[Openvas-commits] r1272 - trunk/openvas-plugins/scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Tue Sep 2 07:39:01 CEST 2008


Author: chandra
Date: 2008-09-02 07:39:00 +0200 (Tue, 02 Sep 2008)
New Revision: 1272

Added:
   trunk/openvas-plugins/scripts/secpod_anzio_web_print_obj_bof_vuln_900115.nasl
   trunk/openvas-plugins/scripts/secpod_eset_smart_sec_local_prv_esc_vuln_900114.nasl
   trunk/openvas-plugins/scripts/secpod_justsystems_ichitaro_code_exec_vuln_900207.nasl
   trunk/openvas-plugins/scripts/secpod_openoffice_code_exec_vuln_lin_900043.nasl
   trunk/openvas-plugins/scripts/secpod_openoffice_code_exec_vuln_win_900042.nasl
   trunk/openvas-plugins/scripts/secpod_ultra_office_activex_control_mult_vuln_900208.nasl
Log:
Added new plugins

Added: trunk/openvas-plugins/scripts/secpod_anzio_web_print_obj_bof_vuln_900115.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_anzio_web_print_obj_bof_vuln_900115.nasl	2008-09-02 05:37:55 UTC (rev 1271)
+++ trunk/openvas-plugins/scripts/secpod_anzio_web_print_obj_bof_vuln_900115.nasl	2008-09-02 05:39:00 UTC (rev 1272)
@@ -0,0 +1,144 @@
+##############################################################################
+#
+#  Anzio Web Print Object ActiveX Control Remote BOF Vulnerability
+#
+#  Copyright: SecPod
+#
+#  Date Written: 2008/09/01
+#
+#  Revision: 1.1
+#
+#  Log : ssharath
+#  Issue #0152
+#  ------------------------------------------------------------------------
+#  This program was written by SecPod and is licensed under the GNU GPL 
+#  license. Please refer to the below link for details,
+#  http://www.gnu.org/licenses/gpl.html
+#  This header contains information regarding licensing terms under the GPL, 
+#  and information regarding obtaining source code from the Author. 
+#  Consequently, pursuant to section 3(c) of the GPL, you must accompany the 
+#  information found in this header with any distribution you make of this 
+#  Program.
+#  ------------------------------------------------------------------------
+##############################################################################
+
+
+if(description)
+{
+ script_id(900115);
+ script_bugtraq_id(30545);
+ script_cve_id("CVE-2008-3480");
+ script_copyright(english:"Copyright (C) 2008 SecPod");
+ script_version("Revision: 1.1 ");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Misc.");
+ script_name(english:"Anzio Web Print Object ActiveX Control Remote BOF Vulnerability");
+ script_summary(english:"Check for vulnerable version and prior of Anzio");
+ desc["english"] = "
+ Overview : The host is running Anzio, which is prone to a heap-based buffer
+ overflow vulnerability.
+
+ Vulnerability Insight :
+
+        The flaw is due to an error while handling an overly long value in 
+        mainurl parameter.
+
+        Impact: An attacker can execute arbitrary code causing a stack based 
+        buffer overflow by tricking a user to visit malicious web page. 
+
+ Impact Level : Application
+
+ Affected Software/OS :
+        Anzio Web Print Object versions prior to 3.2.30 on Windows (All)
+
+ Fix : Upgrade to Anzio Web Print Object version 3.2.30
+ http://www.anzio.com/download-wepo.htm
+
+ References :
+ http://secunia.com/advisories/31554/
+ http://en.securitylab.ru/poc/extra/358295.php
+ http://www.coresecurity.com/content/anzio-web-print-object-buffer-overflow
+
+ CVSS Score :
+        CVSS Base Score     : 6.8 (AV:N/AC:M/Au:NR/C:P/I:P/A:P)
+        CVSS Temporal Score : 5.3
+ Risk factor : High"; 
+
+ script_description(english:desc["english"]);
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_keys("SMB/WindowsVersion");
+ exit(0);
+}
+
+
+ include("smb_nt.inc");
+ include("secpod_smb_func.inc");
+
+ if (!get_kb_item("SMB/WindowsVersion")){
+        exit(0);
+ }
+
+ anzioPath = registry_get_sz(key:"SOFTWARE\Microsoft\Windows\CurrentVersion"
+				+ "\App Paths\pwui.exe", item:"Path");
+ if(!anzioPath){
+        exit(0);
+ }
+
+ share = ereg_replace(pattern:"([A-Z]):.*",replace:"\1$",string:anzioPath);
+ file = ereg_replace(pattern:"[A-Z]:(.*)",replace:"\1",string:anzioPath + "\pwui.exe");
+
+ name = kb_smb_name();
+ domain = kb_smb_domain();
+ login = kb_smb_login();
+ pass = kb_smb_password();
+ port = kb_smb_transport();
+
+ soc = open_sock_tcp(port);
+ if(!soc){
+        exit(0);
+ }
+ r = smb_session_request(soc:soc, remote:name);
+ if(!r){
+        close(soc);
+        exit(0);
+ }
+
+ prot = smb_neg_prot(soc:soc);
+ if(!prot){
+        close(soc);
+        exit(0);
+ }
+
+ r = smb_session_setup(soc:soc, login:login, password:pass,
+                       domain:domain, prot:prot);
+ if(!r){
+        close(soc);
+        exit(0);
+ }
+
+ uid = session_extract_uid(reply:r);
+ r = smb_tconx(soc:soc, name:name, uid:uid, share:share);
+
+ tid = tconx_extract_tid(reply:r);
+ if(!tid){
+        close(soc);
+        exit(0);
+ }
+
+ fid = OpenAndX(socket:soc, uid:uid, tid:tid, file:file);
+ if(!fid){
+        close(soc);
+        exit(0);
+ }
+
+ anzioVer = GetVersion(socket:soc, uid:uid, tid:tid, fid:fid, verstr:"File Version");
+ close(soc);
+
+ if(!anzioVer){
+        exit(0);
+ }
+
+ if(egrep(pattern:"^([0-2]\..*|3\.([01](\..*)?|2(\.[0-2]?[0-9])?\.0))$",
+	  string:anzioVer)){
+ 	security_hole(0);
+ }
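Review bot: The version pattern at the end of the hunk only matches 3.2.x builds whose fourth component is exactly 0 (`2(\.[0-2]?[0-9])?\.0`), so a File Version such as 3.2.29.5 — should the vendor ship one — would be reported as not vulnerable; `3\.([01](\..*)?|2(\.[0-2]?[0-9](\..*)?)?)` keeps the 3.2.30 cut-off while accepting any trailing component. The description also contradicts itself: the Overview calls this a heap-based overflow while the Impact paragraph says stack-based, and one of them should be corrected against the referenced advisories. Separately, `anzioPath + "\pwui.exe"` assumes the App Paths `Path` value carries no trailing backslash — presumably worth normalizing before `file` is built.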

Added: trunk/openvas-plugins/scripts/secpod_eset_smart_sec_local_prv_esc_vuln_900114.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_eset_smart_sec_local_prv_esc_vuln_900114.nasl	2008-09-02 05:37:55 UTC (rev 1271)
+++ trunk/openvas-plugins/scripts/secpod_eset_smart_sec_local_prv_esc_vuln_900114.nasl	2008-09-02 05:39:00 UTC (rev 1272)
@@ -0,0 +1,86 @@
+##############################################################################
+#
+#  ESET Smart Security easdrv.sys Local Privilege Escalation Vulnerability
+#
+#  Copyright: SecPod
+#
+#  Date Written: 2008/09/01
+#
+#  Revision: 1.1
+#
+#  Log : ssharath
+#  Issue #0150
+#  ------------------------------------------------------------------------
+#  This program was written by SecPod and is licensed under the GNU GPL 
+#  license. Please refer to the below link for details,
+#  http://www.gnu.org/licenses/gpl.html
+#  This header contains information regarding licensing terms under the GPL, 
+#  and information regarding obtaining source code from the Author. 
+#  Consequently, pursuant to section 3(c) of the GPL, you must accompany the 
+#  information found in this header with any distribution you make of this 
+#  Program.
+#  ------------------------------------------------------------------------
+##############################################################################
+
+
+if(description)
+{
+ script_id(900114);
+ script_bugtraq_id(30719);
+ script_copyright(english:"Copyright (C) 2008 SecPod");
+ script_version("Revision: 1.1 ");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Misc.");
+ script_name(english:"ESET Smart Security easdrv.sys Local Privilege Escalation Vulnerability");
+ script_summary(english:"Check for vulnerable version and prior of ESET");
+ desc["english"] = "
+ Overview : The host is running ESET Smart Security, which is prone to a local
+ privilege escalation vulnerability.
+
+ Vulnerability Insight :
+
+        The flaw exists due to an error in easdrv.sys driver file.
+
+        Impact: Local exploitation will allow attackers to execute arbitrary
+        code with kernel level privileges to result in complete compromise of
+        the system.
+
+ Impact Level : Application
+
+ Affected Software/OS:
+ - Eset Software Smart Security 3.0.667.0 and prior on Windows (All)
+
+ Fix : No solution/patch is available as on 01st September, 2008. Information
+ regarding this issue will be update once the solution details are available.
+ For update refer, http://www.eset.com/
+
+ References : http://www.securityfocus.com/bid/30719/discuss
+
+ CVSS Score :
+        CVSS Base Score     : 6.6 (AV:L/AC:M/Au:SI/C:C/I:C/A:C)
+        CVSS Temporal Score : 5.9
+ Risk factor : High"; 
+
+ script_description(english:desc["english"]);
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_keys("SMB/WindowsVersion");
+ exit(0);
+}
+
+ include("smb_nt.inc");
+
+ if (!get_kb_item("SMB/WindowsVersion")){
+        exit(0);
+ }
+ 
+ esetVer = registry_get_sz(key:"SOFTWARE\ESET\ESET Security\CurrentVersion\Info",
+			   item:"ProductVersion");
+ if(!esetVer){
+	exit(0);
+ } 
+
+ # Grep Eset Software Smart Security version <= 3.0.667.0
+ if(egrep(pattern:"^([0-2]\..*|3\.0\.([0-5]?[0-9]?[0-9]|6[0-5][0-9]|66[0-7])\.0)$",
+	  string:esetVer)){
+	security_warning(0);
+ }
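Review bot: `security_warning(0)` at the end of the hunk reports a finding whose description says `Risk factor : High`, while 900115 in this same commit uses `security_hole(0)` for the same risk factor; the reporting level should follow one convention across the new plugins (the Ichitaro plugin, rated Medium, also uses `security_warning`). The pattern on the preceding lines likewise matches only four-part versions ending in `.0` (`...\.0)$`), so a ProductVersion such as 3.0.650.1 would slip through — hedged, since the registry value's format is not visible here. The description text `will be update once` should read `will be updated once`.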

Added: trunk/openvas-plugins/scripts/secpod_justsystems_ichitaro_code_exec_vuln_900207.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_justsystems_ichitaro_code_exec_vuln_900207.nasl	2008-09-02 05:37:55 UTC (rev 1271)
+++ trunk/openvas-plugins/scripts/secpod_justsystems_ichitaro_code_exec_vuln_900207.nasl	2008-09-02 05:39:00 UTC (rev 1272)
@@ -0,0 +1,184 @@
+##############################################################################
+#
+#  Ichitaro Document Handling Unspecified Code Execution Vulnerability
+#
+#  Copyright: SecPod
+#
+#  Date Written: 2008/08/27
+#
+#  Revision: 1.1
+#
+#  Log: veerendragg
+#  Issue #0147
+#  ------------------------------------------------------------------------
+#  This program was written by SecPod and is licensed under the GNU GPL 
+#  license. Please refer to the below link for details,
+#  http://www.gnu.org/licenses/gpl.html
+#  This header contains information regarding licensing terms under the GPL, 
+#  and information regarding obtaining source code from the Author. 
+#  Consequently, pursuant to section 3(c) of the GPL, you must accompany the 
+#  information found in this header with any distribution you make of this 
+#  Program.
+#  ------------------------------------------------------------------------
+##############################################################################
+
+
+if(description)
+{
+ script_id(900207);
+ script_bugtraq_id(30828);
+ script_copyright(english:"Copyright (C) 2008 SecPod");
+ script_version("Revision: 1.1");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Misc.");
+ script_name(english:"Ichitaro Document Handling Unspecified Code Execution Vulnerability");
+ script_summary(english:"Check for the version of Ichitaro");
+ desc["english"] = "
+ Overview : This host is running Ichitaro, which is prone to Unspecified Remote
+ Code Execution Vulnerability.
+
+ Vulnerability Insight :
+
+        The issue is due to error that exists while processing specially 
+        crafted docuement form.
+
+        Impact : Successful exploitation will allow execution arbitrary code
+        within the context of the vulnerable application. 
+
+ Impact Level : Application
+
+ Affected Software/OS :
+        Justsystem Ichitaro 2008 and prior versions on Windows (All).
+
+ Fix : No solution/patch is available as on 28th August, 2008. Information
+ regarding this issue will updated once the solution details are available.
+ For updates refer, http://www.ichitaro.com
+
+ References :
+ http://secunia.com/advisories/31603/
+ http://www.justsystems.com/jp/info/pd8002.html
+
+ CVSS Score :
+        CVSS Base Score     : 7.5 (AV:N/AC:L/Au:NR/C:P/I:P/A:P)
+        CVSS Temporal Score : 6.4
+ Risk factor : Medium";
+
+ script_description(english:desc["english"]);
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_keys("SMB/WindowsVersion");
+ exit(0);
+}
+
+
+ include("smb_nt.inc");
+
+ if(!get_kb_item("SMB/WindowsVersion")){
+        exit(0);
+ }
+
+ if(!registry_key_exists(key:"SOFTWARE\Justsystem\ATOK")){
+        exit(0);
+ }
+
+ name   =  kb_smb_name();
+ login  =  kb_smb_login();
+ pass   =  kb_smb_password();
+ domain =  kb_smb_domain();
+ port   =  kb_smb_transport();
+
+ if(!port){
+	port = 139;
+ }
+
+ if(!get_port_state(port)){
+	exit(0);
+ }
+
+ soc = open_sock_tcp(port);
+ if(!soc){
+        exit(0);
+ }
+
+ r = smb_session_request(soc:soc, remote:name);
+ if(!r)
+ {
+        close(soc);
+        exit(0);
+ }
+
+ prot = smb_neg_prot(soc:soc);
+ if(!prot)
+ {
+        close(soc);
+        exit(0);
+ }
+
+ r = smb_session_setup(soc:soc, login:login, password:pass,
+                       domain:domain, prot:prot);
+ if(!r)
+ {
+        close(soc);
+        exit(0);
+ }
+
+ uid = session_extract_uid(reply:r);
+ r = smb_tconx(soc:soc, name:name, uid:uid, share:"IPC$");
+
+ tid = tconx_extract_tid(reply:r);
+ if(!tid)
+ {
+        close(soc);
+        exit(0);
+ }
+
+ r = smbntcreatex(soc:soc, uid:uid, tid:tid, name:"\winreg");
+ if(!r)
+ {
+        close(soc);
+        exit(0);
+ }
+
+ pipe = smbntcreatex_extract_pipe(reply:r);
+ if(!pipe)
+ {
+        close(soc);
+        exit(0);
+ }
+
+ r = pipe_accessible_registry(soc:soc, uid:uid, tid:tid, pipe:pipe);
+ if(!r)
+ {
+        close(soc);
+        exit(0);
+ }
+
+ handle = registry_open_hklm(soc:soc, uid:uid, tid:tid, pipe:pipe);
+ if(!handle)
+ {
+        close(soc);
+        exit(0);
+ }
+
+ key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\";
+ key_h = registry_get_key(soc:soc, uid:uid, tid:tid, pipe:pipe,
+                          key:key, reply:handle);
+ if(!key_h)
+ {
+	close(soc);
+ 	exit(0);
+ }
+ 
+ enumKeys = registry_enum_key(soc:soc, uid:uid, tid:tid,
+                              pipe:pipe, reply:key_h);
+ foreach entry (enumKeys)
+ {
+        appName = registry_get_sz(item:"DisplayName", key:key + entry);
+        if(appName && "ATOK" >< appName)
+        {
+                if(egrep(pattern:"ATOK ([01][0-9][0-9][0-9]|200[0-8]|" +
+			 	 "(9\.|1[0-3]\.)).*", string:appName)){
+                        security_warning(0);
+                }
+                exit(0);
+        }
+ }
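Review bot: `soc` is never closed after `registry_enum_key` — every path out of the `foreach` ends in `exit(0)` without a `close(soc)`, whereas the OpenOffice Windows plugin in this commit closes the socket right after enumeration; add `close(soc);` directly after the `registry_enum_key(...)` call. The detection keys on the `SOFTWARE\Justsystem\ATOK` registry key and an `ATOK <version>` DisplayName rather than on Ichitaro itself; if ATOK can be present without Ichitaro this presumably yields false positives, and the indirection deserves a comment such as `# Ichitaro is detected indirectly through the bundled ATOK version`. `smb_tconx`'s return value `r` is not checked before `tconx_extract_tid`, although the `tid` guard covers that case.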


Property changes on: trunk/openvas-plugins/scripts/secpod_justsystems_ichitaro_code_exec_vuln_900207.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/secpod_openoffice_code_exec_vuln_lin_900043.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_openoffice_code_exec_vuln_lin_900043.nasl	2008-09-02 05:37:55 UTC (rev 1271)
+++ trunk/openvas-plugins/scripts/secpod_openoffice_code_exec_vuln_lin_900043.nasl	2008-09-02 05:39:00 UTC (rev 1272)
@@ -0,0 +1,85 @@
+#############################################################################
+#
+#  OpenOffice rtl_allocateMemory() Remote Code Execution Vulnerability (Lin)
+#
+#  Copyright: SecPod
+#
+#  Date Written: 2008/08/29
+#
+#  Revision: 1.1
+#
+#  Log: schandan
+#  Issue #0154
+#  ------------------------------------------------------------------------
+#  This program was written by SecPod and is licensed under the GNU GPL
+#  license. Please refer to the below link for details,
+#  http://www.gnu.org/licenses/gpl.html
+#  This header contains information regarding licensing terms under the GPL,
+#  and information regarding obtaining source code from the Author.
+#  Consequently, pursuant to section 3(c) of the GPL, you must accompany the
+#  information found in this header with any distribution you make of this
+#  Program.
+#  ------------------------------------------------------------------------
+###########################################################################
+
+if(description)
+{
+ script_id(900043);
+ script_bugtraq_id(30866);
+ script_cve_id("CVE-2008-3282");
+ script_copyright(english:"Copyright (C) 2008 SecPod");
+ script_version("Revision: 1.1 ");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Misc.");
+ script_name(english:"OpenOffice rtl_allocateMemory() Remote Code Execution Vulnerability (Lin)");
+ script_summary(english:"Check for the vulnerable version of OpenOffice.org");
+ desc["english"] = "
+ Overview : This host has OpenOffice.Org installed, which is prone to remote
+ code execution vulnerability.
+ 
+ Vulnerability Insight :
+
+        The issue is due to a numeric truncation error within the rtl_allocateMemory()
+        method in alloc_global.c file.
+
+        Impact : Attackers can cause an out of bounds array access by tricking a
+        user into opening a malicious document, also allow execution of arbitrary
+        code.
+ 
+ Impact Level : System
+ 
+ Affected Software/OS :
+        OpenOffice.org 2.4.1 and prior on Linux.
+ 
+ Fix : No solution/patch is available as on 29th August, 2008. Information
+ regarding this issue will updated once the solution details are available.
+ For updates refer, http://download.openoffice.org/index.html
+ 
+ References : http://secunia.com/advisories/31640/
+ http://www.frsirt.com/english/advisories/2008/2449
+ 
+ CVSS Score :
+        CVSS Base Score     : 6.8 (AV:N/AC:M/Au:NR/C:P/I:P/A:P)
+        CVSS Temporal Score : 5.8
+ Risk factor : High";
+
+ script_description(english:desc["english"]);
+ script_dependencies("secpod_ssh_sys_info.nasl");
+ script_require_keys("Host/uname"); 
+ exit(0);
+}
+
+
+ if("Linux" >!< get_kb_item("ssh/login/uname")){
+        exit(0);
+ }
+
+ foreach item (get_kb_list("ssh/*/rpms"))
+ {
+	if(egrep(pattern:"^(O|o)pen(O|o)ffice.*?~([01]\..*|2\.([0-3][^0-9]" +
+			 "|4(\.[01])?[^.0-9]))", string:item))
+	{
+ 		security_warning(0);
+      		exit(0);
+        }
+ }
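Review bot: `script_require_keys("Host/uname")` in the description block and `get_kb_item("ssh/login/uname")` in the body name two different KB keys; if `secpod_ssh_sys_info.nasl` sets only one of them the plugin either never runs or always exits at the Linux check, so both lines should use whichever key that dependency actually sets. The `.*?` in the egrep pattern is a lazy quantifier, which POSIX extended regular expressions do not define — it is presumably treated as `.*` here, but writing `.*~` makes the intent explicit. The `rpms` entries are inferred to have the form `name~version~release`; a one-line comment stating that would help whoever maintains the pattern.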


Property changes on: trunk/openvas-plugins/scripts/secpod_openoffice_code_exec_vuln_lin_900043.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/secpod_openoffice_code_exec_vuln_win_900042.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_openoffice_code_exec_vuln_win_900042.nasl	2008-09-02 05:37:55 UTC (rev 1271)
+++ trunk/openvas-plugins/scripts/secpod_openoffice_code_exec_vuln_win_900042.nasl	2008-09-02 05:39:00 UTC (rev 1272)
@@ -0,0 +1,177 @@
+#############################################################################
+#
+#  OpenOffice rtl_allocateMemory() Remote Code Execution Vulnerability (Win)
+#
+#  Copyright: SecPod
+#
+#  Date Written: 2008/08/29
+#
+#  Revision: 1.1
+#
+#  Log: schandan
+#  Issue #0154
+#  ------------------------------------------------------------------------
+#  This program was written by SecPod and is licensed under the GNU GPL
+#  license. Please refer to the below link for details,
+#  http://www.gnu.org/licenses/gpl.html
+#  This header contains information regarding licensing terms under the GPL,
+#  and information regarding obtaining source code from the Author.
+#  Consequently, pursuant to section 3(c) of the GPL, you must accompany the
+#  information found in this header with any distribution you make of this
+#  Program.
+#  ------------------------------------------------------------------------
+###########################################################################
+
+if(description)
+{
+ script_id(900042);
+ script_bugtraq_id(30866);
+ script_cve_id("CVE-2008-3282");
+ script_copyright(english:"Copyright (C) 2008 SecPod");
+ script_version("Revision: 1.1 ");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Misc.");
+ script_name(english:"OpenOffice rtl_allocateMemory() Remote Code Execution Vulnerability (Win)");
+ script_summary(english:"Check for the vulnerable version of OpenOffice.org");
+ desc["english"] = "
+ Overview : This host has OpenOffice.Org installed, which is prone to remote
+ code execution vulnerability.
+
+ Vulnerability Insight :
+
+        The issue is due to a numeric truncation error within the rtl_allocateMemory()
+        method in alloc_global.c file.
+
+        Impact : Attackers can cause an out of bounds array access by tricking a
+        user into opening a malicious document, also allow execution of arbitrary
+        code.
+
+ Impact Level : System
+
+ Affected Software/OS :
+        OpenOffice.org 2.4.1 and prior on Windows.
+
+ Fix : No solution/patch is available as on 29th August, 2008. Information
+ regarding this issue will updated once the solution details are available.
+ For updates refer, http://download.openoffice.org/index.html
+
+ References : http://secunia.com/advisories/31640/
+ http://www.frsirt.com/english/advisories/2008/2449
+
+ CVSS Score :
+        CVSS Base Score     : 6.8 (AV:N/AC:M/Au:NR/C:P/I:P/A:P)
+        CVSS Temporal Score : 5.8
+ Risk factor : High";
+
+ script_description(english:desc["english"]);
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_keys("SMB/WindowsVersion");
+ exit(0);
+}
+
+
+ include("smb_nt.inc");
+
+ if(!get_kb_item("SMB/WindowsVersion")){
+        exit(0);
+ }
+
+ name   =  kb_smb_name();
+ login  =  kb_smb_login();
+ pass   =  kb_smb_password();
+ domain =  kb_smb_domain();
+ port   =  kb_smb_transport();
+ 
+ if(!port) port = 139;
+ 
+ if(!get_port_state(port))exit(0);
+ 
+ soc = open_sock_tcp(port);
+ if(!soc){
+        exit(0);
+ }
+ 
+ r = smb_session_request(soc:soc, remote:name);
+ if(!r)
+ {
+        close(soc);
+        exit(0);
+ }
+ 
+ prot = smb_neg_prot(soc:soc);
+ if(!prot)
+ {
+        close(soc);
+        exit(0);
+ }
+ 
+ r = smb_session_setup(soc:soc, login:login, password:pass,
+                       domain:domain, prot:prot);
+ if(!r)
+ {
+        close(soc);
+        exit(0);
+ }
+ uid = session_extract_uid(reply:r);
+ r = smb_tconx(soc:soc, name:name, uid:uid, share:"IPC$");
+ tid = tconx_extract_tid(reply:r);
+ if(!tid)
+ {
+        close(soc);
+        exit(0);
+ }
+
+ r = smbntcreatex(soc:soc, uid:uid, tid:tid, name:"\winreg");
+ if(!r)
+ {
+        close(soc);
+        exit(0);
+ }
+
+ pipe = smbntcreatex_extract_pipe(reply:r);
+ if(!pipe)
+ {
+        close(soc);
+        exit(0);
+ }
+
+ r = pipe_accessible_registry(soc:soc, uid:uid, tid:tid, pipe:pipe);
+ if(!r)
+ {
+        close(soc);
+        exit(0);
+ }
+
+ handle = registry_open_hklm(soc:soc, uid:uid, tid:tid, pipe:pipe);
+ if(!handle)
+ {
+        close(soc);
+        exit(0);
+ }
+ 
+ key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\";
+ key_h = registry_get_key(soc:soc, uid:uid, tid:tid, pipe:pipe,
+                          key:key, reply:handle);
+ if(!key_h)
+ {
+        close(soc);
+        exit(0);
+ }
+
+ entries = registry_enum_key(soc:soc, uid:uid, tid:tid, pipe:pipe, reply:key_h);
+ close(soc);
+
+ foreach item (entries)
+ {
+        if("OpenOffice.org" >< registry_get_sz(key:key + item, item:"DisplayName"))
+        {
+		# Grep <= 2.4.9310 (ie., 2.4.1)
+ 		if((egrep(pattern:"^([01]\..*|2\.([0-3](\..*)?|4(\.([0-8]?[0-9]?" +
+				  "[0-9]?[0-9]|9[0-2][0-9][0-9]|930[0-9]|9310))?))$",
+                    	  string:registry_get_sz(key:key + item,
+                    	  item:"DisplayVersion")))){
+			security_warning(0);
+		}
+		exit(0);
+        }
+ }
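Review bot: `if(!port) port = 139;` and `if(!get_port_state(port))exit(0);` are the only unbraced single-line guards in the file — every other check, including the identical ones in the Ichitaro plugin of this commit, is a braced block; for consistency write them as `if(!port){ port = 139; }` and `if(!get_port_state(port)){ exit(0); }`. Inside the `foreach`, `registry_get_sz` is called twice per matching entry (DisplayName, then DisplayVersion inline inside the `egrep` call); assigning the version to a local first would keep the regex readable. The `exit(0)` after the first DisplayName containing `OpenOffice.org` stops at that entry whether or not its version matched, so any later OpenOffice-related Uninstall entry is never examined — hedged, since which entries carry that substring depends on the installer.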


Property changes on: trunk/openvas-plugins/scripts/secpod_openoffice_code_exec_vuln_win_900042.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/secpod_ultra_office_activex_control_mult_vuln_900208.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ultra_office_activex_control_mult_vuln_900208.nasl	2008-09-02 05:37:55 UTC (rev 1271)
+++ trunk/openvas-plugins/scripts/secpod_ultra_office_activex_control_mult_vuln_900208.nasl	2008-09-02 05:39:00 UTC (rev 1272)
@@ -0,0 +1,261 @@
+##############################################################################
+#
+#  Ultra Office ActiveX Control Multiple Vulnerabilities
+#
+#  Copyright: SecPod
+#
+#  Date Written: 2008/09/01
+#
+#  Revision: 1.1
+#
+#  Log: veerendragg
+#  Issue #0153
+#  ------------------------------------------------------------------------
+#  This program was written by SecPod and is licensed under the GNU GPL 
+#  license. Please refer to the below link for details,
+#  http://www.gnu.org/licenses/gpl.html
+#  This header contains information regarding licensing terms under the GPL, 
+#  and information regarding obtaining source code from the Author. 
+#  Consequently, pursuant to section 3(c) of the GPL, you must accompany the 
+#  information found in this header with any distribution you make of this 
+#  Program.
+#  ------------------------------------------------------------------------
+##############################################################################
+
+
+if(description)
+{
+ script_id(900208);
+ script_bugtraq_id(30861);
+ script_copyright(english:"Copyright (C) 2008 SecPod");
+ script_version("Revision: 1.1 ");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Denial of Service");
+ script_name(english:"Ultra Office ActiveX Control Multiple Vulnerabilities");
+ script_summary(english:"Check for Vulnerable Version of Ultra Office");
+ desc["english"] = "
+ Overview : This host is running Ultra Office Control, which is prone to 
+ multiple vulnerabilities.
+
+ Vulnerability Insight :
+
+        Error exists when handling parameters received by the HttpUpload()
+        and Save() methods in OfficeCtrl.ocx file.
+
+        Impact : Successful exploitation will allow execution of arbitrary
+        code, stack-based buffer overflow, can overwrite arbitrary files
+        on the vulnerable system by tricking a user into visiting a
+        malicious website.
+
+ Impact Level : Application
+
+ Affected Software/OS :
+        Ultra Office Control 2.x and prior versions on Windows (All). 
+
+ Fix : No solution/patch is available as on 01st September, 2008. Information
+ regarding this issue will be update once the solution details are available.
+ For updates refer, http://www.ultrashareware.com/Ultra-Office-Control.htm 
+
+ Quick Fix: Set a kill bit for the CLSID's
+ {00989888-BB72-4E31-A7C6-5F819C24D2F7}
+
+ Refer to following link to set kill-bit,
+ http://support.microsoft.com/kb/240797
+
+ References : http://secunia.com/advisories/31632/
+ http://www.juniper.net/security/auto/vulnerabilities/vuln30861.html
+ 
+ CVSS Score :
+        CVSS Base Score     : 6.8 (AV:N/AC:M/Au:NR/C:P/I:P/A:P) 
+        CVSS Temporal Score : 5.8
+ Risk factor : High";
+
+ script_description(english:desc["english"]);
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_keys("SMB/WindowsVersion");
+ exit(0);
+}
+
+
+ include("smb_nt.inc");
+ include("secpod_smb_func.inc");
+
+ if(!get_kb_item("SMB/WindowsVersion")){
+        exit(0);
+ }
+
+ name   =  kb_smb_name();
+ login  =  kb_smb_login();
+ pass   =  kb_smb_password();
+ domain =  kb_smb_domain();
+ port   =  kb_smb_transport();
+
+ if(!port) port = 139;
+
+ if(!get_port_state(port))exit(0);
+
+ soc = open_sock_tcp(port);
+ if(!soc){
+        exit(0);
+ }
+
+ r = smb_session_request(soc:soc, remote:name);
+ if(!r)
+ {
+        close(soc);
+        exit(0);
+ }
+
+ prot = smb_neg_prot(soc:soc);
+ if(!prot)
+ {
+        close(soc);
+        exit(0);
+ }
+
+ r = smb_session_setup(soc:soc, login:login, password:pass,
+                       domain:domain, prot:prot);
+ if(!r)
+ {
+        close(soc);
+        exit(0);
+ }
+
+
+ uid = session_extract_uid(reply:r);
+ r = smb_tconx(soc:soc, name:name, uid:uid, share:"IPC$");
+
+ tid = tconx_extract_tid(reply:r);
+ if(!tid)
+ {
+        close(soc);
+        exit(0);
+ }
+
+ r = smbntcreatex(soc:soc, uid:uid, tid:tid, name:"\winreg");
+ if(!r)
+ {
+        close(soc);
+        exit(0);
+ }
+
+ pipe = smbntcreatex_extract_pipe(reply:r);
+ if(!pipe)
+ {
+        close(soc);
+        exit(0);
+ }
+
+ r = pipe_accessible_registry(soc:soc, uid:uid, tid:tid, pipe:pipe);
+ if(!r)
+ {
+        close(soc);
+        exit(0);
+ }
+
+ handle = registry_open_hklm(soc:soc, uid:uid, tid:tid, pipe:pipe);
+ if(!handle)
+ {
+        close(soc);
+        exit(0);
+ }
+
+ key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\";
+ key_h = registry_get_key(soc:soc, uid:uid, tid:tid, pipe:pipe,
+                          key:key, reply:handle);
+ if(!key_h)
+ {
+        close(soc);
+        exit(0);
+ }
+
+ # To get application installed Path.
+ enumKeys = registry_enum_key(soc:soc, uid:uid, tid:tid, pipe:pipe, reply:key_h);
+ close(soc);
+
+ foreach entry (enumKeys)
+ {
+        if("Ultra Office Control" >< entry)
+        {
+                appInsLoc = registry_get_sz(item:"InstallLocation", key:key + entry);
+                if(!appInsLoc){
+                        exit(0); 
+                }
+		break;
+        }
+ }
+
+ # To Get File Version.
+ share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:appInsLoc);
+ file =  ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1",
+                      string:appInsLoc + "OfficeCtrl.ocx");
+
+ soc = open_sock_tcp(port);
+ if(!soc){
+        exit(0);
+ }
+
+ r = smb_session_request(soc:soc, remote:name);
+ if(!r)
+ {
+        close(soc);
+        exit(0);
+ }
+
+ prot = smb_neg_prot(soc:soc);
+ if(!prot)
+ {
+        close(soc);
+        exit(0);
+ }
+
+ r = smb_session_setup(soc:soc, login:login, password:pass, domain:domain, prot:prot);
+ if(!r)
+ {
+        close(soc);
+        exit(0);
+ }
+
+ uid = session_extract_uid(reply:r);
+ r = smb_tconx(soc:soc, name:name, uid:uid, share:share);
+
+ tid = tconx_extract_tid(reply:r);
+ if(!tid)
+ {
+        close(soc);
+        exit(0);
+ }
+
+ fid = OpenAndX(socket:soc, uid:uid, tid:tid, file:file);
+ if(!fid)
+ {
+        close(soc);
+	exit(0);
+ }
+
+ fileVer = GetVersion(socket:soc, uid:uid, tid:tid, fid:fid);
+ close(soc);
+
+ if(!fileVer){
+	exit(0);
+ }
+
+ # Grep for Version <= 2.0.2008.801  
+ if(egrep(pattern:"^([01]\..*|2\.0\.[01]?[0-9]?[0-9]?[0-9]\..*|2\.0\.200[0-7]" +
+		  "\..*|2\.0\.2008(\.[0-7]?[0-9]?[0-9]|\.80[01]))$", string:fileVer))
+ {
+        clsid = "{00989888-BB72-4E31-A7C6-5F819C24D2F7}";
+        regKey = "SOFTWARE\Classes\CLSID\"+ clsid;
+        if(registry_key_exists(key:regKey))
+        {
+                # Check for Kill-Bit set for ActiveX control
+                activeKey = "SOFTWARE\Microsoft\Internet Explorer\"+
+                            "ActiveX Compatibility\" + clsid;
+                killBit = registry_get_dword(key:activeKey,
+                          		     item:"Compatibility Flags");
+                if(killBit && (int(killBit) == 1024)){
+                        exit(0);
+                }
+                security_warning(0);        
+        }
+ }
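Review bot: The kill-bit test `int(killBit) == 1024` treats `Compatibility Flags` as a single value, but it is a bit field in which 0x400 is the kill bit and other flags may be set alongside it; use `if(killBit && (int(killBit) & 1024)){` so a control disabled together with other flags is not reported. After the `foreach` over `enumKeys`, `appInsLoc` is used to build `share` and `file` even when no `Ultra Office Control` entry was found, which opens a second SMB session with an empty path; add `if(!appInsLoc){ exit(0); }` after the loop. `script_family(english:"Denial of Service")` also disagrees with the description (code execution / file overwrite) and with the `Misc.` family the other plugins in this commit use. `appInsLoc + "OfficeCtrl.ocx"` assumes InstallLocation ends with a backslash — presumably true for this installer, but worth a comment.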


Property changes on: trunk/openvas-plugins/scripts/secpod_ultra_office_activex_control_mult_vuln_900208.nasl
___________________________________________________________________
Name: svn:executable
   + *


