Microsoft Internet Explorer RDP ActiveX Control Remote Code Execution Vulnerability
2013-05-10T00:00:00
ID ZDI-13-065 Type zdi Reporter c1d2d9acc746ae45eeb477b97fa74688 Modified 2013-11-09T00:00:00
Description
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within Remote Desktop ActiveX control. By manipulating TransportSettings or AdvancedSettings, an attacker can force a dangling pointer to be reused after it has been freed. An attacker can leverage this to gain code execution in the context of the current user.
{"enchantments": {"score": {"value": 9.3, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-1296"]}, {"type": "symantec", "idList": ["SMNTC-58874"]}, {"type": "seebug", "idList": ["SSV:60731"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310901217", "OPENVAS:901217"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:13003"]}, {"type": "nessus", "idList": ["SMB_NT_MS13-029.NASL"]}], "modified": "2016-11-09T00:17:59"}, "vulnersScore": 9.3}, "edition": 2, "href": "http://www.zerodayinitiative.com/advisories/ZDI-13-065", "modified": "2013-11-09T00:00:00", "published": "2013-05-10T00:00:00", "history": [{"differentElements": ["modified"], "edition": 1, "lastseen": "2016-09-04T11:33:45", "bulletin": {"published": "2013-05-10T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-13-065", "modified": "2013-09-04T00:00:00", "edition": 1, "history": [], "bulletinFamily": "info", "viewCount": 0, "objectVersion": "1.2", "hash": "25fe2f0af637c2a947c8fb7e04dbf2e8f1d13809ac2e12c8226170a191c8524f", "title": "Microsoft Internet Explorer RDP ActiveX Control Remote Code Execution Vulnerability", "references": ["http://technet.microsoft.com/en-us/security/bulletin/ms13-029"], "cvelist": ["CVE-2013-1296"], "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within Remote Desktop ActiveX control. By manipulating TransportSettings or AdvancedSettings, an attacker can force a dangling pointer to be reused after it has been freed. An attacker can leverage this to gain code execution in the context of the current user.", "type": "zdi", "id": "ZDI-13-065", "lastseen": "2016-09-04T11:33:45", "reporter": "c1d2d9acc746ae45eeb477b97fa74688", "hashmap": [{"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "3dd086b59554fe33c1b8f051475b4b31", "key": "type"}, {"hash": "de25676891f23b04ab869e6e7840e9a3", "key": "modified"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "4c9bb1dcbf696bc255481ded310eeba3", "key": "title"}, {"hash": "57baa7bd33e9a42a11526a63dc32bdca", "key": "href"}, {"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "5cda424f9f398c331477b6cb93b960c7", "key": "published"}, {"hash": "dd7766abf0d4322c692ea9f72670a80d", "key": "reporter"}, {"hash": "d06152115dc2b7456b806ae7b0fe9acd", "key": "references"}, {"hash": "8ad3ab98669e25e6994b50a38e0dcbe7", "key": "description"}, {"hash": "9c7d000161441bfb23b08402d897624a", "key": "cvelist"}], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}}], "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within Remote Desktop ActiveX control. By manipulating TransportSettings or AdvancedSettings, an attacker can force a dangling pointer to be reused after it has been freed. An attacker can leverage this to gain code execution in the context of the current user.", "bulletinFamily": "info", "viewCount": 1, "objectVersion": "1.2", "hash": "5a7376b435f38f49a18b97106888705bb9dfebf9099e7b78c81767a84388056b", "title": "Microsoft Internet Explorer RDP ActiveX Control Remote Code Execution Vulnerability", "references": ["http://technet.microsoft.com/en-us/security/bulletin/ms13-029"], "cvelist": ["CVE-2013-1296"], "type": "zdi", "id": "ZDI-13-065", "lastseen": "2016-11-09T00:17:59", "reporter": "c1d2d9acc746ae45eeb477b97fa74688", "hashmap": [{"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "9c7d000161441bfb23b08402d897624a", "key": "cvelist"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "8ad3ab98669e25e6994b50a38e0dcbe7", "key": "description"}, {"hash": "57baa7bd33e9a42a11526a63dc32bdca", "key": "href"}, {"hash": "b7fd0bad9a3db89554b13b658b53fddb", "key": "modified"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "5cda424f9f398c331477b6cb93b960c7", "key": "published"}, {"hash": "d06152115dc2b7456b806ae7b0fe9acd", "key": "references"}, {"hash": "dd7766abf0d4322c692ea9f72670a80d", "key": "reporter"}, {"hash": "4c9bb1dcbf696bc255481ded310eeba3", "key": "title"}, {"hash": "3dd086b59554fe33c1b8f051475b4b31", "key": "type"}], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}
{"cve": [{"lastseen": "2018-10-13T11:06:05", "bulletinFamily": "NVD", "description": "The Remote Desktop ActiveX control in mstscax.dll in Microsoft Remote Desktop Connection Client 6.1 and 7.0 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code via a web page that triggers access to a deleted object, and allows remote RDP servers to execute arbitrary code via unspecified vectors that trigger access to a deleted object, aka \"RDP ActiveX Control Remote Code Execution Vulnerability.\"", "modified": "2018-10-12T18:04:06", "published": "2013-04-09T18:55:01", "id": "CVE-2013-1296", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1296", "title": "CVE-2013-1296", "type": "cve", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "symantec": [{"lastseen": "2018-03-12T10:28:22", "bulletinFamily": "software", "description": "### Description\n\nThe Microsoft Remote Desktop ActiveX control is prone to a remote code-execution vulnerability. An attacker can exploit this issue by enticing an unsuspecting user to view a malicious webpage. Successful exploits will allow the attacker to execute arbitrary code within the context of the application (typically Internet Explorer) that uses the ActiveX control.\n\n### Technologies Affected\n\n * Avaya Aura Conferencing 6.0 SP1 Standard \n * Avaya Aura Conferencing 6.0.0 Standard \n * Avaya CallPilot 4.0 \n * Avaya CallPilot 4.0.1 \n * Avaya CallPilot 5.0 \n * Avaya CallPilot 5.0.1 \n * Avaya CallPilot \n * Avaya Communication Server 1000 Telephony Manager 3.0 \n * Avaya Communication Server 1000 Telephony Manager 3.0.1 \n * Avaya Communication Server 1000 Telephony Manager 4.0 \n * Avaya Communication Server 1000 Telephony Manager 4.0.1 \n * Avaya Communication Server 1000 Telephony Manager \n * Avaya Meeting Exchange - Client Registration Server 5.0 \n * Avaya Meeting Exchange - Client Registration Server 5.0.1 \n * Avaya Meeting Exchange - Client Registration Server 5.2 \n * Avaya Meeting Exchange - Client Registration Server 5.2.1 \n * Avaya Meeting Exchange - Client Registration Server \n * Avaya Meeting Exchange - Recording Server 5.0 \n * Avaya Meeting Exchange - Recording Server 5.0.1 \n * Avaya Meeting Exchange - Recording Server 5.2 \n * Avaya Meeting Exchange - Recording Server 5.2.1 \n * Avaya Meeting Exchange - Recording Server \n * Avaya Meeting Exchange - Streaming Server 5.0 \n * Avaya Meeting Exchange - Streaming Server 5.0 \n * Avaya Meeting Exchange - Streaming Server 5.0.1 \n * Avaya Meeting Exchange - Streaming Server 5.2 \n * Avaya Meeting Exchange - Streaming Server 5.2.1 \n * Avaya Meeting Exchange - Streaming Server \n * Avaya Meeting Exchange - Web Conferencing Server 5.0 \n * Avaya Meeting Exchange - Web Conferencing Server 5.0.1 \n * Avaya Meeting Exchange - Web Conferencing Server 5.2 \n * Avaya Meeting Exchange - Web Conferencing Server 5.2.1 \n * Avaya Meeting Exchange - Web Conferencing Server \n * Avaya Meeting Exchange - Webportal 5.0 \n * Avaya Meeting Exchange - Webportal 5.0.1 \n * Avaya Meeting Exchange - Webportal 5.2 \n * Avaya Meeting Exchange - Webportal 5.2.1 \n * Avaya Meeting Exchange - Webportal 6.0 \n * Avaya Messaging Application Server 4 \n * Avaya Messaging Application Server 5 \n * Avaya Messaging Application Server 5.0 \n * Avaya Messaging Application Server 5.0.1 \n * Avaya Messaging Application Server 5.2 \n * Avaya Messaging Application Server 5.2.1 \n * Avaya Messaging Application Server MM 1.1 \n * Microsoft RDP 6.1 \n * Microsoft RDP 7.0 \n * Microsoft Windows 7 for 32-bit Systems \n * Microsoft Windows 7 for x64-based Systems \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows Server 2003 SP2 \n * Microsoft Windows Server 2003 x64 SP2 \n * Microsoft Windows Server 2008 R2 Itanium SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems R2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Vista Service Pack 2 \n * Microsoft Windows Vista Ultimate 64-bit edition SP2 \n * Microsoft Windows XP Professional x64 Edition SP2 \n * Microsoft Windows XP Service Pack 3 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Do not accept or execute files from untrusted or unknown sources.** \nNever accept files from untrusted or unknown sources, because they may be malicious in nature. Avoid opening email attachments from unknown or questionable sources.\n\n**Do not follow links provided by unknown or untrusted sources.** \nAttackers could exploit this vulnerability by enticing a user to visit a malicious website. Do not follow links provided by sources of questionable integrity.\n\n**Set web browser security to disable the execution of script code or active content.** \nDisable support for script code and active content within a client browser to reduce the chances of a successful exploit. Note that this mitigation tactic might adversely affect legitimate websites that rely on the execution of browser-based script code.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2013-04-09T00:00:00", "published": "2013-04-09T00:00:00", "id": "SMNTC-58874", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/58874", "type": "symantec", "title": "Microsoft Remote Desktop ActiveX Control CVE-2013-1296 Remote Code Execution Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T17:45:39", "bulletinFamily": "exploit", "description": "BUGTRAQ ID: 58874\r\nCVE(CAN) ID: CVE-2013-1296\r\n\r\n\u8fdc\u7a0b\u684c\u9762\u534f\u8bae\uff08RDP, Remote Desktop Protocol\uff09\u662f\u4e00\u4e2a\u591a\u901a\u9053\uff08multi-channel\uff09\u7684\u534f\u8bae\uff0c\u8ba9\u7528\u6237\uff08\u5ba2\u6237\u7aef\u6216\u79f0\u201c\u672c\u5730\u7535\u8111\u201d\uff09\u8fde\u4e0a\u63d0\u4f9b\u5fae\u8f6f\u7ec8\u7aef\u673a\u670d\u52a1\u7684\u7535\u8111\uff08\u670d\u52a1\u5668\u7aef\u6216\u79f0\u201c\u8fdc\u7a0b\u7535\u8111\u201d\uff09\u3002\r\n\r\n\u5f53\u8fdc\u7a0b\u684c\u9762 ActiveX \u63a7\u4ef6 mstscax.dll \u5c1d\u8bd5\u8bbf\u95ee\u5185\u5b58\u4e2d\u5df2\u88ab\u5220\u9664\u7684\u5bf9\u8c61\u65f6\uff0c\u5b58\u5728\u4e00\u4e2a\u8fdc\u7a0b\u6267\u884c\u4ee3\u7801\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u8bf1\u4f7f\u7528\u6237\u8bbf\u95ee\u7279\u5236\u7f51\u9875\u6765\u5229\u7528\u8be5\u6f0f\u6d1e\u3002\u6210\u529f\u5229\u7528\u6b64\u6f0f\u6d1e\u7684\u653b\u51fb\u8005\u53ef\u4ee5\u83b7\u5f97\u4e0e\u767b\u5f55\u7528\u6237\u76f8\u540c\u7684\u7528\u6237\u6743\u9650\u3002\r\n0\r\nMicrosoft Windows XP\r\nMicrosoft Windows Server 2008\r\nMicrosoft Windows Server 2003\r\nMicrosoft Windows 7\r\n\u4e34\u65f6\u89e3\u51b3\u65b9\u6cd5\uff1a\r\n\r\n\u5982\u679c\u60a8\u4e0d\u80fd\u7acb\u523b\u5b89\u88c5\u8865\u4e01\u6216\u8005\u5347\u7ea7\uff0c\u5efa\u8bae\u60a8\u91c7\u53d6\u4ee5\u4e0b\u63aa\u65bd\u4ee5\u964d\u4f4e\u5a01\u80c1\uff1a\r\n\r\n* \u9650\u5236\u5bf9 mstscax.dll \u7684\u8bbf\u95ee\r\n* \u7981\u6b62\u8fdc\u7a0b\u684c\u9762\u8fde\u63a5 ActiveX \u63a7\u4ef6\u5728 Internet Explorer \u4e2d\u8fd0\u884c\r\n* \u5c06 Internet \u548c\u672c\u5730 Intranet \u5b89\u5168\u533a\u57df\u8bbe\u7f6e\u8bbe\u4e3a\u201c\u9ad8\u201d\uff0c\u4ee5\u4fbf\u5728\u8fd9\u4e9b\u533a\u57df\u4e2d\u963b\u6b62 ActiveX \u63a7\u4ef6\u548c\u6d3b\u52a8\u811a\u672c\r\n\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nMicrosoft\r\n---------\r\nMicrosoft\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08MS13-029\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\nMS13-029\uff1aVulnerability in Remote Desktop Client Could Allow Remote Code Execution (2828223)\r\n\u94fe\u63a5\uff1ahttp://technet.microsoft.com/security/bulletin/MS13-029", "modified": "2013-04-11T00:00:00", "published": "2013-04-11T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-60731", "id": "SSV:60731", "title": "Microsoft Remote Desktop ActiveX\u63a7\u4ef6\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e(CVE-2013-1296)(MS13-029)", "type": "seebug", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": ""}], "openvas": [{"lastseen": "2018-10-22T16:41:34", "bulletinFamily": "scanner", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS13-029.", "modified": "2018-10-12T00:00:00", "published": "2013-04-10T00:00:00", "id": "OPENVAS:1361412562310901217", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310901217", "title": "Microsoft RDP ActiveX Control Remote Code Execution Vulnerability (2828223)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_ms13-029.nasl 11876 2018-10-12 12:20:01Z cfischer $\n#\n# Microsoft RDP ActiveX Control Remote Code Execution Vulnerability (2828223)\n#\n# Authors:\n# Veerendra GG <veerendragg@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2013 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.901217\");\n script_version(\"$Revision: 11876 $\");\n script_cve_id(\"CVE-2013-1296\");\n script_bugtraq_id(58874);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 14:20:01 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-04-10 12:20:24 +0530 (Wed, 10 Apr 2013)\");\n script_name(\"Microsoft RDP ActiveX Control Remote Code Execution Vulnerability (2828223)\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/52911\");\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/kb/2813347\");\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/kb/2813345\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/en-us/security/bulletin/ms13-029\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2013 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attackers to execute arbitrary\n code in the context of the current user.\");\n script_tag(name:\"insight\", value:\"Flaw is in Remote Desktop ActiveX control and can be exploited to access\n an object in memory that has been freed.\");\n script_tag(name:\"solution\", value:\"Run Windows Update and update the listed hotfixes or download and\n install the hotfixes from the referenced advisory.\");\n script_tag(name:\"summary\", value:\"This host is missing a critical security update according to\n Microsoft Bulletin MS13-029.\");\n script_tag(name:\"affected\", value:\"Remote Desktop Connection 6.1 Client\n\n - Windows XP x32 Edition Service Pack 3 and prior\n\n - Microsoft Windows XP x64 Edition Service Pack 2 and prior\n\n - Microsoft Windows 2003 x32/x64 Edition Service Pack 2 and prior\n\n - Microsoft Windows Vista x32/x64 Edition Service Pack 2 and prior\n\n - Microsoft Windows Server 2008 x32/x64 Edition Service Pack 2 and prior\n\n Remote Desktop Connection 7.0 Client\n\n - Windows XP x32 Edition Service Pack 3 and prior\n\n - Microsoft Windows 7 x32/x64 Edition Service Pack 1 and prior\n\n - Microsoft Windows Vista x32/x64 Edition Service Pack 2 and prior\n\n - Microsoft Windows Server 2008 R2 x64 Edition Service Pack 1 and prior\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(xp:4, xpx64:3, win2003:3, win2003x64:3, winVista:3, win7:2,\n win7x64:2, win2008:3, win2008r2:2 ) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_systemroot();\nif(!sysPath ){\n exit(0);\n}\n\nexeVer = fetch_file_version(sysPath:sysPath, file_name:\"system32\\Tsgqec.dll\");\nif(!exeVer){\n exit(0);\n}\n\nif(hotfix_check_sp(xp:4) > 0)\n{\n if(version_in_range(version:exeVer, test_version:\"6.1.7600.17000\", test_version2:\"6.1.7600.17232\") ||\n version_in_range(version:exeVer, test_version:\"6.1.7600.21000\", test_version2:\"6.1.7600.21447\") ||\n version_in_range(version:exeVer, test_version:\"6.0.6001.23000\", test_version2:\"6.0.6001.23190\")) {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\nelse if(hotfix_check_sp(win2003:3, xpx64:3, win2003x64:3) > 0)\n{\n if(version_in_range(version:exeVer, test_version:\"6.0.6001.17000\", test_version2:\"6.0.6001.17999\") ||\n version_in_range(version:exeVer, test_version:\"6.0.6001.23000\", test_version2:\"6.0.6001.23190\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\n## Currently not supporting for Vista and Windows Server 2008 64 bit\nelse if(hotfix_check_sp(winVista:3) > 0)\n{\n if(version_in_range(version:exeVer, test_version:\"6.1.7600.17000\", test_version2:\"6.1.7600.17232\") ||\n version_in_range(version:exeVer, test_version:\"6.1.7600.21000\", test_version2:\"6.1.7600.21447\") ||\n version_in_range(version:exeVer, test_version:\"6.0.6002.18000\", test_version2:\"6.0.6002.18004\") ||\n version_in_range(version:exeVer, test_version:\"6.0.6002.23000\", test_version2:\"6.0.6002.23074\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\nelse if(hotfix_check_sp(win2008:3) > 0)\n{\n if(version_in_range(version:exeVer, test_version:\"6.0.6002.18000\", test_version2:\"6.0.6002.18004\") ||\n version_in_range(version:exeVer, test_version:\"6.0.6002.23000\", test_version2:\"6.0.6002.23074\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\nelse if(hotfix_check_sp(win7:2, win7x64:2, win2008r2:2) > 0)\n{\n if(version_in_range(version:exeVer, test_version:\"6.1.7600.17000\", test_version2:\"6.1.7600.17232\") ||\n version_in_range(version:exeVer, test_version:\"6.1.7600.21448\", test_version2:\"6.1.7600.21447\") ||\n version_in_range(version:exeVer, test_version:\"6.1.7601.18079\", test_version2:\"6.1.7601.18078\") ||\n version_in_range(version:exeVer, test_version:\"6.1.7601.22000\", test_version2:\"6.1.7601.22251\")) {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-02T21:11:17", "bulletinFamily": "scanner", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS13-029.", "modified": "2017-02-19T00:00:00", "published": "2013-04-10T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=901217", "id": "OPENVAS:901217", "title": "Microsoft RDP ActiveX Control Remote Code Execution Vulnerability (2828223)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_ms13-029.nasl 5346 2017-02-19 08:43:11Z cfi $\n#\n# Microsoft RDP ActiveX Control Remote Code Execution Vulnerability (2828223)\n#\n# Authors:\n# Veerendra GG <veerendragg@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2013 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_affected = \"Remote Desktop Connection 6.1 Client\n - Windows XP x32 Edition Service Pack 3 and prior\n - Microsoft Windows XP x64 Edition Service Pack 2 and prior\n - Microsoft Windows 2003 x32/x64 Edition Service Pack 2 and prior\n - Microsoft Windows Vista x32/x64 Edition Service Pack 2 and prior\n - Microsoft Windows Server 2008 x32/x64 Edition Service Pack 2 and prior\n\n Remote Desktop Connection 7.0 Client\n - Windows XP x32 Edition Service Pack 3 and prior\n - Microsoft Windows 7 x32/x64 Edition Service Pack 1 and prior\n - Microsoft Windows Vista x32/x64 Edition Service Pack 2 and prior\n - Microsoft Windows Server 2008 R2 x64 Edition Service Pack 1 and prior\";\n\ntag_impact = \"Successful exploitation will allow remote attackers to execute arbitrary\n code in the context of the current user.\n Impact Level: System\";\n\ntag_insight = \"Flaw is in Remote Desktop ActiveX control and can be exploited to access\n an object in memory that has been freed.\";\ntag_solution = \"Run Windows Update and update the listed hotfixes or download and\n update mentioned hotfixes in the advisory from the below link,\n https://technet.microsoft.com/en-us/security/bulletin/ms13-029\";\ntag_summary = \"This host is missing a critical security update according to\n Microsoft Bulletin MS13-029.\";\n\nif(description)\n{\n script_id(901217);\n script_version(\"$Revision: 5346 $\");\n script_cve_id(\"CVE-2013-1296\");\n script_bugtraq_id(58874);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-19 09:43:11 +0100 (Sun, 19 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2013-04-10 12:20:24 +0530 (Wed, 10 Apr 2013)\");\n script_name(\"Microsoft RDP ActiveX Control Remote Code Execution Vulnerability (2828223)\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/52911\");\n script_xref(name : \"URL\" , value : \"http://support.microsoft.com/kb/2813347\");\n script_xref(name : \"URL\" , value : \"http://support.microsoft.com/kb/2813345\");\n script_xref(name : \"URL\" , value : \"https://technet.microsoft.com/en-us/security/bulletin/ms13-029\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2013 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n## Variable Initialization\nsysPath = \"\";\nexeVer = \"\";\n\n## Check for OS and Service Pack\nif(hotfix_check_sp(xp:4, xpx64:3, win2003:3, win2003x64:3, winVista:3, win7:2,\n win7x64:2, win2008:3, win2008r2:2 ) <= 0){\n exit(0);\n}\n\n## Get System Path\nsysPath = smb_get_systemroot();\nif(!sysPath ){\n exit(0);\n}\n\n## Get Version from Tsgqec.dll file\nexeVer = fetch_file_version(sysPath, file_name:\"system32\\Tsgqec.dll\");\nif(!exeVer){\n exit(0);\n}\n\n## Windows XP\nif(hotfix_check_sp(xp:4) > 0)\n{\n ## Check for Tsgqec.dll for RDC 6.1 and 7.0\n if(version_in_range(version:exeVer, test_version:\"6.1.7600.17000\", test_version2:\"6.1.7600.17232\") ||\n version_in_range(version:exeVer, test_version:\"6.1.7600.21000\", test_version2:\"6.1.7600.21447\") ||\n version_in_range(version:exeVer, test_version:\"6.0.6001.23000\", test_version2:\"6.0.6001.23190\")) {\n security_message(0);\n }\n exit(0);\n}\n\n## Windows 2003 x86, Windows XP x64 and Windows 2003 x64\nelse if(hotfix_check_sp(win2003:3, xpx64:3, win2003x64:3) > 0)\n{\n ## Check for Tsgqec.dll for RDC 6.1\n if(version_in_range(version:exeVer, test_version:\"6.0.6001.17000\", test_version2:\"6.0.6001.17999\") ||\n version_in_range(version:exeVer, test_version:\"6.0.6001.23000\", test_version2:\"6.0.6001.23190\")){\n security_message(0);\n }\n exit(0);\n}\n\n## Currently not supporting for Vista and Windows Server 2008 64 bit\n## Windows Vista\nelse if(hotfix_check_sp(winVista:3) > 0)\n{\n ## Check for Tsgqec.dll version or RDC 6.1 and 7.0\n if(version_in_range(version:exeVer, test_version:\"6.1.7600.17000\", test_version2:\"6.1.7600.17232\") ||\n version_in_range(version:exeVer, test_version:\"6.1.7600.21000\", test_version2:\"6.1.7600.21447\") ||\n version_in_range(version:exeVer, test_version:\"6.0.6002.18000\", test_version2:\"6.0.6002.18004\") ||\n version_in_range(version:exeVer, test_version:\"6.0.6002.23000\", test_version2:\"6.0.6002.23074\")){\n security_message(0);\n }\n exit(0);\n}\n\n## Windows Server 2008\nelse if(hotfix_check_sp(win2008:3) > 0)\n{\n ## Check for Tsgqec.dll version or RDC 6.1\n if(version_in_range(version:exeVer, test_version:\"6.0.6002.18000\", test_version2:\"6.0.6002.18004\") ||\n version_in_range(version:exeVer, test_version:\"6.0.6002.23000\", test_version2:\"6.0.6002.23074\")){\n security_message(0);\n }\n exit(0);\n}\n\n## Windows 7 and Windows 2008 R2\nelse if(hotfix_check_sp(win7:2, win7x64:2, win2008r2:2) > 0)\n{\n ## Check for Tsgqec.dll version for RDC 7.0\n if(version_in_range(version:exeVer, test_version:\"6.1.7600.17000\", test_version2:\"6.1.7600.17232\") ||\n version_in_range(version:exeVer, test_version:\"6.1.7600.21448\", test_version2:\"6.1.7600.21447\") ||\n version_in_range(version:exeVer, test_version:\"6.1.7601.18079\", test_version2:\"6.1.7601.18078\") ||\n version_in_range(version:exeVer, test_version:\"6.1.7601.22000\", test_version2:\"6.1.7601.22251\")) {\n security_message(0);\n }\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:51", "bulletinFamily": "software", "description": "Use-after-free in ActiveX", "modified": "2013-04-12T00:00:00", "published": "2013-04-12T00:00:00", "id": "SECURITYVULNS:VULN:13003", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13003", "title": "Microsoft Remote Desktop Connection Client ActiveX code execution", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-02-21T01:18:46", "bulletinFamily": "scanner", "description": "The remote host contains a version of the Remote Desktop ActiveX control that is affected by a remote code execution vulnerability when attempting to access an object in memory that has been deleted.\n\nIf an attacker can trick a user on the affected system into opening a specially crafted webpage, this issue could be leveraged to execute arbitrary code subject to the user's privileges.", "modified": "2018-11-15T00:00:00", "id": "SMB_NT_MS13-029.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=65876", "published": "2013-04-10T00:00:00", "title": "MS13-029: Vulnerability in Remote Desktop Client Could Allow Remote Code Execution (2828223)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(65876);\n script_version(\"1.15\");\n script_cvs_date(\"Date: 2018/11/15 20:50:31\");\n\n script_cve_id(\"CVE-2013-1296\");\n script_bugtraq_id(58874);\n script_xref(name:\"MSFT\", value:\"MS13-029\");\n script_xref(name:\"MSKB\", value:\"2813345\");\n script_xref(name:\"MSKB\", value:\"2813347\");\n\n script_name(english:\"MS13-029: Vulnerability in Remote Desktop Client Could Allow Remote Code Execution (2828223)\");\n script_summary(english:\"Checks for hotfix 2828223\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"It is possible to execute arbitrary code on the remote host through\nthe Remote Desktop ActiveX control.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host contains a version of the Remote Desktop ActiveX\ncontrol that is affected by a remote code execution vulnerability\nwhen attempting to access an object in memory that has been deleted.\n\nIf an attacker can trick a user on the affected system into opening a\nspecially crafted webpage, this issue could be leveraged to execute\narbitrary code subject to the user's privileges.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-13-065/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2013/ms13-029\");\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Microsoft has released a set of patches for Windows XP, 2003, Vista,\n7, 2008, and 2008 R2.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/04/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/04/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/04/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:remote_desktop_connection\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS13-029';\nkbs = make_list('2813345', '2813347');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin\n:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'2', win7:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nif (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);\n\nrootfile = hotfix_get_systemroot();\nif (!rootfile) exit(1, \"Failed to get the system root.\");\n\nshare = hotfix_path2share(path:rootfile);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\nif(\n # Windows 7 / Windows Server 2008 R2\n # RDP 7.0\n hotfix_is_vulnerable(os:\"6.1\", sp:0, file:\"Mstscax.dll\", version:\"6.1.7600.17233\", min_version:\"6.1.7600.16000\", dir:\"\\system32\", bulletin:bulletin, kb:'2813347') ||\n hotfix_is_vulnerable(os:\"6.1\", sp:0, file:\"Mstscax.dll\", version:\"6.1.7600.21448\", min_version:\"6.1.7600.20000\", dir:\"\\system32\", bulletin:bulletin, kb:'2813347') ||\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Mstscax.dll\", version:\"6.1.7601.18079\", min_version:\"6.1.7600.16000\", dir:\"\\system32\", bulletin:bulletin, kb:'2813347') ||\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Mstscax.dll\", version:\"6.1.7601.22252\", min_version:\"6.1.7601.20000\", dir:\"\\system32\", bulletin:bulletin, kb:'2813347') ||\n\n # Windows Vista Service Pack 2 / Windows Server 2008\n # RDP 6.1\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mstscax.dll\", version:\"6.0.6002.18804\", min_version:\"6.0.6002.18000\", dir:\"\\system32\", bulletin:bulletin, kb:'2813345') ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mstscax.dll\", version:\"6.0.6002.23075\", min_version:\"6.0.6002.22000\", dir:\"\\system32\", bulletin:bulletin, kb:'2813345') ||\n # RDP 7.0\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mstscax.dll\", version:\"6.1.7600.17233\", min_version:\"6.1.7600.16000\", dir:\"\\system32\", bulletin:bulletin, kb:'2813347') ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mstscax.dll\", version:\"6.1.7600.21448\", min_version:\"6.1.7600.20000\", dir:\"\\system32\", bulletin:bulletin, kb:'2813347') ||\n\n # Windows 2003 / XP x64\n # RDP 6.1\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mstscax.dll\", version:\"6.0.6001.18926\", min_version:\"6.0.6001.0\", dir:\"\\system32\", bulletin:bulletin, kb:'2813345') ||\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mstscax.dll\", version:\"6.0.6001.23191\", min_version:\"6.0.6001.22000\", dir:\"\\system32\", bulletin:bulletin, kb:'2813345') ||\n\n # Windows XP x86\n # RDP 6.1\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mstscax.dll\", version:\"6.0.6001.18926\", min_version:\"6.0.6001.16000\", dir:\"\\system32\", bulletin:bulletin, kb:'2813345') ||\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mstscax.dll\", version:\"6.0.6001.23191\", min_version:\"6.0.6001.20000\", dir:\"\\system32\", bulletin:bulletin, kb:'2813345') ||\n # RDP 7.0\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mstscax.dll\", version:\"6.1.7600.17233\", min_version:\"6.1.7600.16000\",dir:\"\\system32\", bulletin:bulletin, kb:'2813347') ||\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mstscax.dll\", version:\"6.1.7600.21448\", min_version:\"6.1.7600.20000\",dir:\"\\system32\", bulletin:bulletin, kb:'2813347')\n)\n{\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
