Exploit Frameworks
SecurityCenter 4
TENABLE NETWORK SECURITY INC., COPYRIGHT © 2012
TENABLE NETWORK SECURITY, INC.
May 9, 2012 at 9:56pm CDT
Dave Breslin [dbreslin6]
Confidential: The following report contains confidential information. Do not distribute, email, fax, or transfer via any electronic mechanism unless it has been approved by the recipient company's security policy. All copies and backups of this document should be saved on protected storage at all times. Do not share any of the information contained within this report with anyone unless they are authorized to view the information. Violating any of the previous instructions is grounds for termination.
Table of Contents
Notice .......... 1
Exploit Framework Summary .......... 2
Core Impact .......... 7
    10.0.0.41 .......... 11
    10.0.0.54 .......... 29
    10.0.100.40 .......... 33
Canvas .......... 37
    10.0.0.41 .......... 41
    10.0.0.54 .......... 51
    10.0.100.40 .......... 58
Metasploit .......... 62
    10.0.0.41 .......... 66
    10.0.0.54 .......... 75
    10.0.100.40 .......... 82
Notice
This is an example report produced by scanning hosts in a lab. It is not intended for use in competitive analysis of exploit frameworks.
Exploit Framework Summary
5 Day Trend
Core Impact Exploitable Vulnerabilities
Plugin  Total  Severity  Plugin Name
57948   1      High      MS12-014: Vulnerability in Indeo Codec Could Allow Remote Code Execution (2661637)
55421   1      High      Adobe Reader < 10.1 / 9.4.5 / 8.3 Multiple Vulnerabilities (APSB11-16) (Mac OS X)
55141   1      High      Flash Player for Mac < 10.3.181.26 Remote Memory Corruption (APSB11-18)
55140   1      High      Flash Player < 10.3.181.26 Multiple Vulnerabilities (APSB11-18)
53473   1      High      Wireshark < 1.2.16 / 1.4.5 Multiple Vulnerabilities
53472   1      High      Flash Player < 10.2.159.1 ActionScript Predefined Class Prototype Addition Remote Code Execution (APSB11-07)
52673   1      High      Flash Player < 10.2.153.1 Unspecified Memory Corruption (APSB11-05)
49950   1      High      MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957)
48297   1      High      MS10-060: Vulnerabilities in the Microsoft .NET Common Language Runtime and in Microsoft Silverlight Could Allow Remote Code Execution (2265906)
48285   1      High      MS10-048: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2160329)
46839   1      High      MS10-032: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (979559)
42439   1      High      MS09-065: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (969947)
40434   1      High      Flash Player < 9.0.246.0 / 10.0.32.18 Multiple Vulnerabilities (APSB09-10)
39347   1      High      MS09-025: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (968537)
35822   1      High      MS09-006: Vulnerabilities in Windows Kernel Could Allow Remote Code Execution (958690)
Canvas Exploitable Vulnerabilities
Plugin  Total  Severity  Plugin Name
57044   1      High      Adobe Reader <= 10.1.1 / 9.4.6 U3D Memory Corruption (APSA11-04) (Mac OS X)
56163   1      Medium    Wireshark 1.4.x < 1.4.9 Multiple Vulnerabilities
55141   1      High      Flash Player for Mac < 10.3.181.26 Remote Memory Corruption (APSB11-18)
55140   1      High      Flash Player < 10.3.181.26 Multiple Vulnerabilities (APSB11-18)
53473   1      High      Wireshark < 1.2.16 / 1.4.5 Multiple Vulnerabilities
49950   1      High      MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957)
48297   1      High      MS10-060: Vulnerabilities in the Microsoft .NET Common Language Runtime and in Microsoft Silverlight Could Allow Remote Code Execution (2265906)
48285   1      High      MS10-048: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2160329)
46839   1      High      MS10-032: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (979559)
45509   1      High      MS10-022: Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (981169)
40434   1      High      Flash Player < 9.0.246.0 / 10.0.32.18 Multiple Vulnerabilities (APSB09-10)
27599   1      High      FLEXnet Connect Update Service ActiveX Control Multiple Code Execution Vulnerabilities
Metasploit Exploitable Vulnerabilities
Plugin  Total  Severity  Plugin Name
58659   1      High      MS12-027: Vulnerability in Windows Common Controls Could Allow Remote Code Execution (2664258)
58002   1      High      Flash Player for Mac <= 10.3.183.14 / 11.1.102.62 Multiple Vulnerabilities (APSB12-03)
58001   1      High      Flash Player <= 10.3.183.14 / 11.1.102.55 Multiple Vulnerabilities (APSB12-03)
57044   1      High      Adobe Reader <= 10.1.1 / 9.4.6 U3D Memory Corruption (APSA11-04) (Mac OS X)
56199   1      High      Adobe Reader < 10.1.1 / 9.4.6 / 8.3.1 Multiple Vulnerabilities (APSB11-21, APSB11-24) (Mac OS X)
56163   1      Medium    Wireshark 1.4.x < 1.4.9 Multiple Vulnerabilities
55804   1      High      Flash Player for Mac <= 10.3.181.36 Multiple Vulnerabilities (APSB11-21)
55803   1      High      Flash Player <= 10.3.181.36 Multiple Vulnerabilities (APSB11-21)
53473   1      High      Wireshark < 1.2.16 / 1.4.5 Multiple Vulnerabilities
53472   1      High      Flash Player < 10.2.159.1 ActionScript Predefined Class Prototype Addition Remote Code Execution (APSB11-07)
52673   1      High      Flash Player < 10.2.153.1 Unspecified Memory Corruption (APSB11-05)
45509   1      High      MS10-022: Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (981169)
27599   1      High      FLEXnet Connect Update Service ActiveX Control Multiple Code Execution Vulnerabilities
Core Impact
5 Day Trend
Core Impact Exploitable Hosts
IP Address NetBIOS Name DNS Name MAC Address Total Low Med. High Crit.
10.0.0.41 ITSDEPT\DT0008 dt8001.itsdept.com 52:54:00:fc:14:86 11 0 0 11 0
10.0.0.54 ITSDEPT\DT0007 dt0007.itsdept.com 00:10:60:df:1e:2b 2 0 0 2 0
10.0.100.40 UNKNOWN\MAC0001 mac0001.itsdept.com 60:c5:47:10:a7:1b 2 0 0 2 0
Core Impact Exploitable Vulnerability Totals by Plugin Family
Family Total Low Med. High Crit.
Windows : Microsoft Bulletins 8 0 0 8 0
Windows 5 0 0 5 0
MacOS X Local Security Checks 2 0 0 2 0
Core Impact Exploitable Vulnerability Totals by MS Bulletin
MS Bulletin Total Severity
MS12-014 1 High
MS10-073 1 High
MS10-060 1 High
MS10-048 1 High
MS10-032 1 High
MS09-065 1 High
MS09-025 1 High
MS09-006 1 High
Core Impact Exploitable Vulnerability Totals by CVE
CVE Total Severity
CVE-2011-2110 2 High
CVE-2011-2106 1 High
CVE-2011-2105 1 High
CVE-2011-2104 1 High
CVE-2011-2103 1 High
CVE-2011-2102 1 High
CVE-2011-2101 1 High
CVE-2011-2100 1 High
CVE-2011-2099 1 High
CVE-2011-2098 1 High
CVE-2011-2097 1 High
CVE-2011-2096 1 High
CVE-2011-2095 1 High
CVE-2011-2094 1 High
CVE-2011-1592 1 High
CVE-2011-1591 1 High
CVE-2011-1590 1 High
CVE-2011-0611 1 High
CVE-2011-0609 1 High
CVE-2010-3138 1 High
CVE-2010-2744 1 High
CVE-2010-2743 1 High
CVE-2010-2549 1 High
CVE-2010-1898 1 High
CVE-2010-1897 1 High
CVE-2010-1896 1 High
CVE-2010-1895 1 High
CVE-2010-1894 1 High
CVE-2010-1887 1 High
CVE-2010-1255 1 High
CVE-2010-0485 1 High
CVE-2010-0484 1 High
CVE-2010-0019 1 High
CVE-2009-2514 1 High
CVE-2009-2513 1 High
CVE-2009-2493 1 High
CVE-2009-1870 1 High
CVE-2009-1869 1 High
CVE-2009-1868 1 High
CVE-2009-1867 1 High
CVE-2009-1866 1 High
CVE-2009-1865 1 High
CVE-2009-1864 1 High
CVE-2009-1863 1 High
CVE-2009-1862 1 High
CVE-2009-1127 1 High
CVE-2009-1126 1 High
CVE-2009-1125 1 High
CVE-2009-1124 1 High
CVE-2009-1123 1 High
CVE-2009-0901 1 High
CVE-2009-0083 1 High
CVE-2009-0082 1 High
CVE-2009-0081 1 High
10.0.0.41
NetBIOS Name: ITSDEPT\DT0008
IP Address: 10.0.0.41
Vulnerabilities: Critical: 0, High: 42, Medium: 8, Low: 4, Info: 86
MAC Address: 52:54:00:fc:14:86
DNS Name: dt8001.itsdept.com
Repository: repo
Last Scan: May 9, 2012 @ 8:25PM
Core Impact Exploitable Vulnerability Details:
Plugin: 35822
Plugin Name: MS09-006: Vulnerabilities in Windows Kernel Could Allow Remote Code Execution (958690)
Severity: High
Port: 445
Protocol: TCP
Family: Windows : Microsoft Bulletins
Exploit?: Yes
Synopsis: It is possible to execute arbitrary code on the remote host.
Description: The remote host contains a version of the Windows kernel that is affected by the following vulnerabilities:
- A remote code execution vulnerability exists due to improper validation of input passed from user mode through the kernel component of GDI. Successful exploitation requires that a user on the affected host view a specially crafted EMF or WMF image file, perhaps by being tricked into visiting a malicious web site, and could lead to a complete system compromise. (CVE-2009-0081)
- A local privilege escalation vulnerability exists due to the way the kernel validates handles. (CVE-2009-0082)
- A local privilege escalation vulnerability exists due to improper handling of a specially crafted invalid pointer. (CVE-2009-0083)
Solution: Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008 :
http://technet.microsoft.com/en-us/security/bulletin/ms09-006
Risk Factor: High
STIG Severity: I
CVSS Base Score: 9.3
CVSS Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS Temporal Score: 7.7
CVSS Temporal Vector: CVSS2#E:F/RL:OF/RC:C
Plugin Output:
- C:\WINDOWS\system32\Win32k.sys has not been patched
  Remote version : 5.1.2600.5512
  Should be : 5.1.2600.5756
CPE: cpe:/o:microsoft:windows
CVE: CVE-2009-0081, CVE-2009-0082, CVE-2009-0083
BID: 34012, 34025, 34027
Crossref: OSVDB #52522, OSVDB #52523, OSVDB #52524, IAVA #2009-A-0020, MSFT #MS09-006, CWE #20
Plugin Publication Date: 2009/03/11
Plugin Modification Date: 2011/12/12
Exploit Available: true
Exploitability Ease: Exploits are available
Plugin Type: local
Source File: smb_nt_ms09-006.nasl
Exploit Frameworks: Core Impact
Plugin: 39347
Plugin Name: MS09-025: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (968537)
Severity: High
Port: 445
Protocol: TCP
Family: Windows : Microsoft Bulletins
Exploit?: Yes
Synopsis: The remote Windows kernel is affected by local privilege escalation vulnerabilities.
Description: The remote host contains a version of the Windows kernel that is affected by multiple vulnerabilities :
- A failure of the Windows kernel to properly validate changes in certain kernel objects allows a local user to run arbitrary code in kernel mode. (CVE-2009-1123)
- Insufficient validation of certain pointers passed from user mode allows a local user to run arbitrary code in kernel mode. (CVE-2009-1124)
- A failure to properly validate an argument passed to a Windows kernel system call allows a local user to run arbitrary code in kernel mode. (CVE-2009-1125)
- Improper validation of input passed from user mode to the kernel when editing a specific desktop parameter allows a local user to run arbitrary code in kernel mode. (CVE-2009-1126)
Solution: Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008 :
http://technet.microsoft.com/en-us/security/bulletin/MS09-025
Risk Factor: High
CVSS Base Score: 7.2
CVSS Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C
CVSS Temporal Score: 6.0
CVSS Temporal Vector: CVSS2#E:F/RL:OF/RC:C
Plugin Output:
- C:\WINDOWS\system32\Win32k.sys has not been patched
  Remote version : 5.1.2600.5512
  Should be : 5.1.2600.5796
CPE: cpe:/o:microsoft:windows
CVE: CVE-2009-1123, CVE-2009-1124, CVE-2009-1125, CVE-2009-1126
BID: 35120, 35121, 35238, 35240
Crossref: CWE #20, OSVDB #54940, OSVDB #54941, OSVDB #54942, OSVDB #54943, MSFT #MS09-025
Plugin Publication Date: 2009/06/10
Plugin Modification Date: 2012/04/23
Exploit Available: true
Exploitability Ease: Exploits are available
Plugin Type: local
Source File: smb_nt_ms09-025.nasl
Exploit Frameworks: Core Impact
Plugin: 40434
Plugin Name: Flash Player < 9.0.246.0 / 10.0.32.18 Multiple Vulnerabilities (APSB09-10)
Severity: High
Port: 445
Protocol: TCP
Family: Windows
Exploit?: Yes
Synopsis: The remote Windows host contains a browser plugin that is affected by multiple vulnerabilities.
Description: The remote Windows host contains a version of Adobe Flash Player that is earlier than 9.0.246.0 / 10.0.32.18. Such versions are reportedly affected by multiple vulnerabilities:
- A memory corruption vulnerability that could potentially lead to code execution. (CVE-2009-1862)
- A vulnerability in the Microsoft Active Template Library (ATL) which could allow an attacker who successfully exploits the vulnerability to take control of the affected system. (CVE-2009-0901, CVE-2009-2395, CVE-2009-2493)
- A privilege escalation vulnerability that could potentially lead to code execution. (CVE-2009-1863)
- A heap overflow vulnerability that could potentially lead to code execution. (CVE-2009-1864)
- A null pointer vulnerability that could potentially lead to code execution. (CVE-2009-1865)
- A stack overflow vulnerability that could potentially lead to code execution. (CVE-2009-1866)
- A clickjacking vulnerability that could allow an attacker to lure a web browser user into unknowingly clicking on a link or dialog. (CVE-2009-1867)
- A URL parsing heap overflow vulnerability that could potentially lead to code execution. (CVE-2009-1868)
- An integer overflow vulnerability that could potentially lead to code execution. (CVE-2009-1869)
- A local sandbox vulnerability that could potentially lead to information disclosure when SWFs are saved to the hard drive. (CVE-2009-1870)
Solution: Upgrade to version 10.0.32.18 or later. If you are unable to upgrade to version 10, upgrade to version 9.0.246.0 or later.
See Also: http://www.adobe.com/support/security/bulletins/apsb09-10.html
Risk Factor: High
STIG Severity: I
CVSS Base Score: 9.3
CVSS Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS Temporal Score: 7.7
CVSS Temporal Vector: CVSS2#E:F/RL:OF/RC:C
Plugin Output:
Nessus has identified the following vulnerable instance of Flash Player installed on the remote host :
- ActiveX control (for Internet Explorer) : C:\WINDOWS\system32\Macromed\Flash\Flash6.ocx, 6.0.88.0
CPE: cpe:/a:adobe:flash_player
CVE: CVE-2009-1862, CVE-2009-0901, CVE-2009-2493, CVE-2009-1863, CVE-2009-1864, CVE-2009-1865, CVE-2009-1866, CVE-2009-1867, CVE-2009-1868, CVE-2009-1869, CVE-2009-1870
BID: 35759, 35832, 35846, 35900, 35901, 35902, 35903, 35904, 35905, 35906, 35907, 35908
Crossref: OSVDB #56282, OSVDB #56696, OSVDB #56698, OSVDB #56771, OSVDB #56772, OSVDB #56773, OSVDB #56774, OSVDB #56775, OSVDB #56776, OSVDB #56777, OSVDB #56778, IAVA #2009-A-0061, IAVA #2009-A-0062, IAVA #2009-A-0063, IAVA #2009-A-0067, IAVA #2009-A-0094, IAVA #2009-A-0097, IAVA #2009-A-0127, CWE #200
Vulnerability Publication Date: 2009/07/28
Patch Publication Date: 2009/07/30
Plugin Publication Date: 2009/07/30
Plugin Modification Date: 2011/12/12
Exploit Available: true
Exploitability Ease: Exploits are available
Plugin Type: local
Source File: flash_player_apsb09_10.nasl
Exploit Frameworks: Canvas (CANVAS), Core Impact
Plugin: 42439
Plugin Name: MS09-065: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (969947)
Severity: High
Port: 445
Protocol: TCP
Family: Windows : Microsoft Bulletins
Exploit?: Yes
Synopsis: The remote Windows kernel is affected by remote privilege escalation vulnerabilities.
Description: The remote host contains a version of the Windows kernel that is affected by multiple vulnerabilities :
- A NULL pointer dereferencing vulnerability allowing a local user to elevate his privileges (CVE-2009-1127)
- Insufficient validation of certain input passed to GDI from user mode allows a local user to run arbitrary code in kernel mode. (CVE-2009-2513)
- A parsing vulnerability when decoding a specially crafted Embedded OpenType (EOT) font may allow a remote user to execute arbitrary code on the remote host by luring a user of the remote host into viewing a web page containing such a malformed font. (CVE-2009-2514)
Solution: Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008 :
http://technet.microsoft.com/en-us/security/bulletin/MS09-065
Risk Factor: High
STIG Severity: II
CVSS Base Score: 9.3
CVSS Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS Temporal Score: 7.3
CVSS Temporal Vector: CVSS2#E:POC/RL:OF/RC:C
Plugin Output:
- C:\WINDOWS\system32\Win32k.sys has not been patched
  Remote version : 5.1.2600.5512
  Should be : 5.1.2600.5863
CPE: cpe:/o:microsoft:windows
CVE: CVE-2009-1127, CVE-2009-2513, CVE-2009-2514
BID: 36029, 36939, 36941
Crossref: OSVDB #59867, OSVDB #59868, OSVDB #59869, IAVA #2009-A-0117, MSFT #MS09-065, CWE #94
Vulnerability Publication Date: 2009/11/10
Patch Publication Date: 2009/11/10
Plugin Publication Date: 2009/11/10
Plugin Modification Date: 2011/12/12
Exploit Available: true
Exploitability Ease: Exploits are available
Plugin Type: local
Source File: smb_nt_ms09-065.nasl
Exploit Frameworks: Core Impact
Plugin: 46839
Plugin Name: MS10-032: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (979559)
Severity: High
Port: 445
Protocol: TCP
Family: Windows : Microsoft Bulletins
Exploit?: Yes
Synopsis: The Windows kernel is affected by several vulnerabilities that could allow escalation of privileges.
Description: The remote Windows host is running a version of the Windows kernel that is affected by one or more of the following vulnerabilities :
- Improper validation of changes in certain kernel objects may allow a local attacker to execute arbitrary code in kernel mode and take complete control of the affected system. (CVE-2010-0484)
- Improper validation of parameters when creating a new window may allow a local attacker to execute arbitrary code in kernel mode and take complete control of the affected system. (CVE-2010-0485)
- A vulnerability that arises in the way Windows provides glyph outline information to applications may allow a local attacker to execute arbitrary code in kernel mode and take complete control of the affected system. (CVE-2010-1255)
Solution: Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista, 2008, 7, and 2008 R2 :
http://technet.microsoft.com/en-us/security/bulletin/MS10-032
Risk Factor: High
STIG Severity: II
CVSS Base Score: 7.2
CVSS Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C
CVSS Temporal Score: 6.0
CVSS Temporal Vector: CVSS2#E:F/RL:OF/RC:C
Plugin Output:
- C:\WINDOWS\system32\Win32k.sys has not been patched
  Remote version : 5.1.2600.5512
  Should be : 5.1.2600.5976
CPE: cpe:/o:microsoft:windows
CVE: CVE-2010-0484, CVE-2010-0485, CVE-2010-1255
BID: 40508, 40569, 40570
Crossref: OSVDB #65223, OSVDB #65224, OSVDB #65225, IAVA #2010-A-0077, MSFT #MS10-032
Vulnerability Publication Date: 2010/06/08
Patch Publication Date: 2010/06/08
Plugin Publication Date: 2010/06/09
Plugin Modification Date: 2011/12/12
Exploit Available: true
Exploitability Ease: Exploits are available
Plugin Type: local
Source File: smb_nt_ms10-032.nasl
Exploit Frameworks: Canvas (CANVAS), Core Impact
Plugin: 48285
Plugin Name: MS10-048: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2160329)
Severity: High
Port: 445
Protocol: TCP
Family: Windows : Microsoft Bulletins
Exploit?: Yes
Synopsis: The Windows kernel is affected by several vulnerabilities that could allow escalation of privileges.
Description: The remote Windows host is running a version of the Windows kernel that is affected by one or more of the following vulnerabilities :
- Improper validation of an argument passed to a system call can result in a denial of service. (CVE-2010-1887)
- Certain unspecified exceptions are not properly handled, which could result in arbitrary code execution in the kernel. (CVE-2010-1894)
- Memory is not properly allocated when making a copy from user mode, which could result in an elevation of privileges. (CVE-2010-1895)
- Unspecified input from user mode is not properly validated, which could result in arbitrary code execution in the kernel. (CVE-2010-1896)
- Unspecified parameters are not properly validated when creating a new window, which could result in arbitrary code execution in the kernel. (CVE-2010-1897)
Solution: Microsoft has released a set of patches for Windows XP, 2003, Vista, 2008, 7, and 2008 R2 :
http://technet.microsoft.com/en-us/security/bulletin/MS10-048
Risk Factor: High
STIG Severity: II
CVSS Base Score: 7.2
CVSS Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C
CVSS Temporal Score: 6.0
CVSS Temporal Vector: CVSS2#E:F/RL:OF/RC:C
Plugin Output:
- C:\WINDOWS\system32\Win32k.sys has not been patched
  Remote version : 5.1.2600.5512
  Should be : 5.1.2600.6003
CPE: cpe:/o:microsoft:windows
CVE: CVE-2010-1887, CVE-2010-1894, CVE-2010-1895, CVE-2010-1896, CVE-2010-1897
BID: 39630, 42206, 42210, 42245, 42250
Crossref: OSVDB #66979, OSVDB #66980, OSVDB #66981, OSVDB #66982, OSVDB #66983, IAVA #2010-A-0106, MSFT #MS10-048
Vulnerability Publication Date: 2010/04/22
Patch Publication Date: 2010/08/10
Plugin Publication Date: 2010/08/11
Plugin Modification Date: 2011/12/12
Exploit Available: true
Exploitability Ease: Exploits are available
Plugin Type: local
Source File: smb_nt_ms10-048.nasl
Exploit Frameworks: Canvas (CANVAS), Core Impact
Plugin: 49950
Plugin Name: MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957)
Severity: High
Port: 445
Protocol: TCP
Family: Windows : Microsoft Bulletins
Exploit?: Yes
Synopsis: The Windows kernel is affected by multiple vulnerabilities that could allow escalation of privileges.
Description: The remote Windows host is running a version of the Windows kernel that is affected by the following vulnerabilities :
- A reference count leak, which could result in arbitrary code execution in the kernel. (CVE-2010-2549)
- Kernel-mode drivers load unspecified keyboard layers improperly, which could result in arbitrary code execution in the kernel. (CVE-2010-2743)
- Kernel-mode drivers do not properly validate unspecified window class data, which could result in arbitrary code execution in the kernel. (CVE-2010-2744)
Solution: Microsoft has released a set of patches for Windows 2003, XP, Vista, 2008, 7, and 2008 R2 :
http://technet.microsoft.com/en-us/security/bulletin/MS10-073
See Also: http://archives.neohapsis.com/archives/fulldisclosure/2010-07/0003.html
Risk Factor: High
STIG Severity: II
CVSS Base Score: 7.2
CVSS Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C
CVSS Temporal Score: 6.0
CVSS Temporal Vector: CVSS2#E:F/RL:OF/RC:C
Plugin Output:
- C:\WINDOWS\system32\Win32k.sys has not been patched
  Remote version : 5.1.2600.5512
  Should be : 5.1.2600.6033
CPE: cpe:/o:microsoft:windows
CVE: CVE-2010-2549, CVE-2010-2743, CVE-2010-2744
BID: 41280, 43773, 43774
Crossref: OSVDB #66003, OSVDB #68551, OSVDB #68552, EDB-ID #15985, IAVA #2010-A-0138, MSFT #MS10-073
Vulnerability Publication Date: 2010/06/30
Patch Publication Date: 2010/10/12
Plugin Publication Date: 2010/10/13
Plugin Modification Date: 2012/04/23
Exploit Available: true
Exploitability Ease: Exploits are available
Plugin Type: local
Source File: smb_nt_ms10-073.nasl
Exploit Frameworks: Canvas (CANVAS), Core Impact
Plugin: 52673
Plugin Name: Flash Player < 10.2.153.1 Unspecified Memory Corruption (APSB11-05)
Severity: High
Port: 445
Protocol: TCP
Family: Windows
Exploit?: Yes
Synopsis: The remote Windows host contains a browser plug-in that is affected by a memory corruption vulnerability.
Description: The remote Windows host contains a version of Adobe Flash Player earlier than 10.2.153.1. Such versions are affected by an unspecified memory corruption vulnerability.
A remote attacker could exploit this by tricking a user into viewing maliciously crafted SWF content, resulting in arbitrary code execution.
This bug is currently being exploited in the wild.
Solution: Upgrade to Flash Player 10.2.153.1 or later.
See Also:
http://www.nessus.org/u?82775d9e
http://www.adobe.com/support/security/advisories/apsa11-01.html
http://www.adobe.com/support/security/bulletins/apsb11-05.html
Risk Factor: High
STIG Severity: II
CVSS Base Score: 9.3
CVSS Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS Temporal Score: 7.7
CVSS Temporal Vector: CVSS2#E:F/RL:OF/RC:C
Plugin Output:
Product : ActiveX control (for Internet Explorer)
Path : C:\WINDOWS\system32\Macromed\Flash\Flash6.ocx
Installed version : 6.0.88.0
Fixed version : 10.2.153.1
CPE: cpe:/a:adobe:flash_player
CVE: CVE-2011-0609
BID: 46860
Crossref: OSVDB #71254, CERT #192052, EDB-ID #17027, IAVA #2011-A-0035, IAVA #2011-A-0036, Secunia #43751, Secunia #43757
Vulnerability Publication Date: 2011/03/14
Patch Publication Date: 2011/03/21
Plugin Publication Date: 2011/03/15
Plugin Modification Date: 2012/04/23
Exploit Available: true
Exploitability Ease: Exploits are available
Plugin Type: local
Source File: flash_player_apsa11-01.nasl
Exploit Frameworks: Metasploit (Adobe Flash Player AVM Bytecode Verification), Core Impact
Plugin: 53472
Plugin Name: Flash Player < 10.2.159.1 ActionScript Predefined Class Prototype Addition Remote Code Execution (APSB11-07)
Severity: High
Port: 445
Protocol: TCP
Family: Windows
Exploit?: Yes
Synopsis: The remote Windows host contains a browser plug-in that allows arbitrary code execution.
Description: The remote Windows host contains a version of Adobe Flash Player earlier than 10.2.159.1. Such versions are reportedly affected by a memory corruption vulnerability.
By tricking a user on the affected system into opening a specially crafted document with Flash content, such as a SWF file embedded in a Microsoft Word document, an attacker can potentially leverage this issue to execute arbitrary code remotely on the system subject to the user's privileges.
Note that there are reports that this issue is being exploited in the wild as of April 2011.
Solution: Upgrade to Adobe Flash Player 10.2.159.1 or later.
See Also:
http://www.nessus.org/u?9ee82b34
http://www.adobe.com/support/security/bulletins/apsb11-07.html
Risk Factor: High
STIG Severity: II
CVSS Base Score: 9.3
CVSS Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS Temporal Score: 7.7
CVSS Temporal Vector: CVSS2#E:F/RL:OF/RC:C
Plugin Output:
Product : ActiveX control (for Internet Explorer)
Path : C:\WINDOWS\system32\Macromed\Flash\Flash6.ocx
Installed version : 6.0.88.0
Fixed version : 10.2.159.1
CPE: cpe:/a:adobe:flash_player
CVE: CVE-2011-0611
BID: 47314
Crossref: OSVDB #71686, CERT #230057, IAVA #2011-A-0053, Secunia #44119
Vulnerability Publication Date: 2011/04/11
Patch Publication Date: 2011/04/15
Plugin Publication Date: 2011/04/18
Plugin Modification Date: 2012/04/23
Exploit Available: true
Exploitability Ease: Exploits are available
Plugin Type: local
Source File: flash_player_apsb11-07.nasl
Exploit Frameworks: Metasploit (windows/browser/adobe_flashplayer_flash10o.rb), Core Impact
Plugin: 55140
Plugin Name: Flash Player < 10.3.181.26 Multiple Vulnerabilities (APSB11-18)
Severity: High | Port: 445 | Protocol: TCP | Family: Windows | Exploit?: Yes
Synopsis: A browser plugin is affected by a memory corruption vulnerability.
Description: According to its version, the instance of Flash Player installed on the remote Windows host is earlier than 10.3.181.26. This version of Flash Player has a critical vulnerability. By tricking a user on the affected system into opening a specially crafted document with Flash content, an attacker could leverage the vulnerability to execute arbitrary code remotely on the system subject to the user's privileges.
This issue is reportedly being exploited in the wild in targeted attacks as of June 2011.
Solution: Upgrade to Adobe Flash version 10.3.181.26 or later.
See Also: http://www.adobe.com/support/security/bulletins/apsb11-18.html
Risk Factor: High
CVSS Base Score: 9.3
CVSS Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS Temporal Score: 7.7
CVSS Temporal Vector: CVSS2#E:F/RL:OF/RC:C
Plugin Output:
Product : ActiveX control (for Internet Explorer)
Path : C:\WINDOWS\system32\Macromed\Flash\Flash6.ocx
Installed version : 6.0.88.0
Fixed version : 10.3.181.26
CPE: cpe:/a:adobe:flash_player
CVE: CVE-2011-2110
BID: 48268
Crossref: OSVDB #73007
Vulnerability Publication Date: 2011/06/14
Patch Publication Date: 2011/06/14
Plugin Publication Date: 2011/06/15
Plugin Modification Date: 2012/04/23
Exploit Available: true
Exploitability Ease: Exploits are available
Plugin Type: local
Source File: flash_player_apsb11-18.nasl
Exploit Frameworks: Canvas (CANVAS), Core Impact
Plugin: 57948
Plugin Name: MS12-014: Vulnerability in Indeo Codec Could Allow Remote Code Execution (2661637)
Severity: High | Port: 445 | Protocol: TCP | Family: Windows : Microsoft Bulletins | Exploit?: Yes
Synopsis: Arbitrary code can be executed on the remote Windows host through the Indeo codec.
Description: The remote Windows XP host contains a version of the Indeo codec that is affected by an insecure library loading vulnerability.
A remote attacker could exploit this by tricking a user into opening a legitimate file (e.g., an .avi file) located in the same directory as a maliciously crafted dynamic link library (DLL) file, resulting in arbitrary code execution.
Solution: Microsoft has released a patch for Windows XP :
http://technet.microsoft.com/en-us/security/bulletin/ms12-014
See Also: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4956.php
Risk Factor: High
CVSS Base Score: 9.3
CVSS Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS Temporal Score: 7.7
CVSS Temporal Vector: CVSS2#E:F/RL:OF/RC:C
Plugin Output:
The following file was not found :
C:\WINDOWS\system32\Iacenc.dll
This indicates KB2661637 is missing.
CPE: cpe:/o:microsoft:windows_xp
CVE: CVE-2010-3138
BID: 42730
Crossref: OSVDB #67551, EDB-ID #14765, EDB-ID #14788, MSFT #MS12-014, Secunia #41114
Vulnerability Publication Date: 2010/08/25
Patch Publication Date: 2012/02/14
Plugin Publication Date: 2012/02/14
Plugin Modification Date: 2012/04/23
Exploit Available: true
Exploitability Ease: Exploits are available
Plugin Type: local
Source File: smb_nt_ms12-014.nasl
Exploit Frameworks: Core Impact
10.0.0.54
NetBIOS Name: ITSDEPT\DT0007
IP Address: 10.0.0.54
Vulnerabilities: Critical: 2, High: 10, Medium: 10, Low: 5, Info: 55
MAC Address: 00:10:60:df:1e:2b
DNS Name: dt0007.itsdept.com
Repository: repo
Last Scan: May 9, 2012 @ 8:25PM
Core Impact Exploitable Vulnerability Details:
Plugin: 48297
Plugin Name: MS10-060: Vulnerabilities in the Microsoft .NET Common Language Runtime and in Microsoft Silverlight Could Allow Remote Code Execution (2265906)
Severity: High | Port: 445 | Protocol: TCP | Family: Windows : Microsoft Bulletins | Exploit?: Yes
Synopsis: The Microsoft .NET Common Language Runtime and/or Microsoft Silverlight have multiple vulnerabilities.
Description: The remote Windows host is running a version of the Microsoft .NET Framework and/or Microsoft Silverlight affected by multiple vulnerabilities :
- Silverlight improperly handles pointers in an unspecified manner. A remote attacker could exploit this by tricking a user into viewing a web page with maliciously crafted Silverlight content. (CVE-2010-0019)
- An unspecified vulnerability in the .NET framework can allow a specially crafted .NET or Silverlight application to access memory, resulting in arbitrary unmanaged code execution. (CVE-2010-1898)
Solution: Microsoft has released a set of patches for .NET Framework 2.0, 3.5, and Silverlight :
http://technet.microsoft.com/en-us/security/bulletin/MS10-060
Risk Factor: High
STIG Severity: II
CVSS Base Score: 9.3
CVSS Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS Temporal Score: 7.7
CVSS Temporal Vector: CVSS2#E:F/RL:OF/RC:C
Plugin Output:
Product : Microsoft Silverlight
Path : c:\Program Files\Microsoft Silverlight\3.0.40624.0
Installed version : 3.0.40624.0
Fix : 3.0.50611.0
CPE: cpe:/a:microsoft:silverlight, cpe:/o:microsoft:windows
CVE: CVE-2010-0019, CVE-2010-1898
BID: 42138, 42295
Crossref: OSVDB #66992, OSVDB #66993, IAVA #2010-A-0109, MSFT #MS10-060
Vulnerability Publication Date: 2010/08/10
Patch Publication Date: 2010/08/10
Plugin Publication Date: 2010/08/11
Plugin Modification Date: 2012/02/21
Exploit Available: true
Exploitability Ease: Exploits are available
Plugin Type: local
Source File: smb_nt_ms10-060.nasl
Exploit Frameworks: Canvas (CANVAS), Core Impact
Plugin: 53473
Plugin Name: Wireshark < 1.2.16 / 1.4.5 Multiple Vulnerabilities
Severity: High | Port: 445 | Protocol: TCP | Family: Windows | Exploit?: Yes
Synopsis: The remote Windows host contains an application that is affected by multiple vulnerabilities.
Description: The installed version of Wireshark is 1.2.x less than 1.2.16 or 1.4.x less than 1.4.5. Such versions are affected by the following vulnerabilities :
- A data type mismatch error exists in the function 'dissect_nfs_clientaddr4' in the file 'packet-nfs.c' of the NFS dissector and could lead to application crashes while decoding 'SETCLIENTID' calls. (5209)
- A use-after-free error exists in the file 'asn1/x509if/x509if.cnf' of the X.509if dissector that could lead to application crashes. (5754, 5793)
- A buffer overflow vulnerability exists in the file 'packet-dect.c' of the DECT dissector that could allow arbitrary code execution. (5836)
Solution: Upgrade to Wireshark version 1.2.16 / 1.4.5 or later.
See Also: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5209
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5754
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5793
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5836
http://www.wireshark.org/security/wnpa-sec-2011-05.html
http://www.wireshark.org/security/wnpa-sec-2011-06.html
http://www.wireshark.org/docs/relnotes/wireshark-1.2.16.html
http://www.wireshark.org/docs/relnotes/wireshark-1.4.5.html
Risk Factor: High
CVSS Base Score: 9.3
CVSS Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS Temporal Score: 7.7
CVSS Temporal Vector: CVSS2#E:F/RL:OF/RC:C
Plugin Output: The following vulnerable instance of Wireshark is installed :
Path : C:\Program Files\Wireshark
Installed version : 1.4.4
Fixed version : 1.2.16 / 1.4.5
CPE: cpe:/a:wireshark:wireshark
CVE: CVE-2011-1590, CVE-2011-1591, CVE-2011-1592
BID: 47392
Crossref: OSVDB #71846, OSVDB #71847, OSVDB #71848, EDB-ID #17185, EDB-ID #18145, Secunia #44172
Vulnerability Publication Date: 2011/04/15
Patch Publication Date: 2011/04/15
Plugin Publication Date: 2011/04/18
Plugin Modification Date: 2012/04/23
Exploit Available: true
Exploitability Ease: Exploits are available
Plugin Type: local
Source File: wireshark_1_4_5.nasl
Exploit Frameworks: Canvas (CANVAS), Metasploit (Wireshark <= 1.4.4 packet-dect.c Stack Buffer Overflow), Core Impact
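The 'Installed version' / 'Fixed version' pair is the whole evidence behind a local version check such as the Flash and Wireshark records above: the plugin reads a version from the file system (the Flash6.ocx file version, the Wireshark install) and compares it with the fix for that product branch. Two details matter when reproducing or auditing such checks. Versions must be compared numerically, component by component (as strings, '6.0.88.0' sorts above '10.2.159.1' and the Flash 6 install would look patched), and a 'Fixed version' with several branches ('1.2.16 / 1.4.5') means each branch has its own fix, so a 1.4.x install is judged against 1.4.5 only. The Python below is an added example, not Nessus plugin code. The `branch_len` parameter (how many leading components name a branch) and the rule that an install older than every fixed branch counts as vulnerable are this example's assumptions, chosen so that the Flash 6.0.88.0 and Wireshark 1.4.4 verdicts match the report; the real plugins encode each vendor's support matrix explicitly.

```python
"""Branch-aware version comparison, as a credentialed local check performs it (added example)."""
import re


def parse_version(text: str) -> tuple:
    """'10.2.159.1' -> (10, 2, 159, 1). Tuples of ints order correctly, unlike strings."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def is_vulnerable(installed: str, fixed: str, branch_len: int = 1) -> bool:
    """True when `installed` is below the fix for its own branch.

    `fixed` is the plugin's 'Fixed version' field: one version ('10.2.159.1') or several
    branch fixes separated by '/' ('1.2.16 / 1.4.5'). `branch_len` is the number of leading
    components that name a branch (1 for Flash 9.x / 10.x, 2 for Wireshark 1.2.x / 1.4.x).
    Assumption of this example: an install older than every fixed branch (Flash 6 against
    the 9 / 10 fixes) is vulnerable; an unlisted branch in between (Wireshark 1.3.x) is not
    judged by this check.
    """
    inst = parse_version(installed)
    fixes = sorted(parse_version(f) for f in fixed.split("/"))
    branch = inst[:branch_len]
    for fix in fixes:
        if fix[:branch_len] == branch:
            return inst < fix          # same branch: below that branch's fix?
    return branch < fixes[0][:branch_len]  # older than every branch the vendor still fixes


def check_plugin_output(output: str, branch_len: int = 1) -> dict:
    """Read the 'Installed version' / 'Fixed version' pair from a plugin output block.
    The regexes also cope with the run-together form produced by PDF extraction
    ('Installed version : 6.0.88.0Fixed version : 10.2.159.1')."""
    installed = re.search(r"Installed version\s*:\s*([\d.]+)", output).group(1)
    fixed = re.search(r"Fixed version\s*:\s*([\d. /]+)", output).group(1).strip()
    return {"installed": installed, "fixed": fixed,
            "vulnerable": is_vulnerable(installed, fixed, branch_len)}


if __name__ == "__main__":
    # Outputs copied from the records in this report.
    print(check_plugin_output("Installed version : 6.0.88.0\nFixed version : 10.2.159.1"))
    print(check_plugin_output("Installed version : 1.4.4\nFixed version : 1.2.16 / 1.4.5", branch_len=2))
    print(check_plugin_output("Installed version : 10.2.159.1\nFixed version : 10.3.181.26"))
```

A practitioner verifying a finding by hand should apply the same branch logic: Wireshark 1.4.5 is not flagged by this plugin even though 1.4.5 is "less than" a later 1.6 release, and Flash 10.2.159.1 (the Mac host later in this report) is flagged against 10.3.181.26 because both sit in the same major branch.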
10.0.100.40
NetBIOS Name: UNKNOWN\MAC0001
IP Address: 10.0.100.40
Vulnerabilities: Critical: 2, High: 17, Medium: 2, Low: 0, Info: 44
MAC Address: 60:c5:47:10:a7:1b
DNS Name: mac0001.itsdept.com
Repository: repo
Last Scan: May 9, 2012 @ 8:25PM
Core Impact Exploitable Vulnerability Details:
Plugin: 55141
Plugin Name: Flash Player for Mac < 10.3.181.26 Remote Memory Corruption (APSB11-18)
Severity: High | Port: 0 | Protocol: TCP | Family: MacOS X Local Security Checks | Exploit?: Yes
Synopsis: The remote Mac OS X host has a browser plugin that is affected by a remote memory corruption vulnerability.
Description: According to its version, the instance of Flash Player installed on the remote Mac OS X host is earlier than 10.3.181.26. This version of Flash Player has a critical vulnerability. By tricking a user on the affected system into opening a specially crafted document with Flash content, an attacker could leverage the vulnerability to execute arbitrary code remotely on the system subject to the user's privileges.
This issue is reportedly being exploited in the wild in targeted attacks as of June 2011.
Solution: Upgrade to Adobe Flash for Mac version 10.3.181.26 or later.
See Also: http://www.adobe.com/support/security/bulletins/apsb11-18.html
Risk Factor: High
CVSS Base Score: 9.3
CVSS Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS Temporal Score: 7.7
CVSS Temporal Vector: CVSS2#E:F/RL:OF/RC:C
Plugin Output:
Installed version : 10.2.159.1
Fixed version : 10.3.181.26
CPE: cpe:/a:adobe:flash_player
CVE: CVE-2011-2110
BID: 48268
Crossref: OSVDB #73007
Vulnerability Publication Date: 2011/06/14
Patch Publication Date: 2011/06/14
Plugin Publication Date: 2011/06/15
Plugin Modification Date: 2012/04/23
Exploit Available: true
Exploitability Ease: Exploits are available
Plugin Type: local
Source File: macosx_flash_player_10_3_181_26.nasl
Exploit Frameworks: Canvas (CANVAS), Core Impact
Plugin: 55421
Plugin Name: Adobe Reader < 10.1 / 9.4.5 / 8.3 Multiple Vulnerabilities (APSB11-16) (Mac OS X)
Severity: High | Port: 0 | Protocol: TCP | Family: MacOS X Local Security Checks | Exploit?: Yes
Synopsis: The version of Adobe Reader on the remote Mac OS X host is affected by multiple vulnerabilities.
Description: The version of Adobe Reader installed on the remote Mac OS X host is earlier than 10.1 / 9.4.5 / 8.3. As such, it is potentially affected by the following vulnerabilities :
- Multiple buffer overflow vulnerabilities exist that could lead to code execution. (CVE-2011-2094, CVE-2011-2095, CVE-2011-2097)
- A heap overflow vulnerability exists that could lead to code execution. (CVE-2011-2096)
- Multiple memory corruption vulnerabilities exist that could lead to code execution. (CVE-2011-2098, CVE-2011-2099, CVE-2011-2103, CVE-2011-2105, CVE-2011-2106)
- Multiple memory corruption vulnerabilities exist that could cause the application to crash. (CVE-2011-2104, CVE-2011-2105)
- A DLL loading vulnerability exists that could lead to code execution. (CVE-2011-2100)
- A cross document script execution vulnerability exists that could lead to code execution. (CVE-2011-2101)
- A security bypass vulnerability exists that could lead to bypassing security restrictions. (CVE-2011-2102)
Solution: Upgrade to Adobe Reader 8.3 / 9.4.5 / 10.1 or later.
See Also: http://www.zerodayinitiative.com/advisories/ZDI-11-218
http://www.zerodayinitiative.com/advisories/ZDI-11-219
http://www.adobe.com/support/security/bulletins/apsb11-16.html
Risk Factor: High
CVSS Base Score: 9.3
CVSS Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS Temporal Score: 7.7
CVSS Temporal Vector: CVSS2#E:F/RL:OF/RC:C
Plugin Output: The following vulnerable instance of Adobe Reader is installed on the remote host :
Path : /Applications/Adobe Reader.app
Installed version : 10.0.0
Fixed version : 8.3 / 9.4.5 / 10.1
CPE: cpe:/a:adobe:reader
CVE: CVE-2011-2094, CVE-2011-2095, CVE-2011-2096, CVE-2011-2097, CVE-2011-2098, CVE-2011-2099, CVE-2011-2100, CVE-2011-2101, CVE-2011-2102, CVE-2011-2103,CVE-2011-2104, CVE-2011-2105, CVE-2011-2106
BID: 48240, 48242, 48243, 48244, 48245, 48246, 48247, 48248, 48249, 48251, 48252, 48253, 48255
Crossref: OSVDB #73055, OSVDB #73056, OSVDB #73057, OSVDB #73058, OSVDB #73059, OSVDB #73061, OSVDB #73062, OSVDB #73063, OSVDB #73064, OSVDB#73065, OSVDB #73066, OSVDB #73067, OSVDB #73068, CERT #264729
Vulnerability Publication Date: 2011/06/14
Patch Publication Date: 2011/06/14
Plugin Publication Date: 2011/06/24
Plugin Modification Date: 2012/04/23
Exploit Available: true
Exploitability Ease: Exploits are available
Plugin Type: local
Source File: macosx_adobe_reader_apsb11-16.nasl
Exploit Frameworks: Core Impact
Canvas
5 Day Trend [chart]
Canvas Exploitable Hosts
IP Address NetBIOS Name DNS Name MAC Address Total Low Med. High Crit.
10.0.0.41 ITSDEPT\DT0008 dt8001.itsdept.com 52:54:00:fc:14:86 6 0 0 6 0
10.0.0.54 ITSDEPT\DT0007 dt0007.itsdept.com 00:10:60:df:1e:2b 4 0 1 3 0
10.0.100.40 UNKNOWN\MAC0001 mac0001.itsdept.com 60:c5:47:10:a7:1b 2 0 0 2 0
Canvas Exploitable Vulnerability Totals by Plugin Family
Family Total Low Med. High Crit.
Windows 5 0 1 4 0
Windows : Microsoft Bulletins 5 0 0 5 0
MacOS X Local Security Checks 2 0 0 2 0
Canvas Exploitable Vulnerability Totals by MS Bulletin
MS Bulletin Total Severity
MS10-073 1 High
MS10-060 1 High
MS10-048 1 High
MS10-032 1 High
MS10-022 1 High
Canvas Exploitable Vulnerability Totals by CVE
CVE Total Severity
CVE-2011-3360 1 Medium
CVE-2011-3266 1 Medium
CVE-2011-2462 1 High
CVE-2011-2110 2 High
CVE-2011-1592 1 High
CVE-2011-1591 1 High
CVE-2011-1590 1 High
CVE-2010-2744 1 High
CVE-2010-2743 1 High
CVE-2010-2549 1 High
CVE-2010-1898 1 High
CVE-2010-1897 1 High
CVE-2010-1896 1 High
CVE-2010-1895 1 High
CVE-2010-1894 1 High
CVE-2010-1887 1 High
CVE-2010-1255 1 High
CVE-2010-0485 1 High
CVE-2010-0484 1 High
CVE-2010-0483 1 High
CVE-2010-0019 1 High
CVE-2009-2493 1 High
CVE-2009-1870 1 High
CVE-2009-1869 1 High
CVE-2009-1868 1 High
CVE-2009-1867 1 High
CVE-2009-1866 1 High
CVE-2009-1865 1 High
CVE-2009-1864 1 High
CVE-2009-1863 1 High
CVE-2009-1862 1 High
CVE-2009-0901 1 High
CVE-2007-6654 1 High
CVE-2007-5660 1 High
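The summary tables above (totals by host, by plugin family, by MS bulletin and by CVE) are aggregations of the per-host records that follow them, filtered to one exploit framework. The Python below is an added example, not part of the Tenable report: it parses records written in the 'Field: value' layout used on this page, aggregates them per framework, and reproduces the CVE-2011-2110 row (total 2: one Windows host and one Mac host) from a constructed three-record sample taken from this report. It also lists records exploitable from more than one framework, which are the findings an attacker can reach with the least effort and should be patched first. The names `SAMPLE`, `parse_report`, `split_frameworks`, `totals` and `multi_framework` are this example's own. One reading note for these records: they are credentialed local checks (Plugin Type: local), so the Port column shows the port the scanner authenticated over (445 for SMB on the Windows hosts, 0 for the Mac OS X checks), not a vulnerable listening service.

```python
"""Parse SecurityCenter 'Field: value' plugin records and rebuild the per-framework totals (added example)."""
import re
from collections import Counter

# Constructed sample in this report's layout: three records from the Canvas section.
SAMPLE = """\
10.0.0.41
NetBIOS Name: ITSDEPT\\DT0008
Plugin: 55140
Plugin Name: Flash Player < 10.3.181.26 Multiple Vulnerabilities (APSB11-18)
Severity: High | Port: 445 | Protocol: TCP | Family: Windows | Exploit?: Yes
CVE: CVE-2011-2110
Exploit Frameworks: Canvas (CANVAS), Core Impact
10.0.0.54
NetBIOS Name: ITSDEPT\\DT0007
Plugin: 53473
Plugin Name: Wireshark < 1.2.16 / 1.4.5 Multiple Vulnerabilities
Severity: High | Port: 445 | Protocol: TCP | Family: Windows | Exploit?: Yes
CVE: CVE-2011-1590, CVE-2011-1591, CVE-2011-1592
Exploit Frameworks: Canvas (CANVAS), Metasploit (Wireshark <= 1.4.4 packet-dect.c Stack Buffer Overflow), Core Impact
10.0.100.40
NetBIOS Name: UNKNOWN\\MAC0001
Plugin: 55141
Plugin Name: Flash Player for Mac < 10.3.181.26 Remote Memory Corruption (APSB11-18)
Severity: High | Port: 0 | Protocol: TCP | Family: MacOS X Local Security Checks | Exploit?: Yes
CVE: CVE-2011-2110
Exploit Frameworks: Canvas (CANVAS), Core Impact
"""

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")  # a bare IPv4 line opens a host section


def split_frameworks(value: str) -> list:
    """Split 'A (x), B (y, z), C' on commas outside parentheses; keep framework names only.
    Module names in parentheses (e.g. Metasploit's) may themselves contain commas."""
    items, depth, cur = [], 0, []
    for ch in value:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            items.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    items.append("".join(cur))
    return [i.split("(")[0].strip() for i in items if i.strip()]


def parse_report(text: str) -> list:
    """Return one dict per plugin record, tagged with the host section it belongs to."""
    host, rec, records = None, None, []
    for line in text.splitlines():
        line = line.strip()
        if IP_RE.match(line):
            host = line
        elif line.startswith("Plugin:"):
            rec = {"host": host, "plugin": line.split(":", 1)[1].strip(), "cves": [], "frameworks": []}
            records.append(rec)
        elif rec is not None and line.startswith("Severity:"):
            for field in line.split("|"):            # 'Severity: High | Port: 445 | ...'
                key, value = field.split(":", 1)
                rec[key.strip().lower().rstrip("?")] = value.strip()
        elif rec is not None and line.startswith("CVE:"):
            rec["cves"] = [c.strip() for c in line.split(":", 1)[1].split(",")]
        elif rec is not None and line.startswith("Exploit Frameworks:"):
            rec["frameworks"] = split_frameworks(line.split(":", 1)[1])
    return records


def totals(records: list, framework: str) -> tuple:
    """Per-framework summary as the report prints it: counts by CVE and by host, plus severity."""
    by_cve, by_host, severity = Counter(), Counter(), {}
    for r in records:
        if framework not in r["frameworks"]:
            continue
        by_host[r["host"]] += 1
        for cve in r["cves"]:
            by_cve[cve] += 1
            severity[cve] = r["severity"]
    return by_cve, by_host, severity


def multi_framework(records: list) -> list:
    """Records reachable from more than one framework: patch these first."""
    return [(r["host"], r["plugin"], r["frameworks"]) for r in records if len(r["frameworks"]) > 1]


if __name__ == "__main__":
    recs = parse_report(SAMPLE)
    by_cve, by_host, sev = totals(recs, "Canvas")
    for cve, n in by_cve.most_common():
        print(cve, n, sev[cve])
    print(multi_framework(recs))
```

Run against the full per-host sections of this report, the same aggregation reproduces the 'Canvas Exploitable Hosts' and 'Totals by CVE' tables; a CVE that appears with a total of 2 (CVE-2011-2110 here) is the same bulletin on two hosts, not two distinct issues.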
10.0.0.41
NetBIOS Name: ITSDEPT\DT0008
IP Address: 10.0.0.41
Vulnerabilities: Critical: 0, High: 42, Medium: 8, Low: 4, Info: 86
MAC Address: 52:54:00:fc:14:86
DNS Name: dt8001.itsdept.com
Repository: repo
Last Scan: May 9, 2012 @ 8:25PM
Canvas Exploitable Vulnerability Details:
Plugin: 40434
Plugin Name: Flash Player < 9.0.246.0 / 10.0.32.18 Multiple Vulnerabilities (APSB09-10)
Severity: High | Port: 445 | Protocol: TCP | Family: Windows | Exploit?: Yes
Synopsis: The remote Windows host contains a browser plugin that is affected by multiple vulnerabilities.
Description: The remote Windows host contains a version of Adobe Flash Player that is earlier than 9.0.246.0 / 10.0.32.18. Such versions are reportedly affected by multiple vulnerabilities :
- A memory corruption vulnerability that could potentially lead to code execution. (CVE-2009-1862)
- A vulnerability in the Microsoft Active Template Library (ATL) which could allow an attacker who successfully exploits the vulnerability to take control of the affected system. (CVE-2009-0901, CVE-2009-2395, CVE-2009-2493)
- A privilege escalation vulnerability that could potentially lead to code execution. (CVE-2009-1863)
- A heap overflow vulnerability that could potentially lead to code execution. (CVE-2009-1864)
- A null pointer vulnerability that could potentially lead to code execution. (CVE-2009-1865)
- A stack overflow vulnerability that could potentially lead to code execution. (CVE-2009-1866)
- A clickjacking vulnerability that could allow an attacker to lure a web browser user into unknowingly clicking on a link or dialog. (CVE-2009-1867)
- A URL parsing heap overflow vulnerability that could potentially lead to code execution. (CVE-2009-1868)
- An integer overflow vulnerability that could potentially lead to code execution. (CVE-2009-1869)
- A local sandbox vulnerability that could potentially lead to information disclosure when SWFs are saved to the hard drive. (CVE-2009-1870)
Solution: Upgrade to version 10.0.32.18 or later. If you are unable to upgrade to version 10, upgrade to version 9.0.246.0 or later.
See Also: http://www.adobe.com/support/security/bulletins/apsb09-10.html
Risk Factor: High
STIG Severity: I
CVSS Base Score: 9.3
CVSS Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS Temporal Score: 7.7
CVSS Temporal Vector: CVSS2#E:F/RL:OF/RC:C
Plugin Output: Nessus has identified the following vulnerable instance of Flash Player installed on the remote host :
- ActiveX control (for Internet Explorer) : C:\WINDOWS\system32\Macromed\Flash\Flash6.ocx, 6.0.88.0
CPE: cpe:/a:adobe:flash_player
CVE: CVE-2009-1862, CVE-2009-0901, CVE-2009-2493, CVE-2009-1863, CVE-2009-1864, CVE-2009-1865, CVE-2009-1866, CVE-2009-1867, CVE-2009-1868, CVE-2009-1869,CVE-2009-1870
BID: 35759, 35832, 35846, 35900, 35901, 35902, 35903, 35904, 35905, 35906, 35907, 35908
Crossref: OSVDB #56282, OSVDB #56696, OSVDB #56698, OSVDB #56771, OSVDB #56772, OSVDB #56773, OSVDB #56774, OSVDB #56775, OSVDB #56776, OSVDB#56777, OSVDB #56778, IAVA #2009-A-0061, IAVA #2009-A-0062, IAVA #2009-A-0063, IAVA #2009-A-0067, IAVA #2009-A-0094, IAVA #2009-A-0097, IAVA #2009-A-0127, CWE#200
Vulnerability Publication Date: 2009/07/28
Patch Publication Date: 2009/07/30
Plugin Publication Date: 2009/07/30
Plugin Modification Date: 2011/12/12
Exploit Available: true
Exploitability Ease: Exploits are available
Plugin Type: local
Source File: flash_player_apsb09_10.nasl
Exploit Frameworks: Canvas (CANVAS), Core Impact
Plugin: 45509
Plugin Name: MS10-022: Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (981169)
Severity: High | Port: 445 | Protocol: TCP | Family: Windows : Microsoft Bulletins | Exploit?: Yes
Synopsis: Arbitrary code can be executed on the remote host through the installed VBScript Scripting Engine.
Description: The installed version of the VBScript Scripting Engine allows an attacker to specify a Help file location when displaying a dialog box on a web page. If a user can be tricked into pressing the F1 key while such a dialog box is being displayed, an attacker can leverage this to cause the Windows Help System to load a specially crafted Help file, resulting in execution of arbitrary code subject to the user's privileges.
Solution: Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista, 2008, 7, and 2008 R2 :
http://technet.microsoft.com/en-us/security/bulletin/MS10-022
Risk Factor: High
STIG Severity: II
CVSS Base Score: 7.6
CVSS Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C
CVSS Temporal Score: 6.3
CVSS Temporal Vector: CVSS2#E:F/RL:OF/RC:C
Plugin Output:
- C:\WINDOWS\system32\Vbscript.dll has not been patched
Remote version : 5.8.6001.18702
Should be : 5.8.6001.23000
CPE: cpe:/o:microsoft:windows
CVE: CVE-2010-0483
BID: 38463
Crossref: OSVDB #62632, IAVA #2010-A-0056, MSFT #MS10-022, CWE #94
Vulnerability Publication Date: 2010/02/01
Patch Publication Date: 2010/04/13
Plugin Publication Date: 2010/04/13
Plugin Modification Date: 2011/12/12
Exploit Available: true
Exploitability Ease: Exploits are available
Plugin Type: local
Source File: smb_nt_ms10-022.nasl
Exploit Frameworks: Canvas (CANVAS), Metasploit (Internet Explorer Winhlp32.exe MsgBox Code Execution)
Plugin: 46839
Plugin Name: MS10-032: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (979559)
Severity: High | Port: 445 | Protocol: TCP | Family: Windows : Microsoft Bulletins | Exploit?: Yes
Synopsis: The Windows kernel is affected by several vulnerabilities that could allow escalation of privileges.
Description: The remote Windows host is running a version of the Windows kernel that is affected by one or more of the following vulnerabilities :
- Improper validation of changes in certain kernel objects may allow a local attacker to execute arbitrary code in kernel mode and take complete control of the affected system. (CVE-2010-0484)
- Improper validation of parameters when creating a new window may allow a local attacker to execute arbitrary code in kernel mode and take complete control of the affected system. (CVE-2010-0485)
- A vulnerability that arises in the way Windows provides glyph outline information to applications may allow a local attacker to execute arbitrary code in kernel mode and take complete control of the affected system. (CVE-2010-1255)
Solution: Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista, 2008, 7, and 2008 R2 :
http://technet.microsoft.com/en-us/security/bulletin/MS10-032
Risk Factor: High
STIG Severity: II
CVSS Base Score: 7.2
CVSS Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C
CVSS Temporal Score: 6.0
CVSS Temporal Vector: CVSS2#E:F/RL:OF/RC:C
Plugin Output:
- C:\WINDOWS\system32\Win32k.sys has not been patched
Remote version : 5.1.2600.5512
Should be : 5.1.2600.5976
CPE: cpe:/o:microsoft:windows
CVE: CVE-2010-0484, CVE-2010-0485, CVE-2010-1255
BID: 40508, 40569, 40570
Crossref: OSVDB #65223, OSVDB #65224, OSVDB #65225, IAVA #2010-A-0077, MSFT #MS10-032
Vulnerability Publication Date: 2010/06/08
Patch Publication Date: 2010/06/08
Plugin Publication Date: 2010/06/09
Plugin Modification Date: 2011/12/12
Exploit Available: true
Exploitability Ease: Exploits are available
Plugin Type: local
Source File: smb_nt_ms10-032.nasl
Exploit Frameworks: Canvas (CANVAS), Core Impact
Plugin: 48285
Plugin Name: MS10-048: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2160329)
Severity: High | Port: 445 | Protocol: TCP | Family: Windows : Microsoft Bulletins | Exploit?: Yes
Synopsis: The Windows kernel is affected by several vulnerabilities that could allow escalation of privileges.
Description: The remote Windows host is running a version of the Windows kernel that is affected by one or more of the following vulnerabilities :
- Improper validation of an argument passed to a system call can result in a denial of service. (CVE-2010-1887)
- Certain unspecified exceptions are not properly handled, which could result in arbitrary code execution in the kernel. (CVE-2010-1894)
- Memory is not properly allocated when making a copy from user mode, which could result in an elevation of privileges. (CVE-2010-1895)
- Unspecified input from user mode is not properly validated, which could result in arbitrary code execution in the kernel. (CVE-2010-1896)
- Unspecified parameters are not properly validated when creating a new window, which could result in arbitrary code execution in the kernel. (CVE-2010-1897)
Solution: Microsoft has released a set of patches for Windows XP, 2003, Vista, 2008, 7, and 2008 R2 :
http://technet.microsoft.com/en-us/security/bulletin/MS10-048
Risk Factor: High
STIG Severity: II
CVSS Base Score: 7.2
CVSS Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C
CVSS Temporal Score: 6.0
CVSS Temporal Vector: CVSS2#E:F/RL:OF/RC:C
Plugin Output:
- C:\WINDOWS\system32\Win32k.sys has not been patched
Remote version : 5.1.2600.5512
Should be : 5.1.2600.6003
CPE: cpe:/o:microsoft:windows
CVE: CVE-2010-1887, CVE-2010-1894, CVE-2010-1895, CVE-2010-1896, CVE-2010-1897
BID: 39630, 42206, 42210, 42245, 42250
Crossref: OSVDB #66979, OSVDB #66980, OSVDB #66981, OSVDB #66982, OSVDB #66983, IAVA #2010-A-0106, MSFT #MS10-048
Vulnerability Publication Date: 2010/04/22
Patch Publication Date: 2010/08/10
Plugin Publication Date: 2010/08/11
Plugin Modification Date: 2011/12/12
Exploit Available: true
Exploitability Ease: Exploits are available
Plugin Type: local
Source File: smb_nt_ms10-048.nasl
Exploit Frameworks: Canvas (CANVAS), Core Impact
Plugin: 49950
Plugin Name: MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957)
Severity: High | Port: 445 | Protocol: TCP | Family: Windows : Microsoft Bulletins | Exploit?: Yes
Synopsis: The Windows kernel is affected by multiple vulnerabilities that could allow escalation of privileges.
Description: The remote Windows host is running a version of the Windows kernel that is affected by the following vulnerabilities :
- A reference count leak, which could result in arbitrary code execution in the kernel. (CVE-2010-2549)
- Kernel-mode drivers load unspecified keyboard layouts improperly, which could result in arbitrary code execution in the kernel. (CVE-2010-2743)
- Kernel-mode drivers do not properly validate unspecified window class data, which could result in arbitrary code execution in the kernel. (CVE-2010-2744)
Solution: Microsoft has released a set of patches for Windows 2003, XP, Vista, 2008, 7, and 2008 R2 :
http://technet.microsoft.com/en-us/security/bulletin/MS10-073
See Also: http://archives.neohapsis.com/archives/fulldisclosure/2010-07/0003.html
Risk Factor: High
STIG Severity: II
CVSS Base Score: 7.2
CVSS Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C
CVSS Temporal Score: 6.0
CVSS Temporal Vector: CVSS2#E:F/RL:OF/RC:C
Plugin Output:
- C:\WINDOWS\system32\Win32k.sys has not been patched
Remote version : 5.1.2600.5512
Should be : 5.1.2600.6033
CPE: cpe:/o:microsoft:windows
CVE: CVE-2010-2549, CVE-2010-2743, CVE-2010-2744
BID: 41280, 43773, 43774
Crossref: OSVDB #66003, OSVDB #68551, OSVDB #68552, EDB-ID #15985, IAVA #2010-A-0138, MSFT #MS10-073
Vulnerability Publication Date: 2010/06/30
Patch Publication Date: 2010/10/12
Plugin Publication Date: 2010/10/13
Plugin Modification Date: 2012/04/23
Exploit Available: true
Exploitability Ease: Exploits are available
Plugin Type: local
Source File: smb_nt_ms10-073.nasl
Exploit Frameworks: Canvas (CANVAS), Core Impact
Plugin: 55140
Plugin Name: Flash Player < 10.3.181.26 Multiple Vulnerabilities (APSB11-18)
Severity: High | Port: 445 | Protocol: TCP | Family: Windows | Exploit?: Yes
Synopsis: A browser plugin is affected by a memory corruption vulnerability.
Description: According to its version, the instance of Flash Player installed on the remote Windows host is earlier than 10.3.181.26. This version of Flash Player has a critical vulnerability. By tricking a user on the affected system into opening a specially crafted document with Flash content, an attacker could leverage the vulnerability to execute arbitrary code remotely on the system subject to the user's privileges.
This issue is reportedly being exploited in the wild in targeted attacks as of June 2011.
Solution: Upgrade to Adobe Flash version 10.3.181.26 or later.
See Also: http://www.adobe.com/support/security/bulletins/apsb11-18.html
Risk Factor: High
CVSS Base Score: 9.3
CVSS Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS Temporal Score: 7.7
CVSS Temporal Vector: CVSS2#E:F/RL:OF/RC:C
Plugin Output:
Product : ActiveX control (for Internet Explorer)
Path : C:\WINDOWS\system32\Macromed\Flash\Flash6.ocx
Installed version : 6.0.88.0
Fixed version : 10.3.181.26
CPE: cpe:/a:adobe:flash_player
CVE: CVE-2011-2110
BID: 48268
Crossref: OSVDB #73007
Vulnerability Publication Date: 2011/06/14
Patch Publication Date: 2011/06/14
Plugin Publication Date: 2011/06/15
Plugin Modification Date: 2012/04/23
Exploit Available: true
Exploitability Ease: Exploits are available
Plugin Type: local
Source File: flash_player_apsb11-18.nasl
Exploit Frameworks: Canvas (CANVAS), Core Impact
10.0.0.54
NetBIOS Name: ITSDEPT\DT0007
IP Address: 10.0.0.54
Vulnerabilities: Critical: 2, High: 10, Medium: 10, Low: 5, Info: 55
MAC Address: 00:10:60:df:1e:2b
DNS Name: dt0007.itsdept.com
Repository: repo
Last Scan: May 9, 2012 @ 8:25PM
Canvas Exploitable Vulnerability Details:
Plugin: 27599
Plugin Name: FLEXnet Connect Update Service ActiveX Control Multiple Code Execution Vulnerabilities
Severity: High | Port: 445 | Protocol: TCP | Family: Windows | Exploit?: Yes
Synopsis: The remote Windows host has an ActiveX control that allows execution of arbitrary code.
Description: Macrovision FLEXnet Connect, formerly known as InstallShield Update Service, is installed on the remote host. It is a software management solution for internally developed and third-party applications, and may have been installed as part of the FLEXnet Connect SDK, other InstallShield software, or by running FLEXnet Connect-enabled Windows software.
The version of the FLEXnet Connect client on the remote host includes an ActiveX control -- the InstallShield Update Service Agent -- that is marked as 'safe for scripting' and contains several methods that allow for downloading and launching arbitrary programs. If a remote attacker can trick a user on the affected host into visiting a specially crafted web page, he may be able to leverage this issue to execute arbitrary code on the host subject to the user's privileges.
Additionally, it is reportedly affected by a buffer overflow that can be triggered by passing a long argument for 'ProductCode' to the 'DownloadAndExecute()' method.
Solution: Upgrade to version 6.0.100.65101 or later of the FLEXnet Connect client.
See Also:
http://www.nessus.org/u?85aedec1
http://www.securityfocus.com/archive/1/483062/30/0/threaded
http://archives.neohapsis.com/archives/fulldisclosure/2007-12/0553.html
http://support.installshield.com/kb/view.asp?articleid=Q113602
http://support.installshield.com/kb/view.asp?articleid=Q113020
Risk Factor: High
CVSS Base Score: 9.3
CVSS Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS Temporal Score: 8.1
CVSS Temporal Vector: CVSS2#E:H/RL:OF/RC:C
Plugin Output: Version 2.20.100.1166 of the vulnerable control is installed as :
C:\WINDOWS\Downloaded Program Files\isusweb.dll
Moreover, its 'kill' bit is not set so it is accessible via Internet Explorer.
CVE: CVE-2007-5660, CVE-2007-6654
BID: 26280, 27013
Crossref: OSVDB #38347, OSVDB #39980, CWE #119
Vulnerability Publication Date: 2007/10/30
Plugin Publication Date: 2007/11/01
Plugin Modification Date: 2011/09/26
Exploit Available: true
Exploitability Ease: Exploits are available
Plugin Type: local
Source File: flexnet_connect_isusweb_activex.nasl
Exploit Frameworks: Canvas (CANVAS), Metasploit (Macrovision InstallShield Update Service Buffer Overflow)
Plugin: 48297
Plugin Name: MS10-060: Vulnerabilities in the Microsoft .NET Common Language Runtime and in Microsoft Silverlight Could Allow Remote Code Execution (2265906)
Severity: High
Port: 445
Protocol: TCP
Family: Windows : Microsoft Bulletins
Exploit?: Yes
Synopsis: The Microsoft .NET Common Language Runtime and/or Microsoft Silverlight have multiple vulnerabilities.
Description: The remote Windows host is running a version of the Microsoft .NET Framework and/or Microsoft Silverlight affected by multiple vulnerabilities :
- Silverlight improperly handles pointers in an unspecified manner. A remote attacker could exploit this by tricking a user into viewing a web page with maliciously crafted Silverlight content. (CVE-2010-0019)
- An unspecified vulnerability in the .NET framework can allow a specially crafted .NET or Silverlight application to access memory, resulting in arbitrary unmanaged code execution. (CVE-2010-1898)
Solution: Microsoft has released a set of patches for .NET Framework 2.0, 3.5, and Silverlight :
http://technet.microsoft.com/en-us/security/bulletin/MS10-060
Risk Factor: High
STIG Severity: II
CVSS Base Score: 9.3
CVSS Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS Temporal Score: 7.7
CVSS Temporal Vector: CVSS2#E:F/RL:OF/RC:C
Plugin Output:
Product : Microsoft Silverlight
Path : c:\Program Files\Microsoft Silverlight\3.0.40624.0
Installed version : 3.0.40624.0
Fix : 3.0.50611.0
CPE: cpe:/a:microsoft:silverlight, cpe:/o:microsoft:windows
CVE: CVE-2010-0019, CVE-2010-1898
BID: 42138, 42295
Crossref: OSVDB #66992, OSVDB #66993, IAVA #2010-A-0109, MSFT #MS10-060
Vulnerability Publication Date: 2010/08/10
Patch Publication Date: 2010/08/10
Plugin Publication Date: 2010/08/11
Plugin Modification Date: 2012/02/21
Exploit Available: true
Exploitability Ease: Exploits are available
Plugin Type: local
Source File: smb_nt_ms10-060.nasl
Exploit Frameworks: Canvas (CANVAS), Core Impact
Plugin: 53473
Plugin Name: Wireshark < 1.2.16 / 1.4.5 Multiple Vulnerabilities
Severity: High
Port: 445
Protocol: TCP
Family: Windows
Exploit?: Yes
Synopsis: The remote Windows host contains an application that is affected by multiple vulnerabilities.
Description: The installed version of Wireshark is 1.2.x less than 1.2.16 or 1.4.x less than 1.4.5. Such versions are affected by the following vulnerabilities :
- A data type mismatch error exists in the function 'dissect_nfs_clientaddr4' in the file 'packet-nfs.c' of the NFS dissector and could lead to application crashes while decoding 'SETCLIENTID' calls. (5209)
- A use-after-free error exists in the file 'asn1/x509if/x509if.cnf' of the X.509if dissector that could lead to application crashes. (5754, 5793)
- A buffer overflow vulnerability exists in the file 'packet-dect.c' of the DECT dissector that could allow arbitrary code execution. (5836)
Solution: Upgrade to Wireshark version 1.2.16 / 1.4.5 or later.
See Also:
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5209
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5754
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5793
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5836
http://www.wireshark.org/security/wnpa-sec-2011-05.html
http://www.wireshark.org/security/wnpa-sec-2011-06.html
http://www.wireshark.org/docs/relnotes/wireshark-1.2.16.html
http://www.wireshark.org/docs/relnotes/wireshark-1.4.5.html
Risk Factor: High
CVSS Base Score: 9.3
CVSS Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS Temporal Score: 7.7
CVSS Temporal Vector: CVSS2#E:F/RL:OF/RC:C
Plugin Output: The following vulnerable instance of Wireshark is installed :
Path : C:\Program Files\Wireshark
Installed version : 1.4.4
Fixed version : 1.2.16 / 1.4.5
CPE: cpe:/a:wireshark:wireshark
CVE: CVE-2011-1590, CVE-2011-1591, CVE-2011-1592
BID: 47392
Crossref: OSVDB #71846, OSVDB #71847, OSVDB #71848, EDB-ID #17185, EDB-ID #18145, Secunia #44172
Vulnerability Publication Date: 2011/04/15
Patch Publication Date: 2011/04/15
Plugin Publication Date: 2011/04/18
Plugin Modification Date: 2012/04/23
Exploit Available: true
Exploitability Ease: Exploits are available
Plugin Type: local
Source File: wireshark_1_4_5.nasl
Exploit Frameworks: Canvas (CANVAS), Metasploit (Wireshark <= 1.4.4 packet-dect.c Stack Buffer Overflow), Core Impact
Plugin: 56163
Plugin Name: Wireshark 1.4.x < 1.4.9 Multiple Vulnerabilities
Severity: Medium
Port: 445
Protocol: TCP
Family: Windows
Exploit?: Yes
Synopsis: The remote Windows host contains an application that is affected by multiple vulnerabilities.
Description: The installed version of Wireshark is 1.4.x before 1.4.9. This version is affected by the following vulnerabilities :
- An error exists in IKE dissector that can allow denial of service attacks when processing certain malformed packets. (CVE-2011-3266)
- A buffer exception handling vulnerability exists that can allow denial of service attacks when processing certain malformed packets. (Issue #6135)
- It may be possible to make Wireshark execute Lua scripts using a method similar to DLL hijacking. (Issue #6136)
Solution: Upgrade to Wireshark version 1.4.9 or later.
See Also:
http://www.wireshark.org/security/wnpa-sec-2011-13.html
http://www.wireshark.org/security/wnpa-sec-2011-14.html
http://www.wireshark.org/security/wnpa-sec-2011-15.html
http://www.wireshark.org/docs/relnotes/wireshark-1.4.9.html
Risk Factor: Medium
CVSS Base Score: 5.0
CVSS Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P
Plugin Output: The following vulnerable instance of Wireshark is installed :
Path : C:\Program Files\Wireshark
Installed version : 1.4.4
Fixed version : 1.4.9
CPE: cpe:/a:wireshark:wireshark
CVE: CVE-2011-3266, CVE-2011-3360
BID: 49377, 49521, 49528
Crossref: OSVDB #74732, OSVDB #75347
Vulnerability Publication Date: 2011/07/28
Patch Publication Date: 2011/09/07
Plugin Publication Date: 2011/09/12
Plugin Modification Date: 2011/12/01
Exploit Available: true
Exploitability Ease: Exploits are available
Plugin Type: local
Source File: wireshark_1_4_9.nasl
Exploit Frameworks: Canvas (D2ExploitPack), Metasploit (windows/misc/wireshark_lua.rb)
10.0.100.40
NetBIOS Name: UNKNOWN\MAC0001
IP Address: 10.0.100.40
Vulnerabilities: Critical: 2, High: 17, Medium: 2, Low: 0, Info: 44
MAC Address: 60:c5:47:10:a7:1b
DNS Name: mac0001.itsdept.com
Repository: repo
Last Scan: May 9, 2012 @ 8:25PM
Canvas Exploitable Vulnerability Details:
Plugin: 55141
Plugin Name: Flash Player for Mac < 10.3.181.26 Remote Memory Corruption (APSB11-18)
Severity: High
Port: 0
Protocol: TCP
Family: MacOS X Local Security Checks
Exploit?: Yes
Synopsis: The remote Mac OS X host has a browser plugin that is affected by a remote memory corruption vulnerability.
Description: According to its version, the instance of Flash Player installed on the remote Mac OS X host is earlier than 10.3.181.26. This version of Flash Player has a critical vulnerability. By tricking a user on the affected system into opening a specially crafted document with Flash content, an attacker could leverage the vulnerability to execute arbitrary code remotely on the system subject to the user's privileges.
This issue is reportedly being exploited in the wild in targeted attacks as of June 2011.
Solution: Upgrade to Adobe Flash for Mac version 10.3.181.26 or later.
See Also: http://www.adobe.com/support/security/bulletins/apsb11-18.html
Risk Factor: High
CVSS Base Score: 9.3
CVSS Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS Temporal Score: 7.7
CVSS Temporal Vector: CVSS2#E:F/RL:OF/RC:C
Plugin Output:
Installed version : 10.2.159.1
Fixed version : 10.3.181.26
CPE: cpe:/a:adobe:flash_player
CVE: CVE-2011-2110
BID: 48268
Crossref: OSVDB #73007
Vulnerability Publication Date: 2011/06/14
Patch Publication Date: 2011/06/14
Plugin Publication Date: 2011/06/15
Plugin Modification Date: 2012/04/23
Exploit Available: true
Exploitability Ease: Exploits are available
Plugin Type: local
Source File: macosx_flash_player_10_3_181_26.nasl
Exploit Frameworks: Canvas (CANVAS), Core Impact
Plugin: 57044
Plugin Name: Adobe Reader <= 10.1.1 / 9.4.6 U3D Memory Corruption (APSA11-04) (Mac OS X)
Severity: High
Port: 0
Protocol: TCP
Family: MacOS X Local Security Checks
Exploit?: Yes
Synopsis: The version of Adobe Reader on the remote Mac OS X host is affected by a memory corruption vulnerability.
Description: The version of Adobe Reader installed on the remote Mac OS X host is earlier or equal to 10.1.1 / 9.4.6 and is affected by a memory corruption vulnerability related to the 'Universal 3D' (U3D) file format.
A remote attacker could exploit this by tricking a user into viewing a maliciously crafted PDF file, causing application crashes and potentially resulting in arbitrary code execution.
Note that the Adobe Reader X user-specific option to use 'Protected Mode' prevents an exploit of this kind from executing and that Nessus cannot test for this configuration option.
Solution: At the time of this writing there is no vendor supplied patch. If the installed product is Reader X, then the user-specific option to use 'Protected Mode' should be enabled.
See Also: http://www.adobe.com/support/security/bulletins/apsa11-04.html
Risk Factor: High
STIG Severity: I
CVSS Base Score: 9.3
CVSS Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS Temporal Score: 7.7
CVSS Temporal Vector: CVSS2#E:F/RL:OF/RC:C
Plugin Output:
Path : /Applications/Adobe Reader.app
Installed version : 10.0.0
Fixed version : A workaround is available.
CPE: cpe:/a:adobe:reader
CVE: CVE-2011-2462
BID: 50922
Crossref: OSVDB #77529, IAVA #2011-A-0174, IAVA #2012-A-0008
Vulnerability Publication Date: 2011/12/06
Plugin Publication Date: 2011/12/07
Plugin Modification Date: 2012/04/25
Exploit Available: true
Exploitability Ease: Exploits are available
Plugin Type: local
Source File: macosx_adobe_reader_apsa11-04.nasl
Exploit Frameworks: Canvas (CANVAS), Metasploit (Adobe Reader U3D Memory Corruption Vulnerability)
Metasploit
5 Day Trend
Metasploit Exploitable Hosts
IP Address NetBIOS Name DNS Name MAC Address Total Low Med. High Crit.
10.0.100.40 UNKNOWN\MAC0001 mac0001.itsdept.com 60:c5:47:10:a7:1b 4 0 0 4 0
10.0.0.54 ITSDEPT\DT0007 dt0007.itsdept.com 00:10:60:df:1e:2b 4 0 1 3 0
10.0.0.41 ITSDEPT\DT0008 dt8001.itsdept.com 52:54:00:fc:14:86 5 0 0 5 0
Metasploit Exploitable Vulnerability Totals by Plugin Family
Family Total Low Med. High Crit.
Windows 7 0 1 6 0
MacOS X Local Security Checks 4 0 0 4 0
Windows : Microsoft Bulletins 2 0 0 2 0
Metasploit Exploitable Vulnerability Totals by MS Bulletin
MS Bulletin Total Severity
MS12-027 1 High
MS10-022 1 High
Metasploit Exploitable Vulnerability Totals by CVE
CVE Total Severity
CVE-2012-0767 2 High
CVE-2012-0756 2 High
CVE-2012-0755 2 High
CVE-2012-0754 2 High
CVE-2012-0753 2 High
CVE-2012-0752 2 High
CVE-2012-0751 1 High
CVE-2012-0158 1 High
CVE-2011-3360 1 Medium
CVE-2011-3266 1 Medium
CVE-2011-2462 1 High
CVE-2011-2442 1 High
CVE-2011-2441 1 High
CVE-2011-2440 1 High
CVE-2011-2439 1 High
CVE-2011-2438 1 High
CVE-2011-2437 1 High
CVE-2011-2436 1 High
CVE-2011-2435 1 High
CVE-2011-2434 1 High
CVE-2011-2433 1 High
CVE-2011-2432 1 High
CVE-2011-2431 1 High
CVE-2011-2425 3 High
CVE-2011-2424 3 High
CVE-2011-2417 3 High
CVE-2011-2416 3 High
CVE-2011-2415 3 High
CVE-2011-2414 3 High
CVE-2011-2140 3 High
CVE-2011-2139 3 High
CVE-2011-2138 3 High
CVE-2011-2137 3 High
CVE-2011-2136 3 High
CVE-2011-2135 3 High
CVE-2011-2134 3 High
CVE-2011-2130 3 High
CVE-2011-1592 1 High
CVE-2011-1591 1 High
CVE-2011-1590 1 High
CVE-2011-0611 1 High
CVE-2011-0609 1 High
CVE-2010-0483 1 High
CVE-2007-6654 1 High
CVE-2007-5660 1 High
10.0.0.41
NetBIOS Name: ITSDEPT\DT0008
IP Address: 10.0.0.41
Vulnerabilities: Critical: 0, High: 42, Medium: 8, Low: 4, Info: 86
MAC Address: 52:54:00:fc:14:86
DNS Name: dt8001.itsdept.com
Repository: repo
Last Scan: May 9, 2012 @ 8:25PM
Metasploit Exploitable Vulnerability Details:
Plugin: 45509
Plugin Name: MS10-022: Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (981169)
Severity: High
Port: 445
Protocol: TCP
Family: Windows : Microsoft Bulletins
Exploit?: Yes
Synopsis: Arbitrary code can be executed on the remote host through the installed VBScript Scripting Engine.
Description: The installed version of the VBScript Scripting Engine allows an attacker to specify a Help file location when displaying a dialog box on a web page. If a user can be tricked into pressing the F1 key while such a dialog box is being displayed, an attacker can leverage this to cause the Windows Help System to load a specially crafted Help file, resulting in execution of arbitrary code subject to the user's privileges.
Solution: Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista, 2008, 7, and 2008 R2 :
http://technet.microsoft.com/en-us/security/bulletin/MS10-022
Risk Factor: High
STIG Severity: II
CVSS Base Score: 7.6
CVSS Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C
CVSS Temporal Score: 6.3
CVSS Temporal Vector: CVSS2#E:F/RL:OF/RC:C
Plugin Output:
- C:\WINDOWS\system32\Vbscript.dll has not been patched
Remote version : 5.8.6001.18702
Should be : 5.8.6001.23000
CPE: cpe:/o:microsoft:windows
CVE: CVE-2010-0483
BID: 38463
Crossref: OSVDB #62632, IAVA #2010-A-0056, MSFT #MS10-022, CWE #94
Vulnerability Publication Date: 2010/02/01
Patch Publication Date: 2010/04/13
Plugin Publication Date: 2010/04/13
Plugin Modification Date: 2011/12/12
Exploit Available: true
Exploitability Ease: Exploits are available
Plugin Type: local
Source File: smb_nt_ms10-022.nasl
Exploit Frameworks: Canvas (CANVAS), Metasploit (Internet Explorer Winhlp32.exe MsgBox Code Execution)
Plugin: 52673
Plugin Name: Flash Player < 10.2.153.1 Unspecified Memory Corruption (APSB11-05)
Severity: High
Port: 445
Protocol: TCP
Family: Windows
Exploit?: Yes
Synopsis: The remote Windows host contains a browser plug-in that is affected by a memory corruption vulnerability.
Description: The remote Windows host contains a version of Adobe Flash Player earlier than 10.2.153.1. Such versions are affected by an unspecified memory corruption vulnerability.
A remote attacker could exploit this by tricking a user into viewing maliciously crafted SWF content, resulting in arbitrary code execution.
This bug is currently being exploited in the wild.
Solution: Upgrade to Flash Player 10.2.153.1 or later.
See Also:
http://www.nessus.org/u?82775d9e
http://www.adobe.com/support/security/advisories/apsa11-01.html
http://www.adobe.com/support/security/bulletins/apsb11-05.html
Risk Factor: High
STIG Severity: II
CVSS Base Score: 9.3
CVSS Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS Temporal Score: 7.7
CVSS Temporal Vector: CVSS2#E:F/RL:OF/RC:C
Plugin Output:
Product : ActiveX control (for Internet Explorer)
Path : C:\WINDOWS\system32\Macromed\Flash\Flash6.ocx
Installed version : 6.0.88.0
Fixed version : 10.2.153.1
CPE: cpe:/a:adobe:flash_player
CVE: CVE-2011-0609
BID: 46860
Crossref: OSVDB #71254, CERT #192052, EDB-ID #17027, IAVA #2011-A-0035, IAVA #2011-A-0036, Secunia #43751, Secunia #43757
Vulnerability Publication Date: 2011/03/14
Patch Publication Date: 2011/03/21
Plugin Publication Date: 2011/03/15
Plugin Modification Date: 2012/04/23
Exploit Available: true
Exploitability Ease: Exploits are available
Plugin Type: local
Source File: flash_player_apsa11-01.nasl
Exploit Frameworks: Metasploit (Adobe Flash Player AVM Bytecode Verification), Core Impact
Plugin: 53472
Plugin Name: Flash Player < 10.2.159.1 ActionScript Predefined Class Prototype Addition Remote Code Execution (APSB11-07)
Severity: High
Port: 445
Protocol: TCP
Family: Windows
Exploit?: Yes
Synopsis: The remote Windows host contains a browser plug-in that allows arbitrary code execution.
Description: The remote Windows host contains a version of Adobe Flash Player earlier than 10.2.159.1. Such versions are reportedly affected by a memory corruption vulnerability.
By tricking a user on the affected system into opening a specially crafted document with Flash content, such as a SWF file embedded in a Microsoft Word document, an attacker can potentially leverage this issue to execute arbitrary code remotely on the system subject to the user's privileges.
Note that there are reports that this issue is being exploited in the wild as of April 2011.
Solution: Upgrade to Adobe Flash Player 10.2.159.1 or later.
See Also:
http://www.nessus.org/u?9ee82b34
http://www.adobe.com/support/security/bulletins/apsb11-07.html
Risk Factor: High
STIG Severity: II
CVSS Base Score: 9.3
CVSS Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS Temporal Score: 7.7
CVSS Temporal Vector: CVSS2#E:F/RL:OF/RC:C
Plugin Output:
Product : ActiveX control (for Internet Explorer)
Path : C:\WINDOWS\system32\Macromed\Flash\Flash6.ocx
Installed version : 6.0.88.0
Fixed version : 10.2.159.1
CPE: cpe:/a:adobe:flash_player
CVE: CVE-2011-0611
BID: 47314
Crossref: OSVDB #71686, CERT #230057, IAVA #2011-A-0053, Secunia #44119
Vulnerability Publication Date: 2011/04/11
Patch Publication Date: 2011/04/15
Plugin Publication Date: 2011/04/18
Plugin Modification Date: 2012/04/23
Exploit Available: true
Exploitability Ease: Exploits are available
Plugin Type: local
Source File: flash_player_apsb11-07.nasl
Exploit Frameworks: Metasploit (windows/browser/adobe_flashplayer_flash10o.rb), Core Impact
Plugin: 55803
Plugin Name: Flash Player <= 10.3.181.36 Multiple Vulnerabilities (APSB11-21)
Severity: High
Port: 445
Protocol: TCP
Family: Windows
Exploit?: Yes
Synopsis: A browser plugin is affected by multiple vulnerabilities.
Description: According to its version, the instance of Flash Player installed on the remote Windows host is 10.3.181.36 or earlier. As such, it is reportedly affected by several critical vulnerabilities :
- Multiple buffer overflow vulnerabilities could lead to code execution. (CVE-2011-2130, CVE-2011-2134, CVE-2011-2137, CVE-2011-2414, CVE-2011-2415)
- Multiple memory corruption vulnerabilities could lead to code execution. (CVE-2011-2135, CVE-2011-2140, CVE-2011-2417, CVE-2011-2424, CVE-2011-2425)
- Multiple integer overflow vulnerabilities could lead to code execution. (CVE-2011-2136, CVE-2011-2138, CVE-2011-2416)
- A cross-site information disclosure vulnerability exists that could lead to code execution. (CVE-2011-2139)
By tricking a user on the affected system into opening a specially crafted document with Flash content, an attacker could leverage these vulnerabilities to execute arbitrary code remotely on the system subject to the user's privileges.
Solution: Upgrade to Adobe Flash version 10.3.183.5 or later.
See Also:
http://www.nessus.org/u?18dbdb20
http://www.nessus.org/u?0651458a
http://www.nessus.org/u?46d1fce8
http://www.zerodayinitiative.com/advisories/ZDI-11-253/
http://www.adobe.com/support/security/bulletins/apsb11-21.html
Risk Factor: High
STIG Severity: II
CVSS Base Score: 9.3
CVSS Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
Plugin Output:
Product : ActiveX control (for Internet Explorer)
Path : C:\WINDOWS\system32\Macromed\Flash\Flash6.ocx
Installed version : 6.0.88.0
Fixed version : 10.3.183.5
CPE: cpe:/a:adobe:flash_player
CVE: CVE-2011-2130, CVE-2011-2134, CVE-2011-2135, CVE-2011-2136, CVE-2011-2137, CVE-2011-2138, CVE-2011-2139, CVE-2011-2140, CVE-2011-2414, CVE-2011-2415, CVE-2011-2416, CVE-2011-2417, CVE-2011-2424, CVE-2011-2425
BID: 49073, 49074, 49075, 49076, 49077, 49079, 49080, 49081, 49082, 49083, 49084, 49085, 49086, 49186
Crossref: OSVDB #74432, OSVDB #74433, OSVDB #74434, OSVDB #74435, OSVDB #74436, OSVDB #74437, OSVDB #74438, OSVDB #74439, OSVDB #74440, OSVDB #74441, OSVDB #74442, OSVDB #74443, OSVDB #74444, OSVDB #75201, EDB-ID #18437, EDB-ID #18479, IAVA #2011-A-0110
Vulnerability Publication Date: 2011/08/09
Patch Publication Date: 2011/08/09
Plugin Publication Date: 2011/08/10
Plugin Modification Date: 2012/02/13
Exploit Available: true
Exploitability Ease: Exploits are available
Plugin Type: local
Source File: flash_player_apsb11-21.nasl
Exploit Frameworks: Metasploit (windows/browser/adobe_flash_sps.rb)
Plugin: 58001
Plugin Name: Flash Player <= 10.3.183.14 / 11.1.102.55 Multiple Vulnerabilities (APSB12-03)
Severity: High
Port: 445
Protocol: TCP
Family: Windows
Exploit?: Yes
Synopsis: The remote Windows host has a browser plugin that is affected by multiple vulnerabilities.
Description: According to its version, the instance of Flash Player installed on the remote Windows host is 10.x equal to or earlier than 10.3.183.14 or 11.x equal to or earlier than 11.1.102.55. It is, therefore, reportedly affected by several critical vulnerabilities :
- Multiple unspecified memory corruption issues exist that could lead to code execution. (CVE-2012-0751, CVE-2012-0754)
- An unspecified type confusion memory corruption vulnerability exists that could lead to code execution. (CVE-2012-0752)
- An MP4 parsing memory corruption issue exists that could lead to code execution. (CVE-2012-0753)
- Multiple unspecified security bypass vulnerabilities exist that could lead to code execution. (CVE-2012-0755, CVE-2012-0756)
- A universal cross-site scripting issue exists that could be used to take actions on a user's behalf on any website or webmail provider. (CVE-2012-0767)
Solution: Upgrade to Adobe Flash version 10.3.183.15 / 11.1.102.62 or later.
See Also:
http://www.nessus.org/u?2bd088e6
http://zerodayinitiative.com/advisories/ZDI-12-047/
http://www.adobe.com/support/security/bulletins/apsb12-03.html
Risk Factor: High
STIG Severity: I
CVSS Base Score: 9.3
CVSS Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
Plugin Output:
Product : ActiveX control (for Internet Explorer)
Path : C:\WINDOWS\system32\Macromed\Flash\Flash6.ocx
Installed version : 6.0.88.0
Fixed version : 10.3.183.15 / 11.1.102.62
CPE: cpe:/a:adobe:flash_player
CVE: CVE-2012-0751, CVE-2012-0752, CVE-2012-0753, CVE-2012-0754, CVE-2012-0755, CVE-2012-0756, CVE-2012-0767
BID: 52032, 52033, 52034, 52035, 52036, 52037, 52040
Crossref: EDB-ID #18572, IAVA #2012-A-0029, OSVDB #79296, OSVDB #79297, OSVDB #79298, OSVDB #79299, OSVDB #79300, OSVDB #79301, OSVDB #79302
Vulnerability Publication Date: 2012/02/15
Patch Publication Date: 2012/02/15
Plugin Publication Date: 2012/02/17
Plugin Modification Date: 2012/03/22
Exploit Available: true
Exploitability Ease: Exploits are available
Plugin Type: local
Source File: flash_player_apsb12-03.nasl
Exploit Frameworks: Metasploit (windows/browser/adobe_flash_mp4_cprt.rb)
10.0.0.54
NetBIOS Name: ITSDEPT\DT0007
IP Address: 10.0.0.54
Vulnerabilities: Critical: 2, High: 10, Medium: 10, Low: 5, Info: 55
MAC Address: 00:10:60:df:1e:2b
DNS Name: dt0007.itsdept.com
Repository: repo
Last Scan: May 9, 2012 @ 8:25PM
Metasploit Exploitable Vulnerability Details:
Plugin: 27599
Plugin Name: FLEXnet Connect Update Service ActiveX Control Multiple Code Execution Vulnerabilities
Severity: High
Port: 445
Protocol: TCP
Family: Windows
Exploit?: Yes
Synopsis: The remote Windows host has an ActiveX control that allows execution of arbitrary code.
Description: Macrovision FLEXnet Connect, formerly known as InstallShield Update Service, is installed on the remote host. It is a software management solution for internally-developed and third-party applications, and may have been installed as part of the FLEXnet Connect SDK, other InstallShield software, or by running FLEXnet Connect-enabled Windows software.
The version of the FLEXnet Connect client on the remote host includes an ActiveX control -- the InstallShield Update Service Agent -- that is marked as 'safe for scripting' and contains several methods that allow for downloading and launching arbitrary programs. If a remote attacker can trick a user on the affected host into visiting a specially crafted web page, he may be able to leverage this issue to execute arbitrary code on the host subject to the user's privileges.
Additionally, it is reportedly affected by a buffer overflow that can be triggered by passing a long argument for 'ProductCode' to the 'DownloadAndExecute()' method.
Solution: Upgrade to version 6.0.100.65101 or later of the FLEXnet Connect client.
See Also:
http://www.nessus.org/u?85aedec1
http://www.securityfocus.com/archive/1/483062/30/0/threaded
http://archives.neohapsis.com/archives/fulldisclosure/2007-12/0553.html
http://support.installshield.com/kb/view.asp?articleid=Q113602
http://support.installshield.com/kb/view.asp?articleid=Q113020
Risk Factor: High
CVSS Base Score: 9.3
CVSS Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS Temporal Score: 8.1
CVSS Temporal Vector: CVSS2#E:H/RL:OF/RC:C
Plugin Output: Version 2.20.100.1166 of the vulnerable control is installed as :
C:\WINDOWS\Downloaded Program Files\isusweb.dll
Moreover, its 'kill' bit is not set so it is accessible via Internet Explorer.
CVE: CVE-2007-5660, CVE-2007-6654
BID: 26280, 27013
Crossref: OSVDB #38347, OSVDB #39980, CWE #119
Vulnerability Publication Date: 2007/10/30
Plugin Publication Date: 2007/11/01
Plugin Modification Date: 2011/09/26
Exploit Available: true
Exploitability Ease: Exploits are available
Plugin Type: local
Source File: flexnet_connect_isusweb_activex.nasl
Exploit Frameworks: Canvas (CANVAS), Metasploit (Macrovision InstallShield Update Service Buffer Overflow)
Plugin: 53473
Plugin Name: Wireshark < 1.2.16 / 1.4.5 Multiple Vulnerabilities
Severity: High
Port: 445
Protocol: TCP
Family: Windows
Exploit?: Yes
Synopsis: The remote Windows host contains an application that is affected by multiple vulnerabilities.
Description: The installed version of Wireshark is 1.2.x less than 1.2.16 or 1.4.x less than 1.4.5. Such versions are affected by the following vulnerabilities :
- A data type mismatch error exists in the function 'dissect_nfs_clientaddr4' in the file 'packet-nfs.c' of the NFS dissector and could lead to application crashes while decoding 'SETCLIENTID' calls. (5209)
- A use-after-free error exists in the file 'asn1/x509if/x509if.cnf' of the X.509if dissector that could lead to application crashes. (5754, 5793)
- A buffer overflow vulnerability exists in the file 'packet-dect.c' of the DECT dissector that could allow arbitrary code execution. (5836)
Solution: Upgrade to Wireshark version 1.2.16 / 1.4.5 or later.
See Also:
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5209
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5754
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5793
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5836
http://www.wireshark.org/security/wnpa-sec-2011-05.html
http://www.wireshark.org/security/wnpa-sec-2011-06.html
http://www.wireshark.org/docs/relnotes/wireshark-1.2.16.html
http://www.wireshark.org/docs/relnotes/wireshark-1.4.5.html
Risk Factor: High
CVSS Base Score: 9.3
CVSS Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS Temporal Score: 7.7
CVSS Temporal Vector: CVSS2#E:F/RL:OF/RC:C
Plugin Output: The following vulnerable instance of Wireshark is installed :
Path : C:\Program Files\Wireshark
Installed version : 1.4.4
Fixed version : 1.2.16 / 1.4.5
CPE: cpe:/a:wireshark:wireshark
CVE: CVE-2011-1590, CVE-2011-1591, CVE-2011-1592
BID: 47392
Crossref: OSVDB #71846, OSVDB #71847, OSVDB #71848, EDB-ID #17185, EDB-ID #18145, Secunia #44172
Vulnerability Publication Date: 2011/04/15
Patch Publication Date: 2011/04/15
Plugin Publication Date: 2011/04/18
Plugin Modification Date: 2012/04/23
Exploit Available: true
Exploitability Ease: Exploits are available
Plugin Type: local
Source File: wireshark_1_4_5.nasl
Exploit Frameworks: Canvas (CANVAS), Metasploit (Wireshark <= 1.4.4 packet-dect.c Stack Buffer Overflow), Core Impact
Plugin: 56163
Plugin Name: Wireshark 1.4.x < 1.4.9 Multiple Vulnerabilities
Severity: Medium
Port: 445
Protocol: TCP
Family: Windows
Exploit?: Yes
Synopsis: The remote Windows host contains an application that is affected by multiple vulnerabilities.
Description: The installed version of Wireshark is 1.4.x before 1.4.9. This version is affected by the following vulnerabilities :
- An error exists in the IKE dissector that can allow denial of service attacks when processing certain malformed packets. (CVE-2011-3266)
- A buffer exception handling vulnerability exists that can allow denial of service attacks when processing certain malformed packets. (Issue #6135)
- It may be possible to make Wireshark execute Lua scripts using a method similar to DLL hijacking. (Issue #6136)
Solution: Upgrade to Wireshark version 1.4.9 or later.
See Also:
http://www.wireshark.org/security/wnpa-sec-2011-13.html
http://www.wireshark.org/security/wnpa-sec-2011-14.html
http://www.wireshark.org/security/wnpa-sec-2011-15.html
http://www.wireshark.org/docs/relnotes/wireshark-1.4.9.html
Risk Factor: Medium
CVSS Base Score: 5.0
CVSS Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P
Plugin Output:
The following vulnerable instance of Wireshark is installed :
Path : C:\Program Files\Wireshark
Installed version : 1.4.4
Fixed version : 1.4.9
CPE: cpe:/a:wireshark:wireshark
CVE: CVE-2011-3266, CVE-2011-3360
BID: 49377, 49521, 49528
Crossref: OSVDB #74732, OSVDB #75347
Vulnerability Publication Date: 2011/07/28
Patch Publication Date: 2011/09/07
Plugin Publication Date: 2011/09/12
Plugin Modification Date: 2011/12/01
Exploit Available: true
Exploitability Ease: Exploits are available
Plugin Type: local
Source File: wireshark_1_4_9.nasl
Exploit Frameworks: Canvas (D2ExploitPack), Metasploit (windows/misc/wireshark_lua.rb)
Plugin: 58659
Plugin Name: MS12-027: Vulnerability in Windows Common Controls Could Allow Remote Code Execution (2664258)
Severity: High
Port: 445
Protocol: TCP
Family: Windows : Microsoft Bulletins
Exploit?: Yes
Synopsis: The remote Windows host has a code execution vulnerability.
Description: There is an unspecified remote code execution vulnerability in Windows common controls, which is included in several Microsoft products. An attacker could exploit this by tricking a user into viewing a maliciously crafted web page, resulting in arbitrary code execution.
Solution: Microsoft has released a set of patches for Office 2003, 2007 and 2010, Office 2003 Web Components, SQL Server 2005 and 2008, BizTalk Server 2002, Visual FoxPro 8.0 and 9.0, and Visual Basic 6.0 Runtime :
http://technet.microsoft.com/en-us/security/bulletin/ms12-027
If this control has been included with a third-party application, contact the third-party vendor for a fix.
Risk Factor: High
STIG Severity: II
CVSS Base Score: 9.3
CVSS Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS Temporal Score: 7.7
CVSS Temporal Vector: CVSS2#E:F/RL:OF/RC:C
Plugin Output:
The following vulnerable controls do not have the kill bit set :
Class identifier : {bdd1f04b-858b-11d1-b16a-00c0f0283628}
Filename : C:\WINDOWS\system32\MSCOMCTL.OCX
Installed version : 6.1.95.45
Class identifier : {C74190B6-8589-11d1-B16A-00C0F0283628}
Filename : C:\WINDOWS\system32\MSCOMCTL.OCX
Installed version : 6.1.95.45
Nessus was unable to determine which Microsoft applications are using these controls. It is possible they were installed by a third-party application. Refer to the Microsoft advisory for more information.
CPE: cpe:/o:microsoft:windows
CVE: CVE-2012-0158
BID: 52911
Crossref: OSVDB #81125, EDB-ID #18780, IAVA #2012-A-0059, MSFT #MS12-027
Vulnerability Publication Date: 2012/04/10
Patch Publication Date: 2012/04/10
Plugin Publication Date: 2012/04/11
Plugin Modification Date: 2012/04/25
Exploit Available: true
Exploitability Ease: Exploits are available
Plugin Type: local
Source File: smb_nt_ms12-027.nasl
Exploit Frameworks: Metasploit (MS12-027 MSCOMCTL ActiveX Buffer Overflow)
10.0.100.40
NetBIOS Name: UNKNOWN\MAC0001
IP Address: 10.0.100.40
Vulnerabilities: Critical: 2, High: 17, Medium: 2, Low: 0, Info: 44
MAC Address: 60:c5:47:10:a7:1b
DNS Name: mac0001.itsdept.com
Repository: repo
Last Scan: May 9, 2012 @ 8:25PM
Metasploit Exploitable Vulnerability Details:
Plugin: 55804
Plugin Name: Flash Player for Mac <= 10.3.181.36 Multiple Vulnerabilities (APSB11-21)
Severity: High
Port: 0
Protocol: TCP
Family: MacOS X Local Security Checks
Exploit?: Yes
Synopsis: The remote Mac OS X host has a browser plugin that is affected by multiple vulnerabilities.
Description: According to its version, the instance of Flash Player installed on the remote Mac OS X host is 10.3.181.36 or earlier. As such, it is reportedly affected by several critical vulnerabilities :
- Multiple buffer overflow vulnerabilities could lead to code execution. (CVE-2011-2130, CVE-2011-2134, CVE-2011-2137, CVE-2011-2414, CVE-2011-2415)
- Multiple memory corruption vulnerabilities could lead to code execution. (CVE-2011-2135, CVE-2011-2140, CVE-2011-2417, CVE-2011-2424, CVE-2011-2425)
- Multiple integer overflow vulnerabilities could lead to code execution. (CVE-2011-2136, CVE-2011-2138, CVE-2011-2416)
- A cross-site information disclosure vulnerability exists that could lead to code execution. (CVE-2011-2139)
By tricking a user on the affected system into opening a specially crafted document with Flash content, an attacker could leverage these vulnerabilities to execute arbitrary code remotely on the system subject to the user's privileges.
Solution: Upgrade to Adobe Flash for Mac version 10.3.183.5 or later.
See Also: http://www.adobe.com/support/security/bulletins/apsb11-21.html
Risk Factor: High
STIG Severity: II
CVSS Base Score: 9.3
CVSS Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
Plugin Output:
Installed version : 10.2.159.1
Fixed version : 10.3.183.5
CPE: cpe:/a:adobe:flash_player
CVE: CVE-2011-2130, CVE-2011-2134, CVE-2011-2135, CVE-2011-2136, CVE-2011-2137, CVE-2011-2138, CVE-2011-2139, CVE-2011-2140, CVE-2011-2414, CVE-2011-2415, CVE-2011-2416, CVE-2011-2417, CVE-2011-2424, CVE-2011-2425
BID: 49073, 49074, 49075, 49076, 49077, 49079, 49080, 49081, 49082, 49083, 49084, 49085, 49086, 49186
Crossref: OSVDB #74432, OSVDB #74433, OSVDB #74434, OSVDB #74435, OSVDB #74436, OSVDB #74437, OSVDB #74438, OSVDB #74439, OSVDB #74440, OSVDB #74441, OSVDB #74442, OSVDB #74443, OSVDB #74444, OSVDB #75201, IAVA #2011-A-0110
Vulnerability Publication Date: 2011/08/09
Patch Publication Date: 2011/08/09
Plugin Publication Date: 2011/08/10
Plugin Modification Date: 2012/02/13
Exploit Available: true
Exploitability Ease: Exploits are available
Plugin Type: local
Source File: macosx_flash_player_10_3_183_5.nasl
Exploit Frameworks: Metasploit (windows/browser/adobe_flash_sps.rb)
Plugin: 56199
Plugin Name: Adobe Reader < 10.1.1 / 9.4.6 / 8.3.1 Multiple Vulnerabilities (APSB11-21, APSB11-24) (Mac OS X)
Severity: High
Port: 0
Protocol: TCP
Family: MacOS X Local Security Checks
Exploit?: Yes
Synopsis: The version of Adobe Reader on the remote Mac OS X host is affected by multiple vulnerabilities.
Description: The version of Adobe Reader installed on the remote Mac OS X host is earlier than 10.1.1 / 9.4.6 / 8.3.1. It is therefore potentially affected by the following vulnerabilities :
- An unspecified error exists that can allow an attacker to bypass security leading to code execution. (CVE-2011-2431)
- Several errors exist that allow buffer overflows leading to code execution. (CVE-2011-2432, CVE-2011-2435)
- Several errors exist that allow heap overflows leading to code execution. (CVE-2011-2433, CVE-2011-2434, CVE-2011-2436, CVE-2011-2437)
- Several errors exist that allow stack overflows leading to code execution. (CVE-2011-2438)
- An error exists that can allow memory leaks leading to code execution. (CVE-2011-2439)
- A use-after-free error exists that can allow code execution. (CVE-2011-2440)
- Several errors exist in the 'CoolType.dll' library that can allow stack overflows leading to code execution. (CVE-2011-2441)
- A logic error exists that can lead to code execution. (CVE-2011-2442)
- Multiple issues exist as noted in APSB11-21, a security update for Adobe Flash Player. (CVE-2011-2130, CVE-2011-2134, CVE-2011-2135, CVE-2011-2136, CVE-2011-2137, CVE-2011-2138, CVE-2011-2139, CVE-2011-2140, CVE-2011-2414, CVE-2011-2415, CVE-2011-2416, CVE-2011-2417, CVE-2011-2425, CVE-2011-2424)
Solution: Upgrade to Adobe Reader 10.1.1 / 9.4.6 / 8.3.1 or later.
See Also:
http://www.adobe.com/support/security/bulletins/apsb11-21.html
http://www.adobe.com/support/security/bulletins/apsb11-24.html
Risk Factor: High
STIG Severity: I
CVSS Base Score: 9.3
CVSS Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
Plugin Output:
Path : /Applications/Adobe Reader.app
Installed version : 10.0.0
Fixed version : 10.1.1 / 9.4.6 / 8.3.1
CPE: cpe:/a:adobe:reader
CVE: CVE-2011-2130, CVE-2011-2134, CVE-2011-2135, CVE-2011-2136, CVE-2011-2137, CVE-2011-2138, CVE-2011-2139, CVE-2011-2140, CVE-2011-2414, CVE-2011-2415, CVE-2011-2416, CVE-2011-2417, CVE-2011-2424, CVE-2011-2425, CVE-2011-2431, CVE-2011-2432, CVE-2011-2433, CVE-2011-2434, CVE-2011-2435, CVE-2011-2436, CVE-2011-2437, CVE-2011-2438, CVE-2011-2439, CVE-2011-2440, CVE-2011-2441, CVE-2011-2442
BID: 49073, 49074, 49075, 49076, 49077, 49079, 49080, 49081, 49082, 49083, 49084, 49085, 49086, 49186, 49572, 49575, 49576, 49577, 49578, 49579, 49580, 49581, 49582, 49583, 49584, 49585
Crossref: OSVDB #74432, OSVDB #74433, OSVDB #74434, OSVDB #74435, OSVDB #74436, OSVDB #74437, OSVDB #74438, OSVDB #74439, OSVDB #74440, OSVDB #74441, OSVDB #74442, OSVDB #74443, OSVDB #74444, OSVDB #75201, OSVDB #75430, OSVDB #75431, OSVDB #75432, OSVDB #75433, OSVDB #75434, OSVDB #75435, OSVDB #75436, OSVDB #75437, OSVDB #75438, OSVDB #75439, OSVDB #75440, OSVDB #75441, IAVA #2011-A-0110, IAVA #2011-A-0127
Vulnerability Publication Date: 2011/09/13
Patch Publication Date: 2011/09/13
Plugin Publication Date: 2011/09/14
Plugin Modification Date: 2012/02/13
Exploit Available: true
Exploitability Ease: Exploits are available
Plugin Type: local
Source File: macosx_adobe_reader_apsb11-24.nasl
Exploit Frameworks: Metasploit (windows/browser/adobe_flash_sps.rb)
Plugin: 57044
Plugin Name: Adobe Reader <= 10.1.1 / 9.4.6 U3D Memory Corruption (APSA11-04) (Mac OS X)
Severity: High
Port: 0
Protocol: TCP
Family: MacOS X Local Security Checks
Exploit?: Yes
Synopsis: The version of Adobe Reader on the remote Mac OS X host is affected by a memory corruption vulnerability.
Description: The version of Adobe Reader installed on the remote Mac OS X host is earlier or equal to 10.1.1 / 9.4.6 and is affected by a memory corruption vulnerability related to the 'Universal 3D' (U3D) file format.
A remote attacker could exploit this by tricking a user into viewing a maliciously crafted PDF file, causing application crashes and potentially resulting in arbitrary code execution.
Note that the Adobe Reader X user-specific option to use 'Protected Mode' prevents an exploit of this kind from executing and that Nessus cannot test for this configuration option.
Solution: At the time of this writing there is no vendor supplied patch. If the installed product is Reader X, then the user-specific option to use 'Protected Mode' should be enabled.
See Also: http://www.adobe.com/support/security/bulletins/apsa11-04.html
Risk Factor: High
STIG Severity: I
CVSS Base Score: 9.3
CVSS Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS Temporal Score: 7.7
CVSS Temporal Vector: CVSS2#E:F/RL:OF/RC:C
Plugin Output:
Path : /Applications/Adobe Reader.app
Installed version : 10.0.0
Fixed version : A workaround is available.
CPE: cpe:/a:adobe:reader
CVE: CVE-2011-2462
BID: 50922
Crossref: OSVDB #77529, IAVA #2011-A-0174, IAVA #2012-A-0008
Vulnerability Publication Date: 2011/12/06
Plugin Publication Date: 2011/12/07
Plugin Modification Date: 2012/04/25
Exploit Available: true
Exploitability Ease: Exploits are available
Plugin Type: local
Source File: macosx_adobe_reader_apsa11-04.nasl
Exploit Frameworks: Canvas (CANVAS), Metasploit (Adobe Reader U3D Memory Corruption Vulnerability)
Plugin: 58002
Plugin Name: Flash Player for Mac <= 10.3.183.14 / 11.1.102.62 Multiple Vulnerabilities (APSB12-03)
Severity: High
Port: 0
Protocol: TCP
Family: MacOS X Local Security Checks
Exploit?: Yes
Synopsis: The remote Mac OS X host has a browser plugin that is affected by multiple vulnerabilities.
Description: According to its version, the instance of Flash Player installed on the remote Mac OS X host is 10.x equal to or earlier than 10.3.183.14 or 11.x equal to or earlier than 11.1.102.62. It is, therefore, reportedly affected by several critical vulnerabilities :
- An unspecified memory corruption issue exists that could lead to code execution. (CVE-2012-0754)
- An unspecified type confusion memory corruption vulnerability exists that could lead to code execution. (CVE-2012-0752)
- An MP4 parsing memory corruption issue exists that could lead to code execution. (CVE-2012-0753)
- Multiple unspecified security bypass vulnerabilities exist that could lead to code execution. (CVE-2012-0755, CVE-2012-0756)
- A universal cross-site scripting issue exists that could be used to take actions on a user's behalf on any website or webmail provider. (CVE-2012-0767)
Solution: Upgrade to Adobe Flash version 10.3.183.15 / 11.1.102.62 or later.
See Also: http://www.adobe.com/support/security/bulletins/apsb12-03.html
Risk Factor: High
STIG Severity: I
CVSS Base Score: 9.3
CVSS Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
Plugin Output:
Installed version : 10.2.159.1
Fixed version : 10.3.183.15
CPE: cpe:/a:adobe:flash_player
CVE: CVE-2012-0752, CVE-2012-0753, CVE-2012-0754, CVE-2012-0755, CVE-2012-0756, CVE-2012-0767
BID: 52032, 52033, 52034, 52035, 52036, 52040
Crossref: IAVA #2012-A-0029, OSVDB #79296, OSVDB #79297, OSVDB #79298, OSVDB #79299, OSVDB #79300, OSVDB #79301, OSVDB #79302
Vulnerability Publication Date: 2012/02/15
Patch Publication Date: 2012/02/15
Plugin Publication Date: 2012/02/17
Plugin Modification Date: 2012/03/08
Exploit Available: true
Exploitability Ease: Exploits are available
Plugin Type: local
Source File: macosx_flash_player_11_1_102_62.nasl
Exploit Frameworks: Metasploit (windows/browser/adobe_flash_mp4_cprt.rb)