[Openvas-commits] r6117 - in trunk/openvas-plugins: . scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Wed Dec 9 14:31:54 CET 2009


Author: chandra
Date: 2009-12-09 14:31:51 +0100 (Wed, 09 Dec 2009)
New Revision: 6117

Added:
   trunk/openvas-plugins/scripts/secpod_ms09-071.nasl
Modified:
   trunk/openvas-plugins/ChangeLog
   trunk/openvas-plugins/scripts/gb_ms_ie_style_object_remote_code_exec_vuln.nasl
Log:
Added MS Bulletin - Dec09 plugins

Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2009-12-09 12:16:50 UTC (rev 6116)
+++ trunk/openvas-plugins/ChangeLog	2009-12-09 13:31:51 UTC (rev 6117)
@@ -1,3 +1,9 @@
+2009-12-09  Chandrashekhar B <bchandra at secpod.com>
+
+	* scripts/gb_ms_ie_style_object_remote_code_exec_vuln.nasl,
+	scripts/secpod_ms09-071.nasl:
+	Added MS Bulletin plugins - Dec09.
+
 009-12-09 Michael Meyer <michael.meyer at intevation.de>
 
 	* scripts/rt_37162.nasl,

Modified: trunk/openvas-plugins/scripts/gb_ms_ie_style_object_remote_code_exec_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_ms_ie_style_object_remote_code_exec_vuln.nasl	2009-12-09 12:16:50 UTC (rev 6116)
+++ trunk/openvas-plugins/scripts/gb_ms_ie_style_object_remote_code_exec_vuln.nasl	2009-12-09 13:31:51 UTC (rev 6117)
@@ -7,6 +7,10 @@
 # Authors:
 # Sujit Ghosal <sghosal at secpod.com>
 #
+# Updated By
+# Antu Sanadi <santu at secpod.com> on  2009-12-09
+# Included the  Microsoft Bulletin MS09-072 #6097
+#
 # Copyright:
 # Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net
 #
@@ -28,56 +32,140 @@
 {
   script_id(800727);
   script_version("$Revision: 1.0 $");
-  script_cve_id("CVE-2009-3672");
+  script_cve_id("CVE-2009-2493", "CVE-2009-3671", "CVE-2009-3672",
+                "CVE-2009-3673", "CVE-2009-3674");
   script_bugtraq_id(37085);
   script_name("MS Internet Explorer 'Style' Object Remote Code Execution Vulnerability");
   desc = "
-  Overview: This host has Microsoft Internet Explorer installed and is prone to
-  Remote Code Execution Vulnerability.
+  Overview: This host has critical security update missing according to
+  Microsoft Bulletin MS09-072.
 
   Vulnerability Insight:
-  This flaw is caused due to CSS information inside HTML rendering engine,
-  inside mshtml.dll library file. Malicious use of 'outerHTML' property
-  causes the remote browser to spray the heap memory allocated area.
+  Multiple flaws are due to:
+  - The 'tdc.ocx' ActiveX control being built with vulnerable Active Template
+    Library (ATL) headers, which could allow the instantiation of arbitrary objects
+    that can bypass certain security related policies.
+  - Memory corruption error occurs when the browser attempts to access an object
+    that has not been initialized or has been deleted, which could be exploited
+    to execute arbitrary code via a specially crafted web page.
+  - Memory corruption occurs when processing 'CSS' objects.
+  - Race condition occurs while repetitively clicking between two elements at
+    a fast rate, which could be exploited to execute arbitrary code via a
+    specially crafted web page.
+  - A dangling pointer during deallocation of a circular dereference for a
+    CAttrArray object, which could be exploited to execute arbitrary code via
+    a specially crafted web page.
 
   Impact:
-  Successful attack could allow malicious people to execute arbitrary code in the
-  context of the user running the application or compromise the application and
-  possibly the system. failed attacks may cause denial-of-service condition.
+  Successful exploitation will let the attacker execute arbitrary code via
+  specially crafted HTML page in the context of the affected system and cause
+  memory corruption thus causing remote machine compromise.
 
-  Impact Level: System/Application
+  Impact Level: System
 
   Affected Software/OS:
-  Microsoft Internet Explorer 6.x and 7.x
+  Microsoft Internet Explorer version 5.x/6.x/7.x/8.x
 
   Fix:
-  No solution or patch is available as on 04th December, 2009. Information
-  regarding this issue will be updated once the solution details are available.
-  For updates refer, http://www.microsoft.com/technet/security/advisory/977981.mspx
+  Run Windows Update and update the listed hotfixes or download and
+  update mentioned hotfixes in the advisory from the below link,
+  http://www.microsoft.com/technet/security/Bulletin/MS09-072.mspx
 
   References:
-  http://www.securityfocus.com/archive/1/archive/1/507984/100/0/threaded
-  http://www.symantec.com/connect/blogs/zero-day-internet-explorer-exploit-published
+  http://www.vupen.com/english/advisories/2009/3437
+  http://www.microsoft.com/technet/security/Bulletin/MS09-072.mspx
 
-  CVSS Score:
-    CVSS Base Score      : 9.3 (AV:N/AC:M/Au:NR/C:C/I:C/A:C)
-    CVSS Temporal Score  : 8.4
-  Risk factor: Critical";
+  Risk factor : Critical";
 
   script_description(desc);
-  script_summary("Check for the version of Microsoft Internet Explorer");
+  script_summary("Check for the vulnerable mshtml.dll file version");
   script_category(ACT_GATHER_INFO);
   script_copyright("Copyright (C) 2009 Greenbone Networks GmbH");
-  script_family("General");
+  script_family("Windows : Microsoft Bulletins");
   script_dependencies("gb_ms_ie_detect.nasl");
   script_require_keys("MS/IE/Version");
+  script_require_ports(139, 445);
   exit(0);
 }
 
 
+include("smb_nt.inc");
+include("secpod_reg.inc");
 include("version_func.inc");
+include("secpod_smb_func.inc");
 
+if(hotfix_check_sp(xp:4, win2k:5, win2003:3) <= 0){
+  exit(0);
+}
+
 ieVer = get_kb_item("MS/IE/Version");
-if(ieVer =~ "^(6|7)\..*"){
+if(!ieVer){
+  exit(0);
+}
+
+# Check for MS09-072 Hotfix (976325)
+if(hotfix_missing(name:"976325") == 0){
+  exit(0);
+}
+
+dllPath = registry_get_sz(item:"Install Path",
+                          key:"SOFTWARE\Microsoft\COM3\Setup");
+dllPath += "\mshtml.dll";
+share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:dllPath);
+file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1", string:dllPath);
+
+vers = GetVer(file:file, share:share);
+if(!vers){
+  exit(0);
+}
+
+if(hotfix_check_sp(win2k:5) > 0)
+{
+  if(version_in_range(version:vers, test_version:"5.0", test_version2:"5.0.3882.2699") ||
+     version_in_range(version:vers, test_version:"6.0", test_version2:"6.0.2800.1641")){
+    security_hole(0);
+  }
+}
+else if(hotfix_check_sp(xp:4) > 0)
+{
+  SP = get_kb_item("SMB/WinXP/ServicePack");
+  if("Service Pack 2" >< SP)
+  {
+    if(version_in_range(version:vers, test_version:"6.0", test_version2:"6.0.2800.1641") ||
+       version_in_range(version:vers, test_version:"6.0.2900.0000", test_version2:"6.0.2900.3639")||
+       version_in_range(version:vers, test_version:"7.0", test_version2:"7.0.6000.21128")||
+       version_in_range(version:vers, test_version:"8.0", test_version2:"8.0.6001.18853")){
+      security_hole(0);
+    }
+    exit(0);
+  }
+  else if("Service Pack 3" >< SP)
+  {
+    if(version_in_range(version:vers, test_version:"6.0", test_version2:"6.0.2800.1641")||
+       version_in_range(version:vers, test_version:"6.0.2900.0000", test_version2:"6.0.2900.5896")||
+       version_in_range(version:vers, test_version:"7.0", test_version2:"7.0.6000.16944") ||
+       version_in_range(version:vers, test_version:"7.0.6000.20000", test_version2:"7.00.6000.21128") ||
+       version_in_range(version:vers, test_version:"8.0", test_version2:"8.0.6001.18853")||
+       version_in_range(version:vers, test_version:"8.0.6001.00000", test_version2:"8.00.6001.22927")){
+      security_hole(0);
+    }
+    exit(0);
+  }
   security_hole(0);
 }
+else if(hotfix_check_sp(win2003:3) > 0)
+{
+  SP = get_kb_item("SMB/Win2003/ServicePack");
+  if("Service Pack 2" >< SP)
+  {
+    if(version_in_range(version:vers, test_version:"6.0", test_version2:"6.0.3790.4610") ||
+       version_in_range(version:vers, test_version:"7.0", test_version2:"7.0.6000.16944") ||
+       version_in_range(version:vers, test_version:"7.0.6000.20000", test_version2:"7.00.6000.21128")||
+       version_in_range(version:vers, test_version:"8.0", test_version2:"8.0.6001.18853")||
+       version_in_range(version:vers, test_version:"8.00.6001.00000", test_version2:"8.00.6001.22927")){
+      security_hole(0);
+    }
+    exit(0);
+  }
+  security_hole(0);
+}
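Review bot: In the XP SP3 and Windows 2003 SP2 branches the second IE8 range starts at `8.0.6001.00000` (`8.00.6001.00000` in the 2003 branch), so it contains the preceding `8.0`–`8.0.6001.18853` range and reports every mshtml.dll build up to 22927. The neighbouring IE7 checks start their second range at `7.0.6000.20000`, which suggests `test_version:"8.0.6001.20000"` was meant; as written, a build above 18853 on the lower branch is reported whenever the 976325 hotfix key is not found, which looks like a false positive. The bounds also mix `7.0`/`7.00` and `8.0`/`8.00`, which is only harmless if version_in_range compares components numerically, so one spelling should be used throughout. Separately, `dllPath` is extended with `"\mshtml.dll"` without the `if(!dllPath){ exit(0); }` guard that secpod_ms09-071.nasl in this commit applies after registry_get_sz.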

Added: trunk/openvas-plugins/scripts/secpod_ms09-071.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms09-071.nasl	2009-12-09 12:16:50 UTC (rev 6116)
+++ trunk/openvas-plugins/scripts/secpod_ms09-071.nasl	2009-12-09 13:31:51 UTC (rev 6117)
@@ -0,0 +1,150 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_ms09-071.nasl 6096 2009-12-08 04:48:09Z dec $
+#
+# Microsoft Windows IAS Remote Code Execution Vulnerability (974318)
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(901065);
+  script_version("$Revision: 1.0 $");
+  script_cve_id("CVE-2009-2505","CVE-2009-3677");
+  script_name("Microsoft Windows IAS Remote Code Execution Vulnerability (974318)");
+  desc = "
+  Overview: This host has critical security update missing according to
+  Microsoft Bulletin MS09-071.
+
+  Vulnerability Insight:
+  This issue is caused by an error when messages received by the Internet
+  Authentication Service server are being copied incorrectly into memory
+  while handling PEAP authentication attempts.
+
+  Impact:
+  Successful exploitation will let the remote attackers take complete control
+  of an affected system. Servers using Internet Authentication Service are only
+  affected when using PEAP with MS-CHAP v2 authentication.
+
+  Impact Level: System
+
+  Affected Software/OS:
+  Microsoft Windows 2k Service Pack 4 and prior.
+  Microsoft Windows Xp Service Pack 3 and prior.
+  Microsoft Windows 2k3 Service Pack 2 and prior.
+
+  Fix:
+  Run Windows Update and update the listed hotfixes or download and
+  update mentioned hotfixes in the advisory from the below link,
+  http://www.microsoft.com/technet/security/bulletin/ms09-071.mspx
+
+  References:
+  http://support.microsoft.com/kb/974318
+  http://www.microsoft.com/technet/security/bulletin/MS09-071.mspx
+
+  Risk factor: Critical";
+
+  script_description(desc);
+  script_summary("Check for the version of Rastls.dll file");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2009 SecPod");
+  script_family("Windows : Microsoft Bulletins");
+  script_dependencies("secpod_reg_enum.nasl");
+  script_require_ports(139, 445);
+  exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
+
+if(hotfix_check_sp(xp:4, win2003:3, win2k:5) <= 0){
+  exit(0);
+}
+# MS09-071 Hotfix check
+if(hotfix_missing(name:"974318") == 0){
+  exit(0);
+}
+
+dllPath = registry_get_sz(key:"SOFTWARE\Microsoft\COM3\Setup",
+                          item:"Install Path");
+if(!dllPath){
+  exit(0);
+}
+
+share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:dllPath);
+file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1",
+                    string:dllPath + "\Rastls.dll");
+
+dllVer = GetVer(file:file, share:share);
+if(!dllVer){
+  exit(0);
+}
+
+# Windows 2k
+if(hotfix_check_sp(win2k:5) > 0)
+{
+  # Check for Rastls.dll version < 5.0.2195.7344
+  if(version_is_less(version:dllVer, test_version:"5.0.2195.7344")){
+     security_hole(0);
+  }
+}
+
+# Windows XP
+else if(hotfix_check_sp(xp:4) > 0)
+{
+  SP = get_kb_item("SMB/WinXP/ServicePack");
+  if("Service Pack 2" >< SP)
+  {
+    # Check for Rastls.dll < 5.1.2600.3632
+    if(version_is_less(version:dllVer, test_version:"5.1.2600.3632")){
+      security_hole(0);
+    }
+    exit(0);
+  }
+
+  else if("Service Pack 3" >< SP)
+  {
+    # Check for Rastls.dll < 5.1.2600.5886
+    if(version_is_less(version:dllVer, test_version:"5.1.2600.5886")){
+      security_hole(0);
+    }
+    exit(0);
+  }
+  security_hole(0);
+}
+
+# Windows 2k3
+else if(hotfix_check_sp(win2003:3) > 0)
+{
+  SP = get_kb_item("SMB/Win2003/ServicePack");
+  if("Service Pack 2" >< SP)
+  {
+    # Check for Rastls.dll version <  5.2.3790.4600
+    if(version_is_less(version:dllVer, test_version:"5.2.3790.4600")){
+      security_hole(0);
+    }
+    exit(0);
+  }
+  security_hole(0);
+}
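Review bot: The trailing `security_hole(0);` at the end of the Windows XP and Windows 2003 branches reports the host whenever the service-pack string matches none of the tested values, without consulting `dllVer`, which has already been read at that point. That is reasonable for older service packs that receive no fix, but it would presumably also fire if the `SMB/WinXP/ServicePack` or `SMB/Win2003/ServicePack` KB item is empty, and a finding produced that way is indistinguishable from one backed by a version comparison. I would state the intent with a comment such as `# Unmatched service pack: no fixed Rastls.dll build is listed, report as vulnerable`, and consider gating the fallback on the lowest fixed build, e.g. `if(version_is_less(version:dllVer, test_version:"5.1.2600.3632")){ security_hole(0); }` for XP. The XP and 2003 branches of gb_ms_ie_style_object_remote_code_exec_vuln.nasl in this commit end the same way.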


Property changes on: trunk/openvas-plugins/scripts/secpod_ms09-071.nasl
___________________________________________________________________
Name: svn:executable
   + *


