MS07-014 / MS07-015: Vulnerabilities in Microsoft Word and Office Could Allow Remote Code Execution (929434 / 932554) (Mac OS X)

#TRUSTED 1342c968a15a86507cd6ac90fe15de8df9849c65cb4eecdbd8e192f40b2b7b7a8b3d75d41fcf136de724e5dfbf7e4aed91bf17b715a4a599a68da18b404de6cd6a79bf2dda48539f735605627aa5f806fe721187f4bff1a1d1b7762a18623dd4f7a7478873458e1f7b2157183573f0f1186a3adebf24a7fb6bb5239b857b2a622d8f510bda4cb1edf1039a805872cf666efc191b0b85a6dca8eade82d7fe469408c887f70c79bf2b9dbe092440658a9eb122fc6cd322a85c40c8683d0bd7d39ca32d2f2bf60d4c396ab88e448acf2c16d15c184c713fb3c06bd983959262859ca7125e5ac3501bc87474cf13f71d477985137aefa59f024f99f38416fcbf2a601a8ef7d5e02c6af5b59193b8a91c467541057abb8f01e707852de7a6f1becd7dba4ef89f775c9242b6bd52e2a7cc0193a0f28bde4c3d78d41ade5e72faa311f965963726a423c5543c8669b04002a74a0fd6824db00425472379445efeb914e37fa3496a78a32435f66514e259d819bb9ebdfd4d1098bc24ac53606840728d5e8c4c9e1232ac1cf0062263d45007540db19b99a43c93450af1a3af88b65deec2c5f1c50e2c8bdcd3f0373e2f4165d0af9f7eb0a5ed358022a009aaaacf9f8133f72b7a479c03bda3dba2518fafd1171633b66675fe2c2ce52b1f20e13fd4cabab228cf86739e4db4486e7f3f13016091a023d1e40a3736f2fd3dae183527e24f
#TRUST-RSA-SHA256 9c23c60b66a1c88da19f73d5f9721021796756792cd05c43a44d8f769922039b30b36cc4285777496ef7b2d75b22eb8cef0013a51850467adf8fc84f622759aff453edad7fb3f1c574491be28650df29c5f0d8e3ec770d9e55cee730b1df1e7392809f6e4a2a2c9543214a863605a41282181e2e6bfa2ba62d794ea5e032394030776ad4a1a8d881e8ab83a934e580c873ed8cb796c810d26c9fb55f7c28cf40872e09d0cdbc408c3628fa307461cbc9a3c37ca6958b2d9dd7b5f59de537e478c8fa543d2d886fc948f44dc2116182a9e217051aa52088cd53b9ba024507a5989c623d0b8800fc38d969045119bc80c163f603943ca96644205ba94dd7e9036cecbc1d8acb19b1202f76e948bb195f65d3021a4fb2f00d0d6c8ffdc78aad0eb1b1e2bd913312ed84ceb8e3427b428370ca2796a40d8b098e35292fa2ce8ba698cdd5e2aaa7b884ac592dabe52a33e9f542357b2027a78cfc00ac31c4ac103a6de13fd718b55c1a150cf8d70b3582a36f70a636b23d66f0ddda5f43651909c8f697ed2d23cdca8fa2f376f85b4c2fd02df9e8702d52ebb13bf0b1996734ad4c6c931f75cee9c0e138fcf125380a6267d5e5326c4b46e1b195ab7cc9faa4c0659c039deb5c25075930a81b3d3d28cefaaee561878486788913fbddcee61c68f51fd841d1fdbeebd26a0e8e91f1e5dff650c812202109cafb05c08c3e2006b5ccce
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(24328);
 script_version("1.29");
 script_set_attribute(attribute:"plugin_modification_date", value:"2023/11/27");

 script_cve_id(
  "CVE-2006-3877",
  "CVE-2006-5994",
  "CVE-2006-6456",
  "CVE-2006-6561",
  "CVE-2007-0208",
  "CVE-2007-0209",
  "CVE-2007-0515",
  "CVE-2007-0671"
 );
 script_bugtraq_id(20325, 21451, 21518, 21589, 22225, 22383, 22477, 22482);
 script_xref(name:"MSFT", value:"MS07-014");
 script_xref(name:"MSFT", value:"MS07-015");
 script_xref(name:"MSKB", value:"929434");
 script_xref(name:"MSKB", value:"932554");

 script_name(english:"MS07-014 / MS07-015: Vulnerabilities in Microsoft Word and Office Could Allow Remote Code Execution (929434 / 932554) (Mac OS X)");
 script_summary(english:"Checks version of Word 2004");

 script_set_attribute(
  attribute:"synopsis",
  value:
"An application installed on the remote Mac OS X host is affected by
multiple remote code execution vulnerabilities."
 );
 script_set_attribute(
  attribute:"description",
  value:
"The remote host is running a version of Microsoft Office that is
affected by various flaws that may allow arbitrary code to be run.

To succeed, the attacker would have to send a rogue file to a user of
the remote computer and have it open it with Microsoft Word or another
Office application."
 );
 script_set_attribute(attribute:"see_also", value:"http://technet.microsoft.com/en-us/security/bulletin/ms07-014");
 script_set_attribute(attribute:"see_also", value:"http://technet.microsoft.com/en-us/security/bulletin/ms07-015");
 script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Office for Mac OS X.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
 script_set_attribute(attribute:"cvss_score_source", value:"CVE-2007-0671");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"exploited_by_malware", value:"true");
 script_set_attribute(attribute:"exploit_framework_core", value:"true");
 script_cwe_id(94);

 script_set_attribute(attribute:"vuln_publication_date", value:"2006/10/10");
 script_set_attribute(attribute:"patch_publication_date", value:"2007/02/17");
 script_set_attribute(attribute:"plugin_publication_date", value:"2007/02/13");

 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office:2004::mac");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2006-2023 Tenable Network Security, Inc.");
 script_family(english:"MacOS X Local Security Checks");

 script_dependencies("ssh_get_info.nasl");
 script_require_keys("Host/MacOSX/packages");
 exit(0);
}


include("misc_func.inc");
include("ssh_func.inc");
include("macosx_func.inc");



enable_ssh_wrappers();

uname = get_kb_item("Host/uname");
if ( egrep(pattern:"Darwin.*", string:uname) )
{
  off2004 = GetCarbonVersionCmd(file:"Microsoft Word", path:"/Applications/Microsoft Office 2004");
  if ( ! islocalhost() )
  {
   ret = ssh_open_connection();
   if ( ! ret ) exit(0);
   buf = ssh_cmd(cmd:off2004);
   ssh_close_connection();
  }
  else
  buf = pread_wrapper(cmd:"/bin/bash", argv:make_list("bash", "-c", off2004));


 if ( buf =~ "^11\." )
	{
	  vers = split(buf, sep:'.', keep:FALSE);
          # < 11.3.4
	  if ( int(vers[0]) == 11 && ( int(vers[1]) < 3  || ( int(vers[1]) == 3 && int(vers[2]) < 4 ) ) ) security_hole(0);
	}
}