📄 secpod_ms08-049_900035.nasl
字号:
################################################################################ Vulnerabilities in Event System Could Allow Remote Code Execution (950974)## Copyright: SecPod## Date Written: 2008/08/14## Revision: 1.1 ## Log: schandan# Issue #0121# ------------------------------------------------------------------------# This program was written by SecPod and is licensed under the GNU GPL # license. Please refer to the below link for details,# http://www.gnu.org/licenses/gpl.html# This header contains information regarding licensing terms under the GPL, # and information regarding obtaining source code from the Author. # Consequently, pursuant to section 3(c) of the GPL, you must accompany the # information found in this header with any distribution you make of this # Program.# ------------------------------------------------------------------------##############################################################################if(description){ script_id(900035); script_bugtraq_id(30584); script_cve_id("CVE-2008-1456", "CVE-2008-1457"); script_copyright(english:"Copyright (C) 2008 SecPod"); script_version("$Revision: 1.1 $"); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_name(english:"Vulnerabilities in Event System Could Allow Remote Code Execution (950974)"); script_summary(english:"Check for the vulnerable File Version"); desc["english"] = " MS08-049 Overview : This host has critical security update missing according to Microsoft Bulletin MS08-049. Vulnerability Insight : Issues are due to the Microsoft Windows Event System does not properly validate the range of indexes when calling an array of function pointers and fails to handle per-user subscription requests. Impact : Remote exploitation allows attackers to execute arbitrary code with system privileges. Impact Level : System Affected Software/OS : Microsoft Windows 2K/XP/2003 Fix : Run Windows Update and update the listed hotfixes or download and update mentioned hotfixes in the advisory from the below link. http://www.microsoft.com/technet/security/bulletin/ms08-049.mspx References : http://www.microsoft.com/technet/security/bulletin/ms08-049.mspx CVSS Score : CVSS Base Score : 6.8 (AV:N/AC:M/Au:NR/C:P/I:P/A:P) CVSS Temporal Score : 5.0 Risk factor : Medium"; script_description(english:desc["english"]); script_dependencies("secpod_reg_enum.nasl"); exit(0);} include("smb_nt.inc"); include("secpod_reg.inc"); include("secpod_smb_func.inc"); if(hotfix_check_sp(xp:3, win2k:5, win2003:3) <= 0){ exit(0); } function get_version() { if(hotfix_missing(name:"950974") == 0){ exit(0); } dllPath = registry_get_sz(item:"Install Path", key:"SOFTWARE\Microsoft\COM3\Setup"); dllPath += "\Es.dll"; share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:dllPath); file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1", string:dllPath); name = kb_smb_name(); login = kb_smb_login(); pass = kb_smb_password(); domain = kb_smb_domain(); port = kb_smb_transport(); soc = open_sock_tcp(port); if(!soc){ exit(0); } r = smb_session_request(soc:soc, remote:name); if(!r) { close(soc); exit(0); } prot = smb_neg_prot(soc:soc); if(!prot) { close(soc); exit(0); } r = smb_session_setup(soc:soc, login:login, password:pass, domain:domain, prot:prot); if(!r) { close(soc); exit(0); } uid = session_extract_uid(reply:r); r = smb_tconx(soc:soc, name:name, uid:uid, share:share); tid = tconx_extract_tid(reply:r); if(!tid) { close(soc); exit(0); } fid = OpenAndX(socket:soc, uid:uid, tid:tid, file:file); if(!fid) { close(soc); exit(0); } v = GetVersion(socket:soc, uid:uid, tid:tid, fid:fid, offset:150000); return v; } if(hotfix_check_sp(win2k:5) > 0) { vers = get_version(); if(vers == NULL){ exit(0); } # Grep < 2000.2.3550.0 if(ereg(pattern:"^(1999\..*|2000\.(1\..*|2\.([0-2]?[0-9].|3[0-4].*|" + "35[0-4][0-9]\..*)))$", string:vers)){ security_warning(0); } } if(hotfix_check_sp(xp:4) > 0) { vers = get_version(); if(vers == NULL){ exit(0); } SP = get_kb_item("SMB/WinXP/ServicePack"); if("Service Pack 2" >< SP) { # Grep < 2001.12.4414.320 if(ereg(pattern:"^(2000\..*|2001\.(0?[0-9]\..*|1[01]\..*|12\." + "([0-3]?[0-9].*|4[0-3].*|440[0-9]\..*|441[0-3]" + "\..*|4414\.([0-2]?[0-9]?[0-9]|3[01][0-9])))).?$", string:vers)){ security_warning(0); } exit(0); } if("Service Pack 3" >< SP) { # Grep < 2001.12.4414.706 if(ereg(pattern:"^(2000\..*|2001\.(0?[0-9]\..*|1[01]\..*|12\." + "([0-3]?[0-9].*|4[0-3].*|440[0-9]\..*|441[0-3]" + "\..*|4414\.([0-6]?[0-9]?[0-9]|70[0-5])))).?$", string:vers)){ security_warning(0); } exit(0); } else security_warning(0); } if(hotfix_check_sp(win2003:3) > 0) { vers = get_version(); if(vers == NULL){ exit(0); } SP = get_kb_item("SMB/Win2003/ServicePack"); if("Service Pack 1" >< SP) { # Grep < 2001.12.4720.3129 if(ereg(pattern:"^(2000\..*|2001\.(0?[0-9]\..*|1[01]\..*|12\." + "([0-3]?[0-9].*|4[0-6].*|47[01][0-9]\..*|4720" + "\.([0-2]?[0-9]?[0-9]?[0-9]|30.*|31[01][0-9]|" + "312[0-8])))).?$", string:vers)){ security_warning(0); } exit(0); } if("Service Pack 2" >< SP) { # Grep < 2001.12.4720.4282 if(ereg(pattern:"^(2000\..*|2001\.(0?[0-9]\..*|1[01]\..*|12\." + "([0-3]?[0-9].*|4[0-6].*|47[01][0-9]\..*|4720" + "\.([0-3]?[0-9]?[0-9]?[0-9]|4[01].*|42[0-7][0-9]|" + "428[01])))).?$", string:vers)){ security_warning(0); } exit(0); } else security_warning(0); }⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -