###############################################################################
# OpenVAS Vulnerability Test
# $Id: secpod_ms_wordpad_mult_vuln.nasl 655 2008-12-11 16:37:35Z dec $
#
# Vulnerability in WordPad Text Converter Could Allow Remote Code Execution (960906)
#
# Authors:
# Chandan S
#
# Copyright: SecPod
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

# Plugin metadata. This branch only registers the check (id, CVE/BID
# references, report text, category, dependencies) and then exits.
if(description)
{
  script_id(900065);
  script_version("$Revision: 1.0 $");
  script_cve_id("CVE-2008-4841");
  script_bugtraq_id(31399, 32718);
  script_name(english:"Vulnerability in WordPad Text Converter Could Allow Remote Code Execution (960906)");

  # Report text shown to the operator; the literal is kept exactly as found.
  # NOTE(review): the CVSS vector in this text rates availability impact only
  # (C:N/I:N/A:C) while the title and impact text describe code execution --
  # confirm the score against the vendor advisory before using it for triage.
  desc["english"] = " Overview: This host has Microsoft WordPad installed and is prone to multiple vulnerabilities. Vulnerability Insight: The issue is caused due to an error in the WordPad Text Converter for Word 97 files. Impact: Successful exploitation will allow remote arbitrary code execution on the vulnerable system and could also corrupt memory to deny the service. Impact Level: Application Affected Software/OS: Microsoft Windows 2K/XP/2003 Fix: No solution or patch is available as on 11th December,2008. Information regarding this issue will be updated once the solution details are available. 
For updates refer, http://www.microsoft.com/en/us/default.aspx Workaround: Go through the workaround section in the below advisory reference link. ***** NOTE : Microsoft Windows XP SP3 is not vulnerable to this issue. ***** References: http://milw0rm.com/sploits/2008-crash.doc.rar http://www.microsoft.com/technet/security/advisory/960906.mspx CVSS Score: CVSS Base Score : 7.1 (AV:N/AC:M/Au:NR/C:N/I:N/A:C) CVSS Temporal Score : 6.1 Risk factor : High";

  script_description(english:desc["english"]);
  script_summary(english:"Check for the vulnerable File Version");
  # ACT_GATHER_INFO: the check reads registry data and a file version; no
  # exploit attempt is visible in this script.
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Copyright (C) 2008 SecPod");
  script_family(english:"Windows");
  script_dependencies("secpod_reg_enum.nasl");
  exit(0);
}


include("smb_nt.inc");
include("secpod_reg.inc");
include("version_func.inc");
include("secpod_smb_func.inc");

# Only continue on the OS / service-pack combinations this check covers.
if(hotfix_check_sp(xp:3, win2k:5, win2003:3) <= 0) exit(0);

# WordPad has to be registered under App Paths, otherwise nothing to test.
appPathKey = "SOFTWARE\Microsoft\Windows\CurrentVersion" +
             "\App Paths\WORDPAD.EXE";
if(!registry_key_exists(key:appPathKey)) exit(0);

# The value names below this key are searched for the WordPad executable path.
clientsKey = "SOFTWARE\Microsoft\Shared Tools\MSWord8\Clients";
foreach client (registry_enum_values(key:clientsKey))
{
  # NOTE(review): `><` is a case-sensitive substring test and the patterns
  # below accept only an upper-case drive letter -- confirm the case in which
  # registry_enum_values() returns value names, or the check can miss silently.
  if("wordpad" >< client)
  {
    # "C:\dir\file" is split into the admin share name "C$" and "\dir\file".
    drvShare = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:client);
    wpPath = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1", string:client);

    wordpadVer = GetVer(file:wpPath, share:drvShare);
    if(wordpadVer != NULL)
    {
      # Select the highest file version still reported for the detected OS.
      # The description text states that no patch existed on 11 Dec 2008, so
      # these limits need revisiting once fixed builds are known.
      maxVulnVer = NULL;
      if(hotfix_check_sp(win2k:5) > 0){           # Windows 2000, up to SP4
        maxVulnVer = "5.0.2195.6991";
      }
      else if(hotfix_check_sp(xp:3) > 0){         # Windows XP below SP3
        maxVulnVer = "5.1.2600.2180";
      }
      else if(hotfix_check_sp(win2003:3) > 0){    # Windows 2003, up to SP2
        maxVulnVer = "5.2.3790.3959";
      }

      if(!isnull(maxVulnVer))
      {
        if(version_is_less_equal(version:wordpadVer, test_version:maxVulnVer)){
          security_hole(0);
        }
      }
    }
    # NOTE(review): the script stops after the first matching entry even when
    # GetVer() returned NULL, so an unreadable file produces no finding rather
    # than an error -- treat a silent result as "not verified", not "patched".
    exit(0);
  }
}