ID

VAR-201303-0226


CVE

CVE-2013-0074


TITLE

Arbitrary code execution vulnerability in Microsoft Silverlight 5 and Silverlight 5 Developer Runtime

Trust: 0.8

sources: JVNDB: JVNDB-2013-001803

DESCRIPTION

Microsoft Silverlight 5, and 5 Developer Runtime, before 5.1.20125.0 does not properly validate pointers during HTML object rendering, which allows remote attackers to execute arbitrary code via a crafted Silverlight application, aka "Silverlight Double Dereference Vulnerability."

Microsoft Silverlight is prone to a remote code-execution vulnerability. An attacker can exploit this issue to execute arbitrary code with the privileges of the currently logged-in user. Failed exploit attempts will likely result in a denial-of-service condition.

The platform enables building interactive applications for web, desktop and mobile devices. The vulnerability is caused by the program not properly validating pointers during rendering of HTML objects.

These details were obtained through the Packet Storm Bug Bounty program and are being released to the community.

Details: A memory disclosure vulnerability exists in the public WriteableBitmap class from System.Windows.dll. This class allows reading of image pixels from the user-defined data stream via the public SetSource() method. BitmapSource.ReadStream() allocates and returns byte array and a count of array items as out parameters. These returned values are taken from the input stream and they can be fully controlled by the untrusted code. When returned "count" is greater than "array.Length", then data outside the "array" are used as input stream data by the native BitmapSource_SetSource() from agcore.dll. Later all data can be viewed via the public WriteableBitmap.Pixels[] property.

Proof of concept: The full exploit code demonstrating code execution is available here: http://packetstormsecurity.com/files/123731/

Related links:
http://technet.microsoft.com/en-us/security/bulletin/ms13-022
http://technet.microsoft.com/en-us/security/bulletin/ms13-087

National Cyber Awareness System
TA13-071A: Microsoft Updates for Multiple Vulnerabilities
Original release date: March 12, 2013

Systems Affected
* Microsoft Windows
* Microsoft Internet Explorer
* Microsoft Office
* Microsoft Server Software
* Microsoft Silverlight

Overview
Select Microsoft software products contain multiple vulnerabilities. Microsoft has released updates to address these vulnerabilities.

Description
The Microsoft Security Bulletin Summary for March 2013 describes multiple vulnerabilities in Microsoft software. Microsoft has released updates to address these vulnerabilities.

Solution
Apply Updates
Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for March 2013, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates.

References
* Microsoft Security Bulletin Summary for March 2013
* Microsoft Windows Server Update Services
* Microsoft Update
* Microsoft Update Overview
* Turn Automatic Updating On or Off

Revision History
* March 12, 2013: Initial release

Relevant URL(s):
<http://technet.microsoft.com/en-us/security/bulletin/ms13-mar>
<http://www.update.microsoft.com/windowsupdate/v6/thanks.aspx?ln=en&amp;amp;&amp;amp;thankspage=5&amp;ln=en&amp;thankspage=5>
<http://windows.microsoft.com/en-us/windows7/Updating-your-computer>
<http://technet.microsoft.com/en-us/windowsserver/bb332157.aspx>
<http://technet.microsoft.com/en-us/wsus/default.aspx>
<http://windows.microsoft.com/en-us/windows-vista/Turn-automatic-updating-on-or-off>

Produced by US-CERT, a government organization.
This document can also be found at http://www.us-cert.gov/ncas/alerts/TA13-071A

Trust: 2.25

sources: NVD: CVE-2013-0074 // JVNDB: JVNDB-2013-001803 // BID: 58327 // VULHUB: VHN-60076 // VULMON: CVE-2013-0074 // PACKETSTORM: 123732 // PACKETSTORM: 120779

AFFECTED PRODUCTS

vendor: microsoft, model: silverlight, scope: gte, version: 5.0

Trust: 1.0

vendor: microsoft, model: silverlight, scope: lt, version: 5.1.20125.0

Trust: 1.0

vendor: Microsoft, model: microsoft silverlight, scope: eq, version: -

Trust: 0.8

vendor: Microsoft, model: microsoft silverlight, scope: eq, version: 5

Trust: 0.8

vendor: Microsoft, model: microsoft silverlight, scope: eq, version: 5 developer runtime 5.1.20125.0

Trust: 0.8

vendor: microsoft, model: silverlight, scope: eq, version: 5.0.60401.0

Trust: 0.6

vendor: microsoft, model: silverlight, scope: eq, version: 5.0.60818.0

Trust: 0.6

vendor: microsoft, model: silverlight, scope: eq, version: 5.0.61118.0

Trust: 0.6

vendor: microsoft, model: silverlight, scope: eq, version: 5.0

Trust: 0.3

sources: BID: 58327 // JVNDB: JVNDB-2013-001803 // CNNVD: CNNVD-201303-258 // NVD: CVE-2013-0074

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2013-0074
value: HIGH

Trust: 1.0

NVD: CVE-2013-0074
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201303-258
value: CRITICAL

Trust: 0.6

VULHUB: VHN-60076
value: HIGH

Trust: 0.1

VULMON: CVE-2013-0074
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2013-0074
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-60076
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2013-0074
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2013-0074
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-60076 // VULMON: CVE-2013-0074 // JVNDB: JVNDB-2013-001803 // CNNVD: CNNVD-201303-258 // NVD: CVE-2013-0074

PROBLEMTYPE DATA

problemtype:NVD-CWE-noinfo

Trust: 1.0

problemtype:Lack of information (CWE-noinfo) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2013-001803 // NVD: CVE-2013-0074

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 123731 // CNNVD: CNNVD-201303-258

TYPE

resource management error

Trust: 0.6

sources: CNNVD: CNNVD-201303-258

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-60076 // VULMON: CVE-2013-0074

PATCH

title: TA13-071A, url: https://technet.microsoft.com/en-us/security/bulletin/ms13-022

Trust: 0.8

title: The Register, url: https://www.theregister.co.uk/2015/02/18/jamie_oliver_exploit_kit/

Trust: 0.2

title: The Register, url: https://www.theregister.co.uk/2015/02/13/rig_exploit_kit_source_code_leak/

Trust: 0.2

title: The Register, url: https://www.theregister.co.uk/2014/08/20/oi_rip_van_winkle_patch_already/

Trust: 0.2

title: https://github.com/omriher/CapTipper, url: https://github.com/omriher/CapTipper

Trust: 0.1

title: Known Exploited Vulnerabilities Detector, url: https://github.com/Ostorlab/KEV

Trust: 0.1

title: Threatpost, url: https://threatpost.com/archie-exploit-kit-targets-adobe-silverlight-vulnerabilities/108317/

Trust: 0.1

title: Threatpost, url: https://threatpost.com/netflixers-beware-angler-exploit-kit-targets-silverlight-vulnerability/102968/

Trust: 0.1

sources: VULMON: CVE-2013-0074 // JVNDB: JVNDB-2013-001803

EXTERNAL IDS

db: NVD, id: CVE-2013-0074

Trust: 3.9

db: USCERT, id: TA13-071A

Trust: 2.7

db: USCERT, id: TA15-119A

Trust: 0.8

db: JVNDB, id: JVNDB-2013-001803

Trust: 0.8

db: CNNVD, id: CNNVD-201303-258

Trust: 0.7

db: BID, id: 58327

Trust: 0.5

db: EXPLOIT-DB, id: 41702

Trust: 0.2

db: PACKETSTORM, id: 123731

Trust: 0.2

db: PACKETSTORM, id: 123732

Trust: 0.2

db: EXPLOIT-DB, id: 29858

Trust: 0.1

db: PACKETSTORM, id: 124182

Trust: 0.1

db: VULHUB, id: VHN-60076

Trust: 0.1

db: VULMON, id: CVE-2013-0074

Trust: 0.1

db: PACKETSTORM, id: 120779

Trust: 0.1

sources: VULHUB: VHN-60076 // VULMON: CVE-2013-0074 // BID: 58327 // JVNDB: JVNDB-2013-001803 // PACKETSTORM: 123732 // PACKETSTORM: 123731 // PACKETSTORM: 120779 // CNNVD: CNNVD-201303-258 // NVD: CVE-2013-0074

REFERENCES

url:http://www.us-cert.gov/ncas/alerts/ta13-071a

Trust: 2.7

url:https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-022

Trust: 1.8

url:https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a16516

Trust: 1.8

url:https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a16565

Trust: 1.8

url:http://jvn.jp/cert/jvnta13-071a/index.html

Trust: 0.8

url:http://jvn.jp/ta/jvnta99041988/

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-0074

Trust: 0.8

url:http://www.jpcert.or.jp/at/2013/at130015.txt

Trust: 0.8

url:http://www.npa.go.jp/cyberpolice/topics/?seq=11017

Trust: 0.8

url:https://www.us-cert.gov/ncas/alerts/ta15-119a

Trust: 0.8

url:https://cisa.gov/known-exploited-vulnerabilities-catalog

Trust: 0.8

url:http://www.microsoft.com

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2013-3896

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2013-0074

Trust: 0.2

url:https://cwe.mitre.org/data/definitions/.html

Trust: 0.1

url:https://github.com/omriher/captipper

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://www.securityfocus.com/bid/58327

Trust: 0.1

url:https://www.exploit-db.com/exploits/41702/

Trust: 0.1

url:https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/58327

Trust: 0.1

url:http://packetstormsecurity.com/bugbounty/

Trust: 0.1

url:http://technet.microsoft.com/en-us/security/bulletin/ms13-022

Trust: 0.1

url:http://technet.microsoft.com/en-us/security/bulletin/ms13-087

Trust: 0.1

url:http://packetstormsecurity.com/

Trust: 0.1

url:http://packetstormsecurity.com/files/123731/

Trust: 0.1

url:http://www.us-cert.gov/privacy/notification/

Trust: 0.1

url:http://www.us-cert.gov/privacy/

Trust: 0.1

url:http://windows.microsoft.com/en-us/windows-vista/turn-automatic-updating-on-or-off

Trust: 0.1

url:http://technet.microsoft.com/en-us/security/bulletin/ms13-mar

Trust: 0.1

url:http://www.update.microsoft.com/windowsupdate/v6/thanks.aspx?ln=en&amp;amp;&amp;amp;thankspage=5&amp;ln=en&amp;thankspage=5

Trust: 0.1

url:http://www.us-cert.gov/mailing-lists-and-feeds/

Trust: 0.1

url:http://windows.microsoft.com/en-us/windows7/updating-your-computer

Trust: 0.1

url:http://technet.microsoft.com/en-us/windowsserver/bb332157.aspx

Trust: 0.1

url:http://technet.microsoft.com/en-us/wsus/default.aspx

Trust: 0.1

sources: VULHUB: VHN-60076 // VULMON: CVE-2013-0074 // BID: 58327 // JVNDB: JVNDB-2013-001803 // PACKETSTORM: 123732 // PACKETSTORM: 123731 // PACKETSTORM: 120779 // CNNVD: CNNVD-201303-258 // NVD: CVE-2013-0074

CREDITS

James Forshaw of Context Information Security

Trust: 0.3

sources: BID: 58327

SOURCES

db: VULHUB, id: VHN-60076
db: VULMON, id: CVE-2013-0074
db: BID, id: 58327
db: JVNDB, id: JVNDB-2013-001803
db: PACKETSTORM, id: 123732
db: PACKETSTORM, id: 123731
db: PACKETSTORM, id: 120779
db: CNNVD, id: CNNVD-201303-258
db: NVD, id: CVE-2013-0074

LAST UPDATE DATE

2024-08-14T12:43:03.890000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-60076, date: 2019-02-26T00:00:00
db: VULMON, id: CVE-2013-0074, date: 2021-09-22T00:00:00
db: BID, id: 58327, date: 2013-11-27T00:24:00
db: JVNDB, id: JVNDB-2013-001803, date: 2024-07-04T06:49:00
db: CNNVD, id: CNNVD-201303-258, date: 2019-02-27T00:00:00
db: NVD, id: CVE-2013-0074, date: 2024-06-28T17:26:06.253

SOURCES RELEASE DATE

db: VULHUB, id: VHN-60076, date: 2013-03-13T00:00:00
db: VULMON, id: CVE-2013-0074, date: 2013-03-13T00:00:00
db: BID, id: 58327, date: 2013-03-12T00:00:00
db: JVNDB, id: JVNDB-2013-001803, date: 2013-03-14T00:00:00
db: PACKETSTORM, id: 123732, date: 2013-10-23T01:03:08
db: PACKETSTORM, id: 123731, date: 2013-10-23T00:55:43
db: PACKETSTORM, id: 120779, date: 2013-03-13T05:05:00
db: CNNVD, id: CNNVD-201303-258, date: 2013-03-14T00:00:00
db: NVD, id: CVE-2013-0074, date: 2013-03-13T00:55:01.137