nessusThis script is Copyright (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.GROUPWISE_IA_MULTIPLE_OVERFLOWS.NASL
HistoryJun 01, 2009 - 12:00 a.m.

Novell GroupWise Internet Agent < 7.03 HP3 / 8.0 HP2 Multiple Buffer Overflows

2009-06-01 00:00:00
This script is Copyright (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
6

A vulnerable version of GroupWise Internet Agent is running on the remote host. The software contains unspecified buffer overflow vulnerabilities that are triggered when processing email addresses and other specially crafted SMTP requests.

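This could allow a remote attacker to crash the service or execute arbitrary code as SYSTEM. Note that the plugin below identifies affected hosts by comparing the installed gwia.exe version with the fixed builds (7.0.3.1401 and 8.0.0.7328); it does not probe the SMTP service itself.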

#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");


# Registration pass: when the plugin is loaded with `description` set, only the
# metadata below is recorded, and the exit(0) at the end of this block returns
# before any of the check logic further down runs.
if (description)
{
  script_id(38972);
  script_version("1.11");

  # Vulnerability identifiers this plugin is mapped to.
  script_cve_id("CVE-2009-1636");
  script_bugtraq_id(35064, 35065);

  script_name(english:"Novell GroupWise Internet Agent < 7.03 HP3 / 8.0 HP2 Multiple Buffer Overflows");
  # The finding comes from a version comparison on gwia.exe, not from sending
  # SMTP traffic to the service.
  script_summary(english:"Does a local check for the version of gwia.exe");

  script_set_attribute(attribute:"synopsis", value:
"The SMTP server running on the remote Windows host has multiple
buffer overflow vulnerabilities."  );
  script_set_attribute( attribute:"description", value:
"A vulnerable version of GroupWise Internet Agent is running on the
remote host.  The software contains unspecified buffer overflow
vulnerabilities that are triggered when processing email addresses
and other specially crafted SMTP requests.

This could allow a remote attacker to crash the service or execute
arbitrary code as SYSTEM."  );
  # https://support.microfocus.com/kb/doc.php?id=7003272
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?422158ab"
  );
  # https://support.microfocus.com/kb/doc.php?id=7003273
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?77140f4e"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Upgrade to Novell GroupWise version 7.03 HP3 / 8.0 HP2 or later."
  );
  # CVSS v2 base vector: network reachable, low complexity, no authentication,
  # complete impact on confidentiality, integrity and availability.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  # CVSS v2 temporal vector: exploitability unproven (E:U), official fix
  # available (RL:OF), report confirmed (RC:C).
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
 # CWE-119: improper restriction of operations within the bounds of a memory buffer.
 script_cwe_id(119);
 script_set_attribute(attribute:"plugin_publication_date", value: "2009/06/01");
 script_cvs_date("Date: 2018/11/15 20:50:27");
  # "local": the result is derived from data gathered on the host (the file
  # version stored in the KB) rather than from a network probe.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_end_attributes();

  # Information-gathering category.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Run after GroupWise IA detection and SMB service enumeration.  Presumably
  # these populate the SMB/GWIA/Version and SMB/svcs KB entries read by the
  # check below -- confirm against those plugins.
  script_dependencies("groupwise_ia_detect.nasl", "smb_enum_services.nasl");
  # Do not run at all unless a GWIA version was recorded in the KB.
  script_require_keys("SMB/GWIA/Version");
 
  exit(0);
}


include("global_settings.inc");


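# Version string recorded in the KB under SMB/GWIA/Version.  Without it there
# is nothing to compare, so stop quietly.
version = get_kb_item("SMB/GWIA/Version");
if (isnull(version)) exit(0);

# split() returns the dotted components as strings.  Convert each one to an
# integer so that the range checks that follow are numeric.  If the components
# were compared as text instead, "10000" would sort before "7328" and "900"
# after it, producing a false positive and a false negative respectively.
ver_fields = split(version, sep:'.', keep:FALSE);
for (i = 0; i < max_index(ver_fields); i++)
  ver_fields[i] = int(ver_fields[i]);

# Components absent from a short version string are left unset, as before.
major = ver_fields[0];
minor = ver_fields[1];
build = ver_fields[2];
revision = ver_fields[3];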

# Affected ranges: 8.0.0.x below revision 7328, and 7.0.x below 7.0.3.1401.
# Every other version is treated as not vulnerable and the plugin stops here.
vulnerable = FALSE;

if (major == 8 && minor == 0 && build == 0 && revision < 7328)
  vulnerable = TRUE;
else if (major == 7 && minor == 0)
{
  if (build < 3 || (build == 3 && revision < 1401))
    vulnerable = TRUE;
}

if (!vulnerable) exit(0);

# Unless the scan is paranoid (report_paranoia >= 2), report only when the
# service list stored in the KB under SMB/svcs mentions GWIA.  The test is a
# plain substring match on that list.
if (report_paranoia < 2)
{
  services = get_kb_item("SMB/svcs");

  if (isnull(services)) exit(0);
  if ("GWIA" >!< services) exit(0);
}

# Raise the finding on the SMB transport port recorded in the KB.  The detected
# and fixed versions are attached only when report verbosity is enabled.
port = get_kb_item("SMB/transport");

if (report_verbosity > 0)
{
  # Fixed build for the branch that was found installed.
  if (major == 7) patched_ver = "7.0.3.1401";
  else if (major == 8) patched_ver = "8.0.0.7328";

  details = string(
    "\n",
    "The remote version of GroupWise Internet Agent (gwia.exe) has not been\n",
    "patched :\n",
    "\n",
    "  Remote version : ", version, "\n",
    "  Should be      : ", patched_ver, "\n"
  );
  security_hole(port:port, extra:details);
}
else
{
  security_hole(port);
}
