CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
EPSS
Percentile
97.9%
Microsoft ActiveX controls that were compiled using the vulnerable Active Template Library described in Microsoft Security Bulletin MS09-035 have remote code execution vulnerabilities. A remote attacker could exploit them to execute arbitrary code by tricking a user into requesting a maliciously crafted web page.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(42111);
script_version("1.34");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
script_cve_id("CVE-2009-2493");
script_bugtraq_id(35828);
script_xref(name:"MSFT", value:"MS09-055");
script_xref(name:"MSKB", value:"973525");
script_xref(name:"CERT", value:"456745");
script_name(english:"MS09-055: Cumulative Security Update of ActiveX Kill Bits (973525)");
script_set_attribute(attribute:"synopsis", value:
"The remote Windows host has multiple ActiveX controls that are affected
by multiple code execution vulnerabilities.");
script_set_attribute(attribute:"description", value:
"Microsoft ActiveX controls that were compiled using the vulnerable
Active Template Library described in Microsoft Security Bulletin
MS09-035 have remote code execution vulnerabilities. A remote attacker
could exploit them to execute arbitrary code by tricking a user into
requesting a maliciously crafted web page.");
script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-055");
script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows 2000, XP, 2003,
Vista and 2008.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_cwe_id(264);
script_set_attribute(attribute:"vuln_publication_date", value:"2009/07/28");
script_set_attribute(attribute:"patch_publication_date", value:"2009/10/13");
script_set_attribute(attribute:"plugin_publication_date", value:"2009/10/13");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows : Microsoft Bulletins");
script_copyright(english:"This script is Copyright (C) 2009-2022 Tenable Network Security, Inc.");
script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
script_require_keys("SMB/MS_Bulletin_Checks/Possible");
script_require_ports(139, 445, "Host/patch_management_checks");
exit(0);
}
include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_activex_func.inc");
include("misc_func.inc");
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
bulletin = 'MS09-055';
kb = '973525';
kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);
get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
if (hotfix_check_sp_range(win2k:'4,5', xp:'2,3', win2003:'2', vista:'0,2', win7:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
if (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);
if (activex_init() != ACX_OK) exit(1, "activex_init() failed.");
# Test each control.
info = "";
clsids = make_list(
"{0002E531-0000-0000-C000-000000000046}", # msowc.dll
"{4C85388F-1500-11D1-A0DF-00C04FC9E20F}", # msowc.dll
"{0002E532-0000-0000-C000-000000000046}", # msowc.dll
"{0002E554-0000-0000-C000-000000000046}", # owc10.dll
"{0002E55C-0000-0000-C000-000000000046}", # owc11.dll
"{279D6C9A-652E-4833-BEFC-312CA8887857}", # viewer.dll
"{B1F78FEF-3DB7-4C56-AF2B-5DCCC7C42331}", # msmail.dll
"{C832BE8F-4B89-4579-A217-DB92E7A27915}", # msmail.dll
"{A9A7297E-969C-43F1-A1EF-51EBEA36F850}", # mailcomm.dll
"{DD8C2179-1B4A-4951-B432-5DE3D1507142}", # msmail.dll
"{4F1E5B1A-2A80-42ca-8532-2D05CB959537}", # MsnPUpld.dll
"{27A3D328-D206-4106-8D33-1AA39B13394B}", # ReportBuilderAddin.dll
"{DB640C86-731C-484A-AAAF-750656C9187D}", # ReportBuilderAddin.dll
"{15721a53-8448-4731-8bfc-ed11e128e444}", # ReportBuilderAddin.dll
"{3267123E-530D-4E73-9DA7-79F01D86A89F}" # ReportBuilderAddin.dll
);
foreach clsid (clsids)
{
# Make sure the control is installed
file = activex_get_filename(clsid:clsid);
if (isnull(file) || !file) continue;
if (activex_get_killbit(clsid:clsid) == 0)
{
info += ' ' + clsid + '\n';
if (!thorough_tests) break;
}
}
activex_end();
if (info)
{
if (report_verbosity > 0)
{
if (max_index(split(info)) > 1) s = "s";
else s = "";
report = string(
"\n",
"The kill bit has not been set for the following control", s, " :\n",
"\n",
info
);
if (!thorough_tests)
{
report = string(
report,
"\n",
"Note that Nessus did not check whether there were other kill bits\n",
"that have not been set because the 'Perofrm thorough tests' setting\n",
"was not enabled when this scan was run.\n"
);
}
hotfix_add_report(report, bulletin:bulletin, kb:kb);
security_warning(port:kb_smb_transport(), extra:report);
}
else
{
hotfix_add_report(bulletin:bulletin, kb:kb);
hotfix_security_warning();
}
set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
}
else audit(AUDIT_HOST_NOT, 'affected');