and revision.
  script_id(65880);
  script_version("1.8");
  script_cvs_date("Date: 2018/11/15 20:50:31");

  # Cross-references used to correlate this finding with the CVE entry,
  # the vendor bulletin / KB article and the IAVB notice.
  script_cve_id("CVE-2013-1295");
  script_bugtraq_id(58886);
  script_xref(name:"MSFT", value:"MS13-033");
  script_xref(name:"MSKB", value:"2820917");
  script_xref(name:"IAVB", value:"2013-B-0034");

  script_name(english:"MS13-033: Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2820917)");
  script_summary(english:"Checks the version of Winsrv.dll");

  script_set_attribute(attribute:"synopsis", value:"The remote Windows host has a privilege escalation vulnerability.");

  # The multi-line values below start at column 0 on purpose: the line breaks
  # and any leading whitespace inside the quotes are part of the reported text.
  script_set_attribute(attribute:"description", value:
"The Windows Client/Server Run-time Subsystem (CSRSS) on the remote host
has a privilege escalation vulnerability due to an improper handling of
objects in memory. An attacker who successfully exploits this
vulnerability can execute arbitrary code in the context of the local
system. The attacker could then install or modify applications as well
as create new accounts with full user rights.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2013/ms13-033");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows XP, 2003, Vista,
and 2008.");

  # CVSS v2 scoring.
  #   Base     AV:L/AC:L/Au:N/C:C/I:C/A:C - local access, low complexity,
  #            no authentication, complete impact on C/I/A.
  #   Temporal E:U/RL:OF/RC:C - exploitability unproven, official fix
  #            available, report confirmed.
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");

  # NOTE(review): the two exploit attributes are fixed strings recorded with
  # this plugin revision; they are not re-evaluated at scan time, so check
  # current advisories before relying on them for prioritisation.
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  # Disclosure, patch and plugin dates.
  script_set_attribute(attribute:"vuln_publication_date", value:"2013/04/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/04/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/04/10");

  # "local" plugin type: presumably the check reads data from the host with
  # supplied credentials rather than probing a network service - confirm.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  # Information-gathering category and reporting family.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");
  script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.");

  # Scheduling prerequisites: the two listed scripts are declared as
  # dependencies, and the KB key set here is the same one the check body
  # tests first. The port list names the SMB ports plus the
  # patch-management KB entry.
  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, 'Host/patch_management_checks');

  exit(0);
}
include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");
# Check body: decides whether KB 2820917 (MS13-033) is missing by comparing
# the on-disk version of Winsrv.dll with the fixed version for each OS.

# Gate 1: stop unless bulletin checks were marked possible for this host.
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS13-033';
kb = "2820917";

# If patch-management data was collected for the host, hand the bulletin and
# KB list to the third-party check first. Whether that helper returns or
# ends the script is defined in the include files - confirm there.
if (get_kb_item("Host/patch_management_checks"))
  hotfix_check_3rd_party(bulletin:bulletin, kbs:make_list(kb), severity:SECURITY_HOLE);

# Gate 2: the file check needs the enumerated registry data and the detected
# Windows version; a missing version ends the script with exit code 1.
get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

# Only XP SP3, 2003 SP2 and Vista/2008 SP2 are examined. Any non-positive
# result is audited as "not vulnerable".
# NOTE(review): presumably that covers both unlisted OS versions and
# service-pack levels outside the range - confirm against smb_hotfixes.inc,
# since an out-of-range service pack would then not be flagged by this check.
if (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'2') <= 0)
  audit(AUDIT_OS_SP_NOT_VULN);

# Locate the system root and the share that exposes it; the version lookup
# cannot proceed if that share is not accessible to the scan.
sysroot = hotfix_get_systemroot();
if (!sysroot)
  exit(1, "Failed to get the system root.");

sysroot_share = hotfix_path2share(path:sysroot);
if (!is_accessible_share(share:sysroot_share))
  audit(AUDIT_SHARE_FAIL, sysroot_share);

# Each call names the fixed Winsrv.dll version for one OS / service pack.
# The two Vista/2008 entries differ only in version and min_version, which
# looks like two servicing branches of the same build (assumption - confirm).
# The || chain stops at the first call that reports a vulnerable file.
# NOTE(review): this compares the file under \system32 only; whether the
# patched DLL is actually loaded (for example after a pending reboot) is not
# examined here.
missing_patch = (
  # Windows Vista / 2008
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Winsrv.dll", version:"6.0.6002.23075", min_version:"6.0.6002.22000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Winsrv.dll", version:"6.0.6002.18804", min_version:"6.0.6002.18000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows 2003 / XP 64-bit
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"Winsrv.dll", version:"5.2.3790.5138", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows XP 32-bit
  hotfix_is_vulnerable(os:"5.1", sp:3, file:"Winsrv.dll", version:"5.1.2600.6368", dir:"\system32", bulletin:bulletin, kb:kb)
);

if (missing_patch)
{
  # Record the missing bulletin in the knowledge base, report the finding,
  # then finish the file-version check before leaving.
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  # No vulnerable file version found: finish the file-version check and
  # audit the host as not affected.
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}