Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.SMB_NT_MS16-072.NASL
HistoryJun 14, 2016 - 12:00 a.m.

MS16-072: Security Update for Group Policy (3163622)

2016-06-1400:00:00
This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
90
JSON

The remote Windows host is missing a security update. It is, therefore, affected by an elevation of privilege vulnerability due to a lack of Kerberos authentication for certain calls over LDAP when processing group policy updates. A man-in-the-middle attacker can exploit this vulnerability to create arbitrary group policies and grant a standard user elevated, administrative privileges.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(91600);
  script_version("1.9");
  script_cvs_date("Date: 2019/11/19");

  script_cve_id("CVE-2016-3223");
  script_bugtraq_id(91119);
  script_xref(name:"MSFT", value:"MS16-072");
  script_xref(name:"MSKB", value:"3159398");
  script_xref(name:"MSKB", value:"3163017");
  script_xref(name:"MSKB", value:"3163018");
  script_xref(name:"IAVA", value:"2016-A-0155");

  script_name(english:"MS16-072: Security Update for Group Policy (3163622)");
  script_summary(english:"Checks the version of gpprefcl.dll and gpapi.dll.");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by an elevation of privilege
vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote Windows host is missing a security update. It is,
therefore, affected by an elevation of privilege vulnerability due to
a lack of Kerberos authentication for certain calls over LDAP when
processing  group policy updates. A man-in-the-middle attacker can
exploit this vulnerability to create arbitrary group policies and
grant a standard user elevated, administrative privileges.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2016/ms16-072");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows Vista, 2008, 7,
2008 R2, 2012, 8.1, RT 8.1, 2012 R2, and 10.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-3223");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/06/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/06/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/06/14");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS16-072';
kbs = make_list(
  "3159398",
  "3163017",
  "3163018"
);

if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

productname = get_kb_item_or_exit("SMB/ProductName", exit_code:1);
if ("Windows 8" >< productname && "8.1" >!< productname)
  audit(AUDIT_OS_SP_NOT_VULN);

if (hotfix_check_sp_range(vista:'2', win7:'1', win8:'0', win81:'0', win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if (
  # 10 threshold 2 (aka 1511)
  hotfix_is_vulnerable(os:"10", sp:0, file:'gpprefcl.dll', version:"10.0.10586.420", min_version:"10.0.10586.0", dir:"\system32", bulletin:bulletin, kb:"3163018") ||

  # 10 RTM
  hotfix_is_vulnerable(os:"10", sp:0, file:'gpprefcl.dll', version:"10.0.10240.16942", dir:"\system32", bulletin:bulletin, kb:"3163017") ||

  # Windows 8.1 / Windows Server 2012 R2
  hotfix_is_vulnerable(os:"6.3", sp:0, file:'gpprefcl.dll', version:"6.3.9600.18339", min_version:"6.3.9600.16000", dir:"\system32", bulletin:bulletin, kb:"3159398") ||

  # Windows Server 2012
  hotfix_is_vulnerable(os:"6.2", sp:0, file:'gpprefcl.dll', version:"6.2.9200.21872", min_version:"6.2.9200.16000", dir:"\system32", bulletin:bulletin, kb:"3159398") ||

  # Windows 7 / Server 2008 R2
  hotfix_is_vulnerable(os:"6.1", sp:1, file:'gpprefcl.dll', version:"6.1.7601.23452", min_version:"6.1.7600.16000", dir:"\system32", bulletin:bulletin, kb:"3159398") ||

  # Vista / Windows Server 2008
  hotfix_is_vulnerable(os:"6.0", sp:2, file:'gpapi.dll', version:"6.0.6002.23972", min_version:"6.0.6002.23000", dir:"\system32", bulletin:bulletin, kb:"3159398") ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:'gpapi.dll', version:"6.0.6002.19657", min_version:"6.0.6001.18000", dir:"\system32", bulletin:bulletin, kb:"3159398")
)
{
  set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}
VendorProductVersionCPE
microsoftwindowscpe:/o:microsoft:windows

Related

mskb 4
openvas 1
mscve 1
packetstorm 1
cve 1
exploitpack 1
prion 1
zdt 1
symantec 1
exploitdb 1
kaspersky 2
mskb
mskb
MS16-072: Description of the security update for Group Policy: June 14, 2016
2016-06-14 07:00:00
MS16-072: Security update for Group Policy: June 14, 2016
2016-06-14 00:00:00
Cumulative update for Windows 10: June 14, 2016
2016-06-16 07:00:00
openvas
openvas
Microsoft Windows Group Policy Elevation of Privilege Vulnerability (3163622)
2016-06-15 00:00:00
mscve
mscve
Group Policy Elevation of Privilege Vulnerability
2016-06-14 07:00:00
packetstorm
packetstorm
Microsoft Windows 7 Group Policy Privilege Escalation
2016-08-08 00:00:00
cve
cve
CVE-2016-3223
2016-06-16 01:59:00
exploitpack
exploitpack
Microsoft Windows 7 (x86x64) - Group Policy Privilege Escalation (MS16-072)
2016-08-08 00:00:00
prion
prion
Privilege escalation
2016-06-16 01:59:00
zdt
zdt
Microsoft Windows 7 (x32/x64) - Group Policy Privilege Escalation (MS16-072)
2016-08-08 00:00:00
symantec
symantec
Microsoft Windows Group Policy CVE-2016-3223 Man in the Middle Security Bypass Vulnerability
2016-06-14 00:00:00
exploitdb
exploitdb
Microsoft Windows 7 (x86/x64) - Group Policy Privilege Escalation (MS16-072)
2016-08-08 00:00:00
kaspersky
kaspersky
KLA11911 Multiple vulnerabilites in Microsoft Products (ESU)
2016-06-14 00:00:00
KLA10825 Multiple vulnerabilities in Microsoft Windows
2016-06-14 00:00:00
JSON
Related for SMB_NT_MS16-072.NASL
mskb4openvas1mscve1packetstorm1cve1exploitpack1prion1zdt1symantec1exploitdb1kaspersky2