Vulnerabilities > CVE-2017-8619 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Microsoft Edge

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from the Microsoft Security Updates API. The text
# itself is copyright (C) Microsoft Corporation.
#
include("compat.inc");

if (description)
{
  script_id(104383);
  script_version("1.7");
  script_cvs_date("Date: 2018/08/03 11:35:09");

  script_cve_id(
    "CVE-2017-0170",
    "CVE-2017-8463",
    "CVE-2017-8467",
    "CVE-2017-8486",
    "CVE-2017-8495",
    "CVE-2017-8556",
    "CVE-2017-8557",
    "CVE-2017-8561",
    "CVE-2017-8562",
    "CVE-2017-8563",
    "CVE-2017-8564",
    "CVE-2017-8565",
    "CVE-2017-8573",
    "CVE-2017-8577",
    "CVE-2017-8578",
    "CVE-2017-8580",
    "CVE-2017-8581",
    "CVE-2017-8582",
    "CVE-2017-8585",
    "CVE-2017-8587",
    "CVE-2017-8588",
    "CVE-2017-8589",
    "CVE-2017-8590",
    "CVE-2017-8592",
    "CVE-2017-8595",
    "CVE-2017-8599",
    "CVE-2017-8601",
    "CVE-2017-8602",
    "CVE-2017-8605",
    "CVE-2017-8606",
    "CVE-2017-8607",
    "CVE-2017-8608",
    "CVE-2017-8609",
    "CVE-2017-8611",
    "CVE-2017-8618",
    "CVE-2017-8619"
  );
  script_bugtraq_id(
    99387,
    99388,
    99389,
    99390,
    99391,
    99392,
    99393,
    99394,
    99396,
    99397,
    99398,
    99399,
    99400,
    99402,
    99403,
    99408,
    99409,
    99410,
    99412,
    99413,
    99414,
    99416,
    99418,
    99419,
    99420,
    99421,
    99423,
    99424,
    99425,
    99426,
    99427,
    99428,
    99429,
    99431,
    99432,
    99439
  );
  script_xref(name:"MSKB", value:"4025338");
  script_xref(name:"MSFT", value:"MS17-4025338");

  script_name(english:"KB4025338: Windows 10 July 2017 Cumulative Update");
  script_summary(english:"Checks for rollup.");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote Windows host is missing security update 4025338.
It is, therefore, affected by multiple vulnerabilities :

  - A remote code execution vulnerability exists when
    Windows Search handles objects in memory. An attacker
    who successfully exploited this vulnerability could take
    control of the affected system. An attacker could then
    install programs; view, change, or delete data; or
    create new accounts with full user rights.
    (CVE-2017-8589)

  - A remote code execution vulnerability exists in the way
    that the VBScript engine, when rendered in Internet
    Explorer, handles objects in memory. In a web-based
    attack scenario, an attacker could host a specially
    crafted website that is designed to exploit this
    vulnerability through Internet Explorer and then
    convince a user to view the website. An attacker could
    also embed an ActiveX control marked "safe for
    initialization in an application or Microsoft
    Office document that hosts the Internet Explorer
    rendering engine. The attacker could also take advantage
    of compromised websites and websites that accept or host
    user-provided content or advertisements. These websites
    could contain specially crafted content that could
    exploit this vulnerability. An attacker who successfully
    exploited this vulnerability could gain the same user
    rights as the current user.  (CVE-2017-8618)

  - An elevation of privilege vulnerability exists in
    Windows when the Win32k component fails to properly
    handle objects in memory. An attacker who successfully
    exploited this vulnerability could run arbitrary code in
    kernel mode. An attacker could then install programs;
    view, change, or delete data; or create new accounts
    with full user rights.  (CVE-2017-8467, CVE-2017-8556,
    CVE-2017-8573, CVE-2017-8577, CVE-2017-8578,
    CVE-2017-8580)

  - A Denial Of Service vulnerability exists when Windows
    Explorer attempts to open a non-existent file. An
    attacker who successfully exploited this vulnerability
    could cause a denial of service. A attacker could
    exploit this vulnerability by hosting a specially
    crafted web site and convince a user to browse to the
    page, containing the reference to the non-existing file,
    and cause the victim's system to stop responding. An
    attacker could not force a user to view the attacker-
    controlled content. Instead, an attacker would have to
    convince a user to take action. For example, an attacker
    could trick a user into clicking a link that takes the
    user to the attacker's site The update addresses the
    vulnerability by correcting how Windows Explorer handles
    open attempts for non-existent files. (CVE-2017-8587)

  - A remote code execution vulnerability exists in the way
    JavaScript engines render when handling objects in
    memory in Microsoft browsers. The vulnerability could
    corrupt memory in such a way that an attacker could
    execute arbitrary code in the context of the current
    user. An attacker who successfully exploited the
    vulnerability could gain the same user rights as the
    current user.  (CVE-2017-8606, CVE-2017-8607,
    CVE-2017-8608)

  - A security feature bypass vulnerability exists in
    Microsoft Windows when Kerberos fails to prevent
    tampering with the SNAME field during ticket exchange.
    An attacker who successfully exploited this
    vulnerability could use it to bypass Extended Protection
    for Authentication.  (CVE-2017-8495)

  - A remote code execution vulnerability exists in the way
    that the Scripting Engine renders when handling objects
    in memory in Microsoft browsers. The vulnerability could
    corrupt memory in such a way that an attacker could
    execute arbitrary code in the context of the current
    user.  (CVE-2017-8609)

  - An elevation of privilege vulnerability exists in the
    way that the Windows Kernel handles objects in memory.
    An attacker who successfully exploited the vulnerability
    could execute code with elevated permissions.
    (CVE-2017-8561)

  - A remote code execution vulnerability exists in
    PowerShell when PSObject wraps a CIM Instance. An
    attacker who successfully exploited this vulnerability
    could execute malicious code on a vulnerable system. In
    an attack scenario, an attacker could execute malicious
    code in a PowerShell remote session. The update
    addresses the vulnerability by correcting how PowerShell
    deserializes user supplied scripts. (CVE-2017-8565)

  - An elevation of privilege vulnerability exists when
    Windows improperly handles calls to Advanced Local
    Procedure Call (ALPC). An attacker who successfully
    exploited this vulnerability could run arbitrary code in
    the security context of the local system. An attacker
    could then install programs; view, change, or delete
    data; or create new accounts with full user rights.
    (CVE-2017-8562)

  - An information disclosure vulnerability exists in
    Microsoft Windows when Win32k fails to properly handle
    objects in memory. An attacker who successfully
    exploited the vulnerability could obtain information to
    further compromise the users system.  (CVE-2017-8486)

  - An information disclosure vulnerability exists in the
    Windows Performance Monitor Console when it improperly
    parses XML input containing a reference to an external
    entity. An attacker who successfully exploited this
    vulnerability could read arbitrary files via an XML
    external entity (XXE) declaration.  (CVE-2017-0170)

  - A remote code execution vulnerability exists in the way
    Microsoft Edge handles objects in memory. The
    vulnerability could corrupt memory in such a way that an
    attacker could execute arbitrary code in the context of
    the current user. An attacker who successfully exploited
    the vulnerability could gain the same user rights as the
    current user.  (CVE-2017-8595, CVE-2017-8605,
    CVE-2017-8619)

  - An elevation of privilege vulnerability exists when the
    Windows Common Log File System (CLFS) driver improperly
    handles objects in memory.  (CVE-2017-8590)

  - An information disclosure vulnerability exists when the
    Windows kernel fails to properly initialize a memory
    address, allowing an attacker to retrieve information
    that could lead to a Kernel Address Space Layout
    Randomization (KASLR) bypass. An attacker who
    successfully exploited this vulnerability could retrieve
    the base address of the kernel driver from a compromised
    process.  (CVE-2017-8564)

  - A security feature bypass vulnerability exists when
    Microsoft Browsers improperly handle redirect requests.
    This vulnerability allows Microsoft Browsers to bypass
    CORS redirect restrictions and to follow redirect
    requests that should otherwise be ignored. An attacker
    who successfully exploited this vulnerability could
    force the browser to send data that would otherwise be
    restricted to a destination web site of their choice.
    (CVE-2017-8592)

  - An Information Disclosure vulnerability exists when the
    HTTP.sys server application component improperly handles
    objects in memory. An attacker who successfully
    exploited this vulnerability could obtain information to
    further compromise the HTTP.sys server application
    system. A remote unauthenticated attacker could exploit
    this vulnerability by issuing a request to the HTTP.sys
    server application. The update addresses the
    vulnerability by correcting how the HTTP.sys server
    application handles objects in memory. (CVE-2017-8582)

  - A spoofing vulnerability exists when an affected
    Microsoft browser does not properly parse HTTP content.
    An attacker who successfully exploited this
    vulnerability could trick a user by redirecting the user
    to a specially crafted website. The specially crafted
    website could either spoof content or serve as a pivot
    to chain an attack with other vulnerabilities in web
    services.  (CVE-2017-8602)

  - A denial of service vulnerability exists when Microsoft
    Common Object Runtime Library improperly handles web
    requests. An attacker who successfully exploited this
    vulnerability could cause a denial of service against a
    .NET web application. A remote unauthenticated attacker
    could exploit this vulnerability by issuing specially
    crafted requests to the .NET application. The update
    addresses the vulnerability by correcting how the .NET
    web application handles web requests. (CVE-2017-8585)

  - An elevation of privilege vulnerability exists when
    Windows improperly handles objects in memory. An
    attacker who successfully exploited this vulnerability
    could run processes in an elevated context.
    (CVE-2017-8581)

  - An elevation of privilege vulnerability exists in
    Microsoft Windows when a man-in-the-middle attacker is
    able to successfully forward an authentication request
    to a Windows LDAP server, such as a system running
    Active Directory Domain Services (AD DS) or Active
    Directory Lightweight Directory Services (AD LDS), which
    has been configured to require signing or sealing on
    incoming connections. The update addresses this
    vulnerability by incorporating support for Extended
    Protection for Authentication security feature, which
    allows the LDAP server to detect and block such
    forwarded authentication requests once enabled.
    (CVE-2017-8563)

  - A spoofing vulnerability exists when Microsoft Edge
    improperly handles specific HTML content. An attacker
    who successfully exploited this vulnerability could
    trick a user into believing that the user was on a
    legitimate website. The specially crafted website could
    either spoof content or serve as a pivot to chain an
    attack with other vulnerabilities in web services.
    (CVE-2017-8611)

  - A security feature bypass vulnerability exists when
    Microsoft Edge fails to correctly apply Same Origin
    Policy for HTML elements present in other browser
    windows. An attacker could use this vulnerability to
    trick a user into loading a page with malicious content.
    (CVE-2017-8599)

  - A remote code execution vulnerability exists in the way
    that Microsoft WordPad parses specially crafted files.
    Exploitation of this vulnerability requires that a user
    open a specially crafted file with an affected version
    of Microsoft WordPad.  (CVE-2017-8588)

  - A remote code execution vulnerability exists when
    Windows Explorer improperly handles executable files and
    shares during rename operations. An attacker who
    successfully exploited this vulnerability could run
    arbitrary code in the context of another user. Users not
    running as administrators would be less affected.
    (CVE-2017-8463)

  - A remote code execution vulnerability exists in the way
    that Microsoft browser JavaScript engines render content
    when handling objects in memory. The vulnerability could
    corrupt memory in such a way that an attacker could
    execute arbitrary code in the context of the current
    user. In a web-based attack scenario, an attacker could
    host a specially crafted website that is designed to
    exploit the vulnerability through Microsoft browsers and
    then convince a user to view the website. An attacker
    could also embed an ActiveX control marked "safe
    for initialization" in an application or Microsoft
    Office document that hosts the related rendering engine.
    The attacker could also take advantage of compromised
    websites, and websites that accept or host user-provided
    content or advertisements. These websites could contain
    specially crafted content that could exploit the
    vulnerability. An attacker who successfully exploited
    the vulnerability could gain the same user rights as the
    current user.  (CVE-2017-8601)

  - An information disclosure vulnerability exists in the
    Windows System Information Console when it improperly
    parses XML input containing a reference to an external
    entity. An attacker who successfully exploited this
    vulnerability could read arbitrary files via an XML
    external entity (XXE) declaration.  (CVE-2017-8557)");
  # https://support.microsoft.com/en-us/help/4025338/windows-10-update-kb4025338
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?aa6f9fa1");
  script_set_attribute(attribute:"solution", value:
"Apply security update KB4025338.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/07/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/07/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/11/03");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.");

  script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = "MS17-07";
kbs = make_list('4025338');

if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
os_name = get_kb_item_or_exit("SMB/ProductName");

if (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
if("LTSB" >!< os_name) audit(AUDIT_OS_NOT, "Windows 10 version 1507 LTSB");

share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if (
  smb_check_rollup(os:"10",
                   sp:0,
                   os_build:"10240",
                   rollup_date:"07_2017",
                   bulletin:bulletin,
                   rollup_kb_list:[4025338])
)
{
  replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
}

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(101369);
  script_version("1.10");
  script_cvs_date("Date: 2018/09/13 14:38:31");

  script_cve_id(
    "CVE-2017-0170",
    "CVE-2017-8463",
    "CVE-2017-8467",
    "CVE-2017-8486",
    "CVE-2017-8495",
    "CVE-2017-8556",
    "CVE-2017-8557",
    "CVE-2017-8561",
    "CVE-2017-8562",
    "CVE-2017-8563",
    "CVE-2017-8564",
    "CVE-2017-8565",
    "CVE-2017-8573",
    "CVE-2017-8577",
    "CVE-2017-8578",
    "CVE-2017-8580",
    "CVE-2017-8581",
    "CVE-2017-8582",
    "CVE-2017-8585",
    "CVE-2017-8587",
    "CVE-2017-8588",
    "CVE-2017-8589",
    "CVE-2017-8590",
    "CVE-2017-8592",
    "CVE-2017-8595",
    "CVE-2017-8598",
    "CVE-2017-8599",
    "CVE-2017-8601",
    "CVE-2017-8602",
    "CVE-2017-8603",
    "CVE-2017-8604",
    "CVE-2017-8605",
    "CVE-2017-8606",
    "CVE-2017-8607",
    "CVE-2017-8608",
    "CVE-2017-8609",
    "CVE-2017-8611",
    "CVE-2017-8618",
    "CVE-2017-8619"
  );
  script_bugtraq_id(
    99439,
    99432,
    99431,
    99429,
    99428,
    99427,
    99426,
    99425,
    99424,
    99423,
    99421,
    99420,
    99419,
    99418,
    99417,
    99416,
    99414,
    99413,
    99412,
    99410,
    99409,
    99408,
    99407,
    99406,
    99403,
    99402,
    99400,
    99399,
    99398,
    99397,
    99396,
    99394,
    99393,
    99392,
    99391,
    99390,
    99389,
    99388,
    99387
  );
  script_xref(name:"MSKB", value:"4025344");
  script_xref(name:"MSFT", value:"MS17-4025344");

  script_name(english:"KB4025344: Windows 10 Version 1511 July 2017 Cumulative Update");
  script_summary(english:"Checks for rollup.");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote Windows 10 version 1511 host is missing security update
KB4025344. It is, therefore, affected by multiple vulnerabilities :

  - An information disclosure vulnerability exists in the
    Windows Performance Monitor Console due to improper
    parsing of XML input that contains a reference to an
    external entity. An unauthenticated, remote attacker
    can exploit this, by convincing a user to create a
    Data Collector Set and import a specially crafted XML
    file, to disclose arbitrary files via an XML external
    entity (XXE) declaration. (CVE-2017-0170)

  - A remote code execution vulnerability exists in Windows
    Explorer due to improper handling of executable files
    and shares during rename operations. An unauthenticated,
    remote attacker can exploit this, by convincing a user
    to open a specially crafted file, to execute arbitrary
    code in the context of the current user. (CVE-2017-8463)

  - Multiple elevation of privilege vulnerabilities exist in
    the Microsoft Graphics component due to improper
    handling of objects in memory. A local attacker can
    exploit these, via a specially crafted application, to
    run arbitrary code in kernel mode. (CVE-2017-8467,
    CVE-2017-8556, CVE-2017-8573, CVE-2017-8577,
    CVE-2017-8578, CVE-2017-8580)

  - An information disclosure vulnerability exists in Win32k
    due to improper handling of objects in memory. A local
    attacker can exploit this, via a specially crafted
    application, to disclose sensitive information.
    (CVE-2017-8486)

  - A security bypass vulnerability exists in Microsoft
    Windows when handling Kerberos ticket exchanges due to a
    failure to prevent tampering with the SNAME field. A
    man-in-the-middle attacker can exploit this to bypass
    the Extended Protection for Authentication security
    feature. (CVE-2017-8495)

  - An information disclosure vulnerability exists in the
    Windows System Information Console due to improper
    parsing of XML input that contains a reference to an
    external entity. An unauthenticated, remote attacker
    can exploit this, by convincing a user to open a
    specially crafted file, to disclose arbitrary files via
    an XML external entity (XXE) declaration.
    (CVE-2017-8557)

  - An elevation of privilege vulnerability exists in the
    Windows kernel due to improper handling of objects in
    memory. A local attacker can exploit this, via a
    specially crafted application, to execute arbitrary code
    with elevated permissions. (CVE-2017-8561)

  - An elevation of privilege vulnerability exists in
    Windows due to improper handling of calls to Advanced
    Local Procedure Call (ALPC). An authenticated, remote
    attacker can exploit this via a specially crafted
    application, to run processes in an elevated context.
    (CVE-2017-8562)

  - An elevation of privilege vulnerability exists in
    Windows due to Kerberos falling back to NT LAN Manager
    (NTLM) Authentication Protocol as the default
    authentication protocol. An authenticated, remote
    attacker can exploit this, via an application that
    sends specially crafted traffic to a domain controller,
    to run processes in an elevated context. (CVE-2017-8563)

  - An information disclosure vulnerability exists in the
    Windows kernel due to improper initialization of objects
    in memory. An authenticated, remote attacker can exploit
    this, via a specially crafted application, to bypass
    Kernel Address Space Layout Randomization (KASLR) and
    disclose the base address of the kernel driver.
    (CVE-2017-8564)

  - A remote code execution vulnerability exists in
    PowerShell when handling a PSObject that wraps a CIM
    instance. An authenticated, remote attacker can exploit
    this, via a specially crafted script, to execute
    arbitrary code in a PowerShell remote session.
    (CVE-2017-8565)

  - An elevation of privilege vulnerability exists in
    Windows due to improper handling of objects in memory. A
    local attacker can exploit this, via a specially crafted
    application, to run arbitrary code in kernel mode.
    (CVE-2017-8581)

  - An information disclosure vulnerability exists in the
    HTTP.sys server application component due to improper
    handling of objects in memory. An unauthenticated,
    remote attacker can exploit this, via a specially
    crafted request, to disclose sensitive information.
    (CVE-2017-8582)

  - A denial of service vulnerability exists in the
    Microsoft Common Runtime Library component due to
    improper handling of web requests. An unauthenticated,
    remote attacker can exploit this, via a specially
    crafted request, to cause a denial of service condition
    in a .NET application. (CVE-2017-8585)

  - A denial of service vulnerability exists in Windows
    Explorer that is triggered when Explorer attempts to
    open a non-existent file. An unauthenticated, remote
    attacker can exploit this, by convincing a user to visit
    a specially crafted website, to cause a user's system to
    stop responding. (CVE-2017-8587)

  - A remote code execution vulnerability exists in WordPad
    due to improper parsing of specially crafted files. An
    unauthenticated, remote attacker can exploit this, by
    convincing a user to open a specially crafted file, to
    execute arbitrary code in the context of the current
    user. (CVE-2017-8588)

  - A remote code execution vulnerability exists in the
    Windows Search component due to improper handling of
    objects in memory. An unauthenticated, remote attacker
    can exploit this, by sending specially crafted messages
    to the Windows Search service, to elevate privileges and
    execute arbitrary code. (CVE-2017-8589)

  - An elevation of privilege vulnerability exists in the
    Windows Common Log File System (CLFS) driver due to
    improper handling of objects in memory. A local attacker
    can exploit this, via a specially crafted application,
    to run processes in an elevated context. (CVE-2017-8590)

  - A security bypass vulnerability exists in Microsoft
    browsers due to improper handling of redirect requests.
    An unauthenticated, remote attacker can exploit this, by
    convincing a user to visit a specially crafted website,
    to bypass CORS redirect restrictions. (CVE-2017-8592)

  - Multiple remote code execution vulnerability exist in
    Microsoft Edge in the scripting engine due to improper
    handling of objects in memory. An unauthenticated,
    remote attacker can exploit these, by convincing a user
    to visit a specially crafted website, to execute
    arbitrary code in the context of the current user.
    (CVE-2017-8595, CVE-2017-8598, CVE-2017-8603,
    CVE-2017-8604, CVE-2017-8605, CVE-2017-8619)

  - A security bypass vulnerability exists in Microsoft Edge
    due to a failure to correctly apply the same-origin
    policy for HTML elements present in other browser
    windows. An unauthenticated, remote attacker can exploit
    this, by convincing a user to follow a link, to cause
    the user to load a malicious website. (CVE-2017-8599)

  - A remote code execution vulnerability exists in
    Microsoft Edge in the Chakra JavaScript engine due to
    improper handling of objects in memory. An
    unauthenticated, remote attacker can exploit this, by
    convincing a user to visit a specially crafted website,
    to execute arbitrary code in the context of the current
    user. (CVE-2017-8601)

  - A spoofing vulnerability exists in Microsoft browsers
    due to improper parsing of HTTP content. An
    unauthenticated, remote attacker can exploit this, by
    convincing a user to click a specially crafted URL, to
    redirect the user to a malicious website.
    (CVE-2017-8602)

  - Multiple remote code execution vulnerabilities exist in
    Microsoft browsers in the JavaScript engines due to
    improper handling of objects in memory. An
    unauthenticated, remote attacker can exploit these, by
    convincing a user to visit a specially crafted website,
    to execute arbitrary code in the context of the current
    user. (CVE-2017-8606, CVE-2017-8607, CVE-2017-8608)

  - A remote code execution vulnerability exists in
    Microsoft browsers in the scripting engine due to
    improper handling of objects in memory. An
    unauthenticated, remote attacker can exploit this, by
    convincing a user to visit a specially crafted website,
    to execute arbitrary code in the context of the current
    user. (CVE-2017-8609)

  - A spoofing vulnerability exists in Microsoft Edge due to
    improper parsing of HTTP content. An unauthenticated,
    remote attacker can exploit this, by convincing a user
    to click a specially crafted URL, to redirect the user
    to a malicious website. (CVE-2017-8611)

  - A remote code execution vulnerability exists in Internet
    Explorer in the VBScript engine due to improper handling
    of objects in memory. An unauthenticated, remote
    attacker can exploit this, by convincing a user to visit
    a specially crafted website, to execute arbitrary code
    in the context of the current user. (CVE-2017-8618)");
  # https://support.microsoft.com/en-us/help/4025344/windows-10-update-kb4025344
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e69fa96a");
  script_set_attribute(attribute:"solution", value:
"Apply security update KB4025344.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/07/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/07/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl", "smb_check_rollup.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, 'Host/patch_management_checks');

  exit(0);
}

include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("smb_reg_query.inc");
include("misc_func.inc");

get_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');

bulletin = 'MS17-07';
kb = make_list(
  '4025344' # 10 1151
);

if (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kb, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);

if (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

productname = get_kb_item_or_exit("SMB/ProductName", exit_code:1);
if ("2016" >< productname) audit(AUDIT_OS_SP_NOT_VULN);

share = hotfix_get_systemdrive(exit_on_fail:TRUE, as_share:TRUE);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if (
  # 10 (1511)
  smb_check_rollup(os:"10",
                   sp:0,
                   os_build:"10586",
                   rollup_date: "07_2017",
                   bulletin:bulletin,
                   rollup_kb_list:make_list(4025344))
)
{
  replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
}

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(101368);
  script_version("1.10");
  script_cvs_date("Date: 2018/09/13 14:38:31");

  script_cve_id(
    "CVE-2017-0170",
    "CVE-2017-8463",
    "CVE-2017-8467",
    "CVE-2017-8486",
    "CVE-2017-8495",
    "CVE-2017-8556",
    "CVE-2017-8557",
    "CVE-2017-8561",
    "CVE-2017-8562",
    "CVE-2017-8563",
    "CVE-2017-8564",
    "CVE-2017-8565",
    "CVE-2017-8566",
    "CVE-2017-8573",
    "CVE-2017-8574",
    "CVE-2017-8577",
    "CVE-2017-8578",
    "CVE-2017-8580",
    "CVE-2017-8581",
    "CVE-2017-8582",
    "CVE-2017-8585",
    "CVE-2017-8588",
    "CVE-2017-8589",
    "CVE-2017-8590",
    "CVE-2017-8592",
    "CVE-2017-8596",
    "CVE-2017-8598",
    "CVE-2017-8599",
    "CVE-2017-8601",
    "CVE-2017-8602",
    "CVE-2017-8603",
    "CVE-2017-8604",
    "CVE-2017-8605",
    "CVE-2017-8606",
    "CVE-2017-8607",
    "CVE-2017-8608",
    "CVE-2017-8609",
    "CVE-2017-8610",
    "CVE-2017-8611",
    "CVE-2017-8617",
    "CVE-2017-8618",
    "CVE-2017-8619"
  );
  script_bugtraq_id(
    99387,
    99388,
    99389,
    99390,
    99391,
    99392,
    99393,
    99394,
    99396,
    99397,
    99398,
    99399,
    99400,
    99402,
    99404,
    99405,
    99406,
    99407,
    99408,
    99409,
    99410,
    99412,
    99414,
    99415,
    99416,
    99417,
    99418,
    99419,
    99420,
    99421,
    99422,
    99423,
    99424,
    99425,
    99426,
    99427,
    99428,
    99429,
    99431,
    99432,
    99438,
    99439
  );
  script_xref(name:"MSKB", value:"4025342");
  script_xref(name:"MSFT", value:"MS17-4025342");

  script_name(english:"KB4025342: Windows 10 Version 1703 July 2017 Cumulative Update");
  script_summary(english:"Checks for rollup.");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote Windows 10 version 1703 host is missing security update
KB4025342. It is, therefore, affected by multiple vulnerabilities :

  - An information disclosure vulnerability exists in the
    Windows Performance Monitor Console due to improper
    parsing of XML input that contains a reference to an
    external entity. An unauthenticated, remote attacker
    can exploit this, by convincing a user to create a
    Data Collector Set and import a specially crafted XML
    file, to disclose arbitrary files via an XML external
    entity (XXE) declaration. (CVE-2017-0170)

  - A remote code execution vulnerability exists in Windows
    Explorer due to improper handling of executable files
    and shares during rename operations. An unauthenticated,
    remote attacker can exploit this, by convincing a user
    to open a specially crafted file, to execute arbitrary
    code in the context of the current user. (CVE-2017-8463)

  - Multiple elevation of privilege vulnerabilities exist in
    the Microsoft Graphics component due to improper
    handling of objects in memory. A local attacker can
    exploit these, via a specially crafted application, to
    run arbitrary code in kernel mode. (CVE-2017-8467,
    CVE-2017-8556, CVE-2017-8573, CVE-2017-8574,
    CVE-2017-8577, CVE-2017-8578, CVE-2017-8580)

  - An information disclosure vulnerability exists in Win32k
    due to improper handling of objects in memory. A local
    attacker can exploit this, via a specially crafted
    application, to disclose sensitive information.
    (CVE-2017-8486)

  - A security bypass vulnerability exists in Microsoft
    Windows when handling Kerberos ticket exchanges due to a
    failure to prevent tampering with the SNAME field. A
    man-in-the-middle attacker can exploit this to bypass
    the Extended Protection for Authentication security
    feature. (CVE-2017-8495)

  - An information disclosure vulnerability exists in the
    Windows System Information Console due to improper
    parsing of XML input that contains a reference to an
    external entity. An unauthenticated, remote attacker
    can exploit this, by convincing a user to open a
    specially crafted file, to disclose arbitrary files via
    an XML external entity (XXE) declaration.
    (CVE-2017-8557)

  - An elevation of privilege vulnerability exists in the
    Windows kernel due to improper handling of objects in
    memory. A local attacker can exploit this, via a
    specially crafted application, to execute arbitrary code
    with elevated permissions. (CVE-2017-8561)

  - An elevation of privilege vulnerability exists in
    Windows due to improper handling of calls to Advanced
    Local Procedure Call (ALPC). An authenticated, remote
    attacker can exploit this via a specially crafted
    application, to run processes in an elevated context.
    (CVE-2017-8562)

  - An elevation of privilege vulnerability exists in
    Windows due to Kerberos falling back to NT LAN Manager
    (NTLM) Authentication Protocol as the default
    authentication protocol. An authenticated, remote
    attacker can exploit this, via an application that
    sends specially crafted traffic to a domain controller,
    to run processes in an elevated context. (CVE-2017-8563)

  - An information disclosure vulnerability exists in the
    Windows kernel due to improper initialization of objects
    in memory. An authenticated, remote attacker can exploit
    this, via a specially crafted application, to bypass
    Kernel Address Space Layout Randomization (KASLR) and
    disclose the base address of the kernel driver.
    (CVE-2017-8564)

  - A remote code execution vulnerability exists in
    PowerShell when handling a PSObject that wraps a CIM
    instance. An authenticated, remote attacker can exploit
    this, via a specially crafted script, to execute
    arbitrary code in a PowerShell remote session.
    (CVE-2017-8565)

  - An elevation of privilege vulnerability exists in
    Windows Input Method Editor (IME) due to improper
    handling of parameters in a method of a DCOM class. A
    local attacker can exploit this, via a specially crafted
    application, to run processes in an elevated context.
    (CVE-2017-8566)

  - An elevation of privilege vulnerability exists in
    Windows due to improper handling of objects in memory. A
    local attacker can exploit this, via a specially crafted
    application, to run arbitrary code in kernel mode.
    (CVE-2017-8581)

  - An information disclosure vulnerability exists in the
    HTTP.sys server application component due to improper
    handling of objects in memory. An unauthenticated,
    remote attacker can exploit this, via a specially
    crafted request, to disclose sensitive information.
    (CVE-2017-8582)

  - A denial of service vulnerability exists in the
    Microsoft Common Runtime Library component due to
    improper handling of web requests. An unauthenticated,
    remote attacker can exploit this, via a specially
    crafted request, to cause a denial of service condition
    in a .NET application. (CVE-2017-8585)

  - A remote code execution vulnerability exists in WordPad
    due to improper parsing of specially crafted files. An
    unauthenticated, remote attacker can exploit this, by
    convincing a user to open a specially crafted file, to
    execute arbitrary code in the context of the current
    user. (CVE-2017-8588)

  - A remote code execution vulnerability exists in the
    Windows Search component due to improper handling of
    objects in memory. An unauthenticated, remote attacker
    can exploit this, by sending specially crafted messages
    to the Windows Search service, to elevate privileges and
    execute arbitrary code. (CVE-2017-8589)

  - An elevation of privilege vulnerability exists in the
    Windows Common Log File System (CLFS) driver due to
    improper handling of objects in memory. A local attacker
    can exploit this, via a specially crafted application,
    to run processes in an elevated context. (CVE-2017-8590)

  - A security bypass vulnerability exists in Microsoft
    browsers due to improper handling of redirect requests.
    An unauthenticated, remote attacker can exploit this, by
    convincing a user to visit a specially crafted website,
    to bypass CORS redirect restrictions. (CVE-2017-8592)

  - A remote code execution vulnerability exists in
    Microsoft Edge due to improper handling of objects in
    memory. An unauthenticated, remote attacker can exploit
    this, by convincing a user to visit a specially crafted
    website, to execute arbitrary code in the context of the
    current user. (CVE-2017-8596)

  - Multiple remote code execution vulnerability exist in
    Microsoft Edge in the scripting engine due to improper
    handling of objects in memory. An unauthenticated,
    remote attacker can exploit these, by convincing a user
    to visit a specially crafted website, to execute
    arbitrary code in the context of the current user.
    (CVE-2017-8598, CVE-2017-8603, CVE-2017-8604,
    CVE-2017-8605, CVE-2017-8610, CVE-2017-8619)

  - A security bypass vulnerability exists in Microsoft Edge
    due to a failure to correctly apply the same-origin
    policy for HTML elements present in other browser
    windows. An unauthenticated, remote attacker can exploit
    this, by convincing a user to follow a link, to cause
    the user to load a malicious website. (CVE-2017-8599)

  - A remote code execution vulnerability exists in
    Microsoft Edge in the Chakra JavaScript engine due to
    improper handling of objects in memory. An
    unauthenticated, remote attacker can exploit this, by
    convincing a user to visit a specially crafted website,
    to execute arbitrary code in the context of the current
    user. (CVE-2017-8601)

  - A spoofing vulnerability exists in Microsoft browsers
    due to improper parsing of HTTP content. An
    unauthenticated, remote attacker can exploit this, by
    convincing a user to click a specially crafted URL, to
    redirect the user to a malicious website.
    (CVE-2017-8602)

  - Multiple remote code execution vulnerabilities exist in
    Microsoft browsers in the JavaScript engines due to
    improper handling of objects in memory. An
    unauthenticated, remote attacker can exploit these, by
    convincing a user to visit a specially crafted website,
    to execute arbitrary code in the context of the current
    user. (CVE-2017-8606, CVE-2017-8607, CVE-2017-8608)

  - A remote code execution vulnerability exists in
    Microsoft browsers in the scripting engine due to
    improper handling of objects in memory. An
    unauthenticated, remote attacker can exploit this, by
    convincing a user to visit a specially crafted website,
    to execute arbitrary code in the context of the current
    user. (CVE-2017-8609)

  - A spoofing vulnerability exists in Microsoft Edge due to
    improper parsing of HTTP content. An unauthenticated,
    remote attacker can exploit this, by convincing a user
    to click a specially crafted URL, to redirect the user
    to a malicious website. (CVE-2017-8611)

  - A remote code execution vulnerability exists in
    Microsoft Edge due to improper handling of objects in
    memory. An unauthenticated, remote attacker can exploit
    this, by convincing a user to visit a specially crafted
    website, to execute arbitrary code in the context of the
    current user. (CVE-2017-8617)

  - A remote code execution vulnerability exists in Internet
    Explorer in the VBScript engine due to improper handling
    of objects in memory. An unauthenticated, remote
    attacker can exploit this, by convincing a user to visit
    a specially crafted website, to execute arbitrary code
    in the context of the current user. (CVE-2017-8618)");
  # https://support.microsoft.com/en-us/help/4025342/windows-10-update-kb4025342
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8811feb6");
  script_set_attribute(attribute:"solution", value:
"Apply security update KB4025342.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date",value:"2017/07/11");
  script_set_attribute(attribute:"patch_publication_date",value:"2017/07/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/11");

  script_set_attribute(attribute:"plugin_type",value:"local");
  script_set_attribute(attribute:"cpe",value:"cpe:/o:microsoft:windows");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl", "smb_check_rollup.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, 'Host/patch_management_checks');

  exit(0);
}

include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("smb_reg_query.inc");
include("misc_func.inc");

get_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');

bulletin = 'ms17-07';
kbs = make_list(
  '4025342' # 10 1703 
);

if (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);

if (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

productname = get_kb_item_or_exit("SMB/ProductName", exit_code:1);
if ("2016" >< productname) audit(AUDIT_OS_SP_NOT_VULN);

if (
  # 10 (1703)
  smb_check_rollup(os:"10",
                   sp:0,
                   os_build:"15063",
                   rollup_date: "07_2017",
                   bulletin:bulletin,
                   rollup_kb_list:make_list(4025342))
)
{
  replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
}