[Openvas-commits] r1459 - in trunk/openvas-plugins: . scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Fri Sep 26 14:12:59 CEST 2008


Author: chandra
Date: 2008-09-26 14:12:58 +0200 (Fri, 26 Sep 2008)
New Revision: 1459

Added:
   trunk/openvas-plugins/scripts/gb_apple_quicktime_mult_vuln_win.nasl
   trunk/openvas-plugins/scripts/gb_ca_etrust_scm_mult_vuln.nasl
   trunk/openvas-plugins/scripts/gb_vmware_prdts_prv_esc_vuln.nasl
   trunk/openvas-plugins/scripts/gb_vmware_tools_local_prv_esc_vuln_lin.nasl
   trunk/openvas-plugins/scripts/gb_vmware_tools_local_prv_esc_vuln_win.nasl
Modified:
   trunk/openvas-plugins/ChangeLog
   trunk/openvas-plugins/scripts/gb_vmware_prdts_detect_win.nasl
   trunk/openvas-plugins/scripts/gb_vmware_prdts_mult_vuln_win.nasl
   trunk/openvas-plugins/scripts/secpod_smb_func.inc
Log:
Added new plugins and addressed a few issues

Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2008-09-26 11:36:10 UTC (rev 1458)
+++ trunk/openvas-plugins/ChangeLog	2008-09-26 12:12:58 UTC (rev 1459)
@@ -1,3 +1,16 @@
+2008-09-26 Chandrashekhar <bchandra at secpod.com>
+	* scripts/gb_vmware_tools_local_prv_esc_vuln_win.nasl,
+	  scripts/gb_vmware_prdts_prv_esc_vuln.nasl,
+	  scripts/gb_apple_quicktime_mult_vuln_win.nasl,
+	  scripts/gb_ca_etrust_scm_mult_vuln.nasl,
+	  scripts/gb_vmware_tools_local_prv_esc_vuln_lin.nasl:
+	  Added new plugins
+
+	* scripts/secpod_smb_func.inc,
+	  scripts/gb_vmware_prdts_detect_win.nasl,
+	  scripts/gb_vmware_prdts_mult_vuln_win.nasl:
+	  Incorporated review changes
+
 2008-09-26 Chandrashekhar B <bchandra at secpod.com>
 	* scripts/gb_vmware_prdts_detect_win.nasl,
 	  scripts/freebsd_opendchub.nasl:

Added: trunk/openvas-plugins/scripts/gb_apple_quicktime_mult_vuln_win.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_apple_quicktime_mult_vuln_win.nasl	2008-09-26 11:36:10 UTC (rev 1458)
+++ trunk/openvas-plugins/scripts/gb_apple_quicktime_mult_vuln_win.nasl	2008-09-26 12:12:58 UTC (rev 1459)
@@ -0,0 +1,90 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_apple_quicktime_mult_vuln_win.nasl 0284 2008-09-25 10:53:46Z sep $
+#
+# Apple QuickTime Multiple Arbitrary Code Execution Vulnerabilities (Win)
+#
+# Authors:
+# Veerendra GG <veerendragg at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2008 Intevation GmbH, http://www.intevation.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(800102);
+  script_version("$Revision: 1.1 $");
+  script_cve_id("CVE-2008-1581","CVE-2008-1582","CVE-2008-1583",
+                "CVE-2008-1584","CVE-2008-1585");
+  script_bugtraq_id(29619);
+  script_xref(name:"CB-A", value:"08-0094");
+  script_name(english:"Apple QuickTime Multiple Arbitrary Code Execution Vulnerabilities (Win)");
+  desc["english"] = "
+
+  Overview : The host is installed with Apple QuickTime which is prone to
+  Multiple Arbitrary Code Execution Vulnerabilities.
+
+  Vulnerability Insight:
+
+  The flaws are caused due to,
+  - boundary error when parsing packed scanlines from a PixData
+    structure in a PICT file which can be exploited via specially crafted
+    PICT file.
+  - memory corruption issue in AAC-encoded media content can be
+    exploited via a specially crafted media file.
+  - error in the handling of PICT files or Indeo video codec content that
+    can be exploited via a specially crafted PICT file or movie file with
+    Indeo video codec content respectively.
+  - error in the handling of file URLs that can be exploited by making user
+    to play maliciously crafted QuickTime content.
+
+  Impact : Successful exploitation allow attackers to execute arbitrary
+  code or unexpected application termination.
+
+  Impact Level : Application
+
+  Affected Software/OS:
+  Apple QuickTime before 7.5 on Windows (Any).
+
+  Fix : Upgrade to Apple QuickTime version 7.5 or later,
+  http://www.apple.com/quicktime/download/
+
+  References :
+  http://support.apple.com/kb/HT1991
+  http://secunia.com/advisories/29293
+  http://www.nruns.com/security_advisory_quicktime_arbitrary_code_execution.php
+
+  CVSS Score :
+    CVSS Base Score     : 8.3 (AV:N/AC:M/Au:NR/C:P/I:P/A:C)
+    CVSS Temporal Score : 6.1
+  Risk factor : High";
+
+  script_description(english:desc["english"]);
+  script_summary(english:"Check for the version of Apple QuickTime");
+  script_category(ACT_GATHER_INFO);
+  script_copyright(english:"Copyright (C) 2008 Intevation GmbH");
+  script_family(english:"Misc.");
+  script_dependencies("secpod_apple_quicktime_detection_win_900124.nasl");
+  exit(0);
+}
+
+
+# Grep for QuickTime version <= 7.5
+if(egrep(pattern:"^([0-6]\..*|7\.([0-4](\..*)?))$",
+         string:get_kb_item("QuickTime/Win/Ver"))){
+  security_hole(0);
+}
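Review bot: The comment above the egrep call says `<= 7.5`, but the pattern only matches versions below 7 and 7.0–7.4.x, which is what the advisory text ("before 7.5") actually requires; it should read `# Grep for QuickTime version < 7.5`. The KB value is also handed straight to egrep without confirming the detection script set it; reading it first, `qtVer = get_kb_item("QuickTime/Win/Ver"); if(!qtVer){ exit(0); }`, and matching on `qtVer` keeps the match off an empty value, and a `script_require_keys("QuickTime/Win/Ver")` in the description block would let the scanner skip the test entirely when QuickTime was not detected. Whether the detection script can ever store a bare `7` (which this pattern would not match) is not visible in this diff.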


Property changes on: trunk/openvas-plugins/scripts/gb_apple_quicktime_mult_vuln_win.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/gb_ca_etrust_scm_mult_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_ca_etrust_scm_mult_vuln.nasl	2008-09-26 11:36:10 UTC (rev 1458)
+++ trunk/openvas-plugins/scripts/gb_ca_etrust_scm_mult_vuln.nasl	2008-09-26 12:12:58 UTC (rev 1459)
@@ -0,0 +1,114 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_ca_etrust_scm_mult_vuln.nasl 0280 2008-09-24 12:42:42Z sep $
+#
+# CA eTrust SCM Multiple HTTP Gateway Service Vulnerabilities
+#
+# Authors:
+# Veerendra GG <veerendragg at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2008 Intevation GmbH, http://www.intevation.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(800101);
+  script_version("$Revision: 1.1 $");
+  script_cve_id("CVE-2008-2541");
+  script_bugtraq_id(29528);
+  script_xref(name:"CB-A", value:"08-0091");
+  script_name(english:"CA eTrust SCM Multiple HTTP Gateway Service Vulnerabilities");
+  desc["english"] = "
+
+  Overview : The host is installed with CA eTrust Secure Content Manager which
+  is prone to arbitrary code execution and DoS Vulnerabilities.
+
+  Vulnerability Insight:
+  The flaws are caused due to,
+  - boundary error in the HTTP Gateway service (icihttp.exe running on
+    port 8080), when converting content of an FTP request listing from raw
+    text to HTML.
+  - insufficient bounds checking on certain FTP requests by sending a specially
+    crafted FTP requests containing an overly long LIST/PASV commands that can
+    cause stack-based buffer overflow.
+
+  Impact:
+  Successful exploitation allow attackers to execute arbitrary code or
+  compromise complete system under the system context or denying of service.
+
+  Impact Level : System
+
+  Affected Software/OS:
+  CA eTrust Secure Content Manager version 8.0 - Windows (Any).
+
+  Fix : Apply patch QO99987,
+  https://support.ca.com/irj/portal/ano...s?reqPage=search&searchID=QO99987
+
+  *****
+  NOTE : Ignore this warning, if above mentioned patch is applied already.
+  *****
+
+  References:
+  http://secunia.com/advisories/30518
+  http://www.zerodayinitiative.com/advisories/ZDI-08-035/
+  http://www.zerodayinitiative.com/advisories/ZDI-08-036/
+  http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=36408
+
+  CVSS Score:
+    CVSS Base Score     : 7.5 (AV:N/AC:L/Au:NR/C:P/I:P/A:P)
+    CVSS Temporal Score : 5.5
+  Risk factor : High";
+
+  script_description(english:desc["english"]);
+  script_summary(english:"Check for the version of CA eTrust SCM");
+  script_category(ACT_GATHER_INFO);
+  script_copyright(english:"Copyright (C) 2008 Intevation GmbH");
+  script_family(english:"Denial of Service");
+  script_dependencies("secpod_reg_enum.nasl");
+  script_require_keys("SMB/WindowsVersion");
+  script_require_ports("Services/www", 8080);
+  exit(0);
+}
+
+
+include("smb_nt.inc");
+
+if(!get_kb_item("SMB/WindowsVersion")){ # Confirm it is Windows
+  exit(0);
+}
+
+port = 8080;
+if(!get_port_state(port)){ # Confirm port is open (8080)
+  exit(0);
+}
+
+# Confirm SCM is installed
+if(!registry_key_exists(key:"SOFTWARE\ComputerAssociates\eTrust\SCM")){
+  exit(0);
+}
+
+# Get CA SCM Version
+scmVer = registry_get_sz(item:"Version",
+                  key:"SOFTWARE\ComputerAssociates\eTrust Common Services");
+if(!scmVer){
+  exit(0);
+}
+
+# Grep for CSM version <= 8.0.28
+if(egrep(pattern:"^([0-7]\..*|8\.0\.([01]?[0-9]|2[0-8]))$", string:scmVer)){
+  security_hole(port);
+}
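Review bot: The description declares `script_require_ports("Services/www", 8080)`, but the body hard-codes `port = 8080` and only tests that the port is open, so a gateway listening elsewhere is never checked and any unrelated listener on 8080 satisfies the check before the registry is consulted; the `Services/www` key (or the project's `get_http_port(default:8080)` helper from http_func.inc, if this tree already uses it) should drive `port`, which is also what `security_hole` reports. The comment before the final egrep says `CSM`; it should read `# Grep for SCM version <= 8.0.28`. The version is read from `eTrust Common Services` while installation is confirmed against `eTrust\SCM`, which deserves a one-line comment explaining why the two keys differ, and the `$`-anchored pattern will not match a four-part value such as `8.0.28.x` — whether that registry value ever has that shape cannot be told from here.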


Property changes on: trunk/openvas-plugins/scripts/gb_ca_etrust_scm_mult_vuln.nasl
___________________________________________________________________
Name: svn:executable
   + *

Modified: trunk/openvas-plugins/scripts/gb_vmware_prdts_detect_win.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_vmware_prdts_detect_win.nasl	2008-09-26 11:36:10 UTC (rev 1458)
+++ trunk/openvas-plugins/scripts/gb_vmware_prdts_detect_win.nasl	2008-09-26 12:12:58 UTC (rev 1459)
@@ -85,14 +85,16 @@
                           "SOFTWARE\VMware, Inc.\VMware Player",
                           "SOFTWARE\VMWare, Inc.\VMWare Server",
                           "SOFTWARE\VMware, Inc.\VMware ACE");
+
   foreach vmKey (vmwarePrdts)
   {
     vmwareCode = registry_get_sz(key:vmKey, item:"ProductCode");
     if(vmwareCode)
     {
-      vmVer = registry_get_sz(item:"DisplayVersion",
-                              key:"SOFTWARE\Microsoft\Windows\CurrentVersion" +
-                                  "\Uninstall\" + vmwareCode);
+      key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\" + vmwareCode;
+      vmVer = registry_get_sz(key:key, item:"DisplayVersion");
+      vmPath = registry_get_sz(key:vmKey, item:"InstallPath");
+
       break;
     }
   }
@@ -102,18 +104,74 @@
 {
   vmware = split(vmVer, sep:".", keep:0);
   vmwareVer = vmware[0] + "." + vmware[1] + "." + vmware[2];
-  vmwareBuild = vmware[3];
 
   # Check for strange vmware workstation versions
   if(vmwareBuild == "19175" && vmwareVer == "5.5.0"){
     vmwareVer = "5.5.1";
   }
 
+  if(vmPath)
+  {
+    share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:vmPath);
+    file1 = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1",
+                         string:vmPath + "vmware.exe");
+    file2 = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1", 
+                         string:vmPath + "vmplayer.exe");
+  
+    soc = open_sock_tcp(port);
+    if(!soc){
+      exit(0);
+    } 
+  
+    r = smb_session_request(soc:soc, remote:name);
+    if(!r){
+      close(soc);
+      exit(0);
+    } 
+
+    prot = smb_neg_prot(soc:soc);
+    if(!prot){
+      close(soc);
+      exit(0);
+    }
+
+    r = smb_session_setup(soc:soc, login:login, password:pass, domain:domain,
+                          prot:prot);
+    if(!r){
+      close(soc);
+      exit(0);
+    }
+
+    uid = session_extract_uid(reply:r);
+    r = smb_tconx(soc:soc, name:name, uid:uid, share:share);
+
+    tid = tconx_extract_tid(reply:r);
+    if(!tid){
+      close(soc);
+      exit(0);
+    }
+
+    fid = OpenAndX(socket:soc, uid:uid, tid:tid, file:file1);
+    if(!fid)
+    {
+      fid = OpenAndX(socket:soc, uid:uid, tid:tid, file:file2);
+      if(!fid)
+      {
+        close(soc);
+        exit(0);
+      }
+    }
+
+    vmwareBuild = GetVersion(socket:soc, uid:uid, tid:tid, fid:fid, verstr:"build-");
+    close(soc);
+  }
   product = ereg_replace(pattern:"SOFTWARE\\VMWare, Inc.\\VMWare (.*)",
                          string:vmKey, replace:"\1", icase:TRUE);
 
   # Set KB's for GSX Server, Workstation, Player, Server or ACE
   set_kb_item(name:"VMware/Win/Installed", value:TRUE);
   set_kb_item(name:"VMware/" + product + "/Win/Ver", value:vmwareVer);
-  set_kb_item(name:"VMware/" + product + "/Win/Build", value:vmwareBuild);
+  if(vmwareBuild){
+    set_kb_item(name:"VMware/" + product + "/Win/Build", value:vmwareBuild);
+  }
 }
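Review bot: Dropping `vmwareBuild = vmware[3];` leaves the `if(vmwareBuild == "19175" && vmwareVer == "5.5.0")` check comparing a variable that is not assigned until the `GetVersion(...)` call further down, so the 5.5.0→5.5.1 correction can no longer fire; move `if(vmwareBuild == "19175" && vmwareVer == "5.5.0"){ vmwareVer = "5.5.1"; }` to just after the `vmwareBuild = GetVersion(...)` line. The new SMB block also calls `exit(0)` on every failure — socket, session setup, tree connect, or neither `vmware.exe` nor `vmplayer.exe` opening (Server or ACE installs may ship neither) — which aborts the script after the version was already read from the registry, so `VMware/Win/Installed` and `VMware/<product>/Win/Ver` are never set and the vulnerability scripts in this commit, which now depend solely on those keys, never run; a failed build lookup should instead `close(soc)` and fall through with `vmwareBuild` unset, which the new `if(vmwareBuild)` guard already handles. `port`, `name`, `login`, `pass` and `domain` are used but not set in this hunk and are presumably defined above it, and the enclosing `if` block starts before the hunk. `file1`/`file2` are built by plain concatenation, so the code assumes `InstallPath` ends with a backslash — worth a comment or a trailing-separator check.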

Modified: trunk/openvas-plugins/scripts/gb_vmware_prdts_mult_vuln_win.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_vmware_prdts_mult_vuln_win.nasl	2008-09-26 11:36:10 UTC (rev 1458)
+++ trunk/openvas-plugins/scripts/gb_vmware_prdts_mult_vuln_win.nasl	2008-09-26 12:12:58 UTC (rev 1459)
@@ -84,16 +84,11 @@
   script_category(ACT_GATHER_INFO);
   script_copyright(english:"Copyright (C) 2008 Intevation GmbH");
   script_family(english:"Misc.");
-  script_dependencies("secpod_reg_enum.nasl", "gb_vmware_prdts_detect_win.nasl");
-  script_require_keys("SMB/WindowsVersion");
+  script_dependencies("gb_vmware_prdts_detect_win.nasl");
   exit(0);
 }
 
 
-if(!get_kb_item("SMB/WindowsVersion")){ # Confirm it is Windows
-  exit(0);
-}
-
 if(!get_kb_item("VMware/Win/Installed")){ # Is VMWare installed?
   exit(0);
 }
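Review bot: With the registry-enumeration dependency and the `SMB/WindowsVersion` guard removed, the script relies only on `VMware/Win/Installed`, but it must still be launched before it can discover that key is absent and exit; adding `script_require_keys("VMware/Win/Installed");` next to the new `script_dependencies` line lets the scanner skip it outright, mirroring how `script_require_keys` is used elsewhere in this commit. The description block starts before the hunk.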

Added: trunk/openvas-plugins/scripts/gb_vmware_prdts_prv_esc_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_vmware_prdts_prv_esc_vuln.nasl	2008-09-26 11:36:10 UTC (rev 1458)
+++ trunk/openvas-plugins/scripts/gb_vmware_prdts_prv_esc_vuln.nasl	2008-09-26 12:12:58 UTC (rev 1459)
@@ -0,0 +1,118 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_vmware_prdts_prv_esc_vuln.nasl 283 2008-09-25 09:27:22Z sep $
+#
+# VMware Product(s) Local Privilege Escalation Vulnerability
+#
+# Authors: Chandan S <schandan at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2008 Intevation GmbH, http://www.intevation.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(800006);
+  script_version("$Revision: 1.1 $");
+  script_cve_id("CVE-2008-0967");
+  script_xref(name:"CB-A", value:"08-0093");
+  script_name(english:"VMware Product(s) Local Privilege Escalation Vulnerability");
+  desc["english"] = "
+
+  Overview : The host is installed with VMWare product(s) that are vulnerable
+  to local privilege escalation vulnerability.
+
+  Vulnerability Insight:
+  Issue is due to local exploitation of an untrusted library path in
+  vmware-authd.
+
+  Impact : Successful exploitation could result in arbitrary code execution on
+  linux based host system by an unprivileged user.
+
+  Local access is required in order to execute the set-uid vmware-authd.
+
+  Impact Level : System
+
+  Affected Software/OS:
+  VMware Player 1.x - before 1.0.7 build 91707 on Linux
+  VMware Player 2.x - before 2.0.4 build 93057 on Linux
+  VMware Server 1.x - before 1.0.6 build 91891 on Linux
+  VMware Workstation 5.x - before 5.5.7 build 91707 on Linux
+  VMware Workstation 6.x - before 6.0.4 build 93057 on Linux
+
+  Fix:
+  Upgrade VMware Product(s) to below version,
+  VMware Player 1.0.7 build 91707 or 2.0.4 build 93057 or later
+  www.vmware.com/download/player/
+
+  VMware Server 1.0.6 build 91891 or later
+  www.vmware.com/download/server/
+
+  VMware Workstation 5.5.7 build 91707 or 6.0.4 build 93057 or later
+  www.vmware.com/download/ws/
+
+  References : http://secunia.com/advisories/30556
+  http://www.vmware.com/security/advisories/VMSA-2008-0009.html
+
+  CVSS Score:
+    CVSS Base Score     : 4.1 (AV:L/AC:M/Au:SI/C:P/I:P/A:P)
+    CVSS Temporal Score : 3.0
+  Risk factor : Medium";
+
+  script_description(english:desc["english"]);
+  script_summary(english:"Check for the version of VMware Products");
+  script_category(ACT_GATHER_INFO);
+  script_copyright(english:"Copyright (C) 2008 Intevation GmbH");
+  script_family(english:"Misc.");
+  script_dependencies("gb_vmware_prdts_detect_lin.nasl");
+  exit(0);
+}
+
+
+if(!get_kb_item("VMware/Linux/Installed")){
+  exit(0);
+}
+
+# VMware Player
+playerVer = get_kb_item("VMware/Player/Linux/Ver");
+if(playerVer)
+{
+  if(ereg(pattern:"^(1\.0(\.[0-6])?|2\.0(\.[0-3])?)($|[^.0-9])",
+          string:playerVer)){
+    security_warning(0);
+  }
+  exit(0);
+}
+
+# VMware Server
+serverVer = get_kb_item("VMware/Server/Linux/Ver");
+if(serverVer)
+{
+  if(ereg(pattern:"^1\.0(\.[0-5])?($|[^.0-9])", string:serverVer)){
+    security_warning(0);
+  }
+  exit(0);
+}
+
+# VMware Workstation
+wrkstnVer = get_kb_item("VMware/Workstation/Linux/Ver");
+if(wrkstnVer)
+{
+  if(ereg(pattern:"^(5\.([0-4](\..*)?|5(\.[0-6])?)|6\.0(\.[0-3])?)($|[^.0-9])",
+          string:wrkstnVer)){
+    security_warning(0);
+  }
+}
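Review bot: Each product branch ends with `exit(0)` after its check, so on a host where the detection script recorded more than one product (for example a fixed Player next to a vulnerable Workstation) the script stops after the first version it finds and never evaluates the others; drop the `exit(0)` after the Player and Server blocks so every recorded product is tested, and keep a flag so `security_warning(0)` is reported once. The same structure appears in gb_vmware_tools_local_prv_esc_vuln_lin.nasl and gb_vmware_tools_local_prv_esc_vuln_win.nasl in this commit. Whether the Linux detection script can record several products on one host is not visible here, but the scripts should not assume it cannot. The Affected list quotes build numbers next to the versions while the patterns match only the dotted version read from `VMware/<product>/Linux/Ver`, which is fine if every fix also bumps the dotted version as the list suggests; a one-line comment stating that the build is deliberately ignored would save the next reader from trying to reconcile the two.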


Property changes on: trunk/openvas-plugins/scripts/gb_vmware_prdts_prv_esc_vuln.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/gb_vmware_tools_local_prv_esc_vuln_lin.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_vmware_tools_local_prv_esc_vuln_lin.nasl	2008-09-26 11:36:10 UTC (rev 1458)
+++ trunk/openvas-plugins/scripts/gb_vmware_tools_local_prv_esc_vuln_lin.nasl	2008-09-26 12:12:58 UTC (rev 1459)
@@ -0,0 +1,119 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_vmware_tools_local_prv_esc_vuln_lin.nasl 0279 2008-09-26 14:47:14Z sep $
+#
+# VMware Tools Local Privilege Escalation Vulnerability (Linux)
+#
+# Authors:
+# Chandan S <schandan at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2008 Intevation GmbH, http://www.intevation.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(800005);
+  script_version("$Revision: 1.0 $");
+  script_cve_id("CVE-2007-5671");
+  script_xref(name:"CB-A", value:"08-0093");
+  script_name(english:"VMware Tools Local Privilege Escalation Vulnerability (Linux)");
+  desc["english"] = "
+
+  Overview : The host is installed with VMWare product(s) that are vulnerable
+  to local privilege escalation vulnerability.
+
+  Vulnerability Insight:
+  An input validation error is present in the Windows-based VMware HGFS.sys
+  driver. Exploitation of this flaw might result in arbitrary code execution
+  on the guest system by an unprivileged guest user. The HGFS.sys driver is
+  present in the guest operating system if the VMware Tools package is loaded
+  on Windows based Guest OS.
+
+  Impact:
+  Successful exploitation could result in guest OS users to modify arbitrary
+  memory locations in guest kernel memory and gain privileges.
+
+  Issue still exists even if the host has HGFS disabled and has no shared
+  folders.
+
+  Impact Level : System
+
+  Affected Software/OS :
+  VMware Player 1.x - before 1.0.6 build 80404 on Linux
+  VMware Server 1.x - before 1.0.5 build 80187 on Linux
+  VMware Workstation 5.x - before 5.5.6 build 80404 on Linux
+
+  Fix : Upgrade VMware Product(s) to below version,
+  VMware Player 1.0.6 build 80404 or later
+  www.vmware.com/download/player/
+
+  VMware Server 1.0.5 build 80187 or later
+  www.vmware.com/download/server/
+
+  VMware Workstation 5.5.6 build 80404 or later
+  www.vmware.com/download/ws/
+
+  References : http://secunia.com/advisories/30556
+  http://www.vmware.com/security/advisories/VMSA-2008-0009.html
+
+  CVSS Score :
+    CVSS Base Score     : 4.1 (AV:L/AC:M/Au:SI/C:P/I:P/A:P)
+    CVSS Temporal Score : 3.0
+  Risk factor : Medium";
+
+  script_description(english:desc["english"]);
+  script_summary(english:"Check for the version of VMware Products");
+  script_category(ACT_GATHER_INFO);
+  script_copyright(english:"Copyright (C) 2008 Intevation GmbH");
+  script_family(english:"Misc.");
+  script_dependencies("gb_vmware_prdts_detect_lin.nasl");
+  exit(0);
+}
+
+
+if(!get_kb_item("VMware/Linux/Installed")){
+  exit(0);
+}
+
+# VMware Player
+playerVer = get_kb_item("VMware/Player/Linux/Ver");
+if(playerVer)
+{
+  if(ereg(pattern:"^1\.0(\.[0-5])?($|[^.0-9])", string:playerVer)){
+    security_warning(0);
+  }
+  exit(0);
+}
+
+# VMware Server
+serverVer = get_kb_item("VMware/Server/Linux/Ver");
+if(serverVer)
+{
+  if(ereg(pattern:"^1\.0(\.[0-4])?($|[^.0-9])", string:serverVer)){
+    security_warning(0);
+  }
+  exit(0);
+}
+
+# VMware Workstation
+wrkstnVer = get_kb_item("VMware/Workstation/Linux/Ver");
+if(wrkstnVer)
+{
+  if(ereg(pattern:"^5\.([0-4](\..*)?|5(\.[0-5])?)($|[^.0-9])", string:wrkstnVer)){
+    security_warning(0);
+  }
+}


Property changes on: trunk/openvas-plugins/scripts/gb_vmware_tools_local_prv_esc_vuln_lin.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/gb_vmware_tools_local_prv_esc_vuln_win.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_vmware_tools_local_prv_esc_vuln_win.nasl	2008-09-26 11:36:10 UTC (rev 1458)
+++ trunk/openvas-plugins/scripts/gb_vmware_tools_local_prv_esc_vuln_win.nasl	2008-09-26 12:12:58 UTC (rev 1459)
@@ -0,0 +1,134 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_vmware_tools_local_prv_esc_vuln_win.nasl 279 2008-09-24 12:38:09Z sep $
+#
+# VMware Tools Local Privilege Escalation Vulnerability (Win)
+#
+# Authors:
+# Chandan S <schandan at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2008 Intevation GmbH, http://www.intevation.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(800004);
+  script_version("$Revision: 1.0 $");
+  script_cve_id("CVE-2007-5671");
+  script_xref(name:"CB-A", value:"08-0093");
+  script_name(english:"VMware Tools Local Privilege Escalation Vulnerability (Win)");
+  desc["english"] = "
+
+  Overview : The host is installed with VMWare product(s) that are vulnerable
+  to local privilege escalation vulnerability.
+
+  Vulnerability Insight:
+  An input validation error is present in the Windows-based VMware HGFS.sys
+  driver. Exploitation of this flaw might result in arbitrary code execution
+  on the guest system by an unprivileged guest user. The HGFS.sys driver is
+  present in the guest operating system if the VMware Tools package is loaded
+  on Windows based Guest OS.
+
+  Impact: Successful exploitation could result in guest OS users to modify
+  arbitrary memory locations in guest kernel memory and gain privileges.
+  
+  Impact Level : System
+
+  Affected Software/OS :
+  VMware ACE 1.x - 1.0.5 build 79846 on Windows
+  VMware Player 1.x - before 1.0.6 build 80404 on Windows
+  VMware Server 1.x - before 1.0.5 build 80187 on Windows
+  VMware Workstation 5.x - before 5.5.6 build 80404 on Windows
+
+  Fix:
+  Upgrade VMware Product(s) to below version,
+  VMware ACE 1.0.5 build 79846 or later
+  www.vmware.com/download/ace/
+
+  VMware Player 1.0.6 build 80404 or later
+  www.vmware.com/download/player/
+
+  VMware Server 1.0.5 build 80187 or later
+  www.vmware.com/download/server/
+
+  VMware Workstation 5.5.6 build 80404 or later
+  www.vmware.com/download/ws/
+
+  References : http://secunia.com/advisories/30556
+  http://www.vmware.com/security/advisories/VMSA-2008-0009.html
+
+  CVSS Score :
+    CVSS Base Score     : 4.1 (AV:L/AC:M/Au:SI/C:P/I:P/A:P)
+    CVSS Temporal Score : 3.0
+  Risk factor : Medium";
+
+  script_description(english:desc["english"]);
+  script_summary(english:"Check for the version of VMware Products");
+  script_category(ACT_GATHER_INFO);
+  script_copyright(english:"Copyright (C) 2008 Intevation GmbH");
+  script_family(english:"Misc.");
+  script_dependencies("gb_vmware_prdts_detect_win.nasl");
+  exit(0);
+}
+
+
+if(!get_kb_item("VMware/Win/Installed")){ # Is VMWare installed?
+  exit(0);
+}
+
+# VMware ACE
+vmaceVer = get_kb_item("VMware/ACE/Win/Ver");
+if(!vmaceVer){
+  vmaceVer = get_kb_item("VMware/ACE\Dormant/Win/Ver");
+}
+
+if(vmaceVer)
+{
+  if(ereg(pattern:"^1\.0(\.[0-4])?$", string:vmaceVer)){
+    security_warning(0);
+  }
+  exit(0);
+}
+
+# VMware Player
+vmplayerVer = get_kb_item("VMware/Player/Win/Ver");
+if(vmplayerVer)
+{
+  if(ereg(pattern:"^1\.0\.[0-5]($|\..*)", string:vmplayerVer)){
+    security_warning(0);
+  }
+  exit(0);
+}
+
+# VMware Server
+vmserverVer = get_kb_item("VMware/Server/Win/Ver");
+if(vmserverVer)
+{
+  if(ereg(pattern:"^1\.0(\.[0-4])?$", string:vmserverVer)){
+    security_warning(0);
+  }
+  exit(0);
+}
+
+# VMware Workstation
+vmworkstnVer = get_kb_item("VMware/Workstation/Win/Ver");
+if(vmworkstnVer)
+{
+  if(ereg(pattern:"^5\.([0-4](\..*)?|5(\.[0-5])?)$", string:vmworkstnVer)){
+    security_warning(0);
+  }
+}
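Review bot: The Player pattern `^1\.0\.[0-5]($|\..*)` is shaped differently from the ACE and Server ones (`^1\.0(\.[0-4])?$`): it requires a third component and accepts a fourth, while the others make the third optional and reject a fourth, so a `1.0` or `1.0.5.1` style value is treated differently per product for no stated reason. gb_vmware_prdts_detect_win.nasl in this commit always stores a three-component `Ver`, so `^1\.0\.[0-5]$` for Player would match the others' form and the stored data. The Affected line `VMware ACE 1.x - 1.0.5 build 79846` lacks the "before" the other entries carry, although the Fix section and the ACE pattern (up to 1.0.4) both treat 1.0.5 as fixed. The `VMware/ACE\Dormant/Win/Ver` fallback presumably corresponds to an `ACE\Dormant` entry in the detection script's product list, which is not visible in this diff — confirm the derived product name really contains that backslash.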


Property changes on: trunk/openvas-plugins/scripts/gb_vmware_tools_local_prv_esc_vuln_win.nasl
___________________________________________________________________
Name: svn:executable
   + *

Modified: trunk/openvas-plugins/scripts/secpod_smb_func.inc
===================================================================
--- trunk/openvas-plugins/scripts/secpod_smb_func.inc	2008-09-26 11:36:10 UTC (rev 1458)
+++ trunk/openvas-plugins/scripts/secpod_smb_func.inc	2008-09-26 12:12:58 UTC (rev 1459)
@@ -24,6 +24,7 @@
 #  ------------------------------------------------------------------------
 ##############################################################################
 
+
 #
 # Get File version or product version reading through a file. An 
 # offset can be sent indicating the start location. By default
@@ -36,12 +37,15 @@
 
         local_var fsize, data, i, offset, tmp, version, ver, vers, len, retVal;
 
-       
         pattern = "FileVersion";
         if(verstr == "prod"){
         	pattern = "ProductVersion";
         }
- 
+
+	else if(verstr){
+		pattern = verstr;
+	}
+
         patlen = strlen(pattern);
  
         fsize = smb_get_file_size(socket:socket, uid:uid, tid:tid, fid:fid);
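Review bot: The new `else if(verstr)` branch is separated from its `if` by a blank line and is tab-indented while the surrounding body uses eight spaces, which makes the dangling `else` easy to misread as a free-standing `if`; attach it to the closing brace of the `verstr == "prod"` block, `} else if(verstr){ pattern = verstr; }`, using the file's spacing. The header comment above (only its tail is in the hunk) describes the function as reading the file or product version, but `verstr` can now be any literal marker — this commit's detection script passes `"build-"` — so it should state that a value other than `"prod"` is used verbatim as the search pattern. `pattern` and `patlen` are not in the `local_var` list, so they are globals shared with every caller; that predates this change but is worth fixing while touching the line. The function's signature and the rest of its body are outside the hunk.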


