The remote Mac OS X host is running a version of Microsoft Office that is affected by several vulnerabilities.
If an attacker can trick a user on the affected host into opening a specially crafted Excel or Word file, these issues could be leveraged to execute arbitrary code subject to the user’s privileges.
#TRUSTED 95106af1beb5e3e6e238b70a1dd223a579e6bc0e2b9bf360de8f6ea328eb220341e92a70013c896a8d8d00fb82a341a130bacb460fcd800b8676c0b3d9d2ea98e744e8bb7b64eb4b85f7b27badcb7b5886624b3cafed63df9354953478fc723fa31c5494645978ba725341aee951747a40819aa9e94a61cba89c9491fbc592c6c4065f9ef38b6f4df7203d997de8c9926e986e1730321696cd2bc793f625c27534ba7bb360118e8bc5fb52a2a87c0f36f246803e4f132c7a1df7b964fda6014ce51ba13a9797561a5ffe0e832e524735a605c33cbe95372a695b540d62bc4f47bf825df2b27b11c30ae02fccd4dbc154b0b4ececb890374b5869cd42a77b1574493f9b6accde16bc2b2b907277f79514d2d29683ed55054a07ab82197e6ece54185d9f87b75f72b8b753509d75b90b63eba58d842efef14d7fabb1e9bc23d331126c856cfd75ea4a5868e6c4bfea9db88f355c3cce29485aced85731f31769ab750a69382f321f3f71e50203b11088dc520e9323d4650db0b7528ebbaac8247f1c2d1091dbe0f17121503f9c53f521ea37d7d92008a203fe2a9367e86c971bb6743cd49f351b72f2537a99e9c6b1c86e978c093824e76554f480b8e84276c71ff4f15d7c4154cf85a1ca291dd42957a1965bc1da108afff711a96a489e89fd893eeaaad17cde70d922869edc266746873d03bd6b867e19b31a3908c62c3c5ffd
#TRUST-RSA-SHA256 2373a1442cb4b11f42ec017a27358d03babff7b6afa7412e8e48c11dddeac2e7adee5a6f4e62c8a91ffcbc3c9e5e47d559e03e58b0e459aa969e155fbe4986626f55478582633c8367d01f14537a59146861cbe36aff341b2ae77dd86a750d634c353793f1756a43f8205d5eb006f5a7a019388c2ecd5d9952cfe5319db08ddb1128bf447f4c9e70734d25e786eed5e0cc823a25e19774353beb610b44b49bf87717467e42c111d452d1e11aad048133239f704330fcb095709c624d4c06f77845bc2cbf02177799ee648de7401e269f6cd47faaf482f6f7673aeca7891d97b8fd9407a1ee6f4504e2dac4b38da27fe50f266abe71048913c1b21f480d7a32d6e1412fb2ec41d9acc01056311f2ae76b4a73ec7c716ba5c3ce60e473ace9442d9faeeefce8f0ba7d1ee02698773c20155b98709abdae6178a47a51c003356be5e661d87679f0061a4260273f5f76174476659dcf9bb15a3e7d6d3a4f851f64edff00ae3ce45195f0951645ad86e0ed7775f5849515177d9f020d93c381281260276ef9ee41a44347998474897d043564ea3fbf011b4dcedc2aade0f16913727e111d9202adb405eb064a1bfeecf753359b3b74b0efbe741d2d58b78a34738e7457736fd73d0ead12abb5ad1f2f97c905150e18b5af16abdd13152b78fce50959f71d9ad97f33a6ce0c9aed5dde195fe9cf5f15aa5247009af876c1a8414c0cd4
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(50063);
script_version("1.27");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/11/27");
script_cve_id(
"CVE-2009-3127",
"CVE-2009-3129",
"CVE-2009-3130",
"CVE-2009-3131",
"CVE-2009-3132",
"CVE-2009-3133",
"CVE-2009-3134",
"CVE-2009-3135"
);
script_bugtraq_id(
36908,
36909,
36911,
36912,
36943,
36945,
36946,
36950
);
script_xref(name:"MSFT", value:"MS09-067");
script_xref(name:"MSFT", value:"MS09-068");
script_xref(name:"MSKB", value:"972652");
script_xref(name:"MSKB", value:"976307");
script_xref(name:"MSKB", value:"976828");
script_xref(name:"MSKB", value:"976830");
script_xref(name:"MSKB", value:"976831");
script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/03/24");
script_name(english:"MS09-067 / MS09-068: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (972652 / 976307) (Mac OS X)");
script_set_attribute(attribute:"synopsis", value:
"An application installed on the remote Mac OS X host is affected by
multiple remote code execution vulnerabilities.");
script_set_attribute(attribute:"description", value:
"The remote Mac OS X host is running a version of Microsoft Office that
is affected by several vulnerabilities.
If an attacker can trick a user on the affected host into opening a
specially crafted Excel or Word file, these issues could be leveraged
to execute arbitrary code subject to the user's privileges.");
script_set_attribute(attribute:"see_also", value:"http://technet.microsoft.com/en-us/security/bulletin/ms09-067");
script_set_attribute(attribute:"see_also", value:"http://technet.microsoft.com/en-us/security/bulletin/ms09-068");
script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Office 2004 for Mac,
Office 2008 for Mac, and Open XML File Format Converter for Mac.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2009-3135");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'MS09-067 Microsoft Excel Malformed FEATHEADER Record Vulnerability');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_cwe_id(94);
script_set_attribute(attribute:"vuln_publication_date", value:"2009/11/10");
script_set_attribute(attribute:"patch_publication_date", value:"2009/11/10");
script_set_attribute(attribute:"plugin_publication_date", value:"2010/10/20");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office:2004::mac");
script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office:2008::mac");
script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:open_xml_file_format_converter:::mac");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"MacOS X Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2010-2023 Tenable Network Security, Inc.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/MacOSX/packages", "Host/uname");
exit(0);
}
include("misc_func.inc");
include("ssh_func.inc");
include("macosx_func.inc");
enable_ssh_wrappers();
function exec(cmd)
{
local_var buf, ret;
if (islocalhost())
buf = pread_wrapper(cmd:"/bin/bash", argv:make_list("bash", "-c", cmd));
else
{
ret = ssh_open_connection();
if (!ret) exit(1, "ssh_open_connection() failed.");
buf = ssh_cmd(cmd:cmd);
ssh_close_connection();
}
return buf;
}
packages = get_kb_item("Host/MacOSX/packages");
if (!packages) exit(1, "The 'Host/MacOSX/packages' KB item is missing.");
uname = get_kb_item("Host/uname");
if (!uname) exit(1, "The 'Host/uname' KB item is missing.");
if (!egrep(pattern:"Darwin.*", string:uname)) exit(1, "The host does not appear to be using the Darwin sub-system.");
# Gather version info.
info = '';
installs = make_array();
prod = 'Office 2008 for Mac';
plist = "/Applications/Microsoft Office 2008/Office/MicrosoftComponentPlugin.framework/Versions/12/Resources/Info.plist";
cmd = 'cat \'' + plist + '\' | ' +
'grep -A 1 CFBundleShortVersionString | ' +
'tail -n 1 | ' +
'sed \'s/.*string>\\(.*\\)<\\/string>.*/\\1/g\'';
version = exec(cmd:cmd);
if (version && version =~ "^[0-9]+\.")
{
version = chomp(version);
if (version !~ "^12\.") exit(1, "Failed to get the version for "+prod+" - '"+version+"'.");
installs[prod] = version;
ver = split(version, sep:'.', keep:FALSE);
for (i=0; i<max_index(ver); i++)
ver[i] = int(ver[i]);
fixed_version = '12.2.3';
fix = split(fixed_version, sep:'.', keep:FALSE);
for (i=0; i<max_index(fix); i++)
fix[i] = int(fix[i]);
for (i=0; i<max_index(fix); i++)
if ((ver[i] < fix[i]))
{
info +=
'\n Product : ' + prod +
'\n Installed version : ' + version +
'\n Fixed version : ' + fixed_version + '\n';
break;
}
else if (ver[i] > fix[i])
break;
}
prod = 'Office 2004 for Mac';
cmd = GetCarbonVersionCmd(file:"Microsoft Component Plugin", path:"/Applications/Microsoft Office 2004/Office");
version = exec(cmd:cmd);
if (version && version =~ "^[0-9]+\.")
{
version = chomp(version);
if (version !~ "^11\.") exit(1, "Failed to get the version for "+prod+" - '"+version+"'.");
installs[prod] = version;
ver = split(version, sep:'.', keep:FALSE);
for (i=0; i<max_index(ver); i++)
ver[i] = int(ver[i]);
fixed_version = '11.5.6';
fix = split(fixed_version, sep:'.', keep:FALSE);
for (i=0; i<max_index(fix); i++)
fix[i] = int(fix[i]);
for (i=0; i<max_index(fix); i++)
if ((ver[i] < fix[i]))
{
info +=
'\n Product : ' + prod +
'\n Installed version : ' + version +
'\n Fixed version : ' + fixed_version + '\n';
break;
}
else if (ver[i] > fix[i])
break;
}
prod = 'Open XML File Format Converter for Mac';
plist = "/Applications/Open XML Converter.app/Contents/Info.plist";
cmd = 'cat \'' + plist + '\' | ' +
'grep -A 1 CFBundleShortVersionString | ' +
'tail -n 1 | ' +
'sed \'s/.*string>\\(.*\\)<\\/string>.*/\\1/g\'';
version = exec(cmd:cmd);
if (version && version =~ "^[0-9]+\.")
{
version = chomp(version);
installs[prod] = version;
ver = split(version, sep:'.', keep:FALSE);
for (i=0; i<max_index(ver); i++)
ver[i] = int(ver[i]);
fixed_version = '1.1.3';
fix = split(fixed_version, sep:'.', keep:FALSE);
for (i=0; i<max_index(fix); i++)
fix[i] = int(fix[i]);
for (i=0; i<max_index(fix); i++)
if ((ver[i] < fix[i]))
{
info +=
'\n Product : ' + prod +
'\n Installed version : ' + version +
'\n Fixed version : ' + fixed_version + '\n';
break;
}
else if (ver[i] > fix[i])
break;
}
# Report findings.
if (info)
{
gs_opt = get_kb_item("global_settings/report_verbosity");
if (gs_opt && gs_opt != 'Quiet') security_hole(port:0, extra:info);
else security_hole(0);
exit(0);
}
else
{
if (max_index(keys(installs)) == 0) exit(0, "Office for Mac / Open XML File Format Converter is not installed.");
else
{
msg = 'The host has ';
foreach prod (sort(keys(installs)))
msg += prod + ' ' + installs[prod] + ' and ';
msg = substr(msg, 0, strlen(msg)-1-strlen(' and '));
msg += ' installed and thus is not affected.';
exit(0, msg);
}
}
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3127
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3129
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3130
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3131
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3132
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3133
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3134
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3135
technet.microsoft.com/en-us/security/bulletin/ms09-067
technet.microsoft.com/en-us/security/bulletin/ms09-068