
Nessus plugin SMB_KB957488.NASL — This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. or an Affiliate thereof.

MS09-062: Vulnerabilities in GDI+ Could Allow Remote Code Execution (957488) (uncredentialed check)


The remote host has a version of SQL Server that may host the RSClientPrint ActiveX control that includes a copy of gdiplus.dll that is affected by multiple buffer overflow vulnerabilities when viewing TIFF, PNG, BMP, and Office files that could allow an attacker to execute arbitrary code on the remote host. Additionally, there is a GDI+ .NET API vulnerability that allows a malicious .NET application to gain unmanaged code execution privileges.

To exploit these flaws, an attacker would need to send a malformed image file to a user on the remote host and wait for them to open it using an affected Microsoft application.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  # Plugin registration.  Everything in this branch is metadata consumed by
  # the Nessus engine; the actual check is the top-level code after it.
  script_id(72908);
  script_version("1.11");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  # Identifiers cross-referenced to the MS09-062 bulletin (KB 957488).
  script_cve_id(
    "CVE-2009-2500",
    "CVE-2009-2501",
    "CVE-2009-2502",
    "CVE-2009-2503",
    "CVE-2009-2504",
    "CVE-2009-2518",
    "CVE-2009-2528",
    "CVE-2009-3126"
  );
  script_bugtraq_id(
    36619,
    36645,
    36646,
    36647,
    36648,
    36649,
    36650,
    36651
  );
  script_xref(name:"MSFT", value:"MS09-062");
  script_xref(name:"IAVA", value:"2009-A-0099-S");
  script_xref(name:"MSKB", value:"957488");

  script_name(english:"MS09-062: Vulnerabilities in GDI+ Could Allow Remote Code Execution (957488) (uncredentialed check)");

  script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host through the Microsoft
GDI rendering engine.");
  # Note the wording "may host": the SQL Server banner alone does not prove
  # that the RSClientPrint control (and its bundled gdiplus.dll) is present.
  script_set_attribute(attribute:"description", value:
"The remote host has a version of SQL Server that may host the
RSClientPrint ActiveX control that includes a copy of gdiplus.dll that
is affected by multiple buffer overflow vulnerabilities when viewing
TIFF, PNG, BMP, and Office files that could allow an attacker to execute
arbitrary code on the remote host.  Additionally, there is a GDI+ .NET
API vulnerability that allows a malicious .NET application to gain
unmanaged code execution privileges. 

To exploit these flaws, an attacker would need to send a malformed image
file to a user on the remote host and wait for them to open it using an
affected Microsoft application.");
  # https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-062
  script_set_attribute(attribute:"see_also", value:"https://www.nessus.org/u?1aaa5b16");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for SQL Server 2000 and
2005.");
  # CVSSv2 9.3 (network, medium complexity, no auth, full C/I/A impact).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_cwe_id(94, 119, 189);

  script_set_attribute(attribute:"vuln_publication_date", value:"2009/10/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2009/10/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/03/10");

  # Version-based, uncredentialed inference: the finding is flagged as a
  # potential vulnerability and (see script_require_keys below) only runs
  # when the scan policy enables Paranoid reporting, to limit false positives.
  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:sql_server");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Depends on the MSSQL service detector for the version KB entry, the
  # Paranoid-report setting, and an MSSQL port (1433 or a detected service).
  script_dependencies("mssqlserver_detect.nasl");
  script_require_keys("Settings/ParanoidReport");
  script_require_ports(1433, "Services/mssql");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

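# --- Remote, version-based check ------------------------------------------
#
# Reads the SQL Server version string that mssqlserver_detect.nasl stored in
# the KB and compares its build number against the ranges below.  Nothing is
# fetched from the host here, so a hit only means the server build predates
# the MS09-062 fix; whether RSClientPrint/gdiplus.dll is actually installed
# cannot be determined from the banner, which is why this runs only under
# paranoid reporting.

port = get_service(svc:"mssql", exit_on_fail:TRUE);

ver = get_kb_item("MSSQL/" + port + "/Version");
if (!ver) audit(AUDIT_SERVICE_VER_FAIL, "MSSQL", port);

# Split "major.minor.build[.rev]" into integers.  A banner with fewer than
# three dotted components cannot be matched against a build range, so bail
# out rather than compare against a missing element (a missing v[2] would
# otherwise read as NULL and could satisfy the "< N" ranges below).
v = split(ver, sep:".", keep:FALSE);
if (max_index(v) < 3) audit(AUDIT_SERVICE_VER_FAIL, "MSSQL", port);
for (i = 0; i < max_index(v); i++)
  v[i] = int(v[i]);

# Only report this version-only inference when the user opted into paranoid
# results.  With the PCI DSS setting on, service-pack levels below the ones
# that received the fix are flagged as well.
if (report_paranoia < 2) audit(AUDIT_PARANOID);
pcidss = get_kb_item("Settings/PCI_DSS");

major = v[0];
minor = v[1];
build = v[2];

vuln = FALSE;

# SQL Server 2000 (8.0.x)
if (major == 8 && minor == 0)
{
  # Builds below SP2 (8.0.534): PCI DSS scans only.
  if (pcidss && build < 534) vuln = TRUE;
  # SP2 builds below the fixed build.
  else if (build >= 1038 && build < 1067) vuln = TRUE;
}
# SQL Server 2005 (9.0.x)
else if (major == 9 && minor == 0)
{
  # Builds below SP2 (9.0.3042): PCI DSS scans only.
  if (pcidss && build < 3042) vuln = TRUE;
  # SP2 GDR branch below the fixed build.
  else if (build >= 3000 && build < 3080) vuln = TRUE;
  # SP2 QFE branch below the fixed build.
  else if (build >= 3200 && build < 3353) vuln = TRUE;
  # SP3 GDR branch below the fixed build.
  else if (build >= 4035 && build < 4053) vuln = TRUE;
  # SP3 QFE branch below the fixed build.
  else if (build >= 4200 && build < 4262) vuln = TRUE;
}

if (vuln)
{
  security_hole(port);
  exit(0);
}
audit(AUDIT_INST_VER_NOT_VULN, "MSSQL", ver);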