Vulnerabilities > CVE-2009-0901 - Code Injection vulnerability in Microsoft Visual C++, Visual Studio and Visual Studio .Net

047910
CVSS 9.3 - CRITICAL
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
microsoft
CWE-94
critical
nessus

Summary

The Active Template Library (ATL) in Microsoft Visual Studio .NET 2003 SP1, Visual Studio 2005 SP1 and 2008 Gold, and Visual C++ 2005 SP1 and 2008 Gold and SP1; and Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2; does not prevent VariantClear calls on an uninitialized VARIANT, which allows remote attackers to execute arbitrary code via a malformed stream to an ATL (1) component or (2) control, related to ATL headers and error handling, aka "ATL Uninitialized Object Vulnerability." Please refer to this link http://www.microsoft.com/technet/security/Bulletin/MS09-035.mspx for mitigating factors and additional information.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
  • Manipulating User-Controlled Variables
    This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An attacker can override environment variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.

Msbulletin

  • bulletin_idMS09-060
    bulletin_url
    date2009-10-13T00:00:00
    impactRemote Code Execution
    knowledgebase_id973965
    knowledgebase_url
    severityCritical
    titleVulnerabilities in Microsoft Active Template Library (ATL) ActiveX Controls for Microsoft Office Could Allow Remote Code Execution
  • bulletin_idMS09-037
    bulletin_url
    date2009-08-11T00:00:00
    impactRemote Code Execution
    knowledgebase_id973908
    knowledgebase_url
    severityCritical
    titleVulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution
  • bulletin_idMS09-035
    bulletin_url
    date2009-07-28T00:00:00
    impactRemote Code Execution
    knowledgebase_id969706
    knowledgebase_url
    severityModerate
    titleVulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution

Nessus

  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_FLASH-PLAYER-090731.NASL
    descriptionSpecially crafted Flash (SWF) files can cause a buffer overflow in flash-player. Attackers could potentially exploit that to execute arbitrary code. (CVE-2009-1862 / CVE-2009-0901 / CVE-2009-2395 / CVE-2009-2493 / CVE-2009-1863 / CVE-2009-1864 / CVE-2009-1865 / CVE-2009-1866 / CVE-2009-1867 / CVE-2009-1868 / CVE-2009-1869 / CVE-2009-1870)
    last seen2020-06-01
    modified2020-06-02
    plugin id41392
    published2009-09-24
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/41392
    titleSuSE 11 Security Update : flash-player (SAT Patch Number 1149)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from SuSE 11 update information. The text itself is
    # copyright (C) Novell, Inc.
    #
    
    if (NASL_LEVEL < 3000) exit(0);
    
    include("compat.inc");
    
    if (description)
    {
      script_id(41392);
      script_version("1.18");
      script_cvs_date("Date: 2019/10/25 13:36:35");
    
      script_cve_id("CVE-2009-0901", "CVE-2009-1862", "CVE-2009-1863", "CVE-2009-1864", "CVE-2009-1865", "CVE-2009-1866", "CVE-2009-1867", "CVE-2009-1868", "CVE-2009-1869", "CVE-2009-1870", "CVE-2009-2395", "CVE-2009-2493");
    
      script_name(english:"SuSE 11 Security Update : flash-player (SAT Patch Number 1149)");
      script_summary(english:"Checks rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SuSE 11 host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Specially crafted Flash (SWF) files can cause a buffer overflow in
    flash-player. Attackers could potentially exploit that to execute
    arbitrary code. (CVE-2009-1862 / CVE-2009-0901 / CVE-2009-2395 /
    CVE-2009-2493 / CVE-2009-1863 / CVE-2009-1864 / CVE-2009-1865 /
    CVE-2009-1866 / CVE-2009-1867 / CVE-2009-1868 / CVE-2009-1869 /
    CVE-2009-1870)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=524508"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2009-0901.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2009-1862.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2009-1863.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2009-1864.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2009-1865.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2009-1866.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2009-1867.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2009-1868.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2009-1869.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2009-1870.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2009-2395.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2009-2493.html"
      );
      script_set_attribute(attribute:"solution", value:"Apply SAT patch number 1149.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
      script_cwe_id(59, 89, 94, 119, 189, 200, 264);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:flash-player");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/07/31");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/09/24");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)11") audit(AUDIT_OS_NOT, "SuSE 11");
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SuSE 11", cpu);
    
    pl = get_kb_item("Host/SuSE/patchlevel");
    if (pl) audit(AUDIT_OS_NOT, "SuSE 11.0");
    
    
    flag = 0;
    if (rpm_check(release:"SLED11", sp:0, cpu:"i586", reference:"flash-player-10.0.32.18-0.1.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS09-037.NASL
    descriptionThe remote Windows host contains a version of the Microsoft Active Template Library (ATL), included as part of Visual Studio or Visual C++, that is affected by multiple vulnerabilities : - A remote code execution issue affects the Microsoft Video ActiveX Control due to the a flaw in the function
    last seen2020-06-01
    modified2020-06-02
    plugin id40556
    published2009-08-11
    reporterThis script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/40556
    titleMS09-037: Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution (973908)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    
    if (description)
    {
      script_id(40556);
      script_version("1.28");
      script_cvs_date("Date: 2018/11/15 20:50:30");
    
      script_cve_id("CVE-2008-0015", "CVE-2008-0020", "CVE-2009-0901", "CVE-2009-2493", "CVE-2009-2494");
      script_bugtraq_id(35558, 35585, 35828, 35832, 35982);
      script_xref(name:"MSFT", value:"MS09-037");
      script_xref(name:"MSKB", value:"973354");
      script_xref(name:"MSKB", value:"973507");
      script_xref(name:"MSKB", value:"973540");
      script_xref(name:"MSKB", value:"973815");
      script_xref(name:"MSKB", value:"973869");
      script_xref(name:"IAVA", value:"2009-A-0067");
      script_xref(name:"CERT", value:"180513");
      script_xref(name:"CERT", value:"456745");
      script_xref(name:"EDB-ID", value:"9108");
      script_xref(name:"EDB-ID", value:"16615");
    
      script_name(english:"MS09-037: Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution (973908)");
      script_summary(english:"Checks version of various files");
    
      script_set_attribute(attribute:"synopsis", value:
    "Arbitrary code can be executed on the remote host through Microsoft
    Active Template Library.");
      script_set_attribute(attribute:"description", value:
    "The remote Windows host contains a version of the Microsoft Active
    Template Library (ATL), included as part of Visual Studio or Visual C++,
    that is affected by multiple vulnerabilities :
    
      - A remote code execution issue affects the Microsoft
        Video ActiveX Control due to the a flaw in the function
        'CComVariant::ReadFromStream' used in the ATL header,
        which fails to properly restrict untrusted data read
        from a stream. (CVE-2008-0015)
    
      - A remote code execution issue exists in the Microsoft
        Active Template Library due to an error in the 'Load'
        method of the 'IPersistStreamInit' interface, which
        could allow calls to 'memcpy' with untrusted data.
        (CVE-2008-0020)
    
      - An issue in the ATL headers could allow an attacker to
        force VariantClear to be called on a VARIANT that has
        not been correctly initialized and, by supplying a
        corrupt stream, to execute arbitrary code.
        (CVE-2009-0901)
    
      - Unsafe usage of 'OleLoadFromStream' could allow
        instantiation of arbitrary objects which can bypass
        related security policy, such as kill bits within
        Internet Explorer. (CVE-2009-2493)
    
      - A bug in the ATL header could allow reading a variant
        from a stream and leaving the variant type read with
        an invalid variant, which could be leveraged by an
        attacker to execute arbitrary code remotely.
        (CVE-2009-2494)");
      script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-037");
      script_set_attribute(attribute:"solution", value:
    "Microsoft has released a set of patches for Windows 2000, XP, 2003,
    Vista and 2008.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Microsoft DirectShow (msvidctl.dll) MPEG-2 Memory Corruption');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
      script_cwe_id(94, 119, 264);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2009/07/06");
      script_set_attribute(attribute:"patch_publication_date", value:"2009/08/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/08/11");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_set_attribute(attribute:"stig_severity", value:"II");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
    
      script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, 'Host/patch_management_checks');
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("smb_func.inc");
    include("smb_hotfixes.inc");
    include("smb_hotfixes_fcheck.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = 'MS09-037';
    kbs = make_list("973354", "973507", "973540", "973815", "973869");
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(win2k:'4,5', xp:'2,3', win2003:'2', vista:'0,2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    rootfile = hotfix_get_systemroot();
    if (!rootfile) exit(1, "Failed to get the system root.");
    
    share = hotfix_path2share(path:rootfile);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    programfiles = hotfix_get_programfilesdir();
    if (!programfiles) exit(1, "Can't determine location of Program Files.");
    
    if (tolower(programfiles[0]) != tolower(rootfile[0]))
    {
      share = hotfix_path2share(path:programfiles);
      if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    }
    
    commonfiles = hotfix_get_officecommonfilesdir();
    if (!commonfiles) exit(1, "Can't determine location of Common Files.");
    
    vuln = 0;
    
    # Media Player.
    if (
      # Vista / Windows Server 2008
      hotfix_is_vulnerable(os:"6.0", sp:2,             file:"Wmp.dll", version:"11.0.6002.22172", min_version:"11.0.6002.20000", dir:"\System32", bulletin:bulletin, kb:'973540') ||
      hotfix_is_vulnerable(os:"6.0", sp:2,             file:"Wmp.dll", version:"11.0.6002.18065",                                dir:"\System32", bulletin:bulletin, kb:'973540') ||
      hotfix_is_vulnerable(os:"6.0", sp:1,             file:"Wmp.dll", version:"11.0.6001.7114",  min_version:"11.0.6001.7100",  dir:"\System32", bulletin:bulletin, kb:'973540') ||
      hotfix_is_vulnerable(os:"6.0", sp:1,             file:"Wmp.dll", version:"11.0.6001.7007",                                 dir:"\System32", bulletin:bulletin, kb:'973540') ||
      hotfix_is_vulnerable(os:"6.0", sp:0,             file:"Wmp.dll", version:"11.0.6000.6511",  min_version:"11.0.6000.6500",  dir:"\System32", bulletin:bulletin, kb:'973540') ||
      hotfix_is_vulnerable(os:"6.0", sp:0,             file:"Wmp.dll", version:"11.0.6000.6352",                                 dir:"\System32", bulletin:bulletin, kb:'973540') ||
    
      # Windows 2003
      hotfix_is_vulnerable(os:"5.2", sp:2,             file:"Wmp.dll", version:"10.0.0.4006",                                    dir:"\System32", bulletin:bulletin, kb:'973540') ||
    
      # Windows XP
      hotfix_is_vulnerable(os:"5.1", sp:3, arch:"x86", file:"Wmp.dll", version:"9.0.0.4507",                                     dir:"\System32", bulletin:bulletin, kb:'973540') ||
      hotfix_is_vulnerable(os:"5.1", sp:2, arch:"x64", file:"Wmp.dll", version:"11.0.5721.5268",  min_version:"11.0.0.0",        dir:"\System32", bulletin:bulletin, kb:'973540') ||
      hotfix_is_vulnerable(os:"5.1", sp:2, arch:"x64", file:"Wmp.dll", version:"10.0.0.4006",                                    dir:"\System32", bulletin:bulletin, kb:'973540') ||
      hotfix_is_vulnerable(os:"5.1", sp:2, arch:"x86", file:"Wmp.dll", version:"9.0.0.3271",                                     dir:"\System32", bulletin:bulletin, kb:'973540') ||
    
      # Windows 2000
      hotfix_is_vulnerable(os:"5.0",                   file:"Wmp.dll", version:"9.0.0.3364",                                     dir:"\System32", bulletin:bulletin, kb:'973540')
    ) vuln++;
    
    
    # ATL.
    if (
      # Vista / Windows Server 2008
      hotfix_is_vulnerable(os:"6.0", sp:2, file:"Atl.dll", version:"3.5.2284.2",                               dir:"\System32", bulletin:bulletin, kb:'973507') ||
      hotfix_is_vulnerable(os:"6.0", sp:1, file:"Atl.dll", version:"3.5.2284.2",                               dir:"\System32", bulletin:bulletin, kb:'973507') ||
      hotfix_is_vulnerable(os:"6.0", sp:0, file:"Atl.dll", version:"3.5.2284.2",                               dir:"\System32", bulletin:bulletin, kb:'973507') ||
    
      # Windows 2003
      hotfix_is_vulnerable(os:"5.2", sp:2, file:"Atl.dll", version:"3.5.2284.2", dir:"\System32", bulletin:bulletin, kb:'973507') ||
    
      # Windows XP
      hotfix_is_vulnerable(os:"5.1", sp:3, file:"Atl.dll", version:"3.5.2284.2", dir:"\System32", bulletin:bulletin, kb:'973507') ||
      hotfix_is_vulnerable(os:"5.1", sp:2, file:"Atl.dll", version:"3.5.2284.2", dir:"\System32", bulletin:bulletin, kb:'973507') ||
    
      # Windows 2000
      hotfix_is_vulnerable(os:"5.0",       file:"Atl.dll", version:"3.0.9793.0", dir:"\System32", bulletin:bulletin, kb:'973507')
    ) vuln++;
    
    
    # MSWebDVD ActiveX Control.
    if (
      # Vista / Windows Server 2008
      #
      # empty
    
      # Windows 2003
      hotfix_is_vulnerable(os:"5.2", sp:2, arch:"x86", file:"Mswebdvd.dll", version:"6.5.3790.4564", dir:"\System32", bulletin:bulletin, kb:'973815') ||
    
      # Windows XP
      hotfix_is_vulnerable(os:"5.1", sp:3, arch:"x86", file:"Mswebdvd.dll", version:"6.5.2600.5848", dir:"\System32", bulletin:bulletin, kb:'973815') ||
      hotfix_is_vulnerable(os:"5.1", sp:2, arch:"x86", file:"Mswebdvd.dll", version:"6.5.2600.3603", dir:"\System32", bulletin:bulletin, kb:'973815')
    
      # Windows 2000
      #
      # empty
    ) vuln++;
    
    
    # Outlook Express.
    NetUseDel(close:FALSE);
    if (
      # Vista / Windows Server 2008
      #
      # empty
    
      # Windows 2003
      hotfix_is_vulnerable(os:"5.2", sp:2,             file:"Msoe.dll", version:"6.0.3790.4548",                         dir:"\Outlook Express", path:programfiles, bulletin:bulletin, kb:'973354') ||
    
      # Windows XP
      hotfix_is_vulnerable(os:"5.1", sp:3, arch:"x86", file:"Msoe.dll", version:"6.0.2900.5843",                         dir:"\Outlook Express", path:programfiles, bulletin:bulletin, kb:'973354') ||
      hotfix_is_vulnerable(os:"5.1", sp:2, arch:"x64", file:"Msoe.dll", version:"6.0.3790.4548",                         dir:"\Outlook Express", path:programfiles, bulletin:bulletin, kb:'973354') ||
      hotfix_is_vulnerable(os:"5.1", sp:2, arch:"x86", file:"Msoe.dll", version:"6.0.2900.3598",                         dir:"\Outlook Express", path:programfiles, bulletin:bulletin, kb:'973354') ||
    
      # Windows 2000
      hotfix_is_vulnerable(os:"5.0",                   file:"Msoe.dll", version:"6.0.2800.1983",  min_version:"6.0.0.0", dir:"\Outlook Express", path:programfiles, bulletin:bulletin, kb:'973354') ||
      hotfix_is_vulnerable(os:"5.0",                   file:"Msoe.dll", version:"5.50.5003.1000",                        dir:"\Outlook Express", path:programfiles, bulletin:bulletin, kb:'973354')
    ) vuln++;
    
    
    # DHTML Editing Component ActiveX control/
    if  (!commonfiles)
    {
      hotfix_check_fversion_end();
      exit(1, "Can't determine location of Common Files.");
    }
    if (typeof(commonfiles) != 'array')
    {
      temp = commonfiles;
      commonfiles = make_array('commonfiles', commonfiles);
    }
    checkeddirs = make_array();
    NetUseDel(close:FALSE);
    foreach ver (keys(commonfiles))
    {
      dir = commonfiles[ver];
      if (checkeddirs[dir]) continue;
      checkeddirs[dir] = 1;
      if (
        # Vista / Windows Server 2008
        #
        # empty
    
        # Windows 2003
        hotfix_is_vulnerable(os:"5.2", sp:2, file:"Dhtmled.ocx", version:"6.1.0.9247", dir:"\Microsoft Shared\Triedit", path:dir, bulletin:bulletin, kb:'973869') ||
    
        # Windows XP
        hotfix_is_vulnerable(os:"5.1", sp:3, file:"Dhtmled.ocx", version:"6.1.0.9247", dir:"\Microsoft Shared\Triedit", path:dir, bulletin:bulletin, kb:'973869') ||
        hotfix_is_vulnerable(os:"5.1", sp:2, file:"Dhtmled.ocx", version:"6.1.0.9247", dir:"\Microsoft Shared\Triedit", path:dir, bulletin:bulletin, kb:'973869') ||
    
        # Windows 2000
        hotfix_is_vulnerable(os:"5.0",       file:"Dhtmled.ocx", version:"6.1.0.9234", dir:"\Microsoft Shared\Triedit", path:dir, bulletin:bulletin, kb:'973869')
      ) vuln++;
    }
    
    if (vuln)
    {
      set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, 'affected');
    }
    
  • NASL familyWindows
    NASL idSHOCKWAVE_PLAYER_APSB09_11.NASL
    descriptionThe remote Windows host contains a version of Adobe
    last seen2020-06-01
    modified2020-06-02
    plugin id40421
    published2009-07-29
    reporterThis script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/40421
    titleShockwave Player < 11.5.0.601 Multiple Vulnerabilities (APSB09-11)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include('compat.inc');
    
    
    if (description)
    {
      script_id(40421);
      script_version("1.17");
      script_cvs_date("Date: 2018/11/15 20:50:28");
    
      script_cve_id('CVE-2009-0901', 'CVE-2009-2495', 'CVE-2009-2493');
      script_bugtraq_id(35845);
    
      script_name(english:'Shockwave Player < 11.5.0.601 Multiple Vulnerabilities (APSB09-11)');
      script_summary(english:'Checks version of Shockwave Player');
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host contains an Internet Explorer plugin which
    uses a vulnerable version of the Microsoft Active Template Library
    (ATL).");
      script_set_attribute(attribute:"description", value:
    "The remote Windows host contains a version of Adobe's Shockwave Player
    that is earlier than 11.5.0.601. Such versions were compiled against a
    version of Microsoft's Active Template Library (ATL) that contained a
    vulnerability. If an attacker can trick a user of the affected
    software into opening such a file, this issue could be leveraged to
    execute arbitrary code with the privileges of that user.");
      script_set_attribute(attribute:"see_also", value:"http://blogs.adobe.com/psirt/2009/07/impact_of_microsoft_atl_vulner.html/");
      script_set_attribute(attribute:"see_also", value:"https://www.adobe.com/support/security/bulletins/apsb09-11.html");
      script_set_attribute(attribute:"solution", value:
    "Uninstall the Internet Explorer version of Shockwave Player version
    11.5.0.600 and earlier, restart the system, and then install version
    11.5.0.601 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(94, 200, 264);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2009/07/28");
      script_set_attribute(attribute:"patch_publication_date", value:"2009/07/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/07/29");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:adobe:shockwave_player");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:'Windows');
    
      script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
    
      script_dependencies('smb_hotfixes.nasl');
      script_require_keys('SMB/Registry/Enumerated');
      script_require_ports(139, 445);
    
      exit(0);
    }
    
    include('global_settings.inc');
    include('smb_func.inc');
    include("audit.inc");
    
    
    # Connect to the appropriate share.
    if (!get_kb_item('SMB/Registry/Enumerated')) exit(0, 'SMB/Registry/Enumerated KB item is missing.');
    name    =  kb_smb_name();
    port    =  kb_smb_transport();
    
    login   =  kb_smb_login();
    pass    =  kb_smb_password();
    domain  =  kb_smb_domain();
    
    
    
    if(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');
    rc = NetUseAdd(login:login, password:pass, domain:domain, share:'IPC$');
    if (rc != 1)
    {
      NetUseDel();
      exit(1, 'Can not connect to IPC$ share.');
    }
    
    # Connect to remote registry.
    hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
    if (isnull(hklm))
    {
      NetUseDel();
      exit(1, 'Can not connect to remote registry.');
    }
    
    # Check whether it's installed.
    variants = make_array();
    
    # - check for the ActiveX control.
    clsids = make_list(
      '{4DB2E429-B905-479A-9EFF-F7CBD9FD52DE}',
      '{233C1507-6A77-46A4-9443-F871F945D258}',
      '{166B1BCA-3F9C-11CF-8075-444553540000}'     # used in versions <= 10.x.
    );
    foreach clsid (clsids)
    {
      key = 'SOFTWARE\\Classes\\CLSID\\' + clsid + '\\InprocServer32';
      key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
      if (!isnull(key_h))
      {
        item = RegQueryValue(handle:key_h, item:NULL);
        if (!isnull(item))
        {
          file = item[1];
          variants[file] = 'ActiveX';
        }
        RegCloseKey(handle:key_h);
      }
    }
    
    RegCloseKey(handle:hklm);
    if (max_index(keys(variants)) == 0)
    {
      NetUseDel();
      exit(0, 'Shockwave Player for Internet Explorer is not installed.');
    }
    
    # Determine the version of each instance found.
    files = make_array();
    info = '';
    
    foreach file (keys(variants))
    {
      # Don't report again if the name differs only in its case.
      if (files[tolower(file)]++) continue;
    
      variant = variants[file];
    
      share = ereg_replace(pattern:'^([A-Za-z]):.*', replace:'\\1$', string:file);
      file2 =  ereg_replace(pattern:'^[A-Za-z]:(.*)', replace:'\\1', string:file);
      NetUseDel(close:FALSE);
    
      rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
      if (rc != 1)
      {
        NetUseDel();
        exit(1, 'Can not connect to '+share+' share.');
      }
    
      fh = CreateFile(
        file:file2,
        desired_access:GENERIC_READ,
        file_attributes:FILE_ATTRIBUTE_NORMAL,
        share_mode:FILE_SHARE_READ,
          create_disposition:OPEN_EXISTING
      );
      if (!isnull(fh))
      {
        ver = GetFileVersion(handle:fh);
        CloseFile(handle:fh);
    
        if (
          isnull(ver) ||
          (ver[0] == 0 && ver[1] == 0 && ver[2] == 0 && ver[3] == 0)
        )
        {
          NetUseDel();
          exit(1, "Failed to get the file version from '"+file+"'.");
        }
    
        if (
          ver[0] < 11 ||
          (
            ver[0] == 11 &&
            (
              ver[1] < 5 ||
              (ver[1] == 5 && ver[2] == 0 && ver[3] < 601)
            )
          )
        )
        {
          version = string(ver[0], '.', ver[1], '.', ver[2], '.', ver[3]);
    
          if (variant == 'ActiveX')
          {
            info += '  - ActiveX control (for Internet Explorer) :\n';
          }
    
          info += '    ' + file + ', ' + version + '\n';
        }
      }
      NetUseDel(close:FALSE);
    }
    NetUseDel();
    
    
    if (!info) exit(0, 'No vulnerable installs of Shockwave Player were found.');
    
    if (report_verbosity > 0)
    {
      # nb: each vulnerable instance adds 2 lines to 'info'.
      if (max_index(split(info)) > 2)
        shck = 's';
      else shck = '';
    
      report = string(
        '\n',
        'Nessus has identified the following vulnerable instance', shck, ' of Shockwave\n',
        'Player for Internet Explorer installed on the remote host :\n',
        '\n',
        info
      );
      security_hole(port:get_kb_item('SMB/transport'), extra:report);
    }
    else security_hole(get_kb_item('SMB/transport'));
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_FLASH-PLAYER-6386.NASL
    descriptionSpecially crafted Flash (SWF) files can cause a buffer overflow in flash-player. Attackers could potentially exploit that to execute arbitrary code. (CVE-2009-1862 / CVE-2009-0901 / CVE-2009-2395 / CVE-2009-2493 / CVE-2009-1863 / CVE-2009-1864 / CVE-2009-1865 / CVE-2009-1866 / CVE-2009-1867 / CVE-2009-1868 / CVE-2009-1869 / CVE-2009-1870)
    last seen2020-06-01
    modified2020-06-02
    plugin id51731
    published2011-01-27
    reporterThis script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/51731
    titleSuSE 10 Security Update : flash-player (ZYPP Patch Number 6386)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The text description of this plugin is (C) Novell, Inc.
    #
    
    if (NASL_LEVEL < 3000) exit(0);
    
    include("compat.inc");
    
    if (description)
    {
      script_id(51731);
      script_version ("1.13");
      script_cvs_date("Date: 2019/10/25 13:36:36");
    
      script_cve_id("CVE-2009-0901", "CVE-2009-1862", "CVE-2009-1863", "CVE-2009-1864", "CVE-2009-1865", "CVE-2009-1866", "CVE-2009-1867", "CVE-2009-1868", "CVE-2009-1869", "CVE-2009-1870", "CVE-2009-2395", "CVE-2009-2493");
    
      script_name(english:"SuSE 10 Security Update : flash-player (ZYPP Patch Number 6386)");
      script_summary(english:"Checks rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SuSE 10 host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Specially crafted Flash (SWF) files can cause a buffer overflow in
    flash-player. Attackers could potentially exploit that to execute
    arbitrary code. (CVE-2009-1862 / CVE-2009-0901 / CVE-2009-2395 /
    CVE-2009-2493 / CVE-2009-1863 / CVE-2009-1864 / CVE-2009-1865 /
    CVE-2009-1866 / CVE-2009-1867 / CVE-2009-1868 / CVE-2009-1869 /
    CVE-2009-1870)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2009-0901.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2009-1862.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2009-1863.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2009-1864.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2009-1865.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2009-1866.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2009-1867.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2009-1868.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2009-1869.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2009-1870.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2009-2395.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2009-2493.html"
      );
      script_set_attribute(attribute:"solution", value:"Apply ZYPP patch number 6386.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
      script_cwe_id(59, 89, 94, 119, 189, 200, 264);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/07/31");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/01/27");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled.");
    if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE.");
    if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages.");
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) exit(1, "Failed to determine the architecture type.");
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 10 on the '"+cpu+"' architecture have not been implemented.");
    
    
    flag = 0;
    if (rpm_check(release:"SLED10", sp:2, reference:"flash-player-9.0.246.0-0.3")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else exit(0, "The host is not affected.");
    
  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS09-035.NASL
    descriptionThe remote Windows host contains a version of the Microsoft Active Template Library (ATL), included as part of Visual Studio or Visual C++, that is affected by multiple vulnerabilities : - On systems with components and controls installed that were built using Visual Studio ATL, an issue in the ATL headers could allow an attacker to force VariantClear to be called on a VARIANT that has not been correctly initialized and, by supplying a corrupt stream, to execute arbitrary code. (CVE-2009-0901) - On systems with components and controls installed that were built using Visual Studio ATL, unsafe usage of OleLoadFromStream could allow instantiation of arbitrary objects that can bypass related security policy, such as kill bits within Internet Explorer. (CVE-2009-2493) - On systems with components and controls installed that were built using Visual Studio ATL, an issue in the ATL headers could allow a string to be read without a terminating NULL character, which could lead to disclosure of information in memory. (CVE-2009-2495)
    last seen2020-06-01
    modified2020-06-02
    plugin id40435
    published2009-07-30
    reporterThis script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/40435
    titleMS09-035: Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution (969706)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(40435);
      script_version("1.32");
      script_cvs_date("Date: 2018/11/15 20:50:30");
    
      script_cve_id("CVE-2009-0901", "CVE-2009-2493", "CVE-2009-2495");
      script_bugtraq_id(35828, 35830, 35832);
      script_xref(name:"MSFT", value:"MS09-035");
      script_xref(name:"MSKB", value:"973544");
      script_xref(name:"MSKB", value:"973551");
      script_xref(name:"MSKB", value:"973552");
      script_xref(name:"MSKB", value:"973675");
      script_xref(name:"IAVB", value:"2009-B-0033");
      script_xref(name:"CERT", value:"456745");
    
      script_name(english:"MS09-035: Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution (969706)");
      script_summary(english:"Checks for Visual Studio / Visual C++ patches");
    
      script_set_attribute(attribute:"synopsis", value:
    "Arbitrary code can be executed on the remote host through Microsoft
    Active Template Library.");
      script_set_attribute(attribute:"description", value:
    "The remote Windows host contains a version of the Microsoft Active
    Template Library (ATL), included as part of Visual Studio or Visual
    C++, that is affected by multiple vulnerabilities :
    
      - On systems with components and controls installed that
        were built using Visual Studio ATL, an issue in the ATL
        headers could allow an attacker to force VariantClear
        to be called on a VARIANT that has not been correctly
        initialized and, by supplying a corrupt stream, to
        execute arbitrary code. (CVE-2009-0901)
    
      - On systems with components and controls installed that
        were built using Visual Studio ATL, unsafe usage of
        OleLoadFromStream could allow instantiation of
        arbitrary objects that can bypass related security
        policy, such as kill bits within Internet Explorer.
        (CVE-2009-2493)
    
      - On systems with components and controls installed that
        were built using Visual Studio ATL, an issue in the ATL
        headers could allow a string to be read without a
        terminating NULL character, which could lead to
        disclosure of information in memory. (CVE-2009-2495)");
      script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-035");
      script_set_attribute(attribute:"solution", value:
    "Microsoft has released a set of patches for Visual Studio .NET 2003,
    Visual Studio 2005 and 2008, as well as Visual C++ 2005 and 2008.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(94, 200, 264);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2009/07/28");
      script_set_attribute(attribute:"patch_publication_date", value:"2009/07/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/07/30");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:visual_studio");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:visual_studio_.net");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:visual_c++");
      script_set_attribute(attribute:"stig_severity", value:"II");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
    
      script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, 'Host/patch_management_checks');
    
      exit(0);
    }
    
    include("smb_func.inc");
    include("smb_hotfixes.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_reg_query.inc");
    include("misc_func.inc");
    include("audit.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    get_kb_item_or_exit("SMB/Registry/Uninstall/Enumerated");
    
    bulletin = 'MS09-035';
    kbs = make_list("973544", "973551", "973552", "973675");
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    
    if (!get_kb_item("SMB/WindowsVersion")) exit(1, "SMB/WindowsVersion KB item is missing.");
    
    
    rootfile = hotfix_get_systemroot();
    if (!rootfile) exit(1, "Can't get system root.");
    
    commonfiles = hotfix_get_commonfilesdir();
    
    MAX_RECURSE = 3;
    
    
    port    =  kb_smb_transport();
    login   =  kb_smb_login();
    pass    =  kb_smb_password();
    domain  =  kb_smb_domain();
    
    if(! smb_session_init()) audit(AUDIT_FN_FAIL, "smb_session_init");
    hcf_init = TRUE;
    
    function _list_dir(basedir, level, dir_pat, file_pat)
    {
      local_var contents, ret, subdirs, subsub;
    
      # nb: limit how deep we'll recurse.
      if (level > MAX_RECURSE) return NULL;
    
      subdirs = NULL;
      if (isnull(dir_pat)) dir_pat = "";
      ret = FindFirstFile(pattern:basedir + "\*" + dir_pat + "*");
    
      contents = make_list();
      while (!isnull(ret[1]))
      {
        if (file_pat && ereg(pattern:file_pat, string:ret[1], icase:TRUE))
          contents = make_list(contents, basedir+"\"+ret[1]);
    
        subsub = NULL;
        if ("." != ret[1] && ".." != ret[1] && level <= MAX_RECURSE)
          subsub  = _list_dir(basedir:basedir+"\"+ret[1], level:level+1, file_pat:file_pat);
        if (!isnull(subsub))
        {
          if (isnull(subdirs)) subdirs = make_list(subsub);
          else subdirs = make_list(subdirs, subsub);
        }
        ret = FindNextFile(handle:ret);
      }
    
      if (isnull(subdirs)) return contents;
      else return make_list(contents, subdirs);
    }
    
    
    # Returns the file version as a string, either from the KB or by
    # calling GetFileVersion(). Assumes we're already connected to the
    # correct share.
    function get_file_version()
    {
      local_var fh, file, ver, version;
    
      if (isnull(_FCT_ANON_ARGS[0])) return NULL;
    
      file = _FCT_ANON_ARGS[0];
      version = get_kb_item("SMB/FileVersions"+tolower(str_replace(string:file, find:"\", replace:"/")));
      if (isnull(version))
      {
        fh = CreateFile(
          file:file,
          desired_access:GENERIC_READ,
          file_attributes:FILE_ATTRIBUTE_NORMAL,
          share_mode:FILE_SHARE_READ,
          create_disposition:OPEN_EXISTING
        );
        if (!isnull(fh))
        {
          ver = GetFileVersion(handle:fh);
          CloseFile(handle:fh);
          if (!isnull(ver))
          {
            version = string(ver[0], ".", ver[1], ".", ver[2], ".", ver[3]);
            set_kb_item(
              name:"SMB/FileVersions"+tolower(str_replace(string:file, find:"\", replace:"/")),
              value:version
            );
          }
        }
      }
      return version;
    }
    
    
    
    #######################################################################
    # Check VC++ Redistributables.
    #######################################################################
    installs = make_array();
    
    # - Check if the redistributable is known to be installed; otherwise,
    #   we'll generate a false positive against Visual Studio.
    list = get_kb_list("SMB/Registry/HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall/*/DisplayName");
    if (!isnull(list))
    {
      foreach name (keys(list))
      {
        prod = list[name];
        if (prod && ereg(pattern:"^Microsoft Visual C\+\+ 200[58] Redistributable", string:prod, icase:TRUE))
        {
          installs[tolower(prod)]++;
        }
      }
    }
    
    if (max_index(keys(installs)))
    {
      share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:rootfile);
      if (!is_accessible_share(share:share)) exit(1, "Can't access '"+share+"' share.");
    
      rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
      if (rc != 1)
      {
        NetUseDel();
        exit(1, "Can't access '"+share+"' share.");
      }
    
      fixed = make_array();
      probs = make_array();
      kbs = make_array();
      fixed_versions = make_array();
      fversions = make_array();
      prodfiles = make_array();
    
      winsxs = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\WinSxS", string:rootfile);
      files = _list_dir(basedir:winsxs, level:0, dir_pat:"microsoft.vc?0.atl", file_pat:"^atl(80|90)\.dll$");
      if (!isnull(files))
      {
        foreach file (files)
        {
          if (ereg(pattern:"Microsoft\.VC80\.ATL", string:file, icase:TRUE))
          {
            prod = "Visual C++ 2005 SP1 Redistributable Package";
            fixed_versions[prod] = "8.0.50727.4053";
            prodfiles[prod] = "atl80.dll";
            kbs[prod] = '973544';
          }
          else if (ereg(pattern:"Microsoft\.VC90\.ATL.+_9\.0\.[0-2][0-9]+", string:file, icase:TRUE))
          {
            prod = "Visual C++ 2008 Redistributable Package";
            fixed_versions[prod] = "9.0.21022.218";
            prodfiles[prod] = "atl90.dll";
            kbs[prod] = '973551';
          }
          else if (ereg(pattern:"Microsoft\.VC90\.ATL.+_9\.0\.3[0-9]+", string:file, icase:TRUE))
          {
            prod = "Visual C++ 2008 SP1 Redistributable Package";
            fixed_versions[prod] = "9.0.30729.4148";
            prodfiles[prod] = "atl90.dll";
            kbs[prod] = '973552';
          }
          else continue;
    
          installed = FALSE;
          foreach key (keys(installs))
          {
            if (
              (" 2005 " >< prod && " 2005 " >< key) ||
              (
                " 2008 " >< prod && " 2008 " >< key &&
                (
                  ereg(pattern:" 9\.0\.[0-2][0-9]+", string:key) ||
                  (" SP1 " >< prod && ereg(pattern:" 9\.0\.3[0-9]+", string:key))
                )
              )
            )
            {
              installed = TRUE;
              break;
            }
          }
          if (!installed) continue;
    
          if (isnull(fixed[prod]) || fixed[prod] == 0)
          {
            version = get_file_version(file);
            fversions[prod] = version;
            if (!isnull(version))
            {
              if (version == fixed_versions[prod])
              {
                fixed[prod]++;
                if (prod == "Visual C++ 2008 SP1 Redistributable Package")
                {
                  fixed["Visual C++ 2008 Redistributable Package"]++;
                  probs[prod] = 0;
                }
                continue;
              }
    
              ver = split(version, sep:'.', keep:FALSE);
              for (i=0; i<max_index(ver); i++)
                ver[i] = int(ver[i]);
    
              fix = split(fixed_versions[prod], sep:'.', keep:FALSE);
              for (i=0; i<max_index(fix); i++)
                fix[i] = int(fix[i]);
    
              # Flag it if it's older or flag the fix if it's fixed.
              for (i=0; i<max_index(ver); i++)
                if ((ver[i] < fix[i]))
                {
                  fixed[prod] = 0;
                  probs[prod]++;
                  break;
                }
                else if (ver[i] > fix[i])
                {
                  fixed[prod]++;
                  probs[prod] = 0;
                  if (prod == "Visual C++ 2008 SP1 Redistributable Package")
                  {
                    fixed["Visual C++ 2008 Redistributable Package"]++;
                    probs[prod] = 0;
                  }
                  break;
                }
              }
          }
        }
      }
      NetUseDel(close:FALSE);
    
      # Report and exit if there's a problem.
      info = "";
      s = 0;
      foreach prod (keys(probs))
      {
        if (!fixed[prod]) s++;
      }
      if (s)
      {
        set_kb_item(name:'SMB/Missing/MS09-035', value:TRUE);
    
        if (s > 1) s = 's have';
        else s = ' has';
        info =
          '\n  The following Visual C++ Redistributable Package' + s + ' not' +
          '\n  been patched : \n';
        hotfix_add_report(info);
        foreach prod (keys(probs))
        {
          if (fixed[prod]) continue;
    
          info =
            '\n  Product           : ' + prod +
            '\n  File              : ' + prodfiles[prod] +
            '\n  Installed version : ' + fversions[prod] +
            '\n  Fixed version     : ' + fixed_versions[prod] + '\n';
          hotfix_add_report(info, bulletin:bulletin, kb:kbs[prod]);
        }
        hotfix_security_hole();
        exit(0);
      }
    }
    
    
    
    #######################################################################
    # Check Visual Studio installs.
    #######################################################################
    # - identify VCROOT for each install.
    installs = make_array();
    
    rc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
    if (rc != 1)
    {
      NetUseDel();
      exit(1, "Can't connect to IPC$ share.");
    }
    
    hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
    if (isnull(hklm))
    {
      NetUseDel();
      exit(1, "Can't connect to remote registry.");
    }
    
    key = "SOFTWARE\Microsoft\VisualStudio";
    subkeys = get_registry_subkeys(handle:hklm, key:key, wow:TRUE);
    if (!isnull(subkeys))
    {
      if (report_paranoia < 2) pat = '^(7\\.1|8\\.0|9\\.0)$';
      else pat = '^[0-9]\\.[0-9]+$';
      foreach node (keys(subkeys))
      {
        key = node;
        foreach subkey (subkeys[node])
        {
          if (ereg(pattern:pat, string:subkey))
          {
            key2 = key + '\\' + subkey;
            path = get_registry_value(handle:hklm, item:key2 + "\InstallDir");
            if (!isnull(path))
            {
              path = ereg_replace(pattern:'^"(.+)"$', replace:"\1", string:path);
              vcroot = ereg_replace(pattern:"^(.+)\\Common7\\IDE\\$", replace:"\1", string:path, icase:TRUE);
              if (vcroot >< path) installs[subkey] = vcroot;
            }
          }
        }
      }
    }
    RegCloseKey(handle:hklm);
    NetUseDel(close:FALSE);
    
    # - locate possibly-affected files.
    atl_files = make_list();
    
    foreach ver (keys(installs))
    {
      if (ver =~ "^[89]\.")
      {
        vcroot = installs[ver];
    
        share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:vcroot);
        rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
        if (rc != 1)
        {
          NetUseDel();
          exit(1, "Can't access '"+share+"' share.");
        }
    
        path =  ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1", string:vcroot);
        files = _list_dir(basedir:path+"\VC\redist", level:0, file_pat:"^atl(80|90)\.dll$");
        if (!isnull(files))
        {
          foreach file (files)
          {
            atl_files = make_list(atl_files, (share-'$')+':'+file);
          }
        }
      }
      else
      {
        if (report_paranoia < 2) pat = "^atl(71|80|90)\.dll$";
        else pat = "^atl[0-9][0-9]\.dll$";
    
        basedirs = make_list(
          rootfile+"\System32",
          commonfiles+"\Microsoft Shared\Help",
          commonfiles+"\Microsoft Shared\VSA"
        );
    
        foreach basedir (basedirs)
        {
          share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:basedir);
          rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
          if (rc != 1)
          {
            NetUseDel();
            exit(1, "Can't access '"+share+"' share.");
          }
          basedir = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1", string:basedir);
    
          if (ereg(pattern:"\System32$", string:basedir, icase:TRUE))
            files = _list_dir(basedir:basedir, level:MAX_RECURSE, file_pat:pat);
          else
            files = _list_dir(basedir:basedir, level:0, file_pat:pat);
          if (!isnull(files))
          {
            foreach file (files)
            {
                atl_files = make_list(atl_files, (share-'$')+':'+file);
            }
          }
          NetUseDel(close:FALSE);
        }
      }
    }
    NetUseDel(close:FALSE);
    
    
    # - check each file.
    vuln = 0;
    
    foreach atl (atl_files)
    {
      match = eregmatch(pattern:"^(.+)\\(atl[0-9]+\.dll)$", string:atl, icase:TRUE);
      if (match)
      {
        path = match[1];
        file = match[2];
    
        if (
          hotfix_check_fversion(file:file, version:"9.0.30729.4148", min_version:"9.0.30000.0", path:path, bulletin:bulletin, kb:'973675') == HCF_OLDER ||
          hotfix_check_fversion(file:file, version:"9.0.21022.218",  min_version:"9.0.0.0",     path:path, bulletin:bulletin, kb:'973674') == HCF_OLDER ||
          hotfix_check_fversion(file:file, version:"8.0.50727.4053", min_version:"8.0.0.0",     path:path, bulletin:bulletin, kb:'971090') == HCF_OLDER ||
          hotfix_check_fversion(file:file, version:"7.10.6101.0",                               path:path, bulletin:bulletin, kb:'971089') == HCF_OLDER
        ) vuln++;
      }
    }
    
    if (vuln)
    {
      set_kb_item(name:"SMB/Missing/MS09-035", value:TRUE);
      hotfix_security_hole();
    
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      exit(0, "The host is not affected");
    }
    
  • NASL familyWindows
    NASL idFLASH_PLAYER_APSB09_10.NASL
    descriptionThe remote Windows host contains a version of Adobe Flash Player that is earlier than 9.0.246.0 / 10.0.32.18. Such versions are reportedly affected by multiple vulnerabilities : - A memory corruption vulnerability that could potentially lead to code execution. (CVE-2009-1862) - A vulnerability in the Microsoft Active Template Library (ATL) which could allow an attacker who successfully exploits the vulnerability to take control of the affected system. (CVE-2009-0901, CVE-2009-2395, CVE-2009-2493) - A privilege escalation vulnerability that could potentially lead to code execution. (CVE-2009-1863) - A heap overflow vulnerability that could potentially lead to code execution. (CVE-2009-1864) - A NULL pointer vulnerability that could potentially lead to code execution. (CVE-2009-1865) - A stack overflow vulnerability that could potentially lead to code execution. (CVE-2009-1866) - A clickjacking vulnerability that could allow an attacker to lure a web browser user into unknowingly clicking on a link or dialog. (CVE-2009-1867 - A URL parsing heap overflow vulnerability that could potentially lead to code execution. (CVE-2009-1868) - An integer overflow vulnerability that could potentially lead to code execution. (CVE-2009-1869) - A local sandbox vulnerability that could potentially lead to information disclosure when SWFs are saved to the hard drive. CVE-2009-1870)
    last seen2020-06-01
    modified2020-06-02
    plugin id40434
    published2009-07-30
    reporterThis script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/40434
    titleFlash Player < 9.0.246.0 / 10.0.32.18 Multiple Vulnerabilities (APSB09-10)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(40434);
      script_version("1.21");
    
      script_cve_id(  'CVE-2009-1862', 'CVE-2009-0901', 'CVE-2009-2493',
                      'CVE-2009-1863', 'CVE-2009-1864', 'CVE-2009-1865', 'CVE-2009-1866',
                      'CVE-2009-1867', 'CVE-2009-1868', 'CVE-2009-1869', 'CVE-2009-1870');
      script_bugtraq_id(35759, 35832, 35846, 35900, 35901, 35902, 35903, 35904,
                        35905, 35906, 35907, 35908);
    
      script_name(english:"Flash Player < 9.0.246.0 / 10.0.32.18 Multiple Vulnerabilities (APSB09-10)");
      script_summary(english:"Checks version of Flash Player");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host contains a browser plugin that is affected by 
    multiple vulnerabilities."  );
    
      script_set_attribute( attribute:"description", value:
    "The remote Windows host contains a version of Adobe Flash Player that 
    is earlier than 9.0.246.0 / 10.0.32.18. Such versions are reportedly 
    affected by multiple vulnerabilities : 
    
      - A memory corruption vulnerability that could potentially
        lead to code execution. (CVE-2009-1862) 
    
      - A vulnerability in the Microsoft Active Template Library
        (ATL) which could allow an attacker who successfully
        exploits the vulnerability to take control of the
        affected system. (CVE-2009-0901, CVE-2009-2395,
        CVE-2009-2493) 
    
      - A privilege escalation vulnerability that could 
        potentially lead to code execution. (CVE-2009-1863)
    
      - A heap overflow vulnerability that could potentially
        lead to code execution. (CVE-2009-1864) 
    
      - A NULL pointer vulnerability that could potentially
        lead to code execution. (CVE-2009-1865) 
    
      - A stack overflow vulnerability that could potentially
        lead to code execution. (CVE-2009-1866) 
    
      - A clickjacking vulnerability that could allow an
        attacker to lure a web browser user into unknowingly
        clicking on a link or dialog. (CVE-2009-1867 
    
      - A URL parsing heap overflow vulnerability that could
        potentially lead to code execution. (CVE-2009-1868)
    
      - An integer overflow vulnerability that could potentially
        lead to code execution. (CVE-2009-1869) 
    
      - A local sandbox vulnerability that could potentially
        lead to information disclosure when SWFs are saved to
        the hard drive. CVE-2009-1870)"  );
    
      script_set_attribute(attribute:"see_also", value:
    "http://www.adobe.com/support/security/bulletins/apsb09-10.html"  );
    
      script_set_attribute( attribute:"solution", value:
    "Upgrade to version 10.0.32.18 or later. If you are unable to upgrade
    to version 10, upgrade to version 9.0.246.0 or later."  );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
      script_cwe_id(59, 94, 119, 189, 200, 264);
    
      script_set_attribute( attribute:'vuln_publication_date', value:'2009/07/28' );
      script_set_attribute( attribute:'patch_publication_date', value:'2009/07/30' );
      script_set_attribute( attribute:'plugin_publication_date', value:'2009/07/30' );
    
     script_cvs_date("Date: 2018/07/11 17:09:26");
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:adobe:flash_player");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
      script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
      script_dependencies("flash_player_installed.nasl");
      script_require_keys("SMB/Flash_Player/installed");
      exit(0);
    }
    
    #
    
    if (!get_kb_item("SMB/Flash_Player/installed")) exit(0);
    
    include ("global_settings.inc");
    
    # Identify vulnerable versions.
    info=NULL;
    
    foreach variant (make_list("Plugin", "ActiveX"))
    {
      vers = get_kb_list("SMB/Flash_Player/"+variant+"/Version/*");
      files = get_kb_list("SMB/Flash_Player/"+variant+"/File/*");
      if(!isnull(vers) && !isnull(files))
      {
        foreach key (keys(vers))
        {
          ver = vers[key];
          if (ver)
          {
            iver = split(ver, sep:'.',keep:FALSE);
            for(i=0;i<max_index(iver);i++)
              iver[i] = int(iver[i]);
            if (
              (
                iver[0] == 10 && iver[1] == 0 &&
                  (
                    iver[2] < 22 ||
                    (iver[2] == 22 && iver[3] <= 87)
                  )
              ) ||
              (iver[0] == 9 && iver[1] == 0 && iver[2] < 246) ||
              iver[0] < 9
            )
            {
              num = key - ("SMB/Flash_Player/"+variant+"/Version/");
              file = files["SMB/Flash_Player/"+variant+"/File/"+num];
              if (variant == "Plugin")
              {
                info += '  - Browser Plugin (for Firefox / Netscape / Opera) :\n';
              }
              else if (variant == "ActiveX")
              {
                info += '  - ActiveX control (for Internet Explorer) :\n';
              }
              info += '    ' + file + ', ' + ver + '\n';
            }
          }
        }
      }
    }
    
    if (info)
    {
      if (report_verbosity > 0)
      {
        # nb: each vulnerable instance adds 2 lines to 'info'.
        if (max_index(split(info)) > 2)
          inst = "s";
        else
          inst = "";
    
        report = string(
          "\n",
          "Nessus has identified the following vulnerable instance", inst, " of Flash\n",
          "Player installed on the remote host :\n",
          "\n",
          info
        );
        security_hole(port:get_kb_item("SMB/transport"), extra:report);
      }
      else security_hole(get_kb_item("SMB/transport"));
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_0_FLASH-PLAYER-090731.NASL
    descriptionSpecially crafted Flash (SWF) files can cause a buffer overflow in flash-player. Attackers could potentially exploit that to execute arbitrary code (CVE-2009-1862, CVE-2009-0901, CVE-2009-2395, CVE-2009-2493, CVE-2009-1863, CVE-2009-1864, CVE-2009-1865, CVE-2009-1866, CVE-2009-1867, CVE-2009-1868, CVE-2009-1869, CVE-2009-1870).
    last seen2020-06-01
    modified2020-06-02
    plugin id40488
    published2009-08-05
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/40488
    titleopenSUSE Security Update : flash-player (flash-player-1148)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update flash-player-1148.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(40488);
      script_version("1.15");
      script_cvs_date("Date: 2019/10/25 13:36:34");
    
      script_cve_id("CVE-2009-0901", "CVE-2009-1862", "CVE-2009-1863", "CVE-2009-1864", "CVE-2009-1865", "CVE-2009-1866", "CVE-2009-1867", "CVE-2009-1868", "CVE-2009-1869", "CVE-2009-1870", "CVE-2009-2395", "CVE-2009-2493");
    
      script_name(english:"openSUSE Security Update : flash-player (flash-player-1148)");
      script_summary(english:"Check for the flash-player-1148 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Specially crafted Flash (SWF) files can cause a buffer overflow in
    flash-player. Attackers could potentially exploit that to execute
    arbitrary code (CVE-2009-1862, CVE-2009-0901, CVE-2009-2395,
    CVE-2009-2493, CVE-2009-1863, CVE-2009-1864, CVE-2009-1865,
    CVE-2009-1866, CVE-2009-1867, CVE-2009-1868, CVE-2009-1869,
    CVE-2009-1870)."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=524508"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected flash-player package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
      script_cwe_id(59, 89, 94, 119, 189, 200, 264);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:flash-player");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/07/31");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/08/05");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE11\.0)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.0", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686)$") audit(AUDIT_ARCH_NOT, "i586 / i686", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE11.0", reference:"flash-player-9.0.246.0-0.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "flash-player");
    }
    
  • NASL familyWindows
    NASL idWIN_SERVER_2008_NTLM_PCI.NASL
    descriptionAccording to the version number obtained by NTLM the remote host has Windows Server 2008 installed. The host may be vulnerable to a number of vulnerabilities including remote unauthenticated code execution.
    last seen2020-06-01
    modified2020-06-02
    plugin id108811
    published2018-04-03
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108811
    titleWindows Server 2008 Critical RCE Vulnerabilities (uncredentialed) (PCI/DSS)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_1_FLASH-PLAYER-090731.NASL
    descriptionSpecially crafted Flash (SWF) files can cause a buffer overflow in flash-player. Attackers could potentially exploit that to execute arbitrary code (CVE-2009-1862, CVE-2009-0901, CVE-2009-2395, CVE-2009-2493, CVE-2009-1863, CVE-2009-1864, CVE-2009-1865, CVE-2009-1866, CVE-2009-1867, CVE-2009-1868, CVE-2009-1869, CVE-2009-1870).
    last seen2020-06-01
    modified2020-06-02
    plugin id40489
    published2009-08-05
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/40489
    titleopenSUSE Security Update : flash-player (flash-player-1148)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_FLASH-PLAYER-6387.NASL
    descriptionSpecially crafted Flash (SWF) files can cause a buffer overflow in flash-player. Attackers could potentially exploit that to execute arbitrary code (CVE-2009-1862, CVE-2009-0901, CVE-2009-2395, CVE-2009-2493, CVE-2009-1863, CVE-2009-1864, CVE-2009-1865, CVE-2009-1866, CVE-2009-1867, CVE-2009-1868, CVE-2009-1869, CVE-2009-1870).
    last seen2020-06-01
    modified2020-06-02
    plugin id42001
    published2009-10-06
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/42001
    titleopenSUSE 10 Security Update : flash-player (flash-player-6387)
  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS09-060.NASL
    descriptionOne or more ActiveX controls included in Microsoft Outlook or Visio and installed on the remote Windows host was compiled with a version of Microsoft Active Template Library (ATL) that is affected by potentially several vulnerabilities : - An issue in the ATL headers could allow an attacker to force VariantClear to be called on a VARIANT that has not been correctly initialized and, by supplying a corrupt stream, to execute arbitrary code. (CVE-2009-0901) - Unsafe usage of
    last seen2020-06-01
    modified2020-06-02
    plugin id42116
    published2009-10-14
    reporterThis script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/42116
    titleMS09-060: Vulnerabilities in Microsoft Active Template Library (ATL) ActiveX Controls for Microsoft Office Could Allow Remote Code Execution (973965)

Oval

  • accepted2009-09-28T04:00:20.671-04:00
    classvulnerability
    contributors
    • nameDragos Prisaca
      organizationGideon Technologies, Inc.
    • nameJ. Daniel Brown
      organizationDTCC
    • nameRachana Shetty
      organizationSecPod Technologies
    • nameJosh Turpin
      organizationSymantec Corporation
    • nameChandan S
      organizationSecPod Technologies
    • nameDragos Prisaca
      organizationG2, Inc.
    • nameMaria Mikhno
      organizationALTX-SOFT
    • nameMaria Mikhno
      organizationALTX-SOFT
    • nameMaria Mikhno
      organizationALTX-SOFT
    definition_extensions
    • commentMicrosoft Windows 2000 SP4 or later is installed
      ovaloval:org.mitre.oval:def:229
    • commentMicrosoft Outlook Express 5.5 SP2 is installed.
      ovaloval:org.mitre.oval:def:504
    • commentMicrosoft Windows 2000 SP4 or later is installed
      ovaloval:org.mitre.oval:def:229
    • commentMicrosoft Outlook Express 6 SP1 is installed.
      ovaloval:org.mitre.oval:def:488
    • commentMicrosoft Windows XP (x86) SP2 is installed
      ovaloval:org.mitre.oval:def:754
    • commentMicrosoft Outlook Express 6.0 for Windows XP/2003 is installed
      ovaloval:org.mitre.oval:def:208
    • commentMicrosoft Windows XP (x86) SP3 is installed
      ovaloval:org.mitre.oval:def:5631
    • commentMicrosoft Outlook Express 6.0 for Windows XP/2003 is installed
      ovaloval:org.mitre.oval:def:208
    • commentMicrosoft Outlook Express 6.0 for Windows XP/2003 is installed
      ovaloval:org.mitre.oval:def:208
    • commentMicrosoft Windows XP x64 Edition SP2 is installed
      ovaloval:org.mitre.oval:def:4193
    • commentMicrosoft Windows Server 2003 SP2 (x86) is installed
      ovaloval:org.mitre.oval:def:1935
    • commentMicrosoft Outlook Express 6.0 for Windows XP/2003 is installed
      ovaloval:org.mitre.oval:def:208
    • commentMicrosoft Windows Server 2003 SP2 (x64) is installed
      ovaloval:org.mitre.oval:def:2161
    • commentMicrosoft Outlook Express 6.0 for Windows XP/2003 is installed
      ovaloval:org.mitre.oval:def:208
    • commentMicrosoft Windows Server 2003 (ia64) SP2 is installed
      ovaloval:org.mitre.oval:def:1442
    • commentMicrosoft Outlook Express 6.0 for Windows XP/2003 is installed
      ovaloval:org.mitre.oval:def:208
    • commentMicrosoft Windows 2000 SP4 or later is installed
      ovaloval:org.mitre.oval:def:229
    • commentWindows Media Player v9 is installed.
      ovaloval:org.mitre.oval:def:2147
    • commentMicrosoft Windows XP (x86) SP2 is installed
      ovaloval:org.mitre.oval:def:754
    • commentWindows Media Player v9 is installed.
      ovaloval:org.mitre.oval:def:2147
    • commentMicrosoft Windows XP (x86) SP3 is installed
      ovaloval:org.mitre.oval:def:5631
    • commentWindows Media Player v9 is installed.
      ovaloval:org.mitre.oval:def:2147
    • commentMicrosoft Windows XP (x86) SP2 is installed
      ovaloval:org.mitre.oval:def:754
    • commentMicrosoft Windows XP (x86) SP3 is installed
      ovaloval:org.mitre.oval:def:5631
    • commentWindows Media Player v10 is installed.
      ovaloval:org.mitre.oval:def:2172
    • commentWindows Media Player v10 is installed.
      ovaloval:org.mitre.oval:def:2172
    • commentMicrosoft Windows XP x64 Edition SP2 is installed
      ovaloval:org.mitre.oval:def:4193
    • commentMicrosoft Windows Server 2003 SP2 (x86) is installed
      ovaloval:org.mitre.oval:def:1935
    • commentWindows Media Player v10 is installed.
      ovaloval:org.mitre.oval:def:2172
    • commentMicrosoft Windows Server 2003 SP2 (x64) is installed
      ovaloval:org.mitre.oval:def:2161
    • commentWindows Media Player v10 is installed.
      ovaloval:org.mitre.oval:def:2172
    • commentMicrosoft Windows XP (x86) SP2 is installed
      ovaloval:org.mitre.oval:def:754
    • commentMicrosoft Windows XP (x86) SP3 is installed
      ovaloval:org.mitre.oval:def:5631
    • commentWindows Media Player v11 is installed.
      ovaloval:org.mitre.oval:def:2126
    • commentWindows Media Player v11 is installed.
      ovaloval:org.mitre.oval:def:2126
    • commentMicrosoft Windows XP x64 Edition SP2 is installed
      ovaloval:org.mitre.oval:def:4193
    • commentMicrosoft Windows Vista (32-bit) is installed
      ovaloval:org.mitre.oval:def:1282
    • commentMicrosoft Windows Vista x64 Edition is installed
      ovaloval:org.mitre.oval:def:2041
    • commentMicrosoft Windows Vista (32-bit) Service Pack 1 is installed
      ovaloval:org.mitre.oval:def:4873
    • commentMicrosoft Windows Vista x64 Edition Service Pack 1 is installed
      ovaloval:org.mitre.oval:def:5254
    • commentMicrosoft Windows Server 2008 (32-bit) is installed
      ovaloval:org.mitre.oval:def:4870
    • commentMicrosoft Windows Server 2008 (64-bit) is installed
      ovaloval:org.mitre.oval:def:5356
    • commentMicrosoft Windows Server 2008 (ia-64) is installed
      ovaloval:org.mitre.oval:def:5667
    • commentMicrosoft Windows Vista (32-bit) Service Pack 2 is installed
      ovaloval:org.mitre.oval:def:6124
    • commentMicrosoft Windows Vista x64 Edition Service Pack 2 is installed
      ovaloval:org.mitre.oval:def:5594
    • commentMicrosoft Windows Server 2008 (32-bit) Service Pack 2 is installed
      ovaloval:org.mitre.oval:def:5653
    • commentMicrosoft Windows Server 2008 x64 Edition Service Pack 2 is installed
      ovaloval:org.mitre.oval:def:6216
    • commentMicrosoft Windows Server 2008 Itanium-Based Edition Service Pack 2 is installed
      ovaloval:org.mitre.oval:def:6150
    • commentMicrosoft Windows Vista (32-bit) is installed
      ovaloval:org.mitre.oval:def:1282
    • commentMicrosoft Windows Vista x64 Edition is installed
      ovaloval:org.mitre.oval:def:2041
    • commentMicrosoft Windows Vista (32-bit) Service Pack 1 is installed
      ovaloval:org.mitre.oval:def:4873
    • commentMicrosoft Windows Vista x64 Edition Service Pack 1 is installed
      ovaloval:org.mitre.oval:def:5254
    • commentMicrosoft Windows Server 2008 (32-bit) is installed
      ovaloval:org.mitre.oval:def:4870
    • commentMicrosoft Windows Server 2008 (64-bit) is installed
      ovaloval:org.mitre.oval:def:5356
    • commentMicrosoft Windows Server 2008 (ia-64) is installed
      ovaloval:org.mitre.oval:def:5667
    • commentMicrosoft Windows Vista (32-bit) Service Pack 2 is installed
      ovaloval:org.mitre.oval:def:6124
    • commentMicrosoft Windows Vista x64 Edition Service Pack 2 is installed
      ovaloval:org.mitre.oval:def:5594
    • commentMicrosoft Windows Server 2008 (32-bit) Service Pack 2 is installed
      ovaloval:org.mitre.oval:def:5653
    • commentMicrosoft Windows Server 2008 x64 Edition Service Pack 2 is installed
      ovaloval:org.mitre.oval:def:6216
    • commentMicrosoft Windows Server 2008 Itanium-Based Edition Service Pack 2 is installed
      ovaloval:org.mitre.oval:def:6150
    • commentMicrosoft Windows 2000 SP4 or later is installed
      ovaloval:org.mitre.oval:def:229
    • commentMicrosoft Windows XP (x86) SP2 is installed
      ovaloval:org.mitre.oval:def:754
    • commentMicrosoft Windows XP (x86) SP3 is installed
      ovaloval:org.mitre.oval:def:5631
    • commentMicrosoft Windows Server 2003 SP2 (x86) is installed
      ovaloval:org.mitre.oval:def:1935
    • commentMicrosoft Windows Server 2003 SP2 (x64) is installed
      ovaloval:org.mitre.oval:def:2161
    • commentMicrosoft Windows Server 2003 (ia64) SP2 is installed
      ovaloval:org.mitre.oval:def:1442
    • commentMicrosoft Windows Vista (32-bit) is installed
      ovaloval:org.mitre.oval:def:1282
    • commentMicrosoft Windows Vista x64 Edition is installed
      ovaloval:org.mitre.oval:def:2041
    • commentMicrosoft Windows Vista (32-bit) Service Pack 1 is installed
      ovaloval:org.mitre.oval:def:4873
    • commentMicrosoft Windows Vista x64 Edition Service Pack 1 is installed
      ovaloval:org.mitre.oval:def:5254
    • commentMicrosoft Windows Server 2008 (32-bit) is installed
      ovaloval:org.mitre.oval:def:4870
    • commentMicrosoft Windows Server 2008 (64-bit) is installed
      ovaloval:org.mitre.oval:def:5356
    • commentMicrosoft Windows Server 2008 (ia-64) is installed
      ovaloval:org.mitre.oval:def:5667
    • commentMicrosoft Windows Vista (32-bit) Service Pack 2 is installed
      ovaloval:org.mitre.oval:def:6124
    • commentMicrosoft Windows Vista x64 Edition Service Pack 2 is installed
      ovaloval:org.mitre.oval:def:5594
    • commentMicrosoft Windows Server 2008 (32-bit) Service Pack 2 is installed
      ovaloval:org.mitre.oval:def:5653
    • commentMicrosoft Windows Server 2008 x64 Edition Service Pack 2 is installed
      ovaloval:org.mitre.oval:def:6216
    • commentMicrosoft Windows Server 2008 Itanium-Based Edition Service Pack 2 is installed
      ovaloval:org.mitre.oval:def:6150
    • commentMicrosoft Windows XP x64 Edition SP2 is installed
      ovaloval:org.mitre.oval:def:4193
    • commentMicrosoft Windows 2000 SP4 or later is installed
      ovaloval:org.mitre.oval:def:229
    • commentMicrosoft Windows XP (x86) SP2 is installed
      ovaloval:org.mitre.oval:def:754
    • commentMicrosoft Windows XP (x86) SP3 is installed
      ovaloval:org.mitre.oval:def:5631
    • commentMicrosoft Windows Server 2003 SP2 (x86) is installed
      ovaloval:org.mitre.oval:def:1935
    • commentMicrosoft Windows Server 2003 SP2 (x64) is installed
      ovaloval:org.mitre.oval:def:2161
    • commentMicrosoft Windows Server 2003 (ia64) SP2 is installed
      ovaloval:org.mitre.oval:def:1442
    • commentMicrosoft Windows XP x64 Edition SP2 is installed
      ovaloval:org.mitre.oval:def:4193
    • commentMicrosoft Windows XP (x86) SP2 is installed
      ovaloval:org.mitre.oval:def:754
    • commentMicrosoft Windows XP (x86) SP3 is installed
      ovaloval:org.mitre.oval:def:5631
    • commentMicrosoft Windows Server 2003 SP2 (x86) is installed
      ovaloval:org.mitre.oval:def:1935
    • commentMicrosoft Windows Server 2003 SP2 (x64) is installed
      ovaloval:org.mitre.oval:def:2161
    • commentMicrosoft Windows XP x64 Edition SP2 is installed
      ovaloval:org.mitre.oval:def:4193
    • commentMicrosoft Windows Server 2003 (ia64) SP2 is installed
      ovaloval:org.mitre.oval:def:1442
    descriptionThe Active Template Library (ATL) in Microsoft Visual Studio .NET 2003 SP1, Visual Studio 2005 SP1 and 2008 Gold, and Visual C++ 2005 SP1 and 2008 Gold and SP1; and Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2; does not prevent VariantClear calls on an uninitialized VARIANT, which allows remote attackers to execute arbitrary code via a malformed stream to an ATL (1) component or (2) control, related to ATL headers and error handling, aka "ATL Uninitialized Object Vulnerability."
    familywindows
    idoval:org.mitre.oval:def:6289
    statusdeprecated
    submitted2009-08-11T13:00:00
    titleATL Uninitialized Object Vulnerability
    version78
  • accepted2009-09-14T04:00:10.848-04:00
    classvulnerability
    contributors
    • nameDragos Prisaca
      organizationGideon Technologies, Inc.
    • nameJ. Daniel Brown
      organizationDTCC
    • nameMike Lah
      organizationThe MITRE Corporation
    • nameMike Lah
      organizationThe MITRE Corporation
    • nameMike Lah
      organizationThe MITRE Corporation
    • nameMike Lah
      organizationThe MITRE Corporation
    • nameDragos Prisaca
      organizationSymantec Corporation
    • nameDragos Prisaca
      organizationSymantec Corporation
    • nameDragos Prisaca
      organizationSymantec Corporation
    • nameDragos Prisaca
      organizationSymantec Corporation
    • nameDragos Prisaca
      organizationSymantec Corporation
    • nameDragos Prisaca
      organizationG2, Inc.
    • nameMaria Kedovskaya
      organizationALTX-SOFT
    • nameMaria Mikhno
      organizationALTX-SOFT
    definition_extensions
    • commentMicrosoft Visual Studio .NET 2003 SP1 is installed
      ovaloval:org.mitre.oval:def:168
    • commentMicrosoft Visual Studio 2005 Service Pack 1 is installed
      ovaloval:org.mitre.oval:def:6401
    • commentMicrosoft Visual Studio 2008 is installed
      ovaloval:org.mitre.oval:def:5401
    • commentMicrosoft Visual Studio 2008 Service Pack 1 is installed
      ovaloval:org.mitre.oval:def:6205
    descriptionThe Active Template Library (ATL) in Microsoft Visual Studio .NET 2003 SP1, Visual Studio 2005 SP1 and 2008 Gold, and Visual C++ 2005 SP1 and 2008 Gold and SP1; and Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2; does not prevent VariantClear calls on an uninitialized VARIANT, which allows remote attackers to execute arbitrary code via a malformed stream to an ATL (1) component or (2) control, related to ATL headers and error handling, aka "ATL Uninitialized Object Vulnerability."
    familywindows
    idoval:org.mitre.oval:def:6311
    statusdeprecated
    submitted2009-07-28T13:00:00
    titleATL Uninitialized Object Vulnerability
    version79
  • accepted2009-11-30T04:00:36.150-05:00
    classvulnerability
    contributors
    • nameDragos Prisaca
      organizationGideon Technologies, Inc.
    • nameJ. Daniel Brown
      organizationDTCC
    • nameShane Shaffer
      organizationG2, Inc.
    definition_extensions
    • commentMicrosoft Outlook 2002 is installed
      ovaloval:org.mitre.oval:def:5179
    • commentMicrosoft Outlook 2003 is installed
      ovaloval:org.mitre.oval:def:5505
    • commentMicrosoft Outlook 2007 is installed
      ovaloval:org.mitre.oval:def:5352
    • commentMicrosoft Visio Viewer 2002 is installed
      ovaloval:org.mitre.oval:def:6500
    • commentMicrosoft Office Visio Viewer 2003 is installed
      ovaloval:org.mitre.oval:def:6420
    • commentMicrosoft Office Visio Viewer 2007 is installed
      ovaloval:org.mitre.oval:def:6128
    descriptionThe Active Template Library (ATL) in Microsoft Visual Studio .NET 2003 SP1, Visual Studio 2005 SP1 and 2008 Gold, and Visual C++ 2005 SP1 and 2008 Gold and SP1; and Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2; does not prevent VariantClear calls on an uninitialized VARIANT, which allows remote attackers to execute arbitrary code via a malformed stream to an ATL (1) component or (2) control, related to ATL headers and error handling, aka "ATL Uninitialized Object Vulnerability."
    familywindows
    idoval:org.mitre.oval:def:6373
    statusdeprecated
    submitted2009-10-13T13:00:00
    titleATL Uninitialized Object Vulnerability
    version6
  • accepted2015-08-10T04:01:10.426-04:00
    classvulnerability
    contributors
    • nameJ. Daniel Brown
      organizationDTCC
    • nameMike Lah
      organizationThe MITRE Corporation
    • nameMike Lah
      organizationThe MITRE Corporation
    • nameMike Lah
      organizationThe MITRE Corporation
    • nameMike Lah
      organizationThe MITRE Corporation
    • nameRachana Shetty
      organizationSecPod Technologies
    • nameDragos Prisaca
      organizationSymantec Corporation
    • nameDragos Prisaca
      organizationSymantec Corporation
    • nameDragos Prisaca
      organizationSymantec Corporation
    • nameDragos Prisaca
      organizationSymantec Corporation
    • nameDragos Prisaca
      organizationSymantec Corporation
    • nameShane Shaffer
      organizationG2, Inc.
    • nameJosh Turpin
      organizationSymantec Corporation
    • nameChandan S
      organizationSecPod Technologies
    • nameDragos Prisaca
      organizationG2, Inc.
    • nameDragos Prisaca
      organizationG2, Inc.
    • nameMaria Kedovskaya
      organizationALTX-SOFT
    • nameMaria Mikhno
      organizationALTX-SOFT
    • nameMaria Mikhno
      organizationALTX-SOFT
    • nameMaria Mikhno
      organizationALTX-SOFT
    • nameMaria Mikhno
      organizationALTX-SOFT
    • nameMaria Mikhno
      organizationALTX-SOFT
    definition_extensions
    • commentMicrosoft Outlook 2002 is installed
      ovaloval:org.mitre.oval:def:5179
    • commentMicrosoft Outlook 2003 is installed
      ovaloval:org.mitre.oval:def:5505
    • commentMicrosoft Outlook 2007 SP1 is installed
      ovaloval:org.mitre.oval:def:18961
    • commentMicrosoft Outlook 2007 SP2 is installed
      ovaloval:org.mitre.oval:def:18844
    • commentMicrosoft Visio Viewer 2002 is installed
      ovaloval:org.mitre.oval:def:6500
    • commentMicrosoft Office Visio Viewer 2003 is installed
      ovaloval:org.mitre.oval:def:6420
    • commentMicrosoft Office Visio Viewer 2007 is installed
      ovaloval:org.mitre.oval:def:6128
    • commentMicrosoft Visual Studio .NET 2003 SP1 is installed
      ovaloval:org.mitre.oval:def:168
    • commentMicrosoft Visual Studio 2005 Service Pack 1 is installed
      ovaloval:org.mitre.oval:def:6401
    • commentMicrosoft Visual Studio 2008 is installed
      ovaloval:org.mitre.oval:def:5401
    • commentMicrosoft Visual Studio 2008 Service Pack 1 is installed
      ovaloval:org.mitre.oval:def:6205
    • commentMicrosoft Visual C++ 2005 Redistributable Package is installed
      ovaloval:org.mitre.oval:def:29007
    • commentMicrosoft Visual C++ 2008 Redistributable Package is installed
      ovaloval:org.mitre.oval:def:28587
    • commentMicrosoft Windows 2000 is installed
      ovaloval:org.mitre.oval:def:85
    • commentMicrosoft Outlook Express 5.5 SP2 is installed.
      ovaloval:org.mitre.oval:def:504
    • commentMicrosoft Windows 2000 is installed
      ovaloval:org.mitre.oval:def:85
    • commentMicrosoft Outlook Express 6 SP1 is installed.
      ovaloval:org.mitre.oval:def:488
    • commentMicrosoft Outlook Express 6.0 for Windows XP/2003 is installed
      ovaloval:org.mitre.oval:def:208
    • commentMicrosoft Windows XP (32-bit) is installed
      ovaloval:org.mitre.oval:def:1353
    • commentMicrosoft Windows XP (32-bit) is installed
      ovaloval:org.mitre.oval:def:1353
    • commentMicrosoft Windows Server 2003 (32-bit) is installed
      ovaloval:org.mitre.oval:def:1870
    • commentMicrosoft Windows Server 2003 (x64) is installed
      ovaloval:org.mitre.oval:def:730
    • commentMicrosoft Windows Server 2003 (ia64) Gold is installed
      ovaloval:org.mitre.oval:def:396
    • commentMicrosoft Windows XP x64 is installed
      ovaloval:org.mitre.oval:def:15247
    • commentMicrosoft Windows 2000 is installed
      ovaloval:org.mitre.oval:def:85
    • commentWindows Media Player v9 is installed.
      ovaloval:org.mitre.oval:def:2147
    • commentMicrosoft Windows XP (32-bit) is installed
      ovaloval:org.mitre.oval:def:1353
    • commentWindows Media Player v9 is installed.
      ovaloval:org.mitre.oval:def:2147
    • commentMicrosoft Windows XP (32-bit) is installed
      ovaloval:org.mitre.oval:def:1353
    • commentWindows Media Player v9 is installed.
      ovaloval:org.mitre.oval:def:2147
    • commentWindows Media Player v10 is installed.
      ovaloval:org.mitre.oval:def:2172
    • commentMicrosoft Windows XP (32-bit) is installed
      ovaloval:org.mitre.oval:def:1353
    • commentMicrosoft Windows Server 2003 (x64) is installed
      ovaloval:org.mitre.oval:def:730
    • commentMicrosoft Windows XP x64 is installed
      ovaloval:org.mitre.oval:def:15247
    • commentMicrosoft Windows Server 2003 (32-bit) is installed
      ovaloval:org.mitre.oval:def:1870
    • commentMicrosoft Windows XP (32-bit) is installed
      ovaloval:org.mitre.oval:def:1353
    • commentMicrosoft Windows XP x64 is installed
      ovaloval:org.mitre.oval:def:15247
    • commentWindows Media Player v11 is installed.
      ovaloval:org.mitre.oval:def:2126
    • commentMicrosoft Windows Vista (32-bit) is installed
      ovaloval:org.mitre.oval:def:1282
    • commentMicrosoft Windows Vista x64 Edition is installed
      ovaloval:org.mitre.oval:def:2041
    • commentWindows Media Player v11 is installed.
      ovaloval:org.mitre.oval:def:2126
    • commentMicrosoft Windows Vista (32-bit) is installed
      ovaloval:org.mitre.oval:def:1282
    • commentMicrosoft Windows Vista x64 Edition is installed
      ovaloval:org.mitre.oval:def:2041
    • commentMicrosoft Windows Server 2008 (32-bit) is installed
      ovaloval:org.mitre.oval:def:4870
    • commentMicrosoft Windows Server 2008 (64-bit) is installed
      ovaloval:org.mitre.oval:def:5356
    • commentWindows Media Player v11 is installed.
      ovaloval:org.mitre.oval:def:2126
    • commentMicrosoft Windows Vista (32-bit) is installed
      ovaloval:org.mitre.oval:def:1282
    • commentMicrosoft Windows Vista x64 Edition is installed
      ovaloval:org.mitre.oval:def:2041
    • commentMicrosoft Windows Server 2008 (32-bit) is installed
      ovaloval:org.mitre.oval:def:4870
    • commentMicrosoft Windows Server 2008 (64-bit) is installed
      ovaloval:org.mitre.oval:def:5356
    • commentWindows Media Player v11 is installed.
      ovaloval:org.mitre.oval:def:2126
    • commentMicrosoft Windows 2000 is installed
      ovaloval:org.mitre.oval:def:85
    • commentMicrosoft Windows XP (32-bit) is installed
      ovaloval:org.mitre.oval:def:1353
    • commentMicrosoft Windows Server 2003 (32-bit) is installed
      ovaloval:org.mitre.oval:def:1870
    • commentMicrosoft Windows Server 2003 (x64) is installed
      ovaloval:org.mitre.oval:def:730
    • commentMicrosoft Windows Server 2003 (ia64) Gold is installed
      ovaloval:org.mitre.oval:def:396
    • commentMicrosoft Windows Vista (32-bit) is installed
      ovaloval:org.mitre.oval:def:1282
    • commentMicrosoft Windows Vista x64 Edition is installed
      ovaloval:org.mitre.oval:def:2041
    • commentMicrosoft Windows Server 2008 (32-bit) is installed
      ovaloval:org.mitre.oval:def:4870
    • commentMicrosoft Windows Server 2008 (64-bit) is installed
      ovaloval:org.mitre.oval:def:5356
    • commentMicrosoft Windows Server 2008 (ia-64) is installed
      ovaloval:org.mitre.oval:def:5667
    • commentMicrosoft Windows XP x64 is installed
      ovaloval:org.mitre.oval:def:15247
    • commentMicrosoft Windows 2000 is installed
      ovaloval:org.mitre.oval:def:85
    • commentMicrosoft Windows XP (32-bit) is installed
      ovaloval:org.mitre.oval:def:1353
    • commentMicrosoft Windows Server 2003 (32-bit) is installed
      ovaloval:org.mitre.oval:def:1870
    • commentMicrosoft Windows Server 2003 (x64) is installed
      ovaloval:org.mitre.oval:def:730
    • commentMicrosoft Windows Server 2003 (ia64) Gold is installed
      ovaloval:org.mitre.oval:def:396
    • commentMicrosoft Windows XP x64 is installed
      ovaloval:org.mitre.oval:def:15247
    • commentMicrosoft Windows XP (32-bit) is installed
      ovaloval:org.mitre.oval:def:1353
    • commentMicrosoft Windows XP (32-bit) is installed
      ovaloval:org.mitre.oval:def:1353
    • commentMicrosoft Windows Server 2003 (32-bit) is installed
      ovaloval:org.mitre.oval:def:1870
    • commentMicrosoft Windows Server 2003 (x64) is installed
      ovaloval:org.mitre.oval:def:730
    • commentMicrosoft Windows XP x64 is installed
      ovaloval:org.mitre.oval:def:15247
    • commentMicrosoft Windows Server 2003 (ia64) Gold is installed
      ovaloval:org.mitre.oval:def:396
    • commentMicrosoft Windows Vista (32-bit) is installed
      ovaloval:org.mitre.oval:def:1282
    • commentMicrosoft Windows Vista x64 Edition is installed
      ovaloval:org.mitre.oval:def:2041
    • commentMicrosoft Windows Vista (32-bit) is installed
      ovaloval:org.mitre.oval:def:1282
    • commentMicrosoft Windows Vista x64 Edition is installed
      ovaloval:org.mitre.oval:def:2041
    • commentMicrosoft Windows Vista (32-bit) is installed
      ovaloval:org.mitre.oval:def:1282
    • commentMicrosoft Windows Vista x64 Edition is installed
      ovaloval:org.mitre.oval:def:2041
    descriptionThe Active Template Library (ATL) in Microsoft Visual Studio .NET 2003 SP1, Visual Studio 2005 SP1 and 2008 Gold, and Visual C++ 2005 SP1 and 2008 Gold and SP1; and Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2; does not prevent VariantClear calls on an uninitialized VARIANT, which allows remote attackers to execute arbitrary code via a malformed stream to an ATL (1) component or (2) control, related to ATL headers and error handling, aka "ATL Uninitialized Object Vulnerability."
    familywindows
    idoval:org.mitre.oval:def:7581
    statusaccepted
    submitted2009-12-26T17:00:00.000-05:00
    titleATL Uninitialized Object Vulnerability
    version110

Saint

bid35832
descriptionVisual Studio Active Template Library uninitialized object
idmisc_vstudioatl
osvdb56696
titlevisual_studio_atl_uninitialized_object
typeclient

Seebug

bulletinFamilyexploit
descriptionBugraq ID: 35832 CVE ID:CVE-2009-0901 CNCVE ID:CNCVE-20090901 Microsoft Visual Studio是一款微软公司的开发工具套件系列产品。 Microsoft活动模版库(ATL)处理ATL头字段存在问题,远程攻击者可以利用漏洞以应用程序权限执行任意指令。 ATL头字段存在的一个错误允许攻击者对未正确初始化的VARIANT进行VariantClear调用,基于此攻击者可以提供破坏的流触发错误处理过程中来调用VariantClear而控制整个流程。此漏洞只影响安装了使用Visual Studio ATL的组件和控件的系统。攻击者可以构建恶意WEB页,诱使用户打开来触发远程代码执行。 Microsoft Visual Studio 2008 SP1 Microsoft Visual Studio 2008 0 Microsoft Visual Studio 2005 64-bit Hosted Visual C++ Tools SP1 Microsoft Visual Studio 2005 SP1 Microsoft Visual Studio .NET 2003 SP1 Microsoft Visual C++ 2008 Redistributable Package SP1 Microsoft Visual C++ 2008 Redistributable Package 0 Microsoft Visual C++ 2008 SP1 Microsoft Visual C++ 2008 0 Microsoft Visual C++ 2005 Redistributable Package SP1 Microsoft Visual C++ 2005 Redistributable Package 0 Microsoft Visual C++ 2005 SP1 厂商解决方案 用户可参考如下安全补丁: Microsoft Visual C++ 2005 SP1 Microsoft Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package ATL Security Update http://www.microsoft.com/downloads/details.aspx?familyid=766a6af7-ec73 -40ff-b072-9112bab119c2 Microsoft Visual Studio .NET 2003 SP1 Microsoft Visual Studio .NET 2003 Service Pack 1 ATL Security Update http://www.microsoft.com/downloads/details.aspx?FamilyID=63ce454e-f69c -44e3-89fb-eb23c2e2154e Microsoft Visual Studio 2005 SP1 Microsoft Visual Studio 2005 Service Pack 1 ATL Security Update http://www.microsoft.com/downloads/details.aspx?FamilyID=7c8729dc-06a2 -4538-a90d-ff9464dc0197 Microsoft Visual C++ 2008 SP1 Microsoft Microsoft Visual C++ 2008 Service Pack 1 Redistributable Package ATL Security Update http://www.microsoft.com/downloads/details.aspx?familyid=2051a0c1-c9b5 -4b0a-a8f5-770a549fd78c Microsoft Visual Studio 2008 Service Pack 1 ATL Security Update http://www.microsoft.com/downloads/details.aspx?familyid=294de390-3c94 -49fb-a014-9a38580e64cb Microsoft Visual C++ 2008 0 Microsoft Microsoft Visual C++ 2008 Redistributable Package ATL Security Update http://www.microsoft.com/downloads/details.aspx?familyid=8b29655e-9da4 -4b6b-9ac5-687ca0770f93 Microsoft Visual Studio 2008 ATL Security Update http://www.microsoft.com/downloads/details.aspx?familyid=8f9da646-94dd -469d-baea-a4306270462c Microsoft Visual Studio 2005 64-bit Hosted Visual C++ Tools SP1 Microsoft Visual Studio 64-bit Hosted Visual C++ Tools 2005 Service Pack 1 ATL Security Update http://www.microsoft.com/downloads/details.aspx?FamilyID=43f96f2a-69c6 -4c5e-b72c-0edfa35f4fc2
idSSV:11913
last seen2017-11-19
modified2009-07-29
published2009-07-29
reporterRoot
titleMicrosoft Visual Studio ATL 'VariantClear()'远程代码执行漏洞

References