[Openvas-commits] r1459 - in trunk/openvas-plugins: . scripts
Author: chandra
Date: 2008-09-26 14:12:58 +0200 (Fri, 26 Sep 2008)
New Revision: 1459
Added:
trunk/openvas-plugins/scripts/gb_apple_quicktime_mult_vuln_win.nasl
trunk/openvas-plugins/scripts/gb_ca_etrust_scm_mult_vuln.nasl
trunk/openvas-plugins/scripts/gb_vmware_prdts_prv_esc_vuln.nasl
trunk/openvas-plugins/scripts/gb_vmware_tools_local_prv_esc_vuln_lin.nasl
trunk/openvas-plugins/scripts/gb_vmware_tools_local_prv_esc_vuln_win.nasl
Modified:
trunk/openvas-plugins/ChangeLog
trunk/openvas-plugins/scripts/gb_vmware_prdts_detect_win.nasl
trunk/openvas-plugins/scripts/gb_vmware_prdts_mult_vuln_win.nasl
trunk/openvas-plugins/scripts/secpod_smb_func.inc
Log:
Added new plugins and addressed a few issues
Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog 2008-09-26 11:36:10 UTC (rev 1458)
+++ trunk/openvas-plugins/ChangeLog 2008-09-26 12:12:58 UTC (rev 1459)
@@ -1,3 +1,16 @@
+2008-09-26 Chandrashekhar <bchandra at secpod.com>
+ * scripts/gb_vmware_tools_local_prv_esc_vuln_win.nasl,
+ scripts/gb_vmware_prdts_prv_esc_vuln.nasl,
+ scripts/gb_apple_quicktime_mult_vuln_win.nasl,
+ scripts/gb_ca_etrust_scm_mult_vuln.nasl,
+ scripts/gb_vmware_tools_local_prv_esc_vuln_lin.nasl:
+ Added new plugins
+
+ * scripts/secpod_smb_func.inc,
+ scripts/gb_vmware_prdts_detect_win.nasl,
+ scripts/gb_vmware_prdts_mult_vuln_win.nasl:
+ Incorporated review changes
+
2008-09-26 Chandrashekhar B <bchandra at secpod.com>
* scripts/gb_vmware_prdts_detect_win.nasl,
scripts/freebsd_opendchub.nasl:
Added: trunk/openvas-plugins/scripts/gb_apple_quicktime_mult_vuln_win.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_apple_quicktime_mult_vuln_win.nasl 2008-09-26 11:36:10 UTC (rev 1458)
+++ trunk/openvas-plugins/scripts/gb_apple_quicktime_mult_vuln_win.nasl 2008-09-26 12:12:58 UTC (rev 1459)
@@ -0,0 +1,90 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_apple_quicktime_mult_vuln_win.nasl 0284 2008-09-25 10:53:46Z sep $
+#
+# Apple QuickTime Multiple Arbitrary Code Execution Vulnerabilities (Win)
+#
+# Authors:
+# Veerendra GG <veerendragg at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2008 Intevation GmbH, http://www.intevation.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(800102);
+ script_version("$Revision: 1.1 $");
+ script_cve_id("CVE-2008-1581","CVE-2008-1582","CVE-2008-1583",
+ "CVE-2008-1584","CVE-2008-1585");
+ script_bugtraq_id(29619);
+ script_xref(name:"CB-A", value:"08-0094");
+ script_name(english:"Apple QuickTime Multiple Arbitrary Code Execution Vulnerabilities (Win)");
+ desc["english"] = "
+
+ Overview : The host is installed with Apple QuickTime which is prone to
+ Multiple Arbitrary Code Execution Vulnerabilities.
+
+ Vulnerability Insight:
+
+ The flaws are caused due to,
+ - boundary error when parsing packed scanlines from a PixData
+ structure in a PICT file which can be exploited via specially crafted
+ PICT file.
+ - memory corruption issue in AAC-encoded media content can be
+ exploited via a specially crafted media file.
+ - error in the handling of PICT files or Indeo video codec content that
+ can be exploited via a specially crafted PICT file or movie file with
+ Indeo video codec content respectively.
+ - error in the handling of file URLs that can be exploited by making user
+ to play maliciously crafted QuickTime content.
+
+ Impact : Successful exploitation allow attackers to execute arbitrary
+ code or unexpected application termination.
+
+ Impact Level : Application
+
+ Affected Software/OS:
+ Apple QuickTime before 7.5 on Windows (Any).
+
+ Fix : Upgrade to Apple QuickTime version 7.5 or later,
+ http://www.apple.com/quicktime/download/
+
+ References :
+ http://support.apple.com/kb/HT1991
+ http://secunia.com/advisories/29293
+ http://www.nruns.com/security_advisory_quicktime_arbitrary_code_execution.php
+
+ CVSS Score :
+ CVSS Base Score : 8.3 (AV:N/AC:M/Au:NR/C:P/I:P/A:C)
+ CVSS Temporal Score : 6.1
+ Risk factor : High";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Check for the version of Apple QuickTime");
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"Copyright (C) 2008 Intevation GmbH");
+ script_family(english:"Misc.");
+ script_dependencies("secpod_apple_quicktime_detection_win_900124.nasl");
+ exit(0);
+}
+
+
+# Grep for QuickTime version <= 7.5
+if(egrep(pattern:"^([0-6]\..*|7\.([0-4](\..*)?))$",
+ string:get_kb_item("QuickTime/Win/Ver"))){
+ security_hole(0);
+}
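Review bot: The comment above the version check, `# Grep for QuickTime version <= 7.5`, contradicts both the pattern beneath it, which matches 0.x–6.x and 7.0–7.4 only, and the description's `Apple QuickTime before 7.5`; it should read `# Grep for QuickTime version < 7.5`. The pattern is also applied straight to `get_kb_item("QuickTime/Win/Ver")` with no guard for a missing key, unlike the other new scripts in this commit, which `exit(0)` when the KB value is empty; `egrep` on an empty string presumably yields nothing, but `qtVer = get_kb_item("QuickTime/Win/Ver"); if(!qtVer) exit(0);` makes that intent explicit and keeps the scripts consistent.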
Property changes on: trunk/openvas-plugins/scripts/gb_apple_quicktime_mult_vuln_win.nasl
___________________________________________________________________
Name: svn:executable
+ *
Added: trunk/openvas-plugins/scripts/gb_ca_etrust_scm_mult_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_ca_etrust_scm_mult_vuln.nasl 2008-09-26 11:36:10 UTC (rev 1458)
+++ trunk/openvas-plugins/scripts/gb_ca_etrust_scm_mult_vuln.nasl 2008-09-26 12:12:58 UTC (rev 1459)
@@ -0,0 +1,114 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_ca_etrust_scm_mult_vuln.nasl 0280 2008-09-24 12:42:42Z sep $
+#
+# CA eTrust SCM Multiple HTTP Gateway Service Vulnerabilities
+#
+# Authors:
+# Veerendra GG <veerendragg at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2008 Intevation GmbH, http://www.intevation.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(800101);
+ script_version("$Revision: 1.1 $");
+ script_cve_id("CVE-2008-2541");
+ script_bugtraq_id(29528);
+ script_xref(name:"CB-A", value:"08-0091");
+ script_name(english:"CA eTrust SCM Multiple HTTP Gateway Service Vulnerabilities");
+ desc["english"] = "
+
+ Overview : The host is installed with CA eTrust Secure Content Manager which
+ is prone to arbitrary code execution and DoS Vulnerabilities.
+
+ Vulnerability Insight:
+ The flaws are caused due to,
+ - boundary error in the HTTP Gateway service (icihttp.exe running on
+ port 8080), when converting content of an FTP request listing from raw
+ text to HTML.
+ - insufficient bounds checking on certain FTP requests by sending a specially
+ crafted FTP requests containing an overly long LIST/PASV commands that can
+ cause stack-based buffer overflow.
+
+ Impact:
+ Successful exploitation allow attackers to execute arbitrary code or
+ compromise complete system under the system context or denying of service.
+
+ Impact Level : System
+
+ Affected Software/OS:
+ CA eTrust Secure Content Manager version 8.0 - Windows (Any).
+
+ Fix : Apply patch QO99987,
+ https://support.ca.com/irj/portal/ano...s?reqPage=search&searchID=QO99987
+
+ *****
+ NOTE : Ignore this warning, if above mentioned patch is applied already.
+ *****
+
+ References:
+ http://secunia.com/advisories/30518
+ http://www.zerodayinitiative.com/advisories/ZDI-08-035/
+ http://www.zerodayinitiative.com/advisories/ZDI-08-036/
+ http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=36408
+
+ CVSS Score:
+ CVSS Base Score : 7.5 (AV:N/AC:L/Au:NR/C:P/I:P/A:P)
+ CVSS Temporal Score : 5.5
+ Risk factor : High";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Check for the version of CA eTrust SCM");
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"Copyright (C) 2008 Intevation GmbH");
+ script_family(english:"Denial of Service");
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_keys("SMB/WindowsVersion");
+ script_require_ports("Services/www", 8080);
+ exit(0);
+}
+
+
+include("smb_nt.inc");
+
+if(!get_kb_item("SMB/WindowsVersion")){ # Confirm it is Windows
+ exit(0);
+}
+
+port = 8080;
+if(!get_port_state(port)){ # Confirm port is open (8080)
+ exit(0);
+}
+
+# Confirm SCM is installed
+if(!registry_key_exists(key:"SOFTWARE\ComputerAssociates\eTrust\SCM")){
+ exit(0);
+}
+
+# Get CA SCM Version
+scmVer = registry_get_sz(item:"Version",
+ key:"SOFTWARE\ComputerAssociates\eTrust Common Services");
+if(!scmVer){
+ exit(0);
+}
+
+# Grep for CSM version <= 8.0.28
+if(egrep(pattern:"^([0-7]\..*|8\.0\.([01]?[0-9]|2[0-8]))$", string:scmVer)){
+ security_hole(port);
+}
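Review bot: The pattern at the final version check requires a three-component value (`8\.0\.` followed by a number), so a registry `Version` of exactly `8.0` would not match and the host would be reported clean; if that value can lack a third component, `^([0-7]\..*|8\.0(\.([01]?[0-9]|2[0-8]))?)$` covers it. The comment on the same line says `CSM` where the product is SCM: `# Grep for SCM version <= 8.0.28`. The version is read from the `eTrust Common Services` key while installation is confirmed from `eTrust\SCM`; if those keys can carry different versions, a one-line comment stating why Common Services is the authoritative one would help the next maintainer.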
Property changes on: trunk/openvas-plugins/scripts/gb_ca_etrust_scm_mult_vuln.nasl
___________________________________________________________________
Name: svn:executable
+ *
Modified: trunk/openvas-plugins/scripts/gb_vmware_prdts_detect_win.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_vmware_prdts_detect_win.nasl 2008-09-26 11:36:10 UTC (rev 1458)
+++ trunk/openvas-plugins/scripts/gb_vmware_prdts_detect_win.nasl 2008-09-26 12:12:58 UTC (rev 1459)
@@ -85,14 +85,16 @@
"SOFTWARE\VMware, Inc.\VMware Player",
"SOFTWARE\VMWare, Inc.\VMWare Server",
"SOFTWARE\VMware, Inc.\VMware ACE");
+
foreach vmKey (vmwarePrdts)
{
vmwareCode = registry_get_sz(key:vmKey, item:"ProductCode");
if(vmwareCode)
{
- vmVer = registry_get_sz(item:"DisplayVersion",
- key:"SOFTWARE\Microsoft\Windows\CurrentVersion" +
- "\Uninstall\" + vmwareCode);
+ key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\" + vmwareCode;
+ vmVer = registry_get_sz(key:key, item:"DisplayVersion");
+ vmPath = registry_get_sz(key:vmKey, item:"InstallPath");
+
break;
}
}
@@ -102,18 +104,74 @@
{
vmware = split(vmVer, sep:".", keep:0);
vmwareVer = vmware[0] + "." + vmware[1] + "." + vmware[2];
- vmwareBuild = vmware[3];
# Check for strange vmware workstation versions
if(vmwareBuild == "19175" && vmwareVer == "5.5.0"){
vmwareVer = "5.5.1";
}
+ if(vmPath)
+ {
+ share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:vmPath);
+ file1 = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1",
+ string:vmPath + "vmware.exe");
+ file2 = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1",
+ string:vmPath + "vmplayer.exe");
+
+ soc = open_sock_tcp(port);
+ if(!soc){
+ exit(0);
+ }
+
+ r = smb_session_request(soc:soc, remote:name);
+ if(!r){
+ close(soc);
+ exit(0);
+ }
+
+ prot = smb_neg_prot(soc:soc);
+ if(!prot){
+ close(soc);
+ exit(0);
+ }
+
+ r = smb_session_setup(soc:soc, login:login, password:pass, domain:domain,
+ prot:prot);
+ if(!r){
+ close(soc);
+ exit(0);
+ }
+
+ uid = session_extract_uid(reply:r);
+ r = smb_tconx(soc:soc, name:name, uid:uid, share:share);
+
+ tid = tconx_extract_tid(reply:r);
+ if(!tid){
+ close(soc);
+ exit(0);
+ }
+
+ fid = OpenAndX(socket:soc, uid:uid, tid:tid, file:file1);
+ if(!fid)
+ {
+ fid = OpenAndX(socket:soc, uid:uid, tid:tid, file:file2);
+ if(!fid)
+ {
+ close(soc);
+ exit(0);
+ }
+ }
+
+ vmwareBuild = GetVersion(socket:soc, uid:uid, tid:tid, fid:fid, verstr:"build-");
+ close(soc);
+ }
product = ereg_replace(pattern:"SOFTWARE\\VMWare, Inc.\\VMWare (.*)",
string:vmKey, replace:"\1", icase:TRUE);
# Set KB's for GSX Server, Workstation, Player, Server or ACE
set_kb_item(name:"VMware/Win/Installed", value:TRUE);
set_kb_item(name:"VMware/" + product + "/Win/Ver", value:vmwareVer);
- set_kb_item(name:"VMware/" + product + "/Win/Build", value:vmwareBuild);
+ if(vmwareBuild){
+ set_kb_item(name:"VMware/" + product + "/Win/Build", value:vmwareBuild);
+ }
}
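Review bot: `vmwareBuild` is read at the strange-version check (`if(vmwareBuild == "19175" && vmwareVer == "5.5.0")`) before anything assigns it, now that `vmwareBuild = vmware[3];` has been removed and the only remaining assignment is the `GetVersion` call at the end of the `if(vmPath)` block, so that comparison can never hold and the 5.5.1 correction is dead code; restoring `vmwareBuild = vmware[3];` before the check and letting the SMB lookup overwrite it afterwards also keeps the registry value as a fallback. Separately, every failure inside the `if(vmPath)` block ends in `exit(0)`, so a refused SMB session, a failed tree connect or a missing vmware.exe/vmplayer.exe aborts the script before `VMware/Win/Installed` and the `/Win/Ver` key are set, and because the vulnerability scripts in this commit depend solely on those keys, a host whose product version was already read from the registry is silently never checked; those failure paths should `close(soc)` and fall through to the `set_kb_item` calls with `vmwareBuild` left empty. The `name`, `login`, `pass`, `domain` and `port` variables used for the SMB session are not defined in this hunk, presumably earlier in the file.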
Modified: trunk/openvas-plugins/scripts/gb_vmware_prdts_mult_vuln_win.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_vmware_prdts_mult_vuln_win.nasl 2008-09-26 11:36:10 UTC (rev 1458)
+++ trunk/openvas-plugins/scripts/gb_vmware_prdts_mult_vuln_win.nasl 2008-09-26 12:12:58 UTC (rev 1459)
@@ -84,16 +84,11 @@
script_category(ACT_GATHER_INFO);
script_copyright(english:"Copyright (C) 2008 Intevation GmbH");
script_family(english:"Misc.");
- script_dependencies("secpod_reg_enum.nasl", "gb_vmware_prdts_detect_win.nasl");
- script_require_keys("SMB/WindowsVersion");
+ script_dependencies("gb_vmware_prdts_detect_win.nasl");
exit(0);
}
-if(!get_kb_item("SMB/WindowsVersion")){ # Confirm it is Windows
- exit(0);
-}
-
if(!get_kb_item("VMware/Win/Installed")){ # Is VMWare installed?
exit(0);
}
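Review bot: With `script_require_keys("SMB/WindowsVersion")` removed, the description block no longer declares any required key, so the scheduler launches this script on every host and only the runtime `get_kb_item("VMware/Win/Installed")` check stops it; `script_require_keys("VMware/Win/Installed");` after the new `script_dependencies` line keeps it from running where the detect script found nothing. The detect script in this commit sets that key with `set_kb_item`, so it is available for the requirement.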
Added: trunk/openvas-plugins/scripts/gb_vmware_prdts_prv_esc_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_vmware_prdts_prv_esc_vuln.nasl 2008-09-26 11:36:10 UTC (rev 1458)
+++ trunk/openvas-plugins/scripts/gb_vmware_prdts_prv_esc_vuln.nasl 2008-09-26 12:12:58 UTC (rev 1459)
@@ -0,0 +1,118 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_vmware_prdts_prv_esc_vuln.nasl 283 2008-09-25 09:27:22Z sep $
+#
+# VMware Product(s) Local Privilege Escalation Vulnerability
+#
+# Authors: Chandan S <schandan at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2008 Intevation GmbH, http://www.intevation.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(800006);
+ script_version("$Revision: 1.1 $");
+ script_cve_id("CVE-2008-0967");
+ script_xref(name:"CB-A", value:"08-0093");
+ script_name(english:"VMware Product(s) Local Privilege Escalation Vulnerability");
+ desc["english"] = "
+
+ Overview : The host is installed with VMWare product(s) that are vulnerable
+ to local privilege escalation vulnerability.
+
+ Vulnerability Insight:
+ Issue is due to local exploitation of an untrusted library path in
+ vmware-authd.
+
+ Impact : Successful exploitation could result in arbitrary code execution on
+ linux based host system by an unprivileged user.
+
+ Local access is required in order to execute the set-uid vmware-authd.
+
+ Impact Level : System
+
+ Affected Software/OS:
+ VMware Player 1.x - before 1.0.7 build 91707 on Linux
+ VMware Player 2.x - before 2.0.4 build 93057 on Linux
+ VMware Server 1.x - before 1.0.6 build 91891 on Linux
+ VMware Workstation 5.x - before 5.5.7 build 91707 on Linux
+ VMware Workstation 6.x - before 6.0.4 build 93057 on Linux
+
+ Fix:
+ Upgrade VMware Product(s) to below version,
+ VMware Player 1.0.7 build 91707 or 2.0.4 build 93057 or later
+ www.vmware.com/download/player/
+
+ VMware Server 1.0.6 build 91891 or later
+ www.vmware.com/download/server/
+
+ VMware Workstation 5.5.7 build 91707 or 6.0.4 build 93057 or later
+ www.vmware.com/download/ws/
+
+ References : http://secunia.com/advisories/30556
+ http://www.vmware.com/security/advisories/VMSA-2008-0009.html
+
+ CVSS Score:
+ CVSS Base Score : 4.1 (AV:L/AC:M/Au:SI/C:P/I:P/A:P)
+ CVSS Temporal Score : 3.0
+ Risk factor : Medium";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Check for the version of VMware Products");
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"Copyright (C) 2008 Intevation GmbH");
+ script_family(english:"Misc.");
+ script_dependencies("gb_vmware_prdts_detect_lin.nasl");
+ exit(0);
+}
+
+
+if(!get_kb_item("VMware/Linux/Installed")){
+ exit(0);
+}
+
+# VMware Player
+playerVer = get_kb_item("VMware/Player/Linux/Ver");
+if(playerVer)
+{
+ if(ereg(pattern:"^(1\.0(\.[0-6])?|2\.0(\.[0-3])?)($|[^.0-9])",
+ string:playerVer)){
+ security_warning(0);
+ }
+ exit(0);
+}
+
+# VMware Server
+serverVer = get_kb_item("VMware/Server/Linux/Ver");
+if(serverVer)
+{
+ if(ereg(pattern:"^1\.0(\.[0-5])?($|[^.0-9])", string:serverVer)){
+ security_warning(0);
+ }
+ exit(0);
+}
+
+# VMware Workstation
+wrkstnVer = get_kb_item("VMware/Workstation/Linux/Ver");
+if(wrkstnVer)
+{
+ if(ereg(pattern:"^(5\.([0-4](\..*)?|5(\.[0-6])?)|6\.0(\.[0-3])?)($|[^.0-9])",
+ string:wrkstnVer)){
+ security_warning(0);
+ }
+}
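Review bot: The `exit(0)` closing the Player block and the one closing the Server block end the script as soon as one product is found, whether or not its version matched, so if the detect script can record more than one product, a host with a patched Player next to a vulnerable Workstation is reported clean; dropping those two `exit(0)` lines lets every product present be checked. The same pattern appears in gb_vmware_tools_local_prv_esc_vuln_lin.nasl and gb_vmware_tools_local_prv_esc_vuln_win.nasl in this commit. The checks also compare version strings only while the affected ranges are stated per build (e.g. `before 1.0.7 build 91707`); that is consistent with the fix versions listed, but a comment such as `# Build numbers are not compared: the fixed builds ship with a new version` would save the next reader the question.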
Property changes on: trunk/openvas-plugins/scripts/gb_vmware_prdts_prv_esc_vuln.nasl
___________________________________________________________________
Name: svn:executable
+ *
Added: trunk/openvas-plugins/scripts/gb_vmware_tools_local_prv_esc_vuln_lin.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_vmware_tools_local_prv_esc_vuln_lin.nasl 2008-09-26 11:36:10 UTC (rev 1458)
+++ trunk/openvas-plugins/scripts/gb_vmware_tools_local_prv_esc_vuln_lin.nasl 2008-09-26 12:12:58 UTC (rev 1459)
@@ -0,0 +1,119 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_vmware_tools_local_prv_esc_vuln_lin.nasl 0279 2008-09-26 14:47:14Z sep $
+#
+# VMware Tools Local Privilege Escalation Vulnerability (Linux)
+#
+# Authors:
+# Chandan S <schandan at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2008 Intevation GmbH, http://www.intevation.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(800005);
+ script_version("$Revision: 1.0 $");
+ script_cve_id("CVE-2007-5671");
+ script_xref(name:"CB-A", value:"08-0093");
+ script_name(english:"VMware Tools Local Privilege Escalation Vulnerability (Linux)");
+ desc["english"] = "
+
+ Overview : The host is installed with VMWare product(s) that are vulnerable
+ to local privilege escalation vulnerability.
+
+ Vulnerability Insight:
+ An input validation error is present in the Windows-based VMware HGFS.sys
+ driver. Exploitation of this flaw might result in arbitrary code execution
+ on the guest system by an unprivileged guest user. The HGFS.sys driver is
+ present in the guest operating system if the VMware Tools package is loaded
+ on Windows based Guest OS.
+
+ Impact:
+ Successful exploitation could result in guest OS users to modify arbitrary
+ memory locations in guest kernel memory and gain privileges.
+
+ Issue still exists even if the host has HGFS disabled and has no shared
+ folders.
+
+ Impact Level : System
+
+ Affected Software/OS :
+ VMware Player 1.x - before 1.0.6 build 80404 on Linux
+ VMware Server 1.x - before 1.0.5 build 80187 on Linux
+ VMware Workstation 5.x - before 5.5.6 build 80404 on Linux
+
+ Fix : Upgrade VMware Product(s) to below version,
+ VMware Player 1.0.6 build 80404 or later
+ www.vmware.com/download/player/
+
+ VMware Server 1.0.5 build 80187 or later
+ www.vmware.com/download/server/
+
+ VMware Workstation 5.5.6 build 80404 or later
+ www.vmware.com/download/ws/
+
+ References : http://secunia.com/advisories/30556
+ http://www.vmware.com/security/advisories/VMSA-2008-0009.html
+
+ CVSS Score :
+ CVSS Base Score : 4.1 (AV:L/AC:M/Au:SI/C:P/I:P/A:P)
+ CVSS Temporal Score : 3.0
+ Risk factor : Medium";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Check for the version of VMware Products");
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"Copyright (C) 2008 Intevation GmbH");
+ script_family(english:"Misc.");
+ script_dependencies("gb_vmware_prdts_detect_lin.nasl");
+ exit(0);
+}
+
+
+if(!get_kb_item("VMware/Linux/Installed")){
+ exit(0);
+}
+
+# VMware Player
+playerVer = get_kb_item("VMware/Player/Linux/Ver");
+if(playerVer)
+{
+ if(ereg(pattern:"^1\.0(\.[0-5])?($|[^.0-9])", string:playerVer)){
+ security_warning(0);
+ }
+ exit(0);
+}
+
+# VMware Server
+serverVer = get_kb_item("VMware/Server/Linux/Ver");
+if(serverVer)
+{
+ if(ereg(pattern:"^1\.0(\.[0-4])?($|[^.0-9])", string:serverVer)){
+ security_warning(0);
+ }
+ exit(0);
+}
+
+# VMware Workstation
+wrkstnVer = get_kb_item("VMware/Workstation/Linux/Ver");
+if(wrkstnVer)
+{
+ if(ereg(pattern:"^5\.([0-4](\..*)?|5(\.[0-5])?)($|[^.0-9])", string:wrkstnVer)){
+ security_warning(0);
+ }
+}
Property changes on: trunk/openvas-plugins/scripts/gb_vmware_tools_local_prv_esc_vuln_lin.nasl
___________________________________________________________________
Name: svn:executable
+ *
Added: trunk/openvas-plugins/scripts/gb_vmware_tools_local_prv_esc_vuln_win.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_vmware_tools_local_prv_esc_vuln_win.nasl 2008-09-26 11:36:10 UTC (rev 1458)
+++ trunk/openvas-plugins/scripts/gb_vmware_tools_local_prv_esc_vuln_win.nasl 2008-09-26 12:12:58 UTC (rev 1459)
@@ -0,0 +1,134 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_vmware_tools_local_prv_esc_vuln_win.nasl 279 2008-09-24 12:38:09Z sep $
+#
+# VMware Tools Local Privilege Escalation Vulnerability (Win)
+#
+# Authors:
+# Chandan S <schandan at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2008 Intevation GmbH, http://www.intevation.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(800004);
+ script_version("$Revision: 1.0 $");
+ script_cve_id("CVE-2007-5671");
+ script_xref(name:"CB-A", value:"08-0093");
+ script_name(english:"VMware Tools Local Privilege Escalation Vulnerability (Win)");
+ desc["english"] = "
+
+ Overview : The host is installed with VMWare product(s) that are vulnerable
+ to local privilege escalation vulnerability.
+
+ Vulnerability Insight:
+ An input validation error is present in the Windows-based VMware HGFS.sys
+ driver. Exploitation of this flaw might result in arbitrary code execution
+ on the guest system by an unprivileged guest user. The HGFS.sys driver is
+ present in the guest operating system if the VMware Tools package is loaded
+ on Windows based Guest OS.
+
+ Impact: Successful exploitation could result in guest OS users to modify
+ arbitrary memory locations in guest kernel memory and gain privileges.
+
+ Impact Level : System
+
+ Affected Software/OS :
+ VMware ACE 1.x - 1.0.5 build 79846 on Windows
+ VMware Player 1.x - before 1.0.6 build 80404 on Windows
+ VMware Server 1.x - before 1.0.5 build 80187 on Windows
+ VMware Workstation 5.x - before 5.5.6 build 80404 on Windows
+
+ Fix:
+ Upgrade VMware Product(s) to below version,
+ VMware ACE 1.0.5 build 79846 or later
+ www.vmware.com/download/ace/
+
+ VMware Player 1.0.6 build 80404 or later
+ www.vmware.com/download/player/
+
+ VMware Server 1.0.5 build 80187 or later
+ www.vmware.com/download/server/
+
+ VMware Workstation 5.5.6 build 80404 or later
+ www.vmware.com/download/ws/
+
+ References : http://secunia.com/advisories/30556
+ http://www.vmware.com/security/advisories/VMSA-2008-0009.html
+
+ CVSS Score :
+ CVSS Base Score : 4.1 (AV:L/AC:M/Au:SI/C:P/I:P/A:P)
+ CVSS Temporal Score : 3.0
+ Risk factor : Medium";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Check for the version of VMware Products");
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"Copyright (C) 2008 Intevation GmbH");
+ script_family(english:"Misc.");
+ script_dependencies("gb_vmware_prdts_detect_win.nasl");
+ exit(0);
+}
+
+
+if(!get_kb_item("VMware/Win/Installed")){ # Is VMWare installed?
+ exit(0);
+}
+
+# VMware ACE
+vmaceVer = get_kb_item("VMware/ACE/Win/Ver");
+if(!vmaceVer){
+ vmaceVer = get_kb_item("VMware/ACE\Dormant/Win/Ver");
+}
+
+if(vmaceVer)
+{
+ if(ereg(pattern:"^1\.0(\.[0-4])?$", string:vmaceVer)){
+ security_warning(0);
+ }
+ exit(0);
+}
+
+# VMware Player
+vmplayerVer = get_kb_item("VMware/Player/Win/Ver");
+if(vmplayerVer)
+{
+ if(ereg(pattern:"^1\.0\.[0-5]($|\..*)", string:vmplayerVer)){
+ security_warning(0);
+ }
+ exit(0);
+}
+
+# VMware Server
+vmserverVer = get_kb_item("VMware/Server/Win/Ver");
+if(vmserverVer)
+{
+ if(ereg(pattern:"^1\.0(\.[0-4])?$", string:vmserverVer)){
+ security_warning(0);
+ }
+ exit(0);
+}
+
+# VMware Workstation
+vmworkstnVer = get_kb_item("VMware/Workstation/Win/Ver");
+if(vmworkstnVer)
+{
+ if(ereg(pattern:"^5\.([0-4](\..*)?|5(\.[0-5])?)$", string:vmworkstnVer)){
+ security_warning(0);
+ }
+}
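Review bot: The affected-software entry `VMware ACE 1.x - 1.0.5 build 79846 on Windows` omits the `before` that the sibling entries and the fix line (`VMware ACE 1.0.5 build 79846 or later`) carry, so the text declares 1.0.5 affected while the ACE check's pattern `^1\.0(\.[0-4])?$` flags only 1.0.0–1.0.4; the line should read `VMware ACE 1.x - before 1.0.5 build 79846 on Windows`. The fallback key `VMware/ACE\Dormant/Win/Ver` contains a backslash, which only ever matches if the detect script derives a product name containing `ACE\Dormant` from a registry path; the product list visible in the detect hunk shows `VMware ACE` only, so this is worth confirming against the full list earlier in that file.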
Property changes on: trunk/openvas-plugins/scripts/gb_vmware_tools_local_prv_esc_vuln_win.nasl
___________________________________________________________________
Name: svn:executable
+ *
Modified: trunk/openvas-plugins/scripts/secpod_smb_func.inc
===================================================================
--- trunk/openvas-plugins/scripts/secpod_smb_func.inc 2008-09-26 11:36:10 UTC (rev 1458)
+++ trunk/openvas-plugins/scripts/secpod_smb_func.inc 2008-09-26 12:12:58 UTC (rev 1459)
@@ -24,6 +24,7 @@
# ------------------------------------------------------------------------
##############################################################################
+
#
# Get File version or product version reading through a file. An
# offset can be sent indicating the start location. By default
@@ -36,12 +37,15 @@
local_var fsize, data, i, offset, tmp, version, ver, vers, len, retVal;
-
pattern = "FileVersion";
if(verstr == "prod"){
pattern = "ProductVersion";
}
-
+
+ else if(verstr){
+ pattern = verstr;
+ }
+
patlen = strlen(pattern);
fsize = smb_get_file_size(socket:socket, uid:uid, tid:tid, fid:fid);
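Review bot: The new `else if(verstr)` branch makes any non-empty `verstr` other than `prod` the literal marker searched for in the file (the detect script in this commit passes `verstr:"build-"`), but the function's header comment still only speaks of file version or product version; it should state that any other value of `verstr` is used verbatim as the search pattern. Stylistically, the blank line between the closing `}` of the `if` and the `else if` reads as two separate statements at first glance; `}` and `else if(verstr){` belong on adjacent lines. `pattern` and `patlen` are also not in the `local_var` list, so unless the interpreter creates them locally they can clobber a same-named variable in the caller's context; adding them to `local_var` removes that risk. The function starts before and ends after this hunk.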