[Openvas-commits] r5361 - in trunk/openvas-plugins: . scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Mon Oct 5 08:51:45 CEST 2009


Author: chandra
Date: 2009-10-05 08:51:33 +0200 (Mon, 05 Oct 2009)
New Revision: 5361

Modified:
   trunk/openvas-plugins/ChangeLog
   trunk/openvas-plugins/cve_current.txt
   trunk/openvas-plugins/scripts/smbcl_CVE-2008-0234.nasl
   trunk/openvas-plugins/scripts/smbcl_flash_player_CB-A08-0059.nasl
   trunk/openvas-plugins/scripts/smbcl_gnutls_CB-A08-0079.nasl
   trunk/openvas-plugins/scripts/smbcl_mozilla.nasl
   trunk/openvas-plugins/scripts/smbcl_openoffice_CB-A08-0068.nasl
   trunk/openvas-plugins/scripts/win_CVE-2007-0043.nasl
   trunk/openvas-plugins/scripts/win_CVE-2007-6026.nasl
   trunk/openvas-plugins/scripts/win_CVE-2008-0080.nasl
   trunk/openvas-plugins/scripts/win_CVE-2008-0087.nasl
Log:
Removed dependency on smbclient

Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2009-10-03 10:36:51 UTC (rev 5360)
+++ trunk/openvas-plugins/ChangeLog	2009-10-05 06:51:33 UTC (rev 5361)
@@ -1,3 +1,17 @@
+2009-10-05  Chandrashekhar B <bchandra at secpod.com>
+
+	* scripts/win_CVE-2008-0080.nasl,
+	scripts/smbcl_CVE-2008-0234.nasl,
+	scripts/win_CVE-2007-0043.nasl,
+	scripts/smbcl_flash_player_CB-A08-0059.nasl,
+	scripts/smbcl_gnutls_CB-A08-0079.nasl,
+	scripts/win_CVE-2008-0087.nasl,
+	scripts/smbcl_openoffice_CB-A08-0068.nasl,
+	scripts/smbcl_mozilla.nasl,
+	scripts/win_CVE-2007-6026.nasl:
+	Re-written as per smb_nt.inc method, to remove dependency on Samba
+	based smbclient.
+
 2009-10-02  Michael Meyer <michael.meyer at intevation.de>
 
 	* scripts/photopost_detect.nasl,

Modified: trunk/openvas-plugins/cve_current.txt
===================================================================
--- trunk/openvas-plugins/cve_current.txt	2009-10-03 10:36:51 UTC (rev 5360)
+++ trunk/openvas-plugins/cve_current.txt	2009-10-05 06:51:33 UTC (rev 5361)
@@ -102,3 +102,12 @@
 CVE-2009-3125                   Greenbone       svn             R
 36390                           Greenbone       svn             R
 CVE-2009-3165                   Greenbone       svn             R
+CVE-2009-3523			SecPod
+CVE-2009-3522			SecPod
+CVE-2009-3524			SecPod
+CVE-2009-3518			SecPod
+CVE-2009-3510			SecPod
+CVE-2009-3541			SecPod
+CVE-2009-3484			SecPod
+
+

Modified: trunk/openvas-plugins/scripts/smbcl_CVE-2008-0234.nasl
===================================================================
--- trunk/openvas-plugins/scripts/smbcl_CVE-2008-0234.nasl	2009-10-03 10:36:51 UTC (rev 5360)
+++ trunk/openvas-plugins/scripts/smbcl_CVE-2008-0234.nasl	2009-10-05 06:51:33 UTC (rev 5361)
@@ -1,95 +1,74 @@
+#############################################################################
 #
+#
+#
 # This script was written by Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>
 #
 # This script is released under the GNU GPLv2
 #
 # $Revision: 02 $
+#
+# Updated By:
+# Antu Sanadi <santu at secpod.com> on 16/09/2009
+#
+#
+##############################################################################
 
 if(description)
 {
 
- script_id(90012);
- script_version ("$Revision: 02 $");
- script_cve_id("CVE-2008-2010");
- name = "Buffer overflow in Apple Quicktime Player";
- script_name(name);
+  script_id(90012);
+  script_version ("$Revision: 02$");
+  script_cve_id("CVE-2008-2010");
+  script_name("Buffer overflow in Apple Quicktime Player");
+  desc = "The remote host is probable affected by the vulnerabilitys described in
+  CVE-2008-0234 CVE-2008-2010
 
- desc = "The remote host is probable affected by the vulnerabilitys described in
-CVE-2008-0234 CVE-2008-2010
+  Impact
+    Buffer overflow in Apple Quicktime Player 7.3.1.70
+    and other versions before 7.4.1, when RTSP tunneling
+    is enabled, allows remote attackers to execute
+    arbitrary code via a long Reason-Phrase response
+    to an rtsp:// request, as demonstrated using a
+    404 error message.
 
-Checking if QuickTime version is less than 7.5
+    Unspecified vulnerability in Apple QuickTime Player
+    on Windows XP SP2 and Vista SP1 allows remote attackers
+    to execute arbitrary code via a crafted QuickTime media
+    file. NOTE: as of 20080429, the only disclosure is a
+    vague pre-advisory with no actionable information.
+    However, because it is from a well-known researcher,
+    it is being assigned a CVE identifier for tracking purposes.
 
-Impact
-      Buffer overflow in Apple Quicktime Player 7.3.1.70
-      and other versions before 7.4.1, when RTSP tunneling
-      is enabled, allows remote attackers to execute
-      arbitrary code via a long Reason-Phrase response
-      to an rtsp:// request, as demonstrated using a
-      404 error message.
-
-      Unspecified vulnerability in Apple QuickTime Player
-      on Windows XP SP2 and Vista SP1 allows remote attackers
-      to execute arbitrary code via a crafted QuickTime media
-      file. NOTE: as of 20080429, the only disclosure is a
-      vague pre-advisory with no actionable information.
-      However, because it is from a well-known researcher,
-      it is being assigned a CVE identifier for tracking purposes. 
-
-References:
+  References:
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0234
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2010
     http://lists.apple.com/archives/security-announce/2008/Feb/msg00001.html
     http://lists.apple.com/archives/Security-announce/2008/Jun/msg00000.html
 
-Solution:
+
+  Solution:
     All Users should upgrade to the latest version.
 
+  Risk factor : High";
 
-Risk factor : High";
-
  script_description(desc);
- summary = "Test for Buffer overflow in Apple Quicktime Player";
- script_summary(summary);
+ script_summary("Check the version of Apple Quicktime Player");
  script_category(ACT_GATHER_INFO);
  script_copyright("This script is under GPLv2");
- family = "Windows";
- script_family(family);
+ script_family("Buffer overflow");
+ script_dependencies("secpod_apple_quicktime_detection_win_900124.nasl");
  exit(0);
 }
 
-#
-# The code starts here
-#
 
 include("version_func.inc");
-include("smbcl_func.inc");
-if( check_smbcl() == 0 ) exit(0);
 
-  test_version = "7.50.51";
-  win_dir = get_windir();
-  if( !isnull(win_dir) ) {
-    test_file[0] = win_dir+"System32\QuickTime.qts";
-    test_file[1] = "Programme\QuickTime\QuickTimePlayer.exe";
-    test_file[2] = "Program Files\QuickTime\QuickTimePlayer.exe";
-    foreach filespec (test_file) {
-      r = smbgetdir(share: "C$", dir: filespec, typ: 1 );
-      if( !isnull(r) ) {
-          tmp_filename = get_tmp_dir()+"tmpfile"+rand();
-          if( smbgetfile(share: "C$", filename: filespec, tmp_filename: tmp_filename) ) {
-            v = GetPEFileVersion(tmp_filename:tmp_filename, orig_filename:filespec);
-            unlink(tmp_filename);
-            if( version_is_less(version: v, test_version: test_version) ) {
-              security_hole(port:0, proto:"Win_Quicktime");
-              report = report + "Fileversion : C$ "+filespec + " "+v+string("\n");
-              security_hole(port:0, proto:"Win_Quicktime", data:report);
-            }
-            break;
-          } else {
-            report = string("Error getting SMB-File -> "+get_kb_item("SMB/ERROR")) + string("\n");
-            security_note(port:0, proto:"Win_Quicktime", data:report);
-          }
-      }
-    }
+qtVer = get_kb_item("QuickTime/Win/Ver");
+if(qtVer)
+{
+  # QuickTime version < 7.50.51
+  if(version_is_less(version:qtVer, test_version:"7.50.51")){
+   security_hole(0);
   }
-
-exit(0);
+}
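Review bot: `script_cve_id("CVE-2008-2010")` still omits CVE-2008-0234, which the file name and the description text both cite, so the finding cannot be looked up by that CVE; `script_cve_id("CVE-2008-0234", "CVE-2008-2010");` would match the description. The OpenOffice script in this commit has the same gap: its description cites CVE-2008-3282 but its `script_cve_id` lists only CVE-2008-2152. The rewritten check also reports with a bare `security_hole(0)`, where the removed code attached the file path and version; something like `security_hole(port:0, data:"QuickTime version: " + qtVer + string("\n"));` keeps the evidence needed to triage the result, and the same holds for the rewritten Flash Player, GnuTLS and Mozilla checks. Unlike the GnuTLS and OpenOffice scripts in this commit, this one adds `script_dependencies` without a matching `script_require_keys("QuickTime/Win/Ver")`.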

Modified: trunk/openvas-plugins/scripts/smbcl_flash_player_CB-A08-0059.nasl
===================================================================
--- trunk/openvas-plugins/scripts/smbcl_flash_player_CB-A08-0059.nasl	2009-10-03 10:36:51 UTC (rev 5360)
+++ trunk/openvas-plugins/scripts/smbcl_flash_player_CB-A08-0059.nasl	2009-10-05 06:51:33 UTC (rev 5361)
@@ -1,3 +1,4 @@
+##################################################################################
 #
 # This script was written by Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>
 #
@@ -3,115 +4,114 @@
 # This script is released under the GNU GPLv2
 #
-# $Revision: 01 $
+# $Revision: 03 $
+#
+# Modified to Implement based on 'smb_nt.inc'
+#  - By Sharath S <sharaths at secpod.com> On 2009-09-14
+#
+###############################################################################
 
 if(description)
 {
+  script_id(90019);
+  script_version ("$Revision: 03 $");
+  script_cve_id("CVE-2007-5275", "CVE-2007-6019", "CVE-2007-6243",
+                "CVE-2007-6637", "CVE-2008-1654", "CVE-2008-1655");
+  script_bugtraq_id(26930, 28694, 26966, 27034, 28696, 28697);
+  script_name("Adobe Flash Player 9.0.115.0 and earlier vulnerability (Win)");
+  desc = "
+  The remote host is probably affected by the vulnerabilities described in
+  CVE-2007-5275, CVE-2007-6019, CVE-2007-6243, CVE-2007-6637, CVE-2008-1654,
+  CVE-2008-1655.
 
- script_id(90019);
- script_version ("$Revision: 01 $");
- name = "Adobe Flash Player 9.0.115.0 and earlier vulnerability (Win)";
- script_name(name);
+  Impact:
+  - CVE 2007-5275
+    The Adobe Macromedia Flash 9 plug-in allows remote attackers to cause a
+    victim machine to establish TCP sessions with arbitrary hosts via a Flash
+    (SWF) movie, related to lack of pinning of a hostname to a single IP address
+    after receiving an allow-access-from element in a cross-domain-policy XML
+    document, and the availability of a Flash Socket class that does not use
+    the browser's DNS pins, aka DNS rebinding attacks, a different issue than
+    CVE-2002-1467 and CVE-2007-4324.
+  - CVE 2007-6019
+    Adobe Flash Player 9.0.115.0 and earlier, and 8.0.39.0 and earlier, allows
+    remote attackers to execute arbitrary code via an SWF file with a modified
+    DeclareFunction2 Actionscript tag, which prevents an object from being
+    instantiated properly.
+  - CVE 2007-6243
+    Adobe Flash Player 9.x up to 9.0.48.0, 8.x up to 8.0.35.0, and 7.x up to
+    7.0.70.0 does not sufficiently restrict the interpretation and usage of
+    cross-domain policy files, which makes it easier for remote attackers to
+    conduct cross-domain and cross-site scripting (XSS) attacks.
+  - CVE 2007-6637
+    Multiple cross-site scripting (XSS) vulnerabilities in Adobe Flash Player
+    allow remote attackers to inject arbitrary web script or HTML via a crafted
+    SWF file, related to 'pre-generated SWF files' and Adobe Dreamweaver CS3 or
+    Adobe Acrobat Connect. NOTE: the asfunction: vector is already covered by
+    CVE-2007-6244.1.
+  - CVE 2008-1654
+    Interaction error between Adobe Flash and multiple Universal Plug and Play
+    (UPnP) services allow remote attackers to perform Cross-Site Request Forgery
+    (CSRF) style attacks by using the Flash navigateToURL function to send a SOAP
+    message to a UPnP control point, as demonstrated by changing the primary DNS
+    server.
+  - CVE 2008-1655
+    Unspecified vulnerability in Adobe Flash Player 9.0.115.0 and earlier, and
+    8.0.39.0 and earlier, makes it easier for remote attackers to conduct DNS
+    rebinding attacks via unknown vectors.
 
- desc = "The remote host is probably affected by the vulnerabilities described in
-CVE-2007-5275, CVE-2007-6019, CVE-2007-6243, CVE-2007-6637, CVE-2008-1654, CVE-2008-1655
+  References:
+  http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5275
+  http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6019
+  http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6243
+  http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6637
+  http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1654
+  http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1655
 
-Impact
-   CVE 2007-5275
-     The Adobe Macromedia Flash 9 plug-in allows remote attackers to cause
-     a victim machine to establish TCP sessions with arbitrary hosts via a
-     Flash (SWF) movie, related to lack of pinning of a hostname to a single
-     IP address after receiving an allow-access-from element in a 
-     cross-domain-policy XML document, and the availability of a Flash Socket
-     class that does not use the browser's DNS pins, aka DNS rebinding attacks,
-     a different issue than CVE-2002-1467 and CVE-2007-4324.
-   CVE 2007-6019
-     Adobe Flash Player 9.0.115.0 and earlier, and 8.0.39.0 and earlier,
-     allows remote attackers to execute arbitrary code via an SWF file with
-     a modified DeclareFunction2 Actionscript tag, which prevents an object
-     from being instantiated properly.
-   CVE 2007-6243
-     Adobe Flash Player 9.x up to 9.0.48.0, 8.x up to 8.0.35.0, and 7.x 
-     up to 7.0.70.0 does not sufficiently restrict the interpretation and 
-     usage of cross-domain policy files, which makes it easier for remote 
-     attackers to conduct cross-domain and cross-site scripting (XSS) attacks. 
-   CVE 2007-6637
-     Multiple cross-site scripting (XSS) vulnerabilities in Adobe Flash 
-     Player allow remote attackers to inject arbitrary web script or HTML
-     via a crafted SWF file, related to 'pre-generated SWF files' and Adobe
-     Dreamweaver CS3 or Adobe Acrobat Connect. NOTE: the asfunction: vector
-     is already covered by CVE-2007-6244.1. 
-   CVE 2008-1654
-     Interaction error between Adobe Flash and multiple Universal Plug and Play
-     (UPnP) services allow remote attackers to perform Cross-Site Request 
-     Forgery (CSRF) style attacks by using the Flash navigateToURL function
-     to send a SOAP message to a UPnP control point, as demonstrated by changing
-     the primary DNS server. 
-   CVE 2008-1655
-     Unspecified vulnerability in Adobe Flash Player 9.0.115.0 and earlier,
-     and 8.0.39.0 and earlier, makes it easier for remote attackers to 
-     conduct DNS rebinding attacks via unknown vectors. 
+  Solution:
+  All Adobe Flash Player users should upgrade to the latest version:
+  http://get.adobe.com/flashplayer/
 
+  Risk factor : High";
 
-References:
-    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5275
-    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6019
-    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6243
-    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6637
-    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1654
-    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1655
+  script_description(desc);
+  script_summary("Determine the version of Flashplayer");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("This script is under GPLv2");
+  script_family("Windows");
+  script_dependencies("secpod_reg_enum.nasl");
+  script_require_keys("SMB/WindowsVersion");
+  script_require_ports(139, 445);
+  exit(0);
+}
 
-Solution:
-    All Adobe Flash Player users should upgrade to the latest version:
 
+include("smb_nt.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
 
-Risk factor : High
-";
+if(!get_kb_item("SMB/WindowsVersion")){
+  exit(0);
+}
 
- script_description(desc);
- summary = "Determines the Version of Flashplayer";
- script_summary(summary);
- script_category(ACT_GATHER_INFO);
- script_copyright("This script is under GPLv2");
- family = "Windows";
- script_family(family);
- exit(0);
+filePath = registry_get_sz(key:"SOFTWARE\Microsoft\COM3\Setup",
+                          item:"Install Path");
+if(!filePath){
+  exit(0);
 }
 
-#
-# The code starts here
-#
-
-include("version_func.inc");
-include("smbcl_func.inc");
-if( check_smbcl() == 0 ) exit(0);
-
-  sec_hole = 0;
-  test_version = "9.0.115.0";
-  win_dir = get_windir();
-  if( !isnull(win_dir) ) {
-    test_file[0] = win_dir+"System32\Macromed\Flash\NPSWF32.dll";
-    test_file[1] = win_dir+"System32\Macromed\Flash\Flash.ocx";
-    test_file[2] = win_dir+"System32\Macromed\Flash\Flash6.ocx";
-    foreach filespec (test_file) {
-      r = smbgetdir(share: "C$", dir: filespec, typ: 1 );
-      if( !isnull(r) ) {
-          tmp_filename = get_tmp_dir()+"tmpfile"+rand();
-          if( smbgetfile(share: "C$", filename: filespec, tmp_filename: tmp_filename) ) {
-            v = GetPEFileVersion(tmp_filename:tmp_filename, orig_filename:filespec);
-            unlink(tmp_filename);
-            if( version_is_less_equal(version: v, test_version: test_version) ) {
-              if( sec_hole == 0 ) {
-                security_hole(port:0, proto:"Win_Flashplayer");
-                sec_hole = 1;
-              }
-              security_hole(port:0, proto:"Win_Flashplayer", data:"Fileversion : C$ "+filespec + " "+v+string("\n"));
-            }
-          } else {
-            report = string("Error getting SMB-File -> "+get_kb_item("SMB/ERROR")) + string("\n");
-            security_note(port:0, proto:"Win_Flashplayer", data:report);
-          }
-      }
+flashPath = filePath + "\Macromed\Flash\";
+foreach filespec (make_list("NPSWF32.dll", "Flash.ocx", "Flash6.ocx"))
+{
+  share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:filePath);
+  file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1",
+                      string:flashPath + filespec);
+  fileVer = GetVer(file:file, share:share);
+  if(fileVer)
+  {
+    if(version_is_less_equal(version:fileVer, test_version:"9.0.115.0"))
+    {
+      security_hole(0);
+      exit(0);
     }
   }
-
-exit(0);
+}
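Review bot: The drive-letter patterns in the two `ereg_replace` calls match only upper-case `[A-Z]`, so if the registry value comes back with a lower-case drive letter neither replacement applies, `share` stays a full path and `GetVer` presumably returns nothing, which is a silent miss rather than a finding; `pattern:"([A-Za-z]):.*"` and `pattern:"[A-Za-z]:(.*)"` would cover both cases. `share` does not depend on `filespec` and can be computed once before the `foreach`. The removed code raised a `security_note` with the SMB error when the file could not be fetched, whereas the new loop skips a failed `GetVer` without any trace, so an access problem is indistinguishable from a clean host. A short comment on why `SOFTWARE\Microsoft\COM3\Setup` / `Install Path` serves as the base directory would help, since the hunk does not show what that value holds.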

Modified: trunk/openvas-plugins/scripts/smbcl_gnutls_CB-A08-0079.nasl
===================================================================
--- trunk/openvas-plugins/scripts/smbcl_gnutls_CB-A08-0079.nasl	2009-10-03 10:36:51 UTC (rev 5360)
+++ trunk/openvas-plugins/scripts/smbcl_gnutls_CB-A08-0079.nasl	2009-10-05 06:51:33 UTC (rev 5361)
@@ -1,3 +1,4 @@
+################################################################################
 #
 # This script was written by Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>
 #
@@ -3,19 +4,24 @@
 # This script is released under the GNU GPLv2
 #
-# $Revision: 01 $
+# $Revision: 03 $
+#
+# Modified to implement through 'smb_nt.inc'
+#- By Nikita MR <rnikita at secpod.com> on 2009-09-17
+#
+################################################################################
 
 if(description)
 {
 
  script_id(90027);
- script_version ("$Revision: 01 $");
+ script_version ("$Revision: 03$");
  script_cve_id("CVE-2008-1948");
- name = "GnuTLS < 2.2.5 vulnerability (Win)";
+ name = "GnuTLS < 2.2.4 vulnerability (Win)";
  script_name(name);
 
  desc = "The remote host is probably affected by the vulnerabilities described in
-CVE-2008-1948, CVE-2008-1949, CVE-2008-1950
+ CVE-2008-1948, CVE-2008-1949, CVE-2008-1950
 
-GnuTLS < 2.2.5 vulnerability
+GnuTLS < 2.2.4 vulnerability
 
 Impact
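Review bot: The threshold change from 2.2.5 to 2.2.4 in `name` and in the description text here is a detection-behaviour change that the commit log ("Removed dependency on smbclient") and the ChangeLog entry do not mention. The next hunk carries it through to the summary and to `version_is_less(version:gnutlsVer, test_version:"2.2.4")`, so a host running 2.2.4 that the old check flagged is no longer reported. If the new bound is intended, the ChangeLog should say so and name the advisory it is based on; if it is not, the three strings and `test_version` should stay at `"2.2.5"`. The header of this hunk's description block continues outside the hunk.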
@@ -60,51 +66,25 @@
 ";
 
  script_description(desc);
- summary = "Determines GnuTLS < 2.2.5 vulnerability";
+ summary = "Determines GnuTLS < 2.2.4 vulnerability";
  script_summary(summary);
  script_category(ACT_GATHER_INFO);
  script_copyright("This script is under GPLv2");
- family = "Windows";
+ family = "General";
  script_family(family);
+ script_dependencies("gb_gnutls_detect_win.nasl");
+ script_require_keys("GnuTLS/Win/Ver");
+ script_require_ports(139, 445);
  exit(0);
 }
 
-#
-# The code starts here
-#
 
-include("smbcl_func.inc");
-include("version_func.inc");
-if( check_smbcl() == 0 ) exit(0);
+include ("version_func.inc");
 
-local_var ver, test_version, sec_hole, sec_proto, r, path, share, prog;
-
-sec_hole = 0;
-sec_proto = "GnuTLS";
-ver = NULL;
-r = NULL;
-test_version = "2.2.5";
-
-  path = "Programme\";
-  share ="C$";
-  prog = "GnuTLS*";
-  r = smbgetdir(share: share, dir: path+prog, typ: 2 );
-  if( isnull(r) ) {
-    path = "Program Files\";
-    r = smbgetdir(share: share, dir: path+prog, typ: 2 );
+gnutlsVer = get_kb_item("GnuTLS/Win/Ver");
+if(gnutlsVer != NULL)
+{
+  if(version_is_less(version:gnutlsVer, test_version:"2.2.4")){
+    security_hole(0);
   }
-  if( !isnull(r) ) {
-    foreach i (keys(r)) {
-      ver = eregmatch(pattern:"[0-9].*", string:r[i]);
-      if(!isnull(ver) ) {
-        if(version_is_less(version:ver[0], test_version:test_version) ) {
-          if(sec_hole == 0) {
-            security_hole(port:0, proto:sec_proto);
-            sec_hole = 1;
-          }
-          security_hole(port:0, proto:sec_proto, data:string("\nFound : ")+share + " " + path + r[i] + string("\n"));
-        }
-      }
-    }
-  }
-exit(0);
+}

Modified: trunk/openvas-plugins/scripts/smbcl_mozilla.nasl
===================================================================
--- trunk/openvas-plugins/scripts/smbcl_mozilla.nasl	2009-10-03 10:36:51 UTC (rev 5360)
+++ trunk/openvas-plugins/scripts/smbcl_mozilla.nasl	2009-10-05 06:51:33 UTC (rev 5361)
@@ -1,3 +1,4 @@
+##################################################################################
 #
 # This script was written by Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>
 #
@@ -3,136 +4,99 @@
 # This script is released under the GNU GPLv2
 #
-# $Revision: 01 $
+# $Revision: 03 $
+#
+# Modified to implement through 'smb_nt.inc'
+#  - By Sharath S <sharaths at secpod.com> On 2009-09-17
+#
+###############################################################################
 
 if(description)
 {
+  script_id(90013);
+  script_version ("$Revision: 03 $");
+  script_cve_id("CVE-2008-1238", "CVE-2008-1240", "CVE-2008-1241");
+  script_bugtraq_id(28448);
+  script_name("Mozilla Firefox, Thunderbird, Seamonkey. Several vulnerabilitys (Win)");
+  desc = "
+  The remote host is probable affected by the vulnerabilities described in
+  CVE-2008-0416, CVE-2007-4879, CVE-2008-1195, CVE-2008-1233,
+  CVE-2008-1234, CVE-2008-1235, CVE-2008-1236, CVE-2008-1237,
+  CVE-2008-1238, CVE-2008-1240, CVE-2008-1241 and more.
 
- script_id(90013);
- script_version ("$Revision: 01 $");
- script_cve_id("CVE-2008-1238","CVE-2008-1240","CVE-2008-1241");
- name = "Mozilla Firefox, Thunderbird, Seamonkey. Several vulnerabilitys (Win)";
- script_name(name);
+  Impact:
+  Mozilla contributors moz_bug_r_a4, Boris Zbarsky, and Johnny Stenback reported
+  a series of vulnerabilities which allow scripts from page content to run with
+  elevated privileges. moz_bug_r_a4 demonstrated additional variants of MFSA
+  2007-25 and MFSA2007-35 (arbitrary code execution through XPCNativeWrapper
+  pollution). Additional vulnerabilities reported separately by Boris Zbarsky,
+  Johnny Stenback, and moz_bug_r_a4 showed that the browser could be forced to
+  run JavaScript code using the wrong principal leading to universal XSS
+  and arbitrary code execution.
 
- desc = "The remote host is probable affected by the vulnerabilitys described in 
-CVE-2008-0416, CVE-2007-4879, CVE-2008-1195, CVE-2008-1233,
-CVE-2008-1234, CVE-2008-1235, CVE-2008-1236, CVE-2008-1237,
-CVE-2008-1238, CVE-2008-1240, CVE-2008-1241 and more.
+  References:
+  http://www.mozilla.org/security/announce/2008/mfsa2008-14.html
+  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0412
+  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0416
+  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1238
+  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1240
+  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1241
 
+  Solution:
+  All Users should upgrade to the latest versions of Firefox, Thunderbird or
+  Seamonkey.
+  http://www.mozilla.com/en-US/firefox/all.html
+  http://www.seamonkey-project.org/releases/
+  http://www.mozillamessaging.com/en-US/thunderbird/all.html
 
-Impact
-     Mozilla contributors moz_bug_r_a4, Boris Zbarsky, 
-     and Johnny Stenback reported a series of vulnerabilities 
-     which allow scripts from page content to run with elevated
-     privileges. moz_bug_r_a4 demonstrated additional variants
-     of MFSA 2007-25 and MFSA2007-35 (arbitrary code execution
-     through XPCNativeWrapper pollution). Additional 
-     vulnerabilities reported separately by Boris Zbarsky, 
-     Johnny Stenback, and moz_bug_r_a4 showed that the browser
-     could be forced to run JavaScript code using the wrong 
-     principal leading to universal XSS and arbitrary code execution.
-     And more...
+  Risk factor : High";
 
-
-References:
-    http://www.mozilla.org/security/announce/2008/mfsa2008-14.html
-    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0412
-    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0416
-    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1238
-    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1240
-    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1241
-    .
-    .
-    .
-
-Solution:
-    All Users should upgrade to the latest versions of Firefox, Thunderbird or Seamonkey.
-
-
-Risk factor : High";
-
- script_description(desc);
- summary = "Mozilla Firefox, Thunderbird, Seamonkey. Several vulnerabilitys";
- script_summary(summary);
- script_category(ACT_GATHER_INFO);
- script_copyright("This script is under GPLv2");
- family = "Windows";
- script_family(family);
- exit(0);
+  script_description(desc);
+  script_summary("Mozilla Firefox, Thunderbird, Seamonkey. Several vulnerabilities");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("This script is under GPLv2");
+  script_family("General");
+  script_dependencies("gb_firefox_detect_win.nasl", "gb_seamonkey_detect_win.nasl",
+                      "gb_thunderbird_detect_win.nasl");
+  script_require_keys("Firefox/Win/Ver", "Seamonkey/Win/Ver",
+                      "Thunderbird/Win/Ver");
+  script_require_ports(139, 445);
+  exit(0);
 }
 
-#
-# The code starts here
-#
 
+include("smb_nt.inc");
 include("version_func.inc");
-include("smbcl_func.inc");
-if( check_smbcl() == 0 ) exit(0);
 
-  test_version = "2.0.0.14";        # Test Firefox
-  test_file[0] = "Programme\Mozilla Firefox\firefox.exe";
-  test_file[1] = "Prog Files\Mozilla Firefox\firefox.exe";
-  foreach filespec (test_file) {
-    r = smbgetdir(share: "C$", dir: filespec, typ: 1 );
-    if( !isnull(r) ) {
-        tmp_filename = get_tmp_dir()+"tmpfile"+rand();
-        if( smbgetfile(share: "C$", filename: filespec, tmp_filename: tmp_filename) ) {
-          v = GetPEProductVersion(tmp_filename:tmp_filename, orig_filename:filespec);
-          unlink(tmp_filename);
-          if( version_is_less(version: v, test_version: test_version) ) {
-            security_hole(port:0, proto:"Win_Mozilla");
-            report = report + "Fileversion : C$ "+filespec + " "+v+string("\n");
-            security_hole(port:0, proto:"Win_Mozilla", data:report);
-          }
-          break;
-        } else {
-          report = string("Error getting SMB-File -> "+get_kb_item("SMB/ERROR")) + string("\n");
-          security_note(port:0, proto:"Win_Mozilla", data:report);
-        }
-    }
+# Firefox Check
+ffVer = get_kb_item("Firefox/Win/Ver");
+if(ffVer)
+{
+  # Grep for Firefox version < 2.0.0.14
+  if(version_is_less(version:ffVer, test_version:"2.0.0.14"))
+  {
+    security_hole(0);
+    exit(0);
   }
-  test_version = "2.0.0.14";        # Test Thunderbird
-  test_file[0] = "Programme\Mozilla Thunderbird\thunderbird.exe";
-  test_file[1] = "Prog Files\Mozilla Thunderbird\thunderbird.exe";
-  foreach filespec (test_file) {
-    r = smbgetdir(share: "C$", dir: filespec, typ: 1 );
-    if( !isnull(r) ) {
-        tmp_filename = get_tmp_dir()+"tmpfile"+rand();
-        if( smbgetfile(share: "C$", filename: filespec, tmp_filename: tmp_filename) ) {
-          v = GetPEProductVersion(tmp_filename:tmp_filename, orig_filename:filespec);
-          unlink(tmp_filename);
-          if( version_is_less(version: v, test_version: test_version) ) {
-            security_hole(port:0, proto:"Win_Mozilla");
-            report = report + "Fileversion : C$ "+filespec + " "+v+string("\n");
-            security_hole(port:0, proto:"Win_Mozilla", data:report);
-          }
-          break;
-        } else {
-          report = string("Error getting SMB-File -> "+get_kb_item("SMB/ERROR")) + string("\n");
-          security_note(port:0, proto:"Win_Mozilla", data:report);
-        }
-    }
+}
+
+# Seamonkey Check
+smVer = get_kb_item("Seamonkey/Win/Ver");
+if(smVer)
+{
+  # Grep for Seamonkey version < 1.1.9
+  if(version_is_less(version:smVer, test_version:"1.1.9"))
+  {
+    security_hole(0);
+    exit(0);
   }
-  test_version = "1.1.9";        # Test SeaMonkey
-  test_file[0] = "Programme\mozilla.org\SeaMonkey\seamonkey.exe";
-  test_file[1] = "Prog Files\mozilla.org\SeaMonkey\seamonkey.exe";
-  foreach filespec (test_file) {
-    r = smbgetdir(share: "C$", dir: filespec, typ: 1 );
-    if( !isnull(r) ) {
-        tmp_filename = get_tmp_dir()+"tmpfile"+rand();
-        if( smbgetfile(share: "C$", filename: filespec, tmp_filename: tmp_filename) ) {
-          v = GetPEProductVersion(tmp_filename:tmp_filename, orig_filename:filespec);
-          unlink(tmp_filename);
-          if( version_is_less(version: v, test_version: test_version) ) {
-            security_hole(port:0, proto:"Win_Mozilla");
-            report = report + "Fileversion : C$ "+filespec + " "+v+string("\n");
-            security_hole(port:0, proto:"Win_Mozilla", data:report);
-          }
-          break;
-        } else {
-          report = string("Error getting SMB-File -> "+get_kb_item("SMB/ERROR")) + string("\n");
-          security_note(port:0, proto:"Win_Mozilla", data:report);
-        }
-    }
-  }
+}
 
-exit(0);
+# Thunderbird Check
+tbVer = get_kb_item("Thunderbird/Win/Ver");
+if(tbVer)
+{
+  # Grep for Thunderbird version < 2.0.0.14
+  if(version_is_less(version:tbVer, test_version:"2.0.0.14")){
+    security_hole(0);
+  }
+}
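Review bot: `script_require_keys("Firefox/Win/Ver", "Seamonkey/Win/Ver", "Thunderbird/Win/Ver")` lists all three keys, and as far as I know the scanner skips a plugin when any required key is missing, so a host with only Firefox installed would likely never be checked even though the body treats each key as optional. Dropping the `script_require_keys` call avoids that silent false negative, since the `if(ffVer)` / `if(smVer)` / `if(tbVer)` guards already handle absent products. `include("smb_nt.inc");` looks unused now that the body reads only KB items. `script_cve_id` names three CVEs while the description lists eleven, so results cannot be cross-referenced by most of the CVEs the text cites.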

Modified: trunk/openvas-plugins/scripts/smbcl_openoffice_CB-A08-0068.nasl
===================================================================
--- trunk/openvas-plugins/scripts/smbcl_openoffice_CB-A08-0068.nasl	2009-10-03 10:36:51 UTC (rev 5360)
+++ trunk/openvas-plugins/scripts/smbcl_openoffice_CB-A08-0068.nasl	2009-10-05 06:51:33 UTC (rev 5361)
@@ -1,3 +1,4 @@
+#####################################################################################
 #
 # This script was written by Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>
 #
@@ -3,28 +4,29 @@
 # This script is released under the GNU GPLv2
 #
-# $Revision: 01 $
+# $Revision: 03 $
+#
+# Updated By Antu Sanadi <santu at secpod.com> on 16/09/2009
+#
+#
+####################################################################################
 
 if(description)
 {
 
- script_id(90030);
- script_version ("$Revision: 01 $");
- script_cve_id("CVE-2008-2152");
- name = "OpenOffice.org <= 2.4.1 vulnerability (Win)";
- script_name(name);
+  script_id(90030);
+  script_version ("$Revision: 03 $");
+  script_cve_id("CVE-2008-2152");
+  script_bugtraq_id(29622);
+  script_name("OpenOffice.org <= 2.4.1 vulnerability (Win)");
+  desc = "The remote host is probably affected by the vulnerabilities described in
+  CVE-2008-2152 or CVE-2008-3282 on 64-bit platform's
 
- desc = "The remote host is probably affected by the vulnerabilities described in
-CVE-2008-2152 or CVE-2008-3282 on 64-bit platform's
-
-OpenOffice.org <= 2.4.1 vulnerability
-
-Impact
-
+  Impact
    CVE-2008-2152
      Integer overflow in the rtl_allocateMemory function in
      sal/rtl/source/alloc_global.c in OpenOffice.org (OOo)
      2.0 through 2.4 allows remote attackers to execute
      arbitrary code via a crafted file that triggers a
-     heap-based buffer overflow. 
+     heap-based buffer overflow.
    CVE-2008-3282
      Integer overflow in the rtl_allocateMemory function
@@ -34,78 +36,34 @@
      remote attackers to cause a denial of service (application
      crash) or possibly execute arbitrary code via a crafted
      document, related to a 'numeric truncation error,' a
-     different vulnerability than CVE-2008-2152. 
- 
-References:
+     different vulnerability than CVE-2008-2152.
+
+  References:
     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2152
     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3282
 
-Solution:
+  Solution:
     All OpenOffice.org users should upgrade to the latest version:
 
+  Risk factor : High";
 
-Risk factor : High
-";
-
- script_description(desc);
- summary = "Determines OpenOffice.org <= 2.4.1 vulnerability";
- script_summary(summary);
- script_category(ACT_GATHER_INFO);
- script_copyright("This script is under GPLv2");
- family = "Windows";
- script_family(family);
- exit(0);
+  script_description(desc);
+  script_summary("Check for the version of OpenOffice");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("This script is under GPLv2");
+  script_family("Buffer overflow");
+  script_dependencies("secpod_openoffice_detect_win.nasl");
+  script_require_keys("OpenOffice/Win/Ver");
+  exit(0);
 }
 
-#
-# The code starts here
-#
+
 include("version_func.inc");
-include("smbcl_func.inc");
-if( check_smbcl() == 0 ) exit(0);
 
-sec_hole = 0;
-sec_proto = "OpenOffice.org";
-test_version = "2.4.9310";
-ver = NULL;
-r = NULL;
-
-  sec_hole = 0;
-  path = "Programme\";
-  share ="C$";
-  prog = "OpenOffice.org*";
-  r = smbgetdir(share: share, dir: path+prog, typ: 2 );
-  if( isnull(r) ) {
-    path = "Program Files\";
-    r = smbgetdir(share: share, dir: path+prog, typ: 2 );
+openVer = get_kb_item("OpenOffice/Win/Ver");
+if(openVer != NULL)
+{
+  if(version_is_less_equal(version:openVer, test_version:"2.4.1")){
+    security_hole(0);
   }
-  if( !isnull(r) ) {
-    foreach oodir (r) {
-      file_spec = path+oodir+"\program\version.ini";
-      r = smbgetdir(share: "C$", dir: file_spec, typ: 1 );
-      if( !isnull(r) ) {
-        tmp_filename = get_tmp_dir()+"tmpfile"+rand();
-        if( smbgetfile(share: "C$", filename: file_spec, tmp_filename: tmp_filename) ) {
-          ver = fread(tmp_filename);
-          unlink(tmp_filename);
-          if( ! isnull(ver) ) {
-            version = ereg_replace(pattern:".+OOOBaseVersion=", string: ver, replace: "")+".";
-            version = eregmatch(pattern:"([0-9]\.)+[0-9]+", string: version);
-            build = ereg_replace(pattern:".+ProductBuildid=", string: ver, replace: "");
-            build = eregmatch(pattern:"^[0-9]+", string: build);
-            ver = version[0]+"."+build[0];
-            set_kb_item(name: "OpenOffice.org/Build", value: ver);
-            if( version_is_less(version:ver, test_version:test_version) ) {
-              if(sec_hole == 0) {
-                security_warning(port:0, proto:sec_proto);
-                sec_hole = 1;
-              }
-              security_warning(port:0, proto:sec_proto, data:string("\nFound : ") + oodir + 
-                                                                    "  Build : " + ver + string("\n"));
-            }
-          }
-        }
-      }
-    }
-  }
-exit(0);
+}
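Review bot: The bound `test_version:"2.4.1"` may not be in the same format as the value stored under `OpenOffice/Win/Ver`. The removed code compared against `2.4.9310`, a base version joined with the build id. If the detection script (not shown here) records a build-style number, an affected 2.4.x install compares as greater than `2.4.1` and is never reported. I would confirm the key's format against secpod_openoffice_detect_win.nasl and record it next to the check, e.g. `# OpenOffice/Win/Ver format must match test_version (release number vs. build number)`. The rewrite also stops setting `OpenOffice.org/Build`, so any plugin that reads that key needs checking.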

Modified: trunk/openvas-plugins/scripts/win_CVE-2007-0043.nasl
===================================================================
--- trunk/openvas-plugins/scripts/win_CVE-2007-0043.nasl	2009-10-03 10:36:51 UTC (rev 5360)
+++ trunk/openvas-plugins/scripts/win_CVE-2007-0043.nasl	2009-10-05 06:51:33 UTC (rev 5361)
@@ -1,90 +1,98 @@
+#################################################################################
 #
+#
 # This script was written by Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>
 #
 # This script is released under the GNU GPLv2
 #
-# $Revision: 01 $
+# $Revision: 02 $
+# Updated by:
+# Antu Sanadi <santu at secpod.com> on 16/09/22
+#
+###############################################################################
 
 if(description)
 {
+  script_id(90010);
+  script_version ("$Revision: 02 $");
+  script_cve_id("CVE-2007-0043");
+  script_bugtraq_id(24811);
+  script_name(".NET JIT Compiler Vulnerability");
+  desc = "The remote host is affected by the vulnerabilitys described in
+  CVE-2007-0043
 
- script_id(90010);
- script_version ("$Revision: 01 $");
- script_cve_id("CVE-2007-0043");
- name = ".NET JIT Compiler Vulnerability";
- script_name(name);
+  Checking if System.web.dll version is less than 2.0.50727.832
 
- desc = "The remote host is affected by the vulnerabilitys described in
-CVE-2007-0043
+  Impact:
+  The Just In Time (JIT) Compiler service in Microsoft .NET Framework 1.0, 1.1,
+  and 2.0 for Windows 2000, XP, Server 2003, and Vista allows user-assisted
+  remote attackers to execute arbitrary code via unspecified vectors involving
+  an unchecked buffer, probably a buffer overflow, aka .NET JIT Compiler
+  Vulnerability. Checking if System.web.dll version is less than 2.0.50727.832
 
-Checking if System.web.dll version is less than 2.0.50727.832
+  References:
+  http://secunia.com/advisories/26003
+  http://securitytracker.com/alerts/2007/Jul/1018356.html
+  http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0043
+  http://www.microsoft.com/technet/security/Bulletin/ms07-040.mspx
 
-Impact
-    The Just In Time (JIT) Compiler service in Microsoft 
-    .NET Framework 1.0, 1.1, and 2.0 for Windows 2000, XP, 
-    Server 2003, and Vista allows user-assisted remote 
-    attackers to execute arbitrary code via unspecified 
-    vectors involving an unchecked buffer, probably a 
-    buffer overflow, aka .NET JIT Compiler Vulnerability.
-    Checking if System.web.dll version is less than 2.0.50727.832
+  Solution:
+  All Users should upgrade to the latest version.
+  http://www.microsoft.com/technet/security/Bulletin/ms07-040.mspx
 
-References:
-    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0043
+  Risk factor : High";
 
-Solution:
-    All Users should upgrade to the latest version.
+  script_description(desc);
+  script_summary("Test for .NET JIT Compiler Vulnerability");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("This script is under GPLv2");
+  script_family("Windows : Microsoft Bulletins");
+  script_dependencies("secpod_reg_enum.nasl");
+  script_require_keys("SMB/WindowsVersion");
+  script_require_ports(139, 445);
+  exit(0);
+}
 
 
-Risk factor : High";
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
 
- script_description(desc);
- summary = "Test for .NET JIT Compiler Vulnerability";
- script_summary(summary);
- script_category(ACT_GATHER_INFO);
- script_copyright("This script is under GPLv2");
- family = "Windows";
- script_family(family);
- script_require_ports(139, 445);
- exit(0);
+if(hotfix_check_sp(xp:4, win2k:5, win2003:3) <= 0){
+  exit(0);
 }
 
-#
-# The code starts here
-#
+key  = "SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\";
+foreach item (registry_enum_values(key:key))
+{
+  if("System.Web.dll" >< item)
+  {
+    path = item;
+    break;
+  }
+}
 
-include("version_func.inc");
-include("smbcl_func.inc");
-if( check_smbcl() == 0 ) exit(0);
+if(!path){
+  exit(0);
+}
 
-  test_version = "2.0.50727.832";
-  win_dir = get_windir();
-  if( !isnull(win_dir) ) {
-    path = win_dir+"Microsoft.NET\Framework\";
-    filespec = "v2*";
-    r = smbgetdir(share: "C$", dir: path+filespec, typ: 2 );
-    if( !isnull(r) ) {
-      filespec = r[0]+"\"+"system.web.dll";
-      r = smbgetdir(share: "C$", dir: path+filespec, typ: 1 );
-      if( !isnull(r) ) {
-          tmp_filename = get_tmp_dir()+"tmpfile"+rand();
-          orig_filename = path+filespec;
-          if( smbgetfile(share: "C$", filename: orig_filename, tmp_filename: tmp_filename) ) {
-            v = GetPEFileVersion(tmp_filename:tmp_filename, orig_filename:orig_filename);
-            unlink(tmp_filename);
-            if( version_is_less(version: v, test_version: test_version) ) {
-              security_hole(port:0, proto:"SMB");
-              report = report + "Fileversion : C$ "+orig_filename + " "+v+string("\n");
-              security_hole(port:0, proto:"SMB", data:report);
-            }
-          } else {
-            report = string("Error getting SMB-File -> "+get_kb_item("SMB/ERROR")) + string("\n");
-            security_note(port:0, proto:"SMB", data:report);
-          }
-      }
-    } else {
-      report = string(".NET V2xx not found/no access -> "+get_kb_item("SMB/ERROR")) + string("\n");
-      security_note(port:0, proto:"SMB", data:report);	      
-    }
-  }
+if("c:" >< path){
+  path =  ereg_replace(pattern:"c:", replace:"C:", string:path);
+}
 
-exit(0);
+share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:path);
+file =  ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1", string:path);
+dllVer = GetVer(file:file, share:share);
+
+if(!dllVer){
+  exit(0);
+}
+
+# Check for .Net Framework version 1.0 < 1.0.3705.6060, 1.1 < 1.1.4322.2407
+#                                                   and 2.0 < 2.0.50727.832
+if(version_in_range(version:dllVer, test_version:"1.0", test_version2:"1.0.3705.6059")||
+   version_in_range(version:dllVer, test_version:"1.1", test_version2:"1.1.4322.2406")||
+   version_in_range(version:dllVer, test_version:"2.0", test_version2:"2.0.50727.831")){
+   security_hole(0);
+}
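Review bot: The loop over `SharedDlls` stops at the first value containing `System.Web.dll`, so only one copy is ever version-checked. If more than one framework version is registered, a vulnerable copy listed later is missed, so the version test should run for every match. Separately, only a lowercase `c:` is normalised before the `[A-Z]` patterns. A path on any other lowercase drive letter would pass through `ereg_replace` unchanged and give an unusable share name.

```nasl
foreach item (registry_enum_values(key:key))
{
  if("System.Web.dll" >!< item){
    continue;
  }
  # ... unchanged: "c:" normalisation and share/file extraction, applied to item ...
  dllVer = GetVer(file:file, share:share);
  if(!dllVer){
    continue;
  }
  # ... unchanged: the three version_in_range() tests and security_hole(0) ...
}
```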

Modified: trunk/openvas-plugins/scripts/win_CVE-2007-6026.nasl
===================================================================
--- trunk/openvas-plugins/scripts/win_CVE-2007-6026.nasl	2009-10-03 10:36:51 UTC (rev 5360)
+++ trunk/openvas-plugins/scripts/win_CVE-2007-6026.nasl	2009-10-05 06:51:33 UTC (rev 5361)
@@ -1,3 +1,4 @@
+##################################################################################
 #
 # This script was written by Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>
 #
@@ -3,137 +4,114 @@
 # This script is released under the GNU GPLv2
 #
-# $Revision: 01 $
+# $Revision: 03 $
+#
+# Updated By:
+# Antu Sanadi <santu at secpod.com> on 16/09/2009
+#
+#
+##################################################################################
 
 if(description)
 {
+  script_id(90024);
+  script_version ("$Revision: 03 $");
+  script_cve_id("CVE-2007-6026");
+  script_bugtraq_id(28398);
+  script_name("Windows Vulnerability in Microsoft Jet Database Engine");
+  desc = "The remote host is probably affected by the vulnerability described in
+  CVE-2007-6026
 
- script_id(90024);
- script_version ("$Revision: 01 $");
- script_cve_id("CVE-2007-6026");
- name = "Windows Vulnerability in Microsoft Jet Database Engine";
- script_name(name);
-
- desc = "The remote host is probably affected by the vulnerability described in
-CVE-2007-6026
-
-
-Impact
+  Impact
     Stack-based buffer overflow in Microsoft msjet40.dll 4.0.8618.0
     (aka Microsoft Jet Engine), as used by Access 2003 in Microsoft
     Office 2003 SP3, allows user-assisted attackers to execute arbitrary
     code via a crafted MDB file database file containing a column
     structure with a modified column count. NOTE: this might be the
-    same issue as CVE-2005-0944. 
+    same issue as CVE-2005-0944.
 
-References:
+  References:
+    http://www.us-cert.gov/cas/techalerts/TA08-134A.html
+    http://securitytracker.com/alerts/2007/Nov/1018976.html
     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6026
     http://www.microsoft.com/technet/security/bulletin/ms08-028.mspx
 
-Solution:
+  Solution:
     All Users should upgrade to the latest version.
 
+  Risk factor : High";
 
-Risk factor : High";
+  script_description(desc);
+  script_summary("Windows Vulnerability in Microsoft Jet Database Engine");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("This script is under GPLv2");
+  script_family("Windows : Microsoft Bulletins");
+  script_dependencies("secpod_reg_enum.nasl");
+  script_require_keys("SMB/WindowsVersion");
+  script_require_ports(139, 445);
+  exit(0);
+}
 
- script_description(desc);
- summary = "Windows Vulnerability in Microsoft Jet Database Engine";
- script_summary(summary);
- script_category(ACT_GATHER_INFO);
- script_copyright("This script is under GPLv2");
- family = "Windows";
- script_family(family);
- script_require_ports(139, 445);
- exit(0);
+
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
+
+if(hotfix_check_sp(xp:4, win2k:5, win2003:3) <= 0){
+  exit(0);
 }
 
-#
-# The code starts here
-#
+if((hotfix_missing(name:"950749") == 0)){
+  exit(0);
+}
 
-local_var os;
+dllPath = registry_get_sz(key:"SOFTWARE\Microsoft\COM3\Setup",
+                          item:"Install Path");
+if(!dllPath){
+  exit(0);
+}
 
-include("version_func.inc");
-include("smbcl_func.inc");
-if( check_smbcl() == 0 ) exit(0);
+share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:dllPath);
+file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1", string:dllPath + "\Msjet40.dll");
 
-  win_dir = get_windir();
-  sec_hole = 0;
-  if( !isnull(win_dir) ) {
-    os = get_kb_item("SMB/OS");
-    filespec = win_dir+"system32\Msjint40.dll";
-    test_version = NULL;
-    if( "WINDOWS 5.1" >< os ) {
-      test_version = "4.0.9502.0";
-    } else {
-      if( "WINDOWS SERVER 2003" >< os ) {
-        test_version = "4.0.9502.0";
-      } else {
-        if( "WINDOWS 5.0" >< os ) {
-          test_version = "4.0.9502.0";            
-        }
-      }
+dllVer = GetVer(file:file, share:share);
+if(!dllVer){
+  exit(0);
+}
+
+# Windows 2K
+if(hotfix_check_sp(win2k:5) > 0)
+{
+  #  Grep for Msjet40.dll version < 4.0.9511.0
+  if(version_is_less(version:dllVer, test_version:"4.0.9511.0")){
+    security_hole(0);
+  }
+}
+
+# Windows XP
+else if(hotfix_check_sp(xp:3) > 0)
+{
+  SP = get_kb_item("SMB/WinXP/ServicePack");
+  if("Service Pack 2" >< SP)
+  {
+    # Grep for Msjet40.dll < 4.0.9511.0
+    if(version_is_less(version:dllVer, test_version:"4.0.9511.0")){
+     security_hole(0);
     }
-    if( !isnull(test_version) ) {
-      r = smbgetdir(share: "C$", dir: filespec, typ: 1 );
-      if( !isnull(r) ) {
-        tmp_filename = get_tmp_dir()+"tmpfile"+rand();
-        if( smbgetfile(share: "C$", filename: filespec, tmp_filename: tmp_filename) ) {
-          v = GetPEFileVersion(tmp_filename:tmp_filename, orig_filename:filespec);
-          unlink(tmp_filename);
-          if( version_is_less(version: v, test_version: test_version) ) {
-            if( sec_hole == 0 ) {
-              security_hole(port:0, proto:"Win");
-              sec_hole = 1;
-            }
-            security_hole(port:0, proto:"Win", data:"Version found : C$ "+filespec + " "+v+string("\n")+
-                                                    "Version expected : "+test_version+" or higher "+string("\n"));
-          }
-        } else {
-          report = string("Error getting SMB-File -> "+get_kb_item("SMB/ERROR")) + string("\n");
-          security_note(port:0, proto:"SMB", data:report);
-        }
-      } else {
-        report = string(filespec+" not found/no access -> "+get_kb_item("SMB/ERROR")) + string("\n");
-        security_note(port:0, proto:"SMB", data:report);
-      }
-    }
-    filespec = win_dir+"system32\Msjet40.dll";
-    test_version = NULL;
-    if( "WINDOWS 5.1" >< os ) {
-      test_version = "4.0.9511.0";
-    } else {
-      if( "WINDOWS SERVER 2003" >< os ) {
-        test_version = "4.0.9511.0";
-      } else {
-        if( "WINDOWS 5.0" >< os ) {
-          test_version = "4.0.9511.0";
-        }
-      }
-    }
-    if( !isnull(test_version) ) {
-      r = smbgetdir(share: "C$", dir: filespec, typ: 1 );
-      if( !isnull(r) ) {
-        tmp_filename = get_tmp_dir()+"tmpfile"+rand();
-        if( smbgetfile(share: "C$", filename: filespec, tmp_filename: tmp_filename) ) {
-          v = GetPEFileVersion(tmp_filename:tmp_filename, orig_filename:filespec);
-          unlink(tmp_filename);
-          if( version_is_less(version: v, test_version: test_version) ) {
-            if( sec_hole == 0 ) {
-              security_hole(port:0, proto:"Win");
-              sec_hole = 1;
-            }
-            security_hole(port:0, proto:"Win", data:"Version found : C$ "+filespec + " "+v+string("\n")+
-                                                    "Version expected : "+test_version+" or higher "+string("\n"));
-          }
-        } else {
-          report = string("Error getting SMB-File -> "+get_kb_item("SMB/ERROR")) + string("\n");
-          security_note(port:0, proto:"SMB", data:report);
-        }
-      } else {
-        report = string(filespec+" not found/no access -> "+get_kb_item("SMB/ERROR")) + string("\n");
-        security_note(port:0, proto:"SMB", data:report);
-      }
-    }
   }
+  else
+    security_hole(0);
+}
 
-exit(0);
+# Windows 2003
+else if(hotfix_check_sp(win2003:2) > 0)
+{
+  SP = get_kb_item("SMB/Win2003/ServicePack");
+  if("Service Pack 1" >< SP)
+  {
+    # Grep for Msjet40.dll version < 4.0.9511.0
+    if(version_is_less(version:dllVer, test_version:"4.0.9511.0")){
+      security_hole(0);
+    }
+  }
+}
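Review bot: The Windows XP and Windows 2003 branches handle an unexpected service-pack string differently: XP falls to `else security_hole(0);` and reports without looking at `dllVer`, while 2003 has no `else` and stays silent. An XP host whose `SMB/WinXP/ServicePack` value is empty or unset is therefore reported with no file evidence, and a 2003 host in the same state is never reported. All three branches use the same bound, so a single `version_is_less(version:dllVer, test_version:"4.0.9511.0")` test after the OS gate would behave consistently. If the unconditional report is intended, say so beside it, e.g. `# not SP2: report without a file version check`. The removed code also checked `Msjint40.dll`, which this version no longer examines.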

Modified: trunk/openvas-plugins/scripts/win_CVE-2008-0080.nasl
===================================================================
--- trunk/openvas-plugins/scripts/win_CVE-2008-0080.nasl	2009-10-03 10:36:51 UTC (rev 5360)
+++ trunk/openvas-plugins/scripts/win_CVE-2008-0080.nasl	2009-10-05 06:51:33 UTC (rev 5361)
@@ -1,107 +1,127 @@
-#
+################################################################################
 # This script was written by Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>
 #
 # This script is released under the GNU GPLv2
 #
-# $Revision: 01 $
+# $Revision: 03 $
+#
+# Modified to Implement 'smb_nt.inc'
+#  - By Nikita MR <rnikita at secpod.com> On 2009-09-18
+################################################################################
 
 if(description)
 {
+  script_id(90015);
+  script_version ("$Revision: 03 $");
+  script_cve_id("CVE-2008-0080");
+  script_bugtraq_id(27670);
+  script_name("Mini-Redirector Heap Overflow Vulnerability");
+  desc = "
+  Overview: This host has critical security update missing according to
+  Microsoft Bulletin MS008-007
 
- script_id(90015);
- script_version ("$Revision: 01 $");
- script_cve_id("CVE-2008-0080");
- name = "Mini-Redirector Heap Overflow Vulnerability";
- script_name(name);
+  Vulnerability Insight:
+  A boundary error occurs in the WebDAV Mini-Redirector when handling long
+  pathnames in WebDAV responses.
 
- desc = "The remote host is probably affected by the vulnerability described in
-CVE-2008-0080
+  Impact:
+  Succesful exploitation will allow attackes to execute arbitrary code and
+  completely compromise the affected computer.
 
+  References:
+  http://secunia.com/advisories/28894
+  http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0080
+  http://www.microsoft.com/technet/security/bulletin/ms08-007.mspx
 
-Impact
-    Heap-based buffer overflow in the WebDAV Mini-Redirector
-    in Microsoft Windows XP SP2, Server 2003 SP1 and SP2,
-    and Vista allows remote attackers to execute arbitrary
-    code via a crafted WebDAV response.
+  Workarounds:
+  Disable the WebClient Service.
 
-References:
-    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0080
-    http://www.microsoft.com/technet/security/bulletin/ms08-007.mspx
+  Solution:
+  Run Windows Update and update the listed hotfixes or download and
+  update mentioned hotfixes in the advisory from the below link,
+  http://www.microsoft.com/technet/security/bulletin/ms08-007.mspx
 
+  Risk factor : Critical";
 
-Workarounds
-    Disable the WebClient Service.
+  script_description(desc);
+  script_summary("Mini-Redirector Heap Overflow Vulnerability");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("This script is under GPLv2");
+  script_family("Windows : Microsoft Bulletins");
+  script_dependencies("secpod_reg_enum.nasl");
+  script_require_ports(139, 445);
+  exit(0);
+}
 
 
-Solution:
-    All Users should upgrade to the latest version.
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
 
+if(hotfix_check_sp(xp:3, win2003:3) <= 0)
+{
+  exit(0);
+}
 
-Risk factor : High";
+# MS08-007 Hotfix check
+if(hotfix_missing(name:"946026") == 0)
+{
+  exit(0);
+}
 
- script_description(desc);
- summary = "Mini-Redirector Heap Overflow Vulnerability";
- script_summary(summary);
- script_category(ACT_GATHER_INFO);
- script_copyright("This script is under GPLv2");
- family = "Windows";
- script_family(family);
- script_require_ports(139, 445);
- exit(0);
+sysPath = registry_get_sz(item:"Install Path",
+                          key:"SOFTWARE\Microsoft\COM3\Setup");
+if(!sysPath)
+{
+  exit(0);
 }
 
-#
-# The code starts here
-#
+share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:sysPath);
+file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1",
+                    string:sysPath + "\drivers\mrxdav.sys");
+sysVer = GetVer(file:file, share:share);
+if(!sysVer)
+{
+  exit(0);
+}
 
-local_var os;
+# Windows XP
+if(hotfix_check_sp(xp:3) > 0)
+{
+  SP = get_kb_item("SMB/WinXP/ServicePack");
+  if("Service Pack 2" >< SP)
+  {
+    # Grep for mrxdav.sys version < 5.1.2600.3276
+    if(version_in_range(version:sysVer, test_version:"5.1",
+                                       test_version2:"5.1.2600.3275")){
+      security_hole(0);
+    }
+  }
+  else
+    security_hole(0);
+}
 
-include("version_func.inc");
-include("smbcl_func.inc");
-if( check_smbcl() == 0 ) exit(0);
-
-  win_dir = get_windir();
-  if( !isnull(win_dir) ) {
-    os = get_kb_item("SMB/OS");
-    filespec = win_dir+"system32\drivers\mrxdav.sys";
-    test_version = NULL;
-    if( "WINDOWS VISTA" >< os ) {
-      test_version = "6.0.6000.16626";
-    } else {
-      if( "WINDOWS 5.1" >< os ) {
-        test_version = "5.1.2600.3276";
-      } else {
-        if( "WINDOWS SERVER 2003" >< os ) {
-          if( "SERVICE PACK 2" >< os ) {
-            test_version = "5.2.3790.4206";
-          } else {
-	    test_version = "5.2.3790.3060";
-          }
-        }
-      }
+# Windows 2003
+else if(hotfix_check_sp(win2003:3) > 0)
+{
+  SP = get_kb_item("SMB/Win2003/ServicePack");
+  if("Service Pack 2" >< SP)
+  {
+    # Grep for mrxdav.sys version < 5.2.3790.4206
+    if(version_in_range(version:sysVer, test_version:"5.2",
+                                       test_version2:"5.2.3790.4205")){
+      security_hole(0);
     }
-    if( !isnull(test_version) ) {
-      r = smbgetdir(share: "C$", dir: filespec, typ: 1 );
-      if( !isnull(r) ) {
-        tmp_filename = get_tmp_dir()+"tmpfile"+rand();
-        orig_filename = filespec;
-        if( smbgetfile(share: "C$", filename: orig_filename, tmp_filename: tmp_filename) ) {
-          v = GetPEFileVersion(tmp_filename:tmp_filename, orig_filename:orig_filename);
-          unlink(tmp_filename);
-          if( version_is_less(version: v, test_version: test_version) ) {
-            security_hole(port:0, proto:"Win");
-            report = report + "Fileversion : C$ "+orig_filename + " "+v+string("\n");
-            security_hole(port:0, proto:"Win", data:report);
-          }
-        } else {
-          report = string("Error getting SMB-File -> "+get_kb_item("SMB/ERROR")) + string("\n");
-          security_note(port:0, proto:"SMB", data:report);
-        }
-      } else {
-        report = string(filespec+" not found/no access -> "+get_kb_item("SMB/ERROR")) + string("\n");
-        security_note(port:0, proto:"SMB", data:report);
-      }
+  }
+  else if("Service Pack 1" >< SP)
+  {
+    # Grep for mrxdav.sys version < 5.2.3790.3060
+    if(version_in_range(version:sysVer, test_version:"5.2",
+                                       test_version2:"5.2.3790.3059")){
+      security_hole(0);
     }
   }
-
-exit(0);
+  else
+    security_hole(0);
+}
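Review bot: Vista is no longer covered. The removed code compared `mrxdav.sys` against `6.0.6000.16626` on Vista, but the new gate `hotfix_check_sp(xp:3, win2003:3)` names only XP and Server 2003, so an unpatched Vista host appears to leave the script with no result. The same applies to the win_CVE-2008-0087.nasl hunk, where the old `6.0.6000.16615` Vista bound is dropped although the description still lists Vista. Either restore a Vista branch or state the limit next to the gate, e.g. `# Vista is not checked by this plugin`. This script also omits the `script_require_keys("SMB/WindowsVersion");` line that the sibling plugins in this commit declare.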

Modified: trunk/openvas-plugins/scripts/win_CVE-2008-0087.nasl
===================================================================
--- trunk/openvas-plugins/scripts/win_CVE-2008-0087.nasl	2009-10-03 10:36:51 UTC (rev 5360)
+++ trunk/openvas-plugins/scripts/win_CVE-2008-0087.nasl	2009-10-05 06:51:33 UTC (rev 5361)
@@ -1,108 +1,117 @@
-#
+#####################################################################################
 # This script was written by Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>
 #
 # This script is released under the GNU GPLv2
 #
-# $Revision: 01 $
+# $Revision: 03 $
+#
+# Modified to Implement 'smb_nt.inc'
+#  - By Sharath S <sharaths at secpod.com> On 2009-09-21
+#
+######################################################################################
 
 if(description)
 {
+  script_id(90020);
+  script_version ("$Revision: 03 $");
+  script_cve_id("CVE-2008-0087");
+  script_bugtraq_id(28553);
+  script_name("Windows vulnerability in DNS Client Could Allow Spoofing (945553)");
+  desc = "
+  The remote host is probably affected by the vulnerability described in
+  CVE-2008-0087
 
- script_id(90020);
- script_version ("$Revision: 01 $");
- script_cve_id("CVE-2008-0087");
- name = "Windows vulnerability in DNS Client Could Allow Spoofing (945553)";
- script_name(name);
+  Impact:
+  The DNS client in Microsoft Windows 2000 SP4, XP SP2, Server 2003 SP1 and SP2,
+  and Vista uses predictable DNS transaction IDs, which allows remote attackers
+  to spoof DNS responses.
 
- desc = "The remote host is probably affected by the vulnerability described in
-CVE-2008-0087
+  References:
+  http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0087
+  http://www.microsoft.com/technet/security/bulletin/ms08-020.mspx
 
+  Solution:
+  All Users should upgrade to the latest version.
 
-Impact
-    The DNS client in Microsoft Windows 2000 SP4, XP SP2, Server 2003 SP1
-    and SP2, and Vista uses predictable DNS transaction IDs, which allows
-    remote attackers to spoof DNS responses. 
+  Risk factor : High";
 
-References:
-    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0087
-    http://www.microsoft.com/technet/security/bulletin/ms08-020.mspx
+  script_description(desc);
+  script_summary("Windows vulnerability in DNS Client Could Allow Spoofing (945553)");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("This script is under GPLv2");
+  script_family("Windows : Microsoft Bulletins");
+  script_dependencies("secpod_reg_enum.nasl");
+  script_require_keys("SMB/WindowsVersion");
+  script_require_ports(139, 445);
+  exit(0);
+}
 
-Solution:
-    All Users should upgrade to the latest version.
 
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
 
-Risk factor : High";
+if(hotfix_check_sp(xp:3, win2k:5, win2003:3) <= 0){
+  exit(0);
+}
 
- script_description(desc);
- summary = "Windows vulnerability in DNS Client Could Allow Spoofing (945553)";
- script_summary(summary);
- script_category(ACT_GATHER_INFO);
- script_copyright("This script is under GPLv2");
- family = "Windows";
- script_family(family);
- script_require_ports(139, 445);
- exit(0);
+# MS08-020 Hotfix check
+if(hotfix_missing(name:"945553") == 0){
+  exit(0);
 }
 
-#
-# The code starts here
-#
+dllPath = registry_get_sz(key:"SOFTWARE\Microsoft\COM3\Setup",
+                          item:"Install Path");
+if(!dllPath){
+  exit(0);
+}
 
-local_var os;
+share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:dllPath);
+file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1",
+                    string:dllPath + "\Dnsapi.dll");
 
-include("version_func.inc");
-include("smbcl_func.inc");
-if( check_smbcl() == 0 ) exit(0);
+dllVer = GetVer(file:file, share:share);
+if(!dllVer){
+  exit(0);
+}
 
-  win_dir = get_windir();
-  sec_hole = 0;
-  if( !isnull(win_dir) ) {
-    os = get_kb_item("SMB/OS");
-    filespec = win_dir+"system32\Dnsapi.dll";
-    test_version = NULL;
-    if( "WINDOWS VISTA" >< os ) {
-      test_version = "6.0.6000.16615";
-    } else {
-      if( "WINDOWS 5.1" >< os ) {
-        test_version = "5.1.2600.3316";
-      } else {
-        if( "WINDOWS SERVER 2003" >< os ) {
-          if( "SERVICE PACK 2" >< os ) {
-            test_version = "5.2.3790.4238";
-          } else {
-	    test_version = "5.2.3790.3092";
-          }
-        } else {
-          if( "WINDOWS 5.0" >< os ) {
-            test_version = "5.0.2195.7151";            
-          }
-        }
-      }
+# Windows 2K
+if(hotfix_check_sp(win2k:5) > 0)
+{
+  # Grep for Dnsapi.dll version < 5.0.2195.7151
+  if(version_is_less(version:dllVer, test_version:"5.0.2195.7151")){
+    security_hole(0);
+  }
+}
+
+# Windows XP
+else if(hotfix_check_sp(xp:3) > 0)
+{
+  # Grep for Dnsapi.dll < 5.1.2600.3316
+  if(version_is_less(version:dllVer, test_version:"5.1.2600.3316")){
+    security_hole(0);
+  }
+}
+
+# Windows 2003
+else if(hotfix_check_sp(win2003:3) > 0)
+{
+  SP = get_kb_item("SMB/Win2003/ServicePack");
+  if("Service Pack 2" >< SP)
+  {
+    # Grep for Dnsapi.dll version < 5.2.3790.4238
+    if(version_is_less(version:dllVer, test_version:"5.2.3790.4238")){
+      security_hole(0);
     }
-    if( !isnull(test_version) ) {
-      r = smbgetdir(share: "C$", dir: filespec, typ: 1 );
-      if( !isnull(r) ) {
-        tmp_filename = get_tmp_dir()+"tmpfile"+rand();
-        if( smbgetfile(share: "C$", filename: filespec, tmp_filename: tmp_filename) ) {
-          v = GetPEFileVersion(tmp_filename:tmp_filename, orig_filename:filespec);
-          unlink(tmp_filename);
-          if( version_is_less(version: v, test_version: test_version) ) {
-            if( sec_hole == 0 ) {
-              security_hole(port:0, proto:"Win");
-              sec_hole = 1;
-            }
-            security_hole(port:0, proto:"Win", data:"Version found : C$ "+filespec + " "+v+string("\n")+
-                                                    "Version expected : "+test_version+" or higher "+string("\n"));
-          }
-        } else {
-          report = string("Error getting SMB-File -> "+get_kb_item("SMB/ERROR")) + string("\n");
-          security_note(port:0, proto:"SMB", data:report);
-        }
-      } else {
-        report = string(filespec+" not found/no access -> "+get_kb_item("SMB/ERROR")) + string("\n");
-        security_note(port:0, proto:"SMB", data:report);
-      }
+  }
+  if("Service Pack 1" >< SP)
+  {
+    # Grep for Dnsapi.dll version < 5.2.3790.3092
+    if(version_is_less(version:dllVer, test_version:"5.2.3790.3092")){
+      security_hole(0);
     }
   }
-
-exit(0);
+  else
+    security_hole(0);
+}
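Review bot: In the Windows 2003 branch the Service Pack 1 test is a plain `if`, not `else if`, so the trailing `else security_hole(0);` binds to it alone. A Service Pack 2 host therefore runs the 5.2.3790.4238 check and then still reaches the `else`, so it is reported even when `Dnsapi.dll` is at or above the fixed version. The line should read `else if("Service Pack 1" >< SP)`, as the matching branch in win_CVE-2008-0080.nasl does.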


