Lucene search
This script is Copyright (C) 2014-2022 Tenable Network Security, Inc.SMB_NT_MS14-058.NASLHistoryOct 15, 2014 - 12:00 a.m.
MS14-058: Vulnerabilities in Kernel-Mode Driver Could Allow Remote Code Execution (3000061)
2014-10-1500:00:00
This script is Copyright (C) 2014-2022 Tenable Network Security, Inc.
www.tenable.com
325
CVSS2
9.3
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS3
8.8
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS
0.677
Percentile
98.0%
The remote Windows host is affected by multiple vulnerabilities :
-
A privilege escalation vulnerability allows an attacker to run arbitrary code in kernel mode due to the kernel-mode driver improperly handling objects in memory. (CVE-2014-4113)
-
A remote code execution vulnerability allows a remote attacker to run arbitrary code in kernel mode due to the kernel-mode driver improperly handling TrueType fonts.
An attacker can exploit this vulnerability by convincing a user to open a file or visit a website containing a specially crafted TrueType font file. (CVE-2014-4148)
#
# (C) Tenable Network Security, Inc.
#
include('compat.inc');
if (description)
{
script_id(78433);
script_version("1.14");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/05/25");
script_cve_id("CVE-2014-4113", "CVE-2014-4148");
script_bugtraq_id(70364, 70429);
script_xref(name:"EDB-ID", value:"35101");
script_xref(name:"MSFT", value:"MS14-058");
script_xref(name:"MSKB", value:"3000061");
script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/05/25");
script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/06/15");
script_name(english:"MS14-058: Vulnerabilities in Kernel-Mode Driver Could Allow Remote Code Execution (3000061)");
script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is affected by multiple vulnerabilities.");
script_set_attribute(attribute:"description", value:
"The remote Windows host is affected by multiple vulnerabilities :
- A privilege escalation vulnerability allows an attacker
to run arbitrary code in kernel mode due to the
kernel-mode driver improperly handling objects in
memory. (CVE-2014-4113)
- A remote code execution vulnerability allows a remote
attacker to run arbitrary code in kernel mode due to the
kernel-mode driver improperly handling TrueType fonts.
An attacker can exploit this vulnerability by convincing
a user to open a file or visit a website containing a
specially crafted TrueType font file. (CVE-2014-4148)");
script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2014/ms14-058");
script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows 2003, Vista, 2008,
7, 2008 R2, 8, 2012, 8.1, and 2012 R2.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-4148");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'Windows TrackPopupMenu Win32k NULL Pointer Dereference');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2014/10/14");
script_set_attribute(attribute:"patch_publication_date", value:"2014/10/14");
script_set_attribute(attribute:"plugin_publication_date", value:"2014/10/15");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows : Microsoft Bulletins");
script_copyright(english:"This script is Copyright (C) 2014-2022 Tenable Network Security, Inc.");
script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
script_require_keys("SMB/MS_Bulletin_Checks/Possible");
script_require_ports(139, 445, "Host/patch_management_checks");
exit(0);
}
include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
bulletin = 'MS14-058';
kb = "3000061";
kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
if (hotfix_check_sp_range(win2003:'2', vista:'2', win7:'1', win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
if (
# Windows 8.1 / Windows Server 2012 R2
hotfix_is_vulnerable(os:"6.3", sp:0, file:"Win32k.sys", version:"6.3.9600.17353", min_version:"6.3.9600.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||
# Windows 8 / Windows Server 2012
hotfix_is_vulnerable(os:"6.2", sp:0, file:"Win32k.sys", version:"6.2.9200.21247", min_version:"6.2.9200.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
hotfix_is_vulnerable(os:"6.2", sp:0, file:"Win32k.sys", version:"6.2.9200.17130", min_version:"6.2.9200.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||
# Windows 7 / Server 2008 R2
hotfix_is_vulnerable(os:"6.1", sp:1, file:"Win32k.sys", version:"6.1.7601.22823", min_version:"6.1.7601.22000", dir:"\system32", bulletin:bulletin, kb:kb) ||
hotfix_is_vulnerable(os:"6.1", sp:1, file:"Win32k.sys", version:"6.1.7601.18615", min_version:"6.1.7600.18000", dir:"\system32", bulletin:bulletin, kb:kb) ||
# Vista / Windows Server 2008
hotfix_is_vulnerable(os:"6.0", sp:2, file:"Win32k.sys", version:"6.0.6002.23504", min_version:"6.0.6002.23000", dir:"\system32", bulletin:bulletin, kb:kb) ||
hotfix_is_vulnerable(os:"6.0", sp:2, file:"Win32k.sys", version:"6.0.6002.19198", min_version:"6.0.6002.18000", dir:"\system32", bulletin:bulletin, kb:kb) ||
# Windows Server 2003
hotfix_is_vulnerable(os:"5.2", sp:2, file:"Win32k.sys", version:"5.2.3790.5445", dir:"\system32", bulletin:bulletin, kb:kb)
)
{
set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
hotfix_security_hole();
hotfix_check_fversion_end();
exit(0);
}
else
{
hotfix_check_fversion_end();
audit(AUDIT_HOST_NOT, 'affected');
}
Related
openvas
openvas
threatpost
threatpost
Firms Detail Zero Days Targeting Windows Kernel
2014-10-15 14:58:13
50k Servers Infected with Cryptomining Malware in Nansh0u Campaign
2019-05-29 13:00:27
Tools Used by Lamberts APT Found in Vault 7 Dumps
2017-04-11 09:47:14
thn
thn
Microsoft Patches 3 Zero-day Vulnerabilities actively being Exploited in the Wild
2014-10-15 01:14:00
Hackers Infect 50,000 MS-SQL and PHPMyAdmin Servers with Rootkit Malware
2019-05-29 18:50:00
State-Sponsored SCADA Malware targeting European Energy Companies
2016-07-13 00:12:00
zdt
zdt
Microsoft Windows - Kernel 'win32k.sys' Privilege Escalation (MS14-058)
2016-04-05 00:00:00
Windows 8.0 - 8.1 x64 TrackPopupMenu Privilege Escalation (MS14-058) Exploit
2015-05-20 00:00:00
Windows TrackPopupMenu Win32k NULL Pointer Dereference Exploit
2014-10-29 00:00:00
cvelist
cvelist
CVE-2014-4113
2014-10-15 10:00:00
CVE-2014-4148
2014-10-15 10:00:00
exploitdb
exploitdb
exploitpack
exploitpack
cve
cve
CVE-2014-4148
2014-10-15 10:55:08
CVE-2014-4113
2014-10-15 10:55:07
prion
prion
Remote code execution
2014-10-15 10:55:00
Privilege escalation
2014-10-15 10:55:00
packetstorm
packetstorm
Windows TrackPopupMenu Win32k NULL Pointer Dereference
2014-10-28 00:00:00
Windows 8.0 / 8.1 x64 TrackPopupMenu Privilege Escalation
2015-05-21 00:00:00
Microsoft Windows Net-NTLMv2 Reflection DCOM/RPC Privilege Escalation
2019-01-16 00:00:00
seebug
seebug
Windows TrackPopupMenu Win32k NULL Pointer Dereference
2014-11-13 00:00:00
MS14-058 Windowsε
ζ ΈζζζΌζ΄ (CVE-2014-4113)
2016-01-29 00:00:00
symantec
symantec
metasploit
metasploit
Windows TrackPopupMenu Win32k NULL Pointer Dereference
2014-10-23 23:51:30
Windows Net-NTLMv2 Reflection DCOM/RPC
2018-08-03 06:09:24
Windows Net-NTLMv2 Reflection DCOM/RPC (Juicy)
2019-01-10 16:20:43
cisa_kev
cisa_kev
Microsoft Win32k Privilege Escalation Vulnerability
2022-05-04 00:00:00
Microsoft Windows Remote Code Execution Vulnerability
2022-05-25 00:00:00
attackerkb
attackerkb
CVE-2014-4113
2014-10-15 00:00:00
CVE-2014-4148
2014-10-15 00:00:00
nvd
nvd
CVE-2014-4113
2014-10-15 10:55:07
CVE-2014-4148
2014-10-15 10:55:08
securelist
securelist
IT threat evolution Q2 2017
2017-08-15 09:00:37
myhack58
myhack58
checkpoint_advisories
checkpoint_advisories
githubexploit
githubexploit
Exploit for Vulnerability in Winmagic Securedoc
2020-06-30 23:01:33
fireeye
fireeye
CARBANAK Week Part Two: Continuing the CARBANAK Source Code Analysis
2019-04-23 17:45:00
securityvulns
securityvulns
Microsoft Windows multiple security vulnerabilities
2014-10-15 00:00:00
kaspersky
kaspersky
KLA10601 Multiple vulnerabilities in Microsoft products
2014-11-11 00:00:00
CVSS2
9.3
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS3
8.8
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS
0.677
Percentile
98.0%
Related for SMB_NT_MS14-058.NASL