[Openvas-commits] r1314 - in trunk/openvas-plugins: . scripts
scm-commit@wald.intevation.org
scm-commit at wald.intevation.org
Tue Sep 9 22:57:13 CEST 2008
Author: ckm
Date: 2008-09-09 22:57:12 +0200 (Tue, 09 Sep 2008)
New Revision: 1314
Added:
trunk/openvas-plugins/scripts/openoffice_CB-A08-0068.nasl
trunk/openvas-plugins/scripts/smbcl_openoffice_CB-A08-0068.nasl
Modified:
trunk/openvas-plugins/ChangeLog
trunk/openvas-plugins/scripts/gnutls_CB-A08-0079.nasl
trunk/openvas-plugins/scripts/libpng_CB-A08-0064.nasl
trunk/openvas-plugins/scripts/mozilla_CB-A08-0017.nasl
trunk/openvas-plugins/scripts/samba_CB-A08-0085.nasl
trunk/openvas-plugins/scripts/smbcl_CVE-2008-0234.nasl
trunk/openvas-plugins/scripts/smbcl_flash_player_CB-A08-0059.nasl
trunk/openvas-plugins/scripts/smbcl_func.inc
trunk/openvas-plugins/scripts/smbcl_gnutls_CB-A08-0079.nasl
trunk/openvas-plugins/scripts/smbcl_mozilla.nasl
trunk/openvas-plugins/scripts/version_func.inc
trunk/openvas-plugins/scripts/win_CVE-2007-0043.nasl
trunk/openvas-plugins/scripts/win_CVE-2007-6026.nasl
trunk/openvas-plugins/scripts/win_CVE-2008-0080.nasl
trunk/openvas-plugins/scripts/win_CVE-2008-0087.nasl
Log:
* scripts/samba_CB-A08-0085.nasl: changed proto.
* scripts/smbcl_func: Added function check_smbcl() for easy
smbclient/win check. Added function to all scripts using
smbcl_func.inc.
* scripts/libpng_CB-A08-0064.nasl: fixed proto
* scripts/smbcl_openoffice_CB-A08-0068.nasl: New.
* scripts/version_func.inc: changed function find_file
* scripts/gnutls_CB-A08-0079.nasl: fixed script_dependencies
* scripts/openoffice_CB-A08-0068.nasl: new
* scripts/smbcl_mozilla.nasl: removed win_dir check, cosmetics.
Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog 2008-09-09 14:54:39 UTC (rev 1313)
+++ trunk/openvas-plugins/ChangeLog 2008-09-09 20:57:12 UTC (rev 1314)
@@ -1,3 +1,16 @@
+2008-09-09 Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>.
+
+ * scripts/samba_CB-A08-0085.nasl: changed proto.
+ * scripts/smbcl_func: Added function check_smbcl() for easy
+ smbclient/win check. Added function to all scripts using
+ smbcl_func.inc.
+ * scripts/libpng_CB-A08-0064.nasl: fixed proto
+ * scripts/smbcl_openoffice_CB-A08-0068.nasl: New.
+ * scripts/version_func.inc: changed function find_file
+ * scripts/gnutls_CB-A08-0079.nasl: fixed script_dependencies
+ * scripts/openoffice_CB-A08-0068.nasl: new
+ * scripts/smbcl_mozilla.nasl: removed win_dir check, cosmetics.
+
2008-09-09 Vlatko Kosturjak <kost at linux.hr>
* added contribution from Christian Eric Edjenguele
Modified: trunk/openvas-plugins/scripts/gnutls_CB-A08-0079.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gnutls_CB-A08-0079.nasl 2008-09-09 14:54:39 UTC (rev 1313)
+++ trunk/openvas-plugins/scripts/gnutls_CB-A08-0079.nasl 2008-09-09 20:57:12 UTC (rev 1314)
@@ -65,7 +65,7 @@
script_copyright(english:"This script is under GPLv2");
family["english"] = "Local test";
script_family(english:family["english"]);
- script_dependencies("gather-package-list.nasl");
+ script_dependencies("ssh_authorization.nasl");
exit(0);
}
@@ -89,6 +89,7 @@
r[0] = chomp(r[0]);
ver = get_bin_version(full_prog_name:r[0], version_argv:"--version", ver_pattern:"([0-9\.]+)");
}
+ r = NULL;
if(isnull(ver) || version_is_less(version:ver[0], test_version:"2.2.5") ) {
grep = find_bin(prog_name:"grep");
grep = chomp(grep[0]);
Modified: trunk/openvas-plugins/scripts/libpng_CB-A08-0064.nasl
===================================================================
--- trunk/openvas-plugins/scripts/libpng_CB-A08-0064.nasl 2008-09-09 14:54:39 UTC (rev 1313)
+++ trunk/openvas-plugins/scripts/libpng_CB-A08-0064.nasl 2008-09-09 20:57:12 UTC (rev 1314)
@@ -60,24 +60,24 @@
ver = get_bin_version(full_prog_name:binary_name, version_argv:"--version", ver_pattern:"([0-9\.]+)");
if(ver != NULL) {
if(version_is_less(version:ver[0], test_version:"1.0.32") ) {
- security_warning(port:0, proto:secproto);
+ security_warning(port:0, proto:sec_proto);
report = string("\nFound : ") + binary_name + " Version : " + ver[max_index(ver)-1] + string("\n");
- security_warning(port:0, proto:secproto, data:report);
+ security_warning(port:0, proto:sec_proto, data:report);
} else {
if(version_is_greater_equal(version:ver[0], test_version:"1.2.0") &&
version_is_less(version:ver[0], test_version:"1.2.27") ) {
- security_warning(port:0, proto:secproto);
+ security_warning(port:0, proto:sec_proto);
report = string("\nFound : ") + binary_name + " Version : " + ver[max_index(ver)-1] + string("\n");
- security_warning(port:0, proto:secproto, data:report);
+ security_warning(port:0, proto:sec_proto, data:report);
} else {
if(version_is_equal(version:ver[0], test_version:"1.4.0") ) {
ver = get_bin_version(full_prog_name:binary_name, version_argv:"--version", ver_pattern:"(beta..)");
if(ver != NULL) {
if(version_is_greater_equal(version:ver[0], test_version:"beta01") &&
version_is_less(version:ver[0], test_version:"beta20") ) {
- security_warning(port:0, proto:secproto);
+ security_warning(port:0, proto:sec_proto);
report = string("\nFound : ") + binary_name + " Version : " + ver[max_index(ver)-1] + string("\n");
- security_warning(port:0, proto:secproto, data:report);
+ security_warning(port:0, proto:sec_proto, data:report);
}
}
}
Modified: trunk/openvas-plugins/scripts/mozilla_CB-A08-0017.nasl
===================================================================
--- trunk/openvas-plugins/scripts/mozilla_CB-A08-0017.nasl 2008-09-09 14:54:39 UTC (rev 1313)
+++ trunk/openvas-plugins/scripts/mozilla_CB-A08-0017.nasl 2008-09-09 20:57:12 UTC (rev 1314)
@@ -58,6 +58,7 @@
script_copyright(english:"This script is under GPLv2");
family["english"] = "Local test";
script_family(english:family["english"]);
+ script_dependencies("ssh_authorization.nasl");
exit(0);
}
Added: trunk/openvas-plugins/scripts/openoffice_CB-A08-0068.nasl
===================================================================
--- trunk/openvas-plugins/scripts/openoffice_CB-A08-0068.nasl 2008-09-09 14:54:39 UTC (rev 1313)
+++ trunk/openvas-plugins/scripts/openoffice_CB-A08-0068.nasl 2008-09-09 20:57:12 UTC (rev 1314)
@@ -0,0 +1,124 @@
+#
+# This script was written by Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>
+#
+# This script is released under the GNU GPLv2
+#
+# $Revision: 01 $
+
+if(description)
+{
+
+ script_id(90029);
+ script_version ("$Revision: 01 $");
+ script_cve_id("CVE-2008-2152");
+ name["english"] = "OpenOffice.org <= 2.4.1 vulnerability";
+ script_name(english:name["english"]);
+
+ desc["english"] = "The remote host is probably affected by the vulnerabilities described in
+CVE-2008-2152 or CVE-2008-3282 on 64-bit platform's
+
+OpenOffice.org <= 2.4.1 vulnerability
+
+Impact
+
+ CVE-2008-2152
+ Integer overflow in the rtl_allocateMemory function in
+ sal/rtl/source/alloc_global.c in OpenOffice.org (OOo)
+ 2.0 through 2.4 allows remote attackers to execute
+ arbitrary code via a crafted file that triggers a
+ heap-based buffer overflow.
+ CVE-2008-3282
+ Integer overflow in the rtl_allocateMemory function
+ in sal/rtl/source/alloc_global.c in the memory allocator
+ in OpenOffice.org (OOo) 2.4.1, on 64-bit platforms, allows
+ remote attackers to cause a denial of service (application
+ crash) or possibly execute arbitrary code via a crafted
+ document, related to a 'numeric truncation error,' a
+ different vulnerability than CVE-2008-2152.
+
+References:
+ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2152
+ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3282
+
+Solution:
+ All OpenOffice.org users should upgrade to the latest version:
+
+
+Risk factor : High
+";
+
+ script_description(english:desc["english"]);
+ summary["english"] = "Determines OpenOffice.org <= 2.4.1 vulnerability";
+ script_summary(english:summary["english"]);
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"This script is under GPLv2");
+ family["english"] = "Local test";
+ script_family(english:family["english"]);
+ script_dependencies("ssh_authorization.nasl");
+ exit(0);
+}
+
+#
+# The code starts here
+#
+
+include("version_func.inc");
+
+local_var ver, sec_hole, sec_proto, garg, file_name, arg, r, i, t, l, p;
+
+sec_hole = 0;
+sec_proto = "OpenOffice.org";
+test_version = "2.4.9310";
+ver = NULL;
+r = NULL;
+
+ l = find_file(file_name:"soffice.bin");
+ if( isnull(l) ) {
+ l = find_file(file_path:"/usr/lib/", file_name:"soffice.bin");
+ if( isnull(l) ) {
+ l = find_file(file_path:"/usr/lib64/", file_name:"soffice.bin");
+ }
+ }
+ if( ! isnull(l) ) {
+ i = 0;
+ foreach t (l) {
+ if( "soffice.bin" >< t ) {
+ p = chomp(ereg_replace(string:t, pattern:"soffice.bin", replace:""));
+ if( !isnull(find_file(file_path:p, file_name:"versionrc")) ) {
+ r[i++] = p + "versionrc";
+ }
+ }
+ }
+ foreach file_name (r) {
+ file_name = chomp(file_name);
+ if(islocalhost()) {
+ arg = file_name;
+ } else {
+ arg = raw_string(0x22)+file_name+raw_string(0x22);
+ }
+ ver = get_bin_version(full_prog_name:"cat", version_argv:arg, ver_pattern:".+");
+ if( ! isnull(ver) && !((ver[0] =~ "Vendor=Debian") && (ver[0] !~ "Ubuntu")) ) {
+ version = ereg_replace(pattern:".+OOOBaseVersion=", string: ver[0], replace: "")+".";
+ version = eregmatch(pattern:"([0-9]\.)+[0-9]+", string: version);
+ build = ereg_replace(pattern:".+ProductBuildid=", string: ver[0], replace: "");
+ build = eregmatch(pattern:"^[0-9]+", string: build);
+ ver = version[0]+"."+build[0];
+ set_kb_item(name: "OpenOffice.org/Build", value: ver);
+ if( "/lib64" >< t ) {
+ test_version = "2.4.9311";
+ } else {
+ test_version = "2.4.9310";
+ }
+ if( version_is_less(version:ver, test_version:test_version) ) {
+ if(sec_hole == 0) {
+ security_warning(port:0, proto:sec_proto);
+ sec_hole = 1;
+ }
+ security_warning(port:0, proto:sec_proto, data:string("\nFound : ") +
+ (ereg_replace(string:file_name, pattern:"versionrc", replace:"soffice.bin")) +
+ " Build : " + ver + string("\n"));
+ }
+ }
+ }
+ }
+exit(0);
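Review bot: The 64-bit threshold is chosen with `if( "/lib64" >< t )`, but `t` is the loop variable of the earlier `foreach t (l)` and by this point holds whatever that loop left behind, not the path of the `versionrc` being evaluated; `if( "/lib64" >< file_name ) {` tests the file actually under inspection. `version` and `build` returned by `eregmatch()` are used without an `isnull()` check, so a `versionrc` missing `OOOBaseVersion` or `ProductBuildid` produces a malformed `ver` that is written to the KB and compared anyway. The description covers CVE-2008-3282 as well, while `script_cve_id` lists only CVE-2008-2152.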
Property changes on: trunk/openvas-plugins/scripts/openoffice_CB-A08-0068.nasl
___________________________________________________________________
Name: svn:executable
+ *
Modified: trunk/openvas-plugins/scripts/samba_CB-A08-0085.nasl
===================================================================
--- trunk/openvas-plugins/scripts/samba_CB-A08-0085.nasl 2008-09-09 14:54:39 UTC (rev 1313)
+++ trunk/openvas-plugins/scripts/samba_CB-A08-0085.nasl 2008-09-09 20:57:12 UTC (rev 1314)
@@ -10,7 +10,7 @@
script_id(90028);
script_version ("$Revision: 01 $");
-# script_cve_id("CVE-2008-1105");
+ script_cve_id("CVE-2008-1105");
name["english"] = "Samba 3.0.0 > 3.0.29 vulnerability";
script_name(english:name["english"]);
@@ -54,6 +54,7 @@
include("version_func.inc");
include("revisions-lib.inc");
include("pkg-lib-deb.inc");
+sec_proto = "Samba";
# Checking SuSE/Fedora
kbrls = get_kb_item("ssh/login/release");
@@ -94,14 +95,14 @@
version = get_string_version(text:rpms, ver_pattern:pat);
if(!isnull(version)) {
if( version_is_less(version:version[1], test_version:ver[i]) ) {
- security_hole(port:0, proto:"Cups");
+ security_hole(port:0, proto:sec_proto);
} else {
if( version_is_equal(version:version[1], test_version:ver[i]) ) {
pat = version[0]+"~([0-9\.\-]+)";
release = get_string_version(text:rpms, ver_pattern:pat);
if(!isnull(release)) {
if( version_is_less(version:release[1] ,test_version:rel[i]) ) {
- security_hole(port:0, proto:"Cups");
+ security_hole(port:0, proto:sec_proto);
}
}
}
@@ -125,7 +126,7 @@
version = get_string_version(text:pkg, ver_pattern:pat);
if(!isnull(version)) {
if( revcomp(a:version[1], b: ver[0]) == -1 ) {
- security_hole(port:0, proto:"Cups");
+ security_hole(port:0, proto:sec_proto);
}
}
}
@@ -152,7 +153,7 @@
foreach i (keys(rls)) {
if( kbrls == rls[i] ) {
if(isdpkgvuln(pkg:pkg[i], ver:ver[i], rls:rls[i])) {
- security_hole(port:0, proto:"Cups");
+ security_hole(port:0, proto:sec_proto);
}
}
}
Modified: trunk/openvas-plugins/scripts/smbcl_CVE-2008-0234.nasl
===================================================================
--- trunk/openvas-plugins/scripts/smbcl_CVE-2008-0234.nasl 2008-09-09 14:54:39 UTC (rev 1313)
+++ trunk/openvas-plugins/scripts/smbcl_CVE-2008-0234.nasl 2008-09-09 20:57:12 UTC (rev 1314)
@@ -63,23 +63,9 @@
include("version_func.inc");
include("smbcl_func.inc");
-if( !get_kb_item("SMB/smbclient") ) {
- smbclientavail();
-}
-test_version = "7.50.51";
+if( check_smbcl() == 0 ) exit(0);
- if(get_kb_item("SMB/smbclient") ) {
- if( smbversion() == 0){
- report = string("Error getting SMB-Data -> "+get_kb_item("SMB/ERROR"));
- security_note(port:0, proto:"SMBClient", data:report);
- exit(0);
- }
- } else {
- report = string("SMBClient not found on openvasd host !");
- security_note(port:0, proto:"SMBClient", data:report);
- exit(0);
- }
-
+ test_version = "7.50.51";
win_dir = get_windir();
if( !isnull(win_dir) ) {
test_file[0] = win_dir+"System32\QuickTime.qts";
Modified: trunk/openvas-plugins/scripts/smbcl_flash_player_CB-A08-0059.nasl
===================================================================
--- trunk/openvas-plugins/scripts/smbcl_flash_player_CB-A08-0059.nasl 2008-09-09 14:54:39 UTC (rev 1313)
+++ trunk/openvas-plugins/scripts/smbcl_flash_player_CB-A08-0059.nasl 2008-09-09 20:57:12 UTC (rev 1314)
@@ -84,22 +84,8 @@
include("version_func.inc");
include("smbcl_func.inc");
-if( !get_kb_item("SMB/smbclient") ) {
- smbclientavail();
-}
+if( check_smbcl() == 0 ) exit(0);
- if(get_kb_item("SMB/smbclient") ) {
- if( smbversion() == 0){
- report = string("Error getting SMB-Data -> "+get_kb_item("SMB/ERROR"));
- security_note(port:0, proto:"SMBClient", data:report);
- exit(0);
- }
- } else {
- report = string("SMBClient not found on openvasd host !");
- security_note(port:0, proto:"SMBClient", data:report);
- exit(0);
- }
-
sec_hole = 0;
test_version = "9.0.115.0";
win_dir = get_windir();
Modified: trunk/openvas-plugins/scripts/smbcl_func.inc
===================================================================
--- trunk/openvas-plugins/scripts/smbcl_func.inc 2008-09-09 14:54:39 UTC (rev 1313)
+++ trunk/openvas-plugins/scripts/smbcl_func.inc 2008-09-09 20:57:12 UTC (rev 1314)
@@ -6,7 +6,28 @@
include("misc_func.inc");
+function check_smbcl() {
+ local_var ret;
+ if( !get_kb_item("SMB/smbclient") ) {
+ smbclientavail();
+ }
+ if(get_kb_item("SMB/smbclient") ) {
+ if( smbversion() == 0){
+ report = string("Error getting SMB-Data -> "+get_kb_item("SMB/ERROR"));
+ security_note(port:0, proto:"SMBClient", data:report);
+ ret = 0;
+ } else {
+ ret = 1;
+ }
+ } else {
+ report = string("SMBClient not found on openvasd host !");
+ security_note(port:0, proto:"SMBClient", data:report);
+ ret = 0;
+ }
+ return(ret);
+}
+
function smbclientavail() {
if( find_in_path("smbclient") ){
replace_or_set_kb_item(name: "SMB/smbclient", value: 1);
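Review bot: `check_smbcl()` declares only `ret` in `local_var`, so `report` is not guaranteed to stay local to the helper, and callers use the same name; smbcl_mozilla.nasl, for example, appends to it with `report = report + ...`. Declaring it explicitly, `local_var ret, report;`, keeps the helper from leaking state into every script that includes smbcl_func.inc. A short comment above the function would document the contract the callers rely on: it returns 1 when smbclient is available and `smbversion()` succeeded, and 0 after emitting a `security_note` otherwise. The body of `smbclientavail()` continues past the end of this hunk.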
Modified: trunk/openvas-plugins/scripts/smbcl_gnutls_CB-A08-0079.nasl
===================================================================
--- trunk/openvas-plugins/scripts/smbcl_gnutls_CB-A08-0079.nasl 2008-09-09 14:54:39 UTC (rev 1313)
+++ trunk/openvas-plugins/scripts/smbcl_gnutls_CB-A08-0079.nasl 2008-09-09 20:57:12 UTC (rev 1314)
@@ -66,7 +66,6 @@
script_copyright(english:"This script is under GPLv2");
family["english"] = "Windows";
script_family(english:family["english"]);
- script_dependencies("gather-package-list.nasl");
exit(0);
}
@@ -76,6 +75,8 @@
include("smbcl_func.inc");
include("version_func.inc");
+if( check_smbcl() == 0 ) exit(0);
+
local_var ver, test_version, sec_hole, sec_proto, r, path, share, prog;
sec_hole = 0;
@@ -83,20 +84,7 @@
ver = NULL;
r = NULL;
test_version = "2.2.5";
- if( !get_kb_item("SMB/smbclient") ) {
- smbclientavail();
- }
- if(get_kb_item("SMB/smbclient") ) {
- if( smbversion() == 0){
- report = string("Error getting SMB-Data -> "+get_kb_item("SMB/ERROR"));
- security_note(port:0, proto:"SMBClient", data:report);
- exit(0);
- }
- } else {
- report = string("SMBClient not found on openvasd host !");
- security_note(port:0, proto:"SMBClient", data:report);
- exit(0);
- }
+
path = "Programme\";
share ="C$";
prog = "GnuTLS*";
Modified: trunk/openvas-plugins/scripts/smbcl_mozilla.nasl
===================================================================
--- trunk/openvas-plugins/scripts/smbcl_mozilla.nasl 2008-09-09 14:54:39 UTC (rev 1313)
+++ trunk/openvas-plugins/scripts/smbcl_mozilla.nasl 2008-09-09 20:57:12 UTC (rev 1314)
@@ -67,91 +67,73 @@
include("version_func.inc");
include("smbcl_func.inc");
-if( !get_kb_item("SMB/smbclient") ) {
- smbclientavail();
-}
+if( check_smbcl() == 0 ) exit(0);
-
- if(get_kb_item("SMB/smbclient") ) {
- if( smbversion() == 0){
- report = string("Error getting SMB-Data -> "+get_kb_item("SMB/ERROR"));
- security_note(port:0, proto:"SMBClient", data:report);
- exit(0);
+ test_version = "2.0.0.14"; # Test Firefox
+ test_file[0] = "Programme\Mozilla Firefox\firefox.exe";
+ test_file[1] = "Prog Files\Mozilla Firefox\firefox.exe";
+ foreach filespec (test_file) {
+ r = smbgetdir(share: "C$", dir: filespec, typ: 1 );
+ if( !isnull(r) ) {
+ tmp_filename = get_tmp_dir()+"tmpfile"+rand();
+ if( smbgetfile(share: "C$", filename: filespec, tmp_filename: tmp_filename) ) {
+ v = GetPEProductVersion(tmp_filename:tmp_filename, orig_filename:filespec);
+ unlink(tmp_filename);
+ if( version_is_less(version: v, test_version: test_version) ) {
+ security_hole(port:0, proto:"Win_Mozilla");
+ report = report + "Fileversion : C$ "+filespec + " "+v+string("\n");
+ security_hole(port:0, proto:"Win_Mozilla", data:report);
+ }
+ break;
+ } else {
+ report = string("Error getting SMB-File -> "+get_kb_item("SMB/ERROR")) + string("\n");
+ security_note(port:0, proto:"Win_Mozilla", data:report);
+ }
}
- } else {
- report = string("SMBClient not found on openvasd host !");
- security_note(port:0, proto:"SMBClient", data:report);
- exit(0);
}
-
- win_dir = get_windir();
- if( !isnull(win_dir) ) {
- test_version = "2.0.0.14"; # Test Firefox
- test_file[0] = "Programme\Mozilla Firefox\firefox.exe";
- test_file[1] = "Prog Files\Mozilla Firefox\firefox.exe";
- foreach filespec (test_file) {
- r = smbgetdir(share: "C$", dir: filespec, typ: 1 );
- if( !isnull(r) ) {
- tmp_filename = get_tmp_dir()+"tmpfile"+rand();
- if( smbgetfile(share: "C$", filename: filespec, tmp_filename: tmp_filename) ) {
- v = GetPEProductVersion(tmp_filename:tmp_filename, orig_filename:filespec);
- unlink(tmp_filename);
- if( version_is_less(version: v, test_version: test_version) ) {
- security_hole(port:0, proto:"Win_Mozilla");
- report = report + "Fileversion : C$ "+filespec + " "+v+string("\n");
- security_hole(port:0, proto:"Win_Mozilla", data:report);
- }
- break;
- } else {
- report = string("Error getting SMB-File -> "+get_kb_item("SMB/ERROR")) + string("\n");
- security_note(port:0, proto:"Win_Mozilla", data:report);
+ test_version = "2.0.0.14"; # Test Thunderbird
+ test_file[0] = "Programme\Mozilla Thunderbird\thunderbird.exe";
+ test_file[1] = "Prog Files\Mozilla Thunderbird\thunderbird.exe";
+ foreach filespec (test_file) {
+ r = smbgetdir(share: "C$", dir: filespec, typ: 1 );
+ if( !isnull(r) ) {
+ tmp_filename = get_tmp_dir()+"tmpfile"+rand();
+ if( smbgetfile(share: "C$", filename: filespec, tmp_filename: tmp_filename) ) {
+ v = GetPEProductVersion(tmp_filename:tmp_filename, orig_filename:filespec);
+ unlink(tmp_filename);
+ if( version_is_less(version: v, test_version: test_version) ) {
+ security_hole(port:0, proto:"Win_Mozilla");
+ report = report + "Fileversion : C$ "+filespec + " "+v+string("\n");
+ security_hole(port:0, proto:"Win_Mozilla", data:report);
}
- }
+ break;
+ } else {
+ report = string("Error getting SMB-File -> "+get_kb_item("SMB/ERROR")) + string("\n");
+ security_note(port:0, proto:"Win_Mozilla", data:report);
+ }
}
- test_version = "2.0.0.14"; # Test Thunderbird
- test_file[0] = "Programme\Mozilla Thunderbird\thunderbird.exe";
- test_file[1] = "Prog Files\Mozilla Thunderbird\thunderbird.exe";
- foreach filespec (test_file) {
- r = smbgetdir(share: "C$", dir: filespec, typ: 1 );
- if( !isnull(r) ) {
- tmp_filename = get_tmp_dir()+"tmpfile"+rand();
- if( smbgetfile(share: "C$", filename: filespec, tmp_filename: tmp_filename) ) {
- v = GetPEProductVersion(tmp_filename:tmp_filename, orig_filename:filespec);
- unlink(tmp_filename);
- if( version_is_less(version: v, test_version: test_version) ) {
- security_hole(port:0, proto:"Win_Mozilla");
- report = report + "Fileversion : C$ "+filespec + " "+v+string("\n");
- security_hole(port:0, proto:"Win_Mozilla", data:report);
- }
- break;
- } else {
- report = string("Error getting SMB-File -> "+get_kb_item("SMB/ERROR")) + string("\n");
- security_note(port:0, proto:"Win_Mozilla", data:report);
+ }
+ test_version = "1.1.9"; # Test SeaMonkey
+ test_file[0] = "Programme\mozilla.org\SeaMonkey\seamonkey.exe";
+ test_file[1] = "Prog Files\mozilla.org\SeaMonkey\seamonkey.exe";
+ foreach filespec (test_file) {
+ r = smbgetdir(share: "C$", dir: filespec, typ: 1 );
+ if( !isnull(r) ) {
+ tmp_filename = get_tmp_dir()+"tmpfile"+rand();
+ if( smbgetfile(share: "C$", filename: filespec, tmp_filename: tmp_filename) ) {
+ v = GetPEProductVersion(tmp_filename:tmp_filename, orig_filename:filespec);
+ unlink(tmp_filename);
+ if( version_is_less(version: v, test_version: test_version) ) {
+ security_hole(port:0, proto:"Win_Mozilla");
+ report = report + "Fileversion : C$ "+filespec + " "+v+string("\n");
+ security_hole(port:0, proto:"Win_Mozilla", data:report);
}
- }
+ break;
+ } else {
+ report = string("Error getting SMB-File -> "+get_kb_item("SMB/ERROR")) + string("\n");
+ security_note(port:0, proto:"Win_Mozilla", data:report);
+ }
}
- test_version = "1.1.9"; # Test SeaMonkey
- test_file[0] = "Programme\mozilla.org\SeaMonkey\seamonkey.exe";
- test_file[1] = "Prog Files\mozilla.org\SeaMonkey\seamonkey.exe";
- foreach filespec (test_file) {
- r = smbgetdir(share: "C$", dir: filespec, typ: 1 );
- if( !isnull(r) ) {
- tmp_filename = get_tmp_dir()+"tmpfile"+rand();
- if( smbgetfile(share: "C$", filename: filespec, tmp_filename: tmp_filename) ) {
- v = GetPEProductVersion(tmp_filename:tmp_filename, orig_filename:filespec);
- unlink(tmp_filename);
- if( version_is_less(version: v, test_version: test_version) ) {
- security_hole(port:0, proto:"Win_Mozilla");
- report = report + "Fileversion : C$ "+filespec + " "+v+string("\n");
- security_hole(port:0, proto:"Win_Mozilla", data:report);
- }
- break;
- } else {
- report = string("Error getting SMB-File -> "+get_kb_item("SMB/ERROR")) + string("\n");
- security_note(port:0, proto:"Win_Mozilla", data:report);
- }
- }
- }
}
exit(0);
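Review bot: `tmp_filename = get_tmp_dir()+"tmpfile"+rand();` in each of the three loops builds the download path from a fixed prefix and `rand()`, so the name is guessable and nothing visible here ensures the file does not already exist before `smbgetfile()` writes to it. If `get_tmp_dir()` resolves to a shared directory on the scanner host (not visible in this diff), a pre-created file or symlink at that path could redirect the write. A helper that creates the file exclusively in a scanner-private directory would close that gap; the same line appears in smbcl_openoffice_CB-A08-0068.nasl. Separately, `report` is never reset, so an earlier "Error getting SMB-File" text or a previous product's line is carried into the next finding; `report = "Fileversion : C$ "+filespec+" "+v+string("\n");` avoids that.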
Added: trunk/openvas-plugins/scripts/smbcl_openoffice_CB-A08-0068.nasl
===================================================================
--- trunk/openvas-plugins/scripts/smbcl_openoffice_CB-A08-0068.nasl 2008-09-09 14:54:39 UTC (rev 1313)
+++ trunk/openvas-plugins/scripts/smbcl_openoffice_CB-A08-0068.nasl 2008-09-09 20:57:12 UTC (rev 1314)
@@ -0,0 +1,111 @@
+#
+# This script was written by Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>
+#
+# This script is released under the GNU GPLv2
+#
+# $Revision: 01 $
+
+if(description)
+{
+
+ script_id(90030);
+ script_version ("$Revision: 01 $");
+ script_cve_id("CVE-2008-2152");
+ name["english"] = "OpenOffice.org <= 2.4.1 vulnerability";
+ script_name(english:name["english"]);
+
+ desc["english"] = "The remote host is probably affected by the vulnerabilities described in
+CVE-2008-2152 or CVE-2008-3282 on 64-bit platform's
+
+OpenOffice.org <= 2.4.1 vulnerability
+
+Impact
+
+ CVE-2008-2152
+ Integer overflow in the rtl_allocateMemory function in
+ sal/rtl/source/alloc_global.c in OpenOffice.org (OOo)
+ 2.0 through 2.4 allows remote attackers to execute
+ arbitrary code via a crafted file that triggers a
+ heap-based buffer overflow.
+ CVE-2008-3282
+ Integer overflow in the rtl_allocateMemory function
+ in sal/rtl/source/alloc_global.c in the memory allocator
+ in OpenOffice.org (OOo) 2.4.1, on 64-bit platforms, allows
+ remote attackers to cause a denial of service (application
+ crash) or possibly execute arbitrary code via a crafted
+ document, related to a 'numeric truncation error,' a
+ different vulnerability than CVE-2008-2152.
+
+References:
+ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2152
+ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3282
+
+Solution:
+ All OpenOffice.org users should upgrade to the latest version:
+
+
+Risk factor : High
+";
+
+ script_description(english:desc["english"]);
+ summary["english"] = "Determines OpenOffice.org <= 2.4.1 vulnerability";
+ script_summary(english:summary["english"]);
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"This script is under GPLv2");
+ family["english"] = "Windows";
+ script_family(english:family["english"]);
+ exit(0);
+}
+
+#
+# The code starts here
+#
+include("version_func.inc");
+include("smbcl_func.inc");
+if( check_smbcl() == 0 ) exit(0);
+
+sec_hole = 0;
+sec_proto = "OpenOffice.org";
+test_version = "2.4.9310";
+ver = NULL;
+r = NULL;
+
+ sec_hole = 0;
+ path = "Programme\";
+ share ="C$";
+ prog = "OpenOffice.org*";
+ r = smbgetdir(share: share, dir: path+prog, typ: 2 );
+ if( isnull(r) ) {
+ path = "Program Files\";
+ r = smbgetdir(share: share, dir: path+prog, typ: 2 );
+ }
+ if( !isnull(r) ) {
+ foreach oodir (r) {
+ file_spec = path+oodir+"\program\version.ini";
+ r = smbgetdir(share: "C$", dir: file_spec, typ: 1 );
+ if( !isnull(r) ) {
+ tmp_filename = get_tmp_dir()+"tmpfile"+rand();
+ if( smbgetfile(share: "C$", filename: file_spec, tmp_filename: tmp_filename) ) {
+ ver = fread(tmp_filename);
+ unlink(tmp_filename);
+ if( ! isnull(ver) ) {
+ version = ereg_replace(pattern:".+OOOBaseVersion=", string: ver, replace: "")+".";
+ version = eregmatch(pattern:"([0-9]\.)+[0-9]+", string: version);
+ build = ereg_replace(pattern:".+ProductBuildid=", string: ver, replace: "");
+ build = eregmatch(pattern:"^[0-9]+", string: build);
+ ver = version[0]+"."+build[0];
+ set_kb_item(name: "OpenOffice.org/Build", value: ver);
+ if( version_is_less(version:ver, test_version:test_version) ) {
+ if(sec_hole == 0) {
+ security_warning(port:0, proto:sec_proto);
+ sec_hole = 1;
+ }
+ security_warning(port:0, proto:sec_proto, data:string("\nFound : ") + oodir +
+ " Build : " + ver + string("\n"));
+ }
+ }
+ }
+ }
+ }
+ }
+exit(0);
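Review bot: Inside `foreach oodir (r)` the line `r = smbgetdir(share: "C$", dir: file_spec, typ: 1 );` overwrites the list that is being iterated, so whether the remaining OpenOffice.org directories are still visited depends on how the interpreter handles that. A separate variable, e.g. `f = smbgetdir(share: "C$", dir: file_spec, typ: 1 );` followed by `if( !isnull(f) ) {`, keeps the loop well defined. `version` and `build` from `eregmatch()` are also used without an `isnull()` check, so a version.ini that lacks either key yields a malformed `ver` that is stored in the KB and passed to `version_is_less()`. The description names CVE-2008-3282, but `script_cve_id` lists only CVE-2008-2152.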
Modified: trunk/openvas-plugins/scripts/version_func.inc
===================================================================
--- trunk/openvas-plugins/scripts/version_func.inc 2008-09-09 14:54:39 UTC (rev 1313)
+++ trunk/openvas-plugins/scripts/version_func.inc 2008-09-09 20:57:12 UTC (rev 1314)
@@ -3,7 +3,7 @@
#
# This script is released under the GNU GPLv2
#
-# $Revision: 6 $
+# $Revision: 8 $
# XXX: the version tests should be eventually consolidated with
# the methods from revisions-lib.inc.
@@ -29,8 +29,8 @@
r = NULL;
}
}
- if( ("/locatedb" >< r) || ("execvp:" >< r) || ("fatal error" >< r) || ("No such file or dir" >< r) ) {
- if("execvp:" >!< whe) {
+ if( "bin/"+prog_name >!< r ) {
+ if( "bin/"+prog_name >< whe ) {
r = split(substr(whe - (prog_name + ":"), 1), sep:" ");
} else {
r = NULL;
@@ -47,7 +47,7 @@
}
function find_file(file_name, file_path) {
- local_var r, f, sock;
+ local_var r, f, sock, fname;
r = NULL;
if (islocalhost()) {
@@ -58,15 +58,21 @@
} else {
sock = ssh_login_or_reuse_connection();
if (sock) {
- r = split(ssh_cmd(socket:sock, cmd:"locate "+file_path+file_name, timeout:60));
- if(! isnull(file_path) ) {
- f = split(ssh_cmd(socket:sock, cmd:"find "+file_path+" -name "+file_name+" -type f"));
+ r = split(ssh_cmd(socket:sock, cmd:"locate "+raw_string(0x22)+file_path+file_name+raw_string(0x22), timeout:60));
+ if(!isnull(file_path) ) {
+ f = split(ssh_cmd(socket:sock, cmd:"find "+raw_string(0x22)+file_path+raw_string(0x22)+
+ " -name "+raw_string(0x22)+file_name+raw_string(0x22)+" -type f"));
}
ssh_close_connection();
}
}
- if( ("/locatedb" >< r) || ("execvp:" >< r) || ("fatal error" >< r) || ("No such file or dir" >< r) ) {
- r = f;
+ fname = ereg_replace(pattern:"\*.+", string:file_name, replace:"");
+ if( fname >!< r ) {
+ if( fname >< f ) {
+ r = f;
+ } else {
+ r = NULL;
+ }
}
return (r);
}
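Review bot: Wrapping `file_path` and `file_name` in `raw_string(0x22)` protects against spaces only; inside double quotes the remote shell still expands `$`, backticks and an embedded `"`, and openoffice_CB-A08-0068.nasl in this same commit passes a directory taken from `find_file()` output on the target as `file_path`. Since the command runs under the scan account on the target, the arguments should be validated before the command string is built, for example `if( ereg(pattern:"[^A-Za-z0-9_./* -]", string:string(file_path, file_name)) ) return NULL;` at the top of the function. `find_file()` starts above this hunk and its local (`islocalhost()`) branch is not visible here, so the same check may be needed there.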
Modified: trunk/openvas-plugins/scripts/win_CVE-2007-0043.nasl
===================================================================
--- trunk/openvas-plugins/scripts/win_CVE-2007-0043.nasl 2008-09-09 14:54:39 UTC (rev 1313)
+++ trunk/openvas-plugins/scripts/win_CVE-2007-0043.nasl 2008-09-09 20:57:12 UTC (rev 1314)
@@ -53,24 +53,9 @@
include("version_func.inc");
include("smbcl_func.inc");
-if( !get_kb_item("SMB/smbclient") ) {
- smbclientavail();
-}
-test_version = "2.0.50727.832";
+if( check_smbcl() == 0 ) exit(0);
-
- if(get_kb_item("SMB/smbclient") ) {
- if( smbversion() == 0){
- report = string("Error getting SMB-Data -> "+get_kb_item("SMB/ERROR"));
- security_note(port:0, proto:"SMBClient", data:report);
- exit(0);
- }
- } else {
- report = string("SMBClient not found on this host !");
- security_note(port:0, proto:"SMBClient", data:report);
- exit(0);
- }
-
+ test_version = "2.0.50727.832";
win_dir = get_windir();
if( !isnull(win_dir) ) {
path = win_dir+"Microsoft.NET\Framework\";
Modified: trunk/openvas-plugins/scripts/win_CVE-2007-6026.nasl
===================================================================
--- trunk/openvas-plugins/scripts/win_CVE-2007-6026.nasl 2008-09-09 14:54:39 UTC (rev 1313)
+++ trunk/openvas-plugins/scripts/win_CVE-2007-6026.nasl 2008-09-09 20:57:12 UTC (rev 1314)
@@ -54,23 +54,8 @@
include("version_func.inc");
include("smbcl_func.inc");
+if( check_smbcl() == 0 ) exit(0);
- if( !get_kb_item("SMB/smbclient") ) {
- smbclientavail();
- }
-
- if(get_kb_item("SMB/smbclient") ) {
- if( smbversion() == 0){
- report = string("Error getting SMB-Data -> "+get_kb_item("SMB/ERROR"));
- security_note(port:0, proto:"SMBClient", data:report);
- exit(0);
- }
- } else {
- report = string("SMBClient not found on this host !");
- security_note(port:0, proto:"SMBClient", data:report);
- exit(0);
- }
-
win_dir = get_windir();
sec_hole = 0;
if( !isnull(win_dir) ) {
Modified: trunk/openvas-plugins/scripts/win_CVE-2008-0080.nasl
===================================================================
--- trunk/openvas-plugins/scripts/win_CVE-2008-0080.nasl 2008-09-09 14:54:39 UTC (rev 1313)
+++ trunk/openvas-plugins/scripts/win_CVE-2008-0080.nasl 2008-09-09 20:57:12 UTC (rev 1314)
@@ -57,22 +57,8 @@
include("version_func.inc");
include("smbcl_func.inc");
- if( !get_kb_item("SMB/smbclient") ) {
- smbclientavail();
- }
+if( check_smbcl() == 0 ) exit(0);
- if(get_kb_item("SMB/smbclient") ) {
- if( smbversion() == 0){
- report = string("Error getting SMB-Data -> "+get_kb_item("SMB/ERROR"));
- security_note(port:0, proto:"SMBClient", data:report);
- exit(0);
- }
- } else {
- report = string("SMBClient not found on this host !");
- security_note(port:0, proto:"SMBClient", data:report);
- exit(0);
- }
-
win_dir = get_windir();
if( !isnull(win_dir) ) {
os = get_kb_item("SMB/OS");
Modified: trunk/openvas-plugins/scripts/win_CVE-2008-0087.nasl
===================================================================
--- trunk/openvas-plugins/scripts/win_CVE-2008-0087.nasl 2008-09-09 14:54:39 UTC (rev 1313)
+++ trunk/openvas-plugins/scripts/win_CVE-2008-0087.nasl 2008-09-09 20:57:12 UTC (rev 1314)
@@ -51,23 +51,8 @@
include("version_func.inc");
include("smbcl_func.inc");
+if( check_smbcl() == 0 ) exit(0);
- if( !get_kb_item("SMB/smbclient") ) {
- smbclientavail();
- }
-
- if(get_kb_item("SMB/smbclient") ) {
- if( smbversion() == 0){
- report = string("Error getting SMB-Data -> "+get_kb_item("SMB/ERROR"));
- security_note(port:0, proto:"SMBClient", data:report);
- exit(0);
- }
- } else {
- report = string("SMBClient not found on this host !");
- security_note(port:0, proto:"SMBClient", data:report);
- exit(0);
- }
-
win_dir = get_windir();
sec_hole = 0;
if( !isnull(win_dir) ) {