[Openvas-commits] r3105 - in trunk/openvas-plugins: . scripts
Wed Apr 15 18:21:31 CEST 2009
Author: chandra
Date: 2009-04-15 18:21:29 +0200 (Wed, 15 Apr 2009)
New Revision: 3105
Added:
trunk/openvas-plugins/scripts/secpod_ms09-011.nasl
trunk/openvas-plugins/scripts/secpod_ms09-012.nasl
trunk/openvas-plugins/scripts/secpod_ms09-013.nasl
trunk/openvas-plugins/scripts/secpod_ms09-014.nasl
trunk/openvas-plugins/scripts/secpod_ms09-015.nasl
Modified:
trunk/openvas-plugins/ChangeLog
trunk/openvas-plugins/scripts/secpod_ms_excel_remote_code_exec_vuln.nasl
trunk/openvas-plugins/scripts/secpod_ms_wordpad_mult_vuln.nasl
Log:
Added MS Bulletin plugins for Apr-09
Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog 2009-04-15 10:02:53 UTC (rev 3104)
+++ trunk/openvas-plugins/ChangeLog 2009-04-15 16:21:29 UTC (rev 3105)
@@ -1,3 +1,13 @@
+2009-04-15 Chandrashekhar B <bchandra at secpod.com>
+ * scripts/secpod_ms09-014.nasl
+ scripts/secpod_ms_wordpad_mult_vuln.nasl
+ scripts/secpod_ms09-011.nasl
+ scripts/secpod_ms09-013.nasl
+ scripts/secpod_ms09-015.nasl
+ scripts/secpod_ms_excel_remote_code_exec_vuln.nasl
+ scripts/secpod_ms09-012.nasl:
+ Added MS Bulletin plugins for Apr-09
+
2009-04-14 Michael Wiegand <michael.wiegand at intevation.de>
* scripts/gb_magic_iso_maker_detect.nasl: Fixed missing parenthesis.
Added: trunk/openvas-plugins/scripts/secpod_ms09-011.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms09-011.nasl 2009-04-15 10:02:53 UTC (rev 3104)
+++ trunk/openvas-plugins/scripts/secpod_ms09-011.nasl 2009-04-15 16:21:29 UTC (rev 3105)
@@ -0,0 +1,173 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_ms09-011.nasl 1698 2009-04-15 11:27:04Z apr $
+#
+# Microsoft DirectShow Remote Code Execution Vulnerability (961373)
+#
+# Authors:
+# Chandan S <schandan at secpod.com>
+#
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(900093);
+ script_version("$Revision: 1.0 $");
+ script_cve_id("CVE-2009-0084");
+ script_bugtraq_id(34460);
+ script_name(english:"Microsoft DirectShow Remote Code Execution Vulnerability (961373)");
+ desc["english"] = "
+
+ Overview: This host has critical security update missing according to
+ Microsoft Bulletin MS09-011.
+
+ Vulnerability Insight:
+ DirectX application throws an an error when decompressing MJPEG content,
+ and can be exploited via a specially crafted MJPEG file.
+
+ Impact:
+ Successful exploitation on remote vulnerable system allow arbitrary code
+ execution and can potentially compromise a user's system.
+
+ Impact Level: System
+
+ Affected Software/OS:
+ DirectX 8.1 and 9.0 on Microsoft Windows 2000
+ DirectX 9.0 on Microsoft Windows XP and 2003
+
+ Fix:
+ Run Windows Update and update the listed hotfixes or download and
+ update mentioned hotfixes in the advisory from the below link,
+ http://www.microsoft.com/technet/security/bulletin/ms09-011.mspx
+
+ References:
+ http://www.microsoft.com/technet/security/bulletin/ms09-011.mspx
+
+ CVSS Score:
+ CVSS Base Score : 10.0 (AV:N/AC:L/Au:NR/C:C/I:C/A:C)
+ CVSS Temporal Score : 7.4
+ Risk factor : High";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Check for the version of Directx and Hotfix");
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"Copyright (C) 2009 SecPod");
+ script_family(english:"Windows : Microsoft Bulletins");
+ script_dependencies("secpod_reg_enum.nasl");
+ exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
+
+# OS with Hotfix Check
+if(hotfix_check_sp(win2k:5, xp:4, win2003:3) <= 0){
+ exit(0);
+}
+
+# Check DirectX is installed
+directXver = registry_get_sz(key:"SOFTWARE\Microsoft\DirectX", item:"Version");
+if(!egrep(pattern:"^4\.0[89]\..*", string:directXver)){
+ exit(0);
+}
+
+# MS09-011 Hotfix check
+if(hotfix_missing(name:"961373") == 0){
+ exit(0);
+}
+
+dllFile = registry_get_sz(key:"SOFTWARE\Microsoft\COM3\Setup",
+ item:"Install Path");
+if(!dllFile){
+ exit(0);
+}
+
+share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:dllFile);
+file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1",
+ string:dllFile + "\quartz.dll");
+
+dllVer = GetVer(file:file, share:share);
+if(!dllVer){
+ exit(0);
+}
+
+if(hotfix_check_sp(win2k:5) > 0)
+{
+ if(directXver =~ "^4\.08")
+ {
+ # Grep Quartz.dll version < 6.3.1.892
+ if(version_is_less(version:dllVer, test_version:"6.3.1.892")){
+ security_hole(0);
+ }
+ }
+ else if(directXver =~ "^4\.09")
+ {
+ # Grep Quartz.dll version < 6.5.1.910
+ if(version_is_less(version:dllVer, test_version:"6.5.1.910")){
+ security_hole(0);
+ }
+ }
+ exit(0);
+}
+
+if(hotfix_check_sp(xp:4) > 0)
+{
+ if(directXver =~ "^4\.09")
+ {
+ SP = get_kb_item("SMB/WinXP/ServicePack");
+ if("Service Pack 2" >< SP)
+ {
+ # Grep Quartz.dll version < 6.5.2600.3497
+ if(version_is_less(version:dllVer, test_version:"6.5.2600.3497")){
+ security_hole(0);
+ }
+ }
+ else if("Service Pack 3" >< SP)
+ {
+ # Grep Quartz.dll version < 6.5.2600.5731
+ if(version_is_less(version:dllVer, test_version:"6.5.2600.5731")){
+ security_hole(0);
+ }
+ }
+ }
+ exit(0);
+}
+
+if(hotfix_check_sp(win2003:3) > 0)
+{
+ if(directXver =~ "^4\.09")
+ {
+ SP = get_kb_item("SMB/Win2003/ServicePack");
+ if("Service Pack 1" >< SP)
+ {
+ # Grep Quartz.dll version < 6.5.3790.3266
+ if(version_is_less(version:dllVer, test_version:"6.5.3790.3266")){
+ security_hole(0);
+ }
+ }
+ else if("Service Pack 2" >< SP)
+ {
+ # Grep Quartz.dll version < 6.5.3790.4431
+ if(version_is_less(version:dllVer, test_version:"6.5.3790.4431")){
+ security_hole(0);
+ }
+ }
+ }
+}
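Review bot: In the XP and 2003 branches (from `SP = get_kb_item("SMB/WinXP/ServicePack");` and `SP = get_kb_item("SMB/Win2003/ServicePack");` onward) a host whose service-pack string matches neither listed value produces no result at all, while the sibling scripts added in this commit (secpod_ms09-012/013/015) end the same branches with an unconditional `security_hole(0)`; whichever behaviour is intended for an absent or unlisted SP should be stated, e.g. `# Unlisted/missing SP: no Quartz.dll baseline known, report nothing` above the XP branch. The description string also carries a doubled article in `throws an an error when decompressing MJPEG content` — `throws an error`.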
Added: trunk/openvas-plugins/scripts/secpod_ms09-012.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms09-012.nasl 2009-04-15 10:02:53 UTC (rev 3104)
+++ trunk/openvas-plugins/scripts/secpod_ms09-012.nasl 2009-04-15 16:21:29 UTC (rev 3105)
@@ -0,0 +1,177 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_ms09-012.nasl 1707 2009-04-15 16:35:06Z apr $
+#
+# Vulnerabilities in Windows Could Allow Elevation of Privilege (959454)
+#
+# Authors:
+# Chandan S <schandan at secpod.com>
+#
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(900094);
+ script_version("$Revision: 1.0 $");
+ script_cve_id("CVE-2008-1436", "CVE-2009-0078", "CVE-2009-0079", "CVE-2009-0080");
+ script_bugtraq_id(28833, 34442, 34443, 34444);
+ script_name(english:"Vulnerabilities in Windows Could Allow Elevation of Privilege (959454)");
+ desc["english"] = "
+
+ Overview: This host has critical security update missing according to
+ Microsoft Bulletin MS09-012.
+
+ Vulnerability Insight:
+ - Microsoft Distributed Transaction Coordinator (MSDTC) transaction facility
+ allowing the NetworkService token to be obtained and used when making an
+ RPC call.
+ - Windows Management Instrumentation (WMI) provider improperly isolating
+ processes that run under the NetworkService or LocalService accounts.
+ - RPCSS service improperly isolating processes that run under the
+ NetworkService or LocalService accounts.
+ - Windows placing incorrect access control lists (ACLs) on threads in the
+ current ThreadPool.
+
+ Impact:
+ Successful exploitation could allow attackers to execute arbitrary code by
+ gaining elevated privileges.
+
+ Impact Level: System
+
+ Affected Software/OS:
+ Microsoft Windows 2K Service Pack 4 and prior.
+ Microsoft Windows XP Service Pack 3 and prior.
+ Microsoft Windows 2003 Service Pack 2 and prior.
+
+ Fix:
+ Run Windows Update and update the listed hotfixes or download and
+ update mentioned hotfixes in the advisory from the below link,
+ http://www.microsoft.com/technet/security/bulletin/ms09-012.mspx
+
+ References:
+ http://support.microsoft.com/kb/959454
+ http://www.microsoft.com/technet/security/bulletin/ms09-012.mspx
+
+ CVSS Score:
+ CVSS Base Score : 9.3 (AV:N/AC:M/Au:NR/C:C/I:C/A:C)
+ CVSS Temporal Score : 7.3
+ Risk factor : High";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Check for the vulnerable File Version and Hotfix");
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"Copyright (C) 2009 SecPod");
+ script_family(english:"Windows : Microsoft Bulletins");
+ script_dependencies("secpod_reg_enum.nasl");
+ exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
+
+if(hotfix_check_sp(win2k:5, xp:4, win2003:3) <= 0){
+ exit(0);
+}
+
+# Check for Hotfix 952004 (MS09-012)
+if(hotfix_missing(name:"952004") == 0){
+ exit(0);
+}
+
+sysPath = registry_get_sz(key:"SOFTWARE\Microsoft\COM3\Setup",
+ item:"Install Path");
+if(!sysPath){
+ exit(0);
+}
+
+share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:sysPath);
+file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1",
+ string:sysPath + "\Msdtcprx.dll");
+
+sysVer = GetVer(file:file, share:share);
+if(!sysVer){
+ exit(0);
+}
+
+# Windows 2K
+if(hotfix_check_sp(win2k:5) > 0)
+{
+ # Grep for Msdtcprx.dll version < 2000.2.3549.0
+ if(version_is_less(version:sysVer, test_version:"2000.2.3549.0")){
+ security_hole(0);
+ }
+ exit(0);
+}
+
+# Windows XP
+if(hotfix_check_sp(xp:4) > 0)
+{
+ # Check for Hotfix 956572 (MS09-012)
+ if(hotfix_missing(name:"956572") == 0){
+ exit(0);
+ }
+
+ SP = get_kb_item("SMB/WinXP/ServicePack");
+ if("Service Pack 2" >< SP)
+ {
+ # Grep for Msdtcprx.dll < 2001.12.4414.320
+ if(version_is_less(version:sysVer, test_version:"2001.12.4414.320")){
+ security_hole(0);
+ }
+ exit(0);
+ }
+ else if("Service Pack 3" >< SP)
+ {
+ # Grep for Msdtcprx.dll < 2001.12.4414.706
+ if(version_is_less(version:sysVer, test_version:"2001.12.4414.706")){
+ security_hole(0);
+ }
+ exit(0);
+ }
+ security_hole(0);
+}
+
+# Windows 2003
+if(hotfix_check_sp(win2003:3) > 0)
+{
+ # Check for Hotfix 956572 (MS09-012)
+ if(hotfix_missing(name:"956572") == 0){
+ exit(0);
+ }
+
+ SP = get_kb_item("SMB/Win2003/ServicePack");
+ if("Service Pack 1" >< SP)
+ {
+ # Grep for Msdtcprx.dll version < 2001.12.4720.3180
+ if(version_is_less(version:sysVer, test_version:"2001.12.4720.3180")){
+ security_hole(0);
+ }
+ exit(0);
+ }
+ else if("Service Pack 2" >< SP)
+ {
+ # Grep for Msdtcprx.dll version < 2001.12.4720.4340
+ if(version_is_less(version:sysVer, test_version:"2001.12.4720.4340")){
+ security_hole(0);
+ }
+ exit(0);
+ }
+ security_hole(0);
+}
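Review bot: The early exit at `if(hotfix_missing(name:"952004") == 0){ exit(0); }` means the XP and 2003 branches never reach their `hotfix_missing(name:"956572")` check when 952004 is installed, so a host patched for the MSDTC part but still missing 956572 is reported as not vulnerable; and because the only file compared is Msdtcprx.dll (which evidences 952004 only), a missing 956572 on its own never produces a report even when the branch is reached. The gate should only stop when neither KB is missing, and the XP/2003 branches should report a missing 956572 directly rather than falling through to the Msdtcprx.dll comparison; whether the Windows 2K branch needs the same treatment depends on whether 956572 ships for that platform, which this hunk does not say. Separately, the trailing `security_hole(0)` after the SP comparisons fires whenever the ServicePack KB entry is absent or holds an unlisted value with no file-version evidence behind it — the same pattern is in secpod_ms09-013.nasl and secpod_ms09-015.nasl — so either document that unlisted service packs are deliberately treated as vulnerable, or add `if(!SP){ exit(0); }` ahead of the comparisons.
```nasl
# Both KBs belong to MS09-012 (952004: MSDTC, 956572: service isolation);
# only stop when neither is missing.
if(hotfix_missing(name:"952004") == 0 && hotfix_missing(name:"956572") == 0){
  exit(0);
}
# … unchanged: COM3 Install Path lookup, share/file derivation, GetVer, Windows 2K branch …

# Windows XP
if(hotfix_check_sp(xp:4) > 0)
{
  # Msdtcprx.dll only evidences 952004; a missing 956572 is reported on its own.
  if(hotfix_missing(name:"956572") != 0){
    security_hole(0);
    exit(0);
  }
  # … unchanged: Service Pack / Msdtcprx.dll version comparisons …
}
# … Windows 2003 branch: same change as the XP branch …
```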
Added: trunk/openvas-plugins/scripts/secpod_ms09-013.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms09-013.nasl 2009-04-15 10:02:53 UTC (rev 3104)
+++ trunk/openvas-plugins/scripts/secpod_ms09-013.nasl 2009-04-15 16:21:29 UTC (rev 3105)
@@ -0,0 +1,164 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_ms09-013.nasl 1697 2009-04-15 08:27:50Z apr $
+#
+# Windows HTTP Services Could Allow Remote Code Execution Vulnerabilities (960803)
+#
+# Authors:
+# Chandan S <schandan at secpod.com>
+#
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(900092);
+ script_version("$Revision: 1.0 $");
+ script_cve_id("CVE-2009-0086", "CVE-2009-0089", "CVE-2009-0550");
+ script_bugtraq_id(34435, 34437, 34439);
+ script_name(english:"Windows HTTP Services Could Allow Remote Code Execution Vulnerabilities (960803)");
+ desc["english"] = "
+
+ Overview: This host has critical security update missing according to
+ Microsoft Bulletin MS09-013.
+
+ Vulnerability Insight:
+ - Integer underflow error in Windows HTTP Services allow to execute arbitrary
+ code via a specially crafted parameter returned by a malicious web server.
+ - Error in Windows HTTP Services while validating the distinguished name
+ of a certificate can leads to spoof a valid certificate.
+ Successful exploitation requires the ability to perform DNS spoofing attacks.
+ - Error in Windows HTTP Services reflect NTLM credentials and execute arbitrary
+ code by tricking a user into connecting to a malicious web server.
+
+ Impact:
+ Attacker who successfully exploited could allow malicious people to conduct
+ spoofing attacks and compromise a user's system.
+
+ Impact Level: System
+
+ Affected Software/OS:
+ Microsoft Windows 2K Service Pack 4 and prior.
+ Microsoft Windows XP Service Pack 3 and prior.
+ Microsoft Windows 2003 Service Pack 2 and prior.
+
+ Fix:
+ Run Windows Update and update the listed hotfixes or download and
+ update mentioned hotfixes in the advisory from the below link,
+ http://www.microsoft.com/technet/security/bulletin/ms09-013.mspx
+
+ References:
+ http://www.microsoft.com/technet/security/bulletin/ms09-013.mspx
+
+ CVSS Score:
+ CVSS Base Score : 10.0 (AV:N/AC:L/Au:NR/C:C/I:C/A:C)
+ CVSS Temporal Score : 7.4
+ Risk factor : High";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Check for the vulnerable File Version and Hotfix");
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"Copyright (C) 2009 SecPod");
+ script_family(english:"Windows : Microsoft Bulletins");
+ script_dependencies("secpod_reg_enum.nasl");
+ exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
+
+if(hotfix_check_sp(win2k:5, xp:4, win2003:3) <= 0){
+ exit(0);
+}
+
+# Check for Hotfix 960803 (MS09-013)
+if(hotfix_missing(name:"960803") == 0){
+ exit(0);
+}
+
+sysPath = registry_get_sz(key:"SOFTWARE\Microsoft\COM3\Setup",
+ item:"Install Path");
+if(!sysPath){
+ exit(0);
+}
+
+share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:sysPath);
+file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1",
+ string:sysPath + "\Winhttp.dll");
+
+sysVer = GetVer(file:file, share:share);
+if(!sysVer){
+ exit(0);
+}
+
+# Windows 2K
+if(hotfix_check_sp(win2k:5) > 0)
+{
+ # Grep for Winhttp.dll version < 5.1.2600.3490
+ if(version_is_less(version:sysVer, test_version:"5.1.2600.3490")){
+ security_hole(0);
+ }
+ exit(0);
+}
+
+# Windows XP
+if(hotfix_check_sp(xp:4) > 0)
+{
+ SP = get_kb_item("SMB/WinXP/ServicePack");
+ if("Service Pack 2" >< SP)
+ {
+ # Grep for Winhttp.dll < 5.1.2600.3494
+ if(version_is_less(version:sysVer, test_version:"5.1.2600.3494")){
+ security_hole(0);
+ }
+ exit(0);
+ }
+ else if("Service Pack 3" >< SP)
+ {
+ # Grep for Winhttp.dll < 5.1.2600.5727
+ if(version_is_less(version:sysVer, test_version:"5.1.2600.5727")){
+ security_hole(0);
+ }
+ exit(0);
+ }
+ security_hole(0);
+}
+
+# Windows 2003
+if(hotfix_check_sp(win2003:3) > 0)
+{
+ SP = get_kb_item("SMB/Win2003/ServicePack");
+ if("Service Pack 1" >< SP)
+ {
+ # Grep for Winhttp.dll version < 5.2.3790.3262
+ if(version_is_less(version:sysVer, test_version:"5.2.3790.3262")){
+ security_hole(0);
+ }
+ exit(0);
+ }
+ else if("Service Pack 2" >< SP)
+ {
+ # Grep for Winhttp.dll version < 5.2.3790.4427
+ if(version_is_less(version:sysVer, test_version:"5.2.3790.4427")){
+ security_hole(0);
+ }
+ exit(0);
+ }
+ security_hole(0);
+}
Added: trunk/openvas-plugins/scripts/secpod_ms09-014.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms09-014.nasl 2009-04-15 10:02:53 UTC (rev 3104)
+++ trunk/openvas-plugins/scripts/secpod_ms09-014.nasl 2009-04-15 16:21:29 UTC (rev 3105)
@@ -0,0 +1,174 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_ms09-014.nasl 1694 2009-04-15 10:55:42Z apr $
+#
+# Microsoft Internet Explorer Remote Code Execution Vulnerability (963027)
+#
+# Authors:
+# Sharath S <sharaths at secpod.com>
+#
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(900328);
+ script_version("$Revision: 1.0 $");
+ script_cve_id("CVE-2008-2540", "CVE-2009-0550", "CVE-2009-0551", "CVE-2009-0552",
+ "CVE-2009-0553", "CVE-2009-0554");
+ script_bugtraq_id(29445, 34439, 34438, 34423, 34424, 34426);
+ script_name(english:"Microsoft Internet Explorer Remote Code Execution Vulnerability (963027)");
+ desc["english"] = "
+
+ Overview: This host has critical security update missing according to
+ Microsoft Bulletin MS09-014.
+
+ Vulnerability Insight:
+ Flaws are due to
+ - Blended threat issue which allows executables to be downloaded in user's
+ computer without prompting.
+ - Vulnerability in NT LAN Manager which allows the attacker to replay NTLM
+ credentials.
+ - Arbitrary code execution in Internet Explorer at run time of Internet
+ Explorer Browser.
+ - Internet Explorer Uninitialized Memory Variant which lets the attacker
+ cause remote code execution.
+
+ Impact:
+ Successful exploitation will let the attacker execute arbitrary codes into
+ the context of the affected system and can cause denial of service in the
+ affected system.
+
+ Impact Level: System
+
+ Affected Software/OS:
+ Microsoft Internet Explorer version 5.x/6.x/7.x
+
+ Fix:
+ Run Windows Update and update the listed hotfixes or download and
+ update mentioned hotfixes in the advisory from the below link,
+ http://www.microsoft.com/technet/security/Bulletin/MS09-014.mspx
+
+ References:
+ http://support.microsoft.com/kb/963027
+ http://www.microsoft.com/technet/security/Bulletin/MS09-014.mspx
+
+ CVSS Score:
+ CVSS Base Score : 9.3 (AV:N/AC:M/Au:NR/C:C/I:C/A:C)
+ CVSS Temporal Score : 6.9
+ Risk factor : High";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Check for the vulnerable file version");
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"Copyright (C) 2009 SecPod");
+ script_family(english:"Windows : Microsoft Bulletins");
+ script_dependencies("gb_ms_ie_detect.nasl");
+ script_require_keys("MS/IE/Version");
+ exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
+
+if(hotfix_check_sp(xp:4, win2k:5, win2003:3) <= 0){
+ exit(0);
+}
+
+ieVer = get_kb_item("MS/IE/Version");
+if(!ieVer){
+ exit(0);
+}
+
+# MS08-073 Hotfix (958215)
+if(hotfix_missing(name:"963027") == 0){
+ exit(0);
+}
+
+dllPath = registry_get_sz(item:"Install Path",
+ key:"SOFTWARE\Microsoft\COM3\Setup");
+
+dllPath += "\mshtml.dll";
+share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:dllPath);
+file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1", string:dllPath);
+
+vers = GetVer(file:file, share:share);
+if(!vers){
+ exit(0);
+}
+
+if(hotfix_check_sp(win2k:5) > 0)
+{
+ # Check for mshtml.dll version 5 < 5.0.3874.1900
+ if(version_in_range(version:vers, test_version:"5.0",
+ test_version2:"5.0.3874.1899")){
+ security_hole(0);
+ }
+ # Check for mshtml.dll version 6 < 6.0.2800.1625
+ else if(version_in_range(version:vers, test_version:"6.0",
+ test_version2:"6.0.2800.1624")){
+ security_hole(0);
+ }
+}
+
+else if(hotfix_check_sp(xp:4) > 0)
+{
+ SP = get_kb_item("SMB/WinXP/ServicePack");
+ if("Service Pack 2" >< SP)
+ {
+ # Check for mshtml.dll version 6 < 6.0.2900.3527
+ if(version_in_range(version:vers, test_version:"6.0",
+ test_version2:"6.0.2900.3526")){
+ security_hole(0);
+ }
+ }
+ else if("Service Pack 3" >< SP)
+ {
+ # Check for mshtml.dll version 6 < 6.0.2900.5764 or 7.0 < 7.0.6000.16825
+ if(version_in_range(version:vers, test_version:"6.0",
+ test_version2:"6.0.2900.5763") ||
+ version_in_range(version:vers, test_version:"7.0",
+ test_version2:"7.0.6000.16824")){
+ security_hole(0);
+ }
+ }
+}
+
+else if(hotfix_check_sp(win2003:3) > 0)
+{
+ SP = get_kb_item("SMB/Win2003/ServicePack");
+ if("Service Pack 1" >< SP)
+ {
+ # Check for mshtml.dll version 6 < 6.0.3790.3304
+ if(version_in_range(version:vers, test_version:"6.0",
+ test_version2:"6.0.3790.3303")){
+ security_hole(0);
+ }
+ }
+ else if("Service Pack 2" >< SP)
+ {
+ # Check for mshtml.dll version 6 < 6.0.3790.4470 or 7.0 < 7.0.6000.16825
+ if(version_in_range(version:vers, test_version:"6.0",
+ test_version2:"6.0.3790.4469") ||
+ version_in_range(version:vers, test_version:"7.0",
+ test_version2:"7.0.6000.16824")){
+ security_hole(0);
+ }
+ }
+}
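Review bot: The comment `# MS08-073 Hotfix (958215)` above `hotfix_missing(name:"963027")` names the wrong bulletin and KB; it should read `# MS09-014 Hotfix (963027)`. `dllPath` is also appended to and used without a null check — unlike the sibling scripts in this commit, which `exit(0)` when the COM3 `Install Path` value is absent — so a missing registry value yields a share/file pair derived from `\mshtml.dll` alone; add `if(!dllPath){ exit(0); }` before `dllPath += "\mshtml.dll";`. The XP `Service Pack 2` branch checks only the 6.0 range while the SP3 branch also covers 7.0; if IE7 on XP SP2 is in scope (the description lists 5.x/6.x/7.x with no SP restriction) that range appears to be missing and is worth confirming against the bulletin.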
Added: trunk/openvas-plugins/scripts/secpod_ms09-015.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms09-015.nasl 2009-04-15 10:02:53 UTC (rev 3104)
+++ trunk/openvas-plugins/scripts/secpod_ms09-015.nasl 2009-04-15 16:21:29 UTC (rev 3105)
@@ -0,0 +1,158 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_ms09-015.nasl 1696 2009-04-15 09:16:04Z apr $
+#
+# Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege (959426)
+#
+# Authors:
+# Nikita MR <rnikita at secpod.com>
+#
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+
+if(description)
+{
+ script_id(900533);
+ script_version("$Revision: 1.0 $");
+ script_cve_id("CVE-2008-2540");
+ script_bugtraq_id(29445);
+ script_name(english:"Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege (959426)");
+ desc["english"] = "
+
+ Overview: This host has critical security update missing according to
+ Microsoft Bulletin MS09-015.
+
+ Vulnerability Insight:
+ The flaw is caused due to an error in the way SearchPath function in
+ Windows locates and opens files on the system.
+
+ Impact:
+ Remote attackers could execute arbitrary code by convincing a user to
+ download a crafted file to a specific location, and then open an
+ application that loads the file.
+
+ Impact Level: System
+
+ Affected Software/OS:
+ Microsoft Windows 2K Service Pack 4 and prior.
+ Microsoft Windows XP Service Pack 3 and prior.
+ Microsoft Windows 2003 Service Pack 2 and prior.
+
+ Fix:
+ Run Windows Update and update the listed hotfixes or download and
+ update mentioned hotfixes in the advisory from the below link.
+ http://www.microsoft.com/technet/security/bulletin/ms09-015.mspx
+
+ References:
+ http://www.microsoft.com/technet/security/bulletin/ms09-015.mspx
+
+ CVSS Score:
+ CVSS Base Score : 9.3 (AV:N/AC:M/Au:NR/C:C/I:C/A:C)
+ CVSS Temporal Score : 6.9
+ Risk factor : High";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Check for the vulnerable File Version and Hotfix");
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"Copyright (C) 2009 SecPod");
+ script_family(english:"Windows : Microsoft Bulletins");
+ script_dependencies("secpod_reg_enum.nasl");
+ exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
+
+if(hotfix_check_sp(xp:4, win2k:5, win2003:3) <= 0){
+ exit(0);
+}
+
+# Check for Hotfix 959426 (MS09-015).
+if(hotfix_missing(name:"959426") == 0){
+ exit(0);
+}
+
+dllPath = registry_get_sz(item:"Install Path",
+ key:"SOFTWARE\Microsoft\COM3\Setup");
+if(!dllPath){
+ exit(0);
+}
+
+share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:dllPath);
+file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1",
+ string:dllPath + "\secur32.dll");
+
+dllVer = GetVer(file:file, share:share);
+if(!dllVer){
+ exit(0);
+}
+
+if(hotfix_check_sp(win2k:5) > 0)
+{
+ # Check for secur32.dll version < 5.0.2195.7244
+ if(version_is_less(version:dllVer, test_version:"5.0.2195.7244")){
+ security_hole(0);
+ }
+ exit(0);
+}
+
+else if(hotfix_check_sp(xp:4) > 0)
+{
+ SP = get_kb_item("SMB/WinXP/ServicePack");
+ if("Service Pack 2" >< SP)
+ {
+ # Check for secur32.dll version < 5.1.2600.3518
+ if(version_is_less(version:dllVer, test_version:"5.1.2600.3518")){
+ security_hole(0);
+ }
+ exit(0);
+ }
+ else if("Service Pack 3" >< SP)
+ {
+ # Check for secur32.dll version < 5.1.2600.5753
+ if(version_is_less(version:dllVer, test_version:"5.1.2600.5753")){
+ security_hole(0);
+ }
+ exit(0);
+ }
+ security_hole(0);
+}
+
+else if(hotfix_check_sp(win2003:3) > 0)
+{
+ SP = get_kb_item("SMB/Win2003/ServicePack");
+ if("Service Pack 1" >< SP)
+ {
+ # Check for secur32.dll version < 5.2.3790.3290
+ if(version_is_less(version:dllVer, test_version:"5.2.3790.3290")){
+ security_hole(0);
+ }
+ exit(0);
+ }
+ else if("Service Pack 2" >< SP)
+ {
+ # Check for secur32.dll version < 5.2.3790.4455
+ if(version_is_less(version:dllVer, test_version:"5.2.3790.4455")){
+ security_hole(0);
+ }
+ exit(0);
+ }
+ security_hole(0);
+}
Modified: trunk/openvas-plugins/scripts/secpod_ms_excel_remote_code_exec_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms_excel_remote_code_exec_vuln.nasl 2009-04-15 10:02:53 UTC (rev 3104)
+++ trunk/openvas-plugins/scripts/secpod_ms_excel_remote_code_exec_vuln.nasl 2009-04-15 16:21:29 UTC (rev 3105)
@@ -2,11 +2,14 @@
# OpenVAS Vulnerability Test
# $Id: secpod_ms_excel_remote_code_exec_vuln.nasl 633 2009-03-17 18:20:09Z mar $
#
-# Microsoft Excel Remote Code Execution Vulnerability (968272)
+# Microsoft Excel Remote Code Execution Vulnerabilities (968557)
#
# Authors:
# Sujit Ghosal <sghosal at secpod.com>
#
+# Update description and file check to reflect MS09-009 Bulletin.
+# - By Chandan S, 2009-04-15 14:47:49
+#
# Copyright:
# Copyright (c) 2009 SecPod, http://www.secpod.com
#
@@ -28,44 +31,42 @@
{
script_id(900476);
script_version("$Revision: 1.0 $");
- script_cve_id("CVE-2009-0238");
- script_bugtraq_id(33870);
- script_name(english:"Microsoft Excel Remote Code Execution Vulnerability (968272)");
+ script_cve_id("CVE-2009-0238", "CVE-2009-0100");
+ script_bugtraq_id(33870, 34413);
+ script_name(english:"Microsoft Excel Remote Code Execution Vulnerabilities (968557)");
desc["english"] = "
- Overview: This host has installed Microsoft Excel and is prone to remote
- code execution vulnerability.
+ Overview: This host has critical security update missing according to
+ Microsoft Bulletin MS09-009.
Vulnerability Insight:
- A vulnerability exists while opening a specially crafted excel file which
- in triggers an access attempt on an invalid object causes remote code
- execution.
+ This flaw is due to parsing error while processing an excel file in an
+ invalid object which causes memory corruption.
Impact:
- Successful exploitation could execution of arbitrary codes on the remote
- system in the context of affected excel application.
+ Successful exploitation could allow execution of arbitrary codes by tricking
+ a user into opening a specially crafted Excel file.
Impact Level: System
Affected Software/OS:
- Microsoft Office Excel 2k SP 3
- Microsoft Office Excel 2k2 SP 3
- Microsoft Office Excel 2k3 SP 3
- Microsoft Office Excel 2k7 SP 1
+ Microsoft Office Excel 2K SP3
+ Microsoft Office Excel 2k2 SP3
+ Microsoft Office Excel 2k3 SP3
+ Microsoft Office Excel 2k7 SP1
Fix:
- Solution/Patch not available as on 17th March 2009. For further updates
- refer, http://office.microsoft.com/excel
+ Run Windows Update and update the listed hotfixes or download and
+ update mentioned hotfixes in the advisory from the below link.
+ http://www.microsoft.com/technet/security/bulletin/ms09-009.mspx
References:
- http://blogs.zdnet.com/security/?p=2658
- http://isc.sans.org/diary.html?storyid=5923
- http://securitytracker.com/alerts/2009/Feb/1021744.html
- http://www.microsoft.com/technet/security/advisory/968272.mspx
+ http://support.microsoft.com/kb/968557
+ http://www.microsoft.com/technet/security/bulletin/ms09-009.mspx
CVSS Score:
- CVSS Base Score : 9.3 (AV:N/AC:M/Au:NR/C:C/I:C/A:C)
- CVSS Temporal Score : 7.9
+ CVSS Base Score : 10.0 (AV:N/AC:L/Au:NR/C:C/I:C/A:C)
+ CVSS Temporal Score : 7.4
Risk factor : High";
script_description(english:desc["english"]);
@@ -94,19 +95,19 @@
}
if(version_in_range(version:excelVer, test_version:"9.0",
- test_version2:"9.0.8974")){
+ test_version2:"9.0.8976")){
security_hole(0);
}
else if(version_in_range(version:excelVer, test_version:"10.0",
- test_version2:"10.0.6850")){
+ test_version2:"10.0.6851")){
security_hole(0);
}
else if(version_in_range(version:excelVer, test_version:"11.0",
- test_version2:"11.0.8237")){
+ test_version2:"11.0.8301")){
security_hole(0);
}
else if(version_in_range(version:excelVer, test_version:"12.0",
- test_version2:"12.0.6331.5000")){
+ test_version2:"12.0.6341.5000")){
security_hole(0);
}
}
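Review bot: The four `test_version2` bounds changed without any comment recording where they come from, and `version_in_range()` in version_func.inc treats the upper bound as inclusive as far as I recall, so each bound must be the last unpatched build rather than the fixed build or patched hosts will be flagged. A one-line comment above the first check would make the next bump verifiable: `# Upper bounds are the last unpatched Excel builds per KB968557 (MS09-009); version_in_range() is inclusive, so never set them to the fixed build.` The `}` on the hunk's first context line closes a block whose start is outside the hunk.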
Modified: trunk/openvas-plugins/scripts/secpod_ms_wordpad_mult_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms_wordpad_mult_vuln.nasl 2009-04-15 10:02:53 UTC (rev 3104)
+++ trunk/openvas-plugins/scripts/secpod_ms_wordpad_mult_vuln.nasl 2009-04-15 16:21:29 UTC (rev 3105)
@@ -1,14 +1,17 @@
###############################################################################
# OpenVAS Vulnerability Test
-# $Id: secpod_ms_wordpad_mult_vuln.nasl 655 2008-12-11 16:37:35Z dec $
+# $Id: secpod_ms_wordpad_mult_vuln.nasl 1695 2008-12-11 16:37:35Z dec $
#
-# Vulnerability in WordPad Text Converter Could Allow Remote Code Execution (960906)
+# WordPad and Office Text Converter Memory Corruption Vulnerability (960477)
#
# Authors:
# Chandan S <schandan at secpod.com>
#
-# Copyright: SecPod
+# Update description and file check to reflect MS09-010 Bulletin.
+# - By Chandan S, 2009-04-15 21:34:24
#
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
@@ -23,57 +26,58 @@
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
-
if(description)
{
script_id(900065);
- script_version("$Revision: 1.0 $");
- script_cve_id("CVE-2008-4841");
- script_bugtraq_id(31399, 32718);
- script_name(english:"Vulnerability in WordPad Text Converter Could Allow Remote Code Execution (960906)");
+ script_version("$Revision: 1.1 $");
+ script_cve_id("CVE-2008-4841", "CVE-2009-0087", "CVE-2009-0088", "CVE-2009-0235");
+ script_bugtraq_id(29769);
+ script_name(english:"WordPad and Office Text Converter Memory Corruption Vulnerability (960477)");
desc["english"] = "
- Overview: This host has Microsoft WordPad installed and is prone to multiple
- vulnerabilities.
+ Overview: This host has critical security update missing according to Microsoft
+ Bulletin MS09-010.
Vulnerability Insight:
- The issue is caused due to an error in the WordPad Text Converter for Word 97
- files.
+ - Input validation error when parsing document files i.e. Office files, RTF,
+ Wordperfect files or Write files.
Impact:
- Successful exploitation will allow remote arbitrary code execution on the
- vulnerable system and could also corrupt memory to deny the service.
+ Successful exploitation will let the attacker craft malicious arbitrary codes
+ into the files and can trick the user to open those crafted documents which
+ may lead to remote arbitrary code execution inside the context of the affected
+ system.
- Impact Level: Application
+ Impact Level: System
- Affected Software/OS: Microsoft Windows 2K/XP/2003
+ Affected Software/OS:
+ WordPad on MS Windows 2K/XP/2K3
+ MS Office 2000 Word Service Pack 3
+ MS Office XP Word Service Pack 3
+ MS Office Converters Pack
- Fix: No solution or patch is available as on 11th December,2008. Information
- regarding this issue will be updated once the solution details are available.
- For updates refer, http://www.microsoft.com/en/us/default.aspx
+ Fix:
+ Run Windows Update and update the listed hotfixes or download and
+ update mentioned hotfixes in the advisory from the below link,
+ http://www.microsoft.com/technet/security/bulletin/ms09-010.mspx
- Workaround:
- Go through the workaround section in the below advisory reference link.
-
- *****
- NOTE : Microsoft Windows XP SP3 is not vulnerable to this issue.
- *****
-
References:
- http://milw0rm.com/sploits/2008-crash.doc.rar
- http://www.microsoft.com/technet/security/advisory/960906.mspx
+ http://support.microsoft.com/default.aspx/kb/960477
+ http://www.microsoft.com/technet/security/bulletin/ms09-010.mspx
CVSS Score:
- CVSS Base Score : 7.1 (AV:N/AC:M/Au:NR/C:N/I:N/A:C)
- CVSS Temporal Score : 6.1
+ CVSS Base Score : 10.0 (AV:N/AC:L/Au:NR/C:C/I:C/A:C)
+ CVSS Temporal Score : 7.8
Risk factor : High";
script_description(english:desc["english"]);
- script_summary(english:"Check for the vulnerable File Version");
+ script_summary(english:"Check for the vulnerable File Versions");
script_category(ACT_GATHER_INFO);
- script_copyright(english:"Copyright (C) 2008 SecPod");
- script_family(english:"Windows");
- script_dependencies("secpod_reg_enum.nasl");
+ script_copyright(english:"Copyright (C) 2009 SecPod");
+ script_family(english:"Windows : Microsoft Bulletins");
+ script_dependencies("secpod_reg_enum.nasl", "secpod_ms_office_detection_900025.nasl",
+ "secpod_office_products_version_900032.nasl");
+ script_require_keys("SMB/WindowsVersion", "SMB/Office/Word/Version");
exit(0);
}
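Review bot: The new `script_require_keys("SMB/WindowsVersion", "SMB/Office/Word/Version")` makes the scanner skip this plugin entirely on Windows hosts that have no Word installed, yet the bulletin also covers WordPad on 2K/XP/2K3 (listed under Affected Software above), so those hosts are never tested; the Word branch in the later hunk already checks `get_kb_item("SMB/Office/Word/Version")` itself, so `script_require_keys("SMB/WindowsVersion");` is enough while keeping the dependencies. Separately, `script_bugtraq_id(29769)` drops 31399 and 32718 while CVE-2008-4841 is retained in `script_cve_id`; it is worth confirming that the remaining BID list still covers all four CVEs.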
@@ -83,45 +87,102 @@
include("version_func.inc");
include("secpod_smb_func.inc");
-if(hotfix_check_sp(xp:3, win2k:5, win2003:3) <= 0){
+if(hotfix_check_sp(win2k:5, xp:4, win2003:3) <= 0){
exit(0);
}
-if(!registry_key_exists(key:"SOFTWARE\Microsoft\Windows\CurrentVersion" +
- "\App Paths\WORDPAD.EXE")){
+dllPath = registry_get_sz(key:"SOFTWARE\Microsoft\Shared Tools Location",
+ item:"TEXTCONV");
+if(!dllPath){
exit(0);
}
-key = "SOFTWARE\Microsoft\Shared Tools\MSWord8\Clients";
-foreach item (registry_enum_values(key:key))
+ share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:dllPath);
+ file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1",
+ string:dllPath + "\MSCONV97.DLL");
+
+dllVer = GetVer(file:file, share:share);
+
+# Patch check for Office 2K and XP
+if(get_kb_item("SMB/Office/Word/Version") =~ "^(9|10)\..*" &&
+ get_kb_item("MS/Office/Ver") =~ "^(9|10)\..*")
{
- if("wordpad" >< item)
+ if(dllVer)
{
- share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:item);
- file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1", string:item);
-
- wpVer = GetVer(file:file, share:share);
- if(wpVer != NULL)
- {
- if(hotfix_check_sp(win2k:5) > 0) # Check <= 2K SP4
+ # Check for Hotfix 921606 (Office 2K) or 933399 (Office XP).
+ if(hotfix_missing(name:"921606") == 1 || hotfix_missing(name:"933399") == 1)
{
- if(version_is_less_equal(version:wpVer, test_version:"5.0.2195.6991")){
+ if(version_is_less(version:dllVer, test_version:"2003.1100.8202.0"))
+ {
security_hole(0);
+ exit(0);
}
}
- else if(hotfix_check_sp(xp:3) > 0) # Check < XP SP3
+ }
+}
+
+# Patch check for WordPad
+if(registry_key_exists(key:"SOFTWARE\Microsoft\Windows\CurrentVersion" +
+ "\App Paths\WORDPAD.EXE"))
+{
+ key = "SOFTWARE\Microsoft\Shared Tools\MSWord8\Clients";
+ foreach item (registry_enum_values(key:key))
+ {
+ if("wordpad" >< item)
+ {
+ # Check for Wordpad Hotfix 923561 (MS09-010).
+ if(hotfix_missing(name:"923561") == 0){
+ exit(0);
+ }
+
+ share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:item);
+ file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1", string:item);
+
+ wpVer = GetVer(file:file, share:share);
+ if(wpVer != NULL)
{
- if(version_is_less_equal(version:wpVer, test_version:"5.1.2600.2180")){
- security_hole(0);
+ if(hotfix_check_sp(win2k:5) > 0) # Check <= 2K SP4
+ {
+ if(version_is_less(version:wpVer, test_version:"5.0.2195.7155")){
+ security_hole(0);
+ }
}
- }
- else if(hotfix_check_sp(win2003:3) > 0) # Check <= SP2
- {
- if(version_is_less_equal(version:wpVer, test_version:"5.2.3790.3959")){
- security_hole(0);
+ else if(hotfix_check_sp(xp:3) > 0) # Check < XP SP3
+ {
+ if(version_is_less(version:wpVer, test_version:"5.1.2600.5584")){
+ security_hole(0);
+ }
}
+ else if(hotfix_check_sp(win2003:3) > 0) # Check <= SP2
+ {
+ if(version_is_less(version:wpVer, test_version:"5.2.3790.4282")){
+ security_hole(0);
+ }
+ }
}
}
+ }
+}
+
+# Patch check for Office Converter Pack
+key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\";
+foreach item (registry_enum_keys(key:key))
+{
+ convName = registry_get_sz(key:key + item, item:"DisplayName");
+ if("Microsoft Office Converter" >< convName)
+ {
+ if(!dllVer){
+ exit(0);
+ }
+
+ # Check for Office Converter Hotfix 960476 (MS09-010).
+ if(hotfix_missing(name:"960476") == 0){
+ exit(0);
+ }
+
+ if(version_is_less(version:dllVer, test_version:"2003.1100.8202.0")){
+ security_hole(0);
+ }
exit(0);
}
}
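Review bot: The `if(!dllPath){ exit(0); }` right after reading `Shared Tools Location\TEXTCONV` aborts the whole plugin on hosts without the Office text converters, so the WordPad check further down never runs on plain Windows 2K/XP/2K3 installs, which are exactly the hosts the WordPad branch exists for; since both later uses of `dllVer` already guard on it (`if(dllVer)` and `if(!dllVer){ exit(0); }`), the exit can be dropped and `dllVer` left NULL. Two related gaps: the top gate was widened to `xp:4` so XP SP3 hosts now pass, but the WordPad branch still tests `hotfix_check_sp(xp:3) > 0`, leaving XP SP3 with no WordPad version check at all (if SP3 is affected per the bulletin, a `version_is_less` bound for it is missing); and `if(hotfix_missing(name:"923561") == 0){ exit(0); }` exits before the Office Converter Pack block below, so a host with the WordPad hotfix but an unpatched converter pack is reported clean.
```nasl
dllPath = registry_get_sz(key:"SOFTWARE\Microsoft\Shared Tools Location",
                          item:"TEXTCONV");
dllVer = NULL;
if(dllPath)
{
  share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:dllPath);
  file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1",
                      string:dllPath + "\MSCONV97.DLL");
  dllVer = GetVer(file:file, share:share);
}
# ... unchanged: Office 2K/XP check, WordPad check, Converter Pack check ...
```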