[Openvas-commits] r5361 - in trunk/openvas-plugins: . scripts
scm-commit@wald.intevation.org
scm-commit at wald.intevation.org
Mon Oct 5 08:51:45 CEST 2009
Author: chandra
Date: 2009-10-05 08:51:33 +0200 (Mon, 05 Oct 2009)
New Revision: 5361
Modified:
trunk/openvas-plugins/ChangeLog
trunk/openvas-plugins/cve_current.txt
trunk/openvas-plugins/scripts/smbcl_CVE-2008-0234.nasl
trunk/openvas-plugins/scripts/smbcl_flash_player_CB-A08-0059.nasl
trunk/openvas-plugins/scripts/smbcl_gnutls_CB-A08-0079.nasl
trunk/openvas-plugins/scripts/smbcl_mozilla.nasl
trunk/openvas-plugins/scripts/smbcl_openoffice_CB-A08-0068.nasl
trunk/openvas-plugins/scripts/win_CVE-2007-0043.nasl
trunk/openvas-plugins/scripts/win_CVE-2007-6026.nasl
trunk/openvas-plugins/scripts/win_CVE-2008-0080.nasl
trunk/openvas-plugins/scripts/win_CVE-2008-0087.nasl
Log:
Removed dependency on smbclient
Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog 2009-10-03 10:36:51 UTC (rev 5360)
+++ trunk/openvas-plugins/ChangeLog 2009-10-05 06:51:33 UTC (rev 5361)
@@ -1,3 +1,17 @@
+2009-10-05 Chandrashekhar B <bchandra at secpod.com>
+
+ * scripts/win_CVE-2008-0080.nasl,
+ scripts/smbcl_CVE-2008-0234.nasl,
+ scripts/win_CVE-2007-0043.nasl,
+ scripts/smbcl_flash_player_CB-A08-0059.nasl,
+ scripts/smbcl_gnutls_CB-A08-0079.nasl,
+ scripts/win_CVE-2008-0087.nasl,
+ scripts/smbcl_openoffice_CB-A08-0068.nasl,
+ scripts/smbcl_mozilla.nasl,
+ scripts/win_CVE-2007-6026.nasl:
+ Re-written as per smb_nt.inc method, to remove dependency on Samba
+ based smbclient.
+
2009-10-02 Michael Meyer <michael.meyer at intevation.de>
* scripts/photopost_detect.nasl,
Modified: trunk/openvas-plugins/cve_current.txt
===================================================================
--- trunk/openvas-plugins/cve_current.txt 2009-10-03 10:36:51 UTC (rev 5360)
+++ trunk/openvas-plugins/cve_current.txt 2009-10-05 06:51:33 UTC (rev 5361)
@@ -102,3 +102,12 @@
CVE-2009-3125 Greenbone svn R
36390 Greenbone svn R
CVE-2009-3165 Greenbone svn R
+CVE-2009-3523 SecPod
+CVE-2009-3522 SecPod
+CVE-2009-3524 SecPod
+CVE-2009-3518 SecPod
+CVE-2009-3510 SecPod
+CVE-2009-3541 SecPod
+CVE-2009-3484 SecPod
+
+
Modified: trunk/openvas-plugins/scripts/smbcl_CVE-2008-0234.nasl
===================================================================
--- trunk/openvas-plugins/scripts/smbcl_CVE-2008-0234.nasl 2009-10-03 10:36:51 UTC (rev 5360)
+++ trunk/openvas-plugins/scripts/smbcl_CVE-2008-0234.nasl 2009-10-05 06:51:33 UTC (rev 5361)
@@ -1,95 +1,74 @@
+#############################################################################
#
+#
+#
# This script was written by Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>
#
# This script is released under the GNU GPLv2
#
# $Revision: 02 $
+#
+# Updated By:
+# Antu Sanadi <santu at secpod.com> on 16/09/2009
+#
+#
+##############################################################################
if(description)
{
- script_id(90012);
- script_version ("$Revision: 02 $");
- script_cve_id("CVE-2008-2010");
- name = "Buffer overflow in Apple Quicktime Player";
- script_name(name);
+ script_id(90012);
+ script_version ("$Revision: 02$");
+ script_cve_id("CVE-2008-2010");
+ script_name("Buffer overflow in Apple Quicktime Player");
+ desc = "The remote host is probable affected by the vulnerabilitys described in
+ CVE-2008-0234 CVE-2008-2010
- desc = "The remote host is probable affected by the vulnerabilitys described in
-CVE-2008-0234 CVE-2008-2010
+ Impact
+ Buffer overflow in Apple Quicktime Player 7.3.1.70
+ and other versions before 7.4.1, when RTSP tunneling
+ is enabled, allows remote attackers to execute
+ arbitrary code via a long Reason-Phrase response
+ to an rtsp:// request, as demonstrated using a
+ 404 error message.
-Checking if QuickTime version is less than 7.5
+ Unspecified vulnerability in Apple QuickTime Player
+ on Windows XP SP2 and Vista SP1 allows remote attackers
+ to execute arbitrary code via a crafted QuickTime media
+ file. NOTE: as of 20080429, the only disclosure is a
+ vague pre-advisory with no actionable information.
+ However, because it is from a well-known researcher,
+ it is being assigned a CVE identifier for tracking purposes.
-Impact
- Buffer overflow in Apple Quicktime Player 7.3.1.70
- and other versions before 7.4.1, when RTSP tunneling
- is enabled, allows remote attackers to execute
- arbitrary code via a long Reason-Phrase response
- to an rtsp:// request, as demonstrated using a
- 404 error message.
-
- Unspecified vulnerability in Apple QuickTime Player
- on Windows XP SP2 and Vista SP1 allows remote attackers
- to execute arbitrary code via a crafted QuickTime media
- file. NOTE: as of 20080429, the only disclosure is a
- vague pre-advisory with no actionable information.
- However, because it is from a well-known researcher,
- it is being assigned a CVE identifier for tracking purposes.
-
-References:
+ References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0234
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2010
http://lists.apple.com/archives/security-announce/2008/Feb/msg00001.html
http://lists.apple.com/archives/Security-announce/2008/Jun/msg00000.html
-Solution:
+
+ Solution:
All Users should upgrade to the latest version.
+ Risk factor : High";
-Risk factor : High";
-
script_description(desc);
- summary = "Test for Buffer overflow in Apple Quicktime Player";
- script_summary(summary);
+ script_summary("Check the version of Apple Quicktime Player");
script_category(ACT_GATHER_INFO);
script_copyright("This script is under GPLv2");
- family = "Windows";
- script_family(family);
+ script_family("Buffer overflow");
+ script_dependencies("secpod_apple_quicktime_detection_win_900124.nasl");
exit(0);
}
-#
-# The code starts here
-#
include("version_func.inc");
-include("smbcl_func.inc");
-if( check_smbcl() == 0 ) exit(0);
- test_version = "7.50.51";
- win_dir = get_windir();
- if( !isnull(win_dir) ) {
- test_file[0] = win_dir+"System32\QuickTime.qts";
- test_file[1] = "Programme\QuickTime\QuickTimePlayer.exe";
- test_file[2] = "Program Files\QuickTime\QuickTimePlayer.exe";
- foreach filespec (test_file) {
- r = smbgetdir(share: "C$", dir: filespec, typ: 1 );
- if( !isnull(r) ) {
- tmp_filename = get_tmp_dir()+"tmpfile"+rand();
- if( smbgetfile(share: "C$", filename: filespec, tmp_filename: tmp_filename) ) {
- v = GetPEFileVersion(tmp_filename:tmp_filename, orig_filename:filespec);
- unlink(tmp_filename);
- if( version_is_less(version: v, test_version: test_version) ) {
- security_hole(port:0, proto:"Win_Quicktime");
- report = report + "Fileversion : C$ "+filespec + " "+v+string("\n");
- security_hole(port:0, proto:"Win_Quicktime", data:report);
- }
- break;
- } else {
- report = string("Error getting SMB-File -> "+get_kb_item("SMB/ERROR")) + string("\n");
- security_note(port:0, proto:"Win_Quicktime", data:report);
- }
- }
- }
+qtVer = get_kb_item("QuickTime/Win/Ver");
+if(qtVer)
+{
+ # QuickTime version < 7.50.51
+ if(version_is_less(version:qtVer, test_version:"7.50.51")){
+ security_hole(0);
}
-
-exit(0);
+}
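Review bot: The new body keys entirely off `QuickTime/Win/Ver`, yet unlike the other rewrites in this commit the description block declares only `script_dependencies("secpod_apple_quicktime_detection_win_900124.nasl");` and no `script_require_keys("QuickTime/Win/Ver");`, so the script is scheduled on every host and exits silently where the detection script found nothing; add that line right after the dependency. `script_version ("$Revision: 02$")` also lost the space before the closing `$`, which as far as I know stops svn keyword expansion from updating it, and the revision was not bumped although the file was rewritten (the sibling scripts go to 03); `script_version ("$Revision: 03 $");` would fix both.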
Modified: trunk/openvas-plugins/scripts/smbcl_flash_player_CB-A08-0059.nasl
===================================================================
--- trunk/openvas-plugins/scripts/smbcl_flash_player_CB-A08-0059.nasl 2009-10-03 10:36:51 UTC (rev 5360)
+++ trunk/openvas-plugins/scripts/smbcl_flash_player_CB-A08-0059.nasl 2009-10-05 06:51:33 UTC (rev 5361)
@@ -1,3 +1,4 @@
+##################################################################################
#
# This script was written by Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>
#
@@ -3,115 +4,114 @@
# This script is released under the GNU GPLv2
#
-# $Revision: 01 $
+# $Revision: 03 $
+#
+# Modified to Implement based on 'smb_nt.inc'
+# - By Sharath S <sharaths at secpod.com> On 2009-09-14
+#
+###############################################################################
if(description)
{
+ script_id(90019);
+ script_version ("$Revision: 03 $");
+ script_cve_id("CVE-2007-5275", "CVE-2007-6019", "CVE-2007-6243",
+ "CVE-2007-6637", "CVE-2008-1654", "CVE-2008-1655");
+ script_bugtraq_id(26930, 28694, 26966, 27034, 28696, 28697);
+ script_name("Adobe Flash Player 9.0.115.0 and earlier vulnerability (Win)");
+ desc = "
+ The remote host is probably affected by the vulnerabilities described in
+ CVE-2007-5275, CVE-2007-6019, CVE-2007-6243, CVE-2007-6637, CVE-2008-1654,
+ CVE-2008-1655.
- script_id(90019);
- script_version ("$Revision: 01 $");
- name = "Adobe Flash Player 9.0.115.0 and earlier vulnerability (Win)";
- script_name(name);
+ Impact:
+ - CVE 2007-5275
+ The Adobe Macromedia Flash 9 plug-in allows remote attackers to cause a
+ victim machine to establish TCP sessions with arbitrary hosts via a Flash
+ (SWF) movie, related to lack of pinning of a hostname to a single IP address
+ after receiving an allow-access-from element in a cross-domain-policy XML
+ document, and the availability of a Flash Socket class that does not use
+ the browser's DNS pins, aka DNS rebinding attacks, a different issue than
+ CVE-2002-1467 and CVE-2007-4324.
+ - CVE 2007-6019
+ Adobe Flash Player 9.0.115.0 and earlier, and 8.0.39.0 and earlier, allows
+ remote attackers to execute arbitrary code via an SWF file with a modified
+ DeclareFunction2 Actionscript tag, which prevents an object from being
+ instantiated properly.
+ - CVE 2007-6243
+ Adobe Flash Player 9.x up to 9.0.48.0, 8.x up to 8.0.35.0, and 7.x up to
+ 7.0.70.0 does not sufficiently restrict the interpretation and usage of
+ cross-domain policy files, which makes it easier for remote attackers to
+ conduct cross-domain and cross-site scripting (XSS) attacks.
+ - CVE 2007-6637
+ Multiple cross-site scripting (XSS) vulnerabilities in Adobe Flash Player
+ allow remote attackers to inject arbitrary web script or HTML via a crafted
+ SWF file, related to 'pre-generated SWF files' and Adobe Dreamweaver CS3 or
+ Adobe Acrobat Connect. NOTE: the asfunction: vector is already covered by
+ CVE-2007-6244.1.
+ - CVE 2008-1654
+ Interaction error between Adobe Flash and multiple Universal Plug and Play
+ (UPnP) services allow remote attackers to perform Cross-Site Request Forgery
+ (CSRF) style attacks by using the Flash navigateToURL function to send a SOAP
+ message to a UPnP control point, as demonstrated by changing the primary DNS
+ server.
+ - CVE 2008-1655
+ Unspecified vulnerability in Adobe Flash Player 9.0.115.0 and earlier, and
+ 8.0.39.0 and earlier, makes it easier for remote attackers to conduct DNS
+ rebinding attacks via unknown vectors.
- desc = "The remote host is probably affected by the vulnerabilities described in
-CVE-2007-5275, CVE-2007-6019, CVE-2007-6243, CVE-2007-6637, CVE-2008-1654, CVE-2008-1655
+ References:
+ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5275
+ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6019
+ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6243
+ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6637
+ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1654
+ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1655
-Impact
- CVE 2007-5275
- The Adobe Macromedia Flash 9 plug-in allows remote attackers to cause
- a victim machine to establish TCP sessions with arbitrary hosts via a
- Flash (SWF) movie, related to lack of pinning of a hostname to a single
- IP address after receiving an allow-access-from element in a
- cross-domain-policy XML document, and the availability of a Flash Socket
- class that does not use the browser's DNS pins, aka DNS rebinding attacks,
- a different issue than CVE-2002-1467 and CVE-2007-4324.
- CVE 2007-6019
- Adobe Flash Player 9.0.115.0 and earlier, and 8.0.39.0 and earlier,
- allows remote attackers to execute arbitrary code via an SWF file with
- a modified DeclareFunction2 Actionscript tag, which prevents an object
- from being instantiated properly.
- CVE 2007-6243
- Adobe Flash Player 9.x up to 9.0.48.0, 8.x up to 8.0.35.0, and 7.x
- up to 7.0.70.0 does not sufficiently restrict the interpretation and
- usage of cross-domain policy files, which makes it easier for remote
- attackers to conduct cross-domain and cross-site scripting (XSS) attacks.
- CVE 2007-6637
- Multiple cross-site scripting (XSS) vulnerabilities in Adobe Flash
- Player allow remote attackers to inject arbitrary web script or HTML
- via a crafted SWF file, related to 'pre-generated SWF files' and Adobe
- Dreamweaver CS3 or Adobe Acrobat Connect. NOTE: the asfunction: vector
- is already covered by CVE-2007-6244.1.
- CVE 2008-1654
- Interaction error between Adobe Flash and multiple Universal Plug and Play
- (UPnP) services allow remote attackers to perform Cross-Site Request
- Forgery (CSRF) style attacks by using the Flash navigateToURL function
- to send a SOAP message to a UPnP control point, as demonstrated by changing
- the primary DNS server.
- CVE 2008-1655
- Unspecified vulnerability in Adobe Flash Player 9.0.115.0 and earlier,
- and 8.0.39.0 and earlier, makes it easier for remote attackers to
- conduct DNS rebinding attacks via unknown vectors.
+ Solution:
+ All Adobe Flash Player users should upgrade to the latest version:
+ http://get.adobe.com/flashplayer/
+ Risk factor : High";
-References:
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5275
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6019
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6243
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6637
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1654
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1655
+ script_description(desc);
+ script_summary("Determine the version of Flashplayer");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("This script is under GPLv2");
+ script_family("Windows");
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_keys("SMB/WindowsVersion");
+ script_require_ports(139, 445);
+ exit(0);
+}
-Solution:
- All Adobe Flash Player users should upgrade to the latest version:
+include("smb_nt.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
-Risk factor : High
-";
+if(!get_kb_item("SMB/WindowsVersion")){
+ exit(0);
+}
- script_description(desc);
- summary = "Determines the Version of Flashplayer";
- script_summary(summary);
- script_category(ACT_GATHER_INFO);
- script_copyright("This script is under GPLv2");
- family = "Windows";
- script_family(family);
- exit(0);
+filePath = registry_get_sz(key:"SOFTWARE\Microsoft\COM3\Setup",
+ item:"Install Path");
+if(!filePath){
+ exit(0);
}
-#
-# The code starts here
-#
-
-include("version_func.inc");
-include("smbcl_func.inc");
-if( check_smbcl() == 0 ) exit(0);
-
- sec_hole = 0;
- test_version = "9.0.115.0";
- win_dir = get_windir();
- if( !isnull(win_dir) ) {
- test_file[0] = win_dir+"System32\Macromed\Flash\NPSWF32.dll";
- test_file[1] = win_dir+"System32\Macromed\Flash\Flash.ocx";
- test_file[2] = win_dir+"System32\Macromed\Flash\Flash6.ocx";
- foreach filespec (test_file) {
- r = smbgetdir(share: "C$", dir: filespec, typ: 1 );
- if( !isnull(r) ) {
- tmp_filename = get_tmp_dir()+"tmpfile"+rand();
- if( smbgetfile(share: "C$", filename: filespec, tmp_filename: tmp_filename) ) {
- v = GetPEFileVersion(tmp_filename:tmp_filename, orig_filename:filespec);
- unlink(tmp_filename);
- if( version_is_less_equal(version: v, test_version: test_version) ) {
- if( sec_hole == 0 ) {
- security_hole(port:0, proto:"Win_Flashplayer");
- sec_hole = 1;
- }
- security_hole(port:0, proto:"Win_Flashplayer", data:"Fileversion : C$ "+filespec + " "+v+string("\n"));
- }
- } else {
- report = string("Error getting SMB-File -> "+get_kb_item("SMB/ERROR")) + string("\n");
- security_note(port:0, proto:"Win_Flashplayer", data:report);
- }
- }
+flashPath = filePath + "\Macromed\Flash\";
+foreach filespec (make_list("NPSWF32.dll", "Flash.ocx", "Flash6.ocx"))
+{
+ share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:filePath);
+ file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1",
+ string:flashPath + filespec);
+ fileVer = GetVer(file:file, share:share);
+ if(fileVer)
+ {
+ if(version_is_less_equal(version:fileVer, test_version:"9.0.115.0"))
+ {
+ security_hole(0);
+ exit(0);
}
}
-
-exit(0);
+}
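Review bot: `share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:filePath);` depends only on `filePath` but is recomputed on every iteration of the foreach; move it up next to the `flashPath` assignment. Both drive-letter patterns are case-sensitive (`[A-Z]`), so if the registry value comes back as `c:\windows` neither replacement matches, `share` becomes the whole path and every `GetVer` call fails without a report — `[A-Za-z]` in both patterns avoids that. `flashPath = filePath + "\Macromed\Flash\";` presumes the `Install Path` value carries no trailing backslash, which I cannot confirm from here; a short comment stating that assumption would help the next reader.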
Modified: trunk/openvas-plugins/scripts/smbcl_gnutls_CB-A08-0079.nasl
===================================================================
--- trunk/openvas-plugins/scripts/smbcl_gnutls_CB-A08-0079.nasl 2009-10-03 10:36:51 UTC (rev 5360)
+++ trunk/openvas-plugins/scripts/smbcl_gnutls_CB-A08-0079.nasl 2009-10-05 06:51:33 UTC (rev 5361)
@@ -1,3 +1,4 @@
+################################################################################
#
# This script was written by Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>
#
@@ -3,19 +4,24 @@
# This script is released under the GNU GPLv2
#
-# $Revision: 01 $
+# $Revision: 03 $
+#
+# Modified to implement through 'smb_nt.inc'
+#- By Nikita MR <rnikita at secpod.com> on 2009-09-17
+#
+################################################################################
if(description)
{
script_id(90027);
- script_version ("$Revision: 01 $");
+ script_version ("$Revision: 03$");
script_cve_id("CVE-2008-1948");
- name = "GnuTLS < 2.2.5 vulnerability (Win)";
+ name = "GnuTLS < 2.2.4 vulnerability (Win)";
script_name(name);
desc = "The remote host is probably affected by the vulnerabilities described in
-CVE-2008-1948, CVE-2008-1949, CVE-2008-1950
+ CVE-2008-1948, CVE-2008-1949, CVE-2008-1950
-GnuTLS < 2.2.5 vulnerability
+GnuTLS < 2.2.4 vulnerability
Impact
@@ -60,51 +66,25 @@
";
script_description(desc);
- summary = "Determines GnuTLS < 2.2.5 vulnerability";
+ summary = "Determines GnuTLS < 2.2.4 vulnerability";
script_summary(summary);
script_category(ACT_GATHER_INFO);
script_copyright("This script is under GPLv2");
- family = "Windows";
+ family = "General";
script_family(family);
+ script_dependencies("gb_gnutls_detect_win.nasl");
+ script_require_keys("GnuTLS/Win/Ver");
+ script_require_ports(139, 445);
exit(0);
}
-#
-# The code starts here
-#
-include("smbcl_func.inc");
-include("version_func.inc");
-if( check_smbcl() == 0 ) exit(0);
+include ("version_func.inc");
-local_var ver, test_version, sec_hole, sec_proto, r, path, share, prog;
-
-sec_hole = 0;
-sec_proto = "GnuTLS";
-ver = NULL;
-r = NULL;
-test_version = "2.2.5";
-
- path = "Programme\";
- share ="C$";
- prog = "GnuTLS*";
- r = smbgetdir(share: share, dir: path+prog, typ: 2 );
- if( isnull(r) ) {
- path = "Program Files\";
- r = smbgetdir(share: share, dir: path+prog, typ: 2 );
+gnutlsVer = get_kb_item("GnuTLS/Win/Ver");
+if(gnutlsVer != NULL)
+{
+ if(version_is_less(version:gnutlsVer, test_version:"2.2.4")){
+ security_hole(0);
}
- if( !isnull(r) ) {
- foreach i (keys(r)) {
- ver = eregmatch(pattern:"[0-9].*", string:r[i]);
- if(!isnull(ver) ) {
- if(version_is_less(version:ver[0], test_version:test_version) ) {
- if(sec_hole == 0) {
- security_hole(port:0, proto:sec_proto);
- sec_hole = 1;
- }
- security_hole(port:0, proto:sec_proto, data:string("\nFound : ")+share + " " + path + r[i] + string("\n"));
- }
- }
- }
- }
-exit(0);
+}
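Review bot: `version_is_less(version:gnutlsVer, test_version:"2.2.4")` lowers the threshold from the 2.2.5 the removed code used, and as far as I recall the GnuTLS advisory for CVE-2008-1948/1949/1950 names 2.2.5 as the first fixed release, so an installed 2.2.4 would now be reported as clean; please verify against the advisory before keeping 2.2.4 here and in the renamed title, description and summary of the previous hunk. If 2.2.4 is still affected the check should read `if(version_is_less(version:gnutlsVer, test_version:"2.2.5")){`. `script_version ("$Revision: 03$")` also drops the space before the closing `$`, which I believe breaks svn keyword expansion; `script_version ("$Revision: 03 $");` matches the other files.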
Modified: trunk/openvas-plugins/scripts/smbcl_mozilla.nasl
===================================================================
--- trunk/openvas-plugins/scripts/smbcl_mozilla.nasl 2009-10-03 10:36:51 UTC (rev 5360)
+++ trunk/openvas-plugins/scripts/smbcl_mozilla.nasl 2009-10-05 06:51:33 UTC (rev 5361)
@@ -1,3 +1,4 @@
+##################################################################################
#
# This script was written by Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>
#
@@ -3,136 +4,99 @@
# This script is released under the GNU GPLv2
#
-# $Revision: 01 $
+# $Revision: 03 $
+#
+# Modified to implement through 'smb_nt.inc'
+# - By Sharath S <sharaths at secpod.com> On 2009-09-17
+#
+###############################################################################
if(description)
{
+ script_id(90013);
+ script_version ("$Revision: 03 $");
+ script_cve_id("CVE-2008-1238", "CVE-2008-1240", "CVE-2008-1241");
+ script_bugtraq_id(28448);
+ script_name("Mozilla Firefox, Thunderbird, Seamonkey. Several vulnerabilitys (Win)");
+ desc = "
+ The remote host is probable affected by the vulnerabilities described in
+ CVE-2008-0416, CVE-2007-4879, CVE-2008-1195, CVE-2008-1233,
+ CVE-2008-1234, CVE-2008-1235, CVE-2008-1236, CVE-2008-1237,
+ CVE-2008-1238, CVE-2008-1240, CVE-2008-1241 and more.
- script_id(90013);
- script_version ("$Revision: 01 $");
- script_cve_id("CVE-2008-1238","CVE-2008-1240","CVE-2008-1241");
- name = "Mozilla Firefox, Thunderbird, Seamonkey. Several vulnerabilitys (Win)";
- script_name(name);
+ Impact:
+ Mozilla contributors moz_bug_r_a4, Boris Zbarsky, and Johnny Stenback reported
+ a series of vulnerabilities which allow scripts from page content to run with
+ elevated privileges. moz_bug_r_a4 demonstrated additional variants of MFSA
+ 2007-25 and MFSA2007-35 (arbitrary code execution through XPCNativeWrapper
+ pollution). Additional vulnerabilities reported separately by Boris Zbarsky,
+ Johnny Stenback, and moz_bug_r_a4 showed that the browser could be forced to
+ run JavaScript code using the wrong principal leading to universal XSS
+ and arbitrary code execution.
- desc = "The remote host is probable affected by the vulnerabilitys described in
-CVE-2008-0416, CVE-2007-4879, CVE-2008-1195, CVE-2008-1233,
-CVE-2008-1234, CVE-2008-1235, CVE-2008-1236, CVE-2008-1237,
-CVE-2008-1238, CVE-2008-1240, CVE-2008-1241 and more.
+ References:
+ http://www.mozilla.org/security/announce/2008/mfsa2008-14.html
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0412
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0416
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1238
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1240
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1241
+ Solution:
+ All Users should upgrade to the latest versions of Firefox, Thunderbird or
+ Seamonkey.
+ http://www.mozilla.com/en-US/firefox/all.html
+ http://www.seamonkey-project.org/releases/
+ http://www.mozillamessaging.com/en-US/thunderbird/all.html
-Impact
- Mozilla contributors moz_bug_r_a4, Boris Zbarsky,
- and Johnny Stenback reported a series of vulnerabilities
- which allow scripts from page content to run with elevated
- privileges. moz_bug_r_a4 demonstrated additional variants
- of MFSA 2007-25 and MFSA2007-35 (arbitrary code execution
- through XPCNativeWrapper pollution). Additional
- vulnerabilities reported separately by Boris Zbarsky,
- Johnny Stenback, and moz_bug_r_a4 showed that the browser
- could be forced to run JavaScript code using the wrong
- principal leading to universal XSS and arbitrary code execution.
- And more...
+ Risk factor : High";
-
-References:
- http://www.mozilla.org/security/announce/2008/mfsa2008-14.html
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0412
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0416
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1238
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1240
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1241
- .
- .
- .
-
-Solution:
- All Users should upgrade to the latest versions of Firefox, Thunderbird or Seamonkey.
-
-
-Risk factor : High";
-
- script_description(desc);
- summary = "Mozilla Firefox, Thunderbird, Seamonkey. Several vulnerabilitys";
- script_summary(summary);
- script_category(ACT_GATHER_INFO);
- script_copyright("This script is under GPLv2");
- family = "Windows";
- script_family(family);
- exit(0);
+ script_description(desc);
+ script_summary("Mozilla Firefox, Thunderbird, Seamonkey. Several vulnerabilities");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("This script is under GPLv2");
+ script_family("General");
+ script_dependencies("gb_firefox_detect_win.nasl", "gb_seamonkey_detect_win.nasl",
+ "gb_thunderbird_detect_win.nasl");
+ script_require_keys("Firefox/Win/Ver", "Seamonkey/Win/Ver",
+ "Thunderbird/Win/Ver");
+ script_require_ports(139, 445);
+ exit(0);
}
-#
-# The code starts here
-#
+include("smb_nt.inc");
include("version_func.inc");
-include("smbcl_func.inc");
-if( check_smbcl() == 0 ) exit(0);
- test_version = "2.0.0.14"; # Test Firefox
- test_file[0] = "Programme\Mozilla Firefox\firefox.exe";
- test_file[1] = "Prog Files\Mozilla Firefox\firefox.exe";
- foreach filespec (test_file) {
- r = smbgetdir(share: "C$", dir: filespec, typ: 1 );
- if( !isnull(r) ) {
- tmp_filename = get_tmp_dir()+"tmpfile"+rand();
- if( smbgetfile(share: "C$", filename: filespec, tmp_filename: tmp_filename) ) {
- v = GetPEProductVersion(tmp_filename:tmp_filename, orig_filename:filespec);
- unlink(tmp_filename);
- if( version_is_less(version: v, test_version: test_version) ) {
- security_hole(port:0, proto:"Win_Mozilla");
- report = report + "Fileversion : C$ "+filespec + " "+v+string("\n");
- security_hole(port:0, proto:"Win_Mozilla", data:report);
- }
- break;
- } else {
- report = string("Error getting SMB-File -> "+get_kb_item("SMB/ERROR")) + string("\n");
- security_note(port:0, proto:"Win_Mozilla", data:report);
- }
- }
+# Firefox Check
+ffVer = get_kb_item("Firefox/Win/Ver");
+if(ffVer)
+{
+ # Grep for Firefox version < 2.0.0.14
+ if(version_is_less(version:ffVer, test_version:"2.0.0.14"))
+ {
+ security_hole(0);
+ exit(0);
}
- test_version = "2.0.0.14"; # Test Thunderbird
- test_file[0] = "Programme\Mozilla Thunderbird\thunderbird.exe";
- test_file[1] = "Prog Files\Mozilla Thunderbird\thunderbird.exe";
- foreach filespec (test_file) {
- r = smbgetdir(share: "C$", dir: filespec, typ: 1 );
- if( !isnull(r) ) {
- tmp_filename = get_tmp_dir()+"tmpfile"+rand();
- if( smbgetfile(share: "C$", filename: filespec, tmp_filename: tmp_filename) ) {
- v = GetPEProductVersion(tmp_filename:tmp_filename, orig_filename:filespec);
- unlink(tmp_filename);
- if( version_is_less(version: v, test_version: test_version) ) {
- security_hole(port:0, proto:"Win_Mozilla");
- report = report + "Fileversion : C$ "+filespec + " "+v+string("\n");
- security_hole(port:0, proto:"Win_Mozilla", data:report);
- }
- break;
- } else {
- report = string("Error getting SMB-File -> "+get_kb_item("SMB/ERROR")) + string("\n");
- security_note(port:0, proto:"Win_Mozilla", data:report);
- }
- }
+}
+
+# Seamonkey Check
+smVer = get_kb_item("Seamonkey/Win/Ver");
+if(smVer)
+{
+ # Grep for Seamonkey version < 1.1.9
+ if(version_is_less(version:smVer, test_version:"1.1.9"))
+ {
+ security_hole(0);
+ exit(0);
}
- test_version = "1.1.9"; # Test SeaMonkey
- test_file[0] = "Programme\mozilla.org\SeaMonkey\seamonkey.exe";
- test_file[1] = "Prog Files\mozilla.org\SeaMonkey\seamonkey.exe";
- foreach filespec (test_file) {
- r = smbgetdir(share: "C$", dir: filespec, typ: 1 );
- if( !isnull(r) ) {
- tmp_filename = get_tmp_dir()+"tmpfile"+rand();
- if( smbgetfile(share: "C$", filename: filespec, tmp_filename: tmp_filename) ) {
- v = GetPEProductVersion(tmp_filename:tmp_filename, orig_filename:filespec);
- unlink(tmp_filename);
- if( version_is_less(version: v, test_version: test_version) ) {
- security_hole(port:0, proto:"Win_Mozilla");
- report = report + "Fileversion : C$ "+filespec + " "+v+string("\n");
- security_hole(port:0, proto:"Win_Mozilla", data:report);
- }
- break;
- } else {
- report = string("Error getting SMB-File -> "+get_kb_item("SMB/ERROR")) + string("\n");
- security_note(port:0, proto:"Win_Mozilla", data:report);
- }
- }
- }
+}
-exit(0);
+# Thunderbird Check
+tbVer = get_kb_item("Thunderbird/Win/Ver");
+if(tbVer)
+{
+ # Grep for Thunderbird version < 2.0.0.14
+ if(version_is_less(version:tbVer, test_version:"2.0.0.14")){
+ security_hole(0);
+ }
+}
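Review bot: `script_require_keys("Firefox/Win/Ver", "Seamonkey/Win/Ver", "Thunderbird/Win/Ver");` means, as I read the NASL API, that all three keys must be present before the script is scheduled, so a host with only Firefox installed is never checked, whereas the body below treats the three products as independent and the removed smbclient code tested each on its own. Since every lookup is already guarded (`if(ffVer)`, `if(smVer)`, `if(tbVer)`), dropping the `script_require_keys` line is the simplest fix. `include("smb_nt.inc");` and `script_require_ports(139, 445);` are also unused by the new body, which only reads KB entries populated by the detection scripts.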
Modified: trunk/openvas-plugins/scripts/smbcl_openoffice_CB-A08-0068.nasl
===================================================================
--- trunk/openvas-plugins/scripts/smbcl_openoffice_CB-A08-0068.nasl 2009-10-03 10:36:51 UTC (rev 5360)
+++ trunk/openvas-plugins/scripts/smbcl_openoffice_CB-A08-0068.nasl 2009-10-05 06:51:33 UTC (rev 5361)
@@ -1,3 +1,4 @@
+#####################################################################################
#
# This script was written by Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>
#
@@ -3,28 +4,29 @@
# This script is released under the GNU GPLv2
#
-# $Revision: 01 $
+# $Revision: 03 $
+#
+# Updated By Antu Sanadi <santu at secpod.com> on 16/09/2009
+#
+#
+####################################################################################
if(description)
{
- script_id(90030);
- script_version ("$Revision: 01 $");
- script_cve_id("CVE-2008-2152");
- name = "OpenOffice.org <= 2.4.1 vulnerability (Win)";
- script_name(name);
+ script_id(90030);
+ script_version ("$Revision: 03 $");
+ script_cve_id("CVE-2008-2152");
+ script_bugtraq_id(29622);
+ script_name("OpenOffice.org <= 2.4.1 vulnerability (Win)");
+ desc = "The remote host is probably affected by the vulnerabilities described in
+ CVE-2008-2152 or CVE-2008-3282 on 64-bit platform's
- desc = "The remote host is probably affected by the vulnerabilities described in
-CVE-2008-2152 or CVE-2008-3282 on 64-bit platform's
-
-OpenOffice.org <= 2.4.1 vulnerability
-
-Impact
-
+ Impact
CVE-2008-2152
Integer overflow in the rtl_allocateMemory function in
sal/rtl/source/alloc_global.c in OpenOffice.org (OOo)
2.0 through 2.4 allows remote attackers to execute
arbitrary code via a crafted file that triggers a
- heap-based buffer overflow.
+ heap-based buffer overflow.
CVE-2008-3282
Integer overflow in the rtl_allocateMemory function
@@ -34,78 +36,34 @@
remote attackers to cause a denial of service (application
crash) or possibly execute arbitrary code via a crafted
document, related to a 'numeric truncation error,' a
- different vulnerability than CVE-2008-2152.
-
-References:
+ different vulnerability than CVE-2008-2152.
+
+ References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2152
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3282
-Solution:
+ Solution:
All OpenOffice.org users should upgrade to the latest version:
+ Risk factor : High";
-Risk factor : High
-";
-
- script_description(desc);
- summary = "Determines OpenOffice.org <= 2.4.1 vulnerability";
- script_summary(summary);
- script_category(ACT_GATHER_INFO);
- script_copyright("This script is under GPLv2");
- family = "Windows";
- script_family(family);
- exit(0);
+ script_description(desc);
+ script_summary("Check for the version of OpenOffice");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("This script is under GPLv2");
+ script_family("Buffer overflow");
+ script_dependencies("secpod_openoffice_detect_win.nasl");
+ script_require_keys("OpenOffice/Win/Ver");
+ exit(0);
}
-#
-# The code starts here
-#
+
include("version_func.inc");
-include("smbcl_func.inc");
-if( check_smbcl() == 0 ) exit(0);
-sec_hole = 0;
-sec_proto = "OpenOffice.org";
-test_version = "2.4.9310";
-ver = NULL;
-r = NULL;
-
- sec_hole = 0;
- path = "Programme\";
- share ="C$";
- prog = "OpenOffice.org*";
- r = smbgetdir(share: share, dir: path+prog, typ: 2 );
- if( isnull(r) ) {
- path = "Program Files\";
- r = smbgetdir(share: share, dir: path+prog, typ: 2 );
+openVer = get_kb_item("OpenOffice/Win/Ver");
+if(openVer != NULL)
+{
+ if(version_is_less_equal(version:openVer, test_version:"2.4.1")){
+ security_hole(0);
}
- if( !isnull(r) ) {
- foreach oodir (r) {
- file_spec = path+oodir+"\program\version.ini";
- r = smbgetdir(share: "C$", dir: file_spec, typ: 1 );
- if( !isnull(r) ) {
- tmp_filename = get_tmp_dir()+"tmpfile"+rand();
- if( smbgetfile(share: "C$", filename: file_spec, tmp_filename: tmp_filename) ) {
- ver = fread(tmp_filename);
- unlink(tmp_filename);
- if( ! isnull(ver) ) {
- version = ereg_replace(pattern:".+OOOBaseVersion=", string: ver, replace: "")+".";
- version = eregmatch(pattern:"([0-9]\.)+[0-9]+", string: version);
- build = ereg_replace(pattern:".+ProductBuildid=", string: ver, replace: "");
- build = eregmatch(pattern:"^[0-9]+", string: build);
- ver = version[0]+"."+build[0];
- set_kb_item(name: "OpenOffice.org/Build", value: ver);
- if( version_is_less(version:ver, test_version:test_version) ) {
- if(sec_hole == 0) {
- security_warning(port:0, proto:sec_proto);
- sec_hole = 1;
- }
- security_warning(port:0, proto:sec_proto, data:string("\nFound : ") + oodir +
- " Build : " + ver + string("\n"));
- }
- }
- }
- }
- }
- }
-exit(0);
+}
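Review bot: `if(openVer != NULL)` diverges from the `if(qtVer)` / `if(ffVer)` form the other rewrites in this commit use, and `if(openVer)` would additionally skip an empty-string version. The reported severity and boundary also change: the removed code raised `security_warning` for builds below 2.4.9310 (the 2.4.1 build), while `version_is_less_equal(version:openVer, test_version:"2.4.1")` now raises `security_hole` for 2.4.1 itself — if I recall the advisories correctly that is right for CVE-2008-3282 on 64-bit builds but a false positive for the 32-bit CVE-2008-2152 case, so a comment such as `# 2.4.1 included: CVE-2008-3282 still affects 2.4.1 on 64-bit builds` should state the intent. The dropped `set_kb_item(name: "OpenOffice.org/Build", ...)` may have consumers elsewhere in the plugin tree; worth a grep before this lands.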
Modified: trunk/openvas-plugins/scripts/win_CVE-2007-0043.nasl
===================================================================
--- trunk/openvas-plugins/scripts/win_CVE-2007-0043.nasl 2009-10-03 10:36:51 UTC (rev 5360)
+++ trunk/openvas-plugins/scripts/win_CVE-2007-0043.nasl 2009-10-05 06:51:33 UTC (rev 5361)
@@ -1,90 +1,98 @@
+#################################################################################
#
+#
# This script was written by Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>
#
# This script is released under the GNU GPLv2
#
-# $Revision: 01 $
+# $Revision: 02 $
+# Updated by:
+# Antu Sanadi <santu at secpod.com> on 16/09/22
+#
+###############################################################################
if(description)
{
+ script_id(90010);
+ script_version ("$Revision: 02 $");
+ script_cve_id("CVE-2007-0043");
+ script_bugtraq_id(24811);
+ script_name(".NET JIT Compiler Vulnerability");
+ desc = "The remote host is affected by the vulnerabilitys described in
+ CVE-2007-0043
- script_id(90010);
- script_version ("$Revision: 01 $");
- script_cve_id("CVE-2007-0043");
- name = ".NET JIT Compiler Vulnerability";
- script_name(name);
+ Checking if System.web.dll version is less than 2.0.50727.832
- desc = "The remote host is affected by the vulnerabilitys described in
-CVE-2007-0043
+ Impact:
+ The Just In Time (JIT) Compiler service in Microsoft .NET Framework 1.0, 1.1,
+ and 2.0 for Windows 2000, XP, Server 2003, and Vista allows user-assisted
+ remote attackers to execute arbitrary code via unspecified vectors involving
+ an unchecked buffer, probably a buffer overflow, aka .NET JIT Compiler
+ Vulnerability. Checking if System.web.dll version is less than 2.0.50727.832
-Checking if System.web.dll version is less than 2.0.50727.832
+ References:
+ http://secunia.com/advisories/26003
+ http://securitytracker.com/alerts/2007/Jul/1018356.html
+ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0043
+ http://www.microsoft.com/technet/security/Bulletin/ms07-040.mspx
-Impact
- The Just In Time (JIT) Compiler service in Microsoft
- .NET Framework 1.0, 1.1, and 2.0 for Windows 2000, XP,
- Server 2003, and Vista allows user-assisted remote
- attackers to execute arbitrary code via unspecified
- vectors involving an unchecked buffer, probably a
- buffer overflow, aka .NET JIT Compiler Vulnerability.
- Checking if System.web.dll version is less than 2.0.50727.832
+ Solution:
+ All Users should upgrade to the latest version.
+ http://www.microsoft.com/technet/security/Bulletin/ms07-040.mspx
-References:
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0043
+ Risk factor : High";
-Solution:
- All Users should upgrade to the latest version.
+ script_description(desc);
+ script_summary("Test for .NET JIT Compiler Vulnerability");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("This script is under GPLv2");
+ script_family("Windows : Microsoft Bulletins");
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_keys("SMB/WindowsVersion");
+ script_require_ports(139, 445);
+ exit(0);
+}
-Risk factor : High";
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
- script_description(desc);
- summary = "Test for .NET JIT Compiler Vulnerability";
- script_summary(summary);
- script_category(ACT_GATHER_INFO);
- script_copyright("This script is under GPLv2");
- family = "Windows";
- script_family(family);
- script_require_ports(139, 445);
- exit(0);
+if(hotfix_check_sp(xp:4, win2k:5, win2003:3) <= 0){
+ exit(0);
}
-#
-# The code starts here
-#
+key = "SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\";
+foreach item (registry_enum_values(key:key))
+{
+ if("System.Web.dll" >< item)
+ {
+ path = item;
+ break;
+ }
+}
-include("version_func.inc");
-include("smbcl_func.inc");
-if( check_smbcl() == 0 ) exit(0);
+if(!path){
+ exit(0);
+}
- test_version = "2.0.50727.832";
- win_dir = get_windir();
- if( !isnull(win_dir) ) {
- path = win_dir+"Microsoft.NET\Framework\";
- filespec = "v2*";
- r = smbgetdir(share: "C$", dir: path+filespec, typ: 2 );
- if( !isnull(r) ) {
- filespec = r[0]+"\"+"system.web.dll";
- r = smbgetdir(share: "C$", dir: path+filespec, typ: 1 );
- if( !isnull(r) ) {
- tmp_filename = get_tmp_dir()+"tmpfile"+rand();
- orig_filename = path+filespec;
- if( smbgetfile(share: "C$", filename: orig_filename, tmp_filename: tmp_filename) ) {
- v = GetPEFileVersion(tmp_filename:tmp_filename, orig_filename:orig_filename);
- unlink(tmp_filename);
- if( version_is_less(version: v, test_version: test_version) ) {
- security_hole(port:0, proto:"SMB");
- report = report + "Fileversion : C$ "+orig_filename + " "+v+string("\n");
- security_hole(port:0, proto:"SMB", data:report);
- }
- } else {
- report = string("Error getting SMB-File -> "+get_kb_item("SMB/ERROR")) + string("\n");
- security_note(port:0, proto:"SMB", data:report);
- }
- }
- } else {
- report = string(".NET V2xx not found/no access -> "+get_kb_item("SMB/ERROR")) + string("\n");
- security_note(port:0, proto:"SMB", data:report);
- }
- }
+if("c:" >< path){
+ path = ereg_replace(pattern:"c:", replace:"C:", string:path);
+}
-exit(0);
+share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:path);
+file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1", string:path);
+dllVer = GetVer(file:file, share:share);
+
+if(!dllVer){
+ exit(0);
+}
+
+# Check for .Net Framework version 1.0 < 1.0.3705.6060, 1.1 < 1.1.4322.2407
+# and 2.0 < 2.0.50727.832
+if(version_in_range(version:dllVer, test_version:"1.0", test_version2:"1.0.3705.6059")||
+ version_in_range(version:dllVer, test_version:"1.1", test_version2:"1.1.4322.2406")||
+ version_in_range(version:dllVer, test_version:"2.0", test_version2:"2.0.50727.831")){
+ security_hole(0);
+}
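Review bot: The `break` in the SharedDlls loop keeps only the first registry value containing "System.Web.dll", yet the version check below covers .NET 1.0, 1.1 and 2.0, which can be installed side by side, so a host whose first match is a patched framework is reported clean even when another installed version is still in the vulnerable range. Moving the share/file split and the GetVer() call inside the loop and testing every match closes that gap; an `exit(0)` after `security_hole(0)` keeps the report to one hit per host. The lowercase-drive handling (`"c:"` → `"C:"`) is kept as is, though it only covers drive C. The framework counts and bulletin reference otherwise look consistent with the header text.
```nasl
key = "SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\";
foreach item (registry_enum_values(key:key))
{
  # Several .NET Framework versions can be installed side by side, so every
  # registered System.Web.dll is examined rather than only the first one found.
  if("System.Web.dll" >< item)
  {
    path = item;
    if("c:" >< path){
      path = ereg_replace(pattern:"c:", replace:"C:", string:path);
    }
    share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:path);
    file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1", string:path);
    dllVer = GetVer(file:file, share:share);
    if(!dllVer){
      continue;
    }
    # … unchanged: version_in_range() conditions for 1.0 / 1.1 / 2.0 …
      security_hole(0);
      exit(0);   # one report per host is enough
    }
  }
}
```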
Modified: trunk/openvas-plugins/scripts/win_CVE-2007-6026.nasl
===================================================================
--- trunk/openvas-plugins/scripts/win_CVE-2007-6026.nasl 2009-10-03 10:36:51 UTC (rev 5360)
+++ trunk/openvas-plugins/scripts/win_CVE-2007-6026.nasl 2009-10-05 06:51:33 UTC (rev 5361)
@@ -1,3 +1,4 @@
+##################################################################################
#
# This script was written by Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>
#
@@ -3,137 +4,114 @@
# This script is released under the GNU GPLv2
#
-# $Revision: 01 $
+# $Revision: 03 $
+#
+# Updated By:
+# Antu Sanadi <santu at secpod.com> on 16/09/2009
+#
+#
+##################################################################################
if(description)
{
+ script_id(90024);
+ script_version ("$Revision: 03 $");
+ script_cve_id("CVE-2007-6026");
+ script_bugtraq_id(28398);
+ script_name("Windows Vulnerability in Microsoft Jet Database Engine");
+ desc = "The remote host is probably affected by the vulnerability described in
+ CVE-2007-6026
- script_id(90024);
- script_version ("$Revision: 01 $");
- script_cve_id("CVE-2007-6026");
- name = "Windows Vulnerability in Microsoft Jet Database Engine";
- script_name(name);
-
- desc = "The remote host is probably affected by the vulnerability described in
-CVE-2007-6026
-
-
-Impact
+ Impact
Stack-based buffer overflow in Microsoft msjet40.dll 4.0.8618.0
(aka Microsoft Jet Engine), as used by Access 2003 in Microsoft
Office 2003 SP3, allows user-assisted attackers to execute arbitrary
code via a crafted MDB file database file containing a column
structure with a modified column count. NOTE: this might be the
- same issue as CVE-2005-0944.
+ same issue as CVE-2005-0944.
-References:
+ References:
+ http://www.us-cert.gov/cas/techalerts/TA08-134A.html
+ http://securitytracker.com/alerts/2007/Nov/1018976.html
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6026
http://www.microsoft.com/technet/security/bulletin/ms08-028.mspx
-Solution:
+ Solution:
All Users should upgrade to the latest version.
+ Risk factor : High";
-Risk factor : High";
+ script_description(desc);
+ script_summary("Windows Vulnerability in Microsoft Jet Database Engine");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("This script is under GPLv2");
+ script_family("Windows : Microsoft Bulletins");
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_keys("SMB/WindowsVersion");
+ script_require_ports(139, 445);
+ exit(0);
+}
- script_description(desc);
- summary = "Windows Vulnerability in Microsoft Jet Database Engine";
- script_summary(summary);
- script_category(ACT_GATHER_INFO);
- script_copyright("This script is under GPLv2");
- family = "Windows";
- script_family(family);
- script_require_ports(139, 445);
- exit(0);
+
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
+
+if(hotfix_check_sp(xp:4, win2k:5, win2003:3) <= 0){
+ exit(0);
}
-#
-# The code starts here
-#
+if((hotfix_missing(name:"950749") == 0)){
+ exit(0);
+}
-local_var os;
+dllPath = registry_get_sz(key:"SOFTWARE\Microsoft\COM3\Setup",
+ item:"Install Path");
+if(!dllPath){
+ exit(0);
+}
-include("version_func.inc");
-include("smbcl_func.inc");
-if( check_smbcl() == 0 ) exit(0);
+share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:dllPath);
+file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1", string:dllPath + "\Msjet40.dll");
- win_dir = get_windir();
- sec_hole = 0;
- if( !isnull(win_dir) ) {
- os = get_kb_item("SMB/OS");
- filespec = win_dir+"system32\Msjint40.dll";
- test_version = NULL;
- if( "WINDOWS 5.1" >< os ) {
- test_version = "4.0.9502.0";
- } else {
- if( "WINDOWS SERVER 2003" >< os ) {
- test_version = "4.0.9502.0";
- } else {
- if( "WINDOWS 5.0" >< os ) {
- test_version = "4.0.9502.0";
- }
- }
+dllVer = GetVer(file:file, share:share);
+if(!dllVer){
+ exit(0);
+}
+
+# Windows 2K
+if(hotfix_check_sp(win2k:5) > 0)
+{
+ # Grep for Msjet40.dll version < 4.0.9511.0
+ if(version_is_less(version:dllVer, test_version:"4.0.9511.0")){
+ security_hole(0);
+ }
+}
+
+# Windows XP
+else if(hotfix_check_sp(xp:3) > 0)
+{
+ SP = get_kb_item("SMB/WinXP/ServicePack");
+ if("Service Pack 2" >< SP)
+ {
+ # Grep for Msjet40.dll < 4.0.9511.0
+ if(version_is_less(version:dllVer, test_version:"4.0.9511.0")){
+ security_hole(0);
}
- if( !isnull(test_version) ) {
- r = smbgetdir(share: "C$", dir: filespec, typ: 1 );
- if( !isnull(r) ) {
- tmp_filename = get_tmp_dir()+"tmpfile"+rand();
- if( smbgetfile(share: "C$", filename: filespec, tmp_filename: tmp_filename) ) {
- v = GetPEFileVersion(tmp_filename:tmp_filename, orig_filename:filespec);
- unlink(tmp_filename);
- if( version_is_less(version: v, test_version: test_version) ) {
- if( sec_hole == 0 ) {
- security_hole(port:0, proto:"Win");
- sec_hole = 1;
- }
- security_hole(port:0, proto:"Win", data:"Version found : C$ "+filespec + " "+v+string("\n")+
- "Version expected : "+test_version+" or higher "+string("\n"));
- }
- } else {
- report = string("Error getting SMB-File -> "+get_kb_item("SMB/ERROR")) + string("\n");
- security_note(port:0, proto:"SMB", data:report);
- }
- } else {
- report = string(filespec+" not found/no access -> "+get_kb_item("SMB/ERROR")) + string("\n");
- security_note(port:0, proto:"SMB", data:report);
- }
- }
- filespec = win_dir+"system32\Msjet40.dll";
- test_version = NULL;
- if( "WINDOWS 5.1" >< os ) {
- test_version = "4.0.9511.0";
- } else {
- if( "WINDOWS SERVER 2003" >< os ) {
- test_version = "4.0.9511.0";
- } else {
- if( "WINDOWS 5.0" >< os ) {
- test_version = "4.0.9511.0";
- }
- }
- }
- if( !isnull(test_version) ) {
- r = smbgetdir(share: "C$", dir: filespec, typ: 1 );
- if( !isnull(r) ) {
- tmp_filename = get_tmp_dir()+"tmpfile"+rand();
- if( smbgetfile(share: "C$", filename: filespec, tmp_filename: tmp_filename) ) {
- v = GetPEFileVersion(tmp_filename:tmp_filename, orig_filename:filespec);
- unlink(tmp_filename);
- if( version_is_less(version: v, test_version: test_version) ) {
- if( sec_hole == 0 ) {
- security_hole(port:0, proto:"Win");
- sec_hole = 1;
- }
- security_hole(port:0, proto:"Win", data:"Version found : C$ "+filespec + " "+v+string("\n")+
- "Version expected : "+test_version+" or higher "+string("\n"));
- }
- } else {
- report = string("Error getting SMB-File -> "+get_kb_item("SMB/ERROR")) + string("\n");
- security_note(port:0, proto:"SMB", data:report);
- }
- } else {
- report = string(filespec+" not found/no access -> "+get_kb_item("SMB/ERROR")) + string("\n");
- security_note(port:0, proto:"SMB", data:report);
- }
- }
}
+ else
+ security_hole(0);
+}
-exit(0);
+# Windows 2003
+else if(hotfix_check_sp(win2003:2) > 0)
+{
+ SP = get_kb_item("SMB/Win2003/ServicePack");
+ if("Service Pack 1" >< SP)
+ {
+ # Grep for Msjet40.dll version < 4.0.9511.0
+ if(version_is_less(version:dllVer, test_version:"4.0.9511.0")){
+ security_hole(0);
+ }
+ }
+}
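Review bot: The entry gate `hotfix_check_sp(xp:4, win2k:5, win2003:3)` is wider than the branch gates `hotfix_check_sp(xp:3)` and `hotfix_check_sp(win2003:2)`, so an XP SP3 or Server 2003 SP2 host passes the first check, has Msjet40.dll fetched over SMB, and then matches no branch and produces no verdict at all. If those service packs are intentionally out of scope (they ship the fixed engine according to the bulletin), tightening the gate to `if(hotfix_check_sp(xp:3, win2k:5, win2003:2) <= 0){` avoids the unnecessary file transfer and documents the intent; otherwise the missing branches need adding. Separately, the drive-letter split `ereg_replace(pattern:"([A-Z]):.*", ...)` only matches an uppercase letter, so a registry value such as `c:\windows\system32` leaves `share` equal to the whole path; the same pattern is used in win_CVE-2008-0080.nasl and win_CVE-2008-0087.nasl, while win_CVE-2007-0043.nasl normalises `c:` first, and the three scripts should agree (a `[a-zA-Z]` class with the letter upper-cased afterwards would cover every drive). The unconditional `else security_hole(0)` for XP service packs other than SP2 would also benefit from a one-line comment stating that it deliberately treats unsupported service-pack levels as unpatched.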
Modified: trunk/openvas-plugins/scripts/win_CVE-2008-0080.nasl
===================================================================
--- trunk/openvas-plugins/scripts/win_CVE-2008-0080.nasl 2009-10-03 10:36:51 UTC (rev 5360)
+++ trunk/openvas-plugins/scripts/win_CVE-2008-0080.nasl 2009-10-05 06:51:33 UTC (rev 5361)
@@ -1,107 +1,127 @@
-#
+################################################################################
# This script was written by Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>
#
# This script is released under the GNU GPLv2
#
-# $Revision: 01 $
+# $Revision: 03 $
+#
+# Modified to Implement 'smb_nt.inc'
+# - By Nikita MR <rnikita at secpod.com> On 2009-09-18
+################################################################################
if(description)
{
+ script_id(90015);
+ script_version ("$Revision: 03 $");
+ script_cve_id("CVE-2008-0080");
+ script_bugtraq_id(27670);
+ script_name("Mini-Redirector Heap Overflow Vulnerability");
+ desc = "
+ Overview: This host has critical security update missing according to
+ Microsoft Bulletin MS008-007
- script_id(90015);
- script_version ("$Revision: 01 $");
- script_cve_id("CVE-2008-0080");
- name = "Mini-Redirector Heap Overflow Vulnerability";
- script_name(name);
+ Vulnerability Insight:
+ A boundary error occurs in the WebDAV Mini-Redirector when handling long
+ pathnames in WebDAV responses.
- desc = "The remote host is probably affected by the vulnerability described in
-CVE-2008-0080
+ Impact:
+ Succesful exploitation will allow attackes to execute arbitrary code and
+ completely compromise the affected computer.
+ References:
+ http://secunia.com/advisories/28894
+ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0080
+ http://www.microsoft.com/technet/security/bulletin/ms08-007.mspx
-Impact
- Heap-based buffer overflow in the WebDAV Mini-Redirector
- in Microsoft Windows XP SP2, Server 2003 SP1 and SP2,
- and Vista allows remote attackers to execute arbitrary
- code via a crafted WebDAV response.
+ Workarounds:
+ Disable the WebClient Service.
-References:
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0080
- http://www.microsoft.com/technet/security/bulletin/ms08-007.mspx
+ Solution:
+ Run Windows Update and update the listed hotfixes or download and
+ update mentioned hotfixes in the advisory from the below link,
+ http://www.microsoft.com/technet/security/bulletin/ms08-007.mspx
+ Risk factor : Critical";
-Workarounds
- Disable the WebClient Service.
+ script_description(desc);
+ script_summary("Mini-Redirector Heap Overflow Vulnerability");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("This script is under GPLv2");
+ script_family("Windows : Microsoft Bulletins");
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_ports(139, 445);
+ exit(0);
+}
-Solution:
- All Users should upgrade to the latest version.
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
+if(hotfix_check_sp(xp:3, win2003:3) <= 0)
+{
+ exit(0);
+}
-Risk factor : High";
+# MS08-007 Hotfix check
+if(hotfix_missing(name:"946026") == 0)
+{
+ exit(0);
+}
- script_description(desc);
- summary = "Mini-Redirector Heap Overflow Vulnerability";
- script_summary(summary);
- script_category(ACT_GATHER_INFO);
- script_copyright("This script is under GPLv2");
- family = "Windows";
- script_family(family);
- script_require_ports(139, 445);
- exit(0);
+sysPath = registry_get_sz(item:"Install Path",
+ key:"SOFTWARE\Microsoft\COM3\Setup");
+if(!sysPath)
+{
+ exit(0);
}
-#
-# The code starts here
-#
+share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:sysPath);
+file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1",
+ string:sysPath + "\drivers\mrxdav.sys");
+sysVer = GetVer(file:file, share:share);
+if(!sysVer)
+{
+ exit(0);
+}
-local_var os;
+# Windows XP
+if(hotfix_check_sp(xp:3) > 0)
+{
+ SP = get_kb_item("SMB/WinXP/ServicePack");
+ if("Service Pack 2" >< SP)
+ {
+ # Grep for mrxdav.sys version < 5.1.2600.3276
+ if(version_in_range(version:sysVer, test_version:"5.1",
+ test_version2:"5.1.2600.3275")){
+ security_hole(0);
+ }
+ }
+ else
+ security_hole(0);
+}
-include("version_func.inc");
-include("smbcl_func.inc");
-if( check_smbcl() == 0 ) exit(0);
-
- win_dir = get_windir();
- if( !isnull(win_dir) ) {
- os = get_kb_item("SMB/OS");
- filespec = win_dir+"system32\drivers\mrxdav.sys";
- test_version = NULL;
- if( "WINDOWS VISTA" >< os ) {
- test_version = "6.0.6000.16626";
- } else {
- if( "WINDOWS 5.1" >< os ) {
- test_version = "5.1.2600.3276";
- } else {
- if( "WINDOWS SERVER 2003" >< os ) {
- if( "SERVICE PACK 2" >< os ) {
- test_version = "5.2.3790.4206";
- } else {
- test_version = "5.2.3790.3060";
- }
- }
- }
+# Windows 2003
+else if(hotfix_check_sp(win2003:3) > 0)
+{
+ SP = get_kb_item("SMB/Win2003/ServicePack");
+ if("Service Pack 2" >< SP)
+ {
+ # Grep for mrxdav.sys version < 5.2.3790.4206
+ if(version_in_range(version:sysVer, test_version:"5.2",
+ test_version2:"5.2.3790.4205")){
+ security_hole(0);
}
- if( !isnull(test_version) ) {
- r = smbgetdir(share: "C$", dir: filespec, typ: 1 );
- if( !isnull(r) ) {
- tmp_filename = get_tmp_dir()+"tmpfile"+rand();
- orig_filename = filespec;
- if( smbgetfile(share: "C$", filename: orig_filename, tmp_filename: tmp_filename) ) {
- v = GetPEFileVersion(tmp_filename:tmp_filename, orig_filename:orig_filename);
- unlink(tmp_filename);
- if( version_is_less(version: v, test_version: test_version) ) {
- security_hole(port:0, proto:"Win");
- report = report + "Fileversion : C$ "+orig_filename + " "+v+string("\n");
- security_hole(port:0, proto:"Win", data:report);
- }
- } else {
- report = string("Error getting SMB-File -> "+get_kb_item("SMB/ERROR")) + string("\n");
- security_note(port:0, proto:"SMB", data:report);
- }
- } else {
- report = string(filespec+" not found/no access -> "+get_kb_item("SMB/ERROR")) + string("\n");
- security_note(port:0, proto:"SMB", data:report);
- }
+ }
+ else if("Service Pack 1" >< SP)
+ {
+ # Grep for mrxdav.sys version < 5.2.3790.3060
+ if(version_in_range(version:sysVer, test_version:"5.2",
+ test_version2:"5.2.3790.3059")){
+ security_hole(0);
}
}
-
-exit(0);
+ else
+ security_hole(0);
+}
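Review bot: The description block omits `script_require_keys("SMB/WindowsVersion");`, which both sibling rewrites in this commit (win_CVE-2007-6026.nasl, win_CVE-2008-0087.nasl) declare before `script_require_ports(139, 445);`; adding it keeps this script from being scheduled when the registry enumeration never ran, and makes the three launch conditions identical. The two bare `else security_hole(0);` branches (XP not SP2, 2003 neither SP1 nor SP2) report without looking at mrxdav.sys at all, which is presumably intended for service-pack levels no longer serviced, but a comment such as `# other service packs are unsupported and treated as unpatched` would stop the next reader from taking it for a missing check. The bulletin identifier in the description reads "MS008-007" while the references and hotfix comment say MS08-007, and "Succesful"/"attackes" in the Impact paragraph are typos; these are user-visible strings, so a follow-up cosmetic fix is warranted.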
Modified: trunk/openvas-plugins/scripts/win_CVE-2008-0087.nasl
===================================================================
--- trunk/openvas-plugins/scripts/win_CVE-2008-0087.nasl 2009-10-03 10:36:51 UTC (rev 5360)
+++ trunk/openvas-plugins/scripts/win_CVE-2008-0087.nasl 2009-10-05 06:51:33 UTC (rev 5361)
@@ -1,108 +1,117 @@
-#
+#####################################################################################
# This script was written by Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>
#
# This script is released under the GNU GPLv2
#
-# $Revision: 01 $
+# $Revision: 03 $
+#
+# Modified to Implement 'smb_nt.inc'
+# - By Sharath S <sharaths at secpod.com> On 2009-09-21
+#
+######################################################################################
if(description)
{
+ script_id(90020);
+ script_version ("$Revision: 03 $");
+ script_cve_id("CVE-2008-0087");
+ script_bugtraq_id(28553);
+ script_name("Windows vulnerability in DNS Client Could Allow Spoofing (945553)");
+ desc = "
+ The remote host is probably affected by the vulnerability described in
+ CVE-2008-0087
- script_id(90020);
- script_version ("$Revision: 01 $");
- script_cve_id("CVE-2008-0087");
- name = "Windows vulnerability in DNS Client Could Allow Spoofing (945553)";
- script_name(name);
+ Impact:
+ The DNS client in Microsoft Windows 2000 SP4, XP SP2, Server 2003 SP1 and SP2,
+ and Vista uses predictable DNS transaction IDs, which allows remote attackers
+ to spoof DNS responses.
- desc = "The remote host is probably affected by the vulnerability described in
-CVE-2008-0087
+ References:
+ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0087
+ http://www.microsoft.com/technet/security/bulletin/ms08-020.mspx
+ Solution:
+ All Users should upgrade to the latest version.
-Impact
- The DNS client in Microsoft Windows 2000 SP4, XP SP2, Server 2003 SP1
- and SP2, and Vista uses predictable DNS transaction IDs, which allows
- remote attackers to spoof DNS responses.
+ Risk factor : High";
-References:
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0087
- http://www.microsoft.com/technet/security/bulletin/ms08-020.mspx
+ script_description(desc);
+ script_summary("Windows vulnerability in DNS Client Could Allow Spoofing (945553)");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("This script is under GPLv2");
+ script_family("Windows : Microsoft Bulletins");
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_keys("SMB/WindowsVersion");
+ script_require_ports(139, 445);
+ exit(0);
+}
-Solution:
- All Users should upgrade to the latest version.
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
-Risk factor : High";
+if(hotfix_check_sp(xp:3, win2k:5, win2003:3) <= 0){
+ exit(0);
+}
- script_description(desc);
- summary = "Windows vulnerability in DNS Client Could Allow Spoofing (945553)";
- script_summary(summary);
- script_category(ACT_GATHER_INFO);
- script_copyright("This script is under GPLv2");
- family = "Windows";
- script_family(family);
- script_require_ports(139, 445);
- exit(0);
+# MS08-020 Hotfix check
+if(hotfix_missing(name:"945553") == 0){
+ exit(0);
}
-#
-# The code starts here
-#
+dllPath = registry_get_sz(key:"SOFTWARE\Microsoft\COM3\Setup",
+ item:"Install Path");
+if(!dllPath){
+ exit(0);
+}
-local_var os;
+share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:dllPath);
+file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1",
+ string:dllPath + "\Dnsapi.dll");
-include("version_func.inc");
-include("smbcl_func.inc");
-if( check_smbcl() == 0 ) exit(0);
+dllVer = GetVer(file:file, share:share);
+if(!dllVer){
+ exit(0);
+}
- win_dir = get_windir();
- sec_hole = 0;
- if( !isnull(win_dir) ) {
- os = get_kb_item("SMB/OS");
- filespec = win_dir+"system32\Dnsapi.dll";
- test_version = NULL;
- if( "WINDOWS VISTA" >< os ) {
- test_version = "6.0.6000.16615";
- } else {
- if( "WINDOWS 5.1" >< os ) {
- test_version = "5.1.2600.3316";
- } else {
- if( "WINDOWS SERVER 2003" >< os ) {
- if( "SERVICE PACK 2" >< os ) {
- test_version = "5.2.3790.4238";
- } else {
- test_version = "5.2.3790.3092";
- }
- } else {
- if( "WINDOWS 5.0" >< os ) {
- test_version = "5.0.2195.7151";
- }
- }
- }
+# Windows 2K
+if(hotfix_check_sp(win2k:5) > 0)
+{
+ # Grep for Dnsapi.dll version < 5.0.2195.7151
+ if(version_is_less(version:dllVer, test_version:"5.0.2195.7151")){
+ security_hole(0);
+ }
+}
+
+# Windows XP
+else if(hotfix_check_sp(xp:3) > 0)
+{
+ # Grep for Dnsapi.dll < 5.1.2600.3316
+ if(version_is_less(version:dllVer, test_version:"5.1.2600.3316")){
+ security_hole(0);
+ }
+}
+
+# Windows 2003
+else if(hotfix_check_sp(win2003:3) > 0)
+{
+ SP = get_kb_item("SMB/Win2003/ServicePack");
+ if("Service Pack 2" >< SP)
+ {
+ # Grep for Dnsapi.dll version < 5.2.3790.4238
+ if(version_is_less(version:dllVer, test_version:"5.2.3790.4238")){
+ security_hole(0);
}
- if( !isnull(test_version) ) {
- r = smbgetdir(share: "C$", dir: filespec, typ: 1 );
- if( !isnull(r) ) {
- tmp_filename = get_tmp_dir()+"tmpfile"+rand();
- if( smbgetfile(share: "C$", filename: filespec, tmp_filename: tmp_filename) ) {
- v = GetPEFileVersion(tmp_filename:tmp_filename, orig_filename:filespec);
- unlink(tmp_filename);
- if( version_is_less(version: v, test_version: test_version) ) {
- if( sec_hole == 0 ) {
- security_hole(port:0, proto:"Win");
- sec_hole = 1;
- }
- security_hole(port:0, proto:"Win", data:"Version found : C$ "+filespec + " "+v+string("\n")+
- "Version expected : "+test_version+" or higher "+string("\n"));
- }
- } else {
- report = string("Error getting SMB-File -> "+get_kb_item("SMB/ERROR")) + string("\n");
- security_note(port:0, proto:"SMB", data:report);
- }
- } else {
- report = string(filespec+" not found/no access -> "+get_kb_item("SMB/ERROR")) + string("\n");
- security_note(port:0, proto:"SMB", data:report);
- }
+ }
+ if("Service Pack 1" >< SP)
+ {
+ # Grep for Dnsapi.dll version < 5.2.3790.3092
+ if(version_is_less(version:dllVer, test_version:"5.2.3790.3092")){
+ security_hole(0);
}
}
-
-exit(0);
+ else
+ security_hole(0);
+}
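Review bot: In the Windows 2003 branch the second condition `if("Service Pack 1" >< SP)` is a standalone `if` rather than `else if`, so on a Server 2003 SP2 host the SP2 block runs, the SP1 test is then false, and the trailing `else security_hole(0);` fires unconditionally — every 2003 SP2 host is reported vulnerable regardless of the Dnsapi.dll version (and twice when the file really is old). Changing that line to `else if("Service Pack 1" >< SP)` makes the chain match the structure used in win_CVE-2008-0080.nasl and restricts the fallback to service packs other than SP1/SP2. A short comment on the fallback, stating that unsupported service-pack levels are treated as unpatched, would also help, since the Windows 2000 and XP branches have no such fallback.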