Details of VAR-201303-0226

ID

VAR-201303-0226

CVE

CVE-2013-0074

TITLE

Microsoft Silverlight 5 and Silverlight 5 Developer Runtime Vulnerability to execute arbitrary code in

Trust: 0.8

sources: JVNDB: JVNDB-2013-001803

DESCRIPTION

Microsoft Silverlight 5, and 5 Developer Runtime, before 5.1.20125.0 does not properly validate pointers during HTML object rendering, which allows remote attackers to execute arbitrary code via a crafted Silverlight application, aka "Silverlight Double Dereference Vulnerability.". Microsoft Silverlight is prone to a remote code-execution vulnerability. An attacker can exploit this issue to execute arbitrary code with the privileges of the currently logged-in user. Failed exploit attempts will likely result in a denial-of-service condition. The platform enables building interactive applications for web, desktop and mobile devices. The vulnerability is caused by the program not properly validating pointers during rendering of HTML objects. These details were obtained through the Packet Storm Bug Bounty program and are being released to the community. +------------------------------------------------------------------------------+ +---------+ | DETAILS | +---------+ A memory disclosure vulnerability exists in the public WriteableBitmap class from System.Windows.dll. This class allows reading of image pixels from the user-defined data stream via the public SetSource() method. BitmapSource.ReadStream() allocates and returns byte array and a count of array items as out parameters. These returned values are taken from the input stream and they can be fully controlled by the untrusted code. When returned "count" is greater than "array.Length", then data outside the "array" are used as input stream data by the native BitmapSource_SetSource() from agcore.dll. Later all data can be viewed via the public WriteableBitmap.Pixels[] property. +------------------------------------------------------------------------------+ +------------------+ | PROOF OF CONCEPT | +------------------+ The full exploit code demonstrating code execution is available here: http://packetstormsecurity.com/files/123731/ +------------------------------------------------------------------------------+ +---------------+ | RELATED LINKS | +---------------+ http://technet.microsoft.com/en-us/security/bulletin/ms13-022 http://technet.microsoft.com/en-us/security/bulletin/ms13-087 +------------------------------------------------------------------------------+ +----------------+ | SHAMELESS PLUG | +----------------+ The Packet Storm Bug Bounty program gives researchers the ability to profit from their discoveries. You can get paid thousands of dollars for one day and zero day exploits. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Awareness System TA13-071A: Microsoft Updates for Multiple Vulnerabilities Original release date: March 12, 2013 Systems Affected * Microsoft Windows * Microsoft Internet Explorer * Microsoft Office * Microsoft Server Software * Microsoft Silverlight Overview Select Microsoft software products contain multiple vulnerabilities. Microsoft has released updates to address these vulnerabilities. Description The Microsoft Security Bulletin Summary for March 2013 describes multiple vulnerabilities in Microsoft software. Microsoft has released updates to address these vulnerabilities. Solution Apply Updates Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for March 2013, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates. References * Microsoft Security Bulletin Summary for March 2013 * Microsoft Windows Server Update Services * Microsoft Update * Microsoft Update Overview * Turn Automatic Updating On or Off Revision History * March 12, 2013: Initial release Relevant URL(s): <http://technet.microsoft.com/en-us/security/bulletin/ms13-mar> <http://www.update.microsoft.com/windowsupdate/v6/thanks.aspx?ln=en&amp;&amp;thankspage=5&ln=en&thankspage=5> <http://windows.microsoft.com/en-us/windows7/Updating-your-computer> <http://technet.microsoft.com/en-us/windowsserver/bb332157.aspx> <http://technet.microsoft.com/en-us/wsus/default.aspx> <http://windows.microsoft.com/en-us/windows-vista/Turn-automatic-updating-on-or-off> <http://technet.microsoft.com/en-us/security/bulletin/ms13-mar> ____________________________________________________________________ Produced by US-CERT, a government organization. ____________________________________________________________________ This product is provided subject to this Notification: http://www.us-cert.gov/privacy/notification/ Privacy & Use policy: http://www.us-cert.gov/privacy/ This document can also be found at http://www.us-cert.gov/ncas/alerts/TA13-071A For instructions on subscribing to or unsubscribing from this mailing list, visit http://www.us-cert.gov/mailing-lists-and-feeds/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBUT98/HdnhE8Qi3ZhAQKWWAf/fFZnHgZvmXQXTRrAfeBn+/18xGeY63vY sMMFOdouCtqpG4C9ITzdIsBjRvTCdnAGPHRAArLrwzUxNVGw0ItIMlZ+tiNQ5wnK lPa//1eqCnNmVcZQCui28R4NJ/tCn09MJD3GANhRHsy6v6bp09xuGDF5RXTJuY4x gGfkc3t0+RQNdvpk3iFh0DtasMLnc6+u2bXMpfFD2aptKXGkFWQ9fQQOBECukPTZ 4BoQxT4+rUoeWUDn2qQvorSy7NHLGJI4m81Wm3JF+El9by/BuMKr3zArM0eV/3eq onzUCjhoBC8VEhtAK5h+ZvizRMGJO26XY+YE9fi8/R/zULJRikFmBw== =xdJ3 -----END PGP SIGNATURE-----

Trust: 2.25

sources: NVD: CVE-2013-0074 // JVNDB: JVNDB-2013-001803 // BID: 58327 // VULHUB: VHN-60076 // VULMON: CVE-2013-0074 // PACKETSTORM: 123732 // PACKETSTORM: 120779

AFFECTED PRODUCTS

vendor:	microsoft	model:	silverlight	scope:	gte	version:	5.0	Trust: 1.0
vendor:	microsoft	model:	silverlight	scope:	lt	version:	5.1.20125.0	Trust: 1.0
vendor:	マイクロソフト	model:	microsoft silverlight	scope:	eq	version:	-	Trust: 0.8
vendor:	マイクロソフト	model:	microsoft silverlight	scope:	eq	version:	5	Trust: 0.8
vendor:	マイクロソフト	model:	microsoft silverlight	scope:	eq	version:	5 developer runtime 5.1.20125.0	Trust: 0.8
vendor:	microsoft	model:	silverlight	scope:	eq	version:	5.0.60401.0	Trust: 0.6
vendor:	microsoft	model:	silverlight	scope:	eq	version:	5.0.60818.0	Trust: 0.6
vendor:	microsoft	model:	silverlight	scope:	eq	version:	5.0.61118.0	Trust: 0.6
vendor:	microsoft	model:	silverlight	scope:	eq	version:	5.0	Trust: 0.3

sources: BID: 58327 // JVNDB: JVNDB-2013-001803 // CNNVD: CNNVD-201303-258 // NVD: CVE-2013-0074

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2013-0074
value:	HIGH
Trust: 1.0
NVD:	CVE-2013-0074
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201303-258
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-60076
value:	HIGH
Trust: 0.1
VULMON:	CVE-2013-0074
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2013-0074
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-60076
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2013-0074
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2013-0074
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-60076 // VULMON: CVE-2013-0074 // JVNDB: JVNDB-2013-001803 // CNNVD: CNNVD-201303-258 // NVD: CVE-2013-0074

PROBLEMTYPE DATA

problemtype:	NVD-CWE-noinfo	Trust: 1.0
problemtype:	Lack of information (CWE-noinfo) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2013-001803 // NVD: CVE-2013-0074

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 123731 // CNNVD: CNNVD-201303-258

TYPE

resource management error

Trust: 0.6

sources: CNNVD: CNNVD-201303-258

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-60076 // VULMON: CVE-2013-0074

PATCH

title:	TA13-071A	url:	https://technet.microsoft.com/en-us/security/bulletin/ms13-022	Trust: 0.8
title:	The Register	url:	https://www.theregister.co.uk/2015/02/18/jamie_oliver_exploit_kit/	Trust: 0.2
title:	The Register	url:	https://www.theregister.co.uk/2015/02/13/rig_exploit_kit_source_code_leak/	Trust: 0.2
title:	The Register	url:	https://www.theregister.co.uk/2014/08/20/oi_rip_van_winkle_patch_already/	Trust: 0.2
title:	https://github.com/omriher/CapTipper	url:	https://github.com/omriher/CapTipper	Trust: 0.1
title:	Known Exploited Vulnerabilities Detector	url:	https://github.com/Ostorlab/KEV	Trust: 0.1
title:	Threatpost	url:	https://threatpost.com/archie-exploit-kit-targets-adobe-silverlight-vulnerabilities/108317/	Trust: 0.1
title:	Threatpost	url:	https://threatpost.com/netflixers-beware-angler-exploit-kit-targets-silverlight-vulnerability/102968/	Trust: 0.1

sources: VULMON: CVE-2013-0074 // JVNDB: JVNDB-2013-001803

EXTERNAL IDS

db:	NVD	id:	CVE-2013-0074	Trust: 3.9
db:	USCERT	id:	TA13-071A	Trust: 2.7
db:	USCERT	id:	TA15-119A	Trust: 0.8
db:	JVNDB	id:	JVNDB-2013-001803	Trust: 0.8
db:	CNNVD	id:	CNNVD-201303-258	Trust: 0.7
db:	BID	id:	58327	Trust: 0.5
db:	EXPLOIT-DB	id:	41702	Trust: 0.2
db:	PACKETSTORM	id:	123731	Trust: 0.2
db:	PACKETSTORM	id:	123732	Trust: 0.2
db:	EXPLOIT-DB	id:	29858	Trust: 0.1
db:	PACKETSTORM	id:	124182	Trust: 0.1
db:	VULHUB	id:	VHN-60076	Trust: 0.1
db:	VULMON	id:	CVE-2013-0074	Trust: 0.1
db:	PACKETSTORM	id:	120779	Trust: 0.1

sources: VULHUB: VHN-60076 // VULMON: CVE-2013-0074 // BID: 58327 // JVNDB: JVNDB-2013-001803 // PACKETSTORM: 123732 // PACKETSTORM: 123731 // PACKETSTORM: 120779 // CNNVD: CNNVD-201303-258 // NVD: CVE-2013-0074

REFERENCES

url:	http://www.us-cert.gov/ncas/alerts/ta13-071a	Trust: 2.7
url:	https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-022	Trust: 1.8
url:	https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a16516	Trust: 1.8
url:	https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a16565	Trust: 1.8
url:	http://jvn.jp/cert/jvnta13-071a/index.html	Trust: 0.8
url:	http://jvn.jp/ta/jvnta99041988/	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-0074	Trust: 0.8
url:	http://www.jpcert.or.jp/at/2013/at130015.txt	Trust: 0.8
url:	http://www.npa.go.jp/cyberpolice/topics/?seq=11017	Trust: 0.8
url:	https://www.us-cert.gov/ncas/alerts/ta15-119a	Trust: 0.8
url:	https://cisa.gov/known-exploited-vulnerabilities-catalog	Trust: 0.8
url:	http://www.microsoft.com	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2013-3896	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2013-0074	Trust: 0.2
url:	https://cwe.mitre.org/data/definitions/.html	Trust: 0.1
url:	https://github.com/omriher/captipper	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://www.securityfocus.com/bid/58327	Trust: 0.1
url:	https://www.exploit-db.com/exploits/41702/	Trust: 0.1
url:	https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/58327	Trust: 0.1
url:	http://packetstormsecurity.com/bugbounty/	Trust: 0.1
url:	http://technet.microsoft.com/en-us/security/bulletin/ms13-022	Trust: 0.1
url:	http://technet.microsoft.com/en-us/security/bulletin/ms13-087	Trust: 0.1
url:	http://packetstormsecurity.com/	Trust: 0.1
url:	http://packetstormsecurity.com/files/123731/	Trust: 0.1
url:	http://www.us-cert.gov/privacy/notification/	Trust: 0.1
url:	http://www.us-cert.gov/privacy/	Trust: 0.1
url:	http://windows.microsoft.com/en-us/windows-vista/turn-automatic-updating-on-or-off>	Trust: 0.1
url:	http://technet.microsoft.com/en-us/security/bulletin/ms13-mar>	Trust: 0.1
url:	http://www.update.microsoft.com/windowsupdate/v6/thanks.aspx?ln=en&amp;&amp;thankspage=5&ln=en&thankspage=5>	Trust: 0.1
url:	http://www.us-cert.gov/mailing-lists-and-feeds/	Trust: 0.1
url:	http://windows.microsoft.com/en-us/windows7/updating-your-computer>	Trust: 0.1
url:	http://technet.microsoft.com/en-us/windowsserver/bb332157.aspx>	Trust: 0.1
url:	http://technet.microsoft.com/en-us/wsus/default.aspx>	Trust: 0.1

CREDITS

James Forshaw of Context Information Security

Trust: 0.3

sources: BID: 58327

SOURCES

db:	VULHUB	id:	VHN-60076
db:	VULMON	id:	CVE-2013-0074
db:	BID	id:	58327
db:	JVNDB	id:	JVNDB-2013-001803
db:	PACKETSTORM	id:	123732
db:	PACKETSTORM	id:	123731
db:	PACKETSTORM	id:	120779
db:	CNNVD	id:	CNNVD-201303-258
db:	NVD	id:	CVE-2013-0074

LAST UPDATE DATE

2024-08-14T12:43:03.890000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-60076	date:	2019-02-26T00:00:00
db:	VULMON	id:	CVE-2013-0074	date:	2021-09-22T00:00:00
db:	BID	id:	58327	date:	2013-11-27T00:24:00
db:	JVNDB	id:	JVNDB-2013-001803	date:	2024-07-04T06:49:00
db:	CNNVD	id:	CNNVD-201303-258	date:	2019-02-27T00:00:00
db:	NVD	id:	CVE-2013-0074	date:	2024-06-28T17:26:06.253

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-60076	date:	2013-03-13T00:00:00
db:	VULMON	id:	CVE-2013-0074	date:	2013-03-13T00:00:00
db:	BID	id:	58327	date:	2013-03-12T00:00:00
db:	JVNDB	id:	JVNDB-2013-001803	date:	2013-03-14T00:00:00
db:	PACKETSTORM	id:	123732	date:	2013-10-23T01:03:08
db:	PACKETSTORM	id:	123731	date:	2013-10-23T00:55:43
db:	PACKETSTORM	id:	120779	date:	2013-03-13T05:05:00
db:	CNNVD	id:	CNNVD-201303-258	date:	2013-03-14T00:00:00
db:	NVD	id:	CVE-2013-0074	date:	2013-03-13T00:55:01.137