Vulnerabilities > CVE-2012-0164 - Unspecified vulnerability in Microsoft .Net Framework 4.0

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
microsoft
nessus

Summary

Microsoft .NET Framework 4 does not properly compare index values, which allows remote attackers to cause a denial of service (application hang) via crafted requests to a Windows Presentation Foundation (WPF) application, aka ".NET Framework Index Comparison Vulnerability."

Vulnerable Configurations

Part Description Count
Application
Microsoft
1

Msbulletin

bulletin_idMS12-034
bulletin_url
date2012-05-08T00:00:00
impactRemote Code Execution
knowledgebase_id2681578
knowledgebase_url
severityCritical
titleCombined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS12-034.NASL
descriptionThe remote Windows host is missing a security update. It is, therefore, affected by multiple vulnerabilities : - A flaw exists in the Win32k TrueType font parsing engine that allows an unauthenticated, remote attacker to execute arbitrary code by convincing a user to open a Word document containing malicious font data. (CVE-2011-3402) - A flaw exists in the t2embed.dll module when parsing TrueType fonts. An unauthenticated, remote attacker can exploit this, via a crafted TTF file, to execute arbitrary code. (CVE-2012-0159) - A flaw exists in the .NET Framework due to a buffer allocation error when handling an XBAP or .NET application. An unauthenticated, remote attacker can exploit this, via a specially crafted application, to execute arbitrary code. (CVE-2012-0162) - A flaw exists in the .NET Framework due to an error when comparing the value of an index in a WPF application. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2012-0164) - A flaw exists in GDI+ when handling specially crafted EMF images that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2012-0165) - A heap buffer overflow condition exists in Microsoft Office in the GDI+ library when handling EMF images embedded in an Office document. An unauthenticated, remote attacker can exploit this to execute arbitrary code by convincing a user to open a specially crafted document. (CVE-2012-0167) - A double-free error exists in agcore.dll when rendering XAML strings containing Hebrew Unicode glyphs of certain values. An unauthenticated, remote attacker can exploit this to execute arbitrary code by convincing a user to visit a specially crafted web page. (CVE-2012-0176) - A privilege escalation vulnerability exists in the way the Windows kernel-mode driver manages the functions related to Windows and Messages handling. A local attacker can exploit this, via a specially crafted application, to gain elevated privileges. (CVE-2012-0180) - A privilege escalation vulnerability exists in the way the Windows kernel-mode driver manages Keyboard Layout files. A local attacker can exploit this, via a specially crafted application, to gain elevated privileges. (CVE-2012-0181) - A privilege escalation vulnerability exists in the way the Windows kernel-mode driver manages scrollbar calculations. A local attacker can exploit this, via a specially crafted application, to gain elevated privileges. (CVE-2012-1848)
last seen2020-06-01
modified2020-06-02
plugin id59042
published2012-05-09
reporterThis script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/59042
titleMS12-034: Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight (2681578)
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");


if (description)
{
  script_id(59042);
  script_version("1.49");
  script_cvs_date("Date: 2018/11/15 20:50:31");

  script_cve_id(
    "CVE-2011-3402",
    "CVE-2012-0159",
    "CVE-2012-0162",
    "CVE-2012-0164",
    "CVE-2012-0165",
    "CVE-2012-0167",
    "CVE-2012-0176",
    "CVE-2012-0180",
    "CVE-2012-0181",
    "CVE-2012-1848"
  );
  script_bugtraq_id(
    50462,
    53324,
    53326,
    53327,
    53335,
    53347,
    53351,
    53358,
    53360,
    53363
  );
  script_xref(name:"MSFT", value:"MS12-034");
  script_xref(name:"IAVA", value:"2012-A-0079");
  script_xref(name:"EDB-ID", value:"18894");
  script_xref(name:"ZDI", value:"ZDI-12-131");
  script_xref(name:"MSKB", value:"2589337");
  script_xref(name:"MSKB", value:"2596672");
  script_xref(name:"MSKB", value:"2596792");
  script_xref(name:"MSKB", value:"2598253");
  script_xref(name:"MSKB", value:"2636927");
  script_xref(name:"MSKB", value:"2656405");
  script_xref(name:"MSKB", value:"2656407");
  script_xref(name:"MSKB", value:"2656409");
  script_xref(name:"MSKB", value:"2656410");
  script_xref(name:"MSKB", value:"2656411");
  script_xref(name:"MSKB", value:"2658846");
  script_xref(name:"MSKB", value:"2659262");
  script_xref(name:"MSKB", value:"2660649");
  script_xref(name:"MSKB", value:"2676562");
  script_xref(name:"MSKB", value:"2686509");
  script_xref(name:"MSKB", value:"2690729");

  script_name(english:"MS12-034: Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight (2681578)");
  script_summary(english:"Checks the version of multiple files.");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote Windows host is missing a security update. It is,
therefore, affected by multiple vulnerabilities :

  - A flaw exists in the Win32k TrueType font parsing engine
    that allows an unauthenticated, remote attacker to
    execute arbitrary code by convincing a user to open a
    Word document containing malicious font data.
    (CVE-2011-3402)

  - A flaw exists in the t2embed.dll module when parsing
    TrueType fonts. An unauthenticated, remote attacker can
    exploit this, via a crafted TTF file, to execute
    arbitrary code. (CVE-2012-0159)

  - A flaw exists in the .NET Framework due to a buffer
    allocation error when handling an XBAP or .NET
    application. An unauthenticated, remote attacker can
    exploit this, via a specially crafted application, to
    execute arbitrary code. (CVE-2012-0162)

  - A flaw exists in the .NET Framework due to an error
    when comparing the value of an index in a WPF
    application. An unauthenticated, remote attacker can
    exploit this to cause a denial of service condition.
    (CVE-2012-0164)

  - A flaw exists in GDI+ when handling specially crafted
    EMF images that allows an unauthenticated, remote
    attacker to execute arbitrary code. (CVE-2012-0165)

  - A heap buffer overflow condition exists in Microsoft
    Office in the GDI+ library when handling EMF images
    embedded in an Office document. An unauthenticated,
    remote attacker can exploit this to execute arbitrary
    code by convincing a user to open a specially crafted
    document. (CVE-2012-0167)

  - A double-free error exists in agcore.dll when rendering
    XAML strings containing Hebrew Unicode glyphs of certain
    values. An unauthenticated, remote attacker can exploit
    this to execute arbitrary code by convincing a user to
    visit a specially crafted web page. (CVE-2012-0176)

  - A privilege escalation vulnerability exists in the
    way the Windows kernel-mode driver manages the functions
    related to Windows and Messages handling. A local
    attacker can exploit this, via a specially crafted
    application, to gain elevated privileges.
    (CVE-2012-0180)

  - A privilege escalation vulnerability exists in the way
    the Windows kernel-mode driver manages Keyboard Layout
    files. A local attacker can exploit this, via a
    specially crafted application, to gain elevated
    privileges. (CVE-2012-0181)

  - A privilege escalation vulnerability exists in the way
    the Windows kernel-mode driver manages scrollbar
    calculations. A local attacker can exploit this, via a
    specially crafted application, to gain elevated
    privileges. (CVE-2012-1848)");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-12-131/");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2012/Aug/60");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2012/ms12-034");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows XP, 2003, Vista,
2008, 7, 2008 R2; Office 2003, 2007, and 2010; .NET Framework 3.0,
3.5.1, and 4.0; and Silverlight 4 and 5.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2011/10/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/05/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/05/09");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:silverlight");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:.net_framework");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");

  script_dependencies(
    "smb_hotfixes.nasl",
    "office_installed.nasl",
    "silverlight_detect.nasl",
    "ms_bulletin_checks_possible.nasl"
  );
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("smb_reg_query.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS12-034';
kbs = make_list(
  '2589337',
  '2596672',
  '2596672',
  '2596792',
  '2598253',
  '2636927',
  '2656405',
  '2656407',
  '2656409',
  '2656410',
  '2656411',
  '2658846',
  '2659262',
  '2660649',
  '2676562',
  '2686509',
  '2690729'
);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

vuln = 0;

#######################
# KB2686509           #
#######################
winver = get_kb_item('SMB/WindowsVersion');
spver = get_kb_item('SMB/CSDVersion');
prodname = get_kb_item('SMB/ProductName');
if (spver)
  spver = int(ereg_replace(string:spver, pattern:'.*Service Pack ([0-9]).*', replace:"\1"));
if (
  winver && spver && prodname &&
  ((winver == '5.2' && spver == 2) ||
  (winver == '5.1' && spver == 3))
)
{
  if (winver == '5.2' && spver == 2 && 'XP' >< prodname)
    reg_name = "SOFTWARE\Microsoft\Updates\Windows XP Version 2003\SP3\KB2686509\Description";
  else if (winver == '5.2' && spver == 2)
    reg_name = "SOFTWARE\Microsoft\Updates\Windows Server 2003\SP3\KB2686509\Description";
  else if (winver == '5.1' && spver == 3)
    reg_name = "SOFTWARE\Microsoft\Updates\Windows XP\SP4\KB2686509\Description";

  registry_init();
  hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);
  desc = get_registry_value(handle:hklm, item:reg_name);
  RegCloseKey(handle:hklm);
  close_registry();

  if (isnull(desc))
  {
    hotfix_add_report('  According to the registry, KB2686509 is missing.\n', bulletin:bulletin, kb:"2686509");
    vuln++;
  }
}

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
path  = ereg_replace(pattern:'^[A-Za-z]:(.*)', replace:"\1$", string:rootfile);

login  = kb_smb_login();
pass   = kb_smb_password();
domain = kb_smb_domain();
port   = kb_smb_transport();

if(! smb_session_init()) audit(AUDIT_FN_FAIL, "smb_session_init");

hcf_init = TRUE;

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

office_versions = hotfix_check_office_version();
cdir = hotfix_get_commonfilesdir();

################################################################
# Office Checks                                                #
################################################################

#############################
# Office 2003 SP3 KB2598253 #
#############################
if (office_versions["11.0"])
{
  office_sp = get_kb_item("SMB/Office/2003/SP");
  if (!isnull(office_sp) && office_sp == 3)
  {
    path = hotfix_get_officeprogramfilesdir(officever:'11.0') + "\Microsoft Office\Office11";

    if (hotfix_is_vulnerable(file:"Gdiplus.dll", version:"11.0.8345.0", min_version:"11.0.0.0", path:path, bulletin:bulletin, kb:'2598253'))
      vuln++;
  }
}

#############################
# Office 2007 SP2           #
#   KB2596672, KB2596792    #
#############################
if (office_versions["12.0"])
{
  office_sp = get_kb_item("SMB/Office/2007/SP");
  if (!isnull(office_sp) && (office_sp == 2 || office_sp == 3))
  {
    path = cdir + "\Microsoft Shared\Office12";
    if (hotfix_is_vulnerable(file:"Ogl.dll", version:"12.0.6659.5000", path:path, bulletin:bulletin, kb:'2596672'))
      vuln++;

    path = cdir + "\Microsoft SHared\MODI\12.0";
    if (hotfix_is_vulnerable(file:"Mspcore.dll", version:"12.0.6658.5001", path:path, bulletin:bulletin, kb:'2596792'))
      vuln++;
  }
}

#############################
# Office 2010 KB2589337     #
#############################
if (office_versions["14.0"])
{
  office_sp = get_kb_item("SMB/Office/2010/SP");
  if (!isnull(office_sp) && (office_sp == 0 || office_sp == 1))
  {
    path = cdir + "\Microsoft Shared\Office14";
    if (hotfix_is_vulnerable(file:"Ogl.dll", version:"14.0.6117.5001", path:path, bulletin:bulletin, kb:'2589337'))
      vuln++;
  }
}

# Silverlight 4.x / 5.x
slfix = NULL;
slkb = NULL;
ver = get_kb_item("SMB/Silverlight/Version");
if (ver =~ '^4\\.' && ver_compare(ver:ver, fix:'4.1.10329.0') == -1)
{
  slfix = '4.1.10329';
  slkb = '2690729';
}
else if (ver =~ '^5\\.' && ver_compare(ver:ver, fix:'5.1.10411.0') == -1)
{
  slfix = '5.1.10411';
  slkb = '2636927';
}
if (slfix)
{
  path = get_kb_item("SMB/Silverlight/Path");
  report +=
    '\n  Product           : Microsoft Silverlight' +
    '\n  Path              : ' + path +
    '\n  Installed version : ' + ver +
    '\n  Fixed version     : ' + slfix + '\n';
  hotfix_add_report(report, bulletin:bulletin, kb:slkb);
  vuln++;
}

if (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'2', win7:'0,1') <= 0)
{
  if (vuln > 0)
  {
    set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
    hotfix_security_hole();
    hotfix_check_fversion_end();
    exit(0);
  }
  else audit(AUDIT_OS_SP_NOT_VULN);
}

if (!is_accessible_share()) exit(1, "is_accessible_share() failed.");
################################################################
# .NET Framework Checks                                        #
################################################################


net3path = hotfix_get_programfilesdir() + "\Reference Assemblies\Microsoft\Framework\v3.0";
if (!isnull(net3path))
{
  # .NET Framework 3.0 on Windows XP / Windows Server 2003
  missing = 0;
  missing += hotfix_is_vulnerable(os:"5.1", file:"PresentationCore.dll", version:"3.0.6920.4021", min_version:"3.0.6920.0", dir:net3path);
  missing += hotfix_is_vulnerable(os:"5.1", file:"PresentationCore.dll", version:"3.0.6920.5810", min_version:"3.0.6920.5700", dir:net3path);
  missing += hotfix_is_vulnerable(os:"5.2", file:"PresentationCore.dll", version:"3.0.6920.4021", min_version:"3.0.6920.0", dir:net3path);
  missing += hotfix_is_vulnerable(os:"5.2", file:"PresentationCore.dll", version:"3.0.6920.5810", min_version:"3.0.6920.5700", dir:net3path);
  if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:"2656407");
  vuln += missing;

  # .NET Framework 3.0 on Windows Vista / Windows Server 2008
  missing = 0;
  missing += hotfix_is_vulnerable(os:"6.0", file:"PresentationCore.dll", version:"3.0.6920.4213", min_version:"3.0.6920.0", dir:net3path);
  missing += hotfix_is_vulnerable(os:"6.0", file:"PresentationCore.dll", version:"3.0.6920.5794", min_version:"3.0.6920.5700", dir:net3path);
  if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:"2656409");
  vuln += missing;

  # .NET Framework 3.5.1 on Windows 7 / Server 2008 R2
  missing = 0;
  missing += hotfix_is_vulnerable(os:"6.1", sp:0, file:"PresentationCore.dll", version:"3.0.6920.5809", min_version:"3.0.6920.5700", dir:net3path);
  missing += hotfix_is_vulnerable(os:"6.1", sp:0, file:"PresentationCore.dll", version:"3.0.6920.5005", min_version:"3.0.6920.5000", dir:net3path);

  if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:"2656410");
  vuln += missing;

  # .NET Framework 3.5.1 on Windows 7 SP1 / Server 2008 R2 SP1
  missing = 0;
  missing += hotfix_is_vulnerable(os:"6.1", sp:1, file:"PresentationCore.dll", version:"3.0.6920.5794", min_version:"3.0.6920.5700", dir:net3path);
  missing += hotfix_is_vulnerable(os:"6.1", sp:1, file:"PresentationCore.dll", version:"3.0.6920.5448", min_version:"3.0.6920.5000", dir:net3path);

  if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:"2633873");
  vuln += missing;
}
# .NET Framework 4.0 on all supported versions of Windows
missing = 0;
missing += hotfix_is_vulnerable(os:"5.1", file:"PresentationCore.dll", version:"4.0.30319.275", min_version:"4.0.30319.0",   dir:"\Microsoft.NET\Framework\v4.0.30319\WPF");
missing += hotfix_is_vulnerable(os:"5.1", file:"PresentationCore.dll", version:"4.0.30319.550", min_version:"4.0.30319.400", dir:"\Microsoft.NET\Framework\v4.0.30319\WPF");
missing += hotfix_is_vulnerable(os:"5.2", file:"PresentationCore.dll", version:"4.0.30319.275", min_version:"4.0.30319.0",   dir:"\Microsoft.NET\Framework\v4.0.30319\WPF");
missing += hotfix_is_vulnerable(os:"5.2", file:"PresentationCore.dll", version:"4.0.30319.550", min_version:"4.0.30319.400", dir:"\Microsoft.NET\Framework\v4.0.30319\WPF");
missing += hotfix_is_vulnerable(os:"6.0", file:"PresentationCore.dll", version:"4.0.30319.275", min_version:"4.0.30319.0",   dir:"\Microsoft.NET\Framework\v4.0.30319\WPF");
missing += hotfix_is_vulnerable(os:"6.0", file:"PresentationCore.dll", version:"4.0.30319.550", min_version:"4.0.30319.400", dir:"\Microsoft.NET\Framework\v4.0.30319\WPF");
missing += hotfix_is_vulnerable(os:"6.1", file:"PresentationCore.dll", version:"4.0.30319.275", min_version:"4.0.30319.0",   dir:"\Microsoft.NET\Framework\v4.0.30319\WPF");
missing += hotfix_is_vulnerable(os:"6.1", file:"PresentationCore.dll", version:"4.0.30319.550", min_version:"4.0.30319.400", dir:"\Microsoft.NET\Framework\v4.0.30319\WPF");

if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:"2656405");
vuln += missing;

################################################################
# Windows Checks                                               #
################################################################

#######################
# KB2676562           #
#######################
missing = 0;
# Windows 7 / 2008 R2
missing += hotfix_is_vulnerable(os:"6.1", sp:1, file:"Win32k.sys", version:"6.1.7601.21955", min_version:"6.1.7601.21000", dir:"\system32");
missing += hotfix_is_vulnerable(os:"6.1", sp:1, file:"Win32k.sys", version:"6.1.7601.17803", min_version:"6.1.7601.17000", dir:"\system32");
missing += hotfix_is_vulnerable(os:"6.1", sp:0, file:"Win32k.sys", version:"6.1.7600.21179", min_version:"6.1.7600.20000", dir:"\system32");
missing += hotfix_is_vulnerable(os:"6.1", sp:0, file:"Win32k.sys", version:"6.1.7600.16988", min_version:"6.1.7600.16000", dir:"\system32");

# Windows Vista / 2008
missing += hotfix_is_vulnerable(os:"6.0", sp:2, file:"Win32k.sys", version:"6.0.6002.22831", min_version:"6.0.6002.22000", dir:"\system32");
missing += hotfix_is_vulnerable(os:"6.0", sp:2, file:"Win32k.sys", version:"6.0.6002.18607", min_version:"6.0.6002.18000", dir:"\system32");

# Windows 2003 / XP 64-bit
missing += hotfix_is_vulnerable(os:"5.2", sp:2, file:"Win32k.sys", version:"5.2.3790.4980", dir:"\system32");

# Windows XP 32-bit
missing += hotfix_is_vulnerable(os:"5.1", sp:3, file:"Win32k.sys", version:"5.1.2600.6206", dir:"\system32");
if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:'2676562');
vuln+= missing;

################################
# WinSxS Checks                #
################################
winsxs = ereg_replace(pattern:'^[A-Za-z]:(.*)', replace:"\1\WinSxS", string:rootfile);

#######################
# KB2659262           #
#######################
kb = '2659262';
files = list_dir(basedir:winsxs, level:0, dir_pat:'microsoft.windows.gdiplus', file_pat:'^gdiplus\\.dll$');

# Windows XP / 2003
vuln += hotfix_check_winsxs(os:'5.1', sp:3, files:files, versions:make_list('5.2.6002.22791'), bulletin:bulletin, kb:kb);
vuln += hotfix_check_winsxs(os:'5.2', sp:2, files:files, versions:make_list('5.2.6002.22791'), bulletin:bulletin, kb:kb);

# Windows Vista / 2008
versions = make_list('5.2.6002.18581', '5.2.6002.22795', '6.0.6002.18581', '6.0.6002.22795');
max_versions = make_list('5.2.6002.20000', '5.2.6002.99999', '6.0.6002.20000', '6.0.6002.99999');
vuln += hotfix_check_winsxs(os:'6.0', sp:2, files:files, versions:versions, max_versions:max_versions, bulletin:bulletin, kb:kb);

# Windows 7 / 2008 R2
versions = make_list('5.2.7600.17007', '5.2.7600.21198', '5.2.7601.17825', '5.2.7601.21977', '6.1.7600.17007', '6.1.7600.21198', '6.1.7601.17825', '6.1.7601.21977');
max_versions = make_list('5.2.7600.20000', '5.2.7600.99999', '5.2.7601.20000', '5.2.7601.99999', '6.1.7600.20000', '6.1.7600.99999', '6.1.7601.20000', '6.1.7601.99999');
vuln += hotfix_check_winsxs(os:'6.1', files:files, versions:versions, max_versions:max_versions, bulletin:bulletin, kb:kb);

#######################
# KB2658846           #
#######################
kb = '2658846';
files = list_dir(basedir:winsxs, level:0, dir_pat:'microsoft-windows-directwrite', file_pat:'^Dwrite\\.dll$');

# Windows Vista / Windows Server 2008
vuln += hotfix_check_winsxs(os:'6.0', files:files, versions:make_list('7.0.6002.18592', '7.0.6002.22807'), max_versions:make_list('7.0.6002.20000', '7.0.6002.99999'), bulletin:bulletin, kb:kb);

# Windows 7 2008 R2
versions = make_list('6.1.7600.16972', '6.1.7600.21162', '6.1.7601.17789', '6.1.7601.21935');
max_versions = make_list('6.1.7600.20000', '6.1.7600.99999', '6.1.7601.20000', '');
vuln += hotfix_check_winsxs(os:'6.1', files:files, versions:versions, max_versions:max_versions, bulletin:bulletin, kb:kb);

#######################
# KB2660649           #
#######################
kb = '2660649';

# Windows XP / Windows Server 2003
#(hotfix_check_sp(xp:4, win2003:3) > 0 && (version_cmp(a:ver, b:'1.7.2600.6189') >= 0)) ||

base_path = hotfix_get_programfilesdir();
if (!base_path) base_path = hotfix_get_programfilesdirx86();

if (!base_path) audit(AUDIT_PATH_NOT_DETERMINED, "Common Files");

full_path = hotfix_append_path(path:base_path, value:"\windows journal");

if (
  # Vista
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"jnwdrv.dll", version:"0.3.6002.22789", min_version:"0.3.6002.20000", path:full_path, bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"jnwdrv.dll", version:"0.3.6002.18579", min_version:"0.3.6002.18000", path:full_path, bulletin:bulletin, kb:kb) ||

  # Windows 7
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"jnwdrv.dll", version:"0.3.7601.21955", min_version:"0.3.7601.18000", path:full_path, bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"jnwdrv.dll", version:"0.3.7601.17803", min_version:"0.3.7601.16000", path:full_path, bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"jnwdrv.dll", version:"0.3.7600.21179", min_version:"0.3.7600.18000", path:full_path, bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"jnwdrv.dll", version:"0.3.7600.16988", min_version:"0.3.7600.16000", path:full_path, bulletin:bulletin, kb:kb)
)
  vuln += 1;
hotfix_check_fversion_end();
#######################
# Report              #
#######################
if (vuln > 0)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

Oval

accepted2014-08-18T04:01:19.689-04:00
classvulnerability
contributors
  • nameDragos Prisaca
    organizationSymantec Corporation
  • nameMaria Mikhno
    organizationALTX-SOFT
definition_extensions
  • commentMicrosoft Windows XP (32-bit) is installed
    ovaloval:org.mitre.oval:def:1353
  • commentMicrosoft Windows XP x64 is installed
    ovaloval:org.mitre.oval:def:15247
  • commentMicrosoft Windows Server 2003 (32-bit) is installed
    ovaloval:org.mitre.oval:def:1870
  • commentMicrosoft Windows Server 2003 (x64) is installed
    ovaloval:org.mitre.oval:def:730
  • commentMicrosoft Windows Vista (32-bit) is installed
    ovaloval:org.mitre.oval:def:1282
  • commentMicrosoft Windows Vista x64 Edition is installed
    ovaloval:org.mitre.oval:def:2041
  • commentMicrosoft Windows Server 2008 (32-bit) is installed
    ovaloval:org.mitre.oval:def:4870
  • commentMicrosoft Windows Server 2008 (64-bit) is installed
    ovaloval:org.mitre.oval:def:5356
  • commentMicrosoft Windows 7 (32-bit) is installed
    ovaloval:org.mitre.oval:def:6165
  • commentMicrosoft Windows 7 x64 Edition is installed
    ovaloval:org.mitre.oval:def:5950
  • commentMicrosoft Windows Server 2008 R2 x64 Edition is installed
    ovaloval:org.mitre.oval:def:6438
  • commentMicrosoft .NET Framework 4.0 is installed
    ovaloval:org.mitre.oval:def:6749
descriptionMicrosoft .NET Framework 4 does not properly compare index values, which allows remote attackers to cause a denial of service (application hang) via crafted requests to a Windows Presentation Foundation (WPF) application, aka ".NET Framework Index Comparison Vulnerability."
familywindows
idoval:org.mitre.oval:def:15580
statusaccepted
submitted2012-05-08T13:00:00
title.NET Framework Index Comparison Vulnerability
version41

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 53363 CVE ID: CVE-2012-0164 Microsoft Windows是流行的计算机操作系统。 .NET Framework 比较索引值的方式中存在一个拒绝服务漏洞。成功利用此漏洞的攻击者可能导致使用 WPF API 的应用程序停止响应,直至被手动重新启动。请注意,攻击者无法利用拒绝服务漏洞来以任何方式执行代码或提升其用户权限。 0 Microsoft .NET Framework 4.0 厂商补丁: Microsoft --------- Microsoft已经为此发布了一个安全公告(MS12-034)以及相应补丁: MS12-034:Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight (2681578) 链接:http://www.microsoft.com/technet/security/bulletin/MS12-034.asp
idSSV:60119
last seen2017-11-19
modified2012-05-09
published2012-05-09
reporterRoot
titleMicrosoft .NET Framework索引比较拒绝服务漏洞(CVE-2012-0164)(MS12-034)