Vulnerabilities > CVE-2017-8651 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Microsoft Internet Explorer 10/9

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from the Microsoft Security Updates API. The text
# itself is copyright (C) Microsoft Corporation.
#
include("compat.inc");

if (description)
{
  script_id(104890);
  script_version("1.6");
  script_cvs_date("Date: 2018/08/03 11:35:09");

  script_cve_id(
    "CVE-2017-0228",
    "CVE-2017-8635",
    "CVE-2017-8636",
    "CVE-2017-8641",
    "CVE-2017-8651",
    "CVE-2017-8653",
    "CVE-2017-8669"
  );
  script_bugtraq_id(
    98164,
    100055,
    100056,
    100057,
    100058,
    100059,
    100068
  );
  script_xref(name:"MSKB", value:"4034733");
  script_xref(name:"MSKB", value:"4034681");
  script_xref(name:"MSKB", value:"4034664");
  script_xref(name:"MSKB", value:"4034665");
  script_xref(name:"MSFT", value:"MS17-4034733");
  script_xref(name:"MSFT", value:"MS17-4034681");
  script_xref(name:"MSFT", value:"MS17-4034664");
  script_xref(name:"MSFT", value:"MS17-4034665");

  script_name(english:"Security Updates for Internet Explorer (August 2017)");
  script_summary(english:"Checks for Microsoft security updates.");

  script_set_attribute(attribute:"synopsis", value:
"The Internet Explorer installation on the remote host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The Internet Explorer installation on the remote host is
missing security updates. It is, therefore, affected by
multiple vulnerabilities :

  - A remote code execution vulnerability exists in the way
    JavaScript engines render when handling objects in
    memory in Microsoft browsers. The vulnerability could
    corrupt memory in such a way that an attacker could
    execute arbitrary code in the context of the current
    user. An attacker who successfully exploited the
    vulnerability could gain the same user rights as the
    current user.  (CVE-2017-0228)

  - A remote code execution vulnerability exists when
    Internet Explorer improperly accesses objects in memory.
    The vulnerability could corrupt memory in such a way
    that an attacker could execute arbitrary code in the
    context of the current user. An attacker who
    successfully exploited the vulnerability could gain the
    same user rights as the current user.  (CVE-2017-8651)

  - A remote code execution vulnerability exists in the way
    JavaScript engines render when handling objects in
    memory in Microsoft browsers. The vulnerability could
    corrupt memory in such a way that an attacker could
    execute arbitrary code in the context of the current
    user. An attacker who successfully exploited the
    vulnerability could gain the same user rights as the
    current user.  (CVE-2017-8635, CVE-2017-8641)

  - A remote code execution vulnerability exists in the way
    Microsoft browsers handle objects in memory while
    rendering content. The vulnerability could corrupt
    memory in such a way that an attacker could execute
    arbitrary code in the context of the current user. An
    attacker who successfully exploited the vulnerability
    could gain the same user rights as the current user.
    (CVE-2017-8669)

  - A remote code execution vulnerability exists when
    Microsoft browsers improperly access objects in memory.
    The vulnerability could corrupt memory in such a way
    that enables an attacker to execute arbitrary code in
    the context of the current user. An attacker who
    successfully exploited the vulnerability could gain the
    same user rights as the current user.  (CVE-2017-8653)

  - A remote code execution vulnerability exists in the way
    that Microsoft browser JavaScript engines render content
    when handling objects in memory. The vulnerability could
    corrupt memory in such a way that an attacker could
    execute arbitrary code in the context of the current
    user. In a web-based attack scenario, an attacker could
    host a specially crafted website that is designed to
    exploit the vulnerability through Microsoft browsers and
    then convince a user to view the website. An attacker
    could also embed an ActiveX control marked "safe
    for initialization" in an application or Microsoft
    Office document that hosts the related rendering engine.
    The attacker could also take advantage of compromised
    websites, and websites that accept or host user-provided
    content or advertisements. These websites could contain
    specially crafted content that could exploit the
    vulnerability. An attacker who successfully exploited
    the vulnerability could gain the same user rights as the
    current user.  (CVE-2017-8636)");
  # https://support.microsoft.com/en-us/help/4034733/cumulative-security-update-for-internet-explorer
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8d0edc6a");
  # https://support.microsoft.com/en-us/help/4034681/windows-8-1-windows-server-2012-r2-update-kb4034681
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1d4d1833");
  # https://support.microsoft.com/en-us/help/4034664/windows-7-sp1-windows-server-2008-r2-sp1-update-kb4034664
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?bf044da8");
  # https://support.microsoft.com/en-us/help/4034665/windows-server-2012-update-kb4034665
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5a9af664");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released security updates for the affected versions of Internet Explorer.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");


  script_set_attribute(attribute:"vuln_publication_date", value:"2017/08/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/08/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/11/30");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:ie"); 
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");
  script_copyright(english:"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.");
  script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS17-08';
kbs = make_list(
  '4034733',
  '4034681',
  '4034664',
  '4034665'
);

if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
os = get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(vista:'2', win7:'1', win8:'0',  win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

productname = get_kb_item_or_exit("SMB/ProductName", exit_code:1);
if ("Windows 8" >< productname && "8.1" >!< productname)
 audit(AUDIT_OS_SP_NOT_VULN);
if ("Vista" >< productname) audit(AUDIT_OS_SP_NOT_VULN);

if (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);

share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if (
  # Windows 8.1 / Windows Server 2012 R2
  # Internet Explorer 11
  hotfix_is_vulnerable(os:"6.3", sp:0, file:"mshtml.dll", version:"11.0.9600.18763", min_version:"11.0.9600.16000", dir:"\system32", bulletin:bulletin, kb:"4034733") ||

  # Windows Server 2012
  # Internet Explorer 10
  hotfix_is_vulnerable(os:"6.2", sp:0, file:"mshtml.dll", version:"10.0.9200.22227", min_version:"10.0.9200.16000", dir:"\system32", bulletin:bulletin, kb:"4034733") ||

  # Windows 7 / Server 2008 R2
  # Internet Explorer 11
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"mshtml.dll", version:"11.0.9600.18763", min_version:"11.0.9600.16000", dir:"\system32", bulletin:bulletin, kb:"4034733") ||

  # Vista / Windows Server 2008
  # Internet Explorer 9
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"mshtml.dll", version:"9.0.8112.21040", min_version:"9.0.8112.20000", dir:"\system32", bulletin:bulletin, kb:"4034733") ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"mshtml.dll", version:"9.0.8112.16929", min_version:"9.0.8112.16000", dir:"\system32", bulletin:bulletin, kb:"4034733")
)
{
  report =  '\nNote: The fix for this issue is available in either of the following updates:\n';
  report += '  - KB4034733 : Cumulative Security Update for Internet Explorer\n';
  if(os == "6.3")
  {
    report += '  - KB4034681 : Windows 8.1 / Server 2012 R2 Monthly Rollup\n';
    hotfix_add_report(bulletin:'MS17-08', kb:'4034681', report);
  }
  else if(os == "6.2")
  {
    report += '  - KB4034665 : Windows Server 2012 Monthly Rollup\n';
    hotfix_add_report(bulletin:'MS17-08', kb:'4034665', report);
  }
  else if(os == "6.1")
  {
    report += '  - KB4034664 : Windows 7 / Server 2008 R2 Monthly Rollup\n';
    hotfix_add_report(bulletin:'MS17-08', kb:'4034664', report);
  }
  set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
}

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from the Microsoft Security Updates API. The text
# itself is copyright (C) Microsoft Corporation.
#

include("compat.inc");

if (description)
{
  script_id(102273);
  script_version("1.16");
  script_cvs_date("Date: 2019/11/12");

  script_cve_id(
    "CVE-2017-0174",
    "CVE-2017-0250",
    "CVE-2017-0299",
    "CVE-2017-8593",
    "CVE-2017-8620",
    "CVE-2017-8624",
    "CVE-2017-8633",
    "CVE-2017-8636",
    "CVE-2017-8641",
    "CVE-2017-8651",
    "CVE-2017-8653",
    "CVE-2017-8666",
    "CVE-2017-8668",
    "CVE-2017-8691"
  );
  script_bugtraq_id(
    98100,
    100032,
    100034,
    100038,
    100061,
    100089
  );
  script_xref(name:"MSKB", value:"4022750");
  script_xref(name:"MSFT", value:"MS17-4022750");
  script_xref(name:"MSKB", value:"4034733");
  script_xref(name:"MSFT", value:"MS17-4034733");
  script_xref(name:"MSKB", value:"4034034");
  script_xref(name:"MSFT", value:"MS17-4034034");
  script_xref(name:"MSKB", value:"4034741");
  script_xref(name:"MSFT", value:"MS17-4034741");
  script_xref(name:"MSKB", value:"4034744");
  script_xref(name:"MSFT", value:"MS17-4034744");
  script_xref(name:"MSKB", value:"4034745");
  script_xref(name:"MSFT", value:"MS17-4034745");
  script_xref(name:"MSKB", value:"4034775");
  script_xref(name:"MSFT", value:"MS17-4034775");
  script_xref(name:"MSKB", value:"4035055");
  script_xref(name:"MSFT", value:"MS17-4035055");
  script_xref(name:"MSKB", value:"4035056");
  script_xref(name:"MSFT", value:"MS17-4035056");
  script_xref(name:"MSKB", value:"4035679");
  script_xref(name:"MSFT", value:"MS17-4035679");

  script_name(english:"Windows 2008 August 2017 Multiple Security Updates");
  script_summary(english:"Checks the existence of Windows Server 2008 August 2017 Patches.");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote Windows host is missing multiple security updates released
on 2017/08/08. It is, therefore, affected by multiple
vulnerabilities :

- A denial of service vulnerability exists when Microsoft Windows
    improperly handles NetBIOS packets. An attacker who successfully
    exploited this vulnerability could cause a target computer to
    become completely unresponsive. A remote unauthenticated attacker
    could exploit this vulnerability by sending a series of TCP
    packets to a target system, resulting in a permanent denial of
    service condition. The update addresses the vulnerability by
    correcting how the Windows network stack handles NetBIOS traffic.
    (CVE-2017-0174)

  - A buffer overflow vulnerability exists in the Microsoft JET
    Database Engine that could allow remote code execution on an
    affected system. An attacker who successfully exploited this
    vulnerability could take complete control of an affected system.
    An attacker could then install programs; view, change, or delete
    data; or create new accounts with full user rights. Users whose
    accounts are configured to have fewer user rights on the system
    could be less impacted than users who operate with administrative
    user rights. Exploitation of this vulnerability requires that a
    user open or preview a specially crafted database file while using
    an affected version of Microsoft Windows. In an email attack
    scenario, an attacker could exploit the vulnerability by sending a
    specially crafted database file to the user and then convincing
    the user to open the file. The update addresses the vulnerability
    by modifying how the Microsoft JET Database Engine handles objects
    in memory. (CVE-2017-0250)

  - An information disclosure vulnerability exists when the Windows 
    kernel fails to properly initialize a memory address, allowing an 
    attacker to retrieve information that could lead to a Kernel Address 
    Space Layout Randomization (KASLR) bypass. (CVE-2017-0299)

  - An elevation of privilege vulnerability exists in Windows when the
    Win32k component fails to properly handle objects in memory. An
    attacker who successfully exploited this vulnerability could run
    arbitrary code in kernel mode. An attacker could then install
    programs; view, change, or delete data; or create new accounts
    with full user rights. To exploit this vulnerability, an attacker
    would first have to log on to the system. An attacker could then
    run a specially crafted application that could exploit the
    vulnerability and take control of an affected system. The update
    addresses this vulnerability by correcting how Win32k handles
    objects in memory. (CVE-2017-8593)

  - A remote code execution vulnerability exists when Windows Search
    handles objects in memory. An attacker who successfully exploited
    this vulnerability could take control of the affected system. An
    attacker could then install programs; view, change, or delete
    data; or create new accounts with full user rights. To exploit the
    vulnerability, the attacker could send specially crafted messages
    to the Windows Search service. An attacker with access to a target
    computer could exploit this vulnerability to elevate privileges
    and take control of the computer. Additionally, in an enterprise
    scenario, a remote unauthenticated attacker could remotely trigger
    the vulnerability through an SMB connection and then take control
    of a target computer. The security update addresses the
    vulnerability by correcting how Windows Search handles objects in
    memory. (CVE-2017-8620)

  - An elevation of privilege vulnerability exists when the Windows
    Common Log File System (CLFS) driver improperly handles objects in
    memory. In a local attack scenario, an attacker could exploit this
    vulnerability by running a specially crafted application to take
    control of the affected system. An attacker who successfully
    exploited this vulnerability could run processes in an elevated
    context. The update addresses the vulnerability by correcting how
    CLFS handles objects in memory. Note: The Common Log File System
    (CLFS) is a high-performance, general-purpose log file subsystem
    that dedicated client applications can use and multiple clients
    can share to optimize log access. (CVE-2017-8624)

  - This security update resolves a vulnerability in Windows Error
    Reporting (WER). The vulnerability could allow elevation of
    privilege if successfully exploited by an attacker. An attacker
    who successfully exploited this vulnerability could gain greater
    access to sensitive information and system functionality. This
    update corrects the way the WER handles and executes files.
    (CVE-2017-8633)

  - A remote code execution vulnerability exists in the way that 
    Microsoft browser JavaScript engines render content when 
    handling objects in memory. The vulnerability could corrupt 
    memory in such a way that an attacker could execute arbitrary
    code in the context of the current user. (CVE-2017-8636)

  - A remote code execution vulnerability exists in the way 
    JavaScript engines render when handling objects in memory 
    in Microsoft browsers. The vulnerability could corrupt memory 
    in such a way that an attacker could execute arbitrary code in 
    the context of the current user. An attacker who successfully 
    exploited the vulnerability could gain the same user rights as 
    the current user. If the current user is logged on with 
    administrative user rights, an attacker who successfully exploited 
    the vulnerability could take control of an affected system. An 
    attacker could then install programs; view, change, or delete 
    data; or create new accounts with full user rights.
    (CVE-2017-8641)

  - A remote code execution vulnerability exists when Internet 
    Explorer improperly accesses objects in memory. The vulnerability 
    could corrupt memory in such a way that an attacker could execute 
    arbitrary code in the context of the current user.
    (CVE-2017-8651)

  - A remote code execution vulnerability exists when Microsoft 
    browsers improperly access objects in memory. The vulnerability 
    could corrupt memory in such a way that enables an attacker to 
    execute arbitrary code in the context of the current user.
    (CVE-2017-8653)

  - An information disclosure vulnerability exists when the win32k 
    component improperly provides kernel information. An attacker 
    who successfully exploited the vulnerability could obtain 
    information to further compromise the user's system.
    (CVE-2017-8666)

  - An information disclosure vulnerability exists when the Volume
    Manager Extension Drivercomponent improperly provides kernel
    information. An attacker who successfully exploited the
    vulnerability could obtain information to further compromise the
    users system. To exploit this vulnerability, an attacker would
    have to log on to an affected system and run a specially crafted
    application. The security update addresses the vulnerability by
    correcting how Volume Manager Extension Driver handles objects in
    memory. (CVE-2017-8668)

  - A remote code execution vulnerability exists when the Windows font
    library improperly handles specially crafted embedded fonts. An
    attacker who successfully exploited this vulnerability
    would gain code execution on the target system. Users whose
    accounts are configured to have fewer user rights on the system
    could be less impacted than users who operate with administrative
    user rights. There are multiple ways an attacker could exploit the
    vulnerability: In a web-based attack scenario, an attacker could
    host a specially crafted website that is designed to exploit the
    vulnerability and then convince users to view the website. An
    attacker would have no way to force users to view the
    attacker-controlled content. Instead, an attacker would have to
    convince users to take action, typically by getting them to click
    a link in an email or Instant Messenger message that takes users
    to the attacker's website, or by opening an attachment sent
    through email. In a file sharing attack scenario, an attacker
    could provide a specially crafted document file that is designed
    to exploit the vulnerability, and then convince users to open the
    document file. The security update addresses the vulnerability by
    correcting how the Windows font library handles embedded fonts.
    (CVE-2017-8691)");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/4022750/windows-netbios-denial-of-service-vulnerability");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/4034034/windows-search-remote-code-execution-vulnerability");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/4034744/volume-manager-extension-driver-information-disclosure-vulnerability");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/4034745/windows-clfs-elevation-of-privilege-vulnerability");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/4034775/microsoft-jet-database-engine-remote-code-exec-vulnerability");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/4035055/win32k-information-disclosure-vulnerability");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/4035056/express-compressed-fonts-remote-code-execution-vulnerability-in-window");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/4035679/windows-error-reporting-elevation-of-privilege-vulnerability");
  script_set_attribute(attribute:"solution", value:
"Apply the following security updates :

  - KB4022750
  - KB4034034
  - KB4034733
  - KB4034741
  - KB4034744 
  - KB4034745
  - KB4034775
  - KB4035055 
  - KB4035056
  - KB4035679");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-8691");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/08/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/08/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/08/08");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS17-08';

kbs = make_list(
    "4035679",
    "4035056",
    "4035055",
    "4034775",
    "4034745",
    "4034744",
    "4034741",
    "4034733",
    "4034034",
    "4022750"
);

if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

# KBs only apply to Windows 2008
if (hotfix_check_sp_range(vista:'2') <= 0)
  audit(AUDIT_OS_SP_NOT_VULN);

productname = get_kb_item_or_exit("SMB/ProductName", exit_code:1);
if ("Vista" >< productname) audit(AUDIT_OS_SP_NOT_VULN);

systemroot = hotfix_get_systemroot();
if (!systemroot) audit(AUDIT_PATH_NOT_DETERMINED, 'system root');

port   = kb_smb_transport();
login  = kb_smb_login();
pass   = kb_smb_password();
domain = kb_smb_domain();

if(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');

winsxs = ereg_replace(pattern:'^[A-Za-z]:(.*)', replace:"\1\WinSxS", string:systemroot);
winsxs_share = hotfix_path2share(path:systemroot);

rc = NetUseAdd(login:login, password:pass, domain:domain, share:winsxs_share);
if (rc != 1)
{
  NetUseDel();
  audit(AUDIT_SHARE_FAIL, winsxs_share);
}

the_session = make_array(
  'login',    login,
  'password', pass,
  'domain',   domain,
  'share',    winsxs_share
);

# 4035679
files = list_dir(basedir:winsxs, level:0, dir_pat:"errorreportingcore_31bf3856ad364e35", file_pat:"^wer\.dll$", max_recurse:1);
vuln += hotfix_check_winsxs(os:'6.0',
                            sp:2,
                            files:files,
                            versions:make_list('6.0.6002.19848','6.0.6002.24169'),
                            max_versions:make_list('6.0.6002.20000','6.0.6002.99999'),
                            bulletin:bulletin,
                            kb:"4035679", session:the_session);

# 4035056
files = list_dir(basedir:winsxs, level:0, dir_pat:"font-embedding_31bf3856ad364e35", file_pat:"^t2embed\.dll$", max_recurse:1);
vuln += hotfix_check_winsxs(os:'6.0',
                            sp:2,
                            files:files,
                            versions:make_list('6.0.6002.19834','6.0.6002.24154'),
                            max_versions:make_list('6.0.6002.20000','6.0.6002.99999'),
                            bulletin:bulletin,
                            kb:"4035056", session:the_session);

# 4035055
files = list_dir(basedir:winsxs, level:0, dir_pat:"win32k_31bf3856ad364e35", file_pat:"^win32k\.sys$", max_recurse:1);
vuln += hotfix_check_winsxs(os:'6.0',
                            sp:2,
                            files:files,
                            versions:make_list('6.0.6002.19836','6.0.6002.24157'),
                            max_versions:make_list('6.0.6002.20000','6.0.6002.99999'),
                            bulletin:bulletin,
                            kb:"4035055", session:the_session);

# 4034775
files = list_dir(basedir:winsxs, level:0, dir_pat:"components-jetcore_31bf3856ad364e35", file_pat:"^msjet40\.dll$", max_recurse:1);
vuln += hotfix_check_winsxs(os:'6.0',
                            sp:2,
                            files:files,
                            versions:make_list('4.0.9801.0'),
                            max_versions:make_list('4.0.9801.10000'),
                            bulletin:bulletin,
                            kb:"4034775", session:the_session);

# 4034745
files = list_dir(basedir:winsxs, level:0, dir_pat:"commonlog_31bf3856ad364e35", file_pat:"^clfs\.sys$", max_recurse:1);
vuln += hotfix_check_winsxs(os:'6.0',
                            sp:2,
                            files:files,
                            versions:make_list('6.0.6002.19837', '6.0.6002.24158'),
                            max_versions:make_list('6.0.6002.20000','6.0.6002.99999'),
                            bulletin:bulletin,
                            kb:"4034745", session:the_session);

# 4034744
files = list_dir(basedir:winsxs, level:0, dir_pat:"dynamicvolumemanager_31bf3856ad364e35", file_pat:"^volmgrx\.sys$", max_recurse:1);
vuln += hotfix_check_winsxs(os:'6.0',
                            sp:2,
                            files:files,
                            versions:make_list('6.0.6002.19834', '6.0.6002.24154'),
                            max_versions:make_list('6.0.6002.20000','6.0.6002.99999'),
                            bulletin:bulletin,
                            kb:"4034744", session:the_session);

# 4034034
files = list_dir(basedir:winsxs, level:0, dir_pat:"indexing-common_31bf3856ad364e35", file_pat:"^query\.dll$", max_recurse:1);
vuln += hotfix_check_winsxs(os:'6.0',
                            sp:2,
                            files:files,
                            versions:make_list('6.0.6002.19836', '6.0.6002.24154'),
                            max_versions:make_list('6.0.6002.20000','6.0.6002.99999'),
                            bulletin:bulletin,
                            kb:"4034034", session:the_session);

# 4022750
files = list_dir(basedir:winsxs, level:0, dir_pat:"tdi-over-tcpip_31bf3856ad364e35", file_pat:"^tdx\.sys$", max_recurse:1);
vuln += hotfix_check_winsxs(os:'6.0',
                            sp:2,
                            files:files,
                            versions:make_list('6.0.6002.19832', '6.0.6002.24152'),
                            max_versions:make_list('6.0.6002.20000','6.0.6002.99999'),
                            bulletin:bulletin,
                            kb:"4022750", session:the_session);

# 4034741
if(
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"ntoskrnl.exe", version:"6.0.6002.19834", min_version:"6.0.6002.16000", dir:"\system32", bulletin:bulletin, kb:"4034741") ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"ntoskrnl.exe", version:"6.0.6002.24154", min_version:"6.0.6002.20000", dir:"\system32", bulletin:bulletin, kb:"4034741")
  )
  vuln++;

# 4034733
if(
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"mshtml.dll", version:"9.0.8112.21040", min_version:"9.0.8112.20000", dir:"\system32", bulletin:bulletin, kb:"4034733") ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"mshtml.dll", version:"9.0.8112.16929", min_version:"9.0.8112.16000", dir:"\system32", bulletin:bulletin, kb:"4034733")
)
  vuln++;

if (vuln > 0)
{
  replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from the Microsoft Security Updates API. The text
# itself is copyright (C) Microsoft Corporation.
#
include("compat.inc");

if (description)
{
  script_id(102268);
  script_version("1.13");
  script_cvs_date("Date: 2019/11/12");

  script_cve_id(
    "CVE-2017-0174",
    "CVE-2017-0250",
    "CVE-2017-0293",
    "CVE-2017-8591",
    "CVE-2017-8593",
    "CVE-2017-8620",
    "CVE-2017-8624",
    "CVE-2017-8633",
    "CVE-2017-8635",
    "CVE-2017-8636",
    "CVE-2017-8641",
    "CVE-2017-8651",
    "CVE-2017-8653",
    "CVE-2017-8664",
    "CVE-2017-8666",
    "CVE-2017-8668"
  );
  script_bugtraq_id(
    98100,
    99430,
    100032,
    100034,
    100038,
    100039,
    100055,
    100056,
    100057,
    100058,
    100059,
    100061,
    100069,
    100085,
    100089,
    100092
  );
  script_xref(name:"MSKB", value:"4034665");
  script_xref(name:"MSFT", value:"MS17-4034665");
  script_xref(name:"MSKB", value:"4034666");
  script_xref(name:"MSFT", value:"MS17-4034666");

  script_name(english:"Windows Server 2012 August 2017 Security Updates");
  script_summary(english:"Checks for rollup.");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote Windows host is missing security update 4034666
or cumulative update 4034665. It is, therefore, affected by
multiple vulnerabilities :

  - A denial of service vulnerability exists when Microsoft
    Windows improperly handles NetBIOS packets. An attacker
    who successfully exploited this vulnerability could
    cause a target computer to become completely
    unresponsive. A remote unauthenticated attacker could
    exploit this vulnerability by sending a series of TCP
    packets to a target system, resulting in a permanent
    denial of service condition. The update addresses the
    vulnerability by correcting how the Windows network
    stack handles NetBIOS traffic. (CVE-2017-0174)

  - A buffer overflow vulnerability exists in the Microsoft
    JET Database Engine that could allow remote code
    execution on an affected system. An attacker who
    successfully exploited this vulnerability could take
    complete control of an affected system. An attacker
    could then install programs; view, change, or delete
    data; or create new accounts with full user rights.
    (CVE-2017-0250)

  - A remote code execution vulnerability exists when
    Microsoft Windows PDF Library improperly handles objects
    in memory. The vulnerability could corrupt memory in a
    way that enables an attacker to execute arbitrary code
    in the context of the current user. An attacker who
    successfully exploited the vulnerability could gain the
    same user rights as the current user. (CVE-2017-0293)

  - A remote code execution vulnerability exists in Windows
    Input Method Editor (IME) when IME improperly handles
    parameters in a method of a DCOM class. The DCOM server
    is a Windows component installed regardless of which
    languages/IMEs are enabled. An attacker can instantiate
    the DCOM class and exploit the system even if IME is not
    enabled. (CVE-2017-8591)

  - An elevation of privilege vulnerability exists in
    Windows when the Win32k component fails to properly
    handle objects in memory. An attacker who successfully
    exploited this vulnerability could run arbitrary code in
    kernel mode. An attacker could then install programs;
    view, change, or delete data; or create new accounts
    with full user rights. (CVE-2017-8593)

  - A remote code execution vulnerability exists when
    Windows Search handles objects in memory. An attacker
    who successfully exploited this vulnerability could take
    control of the affected system. An attacker could then
    install programs; view, change, or delete data; or
    create new accounts with full user rights.To exploit the
    vulnerability, the attacker could send specially crafted
    messages to the Windows Search service. An attacker with
    access to a target computer could exploit this
    vulnerability to elevate privileges and take control of
    the computer. Additionally, in an enterprise scenario, a
    remote unauthenticated attacker could remotely trigger
    the vulnerability through an SMB connection and then
    take control of a target computer.The security update
    addresses the vulnerability by correcting how Windows
    Search handles objects in memory. (CVE-2017-8620)

  - An elevation of privilege vulnerability exists when the
    Windows Common Log File System (CLFS) driver improperly
    handles objects in memory. (CVE-2017-8624)

  - This security update resolves a vulnerability in Windows
    Error Reporting (WER). The vulnerability could allow
    elevation of privilege if successfully exploited by an
    attacker. An attacker who successfully exploited this
    vulnerability could gain greater access to sensitive
    information and system functionality. This update
    corrects the way the WER handles and executes files.
    (CVE-2017-8633)

  - A remote code execution vulnerability exists in the way
    JavaScript engines render when handling objects in
    memory in Microsoft browsers. The vulnerability could
    corrupt memory in such a way that an attacker could
    execute arbitrary code in the context of the current
    user. An attacker who successfully exploited the
    vulnerability could gain the same user rights as the
    current user. (CVE-2017-8635)

  - A remote code execution vulnerability exists in the way
    that Microsoft browser JavaScript engines render content
    when handling objects in memory. The vulnerability could
    corrupt memory in such a way that an attacker could
    execute arbitrary code in the context of the current
    user. (CVE-2017-8636)

  - A remote code execution vulnerability exists in the way
    JavaScript engines render when handling objects in
    memory in Microsoft browsers. The vulnerability could
    corrupt memory in such a way that an attacker could
    execute arbitrary code in the context of the current
    user. An attacker who successfully exploited the
    vulnerability could gain the same user rights as the
    current user. (CVE-2017-8641)

  - A remote code execution vulnerability exists when
    Internet Explorer improperly accesses objects in memory.
    The vulnerability could corrupt memory in such a way
    that an attacker could execute arbitrary code in the
    context of the current user. An attacker who
    successfully exploited the vulnerability could gain the
    same user rights as the current user. (CVE-2017-8651)

  - A remote code execution vulnerability exists when
    Microsoft browsers improperly access objects in memory.
    The vulnerability could corrupt memory in such a way
    that enables an attacker to execute arbitrary code in
    the context of the current user. An attacker who
    successfully exploited the vulnerability could gain the
    same user rights as the current user. (CVE-2017-8653)

  - A remote code execution vulnerability exists when
    Windows Hyper-V on a host server fails to properly
    validate input from an authenticated user on a guest
    operating system. (CVE-2017-8664)

  - An information disclosure vulnerability exists when the
    win32k component improperly provides kernel information.
    An attacker who successfully exploited the vulnerability
    could obtain information to further compromise the users
    system. (CVE-2017-8666)

  - An information disclosure vulnerability exists when the
    Volume Manager Extension Driver component improperly
    provides kernel information. An attacker who
    successfully exploited the vulnerability could obtain
    information to further compromise the users system.To
    exploit this vulnerability, an attacker would have to
    log on to an affected system and run a specially crafted
    application.The security update addresses the
    vulnerability by correcting how Volume Manager Extension
    Driver handles objects in memory. (CVE-2017-8668)");
  # https://support.microsoft.com/en-us/help/4034665/windows-server-2012-update-kb4034665
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5a9af664");
  # https://support.microsoft.com/en-us/help/4034666/windows-server-2012-update-kb4034666
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?bb07fa4c");
  script_set_attribute(attribute:"solution", value:
"Apply Security Only update KB4034666 or Cumulative update KB4034665.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-8620");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/08/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/08/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/08/08");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = "MS17-08";
kbs = make_list('4034665', '4034666');

if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

# Windows 8 EOL
productname = get_kb_item_or_exit("SMB/ProductName", exit_code:1);
if ("Windows 8" >< productname) audit(AUDIT_OS_SP_NOT_VULN);

share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if (
  smb_check_rollup(os:"6.2",
                   sp:0,
                   rollup_date:"08_2017",
                   bulletin:bulletin,
                   rollup_kb_list:[4034665, 4034666])
)
{
  replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
}