[Openvas-commits] r1550 - trunk/openvas-plugins/scripts
scm-commit@wald.intevation.org
scm-commit at wald.intevation.org
Wed Oct 15 19:56:50 CEST 2008
Author: chandra
Date: 2008-10-15 19:56:48 +0200 (Wed, 15 Oct 2008)
New Revision: 1550
Added:
trunk/openvas-plugins/scripts/secpod_ms08-056_900047.nasl
trunk/openvas-plugins/scripts/secpod_ms08-057_900048.nasl
trunk/openvas-plugins/scripts/secpod_ms08-058_900054.nasl
trunk/openvas-plugins/scripts/secpod_ms08-059_900049.nasl
trunk/openvas-plugins/scripts/secpod_ms08-060_900050.nasl
trunk/openvas-plugins/scripts/secpod_ms08-061_900051.nasl
trunk/openvas-plugins/scripts/secpod_ms08-062_900052.nasl
trunk/openvas-plugins/scripts/secpod_ms08-063_900053.nasl
trunk/openvas-plugins/scripts/secpod_ms08-064_900225.nasl
trunk/openvas-plugins/scripts/secpod_ms08-065_900224.nasl
trunk/openvas-plugins/scripts/secpod_ms08-066_900223.nasl
Modified:
trunk/openvas-plugins/scripts/secpod_office_products_version_900032.nasl
trunk/openvas-plugins/scripts/secpod_smb_func.inc
Log:
Microsoft bulletin plugins - Oct 08
Added: trunk/openvas-plugins/scripts/secpod_ms08-056_900047.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms08-056_900047.nasl 2008-10-15 12:40:51 UTC (rev 1549)
+++ trunk/openvas-plugins/scripts/secpod_ms08-056_900047.nasl 2008-10-15 17:56:48 UTC (rev 1550)
@@ -0,0 +1,91 @@
+##############################################################################
+#
+# Microsoft Office Information Disclosure Vulnerability (957699)
+#
+# Copyright: SecPod
+#
+# Date Written: 2008/10/15
+#
+# Revision: 1.0
+#
+# Log: schandan
+# Issue #0322
+# ------------------------------------------------------------------------
+# This program was written by SecPod and is licensed under the GNU GPL
+# license. Please refer to the below link for details,
+# http://www.gnu.org/licenses/gpl.html
+# This header contains information regarding licensing terms under the GPL,
+# and information regarding obtaining source code from the Author.
+# Consequently, pursuant to section 3(c) of the GPL, you must accompany the
+# information found in this header with any distribution you make of this
+# Program.
+# ------------------------------------------------------------------------
+##############################################################################
+
+
+if(description)
+{
+ script_id(900047);
+ script_bugtraq_id(31693);
+ script_cve_id("CVE-2008-4020");
+ script_copyright(english:"Copyright (C) 2008 SecPod");
+ script_version("Revision: 1.0 ");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Windows");
+ script_name(english:"Microsoft Office nformation Disclosure Vulnerability (957699)");
+ script_summary(english:"Check for Microsoft Office file version");
+ desc["english"] = "
+ MS08-055
+
+ Overview: This host is missing critical security update according to
+ Microsoft Bulletin MS08-056.
+
+ Vulnerability Insight:
+ The flaw exists due to the way that Office processes documents using the CDO
+ Protocol (cdo:) and the Content-Disposition Attachment header.
+
+ Impact: Successful exploitation could allow documents incorrectly rendered
+ in the web browser, leading to cross site scripting attack.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ Microsoft Office XP Service Pack 3 on Windows (All).
+
+ Fix: Run Windows Update and update the listed hotfixes or download and
+ update mentioned hotfixes in the advisory from the below link.
+ http://www.microsoft.com/technet/security/bulletin/ms08-056.mspx
+
+ References: http://www.microsoft.com/technet/security/bulletin/ms08-056.mspx
+
+ CVSS Score:
+ CVSS Base Score : 4.3 (AV:N/AC:M/Au:NR/C:P/I:N/A:N)
+ CVSS Temporal Score : 3.2
+ Risk factor : Medium";
+
+ script_description(english:desc["english"]);
+ script_dependencies("secpod_ms_office_detection_900025.nasl");
+ script_require_keys("SMB/WindowsVersion");
+ exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_reg.inc");
+
+if(hotfix_check_sp(xp:4, win2k:5, win2003:3) <= 0){
+ exit(0);
+}
+
+offVer = get_kb_item("MS/Office/Ver");
+if(!offVer){
+ exit(0);
+}
+
+if(offVer =~ "^10\.")
+{
+ if(registry_key_exists(key:"SOFTWARE\Classes\PROTOCOLS\Handler\cdo") &&
+ registry_key_exists(key:"SOFTWARE\Classes\CDO")){
+ security_warning(0);
+ }
+}
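Review bot: The report strings are inconsistent with the check: `desc["english"]` opens with `MS08-055` while the rest of the script is about MS08-056, and `script_name` reads `Microsoft Office nformation Disclosure Vulnerability (957699)`; both are runtime strings that land in scan reports and should read `MS08-056` and `Microsoft Office Information Disclosure Vulnerability (957699)`. Unlike every other script in this commit, this one never calls `hotfix_missing(name:"957699")` and reports solely on the presence of the `cdo` protocol-handler registry keys. That presumably relies on the update unregistering the handler — verify against the bulletin — and deserves a comment such as `# KB957699 is expected to remove the cdo: handler registration; its presence means the update is missing` so the next maintainer does not read it as a forgotten hotfix check.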
Added: trunk/openvas-plugins/scripts/secpod_ms08-057_900048.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms08-057_900048.nasl 2008-10-15 12:40:51 UTC (rev 1549)
+++ trunk/openvas-plugins/scripts/secpod_ms08-057_900048.nasl 2008-10-15 17:56:48 UTC (rev 1550)
@@ -0,0 +1,95 @@
+##############################################################################
+#
+# Microsoft Excel Remote Code Execution Vulnerability (956416)
+#
+# Copyright: SecPod
+#
+# Date Written: 2008/10/15
+#
+# Revision: 1.1
+#
+# Log: schandan
+# Issue #0323
+# ------------------------------------------------------------------------
+# This program was written by SecPod and is licensed under the GNU GPL
+# license. Please refer to the below link for details,
+# http://www.gnu.org/licenses/gpl.html
+# This header contains information regarding licensing terms under the GPL,
+# and information regarding obtaining source code from the Author.
+# Consequently, pursuant to section 3(c) of the GPL, you must accompany the
+# information found in this header with any distribution you make of this
+# Program.
+# ------------------------------------------------------------------------
+##############################################################################
+
+
+if(description)
+{
+ script_id(900048);
+ script_bugtraq_id(31702, 31705, 31706);
+ script_cve_id("CVE-2008-3471", "CVE-2008-3477", "CVE-2008-4019");
+ script_copyright(english:"Copyright (C) 2008 SecPod");
+ script_version("Revision: 1.1 ");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Windows");
+ script_name(english:"Microsoft Excel Remote Code Execution Vulnerability (956416)");
+ script_summary(english:"Check for Microsoft Excel file version");
+ desc["english"] = "
+ MS08-057
+
+ Overview: This host is missing critical security update according to
+ Microsoft Bulletin MS08-057.
+
+ Vulnerability Insight:
+ The flaws are caused due to,
+ - insufficient validation of data in a VBA Performance Cache.
+ - an error in the loading of Excel objects, which in corrupt memory via
+ a specially crafted file.
+ - an integer overflow in the REPT function when handling formulas inside
+ cells.
+
+ Impact: Remote attackers could corrupt memory via a specially
+ crafted Excel (.xls) files.
+
+ Impact Level: System
+
+ Affected Software/OS:
+ Microsoft Execel 2002/XP/2003/2007 on Windows (All).
+ Microsoft Execel Viewer 2003/2007 on Windows (All).
+
+ Fix: Run Windows Update and update the listed hotfixes or download and
+ update mentioned hotfixes in the advisory from the below link.
+ http://www.microsoft.com/technet/security/bulletin/ms08-057.mspx
+
+ References: http://www.microsoft.com/technet/security/bulletin/ms08-057.mspx
+
+ CVSS Score:
+ CVSS Base Score : 8.3 (AV:N/AC:M/Au:NR/C:P/I:P/A:C)
+ CVSS Temporal Score : 6.1
+ Risk factor : High";
+
+ script_description(english:desc["english"]);
+ script_dependencies("secpod_office_products_version_900032.nasl",
+ "secpod_ms_office_detection_900025.nasl");
+ script_require_keys("SMB/WindowsVersion", "SMB/Office/Word/Version");
+ exit(0);
+}
+
+
+include("smb_nt.inc");
+
+if(!get_kb_item("SMB/WindowsVersion")){
+ exit(0);
+}
+
+if(egrep(pattern:"^(9|10|11|12)\..*", string:get_kb_item("MS/Office/Ver")))
+{
+ # Grep for MS Office Excel Version < (9.0.8972, 10.0.6847, 11.0.8231, and 12.0.6324.5001)
+ if(egrep(pattern:"^(9\.0\.([0-7]?[0-9]?[0-9]?[0-9]|8([0-8][0-9][0-9]|9[0-6][0-9]|97[01]))|" +
+ "10\.0\.([0-5]?[0-9]?[0-9]?[0-9]|6([0-7][0-9][0-9]|8([0-3][0-9]|4[0-6])))|" +
+ "11\.0\.([0-7]?[0-9]?[0-9]?[0-9]|8([01][0-9][0-9]|2[0-2][0-9]|230))|" +
+ "12\.0\.([0-5].*|6([0-2].*|31.*|32[0-3].*|324\.([0-4]?[0-9]?[0-9]?[0-9]|5000))))$",
+ string:get_kb_item("SMB/Office/Excel/Version"))){
+ security_hole(0);
+ }
+}
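Review bot: `script_require_keys` asks for `SMB/Office/Word/Version`, but the check at the bottom reads `SMB/Office/Excel/Version`, so the script is skipped on hosts that have Excel but no Word and runs on hosts where the Excel key is absent (where `egrep` sees an empty string and nothing is reported). The required key should match what is checked: `script_require_keys("SMB/WindowsVersion", "SMB/Office/Excel/Version");`. The Affected Software/OS block also spells the product `Execel` twice.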
Added: trunk/openvas-plugins/scripts/secpod_ms08-058_900054.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms08-058_900054.nasl 2008-10-15 12:40:51 UTC (rev 1549)
+++ trunk/openvas-plugins/scripts/secpod_ms08-058_900054.nasl 2008-10-15 17:56:48 UTC (rev 1550)
@@ -0,0 +1,235 @@
+##############################################################################
+#
+# Cumulative Security Update for Internet Explorer (956390)
+#
+# Copyright: SecPod
+#
+# Date Written: 2008/10/15
+#
+# Revision: 1.0
+#
+# Log: schandan
+# Issue #0324
+# ------------------------------------------------------------------------
+# This program was written by SecPod and is licensed under the GNU GPL
+# license. Please refer to the below link for details,
+# http://www.gnu.org/licenses/gpl.html
+# This header contains information regarding licensing terms under the GPL,
+# and information regarding obtaining source code from the Author.
+# Consequently, pursuant to section 3(c) of the GPL, you must accompany the
+# information found in this header with any distribution you make of this
+# Program.
+# ------------------------------------------------------------------------
+##############################################################################
+
+if(description)
+{
+ script_id(900054);
+ script_bugtraq_id(29960, 31615, 31616, 31617, 31618, 31654);
+ script_cve_id("CVE-2008-2947", "CVE-2008-3472", "CVE-2008-3473",
+ "CVE-2008-3474", "CVE-2008-3475", "CVE-2008-3476");
+ script_copyright(english:"Copyright (C) 2008 SecPod");
+ script_version("$Revision: 1.0 $");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Windows");
+ script_name(english:"Cumulative Security Update for Internet Explorer (956390)");
+ script_summary(english:"Check for the vulnerable version of Internet Explorer");
+ desc["english"] = "
+ MS08-058
+
+ Overview: This host is missing critical security update according to
+ Microsoft Bulletin MS08-058.
+
+ Vulnerability Insight:
+ Multiple flaws are due to,
+ - the browser incorrectly interpreting the origin of scripts when setting the
+ Window location object.
+ - the browser incorrectly interpreting the origin of scripts when handling
+ certain HTML elements.
+ - the browser incorrectly interpreting the origin of scripts when handling
+ certain events.
+ - a memory corruption error when the browser attempts to access an object
+ which has not been initialized or has been deleted.
+ - a memory corruption error when the browser attempts to access uninitialized
+ memory while processing certain HTML objects.
+
+ Impact: Successful exploitation could allow attackers to execute arbitrary
+ code via a malicious web page and can gain access to a browser window in
+ another domain leading read cookies or cross domain scripting attacks.
+
+ Impact Level: System
+
+ Affected Software/OS:
+ Internet Explorer 5.01 & 6 on MS Windows 2000
+ Internet Explorer 6 on MS Windows 2003 and XP
+ Internet Explorer 7 on MS Windows 2003 and XP
+
+ Fix: Run Windows Update and update the listed hotfixes or download and
+ update mentioned hotfixes in the advisory from the below link,
+ http://www.microsoft.com/technet/security/bulletin/ms08-058.mspx
+
+ References: http://www.microsoft.com/technet/security/bulletin/ms08-058.mspx
+
+ CVSS Score:
+ CVSS Base Score : 9.3 (AV:N/AC:M/Au:NR/C:C/I:C/A:C)
+ CVSS Temporal Score : 6.9
+ Risk factor : High";
+
+ script_description(english:desc["english"]);
+ script_dependencies("secpod_reg_enum.nasl");
+ exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("secpod_smb_func.inc");
+
+if(hotfix_check_sp(xp:4, win2k:5, win2003:3) <= 0){
+ exit(0);
+}
+
+ieVer = registry_get_sz(key:"SOFTWARE\Microsoft\Internet Explorer",
+ item:"Version");
+if(!ieVer){
+ ieVer = registry_get_sz(item:"IE",
+ key:"SOFTWARE\Microsoft\Internet Explorer\Version Vector");
+}
+
+if(!ieVer){
+ exit(0);
+}
+
+if(hotfix_missing(name:"956390") == 0){
+ exit(0);
+}
+
+dllPath = registry_get_sz(item:"Install Path",
+ key:"SOFTWARE\Microsoft\COM3\Setup");
+
+dllPath += "\mshtml.dll";
+share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:dllPath);
+file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1", string:dllPath);
+
+vers = GetVer(file:file, share:share);
+if(!vers){
+ exit(0);
+}
+
+if(hotfix_check_sp(win2k:5) > 0)
+{
+ # Check for IE version 5
+ if(ereg(pattern:"^5\..*", string:ieVer))
+ {
+ # Grep < 5.0.3868.2000
+ if(ereg(pattern:"^(5\.0?0\.(([0-2]?[0-9]?[0-9]?[0-9]|3?([0-7]?"+
+ "[0-9]?[0-9]|8?([0-5]?[0-9]|6[0-7])))(\..*)|"+
+ "3868\.[01]?[0-9]?[0-9]?[0-9]))$", string:vers)){
+ security_hole(0);
+ }
+ exit(0);
+ }
+
+ # Check for IE version 6
+ if(ereg(pattern:"^6\..*", string:ieVer))
+ {
+ # Grep < 6.0.2800.1615
+ if(ereg(pattern:"^(6\.0?0\.(([01]?[0-9]?[0-9]?[0-9]|2?([0-7]?["+
+ "0-9]?[0-9]))(\..*)|2800\.(0?[0-9]?[0-9]?[0-"+
+ "9]|1([0-5][0-9][0-9]|6(0[0-9]|1[0-4])))))$",
+ string:vers)){
+ security_hole(0);
+ }
+ exit(0);
+ }
+}
+
+if(hotfix_check_sp(xp:4) > 0)
+{
+ SP = get_kb_item("SMB/WinXP/ServicePack");
+ # Check for IE version 6
+ if(ereg(pattern:"^6\..*", string:ieVer))
+ {
+ if("Service Pack 2" >< SP)
+ {
+ # Grep < 6.0.2900.3429
+ if(ereg(pattern:"^(6\.0?0\.(([01]?[0-9]?[0-9]?[0-9]|2?([0-8]?["+
+ "0-9]?[0-9]))(\..*)|2900\.([0-2]?[0-9]?[0-9]"+
+ "?[0-9]|3([0-3][0-9][0-9]|4([01][0-9]"+
+ "|2[0-8])))))$", string:vers)){
+ security_hole(0);
+ }
+ exit(0);
+ }
+ if("Service Pack 3" >< SP)
+ {
+ # Grep < 6.0.2900.5659
+ if(ereg(pattern:"^(6\.0?0\.(([01]?[0-9]?[0-9]?[0-9]|2?([0-8]?["+
+ "0-9]?[0-9]))(\..*)|2900\.([0-4]?[0-9]?[0-9]"+
+ "?[0-9]|5([0-5][0-9][0-9]|6([0-4][0-9]"+
+ "|5[0-8])))))$", string:vers)){
+ security_hole(0);
+ }
+ exit(0);
+ }
+ else security_hole(0);
+ }
+
+ # Check for IE version 7
+ if(ereg(pattern:"^7\..*", string:ieVer))
+ {
+ # Grep < 7.0.6000.16735
+ if(ereg(pattern:"^(7\.0?0\.([0-5]?[0-9]?[0-9]?[0-9]\..*|6000\."+
+ "(0?[0-9]?[0-9]?[0-9]?[0-9]|1([0-5][0-9]"+
+ "[0-9][0-9]|6([0-6][0-9][0-9]|7[0-2][0-9]|73[0-4])))))$",
+ string:vers)){
+ security_hole(0);
+ }
+ exit(0);
+ }
+}
+
+if(hotfix_check_sp(win2003:3) > 0)
+{
+ SP = get_kb_item("SMB/Win2003/ServicePack");
+ # Check for IE version 6
+ if(ereg(pattern:"^6\..*", string:ieVer))
+ {
+ if("Service Pack 1" >< SP)
+ {
+ # Grep < 6.0.3790.3194
+ if(ereg(pattern:"(6\.0?0\.(([0-2]?[0-9]?[0-9]?[0-9]|3([0-6]"+
+ "[0-9][0-9]|7[0-8][0-9]))(\..*)|3790\.([0"+
+ "-2]?[0-9]?[0-9]?[0-9]|3(0[0-9][0-9]|1(["+
+ "0-8][0-9]|9[0-3])))))$", string:vers)){
+ security_hole(0);
+ }
+ exit(0);
+ }
+
+ if("Service Pack 2" >< SP)
+ {
+ # Grep < 6.0.3790.4357
+ if(ereg(pattern:"(6\.0?0\.(([0-2]?[0-9]?[0-9]?[0-9]|3([0-6]"+
+ "[0-9][0-9]|7[0-8][0-9]))(\..*)|3790\.([0"+
+ "-3]?[0-9]?[0-9]?[0-9]|4([0-2][0-9][0-9]|3(["+
+ "0-4][0-9]|5[0-6])))))$", string:vers)){
+ security_hole(0);
+ }
+ exit(0);
+ }
+ else security_hole(0);
+ }
+ # Check for IE version 7
+ if(ereg(pattern:"^7\..*", string:ieVer))
+ {
+ # Grep < 7.0.6000.16735
+ if(ereg(pattern:"(7\.0?0\.([0-5]?[0-9]?[0-9]?[0-9]\..*|6000\."+
+ "(0?[0-9]?[0-9]?[0-9]?[0-9]|1([0-5][0-9]"+
+ "[0-9][0-9]|6([0-6][0-9][0-9]|7[0-2][0-9]|73[0-4])))))$",
+ string:vers)){
+ security_hole(0);
+ }
+ exit(0);
+ }
+}
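Review bot: `dllPath` from `registry_get_sz(item:"Install Path", key:"SOFTWARE\Microsoft\COM3\Setup")` is appended to and split into share and file without a null check, unlike `ieVer` just above and the equivalent lookups in the sibling scripts of this commit; add `if(!dllPath){ exit(0); }` before `dllPath += "\mshtml.dll";`. Separately, the three Windows 2003 patterns (the two `6\.0?0\.` ones under Service Pack 1/2 and the `7\.0?0\.` one) lack the leading `^` every other pattern in the file carries, so they match anywhere inside the version string rather than from its start; add `^` for consistency. The unconditional `else security_hole(0);` in the XP and 2003 IE6 branches fires when the `ServicePack` KB entry is absent or unrecognised without any version comparison — if that is intended (unlisted service pack treated as unpatched once the hotfix is missing), a comment saying so would keep it from being read as a bug.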
Property changes on: trunk/openvas-plugins/scripts/secpod_ms08-058_900054.nasl
___________________________________________________________________
Name: svn:executable
+ *
Added: trunk/openvas-plugins/scripts/secpod_ms08-059_900049.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms08-059_900049.nasl 2008-10-15 12:40:51 UTC (rev 1549)
+++ trunk/openvas-plugins/scripts/secpod_ms08-059_900049.nasl 2008-10-15 17:56:48 UTC (rev 1550)
@@ -0,0 +1,104 @@
+##############################################################################
+#
+# Host Integration Server RPC Service Remote Code Execution Vulnerability (956695)
+#
+# Copyright: SecPod
+#
+# Date Written: 2008/10/15
+#
+# Revision: 1.0
+#
+# Log: schandan
+# Issue #0325
+# ------------------------------------------------------------------------
+# This program was written by SecPod and is licensed under the GNU GPL
+# license. Please refer to the below link for details,
+# http://www.gnu.org/licenses/gpl.html
+# This header contains information regarding licensing terms under the GPL,
+# and information regarding obtaining source code from the Author.
+# Consequently, pursuant to section 3(c) of the GPL, you must accompany the
+# information found in this header with any distribution you make of this
+# Program.
+# ------------------------------------------------------------------------
+##############################################################################
+
+
+if(description)
+{
+ script_id(900049);
+ script_bugtraq_id(31620);
+ script_cve_id("CVE-2008-3466");
+ script_copyright(english:"Copyright (C) 2008 SecPod");
+ script_version("Revision: 1.0 ");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Windows");
+ script_name(english:"Host Integration Server RPC Service Remote Code Execution Vulnerability (956695)");
+ script_summary(english:"Check for Hotfix and version of Host Integration Server");
+ desc["english"] = "
+ MS08-059
+
+ Overview: This host has critical security update missing according to
+ Microsoft Bulletin MS08-059.
+
+ Vulnerability Insight:
+ The issue is due to an error in the SNA Remote Procedure Call (RPC) service.
+
+ Impact: Successful exploitation could allow local attackers to bypass the
+ authentication mechanism and can access administrative functionalities via
+ a specially crafted RPC request.
+
+ Impact Level: System
+
+ Affected Software/OS:
+ Microsoft Host Integration Server 2000/2004/2006 (Server) on Windows.
+ Microsoft Host Integration Server 2000/2004 (Client) on Windows.
+
+ Fix: Run Windows Update and update the listed hotfixes or download and
+ update mentioned hotfixes in the advisory from the below link,
+ http://www.microsoft.com/technet/security/bulletin/ms08-059.mspx
+
+ References: http://www.microsoft.com/technet/security/bulletin/ms08-059.mspx
+
+ CVSS Score:
+ CVSS Base Score : 6.9 (AV:L/AC:M/Au:NR/C:C/I:C/A:C)
+ CVSS Temporal Score : 5.1
+ Risk factor : High";
+
+ script_description(english:desc["english"]);
+ script_dependencies("secpod_reg_enum.nasl");
+ exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("secpod_smb_func.inc");
+
+if(hotfix_check_sp(xp:4, win2k:5, win2003:3) <= 0){
+ exit(0);
+}
+
+if(!registry_key_exists(key:"SOFTWARE\Microsoft\Host Integration Server")){
+ exit(0);
+}
+
+if(hotfix_missing(name:"956695") == 0){
+ exit(0);
+}
+
+hisPath = registry_get_sz(item:"Path",
+ key:"SOFTWARE\Microsoft\Host Integration Server\ConfigFramework");
+if(!hisPath){
+ exit(0);
+}
+
+share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:hisPath);
+file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1",
+ string:hisPath + "system\Snarpcsv.exe");
+
+hisVer = GetVer(file:file, share:share);
+# Grep Snarpcsv.exe version < 7.0.2900.0
+if(ereg(pattern:"^7\.0\.([01]?[0-9]?[0-9]?[0-9]|2[0-8][0-9][0-9])\.0$",
+ string:hisVer)){
+ security_hole(0);
+}
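Review bot: The final pattern `^7\.0\.([01]?[0-9]?[0-9]?[0-9]|2[0-8][0-9][0-9])\.0$` only matches when the fourth version component is exactly `0`, so a Snarpcsv.exe at, say, 7.0.2850.12 (below the 7.0.2900.0 the comment names) is never reported; the trailing `\.0$` should be `\.[0-9]+$`. `hisVer` is also used without the `if(!hisVer){ exit(0); }` guard the sibling scripts apply after `GetVer`, so a failed SMB read falls through into the regex instead of exiting. Lastly, the description lists Host Integration Server 2000/2004/2006 while the pattern only covers a 7.0 file version; if the 2000/2004 builds carry a different major version — verify against the bulletin's file table — they are not detected, and a comment naming which product the 7.0 branch corresponds to would make that visible.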
Added: trunk/openvas-plugins/scripts/secpod_ms08-060_900050.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms08-060_900050.nasl 2008-10-15 12:40:51 UTC (rev 1549)
+++ trunk/openvas-plugins/scripts/secpod_ms08-060_900050.nasl 2008-10-15 17:56:48 UTC (rev 1550)
@@ -0,0 +1,109 @@
+##############################################################################
+#
+# Active Directory Could Allow Remote Code Execution Vulnerability (957280)
+#
+# Copyright: SecPod
+#
+# Date Written: 2008/10/15
+#
+# Revision: 1.1
+#
+# Log: schandan
+# Issue #0326
+# ------------------------------------------------------------------------
+# This program was written by SecPod and is licensed under the GNU GPL
+# license. Please refer to the below link for details,
+# http://www.gnu.org/licenses/gpl.html
+# This header contains information regarding licensing terms under the GPL,
+# and information regarding obtaining source code from the Author.
+# Consequently, pursuant to section 3(c) of the GPL, you must accompany the
+# information found in this header with any distribution you make of this
+# Program.
+# ------------------------------------------------------------------------
+##############################################################################
+
+
+if(description)
+{
+ script_id(900050);
+ script_bugtraq_id(31609);
+ script_cve_id("CVE-2008-4023");
+ script_copyright(english:"Copyright (C) 2008 SecPod");
+ script_version("Revision: 1.0 ");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Windows");
+ script_name(english:"Active Directory Could Allow Remote Code Execution Vulnerability (957280)");
+ script_summary(english:"Check for Hotfix and version of Active Directory");
+ desc["english"] = "
+ MS08-060
+
+ Overview: This host has critical security update missing according to
+ Microsoft Bulletin MS08-060.
+
+ Vulnerability Insight:
+ The flaw is due to an incorrect memory allocation when processing LDAP
+ and LDAPS requests.
+
+ Impact: Successful exploitation could result in buffer overflow via a
+ specially crafted request.
+
+ Impact Level: System
+
+ Affected Software/OS:
+ Microsoft Windows 2000 Server Service Pack 4 and prior.
+
+ Fix: Run Windows Update and update the listed hotfixes or download and
+ update mentioned hotfixes in the advisory from the below link,
+ http://www.microsoft.com/technet/security/bulletin/ms08-060.mspx
+
+ References: http://www.microsoft.com/technet/security/bulletin/ms08-060.mspx
+
+ CVSS Score:
+ CVSS Base Score : 9.3 (AV:N/AC:M/Au:NR/C:C/I:C/A:C)
+ CVSS Temporal Score : 6.9
+ Risk factor : High";
+
+ script_description(english:desc["english"]);
+ script_dependencies("secpod_reg_enum.nasl");
+ exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("secpod_smb_func.inc");
+
+if(hotfix_check_sp(win2k:5) <= 0){
+ exit(0);
+}
+
+# Active Directory
+if(!registry_key_exists(key:"SYSTEM\CurrentControlSet\Services\NTDS\Performance")){
+ exit(0);
+}
+
+# Check for Hotfix 957280 (MS08-060)
+if(hotfix_missing(name:"957280") == 0){
+ exit(0);
+}
+
+ntdsPath = registry_get_sz(key:"SOFTWARE\Microsoft\COM3\Setup",
+ item:"Install Path");
+if(!ntdsPath){
+ exit(0);
+}
+
+share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:ntdsPath);
+file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1",
+ string:ntdsPath + "\ntdsa.dll");
+
+ntdsVer = GetVer(file:file, share:share);
+if(!ntdsVer){
+ exit(0);
+}
+
+# Grep Snarpcsv.exe version < 5.0.2195.7178
+if(ereg(pattern:"^5\.0\.2195\.([0-6]?[0-9]?[0-9]?[0-9]|70[0-9][0-9]|" +
+ "71([0-6][0-9]|7[0-7]))$", string:ntdsVer)){
+ security_hole(ldapPort);
+}
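Review bot: `security_hole(ldapPort);` on the last line references `ldapPort`, which is never assigned anywhere in the script, so the finding is raised with a null port; every other script in this commit uses `security_hole(0)` and this one should too (or assign the port explicitly if an LDAP port is intended). The comment above the pattern, `# Grep Snarpcsv.exe version < 5.0.2195.7178`, is copied from the MS08-059 script and should read `# Grep for ntdsa.dll version < 5.0.2195.7178`. The file header says `Revision: 1.1` while `script_version` says `Revision: 1.0 ` — pick one.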
Added: trunk/openvas-plugins/scripts/secpod_ms08-061_900051.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms08-061_900051.nasl 2008-10-15 12:40:51 UTC (rev 1549)
+++ trunk/openvas-plugins/scripts/secpod_ms08-061_900051.nasl 2008-10-15 17:56:48 UTC (rev 1550)
@@ -0,0 +1,166 @@
+##############################################################################
+#
+# Windows Kernel Elevation of Privilege Vulnerability (954211)
+#
+# Copyright: SecPod
+#
+# Date Written: 2008/10/15
+#
+# Revision: 1.1
+#
+# Log: schandan
+# Issue #0331
+# ------------------------------------------------------------------------
+# This program was written by SecPod and is licensed under the GNU GPL
+# license. Please refer to the below link for details,
+# http://www.gnu.org/licenses/gpl.html
+# This header contains information regarding licensing terms under the GPL,
+# and information regarding obtaining source code from the Author.
+# Consequently, pursuant to section 3(c) of the GPL, you must accompany the
+# information found in this header with any distribution you make of this
+# Program.
+# ------------------------------------------------------------------------
+##############################################################################
+
+
+if(description)
+{
+ script_id(900051);
+ script_bugtraq_id(31651, 31652, 31653);
+ script_cve_id("CVE-2008-2250", "CVE-2008-2251", "CVE-2008-2252");
+ script_copyright(english:"Copyright (C) 2008 SecPod");
+ script_version("Revision: 1.1 ");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Windows");
+ script_name(english:"Windows Kernel Elevation of Privilege Vulnerability (954211)");
+ script_summary(english:"Check for Hotfix and version of Windows Kernel File");
+ desc["english"] = "
+ MS08-061
+
+ Overview: This host has critical security update missing according to
+ Microsoft Bulletin MS08-061.
+
+ Vulnerability Insight:
+ Multiple flaws are due to,
+ - an error within the processing of window properties passed from
+ a parent to a child window when a new window is created.
+ - an error while processing unspecified user mode input.
+ - a double-free error within the handling of system calls from multiple
+ threads.
+
+ Impact: Successfull local exploitation could result in denial of service
+ condition due to memory corruption and can execute arbitrary code with
+ elevated privileges.
+
+ Impact Level: System
+
+ Affected Software/OS:
+ Microsoft Windows 2K Service Pack 4 and prior.
+ Microsoft Windows XP Service Pack 3 and prior.
+ Microsoft Windows 2003 Service Pack 2 and prior.
+
+ Fix: Run Windows Update and update the listed hotfixes or download and
+ update mentioned hotfixes in the advisory from the below link,
+ http://www.microsoft.com/technet/security/bulletin/ms08-061.mspx
+
+ References: http://www.microsoft.com/technet/security/bulletin/ms08-061.mspx
+
+ CVSS Score:
+ CVSS Base Score : 4.6 (AV:L/AC:L/Au:NR/C:P/I:P/A:P)
+ CVSS Temporal Score : 3.4
+ Risk factor : Medium";
+
+ script_description(english:desc["english"]);
+ script_dependencies("secpod_reg_enum.nasl");
+ exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("secpod_smb_func.inc");
+
+if(hotfix_check_sp(win2k:5, xp:4, win2003:3) <= 0){
+ exit(0);
+}
+
+# Check for Hotfix 954211 (MS08-061)
+if(hotfix_missing(name:"954211") == 0){
+ exit(0);
+}
+
+sysPath = registry_get_sz(key:"SOFTWARE\Microsoft\COM3\Setup",
+ item:"Install Path");
+if(!sysPath){
+ exit(0);
+}
+
+share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:sysPath);
+file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1",
+ string:sysPath + "\Win32k.sys");
+
+sysVer = GetVer(file:file, share:share);
+if(!sysVer){
+ exit(0);
+}
+
+# Windows 2K
+if(hotfix_check_sp(win2k:5) > 0)
+{
+ # Grep for Win32k.sys version < 5.0.2195.7194
+ if(egrep(pattern:"^5\.0\.2195\.([0-6]?[0-9]?[0-9]?[0-9]|7(0[0-9][0-9]|" +
+ "1[0-8][0-9]|19[0-3]))$", string:sysVer)){
+ security_warning(0);
+ }
+ exit(0);
+}
+
+# Windows XP
+if(hotfix_check_sp(xp:4) > 0)
+{
+ SP = get_kb_item("SMB/WinXP/ServicePack");
+ if("Service Pack 2" >< SP)
+ {
+ # Grep for Win32k.sys < 5.1.2600.3446
+ if(egrep(pattern:"^5\.1\.2600\.([0-2]?[0-9]?[0-9]?[0-9]|3([0-3][0-9][0-9]|" +
+ "4([0-3][0-9]|4[0-5])))$", string:sysVer)){
+ security_warning(0);
+ }
+ exit(0);
+ }
+ else if("Service Pack 3" >< SP)
+ {
+ # Grep for Win32k.sys < 5.1.2600.5676
+ if(egrep(pattern:"^5\.1\.2600\.([0-4]?[0-9]?[0-9]?[0-9]|5([0-5][0-9][0-9]|" +
+ "6([0-6][0-9]|7[0-5])))$", string:sysVer)){
+ security_warning(0);
+ }
+ exit(0);
+ }
+ security_warning(0);
+}
+
+# Windows 2003
+if(hotfix_check_sp(win2003:3) > 0)
+{
+ SP = get_kb_item("SMB/Win2003/ServicePack");
+ if("Service Pack 1" >< SP)
+ {
+ # Grep for Win32k.sys version < 5.2.3790.3212
+ if(egrep(pattern:"^5\.2\.3790\.([0-2]?[0-9]?[0-9]?[0-9]|3([01][0-9][0-9]|" +
+ "2(0[0-9]|1[01])))$", string:sysVer)){
+ security_warning(0);
+ }
+ exit(0);
+ }
+ else if("Service Pack 2" >< SP)
+ {
+ # Grep for Win32k.sys version < 5.2.3790.4375
+ if(egrep(pattern:"^5\.2\.3790\.([0-3]?[0-9]?[0-9]?[0-9]|4([0-2][0-9][0-9]|" +
+ "3([0-6][0-9]|7[0-4])))$", string:sysVer)){
+ security_warning(0);
+ }
+ exit(0);
+ }
+ security_warning(0);
+}
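Review bot: In the XP and 2003 branches the trailing `security_warning(0);` (after the SP2/SP3 and SP1/SP2 blocks) is reached whenever the `ServicePack` KB entry is missing or holds an unexpected value, so such hosts are reported vulnerable without any Win32k.sys version comparison; the same fall-through exists in the MS08-062 script of this commit. If the intent is that a service pack not listed in the bulletin's file table is treated as unpatched once hotfix 954211 is absent, say so in a comment, e.g. `# No SP-specific build to compare against; hotfix 954211 is missing, so report`; otherwise `exit(0)` there. The Impact paragraph also misspells `Successfull`.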
Added: trunk/openvas-plugins/scripts/secpod_ms08-062_900052.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms08-062_900052.nasl 2008-10-15 12:40:51 UTC (rev 1549)
+++ trunk/openvas-plugins/scripts/secpod_ms08-062_900052.nasl 2008-10-15 17:56:48 UTC (rev 1550)
@@ -0,0 +1,163 @@
+##############################################################################
+#
+# Windows Internet Printing Service Allow Remote Code Execution Vulnerability (953155)
+#
+# Copyright: SecPod
+#
+# Date Written: 2008/10/15
+#
+# Revision: 1.1
+#
+# Log: schandan
+# Issue #0333
+# ------------------------------------------------------------------------
+# This program was written by SecPod and is licensed under the GNU GPL
+# license. Please refer to the below link for details,
+# http://www.gnu.org/licenses/gpl.html
+# This header contains information regarding licensing terms under the GPL,
+# and information regarding obtaining source code from the Author.
+# Consequently, pursuant to section 3(c) of the GPL, you must accompany the
+# information found in this header with any distribution you make of this
+# Program.
+# ------------------------------------------------------------------------
+##############################################################################
+
+
+if(description)
+{
+ script_id(900052);
+ script_bugtraq_id(31682);
+ script_cve_id("CVE-2008-1446");
+ script_copyright(english:"Copyright (C) 2008 SecPod");
+ script_version("Revision: 1.1 ");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Windows");
+ script_name(english:"Windows Internet Printing Service Allow Remote Code Execution Vulnerability (953155)");
+ script_summary(english:"Check for Hotfix and version of Internet Printing Service");
+ desc["english"] = "
+ MS08-062
+
+ Overview: This host has critical security update missing according to
+ Microsoft Bulletin MS08-062.
+
+ Vulnerability Insight:
+ The flaw is caused due to an integer overflow error within the IPP
+ (Internet Printing Protocol) ISAPI extension for IIS when processing
+ specially crafted IPP responses.
+
+ Impact: Successful exploitation result in execution of arbitrary code by
+ tricking Web Server into visting to a malicious IPP server via a specially
+ crafted HTTP POST request.
+
+ Impact Level: System
+
+ Affected Software/OS:
+ Microsoft Windows 2K Service Pack 4 and prior.
+ Microsoft Windows XP Service Pack 3 and prior.
+ Microsoft Windows 2003 Service Pack 2 and prior.
+
+ Fix: Run Windows Update and update the listed hotfixes or download and
+ update mentioned hotfixes in the advisory from the below link,
+ http://www.microsoft.com/technet/security/bulletin/ms08-062.mspx
+
+ References: http://www.microsoft.com/technet/security/bulletin/ms08-062.mspx
+
+ CVSS Score:
+ CVSS Base Score : 6.8 (AV:N/AC:M/Au:NR/C:P/I:P/A:P)
+ CVSS Temporal Score : 5.0
+ Risk factor : Medium";
+
+ script_description(english:desc["english"]);
+ script_dependencies("secpod_reg_enum.nasl");
+ exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("secpod_smb_func.inc");
+
+if(hotfix_check_sp(win2k:5, xp:4, win2003:3) <= 0){
+ exit(0);
+}
+
+# Check Hotfix Missing 953155 (MS08-062)
+if(hotfix_missing(name:"953155") == 0){
+ exit(0);
+}
+
+sysPath = registry_get_sz(key:"SOFTWARE\Microsoft\COM3\Setup",
+ item:"Install Path");
+if(!sysPath){
+ exit(0);
+}
+
+share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:sysPath);
+file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1",
+ string:sysPath + "\Win32spl.dll");
+
+sysVer = GetVer(file:file, share:share);
+if(!sysVer){
+ exit(0);
+}
+
+# Windows 2K
+if(hotfix_check_sp(win2k:5) > 0)
+{
+ # Grep for Win32spl.dll version < 5.0.2195.7188
+ if(egrep(pattern:"^5\.0\.2195\.([0-6]?[0-9]?[0-9]?[0-9]|7(0[0-9][0-9]|" +
+ "1[0-7][0-9]|18[0-7]))$", string:sysVer)){
+ security_warning(0);
+ }
+ exit(0);
+}
+
+# Windows XP
+if(hotfix_check_sp(xp:4) > 0)
+{
+ SP = get_kb_item("SMB/WinXP/ServicePack");
+ if("Service Pack 2" >< SP)
+ {
+ # Grep for Win32spl.dll < 5.1.2600.3435
+ if(egrep(pattern:"^5\.1\.2600\.([0-2]?[0-9]?[0-9]?[0-9]|3([0-3][0-9][0-9]|" +
+ "4([0-2][0-9]|3[0-4])))$", string:sysVer)){
+ security_warning(0);
+ }
+ exit(0);
+ }
+ else if("Service Pack 3" >< SP)
+ {
+ # Grep for Win32spl.dll < 5.1.2600.5664
+ if(egrep(pattern:"^5\.1\.2600\.([0-4]?[0-9]?[0-9]?[0-9]|5([0-5][0-9][0-9]|" +
+ "6([0-5][0-9]|6[0-3])))$", string:sysVer)){
+ security_warning(0);
+ }
+ exit(0);
+ }
+ security_warning(0);
+}
+
+# Windows 2003
+if(hotfix_check_sp(win2003:3) > 0)
+{
+ SP = get_kb_item("SMB/Win2003/ServicePack");
+ if("Service Pack 1" >< SP)
+ {
+ # Grep for Win32spl.dll version < 5.2.3790.3208
+ if(egrep(pattern:"^5\.2\.3790\.([0-2]?[0-9]?[0-9]?[0-9]|3([01][0-9][0-9]|" +
+ "20[0-7]))$", string:sysVer)){
+ security_warning(0);
+ }
+ exit(0);
+ }
+ else if("Service Pack 2" >< SP)
+ {
+ # Grep for Win32spl.dll version < 5.2.3790.4371
+ if(egrep(pattern:"^5\.2\.3790\.([0-3]?[0-9]?[0-9]?[0-9]|4([0-2][0-9][0-9]|" +
+ "3([0-6][0-9]|70)))$", string:sysVer)){
+ security_warning(0);
+ }
+ exit(0);
+ }
+ security_warning(0);
+}
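Review bot: The Impact paragraph in `desc["english"]` has wording that reaches the report: `tricking Web Server into visting to a malicious IPP server` should read `tricking the web server into visiting a malicious IPP server`. The check reports on the Win32spl.dll build alone; if the bulletin scopes exploitability to hosts where IIS with Internet Printing is enabled — verify — a comment such as `# Reports the missing update from the Win32spl.dll build; does not check whether IPP is enabled` would set expectations for readers of the result.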
Added: trunk/openvas-plugins/scripts/secpod_ms08-063_900053.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms08-063_900053.nasl 2008-10-15 12:40:51 UTC (rev 1549)
+++ trunk/openvas-plugins/scripts/secpod_ms08-063_900053.nasl 2008-10-15 17:56:48 UTC (rev 1550)
@@ -0,0 +1,161 @@
+##############################################################################
+#
+# SMB Remote Code Execution Vulnerability (957095)
+#
+# Copyright: SecPod
+#
+# Date Written: 2008/10/15
+#
+# Revision: 1.1
+#
+# Log: schandan
+# Issue #0334
+# ------------------------------------------------------------------------
+# This program was written by SecPod and is licensed under the GNU GPL
+# license. Please refer to the below link for details,
+# http://www.gnu.org/licenses/gpl.html
+# This header contains information regarding licensing terms under the GPL,
+# and information regarding obtaining source code from the Author.
+# Consequently, pursuant to section 3(c) of the GPL, you must accompany the
+# information found in this header with any distribution you make of this
+# Program.
+# ------------------------------------------------------------------------
+##############################################################################
+
+
+if(description)
+{
+ script_id(900053);
+ script_bugtraq_id(31647);
+ script_cve_id("CVE-2008-4038");
+ script_copyright(english:"Copyright (C) 2008 SecPod");
+ script_version("Revision: 1.0");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Windows");
+ script_name(english:"SMB Remote Code Execution Vulnerability (957095)");
+ script_summary(english:"Check for Hotfix and version of SMB");
+ desc["english"] = "
+ MS08-063
+
+ Overview: This host has critical security update missing according to
+ Microsoft Bulletin MS08-063.
+
+ Vulnerability Insight:
+ The issue is caused due to an input validation error in the handling of
+ file names in the Microsoft SMB (Server Message Block) protocol.
+
+ Impact: Successful exploitation could allow remote attackers to cause
+ a buffer underflow.
+
+ Impact Level: System/Network
+
+ Affected Software/OS:
+ Microsoft Windows 2K Service Pack 4 and prior.
+ Microsoft Windows XP Service Pack 3 and prior.
+ Microsoft Windows 2003 Service Pack 2 and prior.
+
+ Fix: Run Windows Update and update the listed hotfixes or download and
+ update mentioned hotfixes in the advisory from the below link,
+ http://www.microsoft.com/technet/security/bulletin/ms08-063.mspx
+
+ References: http://www.microsoft.com/technet/security/bulletin/ms08-063.mspx
+
+ CVSS Score:
+ CVSS Base Score : 7.1 (AV:N/AC:M/Au:NR/C:N/I:N/A:C)
+ CVSS Temporal Score : 5.3
+ Risk factor : High";
+
+ script_description(english:desc["english"]);
+ script_dependencies("secpod_reg_enum.nasl");
+ exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("secpod_smb_func.inc");
+
+if(hotfix_check_sp(win2k:5, xp:4, win2003:3) <= 0){
+ exit(0);
+}
+
+# Check Hotfix Missing 957095 (MS08-063)
+if(hotfix_missing(name:"957095") == 0){
+ exit(0);
+}
+
+sysPath = registry_get_sz(key:"SOFTWARE\Microsoft\COM3\Setup",
+ item:"Install Path");
+if(!sysPath){
+ exit(0);
+}
+
+share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:sysPath);
+file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1",
+ string:sysPath + "\drivers\Srv.sys");
+
+sysVer = GetVer(file:file, share:share);
+if(!sysVer){
+ exit(0);
+}
+
+# Windows 2K
+if(hotfix_check_sp(win2k:5) > 0)
+{
+ # Grep for Srv.sys version < 5.0.2195.7177
+ if(egrep(pattern:"^5\.0\.2195\.([0-6]?[0-9]?[0-9]?[0-9]|7(0[0-9][0-9]|" +
+ "1[0-6][0-9]|17[0-6]))$", string:sysVer)){
+ security_hole(0);
+ }
+ exit(0);
+}
+
+# Windows XP
+if(hotfix_check_sp(xp:4) > 0)
+{
+ SP = get_kb_item("SMB/WinXP/ServicePack");
+ if("Service Pack 2" >< SP)
+ {
+ # Grep for Srv.sys < 5.1.2600.3436
+ if(egrep(pattern:"^5\.1\.2600\.([0-2]?[0-9]?[0-9]?[0-9]|3([0-3][0-9][0-9]|" +
+ "4([0-2][0-9]|3[0-5])))$", string:sysVer)){
+ security_hole(0);
+ }
+ exit(0);
+ }
+ else if("Service Pack 3" >< SP)
+ {
+ # Grep for Srv.sys < 5.1.2600.5671
+ if(egrep(pattern:"^5\.1\.2600\.([0-4]?[0-9]?[0-9]?[0-9]|5([0-5][0-9][0-9]|" +
+ "6([0-6][0-9]|70)))$", string:sysVer)){
+ security_hole(0);
+ }
+ exit(0);
+ }
+ security_hole(0);
+}
+
+# Windows 2003
+if(hotfix_check_sp(win2003:3) > 0)
+{
+ SP = get_kb_item("SMB/Win2003/ServicePack");
+ if("Service Pack 1" >< SP)
+ {
+ # Grep for Srv.sys version < 5.2.3790.3200
+ if(egrep(pattern:"^5\.2\.3790\.([0-2]?[0-9]?[0-9]?[0-9]|3[01][0-9][0-9])$",
+ string:sysVer)){
+ security_hole(0);
+ }
+ exit(0);
+ }
+ else if("Service Pack 2" >< SP)
+ {
+ # Grep for Srv.sys version < 5.2.3790.4363
+ if(egrep(pattern:"^5\.2\.3790\.([0-3]?[0-9]?[0-9]?[0-9]|4([0-2][0-9][0-9]|" +
+ "3([0-5][0-9]|6[0-2])))$", string:sysVer)){
+ security_hole(0);
+ }
+ exit(0);
+ }
+ security_hole(0);
+}
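Review bot: The version stamp `script_version("Revision: 1.0");` disagrees with the file header's `# Revision: 1.1` a few lines above; make them agree so the feed can tell which revision of 900053 is installed. The description is also internally inconsistent: the title says Remote Code Execution, the CVSS vector `AV:N/AC:M/Au:NR/C:N/I:N/A:C` describes an availability-only impact, and the Impact paragraph only mentions a buffer underflow — take the vector and impact wording from the bulletin so the three agree. Finally, the bare `security_hole(0);` after the `else if("Service Pack 3" >< SP)` block (and its twin after the 2003 SP2 branch) reports the host with no Srv.sys version comparison whenever the ServicePack KB item is unset or names another SP, backed only by `hotfix_missing()`; either `exit(0)` there or add `# Unknown SP: report on the missing hotfix alone` so the intent is recorded.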
Added: trunk/openvas-plugins/scripts/secpod_ms08-064_900225.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms08-064_900225.nasl 2008-10-15 12:40:51 UTC (rev 1549)
+++ trunk/openvas-plugins/scripts/secpod_ms08-064_900225.nasl 2008-10-15 17:56:48 UTC (rev 1550)
@@ -0,0 +1,148 @@
+##############################################################################
+#
+# Virtual Address Descriptor Manipulation Elevation of Privilege Vulnerability (956841)
+#
+# Copyright: SecPod
+#
+# Date Written: 2008/10/15
+#
+# Revision: 1.0
+#
+# Log: veerendragg
+# Issue #0329
+# ------------------------------------------------------------------------
+# This program was written by SecPod and is licensed under the GNU GPL
+# license. Please refer to the below link for details,
+# http://www.gnu.org/licenses/gpl.html
+# This header contains information regarding licensing terms under the GPL,
+# and information regarding obtaining source code from the Author.
+# Consequently, pursuant to section 3(c) of the GPL, you must accompany the
+# information found in this header with any distribution you make of this
+# Program.
+# ------------------------------------------------------------------------
+##############################################################################
+
+
+if(description)
+{
+ script_id(900225);
+ script_bugtraq_id(31675);
+ script_cve_id("CVE-2008-4036");
+ script_copyright(english:"Copyright (C) 2008 SecPod");
+ script_version("Revision: 1.0 ");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Windows");
+ script_name(english:"Virtual Address Descriptor Manipulation Elevation of Privilege Vulnerability (956841)");
+ script_summary(english:"Check for the Hotfix and version of MS08-064");
+ desc["english"] = "
+ MS08-064
+
+ Overview: This host is missing important security update according to
+ Microsoft Bulletin MS08-064.
+
+ Vulnerability Insight:
+ The flaw exists due to the way that Memory Manager handles memory allocation
+ and Virtual Address Descriptors (VADs).
+
+ Impact: Successful exploitation could allow elevation of privilege and can
+ cause a memory allocation mapping error and corrupt memory on affected system.
+
+ Impact Level: System
+
+ Affected Software/OS:
+ Microsoft Windows XP Service Pack 3 and prior.
+ Microsoft Windows Server 2003 Service Pack 2 and prior.
+
+ Fix: Run Windows Update and update the listed hotfixes or download and
+ update mentioned hotfixes in the advisory from the below link.
+ http://www.microsoft.com/technet/security/Bulletin/MS08-064.mspx
+
+ References : http://www.microsoft.com/technet/security/Bulletin/MS08-064.mspx
+
+ CVSS Score:
+ CVSS Base Score : 6.8 (AV:L/AC:L/Au:SI/C:C/I:C/A:C)
+ CVSS Temporal Score : 5.0
+ Risk factor : Medium";
+
+ script_description(english:desc["english"]);
+ script_dependencies("secpod_reg_enum.nasl");
+ exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("secpod_smb_func.inc");
+
+if(hotfix_check_sp(xp:4, win2003:3) <= 0){
+ exit(0);
+}
+
+# Check for Hotfix 956841 (MS08-064).
+if(hotfix_missing(name:"956841") == 0){
+ exit(0);
+}
+
+# Get System32 Path
+sysPath = registry_get_sz(key:"SOFTWARE\Microsoft\COM3\Setup",
+ item:"Install Path");
+if(!sysPath){
+ exit(0);
+}
+
+exePath = sysPath + "\Ntoskrnl.exe";
+share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:exePath);
+file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1", string:exePath);
+
+fileVer = GetVer(file:file, share:share);
+if(fileVer == NULL){
+ exit(0);
+}
+
+if(hotfix_check_sp(xp:4) > 0)
+{
+ SP = get_kb_item("SMB/WinXP/ServicePack");
+ if("Service Pack 2" >< SP)
+ {
+ # Grep Ntoskrnl.exe version < 5.1.2600.3427
+ if(egrep(pattern:"^5\.1\.2600\.([0-2]?[0-9]?[0-9]?[0-9]|3([0-3][0-9]" +
+ "[0-9]|4([01][0-9]|2[0-6])))$", string:fileVer)){
+ security_warning(0);
+ }
+ exit(0);
+ }
+ else if("Service Pack 3" >< SP)
+ {
+ # Grep Ntoskrnl.exe version < 5.1.2600.5657
+ if(egrep(pattern:"^5\.1\.2600\.([0-4]?[0-9]?[0-9]?[0-9]|5([0-5][0-9]" +
+ "[0-9]|6([0-4][0-9]|5[0-6])))$", string:fileVer)){
+ security_warning(0);
+ }
+ exit(0);
+ }
+ security_warning(0);
+}
+
+if(hotfix_check_sp(win2003:3) > 0)
+{
+ SP = get_kb_item("SMB/Win2003/ServicePack");
+ if("Service Pack 1" >< SP)
+ {
+ # Grep Ntoskrnl.exe version < 5.2.3790.3191
+ if(egrep(pattern:"^5\.2\.3790\.([0-2]?[0-9]?[0-9]?[0-9]|3(0[0-9][0-9]" +
+ "|1([0-8][0-9]|90)))$", string:fileVer)){
+ security_warning(0);
+ }
+ exit(0);
+ }
+ else if("Service Pack 2" >< SP)
+ {
+ # Grep Ntoskrnl.exe version < 5.2.3790.4354
+ if(egrep(pattern:"^5\.2\.3790\.([0-3]?[0-9]?[0-9]?[0-9]|4([0-2][0-9]" +
+ "[0-9]|3([0-4][0-9]|5[0-3])))$", string:fileVer)){
+ security_warning(0);
+ }
+ exit(0);
+ }
+ security_warning(0);
+}
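Review bot: The unconditional `security_warning(0);` that follows the XP `else if("Service Pack 3" >< SP)` block fires with no Ntoskrnl.exe version comparison whenever `SMB/WinXP/ServicePack` is unset or names a different service pack, and the Win2003 block ends the same way; with only `hotfix_missing()` behind it this is a likely false positive when the registry enumeration was incomplete. Either replace those two lines with `exit(0);` or add a comment such as `# Unknown SP: report on the missing hotfix alone` so a later maintainer knows it is deliberate. Also `script_version("Revision: 1.0 ");` carries a trailing space inside the string, which a version comparison in the feed may not strip; drop it.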
Added: trunk/openvas-plugins/scripts/secpod_ms08-065_900224.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms08-065_900224.nasl 2008-10-15 12:40:51 UTC (rev 1549)
+++ trunk/openvas-plugins/scripts/secpod_ms08-065_900224.nasl 2008-10-15 17:56:48 UTC (rev 1550)
@@ -0,0 +1,112 @@
+##############################################################################
+#
+# Message Queuing Remote Code Execution Vulnerability (951071)
+#
+# Copyright: SecPod
+#
+# Date Written: 2008/10/15
+#
+# Revision: 1.0
+#
+# Log: veerendragg
+# Issue #0328
+# ------------------------------------------------------------------------
+# This program was written by SecPod and is licensed under the GNU GPL
+# license. Please refer to the below link for details,
+# http://www.gnu.org/licenses/gpl.html
+# This header contains information regarding licensing terms under the GPL,
+# and information regarding obtaining source code from the Author.
+# Consequently, pursuant to section 3(c) of the GPL, you must accompany the
+# information found in this header with any distribution you make of this
+# Program.
+# ------------------------------------------------------------------------
+##############################################################################
+
+
+if(description)
+{
+ script_id(900224);
+ script_bugtraq_id(31637);
+ script_cve_id("CVE-2008-3479");
+ script_copyright(english:"Copyright (C) 2008 SecPod");
+ script_version("Revision: 1.0 ");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Windows");
+ script_name(english:"Message Queuing Remote Code Execution Vulnerability (951071)");
+ script_summary(english:"Check for the Hotfix and version of Message Queue component");
+ desc["english"] = "
+ MS08-065
+
+ Overview: This host is missing important security update according to
+ Microsoft Bulletin MS08-065.
+
+ Vulnerability Insight:
+ The flaw exists due to a boundary error when parsing RPC requests to the
+ Message Queuing (MSMQ).
+
+ Impact: Successful exploitation could allow remote code execution by
+ sending a specially crafted RPC request and can take complete control
+ of an affected system.
+
+ Impact Level: System
+
+ Affected Software/OS:
+ Microsoft Windows 2000 Service Pack 4 and prior.
+
+ Fix: Run Windows Update and update the listed hotfixes or download and
+ update mentioned hotfixes in the advisory from the below link.
+ http://www.microsoft.com/technet/security/Bulletin/MS08-065.mspx
+
+ References: http://www.microsoft.com/technet/security/Bulletin/MS08-065.mspx
+
+ CVSS Score:
+ CVSS Base Score : 10.0 (AV:N/AC:L/Au:NR/C:C/I:C/A:C)
+ CVSS Temporal Score : 7.4
+ Risk factor : High";
+
+ script_description(english:desc["english"]);
+ script_dependencies("secpod_reg_enum.nasl");
+ exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("secpod_smb_func.inc");
+
+if(hotfix_check_sp(win2k:5) <= 0){
+ exit(0);
+}
+
+msmqIns = registry_get_sz(key:"SOFTWARE\Microsoft\MSMQ\Parameters",
+ item:"CurrentBuild");
+if(!msmqIns){
+ exit(0);
+}
+
+# Check for Hotfix 951071 (MS08-065).
+if(hotfix_missing(name:"951071") == 0){
+ exit(0);
+}
+
+# Get System32 Path
+sysPath = registry_get_sz(key:"SOFTWARE\Microsoft\COM3\Setup",
+ item:"Install Path");
+if(!sysPath){
+ exit(0);
+}
+
+exePath = sysPath + "\Mqsvc.exe";
+share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:exePath);
+file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1", string:exePath);
+
+fileVer = GetVer(file:file, share:share);
+if(fileVer == NULL){
+ exit(0);
+}
+
+# Grep Mqsvc.exe version < 5.0.0.807
+if(egrep(pattern:"^(5\.0\.0\.([0-7]?[0-9]?[0-9]|80[0-6]))$",
+ string:fileVer)){
+ security_warning(0);
+}
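Review bot: The final `security_warning(0);` reports a finding that the plugin's own description rates CVSS 10.0, Risk factor High and remote code execution, while the MS08-063 plugin in this same commit reports its 7.1 finding with `security_hole(0)`; use `security_hole(0);` here so the reported severity matches the stated risk. The MSMQ gate reads `CurrentBuild` from `SOFTWARE\Microsoft\MSMQ\Parameters` and exits silently when it is absent, which is the right behaviour but reads like a failed lookup; a one-line comment `# MSMQ not installed: host not affected` at that `exit(0)` would make it explicit.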
Added: trunk/openvas-plugins/scripts/secpod_ms08-066_900223.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms08-066_900223.nasl 2008-10-15 12:40:51 UTC (rev 1549)
+++ trunk/openvas-plugins/scripts/secpod_ms08-066_900223.nasl 2008-10-15 17:56:48 UTC (rev 1550)
@@ -0,0 +1,148 @@
+##############################################################################
+#
+# Microsoft Ancillary Function Driver Elevation of Privilege Vulnerability (956803)
+#
+# Copyright: SecPod
+#
+# Date Written: 2008/10/15
+#
+# Revision: 1.0
+#
+# Log: veerendragg
+# Issue #0327
+# ------------------------------------------------------------------------
+# This program was written by SecPod and is licensed under the GNU GPL
+# license. Please refer to the below link for details,
+# http://www.gnu.org/licenses/gpl.html
+# This header contains information regarding licensing terms under the GPL,
+# and information regarding obtaining source code from the Author.
+# Consequently, pursuant to section 3(c) of the GPL, you must accompany the
+# information found in this header with any distribution you make of this
+# Program.
+# ------------------------------------------------------------------------
+##############################################################################
+
+
+if(description)
+{
+ script_id(900223);
+ script_bugtraq_id(31673);
+ script_cve_id("CVE-2008-3464");
+ script_copyright(english:"Copyright (C) 2008 SecPod");
+ script_version("Revision: 1.0 ");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Windows");
+ script_name(english:"Microsoft Ancillary Function Driver Elevation of Privilege Vulnerability (956803)");
+ script_summary(english:"Check for the Hotfix and version of MS08-066");
+ desc["english"] = "
+ MS08-066
+
+ Overview: This host is missing important security update according to
+ Microsoft Bulletin MS08-066.
+
+ Vulnerability Insight:
+ The flaw exists due to the Ancillary Function Driver (afd.sys) not properly
+ checking user supplied memory ranges before writing to them into location.
+
+ Impact: Successful exploitation could allow an attacker to run arbitrary
+ code in kernal mode with elevated privileges and take complete control of
+ an affected system.
+
+ Impact Level: System
+
+ Affected Software/OS:
+ Microsoft Windows XP Service Pack 3 and prior.
+ Microsoft Windows Server 2003 Service Pack 2 and prior.
+
+ Fix: Run Windows Update and update the listed hotfixes or download and
+ update mentioned hotfixes in the advisory from the below link.
+ http://www.microsoft.com/technet/security/Bulletin/MS08-066.mspx
+
+ References: http://www.microsoft.com/technet/security/Bulletin/MS08-066.mspx
+
+ CVSS Score:
+ CVSS Base Score : 6.8 (AV:N/AC:M/Au:NR/C:P/I:P/A:P)
+ CVSS Temporal Score : 5.0
+ Risk factor : Medium";
+
+ script_description(english:desc["english"]);
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_keys("SMB/WindowsVersion");
+ exit(0);
+}
+
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("secpod_smb_func.inc");
+
+if(hotfix_check_sp(xp:4, win2003:3) <= 0){
+ exit(0);
+}
+
+sysFile = registry_get_sz(key:"SOFTWARE\Microsoft\COM3\Setup",
+ item:"Install Path");
+if(!sysFile){
+ exit(0);
+}
+
+# Check for Hotfix 956803 (MS08-066)
+if(hotfix_missing(name:"956803") == 0){
+ exit(0);
+}
+
+sysFile += "\drivers\Afd.sys";
+share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:sysFile);
+file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1", string:sysFile);
+
+fileVer = GetVer(file:file, share:share);
+if(fileVer == NULL){
+ exit(0);
+}
+
+if(hotfix_check_sp(xp:4) > 0)
+{
+ SP = get_kb_item("SMB/WinXP/ServicePack");
+ if("Service Pack 2" >< SP)
+ {
+ # Grep Afd.sys version < 5.1.2600.3427
+ if(egrep(pattern:"^5\.1\.2600\.([0-2]?[0-9]?[0-9]?[0-9]|3([0-3][0-9]" +
+ "[0-9]|4([01][0-9]|2[0-6])))$", string:fileVer)){
+ security_warning(0);
+ }
+ exit(0);
+ }
+ else if("Service Pack 3" >< SP)
+ {
+ # Grep Afd.sys version < 5.1.2600.5657
+ if(egrep(pattern:"^5\.1\.2600\.([0-4]?[0-9]?[0-9]?[0-9]|5([0-5][0-9]" +
+ "[0-9]|6([0-4][0-9]|5[0-6])))$", string:fileVer)){
+ security_warning(0);
+ }
+ exit(0);
+ }
+ security_warning(0);
+}
+
+if(hotfix_check_sp(win2003:3) > 0)
+{
+ SP = get_kb_item("SMB/Win2003/ServicePack");
+ if("Service Pack 1" >< SP)
+ {
+ # Grep Afd.sys version < 5.2.3790.3192
+ if(egrep(pattern:"^5\.2\.3790\.([0-2]?[0-9]?[0-9]?[0-9]|3(0[0-9][0-9]" +
+ "|1([0-8][0-9]|9[01])))$", string:fileVer)){
+ security_warning(0);
+ }
+ exit(0);
+ }
+ else if("Service Pack 2" >< SP)
+ {
+ # Grep Afd.sys version < 5.2.3790.4355
+ if(egrep(pattern:"^5\.2\.3790\.([0-3]?[0-9]?[0-9]?[0-9]|4([0-2][0-9]" +
+ "[0-9]|3([0-4][0-9]|5[0-4])))$", string:fileVer)){
+ security_warning(0);
+ }
+ exit(0);
+ }
+ security_warning(0);
+}
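Review bot: The CVSS vector `AV:N/AC:M/Au:NR/C:P/I:P/A:P` describes a network-reachable, partial-impact issue, which contradicts the plugin's own title and Impact text (a local afd.sys elevation of privilege giving kernel-mode code execution and complete control of the host); take the vector from the bulletin or CVE entry so the score and the prose agree. The Impact text also has a typo, `kernal mode` should read `kernel mode`. This plugin declares `script_require_keys("SMB/WindowsVersion");` while the other three new bulletin plugins in this commit do not; either they should gain it or it should be dropped here for consistency, since all of them depend on the same `secpod_reg_enum.nasl` output.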
Modified: trunk/openvas-plugins/scripts/secpod_office_products_version_900032.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_office_products_version_900032.nasl 2008-10-15 12:40:51 UTC (rev 1549)
+++ trunk/openvas-plugins/scripts/secpod_office_products_version_900032.nasl 2008-10-15 17:56:48 UTC (rev 1550)
@@ -26,7 +26,7 @@
if(description)
{
script_id(900032);
- script_version("$Revision: 1.1 $");
+ script_version("$Revision: 1.0 $");
script_category(ACT_GATHER_INFO);
script_family(english:"Windows");
script_name(english:"MS Office Products Version Detection");
@@ -118,7 +118,7 @@
wordFile += "\winword.exe";
share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:wordFile);
word = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1", string:wordFile);
- wordVer = Get_FileVersion(file:word, share:share, offset:-1500000);
+ wordVer = Get_FileVersion(file:word, share:share, offset:1500000);
if(wordVer){
set_kb_item(name:"SMB/Office/Word/Version", value:wordVer);
}
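Review bot: The `offset` argument to `Get_FileVersion()` flips sign from `-1500000` to `1500000` here and in the three identical hunks below for excel.exe, msaccess.exe and powerpnt.exe, with no comment saying what the sign means; the only visible documentation is the `.inc` header's "An offset can be sent indicating the start location", so whether a negative value was ever honoured cannot be told from this diff. Add a one-line comment at the call, e.g. `# start the version scan 1.5 MB in; Office binaries keep the version block far past the PE header`, and prefer one named constant over repeating the magic number four times. The revision hunk at the top of this file also moves `script_version` from 1.1 back to 1.0 while the behaviour changes; it should increase, not decrease.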
@@ -131,7 +131,7 @@
excelFile += "\excel.exe";
share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:excelFile);
excel = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1", string:excelFile);
- excelVer = Get_FileVersion(file:excel, share:share, offset:-1500000);
+ excelVer = Get_FileVersion(file:excel, share:share, offset:1500000);
if(excelVer){
set_kb_item(name:"SMB/Office/Excel/Version", value:excelVer);
}
@@ -144,7 +144,7 @@
accessFile += "\msaccess.exe";
share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:accessFile);
access = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1", string:accessFile);
- accessVer = Get_FileVersion(file:access, share:share, offset:-1500000);
+ accessVer = Get_FileVersion(file:access, share:share, offset:1500000);
if(accessVer){
set_kb_item(name:"SMB/Office/Access/Version", value:accessVer);
}
@@ -157,7 +157,7 @@
powerpointFile+= "\powerpnt.exe";
share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:powerpointFile);
power = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1", string:powerpointFile);
- powerPptVer = Get_FileVersion(file:power, share:share, offset:-1500000);
+ powerPptVer = Get_FileVersion(file:power, share:share, offset:1500000);
if(powerPptVer){
set_kb_item(name:"SMB/Office/PowerPnt/Version", value:powerPptVer);
}
Modified: trunk/openvas-plugins/scripts/secpod_smb_func.inc
===================================================================
--- trunk/openvas-plugins/scripts/secpod_smb_func.inc 2008-10-15 12:40:51 UTC (rev 1549)
+++ trunk/openvas-plugins/scripts/secpod_smb_func.inc 2008-10-15 17:56:48 UTC (rev 1550)
@@ -24,7 +24,15 @@
# ------------------------------------------------------------------------
##############################################################################
+###############################################################################
+# GetVer(), bin_word(), bin_dword() are a derivative of smbcl_func.inc available
+# in the OpenVAS repository
+# This script was written by Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>
+#
+# This script is released under the GNU GPLv2
+###############################################################################
+
#
# Get File version or product version reading through a file. An
# offset can be sent indicating the start location. By default
@@ -547,5 +555,129 @@
}
content = ReadAndX(socket:soc, uid:uid, tid:tid, fid:fid,
count:count, off:offset);
- return content;
+ return content;
}
+
+function GetVer(file, share, prodvers)
+{
+ local_var r, pe_offset, sections_cnt, sections_offset, sections_data, i, rsrc_start, rsrc_virtstart;
+ local_var dir_data, dir_offset, dir_entries, sub_dir, dir_tmp, vs_data, vs_length, r, recurs, max_recurs, vs_offset;
+
+ if(isnull(prodvers)){
+ prodvers = 0;
+ }
+
+ pe_offset = bin_word(data: read_file(share:share, file:file, offset:60, count:2));
+
+ if(read_file(share:share, file:file, offset:pe_offset, count:2) != "PE"){
+ return NULL;
+ }
+
+ sections_cnt = bin_word(data: read_file(share:share, file:file,
+ offset:pe_offset+6, count:2));
+ section_offset = pe_offset + bin_word(data: read_file(share:share, file:file,
+ offset:pe_offset+20, count:2)) + 24;
+ rsrc_start = NULL;
+ max_recurs = 20;
+
+ for( i=0; i<sections_cnt; i++ )
+ {
+ sections_data = read_file(share:share, file:file, offset:section_offset + i * 40,
+ count:40);
+ if(substr(sections_data, 0, 4) == ".rsrc")
+ {
+ rsrc_start = bin_dword(data:substr(sections_data, 20));
+ rsrc_virtstart = bin_dword(data:substr(sections_data, 12));
+ break;
+ }
+
+ if(i > max_recurs){
+ break;
+ }
+ }
+ if(isnull(rsrc_start)){
+ return NULL;
+ }
+
+ dir_data = read_file(share:share, file:file, offset:rsrc_start, count:16);
+ dir_entries = bin_word(data:substr(dir_data,12)) + bin_word(data:substr(dir_data,14));
+ dir_offset = NULL;
+ sub_dir = 0;
+ max_recurs = 100;
+ recurs = 0;
+ for(i = 0; i < dir_entries; i++)
+ {
+ dir_data = read_file(file:file, offset:rsrc_start+16+i*8, count:8);
+ if(bin_dword(data:substr(dir_data,0)) == 0x10)
+ {
+ repeat
+ {
+ dir_tmp = bin_dword(data:substr(dir_data,4));
+ if((dir_tmp & 0x80000000) == 0x80000000)
+ {
+ dir_offset = dir_tmp - 0x80000000;
+ sub_dir = 1;
+ }
+ else
+ {
+ dir_offset = dir_tmp;
+ sub_dir = 0;
+ }
+
+ dir_data = read_file(share:share, file:file, offset:rsrc_start+dir_offset+16,
+ count:8);
+ if(strlen(dir_data) != 8){
+ return NULL;
+ }
+ if(++recurs > max_recurs){
+ return NULL;
+ }
+ }
+ until sub_dir == 0;
+ break;
+ }
+ if(i > max_recurs){
+ break;
+ }
+ }
+ if(isnull(dir_offset)){
+ return NULL;
+ }
+
+ dir_data = read_file(share:share, file:file, offset:rsrc_start+dir_offset,
+ count:4);
+ dir_offset = bin_dword(data:substr(dir_data,0));
+ rsrc_start = rsrc_start + (dir_offset - rsrc_virtstart);
+ vs_data = read_file(share:share, file:file, offset:rsrc_start, count:2);
+ vs_length = bin_word(data:substr(vs_data,0));
+ vs_data = read_file(share:share, file:file, offset:rsrc_start, count:vs_length);
+
+ if(bin_dword(data:substr(vs_data,40)) != 0xfeef04bd){
+ return NULL;
+ }
+
+ if(prodvers == 0){
+ vs_offset = 48;
+ }
+ else{
+ vs_offset = 56;
+ }
+
+ r = NULL;
+ r = string((bin_dword(data:substr(vs_data, vs_offset)) >>> 16) + ".");
+ r = r + string((bin_dword(data:substr(vs_data, vs_offset)) & 0xffff) + ".");
+ r = r + string((bin_dword(data:substr(vs_data, vs_offset+4)) >>> 16) + ".");
+ r = r + string((bin_dword(data:substr(vs_data, vs_offset+4)) & 0xffff));
+ return r;
+}
+
+function bin_word(data){
+ return( ord(data[0]) + (ord(data[1]) << 8) );
+}
+
+
+function bin_dword(data)
+{
+ return(ord(data[0]) + (ord(data[1]) << 8) +
+ (ord(data[2]) << 16) + (ord(data[3]) << 24));
+}
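Review bot: In the `for(i = 0; i < dir_entries; i++)` loop, `dir_data = read_file(file:file, offset:rsrc_start+16+i*8, count:8);` is the only `read_file` call in GetVer() that omits `share:share`, so the resource-directory walk reads from whatever share the callee defaults to and will normally fail or read the wrong file; add `share:share`. The `local_var` list declares `sections_offset` (and `r` twice) while the code assigns and uses `section_offset`, so that variable silently becomes global in NASL; rename one to match. Only the read at `rsrc_start+dir_offset+16` is length-checked; every other `bin_word`/`bin_dword` call indexes `data[0..3]` of a buffer `read_file` may return short or empty, and `e_lfanew` at offset 60 is a 4-byte field here read with `count:2` — all of these values come from a file on the scanned host, so check `strlen()` before each decode and return NULL on a short read. A header comment stating that the function returns the dotted FileVersion (ProductVersion when `prodvers` is non-zero) from the first version resource found in `.rsrc`, or NULL, would also help callers.
```nasl
function GetVer(file, share, prodvers)
{
  local_var r, hdr, pe_offset, sections_cnt, section_offset, sections_data, i, rsrc_start, rsrc_virtstart;
  local_var dir_data, dir_offset, dir_entries, sub_dir, dir_tmp, vs_data, vs_length, recurs, max_recurs, vs_offset;
  # … unchanged: prodvers default …
  # e_lfanew is a DWORD at 0x3C; refuse to decode a short read
  hdr = read_file(share:share, file:file, offset:60, count:4);
  if(strlen(hdr) < 4){
    return NULL;
  }
  pe_offset = bin_dword(data:hdr);
  # … unchanged: "PE" check, section table walk …
    dir_data = read_file(share:share, file:file, offset:rsrc_start+16+i*8, count:8);
    if(strlen(dir_data) < 8){
      return NULL;
    }
  # … unchanged: subdirectory descent, VS_FIXEDFILEINFO decode …
```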