win_cve-2007-6026.nasl

漏洞扫描源码,可以扫描linux,windows,交换机路由器

#
# This script was written by Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>
#
# This script is released under the GNU GPLv2
#
# $Revision: 01 $

if(description)
{

 script_id(90024);
 script_version ("$Revision: 01 $");
 script_cve_id("CVE-2007-6026");
 name["english"] = "Windows Vulnerability in Microsoft Jet Database Engine";
 script_name(english:name["english"]);

 desc["english"] = "The remote host is probably affected by the vulnerability described in
CVE-2007-6026


Impact
    Stack-based buffer overflow in Microsoft msjet40.dll 4.0.8618.0
    (aka Microsoft Jet Engine), as used by Access 2003 in Microsoft
    Office 2003 SP3, allows user-assisted attackers to execute arbitrary
    code via a crafted MDB file database file containing a column
    structure with a modified column count. NOTE: this might be the
    same issue as CVE-2005-0944. 

References:
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6026
    http://www.microsoft.com/technet/security/bulletin/ms08-028.mspx

Solution:
    All Users should upgrade to the latest version.


Risk factor : High";

 script_description(english:desc["english"]);
 summary["english"] = "Windows Vulnerability in Microsoft Jet Database Engine";
 script_summary(english:summary["english"]);
 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is under GPLv2");
 family["english"] = "Windows";
 script_family(english:family["english"]);
 exit(0);
}

#
# The code starts here
#

local_var os;

include("version_func.inc");
include("smbcl_func.inc");
if( check_smbcl() == 0 ) exit(0);

  win_dir = get_windir();
  sec_hole = 0;
  if( !isnull(win_dir) ) {
    os = get_kb_item("SMB/OS");
    filespec = win_dir+"system32\Msjint40.dll";
    test_version = NULL;
    if( "WINDOWS 5.1" >< os ) {
      test_version = "4.0.9502.0";
    } else {
      if( "WINDOWS SERVER 2003" >< os ) {
        test_version = "4.0.9502.0";
      } else {
        if( "WINDOWS 5.0" >< os ) {
          test_version = "4.0.9502.0";            
        }
      }
    }
    if( !isnull(test_version) ) {
      r = smbgetdir(share: "C$", dir: filespec, typ: 1 );
      if( !isnull(r) ) {
        tmp_filename = get_tmp_dir()+"tmpfile"+rand();
        if( smbgetfile(share: "C$", filename: filespec, tmp_filename: tmp_filename) ) {
          v = GetPEFileVersion(tmp_filename:tmp_filename, orig_filename:filespec);
          unlink(tmp_filename);
          if( version_is_less(version: v, test_version: test_version) ) {
            if( sec_hole == 0 ) {
              security_hole(port:0, proto:"Win");
              sec_hole = 1;
            }
            security_hole(port:0, proto:"Win", data:"Version found : C$ "+filespec + " "+v+string("\n")+
                                                    "Version expected : "+test_version+" or higher "+string("\n"));
          }
        } else {
          report = string("Error getting SMB-File -> "+get_kb_item("SMB/ERROR")) + string("\n");
          security_note(port:0, proto:"SMB", data:report);
        }
      } else {
        report = string(filespec+" not found/no access -> "+get_kb_item("SMB/ERROR")) + string("\n");
        security_note(port:0, proto:"SMB", data:report);
      }
    }
    filespec = win_dir+"system32\Msjet40.dll";
    test_version = NULL;
    if( "WINDOWS 5.1" >< os ) {
      test_version = "4.0.9511.0";
    } else {
      if( "WINDOWS SERVER 2003" >< os ) {
        test_version = "4.0.9511.0";
      } else {
        if( "WINDOWS 5.0" >< os ) {
          test_version = "4.0.9511.0";            
        }
      }
    }
    if( !isnull(test_version) ) {
      r = smbgetdir(share: "C$", dir: filespec, typ: 1 );
      if( !isnull(r) ) {
        tmp_filename = get_tmp_dir()+"tmpfile"+rand();
        if( smbgetfile(share: "C$", filename: filespec, tmp_filename: tmp_filename) ) {
          v = GetPEFileVersion(tmp_filename:tmp_filename, orig_filename:filespec);
          unlink(tmp_filename);
          if( version_is_less(version: v, test_version: test_version) ) {
            if( sec_hole == 0 ) {
              security_hole(port:0, proto:"Win");
              sec_hole = 1;
            }
            security_hole(port:0, proto:"Win", data:"Version found : C$ "+filespec + " "+v+string("\n")+
                                                    "Version expected : "+test_version+" or higher "+string("\n"));
          }
        } else {
          report = string("Error getting SMB-File -> "+get_kb_item("SMB/ERROR")) + string("\n");
          security_note(port:0, proto:"SMB", data:report);
        }
      } else {
        report = string(filespec+" not found/no access -> "+get_kb_item("SMB/ERROR")) + string("\n");
        security_note(port:0, proto:"SMB", data:report);
      }
    }
  }

exit(0);