The remote Mac OS X host is running a version of Microsoft Office that is affected by several vulnerabilities.
If an attacker can trick a user on the affected host into opening a specially crafted Office file, these issues could be leveraged to execute arbitrary code subject to the user’s privileges.
#TRUSTED 7f2c8937ee94f44292f1f79ece432704ee191a713b8f8423360c4722867b121b8af057d418671de7f7b68445603633bdd9a98f4389ef8a0098f7cf05f9cbb11c77ae4758eb648d77512df900bc778529cc2f97aefcc4c1af44cb9cefd076340dce38993170267861e47be2e1ef322d8010527bf8c2efaed392ed99f268b696aca2c394d6d5e8fe8acba18a4048262d32b54859252332e9f941a3c74b47a7d9fd2e03b983c87383b03abe2807ab64c01fa0eb99abf612e60600fb9cba67524ebc7b7695054d18acfa32d4eb47f9352bd9ebf511880ec54671bb753eaeb297452019d135f5cbf33b0439cf40e12326bbf400615a3e63c9825ce1d4f715ea42bc6dc382f2aad9d777cd880f04022235d6d56a2120c3890723fafc76168aef0c62347276910aea02a6beccd67e32e203b5e21cd478b2f5800e3660da5dd6154b3b3e0f1817b70fa1354d2a0a955cf4af497a1b863a8eed6f9e2de2b167c213ea453c259c6b6b08bb1ade6c8701e3b367edc048bd50816fb017b6a975b35d208a304c02f9e37646e446ea58a29254a74400d84e758fd57f9f92abae79003a4f8b8dbb28cdb0a70e6641c0c99adc0c1173bccc3d1f36e85c0ed5eea9ea0b40b6b53c4da2efb591c545a3a593fd0ea531aeb2f61f73d1d23c66b09f3ea0655294b0f72cc0e83df1d1b03e3b99b1c3809a39fe4af26eef4ed0c331d411a69040a33c82fd
#TRUST-RSA-SHA256 69bd198ccef66b1ae2a68e42c24cac6fede5e67b8ccd76ba17293d0ca4783d6336c2b267fa351bcebb05369527420aa47c9976e94dfb8d7f419ffd1941ef559b06ee10aed6683054ace7b5369026a5a433fd0838feb4cce0615246fa2c64166cd0b6d0bbf8397fb9eca755b6e2dbedc2cd98fe2dc712bfef56cd0ac2cd535fa34afa3291ad4f6381859f5b227345c4c712ae2834c9f9106e820eadcf3c179b441038f98c85e8564c82a51186df336290598cca017080f5e4c46fe51db48eb10939e018d4af961c5662e4d6adfe1e28fe21352e2f92b55cb2c7022296d850dc01b772e5424d8552f4f288d3ea1273cde83e6b1c2f96effba6d9a12d7b5cddbc08fb251d9819e69814b1ec3efcfaa19707b7913e37c80efec8a021e2ebdf53aea13fb9a39c0be8bfc4500c485aa70485400f26e9f9aa30774ed053785435fc22b6a14b5d6adcc4f6912149ec116027e95d3efb86aade8e91b6ca2a731780a5a5bc32f6f0aecef83f26713e783a3a9112688efb7e4da634b06a09e93a0f5d295decc2875891bb08dd0ae40ba3ee1f76e80de6b5c8ddbaaf260ad0fec9ed4e8872c0c48568c532fdc721d49e00f7b900ce64672cfbf934b7bfe31415c16a5971dea9488c88e6e4988aa14321fe1bb40464f5928a82895a13ec808d99c8d8d541bec0a517a42b478af9066ee4f8322b18248ddffd822ff4076a8a9b3c34964a1a410d
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(53374);
script_version("1.32");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/11/27");
script_cve_id(
"CVE-2011-0097",
"CVE-2011-0098",
"CVE-2011-0101",
"CVE-2011-0103",
"CVE-2011-0104",
"CVE-2011-0105",
"CVE-2011-0655",
"CVE-2011-0656",
"CVE-2011-0976",
"CVE-2011-0977",
"CVE-2011-0978",
"CVE-2011-0979",
"CVE-2011-0980"
);
script_bugtraq_id(
46225,
46226,
46227,
46228,
46229,
47201,
47243,
47244,
47245,
47251,
47252
);
script_xref(name:"MSFT", value:"MS11-021");
script_xref(name:"IAVA", value:"2011-A-0045-S");
script_xref(name:"MSFT", value:"MS11-022");
script_xref(name:"MSFT", value:"MS11-023");
script_xref(name:"MSKB", value:"2489279");
script_xref(name:"MSKB", value:"2489283");
script_xref(name:"MSKB", value:"2489293");
script_xref(name:"MSKB", value:"2505924");
script_xref(name:"MSKB", value:"2505927");
script_xref(name:"MSKB", value:"2505935");
script_xref(name:"MSKB", value:"2525412");
script_name(english:"MS11-021 / MS11-022 / MS11-023: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2489279 / 2489283 / 2489293) (Mac OS X)");
script_summary(english:"Check version of Microsoft Office");
script_set_attribute(attribute:"synopsis", value:
"An application installed on the remote Mac OS X host is affected by
multiple remote code execution vulnerabilities.");
script_set_attribute(attribute:"description", value:
"The remote Mac OS X host is running a version of Microsoft Office that
is affected by several vulnerabilities.
If an attacker can trick a user on the affected host into opening a
specially crafted Office file, these issues could be leveraged to
execute arbitrary code subject to the user's privileges.");
script_set_attribute(attribute:"see_also", value:"http://technet.microsoft.com/en-us/security/bulletin/ms11-021");
script_set_attribute(attribute:"see_also", value:"http://technet.microsoft.com/en-us/security/bulletin/ms11-022");
script_set_attribute(attribute:"see_also", value:"http://technet.microsoft.com/en-us/security/bulletin/ms11-023");
script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Office for Mac 2011,
Office 2008 for Mac, Office 2004 for Mac, and Open XML File Format
Converter for Mac.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2011-0980");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
script_set_attribute(attribute:"canvas_package", value:'White_Phosphorus');
script_set_attribute(attribute:"metasploit_name", value:'MS11-021 Microsoft Office 2007 Excel .xlb Buffer Overflow');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2011/02/07");
script_set_attribute(attribute:"patch_publication_date", value:"2011/04/12");
script_set_attribute(attribute:"plugin_publication_date", value:"2011/04/13");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office:2004::mac");
script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office:2008::mac");
script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office:2011::mac");
script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:open_xml_file_format_converter:::mac");
script_set_attribute(attribute:"stig_severity", value:"II");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"MacOS X Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2011-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/MacOSX/packages", "Host/uname");
exit(0);
}
include("misc_func.inc");
include("ssh_func.inc");
include("macosx_func.inc");
enable_ssh_wrappers();
function exec(cmd)
{
local_var buf, ret;
if (islocalhost())
buf = pread_wrapper(cmd:"/bin/bash", argv:make_list("bash", "-c", cmd));
else
{
ret = ssh_open_connection();
if (!ret) exit(1, "ssh_open_connection() failed.");
buf = ssh_cmd(cmd:cmd);
ssh_close_connection();
}
return buf;
}
packages = get_kb_item("Host/MacOSX/packages");
if (!packages) exit(1, "The 'Host/MacOSX/packages' KB item is missing.");
uname = get_kb_item("Host/uname");
if (!uname) exit(1, "The 'Host/uname' KB item is missing.");
if (!egrep(pattern:"Darwin.*", string:uname)) exit(1, "The host does not appear to be using the Darwin sub-system.");
# Gather version info.
info = '';
installs = make_array();
prod = 'Office for Mac 2011';
plist = "/Applications/Microsoft Office 2011/Office/MicrosoftComponentPlugin.framework/Versions/14/Resources/Info.plist";
cmd = 'cat \'' + plist + '\' | ' +
'grep -A 1 CFBundleShortVersionString | ' +
'tail -n 1 | ' +
'sed \'s/.*string>\\(.*\\)<\\/string>.*/\\1/g\'';
version = exec(cmd:cmd);
if (version && version =~ "^[0-9]+\.")
{
version = chomp(version);
if (version !~ "^14\.") exit(1, "Failed to get the version for "+prod+" - '"+version+"'.");
installs[prod] = version;
ver = split(version, sep:'.', keep:FALSE);
for (i=0; i<max_index(ver); i++)
ver[i] = int(ver[i]);
fixed_version = '14.1.0';
fix = split(fixed_version, sep:'.', keep:FALSE);
for (i=0; i<max_index(fix); i++)
fix[i] = int(fix[i]);
for (i=0; i<max_index(fix); i++)
if ((ver[i] < fix[i]))
{
info +=
'\n Product : ' + prod +
'\n Installed version : ' + version +
'\n Fixed version : ' + fixed_version + '\n';
break;
}
else if (ver[i] > fix[i])
break;
}
prod = 'Office 2008 for Mac';
plist = "/Applications/Microsoft Office 2008/Office/MicrosoftComponentPlugin.framework/Versions/12/Resources/Info.plist";
cmd = 'cat \'' + plist + '\' | ' +
'grep -A 1 CFBundleShortVersionString | ' +
'tail -n 1 | ' +
'sed \'s/.*string>\\(.*\\)<\\/string>.*/\\1/g\'';
version = exec(cmd:cmd);
if (version && version =~ "^[0-9]+\.")
{
version = chomp(version);
if (version !~ "^12\.") exit(1, "Failed to get the version for "+prod+" - '"+version+"'.");
installs[prod] = version;
ver = split(version, sep:'.', keep:FALSE);
for (i=0; i<max_index(ver); i++)
ver[i] = int(ver[i]);
fixed_version = '12.2.9';
fix = split(fixed_version, sep:'.', keep:FALSE);
for (i=0; i<max_index(fix); i++)
fix[i] = int(fix[i]);
for (i=0; i<max_index(fix); i++)
if ((ver[i] < fix[i]))
{
info +=
'\n Product : ' + prod +
'\n Installed version : ' + version +
'\n Fixed version : ' + fixed_version + '\n';
break;
}
else if (ver[i] > fix[i])
break;
}
prod = 'Office 2004 for Mac';
cmd = GetCarbonVersionCmd(file:"Microsoft Component Plugin", path:"/Applications/Microsoft Office 2004/Office");
version = exec(cmd:cmd);
if (version && version =~ "^[0-9]+\.")
{
version = chomp(version);
if (version !~ "^11\.") exit(1, "Failed to get the version for "+prod+" - '"+version+"'.");
installs[prod] = version;
ver = split(version, sep:'.', keep:FALSE);
for (i=0; i<max_index(ver); i++)
ver[i] = int(ver[i]);
fixed_version = '11.6.3';
fix = split(fixed_version, sep:'.', keep:FALSE);
for (i=0; i<max_index(fix); i++)
fix[i] = int(fix[i]);
for (i=0; i<max_index(fix); i++)
if ((ver[i] < fix[i]))
{
info +=
'\n Product : ' + prod +
'\n Installed version : ' + version +
'\n Fixed version : ' + fixed_version + '\n';
break;
}
else if (ver[i] > fix[i])
break;
}
prod = 'Open XML File Format Converter for Mac';
plist = "/Applications/Open XML Converter.app/Contents/Info.plist";
cmd = 'cat \'' + plist + '\' | ' +
'grep -A 1 CFBundleShortVersionString | ' +
'tail -n 1 | ' +
'sed \'s/.*string>\\(.*\\)<\\/string>.*/\\1/g\'';
version = exec(cmd:cmd);
if (version && version =~ "^[0-9]+\.")
{
version = chomp(version);
installs[prod] = version;
ver = split(version, sep:'.', keep:FALSE);
for (i=0; i<max_index(ver); i++)
ver[i] = int(ver[i]);
fixed_version = '1.1.9';
fix = split(fixed_version, sep:'.', keep:FALSE);
for (i=0; i<max_index(fix); i++)
fix[i] = int(fix[i]);
for (i=0; i<max_index(fix); i++)
if ((ver[i] < fix[i]))
{
info +=
'\n Product : ' + prod +
'\n Installed version : ' + version +
'\n Fixed version : ' + fixed_version + '\n';
break;
}
else if (ver[i] > fix[i])
break;
}
# Report findings.
if (info)
{
gs_opt = get_kb_item("global_settings/report_verbosity");
if (gs_opt && gs_opt != 'Quiet') security_hole(port:0, extra:info);
else security_hole(0);
exit(0);
}
else
{
if (max_index(keys(installs)) == 0) exit(0, "Office for Mac / Open XML File Format Converter is not installed.");
else
{
msg = 'The host has ';
foreach prod (sort(keys(installs)))
msg += prod + ' ' + installs[prod] + ' and ';
msg = substr(msg, 0, strlen(msg)-1-strlen(' and '));
msg += ' installed and thus is not affected.';
exit(0, msg);
}
}
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0097
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0098
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0101
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0103
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0104
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0105
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0655
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0656
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0976
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0977
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0978
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0979
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0980
technet.microsoft.com/en-us/security/bulletin/ms11-021
technet.microsoft.com/en-us/security/bulletin/ms11-022
technet.microsoft.com/en-us/security/bulletin/ms11-023