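##############################################################################
#
# Novell Client NWGINA.DLL User Profile Security Bypass Vulnerability
#
# Copyright: OS2A and it's member companies
#
# Date Written: 2007/01/10
#
# $Revision: 1.2 $
#
# $Log: os2a_novell_client_security_bypass_601361.nasl,v $
# Revision 1.2 2007/01/12 09:16:17 shraddha
# Modified CVSS Score
#
# Revision 1.1 2007/01/12 09:13:20 shraddha
# To Production Issue #3503
#
#
# Revision 1.1 2007/01/11 04:26:59 areddy
# ------------------------------------------------------------------------
# This program was written by OS2A and/or it's member companies and is
# licensed under the GNU GPL license. Please see below for details. This
# header contains information regarding licensing terms under the GPL, and
# information regarding obtaining source code from the Author. Consequently,
# pursuant to section 3(c) of the GPL, you must accompany the information
# found in this header with any distribution you make of this Program.
# ------------------------------------------------------------------------
##############################################################################

# Registration pass: when the scanner loads the plugin with `description` set,
# only the metadata below is recorded and the script exits without touching
# the target.
if(description)
{
  script_id(601361);
  script_bugtraq_id(21886);
  script_cve_id("CVE-2007-0108");
  script_copyright(english:"Copyright (C) 2007 OS2A");
  script_version("$Revision: 1.2 $");
  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");
  script_name(english:"Novell Client NWGINA.DLL User Profile Security Bypass Vulnerability");
  script_summary(english:"Check for vulnerable version of Novell Client and patch installation");

  # The report text is kept exactly as published; it is what the scanner
  # shows to the operator.
  desc["english"] = " Overview : This host has Novell Client installed, which is prone to security bypass vulnerability. This issue is due to an error where user profiles are not deleted in a Terminal Server/Citrix session. Impact : Successful exploitation allows an authenticated attacker to invoke alternate user profiles. Scope of impact is limited to application level. 
Affected Software : Novell Client versions prior to 4.91 SP3 Affected Platform : Windows (Any). Solution : Apply Patch for Novell Client v4.91 SP3, http://support.novell.com/servlet/downloadfile?file=/sec/ftf/491psp3_nwgina.exe References : http://support.novell.com/cgi-bin/search/searchtid.cgi?/2974970.htm CVSS Score : CVSS Base Score : 3.1 (AV:R/AC:L/Au:R/C:P/I:P/A:N/B:I) CVSS Temporal Score : 2.4 Risk factor : Medium";

  script_description(english:desc["english"]);
  script_dependencies("smb_hotfixes.nasl");
  script_require_keys("SMB/WindowsVersion");
  exit(0);
}


# Helper routines (cx_registry_get_*, cx_smb_connect, cx_GetFileSize, ...) and
# presumably the smb_* connection variables used below come from this include;
# none of them are defined in this file.
include("ntlmv2.inc");

# Only continue on hosts already identified as Windows over SMB.
if(!get_kb_item("SMB/WindowsVersion")){
  exit(0);
}

# Read the installed Novell Client version from the registry.
installKey = "SOFTWARE\Novell\NetWareWorkstation\CurrentVersion";

majorVersion = cx_registry_get_dword(key:installKey, item:"MajorVersion");
minorVersion = cx_registry_get_dword(key:installKey, item:"MinorVersion");
servicePack = cx_registry_get_dword(key:installKey, item:"Service Pack");

# Nothing readable under the key: treat the client as not installed.
if(!majorVersion && !minorVersion && !servicePack){
  exit(0);
}

# NOTE(review): if only the "Service Pack" value is missing, the string built
# here may end in a trailing "." (for example "4.91."), which neither pattern
# below matches, so such a host would be skipped without a report. Confirm what
# cx_registry_get_dword returns for an absent value.
novellClient = majorVersion + "." + minorVersion + "." + servicePack;

# Flag every release older than 4.91 SP3: major 0-3, 4.0 through 4.90, and
# 4.91 on its own or with service pack 0, 1 or 2.
if(ereg(pattern:"^([0-3]\..*|4\.(([0-8]?[0-9]|90)(\..*)?|91(\.[0-2])?))$",
        string:novellClient))
{
  security_warning(0);
  exit(0);
}

# Check for patch installation if version = 4.91 SP3
if(ereg(pattern:"^(4\.91\.3)$", string:novellClient))
{
  installPath = cx_registry_get_sz(key:"SOFTWARE\Microsoft\COM3\Setup",
                                   item:"Install Path");
  if(!installPath){
    exit(0);
  }

  # Turn the drive letter into its administrative share name ("C:..." -> "C$").
  # The pattern only matches an upper-case drive letter.
  share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:installPath);

  soc = open_sock_tcp(smb_port);
  if(!soc){
    exit(0);
  }

  # Authenticated connection to the share using the scan's configured account.
  fcnx = cx_smb_connect(soc:soc, host:smb_host, login:smb_login, pass:smb_pass,
                        domain:smb_domain, share:share);
  if(fcnx == NULL)
  {
    close(soc);
    exit(0);
  }

  # Get the file size of nwgina.dll to check for patch installation.
  # NOTE(review): installPath still carries its drive-letter prefix when it is
  # passed as the file name, and it is the COM3 "Install Path" value rather
  # than a path read from the Novell key; confirm that cx_GetFileSize resolves
  # this to the directory that actually holds nwgina.dll.
  dllFileSize = cx_GetFileSize(soc:soc, fcnx:fcnx,
                               file:installPath + "\nwgina.dll");

  cx_smb_close(fcnx:fcnx);
  close(soc);

  # A size that could not be read is not evidence of a missing patch. Every
  # other failure path in this script exits silently, so do the same here
  # instead of reporting. NOTE(review): the failure value of cx_GetFileSize is
  # not visible in this file; NULL is assumed.
  if(isnull(dllFileSize)){
    exit(0);
  }

  # Since file version could not be obtained, file size is checked for
  # patch verification. This is a heuristic: any nwgina.dll build with a
  # different size is misclassified, so a finding from this branch deserves
  # manual confirmation of the patch level.
  #
  # Compare as integers. Comparing against the string "372821" makes the
  # comparison textual, so a size with a different number of digits would be
  # ordered incorrectly (for example "1000000" sorts before "372821").
  if(int(dllFileSize) < 372821){
    security_warning(0);
  }
}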