Mailing List Archive

Nessus Script ID 22534 version 1.3: Contains A Reporting Bug?
Hello All,

I believe the following Script ID: 22534 version 1.3 contains a reporting bug.

When scanning systems with Office 2003, this check reports twice in the reports.

Example output for NBE:

results|TARGET SYSTEM|microsoft-ds (445/tcp)|11119|Security Note|\nSynopsis :\n\nThe remote system has the latest service pack installed.\n\nDescription :\n\nBy reading the registry key HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CSDVersion\nit was possible to determine the Service Pack version of the Windows XP\nsystem.\n\nRisk factor :\n\nNone\n\nPlugin output :\n\nThe remote Windows XP system has Service Pack 2 applied.\n\nCVE : CVE-1999-0662\nBID : 10897, 11202\n

results|TARGET SYSTEM|microsoft-ds (445/tcp)|22534|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host through the web or\nemail client. \n\nDescription :\n\nThe remote host is running a version of Windows which contains a flaw\nin the Windows XML Core Services..\n\nAn attacker may be able to execute arbitrary code on the remote host\nby constructing a malicious script and enticing a victim to visit a\nweb site or view a specially-crafted email message.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/Bulletin/MS06-061.mspx\n\nRisk factor : \n\nHigh / CVSS Base Score : 8 \n(AV:R/AC:H/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2006-4684, CVE-2006-4685\nBID : 20338, 20339\n

results|TARGET SYSTEM|microsoft-ds (445/tcp)|22534|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host through the web or\nemail client. \n\nDescription :\n\nThe remote host is running a version of Windows which contains a flaw\nin the Windows XML Core Services..\n\nAn attacker may be able to execute arbitrary code on the remote host\nby constructing a malicious script and enticing a victim to visit a\nweb site or view a specially-crafted email message.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/Bulletin/MS06-061.mspx\n\nRisk factor : \n\nHigh / CVSS Base Score : 8 \n(AV:R/AC:H/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2006-4684, CVE-2006-4685\nBID : 20338, 20339\n

results|TARGET SYSTEM|microsoft-ds (445/tcp)|22531|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host through Microsoft\nPowerPoint.\n\nDescription :\n\nThe remote host is running a version of Microsoft PowerPoint\nwhich is subject to a flaw which may allow arbitrary code to be run.\n\nAn attacker may use this to execute arbitrary code on this host.\n\nTo succeed, the attacker would have to send a rogue file to \na user of the remote computer and have it open it. Then a bug in\nthe font parsing handler would result in code execution.\n\nSolution : \n\nMicrosoft has released a set of patches for PowerPoint 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms06-058.mspx\n\nRisk factor : \n\nHigh / CVSS Base Score : 8 \n(AV:R/AC:H/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2006-3435, CVE-2006-3876, CVE-2006-3877, CVE-2006-4694\nBID : 20325, 20322, 20304\n



Could someone verify?

Thanks,

Paul
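The double entry described in the post can be spotted mechanically in an NBE export. The Python script that follows is an added example, not part of the thread and not Nessus code. It assumes the classic NBE record layout `results|subnet|host|port|plugin_id|severity|text`, with line breaks and backslashes inside the text field written as the two-character escapes `\n` and `\\` (the form visible in the output above); records that omit the subnet field, as the redacted sample above does, are accepted as well. It groups `results` records by host, port and plugin id and lists every plugin reported more than once for the same host and port. The sample records, hosts and subnet are constructed, modelled on the output above.

```python
"""Find findings that a Nessus NBE export lists more than once per host and port.

Added example; not Nessus code and not part of the list post. Assumes the
classic NBE record layout results|subnet|host|port|plugin_id|severity|text,
with line breaks and backslashes in the text field written as the escapes
\\n and \\\\ (the form visible in the quoted output). Records that omit the
subnet field, as the redacted sample in the post does, are accepted too.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample, modelled on the records in the bug report. Hosts and
# subnet are made up and the texts are shortened. Plugin 22534 is listed
# twice for 10.0.0.5, which is the symptom being reported; the last record
# uses the six-field form (no subnet) seen in the post.
SAMPLE_NBE = r"""timestamps|||scan_start|Wed Oct 25 21:40:00 2006|
results|10.0.0|10.0.0.5|microsoft-ds (445/tcp)|11119|Security Note|\nSynopsis :\n\nThe remote system has the latest service pack installed.\n\nRegistry key HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CSDVersion was read.\n
results|10.0.0|10.0.0.5|microsoft-ds (445/tcp)|22534|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host through the web or\nemail client.\n
results|10.0.0|10.0.0.5|microsoft-ds (445/tcp)|22534|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host through the web or\nemail client.\n
results|10.0.0|10.0.0.5|microsoft-ds (445/tcp)|22531|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host through Microsoft\nPowerPoint.\n
results|10.0.0.7|microsoft-ds (445/tcp)|22534|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host through the web or\nemail client.\n
timestamps|||scan_end|Wed Oct 25 21:52:00 2006|
"""


@dataclass(frozen=True)
class Finding:
    subnet: str
    host: str
    port: str
    plugin_id: str
    severity: str
    text: str


_ESCAPE = re.compile(r"\\(.)")  # a backslash followed by the escaped character


def unescape_nbe(text: str) -> str:
    """Turn the literal \\n and \\\\ sequences of an NBE text field into real characters."""
    return _ESCAPE.sub(lambda m: "\n" if m.group(1) == "n" else m.group(1), text)


def parse_nbe(data: str) -> list[Finding]:
    """Return one Finding per results record; timestamps and other record types are skipped."""
    findings = []
    for line in data.splitlines():
        if not line.startswith("results|"):
            continue
        parts = line.split("|", 6)  # the text field is last and may itself contain "|"
        if len(parts) == 6:         # subnet field absent, as in the redacted sample
            parts.insert(1, "")
        if len(parts) != 7:
            continue                # malformed record; a stricter tool would raise here
        _, subnet, host, port, plugin_id, severity, text = parts
        findings.append(Finding(subnet, host, port, plugin_id, severity, unescape_nbe(text)))
    return findings


def duplicate_findings(findings):
    """Return {(host, port, plugin_id): count} for every finding reported more than once."""
    counts = Counter((f.host, f.port, f.plugin_id) for f in findings)
    return {key: n for key, n in counts.items() if n > 1}


def dedupe(findings):
    """Keep the first record per (host, port, plugin_id); later copies carry no new information."""
    seen = set()
    kept = []
    for f in findings:
        key = (f.host, f.port, f.plugin_id)
        if key not in seen:
            seen.add(key)
            kept.append(f)
    return kept


if __name__ == "__main__":
    recs = parse_nbe(SAMPLE_NBE)
    for (host, port, plugin), n in duplicate_findings(recs).items():
        print(f"{host} {port}: plugin {plugin} reported {n} times")
    print(f"{len(recs)} records, {len(dedupe(recs))} after de-duplication")
```

Run against a real export, the duplicate map is the quickest way to confirm whether a plugin double-reports on every Office 2003 host or only on some; `dedupe` is a stopgap for cleaning reports until the plugin itself is corrected.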

Re: Nessus Script ID 22534 version 1.3: Contains A Reporting Bug?
Hello All,

After reviewing the code, I suggest the following changes for Script ID 22534 version 1.3:

if ( hotfix_check_sp(xp:3, win2003:2, win2k:6) > 0 )
{
  if (is_accessible_share())
  {
    office_version = hotfix_check_office_version ();
    rootfile = hotfix_get_commonfilesdir();

    # One combined test, so the host is reported once even when both DLLs are outdated
    if ( ( hotfix_check_fversion(path:rootfile, file:"\Microsoft Shared\Office11\msxml5.dll", version:"5.10.2930.0") == HCF_OLDER ) ||
         ( hotfix_check_fversion(file:"system32\Msxml3.dll", version:"8.70.1113.0") == HCF_OLDER ) )
    # Alternative ordering and the other MSXML builds, left commented out:
    # if ( ( hotfix_check_fversion(file:"system32\Msxml3.dll", version:"8.70.1113.0") == HCF_OLDER ) ||
    #      ( hotfix_check_fversion(path:rootfile, file:"\Microsoft Shared\Office11\msxml5.dll", version:"5.10.2930.0") == HCF_OLDER ) )
    #      ( hotfix_check_fversion(file:"system32\Msxml4.dll", version:"4.20.9839.0") == HCF_OLDER ) ||
    #      ( hotfix_check_fversion(file:"system32\Msxml5.dll", version:"5.10.2930.0") == HCF_OLDER ) ||
    #      ( hotfix_check_fversion(file:"system32\Msxml6.dll", version:"6.0.3888.0") == HCF_OLDER ) )
      security_hole (get_kb_item("SMB/transport"));

    hotfix_check_fversion_end();
  }
  else if ( hotfix_missing(name:"924191") > 0 )
    security_hole(get_kb_item("SMB/transport"));
}



Comments or other suggestions?

Thanks,

Paul

----- Original Message -----
From: Paul Bellefeuille
To: plugins-writers@list.nessus.org
Sent: Wednesday, October 25, 2006 10:01 PM
Subject: Nessus Script ID 22534 version 1.3: Contains A Reporting Bug?


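To make the single-report behaviour of the proposed change concrete, here is an added Python model; it is example code written for this page, not the plugin's NASL and not part of the thread. It reimplements the decision the snippet makes (raise one finding if any checked MSXML DLL is older than the patched build, otherwise fall back to the hotfix check) and sets it beside a per-file variant that raises one finding per outdated file. The per-file variant is an assumption about how a plugin comes to report twice, not something shown in the thread. The version thresholds, file names, bulletin and KB number are those in the snippet; the installed versions, the `FileCheck` enum and all function names are constructed for the example.

```python
"""Model of the single-report logic in the proposed fix for plugin 22534.

Added example, not Nessus code: a Python restatement of the decision the NASL
snippet makes, so the one-finding behaviour can be compared with a per-file
variant on constructed inputs. Thresholds are the ones in the snippet; the
installed versions are made up.
"""
from enum import Enum


class FileCheck(Enum):
    OLDER = "older"   # installed build predates the patched one (the HCF_OLDER case)
    OK = "ok"         # installed build is the patched one or newer
    NOENT = "noent"   # file not present on the host, so nothing to report for it


# Patched build numbers from the proposed NASL change (paths relative to the
# common files directory and the system root respectively).
REQUIRED = {
    r"Microsoft Shared\Office11\msxml5.dll": "5.10.2930.0",
    r"system32\Msxml3.dll": "8.70.1113.0",
}


def parse_version(v: str):
    """'8.70.1113.0' -> (8, 70, 1113, 0). Numeric comparison matters: as strings,
    '8.70.1113.0' sorts before '8.9.0.0' and an outdated file would pass."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def check_fversion(installed: dict, path: str, required: str) -> FileCheck:
    """Compare the installed build of one file against the patched build."""
    if path not in installed:
        return FileCheck.NOENT
    if parse_version(installed[path]) < parse_version(required):
        return FileCheck.OLDER
    return FileCheck.OK


def report_per_file(installed: dict) -> list:
    """One finding per outdated file: an Office 2003 host with both DLLs
    outdated is reported twice (assumed cause of the double entry)."""
    return [path for path, req in REQUIRED.items()
            if check_fversion(installed, path, req) is FileCheck.OLDER]


def report_once(installed: dict) -> list:
    """The proposed logic: OR the file checks together and raise a single finding."""
    if any(check_fversion(installed, p, r) is FileCheck.OLDER for p, r in REQUIRED.items()):
        return ["MS06-061: outdated MSXML build found"]
    return []


def evaluate_host(share_accessible: bool, installed: dict, missing_hotfixes: set) -> list:
    """Whole decision: file versions when the admin share is readable,
    otherwise the KB 924191 hotfix check, as in the snippet."""
    if share_accessible:
        return report_once(installed)
    if "924191" in missing_hotfixes:
        return ["MS06-061: hotfix 924191 not installed"]
    return []


# Constructed hosts: an Office 2003 box with both builds outdated, a patched
# box, and a box without Office (no msxml5.dll under the common files dir).
OFFICE_2003_UNPATCHED = {
    r"Microsoft Shared\Office11\msxml5.dll": "5.10.2927.0",
    r"system32\Msxml3.dll": "8.70.1104.0",
}
PATCHED = {
    r"Microsoft Shared\Office11\msxml5.dll": "5.10.2930.0",
    r"system32\Msxml3.dll": "8.70.1113.0",
}
NO_OFFICE_UNPATCHED = {r"system32\Msxml3.dll": "8.70.1104.0"}


if __name__ == "__main__":
    for name, host in [("office 2003, unpatched", OFFICE_2003_UNPATCHED),
                       ("patched", PATCHED), ("no office, unpatched", NO_OFFICE_UNPATCHED)]:
        print(f"{name}: per-file={len(report_per_file(host))} once={len(report_once(host))}")
    print("share unreadable, 924191 missing:", evaluate_host(False, {}, {"924191"}))
```

The point of the comparison is that both variants agree on whether a host is vulnerable; they differ only in how many records reach the report, which is exactly the discrepancy the first message shows for Office 2003 systems.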