Fully Patched Box - Still showing KB's Applying

[wintermute4316]

This may not apply to windows-exploit-suggester, but I tested this process on a fully patched Windows 7 desktop (ie. WindowsUpdate reports no patches needed and there are no pending reboots) however windows-exploit-suggester was still reporting KB's that were missing and possibly exploitable. When I tried to download and install those specific KB's manually from MS, following the links take you to another KB download and the installer would report that it's already installed. Is it possible that some of the missing KB#'s may not apply or are covered/superseded by other KB's? Could this be an issue with systeminfo, the MS database, and/or windows-exploit-suggester and the way it reports KB's?

Just trying to account for the inaccuracy and if it can be compensated for in windows-exploit-suggester.

[sammbertram]

What you're describing sounds like there are unlinked KBs in the database.

I've noticed some missing KBs in the XLS file that can raise false-positives, where the KB number is noted on the Microsoft website but is not present in the Excel sheet.

If you'd like send me your redacted data and I can take a look and try and figure out where the problem lies.

I think I may need to hardcode some specific KBs.

[sammbertram]

Just hardcoded MS11-011. If anyone finds any more let me know.

[CyberBubbleHead]

IRT wintermute4316's comments from Sept 28, 2016, I have noticed that, in Windows 7, systeminfo may not list all of the hotfixes installed on the machine (might be a limitation of the array). It will show a total of over 400 hotfixes applied, but only list the first 245 hotfixes by number. In order to get a complete list, you can type from the command line:

wmic qfe get hotfixid

Or, to run remotely:

wmic /node:'computer name' get hotfixid

Using the output from the above command yields identical results to a systeminfo run on Windows 10 (which has a complete hotfix list) as long as the -o option is used to specify the OS version (e.g. -o "Windows 10 Pro 64-bit"). Alternatively, by replacing the list of hotfixes in the original systeminfo file with the complete hotfix list from wmic qfe get hotfixid, you can skip the -o option.

[CyberBubbleHead]

In reviewing the output from a scan of a Windows 10 Pro x64 v1607 (Build14393), the output from Windows-Exploit-Suggester gives a number of false positives in that it lists exploits that only apply to earlier Windows 10 builds. This might be solved by adding a function to exclude certain KBs based on Build #, since newer builds have all older patches incorporated (similar to a service pack).
More info on Windows 10 versions and Build #s can be found here:

https://technet.microsoft.com/en-us/windows/release-info.aspx

Below is the sanitized systeminfo and the resultant output.

systeminfo:
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.14393 N/A Build 14393
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
System Type: x64-based PC
Hotfix(s): 7 Hotfix(s) Installed.
[01]: KB3176936
[02]: KB3199209
[03]: KB3199986
[04]: KB3211320
[05]: KB3214628
[06]: KB4010250
[07]: KB3213986

Windows-Exploit-Suggester:
�[1;34m[]�[0;0m initiating winsploit version 3.3...
�[1;34m[]�[0;0m database file detected as xls or xlsx based on extension
�[1;34m[]�[0;0m attempting to read from the systeminfo input file
�[1;32m[+]�[0;0m systeminfo input file read successfully (ascii)
�[1;34m[]�[0;0m querying database file for potential vulnerabilities
�[1;34m[]�[0;0m comparing the 8 hotfix(es) against the 149 potential bulletins(s) with a database of 137 known exploits
�[1;34m[]�[0;0m there are now 144 remaining vulns
�[1;32m[+]�[0;0m [E] exploitdb PoC, [M] Metasploit module, [] missing bulletin
�[1;32m[+]�[0;0m windows version identified as 'Windows 10 64-bit'
�[1;34m[]�[0;0m
�[1;32m[E]�[0;0m MS16-135: Security Update for Windows Kernel-Mode Drivers (3199135) - Important
�[1;34m[]�[0;0m https://www.exploit-db.com/exploits/40745/ -- Microsoft Windows Kernel - win32k Denial of Service (MS16-135)
�[1;34m[]�[0;0m https://www.exploit-db.com/exploits/41015/ -- Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135) (2)
�[1;34m[]�[0;0m https://github.com/tinysec/public/tree/master/CVE-2016-7255
�[1;34m[]�[0;0m
�[1;32m[E]�[0;0m MS16-098: Security Update for Windows Kernel-Mode Drivers (3178466) - Important
�[1;34m[]�[0;0m https://www.exploit-db.com/exploits/41020/ -- Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098)
�[1;34m[]�[0;0m
�[1;32m[M]�[0;0m MS16-075: Security Update for Windows SMB Server (3164038) - Important
�[1;34m[]�[0;0m https://github.com/foxglovesec/RottenPotato
�[1;34m[]�[0;0m https://github.com/Kevin-Robertson/Tater
�[1;34m[]�[0;0m https://bugs.chromium.org/p/project-zero/issues/detail?id=222 -- Windows: Local WebDAV NTLM Reflection Elevation of Privilege
�[1;34m[]�[0;0m https://foxglovesecurity.com/2016/01/16/hot-potato/ -- Hot Potato - Windows Privilege Escalation
�[1;34m[]�[0;0m
�[1;32m[E]�[0;0m MS16-074: Security Update for Microsoft Graphics Component (3164036) - Important
�[1;34m[]�[0;0m https://www.exploit-db.com/exploits/39990/ -- Windows - gdi32.dll Multiple DIB-Related EMF Record Handlers Heap-Based Out-of-Bounds Reads/Memory Disclosure (MS16-074), PoC
�[1;34m[]�[0;0m https://www.exploit-db.com/exploits/39991/ -- Windows Kernel - ATMFD.DLL NamedEscape 0x250C Pool Corruption (MS16-074), PoC
�[1;34m[]�[0;0m
�[1;32m[E]�[0;0m MS16-063: Cumulative Security Update for Internet Explorer (3163649) - Critical
�[1;34m[]�[0;0m https://www.exploit-db.com/exploits/39994/ -- Internet Explorer 11 - Garbage Collector Attribute Type Confusion (MS16-063), PoC
�[1;34m[]�[0;0m
�[1;32m[E]�[0;0m MS16-056: Security Update for Windows Journal (3156761) - Critical
�[1;34m[]�[0;0m https://www.exploit-db.com/exploits/40881/ -- Microsoft Internet Explorer - jscript9 Java­Script­Stack­Walker Memory Corruption (MS15-056)
�[1;34m[]�[0;0m http://blog.skylined.nl/20161206001.html -- MSIE jscript9 Java­Script­Stack­Walker memory corruption
�[1;34m[]�[0;0m
�[1;32m[E]�[0;0m MS16-032: Security Update for Secondary Logon to Address Elevation of Privile (3143141) - Important
�[1;34m[]�[0;0m https://www.exploit-db.com/exploits/40107/ -- MS16-032 Secondary Logon Handle Privilege Escalation, MSF
�[1;34m[]�[0;0m https://www.exploit-db.com/exploits/39574/ -- Microsoft Windows 8.1/10 - Secondary Logon Standard Handles Missing Sanitization Privilege Escalation (MS16-032), PoC
�[1;34m[]�[0;0m https://www.exploit-db.com/exploits/39719/ -- Microsoft Windows 7-10 & Server 2008-2012 (x32/x64) - Local Privilege Escalation (MS16-032) (PowerShell), PoC
�[1;34m[]�[0;0m https://www.exploit-db.com/exploits/39809/ -- Microsoft Windows 7-10 & Server 2008-2012 (x32/x64) - Local Privilege Escalation (MS16-032) (C#)
�[1;34m[]�[0;0m
�[1;32m[M]�[0;0m MS16-016: Security Update for WebDAV to Address Elevation of Privilege (3136041) - Important
�[1;34m[]�[0;0m https://www.exploit-db.com/exploits/40085/ -- MS16-016 mrxdav.sys WebDav Local Privilege Escalation, MSF
�[1;34m[]�[0;0m https://www.exploit-db.com/exploits/39788/ -- Microsoft Windows 7 - WebDAV Privilege Escalation Exploit (MS16-016) (2), PoC
�[1;34m[]�[0;0m https://www.exploit-db.com/exploits/39432/ -- Microsoft Windows 7 SP1 x86 - WebDAV Privilege Escalation (MS16-016) (1), PoC
�[1;34m[]�[0;0m
�[1;32m[E]�[0;0m MS16-014: Security Update for Microsoft Windows to Address Remote Code Execution (3134228) - Important
�[1;34m[]�[0;0m Windows 7 SP1 x86 - Privilege Escalation (MS16-014), https://www.exploit-db.com/exploits/40039/, PoC
�[1;34m[]�[0;0m
�[1;32m[E]�[0;0m MS16-007: Security Update for Microsoft Windows to Address Remote Code Execution (3124901) - Important
�[1;34m[]�[0;0m https://www.exploit-db.com/exploits/39232/ -- Microsoft Windows devenum.dll!DeviceMoniker::Load() - Heap Corruption Buffer Underflow (MS16-007), PoC
�[1;34m[]�[0;0m https://www.exploit-db.com/exploits/39233/ -- Microsoft Office / COM Object DLL Planting with WMALFXGFXDSP.dll (MS-16-007), PoC
�[1;34m[]�[0;0m
�[1;32m[E]�[0;0m MS15-132: Security Update for Microsoft Windows to Address Remote Code Execution (3116162) - Important
�[1;34m[]�[0;0m https://www.exploit-db.com/exploits/38968/ -- Microsoft Office / COM Object DLL Planting with comsvcs.dll Delay Load of mqrt.dll (MS15-132), PoC
�[1;34m[]�[0;0m https://www.exploit-db.com/exploits/38918/ -- Microsoft Office / COM Object els.dll DLL Planting (MS15-134), PoC
�[1;34m[]�[0;0m
�[1;32m[E]�[0;0m MS15-112: Cumulative Security Update for Internet Explorer (3104517) - Critical
�[1;34m[]�[0;0m https://www.exploit-db.com/exploits/39698/ -- Internet Explorer 9/10/11 - CDOMStringDataList::InitFromString Out-of-Bounds Read (MS15-112)
�[1;34m[]�[0;0m
�[1;32m[E]�[0;0m MS15-111: Security Update for Windows Kernel to Address Elevation of Privilege (3096447) - Important
�[1;34m[]�[0;0m https://www.exploit-db.com/exploits/38474/ -- Windows 10 Sandboxed Mount Reparse Point Creation Mitigation Bypass (MS15-111), PoC
�[1;34m[]�[0;0m
�[1;32m[E]�[0;0m MS15-102: Vulnerabilities in Windows Task Management Could Allow Elevation of Privilege (3089657) - Important
�[1;34m[]�[0;0m https://www.exploit-db.com/exploits/38202/ -- Windows CreateObjectTask SettingsSyncDiagnostics Privilege Escalation, PoC
�[1;34m[]�[0;0m https://www.exploit-db.com/exploits/38200/ -- Windows Task Scheduler DeleteExpiredTaskAfter File Deletion Privilege Escalation, PoC
�[1;34m[]�[0;0m https://www.exploit-db.com/exploits/38201/ -- Windows CreateObjectTask TileUserBroker Privilege Escalation, PoC
�[1;34m[]�[0;0m
�[1;32m[E]�[0;0m MS15-097: Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (3089656) - Critical
�[1;34m[]�[0;0m https://www.exploit-db.com/exploits/38198/ -- Windows 10 Build 10130 - User Mode Font Driver Thread Permissions Privilege Escalation, PoC
�[1;34m[]�[0;0m https://www.exploit-db.com/exploits/38199/ -- Windows NtUserGetClipboardAccessToken Token Leak, PoC
�[1;34m[]�[0;0m
�[1;34m[]�[0;0m done