Lucene search

K
nessusThis script is Copyright (C) 2009-2018 Tenable Network Security, Inc.FSECURE_FSC_2009_01.NASL
HistoryMay 10, 2009 - 12:00 a.m.

F-Secure Products ZIP/RAR File Scan Evasion (FSC-2009-1)

2009-05-1000:00:00
This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
www.tenable.com
15

6.8 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.013 Low

EPSS

Percentile

86.1%

The remote host has an antivirus product from F-Secure installed. The installed version of the product fails to accurately scan certain ZIP and RAR archive files. Therefore, it may be possible for such files to evade detection from the scanning engine.

#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

if (description)
{
  script_id(38718);
  script_version("1.17");
  script_cvs_date("Date: 2018/07/12 15:01:52");

  script_cve_id("CVE-2009-1782");
  script_bugtraq_id(34849);
  script_xref(name:"Secunia", value:"35008");

  script_name(english:"F-Secure Products ZIP/RAR File Scan Evasion (FSC-2009-1)");
  script_summary(english:"Checks version of fm4av.dll.");

 script_set_attribute(attribute:"synopsis", value:
"An antivirus application installed on the remote host is affected by
a scan evasion vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote host has an antivirus product from F-Secure installed. The
installed version of the product fails to accurately scan certain ZIP
and RAR archive files. Therefore, it may be possible for such files to
evade detection from the scanning engine.");
  # https://web.archive.org/web/20090510034628/http://www.f-secure.com/en_EMEA/support/security-advisory/fsc-2009-1.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7cf449be");
  script_set_attribute(attribute:"solution", value:
"Apply the vendor-supplied patches.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_publication_date", value:"2009/05/10");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f-secure:f-secure_anti-virus");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");

  script_dependencies("smb_hotfixes.nasl");
  script_require_keys("SMB/name", "SMB/login", "SMB/password", "SMB/registry_full_access", "SMB/transport");
  script_require_ports(139, 445);

  exit(0);
}

include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("audit.inc");
include("misc_func.inc");

name    = kb_smb_name();
login   = kb_smb_login();
pass    = kb_smb_password();
domain  = kb_smb_domain();
port    = kb_smb_transport();

#if (!get_port_state(port))
#  exit(0);

#soc = open_sock_tcp(port);
#if (!soc) exit(0);

#session_init(socket:soc, hostname:name);
if(!smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');

rc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
if (rc != 1) {
  exit(0);
}

path = NULL;

hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
if (isnull(hklm))
{
 NetUseDel();
 exit (0);
}

key = "SOFTWARE\Data Fellows\F-Secure\Content Scanner Server";
item = "Path";

hkey = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
if (!isnull(hkey))
{
  value = RegQueryValue(handle:hkey, item:item);
  if (!isnull(value))
    path = value[1];

  RegCloseKey (handle:hkey);
}

RegCloseKey (handle:hklm);
NetUseDel ();

if(isnull(path))
  exit(0);

if (!isnull(path) && is_accessible_share())
{
  # fm4av.dll is updated after applying the patch.
  if ( hotfix_check_fversion(file:"fm4av.dll", version:"3.1.15160.1", path:path) == HCF_OLDER )
     security_warning(port);
  hotfix_check_fversion_end();
}
else audit(AUDIT_HOST_NOT, 'affected');
VendorProductVersionCPE
f-securef-secure_anti-viruscpe:/a:f-secure:f-secure_anti-virus

6.8 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.013 Low

EPSS

Percentile

86.1%

Related for FSECURE_FSC_2009_01.NASL