Untrusted search path vulnerability in Microsoft Lync 2010, 2010 Attendee, and 2010 Attendant allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains a .ocsmeet file, aka "Lync Insecure Library Loading Vulnerability."
{"symantec": [{"lastseen": "2021-06-08T19:04:31", "description": "### Description\n\nMicrosoft Lync is prone to a vulnerability that lets attackers execute arbitrary code. An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location which contains a specially crafted Dynamic Link Library (DLL) file. Successful exploits will compromise the application in the context of the currently logged-in user.\n\n### Technologies Affected\n\n * Microsoft Lync 2010 \n * Microsoft Lync 2010 Attendant (32-bit) \n * Microsoft Lync 2010 Attendant (64-bit) \n * Microsoft Lync 2010 Attendee \n * Microsoft Office Communicator 2007 R2 \n\n### Recommendations\n\n**Block external access at the network boundary, unless external parties require service.** \nIf global access isn't needed, filter access to the affected computer at the network boundary. Restricting access to only trusted computers and networks might greatly reduce the likelihood of successful exploits.\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Do not accept or execute files from untrusted or unknown sources.** \nExercise caution when handling files received from unfamiliar or suspicious sources.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\nThe vendor has released an advisory and updates. 
Please see the references for details.\n", "cvss3": {}, "published": "2012-06-12T00:00:00", "type": "symantec", "title": "Microsoft Lync CVE-2012-1849 DLL Loading Arbitrary Code Execution Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2012-1849"], "modified": "2012-06-12T00:00:00", "id": "SMNTC-53831", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/53831", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "checkpoint_advisories": [{"lastseen": "2022-11-28T07:10:15", "description": "A remote code execution vulnerability has been reported in Microsoft Lync.", "cvss3": {}, "published": "2012-06-18T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Lync Insecure Library Loading Code Execution (MS12-039; CVE-2012-1849)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-1849"], "modified": "2022-11-27T00:00:00", "id": "CPAI-2012-254", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}], "openvas": [{"lastseen": "2017-07-14T10:50:56", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS12-039.", "cvss3": {}, "published": "2012-06-13T00:00:00", "type": "openvas", "title": "Microsoft Lync Remote Code Execution Vulnerabilities (2707956)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-1858", "CVE-2011-3402", "CVE-2012-0159", "CVE-2012-1849"], "modified": "2017-06-29T00:00:00", "id": "OPENVAS:902842", "href": "http://plugins.openvas.org/nasl.php?oid=902842", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_ms12-039.nasl 6473 2017-06-29 06:07:30Z cfischer $\n#\n# Microsoft Lync Remote Code Execution Vulnerabilities (2707956)\n#\n# Authors:\n# Sooraj KS <kssooraj@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2012 SecPod, http://www.secpod.com\n#\n# This 
program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation could allow an attacker to execute arbitrary code\n with kernel-level privileges. Failed exploit attempts may result in a\n denial of service condition.\n Impact Level: System/Application\";\ntag_affected = \"Microsoft Lync 2010\n Microsoft Lync 2010 Attendee\n Microsoft Lync 2010 Attendant\n Microsoft Communicator 2007 R2\";\ntag_insight = \"- An error within the Win32k kernel-mode driver (win32k.sys) when parsing\n TrueType fonts.\n - An error in the t2embed.dll module when parsing TrueType fonts.\n - The client loads libraries in an insecure manner, which can be exploited\n to load arbitrary libraries by tricking a user into opening a '.ocsmeet'\n file located on a remote WebDAV or SMB share.\n - An unspecified error in the 'SafeHTML' API when sanitising HTML code can\n be exploited to execute arbitrary HTML and script code in the user's chat\n session.\";\ntag_solution = \"Run Windows Update and update the listed hotfixes or download and\n update mentioned hotfixes in the advisory from the below link,\n http://technet.microsoft.com/en-us/security/bulletin/ms12-039\";\ntag_summary = \"This host is missing a critical security update according to\n Microsoft Bulletin 
MS12-039.\";\n\nif(description)\n{\n script_id(902842);\n script_version(\"$Revision: 6473 $\");\n script_bugtraq_id(50462, 53335, 53831, 53833);\n script_cve_id(\"CVE-2011-3402\", \"CVE-2012-0159\", \"CVE-2012-1849\", \"CVE-2012-1858\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-06-29 08:07:30 +0200 (Thu, 29 Jun 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-06-13 11:11:11 +0530 (Wed, 13 Jun 2012)\");\n script_name(\"Microsoft Lync Remote Code Execution Vulnerabilities (2707956)\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/48429\");\n script_xref(name : \"URL\" , value : \"http://www.securitytracker.com/id/1027150\");\n script_xref(name : \"URL\" , value : \"http://technet.microsoft.com/en-us/security/bulletin/ms12-039\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2012 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_ms_lync_detect_win.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"MS/Lync/Installed\");\n\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n## Variables Initialization\npath = \"\";\noglVer = \"\";\nattVer = \"\";\ncommVer = \"\";\n\n## Check for Microsoft Lync 2010/Communicator 2007 R2\nif(get_kb_item(\"MS/Lync/Ver\"))\n{\n ## Get Installed Path\n path = get_kb_item(\"MS/Lync/path\");\n if(path)\n {\n ## Get Version 
from communicator.exe\n commVer = fetch_file_version(sysPath:path, file_name:\"communicator.exe\");\n if(commVer)\n {\n if(version_in_range(version:commVer, test_version:\"3.5\", test_version2:\"3.5.6907.252\")||\n version_in_range(version:commVer, test_version:\"4.0\", test_version2:\"4.0.7577.4097\"))\n {\n security_message(0);\n exit(0);\n }\n }\n }\n}\n\n## For Microsoft Lync 2010 Attendee (admin level install) \n## For Microsoft Lync 2010 Attendee (user level install) \nif(get_kb_item(\"MS/Lync/Attendee/Ver\"))\n{\n ## Get Installed Path\n path = get_kb_item(\"MS/Lync/Attendee/path\");\n if(path)\n {\n ## Get Version from Ogl.dll\n oglVer = fetch_file_version(sysPath:path, file_name:\"Ogl.dll\");\n if(oglVer)\n {\n if(version_in_range(version:oglVer, test_version:\"4.0\", test_version2:\"4.0.7577.4097\"))\n {\n security_message(0);\n exit(0);\n }\n }\n }\n}\n\n## Check for Microsoft Lync 2010 Attendant\nif(get_kb_item(\"MS/Lync/Attendant/Ver\"))\n{\n ## Get Installed Path\n path = get_kb_item(\"MS/Lync/Attendant/path\");\n if(path)\n {\n ## Get Version from AttendantConsole.exe\n attVer = fetch_file_version(sysPath:path, file_name:\"AttendantConsole.exe\");\n if(attVer)\n {\n if(version_in_range(version:attVer, test_version:\"4.0\", test_version2:\"4.0.7577.4097\"))\n {\n security_message(0);\n exit(0);\n }\n }\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-06-10T19:55:18", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS12-039.", "cvss3": {}, "published": "2012-06-13T00:00:00", "type": "openvas", "title": "Microsoft Lync Remote Code Execution Vulnerabilities (2707956)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-1858", "CVE-2011-3402", "CVE-2012-0159", "CVE-2012-1849"], "modified": "2020-06-09T00:00:00", "id": "OPENVAS:1361412562310902842", "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310902842", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Lync Remote Code Execution Vulnerabilities (2707956)\n#\n# Authors:\n# Sooraj KS <kssooraj@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2012 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.902842\");\n script_version(\"2020-06-09T10:15:40+0000\");\n script_bugtraq_id(50462, 53335, 53831, 53833);\n script_cve_id(\"CVE-2011-3402\", \"CVE-2012-0159\", \"CVE-2012-1849\", \"CVE-2012-1858\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-09 10:15:40 +0000 (Tue, 09 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2012-06-13 11:11:11 +0530 (Wed, 13 Jun 2012)\");\n script_name(\"Microsoft Lync Remote Code Execution Vulnerabilities (2707956)\");\n script_xref(name:\"URL\", value:\"http://www.securitytracker.com/id/1027150\");\n script_xref(name:\"URL\", 
value:\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-039\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2012 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_ms_lync_detect_win.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"MS/Lync/Installed\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation could allow an attacker to execute arbitrary code\n with kernel-level privileges. Failed exploit attempts may result in a\n denial of service condition.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Lync 2010\n\n - Microsoft Lync 2010 Attendee\n\n - Microsoft Lync 2010 Attendant\n\n - Microsoft Communicator 2007 R2\");\n\n script_tag(name:\"insight\", value:\"- An error within the Win32k kernel-mode driver (win32k.sys) when parsing\n TrueType fonts.\n\n - An error in the t2embed.dll module when parsing TrueType fonts.\n\n - The client loads libraries in an insecure manner, which can be exploited\n to load arbitrary libraries by tricking a user into opening a '.ocsmeet'\n file located on a remote WebDAV or SMB share.\n\n - An unspecified error in the 'SafeHTML' API when sanitising HTML code can\n be exploited to execute arbitrary HTML and script code in the user's chat\n session.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security update according to\n Microsoft Bulletin MS12-039.\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(get_kb_item(\"MS/Lync/Ver\"))\n{\n path = get_kb_item(\"MS/Lync/path\");\n if(path)\n {\n commVer = fetch_file_version(sysPath:path, file_name:\"communicator.exe\");\n if(commVer)\n {\n if(version_in_range(version:commVer, test_version:\"3.5\", test_version2:\"3.5.6907.252\")||\n version_in_range(version:commVer, test_version:\"4.0\", test_version2:\"4.0.7577.4097\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n }\n}\n\n## For Microsoft Lync 2010 Attendee (admin level install)\n## For Microsoft Lync 2010 Attendee (user level install)\nif(get_kb_item(\"MS/Lync/Attendee/Ver\"))\n{\n path = get_kb_item(\"MS/Lync/Attendee/path\");\n if(path)\n {\n oglVer = fetch_file_version(sysPath:path, file_name:\"Ogl.dll\");\n if(oglVer)\n {\n if(version_in_range(version:oglVer, test_version:\"4.0\", test_version2:\"4.0.7577.4097\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n }\n}\n\nif(get_kb_item(\"MS/Lync/Attendant/Ver\"))\n{\n path = get_kb_item(\"MS/Lync/Attendant/path\");\n if(path)\n {\n attVer = fetch_file_version(sysPath:path, file_name:\"AttendantConsole.exe\");\n if(attVer)\n {\n if(version_in_range(version:attVer, test_version:\"4.0\", test_version2:\"4.0.7577.4097\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2021-06-08T19:02:41", "description": "Font 
parsing vulnerabilities, unsafe DLL loading, cross-site scripting.", "cvss3": {}, "published": "2012-06-13T00:00:00", "type": "securityvulns", "title": "Microsoft Lync multiple security vulnerabilities", "bulletinFamily": "software", "hackapp": {}, "cvss2": {}, "cvelist": ["CVE-2012-1858", "CVE-2011-3402", "CVE-2012-0159", "CVE-2012-1849"], "modified": "2012-06-13T00:00:00", "id": "SECURITYVULNS:VULN:12406", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12406", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2023-05-18T14:23:53", "description": "The remote Windows host is potentially affected by the following vulnerabilities :\n\n - Multiple code execution vulnerabilities exist in the handling of specially crafted TrueType font files.\n (CVE-2011-3402, CVE-2012-0159)\n\n - An insecure library loading vulnerability exists in the way that Microsoft Lync handles the loading of DLL files. (CVE-2012-1849)\n\n - An HTML sanitization vulnerability exists in the way that HTML is filtered. 
(CVE-2012-1858)", "cvss3": {}, "published": "2012-06-13T00:00:00", "type": "nessus", "title": "MS12-039: Vulnerabilities in Lync Could Allow Remote Code Execution (2707956)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2011-3402", "CVE-2012-0159", "CVE-2012-1849", "CVE-2012-1858"], "modified": "2018-11-15T00:00:00", "cpe": ["cpe:/a:microsoft:office_communicator", "cpe:/a:microsoft:lync"], "id": "SMB_NT_MS12-039.NASL", "href": "https://www.tenable.com/plugins/nessus/59457", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(59457);\n script_version(\"1.31\");\n script_cvs_date(\"Date: 2018/11/15 20:50:31\");\n\n script_cve_id(\"CVE-2011-3402\", \"CVE-2012-0159\", \"CVE-2012-1849\", \"CVE-2012-1858\");\n script_bugtraq_id(50462, 53335, 53831, 53842);\n script_xref(name:\"EDB-ID\", value:\"19777\");\n script_xref(name:\"MSFT\", value:\"MS12-039\");\n script_xref(name:\"MSKB\", value:\"2693282\");\n script_xref(name:\"MSKB\", value:\"2693283\");\n script_xref(name:\"MSKB\", value:\"2696031\");\n script_xref(name:\"MSKB\", value:\"2702444\");\n script_xref(name:\"MSKB\", value:\"2708980\");\n\n script_name(english:\"MS12-039: Vulnerabilities in Lync Could Allow Remote Code Execution (2707956)\");\n script_summary(english:\"Checks version of multiple files\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Arbitrary code can be executed on the remote host through Microsoft\nLync.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is potentially affected by the following\nvulnerabilities :\n\n - Multiple code execution vulnerabilities exist in the\n handling of specially crafted TrueType font files.\n (CVE-2011-3402, CVE-2012-0159)\n\n - An insecure library loading vulnerability exists in the\n way that Microsoft Lync handles the loading of DLL\n files. 
(CVE-2012-1849)\n\n - An HTML sanitization vulnerability exists in the way\n that HTML is filtered. (CVE-2012-1858)\");\n # http://blog.watchfire.com/wfblog/2012/07/tostatichtml-the-second-encounter-cve-2012-1858-html-sanitizing-information-disclosure-introduction-t.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c7d49512\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-129/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2012/Aug/58\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2012/ms12-039\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Lync 2010, Lync 2010\nAttendee, Lync 2010 Attendant, and Communicator 2007 R2.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/06/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/06/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/06/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office_communicator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:lync\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n 
script_copyright(english:\"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\n\nglobal_var bulletin;\n\nfunction get_user_dirs()\n{\n local_var appdir, dirpat, domain, hklm, iter, lcpath, login, pass;\n local_var path, paths, pdir, port, rc, root, share, user, ver;\n\n paths = make_list();\n\n registry_init();\n hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);\n pdir = get_registry_value(handle:hklm, item:\"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\ProfilesDirectory\");\n if (pdir && stridx(tolower(pdir), \"%systemdrive%\") == 0)\n {\n root = get_registry_value(handle:hklm, item:\"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRoot\");\n if (!isnull(root))\n {\n share = ereg_replace(string:root, pattern:\"^([A-Za-z]):.*\", replace:\"\\1:\");\n pdir = share + substr(pdir, strlen(\"%systemdrive%\"));\n }\n }\n RegCloseKey(handle:hklm);\n close_registry(close:FALSE);\n\n if (!pdir)\n return NULL;\n\n ver = get_kb_item(\"SMB/WindowsVersion\");\n\n share = ereg_replace(string:pdir, pattern:\"^([A-Za-z]):.*\", replace:\"\\1$\");\n dirpat = ereg_replace(string:pdir, pattern:\"^[A-Za-z]:(.*)\", replace:\"\\1\\*\");\n\n port = kb_smb_transport();\n if (!get_port_state(port)) audit(AUDIT_PORT_CLOSED, port);\n login = kb_smb_login();\n pass = kb_smb_password();\n domain = kb_smb_domain();\n\n rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);\n if (rc != 1)\n {\n NetUseDel(close:FALSE);\n return NULL;\n }\n\n # 2000 / XP / 2003\n if (ver < 6)\n appdir += \"\\Local 
Settings\\Application Data\";\n # Vista / 7 / 2008\n else\n appdir += \"\\AppData\\Local\";\n\n paths = make_array();\n iter = FindFirstFile(pattern:dirpat);\n while (!isnull(iter[1]))\n {\n user = iter[1];\n iter = FindNextFile(handle:iter);\n\n if (user == \".\" || user == \"..\")\n continue;\n\n path = pdir + \"\\\" + user + appdir;\n\n lcpath = tolower(path);\n if (isnull(paths[lcpath]))\n paths[lcpath] = path;\n }\n\n NetUseDel(close:FALSE);\n\n return paths;\n}\n\nfunction check_vuln(file, fix, kb, key, min, paths)\n{\n local_var base, hklm, path, result, rc, share;\n\n if (!isnull(key))\n {\n registry_init();\n hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);\n base = get_registry_value(handle:hklm, item:key);\n RegCloseKey(handle:hklm);\n close_registry(close:FALSE);\n\n if (isnull(base))\n return FALSE;\n }\n\n if (isnull(paths))\n paths = make_list(\"\");\n\n result = FALSE;\n foreach path (paths)\n {\n path = base + path;\n\n share = ereg_replace(string:path, pattern:\"^([A-Za-z]):.*\", replace:\"\\1$\");\n if (!is_accessible_share(share:share))\n continue;\n\n rc = hotfix_check_fversion(file:file, version:fix, min_version:min, path:path, bulletin:bulletin, kb:kb);\n\n if (rc == HCF_OLDER)\n result = TRUE;\n }\n\n return result;\n}\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS12-039\";\nkbs = make_list(\"2693282\", \"2693283\", \"2696031\", \"2702444\", \"2708980\");\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\", exit_code:1);\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\n# Add an extra node to the registry key if needed.\narch = get_kb_item_or_exit(\"SMB/ARCH\", exit_code:1);\nif (arch == \"x64\")\n extra = \"\\Wow6432Node\";\n\n######################################################################\n# Microsoft Communicator 2007 
R2\n######################################################################\nvuln = check_vuln(\n key : \"SOFTWARE\\Microsoft\\Communicator\\InstallationDirectory\",\n file : \"Communicator.exe\",\n min : \"3.5.0.0\",\n fix : \"3.5.6907.253\",\n kb : \"2708980\"\n);\n\n######################################################################\n# Microsoft Lync 2010\n######################################################################\nif (!vuln)\n{\n vuln = check_vuln(\n key : \"SOFTWARE\" + extra + \"\\Microsoft\\Communicator\\InstallationDirectory\",\n file : \"Communicator.exe\",\n min : \"4.0.0.0\",\n fix : \"4.0.7577.4098\",\n kb : \"2693282\"\n );\n}\n\n######################################################################\n# Microsoft Lync 2010 Attendant\n######################################################################\nvuln = check_vuln(\n key : \"SOFTWARE\" + extra + \"\\Microsoft\\Attendant\\InstallationDirectory\",\n file : \"AttendantConsole.exe\",\n min : \"4.0.0.0\",\n fix : \"4.0.7577.4098\",\n kb : \"2702444\"\n) || vuln;\n\n######################################################################\n# Microsoft Lync 2010 Attendee (admin-level install)\n######################################################################\nvuln = check_vuln(\n key : \"SOFTWARE\\Microsoft\\AttendeeCommunicator\\InstallationDirectory\",\n file : \"CURes.dll\",\n min : \"4.0.0.0\",\n fix : \"4.0.7577.4098\",\n kb : \"2696031\"\n) || vuln;\n\n######################################################################\n# Microsoft Lync 2010 Attendee (user-level install)\n######################################################################\npaths = get_user_dirs();\n\nif (!isnull(paths))\n{\n vuln = check_vuln(\n paths : paths,\n file : \"\\Microsoft Lync Attendee\\System.dll\",\n min : \"4.0.0.0\",\n fix : \"4.0.60831.0\",\n kb : \"2693283\"\n ) || vuln;\n}\n\n# Disconnect from registry.\nclose_registry();\n\nif (vuln)\n{\n set_kb_item(name:\"www/0/XSS\", value:TRUE);\n\n 
set_kb_item(name:\"SMB/Missing/\" + bulletin, value:TRUE);\n hotfix_security_hole();\n\n hotfix_check_fversion_end();\n exit(0);\n}\n\nhotfix_check_fversion_end();\nexit(0, \"The host is not affected.\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}]}