Lucene search
This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.SMB_NT_MS07-060.NASLHistoryOct 09, 2007 - 12:00 a.m.
MS07-060: Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (942695)
2007-10-0900:00:00
This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
www.tenable.com
12
9.3 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.74 High
EPSS
Percentile
98.1%
The remote host is running a version of Microsoft Word that may allow arbitrary code to be run.
An attacker may use this to execute arbitrary code on this host.
To succeed, the attacker would have to send a rogue file to a user of the remote computer and have it open it. Then a bug in the font parsing handler would result in code execution.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(26966);
script_version("1.32");
script_cvs_date("Date: 2018/11/15 20:50:30");
script_cve_id("CVE-2007-3899");
script_bugtraq_id(25906);
script_xref(name:"MSFT", value:"MS07-060");
script_xref(name:"MSKB", value:"942669");
script_xref(name:"MSKB", value:"942670");
script_name(english:"MS07-060: Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (942695)");
script_summary(english:"Determines the version of WinWord.exe");
script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host through Microsoft
Word.");
script_set_attribute(attribute:"description", value:
"The remote host is running a version of Microsoft Word that may allow
arbitrary code to be run.
An attacker may use this to execute arbitrary code on this host.
To succeed, the attacker would have to send a rogue file to a user of
the remote computer and have it open it. Then a bug in the font parsing
handler would result in code execution.");
script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2007/ms07-060");
script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Word 2000 and XP.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_cwe_id(94);
script_set_attribute(attribute:"vuln_publication_date", value:"2007/10/09");
script_set_attribute(attribute:"patch_publication_date", value:"2007/10/09");
script_set_attribute(attribute:"plugin_publication_date", value:"2007/10/09");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
script_family(english:"Windows : Microsoft Bulletins");
script_dependencies("smb_nt_ms02-031.nasl", "office_installed.nasl", "ms_bulletin_checks_possible.nasl");
script_require_keys("SMB/MS_Bulletin_Checks/Possible");
script_require_ports(139, 445, "Host/patch_management_checks");
exit(0);
}
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("misc_func.inc");
include("audit.inc");
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
bulletin = 'MS07-060';
kbs = make_list("942669", "942670");
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
port = get_kb_item("SMB/transport");
#
# Word
#
vuln = 0;
list = get_kb_list_or_exit("SMB/Office/Word/*/ProductPath");
foreach item (keys(list))
{
v = item - 'SMB/Office/Word/' - '/ProductPath';
if(ereg(pattern:"^9\..*", string:v))
{
# Word 2000 - fixed in 9.0.0.8965
office_sp = get_kb_item("SMB/Office/2000/SP");
if (!isnull(office_sp) && office_sp == 3)
{
sub = ereg_replace(pattern:"^9\.00?\.00?\.([0-9]*)$", string:v, replace:"\1");
if(sub != v && int(sub) < 8965 ) {
vuln++;
info =
'\n Product : Word 2000' +
'\n Installed version : ' + v +
'\n Fixed version : 9.0.0.8965\n';
hotfix_add_report(info, bulletin:bulletin, kb:'942669');
}
}
}
else if(ereg(pattern:"^10\..*", string:v))
{
# Word XP - fixed in 10.0.6835.0
office_sp = get_kb_item("SMB/Office/XP/SP");
if (!isnull(office_sp) && office_sp == 3)
{
middle = ereg_replace(pattern:"^10\.0\.([0-9]*)\.[0-9]*$", string:v, replace:"\1");
if(middle != v && int(middle) < 6835) {
vuln++;
info =
'\n Product : Word 2002' +
'\n Installed version : ' + v +
'\n Fixed version : 10.0.6835.0\n';
hotfix_add_report(info, bulletin:bulletin, kb:'942670');
}
}
}
}
if (vuln)
{
set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
hotfix_security_hole();
exit(0);
}
else audit(AUDIT_HOST_NOT, 'affected');
Related
checkpoint_advisories
checkpoint_advisories
Microsoft Word Malformed String Memory Corruption (MS07-060; CVE-2007-3899)
2007-10-15 00:00:00
cve
cve
CVE-2007-3899
2007-10-09 22:17:00
nessus
nessus
nvd
nvd
CVE-2007-3899
2007-10-09 22:17:00
prion
prion
Memory corruption
2007-10-09 22:17:00
cvelist
cvelist
CVE-2007-3899
2007-10-09 22:00:00
seebug
seebug
Microsoft Word工作区内存破坏远程代码执行漏洞(MS07-060)
2007-10-12 00:00:00
9.3 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.74 High
EPSS
Percentile
98.1%
Related for SMB_NT_MS07-060.NASL