[Openvas-commits] r9703 - in trunk/openvas-plugins: . scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Mon Dec 13 15:28:58 CET 2010


Author: chandra
Date: 2010-12-13 15:28:53 +0100 (Mon, 13 Dec 2010)
New Revision: 9703

Added:
   trunk/openvas-plugins/scripts/gb_firefox_sec_bypass_vuln_win.nasl
   trunk/openvas-plugins/scripts/gb_freefloat_ftp_server_dir_trav_vun.nasl
   trunk/openvas-plugins/scripts/gb_phpmyadmin_bbcode_xss_vuln.nasl
   trunk/openvas-plugins/scripts/gb_vmware_prdts_mem_corruption_n_bof_vuln_win.nasl
   trunk/openvas-plugins/scripts/gb_vmware_prdts_mult_loc_prev_escl_vuln_lin.nasl
   trunk/openvas-plugins/scripts/gb_vmware_prdts_tools_loc_prev_escl_vuln_lin.nasl
   trunk/openvas-plugins/scripts/gb_vmware_prdts_tools_loc_prev_escl_vuln_win.nasl
Modified:
   trunk/openvas-plugins/ChangeLog
Log:
Added new plugins

Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2010-12-13 13:38:21 UTC (rev 9702)
+++ trunk/openvas-plugins/ChangeLog	2010-12-13 14:28:53 UTC (rev 9703)
@@ -1,4 +1,15 @@
 2010-12-13  Chandrashekhar B <bchandra at secpod.com>
+
+	* scripts/gb_vmware_prdts_mem_corruption_n_bof_vuln_win.nasl,
+	scripts/gb_phpmyadmin_bbcode_xss_vuln.nasl,
+	scripts/gb_vmware_prdts_mult_loc_prev_escl_vuln_lin.nasl,
+	scripts/gb_vmware_prdts_tools_loc_prev_escl_vuln_lin.nasl,
+	scripts/gb_firefox_sec_bypass_vuln_win.nasl,
+	scripts/gb_freefloat_ftp_server_dir_trav_vun.nasl,
+	scripts/gb_vmware_prdts_tools_loc_prev_escl_vuln_win.nasl:
+	Added new plugins.
+
+2010-12-13  Chandrashekhar B <bchandra at secpod.com>
 	
 	* scripts/gb_ms09-036.nasl:
 	Added new plugin.

Added: trunk/openvas-plugins/scripts/gb_firefox_sec_bypass_vuln_win.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_firefox_sec_bypass_vuln_win.nasl	2010-12-13 13:38:21 UTC (rev 9702)
+++ trunk/openvas-plugins/scripts/gb_firefox_sec_bypass_vuln_win.nasl	2010-12-13 14:28:53 UTC (rev 9703)
@@ -0,0 +1,81 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_firefox_sec_bypass_vuln_win.nasl 12547 2010-12-10 09:43:33Z dec $
+#
+# Mozilla Firefox Browser Security Bypass Vulnerabilities - Win
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(801562);
+  script_version("$Revision$: 1.0");
+  script_tag(name:"cvss_base", value:"5.0");
+  script_tag(name:"risk_factor", value:"Medium");
+  script_cve_id("CVE-2010-4508");
+  script_name("Mozilla Firefox Browser Security Bypass Vulnerabilities - Win");
+  desc = "
+
+  Overview: The host is installed with Mozilla Firefox browser and is prone to
+  secuirty bypass vulnerability.
+
+  Vulnerability Insight:
+  The flaw is caused due to error in 'WebSockets' implementation, does not properly
+  perform proxy upgrade negotiation, which has unspecified impact and remote attack
+  vectors.
+
+  Impact: Successful exploitation will let the attacker to bypass intended access
+  restrictions.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  Firefox version 4.0 to 4.0 Beta 7 on Windows
+
+  Fix:  No solution or patch is available as on 11th December, 2010. Information
+  regarding this issue will be updated once the solution details are available.
+  For updates refer, http://www.mozilla.com/en-US/firefox/all.html
+
+  References:
+  https://wiki.mozilla.org/Platform/2010-12-07 ";
+
+  script_description(desc);
+  script_summary("Check for the version of Firefox");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (c) 2010 Greenbone Networks GmbH");
+  script_family("General");
+  script_dependencies("gb_firefox_detect_win.nasl");
+  script_require_keys("Firefox/Win/Ver");
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+ffVer = get_kb_item("Firefox/Win/Ver");
+if(!ffVer){
+  exit(0);
+}
+
+# Grep for firefox version 4.0 to 4.0.b7
+if(version_in_range(version:ffVer, test_version:"4.0", test_version2:"4.0.b7")){
+  security_warning(0);
+}
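Review bot: The range check at the end of the script uses `test_version:"4.0"` as its lower bound, so a host whose KB value is exactly `4.0` (a final release) would presumably be reported, although the description limits the issue to the 4.0 betas up to Beta 7. Whether betas are stored in `Firefox/Win/Ver` in the `4.0.bN` form that `test_version2:"4.0.b7"` assumes depends on gb_firefox_detect_win.nasl, which is not part of this commit. A comment above the check stating the expected KB format would help, for example `# Firefox/Win/Ver holds betas as 4.0.b1 .. 4.0.b7 (see gb_firefox_detect_win.nasl)`, and the lower bound could then be tightened to the first beta. The description text also contains the typo `secuirty`.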

Added: trunk/openvas-plugins/scripts/gb_freefloat_ftp_server_dir_trav_vun.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_freefloat_ftp_server_dir_trav_vun.nasl	2010-12-13 13:38:21 UTC (rev 9702)
+++ trunk/openvas-plugins/scripts/gb_freefloat_ftp_server_dir_trav_vun.nasl	2010-12-13 14:28:53 UTC (rev 9703)
@@ -0,0 +1,144 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_freefloat_ftp_server_dir_trav_vun.nasl 12461 2010-12-13 16:10:56Z dec $
+#
+# Freefloat FTP Server Directory Traversal Vulnerability
+#
+# Authors:
+# Veerendra GG <veerendragg at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.ne
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(800188);
+  script_version("$Revision$:1.0");
+  script_bugtraq_id(45218);
+  script_tag(name:"cvss_base", value:"6.4");
+  script_tag(name:"risk_factor", value:"High");
+  script_name("Freefloat FTP Server Directory Directory Traversal Vulnerability");
+  desc = "
+  Overview:
+  The host is running Freefloat FTP Server and is prone to directory traversal
+  vulnerability.
+
+  Vulnerability Insight:
+  The flaw is caused due to an error while handling certain requests, which
+  can be exploited to download arbitrary files from the host system via
+  directory traversal attack.
+
+  Impact:
+  Successful exploitation will allow attackers to read arbitrary files
+  on the affected application.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  Freefloat FTPserver version 1.00
+
+  Fix: No solution/patch is available as on 13th December, 2010. Information
+  regarding this issue will updated once the solution details are available.
+  For updates refer,
+  http://www.freefloat.com/sv/freefloat-ftp-server/freefloat-ftp-server.php
+
+  References:
+  http://www.securityfocus.com/bid/45218/info
+  http://packetstormsecurity.org/files/view/96423/freefloat-traversal.txt ";
+
+  script_description(desc);
+  script_summary("Try Directory Traversal Attack on Freefloat FTP server");
+  script_category(ACT_ATTACK);
+  script_copyright("Copyright (C) 2010 SecPod");
+  script_family("FTP");
+  script_require_ports("Services/ftp", 21);
+  exit(0);
+}
+
+##
+## The script code starts here
+##
+
+include("ftp_func.inc");
+
+## Get the default FTP port
+ftpPort = get_kb_item("Services/ftp");
+if(!ftpPort){
+  ftpPort = 21;
+}
+
+## Check FTP Port Status
+if(!get_port_state(ftpPort)){
+  exit(0);
+}
+
+## Confirm the application with FTP banner
+banner = get_ftp_banner(port:ftpPort);
+if("FreeFloat Ftp Server" >!< banner){
+  exit(0);
+}
+
+## Open a Socket to FTP port
+soc1 = open_sock_tcp(ftpPort);
+if(!soc1){
+  exit(0);
+}
+
+## Get User and Pass from KB
+user = get_kb_item("ftp/login");
+pass = get_kb_item("ftp/password");
+
+## Use default Passwords,
+## If user and pass are not given
+if(!user){
+  user = "anonymous";
+}
+if(!pass){
+  pass = "anonymous";
+}
+
+## Login with given credentials
+login_details = ftp_log_in(socket:soc1, user:user, pass:pass);
+if(login_details)
+{
+  chk_res = "Windows";
+
+  ## Change Current working Directory using Directory Traversal
+  send(socket:soc1, data:'CWD ../../../../../../Windows\r\n');
+  atkres1 = ftp_recv_line(socket:soc1);
+
+  ## If CWD is not successful, then try to CWD to WINNT
+  if("250 CWD command successful" >!< atkres1)
+  {
+    send(socket:soc1, data:'CWD ../../../../../../WINNT\r\n');
+    atkres1 = ftp_recv_line(socket:soc1);
+    chk_res = "WINNT";
+  }
+
+  ## Send Present Working Directory command
+  send(socket:soc1, data:'PWD\r\n');
+  atkres2 = ftp_recv_line(socket:soc1);
+
+  ## Confirm the Exploit by checking the resopnse from server
+  if("250 CWD command successful" >< atkres1 && "257 ">< atkres2 &&
+                                              chk_res >< atkres2){
+    security_hole(port:ftpPort);
+  }
+}
+
+## Close FTP socket
+ftp_close(socket:soc1);
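Review bot: The description block declares no `script_dependencies`, so nothing visible guarantees that `Services/ftp`, `ftp/login` and `ftp/password` have been populated before the script reads them; every other plugin added in this commit names its detection script. Adding `script_dependencies("find_service.nasl");` next to `script_require_ports`, plus whichever script sets the FTP credentials in this tree, would make the ordering explicit. Without it the check can silently fall back to port 21 and anonymous/anonymous and miss a server on another port or one that needs the configured login. `script_name` also repeats the word "Directory", and `script_copyright` names SecPod while the file header names Greenbone Networks.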


Property changes on: trunk/openvas-plugins/scripts/gb_freefloat_ftp_server_dir_trav_vun.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/gb_phpmyadmin_bbcode_xss_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_phpmyadmin_bbcode_xss_vuln.nasl	2010-12-13 13:38:21 UTC (rev 9702)
+++ trunk/openvas-plugins/scripts/gb_phpmyadmin_bbcode_xss_vuln.nasl	2010-12-13 14:28:53 UTC (rev 9703)
@@ -0,0 +1,100 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_phpmyadmin_bbcode_xss_vuln.nasl 12518 2010-12-10 11:11:11Z dec $
+#
+# phpMyAdmin 'error.php' Cross Site Scripting Vulnerability
+#
+# Authors:
+# Sooraj KS <kssooraj at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(801660);
+  script_version("$Revision$: 1.0");
+  script_cve_id("CVE-2010-4480");
+  script_tag(name:"cvss_base", value:"4.3");
+  script_tag(name:"risk_factor", value:"Medium");
+  script_name("phpMyAdmin 'error.php' Cross Site Scripting Vulnerability");
+  desc = "
+  Overview: The host is running phpMyAdmin and is prone to Cross-Site Scripting
+  Vulnerability.
+
+  Vulnerability Insight:
+  The flaw is caused by input validation errors in the 'error.php' script when
+  processing crafted BBcode tags containing '@' characters, which could allow
+  attackers to inject arbitrary HTML code within the error page and conduct
+  phishing attacks.
+
+  Impact:
+  Successful exploitation will let the attackers to inject arbitrary HTML code
+  within the error page and conduct phishing attacks.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  phpMyAdmin version 3.3.8.1 and prior.
+
+  Fix: No solution or patch is available as on 10th December, 2010. Information
+  regarding this issue will be updated once the solution details are available.
+  For updates refer, http://www.phpmyadmin.net/home_page/downloads.php
+
+  References:
+  http://www.exploit-db.com/exploits/15699/
+  http://www.vupen.com/english/advisories/2010/3133 ";
+
+  script_description(desc);
+  script_summary("Check if phpMyAdmin is vulnerable to Cross-Site Scripting");
+  script_category(ACT_ATTACK);
+  script_copyright("Copyright (C) 2010 Greenbone Networks GmbH");
+  script_family("Web application abuses");
+  script_dependencies("secpod_phpmyadmin_detect_900129.nasl");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+include("http_keepalive.inc");
+
+## Get phpMyAdmin Port
+port = get_http_port(default:80);
+if(!port){
+  exit(0);
+}
+
+## Get phpMyAdmin Location
+if(!dir = get_dir_from_kb(port:port, app:"phpMyAdmin")){
+  exit(0);
+}
+
+## Construct the Attack Request
+url = string(dir,"/error.php?type=OpenVAS+XSS+Test&error=Attack+via+",
+                 "characters+injection+-+[a%40http://www.openvas.org%40_self]",
+                 "This%20Is%20a%20Link[%2Fa]");
+
+## Try attack and check the response to confirm vulnerability
+if(http_vuln_check(port:port, url:url, pattern:'<h1>phpMyAdmin - OpenVAS XSS Test</h1>',
+                   extra_check: make_list('Attack via characters injection',
+                   '<a href="http://www.openvas.org" target="_self">This Is a Link</a>')))
+{
+  security_warning(port);
+  exit(0);
+}
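Review bot: `include("version_func.inc");` is pulled in but the visible script calls no version function, since detection relies only on `http_vuln_check`, so the include can be dropped. The closing `exit(0);` after `security_warning(port);` is the last statement of the script and is redundant. The assignment inside the condition, `if(!dir = get_dir_from_kb(...))`, would read more clearly as a separate `dir = get_dir_from_kb(port:port, app:"phpMyAdmin");` followed by `if(!dir)`. The description states affected versions as 3.3.8.1 and prior, but the result depends only on the reflected markup, which is worth saying in a comment above the request.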

Added: trunk/openvas-plugins/scripts/gb_vmware_prdts_mem_corruption_n_bof_vuln_win.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_vmware_prdts_mem_corruption_n_bof_vuln_win.nasl	2010-12-13 13:38:21 UTC (rev 9702)
+++ trunk/openvas-plugins/scripts/gb_vmware_prdts_mem_corruption_n_bof_vuln_win.nasl	2010-12-13 14:28:53 UTC (rev 9703)
@@ -0,0 +1,126 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_vmware_prdts_mem_corruption_n_bof_vuln_win.nasl 12459 2010-12-09 13:20:21Z dec $
+#
+# VMware Products Memory Corruption and Buffer Overflow Vulnerability (Win)
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(801558);
+  script_version("$Revision$: 1.0");
+  script_cve_id("CVE-2010-4294");
+  script_bugtraq_id(45169);
+  script_tag(name:"cvss_base", value:"9.3");
+  script_tag(name:"risk_factor", value:"Critical");
+  script_name("VMware Products Memory Corruption and Buffer Overflow Vulnerability (Win)");
+  desc = "
+  Overview : The host is installed with VMWare products and are prone to memory
+  corruption and buffer overflow Vulnerability
+
+  Vulnerability Insight:
+  The flaw is caused due to the VMnc codec 'vmnc.dll' driver which does not
+  properly verify the size when handling 'ICM_DECOMPRESS' driver messages,
+  which can be exploited to corrupt heap memory.
+
+  Impact:
+  Successful exploitation will let the attacker to corrupt heap memory by
+  tricking a user into visiting a malicious website or playing a malicious
+  file.
+
+  Impact Level: System/Application
+
+  Affected Software/OS:
+  VMware Server version  2.x
+  VMware Player 2.5.x before 2.5.5 build 246459 and 3.x before 3.1.2 build 301548
+  VMware Workstation 6.5.x before 6.5.5 build 328052 and 7.x before 7.1.2 build 301548
+
+  Fix:
+  Apply the patch or upgrade workstation 6.5.5 build 328052 or 7.1.2 build 301548
+  http://www.vmware.com/products/ws/
+
+  Apply the patch Upgrade to VMware player 2.5.5 build 246459 and 3.1.2 build 301548
+  http://www.vmware.com/products/player/
+
+  For VMware Server version 2.x ,
+  No solution or patch is available as on 09th December 2010. Information
+  regarding this issue will be updated once the solution details are available.
+  http://downloads.vmware.com/d/info/datacenter_downloads/vmware_server/2_0
+
+  *****
+  NOTE: Ignore this warning, if above mentioned workaround is manually applied.
+  *****
+
+  References:
+  http://secunia.com/advisories/42481
+  http://www.vmware.com/security/advisories/VMSA-2010-0018.html
+  http://lists.vmware.com/pipermail/security-announce/2010/000112.html ";
+
+  script_description(desc);
+  script_summary("Check for the version of VMware Products");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (c) 2010 Greenbone Networks GmbH");
+  script_family("General");
+  script_dependencies("gb_vmware_prdts_detect_win.nasl");
+  script_require_keys("VMware/Win/Installed");
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+if(!get_kb_item("VMware/Win/Installed")){
+  exit(0);
+}
+
+# Check for VMware Player
+vmplayerVer = get_kb_item("VMware/Player/Win/Ver");
+if(vmplayerVer != NULL )
+{
+  if(version_in_range(version:vmplayerVer, test_version:"2.5", test_version2:"2.5.4") ||
+     version_in_range(version:vmplayerVer, test_version:"3.0", test_version2:"3.1.1"))
+  {
+    security_hole(0);
+    exit(0);
+  }
+}
+
+#Check for VMware Workstation
+vmworkstnVer = get_kb_item("VMware/Workstation/Win/Ver");
+if(vmworkstnVer != NULL)
+{
+  if(version_in_range(version:vmworkstnVer, test_version:"6.5", test_version2:"6.5.4") ||
+     version_in_range(version:vmworkstnVer, test_version:"7.0", test_version2:"7.1.11"))
+  {
+    security_hole(0);
+    exit(0);
+  }
+}
+
+# VMware Server
+vmserVer = get_kb_item("VMware/Server/Win/Ver");
+if(vmserVer)
+{
+  if(vmserVer =~ "^2.*"){
+   security_hole(0);
+  }
+}
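Review bot: The Workstation check uses `test_version2:"7.1.11"`, which would also report 7.1.2 through 7.1.11 although the description lists 7.x before 7.1.2 as affected. The sibling VMware plugins in this commit use `"7.1.1"`, so this looks like a typo for `test_version2:"7.1.1"`. The VMware Server test `vmserVer =~ "^2.*"` leaves the dot unescaped, so it matches any version string that starts with the digit 2 (a constructed example: `20.1`); `"^2\."` would pin it to the 2.x line. The same pattern appears in gb_vmware_prdts_mult_loc_prev_escl_vuln_lin.nasl, gb_vmware_prdts_tools_loc_prev_escl_vuln_lin.nasl and gb_vmware_prdts_tools_loc_prev_escl_vuln_win.nasl.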

Added: trunk/openvas-plugins/scripts/gb_vmware_prdts_mult_loc_prev_escl_vuln_lin.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_vmware_prdts_mult_loc_prev_escl_vuln_lin.nasl	2010-12-13 13:38:21 UTC (rev 9702)
+++ trunk/openvas-plugins/scripts/gb_vmware_prdts_mult_loc_prev_escl_vuln_lin.nasl	2010-12-13 14:28:53 UTC (rev 9703)
@@ -0,0 +1,126 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_vmware_prdts_mult_loc_prev_escl_vuln_lin.nasl 12459 2010-12-09 14:20:21Z dec $
+#
+# VMware Products Multiple Local Privilege Escalation Vulnerabilities (Linux)
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(801559);
+  script_version("$Revision$: 1.0");
+  script_cve_id("CVE-2010-4295", "CVE-2010-4296");
+  script_bugtraq_id(45167, 45168);
+  script_tag(name:"cvss_base", value:"7.2");
+  script_tag(name:"risk_factor", value:"High");
+  script_name("VMware Products Multiple Local Privilege Escalation Vulnerabilities (Linux)");
+  desc = "
+  Overview : The host is installed with VMWare products multiple local privilege
+  escalation Vulnerabilities.
+
+  Vulnerability Insight:
+  The flaws are caused due to,
+  - Race conditions within the 'vmware-mount' utility when handling temporary
+    files during the mounting process can be exploited to create files or
+    directories.
+  - An error within the 'vmware-mount' utility when loading libraries that can
+    be exploited to execute arbitrary code with root privileges.
+
+  Impact:
+  Successful exploitation will let the attacker to execute arbitrary code with
+  elevated privileges, this may aid in other attacks.
+
+  Impact Level: System/Application
+
+  Affected Software/OS:
+  VMware Server version  2.x
+  VMware Player 3.x before 3.1.2 build 301548
+  VMware Workstation 7.x before 7.1.2 build 301548 on Linux
+
+  Fix:
+  Apply the patch or upgrade workstation 7.1.2 build 301548
+  http://www.vmware.com/products/ws/
+
+  Apply the patch Upgrade to 3.1.2 build 301548
+  http://www.vmware.com/products/player/
+
+  For VMware Server version 2.x ,
+  No solution or patch is available as on 09th December 2010. Information
+  regarding this issue will be updated once the solution details are available.
+  http://downloads.vmware.com/d/info/datacenter_downloads/vmware_server/2_0
+
+  *****
+  NOTE: Ignore this warning, if above mentioned workaround is manually applied.
+  *****
+
+  References:
+  http://secunia.com/advisories/42453/
+  http://www.vmware.com/security/advisories/VMSA-2010-0018.html
+  http://lists.vmware.com/pipermail/security-announce/2010/000112.html ";
+
+  script_description(desc);
+  script_summary("Check for the version of VMware Products");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (c) 2010 Greenbone Networks GmbH");
+  script_family("General");
+  script_dependencies("gb_vmware_prdts_detect_lin.nasl");
+  script_require_keys("VMware/Linux/Installed");
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+if(!get_kb_item("VMware/Linux/Installed")){
+  exit(0);
+}
+
+# Check for VMware Player
+vmplayerVer = get_kb_item("VMware/Player/Linux/Ver");
+if(vmplayerVer != NULL )
+{
+  if(version_in_range(version:vmplayerVer, test_version:"3.0", test_version2:"3.1.1"))
+  {
+    security_hole(0);
+    exit(0);
+  }
+}
+
+#Check for VMware Workstation
+vmworkstnVer = get_kb_item("VMware/Workstation/Linux/Ver");
+if(vmworkstnVer != NULL)
+{
+  if(version_in_range(version:vmworkstnVer, test_version:"7.0", test_version2:"7.1.1"))
+  {
+    security_hole(0);
+    exit(0);
+  }
+}
+
+# VMware Server
+vmserVer = get_kb_item("VMware/Server/Linux/Ver");
+if(vmserVer)
+{
+  if(vmserVer =~ "^2.*"){
+   security_hole(0);
+  }
+}
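Review bot: The description ends with `NOTE: Ignore this warning, if above mentioned workaround is manually applied.`, but the Fix section lists only upgrades and, for Server 2.x, says no solution is available, so no workaround is named for the reader to apply. Because the check is based on version alone, I would reword the note to say that the result reflects only the installed version and cannot detect a manually applied mitigation. The same note appears in the other three VMware plugins added in this commit. The Overview sentence is also missing its verb and would read better as `The host is installed with VMware products and is prone to multiple local privilege escalation vulnerabilities.`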

Added: trunk/openvas-plugins/scripts/gb_vmware_prdts_tools_loc_prev_escl_vuln_lin.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_vmware_prdts_tools_loc_prev_escl_vuln_lin.nasl	2010-12-13 13:38:21 UTC (rev 9702)
+++ trunk/openvas-plugins/scripts/gb_vmware_prdts_tools_loc_prev_escl_vuln_lin.nasl	2010-12-13 14:28:53 UTC (rev 9703)
@@ -0,0 +1,124 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_vmware_prdts_tools_loc_prev_escl_vuln_lin.nasl 12459 2010-12-09 16:20:21Z dec $
+#
+# VMware Products Tools Local Privilege Escalation Vulnerability (Linux)
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(801560);
+  script_version("$Revision$: 1.0");
+  script_cve_id("CVE-2010-4297");
+  script_tag(name:"cvss_base", value:"7.2");
+  script_tag(name:"risk_factor", value:"High");
+  script_name("VMware Products Tools Local Privilege Escalation Vulnerability (Linux");
+  desc = "
+  Overview : The host is installed with VMWare products tools local privilege
+  escalation vulnerability.
+
+  Vulnerability Insight:
+  The flaw is caused due to an error in Tools update functionality, which
+  allows host OS users to gain privileges on the guest OS via unspecified
+  vectors.
+
+  Impact:
+  Successful exploitation will let the attacker to execute arbitrary code with
+  elevated privileges, this may aid in other attacks.
+
+  Impact Level: System/Application
+
+  Affected Software/OS:
+  VMware Server version  2.x
+  VMware Player 2.5.x before 2.5.5 build 328052 and 3.1.x before 3.1.2 build 301548
+  VMware Workstation 6.5.x before 6.5.5 build 328052 and 7.x before 7.1.2 build 301548
+
+  Fix:
+  Apply the patch or upgrade workstation 6.5.5 build 328052 or 7.1.2 build 301548
+  http://www.vmware.com/products/ws/
+
+  Apply the patch Upgrade to 2.5.5 build 328052 to 3.1.2 build 301548
+  http://www.vmware.com/products/player/
+
+  For VMware Server version 2.x ,
+  No solution or patch is available as on 09th December 2010. Information
+  regarding this issue will be updated once the solution details are available.
+  http://downloads.vmware.com/d/info/datacenter_downloads/vmware_server/2_0
+
+  *****
+  NOTE: Ignore this warning, if above mentioned workaround is manually applied.
+  *****
+
+  References:
+  http://www.securityfocus.com/archive/1/514995
+  http://www.vmware.com/security/advisories/VMSA-2010-0018.html
+  http://lists.vmware.com/pipermail/security-announce/2010/000112.html ";
+
+  script_description(desc);
+  script_summary("Check for the version of VMware Products");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (c) 2010 Greenbone Networks GmbH");
+  script_family("General");
+  script_dependencies("gb_vmware_prdts_detect_lin.nasl");
+  script_require_keys("VMware/Linux/Installed");
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+if(!get_kb_item("VMware/Linux/Installed")){
+  exit(0);
+}
+
+# Check for VMware Player
+vmplayerVer = get_kb_item("VMware/Player/Linux/Ver");
+if(vmplayerVer != NULL )
+{
+  if(version_in_range(version:vmplayerVer, test_version:"2.5", test_version2:"2.5.4") ||
+     version_in_range(version:vmplayerVer, test_version:"3.0", test_version2:"3.1.1"))
+  {
+    security_hole(0);
+    exit(0);
+  }
+}
+
+#Check for VMware Workstation
+vmworkstnVer = get_kb_item("VMware/Workstation/Linux/Ver");
+if(vmworkstnVer != NULL)
+{
+  if(version_in_range(version:vmworkstnVer, test_version:"6.5", test_version2:"6.5.4")||
+     version_in_range(version:vmworkstnVer, test_version:"7.0", test_version2:"7.1.1"))
+  {
+    security_hole(0);
+    exit(0);
+  }
+}
+
+# VMware Server
+vmserVer = get_kb_item("VMware/Server/Linux/Ver");
+if(vmserVer)
+{
+  if(vmserVer =~ "^2.*"){
+   security_hole(0);
+  }
+}
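Review bot: `script_name` is missing its closing parenthesis: `"... Vulnerability (Linux"` should end in `(Linux)"`, as the Windows twin does. The Player range `test_version:"3.0", test_version2:"3.1.1"` also covers 3.0.x, while the Affected section says `3.1.x before 3.1.2`; one of the two should be corrected so that the report text and the check agree. The description gives Player 2.5.5 as build 328052, whereas gb_vmware_prdts_mem_corruption_n_bof_vuln_win.nasl in this commit gives build 246459 for the same release, which is worth checking against the advisory. The range/description mismatch and the build number apply equally to gb_vmware_prdts_tools_loc_prev_escl_vuln_win.nasl.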

Added: trunk/openvas-plugins/scripts/gb_vmware_prdts_tools_loc_prev_escl_vuln_win.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_vmware_prdts_tools_loc_prev_escl_vuln_win.nasl	2010-12-13 13:38:21 UTC (rev 9702)
+++ trunk/openvas-plugins/scripts/gb_vmware_prdts_tools_loc_prev_escl_vuln_win.nasl	2010-12-13 14:28:53 UTC (rev 9703)
@@ -0,0 +1,124 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_vmware_prdts_tools_loc_prev_escl_vuln_win.nasl 12459 2010-12-09 16:20:21Z dec $
+#
+# VMware Products Tools Local Privilege Escalation Vulnerability (Windows)
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(801561);
+  script_version("$Revision$: 1.0");
+  script_cve_id("CVE-2010-4297");
+  script_tag(name:"cvss_base", value:"7.2");
+  script_tag(name:"risk_factor", value:"High");
+  script_name("VMware Products Tools Local Privilege Escalation Vulnerability (Windows)");
+  desc = "
+  Overview : The host is installed with VMWare products tools local privilege
+  escalation vulnerability.
+
+  Vulnerability Insight:
+  The flaw is caused due to an error in Tools update functionality, which
+  allows host OS users to gain privileges on the guest OS via unspecified
+  vectors.
+
+  Impact:
+  Successful exploitation will let the attacker to execute arbitrary code with
+  elevated privileges, this may aid in other attacks.
+
+  Impact Level: System/Application
+
+  Affected Software/OS:
+  VMware Server version  2.x
+  VMware Player 2.5.x before 2.5.5 build 328052 and 3.1.x before 3.1.2 build 301548
+  VMware Workstation 6.5.x before 6.5.5 build 328052 and 7.x before 7.1.2 build 301548
+
+  Fix:
+  Apply the patch or upgrade workstation 6.5.5 build 328052 or 7.1.2 build 301548
+  http://www.vmware.com/products/ws/
+
+  Apply the patch Upgrade to 2.5.5 build 328052 to 3.1.2 build 301548
+  http://www.vmware.com/products/player/
+
+  For VMware Server version 2.x ,
+  No solution or patch is available as on 09th December 2010. Information
+  regarding this issue will be updated once the solution details are available.
+  http://downloads.vmware.com/d/info/datacenter_downloads/vmware_server/2_0
+
+  *****
+  NOTE: Ignore this warning, if above mentioned workaround is manually applied.
+  *****
+
+  References:
+  http://www.securityfocus.com/archive/1/514995
+  http://www.vmware.com/security/advisories/VMSA-2010-0018.html
+  http://lists.vmware.com/pipermail/security-announce/2010/000112.html ";
+
+  script_description(desc);
+  script_summary("Check for the version of VMware Products");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (c) 2010 Greenbone Networks GmbH");
+  script_family("General");
+  script_dependencies("gb_vmware_prdts_detect_win.nasl");
+  script_require_keys("VMware/Win/Installed");
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+if(!get_kb_item("VMware/Win/Installed")){
+  exit(0);
+}
+
+# Check for VMware Player
+vmplayerVer = get_kb_item("VMware/Player/Win/Ver");
+if(vmplayerVer != NULL )
+{
+  if(version_in_range(version:vmplayerVer, test_version:"2.5", test_version2:"2.5.4") ||
+     version_in_range(version:vmplayerVer, test_version:"3.0", test_version2:"3.1.1"))
+  {
+    security_hole(0);
+    exit(0);
+  }
+}
+
+#Check for VMware Workstation
+vmworkstnVer = get_kb_item("VMware/Workstation/Win/Ver");
+if(vmworkstnVer != NULL)
+{
+  if(version_in_range(version:vmworkstnVer, test_version:"6.5", test_version2:"6.5.4")||
+     version_in_range(version:vmworkstnVer, test_version:"7.0", test_version2:"7.1.1"))
+  {
+    security_hole(0);
+    exit(0);
+  }
+}
+
+# VMware Server
+vmserVer = get_kb_item("VMware/Server/Win/Ver");
+if(vmserVer)
+{
+  if(vmserVer =~ "^2.*"){
+   security_hole(0);
+  }
+}


