[Openvas-commits] r1692 - in trunk/openvas-plugins: . scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Tue Nov 11 15:58:45 CET 2008


Author: chandra
Date: 2008-11-11 15:58:44 +0100 (Tue, 11 Nov 2008)
New Revision: 1692

Added:
   trunk/openvas-plugins/scripts/secpod_chilkat_crypt_activex_cntl_vuln_900171.nasl
   trunk/openvas-plugins/scripts/secpod_ms_win_media_player_detect_900173.nasl
   trunk/openvas-plugins/scripts/secpod_ms_win_media_player_dos_vuln_900172.nasl
Modified:
   trunk/openvas-plugins/ChangeLog
Log:
Added new plugins

Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2008-11-11 14:25:08 UTC (rev 1691)
+++ trunk/openvas-plugins/ChangeLog	2008-11-11 14:58:44 UTC (rev 1692)
@@ -1,4 +1,10 @@
 2008-11-11 Chandrashekhar B <bchandra at secpod.com>
+	* scripts/secpod_chilkat_crypt_activex_cntl_vuln_900171.nasl,
+	  scripts/secpod_ms_win_media_player_detect_900173.nasl,
+	  scripts/secpod_ms_win_media_player_dos_vuln_900172.nasl:
+	  Added new plugins
+
+2008-11-11 Chandrashekhar B <bchandra at secpod.com>
 	* scripts/gb_aflog_cookie_auth_bypass_vuln.nasl,
 	  scripts/gb_e107_alternate_profiles_remote_sql_inj_vuln.nasl,
 	  scripts/gb_e107_easyshop_remote_sql_inj_vuln.nasl,

Added: trunk/openvas-plugins/scripts/secpod_chilkat_crypt_activex_cntl_vuln_900171.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_chilkat_crypt_activex_cntl_vuln_900171.nasl	2008-11-11 14:25:08 UTC (rev 1691)
+++ trunk/openvas-plugins/scripts/secpod_chilkat_crypt_activex_cntl_vuln_900171.nasl	2008-11-11 14:58:44 UTC (rev 1692)
@@ -0,0 +1,109 @@
+##############################################################################
+#
+#  Chilkat Crypt ActiveX Control 'ChilkatCrypt2.dll' File Overwrite Vulnerability
+#
+#  Copyright: SecPod
+#
+#  Date Written: 2008/11/05
+#
+#  Revision: 1.0
+#
+#  Log: ssharath
+#  Issue #0435
+#  ------------------------------------------------------------------------
+#  This program was written by SecPod and is licensed under the GNU GPL 
+#  license. Please refer to the below link for details,
+#  http://www.gnu.org/licenses/gpl.html
+#  This header contains information regarding licensing terms under the GPL, 
+#  and information regarding obtaining source code from the Author. 
+#  Consequently, pursuant to section 3(c) of the GPL, you must accompany the 
+#  information found in this header with any distribution you make of this 
+#  Program.
+#  ------------------------------------------------------------------------
+##############################################################################
+
+if(description)
+{
+  script_id(900171);
+  script_bugtraq_id(32073);
+  script_copyright(english:"Copyright (C) 2008 SecPod");
+  script_version("Revision: 1.0 ");
+  script_category(ACT_GATHER_INFO);
+  script_family(english:"Misc.");
+  script_name(english:"Chilkat Crypt ActiveX Control 'ChilkatCrypt2.dll' File Overwrite Vulnerability");
+  script_summary(english:"Check for vulnerable version of Chilkat Crypt");
+  desc["english"] = "
+
+  Overview: The host is installed Chilkat Crypt, which is prone to ActiveX 
+  Control based arbitrary file overwrite vulnerability.
+
+  Vulnerability Insight:
+  The vulnerability is caused due to the error in the 'ChilkatCrypt2.dll' ActiveX
+  Control component that does not restrict access to the 'WriteFile()' method.
+
+  Impact:
+  Successful exploitation will allow execution of arbitrary code.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  Chilkat Crypt ActiveX Component version 4.3.2.1 and prior
+ 
+  Fix: Set the kill-bit for the CLSID {3352B5B9-82E8-4FFD-9EB1-1A3E60056904}.
+  No solution/patch is available as on 05th November, 2008.
+
+  References:
+  http://milw0rm.com/exploits/6963
+  http://secunia.com/advisories/32513/
+
+  CVSS Score:
+    CVSS Base Score     : 8.8 (AV:N/AC:M/Au:NR/C:C/I:C/A:N)
+    CVSS Temporal Score : 7.9
+  Risk factor : High";
+
+  script_description(english:desc["english"]);
+  script_dependencies("secpod_reg_enum.nasl");
+  script_require_keys("SMB/WindowsVersion");
+  exit(0);
+}
+
+
+include("secpod_smb_func.inc");
+
+if(!get_kb_item("SMB/WindowsVersion")){
+  exit(0);
+}
+
+key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\";
+enumKeys = registry_enum_keys(key);
+
+if(!enumKeys){
+  exit(0);
+}
+
+foreach entry (enumKeys)
+{
+  if("Chilkat Crypt ActiveX" ><
+     registry_get_sz(key: key + entry, item:"DisplayName"))
+  {
+    # Grep for version 4.3.2.1 and prior
+    if(egrep(pattern:"^4\.([0-2](\..*)?|3(\.[0-2](\.[01])?)?)$",
+             string:registry_get_sz(key: key + entry, item:"DisplayVersion")))
+    {
+      # Check if Kill-Bit is set for ActiveX control
+      clsid = "{3352B5B9-82E8-4FFD-9EB1-1A3E60056904}";
+      regKey = "SOFTWARE\Classes\CLSID\" + clsid;
+      if(registry_key_exists(key:regKey))
+      {
+        activeKey = "SOFTWARE\Microsoft\Internet Explorer\" +
+                    "ActiveX Compatibility\" + clsid;
+        killBit = registry_get_dword(key:activeKey, item:"Compatibility Flags");
+        if(killBit && (int(killBit) == 1024)){
+          exit(0);
+        }
+        security_warning(0);
+      }
+    }
+    exit(0);
+  }
+}
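Review bot: The version pattern in the `egrep` call misses several builds older than 4.3.2.1, so vulnerable hosts can go unreported. Under the `3(\.[0-2](\.[01])?)?` branch, a fourth component other than 0 or 1 fails the match even for 4.3.0.x and 4.3.1.x, and nothing below major version 4 matches at all. Widening that branch to `3(\.([01](\..*)?|2(\.[01])?))?` covers the 4.3.0.x and 4.3.1.x cases; whether pre-4 releases ship the same control should be confirmed before extending the pattern further. Separately, `int(killBit) == 1024` compares the whole Compatibility Flags DWORD, so a host with the kill bit set alongside other flags would still be reported. Testing the bit instead, `if(killBit && (int(killBit) & 1024)){`, avoids that false positive.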

Added: trunk/openvas-plugins/scripts/secpod_ms_win_media_player_detect_900173.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms_win_media_player_detect_900173.nasl	2008-11-11 14:25:08 UTC (rev 1691)
+++ trunk/openvas-plugins/scripts/secpod_ms_win_media_player_detect_900173.nasl	2008-11-11 14:58:44 UTC (rev 1692)
@@ -0,0 +1,71 @@
+##############################################################################
+#
+#  Microsoft Windows Media Player Version Detection
+#
+#  Copyright: SecPod
+#
+#  Date Written: 2008/11/06
+#
+#  Revision: 1.0
+#
+#  Log: ssharath
+#  Issue #0437
+#  ------------------------------------------------------------------------
+#  This program was written by SecPod and is licensed under the GNU GPL 
+#  license. Please refer to the below link for details,
+#  http://www.gnu.org/licenses/gpl.html
+#  This header contains information regarding licensing terms under the GPL, 
+#  and information regarding obtaining source code from the Author. 
+#  Consequently, pursuant to section 3(c) of the GPL, you must accompany the 
+#  information found in this header with any distribution you make of this 
+#  Program.
+#  ------------------------------------------------------------------------
+##############################################################################
+
+if(description)
+{
+  script_id(900173);
+  script_copyright(english:"Copyright (C) 2008 SecPod");
+  script_version("Revision: 1.0 ");
+  script_category(ACT_GATHER_INFO);
+  script_family(english:"General");
+  script_name(english:"Microsoft Windows Media Player Version Detection");
+  script_summary(english:"Set File Version of Windows Media Player in KB");
+  desc["english"] = "
+  Overview : This script find the Windows Media Player installed version and 
+  save the version in KB.
+
+  Risk factor : Informational";
+
+  script_description(english:desc["english"]);
+  script_dependencies("secpod_reg_enum.nasl");
+  script_require_keys("SMB/WindowsVersion");
+  exit(0);
+}
+
+
+include("secpod_smb_func.inc");
+
+if(!get_kb_item("SMB/WindowsVersion")){
+  exit(0);
+}
+
+keyX = "SOFTWARE\Microsoft\Active setup\Installed Components\";
+ 
+# CLSID matchs with Win Media Player versions 7 or above
+wmpVer = registry_get_sz(key:keyX + "{6BF52A52-394A-11d3-B153-00C04F79FAA6}",
+                         item:"Version");
+if(!wmpVer)
+{
+  wmpVer = registry_get_sz(key:keyX + "{22d6f312-b0f6-11d0-94ab-0080c74c7e95}",
+                           item:"Version");
+  if(!wmpVer){
+    exit(0);
+  }
+}
+
+# For replacing comma (,) with dot (.)
+wmpVer = ereg_replace(string:wmpVer, pattern:",", replace:".");
+
+# Set the KB item for Windows Media Player.
+set_kb_item(name:"Win/MediaPlayer/Ver", value:wmpVer);
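Review bot: The value stored under `Win/MediaPlayer/Ver` is the Active Setup `Version` string read from the registry, while `script_summary` calls it the file version. The two may differ if the registry value does not follow the player binary when it is updated, and the dependent check trusts it; `script_summary(english:"Set registry version of Windows Media Player in KB");` would describe what is actually saved. The second `registry_get_sz` lookup has no comment saying which player generation its CLSID covers, so a line such as `# Fallback CLSID, presumably the pre-7 player component - confirm` above it would match the comment on the first lookup. Since the string comes from the scanned host, a format check such as `egrep(pattern:"^[0-9]+(\.[0-9]+)*$", string:wmpVer)` before `set_kb_item` would keep malformed values out of the KB.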

Added: trunk/openvas-plugins/scripts/secpod_ms_win_media_player_dos_vuln_900172.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms_win_media_player_dos_vuln_900172.nasl	2008-11-11 14:25:08 UTC (rev 1691)
+++ trunk/openvas-plugins/scripts/secpod_ms_win_media_player_dos_vuln_900172.nasl	2008-11-11 14:58:44 UTC (rev 1692)
@@ -0,0 +1,79 @@
+##############################################################################
+#
+#  Microsoft Windows Media Player 'MIDI' or 'DAT' File DoS Vulnerability
+#
+#  Copyright: SecPod
+#
+#  Date Written: 2008/11/05
+#
+#  Revision: 1.0
+#
+#  Log: ssharath
+#  Issue #0437
+#  ------------------------------------------------------------------------
+#  This program was written by SecPod and is licensed under the GNU GPL 
+#  license. Please refer to the below link for details,
+#  http://www.gnu.org/licenses/gpl.html
+#  This header contains information regarding licensing terms under the GPL, 
+#  and information regarding obtaining source code from the Author. 
+#  Consequently, pursuant to section 3(c) of the GPL, you must accompany the 
+#  information found in this header with any distribution you make of this 
+#  Program.
+#  ------------------------------------------------------------------------
+##############################################################################
+
+if(description)
+{
+  script_id(900172);
+  script_bugtraq_id(32077);
+  script_cve_id("CVE-2008-4927");
+  script_copyright(english:"Copyright (C) 2008 SecPod");
+  script_version("Revision: 1.0 ");
+  script_category(ACT_GATHER_INFO);
+  script_family(english:"Denial of Service");
+  script_name(english:"Microsoft Windows Media Player 'MIDI' or 'DAT' File DoS Vulnerability");
+  script_summary(english:"Check for vulnerable version of Windows Media Player");
+  desc["english"] = "
+  Overview: This host is installed with Windows Media Player and is prone to
+  denial of service vulnerability.
+
+  The vulnerability is caused due to error in handling 'MIDI' or 'DAT' file,
+  related to 'MThd Header Parsing'.
+
+  Impact:
+  Successful exploitation will cause denial of service.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  Microsoft Windows Media Player versions 9.x, 10.x and 11.x
+
+  Fix: No solution/patch is available as on 05th November, 2008.
+
+  References:
+  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4927
+  http://www.securityfocus.com/data/vulnerabilities/exploits/32077.py
+
+  CVSS Score:
+    CVSS Base Score     : 7.1 (AV:N/AC:M/Au:NR/C:N/I:N/A:C)
+    CVSS Temporal Score : 6.1
+  Risk factor : High";
+
+  script_description(english:desc["english"]);
+  script_dependencies("secpod_reg_enum.nasl",
+                      "secpod_ms_win_media_player_detect_900173.nasl");
+  script_require_keys("SMB/WindowsVersion");
+  exit(0);
+}
+
+
+include("smb_nt.inc");
+
+if(!get_kb_item("SMB/WindowsVersion")){
+  exit(0);
+}
+
+# Check the versions 9.x , 10.x and 11.x
+if(get_kb_item("Win/MediaPlayer/Ver") =~ "^(9|1[01])\..*$"){
+  security_warning(0);
+}
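Review bot: The check reads `Win/MediaPlayer/Ver` but `script_require_keys` lists only `SMB/WindowsVersion`, so the script is still scheduled on hosts where the detection plugin stored nothing. `script_require_keys("SMB/WindowsVersion", "Win/MediaPlayer/Ver");` would state the real precondition. `include("smb_nt.inc");` appears unused, since no registry or SMB function is called in this file. Because the result rests on the major version alone, a comment above the `=~` test such as `# Version-only check: flags every 9.x-11.x install; revisit once a vendor fix exists` would tell maintainers why no patch level is examined.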


