##############################################################################
#
# IBM Lotus Notes Multiple Vulnerabilities
#
# Copyright: OS2A and its member companies
#
# Date Written: 2006/02/14
#
# $Revision: 1.4 $
#
# $Log: os2a_lotus_notes_6x_multiple_vuln_601718.nasl,v $
# Revision 1.4  2006/09/20 11:11:28  ksjayesh
# new ntlm changes
#
# Revision 1.1  2006/08/09 14:44:17  hpavithra
# Scripts with ntlmv2 changes
#
# Revision 1.2  2006/08/04 01:03:18  bchandra
# Changes for new NTLMv2
#
# Revision 1.1  2006/02/17 14:29:01  ksjayesh
# To production
#
# Revision 1.3  2006/02/17 04:09:11  hshreesha
# issue #1821
# formatting changes
#
# Revision 1.2  2006/02/15 12:15:38  shraddha
# Added bid.
# Issue #1820
# Issue #1821
#
# Revision 1.1  2006/02/15 04:18:36  shraddha
# Issue #1821
#
# ------------------------------------------------------------------------
# This program was written by OS2A and/or its member companies and is
# licensed under the GNU GPL license. Please see below for details. This
# header contains information regarding licensing terms under the GPL, and
# information regarding obtaining source code from the Author. Consequently,
# pursuant to section 3(c) of the GPL, you must accompany the information
# found in this header with any distribution you make of this Program.
# ------------------------------------------------------------------------
##############################################################################

#
# Registration block: metadata shown by the scanner for this check.
# No host interaction happens here; the scanner calls the script once
# with `description` set to collect this data and then exits.
#
if(description)
{
  script_id(601718);
  script_bugtraq_id(16576);
  script_cve_id("CVE-2005-2618", "CVE-2005-2619");
  script_copyright(english:"Copyright (C) 2006 OS2A");
  script_version("$Revision: 1.4 $");
  script_category(ACT_GATHER_INFO);
  script_family(english:"Gain a shell remotely");

  script_name(english:"IBM Lotus Notes 6.x Multiple Vulnerabilities");
  script_summary(english:"Check for IBM Lotus Notes Vulnerable Version");

  desc = "
Overview :

  This host has IBM Lotus Notes installed which is prone to multiple
  stack-based buffer overflow and directory traversal vulnerabilities.

Vulnerability Insight :

  - A boundary error exists in kvarcve.dll when constructing the full
    pathname of a compressed file to check for its existence before
    extracting it from a ZIP archive.
  - A boundary error exists in uudrdr.dll when handling UUE files
    containing an encoded file with an overly long filename.
  - Directory traversal errors exists in kvarcve.dll when generating the
    preview of a compressed file from ZIP, UUE, and TAR archives.
  - A boundary error exists in the TAR reader tarrdr.dll, when extracting
    files from a TAR archive via a TAR archive containing a file with a
    long filename.
  - A boundary error exists in the HTML speed reader htmsr.dll, which is
    used for viewing HTML attachments in emails which can be exploited via
    a malicious email containing an overly long link beginning with either
    http, ftp, or //.
  - A boundary error exists in the HTML speed reader when checking if a
    link references a local file can be exploited via a malicious email
    containing a specially crafted, overly long link.

Impact :

  Successful exploitation leads to arbitrary code execution and/or delete
  arbitrary files with the privileges of the user running Lotus Notes.
  Impact is restricted to system level.

Affected Software :

  IBM Lotus Notes 6.x before 6.5.5.

Affected Platform :

  Windows (Any).

Solution :

  Update to version 6.5.5 or later
  http://www14.software.ibm.com/webapp/download/search.jsp?dt=SOFTWARE+UPDATE&q=Notes

References :

  http://secunia.com/secunia_research/2005-30/advisory/
  http://secunia.com/secunia_research/2005-32/advisory/
  http://secunia.com/secunia_research/2005-34/advisory/
  http://secunia.com/secunia_research/2005-36/advisory/
  http://secunia.com/secunia_research/2005-37/advisory/

CVSS Score :

  CVSS Base Score     : 5.6 (AV:R/AC:H/Au:NR/C:P/I:P/A:P/B:N)
  CVSS Temporal Score : 4.1

Risk factor : Medium";

  script_description(english:desc);
  script_dependencies("smb_hotfixes.nasl");
  script_require_keys("SMB/WindowsVersion");
  exit(0);
}

#
# Detection logic.
#
# This is a purely version-based (registry) check over SMB; it never
# talks to the Notes client itself and sends nothing crafted to the host.
# It reports when the installed product name matches a 6.x release older
# than 6.5.5.
#
include("ntlmv2.inc");

# smb_hotfixes.nasl populates this KB entry; without it there is no
# Windows host to inspect.
if(!get_kb_item("SMB/WindowsVersion")) exit(0);

# smb_port / smb_host / smb_login / smb_pass / smb_domain are expected to
# come from ntlmv2.inc (not visible in this file).
sock = open_sock_tcp(smb_port);
if(!sock) exit(0);

reg = cx_registry_connect(soc:sock, host:smb_host, login:smb_login,
                          pass:smb_pass, domain:smb_domain);
if(reg == NULL)
{
  close(sock);
  exit(0);
}

# Windows Installer component record (under the LocalSystem SID S-1-5-18)
# whose values name the product code(s) this component belongs to.
comp_key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\12220527D96F8434C95B35328503A0AD";
comp_values = cx_registry_enum_value(soc:sock, cnx:reg, key:comp_key);

# The enumeration is the only thing done on this connection; release it
# before the remaining lookup so the socket is not held open on exit paths.
cx_registry_close(soc:sock, cnx:reg);
close(sock);

if(comp_values == NULL) exit(0);

# First enumerated value is treated as the product code. The empty-pattern
# ereg_replace is kept from the original; it appears to be a pass-through
# (an empty match replaced by an empty string) — confirm before removing.
product_code = ereg_replace(string:comp_values[0], pattern:"", replace:"");
if(!product_code) exit(0);

# NOTE(review): cx_registry_get_sz is called after the session above was
# closed and without soc/cnx, so it presumably opens its own SMB session
# inside ntlmv2.inc — verify against that include.
product_name = cx_registry_get_sz(key:"SOFTWARE\Classes\Installer\Products\\" + product_code,
                                  item:"ProductName");
if(!product_name) exit(0);

# Vulnerable range expressed on the display name:
#   "Lotus Notes 6.0" .. "6.4" with any sub-version, and
#   "Lotus Notes 6.5" / "6.5.0" .. "6.5.4".
# Anything from 6.5.5 up, and non-6.x names, do not match.
if(ereg(pattern:"^Lotus Notes (6\.[0-4](\..*)?|6\.5(\.[0-4])?)$", string:product_name))
{
  security_warning(0);
  exit(0);
}