Lucene search
This script is Copyright (C) 2009-2022 and is owned by Tenable, Inc. or an Affiliate thereof.SMB_NT_MS09-043.NASLHistoryAug 11, 2009 - 12:00 a.m.
MS09-043: Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution (957638)
2009-08-1100:00:00
This script is Copyright (C) 2009-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
75
The remote host is running a version of Microsoft Office Web Components that is affected by various flaws that may allow arbitrary code to be run.
To succeed, the attacker would have to send specially crafted URLs to a user of the remote computer and have him process it with Microsoft Office Web Components.
#
# (C) Tenable Network Security, Inc.
#
include('compat.inc');
if (description)
{
script_id(40562);
script_version("1.34");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/06/01");
script_cve_id(
"CVE-2009-0562",
"CVE-2009-2496",
"CVE-2009-1136",
"CVE-2009-1534"
);
script_bugtraq_id(
35642,
35990,
35991,
35992
);
script_xref(name:"IAVA", value:"2009-A-0069-S");
script_xref(name:"MSFT", value:"MS09-043");
script_xref(name:"MSKB", value:"947318");
script_xref(name:"MSKB", value:"947319");
script_xref(name:"MSKB", value:"947320");
script_xref(name:"MSKB", value:"947826");
script_xref(name:"MSKB", value:"968377");
script_xref(name:"MSKB", value:"969172");
script_xref(name:"Secunia", value:"35800");
script_xref(name:"EDB-ID", value:"9163");
script_xref(name:"EDB-ID", value:"16537");
script_xref(name:"EDB-ID", value:"16542");
script_name(english:"MS09-043: Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution (957638)");
script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host through Microsoft
Office Web Components.");
script_set_attribute(attribute:"description", value:
"The remote host is running a version of Microsoft Office Web
Components that is affected by various flaws that may allow arbitrary
code to be run.
To succeed, the attacker would have to send specially crafted URLs to
a user of the remote computer and have him process it with Microsoft
Office Web Components.");
# https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-043
script_set_attribute(attribute:"see_also", value:"https://www.nessus.org/u?682ca4b4");
script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Office XP and 2003, as
well as for Microsoft ISA server.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'Microsoft OWC Spreadsheet HTMLURL Buffer Overflow');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
script_set_attribute(attribute:"canvas_package", value:"D2ExploitPack");
script_cwe_id(94, 119, 399);
script_set_attribute(attribute:"vuln_publication_date", value:"2009/07/13");
script_set_attribute(attribute:"patch_publication_date", value:"2009/08/11");
script_set_attribute(attribute:"plugin_publication_date", value:"2009/08/11");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:biztalk_server");
script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:isa_server");
script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office");
script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office_web_components");
script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:visual_studio_.net");
script_set_attribute(attribute:"stig_severity", value:"II");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows : Microsoft Bulletins");
script_copyright(english:"This script is Copyright (C) 2009-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
script_require_keys("SMB/MS_Bulletin_Checks/Possible");
script_require_ports(139, 445, "Host/patch_management_checks");
exit(0);
}
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_activex_func.inc");
include("misc_func.inc");
include("audit.inc");
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
bulletin = 'MS09-043';
kbs = make_list("947318", "947319", "947320", "947826", "968377", "969172");
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
vuln = FALSE;
get_kb_item_or_exit('SMB/WindowsVersion');
path = get_kb_item("SMB/Registry/HKLM/SOFTWARE/Microsoft/Fpc");
if ( path )
{
# This is MS ISA
if (activex_init() != ACX_OK) exit(1, "Could not initialize the ActiveX checks");
hcf_init = TRUE;
# Test each control.
info = NULL;
clsids = make_list(
"{0002E543-0000-0000-C000-000000000046}",
"{0002E55B-0000-0000-C000-000000000046}"
);
foreach clsid (clsids)
{
file = activex_get_filename(clsid:clsid);
if (file)
{
if (activex_get_killbit(clsid:clsid) == 0)
{
version = activex_get_fileversion(clsid:clsid);
if (!version) version = "Unknown";
info =
'\n' +
' Class Identifier : ' + clsid + '\n' +
' Filename : ' + file + '\n' +
' Version : ' + version + '\n';
if (!thorough_tests) break;
}
}
}
if (!isnull(info))
{
vuln = TRUE;
hotfix_add_report(info, bulletin:bulletin, kb:'947826');
}
RegCloseKey(handle:_acx_hklm);
}
if (!path)
{
login = kb_smb_login();
pass = kb_smb_password();
domain = kb_smb_domain();
port = kb_smb_transport();
if(! smb_session_init()) audit(AUDIT_FN_FAIL, "smb_session_init");
rc = NetUseAdd(login:login, password:pass, domain:domain, share:'IPC$');
if (rc != 1)
{
NetUseDel();
audit(AUDIT_SHARE_FAIL, "IPC$");
}
hcf_init = TRUE;
}
hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
if (isnull(hklm))
{
NetUseDel();
audit(AUDIT_REG_FAIL);
}
# Visual Studio .Net
vs_dll = NULL;
vs_path = NULL;
key = 'SOFTWARE\\Microsoft\\VisualStudio\\7.1';
key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
if (!isnull(key_h))
{
item = RegQueryValue(handle:key_h, item:'InstallDir');
if (!isnull(item))
{
rootfile = hotfix_get_programfilesdir();
vs_dll = ereg_replace(pattern:'^[A-Za-z]:(.*)', replace:'\\1\\Microsoft Office\\Office\\msowc.dll', string:rootfile);
vs_path = rootfile + '\\Microsoft Office\\Office';
}
RegCloseKey(handle:key_h);
}
# Microsoft Small Business Acounting 2006
sba_dll = NULL;
sba_path = NULL;
key = 'SOFTWARE\\Microsoft\\Small Business Accounting\\1.0\\InstallRoot';
key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
if (!isnull(key_h))
{
item = RegQueryValue(handle:key_h, item:'Main');
if (!isnull(item))
{
rootfiles = hotfix_get_officecommonfilesdir();
checkeddirs = make_array();
if (typeof(rootfiles) != 'array')
{
temp = rootfiles;
rootfiles = make_array('commonfiles', temp);
}
foreach item (keys(rootfiles))
{
rootfile = rootfiles[item];
if (checkeddirs[item]) continue;
checkeddirs[item] = 1;
sba_dll = ereg_replace(pattern:'^[A-Za-z]:(.*)', replace:'\\1\\Microsoft Shared\\Web Components', string:rootfile);
sba_dll += '\\11\\Owc11.dll';
sba_path = rootfile + '\\Microsoft Shared\\Web Components\\';
break;
}
}
RegCloseKey(handle:key_h);
}
RegCloseKey(handle:hklm);
NetUseDel(close:FALSE);
# Office Suites and Office Web Components
office_ver = hotfix_check_office_version();
if (!is_accessible_share())
{
if (vuln)
{
NetUseDel();
hotfix_security_hole();
exit(0);
}
else exit(1, 'is_accessible_share() failed.');
}
rootfile = hotfix_get_officeprogramfilesdir();
share = '';
lastshare = '';
if (rootfile && office_version)
{
foreach ver (keys(office_version))
{
if (typeof(rootfiles) == 'array') rootfile = rootfiles[ver];
else rootfile = rootfiles;
info = NULL;
path = NULL;
kb = '';
if (ver == "9.0")
{
dll = ereg_replace(pattern:'^[A-Za-z]:(.*)', replace:'\\1\\Microsoft Office\\Office\\msowc.dll', string:rootfile);
path = rootfile + '\\Microsoft Office\\Office';
kb = '947320';
}
else if (ver == "10.0")
{
dll = ereg_replace(pattern:'^[A-Za-z]:(.*)', replace:'\\1\\Microsoft Office\\Office10\\owc10.dll', string:rootfile);
path = rootfile + '\\Microsoft Office\\Office10\\';
kb = '947320';
}
else if (ver == "11.0")
{
rootfile = hotfix_get_officecommonfilesdir(officever:'11.0');
dll = ereg_replace(pattern:'^[A-Za-z]:(.*)', replace:'\\1\\Microsoft Shared\\Web Components', string:rootfile);
dll += '\\11\\Owc11.dll';
path = rootfile + '\\Microsoft Shared\\Web Components\\';
kb = '947319';
}
else if (ver == "12.0")
{
rootfile = hotfix_get_officecommonfilesdir(officever:'12.0');
dll = ereg_replace(pattern:'^[A-Za-z]:(.*)', replace:'\\1\\Microsoft Shared\\Web Components', string:rootfile);
dll += '\\11\\Owc11.dll';
path = rootfile + '\\Microsoft Shared\\Web Components\\';
kb = '947318';
}
if (path)
{
share = hotfix_path2share(path:path);
if (share != lastshare)
{
lastshare = share;
NetUseDel(close:FALSE);
rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
if (rc != 1)
{
audit(AUDIT_SHARE_FAIL, share);
}
}
handle = CreateFile(
file:dll,
desired_access:GENERIC_READ,
file_attributes:FILE_ATTRIBUTE_NORMAL,
share_mode:FILE_SHARE_READ,
create_disposition:OPEN_EXISTING
);
if (!isnull(handle))
{
ver = GetFileVersion(handle:handle);
CloseFile(handle:handle);
if (!isnull(ver))
{
version = join(ver, sep:'.');
if (ver[0] == 9 && ver[1] == 0 && ver[2] == 0 && ver[3] < 8977)
{
info =
'\n Path : ' + path +
'\n Installed version : ' + version +
'\n Fixed version : 9.0.0.8977 \n';
}
else if (ver[0] == 10 && ver[1] == 0 && ver[2] < 6854)
{
info =
'\n Path : ' + path +
'\n Installed version : ' + version +
'\n Fixed version : 10.0.6854.0 \n';
}
else if (ver[0] == 11 && ver[1] == 0 && ver[2] < 8304)
{
info =
'\n Path : ' + path +
'\n Installed version : ' + version +
'\n Fixed version : 11.0.8304.0 \n';
}
else if (ver[0] == 12 && ver[1] == 0 && (ver[2] < 6502 || (ver[2] == 6502 && ver[3] < 5000)))
{
info =
'\n Path : ' + path +
'\n Installed version : ' + version +
'\n Fixed version : 12.0.6502.5000 \n';
}
}
}
}
if (info)
{
vuln = TRUE;
hotfix_add_report(info, bulletin:bulletin, kb:kb);
}
}
NetUseDel(close:FALSE);
}
if (!vuln)
{
# Multiple versions of Office Web Components can be installed separately
# without installing office
rootfile = NULL;
rootfile = hotfix_get_commonfilesdir();
if (rootfile)
{
rootfile += '\\Microsoft Shared\\Web Components\\';
share = ereg_replace(pattern:'^([A-Za-z]):.*', replace:'\\1$', string:rootfile);
dirpat = ereg_replace(pattern:'^[A-Za-z]:(.*)', replace:'\\1\\*', string:rootfile);
rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
if (rc != 1)
{
audit(AUDIT_SHARE_FAIL, share);
}
owcdirs = make_list();
fh = FindFirstFile(pattern:dirpat);
while (!isnull(fh[1]))
{
if (fh[2] && FILE_ATTRIBUTE_DIRECTORY)
{
if (fh[1] =~ '^[0-9]+$')
{
owcdirs = make_list(owcdirs, fh[1]);
}
}
fh = FindNextFile(handle:fh);
}
if (max_index(owcdirs) > 0)
{
for (i=0; i < max_index(owcdirs); i++)
{
info = NULL;
path = rootfile + '\\' + owcdirs[i] + '\\';
dll = ereg_replace(pattern:'[A-Za-z]:(.*)', replace:'\\1\\owc'+owcdirs[i]+'.dll', string:path);
handle = CreateFile(
file:dll,
desired_access:GENERIC_READ,
file_attributes:FILE_ATTRIBUTE_NORMAL,
share_mode:FILE_SHARE_READ,
create_disposition:OPEN_EXISTING
);
if (!isnull(handle))
{
ver = GetFileVersion(handle:handle);
CloseFile(handle:handle);
if (!isnull(ver))
{
version = join(ver, sep:'.');
if (ver[0] == 10 && ver[1] == 0 && ver[2] < 6854)
{
info =
'\n Path : ' + path +
'\n Installed version : ' + version +
'\n Fixed version : 10.0.6854.0 \n';
}
else if (ver[0] == 11 && ver[1] == 0 && ver[2] < 8304)
{
info =
'\n Path : ' + path +
'\n Installed version : ' + version +
'\n Fixed version : 11.0.8304.0 \n';
}
else if (ver[0] == 12 && ver[1] == 0 && (ver[2] < 6502 || (ver[2] == 6502 && ver[3] < 5000)))
{
info =
'\n Path : ' + path +
'\n Installed version : ' + version +
'\n Fixed version : 12.0.6502.5000 \n';
}
}
}
if (info)
{
vuln = TRUE;
hotfix_add_report(info, bulletin:bulletin, kb:kb);
}
}
}
NetUseDel(close:FALSE);
}
}
if (vs_dll || sba_dll)
{
rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
if (rc != 1)
{
audit(AUDIT_SHARE_FAIL, share);
}
if (vs_dll)
{
handle = CreateFile(
file:vs_dll,
desired_access:GENERIC_READ,
file_attributes:FILE_ATTRIBUTE_NORMAL,
share_mode:FILE_SHARE_READ,
create_disposition:OPEN_EXISTING
);
if (!isnull(handle))
{
ver = GetFileVersion(handle:handle);
CloseFile(handle:handle);
if (!isnull(ver))
{
version = join(ver, sep:'.');
if (ver[0] == 9 && ver[1] == 0 && ver[2] == 0 && ver[3] < 8977)
{
info =
'\n Path : ' + vs_path +
'\n Installed version : ' + version +
'\n Fixed version : 9.0.0.8977 \n';
vuln = TRUE;
hotfix_add_report(info, bulletin:bulletin, kb:'969172');
}
}
}
}
if (sba_dll)
{
handle = CreateFile(
file:sba_dll,
desired_access:GENERIC_READ,
file_attributes:FILE_ATTRIBUTE_NORMAL,
share_mode:FILE_SHARE_READ,
create_disposition:OPEN_EXISTING
);
if (!isnull(handle))
{
ver = GetFileVersion(handle:handle);
CloseFile(handle:handle);
if (!isnull(ver))
{
version = join(ver, sep:'.');
if (ver[0] == 11 && ver[1] == 0 && ver[2] < 8304)
{
info =
'\n Path : ' + sba_path +
'\n Installed version : ' + version +
'\n Fixed version : 11.0.8304 \n';
vuln = TRUE;
hotfix_add_report(info, bulletin:bulletin, kb:'968377');
}
}
}
}
}
NetUseDel();
if (vuln)
{
set_kb_item(name:'SMB/Missing/MS09-043', value:TRUE);
hotfix_security_hole();
exit(0);
}
else exit(0, 'Host is patched.');
| Vendor | Product | Version | CPE |
|---|---|---|---|
| microsoft | biztalk_server | cpe:/a:microsoft:biztalk_server | |
| microsoft | isa_server | cpe:/a:microsoft:isa_server | |
| microsoft | office | cpe:/a:microsoft:office | |
| microsoft | office_web_components | cpe:/a:microsoft:office_web_components | |
| microsoft | visual_studio_.net | cpe:/a:microsoft:visual_studio_.net |
Related
openvas
openvas
Microsoft Office Web Components ActiveX Control Code Execution Vulnerability
2009-07-18 00:00:00
Microsoft Office Web Components ActiveX Control Code Execution Vulnerability
2009-07-18 00:00:00
securityvulns
securityvulns
mskb
mskb
checkpoint_advisories
checkpoint_advisories
packetstorm
packetstorm
Microsoft OWC Spreadsheet HTMLURL Buffer Overflow
2010-03-03 00:00:00
Microsoft OWC Spreadsheet msDataSourceObject Memory Corruption
2010-03-03 00:00:00
Microsoft OWC Spreadsheet msDataSourceObject Memory Corruption
2009-11-26 00:00:00
saint
saint
Microsoft Office Web Components OWC.Spreadsheet.9 HTMLURL property overflow
2009-08-14 00:00:00
Microsoft Office Web Components OWC.Spreadsheet.9 HTMLURL property overflow
2009-08-14 00:00:00
Microsoft Office Web Components OWC.Spreadsheet BorderAround vulnerability
2009-08-24 00:00:00
prion
prion
Buffer overflow
2009-08-12 17:30:00
Heap overflow
2009-08-12 17:30:00
Design/Logic Flaw
2009-07-15 15:30:00
d2
d2
DSquare Exploit Pack: D2SEC_MS09_043
2009-08-12 17:30:00
DSquare Exploit Pack: D2SEC_OWC
2009-07-15 15:30:00
cve
cve
zdi
zdi
seebug
seebug
Microsoft Office Spreadsheet ActiveXζ§δ»Άε
εη ΄εζΌζ΄
2009-07-14 00:00:00
nessus
nessus
cert
cert
Microsoft Office Web Components Spreadsheet ActiveX control vulnerability
2009-07-15 00:00:00
Related for SMB_NT_MS09-043.NASL