nessus | This script is Copyright (C) 2006-2023 Tenable Network Security, Inc. | MACOSX_MS_OFFICE_OCT2006.NASL
History: Oct 11, 2006 - 12:00 a.m.

MS06-058 / MS06-059 / MS06-060 / MS06-062: Vulnerabilities in Microsoft Office Allow Remote Code Execution (924163 / 924164 / 924554 / 922581) (Mac OS X)

2006-10-11 00:00:00
This script is Copyright (C) 2006-2023 Tenable Network Security, Inc.
www.tenable.com

6.7 Medium

AI Score

Confidence

Low

The remote host is running a version of Microsoft Office that is affected by various flaws that may allow arbitrary code to be run.

To succeed, the attacker would have to send a rogue file to a user of the remote computer and have them open it with Microsoft Word, Excel, PowerPoint or another Office application.

#TRUSTED 1816673e5bf1ae10b437bccec4783053d1d45107a1b975a347c46547f4cdf0a0d0f54b1c60143d96e7c64bd1a65613507874378df66601133eed8e611659eb08178617b67d50635e0d5dd4b4d969f3cfaaec01a6385ec0cf3a062d6a1dbe4f3637f795c8ed40b63da94b114f51b2417a77e6184c64083b9a1f23f6f709e2124f90d2c079a1439acaf0e5bb48bcb5c68f9f03a1a0faaf5ff971e50c07d78d6b2595ad21b58eb03663da31078b81eaf06fdefa962fba6e7b97dddd34bf2cbc688f62baebb6c5f72f1fdcbd1a7bad31202e0cc1881f084682fc8f5ba0d9dc0363d613da7cf46cc180b68cdc57701879a224467f4c4623aaaddb0d47f664e0a39c8eb4d5d296f075dca8c4c33e5109567583950d130d4b6f9f6cb7cb118de93730f6d4657b5e7f2410942a1e81a8426de46600d81b13f1543ddfb58055249d420cc9edec91ac84e0c59759570add3ddc293e56522dc3b6a01a94fd01ea2d9d9388816da078f084f9682b1cfcdfe32970ecb231b343e2ca861ec26d4b2499fe8e5fddb2762f9ab4e34d150c1f3c9ab8978bd34f26ea882f1dd005d90ae46e583ec7b783d1b8e64daea5d0263a064e50e98676cdcebc2d9f628b7136798bb690f338e71d3d1e55384093fd39bc9f56ea0535ebcdc4b3d6296b69c65a332ea6e6dead39da89e8cb34925965a86d63f7e2ce0fcbd2718509166d05e7730d0c53c0107f70
#TRUST-RSA-SHA256 85b5ad54d5f4398cd0521f0a73dc11810b40f4de7d568a373c07ed85a3cf906d272bb4919c9f9835567321b3137d9ae5301db9cb8ba7c543bad6615b4daa00cbd27fd35f90c3738a6a11d2df78870178e7f61f1a71e4de454fc2430c1370cbe22b02385df73f7990f84571c872924fa0ea35b421b7334dd93d50b7324e24c94845839110fec196b2337505d968491b1ca373586a6a7d692d699600ac289cdb060dc94c298fa420c097595e75dadf92a70ba2fe7b503ab3519aa5416a604797a4ec18d01378ba0dd94b9ae1778c3a371c215a57ed5154a5305c6d4f77b8cd8ad54c63c1a66d69298430a1a5fb3155c9fa9e634f67b8bd9f5e95fcada5241c1dc0860888e6e966e688a879c536e09e2081a1c66fb873e151ea3bb5f0dd1a8b62479b28d901db57bbb48ba277a8dc8039cfe2c368e9326e103d7c70ac9a62281699fb3f8e4dc1c3b1dde8385ad4f633dd3e3475a23acc12bcb120dc3d49e50aaeca1ea0be4ec5fa2ecd92a90f082733a43fa84d81f3dac0b4710d35dfba17ff509634faaa44bde7e746f33fe4fa63cb221fc3a4e968cfdf035fa2098d18bdc2153905378bab95ab6ef09deddf0eb89fff3ae5d0133d17f0746fe53f1c92da97ec91a13039e22e470c61ff062474e0f7309ddddf6ecda3cb16b883cbffef2e8b3590a10909076ec1424827e02bc2a3c49c6e940ca85d9634ee738643502ce9d77c24
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration pass: when `description` is set the script only declares its metadata
# (IDs, references, risk data, dependencies) and exits before any check code runs.
if (description)
{
 script_id(22539);
 script_version("1.28");
 script_set_attribute(attribute:"plugin_modification_date", value:"2023/11/27");

 # CVE identifiers attached to a finding. The entries commented out inside the list
 # are not reported by this plugin; the reason is not recorded in this file.
 script_cve_id(
  # "CVE-2006-3435",
  "CVE-2006-3876",
  "CVE-2006-3877",
  "CVE-2006-4694",
  "CVE-2006-2387",
  "CVE-2006-3431",
  "CVE-2006-3867",
  "CVE-2006-3875",
  "CVE-2006-3647",
  # "CVE-2006-3651",
  # "CVE-2006-4534",
  "CVE-2006-4693",
  "CVE-2006-3434",
  "CVE-2006-3650",
  "CVE-2006-3864"
  # "CVE-2006-3868"
 );
 # Bugtraq IDs for the same set of issues.
 script_bugtraq_id(
  18872,
  20226,
  20322,
  20325,
  20341,
  20344,
  20345,
  20382,
  20383,
  20384,
  20391
 );
 # Vendor cross-references: four Microsoft bulletins and their KB articles.
 script_xref(name:"MSFT", value:"MS06-058");
 script_xref(name:"MSFT", value:"MS06-059");
 script_xref(name:"MSFT", value:"MS06-060");
 script_xref(name:"MSFT", value:"MS06-062");
 script_xref(name:"MSKB", value:"924163");
 script_xref(name:"MSKB", value:"924164");
 script_xref(name:"MSKB", value:"924554");
 script_xref(name:"MSKB", value:"922581");

 # NOTE(review): the title spells the third bulletin "MS06-0060"; the xref and
 # see_also entries in this block use MS06-060. A search on the bulletin ID will
 # miss the title.
 script_name(english:"MS06-058 / MS06-059 / MS06-0060 / MS06-062: Vulnerabilities in Microsoft Office Allow Remote Code Execution (924163 / 924164 / 924554 / 922581) (Mac OS X)");
 script_summary(english:"Check for Office 2004 and X");

 script_set_attribute(
  attribute:"synopsis",
  value:
"An application installed on the remote Mac OS X host is affected by
multiple remote code execution vulnerabilities."
 );
 script_set_attribute(
  attribute:"description",
  value:
"The remote host is running a version of Microsoft Office that is
affected by various flaws that may allow arbitrary code to be run.

To succeed, the attacker would have to send a rogue file to a user of
the remote computer and have it open it with Microsoft Word, Excel,
PowerPoint or another Office application."
 );
 script_set_attribute(attribute:"see_also", value:"http://technet.microsoft.com/en-us/security/bulletin/ms06-058");
 script_set_attribute(attribute:"see_also", value:"http://technet.microsoft.com/en-us/security/bulletin/ms06-059");
 script_set_attribute(attribute:"see_also", value:"http://technet.microsoft.com/en-us/security/bulletin/ms06-060");
 script_set_attribute(attribute:"see_also", value:"http://technet.microsoft.com/en-us/security/bulletin/ms06-062");
 # The solution text names no target build; the check body in this file flags
 # 10.x below 10.1.8 and 11.x below 11.3.0.
 script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Office for Mac OS X.");
 # CVSS v2 base vector: network attack vector, high access complexity, no
 # authentication, complete confidentiality/integrity/availability impact.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
 # Temporal vector: exploitability high, official fix available, report confirmed.
 script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
 # The score is taken from one CVE of the set rather than computed per CVE.
 script_set_attribute(attribute:"cvss_score_source", value:"CVE-2006-4694");
 # Prioritisation data: exploit code is recorded as available and as used by malware.
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"exploited_by_malware", value:"true");
 # CWE-94: code injection.
 script_cwe_id(94);

 script_set_attribute(attribute:"vuln_publication_date", value:"2006/07/03");
 script_set_attribute(attribute:"patch_publication_date", value:"2006/10/10");
 script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/11");

 # "local" plugin type: the verdict comes from data read on the host itself, not
 # from probing a network service.
 script_set_attribute(attribute:"plugin_type", value:"local");
 # NOTE(review): the check body probes the Office X and Office 2004 install paths,
 # while the first CPE names office:2001 -- confirm which product it is meant to cover.
 script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office:2001:sr1:mac_os");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office:2004::mac");
 script_end_attributes();

 # Information-gathering category: the plugin reads version data only.
 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2006-2023 Tenable Network Security, Inc.");
 script_family(english:"MacOS X Local Security Checks");

 # Scheduling constraints: ssh_get_info.nasl is declared as a dependency and the KB
 # key Host/MacOSX/packages is required (presumably set by the credentialed
 # Mac OS X enumeration -- confirm). Without it the check has no verdict for the
 # host, which is different from "not vulnerable".
 script_dependencies("ssh_get_info.nasl");
 script_require_keys("Host/MacOSX/packages");
 exit(0);
}


include("misc_func.inc");
include("ssh_func.inc");
include("macosx_func.inc");



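# Decides whether one version string read from an Office component is below the
# builds this plugin tests for.
#
# ver: output of a version probe, expected as "major.minor.patch".
# Returns TRUE for 10.x below 10.1.8 (Office X) and 11.x below 11.3.0
# (Office 2004); FALSE for any other value, including output that does not start
# with "10." or "11." (product absent, empty output, error text).
function office_needs_update(ver)
{
  local_var parts;

  if ( ver !~ "^(10\.|11\.)" ) return FALSE;

  parts = split(ver, sep:'.', keep:FALSE);
  # < 10.1.8
  if ( int(parts[0]) == 10 && ( int(parts[1]) < 1 || ( int(parts[1]) == 1 && int(parts[2]) < 8 ) ) ) return TRUE;
  # < 11.3.0
  if ( int(parts[0]) == 11 && int(parts[1]) < 3 ) return TRUE;

  return FALSE;
}

# Check body: read the version of the "Microsoft Component Plugin" file from the
# Office 2004 and Office X install directories and report when either is too old.
enable_ssh_wrappers();

uname = get_kb_item("Host/uname");
if ( egrep(pattern:"Darwin.*", string:uname) )
{
  # Both probe commands are built from constant paths and a constant file name;
  # nothing read from the target is interpolated into a command line.
  off2004 = GetCarbonVersionCmd(file:"Microsoft Component Plugin", path:"/Applications/Microsoft Office 2004/Office");
  offX    = GetCarbonVersionCmd(file:"Microsoft Component Plugin", path:"/Applications/Microsoft Office X/Office");

  # The two suites install side by side, so both are always probed. Falling back to
  # Office X only when Office 2004 is absent would let an up-to-date Office 2004
  # hide an outdated Office X on the same host.
  if ( ! islocalhost() )
  {
   ret = ssh_open_connection();
   # No SSH session means no data and no verdict; the script ends without reporting,
   # which must not be read as "host is patched".
   if ( ! ret ) exit(0);
   ver2004 = ssh_cmd(cmd:off2004);
   verX    = ssh_cmd(cmd:offX);
   ssh_close_connection();
  }
  else
  {
   # Scanner is scanning itself: run the same probes through a local bash.
   ver2004 = pread_wrapper(cmd:"/bin/bash", argv:make_list("bash", "-c", off2004));
   verX    = pread_wrapper(cmd:"/bin/bash", argv:make_list("bash", "-c", offX));
  }

  # One finding per host, raised when at least one installed suite is outdated.
  if ( office_needs_update(ver:ver2004) || office_needs_update(ver:verX) ) security_hole(0);
}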
Vendor | Product | Version | CPE
microsoft | office | 2001 | cpe:/a:microsoft:office:2001:sr1:mac_os
microsoft | office | 2004 | cpe:/a:microsoft:office:2004::mac
