Vulnerabilities > CVE-2016-7200 - Out-of-bounds Write vulnerability in Microsoft Edge

047910
CVSS 8.8 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
microsoft
CWE-787
nessus
exploit available

Summary

The Chakra JavaScript scripting engine in Microsoft Edge allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Scripting Engine Memory Corruption Vulnerability," a different vulnerability than CVE-2016-7201, CVE-2016-7202, CVE-2016-7203, CVE-2016-7208, CVE-2016-7240, CVE-2016-7242, and CVE-2016-7243.

Common Weakness Enumeration (CWE)

Exploit-Db

  • descriptionMicrosoft Edge (Windows 10) - 'chakra.dll' Info Leak / Type Confusion Remote Code Execution. CVE-2016-7200,CVE-2016-7201. Remote exploit for Windows platform...
    fileexploits/windows/remote/40990.txt
    idEDB-ID:40990
    last seen2017-01-06
    modified2017-01-05
    platformwindows
    port
    published2017-01-05
    reporterExploit-DB
    sourcehttps://www.exploit-db.com/download/40990/
    titleMicrosoft Edge (Windows 10) - 'chakra.dll' Info Leak / Type Confusion Remote Code Execution
    typeremote
  • descriptionMicrosoft Edge - 'Array.filter' Info Leak. CVE-2016-7200. Dos exploit for Windows platform
    fileexploits/windows/dos/40785.html
    idEDB-ID:40785
    last seen2016-11-19
    modified2016-11-18
    platformwindows
    port
    published2016-11-18
    reporterExploit-DB
    sourcehttps://www.exploit-db.com/download/40785/
    titleMicrosoft Edge - 'Array.filter' Info Leak
    typedos

Msbulletin

bulletin_idMS16-129
bulletin_url
date2016-11-08T00:00:00
impactRemote Code Execution
knowledgebase_id3199057
knowledgebase_url
severityCritical
titleCumulative Security Update for Microsoft Edge

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS16-129.NASL
descriptionThe version of Microsoft Edge installed on the remote Windows host is missing Cumulative Security Update 3199057. It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities. An unauthenticated, remote attacker can exploit these vulnerabilities by convincing a user to visit a specially crafted website, resulting in the execution of arbitrary code in the context of the current user.
last seen2020-06-01
modified2020-06-02
plugin id94630
published2016-11-08
reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/94630
titleMS16-129: Cumulative Security Update for Microsoft Edge (3199057)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(94630);
  script_version("1.13");
  script_cvs_date("Date: 2019/11/14");

  script_cve_id(
    "CVE-2016-7195",
    "CVE-2016-7196",
    "CVE-2016-7198",
    "CVE-2016-7199",
    "CVE-2016-7200",
    "CVE-2016-7201",
    "CVE-2016-7202",
    "CVE-2016-7203",
    "CVE-2016-7204",
    "CVE-2016-7208",
    "CVE-2016-7209",
    "CVE-2016-7227",
    "CVE-2016-7239",
    "CVE-2016-7240",
    "CVE-2016-7241",
    "CVE-2016-7242",
    "CVE-2016-7243"
  );
  script_bugtraq_id(
    93968,
    94038,
    94039,
    94041,
    94042,
    94044,
    94046,
    94047,
    94049,
    94051,
    94052,
    94053,
    94055,
    94057,
    94059,
    94065
  );
  script_xref(name:"MSFT", value:"MS16-129");
  script_xref(name:"MSKB", value:"3198585");
  script_xref(name:"MSKB", value:"3198586");
  script_xref(name:"MSKB", value:"3200970");

  script_name(english:"MS16-129: Cumulative Security Update for Microsoft Edge (3199057)");
  script_summary(english:"Checks the file version of edgehtml.dll.");

  script_set_attribute(attribute:"synopsis", value:
"The remote host has a web browser installed that is affected by
multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Microsoft Edge installed on the remote Windows host is
missing Cumulative Security Update 3199057. It is, therefore, affected
by multiple vulnerabilities, including remote code execution
vulnerabilities. An unauthenticated, remote attacker can exploit these
vulnerabilities by convincing a user to visit a specially crafted
website, resulting in the execution of arbitrary code in the context
of the current user.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2016/ms16-129");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows 10 and Windows
Server 2016.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-7243");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/11/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/11/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/11/08");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:edge");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_reg_query.inc");
include("misc_func.inc");

get_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');

bulletin = 'MS16-129';
kbs = make_list('3198585', '3198586', '3200970');

if (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);

# Server core is not affected
if (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);

if (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

share = hotfix_get_systemdrive(exit_on_fail:TRUE, as_share:TRUE);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if (
  hotfix_is_vulnerable(os:"10", sp:0, file:"edgehtml.dll", version:"11.0.14393.447", os_build:"14393", dir:"\system32", bulletin:bulletin, kb:"3200970") ||
  hotfix_is_vulnerable(os:"10", sp:0, file:"edgehtml.dll", version:"11.0.10586.672", os_build:"10586", dir:"\system32", bulletin:bulletin, kb:"3198586") ||
  hotfix_is_vulnerable(os:"10", sp:0, file:"edgehtml.dll", version:"11.0.10240.17184", os_build:"10240", dir:"\system32", bulletin:bulletin, kb:"3198585")
)
{
  set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}