[Openvas-discuss] Fwd: FP on Server 2012 for MS Windows Kernel-Mode Drivers Remote Code Execution Vulnerabilities (2870008)

Christian Fischer christian.fischer at greenbone.net
Thu Aug 17 09:22:48 CEST 2017


Hi,

On 15.08.2017 03:42, Jeremy Pennington wrote:
> Thanks for this additional information. It looks like the check for
> fontsub.dll is what is causing the FP. According to
> https://support.microsoft.com/en-us/help/2847311/ms13-081-description-of-the-security-update-for-kernel-mode-drivers-oc,
> the patched file version for 2012 is 6.2.9200.16384, which is the version
> my 2012 server is reporting.
> 
> Is this something that can be corrected in the plugin?
> Thanks

thanks again for your reply. The plugin was updated to report the
version of the file where the detection happened and the vulnerable
range. This update arrived in the feed once the plugin reached revision
6938.

But I'm still wondering about the Fontsub.dll version. According to the
link you posted:

https://support.microsoft.com/en-us/help/2847311/ms13-081-description-of-the-security-update-for-kernel-mode-drivers-oc

the Fontsub.dll is listed twice:

Fontsub.dll	6.2.9200.16453	96,256	08-Nov-2012	04:20	x64

Fontsub.dll	6.2.9200.16384	96,256	26-Jul-2012	03:05	x64

The plugin is checking for a version < 6.2.9200.16453 against Windows
Server 2012 but you have installed 6.2.9200.16384.

Not quite sure if this is an issue in the advisory or at the target
system where the second update in Nov 2012 was missed.

Regards,

> On Mon, Aug 14, 2017 at 3:45 AM, Christian Fischer <
> christian.fischer at greenbone.net> wrote:
> 
>> Hi,
>>
>> On 14.08.2017 04:18, Jeremy Pennington wrote:
>>> It appears the plugin for MS Windows Kernel-Mode Drivers Remote Code
>>> Execution Vulnerabilities (2870008) is producing a false positive on
>>> Server 2012 (version 6.2 build 9200). If I understand the plugin's logic
>>> correctly, it is looking at the file version of
>>> %systemroot%\Windows\System32\win32k.sys. On the server the file
>>> version is showing as 6.2.9200.22210, which is higher than the version
>>> that addresses this Security Bulletin according to
>>> https://support.microsoft.com/en-us/help/2883150.
>>>
>>> Let me know if there is any additional information that would be helpful
>>> in reviewing this or if there is a better forum or method for discussing
>>> FPs.
>>>
>>> Thanks for reviewing this.
>>> JP
>>
>> thanks for your report. On a Windows Server 2012 it checks not only
>> win32k.sys but also various other files and their versions:
>>
>> %systemroot%\system32\Fontsub.dll
>> -> less than 6.2.9200.16453
>>
>> %systemroot%\system32\drivers\usbd.sys
>> -> less than 6.2.9200.16654
>> OR
>> -> in range of 6.2.9200.20000 and 6.2.9200.20760
>>
>> %systemroot%\system32\drivers\hidparse.sys
>> -> less than 6.2.9200.16654
>> OR
>> -> in range of 6.2.9200.20000 and 6.2.9200.20762
>>
>> %systemroot%\system32\win32k.sys
>> -> less than 6.2.9200.16699
>> OR
>> -> in range of 6.2.9200.20000 and 6.2.9200.20806
>>
>> %systemroot%\system32\Wdfres.dll
>> -> less than 6.2.9200.16384
>>
>> Might be possible that either one of those files didn't get updated
>> correctly on your system (not that likely IMHO) or that one of those
>> version checks doesn't match what the patch has actually patched.
>>
>> Regards,
>>
>> --
>>
>> Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
>> Greenbone Networks GmbH | http://greenbone.net
>> Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
>> Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
>> _______________________________________________
>> Openvas-discuss mailing list
>> Openvas-discuss at wald.intevation.org
>> https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
> 

-- 

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
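To make the version logic discussed in this thread concrete, here is an added Python example that is not the plugin's own NASL code and not from Greenbone. It transcribes the per-file vulnerable ranges from the quoted message into data, compares Windows four-part file versions numerically, and reports the file, the installed version and the matching range, which is the information the updated plugin now reports. The file inventory is constructed: win32k.sys and Fontsub.dll carry the versions Jeremy reported, the other three files were given boundary values to show the edge cases. Running it shows why only the Fontsub.dll check fires on that host.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn a dotted Windows file version such as '6.2.9200.16384' into a
    tuple of ints so that comparison is numeric, not lexicographic
    ('6.2.9200.9999' must sort below '6.2.9200.16384')."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a 4-part file version: {text!r}")
    return tuple(int(p) for p in parts)


# Vulnerable ranges for Windows Server 2012 as listed in the quoted message.
# A file is affected if ANY of its rules matches.
#   ("lt", v)          -> installed version strictly lower than v
#   ("range", lo, hi)  -> lo <= installed version <= hi
# The 6.2.9200.20000+ series is the separately numbered LDR/QFE branch; it is
# numerically higher than the 16xxx GDR builds, so a plain "less than" test
# would never catch it, hence the explicit range rules.
RULES = {
    r"%systemroot%\system32\Fontsub.dll": [("lt", "6.2.9200.16453")],
    r"%systemroot%\system32\drivers\usbd.sys": [
        ("lt", "6.2.9200.16654"),
        ("range", "6.2.9200.20000", "6.2.9200.20760"),
    ],
    r"%systemroot%\system32\drivers\hidparse.sys": [
        ("lt", "6.2.9200.16654"),
        ("range", "6.2.9200.20000", "6.2.9200.20762"),
    ],
    r"%systemroot%\system32\win32k.sys": [
        ("lt", "6.2.9200.16699"),
        ("range", "6.2.9200.20000", "6.2.9200.20806"),
    ],
    r"%systemroot%\system32\Wdfres.dll": [("lt", "6.2.9200.16384")],
}


def rule_matches(version: Version, rule: tuple) -> bool:
    """Evaluate one ("lt", v) or ("range", lo, hi) rule against a version."""
    if rule[0] == "lt":
        return version < parse_version(rule[1])
    if rule[0] == "range":
        return parse_version(rule[1]) <= version <= parse_version(rule[2])
    raise ValueError(f"unknown rule kind {rule[0]!r}")


def describe(rule: tuple) -> str:
    """Human-readable form of a rule for the finding text."""
    return f"< {rule[1]}" if rule[0] == "lt" else f"{rule[1]} .. {rule[2]}"


def find_vulnerable_files(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (path, installed_version, matched_range) for every inventoried
    file whose version falls in a vulnerable range. Files absent from the
    inventory are skipped rather than assumed vulnerable."""
    hits = []
    for path, rules in RULES.items():
        installed = inventory.get(path)
        if installed is None:
            continue
        version = parse_version(installed)
        for rule in rules:
            if rule_matches(version, rule):
                hits.append((path, installed, describe(rule)))
                break  # one finding per file is enough
    return hits


# Constructed inventory: the two versions reported in the thread plus
# boundary values for the remaining files (equal to, or one above, a limit).
SAMPLE_INVENTORY = {
    r"%systemroot%\system32\win32k.sys": "6.2.9200.22210",   # from the thread
    r"%systemroot%\system32\Fontsub.dll": "6.2.9200.16384",  # from the thread
    r"%systemroot%\system32\drivers\usbd.sys": "6.2.9200.16654",     # == limit
    r"%systemroot%\system32\drivers\hidparse.sys": "6.2.9200.20763",  # hi + 1
    r"%systemroot%\system32\Wdfres.dll": "6.2.9200.16384",           # == limit
}

if __name__ == "__main__":
    for path, installed, vuln_range in find_vulnerable_files(SAMPLE_INVENTORY):
        print(f"{path}: installed {installed}, vulnerable range {vuln_range}")
```

On the constructed inventory only Fontsub.dll is reported: 6.2.9200.16384 is below the 16453 limit, while win32k.sys at 22210 is above the GDR limit and outside the LDR range, and the three boundary values fall just outside their rules. Whether the 16384 build of Fontsub.dll is really unpatched or the advisory's file list is misleading is exactly the open question in the thread; the code only makes visible which rule produced the finding.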

