Vulnerabilities > CVE-2013-0074 - Unspecified vulnerability in Microsoft Silverlight

047910
CVSS 7.8 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
low complexity
microsoft
nessus
exploit available
metasploit

Summary

Microsoft Silverlight 5, and 5 Developer Runtime, before 5.1.20125.0 does not properly validate pointers during HTML object rendering, which allows remote attackers to execute arbitrary code via a crafted Silverlight application, aka "Silverlight Double Dereference Vulnerability."

Exploit-Db

descriptionMicrosoft Internet Explorer - COALineDashStyleArray Unsafe Memory Access (MS12-022). CVE-2012-0016,CVE-2013-0074. Remote exploit for windows platform
idEDB-ID:29858
last seen2016-02-03
modified2013-11-27
published2013-11-27
reportermetasploit
sourcehttps://www.exploit-db.com/download/29858/
titleMicrosoft Internet Explorer - COALineDashStyleArray Unsafe Memory Access MS12-022

Metasploit

descriptionThis module exploits a vulnerability in Microsoft Silverlight. The vulnerability exists on the Initialize() method from System.Windows.Browser.ScriptObject, which access memory in an unsafe manner. Since it is accessible for untrusted code (user controlled) it's possible to dereference arbitrary memory which easily leverages to arbitrary code execution. In order to bypass DEP/ASLR a second vulnerability is used, in the public WriteableBitmap class from System.Windows.dll. This module has been tested successfully on IE6 - IE10, Windows XP SP3 / Windows 7 SP1.
idMSF:EXPLOIT/WINDOWS/BROWSER/MS13_022_SILVERLIGHT_SCRIPT_OBJECT
last seen2020-06-07
modified2017-07-24
published2013-11-22
references
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/ms13_022_silverlight_script_object.rb
titleMS13-022 Microsoft Silverlight ScriptObject Unsafe Memory Access

Msbulletin

bulletin_idMS13-022
bulletin_url
date2013-03-12T00:00:00
impactRemote Code Execution
knowledgebase_id2814124
knowledgebase_url
severityCritical
titleVulnerability in Silverlight Could Allow Remote Code Execution

Nessus

  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS13-022.NASL
    descriptionThe version of Microsoft Silverlight installed on the remote host reportedly incorrectly checks a memory pointer when rendering an HTML object, which could allow a specially crafted application to access memory in an unsafe fashion. If an attacker could trick a user on the affected system into visiting a website hosting a malicious Silverlight application, the attacker could leverage this vulnerability to execute arbitrary code on the affected system, subject to the user
    last seen2020-06-01
    modified2020-06-02
    plugin id65211
    published2013-03-12
    reporterThis script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/65211
    titleMS13-022: Vulnerability in Microsoft Silverlight Could Allow Remote Code Execution (2814124)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    
    if (description)
    {
      script_id(65211);
      script_version("1.19");
      script_cvs_date("Date: 2018/11/15 20:50:31");
    
      script_cve_id("CVE-2013-0074");
      script_bugtraq_id(58327);
      script_xref(name:"MSFT", value:"MS13-022");
      script_xref(name:"MSKB", value:"2814124");
    
      script_name(english:"MS13-022: Vulnerability in Microsoft Silverlight Could Allow Remote Code Execution (2814124)");
      script_summary(english:"Checks version of Silverlight.exe");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "A browser enhancement on the remote Windows host could allow arbitrary
    code execution."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "The version of Microsoft Silverlight installed on the remote host
    reportedly incorrectly checks a memory pointer when rendering an HTML
    object, which could allow a specially crafted application to access
    memory in an unsafe fashion.
    
    If an attacker could trick a user on the affected system into visiting a
    website hosting a malicious Silverlight application, the attacker could
    leverage this vulnerability to execute arbitrary code on the affected
    system, subject to the user's privileges."
      );
      script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2013/ms13-022");
      script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Silverlight 5.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'MS13-022 Microsoft Silverlight ScriptObject Unsafe Memory Access');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2013/03/12");
      script_set_attribute(attribute:"patch_publication_date", value:"2013/03/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/03/12");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:silverlight");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.");
    
      script_dependencies("smb_hotfixes.nasl", "silverlight_detect.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, "Host/patch_management_checks");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("smb_func.inc");
    include("misc_func.inc");
    
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = 'MS13-022';
    kb = "2814124";
    
    kbs = make_list(kb);
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    
    # Silverlight 5.x
    ver = get_kb_item("SMB/Silverlight/Version");
    fix = '5.1.20125.0';
    
    if (!isnull(ver) && ver =~ '^5\\.' && ver_compare(ver:ver, fix:fix) == -1)
    {
      path = get_kb_item("SMB/Silverlight/Path");
      report +=
        '\n  Product           : Microsoft Silverlight' +
        '\n  Path              : ' + path +
        '\n  Installed version : ' + ver +
        '\n  Fixed version     : ' + fix + '\n';
      hotfix_add_report(report, bulletin:bulletin, kb:kb);
    
      set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, 'affected');
    }
    
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_MS13-022.NASL
    descriptionThe version of Microsoft Silverlight installed on the remote host reportedly incorrectly checks a memory pointer when rendering an HTML object, which could allow a specially crafted application to access memory in an unsafe fashion. If an attacker could trick a user on the affected system into visiting a website hosting a malicious Silverlight application, the attacker could leverage this vulnerability to execute arbitrary code on the affected system, subject to the user
    last seen2020-06-01
    modified2020-06-02
    plugin id65216
    published2013-03-12
    reporterThis script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/65216
    titleMS13-022: Vulnerability in Silverlight Could Allow Remote Code Execution (2814124) (Mac OS X)

Oval

  • accepted2014-04-07T04:02:00.457-04:00
    classvulnerability
    contributors
    • nameSecPod Team
      organizationSecPod Technologies
    • nameShane Shaffer
      organizationG2, Inc.
    • nameMaria Mikhno
      organizationALTX-SOFT
    definition_extensions
    commentMicrosoft Silverlight 5 is installed
    ovaloval:org.mitre.oval:def:15148
    descriptionMicrosoft Silverlight 5, and 5 Developer Runtime, before 5.1.20125.0 does not properly validate pointers during HTML object rendering, which allows remote attackers to execute arbitrary code via a crafted Silverlight application, aka "Silverlight Double Dereference Vulnerability."
    familywindows
    idoval:org.mitre.oval:def:16516
    statusaccepted
    submitted2013-03-14T10:20:37
    titleDouble dereference vulnerability in Microsoft Silverlight - MS13-022
    version8
  • accepted2013-04-29T04:17:16.198-04:00
    classvulnerability
    contributors
    nameSecPod Team
    organizationSecPod Technologies
    definition_extensions
    commentMicrosoft Silverlight 5 is installed
    ovaloval:org.mitre.oval:def:16072
    descriptionMicrosoft Silverlight 5, and 5 Developer Runtime, before 5.1.20125.0 does not properly validate pointers during HTML object rendering, which allows remote attackers to execute arbitrary code via a crafted Silverlight application, aka "Silverlight Double Dereference Vulnerability."
    familymacos
    idoval:org.mitre.oval:def:16565
    statusaccepted
    submitted2013-03-14T10:20:37
    titleDouble dereference vulnerability in Microsoft Silverlight - MS13-022 (Mac OS X)
    version4

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/124182/ms13_022_silverlight_script_object.rb.txt
idPACKETSTORM:124182
last seen2016-12-05
published2013-11-26
reporterVitaliy Toropov
sourcehttps://packetstormsecurity.com/files/124182/Microsoft-Internet-Explorer-COALineDashStyleArray-Unsafe-Memory-Access.html
titleMicrosoft Internet Explorer COALineDashStyleArray Unsafe Memory Access

Seebug

bulletinFamilyexploit
descriptionNo description provided by source.
idSSV:83333
last seen2017-11-19
modified2014-07-01
published2014-07-01
reporterRoot
sourcehttps://www.seebug.org/vuldb/ssvid-83333
titleMS12-022 Microsoft Internet Explorer COALineDashStyleArray Unsafe Memory Access

The Hacker News

idTHN:BC65D2F30C85103414F6BD1EC204BB05
last seen2018-01-27
modified2014-05-21
published2014-05-21
reporterMohit Kumar
sourcehttps://thehackernews.com/2014/05/netflix-users-targeted-by-microsoft.html
titleNetflix Users Targeted by Microsoft Silverlight Exploits