Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2006-2018 Tenable Network Security, Inc.SMB_NT_MS06-058.NASL
HistoryOct 10, 2006 - 12:00 a.m.

MS06-058: Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (924163)

2006-10-1000:00:00
This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
www.tenable.com
10
JSON

The remote host is running a version of Microsoft PowerPoint that is subject to a flaw that could allow arbitrary code to be run.

An attacker may use this to execute arbitrary code on this host.

To succeed, the attacker would have to send a rogue file to a user of the remote computer and have it open it. Then a bug in the font parsing handler would result in code execution.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(22531);
 script_version("1.36");
 script_cvs_date("Date: 2018/11/15 20:50:30");

 script_cve_id("CVE-2006-3435","CVE-2006-3876","CVE-2006-3877","CVE-2006-4694");
 script_bugtraq_id(20226, 20304, 20322, 20325);
 script_xref(name:"CERT", value:"231204");
 script_xref(name:"MSFT", value:"MS06-058");
 script_xref(name:"MSKB", value:"923091");
 script_xref(name:"MSKB", value:"923092");
 script_xref(name:"MSKB", value:"923093");
 script_xref(name:"MSKB", value:"924163");

 script_name(english:"MS06-058: Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (924163)");
 script_summary(english:"Determines the version of PowerPoint.exe");

 script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host through Microsoft
PowerPoint.");
 script_set_attribute(attribute:"description", value:
"The remote host is running a version of Microsoft PowerPoint that is
subject to a flaw that could allow arbitrary code to be run.

An attacker may use this to execute arbitrary code on this host.

To succeed, the attacker would have to send a rogue file to a user of
the remote computer and have it open it.  Then a bug in the font parsing
handler would result in code execution.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2006/ms06-058");
 script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for PowerPoint 2000, XP and
2003.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"exploited_by_malware", value:"true");
 script_cwe_id(94);

 script_set_attribute(attribute:"vuln_publication_date", value:"2006/09/26");
 script_set_attribute(attribute:"patch_publication_date", value:"2006/10/10");
 script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/10");

 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:powerpoint");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");

 script_dependencies("smb_nt_ms02-031.nasl", "office_installed.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");
 script_require_ports(139, 445, 'Host/patch_management_checks');
 exit(0);
}

include("smb_func.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("misc_func.inc");
include("audit.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS06-058';
kbs = make_list("923091", "923092", "923093", "924163");
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
port = get_kb_item("SMB/transport");


kb = '924163';

#
# PowerPoint
#
vulns = 0;
list = get_kb_list_or_exit("SMB/Office/PowerPoint/*/ProductPath");
foreach item (keys(list))
{
  v = item - 'SMB/Office/PowerPoint/' - '/ProductPath';
 if(ereg(pattern:"^9\..*", string:v))
 {
  # PowerPoint 2000 - fixed in 9.00.00.8952
  office_sp = get_kb_item("SMB/Office/2000/SP");
  if (!isnull(office_sp) && office_sp == 3)
  {
    kb = '923093';
    sub =  ereg_replace(pattern:"^9\.00?\.00?\.([0-9]*)$", string:v, replace:"\1");
    if(sub != v && int(sub) < 8952 ) { {
      vuln++;
      hotfix_add_report(bulletin:bulletin, kb:kb);
    }}
  }
 }
 else if(ereg(pattern:"^10\..*", string:v))
 {
  # PowerPoint XP - fixed in 10.0.6819.0
  office_sp = get_kb_item("SMB/Office/XP/SP");
  if (!isnull(office_sp) && office_sp == 3)
  {
    kb = '923092';
    middle =  ereg_replace(pattern:"^10\.0\.([0-9]*)\.[0-9]*$", string:v, replace:"\1");
    if(middle != v && int(middle) < 6819) { {
      vuln++;
      hotfix_add_report(bulletin:bulletin, kb:kb);
    }}
  }
 }
 else if(ereg(pattern:"^11\..*", string:v))
 {
  # PowerPoint 2003 - fixed in 11.8110.0
  office_sp = get_kb_item("SMB/Office/2003/SP");
  if (!isnull(office_sp) && (office_sp == 1 || office_sp == 2))
  {
    kb = '923091';
    middle =  ereg_replace(pattern:"^11\.0\.([0-9]*)\.[0-9]*$", string:v, replace:"\1");
    if(middle != v && int(middle) < 8110) { {
      vuln++;
      hotfix_add_report(bulletin:bulletin, kb:kb);
    }}
  }
 }
}
if (vuln)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  exit(0);
}
else audit(AUDIT_HOST_NOT, 'affected');
VendorProductVersionCPE
microsoftofficecpe:/a:microsoft:office
microsoftpowerpointcpe:/a:microsoft:powerpoint

Related

securityvulns 5
cve 6
prion 1
saint 8
checkpoint_advisories 3
cert 4
zdi 1
nessus 3
securityvulns
securityvulns
Microsoft Security Bulletin MS06-058 Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution &#40;924163&#41;
2006-10-11 00:00:00
Microsoft Security Advisory &#40;925984&#41; Vulnerability in PowerPoint Could Allow Remote Code Execution
2006-09-28 00:00:00
ZDI-06-032: Microsoft Office PowerPoint Malformed Slide Notes Rebuilding Vulnerability
2006-10-11 00:00:00
cve
cve
CVE-2006-3877
2006-10-10 22:07:00
CVE-2006-5296
2006-10-16 19:07:00
CVE-2006-3876
2006-10-10 21:07:00
prion
prion
Design/Logic Flaw
2007-02-14 01:28:00
saint
saint
Microsoft PowerPoint NamedShows record code execution
2006-10-12 00:00:00
Microsoft PowerPoint NamedShows record code execution
2006-10-12 00:00:00
Microsoft PowerPoint NamedShows record code execution
2006-10-12 00:00:00
checkpoint_advisories
checkpoint_advisories
Microsoft PowerPoint Malformed Record Code Execution (MS06-058) - ver 2 (CVE-2006-4694)
2015-03-22 00:00:00
Microsoft PowerPoint Malformed Record Code Execution (MS06-058; CVE-2006-4694)
2015-03-29 00:00:00
Microsoft PowerPoint Malformed Data Record Code Execution (MS06-058; CVE-2006-3876)
2010-10-24 00:00:00
cert
cert
Microsoft PowerPoint fails to properly handle malformed records
2006-09-27 00:00:00
Microsoft PowerPoint fails to properly handle malformed data records
2006-10-10 00:00:00
Microsoft PowerPoint malformed record memory corruption
2006-10-10 00:00:00
zdi
zdi
Microsoft PowerPoint Malformed Slide Notes Rebuilding Vulnerability
2006-10-10 00:00:00
nessus
nessus
MS06-058 / MS06-059 / MS06-0060 / MS06-062: Vulnerabilities in Microsoft Office Allow Remote Code Execution (924163 / 924164 / 924554 / 922581) (Mac OS X)
2006-10-11 00:00:00
MS07-015: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (932554)
2007-02-13 00:00:00
MS07-014 / MS07-015: Vulnerabilities in Microsoft Word and Office Could Allow Remote Code Execution (929434 / 932554) (Mac OS X)
2007-02-13 00:00:00
JSON
Related for SMB_NT_MS06-058.NASL
securityvulns5cve6prion1saint8checkpoint_advisories3cert4zdi1nessus3