Vulnerabilities > CVE-2002-0076

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
hp
microsoft
sun
nessus

Summary

Java Runtime Environment (JRE) Bytecode Verifier allows remote attackers to escape the Java sandbox and execute commands via an applet containing an illegal cast operation, as seen in (1) Microsoft VM build 3802 and earlier as used in Internet Explorer 4.x and 5.x, (2) Netscape 6.2.1 and earlier, and possibly other implementations that use vulnerable versions of SDK or JDK, aka a variant of the "Virtual Machine Verifier" vulnerability.

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS02-013.NASL
descriptionThe Microsoft VM is a virtual machine for the Win32 operating environment. There are numerous security flaws in the remote Microsoft VM that could allow an attacker to execute arbitrary code on this host. To exploit these flaws, an attacker would need to set up a malicious web site with a rogue Java applet and lure the user of this host to visit it. The Java applet could then execute arbitrary commands on this host.
last seen2020-06-01
modified2020-06-02
plugin id11326
published2003-03-06
reporterThis script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/11326
titleMS02-013: Cumulative VM Update (300845)
code
#
# (C) Tenable Network Security, Inc.
#

# Ref: https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2002/ms02-013
#
# Supercedes : MS99-031, MS99-045, MS00-011, MS00-059, MS00-075, MS00-081
#


include("compat.inc");

if (description)
{
 script_id(11326);
 script_version("1.49");
 script_cvs_date("Date: 2018/11/15 20:50:29");

 script_cve_id("CVE-2002-0058", "CVE-2002-0076");
 script_bugtraq_id(4228, 4313);
 script_xref(name:"MSFT", value:"MS02-013");
 script_xref(name:"MSKB", value:"300845");

 script_name(english:"MS02-013: Cumulative VM Update (300845)");
 script_summary(english:"Determines the version of JView.exe");

 script_set_attribute(attribute:"synopsis", value:"Arbitrary code can be executed on the remote host through the VM.");
 script_set_attribute(attribute:"description", value:
"The Microsoft VM is a virtual machine for the Win32 operating
environment.

There are numerous security flaws in the remote Microsoft VM that could
allow an attacker to execute arbitrary code on this host.

To exploit these flaws, an attacker would need to set up a malicious web
site with a rogue Java applet and lure the user of this host to visit
it.  The Java applet could then execute arbitrary commands on this
host.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2002/ms02-013");
 script_set_attribute(attribute:"solution", value:
"Microsoft VM is no longer supported, and previous updates are no no
longer available.  Upgrade to an actively supported product.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
 script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"false");

 script_set_attribute(attribute:"vuln_publication_date", value:"2002/03/04");
 script_set_attribute(attribute:"patch_publication_date", value:"2002/03/04");
 script_set_attribute(attribute:"plugin_publication_date", value:"2003/03/06");

 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");

 script_dependencies("smb_nt_ms03-011.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");
 script_require_ports(139, 445, 'Host/patch_management_checks');
 exit(0);
}

#

include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");


include("misc_func.inc");
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS02-013';
kb = '300845';

kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

if (hotfix_check_sp(nt:7, win2k:4, xp:1) <= 0) exit(0, 'The host is not affected based on its version / service pack.');

if (  get_kb_item("KB816093") ) exit(0, "KB816093 is installed.");
if (!is_accessible_share()) exit(1, "is_accessible_share() failed.");


if (hotfix_is_vulnerable(file:"Jview.exe",version:"5.0.3.3805",dir:"\system32", bulletin:bulletin, kb:kb))
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  exit(0, "The host is not affected");
}