[Openvas-commits] r1314 - in trunk/openvas-plugins: . scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Tue Sep 9 22:57:13 CEST 2008


Author: ckm
Date: 2008-09-09 22:57:12 +0200 (Tue, 09 Sep 2008)
New Revision: 1314

Added:
   trunk/openvas-plugins/scripts/openoffice_CB-A08-0068.nasl
   trunk/openvas-plugins/scripts/smbcl_openoffice_CB-A08-0068.nasl
Modified:
   trunk/openvas-plugins/ChangeLog
   trunk/openvas-plugins/scripts/gnutls_CB-A08-0079.nasl
   trunk/openvas-plugins/scripts/libpng_CB-A08-0064.nasl
   trunk/openvas-plugins/scripts/mozilla_CB-A08-0017.nasl
   trunk/openvas-plugins/scripts/samba_CB-A08-0085.nasl
   trunk/openvas-plugins/scripts/smbcl_CVE-2008-0234.nasl
   trunk/openvas-plugins/scripts/smbcl_flash_player_CB-A08-0059.nasl
   trunk/openvas-plugins/scripts/smbcl_func.inc
   trunk/openvas-plugins/scripts/smbcl_gnutls_CB-A08-0079.nasl
   trunk/openvas-plugins/scripts/smbcl_mozilla.nasl
   trunk/openvas-plugins/scripts/version_func.inc
   trunk/openvas-plugins/scripts/win_CVE-2007-0043.nasl
   trunk/openvas-plugins/scripts/win_CVE-2007-6026.nasl
   trunk/openvas-plugins/scripts/win_CVE-2008-0080.nasl
   trunk/openvas-plugins/scripts/win_CVE-2008-0087.nasl
Log:
  * scripts/samba_CB-A08-0085.nasl: changed proto.
  * scripts/smbcl_func: Added function check_smbcl() for easy
    smbclient/win check. Added function to all scripts using
    smbcl_func.inc.
  * scripts/libpng_CB-A08-0064.nasl: fixed proto
  * scripts/smbcl_openoffice_CB-A08-0068.nasl: New.
  * scripts/version_func.inc: changed function find_file
  * scripts/gnutls_CB-A08-0079.nasl: fixed script_dependencies
  * scripts/openoffice_CB-A08-0068.nasl: new
  * scripts/smbcl_mozilla.nasl: removed win_dir check, cosmetics.



Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2008-09-09 14:54:39 UTC (rev 1313)
+++ trunk/openvas-plugins/ChangeLog	2008-09-09 20:57:12 UTC (rev 1314)
@@ -1,3 +1,16 @@
+2008-09-09  Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>.
+
+        * scripts/samba_CB-A08-0085.nasl: changed proto.
+        * scripts/smbcl_func: Added function check_smbcl() for easy
+          smbclient/win check. Added function to all scripts using 
+          smbcl_func.inc.
+        * scripts/libpng_CB-A08-0064.nasl: fixed proto
+        * scripts/smbcl_openoffice_CB-A08-0068.nasl: New.
+        * scripts/version_func.inc: changed function find_file
+        * scripts/gnutls_CB-A08-0079.nasl: fixed script_dependencies
+        * scripts/openoffice_CB-A08-0068.nasl: new
+        * scripts/smbcl_mozilla.nasl: removed win_dir check, cosmetics.
+
 2008-09-09   Vlatko Kosturjak <kost at linux.hr>
 
 	* added contribution from Christian Eric Edjenguele

Modified: trunk/openvas-plugins/scripts/gnutls_CB-A08-0079.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gnutls_CB-A08-0079.nasl	2008-09-09 14:54:39 UTC (rev 1313)
+++ trunk/openvas-plugins/scripts/gnutls_CB-A08-0079.nasl	2008-09-09 20:57:12 UTC (rev 1314)
@@ -65,7 +65,7 @@
  script_copyright(english:"This script is under GPLv2");
  family["english"] = "Local test";
  script_family(english:family["english"]);
- script_dependencies("gather-package-list.nasl");
+ script_dependencies("ssh_authorization.nasl");
  exit(0);
 }
 
@@ -89,6 +89,7 @@
     r[0] = chomp(r[0]);
     ver = get_bin_version(full_prog_name:r[0], version_argv:"--version", ver_pattern:"([0-9\.]+)");
   }
+  r = NULL;
   if(isnull(ver) || version_is_less(version:ver[0], test_version:"2.2.5") ) {
     grep = find_bin(prog_name:"grep");
     grep = chomp(grep[0]);

Modified: trunk/openvas-plugins/scripts/libpng_CB-A08-0064.nasl
===================================================================
--- trunk/openvas-plugins/scripts/libpng_CB-A08-0064.nasl	2008-09-09 14:54:39 UTC (rev 1313)
+++ trunk/openvas-plugins/scripts/libpng_CB-A08-0064.nasl	2008-09-09 20:57:12 UTC (rev 1314)
@@ -60,24 +60,24 @@
   ver = get_bin_version(full_prog_name:binary_name, version_argv:"--version", ver_pattern:"([0-9\.]+)");
   if(ver != NULL) {
     if(version_is_less(version:ver[0], test_version:"1.0.32") ) {
-      security_warning(port:0, proto:secproto);
+      security_warning(port:0, proto:sec_proto);
       report = string("\nFound : ") + binary_name + "  Version : " + ver[max_index(ver)-1] + string("\n");
-      security_warning(port:0, proto:secproto, data:report);
+      security_warning(port:0, proto:sec_proto, data:report);
     } else {
       if(version_is_greater_equal(version:ver[0], test_version:"1.2.0") &&
          version_is_less(version:ver[0], test_version:"1.2.27") ) {
-        security_warning(port:0, proto:secproto);
+        security_warning(port:0, proto:sec_proto);
         report = string("\nFound : ") + binary_name + "  Version : " + ver[max_index(ver)-1] + string("\n");
-        security_warning(port:0, proto:secproto, data:report);
+        security_warning(port:0, proto:sec_proto, data:report);
       } else {
         if(version_is_equal(version:ver[0], test_version:"1.4.0") ) {
           ver = get_bin_version(full_prog_name:binary_name, version_argv:"--version", ver_pattern:"(beta..)");
           if(ver != NULL) {
             if(version_is_greater_equal(version:ver[0], test_version:"beta01") && 
                version_is_less(version:ver[0], test_version:"beta20") ) {
-              security_warning(port:0, proto:secproto);
+              security_warning(port:0, proto:sec_proto);
               report = string("\nFound : ") + binary_name + "  Version : " + ver[max_index(ver)-1] + string("\n");
-              security_warning(port:0, proto:secproto, data:report);
+              security_warning(port:0, proto:sec_proto, data:report);
             }
           }
         }

Modified: trunk/openvas-plugins/scripts/mozilla_CB-A08-0017.nasl
===================================================================
--- trunk/openvas-plugins/scripts/mozilla_CB-A08-0017.nasl	2008-09-09 14:54:39 UTC (rev 1313)
+++ trunk/openvas-plugins/scripts/mozilla_CB-A08-0017.nasl	2008-09-09 20:57:12 UTC (rev 1314)
@@ -58,6 +58,7 @@
  script_copyright(english:"This script is under GPLv2");
  family["english"] = "Local test";
  script_family(english:family["english"]);
+ script_dependencies("ssh_authorization.nasl");
  exit(0);
 }
 

Added: trunk/openvas-plugins/scripts/openoffice_CB-A08-0068.nasl
===================================================================
--- trunk/openvas-plugins/scripts/openoffice_CB-A08-0068.nasl	2008-09-09 14:54:39 UTC (rev 1313)
+++ trunk/openvas-plugins/scripts/openoffice_CB-A08-0068.nasl	2008-09-09 20:57:12 UTC (rev 1314)
@@ -0,0 +1,124 @@
+#
+# This script was written by Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>
+#
+# This script is released under the GNU GPLv2
+#
+# $Revision: 01 $
+
+if(description)
+{
+
+ script_id(90029);
+ script_version ("$Revision: 01 $");
+ script_cve_id("CVE-2008-2152");
+ name["english"] = "OpenOffice.org <= 2.4.1 vulnerability";
+ script_name(english:name["english"]);
+
+ desc["english"] = "The remote host is probably affected by the vulnerabilities described in
+CVE-2008-2152 or CVE-2008-3282 on 64-bit platform's
+
+OpenOffice.org <= 2.4.1 vulnerability
+
+Impact
+
+   CVE-2008-2152
+     Integer overflow in the rtl_allocateMemory function in
+     sal/rtl/source/alloc_global.c in OpenOffice.org (OOo)
+     2.0 through 2.4 allows remote attackers to execute
+     arbitrary code via a crafted file that triggers a
+     heap-based buffer overflow. 
+   CVE-2008-3282
+     Integer overflow in the rtl_allocateMemory function
+     in sal/rtl/source/alloc_global.c in the memory allocator
+     in OpenOffice.org (OOo) 2.4.1, on 64-bit platforms, allows
+     remote attackers to cause a denial of service (application
+     crash) or possibly execute arbitrary code via a crafted
+     document, related to a 'numeric truncation error,' a
+     different vulnerability than CVE-2008-2152. 
+ 
+References:
+    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2152
+    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3282
+
+Solution:
+    All OpenOffice.org users should upgrade to the latest version:
+
+
+Risk factor : High
+";
+
+ script_description(english:desc["english"]);
+ summary["english"] = "Determines OpenOffice.org <= 2.4.1 vulnerability";
+ script_summary(english:summary["english"]);
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"This script is under GPLv2");
+ family["english"] = "Local test";
+ script_family(english:family["english"]);
+ script_dependencies("ssh_authorization.nasl");
+ exit(0);
+}
+
+#
+# The code starts here
+#
+
+include("version_func.inc");
+
+local_var ver, sec_hole, sec_proto, garg, file_name, arg, r, i, t, l, p;
+
+sec_hole = 0;
+sec_proto = "OpenOffice.org";
+test_version = "2.4.9310";
+ver = NULL;
+r = NULL;
+
+  l = find_file(file_name:"soffice.bin");
+  if( isnull(l) ) {
+    l = find_file(file_path:"/usr/lib/", file_name:"soffice.bin");
+    if( isnull(l) ) {    
+      l = find_file(file_path:"/usr/lib64/", file_name:"soffice.bin");	      
+    }
+  }
+  if( ! isnull(l) ) {
+    i = 0;
+    foreach t (l) {
+      if( "soffice.bin" >< t ) {
+        p = chomp(ereg_replace(string:t, pattern:"soffice.bin", replace:""));
+        if( !isnull(find_file(file_path:p, file_name:"versionrc")) ) {
+          r[i++] =  p + "versionrc";
+        }
+      }
+    }
+    foreach file_name (r) {
+      file_name = chomp(file_name);
+      if(islocalhost()) { 
+        arg = file_name;
+      } else {
+        arg = raw_string(0x22)+file_name+raw_string(0x22);
+      }
+      ver = get_bin_version(full_prog_name:"cat", version_argv:arg, ver_pattern:".+");
+      if( ! isnull(ver) && !((ver[0] =~ "Vendor=Debian") && (ver[0] !~ "Ubuntu")) ) {
+        version = ereg_replace(pattern:".+OOOBaseVersion=", string: ver[0], replace: "")+".";
+        version = eregmatch(pattern:"([0-9]\.)+[0-9]+", string: version);
+        build = ereg_replace(pattern:".+ProductBuildid=", string: ver[0], replace: "");
+        build = eregmatch(pattern:"^[0-9]+", string: build);
+        ver = version[0]+"."+build[0];
+        set_kb_item(name: "OpenOffice.org/Build", value: ver);
+        if( "/lib64" >< t ) {
+          test_version = "2.4.9311";
+        } else {
+          test_version = "2.4.9310";          
+        }
+        if( version_is_less(version:ver, test_version:test_version) ) {
+          if(sec_hole == 0) {
+            security_warning(port:0, proto:sec_proto);
+            sec_hole = 1;
+          }
+          security_warning(port:0, proto:sec_proto, data:string("\nFound : ") + 
+                       (ereg_replace(string:file_name, pattern:"versionrc", replace:"soffice.bin")) +
+                       " Build : " + ver + string("\n"));
+        }  
+      }
+    }
+  }
+exit(0);
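Review bot: The 64-bit threshold test `if( "/lib64" >< t )` reads `t`, the loop variable of the earlier `foreach t (l)`, so inside `foreach file_name (r)` it is not tied to the install being evaluated and the choice between 2.4.9310 and 2.4.9311 may be made on an unrelated path; `if( "/lib64" >< file_name ) {` would test the file actually read. Both `eregmatch()` results are used as `version[0]` and `build[0]` without an `isnull()` check, so a versionrc lacking OOOBaseVersion or ProductBuildid would probably produce a malformed `ver` that is compared and stored in the KB; `if( isnull(version) || isnull(build) ) continue;` before the concatenation avoids a spurious warning, and smbcl_openoffice_CB-A08-0068.nasl has the same pattern. The description covers CVE-2008-3282 as well, so `script_cve_id("CVE-2008-2152", "CVE-2008-3282");` would let results be correlated on both identifiers.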


Property changes on: trunk/openvas-plugins/scripts/openoffice_CB-A08-0068.nasl
___________________________________________________________________
Name: svn:executable
   + *

Modified: trunk/openvas-plugins/scripts/samba_CB-A08-0085.nasl
===================================================================
--- trunk/openvas-plugins/scripts/samba_CB-A08-0085.nasl	2008-09-09 14:54:39 UTC (rev 1313)
+++ trunk/openvas-plugins/scripts/samba_CB-A08-0085.nasl	2008-09-09 20:57:12 UTC (rev 1314)
@@ -10,7 +10,7 @@
 
  script_id(90028);
  script_version ("$Revision: 01 $");
-# script_cve_id("CVE-2008-1105");
+ script_cve_id("CVE-2008-1105");
  name["english"] = "Samba 3.0.0 > 3.0.29 vulnerability";
  script_name(english:name["english"]);
 
@@ -54,6 +54,7 @@
 include("version_func.inc");
 include("revisions-lib.inc");
 include("pkg-lib-deb.inc");
+sec_proto = "Samba";
 
 # Checking SuSE/Fedora
    kbrls = get_kb_item("ssh/login/release");
@@ -94,14 +95,14 @@
          version = get_string_version(text:rpms, ver_pattern:pat);
          if(!isnull(version)) {
 	   if( version_is_less(version:version[1], test_version:ver[i]) ) {
-             security_hole(port:0, proto:"Cups");
+             security_hole(port:0, proto:sec_proto);
            } else {
              if( version_is_equal(version:version[1], test_version:ver[i]) ) {
                pat = version[0]+"~([0-9\.\-]+)";
                release = get_string_version(text:rpms, ver_pattern:pat);
                if(!isnull(release)) {
                  if( version_is_less(version:release[1] ,test_version:rel[i]) ) {
-                   security_hole(port:0, proto:"Cups");
+                   security_hole(port:0, proto:sec_proto);
                  }
                }
              }
@@ -125,7 +126,7 @@
          version = get_string_version(text:pkg, ver_pattern:pat);
          if(!isnull(version)) {
 	   if( revcomp(a:version[1], b: ver[0]) == -1 ) {
-             security_hole(port:0, proto:"Cups");
+             security_hole(port:0, proto:sec_proto);
            }
          }
        }
@@ -152,7 +153,7 @@
    foreach i (keys(rls)) {
      if( kbrls == rls[i] ) {
        if(isdpkgvuln(pkg:pkg[i], ver:ver[i], rls:rls[i])) {
-         security_hole(port:0, proto:"Cups");
+         security_hole(port:0, proto:sec_proto);
        }
      }
    }

Modified: trunk/openvas-plugins/scripts/smbcl_CVE-2008-0234.nasl
===================================================================
--- trunk/openvas-plugins/scripts/smbcl_CVE-2008-0234.nasl	2008-09-09 14:54:39 UTC (rev 1313)
+++ trunk/openvas-plugins/scripts/smbcl_CVE-2008-0234.nasl	2008-09-09 20:57:12 UTC (rev 1314)
@@ -63,23 +63,9 @@
 
 include("version_func.inc");
 include("smbcl_func.inc");
-if( !get_kb_item("SMB/smbclient") ) {
-   smbclientavail();
-}
-test_version = "7.50.51";
+if( check_smbcl() == 0 ) exit(0);
 
-  if(get_kb_item("SMB/smbclient") ) {
-    if( smbversion() == 0){
-      report = string("Error getting SMB-Data -> "+get_kb_item("SMB/ERROR"));
-      security_note(port:0, proto:"SMBClient", data:report);
-      exit(0);
-    }
-  } else {
-    report = string("SMBClient not found on openvasd host !");
-    security_note(port:0, proto:"SMBClient", data:report);
-    exit(0);
-  }
-
+  test_version = "7.50.51";
   win_dir = get_windir();
   if( !isnull(win_dir) ) {
     test_file[0] = win_dir+"System32\QuickTime.qts";

Modified: trunk/openvas-plugins/scripts/smbcl_flash_player_CB-A08-0059.nasl
===================================================================
--- trunk/openvas-plugins/scripts/smbcl_flash_player_CB-A08-0059.nasl	2008-09-09 14:54:39 UTC (rev 1313)
+++ trunk/openvas-plugins/scripts/smbcl_flash_player_CB-A08-0059.nasl	2008-09-09 20:57:12 UTC (rev 1314)
@@ -84,22 +84,8 @@
 
 include("version_func.inc");
 include("smbcl_func.inc");
-if( !get_kb_item("SMB/smbclient") ) {
-   smbclientavail();
-}
+if( check_smbcl() == 0 ) exit(0);
 
-  if(get_kb_item("SMB/smbclient") ) {
-    if( smbversion() == 0){
-      report = string("Error getting SMB-Data -> "+get_kb_item("SMB/ERROR"));
-      security_note(port:0, proto:"SMBClient", data:report);
-      exit(0);
-    }
-  } else {
-    report = string("SMBClient not found on openvasd host !");
-    security_note(port:0, proto:"SMBClient", data:report);
-    exit(0);
-  }
-
   sec_hole = 0;
   test_version = "9.0.115.0";
   win_dir = get_windir();

Modified: trunk/openvas-plugins/scripts/smbcl_func.inc
===================================================================
--- trunk/openvas-plugins/scripts/smbcl_func.inc	2008-09-09 14:54:39 UTC (rev 1313)
+++ trunk/openvas-plugins/scripts/smbcl_func.inc	2008-09-09 20:57:12 UTC (rev 1314)
@@ -6,7 +6,28 @@
 
 include("misc_func.inc");
 
+function check_smbcl() {
+  local_var ret;
 
+  if( !get_kb_item("SMB/smbclient") ) {
+    smbclientavail();
+  }
+  if(get_kb_item("SMB/smbclient") ) {
+    if( smbversion() == 0){
+      report = string("Error getting SMB-Data -> "+get_kb_item("SMB/ERROR"));
+      security_note(port:0, proto:"SMBClient", data:report);
+      ret = 0;
+    } else {
+      ret = 1;
+    }    
+  } else {
+    report = string("SMBClient not found on openvasd host !");
+    security_note(port:0, proto:"SMBClient", data:report);
+    ret = 0;
+  }
+  return(ret);  
+}
+
 function smbclientavail() {
   if( find_in_path("smbclient") ){
     replace_or_set_kb_item(name: "SMB/smbclient", value: 1);
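Review bot: `check_smbcl()` assigns `report` without declaring it, since only `ret` appears in `local_var`; depending on how the interpreter resolves undeclared names this can overwrite a `report` variable in the including script, and several callers build their findings with `report = report + ...`. Declaring it with `local_var ret, report;` keeps the helper self-contained. A short header comment would also help callers: the function returns 1 only when smbclient is available and `smbversion()` succeeded, and otherwise posts a `security_note` under proto "SMBClient" and returns 0. smbclientavail() continues past the end of this hunk.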

Modified: trunk/openvas-plugins/scripts/smbcl_gnutls_CB-A08-0079.nasl
===================================================================
--- trunk/openvas-plugins/scripts/smbcl_gnutls_CB-A08-0079.nasl	2008-09-09 14:54:39 UTC (rev 1313)
+++ trunk/openvas-plugins/scripts/smbcl_gnutls_CB-A08-0079.nasl	2008-09-09 20:57:12 UTC (rev 1314)
@@ -66,7 +66,6 @@
  script_copyright(english:"This script is under GPLv2");
  family["english"] = "Windows";
  script_family(english:family["english"]);
- script_dependencies("gather-package-list.nasl");
  exit(0);
 }
 
@@ -76,6 +75,8 @@
 
 include("smbcl_func.inc");
 include("version_func.inc");
+if( check_smbcl() == 0 ) exit(0);
+
 local_var ver, test_version, sec_hole, sec_proto, r, path, share, prog;
 
 sec_hole = 0;
@@ -83,20 +84,7 @@
 ver = NULL;
 r = NULL;
 test_version = "2.2.5";
-  if( !get_kb_item("SMB/smbclient") ) {
-     smbclientavail();
-  }
-  if(get_kb_item("SMB/smbclient") ) {
-    if( smbversion() == 0){
-      report = string("Error getting SMB-Data -> "+get_kb_item("SMB/ERROR"));
-      security_note(port:0, proto:"SMBClient", data:report);
-      exit(0);
-    }
-  } else {
-    report = string("SMBClient not found on openvasd host !");
-    security_note(port:0, proto:"SMBClient", data:report);
-    exit(0);
-  }
+
   path = "Programme\";
   share ="C$";
   prog = "GnuTLS*";

Modified: trunk/openvas-plugins/scripts/smbcl_mozilla.nasl
===================================================================
--- trunk/openvas-plugins/scripts/smbcl_mozilla.nasl	2008-09-09 14:54:39 UTC (rev 1313)
+++ trunk/openvas-plugins/scripts/smbcl_mozilla.nasl	2008-09-09 20:57:12 UTC (rev 1314)
@@ -67,91 +67,73 @@
 
 include("version_func.inc");
 include("smbcl_func.inc");
-if( !get_kb_item("SMB/smbclient") ) {
-   smbclientavail();
-}
+if( check_smbcl() == 0 ) exit(0);
 
-
-  if(get_kb_item("SMB/smbclient") ) {
-    if( smbversion() == 0){
-      report = string("Error getting SMB-Data -> "+get_kb_item("SMB/ERROR"));
-      security_note(port:0, proto:"SMBClient", data:report);
-      exit(0);
+  test_version = "2.0.0.14";        # Test Firefox
+  test_file[0] = "Programme\Mozilla Firefox\firefox.exe";
+  test_file[1] = "Prog Files\Mozilla Firefox\firefox.exe";
+  foreach filespec (test_file) {
+    r = smbgetdir(share: "C$", dir: filespec, typ: 1 );
+    if( !isnull(r) ) {
+        tmp_filename = get_tmp_dir()+"tmpfile"+rand();
+        if( smbgetfile(share: "C$", filename: filespec, tmp_filename: tmp_filename) ) {
+          v = GetPEProductVersion(tmp_filename:tmp_filename, orig_filename:filespec);
+          unlink(tmp_filename);
+          if( version_is_less(version: v, test_version: test_version) ) {
+            security_hole(port:0, proto:"Win_Mozilla");
+            report = report + "Fileversion : C$ "+filespec + " "+v+string("\n");
+            security_hole(port:0, proto:"Win_Mozilla", data:report);
+          }
+          break;
+        } else {
+          report = string("Error getting SMB-File -> "+get_kb_item("SMB/ERROR")) + string("\n");
+          security_note(port:0, proto:"Win_Mozilla", data:report);
+        }
     }
-  } else {
-    report = string("SMBClient not found on openvasd host !");
-    security_note(port:0, proto:"SMBClient", data:report);
-    exit(0);
   }
-
-  win_dir = get_windir();
-  if( !isnull(win_dir) ) {
-    test_version = "2.0.0.14";        # Test Firefox
-    test_file[0] = "Programme\Mozilla Firefox\firefox.exe";
-    test_file[1] = "Prog Files\Mozilla Firefox\firefox.exe";
-    foreach filespec (test_file) {
-      r = smbgetdir(share: "C$", dir: filespec, typ: 1 );
-      if( !isnull(r) ) {
-          tmp_filename = get_tmp_dir()+"tmpfile"+rand();
-          if( smbgetfile(share: "C$", filename: filespec, tmp_filename: tmp_filename) ) {
-            v = GetPEProductVersion(tmp_filename:tmp_filename, orig_filename:filespec);
-            unlink(tmp_filename);
-            if( version_is_less(version: v, test_version: test_version) ) {
-              security_hole(port:0, proto:"Win_Mozilla");
-              report = report + "Fileversion : C$ "+filespec + " "+v+string("\n");
-              security_hole(port:0, proto:"Win_Mozilla", data:report);
-            }
-            break;
-          } else {
-            report = string("Error getting SMB-File -> "+get_kb_item("SMB/ERROR")) + string("\n");
-            security_note(port:0, proto:"Win_Mozilla", data:report);
+  test_version = "2.0.0.14";        # Test Thunderbird
+  test_file[0] = "Programme\Mozilla Thunderbird\thunderbird.exe";
+  test_file[1] = "Prog Files\Mozilla Thunderbird\thunderbird.exe";
+  foreach filespec (test_file) {
+    r = smbgetdir(share: "C$", dir: filespec, typ: 1 );
+    if( !isnull(r) ) {
+        tmp_filename = get_tmp_dir()+"tmpfile"+rand();
+        if( smbgetfile(share: "C$", filename: filespec, tmp_filename: tmp_filename) ) {
+          v = GetPEProductVersion(tmp_filename:tmp_filename, orig_filename:filespec);
+          unlink(tmp_filename);
+          if( version_is_less(version: v, test_version: test_version) ) {
+            security_hole(port:0, proto:"Win_Mozilla");
+            report = report + "Fileversion : C$ "+filespec + " "+v+string("\n");
+            security_hole(port:0, proto:"Win_Mozilla", data:report);
           }
-      }
+          break;
+        } else {
+          report = string("Error getting SMB-File -> "+get_kb_item("SMB/ERROR")) + string("\n");
+          security_note(port:0, proto:"Win_Mozilla", data:report);
+        }
     }
-    test_version = "2.0.0.14";        # Test Thunderbird
-    test_file[0] = "Programme\Mozilla Thunderbird\thunderbird.exe";
-    test_file[1] = "Prog Files\Mozilla Thunderbird\thunderbird.exe";
-    foreach filespec (test_file) {
-      r = smbgetdir(share: "C$", dir: filespec, typ: 1 );
-      if( !isnull(r) ) {
-          tmp_filename = get_tmp_dir()+"tmpfile"+rand();
-          if( smbgetfile(share: "C$", filename: filespec, tmp_filename: tmp_filename) ) {
-            v = GetPEProductVersion(tmp_filename:tmp_filename, orig_filename:filespec);
-            unlink(tmp_filename);
-            if( version_is_less(version: v, test_version: test_version) ) {
-              security_hole(port:0, proto:"Win_Mozilla");
-              report = report + "Fileversion : C$ "+filespec + " "+v+string("\n");
-              security_hole(port:0, proto:"Win_Mozilla", data:report);
-            }
-            break;
-          } else {
-            report = string("Error getting SMB-File -> "+get_kb_item("SMB/ERROR")) + string("\n");
-            security_note(port:0, proto:"Win_Mozilla", data:report);
+  }
+  test_version = "1.1.9";        # Test SeaMonkey
+  test_file[0] = "Programme\mozilla.org\SeaMonkey\seamonkey.exe";
+  test_file[1] = "Prog Files\mozilla.org\SeaMonkey\seamonkey.exe";
+  foreach filespec (test_file) {
+    r = smbgetdir(share: "C$", dir: filespec, typ: 1 );
+    if( !isnull(r) ) {
+        tmp_filename = get_tmp_dir()+"tmpfile"+rand();
+        if( smbgetfile(share: "C$", filename: filespec, tmp_filename: tmp_filename) ) {
+          v = GetPEProductVersion(tmp_filename:tmp_filename, orig_filename:filespec);
+          unlink(tmp_filename);
+          if( version_is_less(version: v, test_version: test_version) ) {
+            security_hole(port:0, proto:"Win_Mozilla");
+            report = report + "Fileversion : C$ "+filespec + " "+v+string("\n");
+            security_hole(port:0, proto:"Win_Mozilla", data:report);
           }
-      }
+          break;
+        } else {
+          report = string("Error getting SMB-File -> "+get_kb_item("SMB/ERROR")) + string("\n");
+          security_note(port:0, proto:"Win_Mozilla", data:report);
+        }
     }
-    test_version = "1.1.9";        # Test SeaMonkey
-    test_file[0] = "Programme\mozilla.org\SeaMonkey\seamonkey.exe";
-    test_file[1] = "Prog Files\mozilla.org\SeaMonkey\seamonkey.exe";
-    foreach filespec (test_file) {
-      r = smbgetdir(share: "C$", dir: filespec, typ: 1 );
-      if( !isnull(r) ) {
-          tmp_filename = get_tmp_dir()+"tmpfile"+rand();
-          if( smbgetfile(share: "C$", filename: filespec, tmp_filename: tmp_filename) ) {
-            v = GetPEProductVersion(tmp_filename:tmp_filename, orig_filename:filespec);
-            unlink(tmp_filename);
-            if( version_is_less(version: v, test_version: test_version) ) {
-              security_hole(port:0, proto:"Win_Mozilla");
-              report = report + "Fileversion : C$ "+filespec + " "+v+string("\n");
-              security_hole(port:0, proto:"Win_Mozilla", data:report);
-            }
-            break;
-          } else {
-            report = string("Error getting SMB-File -> "+get_kb_item("SMB/ERROR")) + string("\n");
-            security_note(port:0, proto:"Win_Mozilla", data:report);
-          }
-      }
-    }
   }
 
 exit(0);
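Review bot: The second candidate path in each list, e.g. `test_file[1] = "Prog Files\Mozilla Firefox\firefox.exe";`, looks like a typo for `Program Files\` (the OpenOffice SMB check added in this same commit uses `"Program Files\"`), so installs in the default English directory are probably never inspected and the plugin stays silent on them. `v` from `GetPEProductVersion()` reaches `version_is_less()` without an `isnull()` check, and `report` is never reset, so text from an earlier error note or finding is carried into later ones; `report = "";` before each loop and `if( !isnull(v) && version_is_less(version: v, test_version: test_version) )` would cover both. The three loops differ only in the file list and `test_version` and could be folded into one helper.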

Added: trunk/openvas-plugins/scripts/smbcl_openoffice_CB-A08-0068.nasl
===================================================================
--- trunk/openvas-plugins/scripts/smbcl_openoffice_CB-A08-0068.nasl	2008-09-09 14:54:39 UTC (rev 1313)
+++ trunk/openvas-plugins/scripts/smbcl_openoffice_CB-A08-0068.nasl	2008-09-09 20:57:12 UTC (rev 1314)
@@ -0,0 +1,111 @@
+#
+# This script was written by Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>
+#
+# This script is released under the GNU GPLv2
+#
+# $Revision: 01 $
+
+if(description)
+{
+
+ script_id(90030);
+ script_version ("$Revision: 01 $");
+ script_cve_id("CVE-2008-2152");
+ name["english"] = "OpenOffice.org <= 2.4.1 vulnerability";
+ script_name(english:name["english"]);
+
+ desc["english"] = "The remote host is probably affected by the vulnerabilities described in
+CVE-2008-2152 or CVE-2008-3282 on 64-bit platform's
+
+OpenOffice.org <= 2.4.1 vulnerability
+
+Impact
+
+   CVE-2008-2152
+     Integer overflow in the rtl_allocateMemory function in
+     sal/rtl/source/alloc_global.c in OpenOffice.org (OOo)
+     2.0 through 2.4 allows remote attackers to execute
+     arbitrary code via a crafted file that triggers a
+     heap-based buffer overflow. 
+   CVE-2008-3282
+     Integer overflow in the rtl_allocateMemory function
+     in sal/rtl/source/alloc_global.c in the memory allocator
+     in OpenOffice.org (OOo) 2.4.1, on 64-bit platforms, allows
+     remote attackers to cause a denial of service (application
+     crash) or possibly execute arbitrary code via a crafted
+     document, related to a 'numeric truncation error,' a
+     different vulnerability than CVE-2008-2152. 
+ 
+References:
+    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2152
+    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3282
+
+Solution:
+    All OpenOffice.org users should upgrade to the latest version:
+
+
+Risk factor : High
+";
+
+ script_description(english:desc["english"]);
+ summary["english"] = "Determines OpenOffice.org <= 2.4.1 vulnerability";
+ script_summary(english:summary["english"]);
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"This script is under GPLv2");
+ family["english"] = "Windows";
+ script_family(english:family["english"]);
+ exit(0);
+}
+
+#
+# The code starts here
+#
+include("version_func.inc");
+include("smbcl_func.inc");
+if( check_smbcl() == 0 ) exit(0);
+
+sec_hole = 0;
+sec_proto = "OpenOffice.org";
+test_version = "2.4.9310";
+ver = NULL;
+r = NULL;
+
+  sec_hole = 0;
+  path = "Programme\";
+  share ="C$";
+  prog = "OpenOffice.org*";
+  r = smbgetdir(share: share, dir: path+prog, typ: 2 );
+  if( isnull(r) ) {
+    path = "Program Files\";
+    r = smbgetdir(share: share, dir: path+prog, typ: 2 );
+  }
+  if( !isnull(r) ) {
+    foreach oodir (r) {
+      file_spec = path+oodir+"\program\version.ini";
+      r = smbgetdir(share: "C$", dir: file_spec, typ: 1 );
+      if( !isnull(r) ) {
+        tmp_filename = get_tmp_dir()+"tmpfile"+rand();
+        if( smbgetfile(share: "C$", filename: file_spec, tmp_filename: tmp_filename) ) {
+          ver = fread(tmp_filename);
+          unlink(tmp_filename);
+          if( ! isnull(ver) ) {
+            version = ereg_replace(pattern:".+OOOBaseVersion=", string: ver, replace: "")+".";
+            version = eregmatch(pattern:"([0-9]\.)+[0-9]+", string: version);
+            build = ereg_replace(pattern:".+ProductBuildid=", string: ver, replace: "");
+            build = eregmatch(pattern:"^[0-9]+", string: build);
+            ver = version[0]+"."+build[0];
+            set_kb_item(name: "OpenOffice.org/Build", value: ver);
+            if( version_is_less(version:ver, test_version:test_version) ) {
+              if(sec_hole == 0) {
+                security_warning(port:0, proto:sec_proto);
+                sec_hole = 1;
+              }
+              security_warning(port:0, proto:sec_proto, data:string("\nFound : ") + oodir + 
+                                                                    "  Build : " + ver + string("\n"));
+            }
+          }
+        }
+      }
+    }
+  }
+exit(0);
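Review bot: Inside `foreach oodir (r)` the line `r = smbgetdir(share: "C$", dir: file_spec, typ: 1 );` overwrites the array being iterated; whether the loop keeps walking the original directory list then depends on how the interpreter evaluates `foreach`, so a separate name such as `f = smbgetdir(share: share, dir: file_spec, typ: 1 );` is safer. The download target `get_tmp_dir()+"tmpfile"+rand()` is a guessable name; if that directory is shared with other local users on the scanner host, a pre-existing file or link could redirect the write, so an exclusively created temporary file or a private directory is preferable, and smbcl_mozilla.nasl uses the same construction. `sec_hole = 0;` is assigned twice and the `share` variable is bypassed by the literal `"C$"` in the inner calls.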

Modified: trunk/openvas-plugins/scripts/version_func.inc
===================================================================
--- trunk/openvas-plugins/scripts/version_func.inc	2008-09-09 14:54:39 UTC (rev 1313)
+++ trunk/openvas-plugins/scripts/version_func.inc	2008-09-09 20:57:12 UTC (rev 1314)
@@ -3,7 +3,7 @@
 #
 # This script is released under the GNU GPLv2
 #
-# $Revision: 6 $
+# $Revision: 8 $
 
 # XXX: the version tests should be eventually consolidated with
 # the methods from revisions-lib.inc.
@@ -29,8 +29,8 @@
          r = NULL;
       }
   }
-  if( ("/locatedb" >< r) || ("execvp:" >< r) || ("fatal error" >< r) || ("No such file or dir" >< r) ) {
-    if("execvp:" >!< whe) {
+  if( "bin/"+prog_name >!< r ) {
+    if( "bin/"+prog_name >< whe ) {
        r = split(substr(whe - (prog_name + ":"), 1), sep:" ");
     } else {
        r = NULL;
@@ -47,7 +47,7 @@
 }
 
 function find_file(file_name, file_path) {
-  local_var r, f, sock;
+  local_var r, f, sock, fname;
 
   r = NULL;
   if (islocalhost()) {
@@ -58,15 +58,21 @@
   } else {
       sock = ssh_login_or_reuse_connection();
       if (sock) {
-        r = split(ssh_cmd(socket:sock, cmd:"locate "+file_path+file_name, timeout:60));
-        if(! isnull(file_path) ) {
-          f = split(ssh_cmd(socket:sock, cmd:"find "+file_path+" -name "+file_name+" -type f"));
+        r = split(ssh_cmd(socket:sock, cmd:"locate "+raw_string(0x22)+file_path+file_name+raw_string(0x22), timeout:60));
+        if(!isnull(file_path) ) {
+          f = split(ssh_cmd(socket:sock, cmd:"find "+raw_string(0x22)+file_path+raw_string(0x22)+
+                                             " -name "+raw_string(0x22)+file_name+raw_string(0x22)+" -type f"));
         }
         ssh_close_connection();
       } 
   }
-  if( ("/locatedb" >< r) || ("execvp:" >< r) || ("fatal error" >< r) || ("No such file or dir" >< r) ) {
-     r = f;
+  fname = ereg_replace(pattern:"\*.+", string:file_name, replace:"");
+  if( fname >!< r ) {
+    if( fname >< f ) {
+      r = f;
+    } else {
+      r = NULL;
+    }
   }
   return (r);
 }
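Review bot: Wrapping `file_path` and `file_name` in `raw_string(0x22)` handles spaces but not shell metacharacters: inside double quotes the remote shell still expands `$`, backticks and an embedded `"`, and openoffice_CB-A08-0068.nasl now passes a directory taken from the target's own `locate` output as `file_path` (and quotes `file_name` for `cat` the same way). Because these commands run with the scan account's privileges, the arguments should be validated or single-quote escaped before concatenation, for example `if( ereg(pattern:"[^A-Za-z0-9 _./*-]", string:string(file_path, file_name)) ) return (NULL);` at the top of the function. Separately, `f` is assigned only when `file_path` is set, so `fname >< f` tests an unset value otherwise, and the pattern `"\*.+"` appears to leave a trailing `*` in `fname`. The start of find_file() and its localhost branch lie outside this hunk.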

Modified: trunk/openvas-plugins/scripts/win_CVE-2007-0043.nasl
===================================================================
--- trunk/openvas-plugins/scripts/win_CVE-2007-0043.nasl	2008-09-09 14:54:39 UTC (rev 1313)
+++ trunk/openvas-plugins/scripts/win_CVE-2007-0043.nasl	2008-09-09 20:57:12 UTC (rev 1314)
@@ -53,24 +53,9 @@
 
 include("version_func.inc");
 include("smbcl_func.inc");
-if( !get_kb_item("SMB/smbclient") ) {
-   smbclientavail();
-}
-test_version = "2.0.50727.832";
+if( check_smbcl() == 0 ) exit(0);
 
-
-  if(get_kb_item("SMB/smbclient") ) {
-    if( smbversion() == 0){
-      report = string("Error getting SMB-Data -> "+get_kb_item("SMB/ERROR"));
-      security_note(port:0, proto:"SMBClient", data:report);
-      exit(0);
-    }
-  } else {
-    report = string("SMBClient not found on this host !");
-    security_note(port:0, proto:"SMBClient", data:report);
-    exit(0);
-  }
-
+  test_version = "2.0.50727.832";
   win_dir = get_windir();
   if( !isnull(win_dir) ) {
     path = win_dir+"Microsoft.NET\Framework\";

Modified: trunk/openvas-plugins/scripts/win_CVE-2007-6026.nasl
===================================================================
--- trunk/openvas-plugins/scripts/win_CVE-2007-6026.nasl	2008-09-09 14:54:39 UTC (rev 1313)
+++ trunk/openvas-plugins/scripts/win_CVE-2007-6026.nasl	2008-09-09 20:57:12 UTC (rev 1314)
@@ -54,23 +54,8 @@
 
 include("version_func.inc");
 include("smbcl_func.inc");
+if( check_smbcl() == 0 ) exit(0);
 
-  if( !get_kb_item("SMB/smbclient") ) {
-    smbclientavail();
-  }
-
-  if(get_kb_item("SMB/smbclient") ) {
-    if( smbversion() == 0){
-      report = string("Error getting SMB-Data -> "+get_kb_item("SMB/ERROR"));
-      security_note(port:0, proto:"SMBClient", data:report);
-      exit(0);
-    }
-  } else {
-    report = string("SMBClient not found on this host !");
-    security_note(port:0, proto:"SMBClient", data:report);
-    exit(0);
-  }
-
   win_dir = get_windir();
   sec_hole = 0;
   if( !isnull(win_dir) ) {

Modified: trunk/openvas-plugins/scripts/win_CVE-2008-0080.nasl
===================================================================
--- trunk/openvas-plugins/scripts/win_CVE-2008-0080.nasl	2008-09-09 14:54:39 UTC (rev 1313)
+++ trunk/openvas-plugins/scripts/win_CVE-2008-0080.nasl	2008-09-09 20:57:12 UTC (rev 1314)
@@ -57,22 +57,8 @@
 
 include("version_func.inc");
 include("smbcl_func.inc");
-  if( !get_kb_item("SMB/smbclient") ) {
-    smbclientavail();
-  }
+if( check_smbcl() == 0 ) exit(0);
 
-  if(get_kb_item("SMB/smbclient") ) {
-    if( smbversion() == 0){
-      report = string("Error getting SMB-Data -> "+get_kb_item("SMB/ERROR"));
-      security_note(port:0, proto:"SMBClient", data:report);
-      exit(0);
-    }
-  } else {
-    report = string("SMBClient not found on this host !");
-    security_note(port:0, proto:"SMBClient", data:report);
-    exit(0);
-  }
-
   win_dir = get_windir();
   if( !isnull(win_dir) ) {
     os = get_kb_item("SMB/OS");

Modified: trunk/openvas-plugins/scripts/win_CVE-2008-0087.nasl
===================================================================
--- trunk/openvas-plugins/scripts/win_CVE-2008-0087.nasl	2008-09-09 14:54:39 UTC (rev 1313)
+++ trunk/openvas-plugins/scripts/win_CVE-2008-0087.nasl	2008-09-09 20:57:12 UTC (rev 1314)
@@ -51,23 +51,8 @@
 
 include("version_func.inc");
 include("smbcl_func.inc");
+if( check_smbcl() == 0 ) exit(0);
 
-  if( !get_kb_item("SMB/smbclient") ) {
-    smbclientavail();
-  }
-
-  if(get_kb_item("SMB/smbclient") ) {
-    if( smbversion() == 0){
-      report = string("Error getting SMB-Data -> "+get_kb_item("SMB/ERROR"));
-      security_note(port:0, proto:"SMBClient", data:report);
-      exit(0);
-    }
-  } else {
-    report = string("SMBClient not found on this host !");
-    security_note(port:0, proto:"SMBClient", data:report);
-    exit(0);
-  }
-
   win_dir = get_windir();
   sec_hole = 0;
   if( !isnull(win_dir) ) {


