MS11-021 / MS11-022 / MS11-023: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2489279 / 2489283 / 2489293) (Mac OS X)

2011-04-1300:00:00

www.tenable.com

7.3 High

AI Score

Confidence

Low

JSON

The remote Mac OS X host is running a version of Microsoft Office that is affected by several vulnerabilities.

If an attacker can trick a user on the affected host into opening a specially crafted Office file, these issues could be leveraged to execute arbitrary code subject to the user’s privileges.

#TRUSTED 7f2c8937ee94f44292f1f79ece432704ee191a713b8f8423360c4722867b121b8af057d418671de7f7b68445603633bdd9a98f4389ef8a0098f7cf05f9cbb11c77ae4758eb648d77512df900bc778529cc2f97aefcc4c1af44cb9cefd076340dce38993170267861e47be2e1ef322d8010527bf8c2efaed392ed99f268b696aca2c394d6d5e8fe8acba18a4048262d32b54859252332e9f941a3c74b47a7d9fd2e03b983c87383b03abe2807ab64c01fa0eb99abf612e60600fb9cba67524ebc7b7695054d18acfa32d4eb47f9352bd9ebf511880ec54671bb753eaeb297452019d135f5cbf33b0439cf40e12326bbf400615a3e63c9825ce1d4f715ea42bc6dc382f2aad9d777cd880f04022235d6d56a2120c3890723fafc76168aef0c62347276910aea02a6beccd67e32e203b5e21cd478b2f5800e3660da5dd6154b3b3e0f1817b70fa1354d2a0a955cf4af497a1b863a8eed6f9e2de2b167c213ea453c259c6b6b08bb1ade6c8701e3b367edc048bd50816fb017b6a975b35d208a304c02f9e37646e446ea58a29254a74400d84e758fd57f9f92abae79003a4f8b8dbb28cdb0a70e6641c0c99adc0c1173bccc3d1f36e85c0ed5eea9ea0b40b6b53c4da2efb591c545a3a593fd0ea531aeb2f61f73d1d23c66b09f3ea0655294b0f72cc0e83df1d1b03e3b99b1c3809a39fe4af26eef4ed0c331d411a69040a33c82fd
#TRUST-RSA-SHA256 69bd198ccef66b1ae2a68e42c24cac6fede5e67b8ccd76ba17293d0ca4783d6336c2b267fa351bcebb05369527420aa47c9976e94dfb8d7f419ffd1941ef559b06ee10aed6683054ace7b5369026a5a433fd0838feb4cce0615246fa2c64166cd0b6d0bbf8397fb9eca755b6e2dbedc2cd98fe2dc712bfef56cd0ac2cd535fa34afa3291ad4f6381859f5b227345c4c712ae2834c9f9106e820eadcf3c179b441038f98c85e8564c82a51186df336290598cca017080f5e4c46fe51db48eb10939e018d4af961c5662e4d6adfe1e28fe21352e2f92b55cb2c7022296d850dc01b772e5424d8552f4f288d3ea1273cde83e6b1c2f96effba6d9a12d7b5cddbc08fb251d9819e69814b1ec3efcfaa19707b7913e37c80efec8a021e2ebdf53aea13fb9a39c0be8bfc4500c485aa70485400f26e9f9aa30774ed053785435fc22b6a14b5d6adcc4f6912149ec116027e95d3efb86aade8e91b6ca2a731780a5a5bc32f6f0aecef83f26713e783a3a9112688efb7e4da634b06a09e93a0f5d295decc2875891bb08dd0ae40ba3ee1f76e80de6b5c8ddbaaf260ad0fec9ed4e8872c0c48568c532fdc721d49e00f7b900ce64672cfbf934b7bfe31415c16a5971dea9488c88e6e4988aa14321fe1bb40464f5928a82895a13ec808d99c8d8d541bec0a517a42b478af9066ee4f8322b18248ddffd822ff4076a8a9b3c34964a1a410d
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(53374);
  script_version("1.32");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/11/27");

  script_cve_id(
    "CVE-2011-0097",
    "CVE-2011-0098",
    "CVE-2011-0101",
    "CVE-2011-0103",
    "CVE-2011-0104",
    "CVE-2011-0105",
    "CVE-2011-0655",
    "CVE-2011-0656",
    "CVE-2011-0976",
    "CVE-2011-0977",
    "CVE-2011-0978",
    "CVE-2011-0979",
    "CVE-2011-0980"
  );
  script_bugtraq_id(
    46225,
    46226,
    46227,
    46228,
    46229,
    47201,
    47243,
    47244,
    47245,
    47251,
    47252
  );
  script_xref(name:"MSFT", value:"MS11-021");
  script_xref(name:"IAVA", value:"2011-A-0045-S");
  script_xref(name:"MSFT", value:"MS11-022");
  script_xref(name:"MSFT", value:"MS11-023");
  script_xref(name:"MSKB", value:"2489279");
  script_xref(name:"MSKB", value:"2489283");
  script_xref(name:"MSKB", value:"2489293");
  script_xref(name:"MSKB", value:"2505924");
  script_xref(name:"MSKB", value:"2505927");
  script_xref(name:"MSKB", value:"2505935");
  script_xref(name:"MSKB", value:"2525412");

  script_name(english:"MS11-021 / MS11-022 / MS11-023: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2489279 / 2489283 / 2489293) (Mac OS X)");
  script_summary(english:"Check version of Microsoft Office");

  script_set_attribute(attribute:"synopsis", value:
"An application installed on the remote Mac OS X host is affected by
multiple remote code execution vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote Mac OS X host is running a version of Microsoft Office that
is affected by several vulnerabilities.

If an attacker can trick a user on the affected host into opening a
specially crafted Office file, these issues could be leveraged to
execute arbitrary code subject to the user's privileges.");
  script_set_attribute(attribute:"see_also", value:"http://technet.microsoft.com/en-us/security/bulletin/ms11-021");
  script_set_attribute(attribute:"see_also", value:"http://technet.microsoft.com/en-us/security/bulletin/ms11-022");
  script_set_attribute(attribute:"see_also", value:"http://technet.microsoft.com/en-us/security/bulletin/ms11-023");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Office for Mac 2011,
Office 2008 for Mac, Office 2004 for Mac, and Open XML File Format
Converter for Mac.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2011-0980");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'White_Phosphorus');
  script_set_attribute(attribute:"metasploit_name", value:'MS11-021 Microsoft Office 2007 Excel .xlb Buffer Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2011/02/07");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/04/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/04/13");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office:2004::mac");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office:2008::mac");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office:2011::mac");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:open_xml_file_format_converter:::mac");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2011-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/MacOSX/packages", "Host/uname");

  exit(0);
}


include("misc_func.inc");
include("ssh_func.inc");
include("macosx_func.inc");



enable_ssh_wrappers();

function exec(cmd)
{
  local_var buf, ret;

  if (islocalhost())
    buf = pread_wrapper(cmd:"/bin/bash", argv:make_list("bash", "-c", cmd));
  else
  {
    ret = ssh_open_connection();
    if (!ret) exit(1, "ssh_open_connection() failed.");
    buf = ssh_cmd(cmd:cmd);
    ssh_close_connection();
  }
  return buf;
}


packages = get_kb_item("Host/MacOSX/packages");
if (!packages) exit(1, "The 'Host/MacOSX/packages' KB item is missing.");

uname = get_kb_item("Host/uname");
if (!uname) exit(1, "The 'Host/uname' KB item is missing.");
if (!egrep(pattern:"Darwin.*", string:uname)) exit(1, "The host does not appear to be using the Darwin sub-system.");


# Gather version info.
info = '';
installs = make_array();

prod = 'Office for Mac 2011';
plist = "/Applications/Microsoft Office 2011/Office/MicrosoftComponentPlugin.framework/Versions/14/Resources/Info.plist";
cmd =  'cat \'' + plist + '\' | ' +
  'grep -A 1 CFBundleShortVersionString | ' +
  'tail -n 1 | ' +
  'sed \'s/.*string>\\(.*\\)<\\/string>.*/\\1/g\'';
version = exec(cmd:cmd);
if (version && version =~ "^[0-9]+\.")
{
  version = chomp(version);
  if (version !~ "^14\.") exit(1, "Failed to get the version for "+prod+" - '"+version+"'.");

  installs[prod] = version;

  ver = split(version, sep:'.', keep:FALSE);
  for (i=0; i<max_index(ver); i++)
    ver[i] = int(ver[i]);

  fixed_version = '14.1.0';
  fix = split(fixed_version, sep:'.', keep:FALSE);
  for (i=0; i<max_index(fix); i++)
    fix[i] = int(fix[i]);

  for (i=0; i<max_index(fix); i++)
    if ((ver[i] < fix[i]))
    {
      info +=
        '\n  Product           : ' + prod +
        '\n  Installed version : ' + version +
        '\n  Fixed version     : ' + fixed_version + '\n';
      break;
    }
    else if (ver[i] > fix[i])
      break;
}

prod = 'Office 2008 for Mac';
plist = "/Applications/Microsoft Office 2008/Office/MicrosoftComponentPlugin.framework/Versions/12/Resources/Info.plist";
cmd =  'cat \'' + plist + '\' | ' +
  'grep -A 1 CFBundleShortVersionString | ' +
  'tail -n 1 | ' +
  'sed \'s/.*string>\\(.*\\)<\\/string>.*/\\1/g\'';
version = exec(cmd:cmd);
if (version && version =~ "^[0-9]+\.")
{
  version = chomp(version);
  if (version !~ "^12\.") exit(1, "Failed to get the version for "+prod+" - '"+version+"'.");

  installs[prod] = version;

  ver = split(version, sep:'.', keep:FALSE);
  for (i=0; i<max_index(ver); i++)
    ver[i] = int(ver[i]);

  fixed_version = '12.2.9';
  fix = split(fixed_version, sep:'.', keep:FALSE);
  for (i=0; i<max_index(fix); i++)
    fix[i] = int(fix[i]);

  for (i=0; i<max_index(fix); i++)
    if ((ver[i] < fix[i]))
    {
      info +=
        '\n  Product           : ' + prod +
        '\n  Installed version : ' + version +
        '\n  Fixed version     : ' + fixed_version + '\n';
      break;
    }
    else if (ver[i] > fix[i])
      break;
}

prod = 'Office 2004 for Mac';
cmd = GetCarbonVersionCmd(file:"Microsoft Component Plugin", path:"/Applications/Microsoft Office 2004/Office");
version = exec(cmd:cmd);
if (version && version =~ "^[0-9]+\.")
{
  version = chomp(version);
  if (version !~ "^11\.") exit(1, "Failed to get the version for "+prod+" - '"+version+"'.");

  installs[prod] = version;

  ver = split(version, sep:'.', keep:FALSE);
  for (i=0; i<max_index(ver); i++)
    ver[i] = int(ver[i]);

  fixed_version = '11.6.3';
  fix = split(fixed_version, sep:'.', keep:FALSE);
  for (i=0; i<max_index(fix); i++)
    fix[i] = int(fix[i]);

  for (i=0; i<max_index(fix); i++)
    if ((ver[i] < fix[i]))
    {
      info +=
        '\n  Product           : ' + prod +
        '\n  Installed version : ' + version +
        '\n  Fixed version     : ' + fixed_version + '\n';
      break;
    }
    else if (ver[i] > fix[i])
      break;
}

prod = 'Open XML File Format Converter for Mac';
plist = "/Applications/Open XML Converter.app/Contents/Info.plist";
cmd =  'cat \'' + plist + '\' | ' +
  'grep -A 1 CFBundleShortVersionString | ' +
  'tail -n 1 | ' +
  'sed \'s/.*string>\\(.*\\)<\\/string>.*/\\1/g\'';
version = exec(cmd:cmd);
if (version && version =~ "^[0-9]+\.")
{
  version = chomp(version);
  installs[prod] = version;

  ver = split(version, sep:'.', keep:FALSE);
  for (i=0; i<max_index(ver); i++)
    ver[i] = int(ver[i]);

  fixed_version = '1.1.9';
  fix = split(fixed_version, sep:'.', keep:FALSE);
  for (i=0; i<max_index(fix); i++)
    fix[i] = int(fix[i]);

  for (i=0; i<max_index(fix); i++)
    if ((ver[i] < fix[i]))
    {
      info +=
        '\n  Product           : ' + prod +
        '\n  Installed version : ' + version +
        '\n  Fixed version     : ' + fixed_version + '\n';
      break;
    }
    else if (ver[i] > fix[i])
      break;
}


# Report findings.
if (info)
{
  gs_opt = get_kb_item("global_settings/report_verbosity");
  if (gs_opt && gs_opt != 'Quiet') security_hole(port:0, extra:info);
  else security_hole(0);

  exit(0);
}
else
{
  if (max_index(keys(installs)) == 0) exit(0, "Office for Mac / Open XML File Format Converter is not installed.");
  else
  {
    msg = 'The host has ';
    foreach prod (sort(keys(installs)))
      msg += prod + ' ' + installs[prod] + ' and ';
    msg = substr(msg, 0, strlen(msg)-1-strlen(' and '));

    msg += ' installed and thus is not affected.';

    exit(0, msg);
  }
}

VendorProductVersionCPE
microsoftoffice2004cpe:/a:microsoft:office:2004::mac
microsoftoffice2008cpe:/a:microsoft:office:2008::mac
microsoftoffice2011cpe:/a:microsoft:office:2011::mac
microsoftopen_xml_file_format_convertercpe:/a:microsoft:open_xml_file_format_converter:::mac

Vendor	Product	Version	CPE
microsoft	office	2004	cpe:/a:microsoft:office:2004::mac
microsoft	office	2008	cpe:/a:microsoft:office:2008::mac
microsoft	office	2011	cpe:/a:microsoft:office:2011::mac
microsoft	open_xml_file_format_converter		cpe:/a:microsoft:open_xml_file_format_converter:::mac