Intel PRO/Wireless Network Connection Drivers Remote Code Execution Vulnerabilities

#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

if (description)
{
 script_id(22131);
 script_version("1.19");
 script_cvs_date("Date: 2018/07/12 19:01:17");

 script_cve_id("CVE-2006-3992");
 script_bugtraq_id(19298, 19864);
 script_name(english:"Intel PRO/Wireless Network Connection Drivers Remote Code Execution Vulnerabilities");
 script_summary(english:"Determines the version of the Intel Wireless/PRO driver");

 script_set_attribute(attribute:"synopsis", value:"Arbitrary code can be executed on the remote host.");
 script_set_attribute(attribute:"description", value:
"The remote host is running a version of Intel Wireless/PRO 2200/2915
driver that is is affected by a memory corruption vulnerability. An
attacker may exploit this flaw to execute arbitrary code on the remote
host with kernel privileges or to disable the remote service remotely.

To exploit this flaw, an attacker would need to send a specially
crafted wireless frame to the remote host.");
 script_set_attribute(attribute:"solution", value:"http://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00001");
  script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

 script_set_attribute(attribute:"vuln_publication_date", value:"2006/07/28");
 script_set_attribute(attribute:"plugin_publication_date", value:"2006/08/02");

script_set_attribute(attribute:"plugin_type", value:"local");
script_end_attributes();


 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows");

 script_dependencies("smb_hotfixes.nasl");
 script_require_keys("SMB/Registry/Enumerated");
 script_require_ports(139, 445);
 exit(0);
}




include("smb_func.inc");
include("smb_hotfixes.inc");
include("audit.inc");


if ( ! get_kb_item("SMB/Registry/Enumerated") ) exit(1);


name 	=  kb_smb_name();
login	=  kb_smb_login();
pass  	=  kb_smb_password();
domain 	=  kb_smb_domain();
port    =  kb_smb_transport();




if(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');
r = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");

hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
if ( isnull(hklm) )
{
 NetUseDel();
 exit(1);
}

key_h = RegOpenKey(handle:hklm, key:"SYSTEM\CurrentControlSet\Services\w22n51", mode:MAXIMUM_ALLOWED);
if ( isnull(key_h) )
{
 key_h = RegOpenKey(handle:hklm, key:"SYSTEM\CurrentControlSet\Services\w29n51", mode:MAXIMUM_ALLOWED);
 if ( isnull(key_h) )
 {
  RegCloseKey(handle:hklm);
  NetUseDel();
  exit(0);
 }
}

value = RegQueryValue(handle:key_h, item:"ImagePath");
RegCloseKey(handle:key_h);
RegCloseKey(handle:hklm);
if ( isnull(value) )
{
 NetUseDel();
 exit(0);
}

value = hotfix_get_systemroot() + "\" + value[1];
share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:value);
exe =  ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1", string:value);
NetUseDel(close:FALSE);

r = NetUseAdd(login:login, password:pass, domain:domain, share:share);
if ( r != 1 ) {
 NetUseDel();
 exit(1);
}



handle = CreateFile (file:exe, desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL, share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);


if ( ! isnull(handle) )
{
 v = GetFileVersion(handle:handle);
 CloseFile(handle:handle);
 if (!isnull(v))
 if ( ( v[0] < 9 ) ||
      ( ( v[0] == 9 ) && ( v[1] == 0 ) && ( v[2] < 4 ) ) ||
      ( ( v[0] == 9 ) && ( v[1] == 0 ) && ( v[2] == 4 ) && ( v[3] < 16 ) ) )
    security_hole(port);
}

NetUseDel();