A vulnerable version of GroupWise Internet Agent is running on the remote host. The software contains unspecified buffer overflow vulnerabilities that are triggered when processing email addresses and other specially crafted SMTP requests.
This could allow a remote attacker to crash the service or execute arbitrary code as SYSTEM.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(38972);
script_version("1.11");
script_cve_id("CVE-2009-1636");
script_bugtraq_id(35064, 35065);
script_name(english:"Novell GroupWise Internet Agent < 7.03 HP3 / 8.0 HP2 Multiple Buffer Overflows");
script_summary(english:"Does a local check for the version of gwia.exe");
script_set_attribute(attribute:"synopsis", value:
"The SMTP server running on the remote Windows host has multiple
buffer overflow vulnerabilities." );
script_set_attribute( attribute:"description", value:
"A vulnerable version of GroupWise Internet Agent is running on the
remote host. The software contains unspecified buffer overflow
vulnerabilities that are triggered when processing email addresses
and other specially crafted SMTP requests.
This could allow a remote attacker to crash the service or execute
arbitrary code as SYSTEM." );
# https://support.microfocus.com/kb/doc.php?id=7003272
script_set_attribute(
attribute:"see_also",
value:"http://www.nessus.org/u?422158ab"
);
# https://support.microfocus.com/kb/doc.php?id=7003273
script_set_attribute(
attribute:"see_also",
value:"http://www.nessus.org/u?77140f4e"
);
script_set_attribute(
attribute:"solution",
value:"Upgrade to Novell GroupWise version 7.03 HP3 / 8.0 HP2 or later."
);
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_cwe_id(119);
script_set_attribute(attribute:"plugin_publication_date", value: "2009/06/01");
script_cvs_date("Date: 2018/11/15 20:50:27");
script_set_attribute(attribute:"plugin_type", value:"local");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows");
script_copyright(english:"This script is Copyright (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("groupwise_ia_detect.nasl", "smb_enum_services.nasl");
script_require_keys("SMB/GWIA/Version");
exit(0);
}
include("global_settings.inc");
version = get_kb_item("SMB/GWIA/Version");
if (isnull(version)) exit(0);
ver_fields = split(version, sep:'.', keep:FALSE);
major = ver_fields[0];
minor = ver_fields[1];
build = ver_fields[2];
revision = ver_fields[3];
# First, see if the version is vulnerable (< 8.0.0.7328, < 7.0.3.1401)
if (
(major == 8 && minor == 0 && build == 0 && revision < 7328) ||
(major == 7 && minor == 0 && (build < 3 || (build == 3 && revision < 1401)))
)
vulnerable = TRUE;
else
vulnerable = FALSE;
if (!vulnerable) exit(0);
# Make sure the service is running, unless we're paranoid
if (report_paranoia < 2)
{
services = get_kb_item("SMB/svcs");
if (isnull(services) || "GWIA" >!< services) exit(0);
}
if (report_verbosity > 0)
{
if (major == 7) patched_ver = "7.0.3.1401";
else if (major == 8) patched_ver = "8.0.0.7328";
report = string(
"\n",
"The remote version of GroupWise Internet Agent (gwia.exe) has not been\n",
"patched :\n",
"\n",
" Remote version : ", version, "\n",
" Should be : ", patched_ver, "\n"
);
security_hole(port:get_kb_item("SMB/transport"), extra:report);
}
else security_hole(get_kb_item("SMB/transport"));