Hello All,

After reviewing the code, I suggest the following changes for Script ID 22534 version 1.3:

if ( hotfix_check_sp(xp:3, win2003:2, win2k:6) > 0 )
{
  if (is_accessible_share())
  {
    office_version = hotfix_check_office_version ();
    rootfile = hotfix_get_commonfilesdir();
    # Single combined test, so security_hole() is called at most once per host
    if ( ( hotfix_check_fversion(path:rootfile, file:"\Microsoft Shared\Office11\msxml5.dll", version:"5.10.2930.0") == HCF_OLDER ) ||
         ( hotfix_check_fversion(file:"system32\Msxml3.dll", version:"8.70.1113.0") == HCF_OLDER ) )
    # if ( ( hotfix_check_fversion(file:"system32\Msxml3.dll", version:"8.70.1113.0") == HCF_OLDER ) ||
    # ( hotfix_check_fversion(path:rootfile, file:"\Microsoft Shared\Office11\msxml5.dll", version:"5.10.2930.0") == HCF_OLDER ) )
    #( hotfix_check_fversion(file:"system32\Msxml4.dll", version:"4.20.9839.0") == HCF_OLDER ) ||
    #( hotfix_check_fversion(file:"system32\Msxml5.dll", version:"5.10.2930.0") == HCF_OLDER ) ||
    #( hotfix_check_fversion(file:"system32\Msxml6.dll", version:"6.0.3888.0") == HCF_OLDER ) )
      security_hole (get_kb_item("SMB/transport"));
    hotfix_check_fversion_end();
  }
  else if ( hotfix_missing(name:"924191") > 0 )
    security_hole(get_kb_item("SMB/transport"));
}

Comments or other suggestions?

Thanks,
Paul

----- Original Message -----
From: Paul Bellefeuille
To: plugins-writers@private
Sent: Wednesday, October 25, 2006 10:01 PM
Subject: Nessus Script ID 22534 version 1.3: Contains A Reporting Bug?

Hello All,

I believe the following Script ID: 22534 version 1.3 contains a reporting bug. When scanning systems with Office 2003, this check reports twice in the reports.

Example output for NBE:

results|TARGET SYSTEM|microsoft-ds (445/tcp)|11119|Security Note|\nSynopsis :\n\nThe remote system has the latest service pack installed.\n\nDescription :\n\nBy reading the registry key HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CSDVersion\nit was possible to determine the Service Pack version of the Windows XP\nsystem.\n\nRisk factor :\n\nNone\n\nPlugin output :\n\nThe remote Windows XP system has Service Pack 2 applied.\n\nCVE : CVE-1999-0662\nBID : 10897, 11202\n
results|TARGET SYSTEM|microsoft-ds (445/tcp)|22534|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host through the web or\nemail client. \n\nDescription :\n\nThe remote host is running a version of Windows which contains a flaw\nin the Windows XML Core Services..\n\nAn attacker may be able to execute arbitrary code on the remote host\nby constructing a malicious script and enticing a victim to visit a\nweb site or view a specially-crafted email message.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/Bulletin/MS06-061.mspx\n\nRisk factor : \n\nHigh / CVSS Base Score : 8 \n(AV:R/AC:H/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2006-4684, CVE-2006-4685\nBID : 20338, 20339\n
results|TARGET SYSTEM|microsoft-ds (445/tcp)|22534|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host through the web or\nemail client. \n\nDescription :\n\nThe remote host is running a version of Windows which contains a flaw\nin the Windows XML Core Services..\n\nAn attacker may be able to execute arbitrary code on the remote host\nby constructing a malicious script and enticing a victim to visit a\nweb site or view a specially-crafted email message.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/Bulletin/MS06-061.mspx\n\nRisk factor : \n\nHigh / CVSS Base Score : 8 \n(AV:R/AC:H/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2006-4684, CVE-2006-4685\nBID : 20338, 20339\n
results|TARGET SYSTEM|microsoft-ds (445/tcp)|22531|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host through Microsoft\nPowerPoint.\n\nDescription :\n\nThe remote host is running a version of Microsoft PowerPoint\nwhich is subject to a flaw which may allow arbitrary code to be run.\n\nAn attacker may use this to execute arbitrary code on this host.\n\nTo succeed, the attacker would have to send a rogue file to \na user of the remote computer and have it open it. Then a bug in\nthe font parsing handler would result in code execution.\n\nSolution : \n\nMicrosoft has released a set of patches for PowerPoint 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms06-058.mspx\n\nRisk factor : \n\nHigh / CVSS Base Score : 8 \n(AV:R/AC:H/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2006-3435, CVE-2006-3876, CVE-2006-3877, CVE-2006-4694\nBID : 20325, 20322, 20304\n

Could someone verify?

Thanks,
Paul

_______________________________________________
Plugins-writers mailing list
Plugins-writers@private
http://mail.nessus.org/mailman/listinfo/plugins-writers
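
Added example (not part of the original message and not Nessus project code): a small Python check that finds findings reported more than once in an NBE export, such as the doubled 22534 record quoted above. The sample lines are constructed from the post with the report text shortened, and the tolerance for one extra field before the host is an assumption about other exports.

```python
from collections import Counter

# Constructed sample: the four records quoted in the post, report text shortened.
SAMPLE = [
    r"results|TARGET SYSTEM|microsoft-ds (445/tcp)|11119|Security Note|\nSynopsis :\n(shortened)\n",
    r"results|TARGET SYSTEM|microsoft-ds (445/tcp)|22534|Security Hole|\nSynopsis :\n(shortened)\n",
    r"results|TARGET SYSTEM|microsoft-ds (445/tcp)|22534|Security Hole|\nSynopsis :\n(shortened)\n",
    r"results|TARGET SYSTEM|microsoft-ds (445/tcp)|22531|Security Hole|\nSynopsis :\n(shortened)\n",
]

def parse_nbe(lines):
    """Yield (host, port, plugin_id, severity, text) for each finding record."""
    for line in lines:
        fields = line.rstrip("\r\n").split("|")
        if fields[0] != "results":
            continue  # not a finding record
        # Layout quoted in the post: results|host|port|plugin|severity|text.
        # Assumption: other exports may carry one extra field before the host,
        # so take the first all-digit field at index 3 or 4 as the plugin ID.
        idx = next((i for i in (3, 4) if i < len(fields) and fields[i].isdigit()), None)
        if idx is None or len(fields) < idx + 3:
            continue  # port-only or truncated record
        text = "|".join(fields[idx + 2:])  # report text may itself contain '|'
        yield fields[idx - 2], fields[idx - 1], fields[idx], fields[idx + 1], text

def duplicate_findings(lines):
    """Map (host, port, plugin_id) -> count for findings repeated with identical text."""
    counts = Counter(parse_nbe(lines))
    return {rec[:3]: n for rec, n in counts.items() if n > 1}

def dedupe(lines):
    """Return the lines with repeated identical findings dropped, order preserved."""
    seen, kept = set(), []
    for line in lines:
        rec = next(parse_nbe([line]), None)
        if rec is not None:
            if rec in seen:
                continue
            seen.add(rec)
        kept.append(line)
    return kept

if __name__ == "__main__":
    for key, n in duplicate_findings(SAMPLE).items():
        print("reported %d times: %s" % (n, " | ".join(key)))
```

Running the same check over an export produced before and after a plugin change shows whether the duplicate record is gone.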
This archive was generated by hypermail 2.1.3 : Fri Oct 27 2006 - 15:29:18 PDT