Vulnerabilities > CVE-2011-2016 - Unspecified vulnerability in Microsoft Windows 7, Windows Server 2008 and Windows Vista

CVSS 0.0 - NONE

Attack vector

UNKNOWN

Attack complexity

UNKNOWN

Privileges required

UNKNOWN

Confidentiality impact

UNKNOWN

Integrity impact

UNKNOWN

Availability impact

UNKNOWN

microsoft

nessus

NVD

Published: 2011-11-08

Updated: 2023-12-07

Summary

Untrusted search path vulnerability in Windows Mail and Windows Meeting Space in Microsoft Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains a .eml or .wcinv file, aka "Windows Mail Insecure Library Loading Vulnerability."

Vulnerable Configurations

Part	Description	Count
OS	Microsoft Microsoft Windows Server 2008 * Microsoft Windows Server 2008 R2 Microsoft Windows Server 2008 - Microsoft Windows 7 - Microsoft Windows Vista *	9

Msbulletin

bulletin_id	MS11-085
bulletin_url
date	2011-11-08T00:00:00
impact	Remote Code Execution
knowledgebase_id	2620704
knowledgebase_url
severity	Important
title	Vulnerability in Windows Mail and Windows Meeting Space Could Allow Remote Code Execution

Nessus

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS11-085.NASL
description	The remote Windows host is missing an security update. It is, therefore, affected by a flaw in Windows Mail and Windows Meeting Space related to the search path that is used when loading dynamic link library (DLL) files. This path may include directories that are not trusted or under user control. An unauthenticated, remote attacker can exploit this, by inserting a crafted Trojan horse DLL file into the search path, to execute arbitrary code with privileges of the user.
last seen	2020-06-01
modified	2020-06-02
plugin id	56738
published	2011-11-08
reporter	This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/56738
title	MS11-085: Vulnerability in Windows Mail and Windows Meeting Space Could Allow Remote Code Execution (2620704)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(56738); script_version("1.22"); script_cvs_date("Date: 2018/11/15 20:50:31"); script_cve_id("CVE-2011-2016"); script_bugtraq_id(50507); script_xref(name:"MSFT", value:"MS11-085"); script_xref(name:"MSKB", value:"2620704"); script_name(english:"MS11-085: Vulnerability in Windows Mail and Windows Meeting Space Could Allow Remote Code Execution (2620704)"); script_summary(english:"Checks the file version of wab32.dll."); script_set_attribute(attribute:"synopsis", value: "The remote Windows host is affected by a remote code execution vulnerability."); script_set_attribute(attribute:"description", value: "The remote Windows host is missing an security update. It is, therefore, affected by a flaw in Windows Mail and Windows Meeting Space related to the search path that is used when loading dynamic link library (DLL) files. This path may include directories that are not trusted or under user control. An unauthenticated, remote attacker can exploit this, by inserting a crafted Trojan horse DLL file into the search path, to execute arbitrary code with privileges of the user."); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2011/ms11-085"); script_set_attribute(attribute:"solution", value: "Microsoft has released a set of patches for Windows Vista, 2008, 7, and 2008 R2."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2011/11/08"); script_set_attribute(attribute:"patch_publication_date", value:"2011/11/08"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/11/08"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:windows_mail"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows : Microsoft Bulletins"); script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc."); script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, 'Host/patch_management_checks'); exit(0); } include("audit.inc"); include("smb_func.inc"); include("smb_hotfixes.inc"); include("smb_hotfixes_fcheck.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS11-085'; kb = "2620704"; kbs = make_list(kb); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); get_kb_item_or_exit("SMB/Registry/Enumerated"); get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1); if (hotfix_check_sp_range(vista:'2', win7:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN); if (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE); rootfile = hotfix_get_systemroot(); if (!rootfile) exit(1, "Failed to get the system root."); share = hotfix_path2share(path:rootfile); path = ereg_replace(pattern:"^[A-Za-z](.)", replace:"\1", string:rootfile); login = kb_smb_login(); pass = kb_smb_password(); domain = kb_smb_domain(); port = kb_smb_transport(); if(! smb_session_init()) audit(AUDIT_FN_FAIL, "smb_session_init"); hcf_init = TRUE; rc = NetUseAdd(login:login, password:pass, domain:domain, share:share); if (rc != 1) { NetUseDel(); audit(AUDIT_SHARE_FAIL, share); } winsxs = ereg_replace(pattern:"^[A-Za-z]:(.)", replace:"\1\WinSxS", string:rootfile); files = list_dir(basedir:winsxs, level:0, dir_pat:"microsoft-windows-wab-core", file_pat:"^wab32\.dll$"); vuln = 0; # Windows Vista / Windows Server 2008 vuln += hotfix_check_winsxs(os:'6.0', sp:2, files:files, versions:make_list('6.0.6002.18521', '6.0.6002.22722'), max_versions:make_list('6.0.6002.20000', '6.0.6002.99999'), bulletin:bulletin, kb:kb); # Windows 7 / Windows Server 2008 R2 vuln += hotfix_check_winsxs(os:'6.1', sp:0, files:files, versions:make_list('6.1.7600.16891', '6.1.7600.21062'), max_versions:make_list('6.1.7600.20000', '6.1.7600.99999'), bulletin:bulletin, kb:kb); vuln += hotfix_check_winsxs(os:'6.1', sp:1, files:files, versions:make_list('6.1.7601.17699', '6.1.7601.21830'), max_versions:make_list('6.1.7601.20000', '6.1.7601.99999'), bulletin:bulletin, kb:kb); if (vuln) { set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE); hotfix_security_hole(); hotfix_check_fversion_end(); exit(0); } hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, 'affected');

Oval

accepted

2014-06-30T04:04:43.615-04:00

class

vulnerability

contributors

name Josh Turpin
organization Symantec Corporation
name Josh Turpin
organization Symantec Corporation
name Maria Mikhno
organization ALTX-SOFT

definition_extensions

comment Microsoft Windows Vista (32-bit) Service Pack 2 is installed
oval oval:org.mitre.oval:def:6124
comment Microsoft Windows Vista x64 Edition Service Pack 2 is installed
oval oval:org.mitre.oval:def:5594
comment Microsoft Windows Server 2008 (32-bit) Service Pack 2 is installed
oval oval:org.mitre.oval:def:5653
comment Microsoft Windows Server 2008 x64 Edition Service Pack 2 is installed
oval oval:org.mitre.oval:def:6216
comment Microsoft Windows Server 2008 Itanium-Based Edition Service Pack 2 is installed
oval oval:org.mitre.oval:def:6150
comment Microsoft Windows 7 (32-bit) is installed
oval oval:org.mitre.oval:def:6165
comment Microsoft Windows 7 x64 Edition is installed
oval oval:org.mitre.oval:def:5950
comment Microsoft Windows Server 2008 R2 x64 Edition is installed
oval oval:org.mitre.oval:def:6438
comment Microsoft Windows Server 2008 R2 Itanium-Based Edition is installed
oval oval:org.mitre.oval:def:5954
comment Microsoft Windows 7 (32-bit) Service Pack 1 is installed
oval oval:org.mitre.oval:def:12292
comment Microsoft Windows 7 x64 Service Pack 1 is installed
oval oval:org.mitre.oval:def:12627
comment Microsoft Windows Server 2008 R2 x64 Service Pack 1 is installed
oval oval:org.mitre.oval:def:12567
comment Microsoft Windows Server 2008 R2 Itanium-Based Edition Service Pack 1 is installed
oval oval:org.mitre.oval:def:12583

description

family

windows

oval:org.mitre.oval:def:14028

status

accepted

submitted

2011-11-08T13:00:00

title

Windows Mail Insecure Library Loading Vulnerability

version

Seebug

bulletinFamily	exploit
description	CVE ID: CVE-2011-2016 Microsoft Windows是流行的计算机操作系统。 Microsoft Windows在实现上存在安全漏洞，可被恶意用户利用控制受影响系统。此漏洞源于Windows Mail和Windows Meeting Space以不安全方式加载某些库，通过诱使用户打开远程WebDAV或SMB共享上的EML或WCLNV文件加载任意库。 0 Microsoft Windows Vista Microsoft Windows Server 2008 Microsoft Windows 7 厂商补丁： Microsoft --------- Microsoft已经为此发布了一个安全公告（MS11-085）以及相应补丁: MS11-085：Vulnerability in Windows Mail and Windows Meeting Space Could Allow Remote Code Execution (2620704) 链接：http://www.microsoft.com/technet/security/bulletin/MS11-085 .asp
id	SSV:23180
last seen	2017-11-19
modified	2011-11-09
published	2011-11-09
reporter	Root
title	Windows Mail/Meeting Space不安全库加载漏洞(MS11-085)

Summary

Vulnerable Configurations

Msbulletin

Nessus

Oval

Seebug

References