MS15-028: Vulnerability in Windows Task Scheduler Could Allow Security Feature Bypass (3030377)

2015-03-10T00:00:00
ID SMB_NT_MS15-028.NASL
Type nessus
Reporter Tenable
Modified 2017-07-24T00:00:00

Description

The remote Windows host is affected by a security bypass vulnerability due to Windows Task Scheduler not properly validating and enforcing impersonation levels. Attackers can exploit this flaw to elevate privileges in order to execute files they have no permission to run.

                                        
                                            #
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(81742);
  script_version("$Revision: 1.6 $");
  script_cvs_date("$Date: 2017/07/24 20:45:40 $");

  script_cve_id("CVE-2015-0084");
  script_bugtraq_id(72913);
  script_osvdb_id(119383);
  script_xref(name:"MSFT", value:"MS15-028");
  script_xref(name:"MSKB", value:"3030377");
  script_xref(name:"IAVB", value:"2015-B-0037");

  script_name(english:"MS15-028: Vulnerability in Windows Task Scheduler Could Allow Security Feature Bypass (3030377)");
  script_summary(english:"Checks the version of ubpm.dll.");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is affected by a security bypass
vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote Windows host is affected by a security bypass vulnerability
due to Windows Task Scheduler not properly validating and enforcing
impersonation levels. Attackers can exploit this flaw to elevate
privileges in order to execute files they have no permission to run.");
  script_set_attribute(attribute:"see_also", value:"https://technet.microsoft.com/library/security/ms15-028");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows 7, 2008 R2, 8,
2012, 8.1, and 2012 R2.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:ND");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/03/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/03/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/03/10");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2015-2017 Tenable Network Security, Inc.");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS15-028';
kb = '3030377';

kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(win7:'1', win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

systemroot = hotfix_get_systemroot();
if (!systemroot) audit(AUDIT_PATH_NOT_DETERMINED, 'system root');

if (
  # Windows 8.1 / Windows Server 2012 R2
  hotfix_is_vulnerable(os:"6.3", sp:0, file:"ubpm.dll", version:"6.3.9600.17671", min_version:"6.3.9600.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows 8 / Windows Server 2012
  hotfix_is_vulnerable(os:"6.2", sp:0, file:"ubpm.dll", version:"6.2.9200.21364", min_version:"6.2.9200.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.2", sp:0, file:"ubpm.dll", version:"6.2.9200.17247", min_version:"6.2.9200.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows 7 SP1 / Server 2008 R2
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"ubpm.dll", version:"6.1.7601.22948", min_version:"6.1.7601.21000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"ubpm.dll", version:"6.1.7601.18741", min_version:"6.1.7600.16000", dir:"\system32", bulletin:bulletin, kb:kb)
)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}