The remote Mac OS X host is running a version of Microsoft Office that is affected by several vulnerabilities.
If an attacker can trick a user on the affected host into opening a specially crafted Office file, these issues could be leveraged to execute arbitrary code subject to the user’s privileges.
#TRUSTED 6df29cd352b7dcaab7132f5baa242e6610160b9bfe5c01b4e20937a58e9aa3f9c249a6642989488ed8f4fbb0acd999f2aa9153fbab90f2f56ae209e0413ea13eb94e93c9e28a80bb897b5c44707a58255519ab1e0db0ee10f13a21551d762b6d2a4959581a6148814eaf259fb5678803bef1237b8d5671aad04b13eef6533eda88fbab38739cbe8befdb249c4186c50b43cf4e042321926d0fa9780539c9cc6a3d7348e9dcdf9d12676c56f4f10f2d9a6cbd09bad9bd8d364291e2c8cbd7a01d7f17b6f724d0415a0c7ad6a4a090e407a3b73689f53d3c84a1f03a787fc5d69d315ea53807abeea279b6324811a57909075cd8d6a4bd6747a9944d330bc2bab8c4bfdde3f1f59702a1687b1b64beb2b3bec00c5ab8cc4fb98f7acbb82f8f8f3c453b7857d682184f86af27ccbf46b02a7b36819d49bcf9f5864b44cb893bbfb0c9676d1be3727f8ac167d8ae84d7676f40aeddc010a6ebf73dcebaa5e56eb33259a4f32619a745d9c1ef883400767ef5c17a265fc3f8ff6a9fdb86053a0425f953f0a8796ed287883d9d82bc13a1297cec9bf0c3ba140cc4847e2821f0ec6820d1270f8cac8c969e2c694f4ead4b6f4f7126a0db8e6b10a3ef2bcf13d0c915c92cb7db131425115f431403ebd4b41fb5ea7429458426f1a2d9e8b9c6d3ad5155ac2cd81282163bd3311dc603f803e54cb1ef190b0251dc5078e909125dab85b5
#TRUST-RSA-SHA256 68595d70fb84268ae4b2b52f899b176878ab43d8b7bd890cff7499b4545446c3eb4c1169547320e9790f17b40ba6c10bd39827de7217621bac3921ef108f0eb267cba10af0ed66219055dd29ee4287a66f338d398c4348bcdd7ee0cf453b06cf506306730f9ada5f869ecc19b5558d3c6474229de813d901694c2f960954c80fa3d6c28f1424153bf7dc9f9b24dad46b9a8f861b63129331bae9db35224566d75bc7483e798ffeec890831c3150fc3bd6b16ba99d4dff85f1222a6ec464131b42e235620a01f14f3f8058c0ad7f4ae0079a2d25f5bbd335a5fe13e40c1f8ff9428ad91680d7d4a55443d001b1940ab44b73bade73599f5d8266c9382b947c0ef651e090c9cdbeddb84693d30b481355c444b1766ff78a9670604af821ad3f39aa5a3c7b100a0f41b55b6bc1dbe991b009e94902af518f5b2146d0f14c67041f97bf96b1ef91fc46d1cffcc9e7a01d2e943adf7b7ca342460ba78ac3b8f52811be08a5c39c4c1fecd0139c6eba266468ea408f3be86159a9f6d041be4a75a49d8a78cc72e52bd36e4421d9d96981eeb02d80fad263e6560e7f97992f1b2d7ca20b5467732fd51f7c71b78d823e0ebfc3fe9eb5c6e3e939775bde6666e5769350eba05b99cd5dcced48378ed4ba831eecc9a46f257334fffb07deeb8353abe8efbad20a7b95583950be18cf14d4dc3e8977a531e131157e8492e045f075b9094cf
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(50531);
script_version("1.28");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/11/27");
script_cve_id(
"CVE-2010-3333",
"CVE-2010-3334",
"CVE-2010-3335",
"CVE-2010-3336"
);
script_bugtraq_id(
44652,
44656,
44659,
44660
);
script_xref(name:"MSFT", value:"MS10-087");
script_xref(name:"MSKB", value:"2423930");
script_xref(name:"MSKB", value:"2454823");
script_xref(name:"MSKB", value:"2476511");
script_xref(name:"MSKB", value:"2476512");
script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/03/24");
script_name(english:"MS10-087: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2423930) (Mac OS X)");
script_set_attribute(attribute:"synopsis", value:
"An application installed on the remote Mac OS X host is affected by
multiple remote code execution vulnerabilities.");
script_set_attribute(attribute:"description", value:
"The remote Mac OS X host is running a version of Microsoft Office that
is affected by several vulnerabilities.
If an attacker can trick a user on the affected host into opening a
specially crafted Office file, these issues could be leveraged to
execute arbitrary code subject to the user's privileges.");
script_set_attribute(attribute:"see_also", value:"http://technet.microsoft.com/en-us/security/bulletin/ms10-087");
script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Office for Mac 2011,
Office 2008 for Mac, and Open XML File Format Converter for Mac.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2010-3336");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'MS10-087 Microsoft Word RTF pFragments Stack Buffer Overflow (File Format)');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2010/11/09");
script_set_attribute(attribute:"patch_publication_date", value:"2010/11/09");
script_set_attribute(attribute:"plugin_publication_date", value:"2010/11/09");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office:2008::mac");
script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office:2011::mac");
script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:open_xml_file_format_converter:::mac");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"MacOS X Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2010-2023 Tenable Network Security, Inc.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/MacOSX/packages", "Host/uname");
exit(0);
}
include("misc_func.inc");
include("ssh_func.inc");
include("macosx_func.inc");
enable_ssh_wrappers();
function exec(cmd)
{
local_var buf, ret;
if (islocalhost())
buf = pread_wrapper(cmd:"/bin/bash", argv:make_list("bash", "-c", cmd));
else
{
ret = ssh_open_connection();
if (!ret) exit(1, "ssh_open_connection() failed.");
buf = ssh_cmd(cmd:cmd);
ssh_close_connection();
}
return buf;
}
packages = get_kb_item("Host/MacOSX/packages");
if (!packages) exit(1, "The 'Host/MacOSX/packages' KB item is missing.");
uname = get_kb_item("Host/uname");
if (!uname) exit(1, "The 'Host/uname' KB item is missing.");
if (!egrep(pattern:"Darwin.*", string:uname)) exit(1, "The host does not appear to be using the Darwin sub-system.");
# Gather version info.
info = '';
installs = make_array();
prod = 'Office for Mac 2011';
plist = "/Applications/Microsoft Office 2011/Office/MicrosoftComponentPlugin.framework/Versions/14/Resources/Info.plist";
cmd = 'cat \'' + plist + '\' | ' +
'grep -A 1 CFBundleShortVersionString | ' +
'tail -n 1 | ' +
'sed \'s/.*string>\\(.*\\)<\\/string>.*/\\1/g\'';
version = exec(cmd:cmd);
if (version && version =~ "^[0-9]+\.")
{
version = chomp(version);
if (version !~ "^14\.") exit(1, "Failed to get the version for "+prod+" - '"+version+"'.");
installs[prod] = version;
ver = split(version, sep:'.', keep:FALSE);
for (i=0; i<max_index(ver); i++)
ver[i] = int(ver[i]);
fixed_version = '14.0.1';
fix = split(fixed_version, sep:'.', keep:FALSE);
for (i=0; i<max_index(fix); i++)
fix[i] = int(fix[i]);
for (i=0; i<max_index(fix); i++)
if ((ver[i] < fix[i]))
{
info +=
'\n Product : ' + prod +
'\n Installed version : ' + version +
'\n Fixed version : ' + fixed_version + '\n';
break;
}
else if (ver[i] > fix[i])
break;
}
prod = 'Office 2008 for Mac';
plist = "/Applications/Microsoft Office 2008/Office/MicrosoftComponentPlugin.framework/Versions/12/Resources/Info.plist";
cmd = 'cat \'' + plist + '\' | ' +
'grep -A 1 CFBundleShortVersionString | ' +
'tail -n 1 | ' +
'sed \'s/.*string>\\(.*\\)<\\/string>.*/\\1/g\'';
version = exec(cmd:cmd);
if (version && version =~ "^[0-9]+\.")
{
version = chomp(version);
if (version !~ "^12\.") exit(1, "Failed to get the version for "+prod+" - '"+version+"'.");
installs[prod] = version;
ver = split(version, sep:'.', keep:FALSE);
for (i=0; i<max_index(ver); i++)
ver[i] = int(ver[i]);
fixed_version = '12.2.8';
fix = split(fixed_version, sep:'.', keep:FALSE);
for (i=0; i<max_index(fix); i++)
fix[i] = int(fix[i]);
for (i=0; i<max_index(fix); i++)
if ((ver[i] < fix[i]))
{
info +=
'\n Product : ' + prod +
'\n Installed version : ' + version +
'\n Fixed version : ' + fixed_version + '\n';
break;
}
else if (ver[i] > fix[i])
break;
}
prod = 'Open XML File Format Converter for Mac';
plist = "/Applications/Open XML Converter.app/Contents/Info.plist";
cmd = 'cat \'' + plist + '\' | ' +
'grep -A 1 CFBundleShortVersionString | ' +
'tail -n 1 | ' +
'sed \'s/.*string>\\(.*\\)<\\/string>.*/\\1/g\'';
version = exec(cmd:cmd);
if (version && version =~ "^[0-9]+\.")
{
version = chomp(version);
installs[prod] = version;
ver = split(version, sep:'.', keep:FALSE);
for (i=0; i<max_index(ver); i++)
ver[i] = int(ver[i]);
fixed_version = '1.1.8';
fix = split(fixed_version, sep:'.', keep:FALSE);
for (i=0; i<max_index(fix); i++)
fix[i] = int(fix[i]);
for (i=0; i<max_index(fix); i++)
if ((ver[i] < fix[i]))
{
info +=
'\n Product : ' + prod +
'\n Installed version : ' + version +
'\n Fixed version : ' + fixed_version + '\n';
break;
}
else if (ver[i] > fix[i])
break;
}
# Report findings.
if (info)
{
gs_opt = get_kb_item("global_settings/report_verbosity");
if (gs_opt && gs_opt != 'Quiet') security_hole(port:0, extra:info);
else security_hole(0);
exit(0);
}
else
{
if (max_index(keys(installs)) == 0) exit(0, "Office for Mac / Open XML File Format Converter is not installed.");
else
{
msg = 'The host has ';
foreach prod (sort(keys(installs)))
msg += prod + ' ' + installs[prod] + ' and ';
msg = substr(msg, 0, strlen(msg)-1-strlen(' and '));
msg += ' installed and thus is not affected.';
exit(0, msg);
}
}