📄 secpod_ms08-053_900044.nasl
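###############################################################################
#  Windows Media Encoder 9 Remote Code Execution Vulnerability (954156)
#
#  Copyright: SecPod
#
#  Date Written: 2008/09/10
#
#  Revision: 1.1
#
#  Log: schandan
#  Issue #0179
#  ------------------------------------------------------------------------
#  This program was written by SecPod and is licensed under the GNU GPL
#  license. Please refer to the below link for details,
#  http://www.gnu.org/licenses/gpl.html
#  This header contains information regarding licensing terms under the GPL,
#  and information regarding obtaining source code from the Author.
#  Consequently, pursuant to section 3(c) of the GPL, you must accompany the
#  information found in this header with any distribution you make of this
#  Program.
#  ------------------------------------------------------------------------
##############################################################################

# Purpose: authenticated local check for MS08-053 (CVE-2008-3008).
# Flow, as implemented below:
#   1. hotfix_check_sp() gates the check to Windows XP / 2000 / 2003.
#   2. The Windows Media Encoder 9 uninstall key must exist and its
#      DisplayName must contain "Windows Media Encoder 9".
#   3. If hotfix_missing("954156") returns 0 the script stops without
#      reporting.
#   4. Otherwise the file version of wmex.dll is read over SMB and the host
#      is reported when that version is below 9.0.0.3359.
#
# Caveat for anyone reading scan results: every failure path (no socket,
# failed SMB login, unreadable share or file, missing registry value) ends in
# a silent exit(0). "No finding" from this script therefore means "not shown
# vulnerable", not "verified patched".

if(description)
{
  script_id(900044);
  script_bugtraq_id(31065);
  script_cve_id("CVE-2008-3008");
  script_copyright(english:"Copyright (C) 2008 SecPod");
  script_version("Revision: 1.1 ");
  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");
  script_name(english:"Windows Media Encoder 9 Remote Code Execution Vulnerability (954156)");
  script_summary(english:"Check for Hotfix and version of Windows Media Encoder");

  # NOTE(review): the report text is kept exactly as this listing shows it;
  # the line breaks inside the string look like they were lost when the page
  # was extracted - confirm against the upstream file before shipping.
  desc["english"] = " MS08-053 Overview : This host has critical security update missing according to Microsoft Bulletin MS08-053. Vulnerability Insight : The flaw is caused due to a boundary error in the WMEX.DLL ActiveX control. Impact : Remote attackers can execute arbitrary code, if a user views a specially crafted web page, and can successfully exploit to take complete control of an affected system to view, change, or delete, or create new accounts with full user rights. 
Impact Level : Application/System Affected Software/OS : Windows Media Encoder 9 on Windows 2K/XP/2003 Fix : Run Windows Update and update the listed hotfixes or download and update mentioned hotfixes in the advisory from the below link, http://www.microsoft.com/technet/security/bulletin/ms08-053.mspx References : http://www.microsoft.com/technet/security/bulletin/ms08-053.mspx CVSS Score : CVSS Base Score : 9.3 (AV:N/AC:M/Au:NR/C:C/I:C/A:C) CVSS Temporal Score : 7.3 Risk factor : High";

  script_description(english:desc["english"]);
  script_dependencies("secpod_reg_enum.nasl");
  exit(0);
}


include("smb_nt.inc");
include("secpod_reg.inc");
include("secpod_smb_func.inc");

# Only the XP / Windows 2000 / Windows 2003 targets named here are in scope.
if(hotfix_check_sp(xp:4, win2k:5, win2003:3) <= 0){
  exit(0);
}


# get_version()
#   Locates wmex.dll next to WMEnc.exe (path taken from the DisplayIcon value
#   of the Windows Media Encoder 9 uninstall key), opens it over SMB with the
#   credentials stored in the knowledge base, and returns whatever
#   GetVersion() reports for that file.
#
#   Returns: the version value from GetVersion(), or NULL when the registry
#            value cannot be turned into a wmex.dll path.
#   Exits the script (exit(0)) on any SMB failure, closing the socket first.
function get_version()
{
  dllPath = registry_get_sz(key:"SOFTWARE\Microsoft\Windows\CurrentVersion" +
                                "\Uninstall\Windows Media Encoder 9",
                            item:"DisplayIcon");

  # Fix: the original went on to derive a share and file name even when
  # DisplayIcon was empty or did not name WMEnc.exe, then authenticated to
  # the target only to fail on a bogus path. Stop before any credentials are
  # sent; the caller already treats NULL as "cannot determine".
  if(!dllPath || "WMEnc.exe" >!< dllPath){
    return NULL;
  }

  # Swap the executable name for the DLL that lives in the same directory.
  dllPath = dllPath - "WMEnc.exe" + "wmex.dll";

  # "C:\dir\wmex.dll" -> share "C$" and file "\dir\wmex.dll".
  # NOTE(review): both patterns match an upper-case drive letter only; a
  # lower-case letter in the registry value would leave the path unsplit and
  # the tree connect below would fail - confirm against real DisplayIcon data.
  share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:dllPath);
  file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1", string:dllPath);

  # Scan credentials and transport come from the knowledge base; login,
  # password and domain are handed to smb_session_setup() below.
  name = kb_smb_name();
  login = kb_smb_login();
  pass = kb_smb_password();
  domain = kb_smb_domain();
  port = kb_smb_transport();

  soc = open_sock_tcp(port);
  if(!soc){
    exit(0);
  }

  r = smb_session_request(soc:soc, remote:name);
  if(!r)
  {
    close(soc);
    exit(0);
  }

  prot = smb_neg_prot(soc:soc);
  if(!prot)
  {
    close(soc);
    exit(0);
  }

  r = smb_session_setup(soc:soc, login:login, password:pass,
                        domain:domain, prot:prot);
  if(!r)
  {
    close(soc);
    exit(0);
  }

  uid = session_extract_uid(reply:r);

  # Tree-connect to the drive's share; a missing tid means the connect failed.
  r = smb_tconx(soc:soc, name:name, uid:uid, share:share);
  tid = tconx_extract_tid(reply:r);
  if(!tid)
  {
    close(soc);
    exit(0);
  }

  fid = OpenAndX(socket:soc, uid:uid, tid:tid, file:file);
  if(!fid)
  {
    close(soc);
    exit(0);
  }

  v = GetVersion(socket:soc, uid:uid, tid:tid, fid:fid);
  close(soc);
  return v;
}


# No uninstall entry -> Windows Media Encoder 9 is not installed.
if(!registry_key_exists(key:"SOFTWARE\Microsoft\Windows\CurrentVersion" +
                            "\Uninstall\Windows Media Encoder 9")){
  exit(0);
}

wmeName = registry_get_sz(key:"SOFTWARE\Microsoft\Windows\CurrentVersion" +
                              "\Uninstall\Windows Media Encoder 9",
                          item:"DisplayName");

if("Windows Media Encoder 9" >< wmeName)
{
  # A return of 0 from hotfix_missing() is treated as "954156 is present".
  if(hotfix_missing(name:"954156") == 0){
    exit(0);
  }

  vers = get_version();
  if(vers == NULL){
    exit(0);
  }

  # Grep wmex.dll version < 9.0.0.3359
  # The last field is matched as 0-2999, 3000-3299, 3300-3349 or 3350-3358;
  # the two middle fields accept "0" or "00".
  if(ereg(pattern:"^9\.0?0\.0?0\.([0-2]?[0-9]?[0-9]?[0-9]|3[0-2][0-9]" +
                  "[0-9]|33[0-4][0-9]|335[0-8])$", string:vers)){
    security_hole(0);
  }
}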