Lucene search
This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.SMB_NT_MS13-086.NASLHistoryOct 09, 2013 - 12:00 a.m.
MS13-086: Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (2885084)
2013-10-0900:00:00
This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
www.tenable.com
14
CVSS2
9.3
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
EPSS
0.846
Percentile
98.6%
The remote Windows host is running a version of Microsoft Office or Microsoft Office Compatibility Pack that is affected by multiple remote code execution vulnerabilities. The vulnerabilities exist in the way that Microsoft Word parses specially crafted files.
An attacker who successfully exploited these issues could take complete control of an affected system and potentially execute remote code.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(70338);
script_version("1.14");
script_cvs_date("Date: 2018/11/15 20:50:31");
script_cve_id("CVE-2013-3891", "CVE-2013-3892");
script_bugtraq_id(62827, 62832);
script_xref(name:"MSFT", value:"MS13-086");
script_xref(name:"MSKB", value:"2827330");
script_xref(name:"MSKB", value:"2827329");
script_xref(name:"MSKB", value:"2826020");
script_name(english:"MS13-086: Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (2885084)");
script_summary(english:"Checks file versions");
script_set_attribute(
attribute:"synopsis",
value:
"The Microsoft Office component installed on the remote host is affected
by multiple remote code execution vulnerabilities."
);
script_set_attribute(
attribute:"description",
value:
"The remote Windows host is running a version of Microsoft Office or
Microsoft Office Compatibility Pack that is affected by multiple remote
code execution vulnerabilities. The vulnerabilities exist in the way
that Microsoft Word parses specially crafted files.
An attacker who successfully exploited these issues could take complete
control of an affected system and potentially execute remote code."
);
script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2013/ms13-086");
script_set_attribute(
attribute:"solution",
value:
"Microsoft has released a set of patches for Office 2003, 2007, and
Office Compatibility Pack."
);
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2013/10/08");
script_set_attribute(attribute:"patch_publication_date", value:"2013/10/08");
script_set_attribute(attribute:"plugin_publication_date", value:"2013/10/09");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office");
script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office_compatibility_pack");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows : Microsoft Bulletins");
script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.");
script_dependencies("office_installed.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
script_require_keys("SMB/MS_Bulletin_Checks/Possible");
script_require_ports(139, 445, "Host/patch_management_checks");
exit(0);
}
include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_reg_query.inc");
include("misc_func.inc");
global_var bulletin, vuln;
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
bulletin = 'MS13-086';
kbs = make_list(
2827330,
2827329,
2826020
);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
# Word
kb = "";
installs = get_kb_list("SMB/Office/Word/*/ProductPath");
if (!isnull(installs))
{
foreach install (keys(installs))
{
version = install - 'SMB/Office/Word/' - '/ProductPath';
path = installs[install];
info = "";
ver = split(version, sep:'.', keep:FALSE);
for (i=0; i<max_index(ver); i++)
ver[i] = int(ver[i]);
# Word 2007
if (
ver[0] == 12 && ver[1] == 0 &&
(
ver[2] < 6683 ||
(ver[2] == 6683 && ver[3] < 5002)
)
)
{
office_sp = get_kb_item("SMB/Office/2007/SP");
if (!isnull(office_sp) && office_sp == 3)
{
info =
'\n Product : Word 2007 SP3' +
'\n File : ' + path +
'\n Installed version : ' + version +
'\n Fixed version : 12.0.6683.5002' + '\n';
kb = "2827330";
}
}
# Word 2003
if (ver[0] == 11 && ver[1] == 0 && ver[2] < 8407)
{
office_sp = get_kb_item("SMB/Office/2003/SP");
if (!isnull(office_sp) && office_sp == 3)
{
info =
'\n Product : Word 2003 SP3' +
'\n File : ' + path +
'\n Installed version : ' + version +
'\n Fixed version : 11.0.8407.0' + '\n';
kb = "2826020";
}
}
if (info)
{
hotfix_add_report(info, bulletin:bulletin, kb:kb);
vuln = TRUE;
}
}
}
# Ensure Office is installed
office_vers = hotfix_check_office_version();
if (!isnull(office_vers))
{
# Ensure we can get common files directory
commonfiles = hotfix_get_officecommonfilesdir(officever:"12.0");
if (commonfiles)
{
# Ensure share is accessible
share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:commonfiles);
if (is_accessible_share(share:share))
{
# Office 2007 SP3
if (office_vers["12.0"])
{
office_sp = get_kb_item("SMB/Office/2007/SP");
if (!isnull(office_sp) && office_sp == 3)
{
path = get_kb_item("SMB/Office/Word/12.0/Path");
if (path)
{
old_report = hotfix_get_report();
check_file = "Wwlib.dll";
if (hotfix_check_fversion(path:path, file:check_file, version:"12.0.6683.5002", min_version:"12.0.0.0") == HCF_OLDER)
{
file = ereg_replace(pattern:"^[A-Za-z]:(.*)", string:path, replace:"\1\" + check_file);
kb_name = "SMB/FileVersions/"+tolower(share-'$')+tolower(str_replace(string:file, find:"\", replace:"/"));
version = get_kb_item(kb_name);
info =
'\n Product : Microsoft Office 2007 SP3' +
'\n File : ' + path + '\\' + check_file +
'\n Installed version : ' + version +
'\n Fixed version : 12.0.6683.5002' + '\n';
hcf_report = '';
hotfix_add_report(old_report + info, bulletin:bulletin, kb:"2827330");
vuln = TRUE;
}
}
}
}
}
}
}
version = '';
installs = get_kb_list("SMB/Office/WordCnv/*/ProductPath");
if (!isnull(installs))
{
foreach install (keys(installs))
{
version = install - 'SMB/Office/WordCnv/' - '/ProductPath';
path = installs[install];
if (path)
{
share = hotfix_path2share(path:path);
if (!is_accessible_share(share:share))
audit(AUDIT_SHARE_FAIL, share);
path = path - '\\Wordconv.exe';
old_report = hotfix_get_report();
check_file = "wordcnv.dll";
if (hotfix_check_fversion(path:path, file:check_file, version:"12.0.6683.5002") == HCF_OLDER)
{
file = ereg_replace(pattern:"^[A-Za-z]:(.*)", string:path, replace:"\1\" + check_file);
kb_name = "SMB/FileVersions/"+tolower(share-'$')+tolower(str_replace(string:file, find:"\", replace:"/"));
kb_name = ereg_replace(pattern:"//"+check_file, replace:"/"+check_file, string:kb_name);
version = get_kb_item(kb_name);
info =
'\n Product : Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats' +
'\n File : ' + path + '\\' + check_file +
'\n Installed version : ' + version +
'\n Fixed version : 12.0.6683.5002' + '\n';
hcf_report = '';
hotfix_add_report(old_report + info, bulletin:bulletin, kb:"2827329");
vuln = TRUE;
}
}
}
}
if (!version)
{
# Additional check if registry key is missing
path = hotfix_get_officecommonfilesdir(officever:"12.0") + "\Microsoft Office\Office12";
kb = "2827329";
if (hotfix_is_vulnerable(file:"wordcnv.dll", version:"12.0.6683.5002", min_version:"12.0.0.0", path:path, bulletin:bulletin, kb:kb)) vuln = TRUE;
}
if (vuln)
{
set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
hotfix_security_hole();
hotfix_check_fversion_end();
exit(0);
}
else
{
hotfix_check_fversion_end();
audit(AUDIT_HOST_NOT, 'affected');
}
| Vendor | Product | Version | CPE |
|---|---|---|---|
| microsoft | office | cpe:/a:microsoft:office | |
| microsoft | office_compatibility_pack | cpe:/a:microsoft:office_compatibility_pack |
Related
openvas
openvas
MS Office Compatibility Pack Remote Code Execution Vulnerabilities (2885084)
2013-10-09 00:00:00
Microsoft Office Word Remote Code Execution Vulnerabilities (2885084)
2013-10-09 00:00:00
Microsoft Office Word Remote Code Execution Vulnerabilities (2885084)
2013-10-09 00:00:00
securityvulns
securityvulns
Microsoft Office multiple security vulnerabilities
2013-10-09 00:00:00
symantec
symantec
Microsoft Word CVE-2013-3891 Remote Memory Corruption Vulnerability
2013-10-08 00:00:00
Microsoft Word CVE-2013-3892 Remote Memory Corruption Vulnerability
2013-10-08 00:00:00
cve
cve
CVE-2013-3891
2013-10-09 14:53:25
CVE-2013-3892
2013-10-09 14:53:25
prion
prion
Memory corruption
2013-10-09 14:53:00
Memory corruption
2013-10-09 14:53:00
nvd
nvd
CVE-2013-3891
2013-10-09 14:53:25
CVE-2013-3892
2013-10-09 14:53:25
checkpoint_advisories
checkpoint_advisories
Microsoft Word File Parsing Memory Corruption (MS13-086; CVE-2013-3891)
2013-10-08 00:00:00
cvelist
cvelist
CVE-2013-3891
2013-10-09 14:44:00
CVE-2013-3892
2013-10-09 14:44:00
threatpost
threatpost
Three New APTs Spotted Piling On IE Zero Day
2013-10-01 15:45:17
CVSS2
9.3
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
EPSS
0.846
Percentile
98.6%
Related for SMB_NT_MS13-086.NASL