##############################################################################
#
# Symantec pcAnywhere CIF Files Privilege Escalation Vulnerability
#
# Copyright: OS2A and its member companies
#
# Date Written: 2006/07/24
#
# $Revision: 1.4 $
#
# $Log: os2a_symantec_pcanywhere_priv_escalation_606021.nasl,v $
# Revision 1.4 2006/09/20 11:11:35 ksjayesh
# new ntlm changes
#
# Revision 1.2 2006/08/21 13:10:06 hpavithra
# Added soc, fcnx arguments to os2a file version functions
# Removed share argument from file related functions
# Backward compatibility support for Enum values and Registry close functions
#
# Revision 1.1 2006/08/09 14:44:33 hpavithra
# Scripts with ntlmv2 changes
#
# Revision 1.2 2006/08/04 01:24:07 hshreesha
# - Changes for NTLMV2.
#
# Revision 1.1 2006/07/27 03:34:24 hpavithra
# To production
#
# Revision 1.1 2006/07/26 04:33:58 schandan
# Issue #2818
#
# Revision 1.1 2006/07/24 11:38:08 nashwini
# issue #2818
#
# ------------------------------------------------------------------------
# This program was written by OS2A and/or its member companies and is
# licensed under the GNU GPL license. Please see below for details. This
# header contains information regarding licensing terms under the GPL, and
# information regarding obtaining source code from the Author. Consequently,
# pursuant to section 3(c) of the GPL, you must accompany the information
# found in this header with any distribution you make of this Program.
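# ------------------------------------------------------------------------
##############################################################################

#
# Version check for Symantec pcAnywhere (CIF files privilege escalation).
#
# The plugin reads the install directory of Winaw32.exe from the App Paths
# registry entry, connects to the administrative share of the drive that
# holds it, fetches the file version of Winaw32.exe and reports when the
# version is in the affected range (12.5 and prior).  It is a passive,
# authenticated (SMB) check; nothing is written to the target.
#

if(description)
{
  script_id(606021);
  script_bugtraq_id(19059);
  script_cve_id("CVE-2006-3784", "CVE-2006-3785", "CVE-2006-3786");
  script_copyright(english:"Copyright (C) 2005 OS2A");
  script_version("$Revision: 1.4 $");
  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");
  script_name(english:"Symantec pcAnywhere CIF Files Privilege Escalation Vulnerability");
  script_summary(english:"Check for Symantec pcAnywhere version");

  desc["english"] = " Overview : This host has symantec pcAnywhere installed which is prone to local privilege escalation vulnerability. The issue is caused due to CIF files containing a superuser flag and being stored insecurely by default in Documents and Settings\All Users\Application- Data\Symantec\pcAnywhere\Hosts\ where any user can read the contents of files and create new files. Impact : Successful exploitation can allow attackers to gain administrative user privileges via pcAnywhere by crafting a new CIF file, setting the superuser flag, and placing the file in the Hosts directory. Impact is limited to application level. Affected Software : Symantec pcAnywhere 12.5 and prior. Affected Platform : Windows (any). Solution : No vendor supplied patch/upgrade available as on 26 July 2006. Information regarding this issue will be updated once the solution details are available. 
Check here for updates, http://www.symantec.com/home_homeoffice/products/overview.jsp?pcid=pf&pvid=pca12 References : http://www.frsirt.com/english/advisories/2006/2874 CVSS Score : CVSS Base Score : 3.7 (AV:L/AC:L/Au:NR/C:P/I:P/A:N/B:I) CVSS Temporal Score : 3.5 Risk factor : Medium";

  script_description(english:desc["english"]);
  script_dependencies("smb_hotfixes.nasl");
  script_require_keys("SMB/WindowsVersion");
  exit(0);
}

include("ntlmv2.inc");
include("os2a_fileversion.inc");

# Only meaningful on a Windows host that smb_hotfixes.nasl has already
# fingerprinted; the KB key is what script_require_keys asked for.
if(!get_kb_item("SMB/WindowsVersion")){
  exit(0);
}

# Install directory of pcAnywhere, taken from the App Paths entry that
# Windows keeps for Winaw32.exe.  No entry means no (registered) install.
symantec = cx_registry_get_sz(
             key:"SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Winaw32.exe",
             item:"Path");
if(!symantec) {
  exit(0);
}

# The "Path" value is not guaranteed to end in a backslash.  Strip one if
# present and add our own separator, so the result is a valid full path in
# either case (the previous code appended the file name directly and would
# have produced "...pcAnywhereWinaw32.exe" for a value without trailing "\").
# Double-quoted NASL strings are literal, so the regex engine sees \\$ .
symantec = ereg_replace(pattern:"\\$", replace:"", string:symantec);
pcAnywhere = symantec + "\Winaw32.exe";

# Administrative share of the drive holding the binary, e.g. "C$".
# Accept a lower-case drive letter as well (share names are case-insensitive).
# ereg_replace() returns its input unchanged when the pattern does not match,
# so an unchanged value means the path has no "X:" prefix we can use; bail
# out rather than trying to connect to a share named after the whole path.
share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:pcAnywhere);
if(share == pcAnywhere) {
  exit(0);
}

soc = open_sock_tcp(smb_port);
if(!soc){
  exit(0);
}

# Authenticated SMB session on the administrative share (credentials come
# from ntlmv2.inc's smb_* globals).
fcnx = cx_smb_connect(soc:soc, host:smb_host, login:smb_login, pass:smb_pass,
                      domain:smb_domain, share:share);
if(fcnx == NULL) {
  close(soc);
  exit(0);
}

# Fetch the PE file version of Winaw32.exe, then release the session and
# socket before doing anything else so every exit path below is clean.
pcAnywhereVer = cx_getFileVersion(soc:soc, fcnx:fcnx, filename:pcAnywhere);
cx_smb_close(fcnx:fcnx);
close(soc);

if(pcAnywhereVer == NULL){
  exit(0);
}

# Dotted "major.minor.build.revision" string for the regex below.
pcVersion = pcAnywhereVer[0] + "." + pcAnywhereVer[1] + "." +
            pcAnywhereVer[2] + "." + pcAnywhereVer[3];

# Affected: any release with major 0-11, or 12.0 through 12.5 (i.e. 12.5
# and prior, as stated in the description).
if(ereg(pattern:"^(([0-9]|1[01])\..*|12\.[0-5]\..*)$", string:pcVersion)){
  security_warning(0);
}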