[Openvas-commits] r13219 - in trunk/openvas-plugins: . scripts
Wed Apr 11 17:04:24 CEST 2012
Author: antu123
Date: 2012-04-11 17:04:23 +0200 (Wed, 11 Apr 2012)
New Revision: 13219
Added:
trunk/openvas-plugins/scripts/gb_distinct_tftp_server_dir_trav_vuln.nasl
trunk/openvas-plugins/scripts/gb_jre_detect_macosx.nasl
trunk/openvas-plugins/scripts/gb_jre_mult_vuln_macosx.nasl
trunk/openvas-plugins/scripts/gb_ms_smb_signing_disabled.nasl
trunk/openvas-plugins/scripts/secpod_ms12-023.nasl
trunk/openvas-plugins/scripts/secpod_ms12-024.nasl
trunk/openvas-plugins/scripts/secpod_ms12-025.nasl
trunk/openvas-plugins/scripts/secpod_ms12-027.nasl
trunk/openvas-plugins/scripts/secpod_ms12-028.nasl
Modified:
trunk/openvas-plugins/ChangeLog
trunk/openvas-plugins/scripts/secpod_ms_smb_signing_info_disc_vuln.nasl
Log:
Added Microsoft bulletin plugins for April 2012 (MS12-023, -024, -025, -027, -028), added new plugins (Distinct TFTP traversal, JRE detection and vulnerability checks for Mac OS X, SMB signing disabled), and updated secpod_ms_smb_signing_info_disc_vuln.nasl to check for Microsoft KB 916846.
Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog 2012-04-11 11:27:00 UTC (rev 13218)
+++ trunk/openvas-plugins/ChangeLog 2012-04-11 15:04:23 UTC (rev 13219)
@@ -1,3 +1,23 @@
+2012-04-11 Antu Sanadi <santu at secpod.com>
+
+ * scripts/gb_distinct_tftp_server_dir_trav_vuln.nasl,
+ scripts/gb_jre_mult_vuln_macosx.nasl,
+ scripts/gb_jre_detect_macosx.nasl,
+ scripts/gb_ms_smb_signing_disabled.nasl:
+ Added new plugins.
+
+ * scripts/secpod_ms_smb_signing_info_disc_vuln.nasl:
+ Updated to check for Microsoft kb 916846, Removed SMB
+ signing disabled checking and added new NVT
+ gb_ms_smb_signing_disabled.nasl for checking SMB signing disabled.
+
+ * scripts/secpod_ms12-023.nasl,
+ scripts/secpod_ms12-025.nasl,
+ scripts/secpod_ms12-024.nasl,
+ scripts/secpod_ms12-028.nasl,
+ scripts/secpod_ms12-027.nasl:
+ Added Microsoft bulletin plugins April 2012
+
2012-04-11 Michael Meyer <michael.meyer at greenbone.net>
* scripts/smb_reg_service_pack.nasl:
Added: trunk/openvas-plugins/scripts/gb_distinct_tftp_server_dir_trav_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_distinct_tftp_server_dir_trav_vuln.nasl (rev 0)
+++ trunk/openvas-plugins/scripts/gb_distinct_tftp_server_dir_trav_vuln.nasl 2012-04-11 15:04:23 UTC (rev 13219)
@@ -0,0 +1,100 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Distinct TFTP Server Directory Traversal Vulnerability
+#
+# Authors:
+# Sooraj KS <kssooraj at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(802623);
+ script_bugtraq_id(52938);
+ script_version("$Revision$");
+ script_tag(name:"cvss_base", value:"5.0");
+ script_tag(name:"risk_factor", value:"Medium");
+ script_tag(name:"last_modification", value:"$Date$");
+ script_tag(name:"creation_date", value:"2012-04-09 15:15:15 +0530 (Mon, 09 Apr 2012)");
+ script_name("Distinct TFTP Server Directory Traversal Vulnerability");
+ desc = "
+ Overview: This host is running Distinct TFTP Server and is prone to directory
+ traversal vulnerability.
+
+ Vulnerability Insight:
+ The flaw is caused due an input validation error within the TFTP service
+ and can be exploited to download or manipulate files in arbitrary locations
+ outside the TFTP root via specially crafted directory traversal sequences.
+
+ Impact:
+ Successful exploitation allows an attacker to obtain sensitive information
+ and launch further attacks.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ Distinct TFTP Server version 3.01 and prior
+
+ Fix: No solution or patch is available as on 09th April, 2012. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates refer, http://www.distinct.com
+
+ References:
+ http://osvdb.org/80984
+ http://www.securityfocus.com/bid/52938
+ http://www.exploit-db.com/exploits/18718
+ http://www.spentera.com/advisories/2012/SPN-01-2012.pdf";
+
+ script_description(desc);
+ script_summary("Check for the directory traversal attack on Distinct TFTP Server");
+ script_category(ACT_ATTACK);
+ script_copyright("This script is Copyright (C) 2012 Greenbone Networks GmbH");
+ script_family("Remote file access");
+ script_require_keys("Services/udp/tftp");
+ exit(0);
+}
+
+
+include("tftp.inc");
+include("network_func.inc");
+
+## Variable Initialization
+port = 0;
+res = "";
+
+## Check for tftp service
+port = get_kb_item("Services/udp/tftp");
+if(!port){
+ port = 69;
+}
+
+## Check Port State
+if(!check_udp_port_status(dport:port)){
+ exit(0);
+}
+
+## Try Directory traversal Attack
+res = tftp_get(path:"../../../../../../../../../../../../../../boot.ini",
+ port:port);
+
+## Confirm exploit worked by checking the response
+if("[boot loader]" >< res){
+ security_warning(port);
+}
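Review bot: The single probe at L148 only proves the traversal when the host has `C:\boot.ini`, so a Distinct TFTP Server on Vista, 2008 or 7 (which do not ship boot.ini) or with its root on a non-system drive is reported clean even though the directory traversal itself works. A second request for a file present on every Windows release would close that gap, e.g. `res2 = tftp_get(path:"../../../../../../../../../../../../../../windows/win.ini", port:port);` followed by `if("[boot loader]" >< res || "[fonts]" >< res2 || "[extensions]" >< res2) security_warning(port);`. Note also that the check is not product-specific: any TFTP daemon that allows traversal will trigger it, which is acceptable for an ACT_ATTACK test, but the report attributes the finding to Distinct TFTP Server without fingerprinting it — a sentence in the description saying so would keep the result honest.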
Property changes on: trunk/openvas-plugins/scripts/gb_distinct_tftp_server_dir_trav_vuln.nasl
___________________________________________________________________
Added: svn:keywords
+ Revision Date Id
Added: trunk/openvas-plugins/scripts/gb_jre_detect_macosx.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_jre_detect_macosx.nasl (rev 0)
+++ trunk/openvas-plugins/scripts/gb_jre_detect_macosx.nasl 2012-04-11 15:04:23 UTC (rev 13219)
@@ -0,0 +1,107 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Java Runtime Environment (JRE) Version Detection (Mac OS X)
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+SCRIPT_OID = "1.3.6.1.4.1.25623.1.0.802736";
+
+if(description)
+{
+ script_oid(SCRIPT_OID);
+ script_version("$Revision$");
+ script_tag(name:"cvss_base", value:"0.0");
+ script_tag(name:"risk_factor", value:"None");
+ script_tag(name:"detection", value:"executable version check");
+ script_tag(name:"last_modification", value:"$Date$");
+ script_tag(name:"creation_date", value:"2012-04-06 18:27:52 +0530 (Fri, 06 Apr 2012)");
+
+ script_name("Java Runtime Environment (JRE) Version Detection (Mac OS X)");
+ script_description("Detection of installed version of Java.
+
+The script logs in via ssh, and gets the version via command line option
+'java -version'.");
+
+ script_summary("Detection of installed version of JRE on Mac OS X)");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (c) 2012 Greenbone Networks GmbH");
+ script_dependencies("gather-package-list.nasl");
+ script_family("Product detection");
+ script_mandatory_keys("login/SSH/success", "ssh/login/osx_name");
+ exit(0);
+}
+
+
+include("ssh_func.inc");
+include("version_func.inc");
+include("cpe.inc");
+include("host_details.inc");
+
+## Variable Initialization
+sock = 0;
+javaVer = NULL;
+cpe = NULL;
+
+## Checking OS
+sock = ssh_login_or_reuse_connection();
+if(!sock) {
+ if (defined_func("error_message"))
+ error_message(port:port, data:"Failed to open ssh port.");
+ exit(-1);
+}
+
+## Checking for Mac OS X
+if (!get_kb_item("ssh/login/osx_name")){
+ exit(0);
+}
+
+## Get the version Java
+javaVer = chomp(ssh_cmd(socket:sock, cmd:"java -version"));
+
+## Close Socket
+close(sock);
+
+## Exit if version not found
+if(isnull(javaVer) || "command not found" >< javaVer){
+ exit(0);
+}
+
+javaVer = eregmatch(pattern:'java version "([0-9.]+_?[0-9]+)', string:javaVer);
+if(javaVer[1])
+{
+ ## build cpe and store it as host_detail
+ cpe = build_cpe(value:javaVer[1], exp:"^([0-9.]+_?[0-9]+)", base:"cpe:/a:oracle:jre:");
+ if(!isnull(cpe))
+ register_product(cpe:cpe, location:'/System/Library/Java/JavaVirtualMachines', nvt:SCRIPT_OID);
+ else
+ cpe = "Failed";
+
+
+ ## Set the version in KB
+ set_kb_item(name: "JRE/MacOSX/Version", value:javaVer[1]);
+ log_message(data:'Detected Java version: ' + javaVer[1] +
+ '\nLocation: /System/Library/Java/JavaVirtualMachines' +
+ '\nCPE: '+ cpe +
+ '\n\nConcluded from version identification result:\n' +
+ "Java " + javaVer[1]);
+}
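Review bot: `error_message(port:port, data:"Failed to open ssh port.")` at L232 passes `port`, which is never assigned anywhere in this script (the only locals declared at L224-L226 are `sock`, `javaVer` and `cpe`), so the message goes out with a null port; either drop the argument or resolve it first, e.g. `port = get_kb_item("Services/ssh"); if(!port) port = 22;` before the login. On most JVMs `java -version` writes to stderr, and whether `ssh_cmd` captures stderr is not visible here — worth confirming, because if it does not the script exits silently at L248-L250 with nothing logged. The OS check at L237 runs only after the SSH session has been opened at L229, so every non-OS-X host pays for a login despite `ssh/login/osx_name` already being mandatory at L213; moving the check ahead of `ssh_login_or_reuse_connection()` (or dropping it) removes the redundant connection.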
Property changes on: trunk/openvas-plugins/scripts/gb_jre_detect_macosx.nasl
___________________________________________________________________
Added: svn:keywords
+ Revision Date Id
Added: trunk/openvas-plugins/scripts/gb_jre_mult_vuln_macosx.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_jre_mult_vuln_macosx.nasl (rev 0)
+++ trunk/openvas-plugins/scripts/gb_jre_mult_vuln_macosx.nasl 2012-04-11 15:04:23 UTC (rev 13219)
@@ -0,0 +1,93 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Java Runtime Environment Multiple Vulnerabilities (MAC OS X)
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(802738);
+ script_version("$Revision$");
+ script_cve_id("CVE-2011-3563", "CVE-2011-5035", "CVE-2012-0497", "CVE-2012-0498",
+ "CVE-2012-0499", "CVE-2012-0500", "CVE-2012-0501", "CVE-2012-0502",
+ "CVE-2012-0503", "CVE-2012-0505", "CVE-2012-0506", "CVE-2012-0507");
+ script_bugtraq_id(52012, 51194, 52009, 52019, 52016, 52015, 52013, 52018,
+ 52013, 52017, 52014, 52161);
+ script_tag(name:"cvss_base", value:"10.0");
+ script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");
+ script_tag(name:"risk_factor", value:"Critical");
+ script_tag(name:"last_modification", value:"$Date$");
+ script_tag(name:"creation_date", value:"2012-04-09 17:06:23 +0530 (Mon, 09 Apr 2012)");
+ script_name("Java Runtime Environment Multiple Vulnerabilities (MAC OS X)");
+ desc = "
+ Overview: The host is installed with Java Runtime Environment and is prone to
+ multiple vulnerabilities.
+
+ Vulnerability Insight:
+ The flaws are caused due to multiple unspecified errors in th application.
+
+ Impact:
+ Successful exploitation could allow attackers to cause a denial of service or
+ possibly execute arbitrary code.
+
+ Impact Level: System/Application
+
+ Affected Software/OS:
+ Java Runtime Environment (JRE) version 1.6.0_29
+
+ Fix: Upgrade to Java Runtime Environment (JRE) version 1.6.0_31 or later
+ For updates refer, http://www.oracle.com/technetwork/java/javase/overview/index.html
+
+ References:
+ http://support.apple.com/kb/HT5228
+ http://support.apple.com/kb/HT1222
+ http://packetstormsecurity.org/files/111594/Apple-Security-Advisory-2012-04-03-1.html ";
+
+ script_description(desc);
+ script_copyright("Copyright (c) 2012 Greenbone Networks GmbH");
+ script_summary("Check for the version of JRE on MAC OS X");
+ script_category(ACT_GATHER_INFO);
+ script_family("General");
+ script_dependencies("gb_jre_detect_macosx.nasl");
+ script_require_keys("JRE/MacOSX/Version");
+ exit(0);
+}
+
+
+include("version_func.inc");
+
+## Variable Initialization
+javaVer = "";
+
+## Get the version from KB
+javaVer = get_kb_item("JRE/MacOSX/Version");
+if(!javaVer){
+ exit(0);
+}
+
+javaVer = ereg_replace(pattern:"_", string:javaVer, replace: ".");
+
+## Check for Java Version 1.6.0_29
+if(version_is_equal(version:javaVer, test_version:"1.6.0.29")){
+ security_hole(0);
+}
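Review bot: The test at L370 flags only an exact 1.6.0_29 (normalised to 1.6.0.29), so an older Java 6 update still present on the host — e.g. 1.6.0_26 from an earlier Apple Java update — is reported as not affected, although the fix text at L337 says everything before 1.6.0_31 is; `if(version_is_less(version:javaVer, test_version:"1.6.0.31")){` catches every unpatched build while keeping the same KB input. The bugtraq list at L313-L314 contains 52013 twice while twelve CVEs are listed, so one ID has presumably been overwritten and should be rechecked against the references. The typo `th application` at L326 should read `the application`.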
Property changes on: trunk/openvas-plugins/scripts/gb_jre_mult_vuln_macosx.nasl
___________________________________________________________________
Added: svn:keywords
+ Revision Date Id
Added: trunk/openvas-plugins/scripts/gb_ms_smb_signing_disabled.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_ms_smb_signing_disabled.nasl (rev 0)
+++ trunk/openvas-plugins/scripts/gb_ms_smb_signing_disabled.nasl 2012-04-11 15:04:23 UTC (rev 13219)
@@ -0,0 +1,83 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Microsoft SMB Signing Disabled
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(802726);
+ script_version("$Revision$");
+ script_tag(name:"cvss_base", value:"0.0");
+ script_tag(name:"risk_factor", value:"None");
+ script_tag(name:"last_modification", value:"$Date$");
+ script_tag(name:"creation_date", value:"2012-04-09 18:56:54 +0530 (Mon, 09 Apr 2012)");
+ script_name("Microsoft SMB Signing Disabled");
+ script_description("Checking for SMB signing is disabled.
+
+The script logs in via smb, checks the SMB Negotiate Protocol response to
+confirm SMB signing is disabled.");
+ script_summary("Check if SMB signing is disabled");
+ script_category(ACT_GATHER_INFO);
+ script_dependencies("smb_login.nasl");
+ script_copyright("Copyright (c) 2012 Greenbone Networks GmbH");
+ script_family("Windows");
+ script_require_ports(139, 445);
+ exit(0);
+}
+
+
+include("smb_nt.inc");
+
+## Variable Initialization
+name = "";
+port = "";
+soc = "";
+response = "";
+prot = "";
+
+## Get name and port
+name = kb_smb_name();
+port = kb_smb_transport();
+
+## Open the socket
+soc = open_sock_tcp(port);
+if(!soc){
+ exit(0);
+}
+
+response = smb_session_request(soc:soc, remote:name);
+if(!response)
+{
+ close(soc);
+ exit(0);
+}
+
+## SMB Negotiate Protocol Response
+## If SMB signing is disabled, then Security Mode: 0x03
+prot = smb_neg_prot(soc:soc);
+close(soc);
+
+if(prot && ord(prot[39]) == 3){
+ log_message(data:"SMB signing is disabled on this host");
+}
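Review bot: The test `ord(prot[39]) == 3` at L462 reports signing as disabled only when the Security Mode byte is exactly 0x03; that byte is a bit field (presumably bit 2 = signatures enabled, bit 3 = signatures required, next to the user-level and encrypt-passwords bits), so a server with share-level security or plaintext passwords and no signing shows 0x00/0x01/0x02 and is missed, while a server with signing enabled but not required (0x07) is treated as fine although it can still be downgraded. Testing the bits is more precise: `if(prot && !(ord(prot[39]) & 0x04)) log_message(data:"SMB signing is disabled on this host");` with a second message when `(ord(prot[39]) & 0x08) == 0` for "enabled but not required". The fixed offset 39 assumes the NetBIOS session header plus NT LM 0.12 negotiate layout returned by `smb_neg_prot`; a guard such as `strlen(prot) > 39` before indexing avoids a bogus `ord()` on a short or dialect-mismatched reply. The description at L419 says the script "logs in via smb", but the code only sends a session request and a negotiate; the text should say it inspects the Negotiate Protocol response.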
Property changes on: trunk/openvas-plugins/scripts/gb_ms_smb_signing_disabled.nasl
___________________________________________________________________
Added: svn:keywords
+ Revision Date Id
Added: trunk/openvas-plugins/scripts/secpod_ms12-023.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms12-023.nasl (rev 0)
+++ trunk/openvas-plugins/scripts/secpod_ms12-023.nasl 2012-04-11 15:04:23 UTC (rev 13219)
@@ -0,0 +1,170 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Microsoft Internet Explorer Multiple Vulnerabilities (2675157)
+#
+# Authors:
+# Rachana Shetty <srachana at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2012 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(902670);
+ script_version("$Revision$");
+ script_cve_id("CVE-2012-0168", "CVE-2012-0169", "CVE-2012-0170", "CVE-2012-0171",
+ "CVE-2012-0172");
+ script_bugtraq_id(52889, 52902, 52904, 52905);
+ script_tag(name:"cvss_base", value:"9.3");
+ script_tag(name:"risk_factor", value:"Critical");
+ script_tag(name:"last_modification", value:"$Date$");
+ script_tag(name:"creation_date", value:"2012-04-11 10:04:47 +0530 (Wed, 11 Apr 2012)");
+ script_name("Microsoft Internet Explorer Multiple Vulnerabilities (2675157)");
+ desc = "
+ Overview: This host has critical security update missing according to
+ Microsoft Bulletin MS12-023.
+
+ Vulnerability Insight:
+ Multiple flaws are caused due to an,
+ - Unspecified error in the Print feature.
+ - Error in the handling of the onReadyStateChange event, VML styles
+ and JScript9 when accessing already deleted.
+
+ Impact:
+ Successful exploitation could allow remote attackers to gain sensitive
+ information or execute arbitrary code in the context of the application.
+
+ Impact Level: System/Application
+
+ Affected Software/OS:
+ Microsoft Internet Explorer version 6.x/7.x/8.x/9.x
+
+ Fix:
+ Run Windows Update and update the listed hotfixes or download and
+ update mentioned hotfixes in the advisory from the below link,
+ http://technet.microsoft.com/en-us/security/bulletin/ms12-023
+
+ References:
+ https://secunia.com/advisories/48724/
+ http://support.microsoft.com/kb/2675157
+ http://www.securitytracker.com/id/1026901
+ http://www.securelist.com/en/advisories/48724
+ http://technet.microsoft.com/en-us/security/bulletin/ms12-023 ";
+
+ script_description(desc);
+ script_summary("Check for the vulnerable 'Mshtml.dll' file version");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (C) 2012 SecPod");
+ script_family("Windows : Microsoft Bulletins");
+ script_dependencies("gb_ms_ie_detect.nasl");
+ script_require_keys("MS/IE/Version");
+ script_require_ports(139, 445);
+ exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
+
+## Variables Initialization
+sysPath = "";
+ieVer = "";
+dllVer = NULL;
+
+## Check for OS and Service Pack
+if(hotfix_check_sp(xp:4, win2003:3, winVista:3, win2008:3, win7:2) <= 0){
+ exit(0);
+}
+
+## Get IE Version from KB
+ieVer = get_kb_item("MS/IE/Version");
+if(!ieVer || !(ieVer =~ "^(6|7|8|9)")){
+ exit(0);
+}
+
+## Get System Path
+sysPath = smb_get_systemroot();
+if(!sysPath ){
+ exit(0);
+}
+
+## Get Version from Mshtml.dll
+dllVer = fetch_file_version(sysPath, file_name:"system32\Mshtml.dll");
+if(!dllVer){
+ exit(0);
+}
+
+## Windows XP
+if(hotfix_check_sp(xp:4) > 0)
+{
+ ## Check for Mshtml.dll version
+ if(version_in_range(version:dllVer, test_version:"6.0.2900.0000", test_version2:"6.0.2900.6196") ||
+ version_in_range(version:dllVer, test_version:"7.0.6000.16000", test_version2:"7.0.6000.17108")||
+ version_in_range(version:dllVer, test_version:"7.0.6000.21000", test_version2:"7.0.6000.21310")||
+ version_in_range(version:dllVer, test_version:"8.0.6001.18000", test_version2:"8.0.6001.19221")||
+ version_in_range(version:dllVer, test_version:"8.0.6001.20000", test_version2:"8.0.6001.23317")){
+ security_hole(0);
+ }
+ exit(0);
+}
+
+## Windows 2003
+else if(hotfix_check_sp(win2003:3) > 0)
+{
+ ## Check for Mshtml.dll version
+ if(version_in_range(version:dllVer, test_version:"6.0.3790.0000", test_version2:"6.0.3790.4968") ||
+ version_in_range(version:dllVer, test_version:"7.0.6000.16000", test_version2:"7.0.6000.17108")||
+ version_in_range(version:dllVer, test_version:"7.0.6000.21000", test_version2:"7.0.6000.21310")||
+ version_in_range(version:dllVer, test_version:"8.0.6001.18000", test_version2:"8.0.6001.19221")||
+ version_in_range(version:dllVer, test_version:"8.0.6001.20000", test_version2:"8.0.6001.23317")){
+ security_hole(0);
+ }
+ exit(0);
+}
+
+## Windows Vista and Windows Server 2008
+else if(hotfix_check_sp(winVista:3, win2008:3) > 0)
+{
+ ## Check for Mshtml.dll version
+ if(version_in_range(version:dllVer, test_version:"7.0.6002.18000", test_version2:"7.0.6002.18590")||
+ version_in_range(version:dllVer, test_version:"7.0.6002.22000", test_version2:"7.0.6002.22804")||
+ version_in_range(version:dllVer, test_version:"8.0.6001.18000", test_version2:"8.0.6001.19221")||
+ version_in_range(version:dllVer, test_version:"8.0.6001.20000", test_version2:"8.0.6001.23317")||
+ version_in_range(version:dllVer, test_version:"9.0.8112.16000", test_version2:"9.0.8112.16442")||
+ version_in_range(version:dllVer, test_version:"9.0.8112.20000", test_version2:"9.0.8112.20547")){
+ security_hole(0);
+ }
+ exit(0);
+}
+
+## Windows 7
+else if(hotfix_check_sp(win7:2) > 0)
+{
+ ## Check for Mshtml.dll version
+ if(version_in_range(version:dllVer, test_version:"8.0.7600.16000", test_version2:"8.0.7600.16967")||
+ version_in_range(version:dllVer, test_version:"8.0.7600.20000", test_version2:"8.0.7600.21157")||
+ version_in_range(version:dllVer, test_version:"8.0.7601.16000", test_version2:"8.0.7601.17784")||
+ version_in_range(version:dllVer, test_version:"8.0.7601.21000", test_version2:"8.0.7601.21930")||
+ version_in_range(version:dllVer, test_version:"9.0.8112.16000", test_version2:"9.0.8112.16442")||
+ version_in_range(version:dllVer, test_version:"9.0.8112.20000", test_version2:"9.0.8112.20547")){
+ security_hole(0);
+ }
+}
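Review bot: The Vulnerability Insight sentence at L519-L520 ends `when accessing already deleted.` with its object missing; the wording apparently intended is `... and JScript9 when accessing already deleted objects.` — confirm against MS12-023 before changing it. The version ranges at L592-L640 carry no explanation of what `test_version2` stands for; a one-line comment above each branch such as `## test_version2 is the last unpatched build for this OS/IE pairing per MS12-023` would spare the next maintainer a trip to the bulletin, assuming that is how the numbers were derived. The Windows 7 branch at L632-L643 is the only one without a trailing `exit(0);`; harmless as the last branch, but adding it keeps the four branches uniform.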
Property changes on: trunk/openvas-plugins/scripts/secpod_ms12-023.nasl
___________________________________________________________________
Added: svn:keywords
+ Revision Date Id
Added: trunk/openvas-plugins/scripts/secpod_ms12-024.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms12-024.nasl (rev 0)
+++ trunk/openvas-plugins/scripts/secpod_ms12-024.nasl 2012-04-11 15:04:23 UTC (rev 13219)
@@ -0,0 +1,147 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Windows Authenticode Signature Remote Code Execution Vulnerability (2653956)
+#
+# Authors:
+# Rachana Shetty <srachana at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2012 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(902669);
+ script_version("$Revision$");
+ script_cve_id("CVE-2012-0151");
+ script_bugtraq_id(52317);
+ script_tag(name:"cvss_base", value:"9.3");
+ script_tag(name:"risk_factor", value:"Critical");
+ script_tag(name:"last_modification", value:"$Date$");
+ script_tag(name:"creation_date", value:"2012-04-11 09:37:03 +0530 (Wed, 11 Apr 2012)");
+ script_name("Windows Authenticode Signature Remote Code Execution Vulnerability (2653956)");
+ desc = "
+ Overview: This host has critical security update missing according to
+ Microsoft Bulletin MS12-024.
+
+ Vulnerability Insight:
+ The flaw is caused due to the way Windows Authenticode Signature Verification
+ function verifies portable executable (PE) files, which can be exploited to
+ add malicious code to the file without invalidating the signature.
+
+ Impact:
+ Successful exploitation could allow remote attackers to execute arbitrary
+ code as the logged-on user.
+
+ Impact Level: System
+
+ Affected Software/OS:
+ Microsoft Windows 7 Service Pack 1 and prior
+ Microsoft Windows XP Service Pack 3 and prior
+ Microsoft Windows 2003 Service Pack 2 and prior
+ Microsoft Windows Vista Service Pack 2 and prior
+ Microsoft Windows Server 2008 Service Pack 2 and prior
+
+ Fix:
+ Run Windows Update and update the listed hotfixes or download and
+ update mentioned hotfixes in the advisory from the below link,
+ http://technet.microsoft.com/en-us/security/bulletin/ms12-024
+
+ References:
+ http://secunia.com/advisories/48581
+ http://support.microsoft.com/kb/2653956
+ http://technet.microsoft.com/en-us/security/bulletin/ms12-024 ";
+
+ script_description(desc);
+ script_summary("Check for the vulnerable 'Wintrust.dll' file version");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (C) 2012 SecPod");
+ script_family("Windows : Microsoft Bulletins");
+ script_dependencies("secpod_reg_enum.nasl");
+ exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
+
+## Variables Initialization
+sysPath = "";
+sysVer = "";
+
+## Check for OS and Service Pack
+if(hotfix_check_sp(xp:4, win2003:3, winVista:3, win2008:3, win7:2) <= 0){
+ exit(0);
+}
+
+## Get System Path
+sysPath = smb_get_systemroot();
+if(! sysPath){
+ exit(0);
+}
+
+## Get Version from Win32k.sys file
+sysVer = fetch_file_version(sysPath, file_name:"system32\Wintrust.dll");
+if(! sysVer){
+ exit(0);
+}
+
+## Windows XP
+if(hotfix_check_sp(xp:4) > 0)
+{
+ ## Check for Wintrust.dll version before 5.131.2600.6198
+ if(version_is_less(version:sysVer, test_version:"5.131.2600.6198")){
+ security_hole(0);
+ }
+ exit(0);
+}
+
+## Windows 2003
+else if(hotfix_check_sp(win2003:3) > 0)
+{
+ ## Check for Wintrust.dll version before 5.131.3790.4970
+ if(version_is_less(version:sysVer, test_version:"5.131.3790.4970")){
+ security_hole(0);
+ }
+ exit(0);
+}
+
+## Windows Vista and Windows Server 2008
+else if(hotfix_check_sp(winVista:3, win2008:3) > 0)
+{
+ ## Check for Wintrust.dll version
+ if(version_is_less(version:sysVer, test_version:"6.0.6002.18592") ||
+ version_in_range(version:sysVer, test_version:"6.0.6002.22000", test_version2:"6.0.6002.22805")){
+ security_hole(0);
+ }
+ exit(0);
+}
+
+## Windows 7
+else if(hotfix_check_sp(win7:2) > 0)
+{
+ ## Check for Wintrust.dll version
+ if(version_is_less(version:sysVer, test_version:"6.1.7600.16970") ||
+ version_in_range(version:sysVer, test_version:"6.1.7600.20000", test_version2:"6.1.7600.21159")||
+ version_in_range(version:sysVer, test_version:"6.1.7601.17000", test_version2:"6.1.7601.17786")||
+ version_in_range(version:sysVer, test_version:"6.1.7601.21000", test_version2:"6.1.7601.21932")){
+ security_hole(0);
+ }
+}
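Review bot: The comment at L752 says `## Get Version from Win32k.sys file` but the next line fetches `system32\Wintrust.dll`, a copy-paste leftover that will mislead anyone grepping for the Win32k checks; change it to `## Get Version from Wintrust.dll file`. Unlike secpod_ms12-023.nasl in the same commit, this script declares no `script_require_ports(139, 445)` although `fetch_file_version` reads the DLL over SMB, so it may be scheduled against hosts where those ports were never seen open; adding the same line to the description block keeps the two bulletin checks consistent. The affected-software list at L706-L710 says "Service Pack 1 and prior" for Windows 7 and similar for the others, which reads as if older service packs are affected, whereas the version checks below only apply to the service packs admitted by `hotfix_check_sp`; the wording should match.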
Property changes on: trunk/openvas-plugins/scripts/secpod_ms12-024.nasl
___________________________________________________________________
Added: svn:keywords
+ Revision Date Id
Added: trunk/openvas-plugins/scripts/secpod_ms12-025.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms12-025.nasl (rev 0)
+++ trunk/openvas-plugins/scripts/secpod_ms12-025.nasl 2012-04-11 15:04:23 UTC (rev 13219)
@@ -0,0 +1,159 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Microsoft .NET Framework Remote Code Execution Vulnerability (2671605)
+#
+# Authors:
+# Sooraj KS <kssooraj at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2012 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(902828);
+ script_version("$Revision$");
+ script_bugtraq_id(52921);
+ script_cve_id("CVE-2012-0163");
+ script_tag(name:"cvss_base", value:"9.3");
+ script_tag(name:"risk_factor", value:"Critical");
+ script_tag(name:"last_modification", value:"$Date$");
+ script_tag(name:"creation_date", value:"2012-04-11 09:21:20 +0530 (Wed, 11 Apr 2012)");
+ script_name("Microsoft .NET Framework Remote Code Execution Vulnerability (2671605)");
+ desc = "
+ Overview: This host has critical security update missing according to
+ Microsoft Bulletin MS12-025.
+
+ Vulnerability Insight:
+ The flaw is caused due to an error within the .NET CRL (Common Language
+ Runtime) when handling certain parameters passed to a function and can be
+ exploited via a specially crafted web page.
+
+ Impact:
+ Successful exploitation could allow an attacker to execute arbitrary code
+ with the privileges of the currently logged-in user. Failed attacks will
+ cause denial-of-service conditions.
+
+ Impact Level: System/Application
+
+ Affected Software/OS:
+ Microsoft .NET Framework 4.0
+ Microsoft .NET Framework 3.5.1
+ Microsoft .NET Framework 2.0 Service Pack 2
+ Microsoft .NET Framework 1.1 Service Pack 1
+
+ Fix:
+ Run Windows Update and update the listed hotfixes or download and
+ update mentioned hotfixes in the advisory from the below link,
+ http://technet.microsoft.com/en-us/security/bulletin/ms12-025
+
+ References:
+ http://secunia.com/advisories/48786
+ http://support.microsoft.com/kb/2671605
+ http://www.securitytracker.com/id/1026904
+ http://technet.microsoft.com/en-us/security/bulletin/ms12-025 ";
+
+ script_description(desc);
+ script_summary("Check for the version of 'System.Drawing.dll' file");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (C) 2012 SecPod");
+ script_family("Windows : Microsoft Bulletins");
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_ports(139, 445);
+ exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
+
+## Variables Initialization
+key = "";
+item = "";
+path = "";
+dllVer = NULL;
+
+## Check for OS and Service Pack
+if(hotfix_check_sp(xp:4, win2003:3, winVista:3, win2008:3, win7:2) <= 0){
+ exit(0);
+}
+
+## Confirm .NET
+key = "SOFTWARE\Microsoft\ASP.NET\";
+if(!registry_key_exists(key:key)){
+ exit(0);
+}
+
+## Try to Get Version
+foreach item (registry_enum_keys(key:key))
+{
+ path = registry_get_sz(key:key + item, item:"Path");
+ if(path && "\Microsoft.NET\Framework" >< path)
+ {
+ ## Get version from System.dll file
+ dllVer = fetch_file_version(sysPath:path, file_name:"System.Drawing.dll");
+ if(dllVer)
+ {
+ ## .NET Framework 4 on Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7
+ if(version_in_range(version:dllVer, test_version:"4.0.30319.000", test_version2:"4.0.30319.275")||
+ version_in_range(version:dllVer, test_version:"4.0.30319.500", test_version2:"4.0.30319.550"))
+ {
+ security_hole(0);
+ exit(0);
+ }
+
+ ## .NET Framework 3.5.1 on Windows 7
+ if((hotfix_check_sp(win7:2) > 0) &&
+ (version_in_range(version:dllVer, test_version:"2.0.50727.4000", test_version2:"2.0.50727.4973")||
+ version_in_range(version:dllVer, test_version:"2.0.50727.5000", test_version2:"2.0.50727.5457")||
+ version_in_range(version:dllVer, test_version:"2.0.50727.5700", test_version2:"2.0.50727.5712")))
+ {
+ security_hole(0);
+ exit(0);
+ }
+
+ ## .NET Framework 2.0 Service Pack 2 on Windows Vista Service Pack 2 and Windows Server 2008 Service Pack 2
+ if((hotfix_check_sp(winVista:3, win2008:3) > 0) &&
+ (version_in_range(version:dllVer, test_version:"2.0.50727.4000", test_version2:"2.0.50727.4225")||
+ version_in_range(version:dllVer, test_version:"2.0.50727.5700", test_version2:"2.0.50727.5712")))
+ {
+ security_hole(0);
+ exit(0);
+ }
+
+ ## .NET Framework 2.0 Service Pack 2 on Windows XP and Windows Server 2003
+ if((hotfix_check_sp(xp:4, win2003:3) > 0) &&
+ (version_in_range(version:dllVer, test_version:"2.0.50727.3000", test_version2:"2.0.50727.3635")||
+ version_in_range(version:dllVer, test_version:"2.0.50727.5700", test_version2:"2.0.50727.5718")))
+ {
+ security_hole(0);
+ exit(0);
+ }
+
+ ## .NET Framework 1.1 Service Pack 1 on Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008
+ if((hotfix_check_sp(xp:4, win2003:3, winVista:3, win2008:3) > 0) &&
+ (version_in_range(version:dllVer, test_version:"1.1.4322.2000", test_version2:"1.1.4322.2494")))
+ {
+ security_hole(0);
+ exit(0);
+ }
+ }
+ }
+}
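Review bot: The comment above the fetch inside the foreach names the wrong file: `## Get version from System.dll file` sits over a call that reads `System.Drawing.dll`, which is also what script_summary announces, so it should read `## Get version from System.Drawing.dll file`. The description text carries a transposition as well, `.NET CRL (Common Language Runtime)` should be `.NET CLR (Common Language Runtime)`. Both are wording only; the version ranges themselves cannot be verified from this page.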
Property changes on: trunk/openvas-plugins/scripts/secpod_ms12-025.nasl
___________________________________________________________________
Added: svn:keywords
+ Revision Date Id
Added: trunk/openvas-plugins/scripts/secpod_ms12-027.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms12-027.nasl (rev 0)
+++ trunk/openvas-plugins/scripts/secpod_ms12-027.nasl 2012-04-11 15:04:23 UTC (rev 13219)
@@ -0,0 +1,240 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Microsoft Windows Common Controls Remote Code Execution Vulnerability (2664258)
+#
+# Authors:
+# Sooraj KS <kssooraj at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2012 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(902829);
+ script_version("$Revision$");
+ script_bugtraq_id(52911);
+ script_cve_id("CVE-2012-0158");
+ script_tag(name:"cvss_base", value:"9.3");
+ script_tag(name:"risk_factor", value:"Critical");
+ script_tag(name:"last_modification", value:"$Date$");
+ script_tag(name:"creation_date", value:"2012-04-11 11:11:11 +0530 (Wed, 11 Apr 2012)");
+ script_name("Microsoft Windows Common Controls Remote Code Execution Vulnerability (2664258)");
+ desc = "
+ Overview: This host has critical security update missing according to
+ Microsoft Bulletin MS12-027.
+
+ Vulnerability Insight:
+ The flaw is caused due to an error within the ListView, ListView2, TreeView
+ and TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls and can
+ be exploited to corrupt memory.
+
+ Impact:
+ Successful exploitation could allow an attacker to execute arbitrary code
+ within the context of the application.
+
+ Impact Level: System/Application
+
+ Affected Software/OS:
+ Microsoft SQL Server 2008
+ Microsoft Visual Basic 6.0
+ Microsoft Commerce Server 2009
+ Microsoft SQL Server 2005 Service Pack 4
+ Microsoft SQL Server 2000 Service Pack 4
+ Microsoft Visual FoxPro 9.0 Service Pack 2
+ Microsoft Visual FoxPro 8.0 Service Pack 1
+ Microsoft Commerce Server 2007 Service Pack 2
+ Microsoft Commerce Server 2002 Service Pack 4
+ Microsoft Office 2010 Service Pack 1 and prior
+ Microsoft Office 2007 Service Pack 3 and prior
+ Microsoft Office 2003 Service Pack 3 and prior
+ Microsoft SQL Server 2000 Analysis Services Service Pack 4
+
+ Fix:
+ Run Windows Update and update the listed hotfixes or download and
+ update mentioned hotfixes in the advisory from the below link,
+ http://technet.microsoft.com/en-us/security/bulletin/ms12-027
+
+ References:
+ http://secunia.com/advisories/48786
+ http://www.securitytracker.com/id/1026904
+ http://technet.microsoft.com/en-us/security/bulletin/ms12-027 ";
+
+ script_description(desc);
+ script_summary("Check for the version of 'Mscomctl.Ocx','msmdctr80.dll' and 'sqlservr.exe' files");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (C) 2012 SecPod");
+ script_family("Windows : Microsoft Bulletins");
+ script_dependencies("secpod_office_products_version_900032.nasl");
+ script_require_keys("SMB/WindowsVersion");
+ script_require_ports(139, 445);
+ exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
+
+## Variables Initialization
+key = "";
+ver = "";
+keys = "";
+item = "";
+path = "";
+sysPath = "";
+bizName = "";
+dllVer = NULL;
+sysVer = NULL;
+exeVer = NULL;
+
+## Check for Windows OS
+if(!get_kb_item("SMB/WindowsVersion")){
+ exit(0);
+}
+
+## Get System Path
+sysPath = smb_get_systemroot();
+if(! sysPath){
+ exit(0);
+}
+
+## Get Version from Mscomctl.Ocx file
+sysVer = fetch_file_version(sysPath, file_name:"system32\Mscomctl.Ocx");
+if(! sysVer){
+ exit(0);
+}
+
+## Check for Microsoft Office 2003, 2007 and 2010
+if(get_kb_item("MS/Office/Ver") =~ "^[11|12|14].*")
+{
+ if(version_is_less(version:sysVer, test_version:"6.1.98.33"))
+ {
+ security_hole(0);
+ exit(0);
+ }
+}
+
+## Check for Microsoft BizTalk Server 2002
+key = "SOFTWARE\Microsoft\BizTalk Server\1.0";
+if(registry_key_exists(key:key))
+{
+ bizName = registry_get_sz(key:key, item:"ProductName");
+ if("Microsoft BizTalk Server 2002" >< bizName)
+ {
+ if(version_is_less(version:sysVer, test_version:"6.1.98.33"))
+ {
+ security_hole(0);
+ exit(0);
+ }
+ }
+}
+
+## Check for SQL Server 2005 and 2008
+foreach ver (make_list("2005", "10"))
+{
+ key = "SOFTWARE\Microsoft\Windows\CurrentVersion" +
+ "\Uninstall\Microsoft SQL Server " + ver;
+ if(registry_key_exists(key:key))
+ {
+ if(version_is_less(version:sysVer, test_version:"6.1.98.33"))
+ {
+ security_hole(0);
+ exit(0);
+ }
+ }
+}
+
+## Check for Microsoft Commerce Server 2002, 2007 or 2009
+keys = make_list("SOFTWARE\Microsoft\Commerce Server",
+ "SOFTWARE\Microsoft\Commerce Server 2007",
+ "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"+
+ "\Microsoft Commerce Server 2009");
+foreach key (keys)
+{
+ if(registry_key_exists(key:key))
+ {
+ if(version_is_less(version:sysVer, test_version:"6.1.98.33"))
+ {
+ security_hole(0);
+ exit(0);
+ }
+ }
+}
+
+## Check for Visual Basic 6.0
+key = "SOFTWARE\Microsoft\Visual Basic\6.0";
+if(registry_key_exists(key:key))
+{
+ if(version_is_less(version:sysVer, test_version:"6.1.98.33"))
+ {
+ security_hole(0);
+ exit(0);
+ }
+}
+
+## Check for Visual FoxPro 8.0 and 9.0
+foreach ver (make_list("8.0", "9.0"))
+{
+ key = "SOFTWARE\Microsoft\VisualFoxPro\" + ver;
+ if(registry_key_exists(key:key))
+ {
+ if(version_is_less(version:sysVer, test_version:"6.1.98.33"))
+ {
+ security_hole(0);
+ exit(0);
+ }
+ }
+}
+
+## Check for Microsoft SQL Server 2000 Analysis Services
+key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft SQL " +
+ "Server 2000 Analysis Services";
+if(registry_key_exists(key:key))
+{
+ path = registry_get_sz(key:key, item:"InstallLocation");
+ dllVer = fetch_file_version(sysPath:path, file_name:"bin\msmdctr80.dll");
+ if(dllVer)
+ {
+ if(version_is_less(version:dllVer, test_version:"8.0.2302.0"))
+ {
+ security_hole(0);
+ exit(0);
+ }
+ }
+}
+
+## Check for Microsoft SQL Server 2000
+key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft SQL " +
+ "Server 2000";
+if(registry_key_exists(key:key))
+{
+ path = registry_get_sz(key:key, item:"InstallLocation");
+ exeVer = fetch_file_version(sysPath:path, file_name:"Binn\sqlservr.exe");
+ if(exeVer)
+ {
+ ## Check for GDR and QFE versions
+ if(version_is_less(version:exeVer, test_version:"2000.80.2065.0") ||
+ version_in_range(version:exeVer, test_version:"2000.80.2300.0", test_version2:"2000.80.2300.9"))
+ {
+ security_hole(0);
+ exit(0);
+ }
+ }
+}
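Review bot: The Office gate `=~ "^[11|12|14].*"` is a character class, not an alternation: it matches any MS/Office/Ver whose first character is `1`, `2`, `4` or `|`, so nothing constrains the second digit and an Office 10.x install would also be tested against Mscomctl.Ocx 6.1.98.33. The intended test is `if(get_kb_item("MS/Office/Ver") =~ "^(11|12|14)\.")`. Separately, the Analysis Services and SQL Server 2000 blocks hand `InstallLocation` straight to fetch_file_version without the `if(path && ...)` guard the other new scripts in this commit use; an `if(!path)` check before each of those two fetches would keep the failure handling consistent.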
Property changes on: trunk/openvas-plugins/scripts/secpod_ms12-027.nasl
___________________________________________________________________
Added: svn:keywords
+ Revision Date Id
Added: trunk/openvas-plugins/scripts/secpod_ms12-028.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms12-028.nasl (rev 0)
+++ trunk/openvas-plugins/scripts/secpod_ms12-028.nasl 2012-04-11 15:04:23 UTC (rev 13219)
@@ -0,0 +1,141 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Microsoft Office Remote Code Execution Vulnerability (2639185)
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2012 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(903017);
+ script_version("$Revision$");
+ script_cve_id("CVE-2012-0177");
+ script_bugtraq_id(52867);
+ script_tag(name:"cvss_base", value:"7.5");
+ script_tag(name:"risk_factor", value:"High");
+ script_tag(name:"last_modification", value:"$Date$");
+ script_tag(name:"creation_date", value:"2012-04-11 09:32:29 +0530 (Wed, 11 Apr 2012)");
+ script_name("Microsoft Office Remote Code Execution Vulnerability (2639185)");
+ desc = "
+ Overview: This host has important security update missing according to
+ Microsoft Bulletin MS12-028.
+
+ Vulnerability Insight:
+ The flaw is caused due to an error in the Works Converter and can be
+ exploited to cause a heap-based buffer overflow via a specially crafted
+ Works '.wps' file.
+
+ Impact:
+ Successful exploitation could allow attackers to execute arbitrary code.
+
+ Impact Level: System/Application
+
+ Affected Software/OS:
+ Microsoft Works 6 to 9 File Converter
+ Microsoft Office 2007 Service Pack 2 and prior
+
+ Fix: Run Windows Update and update the listed hotfixes or download and
+ update mentioned hotfixes in the advisory from the below link,
+ http://technet.microsoft.com/en-us/security/bulletin/MS12-028
+
+ References:
+ http://secunia.com/advisories/48723/
+ http://xforce.iss.net/xforce/xfdb/74556
+ http://www.securitytracker.com/id/1026910
+ http://technet.microsoft.com/en-us/security/bulletin/MS12-028 ";
+
+ script_description(desc);
+ script_summary("Check the version of Works632.cnv and Wkcvqr01.dll files");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (C) 2012 SecPod");
+ script_family("Windows : Microsoft Bulletins");
+ script_dependencies("secpod_office_products_version_900032.nasl");
+ exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
+
+## Variable Initialization
+path = "";
+cnvVer = "";
+key = "";
+wfcName = "";
+dllVer = "";
+
+## Get Common Files Dir Path
+path = registry_get_sz(key:"SOFTWARE\Microsoft\Windows\CurrentVersion",
+ item:"CommonFilesDir");
+if(!path){
+ exit(0);
+}
+
+## MS Office 2007
+if(get_kb_item("MS/Office/Ver") =~ "^12")
+{
+ ## Get the Works632.cnv file version
+ cnvVer = fetch_file_version(sysPath:path,
+ file_name:"Microsoft Shared\TextConv\Works632.cnv");
+ if(cnvVer)
+ {
+ ## Checking for file version
+ if(version_is_less(version:cnvVer, test_version:"9.11.0707.0"))
+ {
+ security_hole(0);
+ exit(0);
+ }
+ }
+}
+
+## Microsoft Works 6 to 9 File Converter
+key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\";
+if(!registry_key_exists(key:key)){
+ exit(0);
+}
+
+foreach item (registry_enum_keys(key:key))
+{
+ wfcName = registry_get_sz(key:key + item, item:"DisplayName");
+
+ if(!wfcName){
+ continue;
+ }
+
+ ## Confirm the application
+ if("Microsoft Works 6-9 Converter" >< wfcName)
+ {
+ ## Get the Wkcvqr01.dll file version
+ dllVer = fetch_file_version(sysPath:path,
+ file_name:"Microsoft Shared\TextConv\Wkcvqr01.dll");
+ if(!dllVer){
+ exit(0);
+ }
+
+ ## Checking for file version
+ if(version_is_less(version:dllVer, test_version:"9.8.1117.0")){
+ security_hole(0);
+ }
+ }
+}
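Review bot: Inside the Uninstall loop an unreadable `Wkcvqr01.dll` ends the whole scan with `exit(0)` (the `if(!dllVer){ exit(0); }` after the fetch), whereas a missing DisplayName a few lines earlier only does `continue;`; if the first entry whose DisplayName contains "Microsoft Works 6-9 Converter" has no readable file, no later entry is examined. Using `continue;` there keeps the two failure paths consistent and lets the loop finish. Also `item` is the one loop variable not listed under `## Variable Initialization`, unlike the sibling scripts in this commit.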
Property changes on: trunk/openvas-plugins/scripts/secpod_ms12-028.nasl
___________________________________________________________________
Added: svn:keywords
+ Revision Date Id
Modified: trunk/openvas-plugins/scripts/secpod_ms_smb_signing_info_disc_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms_smb_signing_info_disc_vuln.nasl 2012-04-11 11:27:00 UTC (rev 13218)
+++ trunk/openvas-plugins/scripts/secpod_ms_smb_signing_info_disc_vuln.nasl 2012-04-11 15:04:23 UTC (rev 13219)
@@ -28,10 +28,10 @@
{
script_id(902797);
script_version("$Revision$");
- script_tag(name:"last_modification", value:"$Date$");
- script_tag(name:"creation_date", value:"2012-02-27 18:06:56 +0530 (Mon, 27 Feb 2012)");
script_tag(name:"cvss_base", value:"5.0");
script_tag(name:"risk_factor", value:"Medium");
+ script_tag(name:"last_modification", value:"$Date$");
+ script_tag(name:"creation_date", value:"2012-04-02 16:53:51 +0530 (Mon, 02 Apr 2012)");
script_name("Microsoft SMB Signing Information Disclosure Vulnerability");
desc = "
Overview: This host is disabled SMB signing and is prone to information
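Review bot: The creation_date of an already-published script (script_id 902797) moves from 2012-02-27 to 2012-04-02 while last_modification stays on `$Date$`; the ChangeLog entry describes a rewrite of the check, not a new plugin, so the original creation date should presumably stay and only the modification keyword carry the update. If the new date is intentional, a word in the ChangeLog entry would help readers of the feed history.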
@@ -50,63 +50,68 @@
Impact Level: System
Affected Software/OS:
- Microsoft Windows NT Server 4.0 and prior.
- Microsoft Windows 2K Service Pack 4 and prior
- Microsoft Windows XP Service Pack 3 and prior
- Microsoft Windows 2003 Service Pack 2 and prior
+ Microsoft Windows XP Service Pack 2 and prior
+ Microsoft Windows 2003 Service Pack 1 and prior
Fix: Run Windows Update and update the listed hotfixes or download and
update mentioned hotfixes in the advisory from the below link,
http://support.microsoft.com/kb/916846
References:
- http://support.microsoft.com/kb/887429
- http://support.microsoft.com/kb/916846
- http://xforce.iss.net/xforce/xfdb/31965 ";
+ http://support.microsoft.com/kb/916846 ";
script_description(desc);
script_summary("Check if SMB signing is disabled");
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (C) 2012 SecPod");
script_family("Windows");
- script_require_ports(139, 445);
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_keys("SMB/WindowsVersion");
exit(0);
}
include("smb_nt.inc");
+include("secpod_reg.inc");
+include("secpod_smb_func.inc");
## Variable Initialization
-name = "";
-domain = "";
-port = "";
-soc = "";
-response = "";
-prot = "";
+key = "";
+key2 = "";
+val1 = "";
+val2 = "";
+val3 = "";
+val4 = "";
-## Get name, domain and port
-name = kb_smb_name();
-domain = kb_smb_domain();
-port = kb_smb_transport();
-
-## Open the socket
-soc = open_sock_tcp(port);
-if(!soc){
+## Check for OS and Service Pack
+if(hotfix_check_sp(xp:3, win2003:2) <= 0){
exit(0);
}
-response = smb_session_request(soc:soc, remote:name);
-if(!response)
+## Get the registry values for SMB signing disabled.
+## Client
+key = "SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters";
+if(registry_key_exists(key:key))
{
- close(soc);
+ val1 = registry_get_dword(key:key, item:"enablesecuritysignature");
+ val2 = registry_get_dword(key:key, item:"requiresecuritysignature");
+
+ if(val1 == "0" && val2 == "0")
+ {
+ security_warning(0);
+ exit(0);
+ }
+}
+
+## Server
+key2 = "SYSTEM\CurrentControlSet\Services\lanmanserver\parameters";
+if(!registry_key_exists(key:key2)){
exit(0);
}
-## SMB Negotiate Protocol Response
-## If SMB signing is disabled, then Security Mode: 0x03
-prot = smb_neg_prot(soc:soc);
-close(soc);
+val3 = registry_get_dword(key:key2, item:"enablesecuritysignature");
+val4 = registry_get_dword(key:key2, item:"requiresecuritysignature");
-if(prot && ord(prot[39]) == 3){
- security_warning(port);
+if(val3 == "0" && val4 == "0"){
+ security_warning(0);
}
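Review bot: Both registry checks compare the dword results with the string "0" (`if(val1 == "0" && val2 == "0")` and the same for val3/val4); whether that holds for an integer result, and what happens when a value is absent and registry_get_dword returns NULL, depends on NASL's mixed-type comparison, so an explicit form such as `if(!isnull(val1) && int(val1) == 0 && !isnull(val2) && int(val2) == 0)` states the intent. An absent enablesecuritysignature/requiresecuritysignature value means the OS default applies, which is not the same as an explicit 0, so the two cases deserve to be distinguished rather than both reaching the same branch. The ChangeLog says the signing-disabled check moved to gb_ms_smb_signing_disabled.nasl, yet this body still reports purely on those four signing values; confirm that this is the intended KB 916846 precondition.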