nessus | This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof. | CITRIX_XENAPP_CTX135066.NASL
HistoryDec 27, 2012 - 12:00 a.m.

Citrix XenApp XML Service Interface Crafted Packet Parsing Remote Code Execution (CTX135066)

2012-12-27 00:00:00
This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
93

9.3 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.046 Low

EPSS

Percentile

92.6%

The version of Citrix XenApp installed on the remote Windows host is potentially affected by an unspecified vulnerability in the XML service interface. An unauthenticated, remote attacker can exploit this to execute arbitrary code on the remote host.

#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

# Plugin metadata. This branch runs only when the scanner loads the script
# with `description` set: it registers identifiers, report text, scoring and
# prerequisites, then exits before any of the check logic below is reached.
if (description)
{
  script_id(63339);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/11/13");

  # Cross-references used to correlate this finding with other sources.
  script_cve_id("CVE-2012-5161");
  script_bugtraq_id(56907);
  script_xref(name:"IAVB", value:"2012-B-0127-S");

  script_name(english:"Citrix XenApp XML Service Interface Crafted Packet Parsing Remote Code Execution (CTX135066)");
  # The summary states the detection method: a file-version check of wpnbr.dll.
  script_summary(english:"Checks version of wpnbr.dll");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host has an application that is affected by a remote
code execution vulnerability.");
  # "potentially affected": the finding is inferred from a file version, not
  # from probing the XML service itself.
  script_set_attribute(attribute:"description", value:
"The version of Citrix XenApp installed on the remote Windows host is
potentially affected by an unspecified vulnerability in the XML service
interface. An unauthenticated, remote attacker can exploit this to
execute arbitrary code on the remote host.");
  script_set_attribute(attribute:"see_also", value:"https://support.citrix.com/article/CTX135066");
  script_set_attribute(attribute:"solution", value:
"Apply the relevant vendor-supplied patch.");
  # CVSS v2 base vector: network reachable, medium complexity, no
  # authentication, complete C/I/A impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  # Temporal vector: exploitability unproven (E:U), official fix available
  # (RL:OF), report confidence confirmed (RC:C).
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2012-5161");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/12/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/12/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/12/27");

  # plugin_type "local": the check below reads the registry and a file over
  # SMB, so it only produces a result on a scan that can log in to the host.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:citrix:xenapp");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  # ACT_GATHER_INFO: information-gathering category.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Prerequisites: smb_hotfixes.nasl must have run, the KB item
  # SMB/Registry/Enumerated must be present, and port 139 or 445 is required.
  script_dependencies("smb_hotfixes.nasl");
  script_require_keys("SMB/Registry/Enumerated");
  script_require_ports(139, 445);

  exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_reg_query.inc");
include("misc_func.inc");

# Stage 1: locate the XenApp installation through the remote registry.
#
# The SMB transport port and credentials come from the kb_smb_* helpers
# (presumably values stored in the scan knowledge base by earlier plugins).
port    = kb_smb_transport();
# Stop here if the SMB port is not open; audit() reports the reason and, as it
# is used throughout this script, is expected to terminate it.
if (!get_port_state(port)) audit(AUDIT_PORT_CLOSED, port);
login   = kb_smb_login();
pass    = kb_smb_password();
domain  = kb_smb_domain();

appname = 'Citrix XenApp';

# Connect to HKEY_LOCAL_MACHINE; exit_on_fail:TRUE asks the helper to end the
# script itself if the hive cannot be opened.
registry_init();
handle = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);

# xapath receives the install location; prodver is filled in later from the
# DLL's version resource.
xapath = NULL;
prodver = NULL;

# XenApp counts as installed when the Commands\Install value exists; only then
# is the install location read.
item = "SOFTWARE\Citrix\XenApp\Commands\Install";
if (!isnull(get_registry_value(handle:handle, item:item)))
{
  item = "SOFTWARE\Citrix\Install\Location";
  xapath = get_registry_value(handle:handle, item:item);
}
RegCloseKey(handle:handle);

# No install location means there is nothing to check: close everything and
# report "not installed".
if (isnull(xapath))
{
  close_registry();
  audit(AUDIT_NOT_INST, appname);
}
# NOTE(review): close:FALSE presumably ends the registry access but keeps the
# SMB session open so the share can be mounted next - confirm against
# smb_reg_query.inc.
else close_registry(close:FALSE);

# Stage 2: read the version resources of wpnbr.dll over SMB.
#
# share: the drive letter of the install path turned into an administrative
# share name ("<letter>$").
# sys:   the install path without its drive prefix, with "system32\wpnbr.dll"
# appended directly.
# NOTE(review): the replacement inserts no separator, so this relies on the
# Location value ending in a backslash; without one the path would be wrong
# and the open below would fail, which this script reports as "uninstalled".
# NOTE(review): a Location value that does not start with a drive letter is
# not rejected here - presumably ereg_replace() then returns it unchanged;
# confirm.
share = ereg_replace(pattern:'^([A-Za-z]):.*', replace:"\1$", string:xapath);
sys = ereg_replace(pattern:'^[A-Za-z]:(.*)', replace:"\1system32\wpnbr.dll", string:xapath);

# Mount the share with the scan credentials; any result other than 1 is
# treated as a failure and the connection is dropped.
rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
if (rc != 1)
{
  NetUseDel();
  audit(AUDIT_SHARE_FAIL, share);
}

# Open the DLL read-only (GENERIC_READ, OPEN_EXISTING): nothing is created or
# modified on the target.
fh = CreateFile(
  file:sys,
  desired_access:GENERIC_READ,
  file_attributes:FILE_ATTRIBUTE_NORMAL,
  share_mode:FILE_SHARE_READ,
  create_disposition:OPEN_EXISTING
);
# Every open failure is reported as AUDIT_UNINST; the code does not tell a
# missing file apart from one that exists but could not be opened.
if (isnull(fh))
{
  close_registry();
  audit(AUDIT_UNINST, appname);
}

# Read both the file version (an array of numeric fields, see its use below)
# and the product version string, then release the handle and the session.
ver = GetFileVersion(handle:fh);
prodver = GetProductVersion(handle:fh);
CloseFile(handle:fh);
close_registry();

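# Stage 3: compare the file version of wpnbr.dll with the fixed versions and
# report the result.
#
# filePath is the drive-letter form of the inspected file, used in messages.
filePath = (share - '$')+':'+sys;
if (isnull(ver)) audit(AUDIT_VER_FAIL, filePath);
if (isnull(prodver)) exit(1, 'Couldn\'t determine the product version from ' + filePath);

# The file version has four fields; only the third (rev) and the fourth
# (build) take part in selecting a fix. The first two fields are matched
# through the regular expressions on the joined string.
version = join(ver, sep:'.');
rev = int(ver[2]);
build = int(ver[3]);
fix = NULL;

# Only product version 6.0 with build field 6682 is evaluated:
#   - third field below 6500 -> fixed in 6.0.36.6682
#   - version 6.0.65*        -> fixed in 6.0.6535.6682
# Every other product version or build leaves fix unset and is reported as
# not vulnerable below.
# NOTE(review): confirm against CTX135066 that no other release needs a check;
# a release outside these branches is never flagged.
if (prodver == '6.0' && build == 6682)
{
  if (rev < 6500 && version =~ '^6\\.0') fix = '6.0.36.6682';
  else if (version =~ '^6\\.0\\.65') fix = '6.0.6535.6682';
}

# The host is flagged only when a fix applies and the installed version is
# strictly older than it.
vulnerable = FALSE;
if (!isnull(fix))
{
  if (ver_compare(ver:version, fix:fix) == -1) vulnerable = TRUE;
}

if (!vulnerable) audit(AUDIT_INST_PATH_NOT_VULN, appname, version, xapath);

# Report on the SMB port; the file, installed version and fixed version are
# attached unless report verbosity is 0.
if (report_verbosity > 0)
{
  report =
    '\n  File              : ' + filePath +
    '\n  Installed version : ' + version +
    '\n  Fixed version     : ' + fix + '\n';
  security_hole(port:port, extra:report);
}
else security_hole(port);
exit(0);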
Vendor | Product | Version | CPE
citrix | xenapp | | cpe:/a:citrix:xenapp

9.3 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.046 Low

EPSS

Percentile

92.6%
