[Openvas-commits] r1279 - in trunk/openvas-plugins: . scripts
Wed Sep 3 22:30:28 CEST 2008
Author: ckm
Date: 2008-09-03 22:30:27 +0200 (Wed, 03 Sep 2008)
New Revision: 1279
Added:
trunk/openvas-plugins/scripts/flash_player_CB-A08-0059.nasl
trunk/openvas-plugins/scripts/libpng_CB-A08-0064.nasl
trunk/openvas-plugins/scripts/smbcl_flash_player_CB-A08-0059.nasl
trunk/openvas-plugins/scripts/win_CVE-2007-6026.nasl
trunk/openvas-plugins/scripts/win_CVE-2008-0087.nasl
Modified:
trunk/openvas-plugins/ChangeLog
trunk/openvas-plugins/scripts/clamav-CB-A08-0001.nasl
trunk/openvas-plugins/scripts/cups_CB-A08-0045.nasl
trunk/openvas-plugins/scripts/smbcl_CVE-2008-0234.nasl
trunk/openvas-plugins/scripts/version_func.inc
Log:
* scripts/version_func.inc: added function find_file, which locates
a file on the local or remote host via locate(1).
* scripts/smbcl_CVE-2008-0234.nasl: Update
* scripts/flash_player_CB-A08-0059.nasl: new
* scripts/smbcl_flash_player_CB-A08-0059.nasl: new
* scripts/win_CVE-2008-0087.nasl: new
* scripts/win_CVE-2007-6026.nasl: new
* scripts/libpng_CB-A08-0064.nasl: new
* scripts/clamav-CB-A08-0001.nasl: Update
* scripts/cups_CB-A08-0045.nasl: Update
Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog 2008-09-02 15:15:27 UTC (rev 1278)
+++ trunk/openvas-plugins/ChangeLog 2008-09-03 20:30:27 UTC (rev 1279)
@@ -1,3 +1,16 @@
+2008-09-03 Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>.
+
+ * scripts/version_func.inc: added function find_file
+ to find any file on local or remote Host using locate.
+ * scripts/smbcl_CVE-2008-0234.nasl: Update
+ * scripts/flash_player_CB-A08-0059.nasl: new
+ * scripts/smbcl_flash_player_CB-A08-0059.nasl: new
+ * scripts/win_CVE-2008-0087.nasl: new
+ * scripts/win_CVE-2007-6026.nasl: new
+ * scripts/libpng_CB-A08-0064.nasl: new
+ * scripts/clamav-CB-A08-0001.nasl: Update
+ * scripts/cups_CB-A08-0045.nasl: Update
+
2008-09-02 Jan-Oliver Wagner <jan-oliver.wagner at intevation.de>
* scripts/kiwi_cattools_dir_traversal.nasl: changed ID to fit a loose
Modified: trunk/openvas-plugins/scripts/clamav-CB-A08-0001.nasl
===================================================================
--- trunk/openvas-plugins/scripts/clamav-CB-A08-0001.nasl 2008-09-02 15:15:27 UTC (rev 1278)
+++ trunk/openvas-plugins/scripts/clamav-CB-A08-0001.nasl 2008-09-03 20:30:27 UTC (rev 1279)
@@ -3,20 +3,24 @@
# Slight modification by Vlatko Kosturjak - Kost <kost at linux.hr>
# This script is released under the GNU GPLv2
#
-# $Revision: 05 $
+# $Revision: 06 $
if(description)
{
script_id(90000);
- script_version ("$Revision: 05 $");
- name["english"] = "ClamAV < 0.93 vulnerability";
+ script_version ("$Revision: 06 $");
+ name["english"] = "ClamAV < 0.93.1 vulnerability";
script_name(english:name["english"]);
desc["english"] = "The remote host is probably affected by the vulnerabilities described in
-CVE 2007-6335 CVE 2007-6336 CVE 2007-6337 CVE-2008-0318 CVE-2008-1100 CVE-2008-1387
+CVE 2007-6335 CVE 2007-6336 CVE 2007-6337 CVE-2008-0318 CVE-2008-1100 CVE-2008-1387 CVE-2008-2713
Impact
+ CVE 2008-2713
+ libclamav/petite.c in ClamAV before 0.93.1 allows remote attackers to
+ cause a denial of service via a crafted Petite file that triggers an
+ out-of-bounds read.
CVE 2008-1387
ClamAV before 0.93 allows remote attackers to cause a denial of service
(CPU consumption) via a crafted ARJ archive, as demonstrated by the
@@ -45,6 +49,7 @@
References:
+ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2713
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1387
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1100
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0318
@@ -83,7 +88,7 @@
ver = get_bin_version(full_prog_name:binary_name, version_argv:"--version", ver_pattern:"([0-9\.]+)");
if(ver != NULL) {
clamavcnt++;
- if(version_is_less(version:ver[0], test_version:"0.93") ) {
+ if(version_is_less(version:ver[0], test_version:"0.93.1") ) {
security_hole(port:0, proto:"ClamAV");
report = string("\nFound : ") + binary_name + " Version : " + ver[max_index(ver)-1] + string("\n");
security_hole(port:0, proto:"ClamAV", data:report);
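Review bot: Each vulnerable binary is still reported twice here — the bare `security_hole(port:0, proto:"ClamAV");` on the line before the detailed call fires a second, data-less finding for the same host, so the bumped threshold now yields duplicate results rather than one. Dropping the bare call and keeping only `security_hole(port:0, proto:"ClamAV", data:report);` gives one finding per binary. The version compared (`ver[0]`) and the version printed (`ver[max_index(ver)-1]`) are also different elements of the match array; if they can differ, the report shows a value the check did not evaluate. The enclosing loop starts and ends outside the hunk.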
Modified: trunk/openvas-plugins/scripts/cups_CB-A08-0045.nasl
===================================================================
--- trunk/openvas-plugins/scripts/cups_CB-A08-0045.nasl 2008-09-02 15:15:27 UTC (rev 1278)
+++ trunk/openvas-plugins/scripts/cups_CB-A08-0045.nasl 2008-09-03 20:30:27 UTC (rev 1279)
@@ -3,19 +3,19 @@
#
# This script is released under the GNU GPLv2
#
-# $Revision: 02 $
+# $Revision: 03 $
if(description)
{
script_id(90017);
- script_version ("$Revision: 02 $");
-# script_cve_id("CVE-2008-0047");
- name["english"] = "Cups < 1.3.6 vulnerability";
+ script_version ("$Revision: 03 $");
+# script_cve_id("CVE-2008-1722");
+ name["english"] = "Cups < 1.3.8 vulnerability";
script_name(english:name["english"]);
desc["english"] = "The remote host is probably affected by the vulnerabilities described in
-CVE-2008-0047
+CVE-2008-1722 CVE-2008-0047
Impact
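Review bot: `script_cve_id` stays commented out and now names only CVE-2008-1722, so the plugin still exports no CVE metadata even though the description lists both CVEs; the id line should be enabled and carry both, `script_cve_id("CVE-2008-0047", "CVE-2008-1722");`. If it was left commented out because the package checks below only partially cover CVE-2008-0047, that reason belongs in a comment next to the line rather than in the author's memory.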
@@ -24,9 +24,15 @@
bundled with Apple Mac OS X 10.5.2, when printer sharing is enabled,
allows remote attackers to execute arbitrary code via crafted search
expressions.
-
+ CVE-2008-1722
+ Multiple integer overflows in (1) filter/image-png.c and (2)
+ filter/image-zoom.c in CUPS 1.3 allow attackers to cause a denial
+ of service (crash) and trigger memory corruption, as demonstrated
+ via a crafted PNG image.
+
References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0047
+ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1722
Solution:
All Cups users should upgrade to the latest version:
@@ -36,7 +42,7 @@
";
script_description(english:desc["english"]);
- summary["english"] = "Determines Cups < 1.3.6 vulnerability";
+ summary["english"] = "Determines Cups < 1.3.8 vulnerability";
script_summary(english:summary["english"]);
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is under GPLv2");
@@ -62,43 +68,43 @@
pkg = NULL;
rls[0] = "SUSE10.0";
ver[0] = "1.2.7";
- rel[0] = "12.13";
+ rel[0] = "12.17";
pkg[0] = "cups";
rls[1] = "SUSE10.1";
ver[1] = "1.2.7";
- rel[1] = "12.13";
+ rel[1] = "12.17";
pkg[1] = "cups";
rls[2] = "SUSE10.2";
ver[2] = "1.2.7";
- rel[2] = "12.13";
+ rel[2] = "12.17";
pkg[2] = "cups";
rls[3] = "SUSE10.3";
ver[3] = "1.2.12";
- rel[3] = "22.11";
+ rel[3] = "22.15";
pkg[3] = "cups";
rls[4] = "SUSE10.0";
ver[4] = "1.2.7";
- rel[4] = "12.13";
+ rel[4] = "12.17";
pkg[4] = "cups-client";
rls[5] = "SUSE10.1";
ver[5] = "1.2.7";
- rel[5] = "12.13";
+ rel[5] = "12.17";
pkg[5] = "cups-client";
rls[6] = "SUSE10.2";
ver[6] = "1.2.7";
- rel[6] = "12.13";
+ rel[6] = "12.17";
pkg[6] = "cups-client";
rls[7] = "SUSE10.3";
ver[7] = "1.2.12";
- rel[7] = "22.11";
+ rel[7] = "22.15";
pkg[7] = "cups-client";
rls[8] = "FC7";
ver[8] = "1.2.12";
- rel[8] = "10.fc7";
+ rel[8] = "11.fc7";
pkg[8] = "cups";
rls[9] = "FC8";
- ver[9] = "1.3.6";
- rel[9] = "4.fc8";
+ ver[9] = "1.3.7";
+ rel[9] = "2.fc8";
pkg[9] = "cups";
rls[10] = "SUSE10.0";
ver[10] = "1.2.7";
@@ -106,16 +112,20 @@
pkg[10] = "cups-libs";
rls[11] = "SUSE10.1";
ver[11] = "1.2.7";
- rel[11] = "12.13";
+ rel[11] = "12.17";
pkg[11] = "cups-libs";
rls[12] = "SUSE10.2";
ver[12] = "1.2.7";
- rel[12] = "12.13";
+ rel[12] = "12.17";
pkg[12] = "cups-libs";
rls[13] = "SUSE10.3";
ver[13] = "1.2.12";
- rel[13] = "22.11";
+ rel[13] = "22.15";
pkg[13] = "cups-libs";
+ rls[14] = "FC9";
+ ver[14] = "1.3.7";
+ rel[14] = "2.fc9";
+ pkg[14] = "cups";
foreach i (keys(rls)) {
if( kbrls == rls[i] ) {
@@ -149,7 +159,7 @@
pkg = NULL;
rls[0] = "GENTOO";
pat = "net-print/cups-([a-zA-Z0-9\.\-]+)";
- ver[0] = "1.2.12-r7";
+ ver[0] = "1.2.12-r8";
if( kbrls == rls[0] ) {
pkg = get_kb_item("ssh/login/pkg");
if(pkg) {
@@ -168,16 +178,16 @@
rel = NULL;
pkg = NULL;
rls[0] = "UBUNTU6.06 LTS";
- ver[0] = "1.2.2-0ubuntu0.6.06.8";
+ ver[0] = "1.2.2-0ubuntu0.6.06.9";
pkg[0] = "cupsys";
rls[1] = "UBUNTU6.10";
- ver[1] = "1.2.4-2ubuntu3.3";
+ ver[1] = " 1.2.4-2ubuntu3.4";
pkg[1] = "cupsys";
rls[2] = "UBUNTU7.04";
- ver[2] = "1.2.8-0ubuntu8.3";
+ ver[2] = "1.2.8-0ubuntu8.4";
pkg[2] = "cupsys";
rls[3] = "UBUNTU7.10";
- ver[3] = "1.3.2-1ubuntu7.6";
+ ver[3] = "1.3.2-1ubuntu7.7";
pkg[3] = "cupsys";
foreach i (keys(rls)) {
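Review bot: `ver[1] = " 1.2.4-2ubuntu3.4";` carries a leading space, so the Ubuntu 6.10 comparison is made against a string no installed `cupsys` version will ever match or sort against as intended — depending on how the version helper tokenises, 6.10 hosts will be flagged always or never. The fix is `ver[1] = "1.2.4-2ubuntu3.4";`. A small guard in the comparison loop, `ver[i] = ereg_replace(pattern:"^ +", replace:"", string:ver[i]);`, would keep the next typo of this kind from silently breaking a distribution's check. The loop that consumes these arrays continues past the hunk.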
Added: trunk/openvas-plugins/scripts/flash_player_CB-A08-0059.nasl
===================================================================
--- trunk/openvas-plugins/scripts/flash_player_CB-A08-0059.nasl 2008-09-02 15:15:27 UTC (rev 1278)
+++ trunk/openvas-plugins/scripts/flash_player_CB-A08-0059.nasl 2008-09-03 20:30:27 UTC (rev 1279)
@@ -0,0 +1,124 @@
+#
+# This script was written by Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>
+# This script is released under the GNU GPLv2
+#
+# $Revision: 01 $
+
+if(description)
+{
+
+ script_id(90018);
+ script_version ("$Revision: 01 $");
+ name["english"] = "Adobe Flash Player 9.0.115.0 and earlier vulnerability";
+ script_name(english:name["english"]);
+
+ desc["english"] = "The remote host is probably affected by the vulnerabilities described in
+CVE-2007-5275, CVE-2007-6019, CVE-2007-6243, CVE-2007-6637, CVE-2008-1654, CVE-2008-1655
+
+Impact
+ CVE 2007-5275
+ The Adobe Macromedia Flash 9 plug-in allows remote attackers to cause
+ a victim machine to establish TCP sessions with arbitrary hosts via a
+ Flash (SWF) movie, related to lack of pinning of a hostname to a single
+ IP address after receiving an allow-access-from element in a
+ cross-domain-policy XML document, and the availability of a Flash Socket
+ class that does not use the browser's DNS pins, aka DNS rebinding attacks,
+ a different issue than CVE-2002-1467 and CVE-2007-4324.
+ CVE 2007-6019
+ Adobe Flash Player 9.0.115.0 and earlier, and 8.0.39.0 and earlier,
+ allows remote attackers to execute arbitrary code via an SWF file with
+ a modified DeclareFunction2 Actionscript tag, which prevents an object
+ from being instantiated properly.
+ CVE 2007-6243
+ Adobe Flash Player 9.x up to 9.0.48.0, 8.x up to 8.0.35.0, and 7.x
+ up to 7.0.70.0 does not sufficiently restrict the interpretation and
+ usage of cross-domain policy files, which makes it easier for remote
+ attackers to conduct cross-domain and cross-site scripting (XSS) attacks.
+ CVE 2007-6637
+ Multiple cross-site scripting (XSS) vulnerabilities in Adobe Flash
+ Player allow remote attackers to inject arbitrary web script or HTML
+ via a crafted SWF file, related to 'pre-generated SWF files' and Adobe
+ Dreamweaver CS3 or Adobe Acrobat Connect. NOTE: the asfunction: vector
+ is already covered by CVE-2007-6244.1.
+ CVE 2008-1654
+ Interaction error between Adobe Flash and multiple Universal Plug and Play
+ (UPnP) services allow remote attackers to perform Cross-Site Request
+ Forgery (CSRF) style attacks by using the Flash navigateToURL function
+ to send a SOAP message to a UPnP control point, as demonstrated by changing
+ the primary DNS server.
+ CVE 2008-1655
+ Unspecified vulnerability in Adobe Flash Player 9.0.115.0 and earlier,
+ and 8.0.39.0 and earlier, makes it easier for remote attackers to
+ conduct DNS rebinding attacks via unknown vectors.
+
+
+References:
+ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5275
+ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6019
+ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6243
+ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6637
+ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1654
+ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1655
+
+Solution:
+ All Adobe Flash Player users should upgrade to the latest version:
+
+
+Risk factor : High
+";
+
+ script_description(english:desc["english"]);
+ summary["english"] = "Determines the Version of Flashplayer";
+ script_summary(english:summary["english"]);
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"This script is under GPLv2");
+ family["english"] = "Local test";
+ script_family(english:family["english"]);
+ script_dependencies("ssh_authorization.nasl");
+ exit(0);
+}
+
+#
+# The code starts here
+#
+
+include("version_func.inc");
+
+flashplcnt = 0;
+sec_hole = 0;
+grep = find_bin(prog_name:"grep");
+grep = chomp(grep[0]);
+r = find_bin(prog_name:"flashplayer");
+r = make_list(r,find_file(file_name:"/libflashplayer.so"));
+garg[0] = "-o";
+garg[1] = "-m1";
+garg[2] = "-a";
+garg[3] = string("[0-9]\\+,[0-9]\\+,[0-9]\\+,[0-9]\\+");
+foreach binary_name (r) {
+ binary_name = chomp(binary_name);
+ if (islocalhost()) {
+ garg[4] = binary_name;
+ arg = garg;
+ } else {
+ arg = garg[0]+" "+garg[1]+" "+garg[2]+" "+raw_string(0x22)+garg[3]+raw_string(0x22)+" "+binary_name;
+ }
+ ver = get_bin_version(full_prog_name:grep, version_argv:arg, ver_pattern:"([0-9]+,[0-9]+,[0-9]+,[0-9]+)");
+ if(ver != NULL) {
+ flashplcnt++;
+ if(version_is_less_equal(version:ver[0], test_version:"9,0,115,0") ) {
+ if(sec_hole == 0) {
+ security_hole(port:0, proto:"Adobe Flash Player");
+ sec_hole = 1;
+ }
+ security_hole(port:0, proto:"Adobe Flash Player", data:string("\nFound : ") + binary_name + " Version : " + ver[0] + string("\n"));
+ }
+ }
+}
+
+if(report_verbosity > 1) {
+ if(flashplcnt == 0) {
+ report = "Adobe Flash Player not found or ssh login not possible on this host." + string("\n");
+ security_note(port:0, proto:"Adobe Flash Player", data:report);
+ }
+}
+exit(0);
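Review bot: Paths returned by `locate` on the scanned host are spliced unquoted into the shell command on the remote branch (`arg = … + " " + binary_name`), so a local user on the target who creates a file whose path contains shell metacharacters (e.g. a `$(…)` segment ending in `/libflashplayer.so`) can get commands run under the scanner's SSH login; `get_bin_version`'s remote branch lives outside this hunk, so this assumes it hands the string to `ssh_cmd` the way the local branch hands argv to `pread`. Reject anything that is not a plain path before building the command, `if (binary_name !~ "^[A-Za-z0-9_./+-]+$") continue;`, or single-quote it and skip paths containing `'`. `grep = chomp(grep[0]);` also dereferences `find_bin`'s result without checking it is non-empty, and whether `version_is_less_equal` understands the comma-separated `9,0,115,0` form is not visible from this file — worth a comment either way.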
Property changes on: trunk/openvas-plugins/scripts/flash_player_CB-A08-0059.nasl
___________________________________________________________________
Name: svn:executable
+ *
Added: trunk/openvas-plugins/scripts/libpng_CB-A08-0064.nasl
===================================================================
--- trunk/openvas-plugins/scripts/libpng_CB-A08-0064.nasl 2008-09-02 15:15:27 UTC (rev 1278)
+++ trunk/openvas-plugins/scripts/libpng_CB-A08-0064.nasl 2008-09-03 20:30:27 UTC (rev 1279)
@@ -0,0 +1,89 @@
+#
+# This script was written by Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>
+# This script is released under the GNU GPLv2
+#
+# $Revision: 01 $
+
+if(description)
+{
+
+ script_id(90021);
+ script_version ("$Revision: 01 $");
+ script_cve_id("CVE-2008-1382");
+ name["english"] = "libpng vulnerability";
+ script_name(english:name["english"]);
+
+ desc["english"] = "The remote host is probably affected by the vulnerabilities described in
+CVE-2008-1382
+
+Impact
+ libpng 1.0.6 through 1.0.32, 1.2.0 through 1.2.26,
+ and 1.4.0beta01 through 1.4.0beta19 allows context-dependent
+ attackers to cause a denial of service (crash) and possibly
+ execute arbitrary code via a PNG file with zero length
+ unknown chunks, which trigger an access of uninitialized
+ memory.
+
+References:
+ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1382
+
+Solution:
+ All users should upgrade to the latest libpng version of their Linux Distribution.
+
+
+Risk factor : High
+";
+
+ script_description(english:desc["english"]);
+ summary["english"] = "Determines the Version of libpng";
+ script_summary(english:summary["english"]);
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"This script is under GPLv2");
+ family["english"] = "Local test";
+ script_family(english:family["english"]);
+ script_dependencies("ssh_authorization.nasl");
+ exit(0);
+}
+
+#
+# The code starts here
+#
+
+include("version_func.inc");
+
+local_var sec_proto, r;
+
+sec_proto = "libpng";
+r = find_bin(prog_name:"libpng-config");
+foreach binary_name (r) {
+ binary_name = chomp(binary_name);
+ ver = get_bin_version(full_prog_name:binary_name, version_argv:"--version", ver_pattern:"([0-9\.]+)");
+ if(ver != NULL) {
+ if(version_is_less(version:ver[0], test_version:"1.0.32") ) {
+ security_warning(port:0, proto:secproto);
+ report = string("\nFound : ") + binary_name + " Version : " + ver[max_index(ver)-1] + string("\n");
+ security_warning(port:0, proto:secproto, data:report);
+ } else {
+ if(version_is_greater_equal(version:ver[0], test_version:"1.2.0") &&
+ version_is_less(version:ver[0], test_version:"1.2.27") ) {
+ security_warning(port:0, proto:secproto);
+ report = string("\nFound : ") + binary_name + " Version : " + ver[max_index(ver)-1] + string("\n");
+ security_warning(port:0, proto:secproto, data:report);
+ } else {
+ if(version_is_equal(version:ver[0], test_version:"1.4.0") ) {
+ ver = get_bin_version(full_prog_name:binary_name, version_argv:"--version", ver_pattern:"(beta..)");
+ if(ver != NULL) {
+ if(version_is_greater_equal(version:ver[0], test_version:"beta01") &&
+ version_is_less(version:ver[0], test_version:"beta20") ) {
+ security_warning(port:0, proto:secproto);
+ report = string("\nFound : ") + binary_name + " Version : " + ver[max_index(ver)-1] + string("\n");
+ security_warning(port:0, proto:secproto, data:report);
+ }
+ }
+ }
+ }
+ }
+ }
+}
+
+exit(0);
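Review bot: The variable is declared and assigned as `sec_proto`, but every `security_warning` call reads `secproto`, which is never set, so all reports go out with a NULL protocol label; `secproto = "libpng";` on the assignment line (or renaming the six uses) fixes it. The 1.0 branch also misses a version the description itself lists as affected: the text says 1.0.6 through 1.0.32, but `version_is_less(version:ver[0], test_version:"1.0.32")` clears 1.0.32 — it should be `test_version:"1.0.33"`. Reporting with `security_warning` while the description says `Risk factor : High` is inconsistent with the other scripts in this commit, which use `security_hole` for High.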
Property changes on: trunk/openvas-plugins/scripts/libpng_CB-A08-0064.nasl
___________________________________________________________________
Name: svn:executable
+ *
Modified: trunk/openvas-plugins/scripts/smbcl_CVE-2008-0234.nasl
===================================================================
--- trunk/openvas-plugins/scripts/smbcl_CVE-2008-0234.nasl 2008-09-02 15:15:27 UTC (rev 1278)
+++ trunk/openvas-plugins/scripts/smbcl_CVE-2008-0234.nasl 2008-09-03 20:30:27 UTC (rev 1279)
@@ -3,21 +3,21 @@
#
# This script is released under the GNU GPLv2
#
-# $Revision: 01 $
+# $Revision: 02 $
if(description)
{
script_id(90012);
- script_version ("$Revision: 01 $");
- script_cve_id("CVE-2008-0234");
+ script_version ("$Revision: 02 $");
+ script_cve_id("CVE-2008-2010");
name["english"] = "Buffer overflow in Apple Quicktime Player";
script_name(english:name["english"]);
desc["english"] = "The remote host is probable affected by the vulnerabilitys described in
-CVE-2008-0234
+CVE-2008-0234 CVE-2008-2010
-Checking if QuickTime version is less than 7.4.1
+Checking if QuickTime version is less than 7.5
Impact
Buffer overflow in Apple Quicktime Player 7.3.1.70
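Review bot: `script_cve_id("CVE-2008-2010");` replaces CVE-2008-0234 instead of adding to it, so the plugin's CVE metadata no longer matches the description, which lists both ids; `script_cve_id` accepts several arguments, `script_cve_id("CVE-2008-0234", "CVE-2008-2010");`.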
@@ -27,10 +27,19 @@
to an rtsp:// request, as demonstrated using a
404 error message.
+ Unspecified vulnerability in Apple QuickTime Player
+ on Windows XP SP2 and Vista SP1 allows remote attackers
+ to execute arbitrary code via a crafted QuickTime media
+ file. NOTE: as of 20080429, the only disclosure is a
+ vague pre-advisory with no actionable information.
+ However, because it is from a well-known researcher,
+ it is being assigned a CVE identifier for tracking purposes.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0234
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2010
http://lists.apple.com/archives/security-announce/2008/Feb/msg00001.html
+ http://lists.apple.com/archives/Security-announce/2008/Jun/msg00000.html
Solution:
All Users should upgrade to the latest version.
@@ -57,7 +66,7 @@
if( !get_kb_item("SMB/smbclient") ) {
smbclientavail();
}
-test_version = "7.4.1";
+test_version = "7.50.51";
if(get_kb_item("SMB/smbclient") ) {
if( smbversion() == 0){
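Review bot: The description now says the check is for QuickTime "less than 7.5", but the comparison value is `test_version = "7.50.51";` — a three-component build string that is neither 7.5 nor explained anywhere in the file, so a reader cannot tell whether 7.5 builds below .51 are meant to pass or fail. If that is the fixed file version from the June 2008 Apple advisory, say so on that line, `# file version shipped with QuickTime 7.5 (Apple security-announce 2008/Jun)`; if not, align it with the text. The comparison itself is outside this hunk.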
Added: trunk/openvas-plugins/scripts/smbcl_flash_player_CB-A08-0059.nasl
===================================================================
--- trunk/openvas-plugins/scripts/smbcl_flash_player_CB-A08-0059.nasl 2008-09-02 15:15:27 UTC (rev 1278)
+++ trunk/openvas-plugins/scripts/smbcl_flash_player_CB-A08-0059.nasl 2008-09-03 20:30:27 UTC (rev 1279)
@@ -0,0 +1,132 @@
+#
+# This script was written by Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>
+#
+# This script is released under the GNU GPLv2
+#
+# $Revision: 01 $
+
+if(description)
+{
+
+ script_id(90019);
+ script_version ("$Revision: 01 $");
+ name["english"] = "Adobe Flash Player 9.0.115.0 and earlier vulnerability";
+ script_name(english:name["english"]);
+
+ desc["english"] = "The remote host is probably affected by the vulnerabilities described in
+CVE-2007-5275, CVE-2007-6019, CVE-2007-6243, CVE-2007-6637, CVE-2008-1654, CVE-2008-1655
+
+Impact
+ CVE 2007-5275
+ The Adobe Macromedia Flash 9 plug-in allows remote attackers to cause
+ a victim machine to establish TCP sessions with arbitrary hosts via a
+ Flash (SWF) movie, related to lack of pinning of a hostname to a single
+ IP address after receiving an allow-access-from element in a
+ cross-domain-policy XML document, and the availability of a Flash Socket
+ class that does not use the browser's DNS pins, aka DNS rebinding attacks,
+ a different issue than CVE-2002-1467 and CVE-2007-4324.
+ CVE 2007-6019
+ Adobe Flash Player 9.0.115.0 and earlier, and 8.0.39.0 and earlier,
+ allows remote attackers to execute arbitrary code via an SWF file with
+ a modified DeclareFunction2 Actionscript tag, which prevents an object
+ from being instantiated properly.
+ CVE 2007-6243
+ Adobe Flash Player 9.x up to 9.0.48.0, 8.x up to 8.0.35.0, and 7.x
+ up to 7.0.70.0 does not sufficiently restrict the interpretation and
+ usage of cross-domain policy files, which makes it easier for remote
+ attackers to conduct cross-domain and cross-site scripting (XSS) attacks.
+ CVE 2007-6637
+ Multiple cross-site scripting (XSS) vulnerabilities in Adobe Flash
+ Player allow remote attackers to inject arbitrary web script or HTML
+ via a crafted SWF file, related to 'pre-generated SWF files' and Adobe
+ Dreamweaver CS3 or Adobe Acrobat Connect. NOTE: the asfunction: vector
+ is already covered by CVE-2007-6244.1.
+ CVE 2008-1654
+ Interaction error between Adobe Flash and multiple Universal Plug and Play
+ (UPnP) services allow remote attackers to perform Cross-Site Request
+ Forgery (CSRF) style attacks by using the Flash navigateToURL function
+ to send a SOAP message to a UPnP control point, as demonstrated by changing
+ the primary DNS server.
+ CVE 2008-1655
+ Unspecified vulnerability in Adobe Flash Player 9.0.115.0 and earlier,
+ and 8.0.39.0 and earlier, makes it easier for remote attackers to
+ conduct DNS rebinding attacks via unknown vectors.
+
+
+References:
+ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5275
+ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6019
+ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6243
+ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6637
+ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1654
+ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1655
+
+Solution:
+ All Adobe Flash Player users should upgrade to the latest version:
+
+
+Risk factor : High
+";
+
+ script_description(english:desc["english"]);
+ summary["english"] = "Determines the Version of Flashplayer";
+ script_summary(english:summary["english"]);
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"This script is under GPLv2");
+ family["english"] = "Windows";
+ script_family(english:family["english"]);
+ exit(0);
+}
+
+#
+# The code starts here
+#
+
+include("version_func.inc");
+include("smbcl_func.inc");
+if( !get_kb_item("SMB/smbclient") ) {
+ smbclientavail();
+}
+
+ if(get_kb_item("SMB/smbclient") ) {
+ if( smbversion() == 0){
+ report = string("Error getting SMB-Data -> "+get_kb_item("SMB/ERROR"));
+ security_note(port:0, proto:"SMBClient", data:report);
+ exit(0);
+ }
+ } else {
+ report = string("SMBClient not found on openvasd host !");
+ security_note(port:0, proto:"SMBClient", data:report);
+ exit(0);
+ }
+
+ sec_hole = 0;
+ test_version = "9.0.115.0";
+ win_dir = get_windir();
+ if( !isnull(win_dir) ) {
+ test_file[0] = win_dir+"System32\Macromed\Flash\NPSWF32.dll";
+ test_file[1] = win_dir+"System32\Macromed\Flash\Flash.ocx";
+ test_file[2] = win_dir+"System32\Macromed\Flash\Flash6.ocx";
+ foreach filespec (test_file) {
+ r = smbgetdir(share: "C$", dir: filespec, typ: 1 );
+ if( !isnull(r) ) {
+ tmp_filename = get_tmp_dir()+"tmpfile"+rand();
+ if( smbgetfile(share: "C$", filename: filespec, tmp_filename: tmp_filename) ) {
+ v = GetPEFileVersion(tmp_filename:tmp_filename, orig_filename:filespec);
+ unlink(tmp_filename);
+ if( version_is_less_equal(version: v, test_version: test_version) ) {
+ if( sec_hole == 0 ) {
+ security_hole(port:0, proto:"Win_Flashplayer");
+ sec_hole = 1;
+ }
+ security_hole(port:0, proto:"Win_Flashplayer", data:"Fileversion : C$ "+filespec + " "+v+string("\n"));
+ }
+ } else {
+ report = string("Error getting SMB-File -> "+get_kb_item("SMB/ERROR")) + string("\n");
+ security_note(port:0, proto:"Win_Flashplayer", data:report);
+ }
+ }
+ }
+ }
+
+exit(0);
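Review bot: The temporary file name `get_tmp_dir()+"tmpfile"+rand()` is predictable and is only removed on the success path — if `smbgetfile` fails after creating the file nothing unlinks it, and `rand()` gives no guarantee that two concurrent scans will not pick the same name and read each other's DLL. Use a per-script prefix with a longer random part, e.g. `tmp_filename = get_tmp_dir() + "flash_" + rand_str(length:12);`, and move `unlink(tmp_filename);` after the `if/else` so both branches clean up. `GetPEFileVersion` can presumably return NULL when the PE resource cannot be parsed; guarding with `if (isnull(v)) continue;` before the comparison avoids a NULL flowing into `version_is_less_equal`, whose handling of that case is not visible here.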
Modified: trunk/openvas-plugins/scripts/version_func.inc
===================================================================
--- trunk/openvas-plugins/scripts/version_func.inc 2008-09-02 15:15:27 UTC (rev 1278)
+++ trunk/openvas-plugins/scripts/version_func.inc 2008-09-03 20:30:27 UTC (rev 1279)
@@ -3,7 +3,7 @@
#
# This script is released under the GNU GPLv2
#
-# $Revision: 5 $
+# $Revision: 6 $
# XXX: the version tests should be eventually consolidated with
# the methods from revisions-lib.inc.
@@ -46,8 +46,28 @@
return (r);
}
+function find_file(file_name) {
+ local_var r, sock;
+
+ r = NULL;
+ if (islocalhost()) {
+ r = split(pread(cmd:"locate", argv:make_list("locate", file_name)) );
+ } else {
+ sock = ssh_login_or_reuse_connection();
+ if (sock) {
+ r = split(ssh_cmd(socket:sock, cmd:"locate "+file_name, timeout:20));
+ ssh_close_connection();
+ }
+ }
+ if( ("/locatedb" >< r) || ("execvp:" >< r) || ("fatal error" >< r) || ("No such file or dir" >< r) ) {
+ r = NULL;
+ }
+ return (r);
+}
+
function get_bin_version(full_prog_name, version_argv, ver_pattern) {
local_var loc_version, r, sock, report;
+
if (islocalhost()) {
r = pread(cmd:full_prog_name, argv:make_list(full_prog_name, version_argv) );
} else {
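Review bot: The error heuristics in `find_file` run after `split()`, so `r` is a list whose elements still end in the newline; as far as I recall NASL's `><` on a list tests exact element membership, not substring, which means none of the four patterns can match a full `locate` error line and the function returns the error text as if it were a list of paths. Run the substring checks on the raw output before splitting, and return NULL when there was no output at all (no SSH socket, `locate` missing). `file_name` is also concatenated into the remote shell command unquoted — today's callers pass literals, but the function should say so in a comment or reject anything outside a plain-path character set. `get_bin_version` continues past the end of the hunk.
```nasl
function find_file(file_name) {
  local_var out, sock;

  out = NULL;
  if (islocalhost()) {
    out = pread(cmd:"locate", argv:make_list("locate", file_name));
  } else {
    sock = ssh_login_or_reuse_connection();
    if (sock) {
      out = ssh_cmd(socket:sock, cmd:"locate "+file_name, timeout:20);
      ssh_close_connection();
    }
  }
  # Substring-test the raw output: after split() the elements are whole lines.
  if (isnull(out) || ("/locatedb" >< out) || ("execvp:" >< out) ||
      ("fatal error" >< out) || ("No such file or dir" >< out)) {
    return NULL;
  }
  return split(out);
}
```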
Added: trunk/openvas-plugins/scripts/win_CVE-2007-6026.nasl
===================================================================
--- trunk/openvas-plugins/scripts/win_CVE-2007-6026.nasl 2008-09-02 15:15:27 UTC (rev 1278)
+++ trunk/openvas-plugins/scripts/win_CVE-2007-6026.nasl 2008-09-03 20:30:27 UTC (rev 1279)
@@ -0,0 +1,154 @@
+#
+# This script was written by Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>
+#
+# This script is released under the GNU GPLv2
+#
+# $Revision: 01 $
+
+if(description)
+{
+
+ script_id(90024);
+ script_version ("$Revision: 01 $");
+ script_cve_id("CVE-2007-6026");
+ name["english"] = "Windows Vulnerability in Microsoft Jet Database Engine";
+ script_name(english:name["english"]);
+
+ desc["english"] = "The remote host is probably affected by the vulnerability described in
+CVE-2007-6026
+
+
+Impact
+ Stack-based buffer overflow in Microsoft msjet40.dll 4.0.8618.0
+ (aka Microsoft Jet Engine), as used by Access 2003 in Microsoft
+ Office 2003 SP3, allows user-assisted attackers to execute arbitrary
+ code via a crafted MDB file database file containing a column
+ structure with a modified column count. NOTE: this might be the
+ same issue as CVE-2005-0944.
+
+References:
+ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6026
+ http://www.microsoft.com/technet/security/bulletin/ms08-028.mspx
+
+Solution:
+ All Users should upgrade to the latest version.
+
+
+Risk factor : High";
+
+ script_description(english:desc["english"]);
+ summary["english"] = "Windows Vulnerability in Microsoft Jet Database Engine";
+ script_summary(english:summary["english"]);
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"This script is under GPLv2");
+ family["english"] = "Windows";
+ script_family(english:family["english"]);
+ exit(0);
+}
+
+#
+# The code starts here
+#
+
+local_var os;
+
+include("version_func.inc");
+include("smbcl_func.inc");
+
+ if( !get_kb_item("SMB/smbclient") ) {
+ smbclientavail();
+ }
+
+ if(get_kb_item("SMB/smbclient") ) {
+ if( smbversion() == 0){
+ report = string("Error getting SMB-Data -> "+get_kb_item("SMB/ERROR"));
+ security_note(port:0, proto:"SMBClient", data:report);
+ exit(0);
+ }
+ } else {
+ report = string("SMBClient not found on this host !");
+ security_note(port:0, proto:"SMBClient", data:report);
+ exit(0);
+ }
+
+ win_dir = get_windir();
+ sec_hole = 0;
+ if( !isnull(win_dir) ) {
+ os = get_kb_item("SMB/OS");
+ filespec = win_dir+"system32\Msjint40.dll";
+ test_version = NULL;
+ if( "WINDOWS 5.1" >< os ) {
+ test_version = "4.0.9502.0";
+ } else {
+ if( "WINDOWS SERVER 2003" >< os ) {
+ test_version = "4.0.9502.0";
+ } else {
+ if( "WINDOWS 5.0" >< os ) {
+ test_version = "4.0.9502.0";
+ }
+ }
+ }
+ if( !isnull(test_version) ) {
+ r = smbgetdir(share: "C$", dir: filespec, typ: 1 );
+ if( !isnull(r) ) {
+ tmp_filename = get_tmp_dir()+"tmpfile"+rand();
+ if( smbgetfile(share: "C$", filename: filespec, tmp_filename: tmp_filename) ) {
+ v = GetPEFileVersion(tmp_filename:tmp_filename, orig_filename:filespec);
+ unlink(tmp_filename);
+ if( version_is_less(version: v, test_version: test_version) ) {
+ if( sec_hole == 0 ) {
+ security_hole(port:0, proto:"Win");
+ sec_hole = 1;
+ }
+ security_hole(port:0, proto:"Win", data:"Version found : C$ "+filespec + " "+v+string("\n")+
+ "Version expected : "+test_version+" or higher "+string("\n"));
+ }
+ } else {
+ report = string("Error getting SMB-File -> "+get_kb_item("SMB/ERROR")) + string("\n");
+ security_note(port:0, proto:"SMB", data:report);
+ }
+ } else {
+ report = string(filespec+" not found/no access -> "+get_kb_item("SMB/ERROR")) + string("\n");
+ security_note(port:0, proto:"SMB", data:report);
+ }
+ }
+ filespec = win_dir+"system32\Msjet40.dll";
+ test_version = NULL;
+ if( "WINDOWS 5.1" >< os ) {
+ test_version = "4.0.9511.0";
+ } else {
+ if( "WINDOWS SERVER 2003" >< os ) {
+ test_version = "4.0.9511.0";
+ } else {
+ if( "WINDOWS 5.0" >< os ) {
+ test_version = "4.0.9511.0";
+ }
+ }
+ }
+ if( !isnull(test_version) ) {
+ r = smbgetdir(share: "C$", dir: filespec, typ: 1 );
+ if( !isnull(r) ) {
+ tmp_filename = get_tmp_dir()+"tmpfile"+rand();
+ if( smbgetfile(share: "C$", filename: filespec, tmp_filename: tmp_filename) ) {
+ v = GetPEFileVersion(tmp_filename:tmp_filename, orig_filename:filespec);
+ unlink(tmp_filename);
+ if( version_is_less(version: v, test_version: test_version) ) {
+ if( sec_hole == 0 ) {
+ security_hole(port:0, proto:"Win");
+ sec_hole = 1;
+ }
+ security_hole(port:0, proto:"Win", data:"Version found : C$ "+filespec + " "+v+string("\n")+
+ "Version expected : "+test_version+" or higher "+string("\n"));
+ }
+ } else {
+ report = string("Error getting SMB-File -> "+get_kb_item("SMB/ERROR")) + string("\n");
+ security_note(port:0, proto:"SMB", data:report);
+ }
+ } else {
+ report = string(filespec+" not found/no access -> "+get_kb_item("SMB/ERROR")) + string("\n");
+ security_note(port:0, proto:"SMB", data:report);
+ }
+ }
+ }
+
+exit(0);
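Review bot: The download-and-compare block for `Msjint40.dll` is duplicated verbatim for `Msjet40.dll` (about 35 lines each), and within each copy the three OS branches assign the identical `test_version` literal, so the nested `if` chains collapse to one condition; a loop over (dll, fixed-version) pairs keeps one copy of the SMB fetch, version compare and reporting, and a future third DLL becomes one table entry. The OS-matching strings (`"WINDOWS 5.1"`, `"WINDOWS SERVER 2003"`, `"WINDOWS 5.0"`) and the two fixed versions are kept as they are. Whether `4.0.9502.0` / `4.0.9511.0` are the post-MS08-028 file versions cannot be checked from here; a comment citing the bulletin's file-information table next to the pairs would let the next maintainer verify it.
```nasl
  # (dll, fixed file version) pairs for MS08-028 — TODO cite the bulletin's file table
  checks = make_array("system32\Msjint40.dll", "4.0.9502.0",
                      "system32\Msjet40.dll",  "4.0.9511.0");
  foreach dll (keys(checks)) {
    filespec = win_dir + dll;
    test_version = NULL;
    if( ("WINDOWS 5.1" >< os) || ("WINDOWS SERVER 2003" >< os) || ("WINDOWS 5.0" >< os) ) {
      test_version = checks[dll];
    }
    if( isnull(test_version) ) continue;
    # … unchanged: smbgetdir / smbgetfile / GetPEFileVersion / version_is_less reporting …
  }
```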
Added: trunk/openvas-plugins/scripts/win_CVE-2008-0087.nasl
===================================================================
--- trunk/openvas-plugins/scripts/win_CVE-2008-0087.nasl 2008-09-02 15:15:27 UTC (rev 1278)
+++ trunk/openvas-plugins/scripts/win_CVE-2008-0087.nasl 2008-09-03 20:30:27 UTC (rev 1279)
@@ -0,0 +1,122 @@
+#
+# This script was written by Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>
+#
+# This script is released under the GNU GPLv2
+#
+# $Revision: 01 $
+
+if(description)
+{
+
+ script_id(90020);
+ script_version ("$Revision: 01 $");
+ script_cve_id("CVE-2008-0087");
+ name["english"] = "Windows vulnerability in DNS Client Could Allow Spoofing (945553)";
+ script_name(english:name["english"]);
+
+ desc["english"] = "The remote host is probably affected by the vulnerability described in
+CVE-2008-0087
+
+
+Impact
+ The DNS client in Microsoft Windows 2000 SP4, XP SP2, Server 2003 SP1
+ and SP2, and Vista uses predictable DNS transaction IDs, which allows
+ remote attackers to spoof DNS responses.
+
+References:
+ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0087
+ http://www.microsoft.com/technet/security/bulletin/ms08-020.mspx
+
+Solution:
+ All Users should upgrade to the latest version.
+
+
+Risk factor : High";
+
+ script_description(english:desc["english"]);
+ summary["english"] = "Windows vulnerability in DNS Client Could Allow Spoofing (945553)";
+ script_summary(english:summary["english"]);
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"This script is under GPLv2");
+ family["english"] = "Windows";
+ script_family(english:family["english"]);
+ exit(0);
+}
+
+#
+# The code starts here
+#
+
+local_var os;
+
+include("version_func.inc");
+include("smbcl_func.inc");
+
+ if( !get_kb_item("SMB/smbclient") ) {
+ smbclientavail();
+ }
+
+ if(get_kb_item("SMB/smbclient") ) {
+ if( smbversion() == 0){
+ report = string("Error getting SMB-Data -> "+get_kb_item("SMB/ERROR"));
+ security_note(port:0, proto:"SMBClient", data:report);
+ exit(0);
+ }
+ } else {
+ report = string("SMBClient not found on this host !");
+ security_note(port:0, proto:"SMBClient", data:report);
+ exit(0);
+ }
+
+ win_dir = get_windir();
+ sec_hole = 0;
+ if( !isnull(win_dir) ) {
+ os = get_kb_item("SMB/OS");
+ filespec = win_dir+"system32\Dnsapi.dll";
+ test_version = NULL;
+ if( "WINDOWS VISTA" >< os ) {
+ test_version = "6.0.6000.16615";
+ } else {
+ if( "WINDOWS 5.1" >< os ) {
+ test_version = "5.1.2600.3316";
+ } else {
+ if( "WINDOWS SERVER 2003" >< os ) {
+ if( "SERVICE PACK 2" >< os ) {
+ test_version = "5.2.3790.4238";
+ } else {
+ test_version = "5.2.3790.3092";
+ }
+ } else {
+ if( "WINDOWS 5.0" >< os ) {
+ test_version = "5.0.2195.7151";
+ }
+ }
+ }
+ }
+ if( !isnull(test_version) ) {
+ r = smbgetdir(share: "C$", dir: filespec, typ: 1 );
+ if( !isnull(r) ) {
+ tmp_filename = get_tmp_dir()+"tmpfile"+rand();
+ if( smbgetfile(share: "C$", filename: filespec, tmp_filename: tmp_filename) ) {
+ v = GetPEFileVersion(tmp_filename:tmp_filename, orig_filename:filespec);
+ unlink(tmp_filename);
+ if( version_is_less(version: v, test_version: test_version) ) {
+ if( sec_hole == 0 ) {
+ security_hole(port:0, proto:"Win");
+ sec_hole = 1;
+ }
+ security_hole(port:0, proto:"Win", data:"Version found : C$ "+filespec + " "+v+string("\n")+
+ "Version expected : "+test_version+" or higher "+string("\n"));
+ }
+ } else {
+ report = string("Error getting SMB-File -> "+get_kb_item("SMB/ERROR")) + string("\n");
+ security_note(port:0, proto:"SMB", data:report);
+ }
+ } else {
+ report = string(filespec+" not found/no access -> "+get_kb_item("SMB/ERROR")) + string("\n");
+ security_note(port:0, proto:"SMB", data:report);
+ }
+ }
+ }
+
+exit(0);
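Review bot: The `Solution:` text, `All Users should upgrade to the latest version.`, does not fit an OS hotfix check — there is no newer DNS client to upgrade to, the remedy is the MS08-020 security update — so replace it with `Apply the MS08-020 security update (KB 945553) for the affected Windows version.` and keep the bulletin URL already under References. The OS dispatch maps every `WINDOWS SERVER 2003` banner without `SERVICE PACK 2` onto the SP1 file version `5.2.3790.3092`, which also catches RTM installs the bulletin may not cover; a short comment on that branch saying this is intentional (or an explicit `SERVICE PACK 1` check) would remove the ambiguity. `unlink(tmp_filename)` is only reached when `smbgetfile` succeeds; if a failed fetch leaves a partial file behind, nothing removes it.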