[Openvas-commits] r1279 - in trunk/openvas-plugins: . scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Wed Sep 3 22:30:28 CEST 2008


Author: ckm
Date: 2008-09-03 22:30:27 +0200 (Wed, 03 Sep 2008)
New Revision: 1279

Added:
   trunk/openvas-plugins/scripts/flash_player_CB-A08-0059.nasl
   trunk/openvas-plugins/scripts/libpng_CB-A08-0064.nasl
   trunk/openvas-plugins/scripts/smbcl_flash_player_CB-A08-0059.nasl
   trunk/openvas-plugins/scripts/win_CVE-2007-6026.nasl
   trunk/openvas-plugins/scripts/win_CVE-2008-0087.nasl
Modified:
   trunk/openvas-plugins/ChangeLog
   trunk/openvas-plugins/scripts/clamav-CB-A08-0001.nasl
   trunk/openvas-plugins/scripts/cups_CB-A08-0045.nasl
   trunk/openvas-plugins/scripts/smbcl_CVE-2008-0234.nasl
   trunk/openvas-plugins/scripts/version_func.inc
Log:
 * scripts/version_func.inc: added function find_file
 to find any file on local or remote Host using locate.
 * scripts/smbcl_CVE-2008-0234.nasl: Update
 * scripts/flash_player_CB-A08-0059.nasl: new
 * scripts/smbcl_flash_player_CB-A08-0059.nasl: new
 * scripts/win_CVE-2008-0087.nasl: new
 * scripts/win_CVE-2007-6026.nasl: new
 * scripts/libpng_CB-A08-0064.nasl: new
 * scripts/clamav-CB-A08-0001.nasl: Update
 * scripts/cups_CB-A08-0045.nasl: Update



Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2008-09-02 15:15:27 UTC (rev 1278)
+++ trunk/openvas-plugins/ChangeLog	2008-09-03 20:30:27 UTC (rev 1279)
@@ -1,3 +1,16 @@
+2008-09-03  Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>.
+
+	* scripts/version_func.inc: added function find_file
+        to find any file on local or remote Host using locate.
+	* scripts/smbcl_CVE-2008-0234.nasl: Update
+	* scripts/flash_player_CB-A08-0059.nasl: new
+	* scripts/smbcl_flash_player_CB-A08-0059.nasl: new
+	* scripts/win_CVE-2008-0087.nasl: new
+	* scripts/win_CVE-2007-6026.nasl: new
+	* scripts/libpng_CB-A08-0064.nasl: new
+        * scripts/clamav-CB-A08-0001.nasl: Update
+        * scripts/cups_CB-A08-0045.nasl: Update
+
 2008-09-02  Jan-Oliver Wagner <jan-oliver.wagner at intevation.de>
 
 	* scripts/kiwi_cattools_dir_traversal.nasl: changed ID to fit a loose

Modified: trunk/openvas-plugins/scripts/clamav-CB-A08-0001.nasl
===================================================================
--- trunk/openvas-plugins/scripts/clamav-CB-A08-0001.nasl	2008-09-02 15:15:27 UTC (rev 1278)
+++ trunk/openvas-plugins/scripts/clamav-CB-A08-0001.nasl	2008-09-03 20:30:27 UTC (rev 1279)
@@ -3,20 +3,24 @@
 # Slight modification by Vlatko Kosturjak - Kost <kost at linux.hr>
 # This script is released under the GNU GPLv2
 #
-# $Revision: 05 $
+# $Revision: 06 $
 
 if(description)
 {
 
  script_id(90000);
- script_version ("$Revision: 05 $");
- name["english"] = "ClamAV < 0.93 vulnerability";
+ script_version ("$Revision: 06 $");
+ name["english"] = "ClamAV < 0.93.1 vulnerability";
  script_name(english:name["english"]);
 
  desc["english"] = "The remote host is probably affected by the vulnerabilities described in
-CVE 2007-6335 CVE 2007-6336 CVE 2007-6337 CVE-2008-0318 CVE-2008-1100 CVE-2008-1387
+CVE 2007-6335 CVE 2007-6336 CVE 2007-6337 CVE-2008-0318 CVE-2008-1100 CVE-2008-1387 CVE-2008-2713
 
 Impact
+   CVE 2008-2713
+     libclamav/petite.c in ClamAV before 0.93.1 allows remote attackers to
+     cause a denial of service via a crafted Petite file that triggers an
+     out-of-bounds read. 
    CVE 2008-1387
      ClamAV before 0.93 allows remote attackers to cause a denial of service
      (CPU consumption) via a crafted ARJ archive, as demonstrated by the 
@@ -45,6 +49,7 @@
 
 
 References:
+    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2713
     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1387
     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1100
     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0318
@@ -83,7 +88,7 @@
   ver = get_bin_version(full_prog_name:binary_name, version_argv:"--version", ver_pattern:"([0-9\.]+)");
   if(ver != NULL) {
     clamavcnt++;
-    if(version_is_less(version:ver[0], test_version:"0.93") ) {
+    if(version_is_less(version:ver[0], test_version:"0.93.1") ) {
       security_hole(port:0, proto:"ClamAV");
       report = string("\nFound : ") + binary_name + "  Version : " + ver[max_index(ver)-1] + string("\n");
       security_hole(port:0, proto:"ClamAV", data:report);

Modified: trunk/openvas-plugins/scripts/cups_CB-A08-0045.nasl
===================================================================
--- trunk/openvas-plugins/scripts/cups_CB-A08-0045.nasl	2008-09-02 15:15:27 UTC (rev 1278)
+++ trunk/openvas-plugins/scripts/cups_CB-A08-0045.nasl	2008-09-03 20:30:27 UTC (rev 1279)
@@ -3,19 +3,19 @@
 #
 # This script is released under the GNU GPLv2
 #
-# $Revision: 02 $
+# $Revision: 03 $
 
 if(description)
 {
 
  script_id(90017);
- script_version ("$Revision: 02 $");
-# script_cve_id("CVE-2008-0047");
- name["english"] = "Cups < 1.3.6 vulnerability";
+ script_version ("$Revision: 03 $");
+# script_cve_id("CVE-2008-1722");
+ name["english"] = "Cups < 1.3.8 vulnerability";
  script_name(english:name["english"]);
 
  desc["english"] = "The remote host is probably affected by the vulnerabilities described in
-CVE-2008-0047
+CVE-2008-1722 CVE-2008-0047
 
 Impact
 
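Review bot: `# script_cve_id("CVE-2008-1722");` leaves the CVE registration commented out on the new side, and the replacement also drops CVE-2008-0047, so the plugin advertises no CVE in its structured metadata even though the description lists both issues. Unless the line was disabled on purpose, enable it with both identifiers: `script_cve_id("CVE-2008-0047", "CVE-2008-1722");`. If it is deliberately disabled (for example because the check is package-release based rather than a strict per-CVE test), a one-line comment above it saying so would stop the next reader from re-enabling it. The description string continues past the hunk.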
@@ -24,9 +24,15 @@
      bundled with Apple Mac OS X 10.5.2, when printer sharing is enabled,
      allows remote attackers to execute arbitrary code via crafted search
      expressions.
-
+   CVE-2008-1722
+     Multiple integer overflows in (1) filter/image-png.c and (2)
+     filter/image-zoom.c in CUPS 1.3 allow attackers to cause a denial
+     of service (crash) and trigger memory corruption, as demonstrated
+     via a crafted PNG image. 
+ 
 References:
     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0047
+    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1722
 
 Solution:
     All Cups users should upgrade to the latest version:
@@ -36,7 +42,7 @@
 ";
 
  script_description(english:desc["english"]);
- summary["english"] = "Determines Cups < 1.3.6 vulnerability";
+ summary["english"] = "Determines Cups < 1.3.8 vulnerability";
  script_summary(english:summary["english"]);
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is under GPLv2");
@@ -62,43 +68,43 @@
    pkg = NULL;
    rls[0] = "SUSE10.0";
    ver[0] = "1.2.7";
-   rel[0] = "12.13";
+   rel[0] = "12.17";
    pkg[0] = "cups";
    rls[1] = "SUSE10.1";
    ver[1] = "1.2.7";
-   rel[1] = "12.13";
+   rel[1] = "12.17";
    pkg[1] = "cups";
    rls[2] = "SUSE10.2";
    ver[2] = "1.2.7";
-   rel[2] = "12.13";
+   rel[2] = "12.17";
    pkg[2] = "cups";
    rls[3] = "SUSE10.3";
    ver[3] = "1.2.12";
-   rel[3] = "22.11";
+   rel[3] = "22.15";
    pkg[3] = "cups";
    rls[4] = "SUSE10.0";
    ver[4] = "1.2.7";
-   rel[4] = "12.13";
+   rel[4] = "12.17";
    pkg[4] = "cups-client";
    rls[5] = "SUSE10.1";
    ver[5] = "1.2.7";
-   rel[5] = "12.13";
+   rel[5] = "12.17";
    pkg[5] = "cups-client";
    rls[6] = "SUSE10.2";
    ver[6] = "1.2.7";
-   rel[6] = "12.13";
+   rel[6] = "12.17";
    pkg[6] = "cups-client";
    rls[7] = "SUSE10.3";
    ver[7] = "1.2.12";
-   rel[7] = "22.11";
+   rel[7] = "22.15";
    pkg[7] = "cups-client";
    rls[8] = "FC7";
    ver[8] = "1.2.12";
-   rel[8] = "10.fc7";
+   rel[8] = "11.fc7";
    pkg[8] = "cups";
    rls[9] = "FC8";
-   ver[9] = "1.3.6";
-   rel[9] = "4.fc8";
+   ver[9] = "1.3.7";
+   rel[9] = "2.fc8";
    pkg[9] = "cups";
    rls[10] = "SUSE10.0";
    ver[10] = "1.2.7";
@@ -106,16 +112,20 @@
    pkg[10] = "cups-libs";
    rls[11] = "SUSE10.1";
    ver[11] = "1.2.7";
-   rel[11] = "12.13";
+   rel[11] = "12.17";
    pkg[11] = "cups-libs";
    rls[12] = "SUSE10.2";
    ver[12] = "1.2.7";
-   rel[12] = "12.13";
+   rel[12] = "12.17";
    pkg[12] = "cups-libs";
    rls[13] = "SUSE10.3";
    ver[13] = "1.2.12";
-   rel[13] = "22.11";
+   rel[13] = "22.15";
    pkg[13] = "cups-libs";
+   rls[14] = "FC9";
+   ver[14] = "1.3.7";
+   rel[14] = "2.fc9";
+   pkg[14] = "cups";
 
    foreach i (keys(rls)) {
      if( kbrls == rls[i] ) {
@@ -149,7 +159,7 @@
    pkg = NULL;
    rls[0] = "GENTOO";
    pat = "net-print/cups-([a-zA-Z0-9\.\-]+)";
-   ver[0] = "1.2.12-r7";
+   ver[0] = "1.2.12-r8";
    if( kbrls == rls[0] ) {
        pkg = get_kb_item("ssh/login/pkg");
        if(pkg) {
@@ -168,16 +178,16 @@
    rel = NULL;
    pkg = NULL;
    rls[0] = "UBUNTU6.06 LTS";
-   ver[0] = "1.2.2-0ubuntu0.6.06.8";
+   ver[0] = "1.2.2-0ubuntu0.6.06.9";
    pkg[0] = "cupsys";
    rls[1] = "UBUNTU6.10";
-   ver[1] = "1.2.4-2ubuntu3.3";
+   ver[1] = " 1.2.4-2ubuntu3.4";
    pkg[1] = "cupsys";
    rls[2] = "UBUNTU7.04";
-   ver[2] = "1.2.8-0ubuntu8.3";
+   ver[2] = "1.2.8-0ubuntu8.4";
    pkg[2] = "cupsys";
    rls[3] = "UBUNTU7.10";
-   ver[3] = "1.3.2-1ubuntu7.6";
+   ver[3] = "1.3.2-1ubuntu7.7";
    pkg[3] = "cupsys";
 
    foreach i (keys(rls)) {
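Review bot: `ver[1] = " 1.2.4-2ubuntu3.4";` carries a leading space inside the string, unlike the other three Ubuntu entries; depending on how the version comparison tokenises the string, the UBUNTU6.10 check may compare against an empty first component or never match, silently missing the vulnerable cupsys package. Change it to `ver[1] = "1.2.4-2ubuntu3.4";`. The foreach loop that consumes these entries continues beyond the hunk.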

Added: trunk/openvas-plugins/scripts/flash_player_CB-A08-0059.nasl
===================================================================
--- trunk/openvas-plugins/scripts/flash_player_CB-A08-0059.nasl	2008-09-02 15:15:27 UTC (rev 1278)
+++ trunk/openvas-plugins/scripts/flash_player_CB-A08-0059.nasl	2008-09-03 20:30:27 UTC (rev 1279)
@@ -0,0 +1,124 @@
+#
+# This script was written by Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>
+# This script is released under the GNU GPLv2
+#
+# $Revision: 01 $
+
+if(description)
+{
+
+ script_id(90018);
+ script_version ("$Revision: 01 $");
+ name["english"] = "Adobe Flash Player 9.0.115.0 and earlier vulnerability";
+ script_name(english:name["english"]);
+
+ desc["english"] = "The remote host is probably affected by the vulnerabilities described in
+CVE-2007-5275, CVE-2007-6019, CVE-2007-6243, CVE-2007-6637, CVE-2008-1654, CVE-2008-1655
+
+Impact
+   CVE 2007-5275
+     The Adobe Macromedia Flash 9 plug-in allows remote attackers to cause
+     a victim machine to establish TCP sessions with arbitrary hosts via a
+     Flash (SWF) movie, related to lack of pinning of a hostname to a single
+     IP address after receiving an allow-access-from element in a 
+     cross-domain-policy XML document, and the availability of a Flash Socket
+     class that does not use the browser's DNS pins, aka DNS rebinding attacks,
+     a different issue than CVE-2002-1467 and CVE-2007-4324.
+   CVE 2007-6019
+     Adobe Flash Player 9.0.115.0 and earlier, and 8.0.39.0 and earlier,
+     allows remote attackers to execute arbitrary code via an SWF file with
+     a modified DeclareFunction2 Actionscript tag, which prevents an object
+     from being instantiated properly.
+   CVE 2007-6243
+     Adobe Flash Player 9.x up to 9.0.48.0, 8.x up to 8.0.35.0, and 7.x 
+     up to 7.0.70.0 does not sufficiently restrict the interpretation and 
+     usage of cross-domain policy files, which makes it easier for remote 
+     attackers to conduct cross-domain and cross-site scripting (XSS) attacks. 
+   CVE 2007-6637
+     Multiple cross-site scripting (XSS) vulnerabilities in Adobe Flash 
+     Player allow remote attackers to inject arbitrary web script or HTML
+     via a crafted SWF file, related to 'pre-generated SWF files' and Adobe
+     Dreamweaver CS3 or Adobe Acrobat Connect. NOTE: the asfunction: vector
+     is already covered by CVE-2007-6244.1. 
+   CVE 2008-1654
+     Interaction error between Adobe Flash and multiple Universal Plug and Play
+     (UPnP) services allow remote attackers to perform Cross-Site Request 
+     Forgery (CSRF) style attacks by using the Flash navigateToURL function
+     to send a SOAP message to a UPnP control point, as demonstrated by changing
+     the primary DNS server. 
+   CVE 2008-1655
+     Unspecified vulnerability in Adobe Flash Player 9.0.115.0 and earlier,
+     and 8.0.39.0 and earlier, makes it easier for remote attackers to 
+     conduct DNS rebinding attacks via unknown vectors. 
+
+
+References:
+    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5275
+    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6019
+    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6243
+    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6637
+    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1654
+    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1655
+
+Solution:
+    All Adobe Flash Player users should upgrade to the latest version:
+
+
+Risk factor : High
+";
+
+ script_description(english:desc["english"]);
+ summary["english"] = "Determines the Version of Flashplayer";
+ script_summary(english:summary["english"]);
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"This script is under GPLv2");
+ family["english"] = "Local test";
+ script_family(english:family["english"]);
+ script_dependencies("ssh_authorization.nasl");
+ exit(0);
+}
+
+#
+# The code starts here
+#
+
+include("version_func.inc");
+
+flashplcnt = 0;
+sec_hole = 0;
+grep = find_bin(prog_name:"grep");
+grep = chomp(grep[0]);
+r = find_bin(prog_name:"flashplayer");
+r = make_list(r,find_file(file_name:"/libflashplayer.so"));
+garg[0] = "-o";
+garg[1] = "-m1";
+garg[2] = "-a";
+garg[3] = string("[0-9]\\+,[0-9]\\+,[0-9]\\+,[0-9]\\+");
+foreach binary_name (r) {
+  binary_name = chomp(binary_name);
+  if (islocalhost()) {
+    garg[4] = binary_name;
+    arg = garg;
+  } else {
+    arg = garg[0]+" "+garg[1]+" "+garg[2]+" "+raw_string(0x22)+garg[3]+raw_string(0x22)+" "+binary_name;
+  }
+  ver = get_bin_version(full_prog_name:grep, version_argv:arg, ver_pattern:"([0-9]+,[0-9]+,[0-9]+,[0-9]+)");
+  if(ver != NULL) {
+    flashplcnt++;
+    if(version_is_less_equal(version:ver[0], test_version:"9,0,115,0") ) {
+      if(sec_hole == 0) {
+        security_hole(port:0, proto:"Adobe Flash Player");
+        sec_hole = 1;
+      }
+      security_hole(port:0, proto:"Adobe Flash Player", data:string("\nFound : ") + binary_name + "  Version : " + ver[0] + string("\n"));
+    }
+  }
+}
+
+if(report_verbosity > 1) {
+  if(flashplcnt == 0) {
+    report = "Adobe Flash Player not found or ssh login not possible on this host." + string("\n");
+    security_note(port:0, proto:"Adobe Flash Player", data:report);
+  }
+}
+exit(0);
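Review bot: In the remote branch, the line `arg = garg[0]+" "+garg[1]+" "+garg[2]+" "+raw_string(0x22)+garg[3]+raw_string(0x22)+" "+binary_name;` splices `binary_name`, a path returned by `locate` on the target, unquoted into a shell command executed over SSH; since `find_file` is a substring lookup, a file on the target named e.g. `libflashplayer.so;id` would run the trailing text with the scanner's SSH credentials. The regex is already wrapped in `raw_string(0x22)`; quote the path the same way and skip anything that is not a plain path, e.g. `if( ereg(pattern:"[^A-Za-z0-9_./+-]", string:binary_name) ) continue;` before `arg` is built. The local branch passes argv as a list and is not affected. Separately, `grep = chomp(grep[0]);` dereferences the `find_bin` result without checking that a grep binary was found.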


Property changes on: trunk/openvas-plugins/scripts/flash_player_CB-A08-0059.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/libpng_CB-A08-0064.nasl
===================================================================
--- trunk/openvas-plugins/scripts/libpng_CB-A08-0064.nasl	2008-09-02 15:15:27 UTC (rev 1278)
+++ trunk/openvas-plugins/scripts/libpng_CB-A08-0064.nasl	2008-09-03 20:30:27 UTC (rev 1279)
@@ -0,0 +1,89 @@
+#
+# This script was written by Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>
+# This script is released under the GNU GPLv2
+#
+# $Revision: 01 $
+
+if(description)
+{
+
+ script_id(90021);
+ script_version ("$Revision: 01 $");
+ script_cve_id("CVE-2008-1382");
+ name["english"] = "libpng vulnerability";
+ script_name(english:name["english"]);
+
+ desc["english"] = "The remote host is probably affected by the vulnerabilities described in
+CVE-2008-1382
+
+Impact
+      libpng 1.0.6 through 1.0.32, 1.2.0 through 1.2.26,
+      and 1.4.0beta01 through 1.4.0beta19 allows context-dependent
+      attackers to cause a denial of service (crash) and possibly
+      execute arbitrary code via a PNG file with zero length
+      unknown chunks, which trigger an access of uninitialized
+      memory. 
+
+References:
+    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1382
+
+Solution:
+    All users should upgrade to the latest libpng version of their Linux Distribution.
+
+
+Risk factor : High
+";
+
+ script_description(english:desc["english"]);
+ summary["english"] = "Determines the Version of libpng";
+ script_summary(english:summary["english"]);
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"This script is under GPLv2");
+ family["english"] = "Local test";
+ script_family(english:family["english"]);
+ script_dependencies("ssh_authorization.nasl");
+ exit(0);
+}
+
+#
+# The code starts here
+#
+
+include("version_func.inc");
+
+local_var sec_proto, r;
+
+sec_proto = "libpng";
+r = find_bin(prog_name:"libpng-config");
+foreach binary_name (r) {
+  binary_name = chomp(binary_name);
+  ver = get_bin_version(full_prog_name:binary_name, version_argv:"--version", ver_pattern:"([0-9\.]+)");
+  if(ver != NULL) {
+    if(version_is_less(version:ver[0], test_version:"1.0.32") ) {
+      security_warning(port:0, proto:secproto);
+      report = string("\nFound : ") + binary_name + "  Version : " + ver[max_index(ver)-1] + string("\n");
+      security_warning(port:0, proto:secproto, data:report);
+    } else {
+      if(version_is_greater_equal(version:ver[0], test_version:"1.2.0") &&
+         version_is_less(version:ver[0], test_version:"1.2.27") ) {
+        security_warning(port:0, proto:secproto);
+        report = string("\nFound : ") + binary_name + "  Version : " + ver[max_index(ver)-1] + string("\n");
+        security_warning(port:0, proto:secproto, data:report);
+      } else {
+        if(version_is_equal(version:ver[0], test_version:"1.4.0") ) {
+          ver = get_bin_version(full_prog_name:binary_name, version_argv:"--version", ver_pattern:"(beta..)");
+          if(ver != NULL) {
+            if(version_is_greater_equal(version:ver[0], test_version:"beta01") && 
+               version_is_less(version:ver[0], test_version:"beta20") ) {
+              security_warning(port:0, proto:secproto);
+              report = string("\nFound : ") + binary_name + "  Version : " + ver[max_index(ver)-1] + string("\n");
+              security_warning(port:0, proto:secproto, data:report);
+            }
+          }
+        }
+      }
+    }
+  }
+}
+
+exit(0);
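Review bot: `sec_proto = "libpng";` is assigned but every `security_warning(... proto:secproto ...)` call below reads `secproto`, an undefined name, so the proto field of each report is empty; change the six uses to `proto:sec_proto`. The first range check also disagrees with the description, which lists 1.0.6 through 1.0.32 as affected, yet `version_is_less(version:ver[0], test_version:"1.0.32")` lets 1.0.32 through while the 1.2 branch correctly uses `"1.2.27"`; `"1.0.33"` appears intended unless the description is what is wrong. The script reports with `security_warning` although the description says `Risk factor : High`, which the other plugins in this commit report via `security_hole`.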


Property changes on: trunk/openvas-plugins/scripts/libpng_CB-A08-0064.nasl
___________________________________________________________________
Name: svn:executable
   + *

Modified: trunk/openvas-plugins/scripts/smbcl_CVE-2008-0234.nasl
===================================================================
--- trunk/openvas-plugins/scripts/smbcl_CVE-2008-0234.nasl	2008-09-02 15:15:27 UTC (rev 1278)
+++ trunk/openvas-plugins/scripts/smbcl_CVE-2008-0234.nasl	2008-09-03 20:30:27 UTC (rev 1279)
@@ -3,21 +3,21 @@
 #
 # This script is released under the GNU GPLv2
 #
-# $Revision: 01 $
+# $Revision: 02 $
 
 if(description)
 {
 
  script_id(90012);
- script_version ("$Revision: 01 $");
- script_cve_id("CVE-2008-0234");
+ script_version ("$Revision: 02 $");
+ script_cve_id("CVE-2008-2010");
  name["english"] = "Buffer overflow in Apple Quicktime Player";
  script_name(english:name["english"]);
 
  desc["english"] = "The remote host is probable affected by the vulnerabilitys described in
-CVE-2008-0234
+CVE-2008-0234 CVE-2008-2010
 
-Checking if QuickTime version is less than 7.4.1
+Checking if QuickTime version is less than 7.5
 
 Impact
       Buffer overflow in Apple Quicktime Player 7.3.1.70
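Review bot: The `script_cve_id("CVE-2008-2010");` line replaces CVE-2008-0234 rather than adding to it, so the structured CVE metadata no longer covers the first issue even though the description on the line below still lists both; use `script_cve_id("CVE-2008-0234", "CVE-2008-2010");`. The description block continues past the hunk.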
@@ -27,10 +27,19 @@
       to an rtsp:// request, as demonstrated using a
       404 error message.
 
+      Unspecified vulnerability in Apple QuickTime Player
+      on Windows XP SP2 and Vista SP1 allows remote attackers
+      to execute arbitrary code via a crafted QuickTime media
+      file. NOTE: as of 20080429, the only disclosure is a
+      vague pre-advisory with no actionable information.
+      However, because it is from a well-known researcher,
+      it is being assigned a CVE identifier for tracking purposes. 
 
 References:
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0234
+    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2010
     http://lists.apple.com/archives/security-announce/2008/Feb/msg00001.html
+    http://lists.apple.com/archives/Security-announce/2008/Jun/msg00000.html
 
 Solution:
     All Users should upgrade to the latest version.
@@ -57,7 +66,7 @@
 if( !get_kb_item("SMB/smbclient") ) {
    smbclientavail();
 }
-test_version = "7.4.1";
+test_version = "7.50.51";
 
   if(get_kb_item("SMB/smbclient") ) {
     if( smbversion() == 0){
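Review bot: `test_version = "7.50.51";` does not match the description added in the earlier hunk, which says the script checks for QuickTime less than 7.5; a reader cannot tell whether 7.50.51 is the PE file version of the 7.5 release or of a later build, and the two should agree. Add a comment above the assignment naming the product release this file version belongs to, e.g. `# PE file version shipped with the QuickTime release that closes CVE-2008-2010`, or state the threshold in the description in the same form. The comparison that consumes `test_version` is outside the hunk.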

Added: trunk/openvas-plugins/scripts/smbcl_flash_player_CB-A08-0059.nasl
===================================================================
--- trunk/openvas-plugins/scripts/smbcl_flash_player_CB-A08-0059.nasl	2008-09-02 15:15:27 UTC (rev 1278)
+++ trunk/openvas-plugins/scripts/smbcl_flash_player_CB-A08-0059.nasl	2008-09-03 20:30:27 UTC (rev 1279)
@@ -0,0 +1,132 @@
+#
+# This script was written by Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>
+#
+# This script is released under the GNU GPLv2
+#
+# $Revision: 01 $
+
+if(description)
+{
+
+ script_id(90019);
+ script_version ("$Revision: 01 $");
+ name["english"] = "Adobe Flash Player 9.0.115.0 and earlier vulnerability";
+ script_name(english:name["english"]);
+
+ desc["english"] = "The remote host is probably affected by the vulnerabilities described in
+CVE-2007-5275, CVE-2007-6019, CVE-2007-6243, CVE-2007-6637, CVE-2008-1654, CVE-2008-1655
+
+Impact
+   CVE 2007-5275
+     The Adobe Macromedia Flash 9 plug-in allows remote attackers to cause
+     a victim machine to establish TCP sessions with arbitrary hosts via a
+     Flash (SWF) movie, related to lack of pinning of a hostname to a single
+     IP address after receiving an allow-access-from element in a 
+     cross-domain-policy XML document, and the availability of a Flash Socket
+     class that does not use the browser's DNS pins, aka DNS rebinding attacks,
+     a different issue than CVE-2002-1467 and CVE-2007-4324.
+   CVE 2007-6019
+     Adobe Flash Player 9.0.115.0 and earlier, and 8.0.39.0 and earlier,
+     allows remote attackers to execute arbitrary code via an SWF file with
+     a modified DeclareFunction2 Actionscript tag, which prevents an object
+     from being instantiated properly.
+   CVE 2007-6243
+     Adobe Flash Player 9.x up to 9.0.48.0, 8.x up to 8.0.35.0, and 7.x 
+     up to 7.0.70.0 does not sufficiently restrict the interpretation and 
+     usage of cross-domain policy files, which makes it easier for remote 
+     attackers to conduct cross-domain and cross-site scripting (XSS) attacks. 
+   CVE 2007-6637
+     Multiple cross-site scripting (XSS) vulnerabilities in Adobe Flash 
+     Player allow remote attackers to inject arbitrary web script or HTML
+     via a crafted SWF file, related to 'pre-generated SWF files' and Adobe
+     Dreamweaver CS3 or Adobe Acrobat Connect. NOTE: the asfunction: vector
+     is already covered by CVE-2007-6244.1. 
+   CVE 2008-1654
+     Interaction error between Adobe Flash and multiple Universal Plug and Play
+     (UPnP) services allow remote attackers to perform Cross-Site Request 
+     Forgery (CSRF) style attacks by using the Flash navigateToURL function
+     to send a SOAP message to a UPnP control point, as demonstrated by changing
+     the primary DNS server. 
+   CVE 2008-1655
+     Unspecified vulnerability in Adobe Flash Player 9.0.115.0 and earlier,
+     and 8.0.39.0 and earlier, makes it easier for remote attackers to 
+     conduct DNS rebinding attacks via unknown vectors. 
+
+
+References:
+    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5275
+    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6019
+    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6243
+    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6637
+    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1654
+    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1655
+
+Solution:
+    All Adobe Flash Player users should upgrade to the latest version:
+
+
+Risk factor : High
+";
+
+ script_description(english:desc["english"]);
+ summary["english"] = "Determines the Version of Flashplayer";
+ script_summary(english:summary["english"]);
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"This script is under GPLv2");
+ family["english"] = "Windows";
+ script_family(english:family["english"]);
+ exit(0);
+}
+
+#
+# The code starts here
+#
+
+include("version_func.inc");
+include("smbcl_func.inc");
+if( !get_kb_item("SMB/smbclient") ) {
+   smbclientavail();
+}
+
+  if(get_kb_item("SMB/smbclient") ) {
+    if( smbversion() == 0){
+      report = string("Error getting SMB-Data -> "+get_kb_item("SMB/ERROR"));
+      security_note(port:0, proto:"SMBClient", data:report);
+      exit(0);
+    }
+  } else {
+    report = string("SMBClient not found on openvasd host !");
+    security_note(port:0, proto:"SMBClient", data:report);
+    exit(0);
+  }
+
+  sec_hole = 0;
+  test_version = "9.0.115.0";
+  win_dir = get_windir();
+  if( !isnull(win_dir) ) {
+    test_file[0] = win_dir+"System32\Macromed\Flash\NPSWF32.dll";
+    test_file[1] = win_dir+"System32\Macromed\Flash\Flash.ocx";
+    test_file[2] = win_dir+"System32\Macromed\Flash\Flash6.ocx";
+    foreach filespec (test_file) {
+      r = smbgetdir(share: "C$", dir: filespec, typ: 1 );
+      if( !isnull(r) ) {
+          tmp_filename = get_tmp_dir()+"tmpfile"+rand();
+          if( smbgetfile(share: "C$", filename: filespec, tmp_filename: tmp_filename) ) {
+            v = GetPEFileVersion(tmp_filename:tmp_filename, orig_filename:filespec);
+            unlink(tmp_filename);
+            if( version_is_less_equal(version: v, test_version: test_version) ) {
+              if( sec_hole == 0 ) {
+                security_hole(port:0, proto:"Win_Flashplayer");
+                sec_hole = 1;
+              }
+              security_hole(port:0, proto:"Win_Flashplayer", data:"Fileversion : C$ "+filespec + " "+v+string("\n"));
+            }
+          } else {
+            report = string("Error getting SMB-File -> "+get_kb_item("SMB/ERROR")) + string("\n");
+            security_note(port:0, proto:"Win_Flashplayer", data:report);
+          }
+      }
+    }
+  }
+
+exit(0);
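Review bot: `v = GetPEFileVersion(tmp_filename:tmp_filename, orig_filename:filespec);` is passed straight to `version_is_less_equal` without checking for a failed parse; if the helper returns NULL for a file whose version resource cannot be read, the result depends on how the comparison treats NULL, and the file may be reported as vulnerable or silently skipped. Add `if( isnull(v) ) continue;` after the `unlink` so that only a real version string reaches the comparison. The temporary copy is also written to `get_tmp_dir()+"tmpfile"+rand()`, a predictable name in a shared directory on the scanner host; if that directory is world-writable this is open to a symlink race, so an unpredictable name created by a helper would be preferable.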

Modified: trunk/openvas-plugins/scripts/version_func.inc
===================================================================
--- trunk/openvas-plugins/scripts/version_func.inc	2008-09-02 15:15:27 UTC (rev 1278)
+++ trunk/openvas-plugins/scripts/version_func.inc	2008-09-03 20:30:27 UTC (rev 1279)
@@ -3,7 +3,7 @@
 #
 # This script is released under the GNU GPLv2
 #
-# $Revision: 5 $
+# $Revision: 6 $
 
 # XXX: the version tests should be eventually consolidated with
 # the methods from revisions-lib.inc.
@@ -46,8 +46,28 @@
   return (r);
 }
 
+function find_file(file_name) {
+  local_var r, sock;
+
+  r = NULL;
+  if (islocalhost()) {
+     r = split(pread(cmd:"locate", argv:make_list("locate", file_name)) );
+  } else {
+      sock = ssh_login_or_reuse_connection();
+      if (sock) {
+        r = split(ssh_cmd(socket:sock, cmd:"locate "+file_name, timeout:20));
+        ssh_close_connection();
+      } 
+  }
+  if( ("/locatedb" >< r) || ("execvp:" >< r) || ("fatal error" >< r) || ("No such file or dir" >< r) ) {
+    r = NULL;
+  }
+  return (r);
+}
+
 function get_bin_version(full_prog_name, version_argv, ver_pattern) {
   local_var loc_version, r, sock, report;
+
   if (islocalhost()) {
      r = pread(cmd:full_prog_name, argv:make_list(full_prog_name, version_argv) );
   } else {
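Review bot: The error detection in `find_file` runs after `split()`, so `r` is a list when `"/locatedb" >< r` and the three sibling tests execute; if `><` on a list tests element membership rather than substring (as it does for strings), an error line such as `locate: can not open .../locatedb` would not match and would be handed back to callers as a file path. Test the raw output before splitting, e.g. `out = ssh_cmd(socket:sock, cmd:"locate "+file_name, timeout:20); if( "/locatedb" >< out || "execvp:" >< out || "fatal error" >< out || "No such file or dir" >< out ) return NULL; r = split(out);`. In the remote branch `file_name` is concatenated unquoted into the shell command `"locate "+file_name`; the only caller in this commit passes a literal, but a function documented as finding "any file" should quote the argument or reject names containing shell metacharacters. Note also that `locate` substring-matches against a possibly stale database, so returned paths may no longer exist and callers should tolerate that.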

Added: trunk/openvas-plugins/scripts/win_CVE-2007-6026.nasl
===================================================================
--- trunk/openvas-plugins/scripts/win_CVE-2007-6026.nasl	2008-09-02 15:15:27 UTC (rev 1278)
+++ trunk/openvas-plugins/scripts/win_CVE-2007-6026.nasl	2008-09-03 20:30:27 UTC (rev 1279)
@@ -0,0 +1,154 @@
+#
+# This script was written by Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>
+#
+# This script is released under the GNU GPLv2
+#
+# $Revision: 01 $
+
+if(description)
+{
+
+ script_id(90024);
+ script_version ("$Revision: 01 $");
+ script_cve_id("CVE-2007-6026");
+ name["english"] = "Windows Vulnerability in Microsoft Jet Database Engine";
+ script_name(english:name["english"]);
+
+ desc["english"] = "The remote host is probably affected by the vulnerability described in
+CVE-2007-6026
+
+
+Impact
+    Stack-based buffer overflow in Microsoft msjet40.dll 4.0.8618.0
+    (aka Microsoft Jet Engine), as used by Access 2003 in Microsoft
+    Office 2003 SP3, allows user-assisted attackers to execute arbitrary
+    code via a crafted MDB file database file containing a column
+    structure with a modified column count. NOTE: this might be the
+    same issue as CVE-2005-0944. 
+
+References:
+    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6026
+    http://www.microsoft.com/technet/security/bulletin/ms08-028.mspx
+
+Solution:
+    All Users should upgrade to the latest version.
+
+
+Risk factor : High";
+
+ script_description(english:desc["english"]);
+ summary["english"] = "Windows Vulnerability in Microsoft Jet Database Engine";
+ script_summary(english:summary["english"]);
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"This script is under GPLv2");
+ family["english"] = "Windows";
+ script_family(english:family["english"]);
+ exit(0);
+}
+
+#
+# The code starts here
+#
+
+local_var os;
+
+include("version_func.inc");
+include("smbcl_func.inc");
+
+  if( !get_kb_item("SMB/smbclient") ) {
+    smbclientavail();
+  }
+
+  if(get_kb_item("SMB/smbclient") ) {
+    if( smbversion() == 0){
+      report = string("Error getting SMB-Data -> "+get_kb_item("SMB/ERROR"));
+      security_note(port:0, proto:"SMBClient", data:report);
+      exit(0);
+    }
+  } else {
+    report = string("SMBClient not found on this host !");
+    security_note(port:0, proto:"SMBClient", data:report);
+    exit(0);
+  }
+
+  win_dir = get_windir();
+  sec_hole = 0;
+  if( !isnull(win_dir) ) {
+    os = get_kb_item("SMB/OS");
+    filespec = win_dir+"system32\Msjint40.dll";
+    test_version = NULL;
+    if( "WINDOWS 5.1" >< os ) {
+      test_version = "4.0.9502.0";
+    } else {
+      if( "WINDOWS SERVER 2003" >< os ) {
+        test_version = "4.0.9502.0";
+      } else {
+        if( "WINDOWS 5.0" >< os ) {
+          test_version = "4.0.9502.0";            
+        }
+      }
+    }
+    if( !isnull(test_version) ) {
+      r = smbgetdir(share: "C$", dir: filespec, typ: 1 );
+      if( !isnull(r) ) {
+        tmp_filename = get_tmp_dir()+"tmpfile"+rand();
+        if( smbgetfile(share: "C$", filename: filespec, tmp_filename: tmp_filename) ) {
+          v = GetPEFileVersion(tmp_filename:tmp_filename, orig_filename:filespec);
+          unlink(tmp_filename);
+          if( version_is_less(version: v, test_version: test_version) ) {
+            if( sec_hole == 0 ) {
+              security_hole(port:0, proto:"Win");
+              sec_hole = 1;
+            }
+            security_hole(port:0, proto:"Win", data:"Version found : C$ "+filespec + " "+v+string("\n")+
+                                                    "Version expected : "+test_version+" or higher "+string("\n"));
+          }
+        } else {
+          report = string("Error getting SMB-File -> "+get_kb_item("SMB/ERROR")) + string("\n");
+          security_note(port:0, proto:"SMB", data:report);
+        }
+      } else {
+        report = string(filespec+" not found/no access -> "+get_kb_item("SMB/ERROR")) + string("\n");
+        security_note(port:0, proto:"SMB", data:report);
+      }
+    }
+    filespec = win_dir+"system32\Msjet40.dll";
+    test_version = NULL;
+    if( "WINDOWS 5.1" >< os ) {
+      test_version = "4.0.9511.0";
+    } else {
+      if( "WINDOWS SERVER 2003" >< os ) {
+        test_version = "4.0.9511.0";
+      } else {
+        if( "WINDOWS 5.0" >< os ) {
+          test_version = "4.0.9511.0";            
+        }
+      }
+    }
+    if( !isnull(test_version) ) {
+      r = smbgetdir(share: "C$", dir: filespec, typ: 1 );
+      if( !isnull(r) ) {
+        tmp_filename = get_tmp_dir()+"tmpfile"+rand();
+        if( smbgetfile(share: "C$", filename: filespec, tmp_filename: tmp_filename) ) {
+          v = GetPEFileVersion(tmp_filename:tmp_filename, orig_filename:filespec);
+          unlink(tmp_filename);
+          if( version_is_less(version: v, test_version: test_version) ) {
+            if( sec_hole == 0 ) {
+              security_hole(port:0, proto:"Win");
+              sec_hole = 1;
+            }
+            security_hole(port:0, proto:"Win", data:"Version found : C$ "+filespec + " "+v+string("\n")+
+                                                    "Version expected : "+test_version+" or higher "+string("\n"));
+          }
+        } else {
+          report = string("Error getting SMB-File -> "+get_kb_item("SMB/ERROR")) + string("\n");
+          security_note(port:0, proto:"SMB", data:report);
+        }
+      } else {
+        report = string(filespec+" not found/no access -> "+get_kb_item("SMB/ERROR")) + string("\n");
+        security_note(port:0, proto:"SMB", data:report);
+      }
+    }
+  }
+
+exit(0);
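Review bot: The two blocks starting at `filespec = win_dir+"system32\Msjint40.dll";` and `filespec = win_dir+"system32\Msjet40.dll";` are identical apart from the file name and the expected version, and the nested OS test inside each assigns the same `test_version` in all three branches, so the whole thing collapses to one helper called twice with a single OS guard. Factoring it out keeps the two thresholds in one place and means a later fix (a NULL check on `v`, a safer temp-file name) is made once; it assumes `sec_hole` stays a script-level variable visible from the function, which is how the script already uses it, and `os` is read once with no check that `get_kb_item("SMB/OS")` returned a value, which the guard below inherits.

```nasl
# Fetch filespec from C$ and report it if its PE version is below test_version.
function check_dll(filespec, test_version) {
  local_var r, tmp_filename, v, report;
  r = smbgetdir(share: "C$", dir: filespec, typ: 1 );
  if( isnull(r) ) {
    report = string(filespec+" not found/no access -> "+get_kb_item("SMB/ERROR")) + string("\n");
    security_note(port:0, proto:"SMB", data:report);
    return;
  }
  tmp_filename = get_tmp_dir()+"tmpfile"+rand();
  if( !smbgetfile(share: "C$", filename: filespec, tmp_filename: tmp_filename) ) {
    report = string("Error getting SMB-File -> "+get_kb_item("SMB/ERROR")) + string("\n");
    security_note(port:0, proto:"SMB", data:report);
    return;
  }
  v = GetPEFileVersion(tmp_filename:tmp_filename, orig_filename:filespec);
  unlink(tmp_filename);
  if( version_is_less(version: v, test_version: test_version) ) {
    if( sec_hole == 0 ) {
      security_hole(port:0, proto:"Win");
      sec_hole = 1;
    }
    security_hole(port:0, proto:"Win", data:"Version found : C$ "+filespec + " "+v+string("\n")+
                                            "Version expected : "+test_version+" or higher "+string("\n"));
  }
}

# … unchanged: smbclient availability checks …
win_dir = get_windir();
sec_hole = 0;
if( !isnull(win_dir) ) {
  os = get_kb_item("SMB/OS");
  # the original only sets a threshold for these three OS strings
  if( ("WINDOWS 5.0" >< os) || ("WINDOWS 5.1" >< os) || ("WINDOWS SERVER 2003" >< os) ) {
    check_dll(filespec: win_dir+"system32\Msjint40.dll", test_version: "4.0.9502.0");
    check_dll(filespec: win_dir+"system32\Msjet40.dll",  test_version: "4.0.9511.0");
  }
}
```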

Added: trunk/openvas-plugins/scripts/win_CVE-2008-0087.nasl
===================================================================
--- trunk/openvas-plugins/scripts/win_CVE-2008-0087.nasl	2008-09-02 15:15:27 UTC (rev 1278)
+++ trunk/openvas-plugins/scripts/win_CVE-2008-0087.nasl	2008-09-03 20:30:27 UTC (rev 1279)
@@ -0,0 +1,122 @@
+#
+# This script was written by Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>
+#
+# This script is released under the GNU GPLv2
+#
+# $Revision: 01 $
+
+if(description)
+{
+
+ script_id(90020);
+ script_version ("$Revision: 01 $");
+ script_cve_id("CVE-2008-0087");
+ name["english"] = "Windows vulnerability in DNS Client Could Allow Spoofing (945553)";
+ script_name(english:name["english"]);
+
+ desc["english"] = "The remote host is probably affected by the vulnerability described in
+CVE-2008-0087
+
+
+Impact
+    The DNS client in Microsoft Windows 2000 SP4, XP SP2, Server 2003 SP1
+    and SP2, and Vista uses predictable DNS transaction IDs, which allows
+    remote attackers to spoof DNS responses. 
+
+References:
+    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0087
+    http://www.microsoft.com/technet/security/bulletin/ms08-020.mspx
+
+Solution:
+    All Users should upgrade to the latest version.
+
+
+Risk factor : High";
+
+ script_description(english:desc["english"]);
+ summary["english"] = "Windows vulnerability in DNS Client Could Allow Spoofing (945553)";
+ script_summary(english:summary["english"]);
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"This script is under GPLv2");
+ family["english"] = "Windows";
+ script_family(english:family["english"]);
+ exit(0);
+}
+
+#
+# The code starts here
+#
+
+local_var os;
+
+include("version_func.inc");
+include("smbcl_func.inc");
+
+  if( !get_kb_item("SMB/smbclient") ) {
+    smbclientavail();
+  }
+
+  if(get_kb_item("SMB/smbclient") ) {
+    if( smbversion() == 0){
+      report = string("Error getting SMB-Data -> "+get_kb_item("SMB/ERROR"));
+      security_note(port:0, proto:"SMBClient", data:report);
+      exit(0);
+    }
+  } else {
+    report = string("SMBClient not found on this host !");
+    security_note(port:0, proto:"SMBClient", data:report);
+    exit(0);
+  }
+
+  win_dir = get_windir();
+  sec_hole = 0;
+  if( !isnull(win_dir) ) {
+    os = get_kb_item("SMB/OS");
+    filespec = win_dir+"system32\Dnsapi.dll";
+    test_version = NULL;
+    if( "WINDOWS VISTA" >< os ) {
+      test_version = "6.0.6000.16615";
+    } else {
+      if( "WINDOWS 5.1" >< os ) {
+        test_version = "5.1.2600.3316";
+      } else {
+        if( "WINDOWS SERVER 2003" >< os ) {
+          if( "SERVICE PACK 2" >< os ) {
+            test_version = "5.2.3790.4238";
+          } else {
+	    test_version = "5.2.3790.3092";
+          }
+        } else {
+          if( "WINDOWS 5.0" >< os ) {
+            test_version = "5.0.2195.7151";            
+          }
+        }
+      }
+    }
+    if( !isnull(test_version) ) {
+      r = smbgetdir(share: "C$", dir: filespec, typ: 1 );
+      if( !isnull(r) ) {
+        tmp_filename = get_tmp_dir()+"tmpfile"+rand();
+        if( smbgetfile(share: "C$", filename: filespec, tmp_filename: tmp_filename) ) {
+          v = GetPEFileVersion(tmp_filename:tmp_filename, orig_filename:filespec);
+          unlink(tmp_filename);
+          if( version_is_less(version: v, test_version: test_version) ) {
+            if( sec_hole == 0 ) {
+              security_hole(port:0, proto:"Win");
+              sec_hole = 1;
+            }
+            security_hole(port:0, proto:"Win", data:"Version found : C$ "+filespec + " "+v+string("\n")+
+                                                    "Version expected : "+test_version+" or higher "+string("\n"));
+          }
+        } else {
+          report = string("Error getting SMB-File -> "+get_kb_item("SMB/ERROR")) + string("\n");
+          security_note(port:0, proto:"SMB", data:report);
+        }
+      } else {
+        report = string(filespec+" not found/no access -> "+get_kb_item("SMB/ERROR")) + string("\n");
+        security_note(port:0, proto:"SMB", data:report);
+      }
+    }
+  }
+
+exit(0);
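Review bot: The temporary copy of Dnsapi.dll is written to a predictable path, `tmp_filename = get_tmp_dir()+"tmpfile"+rand();`, and is only removed on the success path after `GetPEFileVersion` runs; if `smbgetfile` fails after creating the file, nothing unlinks it. A name built from `rand()` in a shared temp directory can be guessed by another local user of the scanner host, so a longer random component (NASL's `rand_str()`, if available in this tree) together with an `unlink(tmp_filename);` in the `else` branch would close both gaps. The same pattern appears in the preceding hunk. Separately, when `os` matches none of the version strings the script exits silently with no output; a `security_note` saying the OS string was not recognised would make "not checked" distinguishable from "not vulnerable".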
