win_cve-2008-0087.nasl

漏洞扫描源码,可以扫描linux,windows,交换机路由器

#
# This script was written by Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>
#
# This script is released under the GNU GPLv2
#
# $Revision: 01 $

if(description)
{

 script_id(90020);
 script_version ("$Revision: 01 $");
 script_cve_id("CVE-2008-0087");
 name["english"] = "Windows vulnerability in DNS Client Could Allow Spoofing (945553)";
 script_name(english:name["english"]);

 desc["english"] = "The remote host is probably affected by the vulnerability described in
CVE-2008-0087


Impact
    The DNS client in Microsoft Windows 2000 SP4, XP SP2, Server 2003 SP1
    and SP2, and Vista uses predictable DNS transaction IDs, which allows
    remote attackers to spoof DNS responses. 

References:
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0087
    http://www.microsoft.com/technet/security/bulletin/ms08-020.mspx

Solution:
    All Users should upgrade to the latest version.


Risk factor : High";

 script_description(english:desc["english"]);
 summary["english"] = "Windows vulnerability in DNS Client Could Allow Spoofing (945553)";
 script_summary(english:summary["english"]);
 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is under GPLv2");
 family["english"] = "Windows";
 script_family(english:family["english"]);
 exit(0);
}

#
# The code starts here
#

local_var os;

include("version_func.inc");
include("smbcl_func.inc");
if( check_smbcl() == 0 ) exit(0);

  win_dir = get_windir();
  sec_hole = 0;
  if( !isnull(win_dir) ) {
    os = get_kb_item("SMB/OS");
    filespec = win_dir+"system32\Dnsapi.dll";
    test_version = NULL;
    if( "WINDOWS VISTA" >< os ) {
      test_version = "6.0.6000.16615";
    } else {
      if( "WINDOWS 5.1" >< os ) {
        test_version = "5.1.2600.3316";
      } else {
        if( "WINDOWS SERVER 2003" >< os ) {
          if( "SERVICE PACK 2" >< os ) {
            test_version = "5.2.3790.4238";
          } else {
	    test_version = "5.2.3790.3092";
          }
        } else {
          if( "WINDOWS 5.0" >< os ) {
            test_version = "5.0.2195.7151";            
          }
        }
      }
    }
    if( !isnull(test_version) ) {
      r = smbgetdir(share: "C$", dir: filespec, typ: 1 );
      if( !isnull(r) ) {
        tmp_filename = get_tmp_dir()+"tmpfile"+rand();
        if( smbgetfile(share: "C$", filename: filespec, tmp_filename: tmp_filename) ) {
          v = GetPEFileVersion(tmp_filename:tmp_filename, orig_filename:filespec);
          unlink(tmp_filename);
          if( version_is_less(version: v, test_version: test_version) ) {
            if( sec_hole == 0 ) {
              security_hole(port:0, proto:"Win");
              sec_hole = 1;
            }
            security_hole(port:0, proto:"Win", data:"Version found : C$ "+filespec + " "+v+string("\n")+
                                                    "Version expected : "+test_version+" or higher "+string("\n"));
          }
        } else {
          report = string("Error getting SMB-File -> "+get_kb_item("SMB/ERROR")) + string("\n");
          security_note(port:0, proto:"SMB", data:report);
        }
      } else {
        report = string(filespec+" not found/no access -> "+get_kb_item("SMB/ERROR")) + string("\n");
        security_note(port:0, proto:"SMB", data:report);
      }
    }
  }

exit(0);