CVE-2013-3906 - Code Injection vulnerability in Microsoft products
Attack vector | Attack complexity | Privileges required | Confidentiality impact | Integrity impact | Availability impact |
---|---|---|---|---|---|
LOCAL | LOW | NONE | HIGH | HIGH | HIGH |
Summary
GDI+ in Microsoft Windows Vista SP2 and Server 2008 SP2; Office 2003 SP3, 2007 SP3, and 2010 SP1 and SP2; Office Compatibility Pack SP3; and Lync 2010, 2010 Attendee, 2013, and Basic 2013 allows remote attackers to execute arbitrary code via a crafted TIFF image, as demonstrated by an image in a Word document, and exploited in the wild in October and November 2013.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 11 |
OS | | 2 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Leverage Executable Code in Non-Executable Files: An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file), the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. an application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated, mashing up resources from local and remote sources, the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing a buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028, where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading PDF files. In this case the attacker simply appends JavaScript to the end of a legitimate URL for a PDF (http://www.gnucitizen.org/blog/danger-danger-danger/): http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here. The client assumes that they are reading a PDF, but the attacker has modified the resource and loaded executable JavaScript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server; adding the role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when it is manipulated, the attacker gains full control.
- Manipulating User-Controlled Variables: This attack targets user-controlled variables (DEBUG=1, PHP globals, and so forth). An attacker can override environment variables by leveraging user-supplied, untrusted query variables that are used directly on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.
Exploit-Db
description | Microsoft Tagged Image File Format (TIFF) Integer Overflow. CVE-2013-3906. Remote exploit for windows platform |
file | exploits/windows/remote/30011.rb |
id | EDB-ID:30011 |
last seen | 2016-02-03 |
modified | 2013-12-03 |
platform | windows |
port | |
published | 2013-12-03 |
reporter | metasploit |
source | https://www.exploit-db.com/download/30011/ |
title | Microsoft Tagged Image File Format TIFF Integer Overflow |
type | remote |
Metasploit
description | This module exploits a vulnerability found in Microsoft's Tagged Image File Format. It was originally discovered in the wild, targeting Windows XP and Windows Server 2003 users running Microsoft Office, specifically in the Middle East and South Asia region. The flaw is due to a DWORD value extracted from the TIFF file that is embedded as a drawing in Microsoft Office, and how it gets calculated with user-controlled inputs, and stored in the EAX register. The 32-bit register will run out of storage space to represent the large value, which ends up being 0, but it still gets pushed as a dwBytes argument (size) for a HeapAlloc call. The HeapAlloc function will allocate a chunk anyway with size 0, and the address of this chunk is used as the destination buffer of a memcpy function, where the source buffer is the EXIF data (an extended image format supported by TIFF), and is also user-controlled. A function pointer in the chunk returned by HeapAlloc will end up being overwritten by the memcpy function, and then later used in OGL!GdipCreatePath. By successfully controlling this function pointer, and the memory layout using ActiveX, it is possible to gain arbitrary code execution under the context of the user. |
id | MSF:EXPLOIT/WINDOWS/FILEFORMAT/MSWIN_TIFF_OVERFLOW |
last seen | 2020-06-13 |
modified | 2017-09-14 |
published | 2013-11-22 |
references | |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/mswin_tiff_overflow.rb |
title | MS13-096 Microsoft Tagged Image File Format (TIFF) Integer Overflow |
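The size arithmetic the Metasploit description blames, reduced to its essence as an added example (not code from the page, Rapid7 or Microsoft): a 32-bit product of user-controlled values wraps to 0, the allocation succeeds with size 0, and an unbounded copy follows. The checked form computes the product in 64 bits, rejects a wrapped or zero size, and bounds the copy by the allocation; the function names and sample inputs are assumptions constructed here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Unchecked DWORD arithmetic of the kind described above: the product is
 * formed in 32 bits, so 0x10000 * 0x10000 wraps to 0 while both inputs
 * look harmless on their own. */
uint32_t unchecked_size(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;   /* uint32_t arithmetic: wraps modulo 2^32 */
}

/* Hardened form: compute in 64 bits and reject zero or anything that does
 * not fit in a DWORD, so the caller never allocates a wrapped size. */
bool checked_size(uint32_t count, uint32_t elem_size, uint32_t *out)
{
    uint64_t product = (uint64_t)count * (uint64_t)elem_size;
    if (product == 0 || product > UINT32_MAX)
        return false;
    *out = (uint32_t)product;
    return true;
}

/* Allocate-then-copy with both checks the vulnerable path lacked: the size
 * must be valid and the source length must fit the buffer.
 * Returns 0 on success, -1 for a rejected size, -2 when the copy would exceed
 * the allocation (the heap overflow case), -3 on allocation failure. */
int copy_into_new_buffer(uint32_t count, uint32_t elem_size,
                         const uint8_t *src, size_t src_len, uint8_t **out_buf)
{
    uint32_t size;
    *out_buf = NULL;
    if (!checked_size(count, elem_size, &size))
        return -1;
    if (src_len > size)
        return -2;
    uint8_t *buf = malloc(size);
    if (buf == NULL)
        return -3;
    memcpy(buf, src, src_len);
    *out_buf = buf;
    return 0;
}

/* Drives copy_into_new_buffer with a constructed source of src_len bytes
 * (filler standing in for attacker-supplied EXIF data) and returns its
 * status code, so each scenario is a single call. */
int try_copy(uint32_t count, uint32_t elem_size, size_t src_len)
{
    uint8_t *src = malloc(src_len ? src_len : 1);
    if (src == NULL)
        return -3;
    memset(src, 0x41, src_len);
    uint8_t *buf = NULL;
    int rc = copy_into_new_buffer(count, elem_size, src, src_len, &buf);
    free(buf);
    free(src);
    return rc;
}

int main(void)
{
    /* Constructed inputs: 65536 x 65536 elements of one byte each. */
    uint32_t count = 0x10000u, elem_size = 0x10000u;
    printf("unchecked size : %u (wrapped to zero)\n",
           (unsigned)unchecked_size(count, elem_size));
    printf("checked path   : rc=%d (size rejected, nothing allocated)\n",
           try_copy(count, elem_size, 64));
    printf("short buffer   : rc=%d (copy larger than allocation refused)\n",
           try_copy(8, 4, 64));
    printf("well-formed    : rc=%d (64 bytes into a 64-byte buffer)\n",
           try_copy(16, 4, 64));
    return 0;
}
```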
Msbulletin
bulletin_id | MS13-096 |
bulletin_url | |
date | 2013-12-10T00:00:00 |
impact | Remote Code Execution |
knowledgebase_id | 2908005 |
knowledgebase_url | |
severity | Critical |
title | Vulnerability in Microsoft Graphics Component Could Allow Remote Code Execution |
Nessus
NASL family | Windows : Microsoft Bulletins |
NASL id | SMB_NT_MS13-096.NASL |
description | The version of Microsoft |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 71311 |
published | 2013-12-11 |
reporter | This script is Copyright (C) 2013-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/71311 |
title | MS13-096: Vulnerability in Microsoft Graphics Component Could Allow Remote Code Execution (2908005) |

```nasl
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(71311);
  script_version("1.17");
  script_cvs_date("Date: 2018/11/15 20:50:31");

  script_cve_id("CVE-2013-3906");
  script_bugtraq_id(63530);
  script_xref(name:"EDB-ID", value:"30011");
  script_xref(name:"MSFT", value:"MS13-096");
  script_xref(name:"MSKB", value:"2901674");
  script_xref(name:"MSKB", value:"2850047");
  script_xref(name:"MSKB", value:"2817641");
  script_xref(name:"MSKB", value:"2817670");
  script_xref(name:"MSKB", value:"2899397");
  script_xref(name:"MSKB", value:"2899393");
  script_xref(name:"MSKB", value:"2899395");
  script_xref(name:"MSKB", value:"2850057");

  script_name(english:"MS13-096: Vulnerability in Microsoft Graphics Component Could Allow Remote Code Execution (2908005)");
  script_summary(english:"Checks file versions");

  script_set_attribute(attribute:"synopsis", value:"The remote Windows host has a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of Microsoft's Graphics Component installed on the remote
host is affected by a heap overflow vulnerability.  Specially crafted
TrueType font files are not processed properly.  A remote,
unauthenticated attacker could exploit this vulnerability by getting a
user to view content that contains malicious TrueType font files,
resulting in arbitrary code execution.

Note that this issue is currently being exploited by malware in the
wild.");
  # https://blogs.technet.microsoft.com/srd/2013/11/05/cve-2013-3906-a-graphics-vulnerability-exploited-through-word-documents/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6c6729d6");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2013/ms13-096");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows 2008, Windows
Vista, Office 2003, Office 2007, Office 2010, Office Compatibility
Pack, Lync 2010, Lync 2010 Attendee, Lync 2013, and Lync Basic 2013.

Note: KB2896666 was previously released for this issue.  The fix for
KB2896666 can be removed after applying MS13-096 in order to view TIFF
files.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'MS13-096 Microsoft Tagged Image File Format (TIFF) Integer Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2013/11/05");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/12/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/12/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:excel_viewer");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:lync");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:lync_basic");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office_compatibility_pack");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:powerpoint_viewer");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:word_viewer");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");
  script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.");

  script_dependencies("smb_hotfixes.nasl", "office_installed.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_reg_query.inc");
include("misc_func.inc");

global_var bulletin, vuln;

##########################
#
# Get list of all user Directories
#
##########################
function get_user_dirs()
{
  local_var appdir, dirpat, domain, hklm, iter, lcpath, login, pass;
  local_var path, paths, pdir, port, rc, root, share, user, ver;

  paths = make_list();

  registry_init();
  hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);
  pdir = get_registry_value(handle:hklm, item:"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProfilesDirectory");
  if (pdir && stridx(tolower(pdir), "%systemdrive%") == 0)
  {
    root = get_registry_value(handle:hklm, item:"SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot");
    if (!isnull(root))
    {
      share = hotfix_path2share(path:root);
      pdir = share - '$' + ':' + substr(pdir, strlen("%systemdrive%"));
    }
  }
  RegCloseKey(handle:hklm);
  close_registry(close:FALSE);

  if (!pdir) return NULL;

  ver = get_kb_item_or_exit("SMB/WindowsVersion");
  share = hotfix_path2share(path:pdir);
  dirpat = ereg_replace(string:pdir, pattern:"^[A-Za-z]:(.*)", replace:"\1\*");

  port = kb_smb_transport();
  if (!get_port_state(port)) audit(AUDIT_PORT_CLOSED, port);

  login = kb_smb_login();
  pass = kb_smb_password();
  domain = kb_smb_domain();

  rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
  if (rc != 1)
  {
    NetUseDel(close:FALSE);
    return NULL;
  }

  # 2000 / XP / 2003
  if (ver < 6) appdir += "\Local Settings\Application Data";
  # Vista / 7 / 2008
  else appdir += "\AppData\Local";

  paths = make_array();
  iter = FindFirstFile(pattern:dirpat);
  while (!isnull(iter[1]))
  {
    user = iter[1];
    iter = FindNextFile(handle:iter);

    if (user == "." || user == "..") continue;

    path = pdir + '\\' + user + appdir;
    lcpath = tolower(path);
    if (isnull(paths[lcpath])) paths[lcpath] = path;
  }
  NetUseDel(close:FALSE);

  return paths;
}

##########################
#
# Get file version
#
##########################
function get_ver()
{
  local_var fh, path, rc, share, ver;

  path = _FCT_ANON_ARGS[0];
  share = hotfix_path2share(path:path);

  rc = NetUseAdd(share:share);
  if (rc != 1)
  {
    NetUseDel();
    audit(AUDIT_SHARE_FAIL, share);
  }

  ver = NULL;
  path = ereg_replace(string:path, pattern:"^[A-Za-z]:(.*)", replace:'\\1\\');
  fh = CreateFile(
    file               : path,
    desired_access     : GENERIC_READ,
    file_attributes    : FILE_ATTRIBUTE_NORMAL,
    share_mode         : FILE_SHARE_READ,
    create_disposition : OPEN_EXISTING
  );
  if (!isnull(fh))
  {
    ver = GetFileVersion(handle:fh);
    ver = join(ver, sep:".");
    CloseFile(handle:fh);
  }
  NetUseDel(close:FALSE);

  return ver;
}

##########################
#
# Check if a file path/version is vulnerable
#
##########################
function check_vuln(fix, kb, name, path, ver, min_ver)
{
  local_var info;

  if (isnull(ver)) ver = get_ver(path);
  if (isnull(ver) || ver_compare(ver:ver, fix:fix, strict:FALSE) >= 0) return 0;

  # If min_ver is supplied, make sure the version is higher than the min_ver
  if (min_ver && ver_compare(ver:ver, fix:min_ver, strict:FALSE) == -1) return 0;

  info =
    '\n  Product           : ' + name +
    '\n  Path              : ' + path +
    '\n  Installed version : ' + ver +
    '\n  Fixed version     : ' + fix + '\n\n';
  hotfix_add_report(info, bulletin:bulletin, kb:kb);

  vuln = TRUE;
}

function _is_accessible_share()
{
  local_var path, share;

  path = _FCT_ANON_ARGS[0];
  if (isnull(path)) return FALSE;

  share = hotfix_path2share(path:path);
  if (is_accessible_share(share:share)) return TRUE;

  if (vuln) return FALSE;

  # only exit if there is nothing to report (nothing has already been
  # identified as vulnerable)
  hotfix_check_fversion_end();
  audit(AUDIT_SHARE_FAIL, share);
}

##########################
#
# Main
#
##########################
get_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');

# This plugin checks MS13-096; the published copy set 'MS13-054' here, which
# would file the missing-patch KB entry under the wrong bulletin.
bulletin = 'MS13-096';
kbs = make_list(
  '2901674', # Windows Vista / 2008
  '2850047', # Office 2003 / Word Viewer
  '2817641', # Office 2007 / Compatibility Pack / Excel Viewer
  '2817670', # Office 2010 / PowerPoint Viewer
  '2899397', # Lync 2010
  '2899393', # Lync 2010 Attendee (user level)
  '2899395', # Lync 2010 Attendee (admin level)
  '2850057'  # Lync 2013
);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated", exit_code:1);

vuln = FALSE;

# Connect to the registry
userpaths = get_user_dirs();
arch = get_kb_item_or_exit("SMB/ARCH", exit_code:1);
if (arch == "x64") extra = "\Wow6432Node";

registry_init();
hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);

# Microsoft Lync 2010
lync2010_path = get_registry_value(
  handle : hklm,
  item   : 'SOFTWARE'+extra+'\\Microsoft\\Communicator\\InstallationDirectory'
);
# Microsoft Lync 2010 Attendee (admin level install)
lync2010_att_admin_path = get_registry_value(
  handle : hklm,
  item   : 'SOFTWARE\\Microsoft\\AttendeeCommunicator\\InstallationDirectory'
);
# Microsoft Lync Basic 2013
lync2013_path = get_registry_value(
  handle : hklm,
  item   : 'Software\\Microsoft\\Office\\15.0\\Lync\\InstallationDirectory'
);
# Microsoft Visual Studio .NET 2003
vs2003_path = get_registry_value(
  handle : hklm,
  item   : 'Software\\Microsoft\\VisualStudio\\7.1\\InstallDir'
);

# Close connection to registry
RegCloseKey(handle:hklm);
close_registry(close:FALSE);

# Lync 2010
#
if (lync2010_path)
{
  check_vuln(
    name    : 'Microsoft Lync 2010',
    kb      : "2899397",
    path    : lync2010_path + "\communicator.exe",
    min_ver : "4.0.0.0",
    fix     : "4.0.7577.4415"
  );
}

# Lync Attendee Admin Level Install
#
if (lync2010_att_admin_path)
{
  check_vuln(
    name    : 'Microsoft Lync 2010 Attendee (admin level install)',
    kb      : "2899395",
    path    : lync2010_att_admin_path + "\MeetingJoinAxAOC.DLL",
    min_ver : "4.0.0.0",
    fix     : "4.0.7577.4415"
  );
}

# Lync 2010 Attendee User Level Install
#
foreach userdir (keys(userpaths))
{
  check_vuln(
    name    : 'Microsoft Lync 2010 Attendee (user level install)',
    kb      : "2899393",
    path    : userdir + "\Microsoft Lync Attendee\MeetingJoinAxAOC.DLL",
    min_ver : "4.0.0.0",
    fix     : "4.0.7577.4415"
  );
}

# Lync 2013
#
if (lync2013_path)
{
  check_vuln(
    name    : 'Microsoft Lync 2013',
    kb      : "2850057",
    path    : lync2013_path + "\Lync.exe",
    min_ver : "15.0.0.0",
    fix     : "15.0.4551.1007"
  );
}

office_versions = hotfix_check_office_version();

# Office 2003 SP3
#
if (office_versions["11.0"])
{
  office_sp = get_kb_item("SMB/Office/2003/SP");
  if (office_sp == 3)
  {
    path = hotfix_get_officeprogramfilesdir(officever:"11.0") + "\Microsoft Office\OFFICE11";
    if (
      hotfix_is_vulnerable(file:"Gdiplus.dll", version:"11.0.8408.0", min_version:"11.0.0.0", path:path, bulletin:bulletin, kb:'2850047')
    )
    {
      vuln++;
    }
    NetUseDel(close:FALSE);
  }
}

commonfiles = hotfix_get_commonfilesdir();

# Office 2007 SP3
#
if (office_versions["12.0"])
{
  office_sp = get_kb_item("SMB/Office/2007/SP");
  if (office_sp == 3)
  {
    if (
      commonfiles &&
      hotfix_is_vulnerable(file:"Ogl.dll", version:"12.0.6688.5000", min_version:"12.0.0.0", path:commonfiles + "\Microsoft Shared\Office12", bulletin:bulletin, kb:'2817641')
    )
    {
      vuln++;
    }
    NetUseDel(close:FALSE);
  }
}

# Office 2010 SP1 / SP2
#
if (office_versions["14.0"])
{
  office_sp = get_kb_item("SMB/Office/2010/SP");
  if (office_sp == 1 || office_sp == 2)
  {
    if (
      commonfiles &&
      hotfix_is_vulnerable(file:"Ogl.dll", version:"14.0.7110.5004", min_version:"14.0.0.0", path:commonfiles + "\Microsoft Shared\OFFICE14", bulletin:bulletin, kb:'2817670')
    )
    {
      vuln++;
    }
    NetUseDel(close:FALSE);
  }
}

systemroot = hotfix_get_systemroot();

# Vista
# Server 2008
if ( hotfix_check_sp_range(vista:'2') > 0 )
{
  kb = '2901674';

  login = kb_smb_login();
  pass = kb_smb_password();
  domain = kb_smb_domain();

  winsxs = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\WinSxS", string:systemroot);
  winsxs_share = hotfix_path2share(path:systemroot);

  rc = NetUseAdd(login:login, password:pass, domain:domain, share:winsxs_share);
  if (rc != 1) NetUseDel(close:FALSE);

  files = list_dir(basedir:winsxs, level:0, dir_pat:"microsoft.windows.gdiplus", file_pat:"^gdiplus\.dll$", max_recurse:1);
  vuln += hotfix_check_winsxs(os:'6.0', sp:2, files:files, versions:make_list('6.0.6002.18971', '6.0.6002.23256'), max_versions:make_list('6.0.6002.20000', '6.0.6002.99999'), bulletin:bulletin, kb:kb);
}

if (vuln)
{
  set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}
```
NASL family | Windows |
NASL id | SMB_KB2896666.NASL |
description | The remote host is missing one of the workarounds referenced in KB 2896666. The remote host has a version of the Microsoft Graphics Component installed that is potentially affected by a code execution vulnerability due to the way the application handles specially crafted TIFF images. |
last seen | 2017-10-29 |
modified | 2017-08-30 |
plugin id | 70773 |
published | 2013-11-06 |
reporter | Tenable |
source | https://www.tenable.com/plugins/index.php?view=single&id=70773 |
title | MS KB2896666: Vulnerability in Microsoft Graphics Component Could Allow Remote Code Execution (deprecated) |

```nasl
#%NASL_MIN_LEVEL 999999
#
# (C) Tenable Network Security, Inc.
#
#@DEPRECATED@
#
# Disabled on 2013/12/11. Deprecated by smb_nt_ms13-096.nasl

include("compat.inc");

if (description)
{
  script_id(70773);
  script_version("1.11");
  script_cvs_date("Date: 2018/07/27 18:38:15");

  script_cve_id("CVE-2013-3906");
  script_bugtraq_id(63530);
  script_xref(name:"MSKB", value:"2896666");

  script_name(english:"MS KB2896666: Vulnerability in Microsoft Graphics Component Could Allow Remote Code Execution (deprecated)");
  script_summary(english:"Checks for Workaround");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote host is missing one of the workarounds referenced in KB
2896666.

The remote host has a version of the Microsoft Graphics Component
installed that is potentially affected by a code execution
vulnerability due to the way the application handles specially crafted
TIFF images.");
  script_set_attribute(attribute:"see_also", value:"http://technet.microsoft.com/en-us/security/advisory/2896666");
  script_set_attribute(attribute:"solution", value:
"Microsoft has provided a workaround for Windows Vista, 2008, Office
2003, Office 2007, Office 2010, Office Compatibility Pack, Lync 2010
and Lync 2013.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Microsoft Tagged Image File Format (TIFF) Integer Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2013/11/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/11/06");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office_compatibility_pack");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");
  script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.");

  script_dependencies("office_installed.nasl", "smb_hotfixes.nasl", "microsoft_emet_installed.nasl");
  script_require_keys("SMB/Registry/Enumerated", "SMB/WindowsVersion");
  script_require_ports(139, 445);

  exit(0);
}

# Deprecated: the check below is kept for reference but never runs.
exit(0, "This plugin has been deprecated. Use smb_nt_ms13-096.nasl (plugin ID 71311) instead.");

include("audit.inc");
include("global_settings.inc");
include("smb_hotfixes.inc");
include("misc_func.inc");
include("smb_func.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_reg_query.inc");

get_kb_item_or_exit('SMB/Registry/Enumerated', exit_code:1);

vuln = FALSE;

arch = get_kb_item_or_exit('SMB/ARCH', exit_code:1);
if (arch == 'x64') extra = "\Wow6432Node";

registry_init();
hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);

# Check if the OS is Vista / 2008
affected = FALSE;
if (hotfix_check_sp_range(vista:'2') > 0) affected = TRUE;

# Check for Office, Office Compat Pack, or Lync
# (the published copy assigned this to 'office_vers' but read 'office_versions')
office_versions = hotfix_check_office_version();
office = make_list();
if (!affected && office_versions['11.0'])
{
  sp = get_kb_item('SMB/Office/2003/SP');
  if (int(sp) == 3)
  {
    affected = TRUE;
    office = make_list(office, '11');
  }
}
if (!affected && office_versions['12.0'])
{
  sp = get_kb_item('SMB/Office/2007/SP');
  if (int(sp) == 3)
  {
    affected = TRUE;
    office = make_list(office, '12');
  }
}
# Office 2010 is version 14.0 (the published copy checked '13.0', a version
# Office never shipped)
if (!affected && office_versions['14.0'])
{
  office2010sp = get_kb_item('SMB/Office/2010/SP');
  if (int(office2010sp) == 1 || int(office2010sp) == 2)
  {
    affected = TRUE;
    office = make_list(office, '14');
  }
}
if (!affected && (get_kb_list('SMB/Office/WordViewer/*/ProductPath') || get_kb_list('SMB/Office/PowerPointViewer/*/ProductPath'))) affected = TRUE;

lync2010_path = get_registry_value(handle:hklm, item:'SOFTWARE'+extra+"\Microsoft\Communicator\InstallationDirectory");
lync2010_att_admin_path = get_registry_value(handle:hklm, item:"SOFTWARE\Microsoft\AttendeeCommunicator\InstallationDirectory");
lync2013_path = get_registry_value(handle:hklm, item:"SOFTWARE\Microsoft\Office\15.0\Lync\InstallationDirectory");
if (!affected && (lync2010_path || lync2010_att_admin_path || lync2013_path)) affected = TRUE;

if (!affected) exit(0, 'No affected operating systems or applications were found on the remote host.');

# First check for the TIFF codec workaround
ret = get_registry_value(handle:hklm, item:"SOFTWARE\Microsoft\Gdiplus\DisableTIFFCodec");
if (!isnull(ret) && ret == 1) exit(0, 'The host is not affected since the \'DisableTIFFCodec\' workaround has been applied.');

RegCloseKey(handle:hklm);
close_registry();

# Check for EMET
emet_installed = FALSE;
if (!isnull(get_kb_item("SMB/Microsoft/EMET/Installed"))) emet_installed = TRUE;

# Check if EMET is configured with Office, Lync, and
# the Office compat pack
emet_configured = make_array();
wordviewers = get_kb_list('SMB/Office/WordViewer/*/ProductPath');
pptviewers = get_kb_list('SMB/Office/PowerPointViewer/*/ProductPath');

if (max_index(keys(office)) > 0)
{
  for (i=0; i < max_index(office); i++)
  {
    item = office[i];
    if (path = get_kb_item('SMB/Office/Word/'+item+'.0/Path'))
    {
      path = str_replace(find:"\\", replace:'\\', string:path);
      emet_configured[path + "word.exe"] = FALSE;
    }
    if (path = get_kb_item('SMB/Office/Excel/'+item+'.0/Path'))
    {
      path = str_replace(find:"\\", replace:'\\', string:path);
      emet_configured[path + "excel.exe"] = FALSE;
    }
    if (path = get_kb_item('SMB/Office/Powerpoint/'+item+'.0/Path'))
    {
      path = str_replace(find:"\\", replace:'\\', string:path);
      emet_configured[path + "powerpoint.exe"] = FALSE;
    }
    if (path = get_kb_item('SMB/Office/Infopath/'+item+'.0/Path'))
    {
      path = str_replace(find:"\\", replace:'\\', string:path);
      emet_configured[path + "infopath.exe"] = FALSE;
    }
    if (path = get_kb_item('SMB/Office/Outlook/'+item+'.0/Path'))
    {
      path = str_replace(find:"\\", replace:'\\', string:path);
      emet_configured[path + "outlook.exe"] = FALSE;
    }
    if (path = get_kb_item('SMB/Office/Publisher/'+item+'.0/Path'))
    {
      path = str_replace(find:"\\", replace:'\\', string:path);
      emet_configured[path + "publisher.exe"] = FALSE;
    }
    if (path = get_kb_item('SMB/Office/Onenote/'+item+'.0/Path'))
    {
      path = str_replace(find:"\\", replace:'\\', string:path);
      emet_configured[path + "onenote.exe"] = FALSE;
    }
    foreach viewer (keys(wordviewers))
    {
      if ('WordViewer/'+item+'.0' >< viewer)
      {
        path = wordviewers[viewer];
        path = str_replace(find:"\\", replace:'\\', string:path);
        emet_configured[path + "wordview.exe"] = FALSE;
      }
    }
    foreach viewer (keys(pptviewers))
    {
      if ('PowerPointViewer/'+item+'.0' >< viewer)
      {
        path = pptviewers[viewer];
        path = str_replace(find:"\\", replace:'\\', string:path);
        emet_configured[path + "pptview.exe"] = FALSE;
      }
    }
  }
}

if (lync2010_path || lync2010_att_admin_path) emet_configured['communicator.exe'] = FALSE;
if (lync2013_path) emet_configured['lync.exe'] = FALSE;

emet_list = get_kb_list("SMB/Microsoft/EMET/*");
if (!isnull(emet_list))
{
  foreach entry (keys(emet_list))
  {
    foreach item (keys(emet_configured))
    {
      if (tolower(item) >< tolower(entry) && '/dep' >< entry)
      {
        dep = get_kb_item(entry);
        if (!isnull(dep) && dep == 1) emet_configured[item] = TRUE;
      }
    }
  }
}

# Check if any of the applications are not
# configured with emet
info = '';
emet_info = '';
if (!emet_installed)
{
  emet_info = 'Microsoft Enhanced Mitigation Experience Toolkit (EMET) is not' +
              '\ninstalled.\n';
}
else
{
  foreach item (keys(emet_configured))
  {
    if (!emet_configured[item]) info += '  Application : ' + item + '\n';
  }
  if (info)
  {
    emet_info = 'Microsoft Enhanced Mitigation Experience Toolkit (EMET) is' +
                '\ninstalled, however the following applications are not configured' +
                '\nwith EMET :' + info;
  }
}

port = kb_smb_transport();
if (report_verbosity > 0)
{
  report = '\nThe remote host is missing the disable TIFF codec workaround.';
  if (emet_info) report += ' Further\nthe ' + emet_info;
  else report += '\n';
  security_hole(port:port, extra:report);
}
else security_hole(port);
```
Packetstorm
data source | https://packetstormsecurity.com/files/download/124203/mswin_tiff_overflow.rb.txt |
id | PACKETSTORM:124203 |
last seen | 2016-12-05 |
published | 2013-11-27 |
reporter | sinn3r |
source | https://packetstormsecurity.com/files/124203/Microsoft-Tagged-Image-File-Format-TIFF-Integer-Overflow.html |
title | Microsoft Tagged Image File Format (TIFF) Integer Overflow |
Seebug
bulletinFamily | exploit |
description | No description provided by source. |
id | SSV:83479 |
last seen | 2017-11-19 |
modified | 2014-07-01 |
published | 2014-07-01 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-83479 |
title | Microsoft Tagged Image File Format (TIFF) Integer Overflow |
The Hacker News
id | THN:CADECF0C3693E2AC6BFAF8AEC2E8C655 |
last seen | 2017-01-08 |
modified | 2013-11-06 |
published | 2013-11-05 |
reporter | Mohit Kumar |
source | http://thehackernews.com/2013/11/cve-2013-3906-zero-day-vulnerability-Microsoft-Graphics-Component.html |
title | CVE-2013-3906 : Zero Day Vulnerability in Microsoft Graphics Component |

id | THN:58E1F5F9A7CD8CD10D601F3F29999167 |
last seen | 2017-01-08 |
modified | 2013-11-11 |
published | 2013-11-11 |
reporter | Pierluigi Paganini |
source | http://thehackernews.com/2013/11/internet-explorer-zero-day-vulnerability-watering-hole-attack.html |
title | Internet Explorer zero-day vulnerability actively being exploited in the wild |

id | THN:065106D683940E9C40A0D11427F18ED3 |
last seen | 2017-01-08 |
modified | 2013-11-09 |
published | 2013-11-09 |
reporter | Wang Wei |
source | http://thehackernews.com/2013/11/microsoft-set-to-deliver-patches-for.html |
title | Microsoft set to deliver Patches for three Critical flaws, but no patch for Office Zero-day vulnerability |
References
- http://blogs.mcafee.com/mcafee-labs/mcafee-labs-detects-zero-day-exploit-targeting-microsoft-office-2
- http://technet.microsoft.com/security/advisory/2896666
- http://blogs.technet.com/b/srd/archive/2013/11/05/cve-2013-3906-a-graphics-vulnerability-exploited-through-word-documents.aspx
- http://www.exploit-db.com/exploits/30011
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-096