Microsoft Internet Explorer RDP ActiveX Control Remote Code Execution Vulnerability
2013-05-10T00:00:00
ID ZDI-13-065 Type zdi Reporter c1d2d9acc746ae45eeb477b97fa74688 Modified 2013-06-22T00:00:00
Description
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within Remote Desktop ActiveX control. By manipulating TransportSettings or AdvancedSettings, an attacker can force a dangling pointer to be reused after it has been freed. An attacker can leverage this to gain code execution in the context of the current user.
{"enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-1296"]}, {"type": "symantec", "idList": ["SMNTC-58874"]}, {"type": "seebug", "idList": ["SSV:60731"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310901217", "OPENVAS:901217"]}, {"type": "mskb", "idList": ["KB2828223"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:13003"]}, {"type": "nessus", "idList": ["SMB_NT_MS13-029.NASL"]}], "modified": "2020-06-22T11:40:14", "rev": 2}, "score": {"value": 9.4, "vector": "NONE", "modified": "2020-06-22T11:40:14", "rev": 2}, "vulnersScore": 9.4}, "edition": 3, "href": "https://www.zerodayinitiative.com/advisories/ZDI-13-065/", "modified": "2013-06-22T00:00:00", "published": "2013-05-10T00:00:00", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within Remote Desktop ActiveX control. By manipulating TransportSettings or AdvancedSettings, an attacker can force a dangling pointer to be reused after it has been freed. An attacker can leverage this to gain code execution in the context of the current user.", "bulletinFamily": "info", "viewCount": 4, "title": "Microsoft Internet Explorer RDP ActiveX Control Remote Code Execution Vulnerability", "references": ["http://technet.microsoft.com/en-us/security/bulletin/ms13-029"], "cvelist": ["CVE-2013-1296"], "type": "zdi", "id": "ZDI-13-065", "lastseen": "2020-06-22T11:40:14", "reporter": "c1d2d9acc746ae45eeb477b97fa74688", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "scheme": null}
{"cve": [{"lastseen": "2021-02-02T06:06:48", "description": "The Remote Desktop ActiveX control in mstscax.dll in Microsoft Remote Desktop Connection Client 6.1 and 7.0 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code via a web page that triggers access to a deleted object, and allows remote RDP servers to execute arbitrary code via unspecified vectors that trigger access to a deleted object, aka \"RDP ActiveX Control Remote Code Execution Vulnerability.\"", "edition": 4, "cvss3": {}, "published": "2013-04-09T22:55:00", "title": "CVE-2013-1296", "type": "cve", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-1296"], "modified": "2018-10-12T22:04:00", "cpe": ["cpe:/a:microsoft:remote_desktop_connection:6.1", "cpe:/a:microsoft:remote_desktop_connection:7.0"], "id": "CVE-2013-1296", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1296", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:remote_desktop_connection:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:remote_desktop_connection:6.1:*:*:*:*:*:*:*"]}], "symantec": [{"lastseen": "2018-03-12T10:28:22", "bulletinFamily": "software", "cvelist": ["CVE-2013-1296"], "description": "### Description\n\nThe Microsoft Remote Desktop ActiveX control is prone to a remote code-execution vulnerability. An attacker can exploit this issue by enticing an unsuspecting user to view a malicious webpage. Successful exploits will allow the attacker to execute arbitrary code within the context of the application (typically Internet Explorer) that uses the ActiveX control.\n\n### Technologies Affected\n\n * Avaya Aura Conferencing 6.0 SP1 Standard \n * Avaya Aura Conferencing 6.0.0 Standard \n * Avaya CallPilot 4.0 \n * Avaya CallPilot 4.0.1 \n * Avaya CallPilot 5.0 \n * Avaya CallPilot 5.0.1 \n * Avaya CallPilot \n * Avaya Communication Server 1000 Telephony Manager 3.0 \n * Avaya Communication Server 1000 Telephony Manager 3.0.1 \n * Avaya Communication Server 1000 Telephony Manager 4.0 \n * Avaya Communication Server 1000 Telephony Manager 4.0.1 \n * Avaya Communication Server 1000 Telephony Manager \n * Avaya Meeting Exchange - Client Registration Server 5.0 \n * Avaya Meeting Exchange - Client Registration Server 5.0.1 \n * Avaya Meeting Exchange - Client Registration Server 5.2 \n * Avaya Meeting Exchange - Client Registration Server 5.2.1 \n * Avaya Meeting Exchange - Client Registration Server \n * Avaya Meeting Exchange - Recording Server 5.0 \n * Avaya Meeting Exchange - Recording Server 5.0.1 \n * Avaya Meeting Exchange - Recording Server 5.2 \n * Avaya Meeting Exchange - Recording Server 5.2.1 \n * Avaya Meeting Exchange - Recording Server \n * Avaya Meeting Exchange - Streaming Server 5.0 \n * Avaya Meeting Exchange - Streaming Server 5.0 \n * Avaya Meeting Exchange - Streaming Server 5.0.1 \n * Avaya Meeting Exchange - Streaming Server 5.2 \n * Avaya Meeting Exchange - Streaming Server 5.2.1 \n * Avaya Meeting Exchange - Streaming Server \n * Avaya Meeting Exchange - Web Conferencing Server 5.0 \n * Avaya Meeting Exchange - Web Conferencing Server 5.0.1 \n * Avaya Meeting Exchange - Web Conferencing Server 5.2 \n * Avaya Meeting Exchange - Web Conferencing Server 5.2.1 \n * Avaya Meeting Exchange - Web Conferencing Server \n * Avaya Meeting Exchange - Webportal 5.0 \n * Avaya Meeting Exchange - Webportal 5.0.1 \n * Avaya Meeting Exchange - Webportal 5.2 \n * Avaya Meeting Exchange - Webportal 5.2.1 \n * Avaya Meeting Exchange - Webportal 6.0 \n * Avaya Messaging Application Server 4 \n * Avaya Messaging Application Server 5 \n * Avaya Messaging Application Server 5.0 \n * Avaya Messaging Application Server 5.0.1 \n * Avaya Messaging Application Server 5.2 \n * Avaya Messaging Application Server 5.2.1 \n * Avaya Messaging Application Server MM 1.1 \n * Microsoft RDP 6.1 \n * Microsoft RDP 7.0 \n * Microsoft Windows 7 for 32-bit Systems \n * Microsoft Windows 7 for x64-based Systems \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows Server 2003 SP2 \n * Microsoft Windows Server 2003 x64 SP2 \n * Microsoft Windows Server 2008 R2 Itanium SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems R2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Vista Service Pack 2 \n * Microsoft Windows Vista Ultimate 64-bit edition SP2 \n * Microsoft Windows XP Professional x64 Edition SP2 \n * Microsoft Windows XP Service Pack 3 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Do not accept or execute files from untrusted or unknown sources.** \nNever accept files from untrusted or unknown sources, because they may be malicious in nature. Avoid opening email attachments from unknown or questionable sources.\n\n**Do not follow links provided by unknown or untrusted sources.** \nAttackers could exploit this vulnerability by enticing a user to visit a malicious website. Do not follow links provided by sources of questionable integrity.\n\n**Set web browser security to disable the execution of script code or active content.** \nDisable support for script code and active content within a client browser to reduce the chances of a successful exploit. Note that this mitigation tactic might adversely affect legitimate websites that rely on the execution of browser-based script code.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2013-04-09T00:00:00", "published": "2013-04-09T00:00:00", "id": "SMNTC-58874", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/58874", "type": "symantec", "title": "Microsoft Remote Desktop ActiveX Control CVE-2013-1296 Remote Code Execution Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T17:45:39", "description": "BUGTRAQ ID: 58874\r\nCVE(CAN) ID: CVE-2013-1296\r\n\r\n\u8fdc\u7a0b\u684c\u9762\u534f\u8bae\uff08RDP, Remote Desktop Protocol\uff09\u662f\u4e00\u4e2a\u591a\u901a\u9053\uff08multi-channel\uff09\u7684\u534f\u8bae\uff0c\u8ba9\u7528\u6237\uff08\u5ba2\u6237\u7aef\u6216\u79f0\u201c\u672c\u5730\u7535\u8111\u201d\uff09\u8fde\u4e0a\u63d0\u4f9b\u5fae\u8f6f\u7ec8\u7aef\u673a\u670d\u52a1\u7684\u7535\u8111\uff08\u670d\u52a1\u5668\u7aef\u6216\u79f0\u201c\u8fdc\u7a0b\u7535\u8111\u201d\uff09\u3002\r\n\r\n\u5f53\u8fdc\u7a0b\u684c\u9762 ActiveX \u63a7\u4ef6 mstscax.dll \u5c1d\u8bd5\u8bbf\u95ee\u5185\u5b58\u4e2d\u5df2\u88ab\u5220\u9664\u7684\u5bf9\u8c61\u65f6\uff0c\u5b58\u5728\u4e00\u4e2a\u8fdc\u7a0b\u6267\u884c\u4ee3\u7801\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u8bf1\u4f7f\u7528\u6237\u8bbf\u95ee\u7279\u5236\u7f51\u9875\u6765\u5229\u7528\u8be5\u6f0f\u6d1e\u3002\u6210\u529f\u5229\u7528\u6b64\u6f0f\u6d1e\u7684\u653b\u51fb\u8005\u53ef\u4ee5\u83b7\u5f97\u4e0e\u767b\u5f55\u7528\u6237\u76f8\u540c\u7684\u7528\u6237\u6743\u9650\u3002\r\n0\r\nMicrosoft Windows XP\r\nMicrosoft Windows Server 2008\r\nMicrosoft Windows Server 2003\r\nMicrosoft Windows 7\r\n\u4e34\u65f6\u89e3\u51b3\u65b9\u6cd5\uff1a\r\n\r\n\u5982\u679c\u60a8\u4e0d\u80fd\u7acb\u523b\u5b89\u88c5\u8865\u4e01\u6216\u8005\u5347\u7ea7\uff0c\u5efa\u8bae\u60a8\u91c7\u53d6\u4ee5\u4e0b\u63aa\u65bd\u4ee5\u964d\u4f4e\u5a01\u80c1\uff1a\r\n\r\n* \u9650\u5236\u5bf9 mstscax.dll \u7684\u8bbf\u95ee\r\n* \u7981\u6b62\u8fdc\u7a0b\u684c\u9762\u8fde\u63a5 ActiveX \u63a7\u4ef6\u5728 Internet Explorer \u4e2d\u8fd0\u884c\r\n* \u5c06 Internet \u548c\u672c\u5730 Intranet \u5b89\u5168\u533a\u57df\u8bbe\u7f6e\u8bbe\u4e3a\u201c\u9ad8\u201d\uff0c\u4ee5\u4fbf\u5728\u8fd9\u4e9b\u533a\u57df\u4e2d\u963b\u6b62 ActiveX \u63a7\u4ef6\u548c\u6d3b\u52a8\u811a\u672c\r\n\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nMicrosoft\r\n---------\r\nMicrosoft\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08MS13-029\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\nMS13-029\uff1aVulnerability in Remote Desktop Client Could Allow Remote Code Execution (2828223)\r\n\u94fe\u63a5\uff1ahttp://technet.microsoft.com/security/bulletin/MS13-029", "published": "2013-04-11T00:00:00", "title": "Microsoft Remote Desktop ActiveX\u63a7\u4ef6\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e(CVE-2013-1296)(MS13-029)", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1296"], "modified": "2013-04-11T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-60731", "id": "SSV:60731", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": ""}], "openvas": [{"lastseen": "2017-07-02T21:11:17", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1296"], "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS13-029.", "modified": "2017-02-19T00:00:00", "published": "2013-04-10T00:00:00", "id": "OPENVAS:901217", "href": "http://plugins.openvas.org/nasl.php?oid=901217", "type": "openvas", "title": "Microsoft RDP ActiveX Control Remote Code Execution Vulnerability (2828223)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_ms13-029.nasl 5346 2017-02-19 08:43:11Z cfi $\n#\n# Microsoft RDP ActiveX Control Remote Code Execution Vulnerability (2828223)\n#\n# Authors:\n# Veerendra GG <veerendragg@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2013 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_affected = \"Remote Desktop Connection 6.1 Client\n - Windows XP x32 Edition Service Pack 3 and prior\n - Microsoft Windows XP x64 Edition Service Pack 2 and prior\n - Microsoft Windows 2003 x32/x64 Edition Service Pack 2 and prior\n - Microsoft Windows Vista x32/x64 Edition Service Pack 2 and prior\n - Microsoft Windows Server 2008 x32/x64 Edition Service Pack 2 and prior\n\n Remote Desktop Connection 7.0 Client\n - Windows XP x32 Edition Service Pack 3 and prior\n - Microsoft Windows 7 x32/x64 Edition Service Pack 1 and prior\n - Microsoft Windows Vista x32/x64 Edition Service Pack 2 and prior\n - Microsoft Windows Server 2008 R2 x64 Edition Service Pack 1 and prior\";\n\ntag_impact = \"Successful exploitation will allow remote attackers to execute arbitrary\n code in the context of the current user.\n Impact Level: System\";\n\ntag_insight = \"Flaw is in Remote Desktop ActiveX control and can be exploited to access\n an object in memory that has been freed.\";\ntag_solution = \"Run Windows Update and update the listed hotfixes or download and\n update mentioned hotfixes in the advisory from the below link,\n https://technet.microsoft.com/en-us/security/bulletin/ms13-029\";\ntag_summary = \"This host is missing a critical security update according to\n Microsoft Bulletin MS13-029.\";\n\nif(description)\n{\n script_id(901217);\n script_version(\"$Revision: 5346 $\");\n script_cve_id(\"CVE-2013-1296\");\n script_bugtraq_id(58874);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-19 09:43:11 +0100 (Sun, 19 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2013-04-10 12:20:24 +0530 (Wed, 10 Apr 2013)\");\n script_name(\"Microsoft RDP ActiveX Control Remote Code Execution Vulnerability (2828223)\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/52911\");\n script_xref(name : \"URL\" , value : \"http://support.microsoft.com/kb/2813347\");\n script_xref(name : \"URL\" , value : \"http://support.microsoft.com/kb/2813345\");\n script_xref(name : \"URL\" , value : \"https://technet.microsoft.com/en-us/security/bulletin/ms13-029\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2013 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n## Variable Initialization\nsysPath = \"\";\nexeVer = \"\";\n\n## Check for OS and Service Pack\nif(hotfix_check_sp(xp:4, xpx64:3, win2003:3, win2003x64:3, winVista:3, win7:2,\n win7x64:2, win2008:3, win2008r2:2 ) <= 0){\n exit(0);\n}\n\n## Get System Path\nsysPath = smb_get_systemroot();\nif(!sysPath ){\n exit(0);\n}\n\n## Get Version from Tsgqec.dll file\nexeVer = fetch_file_version(sysPath, file_name:\"system32\\Tsgqec.dll\");\nif(!exeVer){\n exit(0);\n}\n\n## Windows XP\nif(hotfix_check_sp(xp:4) > 0)\n{\n ## Check for Tsgqec.dll for RDC 6.1 and 7.0\n if(version_in_range(version:exeVer, test_version:\"6.1.7600.17000\", test_version2:\"6.1.7600.17232\") ||\n version_in_range(version:exeVer, test_version:\"6.1.7600.21000\", test_version2:\"6.1.7600.21447\") ||\n version_in_range(version:exeVer, test_version:\"6.0.6001.23000\", test_version2:\"6.0.6001.23190\")) {\n security_message(0);\n }\n exit(0);\n}\n\n## Windows 2003 x86, Windows XP x64 and Windows 2003 x64\nelse if(hotfix_check_sp(win2003:3, xpx64:3, win2003x64:3) > 0)\n{\n ## Check for Tsgqec.dll for RDC 6.1\n if(version_in_range(version:exeVer, test_version:\"6.0.6001.17000\", test_version2:\"6.0.6001.17999\") ||\n version_in_range(version:exeVer, test_version:\"6.0.6001.23000\", test_version2:\"6.0.6001.23190\")){\n security_message(0);\n }\n exit(0);\n}\n\n## Currently not supporting for Vista and Windows Server 2008 64 bit\n## Windows Vista\nelse if(hotfix_check_sp(winVista:3) > 0)\n{\n ## Check for Tsgqec.dll version or RDC 6.1 and 7.0\n if(version_in_range(version:exeVer, test_version:\"6.1.7600.17000\", test_version2:\"6.1.7600.17232\") ||\n version_in_range(version:exeVer, test_version:\"6.1.7600.21000\", test_version2:\"6.1.7600.21447\") ||\n version_in_range(version:exeVer, test_version:\"6.0.6002.18000\", test_version2:\"6.0.6002.18004\") ||\n version_in_range(version:exeVer, test_version:\"6.0.6002.23000\", test_version2:\"6.0.6002.23074\")){\n security_message(0);\n }\n exit(0);\n}\n\n## Windows Server 2008\nelse if(hotfix_check_sp(win2008:3) > 0)\n{\n ## Check for Tsgqec.dll version or RDC 6.1\n if(version_in_range(version:exeVer, test_version:\"6.0.6002.18000\", test_version2:\"6.0.6002.18004\") ||\n version_in_range(version:exeVer, test_version:\"6.0.6002.23000\", test_version2:\"6.0.6002.23074\")){\n security_message(0);\n }\n exit(0);\n}\n\n## Windows 7 and Windows 2008 R2\nelse if(hotfix_check_sp(win7:2, win7x64:2, win2008r2:2) > 0)\n{\n ## Check for Tsgqec.dll version for RDC 7.0\n if(version_in_range(version:exeVer, test_version:\"6.1.7600.17000\", test_version2:\"6.1.7600.17232\") ||\n version_in_range(version:exeVer, test_version:\"6.1.7600.21448\", test_version2:\"6.1.7600.21447\") ||\n version_in_range(version:exeVer, test_version:\"6.1.7601.18079\", test_version2:\"6.1.7601.18078\") ||\n version_in_range(version:exeVer, test_version:\"6.1.7601.22000\", test_version2:\"6.1.7601.22251\")) {\n security_message(0);\n }\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:37:55", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1296"], "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS13-029.", "modified": "2019-05-03T00:00:00", "published": "2013-04-10T00:00:00", "id": "OPENVAS:1361412562310901217", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310901217", "type": "openvas", "title": "Microsoft RDP ActiveX Control Remote Code Execution Vulnerability (2828223)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft RDP ActiveX Control Remote Code Execution Vulnerability (2828223)\n#\n# Authors:\n# Veerendra GG <veerendragg@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2013 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.901217\");\n script_version(\"2019-05-03T12:31:27+0000\");\n script_cve_id(\"CVE-2013-1296\");\n script_bugtraq_id(58874);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-03 12:31:27 +0000 (Fri, 03 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2013-04-10 12:20:24 +0530 (Wed, 10 Apr 2013)\");\n script_name(\"Microsoft RDP ActiveX Control Remote Code Execution Vulnerability (2828223)\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/52911\");\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/kb/2813347\");\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/kb/2813345\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/en-us/security/bulletin/ms13-029\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2013 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attackers to execute arbitrary\n code in the context of the current user.\");\n script_tag(name:\"insight\", value:\"Flaw is in Remote Desktop ActiveX control and can be exploited to access\n an object in memory that has been freed.\");\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n script_tag(name:\"summary\", value:\"This host is missing a critical security update according to\n Microsoft Bulletin MS13-029.\");\n script_tag(name:\"affected\", value:\"Remote Desktop Connection 6.1 Client\n\n - Windows XP x32 Edition Service Pack 3 and prior\n\n - Microsoft Windows XP x64 Edition Service Pack 2 and prior\n\n - Microsoft Windows 2003 x32/x64 Edition Service Pack 2 and prior\n\n - Microsoft Windows Vista x32/x64 Edition Service Pack 2 and prior\n\n - Microsoft Windows Server 2008 x32/x64 Edition Service Pack 2 and prior\n\n Remote Desktop Connection 7.0 Client\n\n - Windows XP x32 Edition Service Pack 3 and prior\n\n - Microsoft Windows 7 x32/x64 Edition Service Pack 1 and prior\n\n - Microsoft Windows Vista x32/x64 Edition Service Pack 2 and prior\n\n - Microsoft Windows Server 2008 R2 x64 Edition Service Pack 1 and prior\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(xp:4, xpx64:3, win2003:3, win2003x64:3, winVista:3, win7:2,\n win7x64:2, win2008:3, win2008r2:2 ) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_systemroot();\nif(!sysPath ){\n exit(0);\n}\n\nexeVer = fetch_file_version(sysPath:sysPath, file_name:\"system32\\Tsgqec.dll\");\nif(!exeVer){\n exit(0);\n}\n\nif(hotfix_check_sp(xp:4) > 0)\n{\n if(version_in_range(version:exeVer, test_version:\"6.1.7600.17000\", test_version2:\"6.1.7600.17232\") ||\n version_in_range(version:exeVer, test_version:\"6.1.7600.21000\", test_version2:\"6.1.7600.21447\") ||\n version_in_range(version:exeVer, test_version:\"6.0.6001.23000\", test_version2:\"6.0.6001.23190\")) {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\nelse if(hotfix_check_sp(win2003:3, xpx64:3, win2003x64:3) > 0)\n{\n if(version_in_range(version:exeVer, test_version:\"6.0.6001.17000\", test_version2:\"6.0.6001.17999\") ||\n version_in_range(version:exeVer, test_version:\"6.0.6001.23000\", test_version2:\"6.0.6001.23190\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\n## Currently not supporting for Vista and Windows Server 2008 64 bit\nelse if(hotfix_check_sp(winVista:3) > 0)\n{\n if(version_in_range(version:exeVer, test_version:\"6.1.7600.17000\", test_version2:\"6.1.7600.17232\") ||\n version_in_range(version:exeVer, test_version:\"6.1.7600.21000\", test_version2:\"6.1.7600.21447\") ||\n version_in_range(version:exeVer, test_version:\"6.0.6002.18000\", test_version2:\"6.0.6002.18004\") ||\n version_in_range(version:exeVer, test_version:\"6.0.6002.23000\", test_version2:\"6.0.6002.23074\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\nelse if(hotfix_check_sp(win2008:3) > 0)\n{\n if(version_in_range(version:exeVer, test_version:\"6.0.6002.18000\", test_version2:\"6.0.6002.18004\") ||\n version_in_range(version:exeVer, test_version:\"6.0.6002.23000\", test_version2:\"6.0.6002.23074\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\nelse if(hotfix_check_sp(win7:2, win7x64:2, win2008r2:2) > 0)\n{\n if(version_in_range(version:exeVer, test_version:\"6.1.7600.17000\", test_version2:\"6.1.7600.17232\") ||\n version_in_range(version:exeVer, test_version:\"6.1.7600.21448\", test_version2:\"6.1.7600.21447\") ||\n version_in_range(version:exeVer, test_version:\"6.1.7601.18079\", test_version2:\"6.1.7601.18078\") ||\n version_in_range(version:exeVer, test_version:\"6.1.7601.22000\", test_version2:\"6.1.7601.22251\")) {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "mskb": [{"lastseen": "2021-01-01T22:47:08", "bulletinFamily": "microsoft", "cvelist": ["CVE-2013-1296"], "description": "<html><body><p>Resolves a vulnerability in Windows Remote Desktop Client that could allow remote code execution if a user views a specially crafted webpage.</p><h2>INTRODUCTION</h2><div class=\"kb-summary-section section\">Microsoft has released security bulletin MS13-029. To view the complete security bulletin, go to one of the following Microsoft websites: <ul class=\"sbody-free_list\"><li>Home users:<br/><div class=\"indent\"><a href=\"http://www.microsoft.com/security/pc-security/bulletins/201304.aspx\" id=\"kb-link-1\" target=\"_self\">http://www.microsoft.com/security/pc-security/bulletins/201304.aspx</a></div><span class=\"text-base\">Skip the details</span>: Download the updates for your home computer or laptop from the Microsoft Update website now:<br/><div class=\"indent\"><a href=\"http://update.microsoft.com/microsoftupdate/\" id=\"kb-link-2\" target=\"_self\">http://update.microsoft.com/microsoftupdate/</a></div></li><li>IT professionals:<br/><div class=\"indent\"><a href=\"http://technet.microsoft.com/security/bulletin/ms13-029\" id=\"kb-link-3\" target=\"_self\">http://technet.microsoft.com/security/bulletin/MS13-029</a></div></li></ul><h3 class=\"sbody-h3\">How to obtain help and support for this security update</h3>Help installing updates: <a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-4\" target=\"_self\">Support for Microsoft Update</a><br/><br/>Security solutions for IT professionals: <br/><a href=\"http://technet.microsoft.com/security/bb980617.aspx\" id=\"kb-link-5\" target=\"_self\">TechNet Security Troubleshooting and Support</a><br/><br/>Help protect your Windows-based computer from viruses and malware: <a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-6\" target=\"_self\">Virus Solution and Security Center</a><br/><br/>Local support according to your country: <br/><a href=\"https://support.microsoft.com/common/international.aspx\" id=\"kb-link-7\" target=\"_self\">International Support</a><br/><br/></div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><h3 class=\"sbody-h3\">More information about this security update</h3>The following articles contain more information about this security update as it relates to individual product versions. The articles may contain known issue information. If this is the case, the known issue is listed under each article link. <ul class=\"sbody-free_list\"><li><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/2813345\" id=\"kb-link-8\">2813345 </a> MS13-029: Vulnerability in Remote Desktop Client could allow remote code execution: April 9, 2013</div></li><li><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/2813347\" id=\"kb-link-9\">2813347 </a> MS13-029: Description of the security update for Remote Desktop Connection 7.0 Client: April 9, 2013</div></li></ul><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">File hash information</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\"><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">SHA1 hash</th><th class=\"sbody-th\">SHA256 hash</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.0-KB2813345-ia64.msu</td><td class=\"sbody-td\">1B32A0EAE48D57BFD1632C4DC67F1AA5A0739521</td><td class=\"sbody-td\">2AF725E48148255BCE4FC0FA457CF0310D78F822F50137DF8CF09018CD215C44</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.0-KB2813345-x64.msu</td><td class=\"sbody-td\">DA7FA78544AFE141A260D02BF5CE7B1A0BC4BA74</td><td class=\"sbody-td\">57AD0632122B30E57AD7C716AEBFD5B2EE2A5992E3C6CBEB146B9CCA5ACD3B72</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.0-KB2813345-x86.msu</td><td class=\"sbody-td\">EEEC0230ECC031CD0AD0608A2C8FEC6121D930E0</td><td class=\"sbody-td\">BE3A635197FAA845C79DA935A985F78C479F3619807E8E585F16E485626EB2DA</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.0-KB2813347-x64.msu</td><td class=\"sbody-td\">8E823346831F2832E29839C79EF1BB34F3F65E19</td><td class=\"sbody-td\">B434121C46803604B9B78094E67A1B18E05661396D7DF523E7A9BBE5CE8CF027</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.0-KB2813347-x86.msu</td><td class=\"sbody-td\">DFCC80514C3FA66B89F4F6C3ADD676B97E78CDC2</td><td class=\"sbody-td\">E9A2EEC6D2671E3562CB910C4A85479ABEE02C4D778A3E8EFC0FB72C18C50523</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.1-KB2813347-ia64.msu</td><td class=\"sbody-td\">514DE555E0E361A117B2F1ED30D3BAA7736684CF</td><td class=\"sbody-td\">4F3FF82196ACE90D16A394CFF67455C97245098FB91A80206A371C73FBB1B262</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.1-KB2813347-x64.msu</td><td class=\"sbody-td\">76A7CDFABD3778DC9B4FFB603BBB5D9EAF3143AA</td><td class=\"sbody-td\">AA71D95EE2EB92D386AA1CBB8B1C7D59FA1B2664CD2006596C2D90EFB1DE1398</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.1-KB2813347-x86.msu</td><td class=\"sbody-td\">3C262DCDF6ABAE2C733BBA2AAD62465FFCBE5B20</td><td class=\"sbody-td\">FE82CF08FF236B36DE77B7FE09E77F0F3725762130846E6CFBE4835D18D07DA6</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2813345-x86-CHS.exe</td><td class=\"sbody-td\">36732B90FB705C3BCAA4E3F262B775F27D16D599</td><td class=\"sbody-td\">09DF535938F7D188BC9372D5C1F106F21522C9D0F56D8B74E0A1B61514AA54E5</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2813345-x86-CHT.exe</td><td class=\"sbody-td\">461A44B71CB71CCB6078C3A597C0790D7A2E9C45</td><td class=\"sbody-td\">84F47862655C49466DB45514EE0FA6D0460FD04F0F8C3066B54A84265E3C794D</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2813345-x86-CSY.exe</td><td class=\"sbody-td\">ED51674E6777CA3DA93D2CA530915E111DFE863F</td><td class=\"sbody-td\">2F57FB0E6B577C9A8BFF2E813A4D90C209298F7C459B8BE58902C4BE44652271</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2813345-x86-DEU.exe</td><td class=\"sbody-td\">1A5725F1DF2847D2CDF2D36F8FF166E35EE18CC5</td><td class=\"sbody-td\">84FD4BD45B745110DC2C7FC90E691518337B3D9562C2325FA9B5F80C55E9F027</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2813345-x86-ENU.exe</td><td class=\"sbody-td\">2A461432292AB5592D9E919DDDC4389863AA9EB6</td><td class=\"sbody-td\">3E26F6450B1A48BEF6699F2274CEE2FFF237CF4F9B0984CD4AFE7166647B5877</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2813345-x86-ESN.exe</td><td class=\"sbody-td\">BBA9762D6A12349B670D8492708D113066697D5E</td><td class=\"sbody-td\">4AE3A3C1A28F7BDCB3F3E1C9C8E263CEC931F73B469AC3DA73C3486189CDC87D</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2813345-x86-FRA.exe</td><td class=\"sbody-td\">9377F15606056BC4BE17A7E5391CAFC9C9CC05CD</td><td class=\"sbody-td\">C3A818B366A5F47FD5571AC7BB133A7830337BA79ACEEB9E7060BC3D85AC8EAA</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2813345-x86-HUN.exe</td><td class=\"sbody-td\">FACA98F61AE0672A1680D60B8090446757CC41B0</td><td class=\"sbody-td\">316EC0CA843F3B92075E004059862541B413237A84258DED7AB8410CA8024FAE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2813345-x86-ITA.exe</td><td class=\"sbody-td\">222F92643BC6A26B70D59FB83BE92D4C79B85F4F</td><td class=\"sbody-td\">6F127248FFD79326F32C24D3D5497811DA0BA4B5A3FCDE350A3C60C36487383B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2813345-x86-JPN.exe</td><td class=\"sbody-td\">AF3984D3426717CACE9AE954CC248A588CC1184B</td><td class=\"sbody-td\">CB484861BA2815BB572F7BAEE625C4F6DC28865B9905898C653106DE5E258CE5</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2813345-x86-KOR.exe</td><td class=\"sbody-td\">C8907C2AB48779E9D56BECAE86C1AD1CB3D5EF29</td><td class=\"sbody-td\">EFBD6371DC6AF2631CA102745C990B201588FC5A846BA68B99B1B4D299053727</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2813345-x86-NLD.exe</td><td class=\"sbody-td\">F7BC3E23A1479D776273363BCF75C583D4C978C6</td><td class=\"sbody-td\">6CCA3422D375E50DC1613FE88BF543997A4ECADE2F6558B15DF83CDF794F3995</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2813345-x86-PLK.exe</td><td class=\"sbody-td\">29EA7CC25D2B15B94932A1185B1887F445B081A4</td><td class=\"sbody-td\">BF44EB628CCA585F75C4557A1D6DA75C9FC179A7DE7C7E33E2A626390C004104</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2813345-x86-PTB.exe</td><td class=\"sbody-td\">597085944EFDED770CB5E30354F8C299034BFAE1</td><td class=\"sbody-td\">5C76DD7F8E3F1771A8559C606C94009EF355AD5C126D2773F4AAB1CA2A3671A9</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2813345-x86-PTG.exe</td><td class=\"sbody-td\">F1710FDD6A36F09F3B75C1C7D571D2604EDC2353</td><td class=\"sbody-td\">E123481406A982C73A5ADC5B925154A7CAD6F1A548DA0BF6F26CBD785E5FE2B2</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2813345-x86-RUS.exe</td><td class=\"sbody-td\">15129610BB73B85D08A08775AF859FD8EF7C7A1A</td><td class=\"sbody-td\">0AD80CA6587E6319F0D5CE8E87FC2FA3CD3B5390DC907E16703D83F8CD094EA7</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2813345-x86-SVE.exe</td><td class=\"sbody-td\">2C0723B0750040626BBC5631794F90AEF761B290</td><td class=\"sbody-td\">877B8699B10306B7D2578BAF7E37A76050294B59F46BE755594752F38F5BFE97</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003-KB2813345-x86-TRK.exe</td><td class=\"sbody-td\">593BCF86558260FAD5DA0070B80DD53C5A806235</td><td class=\"sbody-td\">CD98196F4AE6C4B247202B2BF46A23018F0863C003E16ED9E456200E859AD870</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003.WindowsXP-KB2813345-x64-CHS.exe</td><td class=\"sbody-td\">BE24E1056125F71328A726167AB20F9A45190E13</td><td class=\"sbody-td\">538490956599E6838172DA746999E260D0C57B5412CE6088E45EA4CE6A07EB87</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003.WindowsXP-KB2813345-x64-CHT.exe</td><td class=\"sbody-td\">93BCCEB628CA476E58DC9D1513136DEB9BB6EB99</td><td class=\"sbody-td\">E7258B30441C8638265C1661A0CC2FF755FDD615790DEEAB5C4FE410AE48E70F</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003.WindowsXP-KB2813345-x64-DEU.exe</td><td class=\"sbody-td\">5DE227DF6B901D98FBCAD0D38865885E95A6E840</td><td class=\"sbody-td\">00E712CA26949EB01FB3FF74C5A1D65950086121851C0D05695C4DF9B57F8D1B</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003.WindowsXP-KB2813345-x64-ENU.exe</td><td class=\"sbody-td\">52D251FDFC06F15DE9EF0DE0203581E2D9869957</td><td class=\"sbody-td\">3D31BAB2C9B5F127423C244D4E7AB0EA827B7474CFA3FA022B7D188A92342736</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003.WindowsXP-KB2813345-x64-ESN.exe</td><td class=\"sbody-td\">1C4E90CF9B0F58252DF8D1376167D486FE87730F</td><td class=\"sbody-td\">EE048EC49715B30D4008F75646978215A9C74F61E91548C57B98C112A08B4338</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003.WindowsXP-KB2813345-x64-FRA.exe</td><td class=\"sbody-td\">208D5D8302CEC2A6FAA35155A5F33EEA62516BB2</td><td class=\"sbody-td\">840914122F460DE1151BDD2B9A9AA4A98E748584E683F11A7DE70DF78A641A61</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003.WindowsXP-KB2813345-x64-ITA.exe</td><td class=\"sbody-td\">BB1177A8F3461BAAD4BCE92B6A36620C0B2DDF2F</td><td class=\"sbody-td\">21E96DD43EC7E22B85D8FFBBE5054D6C3FB3137E3B8D8969C016809552DC9659</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003.WindowsXP-KB2813345-x64-JPN.exe</td><td class=\"sbody-td\">5BDB3F853A70A437735FC1ACFAC47B1442CD2627</td><td class=\"sbody-td\">CC2F71E2B777A9F674C64B2E023BCF4D9240E564D22D00FF7EC84D8EFB677701</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003.WindowsXP-KB2813345-x64-KOR.exe</td><td class=\"sbody-td\">7994D6A6A782611DB661BCC30FF64A9EA6ABE78B</td><td class=\"sbody-td\">126ADDA5D1684C5F637C0838B0594E8D4BC9DA6073941F0582007370A5472678</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsServer2003.WindowsXP-KB2813345-x64-PTB.exe</td><td class=\"sbody-td\">A2E558CB0950767291521B56B4B5D01BD66FA1E4</td><td class=\"sbody-td\">ED79AD5EF1D34A2113841522A01C737BA48FBED59686CBB9BB08E369184DECBF</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsXP-KB2813347-v2-x86-ARA.exe</td><td class=\"sbody-td\">899C85E33FC1F8B639DDE9FE64D56A5D25E5D915</td><td class=\"sbody-td\">930194E49F8C8F28EC05C7DEA8A1CA3BBAF122A760B909C7E90351C2F646BF18</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsXP-KB2813347-v2-x86-CHS.exe</td><td class=\"sbody-td\">074D9195C3B517E91388D15C46263E97BB282F91</td><td class=\"sbody-td\">22CD5266EE8C25C577C4042C1C5225F1815665F6E1AE3331C93887BA378BFB9C</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsXP-KB2813347-v2-x86-CHT.exe</td><td class=\"sbody-td\">681D8DF5BCC785D5CB6DFB3474636DFFE9B27941</td><td class=\"sbody-td\">8E0B21AE6B3A77ACF577123E660A339238601419C21C360A4723D5D91254311F</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsXP-KB2813347-v2-x86-CSY.exe</td><td class=\"sbody-td\">B121E117595D66C8EC6615ACF80AE1FB08DFC57D</td><td class=\"sbody-td\">97B6A0F36E1AD241C8D1AAB8D42B6FEB22B182A0095C3C102F69F9A6E8810C06</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsXP-KB2813347-v2-x86-DAN.exe</td><td class=\"sbody-td\">8F5D0366AA29E084C127AF1E2EEEABE3E34A410D</td><td class=\"sbody-td\">26B5FE4936497386885EB9341FCF9F14C787A1F6511C088F44C5BF14B771AA57</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsXP-KB2813347-v2-x86-DEU.exe</td><td class=\"sbody-td\">611789F9F5DC70C73A5B7BF73B6E4BF069071544</td><td class=\"sbody-td\">A8DCB358533B7585E73C3C7EF5228F0E72B1D81B19F6C4C644A25223F095E1E0</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsXP-KB2813347-v2-x86-ELL.exe</td><td class=\"sbody-td\">AED0B39406415D68568F774EE56DF8C76C9FDA1E</td><td class=\"sbody-td\">B26B7B15B7BD8B0872C1911922A9006625F320CA16630A71B6B71A771B8E7224</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsXP-KB2813347-v2-x86-ENU.exe</td><td class=\"sbody-td\">7F5B07E5464702CDFA24A869D21F55335223069A</td><td class=\"sbody-td\">C4EE2E5F9E95983AE94C9953CEA17ED951D9040452BA80A5DA65D36138E29BB2</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsXP-KB2813347-v2-x86-ESN.exe</td><td class=\"sbody-td\">5C71D53C1E98D6604C2E8DD08411E6FE683F9117</td><td class=\"sbody-td\">2900B87B3146246C28B0AC27F33D45292230B3784E443BA9B55F7789F4F70166</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsXP-KB2813347-v2-x86-FIN.exe</td><td class=\"sbody-td\">5A40879013A1537FF9C013F28337DB188EAC0E6E</td><td class=\"sbody-td\">06C918FD9B4129319A09421E257A8982BA1573C8BB4AAC6A59BD8824156442E6</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsXP-KB2813347-v2-x86-FRA.exe</td><td class=\"sbody-td\">5E854A17963A813FD58ECF45450215C9C087F8FF</td><td class=\"sbody-td\">BF01DDAFC04529D2BADD36D4E33911578919C9FC2369B6E649F0825C31D6E65F</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsXP-KB2813347-v2-x86-HEB.exe</td><td class=\"sbody-td\">12A8457DF10A3E7C6D41A08D7C6AC126C0191A53</td><td class=\"sbody-td\">26E6C0E3089C9E4FCF3A701076F00F8653FC6373689AB78AF0D7461A2A14B173</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsXP-KB2813347-v2-x86-HUN.exe</td><td class=\"sbody-td\">320B8DDB03098102DE0FE39D3D367E2B59A568AD</td><td class=\"sbody-td\">C8513D9E4987D15B6402A5D215CB3973320530287241F0452C5D8EAA3517DFDC</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsXP-KB2813347-v2-x86-ITA.exe</td><td class=\"sbody-td\">F641A1709517701CF1C3E73CAB2E94B8D9C3E99E</td><td class=\"sbody-td\">F91E2D714E4E51CBA5D00CFDB1FCC57A8EDDF5C005D0F0B3018EA335736F336C</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsXP-KB2813347-v2-x86-JPN.exe</td><td class=\"sbody-td\">7131B5A4A346F0CE48EF4E87A45226585E4E989F</td><td class=\"sbody-td\">BC1D13DBBF2DD58287B09294932EE2CDCFDA0FF4B014BADC0477F29F4102D1AB</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsXP-KB2813347-v2-x86-KOR.exe</td><td class=\"sbody-td\">309DFDDF27DF6D2C6BDB947A3A20DF7BE0C5DA01</td><td class=\"sbody-td\">D9E0DF36F5B8A3F4B36EA396FCC2EF76CA770FBF96834CB271816BD37F47967F</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsXP-KB2813347-v2-x86-NLD.exe</td><td class=\"sbody-td\">388876A31CBEC49C8A7F0F995660028C1B91D57D</td><td class=\"sbody-td\">E5ECAB551FE906BACD2AA38B12790D28EE2FC41A59625BF974EA512F2A8A98D1</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsXP-KB2813347-v2-x86-NOR.exe</td><td class=\"sbody-td\">9D8FB7C2DBD869FBEB3F22F85BBBADFC147F5BF7</td><td class=\"sbody-td\">3F1668753F6827213A1C7EE0C6FCE8656DB46A6156067C693C2901E40EEF964F</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsXP-KB2813347-v2-x86-PLK.exe</td><td class=\"sbody-td\">8D69D1D9E2354400C20A0F07F653776BF3204B7C</td><td class=\"sbody-td\">A52F1039CE4F63BF032833EAD67F8B56E1C905F00E762294D17C45206D0CD3D1</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsXP-KB2813347-v2-x86-PTB.exe</td><td class=\"sbody-td\">49525492113F99F45A5B9E0377B2FBBF657105DF</td><td class=\"sbody-td\">E158577E63893C5C56BBF9E95E518996AEF9C3BFD9D8D4B1A214EA664DE50078</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsXP-KB2813347-v2-x86-PTG.exe</td><td class=\"sbody-td\">9B980E7E4197EF63EB4B458C7CC9E86DAFA67289</td><td class=\"sbody-td\">45529C97A1800BB626408EF6BEE69568620B039F1F2878CAEEFEAC94968E9B42</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsXP-KB2813347-v2-x86-RUS.exe</td><td class=\"sbody-td\">7715CDA4907F0C982FFF7D0BC72AD0DF29B5A064</td><td class=\"sbody-td\">591409F1F0BCD596F9947EBE326FD8CA267A0B01C91294C66521E8B915D91269</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsXP-KB2813347-v2-x86-SVE.exe</td><td class=\"sbody-td\">C37709C3D8E8F8B02C913279CE4BFA39C1350391</td><td class=\"sbody-td\">B11A05DFEF97D5894E851E1C0F4D48496AA0DB516E66E4D6E61D7680D34A2257</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">WindowsXP-KB2813347-v2-x86-TRK.exe</td><td class=\"sbody-td\">5F6DD866CD43D7E4B909CFAF01DDF2AE6B8CE866</td><td class=\"sbody-td\">BE73C62590B61722ED333D6400A6E786AD3F6B72E310E886BCA36E8F5E932CDA</td></tr></table></div></div><br/></span></div></div></div></div></body></html>", "edition": 2, "modified": "2013-06-25T21:57:55", "id": "KB2828223", "href": "https://support.microsoft.com/en-us/help/2828223/", "published": "2013-04-09T00:00:00", "title": "MS13-029: Vulnerability in Remote Desktop Client could allow remote code execution: April 9, 2013", "type": "mskb", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:51", "bulletinFamily": "software", "cvelist": ["CVE-2013-1296"], "description": "Use-after-free in ActiveX", "edition": 1, "modified": "2013-04-12T00:00:00", "published": "2013-04-12T00:00:00", "id": "SECURITYVULNS:VULN:13003", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13003", "title": "Microsoft Remote Desktop Connection Client ActiveX code execution", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2021-02-01T06:15:02", "description": "The remote host contains a version of the Remote Desktop ActiveX\ncontrol that is affected by a remote code execution vulnerability\nwhen attempting to access an object in memory that has been deleted.\n\nIf an attacker can trick a user on the affected system into opening a\nspecially crafted webpage, this issue could be leveraged to execute\narbitrary code subject to the user's privileges.", "edition": 29, "published": "2013-04-10T00:00:00", "title": "MS13-029: Vulnerability in Remote Desktop Client Could Allow Remote Code Execution (2828223)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1296"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:remote_desktop_connection"], "id": "SMB_NT_MS13-029.NASL", "href": "https://www.tenable.com/plugins/nessus/65876", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(65876);\n script_version(\"1.15\");\n script_cvs_date(\"Date: 2018/11/15 20:50:31\");\n\n script_cve_id(\"CVE-2013-1296\");\n script_bugtraq_id(58874);\n script_xref(name:\"MSFT\", value:\"MS13-029\");\n script_xref(name:\"MSKB\", value:\"2813345\");\n script_xref(name:\"MSKB\", value:\"2813347\");\n\n script_name(english:\"MS13-029: Vulnerability in Remote Desktop Client Could Allow Remote Code Execution (2828223)\");\n script_summary(english:\"Checks for hotfix 2828223\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"It is possible to execute arbitrary code on the remote host through\nthe Remote Desktop ActiveX control.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host contains a version of the Remote Desktop ActiveX\ncontrol that is affected by a remote code execution vulnerability\nwhen attempting to access an object in memory that has been deleted.\n\nIf an attacker can trick a user on the affected system into opening a\nspecially crafted webpage, this issue could be leveraged to execute\narbitrary code subject to the user's privileges.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-13-065/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2013/ms13-029\");\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Microsoft has released a set of patches for Windows XP, 2003, Vista,\n7, 2008, and 2008 R2.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/04/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/04/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/04/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:remote_desktop_connection\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS13-029';\nkbs = make_list('2813345', '2813347');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin\n:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'2', win7:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nif (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);\n\nrootfile = hotfix_get_systemroot();\nif (!rootfile) exit(1, \"Failed to get the system root.\");\n\nshare = hotfix_path2share(path:rootfile);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\nif(\n # Windows 7 / Windows Server 2008 R2\n # RDP 7.0\n hotfix_is_vulnerable(os:\"6.1\", sp:0, file:\"Mstscax.dll\", version:\"6.1.7600.17233\", min_version:\"6.1.7600.16000\", dir:\"\\system32\", bulletin:bulletin, kb:'2813347') ||\n hotfix_is_vulnerable(os:\"6.1\", sp:0, file:\"Mstscax.dll\", version:\"6.1.7600.21448\", min_version:\"6.1.7600.20000\", dir:\"\\system32\", bulletin:bulletin, kb:'2813347') ||\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Mstscax.dll\", version:\"6.1.7601.18079\", min_version:\"6.1.7600.16000\", dir:\"\\system32\", bulletin:bulletin, kb:'2813347') ||\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Mstscax.dll\", version:\"6.1.7601.22252\", min_version:\"6.1.7601.20000\", dir:\"\\system32\", bulletin:bulletin, kb:'2813347') ||\n\n # Windows Vista Service Pack 2 / Windows Server 2008\n # RDP 6.1\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mstscax.dll\", version:\"6.0.6002.18804\", min_version:\"6.0.6002.18000\", dir:\"\\system32\", bulletin:bulletin, kb:'2813345') ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mstscax.dll\", version:\"6.0.6002.23075\", min_version:\"6.0.6002.22000\", dir:\"\\system32\", bulletin:bulletin, kb:'2813345') ||\n # RDP 7.0\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mstscax.dll\", version:\"6.1.7600.17233\", min_version:\"6.1.7600.16000\", dir:\"\\system32\", bulletin:bulletin, kb:'2813347') ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mstscax.dll\", version:\"6.1.7600.21448\", min_version:\"6.1.7600.20000\", dir:\"\\system32\", bulletin:bulletin, kb:'2813347') ||\n\n # Windows 2003 / XP x64\n # RDP 6.1\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mstscax.dll\", version:\"6.0.6001.18926\", min_version:\"6.0.6001.0\", dir:\"\\system32\", bulletin:bulletin, kb:'2813345') ||\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mstscax.dll\", version:\"6.0.6001.23191\", min_version:\"6.0.6001.22000\", dir:\"\\system32\", bulletin:bulletin, kb:'2813345') ||\n\n # Windows XP x86\n # RDP 6.1\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mstscax.dll\", version:\"6.0.6001.18926\", min_version:\"6.0.6001.16000\", dir:\"\\system32\", bulletin:bulletin, kb:'2813345') ||\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mstscax.dll\", version:\"6.0.6001.23191\", min_version:\"6.0.6001.20000\", dir:\"\\system32\", bulletin:bulletin, kb:'2813345') ||\n # RDP 7.0\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mstscax.dll\", version:\"6.1.7600.17233\", min_version:\"6.1.7600.16000\",dir:\"\\system32\", bulletin:bulletin, kb:'2813347') ||\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mstscax.dll\", version:\"6.1.7600.21448\", min_version:\"6.1.7600.20000\",dir:\"\\system32\", bulletin:bulletin, kb:'2813347')\n)\n{\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}
