Lucene search
This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.SMB_NT_MS16-097.NASLHistoryAug 10, 2016 - 12:00 a.m.
MS16-097: Security Update for Microsoft Graphics Component (3177393)
2016-08-1000:00:00
This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
240
The remote Windows host is missing a security update. It is, therefore, affected by multiple vulnerabilities in the Graphics component due to improper handling of embedded fonts by the Windows font library. An unauthenticated, remote attacker can exploit these vulnerabilities, by convincing a user to visit a malicious website or open a specially crafted document file, to execute arbitrary code in the context of the current user.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(92843);
script_version("1.12");
script_set_attribute(attribute:"plugin_modification_date", value:"2020/09/04");
script_cve_id("CVE-2016-3301", "CVE-2016-3303", "CVE-2016-3304");
script_bugtraq_id(92288, 92301, 92302);
script_xref(name:"MSFT", value:"MS16-097");
script_xref(name:"MSKB", value:"3174301");
script_xref(name:"MSKB", value:"3178034");
script_xref(name:"MSKB", value:"3176492");
script_xref(name:"MSKB", value:"3176493");
script_xref(name:"MSKB", value:"3176495");
script_xref(name:"MSKB", value:"3115109");
script_xref(name:"MSKB", value:"3115131");
script_xref(name:"MSKB", value:"3115481");
script_xref(name:"MSKB", value:"3115408");
script_xref(name:"MSKB", value:"3115431");
script_xref(name:"MSKB", value:"3174302");
script_xref(name:"MSKB", value:"3174304");
script_xref(name:"MSKB", value:"3174305");
script_xref(name:"IAVA", value:"2016-A-0205");
script_name(english:"MS16-097: Security Update for Microsoft Graphics Component (3177393)");
script_summary(english:"Checks the file versions.");
script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is affected by multiple vulnerabilities.");
script_set_attribute(attribute:"description", value:
"The remote Windows host is missing a security update. It is,
therefore, affected by multiple vulnerabilities in the Graphics
component due to improper handling of embedded fonts by the Windows
font library. An unauthenticated, remote attacker can exploit these
vulnerabilities, by convincing a user to visit a malicious website or
open a specially crafted document file, to execute arbitrary code in
the context of the current user.");
# https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2016/ms16-097
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?faae7b37");
script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows Vista, 2008, 7,
2008 R2, 2012, 8.1, RT 8.1, 2012 R2, and 10.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-3304");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2016/08/09");
script_set_attribute(attribute:"patch_publication_date", value:"2016/08/09");
script_set_attribute(attribute:"plugin_publication_date", value:"2016/08/10");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
script_set_attribute(attribute:"stig_severity", value:"II");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows : Microsoft Bulletins");
script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl", "office_installed.nasl", "microsoft_lync_server_installed.nasl");
script_require_keys("SMB/MS_Bulletin_Checks/Possible");
script_require_ports(139, 445, "Host/patch_management_checks");
exit(0);
}
include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");
include("install_func.inc");
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
bulletin = 'MS16-097';
kbs = make_list(
"3174301",
"3178034",
"3176492",
"3176493",
"3176495",
"3115109",
"3115131",
"3115481",
"3115408",
"3115431",
"3174302",
"3174304",
"3174305"
);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
arch = get_kb_item_or_exit('SMB/ARCH', exit_code:1);
os = get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
productname = get_kb_item_or_exit("SMB/ProductName", exit_code:1);
if ("Windows 8" >< productname && "Windows 8.1" >!< productname) audit(AUDIT_OS_SP_NOT_VULN);
if (hotfix_check_sp_range(vista:'2', win7:'1', win8:'0', win81:'0', win10:'0') <= 0)
audit(AUDIT_OS_SP_NOT_VULN);
share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
systemroot = hotfix_get_systemroot();
if (!systemroot) audit(AUDIT_PATH_NOT_DETERMINED, 'system root');
port = kb_smb_transport();
login = kb_smb_login();
pass = kb_smb_password();
domain = kb_smb_domain();
if (hotfix_check_fversion_init() == HCF_CONNECT) exit(0, "Unable to create SMB session.");
winsxs = ereg_replace(pattern:'^[A-Za-z]:(.*)', replace:"\1\WinSxS", string:systemroot);
winsxs_share = hotfix_path2share(path:systemroot);
rc = NetUseAdd(login:login, password:pass, domain:domain, share:winsxs_share);
if (rc != 1)
{
NetUseDel();
audit(AUDIT_SHARE_FAIL, winsxs_share);
}
files = list_dir(basedir:winsxs, level:0, dir_pat:"microsoft.windows.gdiplus", file_pat:"^gdiplus\.dll$", max_recurse:1);
if (arch == 'x86')
key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\ApplicabilityEvaluationCache\Package_for_KB3178034~31bf3856ad364e35~x86~~";
else if (arch == 'x64')
key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\ApplicabilityEvaluationCache\Package_for_KB3178034~31bf3856ad364e35~amd64~~";
else key = NULL;
if (!isnull(key))
{
if (os == '6.1') key = key + '6.0.1.1';
else if (os == '6.2') key = key + '6.1.1.1';
else if (os == '6.3') key = key + '6.3.1.0';
else key = NULL;
}
vuln = 0;
function windows_os_is_vuln()
{
# hotfix_check_winsxs opens another share
# we need to save state so our session can be restored
local_var smb_session = make_array(
'login', login,
'password', pass,
'domain', domain,
'share', winsxs_share
);
local_var kb = "3178034";
vuln += hotfix_check_winsxs(
os:'6.0',
sp:2,
files:files,
versions:make_list('5.2.6002.19672', '5.2.6002.23998', '6.0.6002.19672', '6.0.6002.23998'),
max_versions:make_list('5.2.6002.21000', '5.2.6002.99999', '6.0.6002.21000', '6.0.6003.99999'),
bulletin:bulletin,
kb:kb,
key:key,
session:smb_session
);
vuln += hotfix_check_winsxs(os:'6.1', sp:1, files:files, versions:make_list('6.1.7601.23508'), max_versions:make_list('6.1.7601.99999'), bulletin:bulletin, kb:kb, key:key, session:smb_session);
vuln += hotfix_check_winsxs(os:'6.2', sp:0, files:files, versions:make_list('6.2.9200.21926'), max_versions:make_list('6.2.9200.99999'), bulletin:bulletin, kb:kb, key:key, session:smb_session);
vuln += hotfix_check_winsxs(os:'6.3', sp:0, files:files, versions:make_list('6.3.9600.18405'), max_versions:make_list('6.3.9600.99999'), bulletin:bulletin, kb:kb, key:key, session:smb_session);
if (
# 10
hotfix_is_vulnerable(os:"10", sp:0, os_build:"10240", file:"gdiplus.dll", version:"10.0.10240.17071", dir:"\system32", bulletin:bulletin, kb:"3176492") ||
hotfix_is_vulnerable(os:"10", sp:0, os_build:"10586", file:"gdiplus.dll", version:"10.0.10586.545", min_version:"10.0.10586.0", dir:"\system32", bulletin:bulletin, kb:"3176493") ||
hotfix_is_vulnerable(os:"10", sp:0, os_build:"14393", file:"gdiplus.dll", version:"10.0.14393.51", min_version:"10.0.14393.0", dir:"\system32", bulletin:bulletin, kb:"3176495")
) vuln += 1;
}
function office_is_vuln()
{
local_var office_versions, office_sp;
local_var path;
office_versions = hotfix_check_office_version();
if (office_versions["14.0"])
{
office_sp = get_kb_item("SMB/Office/2010/SP");
if (!isnull(office_sp) && office_sp == 2)
{
path = hotfix_append_path(path:hotfix_get_officecommonfilesdir(officever:"14.0"), value:"\Microsoft Shared\Office14");
if (hotfix_check_fversion(file:"Ogl.dll", version:"14.0.7172.5000", min_version:"14.0.0.0", path:path, bulletin:bulletin, kb:"3115131", product:"Microsoft Office 2010 SP2") == HCF_OLDER)
vuln++;
}
}
# 2007 SP3
if (office_versions["12.0"])
{
office_sp = get_kb_item("SMB/Office/2007/SP");
if (office_sp == 3)
{
path = hotfix_append_path(path:hotfix_get_officecommonfilesdir(officever:"12.0"), value:"\Microsoft Shared\Office12");
if (hotfix_check_fversion(file:"Ogl.dll", version:"12.0.6751.5000", min_version:"12.0.0.0", path:path, bulletin:bulletin, kb:'3115109', product:"Microsoft Office 2007 SP3") == HCF_OLDER)
vuln++;
}
}
# Word Viewer
if (!empty_or_null(get_kb_list("SMB/Office/WordViewer/*/ProductPath")))
{
path = hotfix_append_path(path:hotfix_get_officecommonfilesdir(officever:"11.0"), value:"Microsoft Shared\Office11");
if (hotfix_check_fversion(file:"gdiplus.dll", version:"11.0.8432.0", min_version:"11.0.0.0", path:path, bulletin:bulletin, kb:'3115481', product:"Microsoft Word Viewer") == HCF_OLDER)
vuln++;
}
}
function lync_is_vuln()
{
local_var lync_count, lync_installs, lync_install;
lync_count = get_install_count(app_name:"Microsoft Lync");
# Nothing to do
if (int(lync_count) <= 0)
return FALSE;
lync_installs = get_installs(app_name:"Microsoft Lync");
foreach lync_install (lync_installs[1])
{
#if ("Live Meeting 2007 Console" >< lync_install["Product"])
#{
# if (hotfix_check_fversion(file:"pubutil.dll", version:"8.0.6362.252", min_version:"8.0.0.0", path:lync_install["path"], bulletin:bulletin, kb:"3174305", product:"Live Meeting 2007 Console") == HCF_OLDER)
# vuln++;
#}
if (lync_install["version"] =~ "^4\.0\." && "Server" >!< lync_install["Product"])
{
# Lync 2010
if ("Attendee" >!< lync_install["Product"])
{
if (hotfix_check_fversion(file:"communicator.exe", version:"4.0.7577.4510", min_version:"4.0.0.0", path:lync_install["path"], bulletin:bulletin, kb:"3174301", product:"Microsoft Lync 2010") == HCF_OLDER)
vuln++;
}
# Lync 2010 Attendee
else if ("Attendee" >< lync_install["Product"])
{
if ("user level" >< tolower(lync_install["Product"])) # User
{
if (hotfix_check_fversion(file:"MeetingJoinAxAOC.DLL", version:"4.0.7577.4510", min_version:"4.0.0.0", path:lync_install["path"], bulletin:bulletin, kb:"3174302", product:lync_install["Product"]) == HCF_OLDER)
vuln++;
}
else # Admin
{
if (hotfix_check_fversion(file:"MeetingJoinAxAOC.DLL", version:"4.0.7577.4510", min_version:"4.0.0.0", path:lync_install["path"], bulletin:bulletin, kb:"3174304", product:lync_install["Product"]) == HCF_OLDER)
vuln++;
}
}
}
# Lync 2013
else if (lync_install["version"] =~ "^15\.0\." && "Server" >!< lync_install["Product"])
{
if (hotfix_check_fversion(file:"Lync.exe", version:"15.0.4849.1000", min_version:"15.0.4700.1000", path:lync_install["path"], bulletin:bulletin, kb:"3115431", product:"Microsoft Lync 2013 (Skype for Business)") == HCF_OLDER)
vuln++;
}
# Skype for Business 2016
else if (lync_install["version"] =~ "^16\.0\." && "Server" >!< lync_install["Product"])
{
# Office 365 Deferred channel
if (hotfix_check_fversion(file:"Lync.exe", version:"16.0.6001.1087", channel:"Deferred", channel_product:"Lync", path:lync_install["path"], bulletin:bulletin, kb:"3115408", product:"Skype for Business 2016") == HCF_OLDER)
vuln++;
# Office 365 Deferred channel 1602
if (hotfix_check_fversion(file:"Lync.exe", version:"16.0.6741.2063", channel:"Deferred", channel_version:"1602", channel_product:"Lync", path:lync_install["path"], bulletin:bulletin, kb:"3115408", product:"Skype for Business 2016") == HCF_OLDER)
vuln++;
# Office 365 First Release for Deferred channel
if (hotfix_check_fversion(file:"Lync.exe", version:"16.0.6965.2076", channel:"First Release for Deferred", channel_product:"Lync", path:lync_install["path"], bulletin:bulletin, kb:"3115408", product:"Skype for Business 2016") == HCF_OLDER)
vuln++;
# Office 365 Current channel
if (hotfix_check_fversion(file:"Lync.exe", version:"16.0.7070.2036", channel:"Current", channel_product:"Lync", path:lync_install["path"], bulletin:bulletin, kb:"3115408", product:"Skype for Business 2016") == HCF_OLDER)
vuln++;
# KB
if (hotfix_check_fversion(file:"Lync.exe", version:"16.0.4417.1000", channel:"MSI", channel_product:"Lync", path:lync_install["path"], bulletin:bulletin, kb:"3115408", product:"Skype for Business 2016") == HCF_OLDER)
vuln++;
}
}
}
windows_os_is_vuln();
office_is_vuln();
lync_is_vuln();
if (vuln > 0)
{
set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
hotfix_security_hole();
hotfix_check_fversion_end();
exit(0);
}
else
{
hotfix_check_fversion_end();
audit(AUDIT_HOST_NOT, 'affected');
}
Related
openvas
openvas
mskb
mskb
Security update 2016-08-09
2016-08-09 07:00:00
Security update 2016-08-09
2016-08-09 07:00:00
Security update 2016-08-09
2016-08-09 07:00:00
cve
cve
prion
prion
Security feature bypass
2016-08-09 21:59:00
Security feature bypass
2016-08-09 21:59:00
Code injection
2016-08-09 21:59:00
checkpoint_advisories
checkpoint_advisories
kaspersky
kaspersky
KLA10857 Multiple vulnerabilities in Microsoft Office
2016-08-09 00:00:00
KLA11908 Multiple vulnerabilities in Microsoft Products (ESU)
2016-08-09 00:00:00
KLA10856 Multiple vulnerabilities in Microsoft Windows
2016-08-09 00:00:00
symantec
symantec
mscve
mscve
Microsoft Graphics Remote Code Execution Vulnerability
2016-08-09 07:00:00
Microsoft Graphics Remote Code Execution Vulnerability
2016-08-09 07:00:00
Microsoft Graphics Remote Code Execution Vulnerability
2016-08-09 07:00:00
Related for SMB_NT_MS16-097.NASL