CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
EPSS
Percentile
93.2%
DriveLock, an application for controlling access to computer devices, is installed on the remote host.
According to its version, the DriveLock Agent component on the remote host, which acts as a web server, fails to properly handle long HTTP requests. An unauthenticated, remote attacker may be able to leverage this issue to execute arbitrary code on the affected host with SYSTEM privileges.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
  # Plugin identity and the advisory it tracks.
  script_id(26915);
  script_version("1.15");
  script_cvs_date("Date: 2018/07/10 14:27:33");
  script_cve_id("CVE-2007-5209");
  script_bugtraq_id(25902);
  script_cwe_id(119);

  script_name(english:"DriveLock DriveLock.exe HTTP Request Processing Remote Overflow");
  script_summary(english:"Checks version of DriveLock.exe");

  # Reported text: synopsis, description and the vendor fix.
  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host has a program that is susceptible to a buffer
overflow attack.");
  script_set_attribute(attribute:"description", value:
"DriveLock, an application for controlling access to computer devices,
is installed on the remote host.
According to its version, the DriveLock Agent component, which acts as
a web server, on the remote host fails to properly handle long HTTP
requests. An unauthenticated, remote attacker may be able to leverage
this issue to execute arbitrary code on the affected host with SYSTEM
privileges.");
  script_set_attribute(attribute:"solution", value:"Upgrade to DriveLock version 5.0.0.314 / 4.1.1.277 or later.");

  # Risk scoring: CVSS2 base and temporal vectors, plus exploit status.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/10/04");
  script_end_attributes();

  # The check is a local (SMB) version check driven by the registry data
  # that smb_hotfixes.nasl collects.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");
  script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
  script_dependencies("smb_hotfixes.nasl");
  script_require_keys("SMB/Registry/Enumerated");
  script_require_ports(139, 445);
  exit(0);
}
include("smb_func.inc");
include("audit.inc");
# Locate the Uninstall registry key the installer wrote for the product.
key = NULL;
list = get_kb_list("SMB/Registry/HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall/*/DisplayName");
if (isnull(list)) exit(0);

foreach name (keys(list))
{
  prod = list[name];
  # Only the exact DisplayName is matched.
  # nb: what does "DriveLock SRC Server" look like???
  if (!(prod && "CenterTools DriveLock" == prod)) continue;

  # Strip the KB prefix and the "/DisplayName" suffix, then turn the KB path
  # separators back into registry separators.
  key = ereg_replace(pattern:"^SMB\/Registry\/HKLM\/(.+)\/DisplayName$", replace:"\1", string:name);
  key = str_replace(find:"/", replace:"\", string:key);
  break;
}

# No matching Uninstall entry: DriveLock is not installed, nothing to check.
if (isnull(key)) exit(0);
# Establish the SMB session and the IPC$ connection used for remote registry access.
if (!get_kb_item("SMB/Registry/Enumerated")) exit(0);

name   = kb_smb_name();
port   = kb_smb_transport();
login  = kb_smb_login();
pass   = kb_smb_password();
domain = kb_smb_domain();

if (!smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');

rc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
if (rc != 1)
{
  NetUseDel();
  exit(0);
}

# Open HKLM through the remote registry service; every exit path from here
# on must call NetUseDel() to release the connection.
hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
if (isnull(hklm))
{
  NetUseDel();
  exit(0);
}
# Read the InstallLocation value from the product's Uninstall key.
path = NULL;
key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
if (!isnull(key_h))
{
  item = RegQueryValue(handle:key_h, item:"InstallLocation");
  # item[1] is the value data; a single trailing backslash is dropped so the
  # path can be split into share and file components later.
  if (!isnull(item)) path = ereg_replace(pattern:"^(.+)\\$", replace:"\1", string:item[1]);
  RegCloseKey(handle:key_h);
}
RegCloseKey(handle:hklm);

# Without an install location there is no executable to inspect.
if (isnull(path))
{
  NetUseDel();
  exit(0);
}
# Split the install path into the administrative drive share (drive letter
# followed by "$") and the share-relative path of DriveLock.exe, then read
# the executable's version resource.
share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:path);
exe   = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\DriveLock.exe", string:path);

# Drop the IPC$ connection (close:FALSE, presumably keeping the SMB session)
# and connect to the drive share instead.
NetUseDel(close:FALSE);
rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
if (rc != 1)
{
  NetUseDel();
  exit(0);
}

ver = NULL;
fh = CreateFile(
  file:exe,
  desired_access:GENERIC_READ,
  file_attributes:FILE_ATTRIBUTE_NORMAL,
  share_mode:FILE_SHARE_READ,
  create_disposition:OPEN_EXISTING
);
if (!isnull(fh))
{
  ver = GetFileVersion(handle:fh);
  CloseFile(handle:fh);
}
NetUseDel();
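# Compare the file version against the vendor fixes named in "solution":
# 4.x builds below 4.1.1.277 and 5.0.0 builds below 5.0.0.314 are affected.
# ver is the four-element version array returned by GetFileVersion(), or
# NULL when the file could not be opened or carries no version resource.
if (!isnull(ver))
{
  # Branch 4.x (and anything older): affected below 4.1.1.277.
  old_4x = FALSE;
  if (ver[0] < 4) old_4x = TRUE;
  else if (ver[0] == 4)
  {
    if (ver[1] < 1) old_4x = TRUE;
    else if (ver[1] == 1)
    {
      if (ver[2] < 1) old_4x = TRUE;
      else if (ver[2] == 1 && ver[3] < 277) old_4x = TRUE;
    }
  }

  # Branch 5.0.0: affected below build 314.
  old_500 = (ver[0] == 5 && ver[1] == 0 && ver[2] == 0 && ver[3] < 314);

  if (old_4x || old_500)
  {
    version = string(ver[0], ".", ver[1], ".", ver[2], ".", ver[3]);

    # Name the fixed build for the installed branch so the report is
    # actionable without consulting the solution text.
    if (ver[0] == 5) fix = "5.0.0.314";
    else fix = "4.1.1.277";

    report = string(
      "Version ", version, " of DriveLock is installed under :\n",
      "\n",
      " ", path, "\n",
      "\n",
      "Fixed version : ", fix, "\n"
    );
    security_hole(port: port, extra: report);
  }
}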