Microsoft Silverlight CVE-2015-6114 Information Disclosure Vulnerability
2015-12-08T00:00:00
ID SMNTC-78502 Type symantec Reporter Symantec Security Response Modified 2015-12-08T00:00:00
Description
Description
Microsoft Silverlight is prone to an information-disclosure vulnerability. Successful exploits will allow attackers to gain access to potentially sensitive information that may aid in further attacks.
Technologies Affected
Microsoft Silverlight 5 Developer Runtime
Microsoft Silverlight 5.0
Recommendations
Run all software as a nonprivileged user with minimal access rights.
When possible, run all software as a user with minimal privileges and limited access to system resources. Use additional precautions such as restrictive environments to insulate software that may potentially handle malicious content.
Deploy network intrusion detection systems to monitor network traffic for malicious activity.
Deploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This may indicate exploit attempts or activity that results from successful exploits.
Do not follow links provided by unknown or untrusted sources.
Web users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.
Updates are available. Please see the references or vendor advisory for more information.
{"hash": "8c34f9ee5f7501701907dd8fe244c700c28e251ed13fa06a342121479c4a0592", "id": "SMNTC-78502", "lastseen": "2018-03-13T12:07:42", "viewCount": 3, "hashmap": [{"hash": "afb97e276a228568f6bada72cd5ab926", "key": "affectedSoftware"}, {"hash": "f9fa10ba956cacf91d7878861139efb9", "key": "bulletinFamily"}, {"hash": "51489ebc1ee623de91e5a95be16c93ad", "key": "cvelist"}, {"hash": "3c236091754d2db00c1c42f811b3ada4", "key": "cvss"}, {"hash": "d01885a0e48746b71d1d226b6759bbef", "key": "description"}, {"hash": "6affdf20a82f3c6fb05e5e87e7d4b49d", "key": "href"}, {"hash": "4783d05d9c31996002206accb4d9274a", "key": "modified"}, {"hash": "4783d05d9c31996002206accb4d9274a", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "d6218597dc7a1b025a781373296b2b63", "key": "reporter"}, {"hash": "747de8f1dddf0822dd982054e9676cc5", "key": "title"}, {"hash": "52e3bbafc627009ac13caff1200a0dbf", "key": "type"}], "bulletinFamily": "software", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "edition": 2, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-6114"]}, {"type": "talos", "idList": ["TALOS-2015-0130"]}, {"type": "nessus", "idList": ["MACOSX_MS15-129.NASL", "SMB_NT_MS15-129.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310806171"]}, {"type": "kaspersky", "idList": ["KLA10717"]}], "modified": "2018-03-13T12:07:42"}, "vulnersScore": 5.0}, "type": "symantec", "description": "### Description\n\nMicrosoft Silverlight is prone to an information-disclosure vulnerability. Successful exploits will allow attackers to gain access to potentially sensitive information that may aid in further attacks.\n\n### Technologies Affected\n\n * Microsoft Silverlight 5 Developer Runtime \n * Microsoft Silverlight 5.0 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nWhen possible, run all software as a user with minimal privileges and limited access to system resources. Use additional precautions such as restrictive environments to insulate software that may potentially handle malicious content.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This may indicate exploit attempts or activity that results from successful exploits.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "title": "Microsoft Silverlight CVE-2015-6114 Information Disclosure Vulnerability", "history": [{"bulletin": {"hash": "185fbea2061bc00fdc24822b51bba896f436b3d1c32e23f134452d6ce9fe81c7", "viewCount": 0, "edition": 1, "lastseen": "2016-09-04T11:41:27", "history": [], "objectVersion": "1.2", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "4783d05d9c31996002206accb4d9274a", "key": "modified"}, {"hash": "4783d05d9c31996002206accb4d9274a", "key": "published"}, {"hash": "3c236091754d2db00c1c42f811b3ada4", "key": "cvss"}, {"hash": "52e3bbafc627009ac13caff1200a0dbf", "key": "type"}, {"hash": "f9fa10ba956cacf91d7878861139efb9", "key": "bulletinFamily"}, {"hash": "3029bf795f4cd3005ac3e499b44c8ad5", "key": "affectedSoftware"}, {"hash": "9be864195e2de21d6f684294d5782cae", "key": "href"}, {"hash": "747de8f1dddf0822dd982054e9676cc5", "key": "title"}, {"hash": "f5efce30664299d4218d0a69a85f50a8", "key": "description"}, {"hash": "51489ebc1ee623de91e5a95be16c93ad", "key": "cvelist"}, {"hash": "d6218597dc7a1b025a781373296b2b63", "key": "reporter"}], "cvelist": ["CVE-2015-6114"], "bulletinFamily": "software", "published": "2015-12-08T00:00:00", "description": "### Description\n\nMicrosoft Silverlight is prone to an information-disclosure vulnerability. Successful exploits will allow attackers to gain access to potentially sensitive information that may aid in further attacks. \n\n### Technologies Affected\n\n * Microsoft Silverlight 5 Developer Runtime\n * Microsoft Silverlight 5.0\n\n### Recommendations\n\n#### Run all software as a nonprivileged user with minimal access rights.\n\nWhen possible, run all software as a user with minimal privileges and limited access to system resources. Use additional precautions such as restrictive environments to insulate software that may potentially handle malicious content.\n\n#### Deploy network intrusion detection systems to monitor network traffic for malicious activity.\n\nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This may indicate exploit attempts or activity that results from successful exploits.\n\n#### Do not follow links provided by unknown or untrusted sources.\n\nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users. \n\nUpdates are available. Please see the references or vendor advisory for more information. \n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "id": "SMNTC-78502", "reporter": "Symantec Security Response", "references": [], "affectedSoftware": [{"version": "5.0", "name": "Microsoft Silverlight", "operator": "eq"}], "title": "Microsoft Silverlight CVE-2015-6114 Information Disclosure Vulnerability", "modified": "2015-12-08T00:00:00", "enchantments": {"score": {"value": 6.4, "modified": "2016-09-04T11:41:27"}}, "href": "https://www.symantec.com/security_response/vulnerability.jsp?bid=78502", "type": "symantec"}, "lastseen": "2016-09-04T11:41:27", "edition": 1, "differentElements": ["description", "href", "affectedSoftware"]}], "objectVersion": "1.3", "cvelist": ["CVE-2015-6114"], "published": "2015-12-08T00:00:00", "references": [], "reporter": "Symantec Security Response", "affectedSoftware": [{"version": "5 Developer Runtime ", "name": "Microsoft Silverlight", "operator": "eq"}, {"version": "5.0 ", "name": "Microsoft Silverlight", "operator": "eq"}], "modified": "2015-12-08T00:00:00", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/78502"}
{"cve": [{"lastseen": "2018-10-13T11:07:00", "bulletinFamily": "NVD", "description": "Microsoft Silverlight 5 before 5.1.41105.00 allows remote attackers to bypass the ASLR protection mechanism via a crafted web site, aka \"Microsoft Silverlight Information Disclosure Vulnerability,\" a different vulnerability than CVE-2015-6165.", "modified": "2018-10-12T18:10:25", "published": "2015-12-09T06:59:06", "id": "CVE-2015-6114", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6114", "title": "CVE-2015-6114", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "talos": [{"lastseen": "2018-08-31T00:36:37", "bulletinFamily": "info", "description": "# Talos Vulnerability Report\n\n### TALOS-2015-0130\n\n## Microsoft .NET Manifest Resource Information Disclosure Vulnerability\n\n##### December 8, 2015\n\n##### CVE Number\n\nCVE-2015-6114\n\n##### Summary\n\nAn exploitable information leak or denial of service vulnerability exists in the manifest resource parsing functionality of the .NET Framework. A specially crafted resource can cause an integer overflow resulting in an out of bounds read which may return arbitrary memory contents or cause the application to unexpectedly terminate. An attacker can supply a corrupted manifest through a .NET or Silverlight assembly, which can be automatically loaded in Internet Explorer or other browsers with the appropriate plugin installed. This vulnerability can be used to crash the program or to return memory contents to assist with bypassing memory hardening mitigations such as ASLR.\n\n##### Tested Versions\n\nMicrosoft Silverlight 5.1.30514.0 \nMicrosoft .NET Framework 4.5.50938\n\n##### Product URLs\n\n[http://www.microsoft.com/](<https://www.microsoft.com/>)\n\n##### CVSSv3 Score\n\n6.1 - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H\n\n##### Details\n\nThe .NET Manifest Resources format is undocumented but to learn about it we use one of source mentioned in references [1] [2]. The resource structure is documented in the following way:\n \n \n +00 : Signature | needs to equal 0xbeefcace\n +04 : Resource Manager header version\n +08 : Reader Type string length [*]\n +0C : Reader String |\n [*] : Resource version\n [*]+4 : Number of resources\n [*]+8 : Number of types\n [ types ]\n [align 8]\n [Resources Name hashes] = Number of resource * DWORD\n [Offsets to resource names] = Number of resource * DWORD\n [..] : Data Section offset\n (...)\n \n\nWe will focus our attention on Number of resources field. An attacker can modify this field to corrupt a pointer in the following way.\n\nVulnerable code appears in ResourceReader class: .net\\coreclr\\src\\mscorlib\\src\\System\\Resources\\ResourceReader.cs This class has multipple constructors, in our scenario we are interested in constructors that assign a value to the _ums field. So it can be :\n \n \n Line 175 public ResourceReader(Stream stream)\n \n\nor\n \n \n Line 197 internal ResourceReader(Stream stream, Dictionary<String, ResourceLocator> resCache)\n \n\nLet\u2019s we analyze the way .NET Manifest Resources structure is parsed. Both constructors call internal _ReadResources method:\n \n \n Line 870 private void _ReadResources()\n {\n (...)\n 933 _numResources = _store.ReadInt32();\n 934 if (_numResources < 0) {\n 935 throw new BadImageFormatException(Environment.GetResourceString(\"BadImageFormat_ResourcesHeaderCorrupted\"));\n 936 }\n (...)\n \n\nNumber of resources is represented by 32bit signed integer variable which value can\u2019t be larger than MAX_INT. Later _numResources is used two times in code to calculate stream offset:\n \n \n 991 else {\n 992 int seekPos = unchecked(4 * _numResources);\n 993 if (seekPos < 0) {\n 994 throw new BadImageFormatException(Environment.GetResourceString(\"BadImageFormat_ResourcesHeaderCorrupted\"));\n 995 }\n 996 unsafe {\n 997 _nameHashesPtr = (int*)_ums.PositionPointer;\n 998 // Skip over the array of nameHashes.\n 999 _ums.Seek(seekPos, SeekOrigin.Current);\n 1000 // get the position pointer once more to check that the whole table is within the stream\n 1001 byte* junk = _ums.PositionPointer;\n 1002 }\n 1003 }\n \n\nYou can see the vulnerable code at line 992 where integer overflow appears, but we won\u2019t focus on it right now, just remember that _nameHashesPtr pointer was initialized here and it points to area where Resources Name hashes(DWORDs) should appears. We observe here also that the programmer planned to check whether pointer is assigned within stream boundaries but ultimately nothing is checked.\n\nSecond usage of _numResources:\n \n \n else {\n int seekPos = unchecked(4 * _numResources);\n if (seekPos < 0) {\n throw new BadImageFormatException(Environment.GetResourceString(\"BadImageFormat_ResourcesHeaderCorrupted\"));\n }\n unsafe {\n _namePositionsPtr = (int*)_ums.PositionPointer;\n // Skip over the array of namePositions.\n _ums.Seek(seekPos, SeekOrigin.Current);\n // get the position pointer once more to check that the whole table is within the stream\n byte* junk = _ums.PositionPointer;\n }\n }\n \n\nThis code containts another integer overflow and lack of checking whether _namePositionsPtr points out-of-bounds. As we know already where and how _numResources and _nameHashesPtr is set and that there is lack of sanitization for these variables, we can run test application with malformed .NET resource manifest and see where it crashes.\n\nIf application has one .NET resource and it\u2019s major resource e.g MainPage.xaml it will be automatically loaded during application start in components initialization method which will trigger the vulnerability:\n \n \n 47 [System.Diagnostics.DebuggerNonUserCodeAttribute()]\n 48 public void InitializeComponent() {\n 49 if (_contentLoaded) {\n 50 return;\n 51 }\n 52 _contentLoaded = true;\n 53 System.Windows.Application.LoadComponent(this, new System.Uri(\"/SilverlightApplication1;component/MainPage.xaml\", System.UriKind.Relative));\n \n\n##### Crash Analysis\n \n \n 1:035> r\n eax=40000000 ebx=20000000 ecx=80be126c edx=20000000 esi=00000000 edi=055b5318\n eip=795a8a9c esp=0037ebe8 ebp=0037ebec iopl=0 nv up ei pl nz na po nc\n cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210200\n mscorlib_ni+0x348a9c:\n 795a8a9c 0fb601 movzx eax,byte ptr [ecx] ds:002b:80be126c=??\n 1:035> !u eip\n preJIT generated code\n System.Resources.ResourceReader.ReadUnalignedI4(Int32*)\n Begin 795a8a9c, size 1f\n >>> 795a8a9c 0fb601 movzx eax,byte ptr [ecx]\n 795a8a9f 0fb65101 movzx edx,byte ptr [ecx+1]\n \n\nAccess violation appears in ReadUnalignedI4 method in the following way:\n \n \n 245 [System.Security.SecurityCritical] // auto-generated\n 246 internal static unsafe int ReadUnalignedI4(int* p)\n 247 {\n 248 byte* buffer = (byte*)p;\n 249 // Unaligned, little endian format\n 250 return buffer[0] | (buffer[1] << 8) | (buffer[2] << 16) | (buffer[3] << 24);\n 251 }\n \n\nTo understand where this *p pointer came from and how its value was calculated let\u2019s we take a look at the call stack:\n \n \n >!dumpstack\n \n System.Resources.ResourceReader.ReadUnalignedI4(Int32*))\n System.Resources.ResourceReader.GetNameHash(Int32)),\n System.Resources.ResourceReader.FindPosForResource(System.String))\n System.Collections.Generic.Dictionary`2[[System.__Canon, mscorlib],[System.Resources.ResourceLocator, mscorlib]].TryGetValue(System.__Canon, System.Resources.ResourceLocator ByRef)),\n System.Resources.RuntimeResourceSet.GetObject(System.String, Boolean, Boolean)),\n System.Resources.RuntimeResourceSet.GetObject(System.String, Boolean)),\n System.Resources.ResourceManager.GetObject(System.String, System.Globalization.CultureInfo, Boolean))\n System.Resources.ResourceManager.GetStream(System.String, System.Globalization.CultureInfo)),\n System.Windows.ResourceManagerWrapper.GetResourceForUri(System.Uri, System.Type)),\n System.Windows.Application.LoadComponent(System.Object, System.Uri)),\n SilverlightApp1.MainPage.InitializeComponent()),\n (...)\n \n\nWe will start our investigation in FindPosForResource method.\n \n \n 316 internal int FindPosForResource(String name)\n 317 {\n 318 Contract.Assert(_store != null, \"ResourceReader is closed!\");\n 319 int hash = FastResourceComparer.HashFunction(name);\n 320 BCLDebug.Log(\"RESMGRFILEFORMAT\", \"FindPosForResource for \"+name+\" hash: \"+hash.ToString(\"x\", CultureInfo.InvariantCulture));\n 321 // Binary search over the hashes. Use the _namePositions array to\n 322 // determine where they exist in the underlying stream.\n 323 int lo = 0;\n 324 int hi = _numResources - 1;\n 325 int index = -1;\n 326 bool success = false;\n 327 while (lo <= hi) {\n 328 index = (lo + hi) >> 1;\n 329 // Do NOT use subtraction here, since it will wrap for large\n 330 // negative numbers.\n 331 int currentHash = GetNameHash(index);\n \n\nThis function is searching for a particular resource name using its hash representation on Line 319. Calculated hash is searched for in the array pointed by _nameHashesPtr which is initialized in the _ReadResources method. Index for this array is calculated based on malformed by us _numResources. In this example we modified the original value of _numResources from 1 to 0x40000001 in the manifest. Setting a breakpoint at the beginning of FindPosForResource method we can easy check it out:\n \n \n eax=055b52c0 ebx=055b2e0c ecx=055b5318 edx=055b3938 esi=ffffffff edi=0037ec88\n eip=795a8c3c esp=0037ec3c ebp=0037ec98 iopl=0 nv up ei pl nz na po nc\n cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202\n mscorlib_ni+0x348c3c:\n 795a8c3c 55 push ebp\n 1:035> !dumpobj ecx\n Name: System.Resources.ResourceReader\n MethodTable: 796f446c\n EEClass: 792a6fd4\n Size: 68(0x44) bytes\n File: C:\\Program Files (x86)\\Microsoft Silverlight\\5.1.30514.0\\mscorlib.dll\n Fields:\n MT Field Offset Type VT Attr Value Name\n 796f40c0 4000f6e 14 ...m.IO.BinaryReader 0 instance 055b535c _store\n 796f42cc 4000f6f 18 ...cator, mscorlib]] 0 instance 055b52e4 _resCache\n 796e737c 4000f70 4 System.Int64 1 instance 188 _nameSectionOffset\n 796e737c 4000f71 c System.Int64 1 instance 211 _dataSectionOffset\n 796cf828 4000f72 1c System.Int32[] 0 instance 00000000 _nameHashes\n 796f8ae8 4000f73 30 PTR 0 instance 00be126c _nameHashesPtr\n 796cf828 4000f74 20 System.Int32[] 0 instance 00000000 _namePositions\n 796f8ae8 4000f75 34 PTR 0 instance 00be1270 _namePositionsPtr\n 796d17d0 4000f76 24 System.Object[] 0 instance 055b5850 _typeTable\n 796cf828 4000f77 28 System.Int32[] 0 instance 055b5860 _typeNamePositions\n 796e71d4 4000f78 38 System.Int32 1 instance 1073741825 _numResources\n 796ee0d4 4000f79 2c ...nagedMemoryStream 0 instance 055b4d04 _ums\n 796e71d4 4000f7a 3c System.Int32 1 instance 2 _version\n \n\nFirst index value calculated will be 0x20000000. Further index is passed to GetNameHash function.\n \n \n 266 [System.Security.SecuritySafeCritical] // auto-generated\n 267 private unsafe int GetNameHash(int index)\n 268 {\n 269 Contract.Assert(index >=0 && index < _numResources, \"Bad index into hash array. index: \"+index);\n 270 Contract.Assert((_ums == null && _nameHashes != null && _nameHashesPtr == null) ||\n 271 (_ums != null && _nameHashes == null && _nameHashesPtr != null), \"Internal state mangled.\");\n 272 if (_ums == null)\n 273 return _nameHashes[index];\n 274 else\n 275 return ReadUnalignedI4(&_nameHashesPtr[index]);\n 276 }\n \n\nAccording to call stack and _ums value which we can observe on ResourceRader object dump above another call is made to ReadUnalignedI4 method where crash appears. Pointer passed to this method as argument is just pointer to element from _nameHashesPtr table. As we can see index argument is used as index into the name hashes array. In this case the corrupted value will point outside array (Resource section/directory) space.\n \n \n 1:035> !dumpobj 055b4d04 //dump of _ums object\n Name: System.IO.UnmanagedMemoryStream\n MethodTable: 796ee0d4\n EEClass: 792a39ac\n Size: 56(0x38) bytes\n File: C:\\Program Files (x86)\\Microsoft Silverlight\\5.1.30514.0\\mscorlib.dll\n Fields:\n MT Field Offset Type VT Attr Value Name\n 796f2674 400123d 3c0 System.IO.Stream 0 shared static Null\n >> Domain:Value 0500a6b0:NotInit 050acb70:NotInit <<\n 796efb84 4001320 24 ...rvices.SafeBuffer 0 instance 00000000 _buffer\n 796f8ae8 4001321 28 PTR 0 instance 00be11bc _mem\n 796e737c 4001322 4 System.Int64 1 instance 1954 _length\n 796e737c 4001323 c System.Int64 1 instance 1954 _capacity\n 796e737c 4001324 14 System.Int64 1 instance 188 _position\n 796e737c 4001325 1c System.Int64 1 instance 0 _offset\n 796cf860 4001326 2c System.Int32 1 instance 1 _access\n 796e6b40 4001327 30 System.Boolean 1 instance 1 _isOpen\n \n\n00be11bc _mem is a pointer to the beginning of .Net Resources Manifest and the _nameHashesPtr should be constrained within the _mem + _length memory boundary.\n \n \n Moment when pointer to hash element is calculated:\n eax=40000000 ebx=20000000 ecx=00be126c edx=20000000 esi=00000000 edi=055b5318\n eip=795a8b26 esp=0037ebec ebp=0037ebec iopl=0 nv up ei pl nz na po nc\n cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202\n mscorlib_ni+0x348b26:\n 795a8b26 8d0c91 lea ecx,[ecx+edx*4]\n \n\nNotice that here the index is multiplied by 4 (sizeof of element in array) which is another place for possible overflow.\n \n \n 1:035> p\n eax=40000000 ebx=20000000 ecx=80be126c edx=20000000 esi=00000000 edi=055b5318\n eip=795a8b29 esp=0037ebec ebp=0037ebec iopl=0 nv up ei pl nz na po nc\n cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202\n mscorlib_ni+0x348b29:\n 795a8b29 e86effffff call mscorlib_ni+0x348a9c (795a8a9c)\n \n\nFinally read access violation appears during read of first byte from calculated pointer:\n \n \n 1:035> p\n (23e8.2504): Access violation - code c0000005 (first chance)\n First chance exceptions are reported before any exception handling.\n This exception may be expected and handled.\n eax=40000000 ebx=20000000 ecx=80be126c edx=20000000 esi=00000000 edi=055b5318\n eip=795a8a9c esp=0037ebe8 ebp=0037ebec iopl=0 nv up ei pl nz na po nc\n cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210202\n mscorlib_ni+0x348a9c:\n 795a8a9c 0fb601 movzx eax,byte ptr [ecx] ds:002b:80be126c=??\n \n FAULTING_IP:\n mscorlib_ni+348a9c\n 795a8a9c 0fb601 movzx eax,byte ptr [ecx]\n \n EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)\n ExceptionAddress: 795a8a9c (mscorlib_ni+0x00348a9c)\n ExceptionCode: c0000005 (Access violation)\n ExceptionFlags: 00000000\n NumberParameters: 2\n Parameter[0]: 00000000\n Parameter[1]: 80be126c\n Attempt to read from address 80be126c\n \n FAULTING_THREAD: 00002504\n \n DEFAULT_BUCKET_ID: WRONG_SYMBOLS\n \n PROCESS_NAME: plugin-container.exe\n \n ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod 0x%08lx odwo\n \n EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod 0x%08lx odwo\n \n EXCEPTION_PARAMETER1: 00000000\n \n EXCEPTION_PARAMETER2: 80be126c\n \n READ_ADDRESS: 80be126c\n \n FOLLOWUP_IP:\n mscorlib_ni+348a9c\n 795a8a9c 0fb601 movzx eax,byte ptr [ecx]\n \n NTGLOBALFLAG: 470\n \n APPLICATION_VERIFIER_FLAGS: 0\n \n APP: plugin-container.exe\n \n MANAGED_STACK:\n (TransitionMU)\n 0037EBE8 795A8A9C mscorlib_ni!System.Resources.ResourceReader.ReadUnalignedI4(Int32*)\n 0037EBEC 795A8B2E mscorlib_ni!System.Resources.ResourceReader.GetNameHash(Int32)+0x22\n 0037EBF4 795A8C88 mscorlib_ni!System.Resources.ResourceReader.FindPosForResource(System.String)+0x4c\n 0037EC40 795A6774 mscorlib_ni!System.Resources.RuntimeResourceSet.GetObject(System.String, Boolean, Boolean)+0xb8\n 0037ECA8 795A646D mscorlib_ni!System.Resources.RuntimeResourceSet.GetObject(System.String, Boolean)+0xd\n 0037ECB0 795A3057 mscorlib_ni!System.Resources.ResourceManager.GetObject(System.String, System.Globalization.CultureInfo, Boolean)+0xc7\n 0037ECF4 795A3163 mscorlib_ni!System.Resources.ResourceManager.GetStream(System.String, System.Globalization.CultureInfo)+0x13\n 0037ED08 56E28AB7 System_Windows_ni!System.Windows.ResourceManagerWrapper.GetResourceForUri(System.Uri, System.Type)+0x197\n 0037ED4C 56E0604A System_Windows_ni!System.Windows.Application.LoadComponent(System.Object, System.Uri)+0x17a\n 0037ED90 00BF02C6 UNKNOWN!Inplay.Page.InitializeComponent()+0x8e\n 0037EDD8 00BF0217 UNKNOWN!Inplay.Page..ctor(System.Collections.Generic.IDictionary`2<System.String,System.String>)+0xc7\n 0037EDEC 00BF0126 UNKNOWN!Inplay.Application.Application_Startup(System.Object, System.Windows.StartupEventArgs)+0x5e\n 0037EE0C 56E27053 System_Windows_ni!MS.Internal.CoreInvokeHandler.InvokeEventHandler(UInt32, System.Delegate, System.Object, System.Object)+0x3d3\n 0037EE38 56E052A9 System_Windows_ni!MS.Internal.JoltHelper.FireEvent(IntPtr, IntPtr, Int32, Int32, System.String, UInt32)+0x38d\n 0037EE88 56EA0A59 System_Windows_ni!DomainNeutralILStubClass.IL_STUB_ReversePInvoke(Int32, Int32, Int32, Int32, IntPtr, Int32)+0x61\n (TransitionUM)\n \n MANAGED_STACK_COMMAND: _EFN_StackTrace\n \n LAST_CONTROL_TRANSFER: from 795a8c88 to 795a8a9c\n \n PRIMARY_PROBLEM_CLASS: WRONG_SYMBOLS\n \n BUGCHECK_STR: APPLICATION_FAULT_WRONG_SYMBOLS\n \n STACK_TEXT:\n 0037ebe8 00000000 unknown.dll!Inplay.Page.InitializeComponent+0x8e\n 0037ebec 00000000 unknown.dll!Inplay.Page.InitializeComponent+0x8e\n 0037ebf4 00000000 unknown.dll!Inplay.Page.InitializeComponent+0x8e\n 0037ec40 00000000 unknown.dll!Inplay.Page.InitializeComponent+0x8e\n 0037eca8 00000000 unknown.dll!Inplay.Page.InitializeComponent+0x8e\n 0037ecb0 00000000 unknown.dll!Inplay.Page.InitializeComponent+0x8e\n 0037ecf4 00000000 unknown.dll!Inplay.Page.InitializeComponent+0x8e\n 0037ed08 00000000 unknown.dll!Inplay.Page.InitializeComponent+0x8e\n 0037ed4c 00000000 unknown.dll!Inplay.Page.InitializeComponent+0x8e\n 0037ed90 00000000 unknown.dll!Inplay.Page.InitializeComponent+0x8e\n 0037edd8 00000000 unknown.dll!Inplay.Page..ctor+0xc7\n 0037edec 00000000 unknown.dll!Inplay.Application.Application_Startup+0x5e\n 0037ee0c 56e27053 system_windows_ni!MS.Internal.CoreInvokeHandler.InvokeEventHandler+0x3d3\n 0037ee38 56e052a9 system_windows_ni!MS.Internal.JoltHelper.FireEvent+0x38d\n 0037ee88 56ea0a59 system_windows_ni!DomainNeutralILStubClass.IL_STUB_ReversePInvoke+0x61\n \n \n SYMBOL_STACK_INDEX: 0\n \n SYMBOL_NAME: unknown.dll!Inplay.Page.InitializeComponent\n \n FOLLOWUP_NAME: MachineOwner\n \n MODULE_NAME: unknown\n \n IMAGE_NAME: unknown.dll\n \n DEBUG_FLR_IMAGE_TIMESTAMP: 0\n \n STACK_COMMAND: _EFN_StackTrace ; ** Pseudo Context ** ; kb\n \n FAILURE_BUCKET_ID: WRONG_SYMBOLS_c0000005_unknown.dll!Inplay.Page.InitializeComponent\n \n BUCKET_ID: APPLICATION_FAULT_WRONG_SYMBOLS_unknown.dll!Inplay.Page.InitializeComponent\n \n Followup: MachineOwner\n \n\n* * *\n\n##### References\n\n[1] <http://www.codeproject.com/Articles/12096/NET-Manifest-Resources> \n[2] <https://github.com/dotnet/coreclr>\n\n##### Timeline\n\n2015-05-08 - Vendor Disclosure \n2015-12-08 - Public Disclosure\n\n##### Credit\n\nMarcin \u2018Icewall\u2019 Noga of Cisco Talos\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2016-0066\n\nPrevious Report\n\nTALOS-2015-0069\n", "modified": "2015-12-08T00:00:00", "published": "2015-12-08T00:00:00", "id": "TALOS-2015-0130", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2015-0130", "title": "Microsoft .NET Manifest Resource Information Disclosure Vulnerability", "type": "talos", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "kaspersky": [{"lastseen": "2019-03-21T00:15:16", "bulletinFamily": "info", "description": "### *Detect date*:\n12/08/2015\n\n### *Severity*:\nHigh\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Microsoft Silverlight. Malicious users can exploit these vulnerabilities to execute arbitrary code or bypass security restrictions.\n\n### *Affected products*:\nMicrosoft Silverlight 5\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2015-6114](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-6114>) \n[CVE-2015-6166](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-6166>) \n[CVE-2015-6165](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-6165>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Silverlight](<https://threats.kaspersky.com/en/product/Microsoft-Silverlight/>)\n\n### *CVE-IDS*:\n[CVE-2015-6114](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6114>)4.3High \n[CVE-2015-6166](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6166>)9.3High \n[CVE-2015-6165](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6165>)4.3High\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[3106614](<http://support.microsoft.com/kb/3106614>)", "modified": "2019-03-07T00:00:00", "published": "2015-12-08T00:00:00", "id": "KLA10717", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10717", "title": "\r KLA10717Multiple vulnerabilities in Microsoft Silverlight ", "type": "kaspersky", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-02-21T01:25:35", "bulletinFamily": "scanner", "description": "The version of Microsoft Silverlight installed on the remote Mac OS X host is affected by the following vulnerabilities :\n\n - Multiple information disclosure vulnerabilities exist due to a failure to properly handle objects in memory.\n An attacker can exploit these issues, via crafted Silverlight content, to more reliably predict pointer values and thus degrade the effectiveness of the Address Space Layout Randomization (ASLR) security feature, allowing the system to be further compromised.\n (CVE-2015-6114, CVE-2015-6165)\n\n - A remote code execution vulnerability exists due to incorrect handling of certain open and close requests, which result in read and write access violations. A remote attacker can exploit this vulnerability, via a specially crafted Silverlight application, to gain privileges and take complete control of the affected host. (CVE-2015-6166)", "modified": "2018-07-14T00:00:00", "id": "MACOSX_MS15-129.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=87251", "published": "2015-12-08T00:00:00", "title": "MS15-129: Security Update for Silverlight to Address Remote Code Execution (3106614) (Mac OS X)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(87251);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/07/14 1:59:36\");\n\n script_cve_id(\"CVE-2015-6114\", \"CVE-2015-6165\", \"CVE-2015-6166\");\n script_xref(name:\"MSFT\", value:\"MS15-129\");\n script_xref(name:\"MSKB\", value:\"3106614\");\n\n script_name(english:\"MS15-129: Security Update for Silverlight to Address Remote Code Execution (3106614) (Mac OS X)\");\n script_summary(english:\"Checks the version of Microsoft Silverlight.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A multimedia application framework installed on the remote Mac OS X\nhost is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Microsoft Silverlight installed on the remote Mac OS X\nhost is affected by the following vulnerabilities :\n\n - Multiple information disclosure vulnerabilities exist\n due to a failure to properly handle objects in memory.\n An attacker can exploit these issues, via crafted\n Silverlight content, to more reliably predict pointer\n values and thus degrade the effectiveness of the Address\n Space Layout Randomization (ASLR) security feature,\n allowing the system to be further compromised.\n (CVE-2015-6114, CVE-2015-6165)\n\n - A remote code execution vulnerability exists due to\n incorrect handling of certain open and close requests,\n which result in read and write access violations. A\n remote attacker can exploit this vulnerability, via a\n specially crafted Silverlight application, to gain\n privileges and take complete control of the affected\n host. (CVE-2015-6166)\");\n script_set_attribute(attribute:\"see_also\", value:\"http://technet.microsoft.com/en-us/security/bulletin/ms15-129\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Silverlight 5.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/12/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/12/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/12/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:silverlight\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"macosx_silverlight_installed.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/MacOSX/Version\", \"MacOSX/Silverlight/Installed\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nkb_base = \"MacOSX/Silverlight\";\nget_kb_item_or_exit(kb_base+\"/Installed\");\npath = get_kb_item_or_exit(kb_base+\"/Path\", exit_code:1);\nversion = get_kb_item_or_exit(kb_base+\"/Version\", exit_code:1);\n\n\nbulletin = \"MS15-129\";\nkb = \"3106614\";\n\nfixed_version = \"5.1.41105.0\";\nif (version =~ \"^5\\.\" && ver_compare(ver:version, fix:fixed_version, strict:FALSE) < 0)\n{\n if (defined_func(\"report_xml_tag\")) report_xml_tag(tag:bulletin, value:kb);\n\n if (report_verbosity > 0)\n {\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed_version +\n '\\n';\n security_hole(port:0, extra:report);\n }\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, \"Microsoft Silverlight\", version);\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:25:35", "bulletinFamily": "scanner", "description": "The version of Microsoft Silverlight installed on the remote Windows host is affected by the following vulnerabilities :\n\n - Multiple information disclosure vulnerabilities exist due to a failure to properly handle objects in memory.\n An attacker can exploit these issues, via crafted Silverlight content, to more reliably predict pointer values and thus degrade the effectiveness of the Address Space Layout Randomization (ASLR) security feature, allowing the system to be further compromised.\n (CVE-2015-6114, CVE-2015-6165)\n\n - A remote code execution vulnerability exists due to incorrect handling of certain open and close requests, which result in read and write access violations. A remote attacker can exploit this vulnerability, via a specially crafted Silverlight application, to gain privileges and take complete control of the affected host. (CVE-2015-6166)", "modified": "2018-11-15T00:00:00", "id": "SMB_NT_MS15-129.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=87258", "published": "2015-12-08T00:00:00", "title": "MS15-129: Security Update for Silverlight to Address Remote Code Execution (3106614)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(87258);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2018/11/15 20:50:31\");\n\n script_cve_id(\"CVE-2015-6114\", \"CVE-2015-6165\", \"CVE-2015-6166\");\n script_bugtraq_id(78502, 78504, 78505);\n script_xref(name:\"MSFT\", value:\"MS15-129\");\n script_xref(name:\"MSKB\", value:\"3106614\");\n\n script_name(english:\"MS15-129: Security Update for Silverlight to Address Remote Code Execution (3106614)\");\n script_summary(english:\"Checks the version of Microsoft Silverlight.exe.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A multimedia application framework installed on the remote Windows\nhost is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Microsoft Silverlight installed on the remote Windows\nhost is affected by the following vulnerabilities :\n\n - Multiple information disclosure vulnerabilities exist\n due to a failure to properly handle objects in memory.\n An attacker can exploit these issues, via crafted\n Silverlight content, to more reliably predict pointer\n values and thus degrade the effectiveness of the Address\n Space Layout Randomization (ASLR) security feature,\n allowing the system to be further compromised.\n (CVE-2015-6114, CVE-2015-6165)\n\n - A remote code execution vulnerability exists due to\n incorrect handling of certain open and close requests,\n which result in read and write access violations. A\n remote attacker can exploit this vulnerability, via a\n specially crafted Silverlight application, to gain\n privileges and take complete control of the affected\n host. (CVE-2015-6166)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2015/ms15-129\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Silverlight 5.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/12/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/12/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/12/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:silverlight\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"silverlight_detect.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS15-129';\nkb = \"3106614\";\n\nkbs = make_list(kb);\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\n\n# Silverlight 5.x\nver = get_kb_item(\"SMB/Silverlight/Version\");\nif (isnull(ver)) audit(AUDIT_NOT_INST, \"Silverlight\");\nif (ver !~ \"^5\\.\") audit(AUDIT_NOT_INST, \"Silverlight 5\");\n\nfix = \"5.1.41105.0\";\nif (ver_compare(ver:ver, fix:fix) == -1)\n{\n path = get_kb_item(\"SMB/Silverlight/Path\");\n if (isnull(path)) path = 'n/a';\n\n report +=\n '\\n Path : ' + path +\n '\\n Installed version : ' + ver +\n '\\n Fixed version : ' + fix +\n '\\n';\n hotfix_add_report(report, bulletin:bulletin, kb:kb);\n\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2018-10-22T16:40:05", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft Bulletin MS15-129.", "modified": "2018-10-12T00:00:00", "published": "2015-12-09T00:00:00", "id": "OPENVAS:1361412562310806171", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310806171", "title": "Microsoft Silverlight Remote Code Execution Vulnerability (3106614)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_silverlight_ms15-129.nasl 11872 2018-10-12 11:22:41Z cfischer $\n#\n# Microsoft Silverlight Remote Code Execution Vulnerability (3106614)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:microsoft:silverlight\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.806171\");\n script_version(\"$Revision: 11872 $\");\n script_cve_id(\"CVE-2015-6114\", \"CVE-2015-6165\", \"CVE-2015-6166\");\n script_bugtraq_id(78502, 78504, 78505);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 13:22:41 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-12-09 09:21:22 +0530 (Wed, 09 Dec 2015)\");\n script_name(\"Microsoft Silverlight Remote Code Execution Vulnerability (3106614)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft Bulletin MS15-129.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to improper memory\n operations performed by the affected software while handling content with\n crafted TrueType fonts.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers\n to execute arbitrary code in the context of the vulnerable application. Failed\n exploit attempts will result in a denial-of-service condition.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Silverlight version 5 on Windows.\");\n\n script_tag(name:\"solution\", value:\"Run Windows Update and update the\n listed hotfixes or download and install the hotfixes from the referenced advisory.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/MS15-129\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/3106614#bookmark-fileinfo\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"gb_ms_silverlight_detect.nasl\");\n script_mandatory_keys(\"Microsoft/Silverlight/Installed\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/MS15-080\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!msl_ver = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(msl_ver=~ \"^5\\.\")\n{\n if(version_in_range(version:msl_ver, test_version:\"5.0\", test_version2:\"5.1.41104.0\"))\n {\n report = 'Silverlight version: ' + msl_ver + '\\n' +\n 'Vulnerable range: 5.0 - 5.1.41104.0' + '\\n' ;\n security_message(data:report);\n exit(0);\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
