[Openvas-commits] r7298 - in trunk/openvas-plugins: . scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Wed Apr 14 17:51:57 CEST 2010


Author: schandan
Date: 2010-04-14 17:51:53 +0200 (Wed, 14 Apr 2010)
New Revision: 7298

Added:
   trunk/openvas-plugins/scripts/secpod_ms10-019.nasl
   trunk/openvas-plugins/scripts/secpod_ms10-020.nasl
   trunk/openvas-plugins/scripts/secpod_ms10-021.nasl
   trunk/openvas-plugins/scripts/secpod_ms10-022.nasl
   trunk/openvas-plugins/scripts/secpod_ms10-023.nasl
   trunk/openvas-plugins/scripts/secpod_ms10-025.nasl
   trunk/openvas-plugins/scripts/secpod_ms10-026.nasl
   trunk/openvas-plugins/scripts/secpod_ms10-027.nasl
   trunk/openvas-plugins/scripts/secpod_ms10-028.nasl
   trunk/openvas-plugins/scripts/secpod_ms10-029.nasl
Modified:
   trunk/openvas-plugins/ChangeLog
   trunk/openvas-plugins/scripts/secpod_ssl_ciphers.nasl
Log:
April MS Bulletin scripts release.

Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2010-04-14 15:07:48 UTC (rev 7297)
+++ trunk/openvas-plugins/ChangeLog	2010-04-14 15:51:53 UTC (rev 7298)
@@ -1,3 +1,20 @@
+2010-04-14  Chandan S <schandan at secpod.com>
+
+	* scripts/secpod_ms10-027.nasl,
+	scripts/secpod_ms10-021.nasl,
+	scripts/secpod_ms10-019.nasl,
+	scripts/secpod_ms10-028.nasl,
+	scripts/secpod_ms10-025.nasl,
+	scripts/secpod_ms10-022.nasl,
+	scripts/secpod_ms10-029.nasl,
+	scripts/secpod_ms10-026.nasl,
+	scripts/secpod_ms10-023.nasl,
+	scripts/secpod_ms10-020.nasl:
+	MS Bulletin plugins - Apr 10.
+
+	* scripts/secpod_ssl_ciphers.nasl:
+	Addressed dump errors.
+
 2010-04-14  Michael Meyer <michael.meyer at intevation.de>
 
 	* scripts/gb_mozilla_prdts_mailto_dos_vuln_win.nasl,

Added: trunk/openvas-plugins/scripts/secpod_ms10-019.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms10-019.nasl	2010-04-14 15:07:48 UTC (rev 7297)
+++ trunk/openvas-plugins/scripts/secpod_ms10-019.nasl	2010-04-14 15:51:53 UTC (rev 7298)
@@ -0,0 +1,218 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_ms10-019.nasl 8356 2010-04-14 01:10:42Z apr $
+#
+# Microsoft Windows Authentication Verification Remote Code Execution Vulnerability (981210)
+#
+# Authors:
+# Veerendra G <veerendragg at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2010 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(900237);
+  script_version("$Revision$:1.0");
+  script_bugtraq_id(39328, 39332);
+  script_cve_id("CVE-2010-0486", "CVE-2010-0487");
+  script_tag(name:"Risk Factor", value:"Critical");
+  script_name("Microsoft Windows Authentication Verification Remote Code Execution Vulnerability (981210)");
+  desc = "
+  Overview: This host has critical security update missing according to
+  Microsoft Bulletin MS10-019.
+
+  Vulnerability Insight:
+  An error exists in the Windows Authenticode Signature Verification function
+  used for portable executable (PE) and cabinet(.cab) file formats.
+
+  Impact:
+  Successful exploitation could lead to complete system being compromised.
+
+  Impact Level: System
+
+  Affected Software/OS:
+  Authenticode Signature Verification 5.1 on,
+  Microsoft Windows 2K  Service Pack 4 and prior.
+  Microsoft Windows XP  Service Pack 3 and prior.
+  Microsoft Windows 2K3 Service Pack 2 and prior.
+
+  Cabinet File Viewer Shell Extension 5.1 on,
+  Microsoft Windows 2K  Service Pack 4 and prior.
+
+  Cabinet File Viewer Shell Extension 6.0 on,
+  Microsoft Windows XP  Service Pack 3 and prior.
+  Microsoft Windows 2K3 Service Pack 2 and prior.
+
+  Fix:
+  Run Windows Update and update the listed hotfixes or download and
+  update mentioned hotfixes in the advisory from the below link,
+  http://www.microsoft.com/technet/security/Bulletin/MS10-019.mspx
+
+  References:
+  http://secunia.com/advisories/39371
+  http://www.microsoft.com/technet/security/Bulletin/MS10-019.mspx
+  ";
+
+  script_description(desc);
+  script_summary("Check for the version of ntoskrnl.exe file");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2010 SecPod");
+  script_family("Windows : Microsoft Bulletins");
+  script_dependencies("secpod_reg_enum.nasl");
+  script_require_ports(139, 445);
+  exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
+
+if(hotfix_check_sp(xp:4, win2k:5, win2003:3) <= 0){
+  exit(0);
+}
+
+## MS10-019 Hotfix check
+if(hotfix_missing(name:"978601") == 0 && hotfix_missing(name:"979309") == 0){
+  exit(0);
+}
+
+exePath = registry_get_sz(key:"SOFTWARE\Microsoft\COM3\Setup",
+                          item:"Install Path");
+if(!exePath){
+  exit(0);
+}
+
+share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:exePath);
+file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1",
+                    string:exePath + "\Wintrust.dll");
+authSigVer = GetVer(file:file, share:share);
+
+## Check for Authenticode Signature Verification
+if(authSigVer)
+{
+  ## Windows 2K
+  if(hotfix_check_sp(win2k:5) > 0)
+  {
+    ## Grep for Wintrust.dll version < 5.131.2195.7375
+    if(version_in_range(version:authSigVer, test_version:"5.1",
+                        test_version2:"5.131.2195.7374")){
+      security_hole(0);
+      exit(0);
+    }
+  }
+
+  ## Windows XP
+  else if(hotfix_check_sp(xp:4) > 0)
+  {
+    SP = get_kb_item("SMB/WinXP/ServicePack");
+    if("Service Pack 2" >< SP)
+    {
+      ## Grep for Wintrust.dll version < 5.131.2600.3661
+      if(version_in_range(version:authSigVer, test_version:"5.1",
+                          test_version2:"5.131.2600.3660")){
+        security_hole(0);
+        exit(0);
+      }
+    }
+    else if("Service Pack 3" >< SP)
+    {
+      ## Grep for Wintrust.dll version < 5.131.2600.5922
+      if(version_in_range(version:authSigVer, test_version:"5.1",
+                          test_version2:"5.131.2600.5921")){
+        security_hole(0);
+        exit(0);
+      }
+    }
+  }
+
+  ## Windows 2003
+  else if(hotfix_check_sp(win2003:3) > 0)
+  {
+    SP = get_kb_item("SMB/Win2003/ServicePack");
+    if("Service Pack 2" >< SP)
+    {
+      ## Grep for Wintrust.dll version < 5.131.3790.4642
+      if(version_in_range(version:authSigVer, test_version:"5.1",
+                          test_version2:"5.131.3790.4641")){
+        security_hole(0);
+        exit(0);
+      }
+    }
+  }
+}
+
+## Check for Cabinet File Viewer Shell Extension
+share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:exePath);
+file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1",
+                    string:exePath + "\Cabview.dll");
+cabBViewVer = GetVer(file:file, share:share);
+
+if(cabBViewVer)
+{
+  ## Windows 2K
+  if(hotfix_check_sp(win2k:5) > 0)
+  {
+    ## Grep for Wintrust.dll version < 5.0.3900.7369
+    if(version_in_range(version:cabBViewVer, test_version:"5.0",
+                        test_version2:"5.0.3900.7368")){
+      security_hole(0);
+    }
+    exit(0);
+  }
+
+  ## Windows XP
+  else if(hotfix_check_sp(xp:4) > 0)
+  {
+    SP = get_kb_item("SMB/WinXP/ServicePack");
+    if("Service Pack 2" >< SP)
+    {
+      ## Grep for Wintrust.dll version < 6.0.2900.3663
+      if(version_in_range(version:cabBViewVer, test_version:"6.0",
+                          test_version2:"6.0.2900.3662")){
+        security_hole(0);
+      }
+      exit(0);
+    }
+    else if("Service Pack 3" >< SP)
+    {
+      ## Grep for Wintrust.dll version < 6.0.2900.5927
+      if(version_in_range(version:cabBViewVer, test_version:"6.0",
+                          test_version2:"6.0.2900.5926")){
+        security_hole(0);
+      }
+      exit(0);
+    }
+  }
+
+  ## Windows 2003
+  else if(hotfix_check_sp(win2003:3) > 0)
+  {
+    SP = get_kb_item("SMB/Win2003/ServicePack");
+    if("Service Pack 2" >< SP)
+    {
+      ## Grep for Wintrust.dll version < 6.0.3790.4649
+      if(version_in_range(version:cabBViewVer, test_version:"6.0",
+                          test_version2:"6.0.3790.4648")){
+        security_hole(0);
+      }
+      exit(0);
+    }
+  }
+}
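Review bot: The `script_summary` near the top of this plugin says it checks ntoskrnl.exe, but the code reads the versions of Wintrust.dll and Cabview.dll; `script_summary("Check for the version of Wintrust.dll and Cabview.dll files");` would match what is tested. The comments in the Cabinet File Viewer section still say `Grep for Wintrust.dll version` above each Cabview.dll comparison and should name Cabview.dll. The tag is written as `script_tag(name:"Risk Factor", value:"Critical");` while the other plugins added in this commit use `risk_factor`. If consumers match the key literally, this plugin's rating may not be picked up, so the common spelling is safer.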

Added: trunk/openvas-plugins/scripts/secpod_ms10-020.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms10-020.nasl	2010-04-14 15:07:48 UTC (rev 7297)
+++ trunk/openvas-plugins/scripts/secpod_ms10-020.nasl	2010-04-14 15:51:53 UTC (rev 7298)
@@ -0,0 +1,149 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_ms10-020.nasl 0008357 2010-04-14 09:14:35Z apr $
+#
+# Microsoft SMB Client Remote Code Execution Vulnerabilities (980232)
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2010 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(902156);
+  script_version("$Revision$:1.0");
+  script_cve_id("CVE-2009-3676", "CVE-2010-0269", "CVE-2010-0270", "CVE-2010-0476",
+                "CVE-2010-0477");
+  script_bugtraq_id(36989, 39312, 39339, 39336, 39340 );
+  script_tag(name:"risk_factor", value:"Critical");
+  script_name("Microsoft SMB Client Remote Code Execution Vulnerabilities (980232)");
+  desc = "
+  Overview: This host has critical security update missing according to
+  Microsoft Bulletin MS10-020.
+
+  Vulnerability Insight:
+  The flaws are due to multiple errors in SMB client implementation. It is
+  improperly validating fields in the SMB response.
+
+  Impact:
+  Successful exploitation could allow remote attackers to crash an affected
+  system or execute arbitrary code by tricking a user into visiting a specially
+  crafted web page.
+
+  Impact Level: System
+
+  Affected Software/OS:
+  Microsoft Windows 2000 Service Pack 4 and prior
+  Microsoft Windows XP Service Pack 3 and prior
+  Microsoft Windows 2003 Service Pack 2 and prior
+
+  Fix:
+  Run Windows Update and update the listed hotfixes or download and
+  update mentioned hotfixes in the advisory from the below link,
+  http://www.microsoft.com/technet/security/bulletin/ms10-020.mspx
+
+  References:
+  http://www.vupen.com/english/advisories/2010/0864
+  http://www.microsoft.com/technet/security/bulletin/ms10-020.mspx ";
+
+  script_description(desc);
+  script_summary("Check for the vulnerable 'Mrxsmb.sys' file version");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2010 SecPod");
+  script_family("Windows : Microsoft Bulletins");
+  script_dependencies("secpod_reg_enum.nasl");
+  script_require_ports(139, 445);
+  exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
+
+if(hotfix_check_sp(win2k:5, xp:4, win2003:3) <= 0){
+  exit(0);
+}
+
+# Check for MS10-020 Hotfix
+if(hotfix_missing(name:"980232") == 0){
+  exit(0);
+}
+
+sysPath = registry_get_sz(key:"SOFTWARE\Microsoft\COM3\Setup",
+                          item:"Install Path");
+if(!sysPath){
+  exit(0);
+}
+
+share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:sysPath);
+file =  ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1",
+                     string:sysPath + "\drivers\Mrxsmb.sys");
+
+sysVer = GetVer(file:file, share:share);
+if(!sysVer){
+  exit(0);
+}
+
+# Windows 2K
+if(hotfix_check_sp(win2k:5) > 0)
+{
+  # Grep for Mrxsmb.sys version < 5.0.2195.7379
+  if(version_is_less(version:sysVer, test_version:"5.0.2195.7379")){
+    security_hole(0);
+  }
+}
+# Windows XP
+else if(hotfix_check_sp(xp:4) > 0)
+{
+  SP = get_kb_item("SMB/WinXP/ServicePack");
+  if("Service Pack 2" >< SP)
+  {
+    # Grep for Mrxsmb.sys < 5.1.2600.3675
+    if(version_is_less(version:sysVer, test_version:"5.1.2600.3675")){
+      security_hole(0);
+    }
+    exit(0);
+  }
+  else if("Service Pack 3" >< SP)
+  {
+    # Grep for Mrxsmb.sys < 5.1.2600.5944
+    if(version_is_less(version:sysVer, test_version:"5.1.2600.5944")){
+      security_hole(0);
+    }
+    exit(0);
+  }
+  security_hole(0);
+}
+
+# Windows 2003
+else if(hotfix_check_sp(win2003:3) > 0)
+{
+  SP = get_kb_item("SMB/Win2003/ServicePack");
+  if("Service Pack 2" >< SP)
+  {
+    # Grep for Mrxsmb.sys version < 5.2.3790.4671
+    if(version_is_less(version:sysVer, test_version:"5.2.3790.4671")){
+      security_hole(0);
+    }
+    exit(0);
+  }
+  security_hole(0);
+}
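Review bot: The bare `security_hole(0);` that closes the Windows XP branch, and the one that closes the Windows 2003 branch, report the host whenever the ServicePack KB item is empty or names a service pack other than the ones listed, without consulting the Mrxsmb.sys version that was already read. If this is meant to cover service packs older than the listed ones, a comment such as `# Service pack older than those listed, or not detected: reported without a file-version check` would make that explicit. Otherwise a guard like `if(!SP) exit(0);` before it would keep a failed service-pack lookup from being reported as a finding. The same fallthrough appears in secpod_ms10-021.nasl and secpod_ms10-022.nasl, while secpod_ms10-019.nasl reports nothing in that case, so the plugins in this commit disagree on how the same situation is handled.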

Added: trunk/openvas-plugins/scripts/secpod_ms10-021.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms10-021.nasl	2010-04-14 15:07:48 UTC (rev 7297)
+++ trunk/openvas-plugins/scripts/secpod_ms10-021.nasl	2010-04-14 15:51:53 UTC (rev 7298)
@@ -0,0 +1,160 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_ms10-021.nasl 8361 2010-04-14 11:10:42Z apr $
+#
+# Microsoft Windows Kernel Could Allow Elevation of Privilege (979683)
+#
+# Authors:
+# Veerendra G <veerendragg at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2010 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(900236);
+  script_version("$Revision$:1.0");
+  script_bugtraq_id(39297, 39309, 39323, 39324, 39318, 39319, 39320, 39322);
+  script_tag(name:"risk_factor", value:"High");
+  script_cve_id("CVE-2010-0234", "CVE-2010-0235", "CVE-2010-0236", "CVE-2010-0237",
+                "CVE-2010-0238", "CVE-2010-0481", "CVE-2010-0482", "CVE-2010-0810");
+  script_name("Microsoft Windows Kernel Could Allow Elevation of Privilege (979683)");
+  desc = "
+  Overview: This host has important security update missing according to
+  Microsoft Bulletin MS10-021.
+
+  Vulnerability Insight:
+  Multiple error exists in the Windows kernel due to,
+  - the way that the kernel handles certain exceptions
+  - improper validation of specially crafted image files
+  - the manner in which the kernel processes the values of symbolic links
+  - insufficient validation of registry keys passed to a Windows kernel system
+    call
+  - the manner in which memory is allocated when extracting a symbolic link
+    from a registry key
+  - the way that the kernel resolves the real path for a registry key from its
+    virtual path
+  - not properly restricting symbolic link creation between untrusted and
+    trusted registry hives
+
+  Impact:
+  Successful exploitation could allow local users to cause a Denial of Service
+  or gain escalated privileges.
+
+  Impact Level: System
+
+  Affected Software/OS:
+  Microsoft Windows 2K  Service Pack 4 and prior.
+  Microsoft Windows XP  Service Pack 3 and prior.
+  Microsoft Windows 2K3 Service Pack 2 and prior.
+
+  Fix:
+  Run Windows Update and update the listed hotfixes or download and
+  update mentioned hotfixes in the advisory from the below link,
+  http://www.microsoft.com/technet/security/Bulletin/MS10-021.mspx
+
+  References:
+  http://secunia.com/advisories/39374
+  http://secunia.com/advisories/39373
+  http://www.microsoft.com/technet/security/Bulletin/MS10-021.mspx ";
+
+  script_description(desc);
+  script_summary("Check for the version of ntoskrnl.exe file");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2010 SecPod");
+  script_family("Windows : Microsoft Bulletins");
+  script_dependencies("secpod_reg_enum.nasl");
+  script_require_ports(139, 445);
+  exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
+
+if(hotfix_check_sp(xp:4, win2k:5, win2003:3) <= 0){
+  exit(0);
+}
+
+## MS10-021 Hotfix check
+if(hotfix_missing(name:"979683") == 0){
+  exit(0);
+}
+
+exePath = registry_get_sz(key:"SOFTWARE\Microsoft\COM3\Setup",
+                          item:"Install Path");
+if(!exePath){
+  exit(0);
+}
+
+share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:exePath);
+file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1",
+                    string:exePath + "\ntoskrnl.exe");
+
+exeVer = GetVer(file:file, share:share);
+if(!exeVer){
+  exit(0);
+}
+
+## Windows 2K
+if(hotfix_check_sp(win2k:5) > 0)
+{
+  ## Grep for ntoskrnl.exe version < 5.0.2195.7376
+  if(version_is_less(version:exeVer, test_version:"5.0.2195.7376")){
+    security_hole(0);
+  }
+}
+
+## Windows XP
+else if(hotfix_check_sp(xp:4) > 0)
+{
+  SP = get_kb_item("SMB/WinXP/ServicePack");
+  if("Service Pack 2" >< SP)
+  {
+    ## Grep for ntoskrnl.exe < 5.1.2600.3670
+    if(version_is_less(version:exeVer, test_version:"5.1.2600.3670")){
+      security_hole(0);
+    }
+    exit(0);
+  }
+  else if("Service Pack 3" >< SP)
+  {
+    ## Grep for ntoskrnl.exe < 5.1.2600.5938
+    if(version_is_less(version:exeVer, test_version:"5.1.2600.5938")){
+      security_hole(0);
+    }
+    exit(0);
+  }
+  security_hole(0);
+}
+
+## Windows 2003
+else if(hotfix_check_sp(win2003:3) > 0)
+{
+  SP = get_kb_item("SMB/Win2003/ServicePack");
+  if("Service Pack 2" >< SP)
+  {
+    ## Grep for ntoskrnl.exe version < 5.2.3790.4666
+    if(version_is_less(version:exeVer, test_version:"5.2.3790.4666")){
+      security_hole(0);
+    }
+    exit(0);
+  }
+  security_hole(0);
+}

Added: trunk/openvas-plugins/scripts/secpod_ms10-022.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms10-022.nasl	2010-04-14 15:07:48 UTC (rev 7297)
+++ trunk/openvas-plugins/scripts/secpod_ms10-022.nasl	2010-04-14 15:51:53 UTC (rev 7298)
@@ -0,0 +1,159 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_ms10-022.nasl 8362 2010-04-14 09:14:35Z apr $
+#
+# Microsoft VBScript Scripting Engine Remote Code Execution Vulnerability (980232)
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2010 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(902159);
+  script_version("$Revision$:1.0");
+  script_cve_id("CVE-2010-0483");
+  script_bugtraq_id(38463);
+  script_tag(name:"risk_factor", value:"High");
+  script_name("Microsoft VBScript Scripting Engine Remote Code Execution Vulnerability (980232)");
+  desc = "
+  Overview: This host has critical security update missing according to
+  Microsoft Bulletin MS10-022.
+
+  Vulnerability Insight:
+  The flaw exists in the way 'VBScript' interacts with Windows Help files
+  when using Internet Explorer. If a malicious Web site displayed a specially
+  crafted dialog box and a user pressed the F1 key, it allows arbitrary code
+  to be executed in the security context of the currently logged-on user.
+
+  Impact:
+  Successful exploitation could allow remote attackers to crash an affected
+  system or execute arbitrary code by tricking a user into visiting a specially
+  crafted web page.
+
+  Impact Level: System
+
+  Affected Software/OS:
+  Microsoft Windows 2000 Service Pack 4 and prior
+  Microsoft Windows XP Service Pack 3 and prior
+  Microsoft Windows 2003 Service Pack 2 and prior
+
+  Fix:
+  Run Windows Update and update the listed hotfixes or download and
+  update mentioned hotfixes in the advisory from the below link,
+  http://www.microsoft.com/technet/security/bulletin/ms10-022.mspx
+
+  References:
+  http://securitytracker.com/alerts/2010/Mar/1023668.html
+  http://www.microsoft.com/technet/security/advisory/981169.mspx
+  http://www.microsoft.com/technet/security/bulletin/ms10-022.mspx ";
+
+  script_description(desc);
+  script_summary("Check for the vulnerable 'Vbscript.dll' file version");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2010 SecPod");
+  script_family("Windows : Microsoft Bulletins");
+  script_dependencies("secpod_reg_enum.nasl");
+  script_require_ports(139, 445);
+  exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
+
+if(hotfix_check_sp(win2k:5, xp:4, win2003:3) <= 0){
+  exit(0);
+}
+
+# Check for MS10-022 Hotfix
+if((hotfix_missing(name:"981349") == 0) || (hotfix_missing(name:"981350") == 0) ||
+   (hotfix_missing(name:"981332")==0)) {
+  exit(0);
+}
+
+sysPath = registry_get_sz(key:"SOFTWARE\Microsoft\COM3\Setup",
+                          item:"Install Path");
+if(!sysPath){
+  exit(0);
+}
+
+share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:sysPath);
+file =  ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1",
+                     string:sysPath + "\Vbscript.dll");
+
+sysVer = GetVer(file:file, share:share);
+if(!sysVer){
+  exit(0);
+}
+
+# Windows 2K
+if(hotfix_check_sp(win2k:5) > 0)
+{
+  # Grep for Vbscript.dll version <  5.6.0.8838, 5.7.6002.22354,
+  if(version_in_range(version:sysVer, test_version:"5.6", test_version2:"5.6.0.8837") ||
+     version_in_range(version:sysVer, test_version:"5.7", test_version2:"5.7.6002.22353")){
+     security_hole(0);
+  }
+}
+
+# Windows XP
+else if(hotfix_check_sp(xp:4) > 0)
+{
+  SP = get_kb_item("SMB/WinXP/ServicePack");
+  if("Service Pack 2" >< SP)
+  {
+    # Grep for Vbscript.dll < 5.6.0.8838
+    if(version_is_less(version:sysVer, test_version:"5.6.0.8838")){
+      security_hole(0);
+    }
+    exit(0);
+  }
+
+  else if("Service Pack 3" >< SP) 
+  {
+    # Grep for Vbscript.dll < 5.7.6002.22354, 5.8.6001.23000
+    if(version_is_less(version:sysVer, test_version:"5.7.6002.22354") ||
+       version_in_range(version:sysVer, test_version:"5.8", test_version2:"5.8.6001.22999")){
+
+      security_hole(0);
+    }
+    exit(0);
+  }
+  security_hole(0);
+}
+
+# Windows 2003
+else if(hotfix_check_sp(win2003:3) > 0)
+{
+  SP = get_kb_item("SMB/Win2003/ServicePack");
+  if("Service Pack 2" >< SP)
+  {
+    # Grep for Vbscript.dll < 5.6.0.8838, 5.7.6002.22354, 5.8.6001.23000
+    if(version_is_less(version:sysVer, test_version:"5.6.0.8838") ||
+       version_in_range(version:sysVer, test_version:"5.7", test_version2:"5.7.6002.22353") ||
+       version_in_range(version:sysVer, test_version:"5.8", test_version2:"5.8.6001.22999")){
+     security_hole(0);
+    }
+    exit(0);
+  }
+  security_hole(0);
+}
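Review bot: The KB number in `script_name` and in the header comment is 980232, which is the number secpod_ms10-020.nasl uses for MS10-020 in this same commit, so the title looks like a copy-paste leftover. The advisory reference in this plugin's own description is 981169, presumably the intended number: `script_name("Microsoft VBScript Scripting Engine Remote Code Execution Vulnerability (981169)");`, with the header comment updated to match. The overview text also calls the update critical while `risk_factor` is set to High; one of the two should be adjusted so the report is consistent.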

Added: trunk/openvas-plugins/scripts/secpod_ms10-023.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms10-023.nasl	2010-04-14 15:07:48 UTC (rev 7297)
+++ trunk/openvas-plugins/scripts/secpod_ms10-023.nasl	2010-04-14 15:51:53 UTC (rev 7298)
@@ -0,0 +1,99 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_ms10-023.nasl 8366 2010-04-14 16:18:09Z apr $
+#
+# Microsoft Office Publisher Remote Code Execution Vulnerability (981160)
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2010 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(902158);
+  script_version("$Revision$: 1.0");
+  script_cve_id("CVE-2010-0479");
+  script_bugtraq_id(39347);
+  script_tag(name:"risk_factor", value:"High");
+  script_name("Microsoft Office Publisher Remote Code Execution Vulnerability (981160)");
+  desc = "
+  Overview: This host has critical security update missing according to
+  Microsoft Bulletin MS10-023.
+
+  Vulnerability Insight:
+  The flaw is due to error in opening a specially crafted 'Publisher' file. This
+  can be exploited to corrupt memory and cause an invalid value to be dereferenced
+  as a pointer.
+
+  Impact:
+  Successful exploitation could execute arbitrary code on the remote system
+  via a specially crafted Publisher file.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  Microsoft Office Publisher 2002 SP 3 and prior
+  Microsoft Office Publisher 2003 SP 3 and prior
+  Microsoft Office Publisher 2007 SP 2 and prior.
+
+  Fix:
+  Run Windows Update and update the listed hotfixes or download and
+  update mentioned hotfixes in the advisory from the below link.
+  http://www.microsoft.com/technet/security/bulletin/ms10-023.mspx
+
+  References:
+  http://www.microsoft.com/technet/security/bulletin/ms09-23.mspx ";
+
+  script_description(desc);
+  script_summary("Check for the Office Publisher version");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2010 SecPod");
+  script_family("Windows : Microsoft Bulletins");
+  script_dependencies("secpod_office_products_version_900032.nasl",
+                      "secpod_ms_office_detection_900025.nasl");
+  script_require_keys("SMB/WindowsVersion", "SMB/Office/Publisher/Version");
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+## Check for Office XP or 2003 or 2007
+officeVer = get_kb_item("MS/Office/Ver");
+if(!officeVer){
+  exit(0);
+}
+
+if(officeVer =~ "^[10|11|12].*")
+{
+  ## Grep for Office Publisher Version from KB
+  pubVer = get_kb_item("SMB/Office/Publisher/Version");
+  if(!pubVer){
+    exit(0);
+  }
+
+  ## Check for Office Publisher 10.0 < 10.0.6861.0
+  ## Check for Office Publisher 11.0 < 11.0.8321.0
+  ## Check for Office Publisher 12.0 < 12.0.6527.5000
+  if(version_in_range(version:pubVer, test_version:"10.0",test_version2:"10.0.6860") ||
+     version_in_range(version:pubVer, test_version:"11.0",test_version2:"11.0.8320") ||
+     version_in_range(version:pubVer, test_version:"12.0",test_version2:"12.0.6527.4999")){
+    security_hole(0);
+  }
+}
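Review bot: The pattern in `officeVer =~ "^[10|11|12].*"` is a bracket expression, so it matches any string whose first character is `0`, `1`, `2` or `|` rather than the major versions 10, 11 and 12; `if(officeVer =~ "^(10|11|12)\.")` expresses the intended test. The later `version_in_range` calls still bound the Publisher version, so the effect is probably limited to the gate being wider than the comment above it says. The References entry points at `ms09-23.mspx` although the Fix section and the rest of the plugin refer to MS10-023; it should likely read `ms10-023.mspx`.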

Added: trunk/openvas-plugins/scripts/secpod_ms10-025.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms10-025.nasl	2010-04-14 15:07:48 UTC (rev 7297)
+++ trunk/openvas-plugins/scripts/secpod_ms10-025.nasl	2010-04-14 15:51:53 UTC (rev 7298)
@@ -0,0 +1,110 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_ms10-025.nasl 8358 2010-04-14 14:35:29Z apr $
+#
+# Microsoft Windows Media Services Remote Code Execution Vulnerability (980858)
+#
+# Authors:
+# Sooraj KS <kssooraj at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2010 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(901102);
+  script_version("$Revision$: 1.0");
+  script_cve_id("CVE-2010-0478");
+  script_tag(name:"risk_factor", value:"Critical");
+  script_name("Microsoft Windows Media Services Remote Code Execution Vulnerability (980858)");
+  desc = "
+  Overview: This host has critical security update missing according to
+  Microsoft Bulletin MS10-025.
+
+  Vulnerability Insight:
+  This flaw is caused by a buffer overflow error in the Windows Media Unicast
+  Service within the Windows Media Services component when handling transport
+  information network packets, which could allow remote attackers to crash an
+  affected service or execute arbitrary code by sending malformed packets.
+
+  Impact:
+  Successful exploitation could allow attackers to execute arbitrary code with
+  system level privileges.
+
+  Impact Level: System
+
+  Affected Software/OS:
+  Microsoft Windows 2000 Server Service Pack 4 and prior.
+
+  Fix:
+  Run Windows Update and update the listed hotfixes or download and
+  update mentioned hotfixes in the advisory from the below link,
+  http://www.microsoft.com/technet/security/bulletin/ms10-025.mspx
+
+  References:
+  http://isc.sans.org/diary.html?storyid=8626
+  http://www.vupen.com/english/advisories/2010/0868
+  http://www.microsoft.com/technet/security/bulletin/ms10-025.mspx ";
+
+  script_description(desc);
+  script_summary("Check for the vulnerable 'Nsum.exe' file version");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2010 SecPod");
+  script_family("Windows : Microsoft Bulletins");
+  script_dependencies("secpod_reg_enum.nasl");
+  script_require_ports(139, 445);
+  exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
+
+if(hotfix_check_sp(win2k:5) <= 0){
+  exit(0);
+}
+
+## Check for MS10-025 Hotfix
+if(hotfix_missing(name:"980858") == 0){
+  exit(0);
+}
+
+sysPath = registry_get_sz(key:"SOFTWARE\Microsoft\COM3\Setup",
+                          item:"Install Path");
+if(!sysPath){
+  exit(0);
+}
+
+share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:sysPath);
+file =  ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1",
+                     string:sysPath + "\windows media\server\Nsum.exe");
+
+exeVer = GetVer(file:file, share:share);
+if(!exeVer){
+  exit(0);
+}
+
+## Windows 2K
+if(hotfix_check_sp(win2k:5) > 0)
+{
+  ## Grep for Nsum.exe version < 4.1.0.3938
+  if(version_is_less(version:exeVer, test_version:"4.1.0.3938")){
+    security_hole(0);
+  }
+}
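Review bot: The final `if(hotfix_check_sp(win2k:5) > 0)` repeats the gate at the top of the script, which has already exited for every other result, so the version comparison can stand on its own: `if(version_is_less(version:exeVer, test_version:"4.1.0.3938")){ security_hole(0); }`. A short comment on the `if(!exeVer)` exit would also help, for example `## Nsum.exe not found: Windows Media Services presumably not installed, nothing to report`. That exit appears to be what keeps the plugin quiet on Windows 2000 hosts without the component.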

Added: trunk/openvas-plugins/scripts/secpod_ms10-026.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms10-026.nasl	2010-04-14 15:07:48 UTC (rev 7297)
+++ trunk/openvas-plugins/scripts/secpod_ms10-026.nasl	2010-04-14 15:51:53 UTC (rev 7298)
@@ -0,0 +1,107 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_ms10-026.nasl 8359 2010-04-14 10:40:35Z apr $
+#
+# Microsoft MPEG Layer-3 Codecs Remote Code Execution Vulnerability (977816)
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2010 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(902038);
+  script_version("$Revision$: 1.0");
+  script_cve_id("CVE-2010-0480");
+  script_tag(name:"risk_factor", value:"High");
+  script_name("Microsoft MPEG Layer-3 Codecs Remote Code Execution Vulnerability (977816)");
+  desc = "
+  Overview: This host has critical security update missing according to
+  Microsoft Bulletin MS10-026.
+
+  Vulnerability Insight:
+  The flaw is due the error in 'Microsoft MPEG Layer-3 audio codecs', which
+  does not properly handle specially crafted AVI files containing an MPEG
+  Layer-3 audio stream.
+
+  Impact:
+  Successful exploitation could allow remote attackers to gain complete control
+  of an affected system remotely. An attacker could install programs view,
+  change, or delete data; or create new accounts with full user rights.
+
+  Impact Level: System
+
+  Affected Software/OS:
+  Microsoft Windows 2000 Service Pack 4 and prior
+  Microsoft Windows XP Service Pack 3 and prior
+  Microsoft Windows 2003 Service Pack 2 and prior
+
+  Fix:
+  Run Windows Update and update the listed hotfixes or download and
+  update mentioned hotfixes in the advisory from the below link,
+  http://www.microsoft.com/technet/security/Bulletin/MS10-026.mspx
+
+  References:
+  http://www.microsoft.com/technet/security/Bulletin/MS10-026.mspx
+  http://www.symantec.com/connect/blogs/microsoft-patch-tuesday-april-2010 ";
+
+  script_description(desc);
+  script_summary("Check for the vulnerable 'L3codecx.ax' file version");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2010 SecPod");
+  script_family("Windows : Microsoft Bulletins");
+  script_dependencies("secpod_reg_enum.nasl");
+  script_require_ports(139, 445);
+  exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
+
+if(hotfix_check_sp(win2k:5, xp:4, win2003:3) <= 0){
+  exit(0);
+}
+
+# Check for MS10-026 Hotfix
+if(hotfix_missing(name:"977816") == 0){
+ exit(0);
+}
+
+sysPath = registry_get_sz(key:"SOFTWARE\Microsoft\COM3\Setup",
+                          item:"Install Path");
+if(!sysPath){
+  exit(0);
+}
+
+share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:sysPath);
+file =  ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1",
+                      string:sysPath + "\l3codecx.ax");
+
+sysVer = GetVer(file:file, share:share);
+if(!sysVer){
+  exit(0);
+}
+
+# Grep L3codecx.ax version < 1.6.0.51
+if(version_is_less(version:sysVer, test_version:"1.6.0.51")){
+  security_hole(0);
+}
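Review bot: The two `ereg_replace` calls that derive `share` and `file` from `sysPath` match only an upper-case drive letter (`[A-Z]:`), so a registry value such as `c:\windows\system32` would pass through unchanged. `GetVer` would then presumably fail on the malformed share, and the script would exit silently even though the KB977816 hotfix check had not found the patch. Passing `icase:TRUE` to both calls, or widening the class to `[A-Za-z]`, closes that gap. The same derivation is repeated in the secpod_ms10-027, -028 and -029 hunks below. A comment above `if(!sysVer)` such as `# file not readable over SMB: nothing is reported although the hotfix was not found` would make the silent exit explicit.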

Added: trunk/openvas-plugins/scripts/secpod_ms10-027.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms10-027.nasl	2010-04-14 15:07:48 UTC (rev 7297)
+++ trunk/openvas-plugins/scripts/secpod_ms10-027.nasl	2010-04-14 15:51:53 UTC (rev 7298)
@@ -0,0 +1,138 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_ms10-027.nasl 8360 2010-04-14 09:30:09Z apr $
+#
+# Microsoft Windows Media Player Could Allow Remote Code Execution (979402)
+#
+# Authors:
+# Veerendra GG <veerendragg at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2010 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(900235);
+  script_version("$Revision$: 1.0");
+  script_bugtraq_id(39351);
+  script_cve_id("CVE-2010-0268");
+  script_tag(name:"Risk Factor", value:"Critical");
+  script_name("Microsoft Windows Media Player Could Allow Remote Code Execution (979402)");
+  desc = "
+  Overview: This host has critical security update missing according to
+  Microsoft Bulletin MS10-027.
+
+  Vulnerability Insight:
+  The flaw exists because Windows Media Player ActiveX control incorrectly
+  handles specially crafted media content hosted on a malicious Web site.
+
+  Impact:
+  Successful exploitation will let the remote attackers to execute arbitrary 
+  code with the privileges of the user running the applications.
+
+  Impact Level: Application/System
+
+  Affected Software/OS:
+  Windows Media Player 9 Series on,
+  Microsoft Windows 2K Service Pack 4 and prior.
+  Microsoft Windows XP Service Pack 3 and prior.
+
+  Fix:
+  Run Windows Update and update the listed hotfixes or download and
+  update mentioned hotfixes in the advisory from the below link,
+  http://www.microsoft.com/technet/security/Bulletin/MS10-027.mspx
+
+  References:
+  http://secunia.com/advisories/3938
+  http://support.microsoft.com/kb/979402
+  http://www.microsoft.com/technet/security/Bulletin/MS10-027.mspx ";
+
+  script_description(desc);
+  script_summary("Check for the version of Wmp.dll file");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2010 SecPod");
+  script_family("Windows : Microsoft Bulletins");
+  script_dependencies("secpod_reg_enum.nasl");
+  script_require_ports(139, 445);
+  exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
+
+## Check for OS and Service Pack
+if(hotfix_check_sp(win2k:5, xp:4) <= 0){
+  exit(0);
+}
+
+## MS10-027 Hotfix check
+if(hotfix_missing(name:"979402") == 0){
+  exit(0);
+}
+
+## Check Hotfix Missing for Media player
+sysPath = registry_get_sz(key:"SOFTWARE\Microsoft\COM3\Setup",
+                          item:"Install Path");
+if(!sysPath){
+  exit(0);
+}
+
+share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:sysPath);
+file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1", string:sysPath + "\wmp.dll");
+windowsMediaPlayerVer = GetVer(file:file, share:share);
+
+if(!windowsMediaPlayerVer){
+  exit(0);
+}
+
+## Windows 2K
+if(hotfix_check_sp(win2k:5) > 0)
+{
+  ## Grep for Wmp.dll from version 9 to 9.0.0.3367
+  if(version_in_range(version:windowsMediaPlayerVer, test_version:"9",
+                                                    test_version2:"9.0.0.3366")){
+    security_hole(0);
+  }
+  exit(0);
+}
+
+## Windows XP
+if(hotfix_check_sp(xp:4) > 0)
+{
+  SP = get_kb_item("SMB/WinXP/ServicePack");
+  if("Service Pack 2" >< SP)
+  {
+    ## Grep for Wmp.dll from version 9 to 9.0.0.3367
+    if(version_in_range(version:windowsMediaPlayerVer, test_version:"9",
+                                            test_version2:"9.0.0.3366")){
+      security_hole(0);
+    }
+    exit(0);
+  }
+  else if("Service Pack 3" >< SP)
+  {
+    ## Grep for Wmp.dll from version 9 to 9.0.0.4508
+    if(version_in_range(version:windowsMediaPlayerVer, test_version:"9",
+                                            test_version2:"9.0.0.4507")){
+      security_hole(0);
+    }
+    exit(0);
+  }
+}
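Review bot: The `script_tag` line spells the key `name:"Risk Factor"`, while the other plugins added in this commit use `name:"risk_factor"`. A consumer that looks the rating up by the lower-case key would presumably find none for this plugin, so `script_tag(name:"risk_factor", value:"Critical");` keeps it consistent. In the Windows XP block, a host whose `SMB/WinXP/ServicePack` value is neither Service Pack 2 nor Service Pack 3 leaves the script with no result, which is the opposite of what secpod_ms10-029.nasl does in the same situation; a comment stating which behaviour is intended would help. The `## Grep for Wmp.dll from version 9 to ...` comments name 3367 and 4508 while the inclusive upper bounds passed are 3366 and 4507, so wording them as `< 9.0.0.3367` and `< 9.0.0.4508` would match the code.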

Added: trunk/openvas-plugins/scripts/secpod_ms10-028.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms10-028.nasl	2010-04-14 15:07:48 UTC (rev 7297)
+++ trunk/openvas-plugins/scripts/secpod_ms10-028.nasl	2010-04-14 15:51:53 UTC (rev 7298)
@@ -0,0 +1,103 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_ms10-028.nasl 8364 2010-04-14 15:26:22Z apr $
+#
+# Microsoft Visio Remote Code Execution Vulnerabilities (980094)
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright (c) 2010 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(902039);
+  script_version("$Revision$: 1.0");
+  script_cve_id("CVE-2010-0254", "CVE-2010-0256");
+  script_bugtraq_id(39300, 39302);
+  script_tag(name:"risk_factor", value:"High");
+  script_name("Microsoft Visio Remote Code Execution Vulnerabilities (980094)");
+  desc = "
+  Overview: This host has critical security update missing according to
+  Microsoft Bulletin MS10-028.
+
+  Vulnerability Insight:
+  The flaws exists due to the way that Microsoft Office Visio calculates
+  'indexes' and validates 'attributes' when handling specially crafted Visio
+  files.
+
+  Impact:
+  Successful exploitation could allow users to execute arbitrary code via a
+  specially crafted Visio file.
+
+  Impact Level: System
+
+  Affected Software/OS:
+  Microsoft Office Visio 2002/2003/2007 on Windows
+
+  Fix:
+  Run Windows Update and update the listed hotfixes or download and
+  update mentioned hotfixes in the advisory from the below link,
+  http://www.microsoft.com/technet/security/bulletin/MS10-028.mspx
+
+  References:
+  http://www.fortiguard.com/advisory/FGA-2010-17.html
+  http://securitytracker.com/alerts/2010/Apr/1023856.html
+  http://www.microsoft.com/technet/security/bulletin/MS10-028.mspx ";
+
+  script_description(desc);
+  script_summary("Check for version of vulnurable file 'visio.exe'");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2010 SecPod");
+  script_family("Windows : Microsoft Bulletins");
+  script_dependencies("secpod_reg_enum.nasl");
+  script_require_ports(139, 445);
+  exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
+
+if(hotfix_check_sp(win2k:5, xp:4, win2003:3) <= 0){
+  exit(0);
+}
+
+ovPath = registry_get_sz(item:"Path",
+         key:"SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\visio.exe");
+
+if(!ovPath){
+  exit(0);
+}
+
+share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:ovPath);
+file =  ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1",
+                     string:ovPath + "visio.exe");
+
+exeVer = GetVer(file:file, share:share);
+if(!exeVer){
+  exit(0);
+}
+
+# Check for visio.exe version for 2002, 2003 and 2007
+if(version_in_range(version:exeVer, test_version:"11.0", test_version2:"11.0.8206" ) ||
+   version_in_range(version:exeVer, test_version:"10.0", test_version2:"10.0.6890.3") ||
+   version_in_range(version:exeVer, test_version:"12.0", test_version2:"12.0.6520.4999")){
+ security_hole(0);
+}
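Review bot: The `hotfix_check_sp(win2k:5, xp:4, win2003:3)` gate makes the plugin exit on every other Windows release, although the description lists Visio 2002/2003/2007 "on Windows". The check itself only reads the App Paths registry key and the visio.exe version, neither of which depends on the OS, so a vulnerable Visio on a later Windows release would go unreported. Either extend the gate to the releases the hotfix library supports, or state the limit in a comment such as `# limited to Win2K/XP/2003; Visio on later Windows releases is not checked`. Separately, `ovPath + "visio.exe"` adds no path separator and so relies on the registry `Path` value ending in a backslash; a one-line comment noting that assumption, or normalising the value first, would avoid a silent miss.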

Added: trunk/openvas-plugins/scripts/secpod_ms10-029.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms10-029.nasl	2010-04-14 15:07:48 UTC (rev 7297)
+++ trunk/openvas-plugins/scripts/secpod_ms10-029.nasl	2010-04-14 15:51:53 UTC (rev 7298)
@@ -0,0 +1,140 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_ms10-029.nasl 8365 2010-04-14 09:14:35Z apr $
+#
+# Microsoft 'ISATAP' Component Spoofing Vulnerability (978338)
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2010 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(902157);
+  script_version("$Revision$:1.0");
+  script_cve_id("CVE-2010-0812");
+  script_bugtraq_id(39352);
+  script_tag(name:"risk_factor", value:"Critical");
+  script_name("Microsoft 'ISATAP' Component Spoofing Vulnerability (978338)");
+  desc = "
+  Overview: This host has critical security update missing according to
+  Microsoft Bulletin MS10-029.
+
+  Vulnerability Insight:
+  The flaw caused due to error in 'ISATAP' Component when handling 'IPv4'
+  address, allows an attacker to spoof an IPv6 address so that it can bypass
+  filtering devices that rely on the source IPv6 address.
+
+  Impact:
+  Successful exploitation could allow remote attackers to spoof IPv6
+  addresses and information disclosure and other attacks may also be
+  possible.
+
+  Impact Level: System
+
+  Affected Software/OS:
+  Microsoft Windows XP Service Pack 3 and prior
+  Microsoft Windows 2003 Service Pack 2 and prior
+
+  Fix:
+  Run Windows Update and update the listed hotfixes or download and
+  update mentioned hotfixes in the advisory from the below link,
+  http://www.microsoft.com/technet/security/bulletin/ms10-029.mspx
+
+  References:
+  http://isc.sans.org/diary.html?storyid=8626
+  http://www.microsoft.com/technet/security/bulletin/ms10-029.mspx ";
+
+  script_description(desc);
+  script_summary("Check for the vulnerable 'Tcpip6.sys' file version");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2010 SecPod");
+  script_family("Windows : Microsoft Bulletins");
+  script_dependencies("secpod_reg_enum.nasl");
+  script_require_ports(139, 445);
+  exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
+
+if(hotfix_check_sp(xp:4, win2003:3) <= 0){
+  exit(0);
+}
+
+# Check for MS10-029 Hotfix
+if(hotfix_missing(name:"978338") == 0){
+  exit(0);
+}
+
+sysPath = registry_get_sz(key:"SOFTWARE\Microsoft\COM3\Setup",
+                          item:"Install Path");
+if(!sysPath){
+  exit(0);
+}
+
+share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:sysPath);
+file =  ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1",
+                     string:sysPath + "\drivers\Tcpip6.sys");
+
+sysVer = GetVer(file:file, share:share);
+if(!sysVer){
+  exit(0);
+}
+
+# Windows XP
+if(hotfix_check_sp(xp:4) > 0)
+{
+  SP = get_kb_item("SMB/WinXP/ServicePack");
+  if("Service Pack 2" >< SP)
+  {
+    # Grep for Tcpip6.sys < 5.1.2600.3667
+    if(version_is_less(version:sysVer, test_version:"5.1.2600.3667")){
+      security_hole(0);
+    }
+    exit(0);
+  }
+  else if("Service Pack 3" >< SP)
+  {
+    # Grep for Tcpip6.sys < 5.1.2600.5935
+    if(version_is_less(version:sysVer, test_version:"5.1.2600.5935")){
+      security_hole(0);
+    }
+    exit(0);
+  }
+  security_hole(0);
+}
+
+# Windows 2003
+else if(hotfix_check_sp(win2003:3) > 0)
+{
+  SP = get_kb_item("SMB/Win2003/ServicePack");
+  if("Service Pack 2" >< SP)
+  {
+    # Grep for Tcpip6.sys version < 5.2.3790.4662
+    if(version_is_less(version:sysVer, test_version:"5.2.3790.4662")){
+      security_hole(0);
+    }
+    exit(0);
+  }
+  security_hole(0);
+}
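Review bot: The bare `security_hole(0);` that closes the Windows XP block and the Windows 2003 block reports the host without ever comparing `sysVer`. It is reached whenever the service-pack string matches none of the tested values, which appears to include an empty or unset `SMB/WinXP/ServicePack` or `SMB/Win2003/ServicePack` item. If the intent is that older service packs are always affected, say so in a comment, e.g. `# no SP2/SP3 match: older service pack, reported without a version comparison`. Consider `if(!SP){ exit(0); }` right after each `get_kb_item` call so that a missing knowledge-base entry does not produce a finding. This differs from secpod_ms10-027.nasl in the same commit, which reports nothing in that case.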

Modified: trunk/openvas-plugins/scripts/secpod_ssl_ciphers.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ssl_ciphers.nasl	2010-04-14 15:07:48 UTC (rev 7297)
+++ trunk/openvas-plugins/scripts/secpod_ssl_ciphers.nasl	2010-04-14 15:51:53 UTC (rev 7298)
@@ -79,6 +79,9 @@
         CIPHER_CODE = raw_string(0x01, 0x00, 0x80);
         c_hello = construct_ssl_req(SSL_VER:SSL_VER, CIPHER:CIPHER_CODE);
         s_hello = get_ssl_server_hello(ssl_req:c_hello);
+        if(!s_hello || isnull(s_hello)){
+          continue;
+        }
         if(!(ord(s_hello[2]) == 4 && ord(s_hello[5]) == 0 && ord(s_hello[6]) == 2)){
             continue;
         }
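Review bot: The added guard rejects only an empty or null `s_hello`; a non-empty reply shorter than seven bytes still reaches `ord(s_hello[6])` on the following line. The guard should also test the length, e.g. `if(isnull(s_hello) || strlen(s_hello) < 7){ continue; }`. In all four changed conditions (this hunk and the three `res` hunks that follow) `!x || isnull(x)` looks redundant, presumably because `!x` is already true for a null value; if both tests are needed for the dump errors being addressed, a short comment saying why would help. The enclosing loop starts and ends outside this hunk.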
@@ -108,7 +111,7 @@
     req = construct_ssl_req(SSL_VER:SSL_VER, CIPHER:CIPHER_CODE);
     res = get_ssl_server_hello(ssl_req:req);
 
-    if(!res){
+    if(!res || isnull(res)){
       continue;
     }
 
@@ -155,7 +158,7 @@
     req = construct_ssl_req(SSL_VER:SSL_VER, CIPHER:CIPHER_CODE);
     res = get_ssl_server_hello(ssl_req:req);
 
-    if(!res){
+    if(!res || isnull(res)){
       continue;
     }
 
@@ -202,7 +205,7 @@
     req = construct_ssl_req(SSL_VER:SSL_VER, CIPHER:CIPHER_CODE);
     res = get_ssl_server_hello(ssl_req:req);
 
-    if(!res){
+    if(!res || isnull(res)){
       continue;
     }
 
@@ -241,5 +244,3 @@
   ## Display Final report
   security_note(data:complete_note, port:sslPort);
 }
-
-exit(0);


