[Openvas-discuss] Fwd: FP on Server 2012 for MS Windows Kernel-Mode Drivers Remote Code Execution Vulnerabilities (2870008)

Christian Fischer christian.fischer at greenbone.net
Mon Aug 14 10:45:51 CEST 2017


Hi,

On 14.08.2017 04:18, Jeremy Pennington wrote:
> It appears the plugin for MS Windows Kernel-Mode Drivers Remote Code
> Execution Vulnerabilities (2870008) is producing a false positive on Server
> 2012 (version 6.2 build 9200). If I understand the plugin's logic
> correctly, it is looking at the file version of
> %systemroot%\Windows\System32\win32k.sys. On the server the file version is
> showing as 6.2.9200.22210, which is higher than the version that addresses
> this Security Bulletin according to
> https://support.microsoft.com/en-us/help/2883150.
> 
> Let me know if there is any additional information that would be helpful in
> reviewing this or if there is a better forum or method for discussing FPs.
> 
> Thanks for reviewing this.
> JP

Thanks for your report. On Windows Server 2012 it checks not only
win32k.sys but also various other files and their versions:

%systemroot%\system32\Fontsub.dll
-> less than 6.2.9200.16453

%systemroot%\system32\drivers\usbd.sys
-> less than 6.2.9200.16654
OR
-> in range of 6.2.9200.20000 and 6.2.9200.20760

%systemroot%\system32\drivers\hidparse.sys
-> less than 6.2.9200.16654
OR
-> in range of 6.2.9200.20000 and 6.2.9200.20762

%systemroot%\system32\win32k.sys
-> less than 6.2.9200.16699
OR
-> in range of 6.2.9200.20000 and 6.2.9200.20806

%systemroot%\system32\Wdfres.dll
-> less than 6.2.9200.16384

It might be that either one of those files didn't get updated
correctly on your system (not that likely IMHO) or that one of those
version checks doesn't match what the patch has actually patched.

Regards,

-- 

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
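To make the version logic from the reply above reproducible, here is a small Python re-implementation of the five file checks as listed in the thread. This is an added example written for this page, not the OpenVAS plugin's own NASL code; it assumes the "in range of A and B" checks are inclusive at both ends (the post does not say), and every file version in the two sample inventories is constructed except the reporter's win32k.sys value 6.2.9200.22210. Running it against the file versions collected from a host shows which file, if any, would make the plugin fire.

```python
"""Added example: evaluate the KB2870008 / Server 2012 file-version checks
listed in the mailing-list reply.  Not the OpenVAS/NASL plugin itself."""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]

# Rule shapes: ("lt", bound) or ("range", low, high).  Range bounds are
# treated as inclusive here; that is an assumption, not stated on the page.
CHECKS: Dict[str, List[tuple]] = {
    r"%systemroot%\system32\Fontsub.dll":
        [("lt", "6.2.9200.16453")],
    r"%systemroot%\system32\drivers\usbd.sys":
        [("lt", "6.2.9200.16654"), ("range", "6.2.9200.20000", "6.2.9200.20760")],
    r"%systemroot%\system32\drivers\hidparse.sys":
        [("lt", "6.2.9200.16654"), ("range", "6.2.9200.20000", "6.2.9200.20762")],
    r"%systemroot%\system32\win32k.sys":
        [("lt", "6.2.9200.16699"), ("range", "6.2.9200.20000", "6.2.9200.20806")],
    r"%systemroot%\system32\Wdfres.dll":
        [("lt", "6.2.9200.16384")],
}


def parse_version(text: str) -> Version:
    """Turn '6.2.9200.22210' into an int tuple so comparisons are numeric.
    A plain string compare would wrongly sort '6.2.9200.22210' before
    '6.2.9200.9200', which is exactly the kind of bug that produces FPs."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected a.b.c.d file version, got {text!r}")
    major, minor, build, rev = (int(p) for p in parts)
    return (major, minor, build, rev)


def rule_matches(version: Version, rule: tuple) -> bool:
    """True when the observed version falls inside one vulnerable rule."""
    if rule[0] == "lt":
        return version < parse_version(rule[1])
    if rule[0] == "range":
        return parse_version(rule[1]) <= version <= parse_version(rule[2])
    raise ValueError(f"unknown rule kind {rule[0]!r}")


def describe(rule: tuple) -> str:
    if rule[0] == "lt":
        return f"less than {rule[1]}"
    return f"in range of {rule[1]} and {rule[2]}"


def evaluate(observed: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (path, observed_version, matched_rule) for each file that would
    trigger the plugin.  Files absent from the inventory yield no verdict."""
    hits: List[Tuple[str, str, str]] = []
    for path, rules in CHECKS.items():
        if path not in observed:
            continue
        version = parse_version(observed[path])
        for rule in rules:
            if rule_matches(version, rule):
                hits.append((path, observed[path], describe(rule)))
                break  # one matching rule per file is enough
    return hits


# Constructed inventory: win32k.sys is the reporter's real value; the rest
# are made up, with usbd.sys deliberately placed inside its second range.
SAMPLE_REPORTER = {
    r"%systemroot%\system32\Fontsub.dll": "6.2.9200.16453",
    r"%systemroot%\system32\drivers\usbd.sys": "6.2.9200.20500",
    r"%systemroot%\system32\drivers\hidparse.sys": "6.2.9200.16654",
    r"%systemroot%\system32\win32k.sys": "6.2.9200.22210",
    r"%systemroot%\system32\Wdfres.dll": "6.2.9200.16384",
}

# Constructed inventory where every file is above its bounds.
SAMPLE_PATCHED = {
    r"%systemroot%\system32\Fontsub.dll": "6.2.9200.16500",
    r"%systemroot%\system32\drivers\usbd.sys": "6.2.9200.21000",
    r"%systemroot%\system32\drivers\hidparse.sys": "6.2.9200.16700",
    r"%systemroot%\system32\win32k.sys": "6.2.9200.22210",
    r"%systemroot%\system32\Wdfres.dll": "6.2.9200.16400",
}


if __name__ == "__main__":
    for name, inv in (("reporter", SAMPLE_REPORTER), ("patched", SAMPLE_PATCHED)):
        hits = evaluate(inv)
        print(f"{name}: {'no finding' if not hits else ''}")
        for path, ver, why in hits:
            print(f"  {path} = {ver} ({why})")
```

The point of the exercise is the one the reply makes: win32k.sys at 6.2.9200.22210 is above both its "less than" bound and the upper end of its second range, so by itself it cannot trigger the check, and the finding must come from one of the other four files (or from a bound that does not match the actual patch). Feeding the real versions from `(Get-Item $file).VersionInfo.FileVersion` on the affected host into `evaluate` pinpoints which.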

