# (C) Tenable Network Security, Inc.
#
include("compat.inc");
# Plugin registration: when the engine loads the script with 'description'
# set, only the metadata below is recorded and the script exits before the
# SMB/registry check further down is ever run.
if (description)
{
script_id(25424);
script_version("1.18");
script_cvs_date("Date: 2018/07/30 15:31:32");
script_cve_id("CVE-2007-3098");
script_bugtraq_id(24292);
script_xref(name:"EDB-ID", value:"4033");
script_name(english:"SNMPc Management Server Login Packet Remote DoS");
script_summary(english:"Checks version of SNMPc's crserv.exe");
script_set_attribute(attribute:"synopsis", value:
"The remote Windows host contains an application that is susceptible to
a denial of service attack.");
script_set_attribute(attribute:"description", value:
"The remote host is running SNMPc, a network management application for
Windows.
The version of SNMPc installed on the remote host reportedly will
crash if a specially crafted logon packet is sent to its Management
Server. An unauthenticated, remote attacker may be able to exploit
this issue to crash the service and deny access to legitimate users.");
script_set_attribute(attribute:"solution", value:
"Upgrade to SNMPc Management Server version 7.0.19 or later as that is
supposed to address the issue.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2007/06/04");
script_set_attribute(attribute:"plugin_publication_date", value:"2007/06/05");
# "local": this is a credentialed check (remote registry + file version of
# crserv.exe), not a probe of the network service itself.
script_set_attribute(attribute:"plugin_type", value:"local");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows");
script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
# Runs only after the smb_hotfixes dependency (which presumably sets the
# registry-enumeration KB key) and only against hosts with an SMB transport.
script_dependencies("smb_hotfixes.nasl");
script_require_keys("SMB/Registry/Enumerated");
script_require_ports(139, 445);
exit(0);
}
include("smb_func.inc");
include("audit.inc");
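# Connect to the appropriate share.
if (!get_kb_item("SMB/Registry/Enumerated")) exit(0);

name   = kb_smb_name();
port   = kb_smb_transport();
login  = kb_smb_login();
pass   = kb_smb_password();
domain = kb_smb_domain();

if(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');

rc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
if (rc != 1)
{
  NetUseDel();
  exit(0);
}

# Connect to remote registry.
hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
if (isnull(hklm))
{
  NetUseDel();
  exit(0);
}

# Locate the install directory from the vendor's registry key.
path = NULL;
key = "SOFTWARE\Castle Rock Computing\SNMPc Network Manager";
key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
if (!isnull(key_h))
{
  value = RegQueryValue(handle:key_h, item:"Dir");
  # RegQueryValue returns a [type, data] pair; element 1 is the directory.
  if (!isnull(value)) path = value[1];
  RegCloseKey(handle:key_h);
}
RegCloseKey(handle:hklm);

# If SNMPc appears to be installed...
if (path)
{
  # Split the install dir into the administrative share (e.g. "C$") and the
  # share-relative path of the Management Server executable.
  share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:path);
  exe = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\crserv.exe", string:path);

  # Move from IPC$ to the file share, keeping the SMB session open.
  NetUseDel(close:FALSE);
  rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
  if (rc != 1)
  {
    NetUseDel();
    exit(0);
  }

  # Make sure the executable exists and read its file version.  'ver' is
  # initialised explicitly so the check below never depends on an unset
  # variable when the file cannot be opened.
  ver = NULL;
  fh = CreateFile(
    file:exe,
    desired_access:GENERIC_READ,
    file_attributes:FILE_ATTRIBUTE_NORMAL,
    share_mode:FILE_SHARE_READ,
    create_disposition:OPEN_EXISTING
  );
  if (!isnull(fh))
  {
    ver = GetFileVersion(handle:fh);
    CloseFile(handle:fh);
  }

  # There's a problem if the version is < 7.0.19.0.
  if (!isnull(ver))
  {
    fix = split("7.0.19.0", sep:'.', keep:FALSE);
    for (i=0; i<max_index(fix); i++)
      fix[i] = int(fix[i]);

    # Compare component-wise, most significant first, stopping at the first
    # component that differs.  The loop is bounded by both arrays so a
    # version with more components than 'fix' never indexes past it.
    for (i=0; i<max_index(ver) && i<max_index(fix); i++)
    {
      if (ver[i] < fix[i])
      {
        # nb: only the first 3 parts seem to be reported to end-users.
        version = string(ver[0], ".", ver[1], ".", ver[2]);
        report = string(
          "SNMPc's Management Server version ", version, " is installed under :\n",
          "\n",
          " ", path, "\n"
        );
        security_warning(port:port, extra:report);
        break;
      }
      else if (ver[i] > fix[i])
        break;
    }
  }
}

# Clean up.
NetUseDel();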