Developers Guide for OpenVAS Server and ClientWriting SMBclient-based WLSC NASL Scriptsget windir()Example

Example

This is a complete NASL test for a Windows Local Security Check. It can be found in the OpenVAS plugins as win_CVE-2007-0043.nasl.

#
# This script was written by
# Carsten Koch-Mauthe
# <c.koch-mauthe at dn-systems.de>
#
# This script is released under the GNU GPLv2
#
# $Revision: 01 $

if(description)
{
  if (OPENVAS_NASL_LEVEL >= 2206)
  {
    script_oid("1.3.6.1.4.1.25623.1.0.90010");
  }
  else
  {
    script_id(90010);
  }
  script_version ("$Revision: 01 $");
  script_cve_id("CVE-2007-0043");
  script_name(".NET JIT Compiler Vulnerability");

  desc = 
"The remote host is affected by the vulnerabilities described in CVE-2007-0043

Checking if System.web.dll version is less than 2.0.50727.832

Impact
    The Just In Time (JIT) Compiler service in Microsoft
    .NET Framework 1.0, 1.1, and 2.0 for Windows 2000, XP,
    Server 2003, and Vista allows user-assisted remote
    attackers to execute arbitrary code via unspecified
    vectors involving an unchecked buffer, probably a
    buffer overflow, aka .NET JIT Compiler Vulnerability.
    Checking if System.web.dll version is less than 2.0.50727.832

References:
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0043

Solution:
    All users should upgrade to the latest version.


Risk factor : High";

  script_description(desc);
  script_summary("Test for .NET JIT Compiler Vulnerability");
  script_category(ACT_GATHER_INFO);
  script_copyright("This script is under GPLv2");
  family = "Windows.NET";
  script_family(family);
  exit(0);
}

#
# The code starts here
#

include("version_func.inc");
include("smbcl_func.inc");

if(!get_kb_item("SMB/smbclient"))
{
  smbclientavail();
}
test_version = "2.0.50727.832";

if(get_kb_item("SMB/smbclient"))
{
  if(smbversion() == 0)
  {
    report = string("Error getting SMB-Data -> " +
                    get_kb_item("SMB/ERROR"));
    security_note(port:0, proto:"SMBClient", data:report);
    exit(0);
  }
}
else
{
  report = string("SMBClient not found on this host !");
  security_note(port:0, proto:"SMBClient", data:report);
  exit(0);
}

win_dir = get_windir();
if(!isnull(win_dir))
{
  path = win_dir+"Microsoft.NET\Framework\";
  filespec = "v2*";
  r = smbgetdir(share: "C$", dir: path+filespec, typ: 2);
  if(!isnull(r))
  {
    filespec = r[0] + "\" + "system.web.dll";
    r = smbgetdir(share: "C$", dir: path+filespec, typ: 1);
    if(!isnull(r))
    {
      tmp_filename = get_tmp_dir() + "tmpfile" + rand();
      orig_filename = path + filespec;
      if(smbgetfile(share: "C$", filename: orig_filename,
                    tmp_filename: tmp_filename))
      {
        v = GetPEFileVersion(tmp_filename:tmp_filename,
                              orig_filename:orig_filename);
        unlink(tmp_filename);
        if(version_is_less(version: v, test_version: test_version))
        {
          security_hole(port:0, proto:"SMB");
          report = report + "Fileversion : C$ " +
                    orig_filename + " "+ v + string("\n");
          security_hole(port:0, proto:"SMB", data:report);
        }
      }
      else
      {
        report = string("Error getting SMB-File -> " +
                        get_kb_item("SMB/ERROR")) + string("\n");
        security_note(port:0, proto:"SMB", data:report);
      }
    }
  }
  else
  {
    report = string(".NET V2xx not found/no access -> " +
                    get_kb_item("SMB/ERROR")) + string("\n");
    security_note(port:0, proto:"SMB", data:report);
  }
}

exit(0);

Developers Guide for OpenVAS Server and ClientWriting SMBclient-based WLSC NASL Scriptsget windir()Example