MS09-067 / MS09-068: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (972652 / 976307) (Mac OS X)

2010-10-2000:00:00

www.tenable.com

7.2 High

AI Score

Confidence

Low

JSON

The remote Mac OS X host is running a version of Microsoft Office that is affected by several vulnerabilities.

If an attacker can trick a user on the affected host into opening a specially crafted Excel or Word file, these issues could be leveraged to execute arbitrary code subject to the user’s privileges.

#TRUSTED 95106af1beb5e3e6e238b70a1dd223a579e6bc0e2b9bf360de8f6ea328eb220341e92a70013c896a8d8d00fb82a341a130bacb460fcd800b8676c0b3d9d2ea98e744e8bb7b64eb4b85f7b27badcb7b5886624b3cafed63df9354953478fc723fa31c5494645978ba725341aee951747a40819aa9e94a61cba89c9491fbc592c6c4065f9ef38b6f4df7203d997de8c9926e986e1730321696cd2bc793f625c27534ba7bb360118e8bc5fb52a2a87c0f36f246803e4f132c7a1df7b964fda6014ce51ba13a9797561a5ffe0e832e524735a605c33cbe95372a695b540d62bc4f47bf825df2b27b11c30ae02fccd4dbc154b0b4ececb890374b5869cd42a77b1574493f9b6accde16bc2b2b907277f79514d2d29683ed55054a07ab82197e6ece54185d9f87b75f72b8b753509d75b90b63eba58d842efef14d7fabb1e9bc23d331126c856cfd75ea4a5868e6c4bfea9db88f355c3cce29485aced85731f31769ab750a69382f321f3f71e50203b11088dc520e9323d4650db0b7528ebbaac8247f1c2d1091dbe0f17121503f9c53f521ea37d7d92008a203fe2a9367e86c971bb6743cd49f351b72f2537a99e9c6b1c86e978c093824e76554f480b8e84276c71ff4f15d7c4154cf85a1ca291dd42957a1965bc1da108afff711a96a489e89fd893eeaaad17cde70d922869edc266746873d03bd6b867e19b31a3908c62c3c5ffd
#TRUST-RSA-SHA256 2373a1442cb4b11f42ec017a27358d03babff7b6afa7412e8e48c11dddeac2e7adee5a6f4e62c8a91ffcbc3c9e5e47d559e03e58b0e459aa969e155fbe4986626f55478582633c8367d01f14537a59146861cbe36aff341b2ae77dd86a750d634c353793f1756a43f8205d5eb006f5a7a019388c2ecd5d9952cfe5319db08ddb1128bf447f4c9e70734d25e786eed5e0cc823a25e19774353beb610b44b49bf87717467e42c111d452d1e11aad048133239f704330fcb095709c624d4c06f77845bc2cbf02177799ee648de7401e269f6cd47faaf482f6f7673aeca7891d97b8fd9407a1ee6f4504e2dac4b38da27fe50f266abe71048913c1b21f480d7a32d6e1412fb2ec41d9acc01056311f2ae76b4a73ec7c716ba5c3ce60e473ace9442d9faeeefce8f0ba7d1ee02698773c20155b98709abdae6178a47a51c003356be5e661d87679f0061a4260273f5f76174476659dcf9bb15a3e7d6d3a4f851f64edff00ae3ce45195f0951645ad86e0ed7775f5849515177d9f020d93c381281260276ef9ee41a44347998474897d043564ea3fbf011b4dcedc2aade0f16913727e111d9202adb405eb064a1bfeecf753359b3b74b0efbe741d2d58b78a34738e7457736fd73d0ead12abb5ad1f2f97c905150e18b5af16abdd13152b78fce50959f71d9ad97f33a6ce0c9aed5dde195fe9cf5f15aa5247009af876c1a8414c0cd4
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(50063);
  script_version("1.27");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/11/27");

  script_cve_id(
    "CVE-2009-3127",
    "CVE-2009-3129",
    "CVE-2009-3130",
    "CVE-2009-3131",
    "CVE-2009-3132",
    "CVE-2009-3133",
    "CVE-2009-3134",
    "CVE-2009-3135"
  );
  script_bugtraq_id(
    36908,
    36909,
    36911,
    36912,
    36943,
    36945,
    36946,
    36950
  );
  script_xref(name:"MSFT", value:"MS09-067");
  script_xref(name:"MSFT", value:"MS09-068");
  script_xref(name:"MSKB", value:"972652");
  script_xref(name:"MSKB", value:"976307");
  script_xref(name:"MSKB", value:"976828");
  script_xref(name:"MSKB", value:"976830");
  script_xref(name:"MSKB", value:"976831");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/03/24");

  script_name(english:"MS09-067 / MS09-068: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (972652 / 976307) (Mac OS X)");

  script_set_attribute(attribute:"synopsis", value:
"An application installed on the remote Mac OS X host is affected by
multiple remote code execution vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote Mac OS X host is running a version of Microsoft Office that
is affected by several vulnerabilities.

If an attacker can trick a user on the affected host into opening a
specially crafted Excel or Word file, these issues could be leveraged
to execute arbitrary code subject to the user's privileges.");
  script_set_attribute(attribute:"see_also", value:"http://technet.microsoft.com/en-us/security/bulletin/ms09-067");
  script_set_attribute(attribute:"see_also", value:"http://technet.microsoft.com/en-us/security/bulletin/ms09-068");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Office 2004 for Mac,
Office 2008 for Mac, and Open XML File Format Converter for Mac.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2009-3135");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'MS09-067 Microsoft Excel Malformed FEATHEADER Record Vulnerability');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_cwe_id(94);

  script_set_attribute(attribute:"vuln_publication_date", value:"2009/11/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2009/11/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/10/20");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office:2004::mac");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office:2008::mac");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:open_xml_file_format_converter:::mac");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2010-2023 Tenable Network Security, Inc.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/MacOSX/packages", "Host/uname");

  exit(0);
}


include("misc_func.inc");
include("ssh_func.inc");
include("macosx_func.inc");



enable_ssh_wrappers();

function exec(cmd)
{
  local_var buf, ret;

  if (islocalhost())
    buf = pread_wrapper(cmd:"/bin/bash", argv:make_list("bash", "-c", cmd));
  else
  {
    ret = ssh_open_connection();
    if (!ret) exit(1, "ssh_open_connection() failed.");
    buf = ssh_cmd(cmd:cmd);
    ssh_close_connection();
  }
  return buf;
}


packages = get_kb_item("Host/MacOSX/packages");
if (!packages) exit(1, "The 'Host/MacOSX/packages' KB item is missing.");

uname = get_kb_item("Host/uname");
if (!uname) exit(1, "The 'Host/uname' KB item is missing.");
if (!egrep(pattern:"Darwin.*", string:uname)) exit(1, "The host does not appear to be using the Darwin sub-system.");


# Gather version info.
info = '';
installs = make_array();

prod = 'Office 2008 for Mac';
plist = "/Applications/Microsoft Office 2008/Office/MicrosoftComponentPlugin.framework/Versions/12/Resources/Info.plist";
cmd =  'cat \'' + plist + '\' | ' +
  'grep -A 1 CFBundleShortVersionString | ' +
  'tail -n 1 | ' +
  'sed \'s/.*string>\\(.*\\)<\\/string>.*/\\1/g\'';
version = exec(cmd:cmd);
if (version && version =~ "^[0-9]+\.")
{
  version = chomp(version);
  if (version !~ "^12\.") exit(1, "Failed to get the version for "+prod+" - '"+version+"'.");

  installs[prod] = version;

  ver = split(version, sep:'.', keep:FALSE);
  for (i=0; i<max_index(ver); i++)
    ver[i] = int(ver[i]);

  fixed_version = '12.2.3';
  fix = split(fixed_version, sep:'.', keep:FALSE);
  for (i=0; i<max_index(fix); i++)
    fix[i] = int(fix[i]);

  for (i=0; i<max_index(fix); i++)
    if ((ver[i] < fix[i]))
    {
      info +=
        '\n  Product           : ' + prod +
        '\n  Installed version : ' + version +
        '\n  Fixed version     : ' + fixed_version + '\n';
      break;
    }
    else if (ver[i] > fix[i])
      break;
}

prod = 'Office 2004 for Mac';
cmd = GetCarbonVersionCmd(file:"Microsoft Component Plugin", path:"/Applications/Microsoft Office 2004/Office");
version = exec(cmd:cmd);
if (version && version =~ "^[0-9]+\.")
{
  version = chomp(version);
  if (version !~ "^11\.") exit(1, "Failed to get the version for "+prod+" - '"+version+"'.");

  installs[prod] = version;

  ver = split(version, sep:'.', keep:FALSE);
  for (i=0; i<max_index(ver); i++)
    ver[i] = int(ver[i]);

  fixed_version = '11.5.6';
  fix = split(fixed_version, sep:'.', keep:FALSE);
  for (i=0; i<max_index(fix); i++)
    fix[i] = int(fix[i]);

  for (i=0; i<max_index(fix); i++)
    if ((ver[i] < fix[i]))
    {
      info +=
        '\n  Product           : ' + prod +
        '\n  Installed version : ' + version +
        '\n  Fixed version     : ' + fixed_version + '\n';
      break;
    }
    else if (ver[i] > fix[i])
      break;
}

prod = 'Open XML File Format Converter for Mac';
plist = "/Applications/Open XML Converter.app/Contents/Info.plist";
cmd =  'cat \'' + plist + '\' | ' +
  'grep -A 1 CFBundleShortVersionString | ' +
  'tail -n 1 | ' +
  'sed \'s/.*string>\\(.*\\)<\\/string>.*/\\1/g\'';
version = exec(cmd:cmd);
if (version && version =~ "^[0-9]+\.")
{
  version = chomp(version);
  installs[prod] = version;

  ver = split(version, sep:'.', keep:FALSE);
  for (i=0; i<max_index(ver); i++)
    ver[i] = int(ver[i]);

  fixed_version = '1.1.3';
  fix = split(fixed_version, sep:'.', keep:FALSE);
  for (i=0; i<max_index(fix); i++)
    fix[i] = int(fix[i]);

  for (i=0; i<max_index(fix); i++)
    if ((ver[i] < fix[i]))
    {
      info +=
        '\n  Product           : ' + prod +
        '\n  Installed version : ' + version +
        '\n  Fixed version     : ' + fixed_version + '\n';
      break;
    }
    else if (ver[i] > fix[i])
      break;
}


# Report findings.
if (info)
{
  gs_opt = get_kb_item("global_settings/report_verbosity");
  if (gs_opt && gs_opt != 'Quiet') security_hole(port:0, extra:info);
  else security_hole(0);

  exit(0);
}
else
{
  if (max_index(keys(installs)) == 0) exit(0, "Office for Mac / Open XML File Format Converter is not installed.");
  else
  {
    msg = 'The host has ';
    foreach prod (sort(keys(installs)))
      msg += prod + ' ' + installs[prod] + ' and ';
    msg = substr(msg, 0, strlen(msg)-1-strlen(' and '));

    msg += ' installed and thus is not affected.';

    exit(0, msg);
  }
}

VendorProductVersionCPE
microsoftoffice2004cpe:/a:microsoft:office:2004::mac
microsoftoffice2008cpe:/a:microsoft:office:2008::mac
microsoftopen_xml_file_format_convertercpe:/a:microsoft:open_xml_file_format_converter:::mac

Vendor	Product	Version	CPE
microsoft	office	2004	cpe:/a:microsoft:office:2004::mac
microsoft	office	2008	cpe:/a:microsoft:office:2008::mac
microsoft	open_xml_file_format_converter		cpe:/a:microsoft:open_xml_file_format_converter:::mac