[Openvas-commits] r1474 - in trunk/openvas-plugins: . scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Tue Sep 30 14:16:18 CEST 2008


Author: chandra
Date: 2008-09-30 14:16:17 +0200 (Tue, 30 Sep 2008)
New Revision: 1474

Added:
   trunk/openvas-plugins/scripts/gb_ms08-030.nasl
   trunk/openvas-plugins/scripts/gb_ms08-033.nasl
Modified:
   trunk/openvas-plugins/ChangeLog
Log:
Released new plugins

Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2008-09-30 10:18:27 UTC (rev 1473)
+++ trunk/openvas-plugins/ChangeLog	2008-09-30 12:16:17 UTC (rev 1474)
@@ -1,3 +1,8 @@
+2008-09-30 Chandrashekhar B <bchandra at secpod.com>
+	* scripts/gb_ms08-033.nasl,
+	  scripts/gb_ms08-030.nasl:
+	  Added new plugins
+
 2008-09-29 Chandrashekhar B <bchandra at secpod.com>
 	* scripts/gb_vmware_prdts_prv_esc_vuln.nasl,
 	  scripts/gb_vmware_prdts_detect_win.nasl:

Added: trunk/openvas-plugins/scripts/gb_ms08-030.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_ms08-030.nasl	2008-09-30 10:18:27 UTC (rev 1473)
+++ trunk/openvas-plugins/scripts/gb_ms08-030.nasl	2008-09-30 12:16:17 UTC (rev 1474)
@@ -0,0 +1,182 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_ms08-030.nasl 0292 30 12:54:43Z sep $
+#
+# Bluetooth Stack Could Allow Remote Code Execution Vulnerability (951376)
+#
+# Authors:      Chandan S <schandan at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2008 Intevation GmbH, http://www.intevation.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(800008);
+  script_version("$Revision: 1.0 $");
+  script_cve_id("CVE-2008-1453");
+  script_bugtraq_id(29522);
+  script_xref(name:"CB-A", value:"08-0099");
+  script_name(english:"Bluetooth Stack Could Allow Remote Code Execution Vulnerability (951376)");
+  desc["english"] = "
+  Overview : This host has critical security update missing according to
+  Microsoft Bulletin MS08-030.
+
+  Vulnerability Insight :
+  The flaw is caused due to an error in the Bluetooth stack when processing
+  large number of service description requests.
+
+  Impact: Successful exploitation could allow remote attackers to execute
+  arbitrary code with elevated privileges by rapidly sending a large number
+  of specially crafted SDP (Service Discovery Protocol) packets to the
+  vulnerable system.
+
+  Impact Level: System.
+ 
+  Affected Software/OS: Microsoft Windows XP SP2/SP3.
+
+  Fix : Run Windows Update and update the listed hotfixes or download and
+  update mentioned hotfixes in the advisory from the below link.
+  http://www.microsoft.com/technet/security/bulletin/ms08-030.mspx
+
+  References:
+  http://www.us-cert.gov/cas/techalerts/TA08-162B.html
+  http://www.microsoft.com/technet/security/bulletin/ms08-030.mspx
+
+  CVSS Score:
+    CVSS Base Score     : 9.3 (AV:N/AC:M/Au:NR/C:C/I:C/A:C)
+    CVSS Temporal Score : 6.9
+  Risk factor : High";
+
+  script_description(english:desc["english"]);
+  script_summary(english:"Check for the Hotfix and version of MS08-030");
+  script_category(ACT_GATHER_INFO);
+  script_copyright(english:"Copyright (C) 2008 Intevation GmbH");
+  script_family(english:"Windows");
+  script_dependencies("secpod_reg_enum.nasl");
+  exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("secpod_smb_func.inc");
+
+# Check OS applicability. Only Windows XP is verified, Vista is affected as
+# well but, not supported at this point in time.
+if(hotfix_check_sp(xp:4) <= 0){
+  exit(0);
+}
+
+function Get_FileVersion()
+{
+  sysFile = registry_get_sz(key:"SOFTWARE\Microsoft\COM3\Setup",
+                            item:"Install Path");
+  if(!sysFile){
+    exit(0);
+  }
+  
+  sysFile += "\drivers\Bthport.sys";
+  share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:sysFile);
+  file =  ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1", string:sysFile);
+  
+  soc = open_sock_tcp(port);
+  if(!soc){
+    exit(0);
+  }
+  
+  r = smb_session_request(soc:soc, remote:name);
+  if(!r)
+  { 
+    close(soc);
+    exit(0);
+  }
+  
+  prot = smb_neg_prot(soc:soc);
+  if(!prot)
+  { 
+    close(soc);
+    exit(0);
+  }
+  
+  r = smb_session_setup(soc:soc, login:login, password:pass,
+                        domain:domain, prot:prot);
+  if(!r)
+  { 
+    close(soc);
+    exit(0);
+  }
+
+  uid = session_extract_uid(reply:r);
+  r = smb_tconx(soc:soc, name:name, uid:uid, share:share);
+
+  tid = tconx_extract_tid(reply:r);
+  if(!tid)
+  {
+    close(soc);
+    exit(0);
+  }
+
+  fid = OpenAndX(socket:soc, uid:uid, tid:tid, file:file);
+  if(!fid)
+  {
+    close(soc);
+    exit(0);
+  }
+
+  v = GetVersion(socket:soc, uid:uid, tid:tid, fid:fid, verstr:"prod",
+                 offset:260000);
+  close(soc);
+  return v;
+}
+
+
+# Check for Hotfix 951376 (MS08-030). 
+if(hotfix_missing(name:"951376") == 0){
+  exit(0);
+}
+
+SP = get_kb_item("SMB/WinXP/ServicePack");
+if("Service Pack 2" >< SP)
+{
+  sysVer = Get_FileVersion();
+  if(sysVer == NULL){
+    exit(0);
+  }
+
+  # Grep for Bthport.sys version < 5.1.2600.3389
+  if(egrep(pattern:"^5\.0?1\.2600\.([0-2]?[0-9]?[0-9]?[0-9]|3[0-2][0-9][0-9]" +
+                   "|33([0-7][0-9]|8[0-8]))$",
+           string:sysVer)){
+    security_hole(0);
+  }
+  exit(0);
+}
+
+else if("Service Pack 3" >< SP)
+{
+  sysVer = Get_FileVersion();
+  if(sysVer == NULL){
+      exit(0);
+  }
+
+  # Grep for Bthport.sys version < 5.1.2600.5620
+  if(egrep(pattern:"5\.0?1\.2600\.([0-4]?[0-9]?[0-9]?[0-9]|5[0-5][0-9][0-9]|" +
+                   "56[01][0-9])$",
+           string:sysVer)){
+    security_hole(0);
+  }
+}


Property changes on: trunk/openvas-plugins/scripts/gb_ms08-030.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/gb_ms08-033.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_ms08-033.nasl	2008-09-30 10:18:27 UTC (rev 1473)
+++ trunk/openvas-plugins/scripts/gb_ms08-033.nasl	2008-09-30 12:16:17 UTC (rev 1474)
@@ -0,0 +1,250 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_ms08-033.nasl  0291 30 11:22:07Z sep $
+#
+# Vulnerabilities in DirectX Could Allow Remote Code Execution (951698)
+#
+# Authors:
+# Veerendra GG <veerendragg at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2008 Intevation GmbH, http://www.intevation.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(800104);
+  script_version("$Revision: 1.1 $");
+  script_cve_id("CVE-2008-0011","CVE-2008-1444");
+  script_bugtraq_id(29581, 29578);
+  script_xref(name:"CB-A", value:"08-0097");
+  script_name(english:"Vulnerabilities in DirectX Could Allow Remote Code Execution (951698)");
+  desc["english"] = "
+
+  Overview : This host has DirectX installed, which is prone to Remote Code
+  Execution Vulnerabilities.
+
+  Vulnerability Insight:
+  The flaws are caused due to,
+  - error in the Windows MJPEG Codec when performing error checking on MJPEG
+    video streams embedded in ASF or AVI media files can be exploited with a
+    specially crafted MJPEG file.
+  - error in the parsing of Class Name variables in Synchronized Accessible
+    Media Interchange (SAMI) files can be exploited with a specially crafted
+    SAMI file.
+
+  Impact:
+  Successful exploitation allows remote attackers to execute arbitrary code when
+  a user opens a specially crafted media file. An attacker could take complete
+  control of an affected system.
+
+  Impact Level: System
+
+  Affected Software/OS:
+  DirectX 7.0, 8.1, 9.0, 9.0a, 9.0b and 9.0c on Microsoft Windows 2000
+  DirectX 9.0, 9.0a, 9.0b and 9.0c on Microsoft Windows XP and 2003
+
+  Fix:
+  Run Windows Update and update the listed hotfixes or download and update
+  mentioned hotfixes in the advisory from the below link.
+  http://www.microsoft.com/technet/security/bulletin/ms08-033.mspx
+
+  References:
+  http://secunia.com/advisories/30579
+  http://www.frsirt.com/english/advisories/2008/1780
+  http://www.us-cert.gov/cas/techalerts/TA08-162B.html
+  http://www.zerodayinitiative.com/advisories/ZDI-08-040/
+  http://www.microsoft.com/technet/security/bulletin/ms08-033.mspx
+
+  CVSS Score:
+    CVSS Base Score     : 9.3 (AV:N/AC:M/Au:NR/C:C/I:C/A:C)
+    CVSS Temporal Score : 6.9
+  Risk factor : High";
+
+  script_description(english:desc["english"]);
+  script_summary(english:"Check for the version of Internet Explorer");
+  script_category(ACT_GATHER_INFO);
+  script_copyright(english:"Copyright (C) 2008 Intevation GmbH");
+  script_family(english:"Windows");
+  script_dependencies("secpod_reg_enum.nasl");
+  exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("secpod_smb_func.inc");
+
+# Check the hotfix applicability to each OS
+if(hotfix_check_sp(win2k:5, xp:4, win2003:3) <= 0){
+  exit(0);
+}
+
+function Get_FileVersion()
+{
+  dllFile = registry_get_sz(key:"SOFTWARE\Microsoft\COM3\Setup",
+                            item:"Install Path");
+  if(!dllFile){
+    exit(0);
+  }
+
+  dllFile += "\quartz.dll";
+  share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:dllFile);
+  file =  ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1", string:dllFile);
+
+  soc = open_sock_tcp(port);
+  if(!soc){
+    exit(0);
+  }
+
+  r = smb_session_request(soc:soc, remote:name);
+  if(!r)
+  {
+    close(soc);
+    exit(0);
+  }
+
+  prot = smb_neg_prot(soc:soc);
+  if(!prot)
+  {
+    close(soc);
+    exit(0);
+  }
+
+  r = smb_session_setup(soc:soc, login:login, password:pass,
+                        domain:domain, prot:prot);
+  if(!r)
+  {
+    close(soc);
+    exit(0);
+  }
+
+  uid = session_extract_uid(reply:r);
+  r = smb_tconx(soc:soc, name:name, uid:uid, share:share);
+
+  tid = tconx_extract_tid(reply:r);
+  if(!tid)
+  {
+    close(soc);
+    exit(0);
+  }
+
+  fid = OpenAndX(socket:soc, uid:uid, tid:tid, file:file);
+  if(!fid)
+  {
+    close(soc);
+    exit(0);
+  }
+
+  v = GetVersion(socket:soc, uid:uid, tid:tid, fid:fid, verstr:"prod",
+                 offset:600000);
+  close(soc);
+  return v;
+}
+
+# Check DirectX is installed
+directXver = registry_get_sz(key:"SOFTWARE\Microsoft\DirectX", item:"Version");
+if(!egrep(pattern:"^4\.0[7-9]\..*", string:directXver)){
+  exit(0);
+}
+
+# MS08-033 Hotfix check
+if(hotfix_missing(name:"951698") == 0){
+  exit(0);
+}
+
+fileVer = Get_FileVersion();
+if(fileVer == NULL){
+  exit(0);
+}
+
+if(hotfix_check_sp(win2k:5) > 0)
+{
+  if(egrep(pattern:"^4\.07", string:directXver))
+  {
+    # Grep Quartz.dll version < 6.1.9.734
+    if(egrep(pattern:"^6\.01\.09\.0?([0-6]?[0-9]?[0-9]|7([0-2][0-9]|3[0-3]))$",
+             string:fileVer)){
+      security_hole(0);
+    }
+  }
+  else if(egrep(pattern:"^4\.08", string:directXver))
+  {
+    # Grep Quartz.dll version < 6.3.1.891
+    if(egrep(pattern:"^6\.03\.01\.0?([0-7]?[0-9]?[0-9]|8([0-8][0-9]|90))$",
+             string:fileVer)){
+      security_hole(0);
+    }
+  }
+  else if(egrep(pattern:"^4\.09", string:directXver))
+  {
+    # Grep Quartz.dll version < 6.5.1.909
+    if(egrep(pattern:"^6\.05\.01\.0?([0-8]?[0-9]?[0-9]|90[0-8])$",
+             string:fileVer)){
+      security_hole(0);
+    }
+  }
+  exit(0);
+}
+
+if(hotfix_check_sp(xp:4) > 0)
+{
+  if(egrep(pattern:"^4\.09", string:directXver))
+  {
+    SP = get_kb_item("SMB/WinXP/ServicePack");
+    if("Service Pack 2" >< SP)
+    {
+      # Grep Quartz.dll version < 6.5.2600.3367
+      if(egrep(pattern:"^6\.05\.2600\.([0-2]?[0-9]?[0-9]?[0-9]|3([0-2][0-9]" +
+                       "[0-9]|3([0-5][0-9]|6[0-6])))$", string:fileVer)){
+        security_hole(0);
+      }
+    }
+    else if("Service Pack 3" >< SP)
+    {
+      # Grep Quartz.dll version < 6.5.2600.5596
+      if(egrep(pattern:"^6\.05\.2600\.([0-4]?[0-9]?[0-9]?[0-9]|5([0-4][0-9]" +
+                       "[0-9]|5([0-8][0-9]|9[0-5])))$", string:fileVer)){
+        security_hole(0);
+      }
+    }
+  }
+  exit(0);
+}
+
+if(hotfix_check_sp(win2003:3) > 0)
+{
+  if(egrep(pattern:"^4\.09", string:directXver))
+  {
+    SP = get_kb_item("SMB/Win2003/ServicePack");
+    if("Service Pack 1" >< SP)
+    {
+      # Grep Quartz.dll version < 6.5.3790.3130
+      if(egrep(pattern:"^6\.05\.3790\.([0-2]?[0-9]?[0-9]?[0-9]|3(0[0-9]" +
+                       "[0-9]|1[0-2][0-9]))$", string:fileVer)){
+        security_hole(0);
+      }
+    }
+    else if("Service Pack 2" >< SP)
+    {
+      # Grep Quartz.dll version < 6.5.3790.4283
+      if(egrep(pattern:"^6\.05\.3790\.([0-3]?[0-9]?[0-9]?[0-9]|4([01][0-9]" +
+                       "[0-9]|2([0-7][0-9]|8[0-2])))$", string:fileVer)){
+        security_hole(0);
+      }
+    }
+  }
+}


Property changes on: trunk/openvas-plugins/scripts/gb_ms08-033.nasl
___________________________________________________________________
Name: svn:executable
   + *



More information about the Openvas-commits mailing list