[Openvas-commits] r919 - in trunk/openvas-plugins: . scripts
scm-commit@wald.intevation.org
scm-commit at wald.intevation.org
Tue Jun 17 20:22:39 CEST 2008
Author: ckm
Date: 2008-06-17 20:22:38 +0200 (Tue, 17 Jun 2008)
New Revision: 919
Added:
trunk/openvas-plugins/scripts/cups_CB-A08-0045.nasl
trunk/openvas-plugins/scripts/kerberos_CB-A08-0044.nasl
trunk/openvas-plugins/scripts/mozilla_CB-A08-0017.nasl
trunk/openvas-plugins/scripts/smbcl_CVE-2008-0234.nasl
trunk/openvas-plugins/scripts/smbcl_mozilla.nasl
trunk/openvas-plugins/scripts/win_CVE-2008-0080.nasl
Modified:
trunk/openvas-plugins/ChangeLog
trunk/openvas-plugins/scripts/gather-package-list.nasl
trunk/openvas-plugins/scripts/version_func.inc
Log:
* scripts/gather-package-list.nasl changed for generic
SuSE test.
* scripts/kerberos_CB-A08-0044.nasl new
* scripts/cups_CB-A08-0045.nasl new
* scripts/win_CVE-2008-0080.nasl new
* scripts/smbcl_CVE-2008-0234.nasl new
* scripts/smbcl_mozilla.nasl new
* scripts/mozilla_CB-A08-0017.nasl new
* scripts/version_func.inc added standard separator if
version string has no separator.
Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog 2008-06-17 06:25:21 UTC (rev 918)
+++ trunk/openvas-plugins/ChangeLog 2008-06-17 18:22:38 UTC (rev 919)
@@ -1,3 +1,16 @@
+2008-06-17 Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>.
+
+ * scripts/gather-package-list.nasl changed for generic
+ SuSE test.
+ * scripts/kerberos_CB-A08-0044.nasl new
+ * scripts/cups_CB-A08-0045.nasl new
+ * scripts/win_CVE-2008-0080.nasl new
+ * scripts/smbcl_CVE-2008-0234.nasl new
+ * scripts/smbcl_mozilla.nasl new
+ * scripts/mozilla_CB-A08-0017.nasl new
+ * scripts/version_func.inc added standard separator if
+ version string has no separator.
+
2008-06-16 Jan-Oliver Wagner <jan-oliver.wagner at intevation.de>
* openvas-nvt-sync.in: Fixed path creation to not add '"'
Added: trunk/openvas-plugins/scripts/cups_CB-A08-0045.nasl
===================================================================
--- trunk/openvas-plugins/scripts/cups_CB-A08-0045.nasl 2008-06-17 06:25:21 UTC (rev 918)
+++ trunk/openvas-plugins/scripts/cups_CB-A08-0045.nasl 2008-06-17 18:22:38 UTC (rev 919)
@@ -0,0 +1,156 @@
+#
+# This script was written by Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>
+#
+# This script is released under the GNU GPLv2
+#
+# $Revision: 01 $
+
+if(description)
+{
+
+ script_id(90017);
+ script_version ("$Revision: 01 $");
+# script_cve_id("CVE-2008-0047");
+ name["english"] = "Cups < 1.3.6 vulnerability";
+ script_name(english:name["english"]);
+
+ desc["english"] = "The remote host is probably affected by the vulnerabilities described in
+CVE-2008-0047
+
+Impact
+
+ CVE-2008-0047: Heap-based buffer overflow in the cgiCompileSearch
+ function in CUPS 1.3.5, and other versions including the version
+ bundled with Apple Mac OS X 10.5.2, when printer sharing is enabled,
+ allows remote attackers to execute arbitrary code via crafted search
+ expressions.
+
+References:
+ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0047
+
+Solution:
+ All Cups users should upgrade to the latest version:
+
+
+Risk factor : High
+";
+
+ script_description(english:desc["english"]);
+ summary["english"] = "Determines Cups < 1.3.6 vulnerability";
+ script_summary(english:summary["english"]);
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"This script is under GPLv2");
+ family["english"] = "Local test SuSE/FC/Gentoo";
+ script_family(english:family["english"]);
+ script_dependencies("gather-package-list.nasl");
+ exit(0);
+}
+
+#
+# The code starts here
+#
+
+include("version_func.inc");
+include("revisions-lib.inc");
+
+# Checking SuSE/Fedora
+ kbrls = get_kb_item("ssh/login/release");
+ rls[0] = "SUSE10.0";
+ ver[0] = "1.2.7";
+ rel[0] = "12.13";
+ pkg[0] = "cups";
+ rls[1] = "SUSE10.1";
+ ver[1] = "1.2.7";
+ rel[1] = "12.13";
+ pkg[1] = "cups";
+ rls[2] = "SUSE10.2";
+ ver[2] = "1.2.7";
+ rel[2] = "12.13";
+ pkg[2] = "cups";
+ rls[3] = "SUSE10.3";
+ ver[3] = "1.2.12";
+ rel[3] = "22.11";
+ pkg[3] = "cups";
+ rls[4] = "SUSE10.0";
+ ver[4] = "1.2.7";
+ rel[4] = "12.13";
+ pkg[4] = "cups-client";
+ rls[5] = "SUSE10.1";
+ ver[5] = "1.2.7";
+ rel[5] = "12.13";
+ pkg[5] = "cups-client";
+ rls[6] = "SUSE10.2";
+ ver[6] = "1.2.7";
+ rel[6] = "12.13";
+ pkg[6] = "cups-client";
+ rls[7] = "SUSE10.3";
+ ver[7] = "1.2.12";
+ rel[7] = "22.11";
+ pkg[7] = "cups-client";
+ rls[8] = "FC7";
+ ver[8] = "1.2.12";
+ rel[8] = "10.fc7";
+ pkg[8] = "cups";
+ rls[9] = "FC8";
+ ver[9] = "1.3.6";
+ rel[9] = "4.fc8";
+ pkg[9] = "cups";
+ rls[10] = "SUSE10.0";
+ ver[10] = "1.2.7";
+ rel[10] = "12.13";
+ pkg[10] = "cups-libs";
+ rls[11] = "SUSE10.1";
+ ver[11] = "1.2.7";
+ rel[11] = "12.13";
+ pkg[11] = "cups-libs";
+ rls[12] = "SUSE10.2";
+ ver[12] = "1.2.7";
+ rel[12] = "12.13";
+ pkg[12] = "cups-libs";
+ rls[13] = "SUSE10.3";
+ ver[13] = "1.2.12";
+ rel[13] = "22.11";
+ pkg[13] = "cups-libs";
+
+ foreach i (keys(rls)) {
+ if( kbrls == rls[i] ) {
+ rpms = get_kb_item("ssh/login/rpms");
+ if( rpms ) {
+ pat = ";"+pkg[i]+"~([0-9\.\-]+)";
+ version = get_string_version(text:rpms, ver_pattern:pat);
+ if(!isnull(version)) {
+ if( version_is_less(version:version[1], test_version:ver[i]) ) {
+ security_hole(port:0, proto:"Cups");
+ } else {
+ if( version_is_equal(version:version[1], test_version:ver[i]) ) {
+ pat = version[0]+"~([0-9\.\-]+)";
+ release = get_string_version(text:rpms, ver_pattern:pat);
+ if(!isnull(release)) {
+ if( version_is_less(version:release[1] ,test_version:rel[i]) ) {
+ security_hole(port:0, proto:"Cups");
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+
+# Checking Gentoo
+ rls = "GENTOO";
+ pat = "net-print/cups-([a-zA-Z0-9\.\-]+)";
+ ver = "1.2.12-r7";
+ if( kbrls == rls ) {
+ pkg = get_kb_item("ssh/login/pkg");
+ if(pkg) {
+ version = get_string_version(text:pkg, ver_pattern:pat);
+ if(!isnull(version)) {
+ if( revcomp(a:version[1], b: ver) == -1 ) {
+ security_hole(port:0, proto:"Cups");
+ }
+ }
+ }
+ }
+
+exit(0);
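Review bot: The release pattern built from `version[0]`, `"~([0-9\.\-]+)"`, truncates the Fedora release strings in this table (`10.fc7`, `4.fc8`) to `10.` / `4.`, and once version_is_less() pads the missing component and letter-weights the `fc7`/`fc8` side, that truncated value is likely to compare as less than the fixed release, so a fully patched FC7/FC8 host would be flagged; widening the class, `pat = version[0]+"~([0-9A-Za-z\.\-]+)";`, keeps the whole release string for the comparison. `script_cve_id("CVE-2008-0047");` is commented out even though the description is built around that CVE, so the NVT carries no CVE cross-reference; it should be enabled. The table also has no `SUSE11.0` row, although gather-package-list.nasl in this same commit now emits that release value and the Kerberos test added alongside already keys on it, so openSUSE 11.0 hosts get no CUPS check from this script.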
Property changes on: trunk/openvas-plugins/scripts/cups_CB-A08-0045.nasl
___________________________________________________________________
Name: svn:executable
+ *
Modified: trunk/openvas-plugins/scripts/gather-package-list.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gather-package-list.nasl 2008-06-17 06:25:21 UTC (rev 918)
+++ trunk/openvas-plugins/scripts/gather-package-list.nasl 2008-06-17 18:22:38 UTC (rev 919)
@@ -10,12 +10,12 @@
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2
-#
+#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
-#
+#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
@@ -25,10 +25,10 @@
{
script_id(50282);
script_version("$");
-
+
name["english"] = "Determine OS and list of installed packages via SSH login";
script_name(english:name["english"]);
-
+
desc["english"] = "
This script will, if given a userid/password or
key to the remote system, login to that system,
@@ -38,12 +38,12 @@
Risk factor : None";
script_description(english:desc["english"]);
-
+
summary["english"] = "Determine OS and list of installed packages via SSH login";
script_summary(english:summary["english"]);
-
+
script_category(ACT_GATHER_INFO);
-
+
script_copyright(english:"Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com");
family["english"] = "Misc.";
script_family(english:family["english"]);
@@ -579,93 +579,18 @@
}
# How about SuSe?
# SuSE Linux 9.x (i586)
-# SUSE LINUX 11
+# SUSE LINUX 11.0
-rls = ssh_cmd(socket:sock, cmd:"cat /etc/SuSE-release");
-if("SUSE LINUX 11 "><rls) {
- set_kb_item(name: "ssh/login/release", value: "SUSE11");
+rls = toupper(ssh_cmd(socket:sock, cmd:"cat /etc/SuSE-release"));
+if("SUSE"><rls) {
+ ver = eregmatch(pattern:"VERSION = ([0-9\.]+)", string:rls);
+ if( isnull(ver) ) ver[1] = " ";
+ set_kb_item(name: "ssh/login/release", value: "SUSE"+ver[1]);
buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf '%{NAME}~%{VERSION}~%{RELEASE};'");
set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
- security_note(port:port, data:string("We are able to login and detect that you are running SuSE Linux 11"));
+ security_note(port:port, data:string("We are able to login and detect that you are running SuSE Linux "+ver[1]));
exit(0);
}
-if("SUSE LINUX 10.3 "><rls) {
- set_kb_item(name: "ssh/login/release", value: "SUSE10.3");
- buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf '%{NAME}~%{VERSION}~%{RELEASE};'");
- set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
- security_note(port:port, data:string("We are able to login and detect that you are running SuSE Linux 10.3"));
- exit(0);
-}
-if("SUSE LINUX 10.2 "><rls) {
- set_kb_item(name: "ssh/login/release", value: "SUSE10.2");
- buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf '%{NAME}~%{VERSION}~%{RELEASE};'");
- set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
- security_note(port:port, data:string("We are able to login and detect that you are running SuSE Linux 10.2"));
- exit(0);
-}
-if("SUSE LINUX 10.1 "><rls) {
- set_kb_item(name: "ssh/login/release", value: "SUSE10.1");
- buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf '%{NAME}~%{VERSION}~%{RELEASE};'");
- set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
- security_note(port:port, data:string("We are able to login and detect that you are running SuSE Linux 10.1"));
- exit(0);
-}
-if("SuSE Linux 9.3 "><rls) {
- set_kb_item(name: "ssh/login/release", value: "SUSE9.3");
- buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf '%{NAME}~%{VERSION}~%{RELEASE};'");
- set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
- security_note(port:port, data:string("We are able to login and detect that you are running SuSE Linux 9.3"));
- exit(0);
-}
-if("SuSE Linux 9.2 "><rls) {
- set_kb_item(name: "ssh/login/release", value: "SUSE9.2");
- buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf '%{NAME}~%{VERSION}~%{RELEASE};'");
- set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
- security_note(port:port, data:string("We are able to login and detect that you are running SuSE Linux 9.2"));
- exit(0);
-}
-if("SuSE Linux 9.1 "><rls) {
- set_kb_item(name: "ssh/login/release", value: "SUSE9.1");
- buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf '%{NAME}~%{VERSION}~%{RELEASE};'");
- set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
- security_note(port:port, data:string("We are able to login and detect that you are running SuSE Linux 9.1"));
- exit(0);
-}
-if("SuSE Linux 9.0 "><rls) {
- set_kb_item(name: "ssh/login/release", value: "SUSE9.0");
- buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf '%{NAME}~%{VERSION}~%{RELEASE};'");
- set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
- security_note(port:port, data:string("We are able to login and detect that you are running SuSE Linux 9.0"));
- exit(0);
-}
-if("SuSE Linux 8.2 "><rls) {
- set_kb_item(name: "ssh/login/release", value: "SUSE8.2");
- buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf '%{NAME}~%{VERSION}~%{RELEASE};'");
- set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
- security_note(port:port, data:string("We are able to login and detect that you are running SuSE Linux 8.2"));
- exit(0);
-}
-if("SuSE Linux 8.1 "><rls) {
- set_kb_item(name: "ssh/login/release", value: "SUSE8.1");
- buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf '%{NAME}~%{VERSION}~%{RELEASE};'");
- set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
- security_note(port:port, data:string("We are able to login and detect that you are running SuSE Linux 8.1"));
- exit(0);
-}
-if("SuSE Linux 8.0 "><rls) {
- set_kb_item(name: "ssh/login/release", value: "SUSE8.0");
- buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf '%{NAME}~%{VERSION}~%{RELEASE};'");
- set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
- security_note(port:port, data:string("We are able to login and detect that you are running SuSE Linux 8.0"));
- exit(0);
-}
-if("SuSE Linux 7.3 "><rls) {
- set_kb_item(name: "ssh/login/release", value: "SUSE7.3");
- buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf '%{NAME}~%{VERSION}~%{RELEASE};'");
- set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
- security_note(port:port, data:string("We are able to login and detect that you are running SuSE Linux 7.3"));
- exit(0);
-}
# How about Trustix?
rls = ssh_cmd(socket:sock, cmd:"cat /etc/release");
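Review bot: When no `VERSION = ` line is found, `ver[1] = " "` turns the KB release into `"SUSE "`, a value no package test will ever match, so the scan reports a successful SuSE detection while every SuSE-specific NVT silently does nothing; make the gap visible instead, e.g. `if( isnull(ver) ) { security_note(port:port, data:"SuSE release file found but VERSION could not be parsed from /etc/SuSE-release"); ver[1] = "unknown"; }`. The KB value also changes format here — the removed branch stored `SUSE11`, the generic code stores `SUSE11.0` — so any NVT still keying on the old value stops matching (the Kerberos test added in this commit already uses `SUSE11.0`). `"SUSE"><rls` is a substring test on the upper-cased file, and if some SuSE products publish a VERSION without a minor number the key becomes e.g. `SUSE10`, which would not hit the `SUSE10.x` rows of the new package tests — worth confirming against an SLES release file before relying on the generic parse. This hunk sits in the middle of the detection script, which continues on both sides of it.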
Added: trunk/openvas-plugins/scripts/kerberos_CB-A08-0044.nasl
===================================================================
--- trunk/openvas-plugins/scripts/kerberos_CB-A08-0044.nasl 2008-06-17 06:25:21 UTC (rev 918)
+++ trunk/openvas-plugins/scripts/kerberos_CB-A08-0044.nasl 2008-06-17 18:22:38 UTC (rev 919)
@@ -0,0 +1,169 @@
+#
+# This script was written by Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>
+#
+# This script is released under the GNU GPLv2
+#
+# $Revision: 01 $
+
+if(description)
+{
+
+ script_id(90016);
+ script_version ("$Revision: 01 $");
+# script_cve_id("CVE-2008-0948");
+ name["english"] = "Kerberos < 1.6.4 vulnerability";
+ script_name(english:name["english"]);
+
+ desc["english"] = "The remote host is probably affected by the vulnerabilities described in
+CVE-2008-0062, CVE-2008-0063, CVE-2008-0947, CVE-2008-0948
+
+Impact
+
+ CVE-2008-0062: An unauthenticated remote attacker may cause a
+ krb4-enabled KDC to crash, expose information, or execute arbitrary
+ code. Successful exploitation of this vulnerability could compromise
+ the Kerberos key database and host security on the KDC host.
+
+ CVE-2008-0063: An unauthenticated remote attacker may cause a
+ krb4-enabled KDC to expose information. It is theoretically possible
+ for the exposed information to include secret key data on some
+ platforms.
+
+ CVE 2008-0947
+ Buffer overflow in the RPC library used by libgssrpc and kadmind in
+ MIT Kerberos 5 (krb5) 1.4 through 1.6.3 allows remote attackers to
+ execute arbitrary code by triggering a large number of open file descriptors.
+
+ CVE 2008-0948
+ Buffer overflow in the RPC library (lib/rpc/rpc_dtablesize.c) used by
+ libgssrpc and kadmind in MIT Kerberos 5 (krb5) 1.2.2, and probably
+ other versions before 1.3, when running on systems whose unistd.h does
+ not define the FD_SETSIZE macro, allows remote attackers to cause a denial
+ of service (crash) and possibly execute arbitrary code by triggering a
+ large number of open file descriptors.
+
+
+References:
+ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0062
+ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0063
+ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0947
+ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0948
+
+Solution:
+ All Kerberos users should upgrade to the latest version:
+
+
+Risk factor : High
+";
+
+ script_description(english:desc["english"]);
+ summary["english"] = "Determines Kerberos < 1.6.4 vulnerability";
+ script_summary(english:summary["english"]);
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"This script is under GPLv2");
+ family["english"] = "Local test SuSE/FC/Gentoo";
+ script_family(english:family["english"]);
+ script_dependencies("gather-package-list.nasl");
+ exit(0);
+}
+
+#
+# The code starts here
+#
+
+include("version_func.inc");
+include("revisions-lib.inc");
+
+# Checking SuSE/Fedora
+ kbrls = get_kb_item("ssh/login/release");
+ rls[0] = "SUSE10.0";
+ ver[0] = "1.4.3";
+ rel[0] = "19.30.6";
+ pkg[0] = "krb5";
+ rls[1] = "SUSE10.1";
+ ver[1] = "1.4.3";
+ rel[1] = "19.30.6";
+ pkg[1] = "krb5";
+ rls[2] = "SUSE10.2";
+ ver[2] = "1.5.1";
+ rel[2] = "23.14";
+ pkg[2] = "krb5";
+ rls[3] = "SUSE10.3";
+ ver[3] = "1.6.2";
+ rel[3] = "22.4";
+ pkg[3] = "krb5";
+ rls[4] = "SUSE11.0";
+ ver[4] = "1.6.3";
+ rel[4] = "49";
+ pkg[4] = "krb5";
+ rls[5] = "SUSE10.0";
+ ver[5] = "1.4.3";
+ rel[5] = "19.30.6";
+ pkg[5] = "krb5-server";
+ rls[6] = "SUSE10.1";
+ ver[6] = "1.4.3";
+ rel[6] = "19.30.6";
+ pkg[6] = "krb5-server";
+ rls[7] = "SUSE10.2";
+ ver[7] = "1.5.1";
+ rel[7] = "23.14";
+ pkg[7] = "krb5-server";
+ rls[8] = "SUSE10.3";
+ ver[8] = "1.6.2";
+ rel[8] = "22.4";
+ pkg[8] = "krb5-server";
+ rls[9] = "SUSE11.0";
+ ver[9] = "1.6.3";
+ rel[9] = "49";
+ pkg[10] = "krb5-server";
+ rls[10] = "FC7";
+ ver[10] = "1.6.1";
+ rel[10] = "9.fc7";
+ pkg[11] = "krb5";
+ rls[11] = "FC8";
+ ver[11] = "1.6.2";
+ rel[11] = "14.fc8";
+ pkg[11] = "krb5";
+
+ foreach i (keys(rls)) {
+ if( kbrls == rls[i] ) {
+ rpms = get_kb_item("ssh/login/rpms");
+ if(rpms) {
+ pat = ";"+pkg[i]+"~([0-9\.\-]+)";
+ version = get_string_version(text:rpms, ver_pattern:pat);
+ if(!isnull(version)) {
+ if( version_is_less(version:version[1], test_version:ver[i]) ) {
+ security_hole(port:0, proto:"Kerberos");
+ } else {
+ if( version_is_equal(version:version[1], test_version:ver[i]) ) {
+ pat = version[0]+"~([0-9\.\-]+)";
+ release = get_string_version(text:rpms, ver_pattern:pat);
+ if(!isnull(release)) {
+ if( version_is_less(version:release[1] ,test_version:rel[i]) ) {
+ security_hole(port:0, proto:"Kerberos");
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+
+# Checking Gentoo
+ rls = "GENTOO";
+ pat = "app-crypt/mit-krb5-([a-zA-Z0-9\.\-]+)";
+ ver = "1.6.3-r1";
+ if( kbrls == rls ) {
+ pkg = get_kb_item("ssh/login/pkg");
+ if(pkg) {
+ version = get_string_version(text:pkg, ver_pattern:pat);
+ if(!isnull(version)) {
+ if( revcomp(a:version[1], b: ver) == -1 ) {
+ security_hole(port:0, proto:"Kerberos");
+ }
+ }
+ }
+ }
+
+exit(0);
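Review bot: The package table is mis-indexed at its tail: `pkg[10] = "krb5-server";` follows the `rls[9]`/`ver[9]`/`rel[9]` SUSE11.0 row and `pkg[11] = "krb5";` follows the `rls[10]` FC7 row, so `pkg[9]` is never assigned (the SUSE11.0 krb5-server check builds a pattern with an empty package name and cannot match) and the FC7 row tests `krb5-server` instead of the intended `krb5`; the fix is `pkg[9] = "krb5-server";` and `pkg[10] = "krb5";`. As in the CUPS test, the release pattern `[0-9\.\-]+` drops the `fc7`/`fc8` suffix from `9.fc7` and `14.fc8`, which is likely to make patched Fedora hosts compare as vulnerable; `[0-9A-Za-z\.\-]+` keeps the full release string. `script_cve_id` is commented out, and even the commented call names only CVE-2008-0948 while the description covers four CVEs; enable it with all four so the NVT is indexable by CVE.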
Property changes on: trunk/openvas-plugins/scripts/kerberos_CB-A08-0044.nasl
___________________________________________________________________
Name: svn:executable
+ *
Added: trunk/openvas-plugins/scripts/mozilla_CB-A08-0017.nasl
===================================================================
--- trunk/openvas-plugins/scripts/mozilla_CB-A08-0017.nasl 2008-06-17 06:25:21 UTC (rev 918)
+++ trunk/openvas-plugins/scripts/mozilla_CB-A08-0017.nasl 2008-06-17 18:22:38 UTC (rev 919)
@@ -0,0 +1,108 @@
+#
+# This script was written by Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>
+#
+# This script is released under the GNU GPLv2
+#
+# $Revision: 01 $
+
+if(description)
+{
+
+ script_id(90014);
+ script_version ("$Revision: 01 $");
+ script_cve_id("CVE-2008-1238","CVE-2008-1240","CVE-2008-1241");
+ name["english"] = "Mozilla Firefox, Thunderbird, Seamonkey. Several vulnerabilitys";
+ script_name(english:name["english"]);
+
+ desc["english"] = "The remote host is probable affected by the vulnerabilitys described in
+CVE-2008-0416, CVE-2007-4879, CVE-2008-1195, CVE-2008-1233,
+CVE-2008-1234, CVE-2008-1235, CVE-2008-1236, CVE-2008-1237,
+CVE-2008-1238, CVE-2008-1240, CVE-2008-1241 and more.
+
+
+Impact
+ Mozilla contributors moz_bug_r_a4, Boris Zbarsky,
+ and Johnny Stenback reported a series of vulnerabilities
+ which allow scripts from page content to run with elevated
+ privileges. moz_bug_r_a4 demonstrated additional variants
+ of MFSA 2007-25 and MFSA2007-35 (arbitrary code execution
+ through XPCNativeWrapper pollution). Additional
+ vulnerabilities reported separately by Boris Zbarsky,
+ Johnny Stenback, and moz_bug_r_a4 showed that the browser
+ could be forced to run JavaScript code using the wrong
+ principal leading to universal XSS and arbitrary code execution.
+ And more...
+
+
+References:
+ http://www.mozilla.org/security/announce/2008/mfsa2008-14.html
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0412
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0416
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1238
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1240
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1241
+ .
+ .
+ .
+
+Solution:
+ All Users should upgrade to the latest versions of Firefox, Thunderbird or Seamonkey.
+
+
+Risk factor : High";
+
+ script_description(english:desc["english"]);
+ summary["english"] = "Mozilla Firefox, Thunderbird, Seamonkey. Several vulnerabilitys";
+ script_summary(english:summary["english"]);
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"This script is under GPLv2");
+ family["english"] = "Local test";
+ script_family(english:family["english"]);
+ exit(0);
+}
+
+#
+# The code starts here
+#
+
+
+include("version_func.inc");
+
+r = find_bin(prog_name:"firefox");
+foreach binary_name (r) {
+ binary_name = chomp(binary_name);
+ ver = get_bin_version(full_prog_name:binary_name, version_argv:"--version", ver_pattern:"([0-9\.]+)");
+ if(ver != NULL) {
+ if(version_is_less(version:ver[0], test_version:"2.0.0.14") ) {
+ security_hole(port:0, proto:"Mozilla");
+ report = string("\nFound : ") + binary_name + " Version : " + ver[max_index(ver)-1] + string("\n");
+ security_hole(port:0, proto:"Mozilla", data:report);
+ }
+ }
+}
+r = find_bin(prog_name:"thunderbird");
+foreach binary_name (r) {
+ binary_name = chomp(binary_name);
+ ver = get_bin_version(full_prog_name:binary_name, version_argv:"--version", ver_pattern:"([0-9\.]+)");
+ if(ver != NULL) {
+ if(version_is_less(version:ver[0], test_version:"2.0.0.14") ) {
+ security_hole(port:0, proto:"Mozilla");
+ report = string("\nFound : ") + binary_name + " Version : " + ver[max_index(ver)-1] + string("\n");
+ security_hole(port:0, proto:"Mozilla", data:report);
+ }
+ }
+}
+r = find_bin(prog_name:"seamonkey");
+foreach binary_name (r) {
+ binary_name = chomp(binary_name);
+ ver = get_bin_version(full_prog_name:binary_name, version_argv:"--version", ver_pattern:"([0-9\.]+)");
+ if(ver != NULL) {
+ if(version_is_less(version:ver[0], test_version:"1.1.9") ) {
+ security_hole(port:0, proto:"Mozilla");
+ report = string("\nFound : ") + binary_name + " Version : " + ver[max_index(ver)-1] + string("\n");
+ security_hole(port:0, proto:"Mozilla", data:report);
+ }
+ }
+}
+
+exit(0);
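Review bot: Every hit raises two findings, because `security_hole(port:0, proto:"Mozilla");` is called once without data and again with the report string immediately afterwards in each of the three loops; only the call carrying `report` should remain. The three loops are otherwise identical apart from program name and fixed version, so a small helper removes the duplication and the copy-paste risk; one possible shape is below. `get_bin_version()` with `version_argv:"--version"` appears to execute whichever binary `find_bin()` locates on the target under the scan account, so a planted executable named `firefox` would be run by the scanner's login — presumably accepted for a local test, but worth stating in the description.
```nasl
# Check one Mozilla product: each located binary older than fixed gets a single finding.
function check_mozilla_bin(prog, fixed) {
  local_var bins, bin, ver, report;
  bins = find_bin(prog_name:prog);
  foreach bin (bins) {
    bin = chomp(bin);
    ver = get_bin_version(full_prog_name:bin, version_argv:"--version", ver_pattern:"([0-9\.]+)");
    if( !isnull(ver) && version_is_less(version:ver[0], test_version:fixed) ) {
      report = string("\nFound : ", bin, " Version : ", ver[max_index(ver)-1], "\n");
      security_hole(port:0, proto:"Mozilla", data:report);
    }
  }
}

check_mozilla_bin(prog:"firefox", fixed:"2.0.0.14");
check_mozilla_bin(prog:"thunderbird", fixed:"2.0.0.14");
check_mozilla_bin(prog:"seamonkey", fixed:"1.1.9");
```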
Added: trunk/openvas-plugins/scripts/smbcl_CVE-2008-0234.nasl
===================================================================
--- trunk/openvas-plugins/scripts/smbcl_CVE-2008-0234.nasl 2008-06-17 06:25:21 UTC (rev 918)
+++ trunk/openvas-plugins/scripts/smbcl_CVE-2008-0234.nasl 2008-06-17 18:22:38 UTC (rev 919)
@@ -0,0 +1,100 @@
+#
+# This script was written by Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>
+#
+# This script is released under the GNU GPLv2
+#
+# $Revision: 01 $
+
+if(description)
+{
+
+ script_id(90012);
+ script_version ("$Revision: 01 $");
+ script_cve_id("CVE-2008-0234");
+ name["english"] = "Buffer overflow in Apple Quicktime Player";
+ script_name(english:name["english"]);
+
+ desc["english"] = "The remote host is probable affected by the vulnerabilitys described in
+CVE-2008-0234
+
+Checking if QuickTime version is less than 7.4.1
+
+Impact
+ Buffer overflow in Apple Quicktime Player 7.3.1.70
+ and other versions before 7.4.1, when RTSP tunneling
+ is enabled, allows remote attackers to execute
+ arbitrary code via a long Reason-Phrase response
+ to an rtsp:// request, as demonstrated using a
+ 404 error message.
+
+
+References:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0234
+ http://lists.apple.com/archives/security-announce/2008/Feb/msg00001.html
+
+Solution:
+ All Users should upgrade to the latest version.
+
+
+Risk factor : High";
+
+ script_description(english:desc["english"]);
+ summary["english"] = "Test for Buffer overflow in Apple Quicktime Player";
+ script_summary(english:summary["english"]);
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"This script is under GPLv2");
+ family["english"] = "Windows";
+ script_family(english:family["english"]);
+ exit(0);
+}
+
+#
+# The code starts here
+#
+
+include("version_func.inc");
+include("smbcl_func.inc");
+if( !get_kb_item("SMB/smbclient") ) {
+ smbclientavail();
+}
+test_version = "7.4.1";
+
+ if(get_kb_item("SMB/smbclient") ) {
+ if( smbversion() == 0){
+ report = string("Error getting SMB-Data -> "+get_kb_item("SMB/ERROR"));
+ security_note(port:0, proto:"SMBClient", data:report);
+ exit(0);
+ }
+ } else {
+ report = string("SMBClient not found on openvasd host !");
+ security_note(port:0, proto:"SMBClient", data:report);
+ exit(0);
+ }
+
+ win_dir = get_windir();
+ if( !isnull(win_dir) ) {
+ test_file[0] = win_dir+"System32\QuickTime.qts";
+ test_file[1] = "Programme\QuickTime\QuickTimePlayer.exe";
+ test_file[2] = "Program Files\QuickTime\QuickTimePlayer.exe";
+ foreach filespec (test_file) {
+ r = smbgetdir(share: "C$", dir: filespec, typ: 1 );
+ if( !isnull(r) ) {
+ tmp_filename = get_tmp_dir()+"tmpfile"+rand();
+ if( smbgetfile(share: "C$", filename: filespec, tmp_filename: tmp_filename) ) {
+ v = GetPEFileVersion(tmp_filename:tmp_filename, orig_filename:filespec);
+ unlink(tmp_filename);
+ if( version_is_less(version: v, test_version: test_version) ) {
+ security_hole(port:0, proto:"Win_Quicktime");
+ report = report + "Fileversion : C$ "+filespec + " "+v+string("\n");
+ security_hole(port:0, proto:"Win_Quicktime", data:report);
+ }
+ break;
+ } else {
+ report = string("Error getting SMB-File -> "+get_kb_item("SMB/ERROR")) + string("\n");
+ security_note(port:0, proto:"Win_Quicktime", data:report);
+ }
+ }
+ }
+ }
+
+exit(0);
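Review bot: `v` from `GetPEFileVersion()` is passed straight to `version_is_less()` without a NULL check; if the PE version cannot be read, version_is_less() (with the separator fallback added in this commit) appears to pad an empty version to zeros and report the host vulnerable, so guard it: `if( isnull(v) ) { security_note(port:0, proto:"Win_Quicktime", data:"Could not read version of "+filespec); } else if( version_is_less(version: v, test_version: test_version) ) {`. The file fetched from the (untrusted) target is written to `get_tmp_dir()+"tmpfile"+rand()`, a guessable name; if that directory is shared with other local users on the scanner, a pre-placed symlink could redirect the write, so a per-scan private directory or at least an existence check before `smbgetfile()` is advisable. A vulnerable host is also reported twice, once by the bare `security_hole(port:0, proto:"Win_Quicktime");` and again with the report; drop the first. Only two hard-coded `Programme`/`Program Files` locations plus `System32\QuickTime.qts` are tried, so an install elsewhere is missed silently rather than noted.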
Added: trunk/openvas-plugins/scripts/smbcl_mozilla.nasl
===================================================================
--- trunk/openvas-plugins/scripts/smbcl_mozilla.nasl 2008-06-17 06:25:21 UTC (rev 918)
+++ trunk/openvas-plugins/scripts/smbcl_mozilla.nasl 2008-06-17 18:22:38 UTC (rev 919)
@@ -0,0 +1,157 @@
+#
+# This script was written by Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>
+#
+# This script is released under the GNU GPLv2
+#
+# $Revision: 01 $
+
+if(description)
+{
+
+ script_id(90013);
+ script_version ("$Revision: 01 $");
+ script_cve_id("CVE-2008-1238","CVE-2008-1240","CVE-2008-1241");
+ name["english"] = "Mozilla Firefox, Thunderbird, Seamonkey. Several vulnerabilitys";
+ script_name(english:name["english"]);
+
+ desc["english"] = "The remote host is probable affected by the vulnerabilitys described in
+CVE-2008-0416, CVE-2007-4879, CVE-2008-1195, CVE-2008-1233,
+CVE-2008-1234, CVE-2008-1235, CVE-2008-1236, CVE-2008-1237,
+CVE-2008-1238, CVE-2008-1240, CVE-2008-1241 and more.
+
+
+Impact
+ Mozilla contributors moz_bug_r_a4, Boris Zbarsky,
+ and Johnny Stenback reported a series of vulnerabilities
+ which allow scripts from page content to run with elevated
+ privileges. moz_bug_r_a4 demonstrated additional variants
+ of MFSA 2007-25 and MFSA2007-35 (arbitrary code execution
+ through XPCNativeWrapper pollution). Additional
+ vulnerabilities reported separately by Boris Zbarsky,
+ Johnny Stenback, and moz_bug_r_a4 showed that the browser
+ could be forced to run JavaScript code using the wrong
+ principal leading to universal XSS and arbitrary code execution.
+ And more...
+
+
+References:
+ http://www.mozilla.org/security/announce/2008/mfsa2008-14.html
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0412
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0416
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1238
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1240
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1241
+ .
+ .
+ .
+
+Solution:
+ All Users should upgrade to the latest versions of Firefox, Thunderbird or Seamonkey.
+
+
+Risk factor : High";
+
+ script_description(english:desc["english"]);
+ summary["english"] = "Mozilla Firefox, Thunderbird, Seamonkey. Several vulnerabilitys";
+ script_summary(english:summary["english"]);
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"This script is under GPLv2");
+ family["english"] = "Windows";
+ script_family(english:family["english"]);
+ exit(0);
+}
+
+#
+# The code starts here
+#
+
+include("version_func.inc");
+include("smbcl_func.inc");
+if( !get_kb_item("SMB/smbclient") ) {
+ smbclientavail();
+}
+
+
+ if(get_kb_item("SMB/smbclient") ) {
+ if( smbversion() == 0){
+ report = string("Error getting SMB-Data -> "+get_kb_item("SMB/ERROR"));
+ security_note(port:0, proto:"SMBClient", data:report);
+ exit(0);
+ }
+ } else {
+ report = string("SMBClient not found on openvasd host !");
+ security_note(port:0, proto:"SMBClient", data:report);
+ exit(0);
+ }
+
+ win_dir = get_windir();
+ if( !isnull(win_dir) ) {
+ test_version = "2.0.0.14"; # Test Firefox
+ test_file[0] = "Programme\Mozilla Firefox\firefox.exe";
+ test_file[1] = "Prog Files\Mozilla Firefox\firefox.exe";
+ foreach filespec (test_file) {
+ r = smbgetdir(share: "C$", dir: filespec, typ: 1 );
+ if( !isnull(r) ) {
+ tmp_filename = get_tmp_dir()+"tmpfile"+rand();
+ if( smbgetfile(share: "C$", filename: filespec, tmp_filename: tmp_filename) ) {
+ v = GetPEProductVersion(tmp_filename:tmp_filename, orig_filename:filespec);
+ unlink(tmp_filename);
+ if( version_is_less(version: v, test_version: test_version) ) {
+ security_hole(port:0, proto:"Win_Mozilla");
+ report = report + "Fileversion : C$ "+filespec + " "+v+string("\n");
+ security_hole(port:0, proto:"Win_Mozilla", data:report);
+ }
+ break;
+ } else {
+ report = string("Error getting SMB-File -> "+get_kb_item("SMB/ERROR")) + string("\n");
+ security_note(port:0, proto:"Win_Mozilla", data:report);
+ }
+ }
+ }
+ test_version = "2.0.0.14"; # Test Thunderbird
+ test_file[0] = "Programme\Mozilla Thunderbird\thunderbird.exe";
+ test_file[1] = "Prog Files\Mozilla Thunderbird\thunderbird.exe";
+ foreach filespec (test_file) {
+ r = smbgetdir(share: "C$", dir: filespec, typ: 1 );
+ if( !isnull(r) ) {
+ tmp_filename = get_tmp_dir()+"tmpfile"+rand();
+ if( smbgetfile(share: "C$", filename: filespec, tmp_filename: tmp_filename) ) {
+ v = GetPEProductVersion(tmp_filename:tmp_filename, orig_filename:filespec);
+ unlink(tmp_filename);
+ if( version_is_less(version: v, test_version: test_version) ) {
+ security_hole(port:0, proto:"Win_Mozilla");
+ report = report + "Fileversion : C$ "+filespec + " "+v+string("\n");
+ security_hole(port:0, proto:"Win_Mozilla", data:report);
+ }
+ break;
+ } else {
+ report = string("Error getting SMB-File -> "+get_kb_item("SMB/ERROR")) + string("\n");
+ security_note(port:0, proto:"Win_Mozilla", data:report);
+ }
+ }
+ }
+ test_version = "1.1.9"; # Test SeaMonkey
+ test_file[0] = "Programme\mozilla.org\SeaMonkey\seamonkey.exe";
+ test_file[1] = "Prog Files\mozilla.org\SeaMonkey\seamonkey.exe";
+ foreach filespec (test_file) {
+ r = smbgetdir(share: "C$", dir: filespec, typ: 1 );
+ if( !isnull(r) ) {
+ tmp_filename = get_tmp_dir()+"tmpfile"+rand();
+ if( smbgetfile(share: "C$", filename: filespec, tmp_filename: tmp_filename) ) {
+ v = GetPEProductVersion(tmp_filename:tmp_filename, orig_filename:filespec);
+ unlink(tmp_filename);
+ if( version_is_less(version: v, test_version: test_version) ) {
+ security_hole(port:0, proto:"Win_Mozilla");
+ report = report + "Fileversion : C$ "+filespec + " "+v+string("\n");
+ security_hole(port:0, proto:"Win_Mozilla", data:report);
+ }
+ break;
+ } else {
+ report = string("Error getting SMB-File -> "+get_kb_item("SMB/ERROR")) + string("\n");
+ security_note(port:0, proto:"Win_Mozilla", data:report);
+ }
+ }
+ }
+ }
+
+exit(0);
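Review bot: The second path in each product table reads `Prog Files\...` instead of `Program Files\...` (the QuickTime test in this commit spells it correctly), so on an English Windows install none of firefox.exe, thunderbird.exe or seamonkey.exe is ever found and the host is reported clean; fix the three entries, e.g. `test_file[1] = "Program Files\Mozilla Firefox\firefox.exe";`. `report` is never reset between the three product blocks and each hit does `report = report + ...`, so a Thunderbird or SeaMonkey finding carries whatever the Firefox block left in `report`, including its "Error getting SMB-File" text; start each block with `report = "";`. As in the QuickTime script, `v` from `GetPEProductVersion()` is not checked for NULL before `version_is_less()`, and each hit raises two findings via the bare `security_hole(port:0, proto:"Win_Mozilla");` followed by the one carrying data.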
Modified: trunk/openvas-plugins/scripts/version_func.inc
===================================================================
--- trunk/openvas-plugins/scripts/version_func.inc 2008-06-17 06:25:21 UTC (rev 918)
+++ trunk/openvas-plugins/scripts/version_func.inc 2008-06-17 18:22:38 UTC (rev 919)
@@ -3,7 +3,7 @@
#
# This script is released under the GNU GPLv2
#
-# $Revision: 4 $
+# $Revision: 5 $
# XXX: the version tests should be eventually consolidated with
# the methods from revisions-lib.inc.
@@ -65,7 +65,7 @@
function get_string_version(text, ver_pattern) {
local_var loc_version;
- if( isnull( ver_pattern) ) { # Standart Version Pattern for most cases
+ if( isnull( ver_pattern) ) { # Standard Version Pattern for most cases
ver_pattern = "([0-9\.]+)";
}
loc_version = eregmatch(pattern:ver_pattern, string:text);
@@ -87,10 +87,12 @@
if(icase) {
version = tolower(version);
test_version = tolower(test_version);
- }
+ }
ver_sep = ereg_replace(pattern:"([A-Za-z0-9])", string: version, replace:"");
+ if( ver_sep == "" ) ver_sep = "."; # Set Standard Separator
ver_ary = split(version, sep:ver_sep[0], keep:0);
ver_sep = ereg_replace(pattern:"([A-Za-z0-9])", string: test_version, replace:"");
+ if( ver_sep == "" ) ver_sep = "."; # Set Standard Separator
test_ary = split(test_version, sep:ver_sep[0], keep:0);
while(max_index(ver_ary) < max_index(test_ary) ) {
ver_ary[max_index(ver_ary)] = "0";
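Review bot: The new fallback `if( ver_sep == "" ) ver_sep = ".";` only covers the empty-string case; if `ereg_replace` yields NULL for a NULL or empty `version`/`test_version` (not verifiable from the hunk), `ver_sep[0]` on the next line is still indexed on NULL, so `if( isnull(ver_sep) || ver_sep == "" ) ver_sep = ".";` would be the safer guard on both new lines. The two `# Set Standard Separator` comments say what is done but not why; a comment such as `# separator is the first non-alphanumeric char of the string; a bare number like "5" has none, so default to "."` would make the intent clear. The enclosing function starts before this hunk.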
@@ -107,18 +109,18 @@
} else {
test_ary[i] = int(r[0]) + ord(s[0]);
char_found = TRUE;
- }
+ }
r = eregmatch(pattern:"([0-9]+)", string:ver_ary[i]);
s = eregmatch(pattern:"([A-Za-z])", string:ver_ary[i]);
if(isnull(s) ) {
- ver_ary[i] = int(r[0]);
+ ver_ary[i] = int(r[0]);
} else if(char_found) {
ver_ary[i] = int(r[0]) + ord(s[0]);
} else {
if(isnull(r) ) {
ver_ary[i] = ord(s[0]);
} else {
- if(! less) return (0); # If char found in test_version and no char in version it is not equal
+ if(! less) return (0); # If char found in test_version and no char in version it is not equal
ver_ary[i] = int(r[0]); # No chars if test_version has no chars on this position else 1.1.1a is > 1.1.2
}
}
@@ -127,7 +129,7 @@
if(ver_ary[i] > test_ary[i]) return (0);
} else {
if(ver_ary[i] != test_ary[i]) return (0);
- }
+ }
}
if(less) return (0); else return (1);
}
Added: trunk/openvas-plugins/scripts/win_CVE-2008-0080.nasl
===================================================================
--- trunk/openvas-plugins/scripts/win_CVE-2008-0080.nasl 2008-06-17 06:25:21 UTC (rev 918)
+++ trunk/openvas-plugins/scripts/win_CVE-2008-0080.nasl 2008-06-17 18:22:38 UTC (rev 919)
@@ -0,0 +1,120 @@
+#
+# This script was written by Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>
+#
+# This script is released under the GNU GPLv2
+#
+# $Revision: 01 $
+
+if(description)
+{
+
+ script_id(90015);
+ script_version ("$Revision: 01 $");
+ script_cve_id("CVE-2008-0080");
+ name["english"] = "Mini-Redirector Heap Overflow Vulnerability";
+ script_name(english:name["english"]);
+
+ desc["english"] = "The remote host is probably affected by the vulnerability described in
+CVE-2008-0080
+
+
+Impact
+ Heap-based buffer overflow in the WebDAV Mini-Redirector
+ in Microsoft Windows XP SP2, Server 2003 SP1 and SP2,
+ and Vista allows remote attackers to execute arbitrary
+ code via a crafted WebDAV response.
+
+References:
+ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0080
+ http://www.microsoft.com/technet/security/bulletin/ms08-007.mspx
+
+
+Workarounds
+ Disable the WebClient Service.
+
+
+Solution:
+ All Users should upgrade to the latest version.
+
+
+Risk factor : High";
+
+ script_description(english:desc["english"]);
+ summary["english"] = "Mini-Redirector Heap Overflow Vulnerability";
+ script_summary(english:summary["english"]);
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"This script is under GPLv2");
+ family["english"] = "Windows";
+ script_family(english:family["english"]);
+ exit(0);
+}
+
+#
+# The code starts here
+#
+
+local_var os;
+
+include("version_func.inc");
+include("smbcl_func.inc");
+ if( !get_kb_item("SMB/smbclient") ) {
+ smbclientavail();
+ }
+
+ if(get_kb_item("SMB/smbclient") ) {
+ if( smbversion() == 0){
+ report = string("Error getting SMB-Data -> "+get_kb_item("SMB/ERROR"));
+ security_note(port:0, proto:"SMBClient", data:report);
+ exit(0);
+ }
+ } else {
+ report = string("SMBClient not found on this host !");
+ security_note(port:0, proto:"SMBClient", data:report);
+ exit(0);
+ }
+
+ win_dir = get_windir();
+ if( !isnull(win_dir) ) {
+ os = get_kb_item("SMB/OS");
+ filespec = win_dir+"system32\drivers\mrxdav.sys";
+ test_version = NULL;
+ if( "WINDOWS VISTA" >< os ) {
+ test_version = "6.0.6000.16626";
+ } else {
+ if( "WINDOWS 5.1" >< os ) {
+ test_version = "5.1.2600.3276";
+ } else {
+ if( "WINDOWS SERVER 2003" >< os ) {
+ if( "SERVICE PACK 2" >< os ) {
+ test_version = "5.2.3790.4206";
+ } else {
+ test_version = "5.2.3790.3060";
+ }
+ }
+ }
+ }
+ if( !isnull(test_version) ) {
+ r = smbgetdir(share: "C$", dir: filespec, typ: 1 );
+ if( !isnull(r) ) {
+ tmp_filename = get_tmp_dir()+"tmpfile"+rand();
+ orig_filename = filespec;
+ if( smbgetfile(share: "C$", filename: orig_filename, tmp_filename: tmp_filename) ) {
+ v = GetPEFileVersion(tmp_filename:tmp_filename, orig_filename:orig_filename);
+ unlink(tmp_filename);
+ if( version_is_less(version: v, test_version: test_version) ) {
+ security_hole(port:0, proto:"Win");
+ report = report + "Fileversion : C$ "+orig_filename + " "+v+string("\n");
+ security_hole(port:0, proto:"Win", data:report);
+ }
+ } else {
+ report = string("Error getting SMB-File -> "+get_kb_item("SMB/ERROR")) + string("\n");
+ security_note(port:0, proto:"SMB", data:report);
+ }
+ } else {
+ report = string(filespec+" not found/no access -> "+get_kb_item("SMB/ERROR")) + string("\n");
+ security_note(port:0, proto:"SMB", data:report);
+ }
+ }
+ }
+
+exit(0);
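Review bot: In the version-mismatch branch `security_hole(port:0, proto:"Win")` is issued twice, first without data and then again with `report`, so one vulnerable host yields two findings for the same check; keeping only `security_hole(port:0, proto:"Win", data:report);` retains the one that carries the file version. `report` is also appended to in that branch without ever being initialised on the success path (the earlier assignments sit in branches that `exit(0)`), so an explicit `report = "";` before the `win_dir` block would avoid relying on NULL-concatenation semantics. The temporary path `get_tmp_dir()+"tmpfile"+rand()` is predictable; if `get_tmp_dir()` is a shared directory, a per-scan directory or a less guessable name would be preferable — to confirm against smbcl_func.inc. The same double `security_hole` call appears in the smbcl_mozilla.nasl hunk above in its Firefox and SeaMonkey checks.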