############################################################################## # # Vulnerability in Microsoft Word Could Allow Remote Code Execution (903672) # # Date Written: 2005/07/12 # # Revision: # $Revision: 1.10 $ # # Log: # $Log: stillsecure_ms05-035_100052.nasl,v $ # Revision 1.10 2006/10/30 06:49:12 ajagadeesh # --removed check for MS06-012 Hotfix and script_dependencie # # Revision 1.9 2006/09/20 11:11:40 ksjayesh # new ntlm changes # # Revision 1.1 2006/08/09 14:44:45 hpavithra # Scripts with ntlmv2 changes # # Revision 1.7 2006/08/04 01:14:28 bchandra # Changes for new NTLMv2 # # Revision 1.6 2006/04/04 04:32:30 schandan # Added check for ms06_012. # # Revision 1.5 2006/03/31 16:36:27 bdoctor # Invalid risk factors # # Revision 1.4 2006/03/31 05:47:57 hshreesha # Set KB item KB903672. # # Revision 1.3 2006/01/11 23:08:27 rdanford # descriptions updated to include MSdd-ddd number # # Revision 1.2 2005/07/18 10:44:50 nrnandini # The script is been modified to check for MS Word 2000 and MS Word XP separately. # Also the dependency file is been changed to smb_nt_ms02-031.nasl which is also # been changed to set KB item for MS Word MS Excel.Also some parts of the code is been formatted. # # Revision 1.1 2005/07/12 19:06:15 rdanford # July patch tues scripts complete. primarily tested in Win2k SP4 at this point # # Revision 1.4 2005/07/12 19:03:39 rdanford # *** empty log message *** # # Revision 1.3 2005/07/12 17:54:09 rdanford # *** empty log message *** # # Revision 1.2 2005/07/12 17:45:24 rdanford # *** empty log message *** # # Revision 1.1 2005/07/12 16:28:26 rdanford # proto-scripts ready for ms patch tues 7/12/05 # # Revision 1.1 2005/06/20 21:00:06 bertdg # Initial revision # # # # ------------------------------------------------------------------------ # # Copyright (C) 2005 Visionael Corp. 
# # ------------------------------------------------------------------------ # # This program was written by StillSecure and is licensed under the GNU # GPL license. Please see below for details. This header contains # information regarding licensing terms under the GPL, and information # regarding obtaining source code from the Author. Consequently, pursuant # to section 3(c) of the GPL, you must accompany the information found in # this header with any distribution you make of this Program. # # Copyright (C) 2005. Latis Networks, Inc (d/b/a StillSecure) # Please see www.stillsecure.com/opensource and # www.stillsecure.com/policies/copyright.php for further information. # # ------------------------------------------------------------------------ # # Obtaining Source Code from StillSecure # # StillSecure delivers network security solutions that protect IT # business infrastructure. The integrated StillSecure suite provides # preventative defense, enables compliance with regulatory information # security policies, and actively blocks network attacks. StillSecure # manages and reduces risk from network attack and noncompliance for some # of the largest organizations in the healthcare, financial services, # government, and education sectors. # # VAM - vulnerability management platform # StillSecure VAM manages the vulnerability remediation process from # end-to-end, allowing you to quickly and systematically fix # vulnerabilities that expose your organization to attack. # # Border Guard - network intrusion detection/prevention # StillSecure Border Guard, named SC Magazine's best IPS of 2004, is a # network intrusion detection/prevention system (IDS/IPS) that identifies # and terminates viruses, worms, Trojans, port scans, and other malicious # traffic before they enter the network. 
#
# Safe Access - endpoint policy compliance
# Information Security's Hotpick in 2004, StillSecure Safe Access
# protects the network by ensuring that endpoint devices are free from
# threats and in compliance with IT security policies.
#
# StillSecure will offer, for three years from the date this program was
# released, to give any third party, for a charge no more than
# StillSecure's cost of physically performing source distribution, a
# complete machine-readable copy of the corresponding source code,
# distributed under the terms of the GPL, on a medium customarily used for
# software interchange.
#
# ------------------------------------------------------------------------
#
# About the license for this program:
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License v2 as published by the
# Free Software Foundation. This program is distributed WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. You should have received a copy of
# the GNU General Public License with this program; if not, go to
# www.gnu.org/licenses/gpl.txt
#
# ------------------------------------------------------------------------
#
# For further information regarding this program or to purchase any
# StillSecure products please write to sales@stillsecure.com or call
# (303) 381-3800.
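# ##############################################################################

if (description)
{
  script_id(100052);
  script_cve_id("CAN-2005-0564");
  script_copyright(english:"Copyright 2005 StillSecure and Visionael Corp.");
  script_version("$Revision: 1.10 $");
  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  name["english"] = "Vulnerability in Microsoft Word Could Allow Remote Code Execution";
  script_name(english:name["english"]);

  summary["english"] = "Checks for hotfix 903672";
  script_summary(english:summary["english"]);

  desc["english"] = "
MS05-035

A remote code execution vulnerability exists in Word that could allow an
attacker who successfully exploited this vulnerability to take complete
control of the affected system.

Impact:
This is a remote code execution vulnerability caused by an unchecked buffer
in the process used by the affected software to process fonts. If a user is
logged on with administrative user rights, an attacker who successfully
exploited this vulnerability could take complete control of an affected
system. An attacker could then install programs; view, change, or delete
data; or create new accounts with full user rights.

Affected Software:
Microsoft Word 2000, Microsoft Word 2002, or Microsoft Works Suite (2000-2004).

Reference:
http://www.microsoft.com/technet/security/bulletin/MS05-035.mspx

Solution : Run Windows Update as soon as possible and install all available
hotfixes.

Risk factor : Critical";
  script_description(english:desc["english"]);

  # SMB/Office/Word/Version is populated by smb_nt_ms02-031.nasl (see the
  # revision log in the header); this plugin only consumes it.
  script_dependencies("smb_hotfixes.nasl", "smb_nt_ms02-031.nasl");
  script_require_keys("SMB/WindowsVersion", "SMB/Office/Word/Version");
  exit(0);
}

include("ntlmv2.inc");
include("smb_hotfixes.inc");

# Proceed only when hotfix_check_sp() reports a service-pack level below the
# thresholds given here (a return value > 0); anything else is out of scope
# for this check. The unused "port" default that used to sit here was removed.
# NOTE(review): this gates an Office check on the OS service pack, so a host
# whose OS is at/above these levels but whose Word is unpatched is never
# reported - confirm that is intended.
if (hotfix_check_sp(win2k:5, xp:3, win2003:2) <= 0) exit(0);

word_ver = get_kb_item("SMB/Office/Word/Version");
if (!word_ver) exit(0);

# The version is expected as a dotted string. The build number is read from
# the third component, as this check has always done; an unexpectedly short
# string is skipped rather than compared against a missing element (which
# previously produced a vulnerable verdict).
# NOTE(review): if the KB value for Word 2000 is of the 9.0.0.NNNN form the
# build is the fourth component and this comparison would always flag the
# host - verify the exact format smb_nt_ms02-031.nasl stores.
parts = split(word_ver, sep:".", keep:0);
if (max_index(parts) < 3) exit(0);

# Minimum patched build numbers used by this check (hotfix 903672):
#   Word 2000 (major version 9)  -> build 8930
#   Word 2002 (major version 10) -> build 6764
# The major version is matched exactly; the previous pattern "^10\.*" also
# accepted any string merely starting with "10".
major = parts[0];
if (major == "9") fixed_build = 8930;
else if (major == "10") fixed_build = 6764;
else exit(0);   # other Word releases are outside the scope of this bulletin

# split() yields strings; convert explicitly so the comparison is numeric
# rather than dependent on mixed-type comparison semantics.
build = int(parts[2]);

if (build < fixed_build)
{
  security_hole(get_kb_item("SMB/transport"));
  exit(0);
}

# Patched: record the hotfix so other plugins can key off it.
set_kb_item(name:"Windows/Hotfix/903672", value:TRUE);
exit(0);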