[Openvas-commits] r1272 - trunk/openvas-plugins/scripts
Tue Sep 2 07:39:01 CEST 2008
Author: chandra
Date: 2008-09-02 07:39:00 +0200 (Tue, 02 Sep 2008)
New Revision: 1272
Added:
trunk/openvas-plugins/scripts/secpod_anzio_web_print_obj_bof_vuln_900115.nasl
trunk/openvas-plugins/scripts/secpod_eset_smart_sec_local_prv_esc_vuln_900114.nasl
trunk/openvas-plugins/scripts/secpod_justsystems_ichitaro_code_exec_vuln_900207.nasl
trunk/openvas-plugins/scripts/secpod_openoffice_code_exec_vuln_lin_900043.nasl
trunk/openvas-plugins/scripts/secpod_openoffice_code_exec_vuln_win_900042.nasl
trunk/openvas-plugins/scripts/secpod_ultra_office_activex_control_mult_vuln_900208.nasl
Log:
Added new plugins
Added: trunk/openvas-plugins/scripts/secpod_anzio_web_print_obj_bof_vuln_900115.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_anzio_web_print_obj_bof_vuln_900115.nasl 2008-09-02 05:37:55 UTC (rev 1271)
+++ trunk/openvas-plugins/scripts/secpod_anzio_web_print_obj_bof_vuln_900115.nasl 2008-09-02 05:39:00 UTC (rev 1272)
@@ -0,0 +1,144 @@
+##############################################################################
+#
+# Anzio Web Print Object ActiveX Control Remote BOF Vulnerability
+#
+# Copyright: SecPod
+#
+# Date Written: 2008/09/01
+#
+# Revision: 1.1
+#
+# Log : ssharath
+# Issue #0152
+# ------------------------------------------------------------------------
+# This program was written by SecPod and is licensed under the GNU GPL
+# license. Please refer to the below link for details,
+# http://www.gnu.org/licenses/gpl.html
+# This header contains information regarding licensing terms under the GPL,
+# and information regarding obtaining source code from the Author.
+# Consequently, pursuant to section 3(c) of the GPL, you must accompany the
+# information found in this header with any distribution you make of this
+# Program.
+# ------------------------------------------------------------------------
+##############################################################################
+
+
+if(description)
+{
+ script_id(900115);
+ script_bugtraq_id(30545);
+ script_cve_id("CVE-2008-3480");
+ script_copyright(english:"Copyright (C) 2008 SecPod");
+ script_version("Revision: 1.1 ");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Misc.");
+ script_name(english:"Anzio Web Print Object ActiveX Control Remote BOF Vulnerability");
+ script_summary(english:"Check for vulnerable version and prior of Anzio");
+ desc["english"] = "
+ Overview : The host is running Anzio, which is prone to a heap-based buffer
+ overflow vulnerability.
+
+ Vulnerability Insight :
+
+ The flaw is due to an error while handling an overly long value in
+ mainurl parameter.
+
+ Impact: An attacker can execute arbitrary code causing a stack based
+ buffer overflow by tricking a user to visit malicious web page.
+
+ Impact Level : Application
+
+ Affected Software/OS :
+ Anzio Web Print Object versions prior to 3.2.30 on Windows (All)
+
+ Fix : Upgrade to Anzio Web Print Object version 3.2.30
+ http://www.anzio.com/download-wepo.htm
+
+ References :
+ http://secunia.com/advisories/31554/
+ http://en.securitylab.ru/poc/extra/358295.php
+ http://www.coresecurity.com/content/anzio-web-print-object-buffer-overflow
+
+ CVSS Score :
+ CVSS Base Score : 6.8 (AV:N/AC:M/Au:NR/C:P/I:P/A:P)
+ CVSS Temporal Score : 5.3
+ Risk factor : High";
+
+ script_description(english:desc["english"]);
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_keys("SMB/WindowsVersion");
+ exit(0);
+}
+
+
+ include("smb_nt.inc");
+ include("secpod_smb_func.inc");
+
+ if (!get_kb_item("SMB/WindowsVersion")){
+ exit(0);
+ }
+
+ anzioPath = registry_get_sz(key:"SOFTWARE\Microsoft\Windows\CurrentVersion"
+ + "\App Paths\pwui.exe", item:"Path");
+ if(!anzioPath){
+ exit(0);
+ }
+
+ share = ereg_replace(pattern:"([A-Z]):.*",replace:"\1$",string:anzioPath);
+ file = ereg_replace(pattern:"[A-Z]:(.*)",replace:"\1",string:anzioPath + "\pwui.exe");
+
+ name = kb_smb_name();
+ domain = kb_smb_domain();
+ login = kb_smb_login();
+ pass = kb_smb_password();
+ port = kb_smb_transport();
+
+ soc = open_sock_tcp(port);
+ if(!soc){
+ exit(0);
+ }
+ r = smb_session_request(soc:soc, remote:name);
+ if(!r){
+ close(soc);
+ exit(0);
+ }
+
+ prot = smb_neg_prot(soc:soc);
+ if(!prot){
+ close(soc);
+ exit(0);
+ }
+
+ r = smb_session_setup(soc:soc, login:login, password:pass,
+ domain:domain, prot:prot);
+ if(!r){
+ close(soc);
+ exit(0);
+ }
+
+ uid = session_extract_uid(reply:r);
+ r = smb_tconx(soc:soc, name:name, uid:uid, share:share);
+
+ tid = tconx_extract_tid(reply:r);
+ if(!tid){
+ close(soc);
+ exit(0);
+ }
+
+ fid = OpenAndX(socket:soc, uid:uid, tid:tid, file:file);
+ if(!fid){
+ close(soc);
+ exit(0);
+ }
+
+ anzioVer = GetVersion(socket:soc, uid:uid, tid:tid, fid:fid, verstr:"File Version");
+ close(soc);
+
+ if(!anzioVer){
+ exit(0);
+ }
+
+ if(egrep(pattern:"^([0-2]\..*|3\.([01](\..*)?|2(\.[0-2]?[0-9])?\.0))$",
+ string:anzioVer)){
+ security_hole(0);
+ }
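Review bot: The final version test `egrep(pattern:"^([0-2]\..*|3\.([01](\..*)?|2(\.[0-2]?[0-9])?\.0))$", ...)` accepts a 3.2.x build only when it is written as four components with a trailing `.0`, so a File Version such as `3.2.29` or `3.2.29.1` falls through and the host is reported clean although the description says everything before 3.2.30 is affected. Unless GetVersion() is known to always return a `.0` fourth component, the last alternative should be `3\.2(\.[0-2]?[0-9](\.[0-9]+)?)?` (still anchored by the closing `$`), which covers 3.2, 3.2.0–3.2.29 and any fourth component while still rejecting 3.2.30. The description is also internally inconsistent: the Overview calls the bug heap-based while the Impact paragraph says stack-based, so one of them should be corrected to what the referenced advisory states. Minor: `anzioPath + "\pwui.exe"` produces a double backslash if the App Paths `Path` value already ends with one.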
Added: trunk/openvas-plugins/scripts/secpod_eset_smart_sec_local_prv_esc_vuln_900114.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_eset_smart_sec_local_prv_esc_vuln_900114.nasl 2008-09-02 05:37:55 UTC (rev 1271)
+++ trunk/openvas-plugins/scripts/secpod_eset_smart_sec_local_prv_esc_vuln_900114.nasl 2008-09-02 05:39:00 UTC (rev 1272)
@@ -0,0 +1,86 @@
+##############################################################################
+#
+# ESET Smart Security easdrv.sys Local Privilege Escalation Vulnerability
+#
+# Copyright: SecPod
+#
+# Date Written: 2008/09/01
+#
+# Revision: 1.1
+#
+# Log : ssharath
+# Issue #0150
+# ------------------------------------------------------------------------
+# This program was written by SecPod and is licensed under the GNU GPL
+# license. Please refer to the below link for details,
+# http://www.gnu.org/licenses/gpl.html
+# This header contains information regarding licensing terms under the GPL,
+# and information regarding obtaining source code from the Author.
+# Consequently, pursuant to section 3(c) of the GPL, you must accompany the
+# information found in this header with any distribution you make of this
+# Program.
+# ------------------------------------------------------------------------
+##############################################################################
+
+
+if(description)
+{
+ script_id(900114);
+ script_bugtraq_id(30719);
+ script_copyright(english:"Copyright (C) 2008 SecPod");
+ script_version("Revision: 1.1 ");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Misc.");
+ script_name(english:"ESET Smart Security easdrv.sys Local Privilege Escalation Vulnerability");
+ script_summary(english:"Check for vulnerable version and prior of ESET");
+ desc["english"] = "
+ Overview : The host is running ESET Smart Security, which is prone to a local
+ privilege escalation vulnerability.
+
+ Vulnerability Insight :
+
+ The flaw exists due to an error in easdrv.sys driver file.
+
+ Impact: Local exploitation will allow attackers to execute arbitrary
+ code with kernel level privileges to result in complete compromise of
+ the system.
+
+ Impact Level : Application
+
+ Affected Software/OS:
+ - Eset Software Smart Security 3.0.667.0 and prior on Windows (All)
+
+ Fix : No solution/patch is available as on 01st September, 2008. Information
+ regarding this issue will be update once the solution details are available.
+ For update refer, http://www.eset.com/
+
+ References : http://www.securityfocus.com/bid/30719/discuss
+
+ CVSS Score :
+ CVSS Base Score : 6.6 (AV:L/AC:M/Au:SI/C:C/I:C/A:C)
+ CVSS Temporal Score : 5.9
+ Risk factor : High";
+
+ script_description(english:desc["english"]);
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_keys("SMB/WindowsVersion");
+ exit(0);
+}
+
+ include("smb_nt.inc");
+
+ if (!get_kb_item("SMB/WindowsVersion")){
+ exit(0);
+ }
+
+ esetVer = registry_get_sz(key:"SOFTWARE\ESET\ESET Security\CurrentVersion\Info",
+ item:"ProductVersion");
+ if(!esetVer){
+ exit(0);
+ }
+
+ # Grep Eset Software Smart Security version <= 3.0.667.0
+ if(egrep(pattern:"^([0-2]\..*|3\.0\.([0-5]?[0-9]?[0-9]|6[0-5][0-9]|66[0-7])\.0)$",
+ string:esetVer)){
+ security_warning(0);
+ }
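Review bot: The `Impact Level : Application` line contradicts the Impact paragraph just above it, which describes arbitrary code execution with kernel-level privileges and complete compromise of the system; for a kernel-driver privilege escalation that should read `Impact Level : System`. The version regex is pinned to a fourth component of exactly `.0` (`...\.0)$`), so a ProductVersion like `3.0.650.1` would not be matched even though the text claims 3.0.667.0 and prior are affected; if ESET can ship a non-zero fourth component the tail should be `(\.[0-9]+)?)$`. Note also that the description says Risk factor High but the script reports `security_warning(0)`, whereas the Anzio plugin in this same commit uses `security_hole(0)` for the same rating; the severity-to-report mapping should be consistent across the batch.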
Added: trunk/openvas-plugins/scripts/secpod_justsystems_ichitaro_code_exec_vuln_900207.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_justsystems_ichitaro_code_exec_vuln_900207.nasl 2008-09-02 05:37:55 UTC (rev 1271)
+++ trunk/openvas-plugins/scripts/secpod_justsystems_ichitaro_code_exec_vuln_900207.nasl 2008-09-02 05:39:00 UTC (rev 1272)
@@ -0,0 +1,184 @@
+##############################################################################
+#
+# Ichitaro Document Handling Unspecified Code Execution Vulnerability
+#
+# Copyright: SecPod
+#
+# Date Written: 2008/08/27
+#
+# Revision: 1.1
+#
+# Log: veerendragg
+# Issue #0147
+# ------------------------------------------------------------------------
+# This program was written by SecPod and is licensed under the GNU GPL
+# license. Please refer to the below link for details,
+# http://www.gnu.org/licenses/gpl.html
+# This header contains information regarding licensing terms under the GPL,
+# and information regarding obtaining source code from the Author.
+# Consequently, pursuant to section 3(c) of the GPL, you must accompany the
+# information found in this header with any distribution you make of this
+# Program.
+# ------------------------------------------------------------------------
+##############################################################################
+
+
+if(description)
+{
+ script_id(900207);
+ script_bugtraq_id(30828);
+ script_copyright(english:"Copyright (C) 2008 SecPod");
+ script_version("Revision: 1.1");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Misc.");
+ script_name(english:"Ichitaro Document Handling Unspecified Code Execution Vulnerability");
+ script_summary(english:"Check for the version of Ichitaro");
+ desc["english"] = "
+ Overview : This host is running Ichitaro, which is prone to Unspecified Remote
+ Code Execution Vulnerability.
+
+ Vulnerability Insight :
+
+ The issue is due to error that exists while processing specially
+ crafted docuement form.
+
+ Impact : Successful exploitation will allow execution arbitrary code
+ within the context of the vulnerable application.
+
+ Impact Level : Application
+
+ Affected Software/OS :
+ Justsystem Ichitaro 2008 and prior versions on Windows (All).
+
+ Fix : No solution/patch is available as on 28th August, 2008. Information
+ regarding this issue will updated once the solution details are available.
+ For updates refer, http://www.ichitaro.com
+
+ References :
+ http://secunia.com/advisories/31603/
+ http://www.justsystems.com/jp/info/pd8002.html
+
+ CVSS Score :
+ CVSS Base Score : 7.5 (AV:N/AC:L/Au:NR/C:P/I:P/A:P)
+ CVSS Temporal Score : 6.4
+ Risk factor : Medium";
+
+ script_description(english:desc["english"]);
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_keys("SMB/WindowsVersion");
+ exit(0);
+}
+
+
+ include("smb_nt.inc");
+
+ if(!get_kb_item("SMB/WindowsVersion")){
+ exit(0);
+ }
+
+ if(!registry_key_exists(key:"SOFTWARE\Justsystem\ATOK")){
+ exit(0);
+ }
+
+ name = kb_smb_name();
+ login = kb_smb_login();
+ pass = kb_smb_password();
+ domain = kb_smb_domain();
+ port = kb_smb_transport();
+
+ if(!port){
+ port = 139;
+ }
+
+ if(!get_port_state(port)){
+ exit(0);
+ }
+
+ soc = open_sock_tcp(port);
+ if(!soc){
+ exit(0);
+ }
+
+ r = smb_session_request(soc:soc, remote:name);
+ if(!r)
+ {
+ close(soc);
+ exit(0);
+ }
+
+ prot = smb_neg_prot(soc:soc);
+ if(!prot)
+ {
+ close(soc);
+ exit(0);
+ }
+
+ r = smb_session_setup(soc:soc, login:login, password:pass,
+ domain:domain, prot:prot);
+ if(!r)
+ {
+ close(soc);
+ exit(0);
+ }
+
+ uid = session_extract_uid(reply:r);
+ r = smb_tconx(soc:soc, name:name, uid:uid, share:"IPC$");
+
+ tid = tconx_extract_tid(reply:r);
+ if(!tid)
+ {
+ close(soc);
+ exit(0);
+ }
+
+ r = smbntcreatex(soc:soc, uid:uid, tid:tid, name:"\winreg");
+ if(!r)
+ {
+ close(soc);
+ exit(0);
+ }
+
+ pipe = smbntcreatex_extract_pipe(reply:r);
+ if(!pipe)
+ {
+ close(soc);
+ exit(0);
+ }
+
+ r = pipe_accessible_registry(soc:soc, uid:uid, tid:tid, pipe:pipe);
+ if(!r)
+ {
+ close(soc);
+ exit(0);
+ }
+
+ handle = registry_open_hklm(soc:soc, uid:uid, tid:tid, pipe:pipe);
+ if(!handle)
+ {
+ close(soc);
+ exit(0);
+ }
+
+ key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\";
+ key_h = registry_get_key(soc:soc, uid:uid, tid:tid, pipe:pipe,
+ key:key, reply:handle);
+ if(!key_h)
+ {
+ close(soc);
+ exit(0);
+ }
+
+ enumKeys = registry_enum_key(soc:soc, uid:uid, tid:tid,
+ pipe:pipe, reply:key_h);
+ foreach entry (enumKeys)
+ {
+ appName = registry_get_sz(item:"DisplayName", key:key + entry);
+ if(appName && "ATOK" >< appName)
+ {
+ if(egrep(pattern:"ATOK ([01][0-9][0-9][0-9]|200[0-8]|" +
+ "(9\.|1[0-3]\.)).*", string:appName)){
+ security_warning(0);
+ }
+ exit(0);
+ }
+ }
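Review bot: The detection keys on ATOK rather than Ichitaro: it requires `SOFTWARE\Justsystem\ATOK` via `registry_key_exists` and then only inspects Uninstall entries whose DisplayName contains `"ATOK"`, so a host with only the ATOK input method installed (which, as far as I know, is also sold separately from Ichitaro) is flagged as vulnerable, and an Ichitaro install is judged by a different product's version string. The check should locate the Ichitaro Uninstall entry itself and compare its DisplayVersion against the "2008 and prior" range given in the description. Unlike the Windows OpenOffice plugin in this commit, `soc` is never closed before the `exit(0)` inside the foreach or when the loop runs out; add `close(soc);` right after `registry_enum_key` returns, before iterating. Minor: a CVSS base score of 7.5 is labelled Risk factor Medium here while the 6.8 scores elsewhere in this commit are labelled High.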
Property changes on: trunk/openvas-plugins/scripts/secpod_justsystems_ichitaro_code_exec_vuln_900207.nasl
___________________________________________________________________
Name: svn:executable
+ *
Added: trunk/openvas-plugins/scripts/secpod_openoffice_code_exec_vuln_lin_900043.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_openoffice_code_exec_vuln_lin_900043.nasl 2008-09-02 05:37:55 UTC (rev 1271)
+++ trunk/openvas-plugins/scripts/secpod_openoffice_code_exec_vuln_lin_900043.nasl 2008-09-02 05:39:00 UTC (rev 1272)
@@ -0,0 +1,85 @@
+#############################################################################
+#
+# OpenOffice rtl_allocateMemory() Remote Code Execution Vulnerability (Lin)
+#
+# Copyright: SecPod
+#
+# Date Written: 2008/08/29
+#
+# Revision: 1.1
+#
+# Log: schandan
+# Issue #0154
+# ------------------------------------------------------------------------
+# This program was written by SecPod and is licensed under the GNU GPL
+# license. Please refer to the below link for details,
+# http://www.gnu.org/licenses/gpl.html
+# This header contains information regarding licensing terms under the GPL,
+# and information regarding obtaining source code from the Author.
+# Consequently, pursuant to section 3(c) of the GPL, you must accompany the
+# information found in this header with any distribution you make of this
+# Program.
+# ------------------------------------------------------------------------
+###########################################################################
+
+if(description)
+{
+ script_id(900043);
+ script_bugtraq_id(30866);
+ script_cve_id("CVE-2008-3282");
+ script_copyright(english:"Copyright (C) 2008 SecPod");
+ script_version("Revision: 1.1 ");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Misc.");
+ script_name(english:"OpenOffice rtl_allocateMemory() Remote Code Execution Vulnerability (Lin)");
+ script_summary(english:"Check for the vulnerable version of OpenOffice.org");
+ desc["english"] = "
+ Overview : This host has OpenOffice.Org installed, which is prone to remote
+ code execution vulnerability.
+
+ Vulnerability Insight :
+
+ The issue is due to a numeric truncation error within the rtl_allocateMemory()
+ method in alloc_global.c file.
+
+ Impact : Attackers can cause an out of bounds array access by tricking a
+ user into opening a malicious document, also allow execution of arbitrary
+ code.
+
+ Impact Level : System
+
+ Affected Software/OS :
+ OpenOffice.org 2.4.1 and prior on Linux.
+
+ Fix : No solution/patch is available as on 29th August, 2008. Information
+ regarding this issue will updated once the solution details are available.
+ For updates refer, http://download.openoffice.org/index.html
+
+ References : http://secunia.com/advisories/31640/
+ http://www.frsirt.com/english/advisories/2008/2449
+
+ CVSS Score :
+ CVSS Base Score : 6.8 (AV:N/AC:M/Au:NR/C:P/I:P/A:P)
+ CVSS Temporal Score : 5.8
+ Risk factor : High";
+
+ script_description(english:desc["english"]);
+ script_dependencies("secpod_ssh_sys_info.nasl");
+ script_require_keys("Host/uname");
+ exit(0);
+}
+
+
+ if("Linux" >!< get_kb_item("ssh/login/uname")){
+ exit(0);
+ }
+
+ foreach item (get_kb_list("ssh/*/rpms"))
+ {
+ if(egrep(pattern:"^(O|o)pen(O|o)ffice.*?~([01]\..*|2\.([0-3][^0-9]" +
+ "|4(\.[01])?[^.0-9]))", string:item))
+ {
+ security_warning(0);
+ exit(0);
+ }
+ }
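Review bot: The KB key names disagree: `script_require_keys("Host/uname")` gates the plugin on `Host/uname`, but the body reads `get_kb_item("ssh/login/uname")`; if secpod_ssh_sys_info.nasl sets only one of the two, the plugin either never launches or always exits before the RPM check, so both lines should name the key that dependency actually populates. The pattern also relies on the non-greedy `.*?` before the `~`; if NASL's egrep is POSIX ERE rather than PCRE, a `?` applied to `*` is undefined, and a greedy `.*~` would instead skip to the last tilde and test the release field. Replacing `.*?~` with `[^~]*~` takes the version from the first tilde-separated field regardless of regex dialect.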
Property changes on: trunk/openvas-plugins/scripts/secpod_openoffice_code_exec_vuln_lin_900043.nasl
___________________________________________________________________
Name: svn:executable
+ *
Added: trunk/openvas-plugins/scripts/secpod_openoffice_code_exec_vuln_win_900042.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_openoffice_code_exec_vuln_win_900042.nasl 2008-09-02 05:37:55 UTC (rev 1271)
+++ trunk/openvas-plugins/scripts/secpod_openoffice_code_exec_vuln_win_900042.nasl 2008-09-02 05:39:00 UTC (rev 1272)
@@ -0,0 +1,177 @@
+#############################################################################
+#
+# OpenOffice rtl_allocateMemory() Remote Code Execution Vulnerability (Win)
+#
+# Copyright: SecPod
+#
+# Date Written: 2008/08/29
+#
+# Revision: 1.1
+#
+# Log: schandan
+# Issue #0154
+# ------------------------------------------------------------------------
+# This program was written by SecPod and is licensed under the GNU GPL
+# license. Please refer to the below link for details,
+# http://www.gnu.org/licenses/gpl.html
+# This header contains information regarding licensing terms under the GPL,
+# and information regarding obtaining source code from the Author.
+# Consequently, pursuant to section 3(c) of the GPL, you must accompany the
+# information found in this header with any distribution you make of this
+# Program.
+# ------------------------------------------------------------------------
+###########################################################################
+
+if(description)
+{
+ script_id(900042);
+ script_bugtraq_id(30866);
+ script_cve_id("CVE-2008-3282");
+ script_copyright(english:"Copyright (C) 2008 SecPod");
+ script_version("Revision: 1.1 ");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Misc.");
+ script_name(english:"OpenOffice rtl_allocateMemory() Remote Code Execution Vulnerability (Win)");
+ script_summary(english:"Check for the vulnerable version of OpenOffice.org");
+ desc["english"] = "
+ Overview : This host has OpenOffice.Org installed, which is prone to remote
+ code execution vulnerability.
+
+ Vulnerability Insight :
+
+ The issue is due to a numeric truncation error within the rtl_allocateMemory()
+ method in alloc_global.c file.
+
+ Impact : Attackers can cause an out of bounds array access by tricking a
+ user into opening a malicious document, also allow execution of arbitrary
+ code.
+
+ Impact Level : System
+
+ Affected Software/OS :
+ OpenOffice.org 2.4.1 and prior on Windows.
+
+ Fix : No solution/patch is available as on 29th August, 2008. Information
+ regarding this issue will updated once the solution details are available.
+ For updates refer, http://download.openoffice.org/index.html
+
+ References : http://secunia.com/advisories/31640/
+ http://www.frsirt.com/english/advisories/2008/2449
+
+ CVSS Score :
+ CVSS Base Score : 6.8 (AV:N/AC:M/Au:NR/C:P/I:P/A:P)
+ CVSS Temporal Score : 5.8
+ Risk factor : High";
+
+ script_description(english:desc["english"]);
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_keys("SMB/WindowsVersion");
+ exit(0);
+}
+
+
+ include("smb_nt.inc");
+
+ if(!get_kb_item("SMB/WindowsVersion")){
+ exit(0);
+ }
+
+ name = kb_smb_name();
+ login = kb_smb_login();
+ pass = kb_smb_password();
+ domain = kb_smb_domain();
+ port = kb_smb_transport();
+
+ if(!port) port = 139;
+
+ if(!get_port_state(port))exit(0);
+
+ soc = open_sock_tcp(port);
+ if(!soc){
+ exit(0);
+ }
+
+ r = smb_session_request(soc:soc, remote:name);
+ if(!r)
+ {
+ close(soc);
+ exit(0);
+ }
+
+ prot = smb_neg_prot(soc:soc);
+ if(!prot)
+ {
+ close(soc);
+ exit(0);
+ }
+
+ r = smb_session_setup(soc:soc, login:login, password:pass,
+ domain:domain, prot:prot);
+ if(!r)
+ {
+ close(soc);
+ exit(0);
+ }
+ uid = session_extract_uid(reply:r);
+ r = smb_tconx(soc:soc, name:name, uid:uid, share:"IPC$");
+ tid = tconx_extract_tid(reply:r);
+ if(!tid)
+ {
+ close(soc);
+ exit(0);
+ }
+
+ r = smbntcreatex(soc:soc, uid:uid, tid:tid, name:"\winreg");
+ if(!r)
+ {
+ close(soc);
+ exit(0);
+ }
+
+ pipe = smbntcreatex_extract_pipe(reply:r);
+ if(!pipe)
+ {
+ close(soc);
+ exit(0);
+ }
+
+ r = pipe_accessible_registry(soc:soc, uid:uid, tid:tid, pipe:pipe);
+ if(!r)
+ {
+ close(soc);
+ exit(0);
+ }
+
+ handle = registry_open_hklm(soc:soc, uid:uid, tid:tid, pipe:pipe);
+ if(!handle)
+ {
+ close(soc);
+ exit(0);
+ }
+
+ key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\";
+ key_h = registry_get_key(soc:soc, uid:uid, tid:tid, pipe:pipe,
+ key:key, reply:handle);
+ if(!key_h)
+ {
+ close(soc);
+ exit(0);
+ }
+
+ entries = registry_enum_key(soc:soc, uid:uid, tid:tid, pipe:pipe, reply:key_h);
+ close(soc);
+
+ foreach item (entries)
+ {
+ if("OpenOffice.org" >< registry_get_sz(key:key + item, item:"DisplayName"))
+ {
+ # Grep <= 2.4.9310 (ie., 2.4.1)
+ if((egrep(pattern:"^([01]\..*|2\.([0-3](\..*)?|4(\.([0-8]?[0-9]?" +
+ "[0-9]?[0-9]|9[0-2][0-9][0-9]|930[0-9]|9310))?))$",
+ string:registry_get_sz(key:key + item,
+ item:"DisplayVersion")))){
+ security_warning(0);
+ }
+ exit(0);
+ }
+ }
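Review bot: The loop calls `exit(0)` on the first Uninstall entry whose DisplayName contains `"OpenOffice.org"` whether or not that entry carried a usable DisplayVersion, so if a host has more than one matching entry (a language pack or other add-on, if those register under the same name) the suite's own entry may never be examined and the host is silently reported clean. Either drop the `exit(0)` so every matching entry is tested, or narrow the match to the suite entry. The value handed to egrep comes straight from `registry_get_sz(..., item:"DisplayVersion")` with no NULL check; fetch it into a variable first, `ver = registry_get_sz(key:key + item, item:"DisplayVersion"); if(!ver) continue;`, and run the pattern on that.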
Property changes on: trunk/openvas-plugins/scripts/secpod_openoffice_code_exec_vuln_win_900042.nasl
___________________________________________________________________
Name: svn:executable
+ *
Added: trunk/openvas-plugins/scripts/secpod_ultra_office_activex_control_mult_vuln_900208.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ultra_office_activex_control_mult_vuln_900208.nasl 2008-09-02 05:37:55 UTC (rev 1271)
+++ trunk/openvas-plugins/scripts/secpod_ultra_office_activex_control_mult_vuln_900208.nasl 2008-09-02 05:39:00 UTC (rev 1272)
@@ -0,0 +1,261 @@
+##############################################################################
+#
+# Ultra Office ActiveX Control Multiple Vulnerabilities
+#
+# Copyright: SecPod
+#
+# Date Written: 2008/09/01
+#
+# Revision: 1.1
+#
+# Log: veerendragg
+# Issue #0153
+# ------------------------------------------------------------------------
+# This program was written by SecPod and is licensed under the GNU GPL
+# license. Please refer to the below link for details,
+# http://www.gnu.org/licenses/gpl.html
+# This header contains information regarding licensing terms under the GPL,
+# and information regarding obtaining source code from the Author.
+# Consequently, pursuant to section 3(c) of the GPL, you must accompany the
+# information found in this header with any distribution you make of this
+# Program.
+# ------------------------------------------------------------------------
+##############################################################################
+
+
+if(description)
+{
+ script_id(900208);
+ script_bugtraq_id(30861);
+ script_copyright(english:"Copyright (C) 2008 SecPod");
+ script_version("Revision: 1.1 ");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Denial of Service");
+ script_name(english:"Ultra Office ActiveX Control Multiple Vulnerabilities");
+ script_summary(english:"Check for Vulnerable Version of Ultra Office");
+ desc["english"] = "
+ Overview : This host is running Ultra Office Control, which is prone to
+ multiple vulnerabilities.
+
+ Vulnerability Insight :
+
+ Error exists when handling parameters received by the HttpUpload()
+ and Save() methods in OfficeCtrl.ocx file.
+
+ Impact : Successful exploitation will allow execution of arbitrary
+ code, stack-based buffer overflow, can overwrite arbitrary files
+ on the vulnerable system by tricking a user into visiting a
+ malicious website.
+
+ Impact Level : Application
+
+ Affected Software/OS :
+ Ultra Office Control 2.x and prior versions on Windows (All).
+
+ Fix : No solution/patch is available as on 01st September, 2008. Information
+ regarding this issue will be update once the solution details are available.
+ For updates refer, http://www.ultrashareware.com/Ultra-Office-Control.htm
+
+ Quick Fix: Set a kill bit for the CLSID's
+ {00989888-BB72-4E31-A7C6-5F819C24D2F7}
+
+ Refer to following link to set kill-bit,
+ http://support.microsoft.com/kb/240797
+
+ References : http://secunia.com/advisories/31632/
+ http://www.juniper.net/security/auto/vulnerabilities/vuln30861.html
+
+ CVSS Score :
+ CVSS Base Score : 6.8 (AV:N/AC:M/Au:NR/C:P/I:P/A:P)
+ CVSS Temporal Score : 5.8
+ Risk factor : High";
+
+ script_description(english:desc["english"]);
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_keys("SMB/WindowsVersion");
+ exit(0);
+}
+
+
+ include("smb_nt.inc");
+ include("secpod_smb_func.inc");
+
+ if(!get_kb_item("SMB/WindowsVersion")){
+ exit(0);
+ }
+
+ name = kb_smb_name();
+ login = kb_smb_login();
+ pass = kb_smb_password();
+ domain = kb_smb_domain();
+ port = kb_smb_transport();
+
+ if(!port) port = 139;
+
+ if(!get_port_state(port))exit(0);
+
+ soc = open_sock_tcp(port);
+ if(!soc){
+ exit(0);
+ }
+
+ r = smb_session_request(soc:soc, remote:name);
+ if(!r)
+ {
+ close(soc);
+ exit(0);
+ }
+
+ prot = smb_neg_prot(soc:soc);
+ if(!prot)
+ {
+ close(soc);
+ exit(0);
+ }
+
+ r = smb_session_setup(soc:soc, login:login, password:pass,
+ domain:domain, prot:prot);
+ if(!r)
+ {
+ close(soc);
+ exit(0);
+ }
+
+
+ uid = session_extract_uid(reply:r);
+ r = smb_tconx(soc:soc, name:name, uid:uid, share:"IPC$");
+
+ tid = tconx_extract_tid(reply:r);
+ if(!tid)
+ {
+ close(soc);
+ exit(0);
+ }
+
+ r = smbntcreatex(soc:soc, uid:uid, tid:tid, name:"\winreg");
+ if(!r)
+ {
+ close(soc);
+ exit(0);
+ }
+
+ pipe = smbntcreatex_extract_pipe(reply:r);
+ if(!pipe)
+ {
+ close(soc);
+ exit(0);
+ }
+
+ r = pipe_accessible_registry(soc:soc, uid:uid, tid:tid, pipe:pipe);
+ if(!r)
+ {
+ close(soc);
+ exit(0);
+ }
+
+ handle = registry_open_hklm(soc:soc, uid:uid, tid:tid, pipe:pipe);
+ if(!handle)
+ {
+ close(soc);
+ exit(0);
+ }
+
+ key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\";
+ key_h = registry_get_key(soc:soc, uid:uid, tid:tid, pipe:pipe,
+ key:key, reply:handle);
+ if(!key_h)
+ {
+ close(soc);
+ exit(0);
+ }
+
+ # To get application installed Path.
+ enumKeys = registry_enum_key(soc:soc, uid:uid, tid:tid, pipe:pipe, reply:key_h);
+ close(soc);
+
+ foreach entry (enumKeys)
+ {
+ if("Ultra Office Control" >< entry)
+ {
+ appInsLoc = registry_get_sz(item:"InstallLocation", key:key + entry);
+ if(!appInsLoc){
+ exit(0);
+ }
+ break;
+ }
+ }
+
+ # To Get File Version.
+ share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:appInsLoc);
+ file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1",
+ string:appInsLoc + "OfficeCtrl.ocx");
+
+ soc = open_sock_tcp(port);
+ if(!soc){
+ exit(0);
+ }
+
+ r = smb_session_request(soc:soc, remote:name);
+ if(!r)
+ {
+ close(soc);
+ exit(0);
+ }
+
+ prot = smb_neg_prot(soc:soc);
+ if(!prot)
+ {
+ close(soc);
+ exit(0);
+ }
+
+ r = smb_session_setup(soc:soc, login:login, password:pass, domain:domain, prot:prot);
+ if(!r)
+ {
+ close(soc);
+ exit(0);
+ }
+
+ uid = session_extract_uid(reply:r);
+ r = smb_tconx(soc:soc, name:name, uid:uid, share:share);
+
+ tid = tconx_extract_tid(reply:r);
+ if(!tid)
+ {
+ close(soc);
+ exit(0);
+ }
+
+ fid = OpenAndX(socket:soc, uid:uid, tid:tid, file:file);
+ if(!fid)
+ {
+ close(soc);
+ exit(0);
+ }
+
+ fileVer = GetVersion(socket:soc, uid:uid, tid:tid, fid:fid);
+ close(soc);
+
+ if(!fileVer){
+ exit(0);
+ }
+
+ # Grep for Version <= 2.0.2008.801
+ if(egrep(pattern:"^([01]\..*|2\.0\.[01]?[0-9]?[0-9]?[0-9]\..*|2\.0\.200[0-7]" +
+ "\..*|2\.0\.2008(\.[0-7]?[0-9]?[0-9]|\.80[01]))$", string:fileVer))
+ {
+ clsid = "{00989888-BB72-4E31-A7C6-5F819C24D2F7}";
+ regKey = "SOFTWARE\Classes\CLSID\"+ clsid;
+ if(registry_key_exists(key:regKey))
+ {
+ # Check for Kill-Bit set for ActiveX control
+ activeKey = "SOFTWARE\Microsoft\Internet Explorer\"+
+ "ActiveX Compatibility\" + clsid;
+ killBit = registry_get_dword(key:activeKey,
+ item:"Compatibility Flags");
+ if(killBit && (int(killBit) == 1024)){
+ exit(0);
+ }
+ security_warning(0);
+ }
+ }
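Review bot: When no Uninstall entry contains `"Ultra Office Control"` the foreach finishes without ever assigning `appInsLoc`, yet the script goes on to derive `share`/`file` from an empty value and opens a second SMB session to fetch `OfficeCtrl.ocx` from a meaningless path; add `if(!appInsLoc) exit(0);` after the loop (the in-loop check only covers the case where the entry exists but has no InstallLocation). The kill-bit test `int(killBit) == 1024` compares the whole `Compatibility Flags` DWORD against 0x400, but that value is a bitmask and the kill bit may be set together with other flags, so use a bitwise test: `if(killBit && (int(killBit) & 1024)) exit(0);`. Minor: the file name is appended with no separator (`appInsLoc + "OfficeCtrl.ocx"`), which silently assumes InstallLocation ends in a backslash, unlike the Anzio plugin in this commit which prepends one explicitly.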
Property changes on: trunk/openvas-plugins/scripts/secpod_ultra_office_activex_control_mult_vuln_900208.nasl
___________________________________________________________________
Name: svn:executable
+ *