
DriveLock DriveLock.exe HTTP Request Processing Remote Overflow


CVSS2

9.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS

0.055

Percentile

93.2%

DriveLock, an application for controlling access to computer devices, is installed on the remote host.

According to its version, the DriveLock Agent component on the remote host, which acts as a web server, fails to properly handle long HTTP requests. An unauthenticated, remote attacker may be able to leverage this issue to execute arbitrary code on the affected host with SYSTEM privileges. Note that this is a local (credentialed) check: the plugin reads the version of DriveLock.exe over SMB and does not probe the HTTP listener itself.

#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

if (description)
{
  script_id(26915);
  script_version("1.15");
  script_cvs_date("Date: 2018/07/10 14:27:33");

  # Advisory references.
  script_cve_id("CVE-2007-5209");
  script_bugtraq_id(25902);

  script_name(english:"DriveLock DriveLock.exe HTTP Request Processing Remote Overflow");
  script_summary(english:"Checks version of DriveLock.exe");

  # Report text shown to the user.
  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host has a program that is susceptible to a buffer
overflow attack.");
  script_set_attribute(attribute:"description", value:
"DriveLock, an application for controlling access to computer devices,
is installed on the remote host.

According to its version, the DriveLock Agent component, which acts as
a web server, on the remote host fails to properly handle long HTTP
requests. An unauthenticated, remote attacker may be able to leverage
this issue to execute arbitrary code on the affected host with SYSTEM
privileges.");
  script_set_attribute(attribute:"solution", value:"Upgrade to DriveLock version 5.0.0.314 / 4.1.1.277 or later.");

  # Risk scoring and exploit status.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(119);

  script_set_attribute(attribute:"plugin_publication_date", value:"2007/10/04");

  # Local check: the version is read over SMB; the HTTP listener is never probed.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");

  # Needs the registry enumeration performed by smb_hotfixes.nasl and SMB access.
  script_dependencies("smb_hotfixes.nasl");
  script_require_keys("SMB/Registry/Enumerated");
  script_require_ports(139, 445);

  exit(0);
}


include("smb_func.inc");
include("audit.inc");

# Locate the Uninstall registry key whose DisplayName identifies DriveLock.
# nb: only the exact DisplayName "CenterTools DriveLock" is matched; installs
# registered under another name (e.g. a "DriveLock SRC Server" install) are
# not detected by this plugin.
key = NULL;

display_names = get_kb_list("SMB/Registry/HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall/*/DisplayName");
if (isnull(display_names)) exit(0);

foreach kb_name (keys(display_names))
{
  if (!display_names[kb_name] || "CenterTools DriveLock" != display_names[kb_name]) continue;

  # Strip the "SMB/Registry/HKLM/" prefix and "/DisplayName" suffix, then
  # convert the KB path separators into a registry path for RegOpenKey().
  key = ereg_replace(pattern:"^SMB\/Registry\/HKLM\/(.+)\/DisplayName$", replace:"\1", string:kb_name);
  key = str_replace(find:"/", replace:"\", string:key);
  break;
}
if (isnull(key)) exit(0);


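# Set up the SMB session and attach to IPC$ for remote registry access.
if (!get_kb_item("SMB/Registry/Enumerated")) exit(0);

port    =  kb_smb_transport();
login   =  kb_smb_login();
pass    =  kb_smb_password();
domain  =  kb_smb_domain();

if (!smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');

rc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
if (rc != 1)
{
  # Report the failed share connection rather than exiting silently, matching
  # the smb_session_init() handling above so credential/share problems are
  # visible in the scan results instead of looking like "not installed".
  NetUseDel();
  audit(AUDIT_SHARE_FAIL, "IPC$");
}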


# Open HKLM through the remote registry service.
hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
if (isnull(hklm))
{
  NetUseDel();
  exit(0);
}

# Read the install directory the installer recorded under the Uninstall key.
path = NULL;

uninstall_key = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
if (!isnull(uninstall_key))
{
  location = RegQueryValue(handle:uninstall_key, item:"InstallLocation");
  if (!isnull(location))
  {
    # Drop a single trailing backslash so the path can be joined later.
    path = ereg_replace(pattern:"^(.+)\\$", replace:"\1", string:location[1]);
  }
  RegCloseKey(handle:uninstall_key);
}
RegCloseKey(handle:hklm);

if (isnull(path))
{
  NetUseDel();
  exit(0);
}


# Split the install path into an administrative share name ("C$") and a
# share-relative path to DriveLock.exe, then read the executable's version.
# nb: assumes a drive-letter path; a UNC InstallLocation would not split cleanly.
share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:path);
exe   = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\DriveLock.exe", string:path);

# Move from IPC$ to the drive share without tearing down the SMB session.
NetUseDel(close:FALSE);
if (NetUseAdd(login:login, password:pass, domain:domain, share:share) != 1)
{
  NetUseDel();
  exit(0);
}

ver = NULL;
handle = CreateFile(
  file:exe,
  desired_access:GENERIC_READ,
  file_attributes:FILE_ATTRIBUTE_NORMAL,
  share_mode:FILE_SHARE_READ,
  create_disposition:OPEN_EXISTING
);
if (!isnull(handle))
{
  ver = GetFileVersion(handle:handle);
  CloseFile(handle:handle);
}
NetUseDel();


# Flag builds below the fixed versions from the solution text: 4.1.1.277 on
# the 4.x line and 5.0.0.314 on the 5.0.0 line. Anything before 4.0 is
# flagged; 4.2+ and 5.0.1+ are treated as fixed.
if (isnull(ver)) exit(0);

vuln = FALSE;
if (ver[0] < 4)
{
  vuln = TRUE;
}
else if (ver[0] == 4)
{
  # 4.x: vulnerable when (minor, build, rev) is below (1, 1, 277).
  if (ver[1] < 1) vuln = TRUE;
  else if (ver[1] == 1)
  {
    if (ver[2] < 1) vuln = TRUE;
    else if (ver[2] == 1 && ver[3] < 277) vuln = TRUE;
  }
}
else if (ver[0] == 5 && ver[1] == 0 && ver[2] == 0 && ver[3] < 314)
{
  # 5.0.0.x: vulnerable below revision 314.
  vuln = TRUE;
}

if (vuln)
{
  version = string(ver[0], ".", ver[1], ".", ver[2], ".", ver[3]);

  report = string(
    "Version ", version, " of DriveLock is installed under :\n",
    "\n",
    "  ", path, "\n"
  );
  security_hole(port: port, extra: report);
}
