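##############################################################################
#
# MS08-046
# http://www.microsoft.com/technet/security/Bulletin/MS08-046.mspx
# http://support.microsoft.com/kb/952954
#
# This script is released under the GNU GPLv2
#
# AlienVault VRT
# jaime.blasco [at] alienvault.com
##############################################################################

if(description)
{
  script_id(1020026);
  script_version("$Revision: 1.0 $");
  script_cve_id("CVE-2008-2245");
  name["english"] = "Vulnerability in Microsoft Windows Image Color Management System Could Allow Remote Code Execution (952954)";
  script_name(english:name["english"]);
  desc["english"] = "
  Overview : This host is missing critical security update according to
  Microsoft Bulletin MS08-046.

  Vulnerability Insight :
  A remote code execution vulnerability exists in the way that Microsoft Color
  Management System (MSCMS) module of the Microsoft ICM component handles memory
  allocation. The vulnerability could allow remote code execution if a user
  opens a specially crafted image file. An attacker who successfully exploited
  this vulnerability could take complete control of an affected system. An
  attacker could then install programs; view, change, or delete data; or create
  new accounts.

  Impact:
  An attacker who successfully exploited this vulnerability could gain the same
  user rights as the local user. Users whose accounts are configured to have
  fewer user rights on the system could be less impacted than users who operate
  with administrative user rights.

  Impact Level : SYSTEM

  Affected Software/OS:
  - Windows XP SP1-SP2, Windows 2003 SP1-SP2, Windows 2000 SP4

  Fix : Run Windows Update and update the listed hotfixes or download and
  update mentioned hotfixes in the advisory from the below link.
  http://www.microsoft.com/technet/security/Bulletin/MS08-046.mspx

  References :
  http://secunia.com/advisories/31385/
  http://www.kb.cert.org/vuls/id/309739
  http://www.securitytracker.com/id?1020675
  http://www.microsoft.com/technet/security/Bulletin/MS08-046.mspx

  CVSS Score Report :
  CVSS Base Score     : 6.6
  CVSS Temporal Score : 5.1
  Risk factor : High";

  script_description(english:desc["english"]);
  script_dependencies("secpod_reg_enum.nasl");
  exit(0);
}

include("smb_nt.inc");
include("secpod_reg.inc");
include("secpod_smb_func.inc");

# Only Windows 2000 (SP < 5), XP (SP < 4) and 2003 (SP < 3) are covered by
# this bulletin; anything else is out of scope, so stop early.
if(hotfix_check_sp(win2k:5, xp:4, win2003:3) <= 0){
  exit(0);
}

# Read the product version of Mscms.dll from the target over SMB.
#
# The DLL location is taken from the COM3 "Install Path" registry value;
# the drive letter is turned into the administrative share (e.g. "C$") and
# the remainder becomes the share-relative file path. Exits the script
# (no result) when the registry value, the SMB session or the file open
# fails. The SMB socket is closed on every path, including success.
#
# Returns: the value of GetVersion(..., verstr:"prod") for the DLL.
function Get_FileVersion()
{
  sysFile = registry_get_sz(key:"SOFTWARE\Microsoft\COM3\Setup", item:"Install Path");
  if(!sysFile){
    exit(0);
  }

  # The registry value may or may not end with a path separator; only add one
  # when it is missing so the file name is never glued onto the directory name.
  sep = '\\';
  if(substr(sysFile, strlen(sysFile) - 1) != sep){
    sysFile += sep;
  }

  # Affected DLL
  sysFile += "Mscms.dll";

  # "C:\dir\Mscms.dll" -> share "C$", file "\dir\Mscms.dll"
  share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:sysFile);
  file  = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1", string:sysFile);

  name   = kb_smb_name();
  login  = kb_smb_login();
  pass   = kb_smb_password();
  domain = kb_smb_domain();
  port   = kb_smb_transport();

  soc = open_sock_tcp(port);
  if(!soc){
    exit(0);
  }

  r = smb_session_request(soc:soc, remote:name);
  if(!r)
  {
    close(soc);
    exit(0);
  }

  prot = smb_neg_prot(soc:soc);
  if(!prot)
  {
    close(soc);
    exit(0);
  }

  r = smb_session_setup(soc:soc, login:login, password:pass, domain:domain, prot:prot);
  if(!r)
  {
    close(soc);
    exit(0);
  }

  uid = session_extract_uid(reply:r);

  r   = smb_tconx(soc:soc, name:name, uid:uid, share:share);
  tid = tconx_extract_tid(reply:r);
  if(!tid)
  {
    close(soc);
    exit(0);
  }

  fid = OpenAndX(socket:soc, uid:uid, tid:tid, file:file);
  if(!fid)
  {
    close(soc);
    exit(0);
  }

  # NOTE(review): 'offset' is passed as a bare (anonymous) argument and is
  # never assigned in this script; kept as in the original — confirm against
  # GetVersion() in secpod_smb_func.inc.
  ver = GetVersion(socket:soc, uid:uid, tid:tid, fid:fid, offset, verstr:"prod");

  # The socket was previously left open on the success path.
  close(soc);
  return ver;
}

# Nothing to do when KB952954 is already installed.
if(hotfix_missing(name:"952954") == 0){
  exit(0);
}

fileVer = Get_FileVersion();
if(!fileVer){
  exit(0);
}

# Each branch below compares the Mscms.dll product version against the first
# fixed build for that platform / service pack. The patterns match every
# version strictly below the fixed build (lower major build with any
# revision, or the same build with a lower revision).
if(hotfix_check_sp(win2k:5) > 0)
{
  # Windows 2000: fixed in 5.0.2195.7162
  if(egrep(pattern:"^5\.0?0\.(([01]?[0-9]?[0-9]?[0-9]|2(0[0-9" +
                   "][0-9]|1([0-8][0-9]|9[0-4])))\..*|2195\.(" +
                   "[0-6]?[0-9]?[0-9]?[0-9]|7(0[0-9][0-9]|1[0" +
                   "-5][0-9]|16[01])))$", string:fileVer)){
    security_warning(0);
  }
  exit(0);
}
else if(hotfix_check_sp(xp:4) > 0)
{
  SP = get_kb_item("SMB/WinXP/ServicePack");

  if("Service Pack 2" >< SP)
  {
    # XP SP2: fixed in 5.1.2600.3396
    if(egrep(pattern:"^5\.0?1\.(([01]?[0-9]?[0-9]?[0-9]|2([0-5][0" +
                     "-9][0-9]))\..*|2600\.([0-2]?[0-9]?[0-9]?[" +
                     "0-9]|3([0-2][0-9][0-9]|3[0-8][0-9]|39[0-5])))$",
             string:fileVer)){
      security_warning(0);
    }
    exit(0);
  }
  else if("Service Pack 3" >< SP)
  {
    # XP SP3: fixed in 5.1.2600.5627
    if(egrep(pattern:"^5\.0?1\.(([01]?[0-9]?[0-9]?[0-9]|2([0-5][0" +
                     "-9][0-9]))\..*|2600\.([0-4]?[0-9]?[0-9]?[" +
                     "0-9]|5([0-5][0-9][0-9]|6[0-1][0-9]|62[0-6])))$",
             string:fileVer)){
      security_warning(0);
    }
    exit(0);
  }

  # Any other in-scope XP service pack has no fixed build to compare
  # against, so it is reported unconditionally (original behaviour).
  security_warning(0);
}
else if(hotfix_check_sp(win2003:3) > 0)
{
  SP = get_kb_item("SMB/Win2003/ServicePack");

  if("Service Pack 1" >< SP)
  {
    # Windows 2003 SP1: fixed in 5.2.3790.3163
    if(egrep(pattern:"^5\.0?2\.(([0-2]?[0-9]?[0-9]?[0-9]|3([0-6]" +
                     "[0-9][0-9]|7[0-8][0-9]))\..*|3790\.([0-2]?" +
                     "[0-9]?[0-9]?[0-9]|30[0-9][0-9]|31([0-5][0-9]|6[0-2])))$",
             string:fileVer)){
      security_warning(0);
    }
    exit(0);
  }
  else if("Service Pack 2" >< SP)
  {
    # Windows 2003 SP2: fixed in 5.2.3790.4320
    # The lower-build alternative used "[02]?" in the original, which skipped
    # four-digit builds starting with 1; it is "[0-2]?" here like the SP1 case.
    if(egrep(pattern:"^5\.0?2\.(([0-2]?[0-9]?[0-9]?[0-9]|3([0-6]" +
                     "[0-9][0-9]|7[0-8][0-9]))\..*|3790\.([0-3]?" +
                     "[0-9]?[0-9]?[0-9]|4([0-2][0-9][0-9]|3(0" +
                     "[0-9]|1[0-9]))))$", string:fileVer)){
      security_warning(0);
    }
    exit(0);
  }

  # Any other in-scope 2003 service pack has no fixed build to compare
  # against, so it is reported unconditionally (original behaviour).
  security_warning(0);
}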