Adobe Illustrator Multiple Vulnerabilities (APSB10-01)

2010-01-1200:00:00

www.tenable.com

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS

0.972

Percentile

99.9%

JSON

The version of Adobe Illustrator CS4 installed on the remote windows host is using a library that is potentially affected by multiple vulnerabilities. An attacker could exploit these flaws to execute arbitrary code on the remote host subject to the privileges of the user id running the application.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(43861);
  script_version("1.13");
 script_cvs_date("Date: 2018/11/15 20:50:26");

  script_cve_id("CVE-2009-3952", "CVE-2009-4195");
  script_bugtraq_id(37192, 37666);
  script_xref(name:"Secunia", value:"37563");

  script_name(english:"Adobe Illustrator Multiple Vulnerabilities (APSB10-01)");
  script_summary(english:"Checks version of MPS.dll");

  script_set_attribute(attribute:"synopsis", value:
"The graphics editor on the remote host is affected by multiple
vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Adobe Illustrator CS4 installed on the remote windows
host is using a library that is potentially affected by multiple
vulnerabilities. An attacker could exploit these flaws to execute
arbitrary code on the remote host subject to the privileges of the
user id running the application.");

  script_set_attribute(attribute:"see_also", value:"https://www.adobe.com/support/security/bulletins/apsb10-01.html");
  script_set_attribute(attribute:"solution", value:"Apply the patch referenced above.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Adobe Illustrator CS4 v14.0.0');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_cwe_id(119);

  script_set_attribute(attribute:"vuln_publication_date", value:"2009/12/03");
  script_set_attribute(attribute:"patch_publication_date", value:"2010/01/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/01/12");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:adobe:illustrator");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.");

  script_dependencies("adobe_illustrator_installed.nasl");
  script_require_keys("SMB/Adobe Illustrator/Installed");
  script_require_ports(139,445);
  exit(0);
}

include("global_settings.inc");
include("smb_func.inc");
include("audit.inc");

path = get_kb_item('SMB/Adobe Illustrator/path');
if (isnull(path)) exit(1, "The 'SMB/Adobe Illustrator/path' KB item is missing.");
prod = get_kb_item('SMB/Adobe Illustrator/product');
if (isnull(prod)) exit(1, "The 'SMB/Adobe Illustrator/product' KB item is missing.");

name   = kb_smb_name();
port   = kb_smb_transport();
#if (!get_port_state(port)) exit(1, 'Port '+port+' is not open.');
login  = kb_smb_login();
pass   = kb_smb_password();
domain = kb_smb_domain();

#soc = open_sock_tcp(port);
#if (!soc) exit(1, "Can't open socket to port "+port+".");

share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:path);
dll = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\MPS.dll", string:path);

#session_init(socket:soc, hostname:name);

if(!smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');

rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
if (rc != 1)
{
  NetUseDel();
  exit(1, "Cannot connect to " + share + "share.");
}

fh = CreateFile(
       file:dll,
       desired_access:GENERIC_READ,
       file_attributes:FILE_ATTRIBUTE_NORMAL,
       share_mode:FILE_SHARE_READ,
       create_disposition:OPEN_EXISTING);

if (isnull(fh)) exit(1, "Couldn't open file handle for MPS.dll");

ver = GetFileVersion(handle:fh);
CloseFile(handle:fh);
NetUseDel();
if (isnull(ver)) exit(1, "Couldn't determine version of MPS.dll");

if (
  (
    prod == "Adobe Illustrator CS4" &&
    (
      ver[0] < 4 ||
      (ver[0] == 4 && ver[1] < 9) ||
      (ver[0] == 4 && ver[1] == 9 && ver[2] < 16) ||
      (ver[0] == 4 && ver[1] == 9 && ver[2] == 16 && ver[3] < 4555)
    )
  ) ||
  (
    prod == "Adobe Illustrator CS3" &&
    (
      ver[0] < 4 ||
      (ver[0] == 4 && ver[1] < 9) ||
      (ver[0] == 4 && ver[1] == 9 && ver[2] < 16)
    )
  )
)
{
  if (report_verbosity > 0)
  {
    report =
      '\n' +
      '  DLL     : MPS.dll' + '\n' +
      '  Path    : ' + path + '\n' +
      '  Version : ' + ver[0] + '.' + ver[1] + '.' + ver[2] + '.' + ver[3] + '\n';
    if (prod == "Adobe Illustrator CS3") report = report + '  Fix     : ' + '4.9.16.0' + '\n\n';
    else report = report + '  Fix     : ' + '4.9.16.4555' + '\n\n';

    security_hole(port:port, extra:report);
  }
  else security_hole(port:port, extra:report);
  exit(0);
}
else exit(0, 'The remote host is not affected because MPS.dll version '+ver[0]+'.'+ver[1]+'.'+ver[2]+'.'+ver[3]+' was found.');