Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2009-2022 and is owned by Tenable, Inc. or an Affiliate thereof.SMB_NT_MS09-062.NASL
HistoryOct 15, 2009 - 12:00 a.m.

MS09-062: Vulnerabilities in GDI+ Could Allow Remote Code Execution (957488)

2009-10-1500:00:00
This script is Copyright (C) 2009-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
212
JSON

The remote host is running a version of Windows that is affected by multiple buffer overflow vulnerabilities when viewing TIFF, PNG, BMP, and Office files that could allow an attacker to execute arbitrary code on the remote host. Additionally, there is a GDI+ .NET API vulnerability that allows a malicious .NET application to gain unmanaged code execution privileges.

To exploit these flaws, an attacker would need to send a malformed image file to a user on the remote host and wait for them to open it using an affected Microsoft application.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(42118);
  script_version("1.42");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id(
    "CVE-2009-2500",
    "CVE-2009-2501",
    "CVE-2009-2502",
    "CVE-2009-2503",
    "CVE-2009-2504",
    "CVE-2009-2518",
    "CVE-2009-2528",
    "CVE-2009-3126"
  );
  script_bugtraq_id(
    36619,
    36645,
    36646,
    36647,
    36648,
    36649,
    36650,
    36651
  );
  script_xref(name:"IAVA", value:"2009-A-0099-S");
  script_xref(name:"MSFT", value:"MS09-062");
  script_xref(name:"MSKB", value:"958869");
  script_xref(name:"MSKB", value:"970894");
  script_xref(name:"MSKB", value:"970899");
  script_xref(name:"MSKB", value:"971022");
  script_xref(name:"MSKB", value:"971023");
  script_xref(name:"MSKB", value:"971104");
  script_xref(name:"MSKB", value:"972221");
  script_xref(name:"MSKB", value:"972580");
  script_xref(name:"MSKB", value:"972581");
  script_xref(name:"MSKB", value:"974811");
  script_xref(name:"MSKB", value:"975365");

  script_name(english:"MS09-062: Vulnerabilities in GDI+ Could Allow Remote Code Execution (957488)");

  script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host through the
Microsoft GDI rendering engine.");
  script_set_attribute(attribute:"description", value:
"The remote host is running a version of Windows that is affected by
multiple buffer overflow vulnerabilities when viewing TIFF, PNG, BMP,
and Office files that could allow an attacker to execute arbitrary
code on the remote host. Additionally, there is a GDI+ .NET API
vulnerability that allows a malicious .NET application to gain
unmanaged code execution privileges.

To exploit these flaws, an attacker would need to send a malformed
image file to a user on the remote host and wait for them to open it
using an affected Microsoft application.");
  # https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-062
  script_set_attribute(attribute:"see_also", value:"https://www.nessus.org/u?1aaa5b16");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows XP, 2003, Vista,
2008, IE, .NET Framework, Office, SQL Server, Developer Tools, and
Forefront.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_cwe_id(94, 119, 189);

  script_set_attribute(attribute:"vuln_publication_date", value:"2009/10/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2009/10/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/10/15");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:.net_framework");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:excel_viewer");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:powerpoint_viewer");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:visio");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:word_viewer");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:works");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2009-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("smb_hotfixes.nasl", "mssql_version.nasl", "office_installed.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}


include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS09-062';
kbs = make_list("958869", "970894", "970899", "971022", "971023", "971104", "972221", "972580", "972581", "974811", "975365");
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);


get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(xp:'2,3', win2003:'2', vista:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

login   =  kb_smb_login();
pass    =  kb_smb_password();
domain  =  kb_smb_domain();
port    =  kb_smb_transport();

if(! smb_session_init()) audit(AUDIT_FN_FAIL, "smb_session_init");

hcf_init = TRUE;

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

vuln = 0;
path = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1", string:rootfile);
office_versions = hotfix_check_office_version ();
office_sp = get_kb_item("SMB/Office/SP");
ver_list = get_kb_list("mssql/installs/*/SQLVersion");
visiopaths = get_kb_item("SMB/Office/Visio/*/VisioPath");
progfiles = hotfix_get_programfilesdir();
cdir = hotfix_get_commonfilesdir();

# Look in the registry for install info on a few of the apps being tested
rc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
if (rc != 1)
{
  NetUseDel();
  audit(AUDIT_SHARE_FAIL, "IPC$");
}

hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
if (isnull(hklm))
{
  NetUseDel();
  audit(AUDIT_REG_FAIL);
}

# Detect Visual Studio 2005 installs
key = "SOFTWARE\Microsoft\VisualStudio\8.0";
key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
if (!isnull(key_h))
{
  item = RegQueryValue(handle:key_h, item:"InstallDir");
  if (!isnull(item))
  {
    vs2005_path = item[1];
    vs2005_root = ereg_replace(
      pattern:"^(.+)\\Common7\\IDE\\$", replace:"\1", string:vs2005_path,
      icase:TRUE
    );
  }

  RegCloseKey(handle:key_h);
}

# Detect Visual FoxPro installs
vfp8key = "SOFTWARE\Microsoft\VisualFoxPro\8.0\Setup\VFP";
vfp8key_h = RegOpenKey(handle:hklm, key:vfp8key, mode:MAXIMUM_ALLOWED);
if (!isnull(vfp8key_h))
{
  item = RegQueryValue(handle:vfp8key_h, item:"ProductDir");
  if (!isnull(item)) vfp8_path = item[1];

  RegCloseKey(handle:vfp8key_h);
}

vfp9key = "SOFTWARE\Microsoft\VisualFoxPro\9.0\Setup\VFP";
vfp9key_h = RegOpenKey(handle:hklm, key:vfp9key, mode:MAXIMUM_ALLOWED);
if (!isnull(vfp9key_h))
{
  item = RegQueryValue(handle:vfp9key_h, item:"ProductDir");
  if (!isnull(item)) vfp9_path = item[1];

  RegCloseKey(handle:vfp9key_h);
}

RegCloseKey(handle:hklm);
NetUseDel(close:FALSE);

r = NetUseAdd(login:login, password:pass, domain:domain, share:share);
if ( r != 1 )
{
  NetUseDel();
  audit(AUDIT_SHARE_FAIL, share);
}


# IE 6 on Windows 2000 SP4 (KB958869)
if (hotfix_is_vulnerable(os:"5.0", file:"Vgx.dll", version:"6.0.2800.1637", min_version:"6.0.0.0", dir:"\Microsoft Shared\VGX", path:cdir, bulletin:bulletin, kb:'958869'))
{
  vuln++;
}

# Visio 2002 (KB975365)
if (!isnull(visiopaths))
{
  foreach visiopath (keys(visiopaths))
  {
    if ("10.0" >< visiopath)
    {
      if (hotfix_is_vulnerable(file:"visio.exe", version:"10.0.6885.4", min_version:"10.0.0.0", path:visiopath, dir:"\Visio10", bulletin:bulletin, kb:'975365'))
        vuln++;
    }
  }
}

msoxp_path = cdir + "\Microsoft Shared\Office10";

# The fixes for Office XP SP3 and Visual Studio.NET SP1 both update the same
# exact file.  The Office fix supersedes the VS .NET fix.
if (office_versions["10.0"])
{
  office_sp = get_kb_item("SMB/Office/XP/SP");
  if (!isnull(office_sp) && office_sp == 3)
  {
    # Office XP SP3 (KB974811)
    if(hotfix_is_vulnerable(file:"mso.dll", version:"10.0.6856.0", path:msoxp_path, bulletin:bulletin, kb:'974811'))
    {
      vuln++;
    }
  }
}
else
{
  # Visual Studio .NET 2003 SP1 (KB971022).  The 'min_version' arg is used to
  # prevent from firing on Office XP < SP3
  if(hotfix_is_vulnerable(file:"mso.dll", version:"10.0.6855.0",   min_version:"10.0.6802.0", path:msoxp_path, bulletin:bulletin, kb:'971022'))
  {
    vuln++;
  }
}

# Office 2003 SP3 (KB972580)
if (office_versions["11.0"])
{
  office_sp = get_kb_item("SMB/Office/2003/SP");
  if (!isnull(office_sp) && office_sp == 3)
  {
    path = hotfix_get_officeprogramfilesdir(officever:"11.0") + "\Microsoft Office\OFFICE11";

    if (hotfix_is_vulnerable(file:"Gdiplus.dll", version:"11.0.8312.0",       min_version:"11.0.0.0", path:path, bulletin:bulletin, kb:'972580'))
    {
      vuln++;
    }
  }
}

# Office 2007 SP1 and SP2 (KB972581)
if (office_versions["12.0"])
{
  office_sp = get_kb_item("SMB/Office/2007/SP");
  if (!isnull(office_sp) && (office_sp == 1 || office_sp == 2))
  {
    path = hotfix_get_commonfilesdir() + "\Microsoft Shared\OFFICE12";

    if (hotfix_is_vulnerable(file:"Ogl.dll", version:"12.0.6509.5000", path:path, bulletin:bulletin, kb:'972581'))
    {
      vuln++;
    }
  }
}

# Visual FoxPro and the .NET Framework are only vulnerable on Windows 2000
if (hotfix_check_sp(win2k:6) > 0)
{
  if (
    # Visual FoxPro 8.0 SP1 (KB971104)
    hotfix_is_vulnerable(path:vfp8_path, file:"gdiplus.dll", version:"5.2.6001.22319", bulletin:bulletin, kb:'971104') ||

    # Visual FoxPro 9.0 SP2 (KB971105)
    hotfix_is_vulnerable(path:vfp9_path, file:"gdiplus.dll", version:"5.2.6001.22319", bulletin:bulletin, kb:'971105') ||

    # .NET Framework 1.1 SP1 (KB971108)
    hotfix_is_vulnerable(dir:"\Microsoft.Net\Framework\v1.1.4322", file:"gdiplus.dll", version:"5.2.6001.22319", min_version:"5.1.3102.1360", bulletin:bulletin, kb:'971108') ||

    # .NET Framework 2.0 SP1 (KB971110) and SP2 (KB971111)
    hotfix_is_vulnerable(dir:"\Microsoft.Net\Framework\v2.0.50727", file:"gdiplus.dll", version:"5.2.6001.22319", min_version:"5.1.3102.1355", bulletin:bulletin, kb:'971110')
  )
  {
    vuln++;
  }
}

# Visual Studio 2005 SP1 (KB971023)
if (vs2005_root)
{
  path = vs2005_root + '\\SDK\\v2.0\\BootStrapper\\Packages\\ReportViewer';

  if (hotfix_is_vulnerable(file:"reportviewer.exe", version:"2.0.50727.4401", min_version:"2.0.50727.0", path:path, bulletin:bulletin, kb:'971023'))
  {
    vuln++;
  }
}

# Visual Studio 2008
if (progfiles)
{
  path = progfiles + '\\Microsoft SDKs\\Windows\\v6.0A\\Bootstrapper\\Packages\\ReportViewer';

  if (
    # Visual Studio 2008 (KB972221)
    hotfix_is_vulnerable(file:"reportviewer.exe", version:"9.0.21022.227", min_version:"9.0.21022.0", path:path, bulletin:bulletin, kb:'972221') ||

    # Visual Studio 2008 SP1 (KB972222)
    hotfix_is_vulnerable(file:"reportviewer.exe", version:"9.0.30729.4402", min_version:"9.0.30729.0", path:path, bulletin:bulletin, kb:'972222')
  )
  {
    vuln++;
  }
}

foreach item (keys(ver_list))
{
  item -= 'mssql/installs/';
  item -= '/SQLVersion';
  sqlpath = item;

  share = hotfix_path2share(path:sqlpath);
  if (!is_accessible_share(share:share)) continue;

  version = get_kb_item("mssql/installs/" + sqlpath + "/SQLVersion");

  if(version !~ "^9\.00\.")
    continue;

  sqledition = get_kb_item("mssql/installs/" + sqlpath + "/edition_type");
  if(isnull(sqledition))
    sqledition = get_kb_item("mssql/installs/" + sqlpath + "/edition");

  # SQL server 2005 (excluding Express Edition)
  if (
    sqlpath &&
    sqledition && "Express" >!< sqledition && "Internal" >!< sqledition &&

    (
    # SP3 (KB970892 & KB970894)
    hotfix_is_vulnerable(path:sqlpath, file:"Sqlservr.exe", version:"2005.90.4262.0", min_version:"2005.90.4200.0", bulletin:bulletin, kb:'970894') ||
    hotfix_is_vulnerable(path:sqlpath, file:"Sqlservr.exe", version:"2005.90.4053.0", min_version:"2005.90.4000.0", bulletin:bulletin, kb:'970892') ||

    # SP2 (KB970895 & KB970896)
    hotfix_is_vulnerable(path:sqlpath, file:"Sqlservr.exe", version:"2005.90.3353.0", min_version:"2005.90.3200.0", bulletin:bulletin, kb:'970896') ||
    hotfix_is_vulnerable(path:sqlpath, file:"Sqlservr.exe", version:"2005.90.3080.0", min_version:"2005.90.3000.0", bulletin:bulletin, kb:'970895')
    )
  )
  {
    vuln++;
  }
}

foreach item (keys(ver_list))
{
  item -= 'mssql/installs/';
  item -= '/SQLVersion';
  sqlpath = item;

  share = hotfix_path2share(path:sqlpath);
  if (!is_accessible_share(share:share)) continue;

  version = get_kb_item("mssql/installs/" + sqlpath + "/SQLVersion");
  if(version !~ "^8\.")
    continue;

  # SQL server 2000 reporting services SP2 (KB970899)
  if (sqlpath)
  {
    sqlsrs_path = ereg_replace(
      pattern:"^(.*)\\Binn\\?",
      replace:"\1\Reporting Services\ReportServer\bin",
      string:sqlpath,
      icase:TRUE
    );
    if (hotfix_is_vulnerable(path:sqlsrs_path, file:"ReportingServicesLibrary.dll", version:"8.0.1067.0", bulletin:bulletin, kb:'970899'))
    {
      vuln++;
    }
  }
}

# If any of the above applications are vulnerable, there's no need to check
# the WinSxS dir (for the OS-specific patches
if (vuln)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}

# KB958869.  Checks the SxS directory.  The bulletin says 2k, vista/2k8 SP2,
# and win7 aren't affected
if (hotfix_check_sp_range(xp:'2,3', win2003:'2', vista:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
if (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);

vuln = 0;
kb = '958869';
winsxs = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\WinSxS", string:rootfile);
files = list_dir(basedir:winsxs, level:0, dir_pat:"microsoft.windows.gdiplus", file_pat:"^gdiplus\.dll$");

# Windows XP / Server 2003
vuln += hotfix_check_winsxs(os:'5.1', files:files, versions:make_list('5.2.6001.22319'), bulletin:bulletin, kb:kb);
vuln += hotfix_check_winsxs(os:'5.2', sp:2, files:files, versions:make_list('5.2.6001.22319'), bulletin:bulletin, kb:kb);

# Windows Vista / Server 2008
vuln += hotfix_check_winsxs(os:'6.0', files:files, versions:make_list('5.2.6001.22319'), max_versions:make_list('6.0.0.0'), bulletin:bulletin, kb:kb);
vuln += hotfix_check_winsxs(os:'6.0', sp:0, files:files, versions:make_list('6.0.6000.16782', '6.0.6000.20966'), max_versions:make_list('6.0.6000.20000', '6.0.6000.99999'), bulletin:bulletin, kb:kb);
vuln += hotfix_check_winsxs(os:'6.0', sp:1, files:files, versions:make_list('6.0.6001.18175', '6.0.6001.22319'), max_versions:make_list('6.0.6001.20000', '6.0.6001.99999'), bulletin:bulletin, kb:kb);

if (vuln)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}

hotfix_check_fversion_end();
audit(AUDIT_HOST_NOT, 'affected');
VendorProductVersionCPE
microsoftofficecpe:/a:microsoft:office
microsoft.net_frameworkcpe:/a:microsoft:.net_framework
microsoftexcel_viewercpe:/a:microsoft:excel_viewer
microsoftpowerpoint_viewercpe:/a:microsoft:powerpoint_viewer
microsoftvisiocpe:/a:microsoft:visio
microsoftwindowscpe:/o:microsoft:windows
microsoftword_viewercpe:/a:microsoft:word_viewer
microsoftworkscpe:/a:microsoft:works

Related

mskb 1
nessus 1
securityvulns 7
seebug 2
openvas 2
cve 8
checkpoint_advisories 15
prion 8
saint 4
zdi 1
ibm 2
mskb
mskb
KB957488 - MS09-062: Vulnerabilities in GDI+ could allow remote code execution
2020-10-20 07:11:43
nessus
nessus
MS09-062: Vulnerabilities in GDI+ Could Allow Remote Code Execution (957488) (uncredentialed check)
2014-03-10 00:00:00
securityvulns
securityvulns
Microsoft Security Bulletin MS09-062 - Critical Vulnerabilities in GDI+ Could Allow Remote Code Execution &#40;957488&#41;
2009-10-14 00:00:00
Microsoft GDI+ multiple security vulnerabilities
2009-10-14 00:00:00
Secunia Research: Microsoft Office BMP Image Colour Handling Integer Overflow
2009-10-14 00:00:00
seebug
seebug
Microsoft GDI+εΊ“ε›Ύε½’ζ–‡δ»Άε€„η†ε€šδΈͺηΌ“ε†²εŒΊζΊ’ε‡Ίε’Œε†…ε­˜η ΄εζΌζ΄ž(MS09-062)
2009-10-20 00:00:00
Microsoft Office BMP Image Colour Handling Integer Overflow
2009-10-20 00:00:00
openvas
openvas
Microsoft Products GDI Plus Code Execution Vulnerabilities (957488)
2009-10-21 00:00:00
Microsoft Products GDI Plus Code Execution Vulnerabilities (957488)
2009-10-21 00:00:00
cve
cve
CVE-2009-3126
2009-10-14 10:30:00
CVE-2009-2500
2009-10-14 10:30:00
CVE-2009-2504
2009-10-14 10:30:00
checkpoint_advisories
checkpoint_advisories
Microsoft GDI+ TIFF Buffer Overflow (MS09-062; CVE-2009-2502)
2009-10-13 00:00:00
Microsoft Windows GDI+ .NET API Remote Code Execution (MS09-062; CVE-2009-2504)
2009-10-29 00:00:00
Preemptive Protection against Microsoft GDI+ PNG Integer Overflow Vulnerability (MS09-062)
2009-10-13 00:00:00
prion
prion
Buffer overflow
2009-10-14 10:30:00
Integer overflow
2009-10-14 10:30:00
Heap overflow
2009-10-14 10:30:00
saint
saint
Microsoft Office Art Property Table Memory Corruption
2009-10-22 00:00:00
Microsoft Office Art Property Table Memory Corruption
2009-10-22 00:00:00
Microsoft Office Art Property Table Memory Corruption
2009-10-22 00:00:00
zdi
zdi
Microsoft Windows GDI+ TIFF Parsing Code Execution Vulnerability
2009-10-13 00:00:00
ibm
ibm
Security Bulletin: IBM Cognos Business Intelligence has addressed multiple vulnerabilties
2019-12-19 21:01:39
Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilties
2019-12-19 15:30:15
JSON
Related for SMB_NT_MS09-062.NASL
mskb1nessus1securityvulns7seebug2openvas2cve8checkpoint_advisories15prion8saint4zdi1ibm2