ID: CVE-2011-0976 | Type: cve | Reporter: cve@mitre.org | Modified: 2018-10-12T21:59:00
Description
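Microsoft PowerPoint 2002 SP3, 2003 SP3, and 2007 SP2; Office 2004 and 2008 for Mac; Open XML File Format Converter for Mac; Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP2; and PowerPoint Viewer 2007 SP2 do not properly handle Office Art containers that have invalid records, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a PowerPoint document with a container that triggers certain access to an uninitialized object, aka "OfficeArt Atom RCE Vulnerability."
Note: per the CVSS v2 data and the ZDI advisory in this record, exploitation requires user interaction (the target must open a crafted PowerPoint file), and Microsoft bulletin MS11-022, listed in the references, is the vendor fix. The record's CPE list names only PowerPoint 2007, so CPE-based matching alone may miss the other products named above.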
{"id": "CVE-2011-0976", "bulletinFamily": "NVD", "title": "CVE-2011-0976", "description": "Microsoft PowerPoint 2002 SP3, 2003 SP3, and 2007 SP2; Office 2004 and 2008 for Mac; Open XML File Format Converter for Mac; Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP2; and PowerPoint Viewer 2007 SP2 do not properly handle Office Art containers that have invalid records, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a PowerPoint document with a container that triggers certain access to an uninitialized object, aka \"OfficeArt Atom RCE Vulnerability.\"", "published": "2011-02-10T19:00:00", "modified": "2018-10-12T21:59:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0976", "reporter": "cve@mitre.org", "references": ["http://zerodayinitiative.com/advisories/ZDI-11-044/", "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11978", "http://www.vupen.com/english/advisories/2011/0941", "http://secunia.com/advisories/43213", "http://dvlabs.tippingpoint.com/blog/2011/02/07/zdi-disclosure-microsoft", "http://www.securityfocus.com/archive/1/516233/100/0/threaded", "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-022", "http://www.securitytracker.com/id?1025340", "http://www.us-cert.gov/cas/techalerts/TA11-102A.html"], "cvelist": ["CVE-2011-0976"], "type": "cve", "lastseen": "2020-10-03T11:39:25", "edition": 3, "viewCount": 11, "enchantments": {"dependencies": {"references": [{"type": "zdi", "idList": ["ZDI-11-044"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310801594", "OPENVAS:1361412562310902411", "OPENVAS:801594", "OPENVAS:902411"]}, {"type": "nessus", "idList": ["SMB_NT_MS11-022.NASL", "MACOSX_MS_OFFICE_APR2011.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:11580"]}], "modified": "2020-10-03T11:39:25", 
"rev": 2}, "score": {"value": 8.5, "vector": "NONE", "modified": "2020-10-03T11:39:25", "rev": 2}, "vulnersScore": 8.5}, "cpe": ["cpe:/a:microsoft:powerpoint:2007"], "affectedSoftware": [{"cpeName": "microsoft:powerpoint", "name": "microsoft powerpoint", "operator": "eq", "version": "2007"}], "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": true}, "cvss3": {}, "cpe23": ["cpe:2.3:a:microsoft:powerpoint:2007:*:*:*:*:*:*:*"], "cwe": ["CWE-264"], "scheme": null, "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:microsoft:powerpoint:2007:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}]}}
{"openvas": [{"lastseen": "2017-07-20T08:55:18", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-0976"], "description": "This host is installed with Microsoft Office Power Point and is\nprone to remote code execution vulnerability.\n\nThis NVT has been replaced by NVT secpod_ms11-022.nasl\n(OID:1.3.6.1.4.1.25623.1.0.902411).", "modified": "2017-07-05T00:00:00", "published": "2011-02-23T00:00:00", "id": "OPENVAS:801594", "href": "http://plugins.openvas.org/nasl.php?oid=801594", "type": "openvas", "title": "Microsoft PowerPoint 2007 OfficeArt Atom Remote Code Execution Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms_power_point_code_exec_vuln.nasl 6538 2017-07-05 11:38:27Z cfischer $\n#\n# Microsoft PowerPoint 2007 OfficeArt Atom Remote Code Execution Vulnerability\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation will allow attacker to execute arbitrary\ncodes, can cause memory corruption and other attacks in the context of the\napplication through a crafted Power Point file.\n\nImpact Level: System\";\n\ntag_affected = \"MS PowerPoint 2007 Service Pack 2\";\n\ntag_insight = \"The flaw exists with the way application will parse external\nobjects within an Office Art container. When parsing this object, the\napplication will append an uninitialized object to a list. When destroying this\nobject during document close (WM_DESTROY), the application will access a method\nthat does not exist.\";\n\ntag_solution = \"No solution or patch was made available for at least one year\nsince disclosure of this vulnerability. 
Likely none will be provided anymore.\nGeneral solution options are to upgrade to a newer release, disable respective\nfeatures, remove the product or replace the product by another one.\";\n\ntag_summary = \"This host is installed with Microsoft Office Power Point and is\nprone to remote code execution vulnerability.\n\nThis NVT has been replaced by NVT secpod_ms11-022.nasl\n(OID:1.3.6.1.4.1.25623.1.0.902411).\";\n\nif(description)\n{\n script_id(801594);\n script_version(\"$Revision: 6538 $\");\n script_tag(name:\"deprecated\", value:TRUE);\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-05 13:38:27 +0200 (Wed, 05 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-02-23 12:24:37 +0100 (Wed, 23 Feb 2011)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2011-0976\");\n script_name(\"Microsoft PowerPoint 2007 OfficeArt Atom Remote Code Execution Vulnerability\");\n script_xref(name : \"URL\" , value : \"http://zerodayinitiative.com/advisories/ZDI-11-044/\");\n script_xref(name : \"URL\" , value : \"http://dvlabs.tippingpoint.com/blog/2011/02/07/zdi-disclosure-microsoft\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2011 Greenbone Networks GmbH\");\n script_family(\"Windows\");\n script_dependencies(\"secpod_ms_office_detection_900025.nasl\", \"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"MS/Office/Ver\", \"SMB/Office/PowerPnt/Version\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n exit(0);\n}\n\nexit(66); ## This NVT is 
deprecated as addressed in secpod_ms11-021.nasl.\n\ninclude(\"version_func.inc\");\n\n## check for microsoft office installation\nif(!get_kb_item(\"MS/Office/Ver\") =~ \"^12\\.*\"){\n exit(0);\n}\n\n## Get the ms office power point version\nppVer = get_kb_item(\"SMB/Office/PowerPnt/Version\");\n\n## Check for the MS office power point 2007\nif(ppVer && ppVer =~ \"^12\\.*\"){\n security_message(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-04-07T16:39:37", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-0976"], "description": "This host is installed with Microsoft Office Power Point and is\n prone to remote code execution vulnerability.\n\n This NVT has been replaced by OID:1.3.6.1.4.1.25623.1.0.902411.", "modified": "2020-04-02T00:00:00", "published": "2011-02-23T00:00:00", "id": "OPENVAS:1361412562310801594", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310801594", "type": "openvas", "title": "Microsoft PowerPoint 2007 OfficeArt Atom Remote Code Execution Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft PowerPoint 2007 OfficeArt Atom Remote Code Execution Vulnerability\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.801594\");\n script_version(\"2020-04-02T11:36:28+0000\");\n script_tag(name:\"deprecated\", value:TRUE);\n script_tag(name:\"last_modification\", value:\"2020-04-02 11:36:28 +0000 (Thu, 02 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2011-02-23 12:24:37 +0100 (Wed, 23 Feb 2011)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2011-0976\");\n script_name(\"Microsoft PowerPoint 2007 OfficeArt Atom Remote Code Execution Vulnerability\");\n script_xref(name:\"URL\", value:\"http://zerodayinitiative.com/advisories/ZDI-11-044/\");\n script_xref(name:\"URL\", value:\"http://dvlabs.tippingpoint.com/blog/2011/02/07/zdi-disclosure-microsoft\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2011 Greenbone Networks GmbH\");\n script_family(\"Windows\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker to execute arbitrary\n codes, can cause memory corruption and other attacks in the context of the\n application through a crafted Power Point file.\");\n\n script_tag(name:\"affected\", value:\"MS PowerPoint 2007 Service Pack 2\");\n\n script_tag(name:\"insight\", value:\"The flaw exists with the way application will parse external\n objects within an Office Art container. When parsing this object, the\n application will append an uninitialized object to a list. 
When destroying this\n object during document close (WM_DESTROY), the application will access a method\n that does not exist.\");\n\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since the disclosure\n of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer\n release, disable respective features, remove the product or replace the product by another one.\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Microsoft Office Power Point and is\n prone to remote code execution vulnerability.\n\n This NVT has been replaced by OID:1.3.6.1.4.1.25623.1.0.902411.\");\n\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n\n exit(0);\n}\n\nexit(66); ## This NVT is deprecated as addressed in secpod_ms11-021.nasl.\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-19T10:54:55", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-0976", "CVE-2011-0655", "CVE-2011-0656"], "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS11-022.", "modified": "2017-07-04T00:00:00", "published": "2011-04-13T00:00:00", "id": "OPENVAS:902411", "href": "http://plugins.openvas.org/nasl.php?oid=902411", "type": "openvas", "title": "Microsoft Office PowerPoint Remote Code Execution Vulnerabilities (2489283)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_ms11-022.nasl 6523 2017-07-04 15:46:12Z cfischer $\n#\n# Microsoft Office PowerPoint Remote Code Execution Vulnerabilities (2489283)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2011 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free 
Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation could allow attackers to execute arbitrary code by\n tricking a user into opening a malicious PPT file.\n Impact Level: System\";\ntag_affected = \"Microsoft PowerPoint 2010\n Microsoft PowerPoint Viewer 2010\n Microsoft PowerPoint 2002 Service Pack 3\n Microsoft PowerPoint 2003 Service Pack 3\n Microsoft PowerPoint 2007 Service Pack 2\n Microsoft PowerPoint Viewer 2007 Service Pack 2\";\ntag_insight = \"The flaws are caused by errors related to floating point techno-color time bandit,\n persist directory and OfficeArt atoms, which could be exploited by attackers to\n execute arbitrary code by tricking a user into opening a specially crafted\n PowerPoint file.\";\ntag_solution = \"Run Windows Update and update the listed hotfixes or download and\n update mentioned hotfixes in the advisory from the below link,\n http://www.microsoft.com/technet/security/bulletin/ms11-022.mspx\";\ntag_summary = \"This host is missing a critical security update according to\n Microsoft Bulletin MS11-022.\";\n\nif(description)\n{\n script_id(902411);\n script_version(\"$Revision: 6523 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-04 17:46:12 +0200 (Tue, 04 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-04-13 17:05:53 +0200 (Wed, 13 Apr 2011)\");\n script_cve_id(\"CVE-2011-0655\", \"CVE-2011-0656\", \"CVE-2011-0976\");\n script_tag(name:\"cvss_base\", 
value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Microsoft Office PowerPoint Remote Code Execution Vulnerabilities (2489283)\");\n script_xref(name : \"URL\" , value : \"http://support.microsoft.com/kb/2464617\");\n script_xref(name : \"URL\" , value : \"http://support.microsoft.com/kb/2464588\");\n script_xref(name : \"URL\" , value : \"http://support.microsoft.com/kb/2464594\");\n script_xref(name : \"URL\" , value : \"http://support.microsoft.com/kb/2464623\");\n script_xref(name : \"URL\" , value : \"http://support.microsoft.com/kb/2519975\");\n script_xref(name : \"URL\" , value : \"http://support.microsoft.com/kb/2519984\");\n script_xref(name : \"URL\" , value : \"http://www.microsoft.com/technet/security/Bulletin/MS11-022.mspx\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2010 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"MS/Office/Ver\", \"SMB/Office/PowerPnt/Version\");\n\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(!egrep(pattern:\"^(|10|11|12|14)\\..*\", string:get_kb_item(\"MS/Office/Ver\"))){\n exit(0);\n}\n\npptVer = get_kb_item(\"SMB/Office/PowerPnt/Version\");\nif(pptVer)\n{\n if(egrep(pattern:\"^(|10|11|12|14)\\..*\", string:pptVer))\n {\n ## PowerPoint Check\n ## Check for Powerpnt.exe < 10.0.6868.0 for PowerPoint 2002\n ## Check for Powerpnt.exe < 
11.0.8334.0 for PowerPoint 2003\n ## Check for Powerpnt.exe < 12.0.6545.5000 for PowerPoint 2007\n if(version_in_range(version:pptVer, test_version:\"10.0\", test_version2:\"10.0.6867.0\") ||\n version_in_range(version:pptVer, test_version:\"11.0\", test_version2:\"11.0.8333.0\") ||\n version_in_range(version:pptVer, test_version:\"12.0\", test_version2:\"12.0.6545.4999\"))\n {\n security_message(0);\n exit(0);\n }\n }\n}\n\n# Office Power Point for 2010\nif(registry_key_exists(key:\"SOFTWARE\\Microsoft\\Office\"))\n{\n sysPath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\",\n item:\"ProgramFilesDir\");\n if(sysPath)\n {\n dllVer = fetch_file_version(sysPath, file_name:\"Microsoft Office\\Office14\\ppcore.dll\");\n if(dllVer)\n {\n ## Check for Ppcore.dll < 14.0.5136.5003 for PowerPoint 2010\n if(version_in_range(version:dllVer, test_version:\"14.0\", test_version2:\"14.0.5136.5002\"))\n {\n security_message(0);\n exit(0);\n }\n }\n }\n}\n\nppviewVer = get_kb_item(\"SMB/Office/PPView/Version\");\n\n## PowerPoint Viewer Check\nif (!isnull(ppviewVer))\n{\n ## Check for Pptview.exe < 12.0.6550.5000 for PowerPoint Viewer 2007\n ## Check for Pptview.exe < 14.0.5136.5003 for PowerPoint Viewer 2010\n if(version_in_range(version:ppviewVer, test_version:\"12.0\", test_version2:\"12.0.6550.4999\") ||\n version_in_range(version:ppviewVer, test_version:\"14.0\", test_version2:\"14.0.5136.5002\")){\n security_message(0);\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-01-08T14:04:37", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-0976", "CVE-2011-0655", "CVE-2011-0656"], "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS11-022.", "modified": "2020-01-07T00:00:00", "published": "2011-04-13T00:00:00", "id": "OPENVAS:1361412562310902411", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310902411", "type": 
"openvas", "title": "Microsoft Office PowerPoint Remote Code Execution Vulnerabilities (2489283)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Office PowerPoint Remote Code Execution Vulnerabilities (2489283)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.902411\");\n script_version(\"2020-01-07T09:06:32+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-07 09:06:32 +0000 (Tue, 07 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2011-04-13 17:05:53 +0200 (Wed, 13 Apr 2011)\");\n script_cve_id(\"CVE-2011-0655\", \"CVE-2011-0656\", \"CVE-2011-0976\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Microsoft Office PowerPoint Remote Code Execution Vulnerabilities (2489283)\");\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/kb/2464617\");\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/kb/2464588\");\n script_xref(name:\"URL\", 
value:\"http://support.microsoft.com/kb/2464594\");\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/kb/2464623\");\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/kb/2519975\");\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/kb/2519984\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-022\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2011 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"MS/Office/Ver\", \"SMB/Office/PowerPnt/Version\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation could allow attackers to execute arbitrary code by\n tricking a user into opening a malicious PPT file.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft PowerPoint 2010\n\n - Microsoft PowerPoint Viewer 2010\n\n - Microsoft PowerPoint 2002 Service Pack 3\n\n - Microsoft PowerPoint 2003 Service Pack 3\n\n - Microsoft PowerPoint 2007 Service Pack 2\n\n - Microsoft PowerPoint Viewer 2007 Service Pack 2\");\n\n script_tag(name:\"insight\", value:\"The flaws are caused by errors related to floating point techno-color time bandit,\n persist directory and OfficeArt atoms, which could be exploited by attackers to\n execute arbitrary code by tricking a user into opening a specially crafted PowerPoint file.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security update according to\n Microsoft Bulletin MS11-022.\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-022\");\n\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nofficeVer = get_kb_item(\"MS/Office/Ver\");\n\nif(!officeVer || officeVer !~ \"^1[0124]\\.\"){\n exit(0);\n}\n\npptVer = get_kb_item(\"SMB/Office/PowerPnt/Version\");\nif(pptVer && pptVer =~ \"^1[0124]\\.\")\n{\n if(version_in_range(version:pptVer, test_version:\"10.0\", test_version2:\"10.0.6867.0\") ||\n version_in_range(version:pptVer, test_version:\"11.0\", test_version2:\"11.0.8333.0\") ||\n version_in_range(version:pptVer, test_version:\"12.0\", test_version2:\"12.0.6545.4999\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n\n# Office Power Point for 2010\nif(registry_key_exists(key:\"SOFTWARE\\Microsoft\\Office\"))\n{\n sysPath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\", item:\"ProgramFilesDir\");\n if(sysPath)\n {\n dllVer = fetch_file_version(sysPath:sysPath, file_name:\"Microsoft Office\\Office14\\ppcore.dll\");\n if(dllVer)\n {\n if(version_in_range(version:dllVer, test_version:\"14.0\", test_version2:\"14.0.5136.5002\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n }\n}\n\nppviewVer = get_kb_item(\"SMB/Office/PPView/Version\");\nif(ppviewVer && ppviewVer =~ \"^1[24]\\.\")\n{\n if(version_in_range(version:ppviewVer, test_version:\"12.0\", test_version2:\"12.0.6550.4999\") ||\n version_in_range(version:ppviewVer, test_version:\"14.0\", 
test_version2:\"14.0.5136.5002\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "zdi": [{"lastseen": "2020-06-22T11:40:56", "bulletinFamily": "info", "cvelist": ["CVE-2011-0976"], "edition": 3, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Office Powerpoint 2007. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists with the way the application will parse external objects within an Office Art container. When parsing this object, the application will append an uninitialized object to a list. When destroying this object during document close (WM_DESTROY), the application will access a method that doesn't exist. This can lead to code execution under the context of the application.", "modified": "2011-06-22T00:00:00", "published": "2011-02-07T00:00:00", "href": "https://www.zerodayinitiative.com/advisories/ZDI-11-044/", "id": "ZDI-11-044", "title": "(0Day) Microsoft PowerPoint 2007 OfficeArt Atom Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-01T05:43:32", "description": "The remote Windows host has a version of Microsoft PowerPoint that is\naffected by multiple code execution vulnerabilities. 
A remote attacker\ncould exploit this by tricking a user into viewing a maliciously\ncrafted PowerPoint file.", "edition": 27, "published": "2011-04-13T00:00:00", "title": "MS11-022: Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2489283)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-0976", "CVE-2011-0655", "CVE-2011-0656"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:microsoft:powerpoint_viewer", "cpe:/a:microsoft:powerpoint", "cpe:/a:microsoft:office", "cpe:/a:microsoft:office_compatibility_pack"], "id": "SMB_NT_MS11-022.NASL", "href": "https://www.tenable.com/plugins/nessus/53379", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(53379);\n script_version(\"1.26\");\n script_cvs_date(\"Date: 2019/12/13\");\n\n script_cve_id(\"CVE-2011-0655\", \"CVE-2011-0656\", \"CVE-2011-0976\");\n script_bugtraq_id(46228, 47251, 47252);\n script_xref(name:\"MSFT\", value:\"MS11-022\");\n script_xref(name:\"MSKB\", value:\"2464588\");\n script_xref(name:\"MSKB\", value:\"2464594\");\n script_xref(name:\"MSKB\", value:\"2464617\");\n script_xref(name:\"MSKB\", value:\"2464623\");\n script_xref(name:\"MSKB\", value:\"2464635\");\n script_xref(name:\"MSKB\", value:\"2519975\");\n script_xref(name:\"MSKB\", value:\"2519984\");\n script_xref(name:\"MSKB\", value:\"2520047\");\n\n script_name(english:\"MS11-022: Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2489283)\");\n script_summary(english:\"Checks version of PowerPoint\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Arbitrary code can be executed on the remote host through Microsoft\nPowerPoint.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host has a version of Microsoft PowerPoint that is\naffected by multiple code execution vulnerabilities. 
A remote attacker\ncould exploit this by tricking a user into viewing a maliciously\ncrafted PowerPoint file.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-11-044/\");\n # https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2011/ms11-022\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?aa74871a\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for PowerPoint 2002, 2003,\n2007, 2010, PowerPoint Viewer 2007 and 2010, Office Compatibility\nPack, and Office Web Apps.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/02/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/04/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/04/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office_compatibility_pack\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:powerpoint\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:powerpoint_viewer\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_nt_ms02-031.nasl\", \"office_installed.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n\n exit(0);\n}\n\n\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"audit.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS11-022';\nkbs = make_list(\"2464588\", \"2464594\", \"2464617\", \"2464623\", \"2464635\", \"2519975\", \"2519984\", \"2520047\");\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\n\n# PowerPoint.\ninfo = \"\";\n\n\n\n# First check office web apps\nport = kb_smb_transport();\nlogin = kb_smb_login();\npass = kb_smb_password();\ndomain = kb_smb_domain();\n\nif(! smb_session_init()) audit(AUDIT_FN_FAIL, \"smb_session_init\");\n\n\nrc = NetUseAdd(login:login, password:pass, domain:domain, share:\"IPC$\");\nif (rc != 1)\n{\n NetUseDel();\n audit(AUDIT_SHARE_FAIL, \"IPC$\");\n\n}\n\n\n# Connect to remote registry.\nhklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);\nif (isnull(hklm))\n{\n NetUseDel();\n audit(AUDIT_REG_FAIL);\n}\n\nowa_path = NULL;\n\nkey = \"SOFTWARE\\Microsoft\\Office Server\\14.0\";\nkey_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);\nif (!isnull(key_h))\n{\n value = RegQueryValue(handle:key_h, item:\"InstallPath\");\n if (!isnull(value))\n owa_path = value[1];\n\n RegCloseKey(handle:key_h);\n}\n\nRegCloseKey(handle:hklm);\nNetUseDel();\n\nif (owa_path)\n{\n share = owa_path[0] + '$';\n if (is_accessible_share(share:share))\n {\n kb = '2520047';\n owa_path = owa_path + \"\\WebServices\\ConversionService\\Bin\\Converter\";\n\n if (hotfix_is_vulnerable(file:\"msoserver.dll\", version:\"14.0.5136.5002\", min_version:\"14.0.0.0\", path:owa_path, 
bulletin:bulletin, kb:kb))\n {\n file = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", string:owa_path, replace:\"\\1\\msoserver.dll\");\n kb_name = \"SMB/FileVersions/\"+tolower(share-'$')+tolower(str_replace(string:file, find:\"\\\", replace:\"/\"));\n version = get_kb_item(kb_name);\n\n info =\n '\\n Product : Office Web Apps 2010' +\n '\\n Path : ' + owa_path + '\\\\msoserver.dll' +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 14.0.5136.5002' + '\\n';\n\n hcf_report = '';\n hotfix_add_report(info, bulletin:bulletin, kb:kb);\n vuln = TRUE;\n }\n }\n else debug_print('is_accessible_share() failed on ' + owa_path);\n}\n\n# Check powerpoint versions\ninstalls = get_kb_list(\"SMB/Office/PowerPoint/*/ProductPath\");\nif (!isnull(installs))\n{\n foreach install (keys(installs))\n {\n version = install - 'SMB/Office/PowerPoint/' - '/ProductPath';\n path = installs[install];\n\n info = NULL;\n ver = split(version, sep:'.', keep:FALSE);\n for (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\n\n # PowerPoint 2010\n if (ver[0] == 14 && path != 'n/a')\n {\n office_sp = get_kb_item(\"SMB/Office/2010/SP\");\n if (!isnull(office_sp) && office_sp == 0)\n {\n kb = '2519975';\n path = ereg_replace(pattern:\"^([A-Za-z]:.*)\\\\PowerPnt.exe\", string:path, replace:\"\\1\");\n share = hotfix_path2share(path:path);\n\n if (is_accessible_share(share:share))\n {\n old_report = hotfix_get_report();\n\n if (hotfix_is_vulnerable(file:\"ppcore.dll\", version:\"14.0.5136.5003\", min_version:\"14.0.0.0\", path:path, bulletin:bulletin, kb:kb))\n {\n file = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", string:path, replace:\"\\1\\ppcore.dll\");\n kb_name = \"SMB/FileVersions/\"+tolower(share-'$')+tolower(str_replace(string:file, find:\"\\\", replace:\"/\"));\n version = get_kb_item(kb_name);\n\n info =\n '\\n Product : PowerPoint 2010' +\n '\\n Path : ' + path + '\\\\ppcore.dll' +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 14.0.5136.5003\\n';\n }\n }\n else 
debug_print('is_accessible_share() failed on ' + path);\n }\n }\n\n # PowerPoint 2007.\n else if (ver[0] == 12 && path != 'n/a')\n {\n office_sp = get_kb_item(\"SMB/Office/2007/SP\");\n if (!isnull(office_sp) && office_sp == 2)\n {\n kb = \"2464594\";\n path = ereg_replace(pattern:\"^([A-Za-z]:.*)\\\\PowerPnt.exe\", string:path, replace:\"\\1\");\n share = hotfix_path2share(path:path);\n share = path[0] + '$';\n\n if (is_accessible_share(share:share))\n {\n old_report = hotfix_get_report();\n\n if (hotfix_is_vulnerable(file:\"ppcore.dll\", version:\"12.0.6550.5000\", min_version:\"12.0.0.0\", path:path, bulletin:bulletin, kb:kb))\n {\n file = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", string:path, replace:\"\\1\\ppcore.dll\");\n kb_name = \"SMB/FileVersions/\"+tolower(share-'$')+tolower(str_replace(string:file, find:\"\\\", replace:\"/\"));\n version = get_kb_item(kb_name);\n\n info =\n '\\n Product : PowerPoint 2007' +\n '\\n Path : ' + path + '\\\\ppcore.dll' +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 12.0.6550.5000\\n';\n hotfix_check_fversion_end();\n }\n }\n else debug_print('is_accessible_share() failed on ' + path);\n }\n }\n # PowerPoint 2003.\n else if (ver[0] == 11 && ver[1] == 0 && ver[2] < 8334)\n {\n office_sp = get_kb_item(\"SMB/Office/2003/SP\");\n if (!isnull(office_sp) && office_sp == 3)\n {\n kb = \"2464588\";\n info =\n '\\n Product : PowerPoint 2003\\n' +\n ' File : ' + path + '\\n' +\n ' Installed version : ' + version + '\\n' +\n ' Fixed version : 11.0.8334.0\\n';\n }\n }\n # PowerPoint 2002.\n else if (ver[0] == 10 && ver[1] == 0 && ver[2] < 6868)\n {\n office_sp = get_kb_item(\"SMB/Office/XP/SP\");\n if (!isnull(office_sp) && office_sp == 3)\n {\n kb = \"2464617\";\n info =\n '\\n Product : PowerPoint 2002\\n' +\n ' File : ' + path + '\\n' +\n ' Installed version : ' + version + '\\n' +\n ' Fixed version : 10.0.6868.0\\n';\n }\n }\n\n if (info)\n {\n hcf_report = '';\n hotfix_add_report(old_report + info, 
bulletin:bulletin, kb:kb);\n vuln = TRUE;\n }\n }\n}\n\n\n# PowerPoint Viewer.\ninstalls = get_kb_list(\"SMB/Office/PowerPointViewer/*/ProductPath\");\nif (!isnull(installs))\n{\n foreach install (keys(installs))\n {\n version = install - 'SMB/Office/PowerPointViewer/' - '/ProductPath';\n path = installs[install];\n\n ver = split(version, sep:'.', keep:FALSE);\n for (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\n\n # Office PowerPoint Viewer 2010\n if (\n ver[0] == 14 && ver[1] == 0 &&\n (\n ver[2] < 5136 ||\n (ver[2] == 5136 && ver[3] < 5003)\n )\n )\n {\n kb = \"2519984\";\n info =\n '\\n Product : PowerPoint Viewer 2010\\n' +\n ' File : ' + path + '\\n' +\n ' Installed version : ' + version + '\\n' +\n ' Fixed version : 14.0.5136.5003\\n';\n hotfix_add_report(info, bulletin:bulletin, kb:kb);\n vuln = TRUE;\n }\n # PowerPoint Viewer 2007.\n else if (\n ver[0] == 12 && ver[1] == 0 &&\n (\n ver[2] < 6550 ||\n (ver[2] == 6550 && ver[3] < 5000)\n )\n )\n {\n kb = \"2464623\";\n info =\n '\\n Product : PowerPoint Viewer 2007\\n' +\n ' File : ' + path + '\\n' +\n ' Installed version : ' + version + '\\n' +\n ' Fixed version : 12.0.6550.5000\\n';\n hotfix_add_report(info, bulletin:bulletin, kb:kb);\n vuln = TRUE;\n }\n }\n}\n\n\n# PowerPoint Converter.\ninstalls = get_kb_list(\"SMB/Office/PowerPointCnv/*/ProductPath\");\nif (!isnull(installs))\n{\n foreach install (keys(installs))\n {\n version = install - 'SMB/Office/PowerPointCnv/' - '/ProductPath';\n path = installs[install];\n\n ver = split(version, sep:'.', keep:FALSE);\n for (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\n\n path = ereg_replace(pattern:\"^([A-Za-z]:.*)\\\\Ppcnvcom.exe\", string:path, replace:\"\\1\");\n info = NULL;\n\n # PowerPoint 2007 converter.\n if (ver[0] == 12 && path)\n {\n kb = \"2464635\";\n share = path[0] + '$';\n\n if (is_accessible_share(share:share))\n {\n old_report = hotfix_get_report();\n\n if (hotfix_is_vulnerable(file:\"ppcnv.dll\", version:\"12.0.6550.5000\", 
min_version:\"12.0.0.0\", path:path, bulletin:bulletin, kb:kb))\n {\n file = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", string:path, replace:\"\\1\\ppcnv.dll\");\n kb_name = \"SMB/FileVersions/\"+tolower(share-'$')+tolower(str_replace(string:file, find:\"\\\", replace:\"/\"));\n version = get_kb_item(kb_name);\n\n vuln = TRUE;\n info =\n '\\n Product : PowerPoint 2007 Converter' +\n '\\n Path : ' + path + '\\\\ppcnv.dll' +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 12.0.6550.5000\\n';\n hcf_report = '';\n hotfix_add_report(old_report + info, bulletin:bulletin, kb:kb);\n }\n }\n else debug_print('is_accessible_share() failed on ' + path);\n }\n }\n}\n\nhotfix_check_fversion_end();\n\n# report if office webapps, powerpoint converter, or powerpoint viewer\n# are unpatched\nif (vuln)\n{\n set_kb_item(name:\"SMB/Missing/\" + bulletin, value:TRUE);\n hotfix_security_hole();\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, 'affected');\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-14T16:10:58", "description": "The remote Mac OS X host is running a version of Microsoft Office that\nis affected by several vulnerabilities.\n\nIf an attacker can trick a user on the affected host into opening a\nspecially crafted Office file, these issues could be leveraged to\nexecute arbitrary code subject to the user's privileges.", "edition": 15, "published": "2011-04-13T00:00:00", "title": "MS11-021 / MS11-022 / MS11-023: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2489279 / 2489283 / 2489293) (Mac OS X)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-0097", "CVE-2011-0979", "CVE-2011-0105", "CVE-2011-0976", "CVE-2011-0098", "CVE-2011-0978", "CVE-2011-0103", "CVE-2011-0655", "CVE-2011-0656", "CVE-2011-0101", "CVE-2011-0104", "CVE-2011-0977", "CVE-2011-0980"], "modified": "2011-04-13T00:00:00", "cpe": ["cpe:/a:microsoft:open_xml_file_format_converter:::mac", 
"cpe:/a:microsoft:office:2011::mac", "cpe:/a:microsoft:office:2004::mac", "cpe:/a:microsoft:office:2008::mac"], "id": "MACOSX_MS_OFFICE_APR2011.NASL", "href": "https://www.tenable.com/plugins/nessus/53374", "sourceData": "#TRUSTED 3dbb80909b11b14dd01195e3769775f6316a6eb5b40e63da58b86fbd56b1e962d228b6f919890790ebc9b6bfda7a21d337df920e2c83a47723b39568cb15b0ad9de3c6deaed84d014b57446aa897b4c1207134c3c33d23db4d6569365d811ca8267d8b3e79281619c493de58520923626586af57914f759fcadd044c34fb5b63c099489f648efad331a249c1875d371c78283ef5bf57a23772c1216ca3fce8681bfa57512d6b70e8dd19681a83d527059b4d9a9dbb3511ec57cb9ae568cd12415dbe63a336f8a342122a24991b02a58b408e98a5e45c09c88ada659f77a31c727dbbfba94bb135351fda34d378e6a8efc292ade4b9acc3b1bd3f009e35dd8ab4e6eb01b852637ade8ddbeb05b51da3557478c618167bf7c9aedf584d8b8f9cf1681a145098f66dc9c3c127cf6204457d033ab4c5d22f93b855d981eae3c51675149f33cc32824ec90d0510bf03a85926e21e450eb89fa941b4d89693a57cb8e8ece3d1533184322df565b0f583708b530a7d52496d525aac7f8d96b8e2c7ad75aa194fcd635a76b3a26fd9c387d30dbc88302d0874ac16d9ab9d364ce714dee8870892419c44b078714b69bb0e3221a3efebbe4061533ee781a222d5ab3e64ee1d9f776123cc3ae3164ed70973a287cf5792f260c06803578c3f7ac011edf9117f7d2493452891366aa1b1a6edc5d5bf9310431a9019712923d939d0a81fe6bb\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(53374);\n script_version(\"1.28\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/05\");\n\n script_cve_id(\n \"CVE-2011-0097\",\n \"CVE-2011-0098\",\n \"CVE-2011-0101\",\n \"CVE-2011-0103\",\n \"CVE-2011-0104\",\n \"CVE-2011-0105\",\n \"CVE-2011-0655\",\n \"CVE-2011-0656\",\n \"CVE-2011-0976\",\n \"CVE-2011-0977\",\n \"CVE-2011-0978\",\n \"CVE-2011-0979\",\n \"CVE-2011-0980\"\n );\n script_bugtraq_id(\n 46225,\n 46226,\n 46227,\n 46228,\n 46229,\n 47201,\n 47243,\n 47244,\n 47245,\n 47251,\n 47252\n );\n script_xref(name:\"MSFT\", value:\"MS11-021\");\n script_xref(name:\"IAVA\", 
value:\"2011-A-0045-S\");\n script_xref(name:\"MSFT\", value:\"MS11-022\");\n script_xref(name:\"MSFT\", value:\"MS11-023\");\n script_xref(name:\"MSKB\", value:\"2489279\");\n script_xref(name:\"MSKB\", value:\"2489283\");\n script_xref(name:\"MSKB\", value:\"2489293\");\n script_xref(name:\"MSKB\", value:\"2505924\");\n script_xref(name:\"MSKB\", value:\"2505927\");\n script_xref(name:\"MSKB\", value:\"2505935\");\n script_xref(name:\"MSKB\", value:\"2525412\");\n\n script_name(english:\"MS11-021 / MS11-022 / MS11-023: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2489279 / 2489283 / 2489293) (Mac OS X)\");\n script_summary(english:\"Check version of Microsoft Office\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application installed on the remote Mac OS X host is affected by\nmultiple remote code execution vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Mac OS X host is running a version of Microsoft Office that\nis affected by several vulnerabilities.\n\nIf an attacker can trick a user on the affected host into opening a\nspecially crafted Office file, these issues could be leveraged to\nexecute arbitrary code subject to the user's privileges.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://technet.microsoft.com/en-us/security/bulletin/ms11-021\");\n script_set_attribute(attribute:\"see_also\", value:\"http://technet.microsoft.com/en-us/security/bulletin/ms11-022\");\n script_set_attribute(attribute:\"see_also\", value:\"http://technet.microsoft.com/en-us/security/bulletin/ms11-023\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Office for Mac 2011,\nOffice 2008 for Mac, Office 2004 for Mac, and Open XML File Format\nConverter for Mac.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n 
script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'White_Phosphorus');\n script_set_attribute(attribute:\"metasploit_name\", value:'MS11-021 Microsoft Office 2007 Excel .xlb Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/02/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/04/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/04/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office:2004::mac\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office:2008::mac\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office:2011::mac\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:open_xml_file_format_converter:::mac\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2011-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/MacOSX/packages\", \"Host/uname\");\n\n exit(0);\n}\n\n\ninclude(\"misc_func.inc\");\ninclude(\"ssh_func.inc\");\ninclude(\"macosx_func.inc\");\n\n\n\nif(sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS)\n enable_ssh_wrappers();\nelse disable_ssh_wrappers();\n\nfunction exec(cmd)\n{\n local_var buf, ret;\n\n if (islocalhost())\n buf = pread(cmd:\"/bin/bash\", argv:make_list(\"bash\", \"-c\", cmd));\n else\n {\n ret = ssh_open_connection();\n if (!ret) exit(1, \"ssh_open_connection() failed.\");\n buf = ssh_cmd(cmd:cmd);\n ssh_close_connection();\n }\n return buf;\n}\n\n\npackages = get_kb_item(\"Host/MacOSX/packages\");\nif (!packages) exit(1, \"The 'Host/MacOSX/packages' KB item is missing.\");\n\nuname = get_kb_item(\"Host/uname\");\nif (!uname) exit(1, \"The 'Host/uname' KB item is missing.\");\nif (!egrep(pattern:\"Darwin.*\", string:uname)) exit(1, \"The host does not appear to be using the Darwin sub-system.\");\n\n\n# Gather version info.\ninfo = '';\ninstalls = make_array();\n\nprod = 'Office for Mac 2011';\nplist = \"/Applications/Microsoft Office 2011/Office/MicrosoftComponentPlugin.framework/Versions/14/Resources/Info.plist\";\ncmd = 'cat \\'' + plist + '\\' | ' +\n 'grep -A 1 CFBundleShortVersionString | ' +\n 'tail -n 1 | ' +\n 'sed \\'s/.*string>\\\\(.*\\\\)<\\\\/string>.*/\\\\1/g\\'';\nversion = exec(cmd:cmd);\nif (version && version =~ \"^[0-9]+\\.\")\n{\n version = chomp(version);\n if (version !~ \"^14\\.\") exit(1, \"Failed to get the version for \"+prod+\" - '\"+version+\"'.\");\n\n installs[prod] = version;\n\n ver = split(version, sep:'.', keep:FALSE);\n for (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\n\n fixed_version = '14.1.0';\n fix = split(fixed_version, sep:'.', keep:FALSE);\n for (i=0; i<max_index(fix); i++)\n fix[i] = int(fix[i]);\n\n for (i=0; i<max_index(fix); i++)\n if ((ver[i] < fix[i]))\n {\n info +=\n 
'\\n Product : ' + prod +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed_version + '\\n';\n break;\n }\n else if (ver[i] > fix[i])\n break;\n}\n\nprod = 'Office 2008 for Mac';\nplist = \"/Applications/Microsoft Office 2008/Office/MicrosoftComponentPlugin.framework/Versions/12/Resources/Info.plist\";\ncmd = 'cat \\'' + plist + '\\' | ' +\n 'grep -A 1 CFBundleShortVersionString | ' +\n 'tail -n 1 | ' +\n 'sed \\'s/.*string>\\\\(.*\\\\)<\\\\/string>.*/\\\\1/g\\'';\nversion = exec(cmd:cmd);\nif (version && version =~ \"^[0-9]+\\.\")\n{\n version = chomp(version);\n if (version !~ \"^12\\.\") exit(1, \"Failed to get the version for \"+prod+\" - '\"+version+\"'.\");\n\n installs[prod] = version;\n\n ver = split(version, sep:'.', keep:FALSE);\n for (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\n\n fixed_version = '12.2.9';\n fix = split(fixed_version, sep:'.', keep:FALSE);\n for (i=0; i<max_index(fix); i++)\n fix[i] = int(fix[i]);\n\n for (i=0; i<max_index(fix); i++)\n if ((ver[i] < fix[i]))\n {\n info +=\n '\\n Product : ' + prod +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed_version + '\\n';\n break;\n }\n else if (ver[i] > fix[i])\n break;\n}\n\nprod = 'Office 2004 for Mac';\ncmd = GetCarbonVersionCmd(file:\"Microsoft Component Plugin\", path:\"/Applications/Microsoft Office 2004/Office\");\nversion = exec(cmd:cmd);\nif (version && version =~ \"^[0-9]+\\.\")\n{\n version = chomp(version);\n if (version !~ \"^11\\.\") exit(1, \"Failed to get the version for \"+prod+\" - '\"+version+\"'.\");\n\n installs[prod] = version;\n\n ver = split(version, sep:'.', keep:FALSE);\n for (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\n\n fixed_version = '11.6.3';\n fix = split(fixed_version, sep:'.', keep:FALSE);\n for (i=0; i<max_index(fix); i++)\n fix[i] = int(fix[i]);\n\n for (i=0; i<max_index(fix); i++)\n if ((ver[i] < fix[i]))\n {\n info +=\n '\\n Product : ' + prod +\n '\\n Installed version : ' + version +\n 
'\\n Fixed version : ' + fixed_version + '\\n';\n break;\n }\n else if (ver[i] > fix[i])\n break;\n}\n\nprod = 'Open XML File Format Converter for Mac';\nplist = \"/Applications/Open XML Converter.app/Contents/Info.plist\";\ncmd = 'cat \\'' + plist + '\\' | ' +\n 'grep -A 1 CFBundleShortVersionString | ' +\n 'tail -n 1 | ' +\n 'sed \\'s/.*string>\\\\(.*\\\\)<\\\\/string>.*/\\\\1/g\\'';\nversion = exec(cmd:cmd);\nif (version && version =~ \"^[0-9]+\\.\")\n{\n version = chomp(version);\n installs[prod] = version;\n\n ver = split(version, sep:'.', keep:FALSE);\n for (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\n\n fixed_version = '1.1.9';\n fix = split(fixed_version, sep:'.', keep:FALSE);\n for (i=0; i<max_index(fix); i++)\n fix[i] = int(fix[i]);\n\n for (i=0; i<max_index(fix); i++)\n if ((ver[i] < fix[i]))\n {\n info +=\n '\\n Product : ' + prod +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed_version + '\\n';\n break;\n }\n else if (ver[i] > fix[i])\n break;\n}\n\n\n# Report findings.\nif (info)\n{\n gs_opt = get_kb_item(\"global_settings/report_verbosity\");\n if (gs_opt && gs_opt != 'Quiet') security_hole(port:0, extra:info);\n else security_hole(0);\n\n exit(0);\n}\nelse\n{\n if (max_index(keys(installs)) == 0) exit(0, \"Office for Mac / Open XML File Format Converter is not installed.\");\n else\n {\n msg = 'The host has ';\n foreach prod (sort(keys(installs)))\n msg += prod + ' ' + installs[prod] + ' and ';\n msg = substr(msg, 0, strlen(msg)-1-strlen(' and '));\n\n msg += ' installed and thus is not affected.';\n\n exit(0, msg);\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:41", "bulletinFamily": "software", "cvelist": ["CVE-2011-0097", "CVE-2011-0979", "CVE-2011-0105", "CVE-2011-0976", "CVE-2011-0098", "CVE-2011-0978", "CVE-2011-0103", "CVE-2011-0655", "CVE-2011-0656", "CVE-2011-0107", "CVE-2011-0101", "CVE-2011-0104", "CVE-2011-0977", 
"CVE-2011-0980"], "description": "Multiple memory corruptions in Excel and PowerPoint, unsafe DLL loading, memory corruption in Office Graphic.", "edition": 1, "modified": "2011-04-17T00:00:00", "published": "2011-04-17T00:00:00", "id": "SECURITYVULNS:VULN:11580", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:11580", "title": "Microsoft Office multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}