############################################################################## # # Vulnerabilities in Windows Shell Could Allow Remote Code Execution (900725) # # Date Written: 2005/10/11 # # Revision: # $Revision: 1.3 $ # # Log: # $Log: stillsecure_ms05-049_100066.nasl,v $ # Revision 1.3 2006/02/16 21:16:08 rdanford # risk-factor-update # # Revision 1.2 2006/01/11 23:08:28 rdanford # descriptions updated to include MSdd-ddd number # # Revision 1.1 2005/10/11 20:39:05 rdanford # moved to prod # # Revision 1.3 2005/10/11 20:36:53 bdoctor # tested. # # Revision 1.2 2005/10/11 18:50:55 rdanford # ms05-049 ready for testing # # Revision 1.1 2005/10/11 16:20:13 rdanford # ms patch tues 10/11/05 # # Revision 1.2 2005/08/09 16:55:49 bertdg # *** empty log message *** # # Revision 1.1 2005/06/20 21:00:06 bertdg # Initial revision # # # # ------------------------------------------------------------------------ # # Copyright (C) 2005 Visionael Corp. # # ------------------------------------------------------------------------ # # This program was written by StillSecure and is licensed under the GNU # GPL license. Please see below for details. This header contains # information regarding licensing terms under the GPL, and information # regarding obtaining source code from the Author. Consequently, pursuant # to section 3(c) of the GPL, you must accompany the information found in # this header with any distribution you make of this Program. # # Copyright (C) 2005. Latis Networks, Inc (d/b/a StillSecure) # Please see www.stillsecure.com/opensource and # www.stillsecure.com/policies/copyright.php for further information. # # ------------------------------------------------------------------------ # # Obtaining Source Code from StillSecure # # StillSecure delivers network security solutions that protect IT # business infrastructure. 
The integrated StillSecure suite provides # preventative defense, enables compliance with regulatory information # security policies, and actively blocks network attacks. StillSecure # manages and reduces risk from network attack and noncompliance for some # of the largest organizations in the healthcare, financial services, # government, and education sectors. # # VAM - vulnerability management platform # StillSecure VAM manages the vulnerability remediation process from # end-to-end, allowing you to quickly and systematically fix # vulnerabilities that expose your organization to attack. # # Border Guard - network intrusion detection/prevention # StillSecure Border Guard, named SC Magazine's best IPS of 2004, is a # network intrusion detection/prevention system (IDS/IPS) that identifies # and terminates viruses, worms, Trojans, port scans, and other malicious # traffic before they enter the network. # # Safe Access - endpoint policy compliance # Information Security's Hotpick in 2004, StillSecure Safe Access # protects the network by ensuring that endpoint devices are free from # threats and in compliance with IT security policies. # # StillSecure will offer, for three years from the date this program was # released, to give any third party, for a charge no more than # StillSecure's cost of physically performing source distribution, a # complete machine-readable copy of the corresponding source code, # distributed under the terms of the GPL, on a medium customarily used for # software interchange. # # ------------------------------------------------------------------------ # # About the license for this program: # # This program is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License v2 as published by the # Free Software Foundation. This program is distributed WITHOUT ANY # WARRANTY; without even the implied warranty of MERCHANTABILITY or # FITNESS FOR A PARTICULAR PURPOSE. 
# You should have received a copy of
# the GNU General Public License with this program; if not, go to
# www.gnu.org/licenses/gpl.txt
#
# ------------------------------------------------------------------------
#
# For further information regarding this program or to purchase any
# StillSecure products please write to sales@stillsecure.com or call
# (303) 381-3800.
#
##############################################################################

# Registration block: everything the scan engine needs to schedule and
# present this plugin is declared here. The actual test below only runs
# when the script is executed outside description mode.
if (description) {
    script_id(100066);
    script_version("$Revision: 1.3 $");
    script_cve_id("CAN-2005-2122", "CAN-2005-2118", "CAN-2005-2117");
    script_copyright(english:"Copyright 2005 StillSecure and Visionael Corp.");

    # Information-gathering category, filed under the Windows family.
    script_category(ACT_GATHER_INFO);
    script_family(english:"Windows");

    script_name(english:"Vulnerabilities in Windows Shell Could Allow Remote Code Execution");
    script_summary(english:"Checks for hotfix 900725");

    # Advisory text shown to the operator: the vendor's bulletin wording
    # followed by the remediation and risk lines.
    advisory = " MS05-049 " +
        "Shell Vulnerability - CAN-2005-2122: A remote code execution vulnerability exists in Windows because of the way that it handles the .lnk file name extension. " +
        "By persuading a user to open an .lnk file that has specially-crafted properties an attacker could execute code on an affected system. " +
        "Shell Vulnerability - CAN-2005-2118: A remote code execution vulnerability exists in Windows because of the way that it handles files with the .lnk file name extension. " +
        "By persuading a user to view the properties of a specially-crafted .lnk file, an attacker could execute code on the affected system. " +
        "Web View Script Injection Vulnerability - CAN-2005-2117: A remote code execution vulnerability exists in the way that Web View in Windows Explorer handles certain HTML characters in preview fields. " +
        "By persuading a user to preview a malicious file, an attacker could execute code. " +
        "However, user interaction is required to exploit this vulnerability. " +
        "[source: Microsoft] " +
        "Solution : Run Windows Update as soon as possible and install all available hotfixes. " +
        "More information: http://www.microsoft.com/technet/security/Bulletin/MS05-049.mspx " +
        "Risk factor : Low";
    script_description(english:advisory);

    # The SMB/* knowledge-base keys listed here are populated by the two
    # dependencies; without an authenticated registry session the hotfix
    # lookup below has nothing to work with.
    script_dependencies("smb_hotfixes.nasl", "smb_registry_access.nasl");
    script_require_keys("SMB/Registry/Enumerated", "SMB/name", "SMB/login",
        "SMB/password", "SMB/registry_access", "SMB/WindowsVersion");
    exit(0);
}

# The "Low" risk factor mirrors the rating Microsoft assigned at the time;
# a vendor rating may override the local grading process.
include("smb_hotfixes.inc");

# Service-pack gate. Hosts at or beyond the listed service-pack thresholds
# are presumably already covered by the fix, and any non-positive result
# is treated as "not applicable or could not be determined", so the check
# stops silently rather than reporting.
sp_check = hotfix_check_sp(win2k:5, xp:3, win2003:2);
if (sp_check <= 0) exit(0);

# Hotfix presence test for KB900725 (presumably via the registry, per
# smb_hotfixes.inc). Only a result of exactly 1 -- the hotfix entry was
# not found -- is reported; every other value, including error codes,
# produces no finding. The report is attached to the SMB transport port
# recorded by the dependencies.
missing = hotfix_missing(name:"900725");
if (missing == 1) {
    security_hole(get_kb_item("SMB/transport"));
}