Microsoft Windows JScript & VBScript Security Bypass Vulnerability (3057263)

2015-05-1300:00:00

plugins.openvas.org

6.2 Medium

AI Score

Confidence

Low

0.927 High

EPSS

Percentile

99.0%

JSON

This host is missing an important security
update according to Microsoft Bulletin MS15-053.

# SPDX-FileCopyrightText: 2015 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

CPE = "cpe:/a:microsoft:ie";

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.805614");
  script_version("2023-07-25T05:05:58+0000");
  script_cve_id("CVE-2015-1684", "CVE-2015-1686");
  script_tag(name:"cvss_base", value:"4.3");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:P/I:N/A:N");
  script_tag(name:"last_modification", value:"2023-07-25 05:05:58 +0000 (Tue, 25 Jul 2023)");
  script_tag(name:"creation_date", value:"2015-05-13 11:43:10 +0530 (Wed, 13 May 2015)");
  script_name("Microsoft Windows JScript & VBScript Security Bypass Vulnerability (3057263)");

  script_tag(name:"summary", value:"This host is missing an important security
  update according to Microsoft Bulletin MS15-053.");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");

  script_tag(name:"insight", value:"Flaw exists as the JScript and VBScript
  engines fails to use the Address Space Layout Randomization (ASLR) security
  feature, allowing an attacker to more reliably predict the memory offsets of
  specific instructions in a given call stack.");

  script_tag(name:"impact", value:"Successful exploitation will allow a
  context-dependent attacker to bypass certain security restrictions and execute
  arbitrary code in conjunction with some another vulnerability.");

  script_tag(name:"affected", value:"- Microsoft Windows 2003 x32/x64 Service Pack 2 and prior

  - Microsoft Windows Vista x32/x64 Service Pack 2 and prior

  - Microsoft Windows Server 2008 x32/x64 Service Pack 2 and prior");

  script_tag(name:"solution", value:"The vendor has released updates. Please see the references for more information.");

  script_tag(name:"solution_type", value:"VendorFix");

  script_tag(name:"qod_type", value:"executable_version");

  script_xref(name:"URL", value:"https://support.microsoft.com/kb/3050946");
  script_xref(name:"URL", value:"http://www.securityfocus.com/bid/74530");
  script_xref(name:"URL", value:"http://www.securityfocus.com/bid/74522");
  script_xref(name:"URL", value:"https://support.microsoft.com/kb/3050941");
  script_xref(name:"URL", value:"https://support.microsoft.com/kb/3050945");
  script_xref(name:"URL", value:"https://technet.microsoft.com/library/security/MS15-053");

  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2015 Greenbone AG");
  script_family("Windows : Microsoft Bulletins");
  script_dependencies("smb_reg_service_pack.nasl", "gb_ms_ie_detect.nasl");
  script_require_ports(139, 445);
  script_mandatory_keys("MS/IE/Version");
  exit(0);
}


include("smb_nt.inc");
include("host_details.inc");
include("secpod_reg.inc");
include("version_func.inc");
include("secpod_smb_func.inc");

if(hotfix_check_sp(win2003:3, win2003x64:3, winVista:3, win2008:3) <= 0){
  exit(0);
}

sysPath = smb_get_systemroot();
if(!sysPath ){
  exit(0);
}

ieVer = get_app_version(cpe:CPE);
if(ieVer =~ "^(8|9|10|11)"){
  exit(0);
}

v_dllVer = fetch_file_version(sysPath:sysPath, file_name:"system32\Vbscript.dll");
if(!v_dllVer){
  exit(0);
}

j_dllVer = fetch_file_version(sysPath:sysPath, file_name:"system32\Jscript.dll");
if(!j_dllVer){
  exit(0);
}

if(hotfix_check_sp(win2003:3, win2003x64:3) > 0)
{
  if((version_in_range(version:v_dllVer, test_version:"5.6", test_version2:"5.6.0.8854")) ||
     (version_in_range(version:v_dllVer, test_version:"5.7.6002.23000", test_version2:"5.7.6002.23658")) ||
     (version_in_range(version:j_dllVer, test_version:"5.6", test_version2:"5.6.0.8854")) ||
     (version_in_range(version:j_dllVer, test_version:"5.7.6002.23000", test_version2:"5.7.6002.23658"))){
    security_message( port: 0, data: "The target host was found to be vulnerable" );
  }
  exit(0);
}

## Currently not supporting for Vista and Windows Server 2008 64 bit
if(hotfix_check_sp(win2008:3) > 0)
{
  if((version_in_range(version:v_dllVer, test_version:"5.8.7601.17000", test_version2:"5.8.7601.18810")) ||
     (version_in_range(version:v_dllVer, test_version:"5.8.7601.21000", test_version2:"5.8.7601.23015")) ||
     (version_in_range(version:v_dllVer, test_version:"5.7", test_version2:"5.7.6002.19350")) ||
     (version_in_range(version:v_dllVer, test_version:"5.7.6002.23000", test_version2:"5.7.6002.23658")) ||
     (version_in_range(version:j_dllVer, test_version:"5.8.7601.17000", test_version2:"5.8.7601.18810")) ||
     (version_in_range(version:j_dllVer, test_version:"5.8.7601.21000", test_version2:"5.8.7601.23015")) ||
     (version_in_range(version:j_dllVer, test_version:"5.7", test_version2:"5.7.6002.19350")) ||
     (version_in_range(version:j_dllVer, test_version:"5.7.6002.23000", test_version2:"5.7.6002.23658"))){
    security_message( port: 0, data: "The target host was found to be vulnerable" );
  }
  exit(0);
}


if(hotfix_check_sp(winVista:3) > 0)
{
  if((version_in_range(version:v_dllVer, test_version:"5.7", test_version2:"5.7.6002.19350")) ||
     (version_in_range(version:v_dllVer, test_version:"5.7.6002.23000", test_version2:"5.7.6002.23658")) ||
     (version_in_range(version:j_dllVer, test_version:"5.7", test_version2:"5.7.6002.19350")) ||
     (version_in_range(version:j_dllVer, test_version:"5.7.6002.23000", test_version2:"5.7.6002.23658"))){
    security_message( port: 0, data: "The target host was found to be vulnerable" );
  }
  exit(0);
}