MS Security Advisory 4022344: Security Update for Microsoft Malware Protection Engine - Nessus
High Plugin ID: 100051This page contains detailed information about the MS Security Advisory 4022344: Security Update for Microsoft Malware Protection Engine Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.
Plugin Overview
ID: 100051
Name: MS Security Advisory 4022344: Security Update for Microsoft Malware Protection Engine
Filename: smb_kb4022344.nasl
Vulnerability Published: 2017-05-09
This Plugin Published: 2017-05-09
Last Modification Time: 2019-11-13
Plugin Version: 1.10
Plugin Type: local
Plugin Family: Windows
Dependencies:
fcs_installed.nasl, smb_hotfixes.nasl
Required KB Items [?]: SMB/Registry/Enumerated
Vulnerability Information
Severity: High
Vulnerability Published: 2017-05-09
Patch Published: 2017-05-09
CVE [?]: CVE-2017-0290
CPE [?]: cpe:/a:microsoft:malware_protection_engine, cpe:/o:microsoft:windows
Exploited by Malware: True
Synopsis
The remote host has an antimalware application installed that is affected by a remote code execution vulnerability.
Description
The version of Microsoft Malware Protection Engine (MMPE) installed on the remote Windows host is prior to 1.1.13704.0. It is, therefore, affected by a remote code execution vulnerability in the NScript component in mpengine.dll due to a type confusion error. An unauthenticated, remote attacker can exploit this, via a specially crafted file, to execute arbitrary code in the security context of the LocalSystem account.
Nessus has checked if a vulnerable version of MMPE is being used by any of the following applications :
- Microsoft Forefront Endpoint Protection 2010 - Microsoft Endpoint Protection - Microsoft Forefront Security for SharePoint - Microsoft System Center Endpoint Protection - Microsoft Security Essentials - Windows Defender for Windows 7, Windows 8.1, Windows RT 8.1, Windows 10, Windows 10 1511, Windows 10 1607, Windows 10 1703, and Windows Server 2016 - Windows Intune Endpoint Protection
Solution
Enable automatic updates to update the scan engine for the relevant antimalware applications. Refer to KB4022344 for information on how to verify MMPE has been updated.
Public Exploits
Target Network Port(s): 139, 445
Target Asset(s): N/A
Exploit Available: True (GitHub)
Exploit Ease: Exploits are available
Here's the list of publicly known exploits and PoCs for verifying the MS Security Advisory 4022344: Security Update for Microsoft Malware Protection Engine vulnerability:
- GitHub: https://github.com/homjxi0e/CVE-2017-0290-
[CVE-2017-0290] - GitHub: https://github.com/qazbnm456/awesome-cve-poc/blob/master/CVE-2017-0290.md
[CVE-2017-0290] - GitHub: https://github.com/ycdxsb/WindowsPrivilegeEscalation
[CVE-2017-0290]
Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.
WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.
Risk Information
CVSS Score Source [?]: CVE-2017-0290
CVSS V2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:H/RL:OF/RC:C
| CVSS Base Score: | 9.3 (High) |
| Impact Subscore: | 10.0 |
| Exploitability Subscore: | 8.6 |
| CVSS Temporal Score: | 8.1 (High) |
| CVSS Environmental Score: | NA (None) |
| Modified Impact Subscore: | NA |
| Overall CVSS Score: | 8.1 (High) |
| CVSS Base Score: | 7.8 (High) |
| Impact Subscore: | 5.9 |
| Exploitability Subscore: | 1.8 |
| CVSS Temporal Score: | 7.5 (High) |
| CVSS Environmental Score: | NA (None) |
| Modified Impact Subscore: | NA |
| Overall CVSS Score: | 7.5 (High) |
Go back to menu.
Plugin Source
This is the smb_kb4022344.nasl nessus plugin source code. This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(100051);
script_version("1.10");
script_cvs_date("Date: 2019/11/13");
script_cve_id("CVE-2017-0290");
script_bugtraq_id(98330);
script_xref(name:"MSKB", value:"4022344");
script_name(english:"MS Security Advisory 4022344: Security Update for Microsoft Malware Protection Engine");
script_summary(english:"Checks engine version.");
script_set_attribute(attribute:"synopsis", value:
"The remote host has an antimalware application installed that is
affected by a remote code execution vulnerability.");
script_set_attribute(attribute:"description", value:
"The version of Microsoft Malware Protection Engine (MMPE) installed on
the remote Windows host is prior to 1.1.13704.0. It is, therefore,
affected by a remote code execution vulnerability in the NScript
component in mpengine.dll due to a type confusion error. An
unauthenticated, remote attacker can exploit this, via a specially
crafted file, to execute arbitrary code in the security context of the
LocalSystem account.
Nessus has checked if a vulnerable version of MMPE is being used by
any of the following applications :
- Microsoft Forefront Endpoint Protection 2010
- Microsoft Endpoint Protection
- Microsoft Forefront Security for SharePoint
- Microsoft System Center Endpoint Protection
- Microsoft Security Essentials
- Windows Defender for Windows 7, Windows 8.1, Windows RT
8.1, Windows 10, Windows 10 1511, Windows 10 1607,
Windows 10 1703, and Windows Server 2016
- Windows Intune Endpoint Protection");
script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2017/4022344");
script_set_attribute(attribute:"solution", value:
"Enable automatic updates to update the scan engine for the relevant
antimalware applications. Refer to KB4022344 for information on how to
verify MMPE has been updated.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-0290");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2017/05/09");
script_set_attribute(attribute:"patch_publication_date", value:"2017/05/09");
script_set_attribute(attribute:"plugin_publication_date", value:"2017/05/09");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:malware_protection_engine");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows");
script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("smb_hotfixes.nasl", "fcs_installed.nasl");
script_require_keys("SMB/Registry/Enumerated");
script_require_ports(139, 445);
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("smb_func.inc");
get_kb_item_or_exit("SMB/Registry/Enumerated");
# indicates if any antimalware products were found. this is used
# to determine whether or not the plugin should check if defender is affected
antimalware_installed = FALSE;
# Connect to the appropriate share.
port = kb_smb_transport();
login = kb_smb_login();
pass = kb_smb_password();
domain = kb_smb_domain();
if(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');
rc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
if (rc != 1)
{
NetUseDel();
audit(AUDIT_SHARE_FAIL, "IPC$");
}
# Connect to remote registry.
hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
if (isnull(hklm))
{
NetUseDel();
audit(AUDIT_REG_FAIL);
}
# Figure out where it is installed.
path = NULL;
info = '';
info2 = '';
engine_version = NULL;
fixed_engine_version = "1.1.13704.0";
last_vulnerable = "1.1.13701.0";
# Forefront Client Security (either both or neither of these will be in the KB)
engine_version = get_kb_item("Antivirus/Forefront_Client_Security/engine_version");
fcs_path = get_kb_item("Antivirus/Forefront_Client_Security/path");
if (!isnull(engine_version))
{
antimalware_installed = TRUE;
if (ver_compare(ver:engine_version, fix:last_vulnerable) <= 0)
{
info +=
'\n Product : Microsoft Forefront Client Security'+
'\n Path : ' + fcs_path +
'\n Installed version : ' + engine_version +
'\n Fixed version : ' + fixed_engine_version + '\n';
}
else info2 += 'Microsoft Forefront Client Security with MMPE version '+ engine_version + ". ";
}
# Microsoft Security Essentials
# Forefront Endpoint Protection
# System Center Endpoint Protection
engine_version = NULL;
NetUseDel(close:FALSE);
rc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
if (rc != 1)
{
NetUseDel();
audit(AUDIT_SHARE_FAIL, "IPC$");
}
# Connect to remote registry again.
hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
if (isnull(hklm))
{
NetUseDel();
audit(AUDIT_REG_FAIL);
}
key = "SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates";
key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
if (!isnull(key_h))
{
value = RegQueryValue(handle:key_h, item:"EngineVersion");
if (!isnull(value)) engine_version = value[1];
RegCloseKey(handle:key_h);
}
path = NULL;
key = "SOFTWARE\Microsoft\Microsoft Antimalware";
key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
if (!isnull(key_h))
{
value = RegQueryValue(handle:key_h, item:"InstallLocation");
if (!isnull(value)) path = value[1];
RegCloseKey(handle:key_h);
}
if(!isnull(path))
{
found = 0;
# Check if the main exe exists.
share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:path);
exe = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\MsMpEng.exe", string:path);
NetUseDel(close:FALSE);
rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
if (rc != 1)
{
NetUseDel();
audit(AUDIT_SHARE_FAIL, share);
}
fh = CreateFile(
file:exe,
desired_access:GENERIC_READ,
file_attributes:FILE_ATTRIBUTE_NORMAL,
share_mode:FILE_SHARE_READ,
create_disposition:OPEN_EXISTING
);
if (!isnull(fh))
{
antimalware_installed = TRUE;
found = 1;
CloseFile(handle:fh);
}
if (found && !isnull(engine_version))
{
if (ver_compare(ver:engine_version, fix:last_vulnerable) <= 0)
{
info +=
'\n Product : Microsoft Security Essentials / Forefront Endpoint Protection / System Center Endpoint Protection'+
'\n Path : ' + share[0] + ':' + exe +
'\n Installed version : ' + engine_version +
'\n Fixed version : ' + fixed_engine_version + '\n';
}
else info2 += 'Microsoft Security Essentials / Forefront Endpoint Protection / System Center Endpoint Protection with MMPE version ' + engine_version + ". ";
}
}
# Microsoft Windows Defender
# defender is apparently disabled when other antimalware products are installed,
# so it will only be checked if the plugin hasn't detected other products are present
if (!antimalware_installed)
{
defender_enabled = TRUE;
engine_version = NULL;
# Check if Windows Defender is disabled via group policy
key = "SOFTWARE\Policies\Microsoft\Windows Defender";
key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
if (!isnull(key_h))
{
value = RegQueryValue(handle:key_h, item:"DisableAntiSpyware");
if (!isnull(value))
{
if (value[1] > 0)
{
defender_enabled = FALSE;
}
}
RegCloseKey(handle:key_h);
}
key = "SOFTWARE\Microsoft\Windows Defender";
key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
if (!isnull(key_h))
{
value = RegQueryValue(handle:key_h, item:"DisableAntiSpyware");
if (!isnull(value))
{
if (value[1] > 0)
{
defender_enabled = FALSE;
}
}
RegCloseKey(handle:key_h);
}
if (defender_enabled)
{
key = "SOFTWARE\Microsoft\Windows Defender\Signature Updates";
key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
if (!isnull(key_h))
{
value = RegQueryValue(handle:key_h, item:"EngineVersion");
if (!isnull(value)) engine_version = value[1];
RegCloseKey(handle:key_h);
}
path = NULL;
key = "SOFTWARE\Microsoft\Windows Defender\Signature Updates";
key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
if (!isnull(key_h))
{
value = RegQueryValue(handle:key_h, item:"SignatureLocation");
if (!isnull(value)) path = value[1];
RegCloseKey(handle:key_h);
}
if(!isnull(path))
{
found = 0;
defender_dll = NULL;
# Check the version of the main exe.
share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:path);
# this is the path smb_kb4022344.nasl checks
dll1 = ereg_replace(pattern:"^[A-Za-z]:(.+Windows Defender\\Definition Updates).+", replace:"\1\Default\MpEngine.dll", string:path);
# this path works for Windows Defender on Windows 8
dll2 = ereg_replace(pattern:"^[A-Za-z]:(.+)$", replace:"\1\MpEngine.dll", string:path);
NetUseDel(close:FALSE);
rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
if (rc != 1)
{
NetUseDel();
audit(AUDIT_SHARE_FAIL, share);
}
fh = CreateFile(
file:dll1,
desired_access:GENERIC_READ,
file_attributes:FILE_ATTRIBUTE_NORMAL,
share_mode:FILE_SHARE_READ,
create_disposition:OPEN_EXISTING
);
if (!isnull(fh))
{
found =1 ;
defender_dll = share[0] + ':' + dll1;
CloseFile(handle:fh);
}
if (found == 0)
{
fh = CreateFile(
file:dll2,
desired_access:GENERIC_READ,
file_attributes:FILE_ATTRIBUTE_NORMAL,
share_mode:FILE_SHARE_READ,
create_disposition:OPEN_EXISTING
);
if (!isnull(fh))
{
found =1 ;
defender_dll = share[0] + ':' + dll2;
CloseFile(handle:fh);
}
}
if (found && !isnull(engine_version))
{
if (ver_compare(ver:engine_version, fix:last_vulnerable) <= 0)
{
info +=
'\n Product : Microsoft Windows Defender'+
'\n Path : ' + defender_dll +
'\n Installed version : ' + engine_version +
'\n Fixed version : ' + fixed_engine_version + '\n';
}
else info2 += 'Microsoft Windows Defender with MMPE version ' + engine_version + ". ";
}
}
}
}
RegCloseKey(handle:hklm);
NetUseDel();
if (info)
{
report = '\n' +
"Nessus found following vulnerable product(s) installed :" +'\n'+
info;
security_report_v4(severity:SECURITY_HOLE, port:port, extra:report);
exit(0);
}
else if(info2) exit(0,"The following instance(s) of MMPE are installed and not vulnerable : "+ info2);
else exit(0, "Nessus could not find evidence of affected Microsoft antimalware products installed.");
The latest version of this script can be found in these locations depending on your platform:
- Linux / Unix:
/opt/nessus/lib/nessus/plugins/smb_kb4022344.nasl - Windows:
C:\ProgramData\Tenable\Nessus\nessus\plugins\smb_kb4022344.nasl - Mac OS X:
/Library/Nessus/run/lib/nessus/plugins/smb_kb4022344.nasl
Go back to menu.
How to Run
Here is how to run the MS Security Advisory 4022344: Security Update for Microsoft Malware Protection Engine as a standalone plugin via the Nessus web user interface (https://localhost:8834/):
- Click to start a New Scan.
- Select Advanced Scan.
- Navigate to the Plugins tab.
- On the top right corner click to Disable All plugins.
- On the left side table select Windows plugin family.
- On the right side table select MS Security Advisory 4022344: Security Update for Microsoft Malware Protection Engine plugin ID 100051.
- Specify the target on the Settings tab and click to Save the scan.
- Run the scan.
Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.
Basic usage:
/opt/nessus/bin/nasl smb_kb4022344.nasl -t <IP/HOST>Run the plugin with audit trail message on the console:
/opt/nessus/bin/nasl -a smb_kb4022344.nasl -t <IP/HOST>Run the plugin with trace script execution written to the console (useful for debugging):
/opt/nessus/bin/nasl -T - smb_kb4022344.nasl -t <IP/HOST>Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):
/opt/nessus/bin/nasl -K /tmp/state smb_kb4022344.nasl -t <IP/HOST>Go back to menu.
References
BID | SecurityFocus Bugtraq ID: MSKB | Microsoft Knowledge Base: See also:
- https://www.tenable.com/plugins/nessus/100051
- https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2017/4022344
- https://vulners.com/nessus/SMB_KB4022344.NASL
- 47045 - MS KB2219475: Windows Help Center hcp:// Protocol Handler Arbitrary Code Execution
- 47750 - MS KB2286198: Windows Shell Shortcut Icon Parsing Arbitrary Code Execution (EASYHOOKUP)
- 49274 - MS KB2401593: Microsoft Outlook Web Access (OWA) CSRF
- 51587 - MS KB2488013: Internet Explorer CSS Import Rule Processing Arbitrary Code Execution
- 62224 - MS KB2755399: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer 10
- 63372 - MS KB2794220: Vulnerability in Internet Explorer Could Allow Remote Code Execution (deprecated)
- 64508 - MS KB2811522: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer 10
- 66423 - MS KB2820197: Update Rollup for ActiveX Kill Bits
- 71325 - MS KB2907997: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer 10
- 72286 - MS KB2929825: Update for Vulnerability in Adobe Flash Player in Internet Explorer
- 73742 - MS KB2961887: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
- 73865 - MS KB2962393: Update for Vulnerability in Juniper Networks Windows In-Box Junos Pulse Client (Heartbleed)
- 76416 - MS KB2974008: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
- 77170 - MS KB2982794: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
- 77580 - MS KB2987114: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
- 78444 - MS KB3001237: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
- 79145 - MS KB3004150: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
- 78447 - MS KB3009008: Vulnerability in SSL 3.0 Could Allow Information Disclosure (POODLE)
- 81209 - MS KB3021953: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
- 81046 - MS KB3035034: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
- 81732 - MS KB3044132: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
- 82823 - MS KB3049508: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
- 83369 - MS KB3061904: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
- 84058 - MS KB3062760: Update for Vulnerability in Juniper Networks Windows In-Box Junos Pulse Client (FREAK)
- 84052 - MS KB3065820: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
- 84645 - MS KB3065823: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
- 84367 - MS KB3074219: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
- 84809 - MS KB3079777: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
- 85329 - MS KB3087916: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
- 86469 - MS KB3105216: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer and Microsoft Edge
- 87671 - MS KB3132372: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer and Microsoft Edge
- 35634 - MS KB960715: Cumulative Security Update of ActiveX Kill Bits
Version
This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file smb_kb4022344.nasl version 1.10. For more plugins, visit the Nessus Plugin Library.
Go back to menu.
