[Openvas-commits] r11614 - in trunk/openvas-plugins: . scripts
scm-commit@wald.intevation.org
scm-commit at wald.intevation.org
Wed Sep 14 16:05:53 CEST 2011
Author: veerendragg
Date: 2011-09-14 16:05:49 +0200 (Wed, 14 Sep 2011)
New Revision: 11614
Added:
trunk/openvas-plugins/scripts/gb_advanced_image_hosting_xss_vuln.nasl
trunk/openvas-plugins/scripts/gb_atutor_achecker_mult_sql_inj_n_xss_vuln.nasl
trunk/openvas-plugins/scripts/gb_atutor_acontent_mult_sql_inj_n_xss_vuln.nasl
trunk/openvas-plugins/scripts/gb_ibm_openadmin_tool_detect.nasl
trunk/openvas-plugins/scripts/gb_ibm_openadmin_tool_mult_xss_vuln.nasl
trunk/openvas-plugins/scripts/gb_snitz_forums_2000_xss_n_sql_inj_vuln.nasl
trunk/openvas-plugins/scripts/secpod_ms11-070.nasl
trunk/openvas-plugins/scripts/secpod_ms11-071.nasl
trunk/openvas-plugins/scripts/secpod_ms11-072.nasl
trunk/openvas-plugins/scripts/secpod_ms11-073.nasl
trunk/openvas-plugins/scripts/secpod_ms11-074.nasl
Modified:
trunk/openvas-plugins/ChangeLog
trunk/openvas-plugins/scripts/cpe.inc
trunk/openvas-plugins/scripts/gb_ms_win_fraudulent_digital_cert_spoofing_vuln.nasl
Log:
Added new plugins. Added MS bulletin plugins for September 2011. Fixed a false positive and added a new CPE.
Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog 2011-09-14 13:59:31 UTC (rev 11613)
+++ trunk/openvas-plugins/ChangeLog 2011-09-14 14:05:49 UTC (rev 11614)
@@ -1,3 +1,24 @@
+2011-09-14 Veerendra G.G <veerendragg at secpod.com>
+
+ * scripts/gb_atutor_acontent_mult_sql_inj_n_xss_vuln.nasl,
+ scripts/gb_ibm_openadmin_tool_mult_xss_vuln.nasl,
+ scripts/gb_atutor_achecker_mult_sql_inj_n_xss_vuln.nasl,
+ scripts/gb_snitz_forums_2000_xss_n_sql_inj_vuln.nasl,
+ scripts/gb_advanced_image_hosting_xss_vuln.nasl,
+ scripts/gb_ibm_openadmin_tool_detect.nasl:
+ Added new plugins.
+
+ * scripts/secpod_ms11-070.nasl,
+ scripts/secpod_ms11-071.nasl,
+ scripts/secpod_ms11-072.nasl,
+ scripts/secpod_ms11-073.nasl,
+ scripts/secpod_ms11-074.nasl:
+ Added MS bulletin plugins - September 2011.
+
+ * scripts/gb_ms_win_fraudulent_digital_cert_spoofing_vuln.nasl,
+ scripts/cpe.inc:
+ Fixed FP and Added New CPE.
+
2011-09-14 Michael Meyer <michael.meyer at greenbone.net>
* * scripts/gb_sharepoint_39776.nasl,
Modified: trunk/openvas-plugins/scripts/cpe.inc
===================================================================
--- trunk/openvas-plugins/scripts/cpe.inc 2011-09-14 13:59:31 UTC (rev 11613)
+++ trunk/openvas-plugins/scripts/cpe.inc 2011-09-14 14:05:49 UTC (rev 11614)
@@ -927,7 +927,8 @@
"Adobe/Flash/Player/MacOSX/Version", "^([0-9.]+)", "cpe:/a:adobe:flash_player:",
"Adobe/Air/MacOSX/Version", "^([0-9.]+)", "cpe:/a:adobe:adobe_air:",
"RealPlayer/MacOSX/Version", "^([0-9.]+)", "cpe:/a:realnetworks:realplayer:",
-"Tcptrack/Ver", "^([0-9.]+)", "cpe:/a:rhythm:tcptrack:"
+"Tcptrack/Ver", "^([0-9.]+)", "cpe:/a:rhythm:tcptrack:",
+"www/*/IBM/Open/Admin/Tool", "^([0-9.]+)", "cpe:/a:ibm:openadmin_tool:"
);
Added: trunk/openvas-plugins/scripts/gb_advanced_image_hosting_xss_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_advanced_image_hosting_xss_vuln.nasl 2011-09-14 13:59:31 UTC (rev 11613)
+++ trunk/openvas-plugins/scripts/gb_advanced_image_hosting_xss_vuln.nasl 2011-09-14 14:05:49 UTC (rev 11614)
@@ -0,0 +1,104 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_advanced_image_hosting_xss_vuln.nasl 16995 2011-09-08 17:35:01Z sep $
+#
+# Advanced Image Hosting Cross Site Scripting Vulnerability
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(802155);
+ script_version("$Revision: 1.0$");
+ script_tag(name:"cvss_base", value:"4.3");
+ script_tag(name:"risk_factor", value:"Medium");
+ script_name("Advanced Image Hosting Cross Site Scripting Vulnerability");
+ desc = "
+ Overview: This host is running Advanced Image Hosting and is prone to cross
+ site scripting vulnerability.
+
+ Vulnerability Insight:
+ The flaw is caused due to failure in the 'report.php' script to properly
+ sanitize user supplied input in 'img_id' parameter.
+
+ Impact:
+ Successful exploitation will let attackers to execute arbitrary script code
+ in the browser of an unsuspecting user in the context of the affected site.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ Advanced Image Hosting version 2.3
+
+ Fix: No solution or patch is available as on 08th September, 2011. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates refer, http://yabsoft.com/products.php
+
+ References:
+ http://packetstormsecurity.org/files/view/104799/aihimgid-xss.txt ";
+
+ script_description(desc);
+ script_summary("Check if Advanced Image Hosting is vulnerable to XSS");
+ script_category(ACT_ATTACK);
+ script_copyright("Copyright (c) 2011 Greenbone Networks GmbH");
+ script_family("Web application abuses");
+ script_dependencies("http_version.nasl");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+## Get HTTP Port
+port = get_http_port(default:80);
+if(!port){
+ exit(0);
+}
+
+## Check Host Supports PHP
+if(!can_host_php(port:port)) {
+ exit(0);
+}
+
+## Check for each possible path
+foreach dir (make_list("/aihspro", "/aih", "/"))
+{
+ ## Send and Receive the response
+ req = http_get(item:string(dir,"/index.php"), port:port);
+ res = http_keepalive_send_recv(port:port,data:req);
+
+ ## Confirm the application
+ if("Powered by:" >< res && '>AIH' >< res)
+ {
+ req = http_get(item:string(dir, '/report.php?img_id="><script>alert' +
+ '(document.cookie)</script>'), port:port);
+ res = http_keepalive_send_recv(port:port, data:req);
+
+ ## Confirm exploit worked by checking the response
+ if('"><script>alert(document.cookie)</script>' >< res)
+ {
+ security_warning(port);
+ exit(0);
+ }
+ }
+}
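Review bot: The confirmation in the last `if` matches the injected marker anywhere in the response, so a server page that echoes the raw request URI (a generic 404 or 400 page, a debug trace) reflects the same bytes and the script reports a vulnerability the application may not have; the identical test appears in gb_atutor_achecker_mult_sql_inj_n_xss_vuln.nasl and gb_atutor_acontent_mult_sql_inj_n_xss_vuln.nasl. Assuming `res` holds the full response including the status line, checking it first, e.g. `if(res =~ "^HTTP/1\.[01] 200" && '"><script>alert(document.cookie)</script>' >< res)`, restricts the match to a page the application actually served. The request path also carries `"`, `<` and `>` unencoded, and some servers reject such a request before PHP sees it, so a miss here is not evidence that the target is clean; a comment noting both limits above the check would help whoever tunes this later.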
Added: trunk/openvas-plugins/scripts/gb_atutor_achecker_mult_sql_inj_n_xss_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_atutor_achecker_mult_sql_inj_n_xss_vuln.nasl 2011-09-14 13:59:31 UTC (rev 11613)
+++ trunk/openvas-plugins/scripts/gb_atutor_achecker_mult_sql_inj_n_xss_vuln.nasl 2011-09-14 14:05:49 UTC (rev 11614)
@@ -0,0 +1,126 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_atutor_achecker_mult_sql_inj_n_xss_vuln.nasl 16587 2011-09-12 22:35:01Z sep $
+#
+# Atutor AChecker Multiple SQL Injection and XSS Vulnerabilities
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(801982);
+ script_version("$Revision: 1.0$");
+ script_bugtraq_id(49061, 49093);
+ script_tag(name:"cvss_base", value:"6.5");
+ script_tag(name:"risk_factor", value:"High");
+ script_name("Atutor AChecker Multiple SQL Injection and XSS Vulnerabilities");
+ desc = "
+ Overview: This host is running Atutor AChecker and is prone to multiple
+ cross site scripting and SQL injection vulnerabilities.
+
+ Vulnerability Insight:
+ Multiple flaws are due to an,
+ - Input passed via the parameter 'myown_patch_id' in '/updater/patch_edit.php'
+ and the parameter 'id' in '/user/user_create_edit.php' script is not
+ properly sanitised before being used in SQL queries.
+ - Input through the GET parameters 'id', 'p' and 'myown_patch_id' in
+ multiple scripts is not sanitized allowing the attacker to execute HTML
+ code or disclose the full path of application's residence.
+
+ Impact:
+ Successful exploitation will let attackers to execute arbitrary script code
+ or to compromise the application, access or modify data, or exploit latent
+ vulnerabilities in the underlying database.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ Atutor AChecker 1.2 (build r530)
+
+ Fix: No solution or patch is available as on 12th September, 2011. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates refer, http://www.atutor.ca
+
+ References:
+ http://www.exploit-db.com/exploits/17630/
+ http://packetstormsecurity.org/files/view/103763/ZSL-2011-5035.txt
+ http://packetstormsecurity.org/files/view/103762/ZSL-2011-5034.txt ";
+
+ script_description(desc);
+ script_summary("Check if Atutor AChecker is vulnerable to XSS/SQL Injection");
+ script_category(ACT_ATTACK);
+ script_copyright("Copyright (c) 2011 Greenbone Networks GmbH");
+ script_family("Web application abuses");
+ script_dependencies("http_version.nasl");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+## Get HTTP Port
+port = get_http_port(default:80);
+if(!port){
+ exit(0);
+}
+
+## Check Host Supports PHP
+if(!can_host_php(port:port)) {
+ exit(0);
+}
+
+## Check for each possible path
+foreach dir (make_list("/AChecker", "/Atutor/AChecker", "/"))
+{
+ ## Send and Receive the response
+ req = http_get(item:string(dir,"/checker/index.php"), port:port);
+ res = http_keepalive_send_recv(port:port,data:req);
+
+ ## Confirm the application
+ if("Web Accessibility Checker<" >< res && '>Check Accessibility' >< res)
+ {
+ ## Construct the XSS Attack
+ req = http_get(item:string(dir, '/documentation/frame_header.php?p="' +
+ '><script>alert(document.cookie)</script>'), port:port);
+ res = http_keepalive_send_recv(port:port, data:req);
+
+ ## Confirm exploit worked by checking the response
+ if('"><script>alert(document.cookie)</script>' >< res)
+ {
+ security_hole(port);
+ exit(0);
+ }
+
+ ## Construct the SQL attack
+ req = http_get(item:string(dir, "/user/user_create_edit.php?id='1111"),
+ port:port);
+ res = http_keepalive_send_recv(port:port, data:req);
+
+ ## Confirm exploit worked by checking the response
+ if('You have an error in your SQL syntax;' >< res)
+ {
+ security_hole(port);
+ exit(0);
+ }
+ }
+}
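Review bot: The SQL-injection confirmation at the end of the loop recognises only MySQL's `You have an error in your SQL syntax;` text, so an installation with PHP error display disabled, or one backed by another database, produces no match and the loop moves on silently; the same limitation applies to the search.php probe in gb_atutor_acontent_mult_sql_inj_n_xss_vuln.nasl. Suggest `## Only MySQL's verbose syntax error is recognised; installs that suppress errors are not flagged by this probe` above that `if`, so the silent negative is understood rather than read as "not vulnerable". The description's sentence "Multiple flaws are due to an," is also unfinished and could read "Multiple flaws are due to:".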
Added: trunk/openvas-plugins/scripts/gb_atutor_acontent_mult_sql_inj_n_xss_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_atutor_acontent_mult_sql_inj_n_xss_vuln.nasl 2011-09-14 13:59:31 UTC (rev 11613)
+++ trunk/openvas-plugins/scripts/gb_atutor_acontent_mult_sql_inj_n_xss_vuln.nasl 2011-09-14 14:05:49 UTC (rev 11614)
@@ -0,0 +1,125 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_atutor_acontent_mult_sql_inj_n_xss_vuln.nasl 16588 2011-09-12 17:35:01Z sep $
+#
+# Atutor AContent Multiple SQL Injection and XSS Vulnerabilities
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(801985);
+ script_version("$Revision: 1.0$");
+ script_bugtraq_id(49066);
+ script_tag(name:"cvss_base", value:"6.5");
+ script_tag(name:"risk_factor", value:"High");
+ script_name("Atutor AContent Multiple SQL Injection and XSS Vulnerabilities");
+ desc = "
+ Overview: This host is running Atutor AContent and is prone to multiple
+ cross site scripting and SQL injection vulnerabilities.
+
+ Vulnerability Insight:
+ Multiple flaws are due to an,
+ - Input passed via multiple parameters in multiple scripts is not properly
+ sanitised before being used in SQL queries.
+ - Input passed via multiple parameters in multiple scripts via GET and POST
+ method is not properly sanitised before being used.
+
+ Impact:
+ Successful exploitation will let attackers to execute arbitrary script code
+ or to compromise the application, access or modify data, or exploit latent
+ vulnerabilities in the underlying database.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ Atutor AContent version 1.1 (build r296)
+
+ Fix: No solution or patch is available as on 12th September, 2011. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates refer, http://www.atutor.ca
+
+ References:
+ http://www.exploit-db.com/exploits/17629/
+ http://packetstormsecurity.org/files/view/103761/ZSL-2011-5033.txt
+ http://packetstormsecurity.org/files/view/103760/ZSL-2011-5032.txt
+ http://packetstormsecurity.org/files/view/103759/ZSL-2011-5031.txt " ;
+
+ script_description(desc);
+ script_summary("Check if Atutor AContent is vulnerable to XSS/SQL Injection");
+ script_category(ACT_ATTACK);
+ script_copyright("Copyright (c) 2011 Greenbone Networks GmbH");
+ script_family("Web application abuses");
+ script_dependencies("http_version.nasl");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+## Get HTTP Port
+port = get_http_port(default:80);
+if(!port){
+ exit(0);
+}
+
+## Check Host Supports PHP
+if(!can_host_php(port:port)) {
+ exit(0);
+}
+
+## Check for each possible path
+foreach dir (make_list("/AContent", "/Atutor/AContent", "/"))
+{
+ ## Send and Receive the response
+ req = http_get(item:string(dir,"/home/index.php"), port:port);
+ res = http_keepalive_send_recv(port:port,data:req);
+
+ ## Confirm the application
+ if(">AContent Handbook<" >< res && '>AContent</' >< res)
+ {
+ ## Construct the XSS Attack
+ req = http_get(item:string(dir, '/documentation/frame_header.php?p="><sc' +
+ 'ript>alert(document.cookie)</script>'), port:port);
+ res = http_keepalive_send_recv(port:port, data:req);
+
+ ## Confirm exploit worked by checking the response
+ if('"><script>alert(document.cookie)</script>' >< res)
+ {
+ security_hole(port);
+ exit(0);
+ }
+
+ ## Construct the SQL attack
+ req = http_get(item:string(dir, "/documentation/search.php?p=home&query=" +
+ "'111&search=Search"), port:port);
+ res = http_keepalive_send_recv(port:port, data:req);
+
+ ## Confirm exploit worked by checking the response
+ if('You have an error in your SQL syntax;' >< res)
+ {
+ security_hole(port);
+ exit(0);
+ }
+ }
+}
Added: trunk/openvas-plugins/scripts/gb_ibm_openadmin_tool_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_ibm_openadmin_tool_detect.nasl 2011-09-14 13:59:31 UTC (rev 11613)
+++ trunk/openvas-plugins/scripts/gb_ibm_openadmin_tool_detect.nasl 2011-09-14 14:05:49 UTC (rev 11614)
@@ -0,0 +1,73 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_ibm_openadmin_tool_detect.nasl 17030 2011-09-12 17:10:36Z sep $
+#
+# IBM Open Admin Tool Version Detection
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(802158);
+ script_version("$Revision: 1.0$");
+ script_tag(name:"risk_factor", value:"None");
+ script_name("IBM Open Admin Tool Version Detection");
+ desc = "
+ Overview: This script finds the installed IBM Open Admin Tool version and
+ saves the result in KB.";
+
+ script_description(desc);
+ script_summary("Set the version of IBM Open Admin Tool in KB");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (c) 2011 Greenbone Networks GmbH");
+ script_family("Service detection");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+
+include("http_func.inc");
+
+port = get_http_port(default:8080);
+if(!port){
+ exit(0);
+}
+
+## Send and receive response
+sndReq = http_get(item:"/openadmin/index.php?act=help&do=aboutOAT", port:port);
+rcvRes = http_send_recv(port:port, data:sndReq);
+
+## Confirm the application
+if(">OpenAdmin Tool" >< rcvRes ||
+ "> OpenAdmin Tool Community Edition <" >< rcvRes)
+{
+ ## Grep for the version
+ ver = eregmatch(pattern:">Version:.*[^\n]", string:rcvRes);
+ ver = eregmatch(pattern:"([0-9.]+)", string:ver[0]);
+ if(ver[1] != NULL)
+ {
+ ## Set the KB value
+ set_kb_item(port:uniPort, name:"www/" + port + "/IBM/Open/Admin/Tool",
+ value:ver[1]);
+ security_note(data:"IBM Open Admin Tool version " + ver[1] +
+ " was detected on the host");
+ }
+}
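Review bot: `set_kb_item(port:uniPort, name:..., value:ver[1])` references `uniPort`, which is never assigned anywhere in this script; the port the request went to is `port`, and the KB name already embeds it, so the extra argument is at best a NULL and at worst a typo a future reader will try to "fix" in the wrong direction. Suggest `set_kb_item(name:"www/" + port + "/IBM/Open/Admin/Tool", value:ver[1]);` on one line. The description block also omits `script_dependencies("http_version.nasl")`, which every other HTTP script in this commit declares before calling get_http_port(); presumably the detection script should declare it too so the web service has been identified first.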
Added: trunk/openvas-plugins/scripts/gb_ibm_openadmin_tool_mult_xss_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_ibm_openadmin_tool_mult_xss_vuln.nasl 2011-09-14 13:59:31 UTC (rev 11613)
+++ trunk/openvas-plugins/scripts/gb_ibm_openadmin_tool_mult_xss_vuln.nasl 2011-09-14 14:05:49 UTC (rev 11614)
@@ -0,0 +1,93 @@
+##############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_ibm_openadmin_tool_mult_xss_vuln.nasl 17030 2011-09-12 18:20:29 sep $
+#
+# IBM Open Admin Tool 'index.php' Multiple Cross-Site Scripting Vulnerability
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(802159);
+ script_version("$Revision: 1.0$");
+ script_cve_id("CVE-2011-3390");
+ script_bugtraq_id(49364);
+ script_tag(name:"cvss_base", value:"5.0");
+ script_tag(name:"risk_factor", value:"Medium");
+ script_name("IBM Open Admin Tool 'index.php' Multiple Cross-Site Scripting Vulnerability");
+ desc = "
+ Overview: This host is running IBM Open Admin Tool and is prone to multiple
+ cross-site scripting vulnerabilities.
+
+ Vulnerability Insight:
+ The flaws are caused due to the improper validation of user supplied input
+ via 'host', 'port', 'username', 'userpass' and 'informixserver' parameters
+ in 'index.php'.
+
+ Impact:
+ Successful exploitation will allow attackers to execute arbitrary HTML and
+ script code in a user's browser session in the context of an affected site
+ and steal the victim's cookie-based authentication credentials.
+
+ Impact Level: Application.
+
+ Affected Software:
+ IBM OpenAdmin Tool (OAT) version before 2.72
+
+ Fix: Upgrade to IBM OpenAdmin Tool (OAT) version 2.72 or later
+ For updates refer, https://www14.software.ibm.com/webapp/iwm/web/reg/download.do?source=swg-informixfpd&lang=en_US&S_PKG=dl&cp=UTF-8
+
+ References:
+ http://xforce.iss.net/xforce/xfdb/69488
+ http://voidroot.blogspot.com/2011/08/xss-in-ibm-open-admin-tool.html
+ http://packetstormsecurity.org/files/view/104617/ibmopenadmin-xss.txt
+ http://www.securityfocus.com/archive/1/archive/1/519468/100/0/threaded ";
+
+ script_description(desc);
+ script_summary("Check for the version of IBM Open Admin Tool");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (c) 2011 Greenbone Networks GmbH");
+ script_dependencies("gb_ibm_openadmin_tool_detect.nasl");
+ script_family("Web application abuses");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+
+## Get HTTP Port
+port = get_http_port(default:8080);
+if(!get_port_state(port)){
+ exit(0);
+}
+
+## GET the version from KB
+ver = get_kb_item("www/" + port + "/IBM/Open/Admin/Tool");
+if(!ver){
+ exit(0);
+}
+
+## Check the IBM Open Admin Tool less than 2.72
+if(version_is_less(version:ver, test_version:"2.72")){
+ security_warning(port);
+}
Modified: trunk/openvas-plugins/scripts/gb_ms_win_fraudulent_digital_cert_spoofing_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_ms_win_fraudulent_digital_cert_spoofing_vuln.nasl 2011-09-14 13:59:31 UTC (rev 11613)
+++ trunk/openvas-plugins/scripts/gb_ms_win_fraudulent_digital_cert_spoofing_vuln.nasl 2011-09-14 14:05:49 UTC (rev 11614)
@@ -27,7 +27,7 @@
if(description)
{
script_id(801975);
- script_version("$Revision: 1.0$");
+ script_version("$Revision: 1.1$");
script_tag(name:"cvss_base", value:"5.0");
script_tag(name:"risk_factor", value:"Medium");
script_name("Fraudulent Digital Certificates Spoofing Vulnerability (2607712)");
@@ -85,6 +85,6 @@
}
## Check Hotfix 2607712
-if(!(hotfix_missing(name:"2607712") == 0)){
+if((hotfix_missing(name:"2607712") == 1)){
security_warning(0);
}
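Review bot: The new condition `if((hotfix_missing(name:"2607712") == 1)){` carries a redundant outer pair of parentheses and leaves no trace of why the test was tightened from "anything but 0" to "exactly 1"; the commit message only says a false positive was fixed, presumably because hotfix_missing() can return a value other than 0 or 1 when the patch state cannot be determined, which the old form reported as vulnerable. Suggest `## Report only a confirmed missing hotfix (1); other return values mean the state could not be determined` followed by `if(hotfix_missing(name:"2607712") == 1){`. The return-value contract of hotfix_missing() is not visible in this hunk, so the comment wording should be checked against secpod_reg.inc.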
Added: trunk/openvas-plugins/scripts/gb_snitz_forums_2000_xss_n_sql_inj_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_snitz_forums_2000_xss_n_sql_inj_vuln.nasl 2011-09-14 13:59:31 UTC (rev 11613)
+++ trunk/openvas-plugins/scripts/gb_snitz_forums_2000_xss_n_sql_inj_vuln.nasl 2011-09-14 14:05:49 UTC (rev 11614)
@@ -0,0 +1,99 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_snitz_forums_2000_xss_n_sql_inj_vuln.nasl 16868 2011-09-13 12:12:12Z sep $
+#
+# Snitz Forums 2000 'members.asp' SQL Injection and Cross Site Scripting Vulnerabilities
+#
+# Authors:
+# Sooraj KS <kssooraj at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(802243);
+ script_version("$Revision: 1.0$");
+ script_bugtraq_id(45381);
+ script_cve_id("CVE-2010-4826", "CVE-2010-4827");
+ script_tag(name:"cvss_base", value:"7.5");
+ script_tag(name:"risk_factor", value:"High");
+ script_name("Snitz Forums 2000 'members.asp' SQL Injection and Cross Site Scripting Vulnerabilities");
+ desc = "
+ Overview: The host is running Snitz and is prone to SQL injection and cross
+ site scripting vulnerabilities.
+
+ Vulnerability Insight:
+ - Input passed to the 'M_NAME' parameter in members.asp is not properly
+ sanitised before being returned to the user. This can be exploited to
+ execute arbitrary HTML and script code in a user's browser session in
+ context of an affected site.
+ - Input passed to the 'M_NAME' parameter in members.asp is not properly
+ sanitised before being used in SQL queries. This can be exploited to
+ manipulate SQL queries by injecting arbitrary SQL code.
+
+ Impact:
+ Successful exploitation could allow an attacker to steal cookie-based
+ authentication credentials, compromise the application, access or modify
+ data, or exploit latent vulnerabilities in the underlying database.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ Snitz Forums 2000 version 3.4.07
+
+ Fix: Apply the patch from below link,
+ http://forum.snitz.com/forum/topic.asp?TOPIC_ID=69770
+
+ *****
+ NOTE : Ignore this warning, if above mentioned patch is applied already.
+ *****
+
+ References:
+ http://osvdb.org/69794
+ http://secunia.com/advisories/42308
+ http://forum.snitz.com/forum/topic.asp?TOPIC_ID=69770 ";
+
+ script_description(desc);
+ script_summary("Check for the version of Snitz Forums");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (C) 2011 Greenbone Networks GmbH");
+ script_family("Web application abuses");
+ script_dependencies("snitz_forums_2000_detect.nasl");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+
+## Get HTTP Port
+port = get_http_port(default:80);
+if(!port){
+ exit(0);
+}
+
+## Get version from KB
+ver = get_version_from_kb(port:port, app:"SnitzForums");
+if(ver)
+{
+ ## Check Snitz Forums 2000 version 3.4.07
+ if(version_is_equal(version:ver, test_version:"3.4.07")){
+ security_hole(port);
+ }
+}
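Review bot: `version_is_equal(version:ver, test_version:"3.4.07")` cannot distinguish a patched 3.4.07 from an unpatched one, and the only hint a user gets is the NOTE buried in the description; the reason belongs next to the check so the next maintainer does not "correct" the equality test into a range. Suggest `## The vendor patch does not appear to change the reported version, so a patched 3.4.07 is still flagged (see NOTE in the description)` above the `if`. That the patch leaves the version string untouched is inferred from the description text only, not from anything else in the hunk.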
Added: trunk/openvas-plugins/scripts/secpod_ms11-070.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms11-070.nasl 2011-09-14 13:59:31 UTC (rev 11613)
+++ trunk/openvas-plugins/scripts/secpod_ms11-070.nasl 2011-09-14 14:05:49 UTC (rev 11614)
@@ -0,0 +1,138 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_ms11-070.nasl 17072 2011-09-14 10:10:10Z sep $
+#
+# Microsoft Windows WINS Local Privilege Escalation Vulnerability (2571621)
+#
+# Authors:
+# Sooraj KS <kssooraj at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(902566);
+ script_version("$Revision: 1.0$");
+ script_cve_id("CVE-2011-1984");
+ script_bugtraq_id(49523);
+ script_tag(name:"cvss_base", value:"6.8");
+ script_tag(name:"risk_factor", value:"High");
+ script_name("Microsoft Windows WINS Local Privilege Escalation Vulnerability (2571621)");
+ desc = "
+ Overview: This host has important security update missing according to
+ Microsoft Bulletin MS11-070.
+
+ Vulnerability Insight:
+ The flaw is caused by an error in the Windows Internet Name Service (WINS)
+ when handling handling a series of malformed packets sent over the loopback
+ interface, leading to arbitrary code execution with elevated privileges.
+
+ Impact:
+ Successful exploits will allow local attackers to execute arbitrary code with
+ local system privileges and potentially compromise the affected computer.
+
+ Impact Level: System/Application
+
+ Affected Software/OS:
+ Microsoft Windows 2K3 Service Pack 2 and prior
+ Microsoft Windows Server 2008 Service Pack 2 and prior
+
+ Fix:
+ Run Windows Update and update the listed hotfixes or download and
+ update mentioned hotfixes in the advisory from the below link,
+ http://technet.microsoft.com/en-us/security/bulletin/ms11-070
+
+ References:
+ http://support.microsoft.com/kb/2571621
+ http://www.exploit-db.com/exploits/17831/
+ http://technet.microsoft.com/en-us/security/bulletin/ms11-070
+ http://www.coresecurity.com/content/ms-wins-ecommenddlg-input-validation ";
+
+ script_description(desc);
+ script_summary("Check for the vulnerable 'Wins.exe' file version");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (C) 2011 SecPod");
+ script_family("Windows : Microsoft Bulletins");
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_ports(139, 445);
+ exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
+
+## Check for OS and Service Pack
+if(hotfix_check_sp(win2003:3, win2008:3) <= 0){
+ exit(0);
+}
+
+## MS11-070 Hotfix (2571621)
+if(hotfix_missing(name:"2571621") == 0){
+ exit(0);
+}
+
+## Get System Path
+sysPath = smb_get_systemroot();
+if(!sysPath ){
+ exit(0);
+}
+
+## Confirm WINS Installation
+if(!registry_key_exists(key:"SYSTEM\CurrentControlSet\Services\WINS")){
+ exit(0);
+}
+
+## Get Version from Wins.exe file
+exeVer = fetch_file_version(syspath, file_name:"system32\Wins.exe");
+if(!exeVer){
+ exit(0);
+}
+
+## Windows 2003
+if(hotfix_check_sp(win2003:3) > 0)
+{
+ SP = get_kb_item("SMB/Win2003/ServicePack");
+ if("Service Pack 2" >< SP)
+ {
+ ## Check for Wins.exe version
+ if(version_is_less(version:exeVer, test_version:"5.2.3790.4893")){
+ security_hole(0);
+ }
+ exit(0);
+ }
+ security_hole(0);
+}
+
+## Windows Server 2008
+else if(hotfix_check_sp(win2008:3) > 0)
+{
+ SP = get_kb_item("SMB/Win2008/ServicePack");
+ if("Service Pack 2" >< SP)
+ {
+ ## Check for Wins.exe version
+ if(version_is_less(version:exeVer, test_version:"6.0.6002.18501") ||
+ version_in_range(version:exeVer, test_version:"6.0.6002.22000", test_version2:"6.0.6002.22692")){
+ security_hole(0);
+ }
+ exit(0);
+ }
+ security_hole(0);
+}
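Review bot: `fetch_file_version(syspath, file_name:"system32\Wins.exe")` passes `syspath` as an anonymous argument while the value retrieved a few lines earlier is stored in `sysPath`; NASL identifiers are case-sensitive, so the argument is an unset NULL, and if the helper expects a named `sysPath` parameter (its signature lives in secpod_smb_func.inc, outside this hunk) the lookup fails, `exeVer` is empty and the script exits before any version comparison, reporting every host as clean. Suggest `exeVer = fetch_file_version(sysPath:sysPath, file_name:"system32\Wins.exe");`. The description also reads "when handling handling a series of malformed packets"; one "handling" should go.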
Added: trunk/openvas-plugins/scripts/secpod_ms11-071.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms11-071.nasl 2011-09-14 13:59:31 UTC (rev 11613)
+++ trunk/openvas-plugins/scripts/secpod_ms11-071.nasl 2011-09-14 14:05:49 UTC (rev 11614)
@@ -0,0 +1,149 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_ms11-071.nasl 17073 2011-09-14 09:00:35Z sep $
+#
+# Microsoft Windows Components Remote Code Execution Vulnerabilities (2570947)
+#
+# Authors:
+# Veerendra GG <veerendragg at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(901205);
+ script_version("$Revision$:1.0");
+ script_bugtraq_id(47741);
+ script_cve_id("CVE-2011-1991");
+ script_tag(name:"cvss_base", value:"7.5");
+ script_tag(name:"risk_factor", value:"High");
+ script_name("Microsoft Windows Components Remote Code Execution Vulnerabilities (2570947)");
+ desc = "
+ Overview: This host has important security update missing according to
+ Microsoft Bulletin MS11-071.
+
+ Vulnerability Insight:
+ The flaw exists when specific Windows components incorrectly restrict the
+ path used for loading external libraries. An attacker can exploit this
+ issue by enticing an unsuspecting victim to open a file on a remote SMB
+ or WebDAV share.
+
+ Impact:
+ Successful exploitation could allow remote attacker to execute arbitrary
+ code by enticing an unsuspecting victim to open a file on a remote SMB or
+ WebDAV share.
+
+ Impact Level: System
+
+ Affected Software/OS:
+ Microsoft Windows 7 Service Pack 1 and prior.
+ Microsoft Windows XP Service Pack 3 and prior.
+ Microsoft Windows 2003 Service Pack 2 and prior.
+ Microsoft Windows Vista Service Pack 2 and prior.
+ Microsoft Windows Server 2008 Service Pack 2 and prior.
+
+ Fix:
+ Run Windows Update and update the listed hotfixes or download and
+ update mentioned hotfixes in the advisory from the below link,
+ http://technet.microsoft.com/en-us/security/bulletin/ms11-071
+
+ References:
+ http://support.microsoft.com/kb/2570947
+ http://technet.microsoft.com/en-us/security/bulletin/ms11-071
+ ";
+
+ script_description(desc);
+ script_summary("Check for the registry and vulnerable file version");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (C) 2011 SecPod");
+ script_family("Windows : Microsoft Bulletins");
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_ports(139, 445);
+ exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
+
+## Check for OS and Service Pack
+if(hotfix_check_sp(xp:4, win2003:3, winVista:3, win2008:3, win7:1) <= 0){
+ exit(0);
+}
+
+res = hotfix_missing(name:"2570947");
+
+## MS11-071 Hotfix (2570947)
+if(res == 0){
+ exit(0);
+}
+
+## For XP and 2003 only registry changes
+if((hotfix_check_sp(xp:4, win2003:3) == 1) && res == 1)
+{
+ security_hole(0);
+ exit(0);
+}
+
+## Get System Path
+sysPath = smb_get_systemroot();
+if(!sysPath ){
+ exit(0);
+}
+
+## Get Version from Imjpapi.dll files version
+sysVer = fetch_file_version(sysPath:sysPath,
+ file_name:"\System32\IME\IMEJP10\Imjpapi.dll");
+if(!sysVer){
+ exit(0);
+}
+
+## Windows Vista and Windows Server 2008
+if(hotfix_check_sp(winVista:3, win2008:3) > 0)
+{
+ SP = get_kb_item("SMB/WinVista/ServicePack");
+
+ if(!SP) {
+ SP = get_kb_item("SMB/Win2008/ServicePack");
+ }
+
+ if("Service Pack 2" >< SP)
+ {
+ ## Check for Imjpapi.dll version
+ if(version_in_range(version:sysVer, test_version:"10.0.6002.18000", test_version2:"10.0.6002.18494")||
+ version_in_range(version:sysVer, test_version:"10.0.6002.22000", test_version2:"10.0.6002.22683")){
+ security_hole(0);
+ }
+ exit(0);
+ }
+ security_hole(0);
+}
+
+## Windows 7
+else if(hotfix_check_sp(win7:1) > 0)
+{
+ ## Check for Imjpapi.dll version
+ if(version_in_range(version:sysVer, test_version:"10.1.7600.16000", test_version2:"10.1.7600.16855")||
+ version_in_range(version:sysVer, test_version:"10.1.7600.20000", test_version2:"10.1.7600.21015")||
+ version_in_range(version:sysVer, test_version:"10.1.7601.17000", test_version2:"10.1.7601.17657")||
+ version_in_range(version:sysVer, test_version:"10.1.7601.21000", test_version2:"10.1.7601.21778")){
+ security_hole(0);
+ }
+}
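Review bot: The Vista/2008 branch at lines 1010–1019 raises a hole whenever SP is anything other than "Service Pack 2", and that includes the case where neither KB lookup at lines 1004–1008 returned a value, so a host whose service pack simply was not detected is reported vulnerable without any file-version evidence. Whether an unset key means RTM or a failed detection cannot be told from here, so I would bail out rather than report: add `if(!SP) exit(0);` after the fallback lookup at line 1008. Separately, the whole test hinges on `\System32\IME\IMEJP10\Imjpapi.dll` being present (lines 995–999); where that file is absent the script exits silently, so if the bulletin covers components other than this IME that is a false-negative path worth marking with a comment such as `## NOTE: only the IMEJP10 Imjpapi.dll is checked; hosts without it are never reported`.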
Added: trunk/openvas-plugins/scripts/secpod_ms11-072.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms11-072.nasl 2011-09-14 13:59:31 UTC (rev 11613)
+++ trunk/openvas-plugins/scripts/secpod_ms11-072.nasl 2011-09-14 14:05:49 UTC (rev 11614)
@@ -0,0 +1,204 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_ms11-072.nasl 17074 2011-09-14 10:10:09Z sep $
+#
+# Microsoft Office Excel Remote Code Execution Vulnerabilities (2587505)
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(902727);
+ script_version("$Revision: 1.0$");
+ script_cve_id("CVE-2011-1986", "CVE-2011-1987", "CVE-2011-1988",
+ "CVE-2011-1989", "CVE-2011-1990");
+ script_bugtraq_id(49476, 49477, 49478, 49518, 49517);
+ script_tag(name:"cvss_base", value:"10.0");
+ script_tag(name:"risk_factor", value:"Critical");
+ script_name("Microsoft Office Excel Remote Code Execution Vulnerabilities (2587505)");
+ desc = "
+ Overview: This host has important security update missing according to
+ Microsoft Bulletin MS11-072.
+
+ Vulnerability Insight:
+ The flaws are caused by memory corruption, array-indexing and use-after-free
+ errors when handling the crafted Excel files.
+
+ Impact:
+ Successful exploitation could allow attackers to execute arbitrary code
+ with the privileges of the user running the affected application.
+
+ Impact Level: System/Application
+
+ Affected Software/OS:
+ Microsoft Excel 2003 Service Pack 3
+ Microsoft Excel 2007 Service Pack 2
+ Microsoft Office 2007 Service Pack 2
+ Microsoft Excel Viewer Service Pack 2
+ Microsoft Excel 2010 Service Pack 1 and prior
+ Microsoft Office 2010 Service Pack 1 and prior
+ Excel Services installed on Microsoft Office SharePoint Server 2007 Service Pack 2
+ Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 2
+
+ Fix:
+ Run Windows Update and update the listed hotfixes or download and
+ update mentioned hotfixes in the advisory from the below link,
+ http://technet.microsoft.com/en-us/security/bulletin/ms11-072
+
+ References:
+ http://secunia.com/advisories/45932/
+ http://support.microsoft.com/kb/2553072
+ http://support.microsoft.com/kb/2553073
+ http://support.microsoft.com/kb/2553089
+ http://technet.microsoft.com/en-us/security/bulletin/ms11-072 ";
+
+ script_description(desc);
+ script_summary("Check for the version of vulnerable files");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (C) 2011 SecPod");
+ script_family("Windows : Microsoft Bulletins");
+ script_dependencies("secpod_office_products_version_900032.nasl",
+ "secpod_ms_office_detection_900025.nasl");
+ script_require_keys("SMB/Office/Excel/Version", "MS/Office/Ver",
+ "SMB/Office/XLView/Version");
+ script_require_ports(139, 445);
+ exit(0);
+}
+
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
+
+# Check for Office Excel 2003/2007/2010
+excelVer = get_kb_item("SMB/Office/Excel/Version");
+if(excelVer =~ "^(11|12|14)\..*")
+{
+ # Check version Excel.exe
+ if(version_in_range(version:excelVer, test_version:"11.0", test_version2:"11.0.8340.0") ||
+ version_in_range(version:excelVer, test_version:"12.0", test_version2:"12.0.6565.5002") ||
+ version_in_range(version:excelVer, test_version:"14.0", test_version2:"14.0.6106.5004"))
+ {
+ security_hole(0);
+ exit(0);
+ }
+}
+
+# Microsoft Office Excel Viewer 2007
+excelVer = get_kb_item(name:"SMB/Office/XLView/Version");
+if(!isnull(excelVer))
+{
+ # check for Xlview.exe version
+ if(version_in_range(version:excelVer, test_version:"12.0", test_version2:"12.0.6565.4999"))
+ {
+ security_hole(0);
+ exit(0);
+ }
+}
+
+# Check for Office Compatibility Pack 2007
+if(get_kb_item("SMB/Office/ComptPack/Version") =~ "^12\..*")
+{
+ xlcnvVer = get_kb_item("SMB/Office/XLCnv/Version");
+ if(xlcnvVer)
+ {
+ # Check for Office Excel Converter 2007 version 12.0 < 12.0.6565.5003
+ if(version_in_range(version:xlcnvVer, test_version:"12.0", test_version2:"12.0.6565.5002"))
+ {
+ security_hole(0);
+ exit(0);
+ }
+ }
+}
+
+# Microsoft Office 2007 Service Pack 2 and
+# Microsoft Office 2010 Service Pack 1 and prior
+if(get_kb_item("MS/Office/Ver") =~ "^[12|14].*")
+{
+ ## Get the file version
+ path12 = registry_get_sz(key:"SOFTWARE\Microsoft\Office\12.0\Access\InstallRoot",
+ item:"Path");
+ if(path12)
+ {
+ ## Get the file versions
+ ort12Ver = fetch_file_version(sysPath:path12, file_name:"Oart.dll");
+ ortconv12Ver = fetch_file_version(sysPath:path12, file_name:"Oartconv.dll");
+ if(!isnull(ort12Ver) || !isnull(ortconv12Ver))
+ {
+ ## Check the Oart.dll and Oartconv.dll files version
+ if(version_in_range(version:ort12Ver, test_version:"12", test_version2:"12.0.6565.4999") ||
+ version_in_range(version:ortconv12Ver, test_version:"12", test_version2:"12.0.6565.4999"))
+ {
+ security_hole(0);
+ exit(0);
+ }
+ }
+ }
+
+ ## Get the file version
+ path14 = registry_get_sz(key:"SOFTWARE\Microsoft\Office\14.0\Access\InstallRoot",
+ item:"Path");
+ if(path14)
+ {
+ ## Get the file versions
+ ort14Ver = fetch_file_version(sysPath:path14, file_name:"Oart.dll");
+ ortconv14Ver = fetch_file_version(sysPath:path14, file_name:"Oartconv.dll");
+ if(!isnull(ort14Ver) || !isnull(ortconv14Ver))
+ {
+ ## Check the Oart.dll and Oartconv.dll files version
+ if(version_in_range(version:ort14Ver, test_version:"14", test_version2:"14.0.6106.5004") ||
+ version_in_range(version:ortconv14Ver, test_version:"14", test_version2:"14.0.6106.5004"))
+ {
+ security_hole(0);
+ exit(0);
+ }
+ }
+ }
+}
+
+## Microsoft Office Share Point server
+## Check for the existence of the server
+key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\";
+if(!registry_key_exists(key:key)) {
+ exit(0);
+}
+
+foreach item (registry_enum_keys(key:key))
+{
+ appName = registry_get_sz(item:"DisplayName", key:key + item);
+ if("Microsoft Office SharePoint Server 2007" >< appName)
+ {
+ dllPath = registry_get_sz(key:"SOFTWARE\Microsoft\Windows\CurrentVersion",
+ item:"CommonFilesDir");
+ if(dllPath)
+ {
+ dllPath += "\System\Ole DB";
+ dllVer = fetch_file_version(sysPath:dllPath, file_name:"Msmdcb80.dll");
+ if(dllVer)
+ {
+ ## Grep for Msmdcb80.dll versions
+ if(version_in_range(version:dllVer, test_version:"8.0", test_version2:"8.0.2277.0")){
+ security_hole(0);
+ }
+ }
+ }
+ }
+}
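Review bot: `script_require_keys` at lines 1117–1118 lists three keys, and as far as I know every listed key must be set for the script to be scheduled, so a host with Excel but no Excel Viewer (or the reverse) is never scanned by this plugin at all, a silent false negative for the common layout. The body already tolerates a missing item for each product (lines 1130, 1144, 1155, 1171), and the SharePoint branch at lines 1214–1241 needs none of these keys, so the gate should be reduced to `script_require_keys("MS/Office/Ver");` or dropped entirely in favour of the dependencies already declared at lines 1115–1116. Also, the pattern `"^[12|14].*"` at line 1171 is a bracket character class, not an alternation; it matches any version beginning with 1, 2, 4 or a literal `|`, and should read `"^(12|14)\..*"` as line 1130 already does.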
Added: trunk/openvas-plugins/scripts/secpod_ms11-073.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms11-073.nasl 2011-09-14 13:59:31 UTC (rev 11613)
+++ trunk/openvas-plugins/scripts/secpod_ms11-073.nasl 2011-09-14 14:05:49 UTC (rev 11614)
@@ -0,0 +1,114 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_ms11-073.nasl 17075 2011-09-14 11:11:11Z sep $
+#
+# Microsoft Office Remote Code Execution Vulnerabilites (2587634)
+#
+# Authors:
+# Sooraj KS <kssooraj at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(902567);
+ script_version("$Revision: 1.0$");
+ script_tag(name:"cvss_base", value:"9.3");
+ script_tag(name:"risk_factor", value:"Critical");
+ script_cve_id("CVE-2011-1980", "CVE-2011-1982");
+ script_bugtraq_id(49513, 49519);
+ script_name("Microsoft Office Remote Code Execution Vulnerabilites (2587634)");
+ desc = "
+ Overview: This host has important security update missing according to
+ Microsoft Bulletin MS11-073.
+
+ Vulnerability Insight:
+ - The flaw is caused due to the application loading libraries in an
+ insecure manner when attempting to validate an opened file. This can be
+ exploited to load arbitrary libraries by tricking a user into opening a
+ PPT file located on a remote WebDAV or SMB share.
+ - An error when parsing unspecified data can be exploited to dereference an
+ uninitialised value as an object pointer via a specially crafted Word
+ document.
+
+ Impact:
+ Successful exploitation could allow attackers to execute arbitrary code as
+ the logged-on user.
+
+ Impact Level: System/Application
+
+ Affected Software/OS:
+ Microsoft Office 2003 Service Pack 3
+ Microsoft Office 2007 Service Pack 2
+ Microsoft Office 2010 Service Pack 1 and prior.
+
+ Fix:
+ Run Windows Update and update the listed hotfixes or download and
+ update mentioned hotfixes in the advisory from the below link,
+ http://technet.microsoft.com/en-us/security/bulletin/ms11-073
+
+ References:
+ http://secunia.com/advisories/45020
+ http://www.securitytracker.com/id/1026039
+ http://technet.microsoft.com/en-us/security/bulletin/ms11-073 ";
+
+ script_description(desc);
+ script_summary("Check for the version of Mso.dll file");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (C) 2011 SecPod");
+ script_family("Windows : Microsoft Bulletins");
+ script_dependencies("secpod_office_products_version_900032.nasl");
+ script_require_ports(139, 445);
+ exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
+
+## MS Office 2003, 2007, 2010
+if(get_kb_item("MS/Office/Ver") =~ "^[11|12|14].*")
+{
+ ## Get Office File Path
+ path = registry_get_sz(key:"SOFTWARE\Microsoft\Windows\CurrentVersion",
+ item:"CommonFilesDir");
+ if(! path) {
+ exit(0);
+ }
+
+ foreach ver (make_list("OFFICE11", "OFFICE12", "OFFICE14"))
+ {
+ ## Get Version from Mso.dll
+ offPath = path + "\Microsoft Shared\" + ver;
+ dllVer = fetch_file_version(sysPath:offPath, file_name:"Mso.dll");
+
+ if(dllVer)
+ {
+ ## Grep for Mso.dll versions
+ if(version_in_range(version:dllVer, test_version:"11.0", test_version2:"11.0.8340.0") ||
+ version_in_range(version:dllVer, test_version:"12.0", test_version2:"12.0.6562.5002")||
+ version_in_range(version:dllVer, test_version:"14.0", test_version2:"14.0.6106.5004"))
+ {
+ security_hole(0);
+ exit(0);
+ }
+ }
+ }
+}
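Review bot: The version gate at line 1333, `"^[11|12|14].*"`, is a bracket character class rather than an alternation, so it matches any `MS/Office/Ver` beginning with 1, 2, 4 or a literal `|` instead of the three intended major versions; because the loop at line 1342 probes all three OFFICE directories anyway the practical effect is only a looser gate than intended, but it should read `if(get_kb_item("MS/Office/Ver") =~ "^(11|12|14)\..*")`. Worth one line of documentation too: the check inspects only Mso.dll under CommonFilesDir (lines 1336–1346), and whether that covers every layout listed at lines 1301–1304 is not verifiable from here, so a comment such as `## NOTE: only Mso.dll under CommonFilesDir\Microsoft Shared\OFFICE1x is inspected` would keep the next reader from assuming wider coverage.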
Added: trunk/openvas-plugins/scripts/secpod_ms11-074.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms11-074.nasl 2011-09-14 13:59:31 UTC (rev 11613)
+++ trunk/openvas-plugins/scripts/secpod_ms11-074.nasl 2011-09-14 14:05:49 UTC (rev 11614)
@@ -0,0 +1,185 @@
+########i#######################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_ms11-074.nasl 17076 2011-09-14 17076 10:40:09Z sep $
+#
+# Microsoft SharePoint Multiple Privilege Escalation Vulnerabilities (2451858)
+#
+# Authors:
+# Rachana Shetty <srachana at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(902625);
+ script_version("$Revision: 1.0$");
+ script_cve_id("CVE-2011-0653", "CVE-2011-1252", "CVE-2011-1890", "CVE-2011-1891",
+ "CVE-2011-1892", "CVE-2011-1893");
+ script_bugtraq_id(49002, 48199, 49010, 49005, 49511, 49004);
+ script_tag(name:"cvss_base", value:"10.0");
+ script_tag(name:"risk_factor", value:"Critical");
+ script_name("Microsoft SharePoint Multiple Privilege Escalation Vulnerabilities (2451858)");
+ desc = "
+ Overview: This host has important security update missing according to
+ Microsoft Bulletin MS11-074.
+
+ Vulnerability Insight:
+ Multiple flaws are due to the way Microsoft SharePoint validates and
+ sanitizes user input, parses malicious XML and XSL files and handles
+ script contained inside of specific request parameter.
+
+ Impact:
+ Successful exploitation could allow remote attackers to execute arbitrary
+ code on the system with elevated privileges via a specially crafted URL or
+ or a crafted Web site.
+
+ Impact Level: System/Application
+
+ Affected Software/OS:
+ Microsoft Windows SharePoint Services 2.0
+ Microsoft Groove 2007 Service Pack 2 and prior
+ Microsoft Office SharePoint Server 2007 Service Pack 2
+ Microsoft Windows SharePoint Services 3.0 Service Pack 2
+ Microsoft Office SharePoint Workspace 2010 Service Pack 1 and prior
+
+ Fix:
+ Run Windows Update and update the listed hotfixes or download and
+ update mentioned hotfixes in the advisory from the below link,
+ http://www.microsoft.com/technet/security/bulletin/ms11-074.mspx
+
+ References:
+ http://support.microsoft.com/kb/2451858
+ http://www.microsoft.com/technet/security/bulletin/ms11-074.mspx ";
+
+ script_description(desc);
+ script_summary("Check for the vulnerable file version");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (C) 2011 SecPod");
+ script_family("Windows : Microsoft Bulletins");
+ script_dependencies("secpod_reg_enum.nasl", "secpod_office_products_version_900032.nasl");
+ script_require_ports(139, 445);
+ exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
+
+
+## MS11-074 Hotfix (2451858)
+
+if(hotfix_missing(name:"2451858") == 0){
+# exit(0);
+}
+
+## Microsoft Groove 2007
+exeVer = get_kb_item("SMB/Office/Groove/Version");
+if(exeVer =~ "^12\..*")
+{
+ # Grep for GROOVE.EXE version 12.0 < 12.0.6552.5000
+ if(version_in_range(version:exeVer, test_version:"12.0", test_version2:"12.0.6552.4999"))
+ {
+ security_hole(0);
+ exit(0);
+ }
+}
+
+## Microsoft SharePoint Server 2007
+key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\";
+if(registry_key_exists(key:key))
+{
+ foreach item (registry_enum_keys(key:key))
+ {
+ appName = registry_get_sz(item:"DisplayName", key:key + item);
+ if("Microsoft Office SharePoint Server 2007" >< appName)
+ {
+ dllPath = registry_get_sz(item:"BinPath",
+ key:"SOFTWARE\Microsoft\Office Server\12.0");
+ vers = fetch_file_version(sysPath:dllPath, file_name:"Microsoft.sharepoint.publishing.dll");
+ if(vers)
+ {
+ ## Check for Microsoft.sharepoint.publishing.dl version < 12.0.6562.5000
+ if(version_is_less(version:vers, test_version:"12.0.6562.5000"))
+ {
+ security_hole(0);
+ exit(0);
+ }
+ }
+ }
+ }
+}
+
+## Microsoft Windows SharePoint Services
+if(registry_key_exists(key:key))
+{
+ foreach item (registry_enum_keys(key:key))
+ {
+ srvcName = registry_get_sz(item:"DisplayName", key:key + item);
+ if("Microsoft Windows SharePoint Services" >< srvcName)
+ {
+ dllPath = registry_get_sz(item:"SharedFilesDir",
+ key:"SOFTWARE\Microsoft\Shared Tools");
+
+ if(dllPath)
+ {
+ dllPath1 = dllPath + "web server extensions\12\BIN";
+ dllPath2 = dllPath + "web server extensions\60\BIN";
+ dllVer1 = fetch_file_version(sysPath:dllPath1, file_name:"Onetutil.dll");
+ dllVer2 = fetch_file_version(sysPath:dllPath2, file_name:"Onetutil.dll");
+
+ if(dllVer1 || dllVer2)
+ {
+ ## Check for onetutil.dll version < 12.0.6565.5001 for Sharepoint services 3.0
+ ## Check for onetutil.dll version < 11.0.8339.0 for Sharepoint services 2.0
+ if(version_in_range(version:dllVer2, test_version:"11.0", test_version2:"11.0.8339.0") ||
+ version_in_range(version:dllVer1, test_version:"12.0", test_version2:"12.0.6565.5000"))
+ {
+ security_hole(0);
+ exit(0);
+ }
+ }
+ }
+ }
+}
+}
+
+
+## Microsoft SharePoint Workspace 2010
+key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office14.GROOVER";
+if(!registry_key_exists(key:key)) {
+ exit(0);
+}
+
+worksName = registry_get_sz(item:"DisplayName", key:key);
+if("Microsoft SharePoint Workspace 2010" >< worksName)
+{
+ worksPath = registry_get_sz(key:key,item:"InstallLocation");
+ worksPath += "Office14";
+ worksVer = fetch_file_version(sysPath:worksPath, file_name:"GROOVE.exe");
+ if(worksVer && worksVer =~ "^14\..*")
+ {
+ ## Check for Groove.exe version < 14.0.6106.5000
+ if(version_is_less(version:worksVer, test_version:"14.0.6106.5000"))
+ {
+ security_hole(0);
+ exit(0);
+ }
+ }
+}
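Review bot: The hotfix gate at lines 1453–1455 is a no-op because its only statement, `exit(0)`, is commented out, so unlike the other bulletin plugins in this commit the script runs the file-version checks whether or not KB2451858 is reported installed; if that is intentional (file versions being authoritative) the dead block should be removed, otherwise `exit(0);` should be restored, and either way a comment should say which. The Workspace 2010 branch at line 1538 also appends `"Office14"` to the result of `registry_get_sz(...)` without the null check that line 1505 applies to the same kind of lookup, so a missing InstallLocation value yields a bogus relative path; add `if(!worksPath) exit(0);` before line 1539. That line and lines 1507–1508 further assume the registry value ends with a path separator, which I cannot confirm from here. Cosmetic: line 1366 has a stray `i` in the banner and line 1368 repeats `17076` in the $Id$ line.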