Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2007-2018 Tenable Network Security, Inc.SMB_NT_MS07-031.NASL
HistoryJun 12, 2007 - 12:00 a.m.

MS07-031: Vulnerability in the Windows Schannel Security Package Could Allow Remote Code Execution (935840)

2007-06-1200:00:00
This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
www.tenable.com
16
JSON

The remote host is running a version of Windows that has a bug in the SSL/TLS server-key exchange handling routine that may allow an attacker to execute arbitrary code on the remote host by luring a user on the remote host into visiting a rogue website.

On Windows 2000 and 2003 this vulnerability only results in a crash of the web browser.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(25484);
 script_version("1.31");
 script_cvs_date("Date: 2018/11/15 20:50:30");

 script_cve_id("CVE-2007-2218");
 script_bugtraq_id(24416);
 script_xref(name:"MSFT", value:"MS07-031");
 script_xref(name:"MSKB", value:"935840");
 
 script_xref(name:"CERT", value:"810073");

 script_name(english:"MS07-031: Vulnerability in the Windows Schannel Security Package Could Allow Remote Code Execution (935840)");
 script_summary(english:"Determines the presence of update 935840");

 script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host through the web
browser.");
 script_set_attribute(attribute:"description", value:
"The remote host is running a version of Windows that has a bug in the
SSL/TLS server-key exchange handling routine that may allow an attacker
to execute arbitrary code on the remote host by luring a user on the
remote host into visiting a rogue website.

On Windows 2000 and 2003 this vulnerability only results in a crash of
the web browser.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2007/ms07-031");
 script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows 2000, XP, and
2003.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"false");

 script_set_attribute(attribute:"vuln_publication_date", value:"2007/06/12");
 script_set_attribute(attribute:"patch_publication_date", value:"2007/06/12");
 script_set_attribute(attribute:"plugin_publication_date", value:"2007/06/12");

 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");

 script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");
 script_require_ports(139, 445, 'Host/patch_management_checks');
 exit(0);
}


include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS07-031';
kb = '935840';

kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(win2k:'4,5', xp:'2', win2003:'1,2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if (
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"Schannel.dll", version:"5.2.3790.4068", dir:"\System32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.2", sp:1, file:"Schannel.dll", version:"5.2.3790.2924", dir:"\System32", bulletin:bulletin, kb:kb) ||

  hotfix_is_vulnerable(os:"5.1", file:"Schannel.dll", version:"5.1.2600.3126", dir:"\System32", bulletin:bulletin, kb:kb) ||

  hotfix_is_vulnerable(os:"5.0", file:"Schannel.dll", version:"5.1.2195.7136", dir:"\System32", bulletin:bulletin, kb:kb)
)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}
VendorProductVersionCPE
microsoftwindowscpe:/o:microsoft:windows

Related

cvelist 1
cve 1
checkpoint_advisories 1
securityvulns 2
prion 1
cert 1
cvelist
cvelist
CVE-2007-2218
2007-06-12 19:00:00
cve
cve
CVE-2007-2218
2007-06-12 19:30:00
checkpoint_advisories
checkpoint_advisories
Microsoft Windows Schannel Security Package Code Execution (MS07-031; CVE-2007-2218)
2009-10-27 00:00:00
securityvulns
securityvulns
Microsoft Security Bulletin MS07-031 - Critical Vulnerability in the Windows Schannel Security Package Could Allow Remote Code Execution &#40;935840&#41;
2007-06-12 00:00:00
Microsoft Windows Secure Channle DoS
2007-06-13 00:00:00
prion
prion
Design/Logic Flaw
2007-06-12 19:30:00
cert
cert
Microsoft Windows Secure Channel integer underflow
2007-06-14 00:00:00
JSON
Related for SMB_NT_MS07-031.NASL
cvelist1cve1checkpoint_advisories1securityvulns2prion1cert1