[Plugins-writers] Checking Windows Patches Using Registry

From: hallnk@private
Date: Thu May 13 2004 - 12:24:50 PDT


There are some patches for Windows which are covered by more than one
hotfix. Accurately checking for these patches requires checking multiple
keys in the windows registry. One example of this is MS03-027 (Nessus
plug-in #11792). This hotfix is also included in the Windows XP Update
Rollup 1 (see http://support.microsoft.com/?kbid=826939). Therefore to
check if the hotfix is applied both the key
"HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP2\Q811493" and
"HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP2\K826939" must be
checked. If either key is present the vulnerability is patched. Between
the XP Update Rollup and some cases where one patch supersedes another
there is the possibility of false positives in scans.
    
Modified code for plug-in 11792 which gives an accurate answer
follows:
    
    
#
# (C) Tenable Network Security
#
# v1.5 changes by Nathan Hall (13/05/2004): check for XP Update Rollup 1
#

if(description)
{
  script_id(11792);
  script_version("$Revision: 1.5 $");
  script_cve_id("CAN-2003-0306");

  name["english"] = "Buffer overrun in Windows Shell (821557)";
  script_name(english:name["english"]);

  desc["english"] = "
The remote host is running a version of Windows which has a flaw in
its shell. An attacker could exploit it by creating a malicious Desktop.ini
file which triggers the flaw, and put it on a shared folder and wait
for someone to browse it.

Solution : see
http://www.microsoft.com/technet/security/bulletin/ms03-027.mspx

Risk factor : Medium";
  script_description(english:desc["english"]);

  summary["english"] = "Checks for hotfix Q823980";
  script_summary(english:summary["english"]);

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2003 Tenable Network Security");
  family["english"] = "Windows";
  script_family(english:family["english"]);

  script_dependencies("netbios_name_get.nasl",
                      "smb_login.nasl", "smb_registry_full_access.nasl",
                      "smb_reg_service_pack_XP.nasl",
                      "smb_reg_service_pack_W2K.nasl");
  script_require_keys("SMB/name", "SMB/login", "SMB/password",
                      "SMB/registry_full_access", "SMB/WindowsVersion");
  script_exclude_keys("SMB/Win2003/ServicePack");

  script_require_ports(139, 445);
  exit(0);
}

include("smb_nt.inc");
port = get_kb_item("SMB/transport");
if(!port) port = 139;

# the check needs full registry access on the target
access = get_kb_item("SMB/registry_full_access");
if(!access) exit(0);

version = get_kb_item("SMB/WindowsVersion");
# XP only
if("5.1" >< version)
{
  item = "Description";

  # fixed in Service Pack 2 and later
  sp = get_kb_item("SMB/WinXP/ServicePack");
  if(ereg(string:sp, pattern:"Service Pack [2-9]")) exit(0);

  # also fixed in XP Update Rollup 1 (KB826939), which supersedes the hotfix
  key = "SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB826939";
  value = registry_get_sz(item:item, key:key);
  if(value) exit(0);

  # otherwise the hotfix's own key must be present
  key = "SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB821557";
  value = registry_get_sz(item:item, key:key);
  if(!value) security_hole(port);
}
    
Nathan Hall
System Administrator - Computer Services
SUNY Oneonta
Oneonta, NY 13820
(607) 436-2708
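The same "any one of several keys proves the fix" logic, as a local check an administrator can run on the host itself rather than through a Nessus plug-in. This is an added example, not code from the post or from Tenable; the function name Test-PatchApplied and its parameters are assumptions, and the registry key names are the ones quoted in the post's plug-in code (the hotfix key, the Update Rollup 1 key, and the SP2 threshold).

```powershell
# Added example: decide whether a hotfix is present when more than one
# registry artefact can satisfy it (the hotfix's own key, a rollup that
# includes it, or a service pack at or above the level where it was fixed).
function Test-PatchApplied {
    param(
        # Keys relative to HKLM:, any one of which proves the fix is installed.
        [Parameter(Mandatory)] [string[]] $SatisfyingKeys,
        # Service pack level at or above which the fix is built in (0 = never).
        [int] $FixedInServicePack = 0
    )

    # CSDVersion reads e.g. "Service Pack 2"; extract the number.
    $csd = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' `
                -ErrorAction SilentlyContinue).CSDVersion
    $spLevel = 0
    if ($csd -match 'Service Pack (\d+)') { $spLevel = [int]$Matches[1] }
    if ($FixedInServicePack -gt 0 -and $spLevel -ge $FixedInServicePack) {
        return [pscustomobject]@{ Applied = $true; Evidence = $csd }
    }

    # Superseding keys are listed alongside the hotfix key, so a rollup
    # that contains the fix does not produce a false positive.
    foreach ($key in $SatisfyingKeys) {
        $path = "HKLM:\$key"
        if (Test-Path -LiteralPath $path) {
            return [pscustomobject]@{ Applied = $true; Evidence = $path }
        }
    }
    return [pscustomobject]@{ Applied = $false; Evidence = 'no satisfying key or service pack found' }
}

# MS03-027 on Windows XP, using the keys named in the post: the hotfix key,
# the Update Rollup 1 key, or SP2 and later.
Test-PatchApplied -FixedInServicePack 2 -SatisfyingKeys @(
    'SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB821557',
    'SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB826939'
)
```

The result object records which artefact satisfied the check, so an inventory report can show whether a host was covered by the hotfix, by the rollup, or by the service pack. On current Windows versions the installed-update list is available through Get-HotFix (Win32_QuickFixEngineering) instead of per-hotfix registry keys, but the supersedence problem the post describes is the same: a check that looks for exactly one KB number will report hosts as unpatched when the fix arrived inside a later cumulative update.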
    
    
    


