Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2012-2018 Tenable Network Security, Inc.SMB_NT_MS12-039.NASL
HistoryJun 13, 2012 - 12:00 a.m.

MS12-039: Vulnerabilities in Lync Could Allow Remote Code Execution (2707956)

2012-06-1300:00:00
This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
www.tenable.com
86

9.3 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.968 High

EPSS

Percentile

99.7%

JSON

The remote Windows host is potentially affected by the following vulnerabilities :

  • Multiple code execution vulnerabilities exist in the handling of specially crafted TrueType font files.
    (CVE-2011-3402, CVE-2012-0159)

  • An insecure library loading vulnerability exists in the way that Microsoft Lync handles the loading of DLL files. (CVE-2012-1849)

  • An HTML sanitization vulnerability exists in the way that HTML is filtered. (CVE-2012-1858)

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(59457);
  script_version("1.31");
  script_cvs_date("Date: 2018/11/15 20:50:31");

  script_cve_id("CVE-2011-3402", "CVE-2012-0159", "CVE-2012-1849", "CVE-2012-1858");
  script_bugtraq_id(50462, 53335, 53831, 53842);
  script_xref(name:"EDB-ID", value:"19777");
  script_xref(name:"MSFT", value:"MS12-039");
  script_xref(name:"MSKB", value:"2693282");
  script_xref(name:"MSKB", value:"2693283");
  script_xref(name:"MSKB", value:"2696031");
  script_xref(name:"MSKB", value:"2702444");
  script_xref(name:"MSKB", value:"2708980");

  script_name(english:"MS12-039: Vulnerabilities in Lync Could Allow Remote Code Execution (2707956)");
  script_summary(english:"Checks version of multiple files");

  script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host through Microsoft
Lync.");
  script_set_attribute(attribute:"description", value:
"The remote Windows host is potentially affected by the following
vulnerabilities :

  - Multiple code execution vulnerabilities exist in the
    handling of specially crafted TrueType font files.
    (CVE-2011-3402, CVE-2012-0159)

  - An insecure library loading vulnerability exists in the
    way that Microsoft Lync handles the loading of DLL
    files. (CVE-2012-1849)

  - An HTML sanitization vulnerability exists in the way
    that HTML is filtered. (CVE-2012-1858)");
  # http://blog.watchfire.com/wfblog/2012/07/tostatichtml-the-second-encounter-cve-2012-1858-html-sanitizing-information-disclosure-introduction-t.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c7d49512");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-12-129/");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2012/Aug/58");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2012/ms12-039");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Lync 2010, Lync 2010
Attendee, Lync 2010 Attendant, and Communicator 2007 R2.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2011/06/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/06/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/06/13");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office_communicator");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:lync");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("smb_reg_query.inc");
include("misc_func.inc");

global_var bulletin;

function get_user_dirs()
{
  local_var appdir, dirpat, domain, hklm, iter, lcpath, login, pass;
  local_var path, paths, pdir, port, rc, root, share, user, ver;

  paths = make_list();

  registry_init();
  hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);
  pdir = get_registry_value(handle:hklm, item:"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProfilesDirectory");
  if (pdir && stridx(tolower(pdir), "%systemdrive%") == 0)
  {
    root = get_registry_value(handle:hklm, item:"SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot");
    if (!isnull(root))
    {
      share = ereg_replace(string:root, pattern:"^([A-Za-z]):.*", replace:"\1:");
      pdir = share + substr(pdir, strlen("%systemdrive%"));
    }
  }
  RegCloseKey(handle:hklm);
  close_registry(close:FALSE);

  if (!pdir)
    return NULL;

  ver = get_kb_item("SMB/WindowsVersion");

  share = ereg_replace(string:pdir, pattern:"^([A-Za-z]):.*", replace:"\1$");
  dirpat = ereg_replace(string:pdir, pattern:"^[A-Za-z]:(.*)", replace:"\1\*");

  port    =  kb_smb_transport();
  if (!get_port_state(port)) audit(AUDIT_PORT_CLOSED, port);
  login   =  kb_smb_login();
  pass    =  kb_smb_password();
  domain  =  kb_smb_domain();

  rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
  if (rc != 1)
  {
    NetUseDel(close:FALSE);
    return NULL;
  }

  # 2000 / XP / 2003
  if (ver < 6)
    appdir += "\Local Settings\Application Data";
  # Vista / 7 / 2008
  else
    appdir += "\AppData\Local";

  paths = make_array();
  iter = FindFirstFile(pattern:dirpat);
  while (!isnull(iter[1]))
  {
    user = iter[1];
    iter = FindNextFile(handle:iter);

    if (user == "." || user == "..")
      continue;

    path = pdir + "\" + user + appdir;

    lcpath = tolower(path);
    if (isnull(paths[lcpath]))
      paths[lcpath] = path;
  }

  NetUseDel(close:FALSE);

  return paths;
}

function check_vuln(file, fix, kb, key, min, paths)
{
  local_var base, hklm, path, result, rc, share;

  if (!isnull(key))
  {
    registry_init();
    hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);
    base = get_registry_value(handle:hklm, item:key);
    RegCloseKey(handle:hklm);
    close_registry(close:FALSE);

    if (isnull(base))
      return FALSE;
  }

  if (isnull(paths))
    paths = make_list("");

  result = FALSE;
  foreach path (paths)
  {
    path = base + path;

    share = ereg_replace(string:path, pattern:"^([A-Za-z]):.*", replace:"\1$");
    if (!is_accessible_share(share:share))
      continue;

    rc = hotfix_check_fversion(file:file, version:fix, min_version:min, path:path, bulletin:bulletin, kb:kb);

    if (rc == HCF_OLDER)
      result = TRUE;
  }

  return result;
}

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = "MS12-039";
kbs = make_list("2693282", "2693283", "2696031", "2702444", "2708980");
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated", exit_code:1);
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

# Add an extra node to the registry key if needed.
arch = get_kb_item_or_exit("SMB/ARCH", exit_code:1);
if (arch == "x64")
  extra = "\Wow6432Node";

######################################################################
# Microsoft Communicator 2007 R2
######################################################################
vuln = check_vuln(
  key  : "SOFTWARE\Microsoft\Communicator\InstallationDirectory",
  file : "Communicator.exe",
  min  : "3.5.0.0",
  fix  : "3.5.6907.253",
  kb   : "2708980"
);

######################################################################
# Microsoft Lync 2010
######################################################################
if (!vuln)
{
  vuln = check_vuln(
    key  : "SOFTWARE" + extra + "\Microsoft\Communicator\InstallationDirectory",
    file : "Communicator.exe",
    min  : "4.0.0.0",
    fix  : "4.0.7577.4098",
    kb   : "2693282"
  );
}

######################################################################
# Microsoft Lync 2010 Attendant
######################################################################
vuln = check_vuln(
  key  : "SOFTWARE" + extra + "\Microsoft\Attendant\InstallationDirectory",
  file : "AttendantConsole.exe",
  min  : "4.0.0.0",
  fix  : "4.0.7577.4098",
  kb   : "2702444"
) || vuln;

######################################################################
# Microsoft Lync 2010 Attendee (admin-level install)
######################################################################
vuln = check_vuln(
  key  : "SOFTWARE\Microsoft\AttendeeCommunicator\InstallationDirectory",
  file : "CURes.dll",
  min  : "4.0.0.0",
  fix  : "4.0.7577.4098",
  kb   : "2696031"
) || vuln;

######################################################################
# Microsoft Lync 2010 Attendee (user-level install)
######################################################################
paths = get_user_dirs();

if (!isnull(paths))
{
  vuln = check_vuln(
    paths : paths,
    file  : "\Microsoft Lync Attendee\System.dll",
    min   : "4.0.0.0",
    fix   : "4.0.60831.0",
    kb    : "2693283"
  ) || vuln;
}

# Disconnect from registry.
close_registry();

if (vuln)
{
  set_kb_item(name:"www/0/XSS", value:TRUE);

  set_kb_item(name:"SMB/Missing/" + bulletin, value:TRUE);
  hotfix_security_hole();

  hotfix_check_fversion_end();
  exit(0);
}

hotfix_check_fversion_end();
exit(0, "The host is not affected.");
VendorProductVersionCPE
microsoftoffice_communicatorcpe:/a:microsoft:office_communicator
microsoftlynccpe:/a:microsoft:lync

Related

openvas 13
securityvulns 6
kaspersky 1
nessus 6
checkpoint_advisories 7
prion 5
nvd 5
threatpost 5
mskb 4
metasploit 1
thn 1
cve 5
cert 1
cvelist 5
exploitpack 1
seebug 3
symantec 3
zdi 1
packetstorm 1
exploitdb 1
openvas
openvas
Microsoft Lync Remote Code Execution Vulnerabilities (2707956)
2012-06-13 00:00:00
Microsoft Lync Remote Code Execution Vulnerabilities (2707956)
2012-06-13 00:00:00
Microsoft Silverlight Code Execution Vulnerabilities - 2681578 (Mac OS X)
2012-05-14 00:00:00
securityvulns
securityvulns
Mictosoft Lync multiple security vulnerabilities
2012-06-13 00:00:00
ZDI-12-129: Microsoft Windows TrueType Font Parsing Remote Code Execution Vulnerability &#40;Remote Kernel&#41;
2012-08-13 00:00:00
Microsoft Windows multiple security vulnerabilities
2011-12-26 00:00:00
kaspersky
kaspersky
KLA10544 Code execution vulnerabilities in Microsoft Silverlight
2012-05-08 00:00:00
nessus
nessus
MS12-034: Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight (2681578) (Mac OS X)
2012-05-09 00:00:00
MS11-087: Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2639417)
2011-12-13 00:00:00
MS KB2639658: Vulnerability in TrueType Font Parsing Could Allow Elevation of Privilege (DEPRECATED)
2011-11-04 00:00:00
checkpoint_advisories
checkpoint_advisories
Microsoft Windows TrueType Font File Parsing Code Execution (CVE-2011-3402)
2011-11-06 00:00:00
Microsoft Windows TrueType Font File Parsing Code Execution - Ver2 (CVE-2011-3402)
2015-05-18 00:00:00
Preemptive Protection against Microsoft SharePoint HTML Sanitization Cross-site Scripting (MS12-050; CVE-2012-1858)
2012-07-10 00:00:00
prion
prion
Design/Logic Flaw
2011-11-04 21:55:00
Design/Logic Flaw
2012-06-12 22:55:00
Cross site scripting
2012-06-12 22:55:00
nvd
nvd
CVE-2011-3402
2011-11-04 21:55:04
CVE-2012-1849
2012-06-12 22:55:01
CVE-2012-1858
2012-06-12 22:55:01
threatpost
threatpost
Stars Attack on Iran Was Early Version of Duqu
2011-11-05 21:08:37
TrueType Font Exploits Gateway to Kernel Attacks
2013-07-11 14:10:56
Anatomy of the Duqu Attacks
2011-11-21 15:51:38
mskb
mskb
MS11-087: Vulnerability in Windows kernel-mode drivers could allow remote code execution: December 13, 2011
2017-01-07 00:00:00
MS12-034: Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight: May 8, 2012
2012-05-08 00:00:00
MS12-050: Vulnerabilities in SharePoint could allow elevation of privilege: July 10, 2012
2012-07-10 00:00:00
metasploit
metasploit
Windows Gather Forensics Duqu Registry Check
2011-11-10 21:20:48
thn
thn
Duqu malware was created to spy on Iran's nuclear program
2011-11-06 06:24:00
cve
cve
CVE-2011-3402
2011-11-04 21:55:04
CVE-2012-1858
2012-06-12 22:55:01
CVE-2012-1849
2012-06-12 22:55:01
cert
cert
Microsoft Windows TrueType font parsing vulnerability
2011-11-04 00:00:00
cvelist
cvelist
CVE-2011-3402
2011-11-04 21:00:00
CVE-2012-1858
2012-06-12 22:00:00
CVE-2012-0159
2012-05-09 00:00:00
exploitpack
exploitpack
Microsoft Internet Explorer 9 SharePoint Lync - toStaticHTML HTML Sanitizing Bypass (MS12-037MS12-039MS12-050)
2012-07-12 00:00:00
seebug
seebug
Microsoft Lync/Office Communicator HTMLδ»£η θΏ‡ζ»€ζΌζ΄ž (CVE-2012-1858) (MS12-039)
2012-06-13 00:00:00
IE9, SharePoint, Lync toStaticHTML HTML Sanitizing Bypass
2014-07-01 00:00:00
Microsoft Windows TrueTypeε­—δ½“εΌ•ζ“ŽθΏœη¨‹δ»£η ζ‰§θ‘ŒζΌζ΄ž(CVE-2012-0159)(MS12-034)
2012-05-09 00:00:00
symantec
symantec
Microsoft Lync CVE-2012-1849 DLL Loading Arbitrary Code Execution Vulnerability
2012-06-12 00:00:00
Microsoft Windows TrueType Font Engine CVE-2012-0159 Remote Code Execution Vulnerability
2012-05-08 00:00:00
Microsoft Internet Explorer And Microsoft Lync HTML Sanitizing Information Disclosure Vulnerability
2012-06-12 00:00:00
zdi
zdi
Microsoft Windows TrueType Font Parsing Remote Code Execution Vulnerability (Remote Kernel)
2012-08-03 00:00:00
packetstorm
packetstorm
toStaticHTML HTML Sanitizing Bypass
2012-07-11 00:00:00
exploitdb
exploitdb
Microsoft Internet Explorer 9 / SharePoint / Lync - toStaticHTML HTML Sanitizing Bypass (MS12-037/MS12-039/MS12-050)
2012-07-12 00:00:00

9.3 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.968 High

EPSS

Percentile

99.7%

JSON
Related for SMB_NT_MS12-039.NASL
openvas13securityvulns6kaspersky1nessus6checkpoint_advisories7prion5nvd5threatpost5mskb4metasploit1thn1cve5cert1cvelist5exploitpack1seebug3symantec3zdi1packetstorm1exploitdb1