MS17-006: Cumulative Security Update for Internet Explorer (4013073) - Nessus

High   Plugin ID: 97729

---

This page contains detailed information about the MS17-006: Cumulative Security Update for Internet Explorer (4013073) Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.

Plugin Overview

---

ID: 97729
Name: MS17-006: Cumulative Security Update for Internet Explorer (4013073)
Filename: smb_nt_ms17-006.nasl
Vulnerability Published: 2017-02-23
This Plugin Published: 2017-03-14
Last Modification Time: 2022-03-29
Plugin Version: 1.15
Plugin Type: local
Plugin Family: Windows : Microsoft Bulletins
Dependencies: ms_bulletin_checks_possible.nasl, smb_check_rollup.nasl, smb_hotfixes.nasl
Required KB Items [?]: SMB/MS_Bulletin_Checks/Possible

Vulnerability Information

---

Severity: High
Vulnerability Published: 2017-02-23
Patch Published: 2017-03-14
CVE [?]: CVE-2017-0008, CVE-2017-0009, CVE-2017-0012, CVE-2017-0018, CVE-2017-0033, CVE-2017-0037, CVE-2017-0040, CVE-2017-0049, CVE-2017-0059, CVE-2017-0130, CVE-2017-0149, CVE-2017-0154
CPE [?]: cpe:/a:microsoft:ie, cpe:/o:microsoft:windows
Exploited by Malware: True

Synopsis

The remote host has a web browser installed that is affected by multiple vulnerabilities.

Description

The version of Internet Explorer installed on the remote Windows host is missing Cumulative Security Update 4013073. It is, therefore, affected by multiple vulnerabilities, the most severe of which are remote code execution vulnerabilities. An unauthenticated, remote attacker can exploit these vulnerabilities by convincing a user to visit a specially crafted website, resulting in the execution of arbitrary code in the context of the current user.

Solution

Microsoft has released a set of patches for Internet Explorer 9, 10, and 11.

Note that security update 3218362 in MS17-006 must also be installed in order to fully resolve CVE-2017-0008 on Windows Vista and Windows Server 2008.

Public Exploits

---

Target Network Port(s): 139, 445
Target Asset(s): Host/patch_management_checks
Exploit Available: True (GitHub)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the MS17-006: Cumulative Security Update for Internet Explorer (4013073) vulnerability:

1. GitHub: https://github.com/LyleMi/dom-vuln-db
   [CVE-2017-0037]
2. GitHub: https://github.com/chattopadhyaykittu/CVE-2017-0037
   [CVE-2017-0037]
3. GitHub: https://github.com/googleprojectzero/domato
   [CVE-2017-0037]
4. GitHub: https://github.com/redr2e/exploits
   [CVE-2017-0037]
5. GitHub: https://github.com/xinali/articles
   [CVE-2017-0037]
6. GitHub: https://redr2e.com/cve-to-poc-cve-2017-0037/
   [CVE-2017-0037]
7. GitHub: https://github.com/googleprojectzero/domato
   [CVE-2017-0059]
8. GitHub: https://github.com/redr2e/exploits
   [CVE-2017-0059]
9. GitHub: https://redr2e.com/cve-to-poc-cve-2017-0059/
   [CVE-2017-0059]

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information

---

CVSS Score Source [?]: CVE-2017-0149
CVSS V2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C/E:H/RL:OF/RC:C

CVSS Base Score:	7.6 (High)
Impact Subscore:	10.0
Exploitability Subscore:	4.9
CVSS Temporal Score:	6.6 (Medium)
CVSS Environmental Score:	NA (None)
Modified Impact Subscore:	NA
Overall CVSS Score:	6.6 (Medium)

CVSS V3 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C

CVSS Base Score:	7.5 (High)
Impact Subscore:	5.9
Exploitability Subscore:	1.6
CVSS Temporal Score:	7.2 (High)
CVSS Environmental Score:	NA (None)
Modified Impact Subscore:	NA
Overall CVSS Score:	7.2 (High)

Go back to menu.

Plugin Source

---

This is the smb_nt_ms17-006.nasl nessus plugin source code. This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. or an Affiliate thereof.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(97729);
  script_version("1.15");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/03/29");

  script_cve_id(
    "CVE-2017-0008",
    "CVE-2017-0009",
    "CVE-2017-0012",
    "CVE-2017-0018",
    "CVE-2017-0033",
    "CVE-2017-0037",
    "CVE-2017-0040",
    "CVE-2017-0049",
    "CVE-2017-0059",
    "CVE-2017-0130",
    "CVE-2017-0149",
    "CVE-2017-0154"
  );
  script_bugtraq_id(
    96073,
    96077,
    96085,
    96086,
    96087,
    96088,
    96094,
    96095,
    96645,
    96647,
    96724,
    96766
  );
  script_xref(name:"MSFT", value:"MS17-006");
  script_xref(name:"MSKB", value:"3218362");
  script_xref(name:"MSKB", value:"4012204");
  script_xref(name:"MSKB", value:"4012215");
  script_xref(name:"MSKB", value:"4012216");
  script_xref(name:"MSKB", value:"4012217");
  script_xref(name:"MSKB", value:"4012606");
  script_xref(name:"MSKB", value:"4013198");
  script_xref(name:"MSKB", value:"4013429");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/04/18");

  script_name(english:"MS17-006: Cumulative Security Update for Internet Explorer (4013073)");

  script_set_attribute(attribute:"synopsis", value:
"The remote host has a web browser installed that is affected by
multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Internet Explorer installed on the remote Windows host
is missing Cumulative Security Update 4013073. It is, therefore,
affected by multiple vulnerabilities, the most severe of which are
remote code execution vulnerabilities. An unauthenticated, remote
attacker can exploit these vulnerabilities by convincing a user to
visit a specially crafted website, resulting in the execution of
arbitrary code in the context of the current user.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-006");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Internet Explorer 9, 10,
and 11.

Note that security update 3218362 in MS17-006 must also be installed
in order to fully resolve CVE-2017-0008 on Windows Vista and Windows
Server 2008.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-0149");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/02/23");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/03/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/14");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:ie");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl", "smb_check_rollup.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS17-006';
kbs = make_list(
  '4012204', # ie9 ; vista and 2008
  '3218362', # ie9 ; api messaging ; vista and 2008
  '4012204', # ie10 sec rollup ; 2012
  '4012217', # ie10 reg rollup ; 2012
  '4012204', # ie11 sec rollup ; 7 and 2008 r2
  '4012215', # ie11 reg rollup ; 7 and 2008 r2
  '4012204', # ie11 sec rollup ; 8.1 and 2012 r2
  '4012216', # ie11 reg rollup ; 8.1 and 2012 r2
  '4012606', # ie11 rollup ; win 10
  '4013198', # ie11 rollup ; win 10 1511
  '4013429'  # ie11 rollup ; win 10 1607
);

if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(vista:'2', win7:'1', win8:'0',  win81:'0', win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

productname = get_kb_item_or_exit("SMB/ProductName", exit_code:1);
if ("Windows 8" >< productname && "8.1" >!< productname)
 audit(AUDIT_OS_SP_NOT_VULN);

if (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);

share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if (
  # Windows 10 1607
  smb_check_rollup(os:"10", sp:0, os_build:"14393", rollup_date: "03_2017", bulletin:bulletin, rollup_kb_list:make_list(4013429)) ||
  # Windows 10 1511
  smb_check_rollup(os:"10", sp:0, os_build:"10586", rollup_date: "03_2017", bulletin:bulletin, rollup_kb_list:make_list(4013198)) ||
  # Windows 10
  smb_check_rollup(os:"10", sp:0, os_build:"10240", rollup_date: "03_2017", bulletin:bulletin, rollup_kb_list:make_list(4012606)) ||

  # Windows 8.1 / Windows Server 2012 R2
  # Internet Explorer 11
  ( smb_check_rollup(os:"6.3", sp:0, rollup_date: "03_2017", bulletin:bulletin, rollup_kb_list:make_list(4012216)) &&
    hotfix_is_vulnerable(os:"6.3", sp:0, file:"mshtml.dll", version:"11.0.9600.18618", min_version:"11.0.9600.16000", dir:"\system32", bulletin:bulletin, kb:"4012204")) ||

  # Windows Server 2012
  # Internet Explorer 10
  ( smb_check_rollup(os:"6.2", sp:0, rollup_date: "03_2017", bulletin:bulletin, rollup_kb_list:make_list(4012217)) &&
    hotfix_is_vulnerable(os:"6.2", sp:0, file:"mshtml.dll", version:"10.0.9200.22104", min_version:"10.0.9200.16000", dir:"\system32", bulletin:bulletin, kb:"4012204")) ||

  # Windows 7 / Server 2008 R2
  # Internet Explorer 11
  ( smb_check_rollup(os:"6.1", sp:1, rollup_date: "03_2017", bulletin:bulletin, rollup_kb_list:make_list(4012215)) &&
    hotfix_is_vulnerable(os:"6.1", sp:1, file:"mshtml.dll", version:"11.0.9600.18618", min_version:"11.0.9600.16000", dir:"\system32", bulletin:bulletin, kb:"4012204")) ||

  # Vista / Windows Server 2008
  # Internet Explorer 9
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"mshtml.dll", version:"9.0.8112.20985", min_version:"9.0.8112.20000", dir:"\system32", bulletin:bulletin, kb:"4012204") ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"mshtml.dll", version:"9.0.8112.16871", min_version:"9.0.8112.16000", dir:"\system32", bulletin:bulletin, kb:"4012204") ||

  # KB 3218362 / Vista and Windows Server 2008 / Inetcomm.dll
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"inetcomm.dll", version:"6.0.6002.24052", min_version:"6.0.6002.23000", dir:"\system32", bulletin:bulletin, kb:"3218362") ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"inetcomm.dll", version:"6.0.6002.19728", min_version:"6.0.6002.18000", dir:"\system32", bulletin:bulletin, kb:"3218362")
)
{
  set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
}

The latest version of this script can be found in these locations depending on your platform:

• Linux / Unix:
  /opt/nessus/lib/nessus/plugins/smb_nt_ms17-006.nasl
• Windows:
  C:\ProgramData\Tenable\Nessus\nessus\plugins\smb_nt_ms17-006.nasl
• Mac OS X:
  /Library/Nessus/run/lib/nessus/plugins/smb_nt_ms17-006.nasl

Go back to menu.

How to Run

---

Here is how to run the MS17-006: Cumulative Security Update for Internet Explorer (4013073) as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

1. Click to start a New Scan.
2. Select Advanced Scan.
3. Navigate to the Plugins tab.
4. On the top right corner click to Disable All plugins.
5. On the left side table select Windows : Microsoft Bulletins plugin family.
6. On the right side table select MS17-006: Cumulative Security Update for Internet Explorer (4013073) plugin ID 97729.
7. Specify the target on the Settings tab and click to Save the scan.
8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl smb_nt_ms17-006.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a smb_nt_ms17-006.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - smb_nt_ms17-006.nasl -t <IP/HOST>

Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):

/opt/nessus/bin/nasl -K /tmp/state smb_nt_ms17-006.nasl -t <IP/HOST>

Go back to menu.

References

---

BID | SecurityFocus Bugtraq ID:

• 96073, 96077, 96085, 96086, 96087, 96088, 96094, 96095, 96645, 96647, 96724, 96766

MSKB | Microsoft Knowledge Base:

• 3218362, 4012204, 4012215, 4012216, 4012217, 4012606, 4013198, 4013429

MSFT | Microsoft Security Bulletin:

• MS17-006

See also:

• https://www.tenable.com/plugins/nessus/97729
• https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-006
• https://vulners.com/nessus/SMB_NT_MS17-006.NASL

Similar and related Nessus plugins:

• 97730 - MS17-007: Cumulative Security Update for Microsoft Edge (4013071)
• 96392 - MS17-003: Security Update for Adobe Flash Player (3214628)
• 97745 - MS17-008: Security Update for Windows Hyper-V (4013082)
• 97737 - MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya)
• 97732 - MS17-011: Security Update for Microsoft Uniscribe (4013076)
• 97743 - MS17-012: Security Update for Microsoft Windows (4013078)
• 97794 - MS17-013: Security Update for Microsoft Graphics Component (4013075)
• 97733 - MS17-017: Security Update for Windows Kernel (4013081)
• 97734 - MS17-020: Security Update for Windows DVD Maker (3208223)
• 97735 - MS17-023: Security Update for Adobe Flash Player (4014329)
• 97833 - MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya) (uncredentialed check)

Version

---

This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file smb_nt_ms17-006.nasl version 1.15. For more plugins, visit the Nessus Plugin Library.

Go back to menu.