Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2017-2023 and is owned by Tenable, Inc. or an Affiliate thereof.SMB_NT_MS17_APR_OFFICE.NASL
HistoryApr 12, 2017 - 12:00 a.m.

Security Update for Microsoft Office Products (April 2017) (Petya)

2017-04-1200:00:00
This script is Copyright (C) 2017-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
1494
JSON

The Microsoft Office application, Office Web Apps, or SharePoint Server installed on the remote Windows host is missing a security update. It is, therefore, affected by multiple vulnerabilities :

  • An arbitrary code execution vulnerability exists in Microsoft Outlook due to improper parsing of email messages. An unauthenticated, remote attacker can exploit this, via a specially crafted email message, to execute arbitrary code. (CVE-2017-0106)

  • An information disclosure vulnerability exists in Microsoft Office due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to open a specially crafted Excel file, to disclose the contents of memory.
    (CVE-2017-0194)

  • A cross-site scripting (XSS) vulnerability exists in Office Web Apps Server due to improper validation of input before returning it to users. An authenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user’s browser session. (CVE-2017-0195)

  • An arbitrary code execution vulnerability exists in Microsoft Office due to improper validation of input before loading dynamic link library (DLL) files. An unauthenticated, remote attacker can exploit this, by convincing a user to open a specially crafted Office document, to execute arbitrary code. (CVE-2017-0197)

  • An arbitrary code execution vulnerability exists in Microsoft Office and Windows WordPad due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, by convincing a user to open a specially crafted file, to execute arbitrary code. Note that this vulnerability is being utilized to spread the Petya ransomware. (CVE-2017-0199)

  • A security feature bypass vulnerability exists in Microsoft Office due to improper parsing of file formats. An unauthenticated, remote attacker can exploit this, by convincing a user into opening a specially crafted file, to bypass security features.
    (CVE-2017-0204)

  • A spoofing vulnerability in Microsoft Outlook due to improper validation of input passed via HTML tags. An unauthenticated, remote attacker can exploit this, by sending an email with specific HTML tags, to display a malicious authentication prompt and gain access to a user’s authentication information or login credentials.
    (CVE-2017-0207)

#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(99314);
  script_version("1.25");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/06/16");

  script_cve_id(
    "CVE-2017-0106",
    "CVE-2017-0194",
    "CVE-2017-0195",
    "CVE-2017-0197",
    "CVE-2017-0199",
    "CVE-2017-0204",
    "CVE-2017-0207"
  );
  script_bugtraq_id(
    95961,
    97411,
    97413,
    97417,
    97436,
    97458,
    97463,
    97498
  );
  script_xref(name:"CERT", value:"921560");
  script_xref(name:"EDB-ID", value:"41894");
  script_xref(name:"EDB-ID", value:"41934");
  script_xref(name:"MSKB", value:"2589382");
  script_xref(name:"MSKB", value:"3101522");
  script_xref(name:"MSKB", value:"3118388");
  script_xref(name:"MSKB", value:"3127890");
  script_xref(name:"MSKB", value:"3127895");
  script_xref(name:"MSKB", value:"3141529");
  script_xref(name:"MSKB", value:"3141538");
  script_xref(name:"MSKB", value:"3172519");
  script_xref(name:"MSKB", value:"3178664");
  script_xref(name:"MSKB", value:"3178702");
  script_xref(name:"MSKB", value:"3178703");
  script_xref(name:"MSKB", value:"3178710");
  script_xref(name:"MSKB", value:"3178724");
  script_xref(name:"MSKB", value:"3178725");
  script_xref(name:"MSKB", value:"3191827");
  script_xref(name:"MSKB", value:"3191829");
  script_xref(name:"MSKB", value:"3191830");
  script_xref(name:"MSKB", value:"3191840");
  script_xref(name:"MSKB", value:"3191845");
  script_xref(name:"MSKB", value:"3191847");
  script_xref(name:"MSFT", value:"MS17-2589382");
  script_xref(name:"MSFT", value:"MS17-3101522");
  script_xref(name:"MSFT", value:"MS17-3118388");
  script_xref(name:"MSFT", value:"MS17-3127890");
  script_xref(name:"MSFT", value:"MS17-3127895");
  script_xref(name:"MSFT", value:"MS17-3141529");
  script_xref(name:"MSFT", value:"MS17-3141538");
  script_xref(name:"MSFT", value:"MS17-3172519");
  script_xref(name:"MSFT", value:"MS17-3178664");
  script_xref(name:"MSFT", value:"MS17-3178702");
  script_xref(name:"MSFT", value:"MS17-3178703");
  script_xref(name:"MSFT", value:"MS17-3178710");
  script_xref(name:"MSFT", value:"MS17-3178724");
  script_xref(name:"MSFT", value:"MS17-3178725");
  script_xref(name:"MSFT", value:"MS17-3191827");
  script_xref(name:"MSFT", value:"MS17-3191829");
  script_xref(name:"MSFT", value:"MS17-3191830");
  script_xref(name:"MSFT", value:"MS17-3191840");
  script_xref(name:"MSFT", value:"MS17-3191845");
  script_xref(name:"MSFT", value:"MS17-3191847");
  script_xref(name:"IAVA", value:"2017-A-0101-S");
  script_xref(name:"IAVA", value:"2017-A-0104-S");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/05/03");

  script_name(english:"Security Update for Microsoft Office Products (April 2017) (Petya)");

  script_set_attribute(attribute:"synopsis", value:
"An application installed on the remote Windows host is affected by
multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The Microsoft Office application, Office Web Apps, or SharePoint
Server installed on the remote Windows host is missing a security
update. It is, therefore, affected by multiple vulnerabilities :

  - An arbitrary code execution vulnerability exists in
    Microsoft Outlook due to improper parsing of email
    messages. An unauthenticated, remote attacker can
    exploit this, via a specially crafted email message, to
    execute arbitrary code. (CVE-2017-0106)

  - An information disclosure vulnerability exists in
    Microsoft Office due to improper handling of objects in
    memory. An unauthenticated, remote attacker can exploit
    this, by convincing a user to open a specially crafted
    Excel file, to disclose the contents of memory.
    (CVE-2017-0194)

  - A cross-site scripting (XSS) vulnerability exists in
    Office Web Apps Server due to improper validation of
    input before returning it to users. An authenticated,
    remote attacker can exploit this, via a specially
    crafted request, to execute arbitrary script code in a
    user's browser session. (CVE-2017-0195)

  - An arbitrary code execution vulnerability exists in
    Microsoft Office due to improper validation of input
    before loading dynamic link library (DLL) files. An
    unauthenticated, remote attacker can exploit this, by
    convincing a user to open a specially crafted Office
    document, to execute arbitrary code. (CVE-2017-0197)

  - An arbitrary code execution vulnerability exists in
    Microsoft Office and Windows WordPad due to improper
    validation of user-supplied input. An unauthenticated,
    remote attacker can exploit this, by convincing a user
    to open a specially crafted file, to execute arbitrary
    code. Note that this vulnerability is being utilized to
    spread the Petya ransomware. (CVE-2017-0199)

  - A security feature bypass vulnerability exists in
    Microsoft Office due to improper parsing of file
    formats. An unauthenticated, remote attacker can exploit
    this, by convincing a user into opening a specially
    crafted file, to bypass security features.
    (CVE-2017-0204)

  - A spoofing vulnerability in Microsoft Outlook due to
    improper validation of input passed via HTML tags. An
    unauthenticated, remote attacker can exploit this, by
    sending an email with specific HTML tags, to display a
    malicious authentication prompt and gain access to a
    user's authentication information or login credentials.
    (CVE-2017-0207)");
  script_set_attribute(attribute:"see_also", value:"https://portal.msrc.microsoft.com/en-us/security-guidance/summary");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Microsoft Office 2007,
2010, 2013, and 2016; Microsoft Excel 2007 and 2010; Microsoft OneNote
2007 and 2010; Microsoft Outlook 2007, 2010, 2013, and 2016; Microsoft
Office Compatibility Pack; Excel Services on Microsoft SharePoint
Server 2010 and 2013; Microsoft Excel Web App 2010; Microsoft Office
Web Apps Server 2010 and 2013; and Office Online Server.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-0199");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Microsoft Office Word Malicious Hta Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"in_the_news", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/04/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/04/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/04/12");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:excel");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:onenote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:outlook");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office_compatibility_pack");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office_web_apps");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office_online_server");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:sharepoint_server");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2017-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("office_installed.nasl", "onenote_installed.nbin", "microsoft_sharepoint_installed.nbin", "microsoft_owa_installed.nbin", "microsoft_office_compatibility_pack_installed.nbin", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include('smb_func.inc');
include('smb_hotfixes.inc');
include('smb_hotfixes_fcheck.inc');
include('smb_reg_query.inc');
include('install_func.inc');

global_var vuln;

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = "MS17-04";
kbs = make_list(
  '2589382', # OneNote 2010 SP2
  '3101522', # Excel Web App 2010 SP2
  '3118388', # Outlook 2010 SP2
  '3127890', # Outlook 2007 SP3
  '3127895', # Office Online Server
  '3141529', # Office 2007 SP3
  '3141538', # Office 2010 SP2
  '3172519', # Outlook 2013 SP1
  '3178664', # Outlook 2016
  '3178702', # Office 2016
  '3178703', # Office 2016
  '3178710', # Office 2013 SP1
  '3178724', # Excel Services on SharePoint Server 2013
  '3178725', # Office Web Apps Server 2013 SP1
  '3191827', # Excel 2007 SP3
  '3191829', # OneNote 2007 SP3
  '3191830', # Office Compatibility Pack SP2
  '3191840', # Excel Services on SharePoint Server 2010
  '3191845', # Office Web Apps 2010 SP2
  '3191847'  # Excel 2010 SP2
);

if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated", exit_code:1);

# Get path information for Windows.
windir = hotfix_get_systemroot();
if (isnull(windir)) exit(1, "Failed to determine the location of %windir%.");

registry_init();
hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);
global_var office_online_server_path = get_registry_value(
  handle : hklm,
  item   : "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office16.WacServer\InstallLocation"
);
RegCloseKey(handle:hklm);
close_registry(close:FALSE);

vuln = FALSE;
xss  = FALSE;
port = kb_smb_transport();

######################################################################
# Office 2007, 2010, 2013, 2016
######################################################################
function perform_office_checks()
{
  local_var office_vers, office_sp, path, prod;
  office_vers = hotfix_check_office_version();

  ####################################################################
  # Office 2007 SP3 Checks
  ####################################################################
  if (office_vers["12.0"])
  {
    office_sp = get_kb_item("SMB/Office/2007/SP");
    if (!isnull(office_sp) && office_sp == 3)
    {
      prod = "Microsoft Office 2007 SP3";
      path = hotfix_append_path(
        path  : hotfix_get_officecommonfilesdir(officever:"12.0"),
        value : "Microsoft Shared\Office12"
      );
      if (hotfix_check_fversion(file:"mso.dll", version:"12.0.6766.5000", path:path, kb:"3141529", bulletin:bulletin, product:prod) == HCF_OLDER)
        vuln = TRUE;
    }
  }

  ####################################################################
  # Office 2010 SP2 Checks
  ####################################################################
  if (office_vers["14.0"])
  {
    office_sp = get_kb_item("SMB/Office/2010/SP");
    if (!isnull(office_sp) && office_sp == 2)
    {
      prod = "Microsoft Office 2010 SP2";
      path = hotfix_append_path(
        path  : hotfix_get_officecommonfilesdir(officever:"14.0"),
        value : "Microsoft Shared\Office14"
      );
      if (hotfix_check_fversion(file:"mso.dll", version:"14.0.7180.5000", path:path, kb:"3141538", bulletin:bulletin, product:prod) == HCF_OLDER)
        vuln = TRUE;
    }
  }

  ####################################################################
  # Office 2013 SP1 Checks
  ####################################################################
  if (office_vers["15.0"])
  {
    office_sp = get_kb_item("SMB/Office/2013/SP");
    if (!isnull(office_sp) && office_sp == 1)
    {
      prod = "Microsoft Office 2013 SP1";
      path = hotfix_append_path(
        path  : hotfix_get_officecommonfilesdir(officever:"15.0"),
        value : "Microsoft Shared\Office15"
      );
      if (hotfix_check_fversion(file:"mso.dll", version:"15.0.4919.1000", path:path, kb:"3178710", bulletin:bulletin, product:prod) == HCF_OLDER)
        vuln = TRUE;
    }
  }

  ####################################################################
  # Office 2016 Checks
  ####################################################################
  if (office_vers["16.0"])
  {
    office_sp = get_kb_item("SMB/Office/2016/SP");
    if (!isnull(office_sp) && office_sp == 0)
    {
      prod = "Microsoft Office 2016";
      path = hotfix_append_path(
        path:hotfix_get_officecommonfilesdir(officever:"16.0"),
        value:"Microsoft Shared\Office16"
      );
      if (
        hotfix_check_fversion(file:"mso.dll", version:"16.0.4522.1002", channel:"MSI", channel_product:"Office", path:path, kb:"3178702", bulletin:bulletin, product:prod) == HCF_OLDER ||
        hotfix_check_fversion(file:"mso.dll", version:"16.0.6925.1057", channel:"Deferred", channel_product:"Office", path:path, kb:"3178702", bulletin:bulletin, product:prod) == HCF_OLDER ||
        hotfix_check_fversion(file:"mso.dll", version:"16.0.7329.1051", channel:"Deferred", channel_version:"1609", channel_product:"Office", path:path, kb:"3178702", bulletin:bulletin, product:prod) == HCF_OLDER ||
        hotfix_check_fversion(file:"mso.dll", version:"16.0.7726.1030", channel:"First Release for Deferred", channel_product:"Office", path:path, kb:"3178702", bulletin:bulletin, product:prod) == HCF_OLDER ||
        hotfix_check_fversion(file:"mso.dll", version:"16.0.7830.1021", channel:"Current", channel_product:"Office", path:path, kb:"3178702", bulletin:bulletin, product:prod) == HCF_OLDER
      )
        vuln = TRUE;

      if(
        hotfix_check_fversion(file:"mso30win32client.dll", version:"16.0.4522.1000", channel:"MSI", channel_product:"Office", path:path, kb:"3178703", bulletin:bulletin, product:prod) == HCF_OLDER ||
        hotfix_check_fversion(file:"mso30win32client.dll", version:"16.0.6925.1057", channel:"Deferred", channel_product:"Office", path:path, kb:"3178703", bulletin:bulletin, product:prod) == HCF_OLDER ||
        hotfix_check_fversion(file:"mso30win32client.dll", version:"16.0.7329.1051", channel:"Deferred", channel_version:"1609", channel_product:"Office", path:path, kb:"3178703", bulletin:bulletin, product:prod) == HCF_OLDER ||
        hotfix_check_fversion(file:"mso30win32client.dll", version:"16.0.7726.1030", channel:"First Release for Deferred", channel_product:"Office", path:path, kb:"3178703", bulletin:bulletin, product:prod) == HCF_OLDER ||
        hotfix_check_fversion(file:"mso30win32client.dll", version:"16.0.7830.1021", channel:"Current", channel_product:"Office", path:path, kb:"3178703", bulletin:bulletin, product:prod) == HCF_OLDER
      )
        vuln = TRUE;
    }
  }
}

######################################################################
# Excel 2007, 2010
######################################################################
function perform_excel_checks()
{
  local_var excel_checks;

  excel_checks = make_array(
    "12.0", make_array("sp", 3, "version", "12.0.6766.5000", "kb", "3191827"),
    "14.0", make_array("sp", 2, "version", "14.0.7180.5000", "kb", "3191847")
  );
  if (hotfix_check_office_product(product:"Excel", checks:excel_checks, bulletin:bulletin))
    vuln = TRUE;
}

######################################################################
# Outlook 2007, 2010, 2013, 2016
######################################################################
function perform_outlook_checks()
{
  local_var outlook_checks, kb16;

  kb16 = "3178664";
  outlook_checks = make_array(
    "12.0", make_array("sp", 3, "version", "12.0.6767.5000", "kb", "3127890"),
    "14.0", make_array("sp", 2, "version", "14.0.7180.5001", "kb", "3118388"),
    "15.0", make_array("sp", 1, "version", "15.0.4919.1001", "kb", "3172519"),
    "16.0", make_nested_list(
      make_array("sp", 0, "version", "16.0.4522.1001", "channel", "MSI", "kb", kb16),
      make_array("sp", 0, "version", "16.0.6965.2145", "channel", "Deferred", "kb", kb16),
      make_array("sp", 0, "version", "16.0.7369.2127", "channel", "Deferred", "channel_version", "1609", "kb", kb16),
      make_array("sp", 0, "version", "16.0.7766.2076", "channel", "First Release for Deferred", "kb", kb16),
      make_array("sp", 0, "version", "16.0.7870.2038", "channel", "Current", "kb", kb16)
    )
  );
  if (hotfix_check_office_product(product:"Outlook", checks:outlook_checks, bulletin:bulletin))
    vuln = TRUE;
}

######################################################################
# OneNote 2007, 2010
######################################################################
function perform_onenote_checks()
{
  var install, installs, prod, path;

  installs = get_installs(app_name:'Microsoft OneNote');
  if(!empty_or_null(installs))
  {
    foreach install (installs[1])
    {
      ################################################################
      # OneNote 2007 SP3 Checks
      ################################################################
      if (install["product"] == "2007" && install["sp"] == 3)
      {
        prod = "Microsoft OneNote 2007 SP3";
        path = tolower(install["path"]);
        path -= "onenote.exe";
        if (hotfix_check_fversion(file:"onenotesyncpc.dll", version:"12.0.6765.5000", path:path, kb:"3191829", bulletin:bulletin, product:prod) == HCF_OLDER)
          vuln = TRUE;
      }

      ################################################################
      # OneNote 2010 SP2 Checks
      ################################################################
      else if (install["product"] == "2010" && install["sp"] == 2)
      {
        prod = "Microsoft OneNote 2010 SP2";
        path = tolower(install["path"]);
        path -= "onenote.exe";
        if (hotfix_check_fversion(file:"onenotesyncpc.dll", version:"14.0.7180.5000", path:path, kb:"2589382", bulletin:bulletin, product:prod) == HCF_OLDER)
          vuln = TRUE;
      }
    }
  }
}


######################################################################
# Compatibility Pack
######################################################################
function perform_comppack_checks()
{
  local_var excel_compat_checks;

  ####################################################################
  # Excel Compatibility Pack
  ####################################################################
  excel_compat_checks = make_array(
    "12.0", make_array("version", "12.0.6766.5000", "kb", "3191830")
  );
  if (hotfix_check_office_product(product:"ExcelCnv", display_name:"Office Compatibility Pack SP3", checks:excel_compat_checks, bulletin:bulletin))
    vuln = TRUE;
}

######################################################################
# Office Web Apps 2010, 2013
######################################################################
function perform_owa_checks()
{
  local_var owa_installs, owa_install;
  local_var owa_2010_path, owa_2010_sp;
  local_var owa_2013_path, owa_2013_sp;
  local_var path;

  # Get installs of Office Web Apps
  owa_installs = get_installs(app_name:"Microsoft Office Web Apps");
  if (!empty_or_null(owa_installs))
  {
    foreach owa_install (owa_installs[1])
    {
      if (owa_install["Product"] == "2010")
      {
        owa_2010_path = owa_install["path"];
        owa_2010_sp = owa_install["SP"];
      }
      else if (owa_install["Product"] == "2013")
      {
        owa_2013_path = owa_install["path"];
        owa_2013_sp = owa_install["SP"];
      }
    }
  }

  ####################################################################
  # Office Web Apps 2010 SP2
  ####################################################################
  if (owa_2010_path && (!isnull(owa_2010_sp) && owa_2010_sp == "2"))
  {
    path = hotfix_append_path(path:owa_2010_path, value:"14.0\WebServices\ConversionService\Bin\Converter");
    if (hotfix_check_fversion(file:"sword.dll", version:"14.0.7180.5000", min_version:"14.0.7015.1000", path:path, kb:"3191845", bulletin:bulletin, product:"Office Web Apps 2010") == HCF_OLDER)
    {
      vuln = TRUE;
      xss  = TRUE;
    }

    # Excel Web App
    path = hotfix_append_path(path:owa_2010_path, value:"14.0\Bin");
    if (hotfix_check_fversion(file:"xlsrv.dll", version:"14.0.7180.5000", path:path, kb:"3101522", bulletin:bulletin, product:"Excel Web App 2010") == HCF_OLDER)
    {
      vuln = TRUE;
      xss  = TRUE;
    }
  }

  ####################################################################
  # Office Web Apps 2013 SP1
  ####################################################################
  if (owa_2013_path && (!isnull(owa_2013_sp) && owa_2013_sp == "1"))
  {
    path = hotfix_append_path(path:owa_2013_path, value:"WordConversionService\bin\Converter");
    if (hotfix_check_fversion(file:"sword.dll", version:"15.0.4919.1000", min_version:"15.0.4571.1500", path:path, kb:"3178725", bulletin:bulletin, product:"Office Web Apps 2013") == HCF_OLDER)
    {
      vuln = TRUE;
      xss  = TRUE;
    }
  }
}

######################################################################
# Office Online Server
######################################################################
function perform_oos_checks()
{
  var path;

  if(office_online_server_path)
  {
    path = hotfix_append_path(path:office_online_server_path, value:"UlsController");
    if (hotfix_check_fversion(file:"uls.dll", version:"16.0.7329.1048", min_version:"16.0.6000.0", path:path, kb:"3127895", bulletin:bulletin, product:"Office Online Server") == HCF_OLDER)
    {
      vuln = TRUE;
      xss  = TRUE;
    }
  }
}

######################################################################
# SharePoint
######################################################################
function perform_sharepoint_checks()
{
  local_var sps_2010_path, sps_2010_sp, sps_2010_edition;
  local_var sps_2013_path, sps_2013_sp, sps_2013_edition;
  local_var installs, install, path;

  installs = get_installs(app_name:"Microsoft SharePoint Server");

  foreach install (installs[1])
  {
    if (install["Product"] == "2013")
    {
      sps_2013_path = install['path'];
      sps_2013_sp = install['SP'];
      sps_2013_edition = install['Edition'];
    }
    else if (install["Product"] == "2010")
    {
      sps_2010_path = install['path'];
      sps_2010_sp = install['SP'];
      sps_2010_edition = install['Edition'];
    }
  }

  ######################################################################
  # SharePoint Server 2013 SP1 - Excel Services
  ######################################################################
  if (sps_2013_path && sps_2013_sp == "1" && sps_2013_edition == "Server")
  {
    path = hotfix_append_path(path:sps_2013_path, value:"Bin");
    if (hotfix_check_fversion(file:"xlsrv.dll", version:"15.0.4919.1000", min_version:"15.0.0.0", path:path, kb:"3178724", bulletin:bulletin, product:"Office SharePoint Server 2013 Excel Services") == HCF_OLDER)
    {
      vuln = TRUE;
      xss  = TRUE;
    }
  }

  ######################################################################
  # SharePoint Server 2010 SP2 - Word Automation Services / Excel Services
  ######################################################################
  if (sps_2010_path && sps_2010_sp == "2" && sps_2010_edition == "Server")
  {
    path = hotfix_append_path(path:sps_2010_path, value:"Bin");
    if (hotfix_check_fversion(file:"xlsrv.dll", version:"14.0.7180.5000", path:path, kb:"3191840", bulletin:bulletin, product:"Office SharePoint Server 2010 Excel Services") == HCF_OLDER)
    {
      vuln = TRUE;
      xss  = TRUE;
    }
  }
}

perform_office_checks();
perform_excel_checks();
perform_outlook_checks();
perform_onenote_checks();
perform_comppack_checks();
perform_owa_checks();
perform_oos_checks();
perform_sharepoint_checks();

if (vuln)
{
  # CVE-2017-0195
  if(xss) replace_kb_item(name:'www/'+port+'/XSS', value:TRUE);

  replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}
VendorProductVersionCPE
microsoftofficecpe:/a:microsoft:office
microsoftexcelcpe:/a:microsoft:excel
microsoftonenotecpe:/a:microsoft:onenote
microsoftoutlookcpe:/a:microsoft:outlook
microsoftoffice_compatibility_packcpe:/a:microsoft:office_compatibility_pack
microsoftoffice_web_appscpe:/a:microsoft:office_web_apps
microsoftoffice_online_servercpe:/a:microsoft:office_online_server
microsoftsharepoint_servercpe:/a:microsoft:sharepoint_server

Related

kaspersky 3
myhack58 13
mskb 21
openvas 21
symantec 6
checkpoint_advisories 5
cve 7
mscve 7
prion 7
packetstorm 4
nessus 5
threatpost 12
fireeye 16
malwarebytes 9
thn 7
saint 3
metasploit 1
cisa_kev 1
zdt 4
securelist 17
exploitpack 2
talosblog 9
hivepro 2
mssecure 2
seebug 2
rapid7community 2
cert 1
attackerkb 1
ics 2
exploitdb 3
avleonov 1
canvas 1
trellix 2
kaspersky
kaspersky
KLA11055 Multiple vulnerabilities in Microsoft Office
2017-04-11 00:00:00
KLA11024 Defense-in-Depth Update for Microsoft Office
2017-04-11 00:00:00
KLA10995 Multiple arbitrary code execution vulnerabilities in Microsoft office
2016-09-09 00:00:00
myhack58
myhack58
Recently being a hot Word 0day vulnerability has been used for malware spreading and the country attack-vulnerability warning-the black bar safety net
2017-04-15 00:00:00
CVE-2017-0199: analysis Microsoft Office RTF vulnerability-vulnerability warning-the black bar safety net
2017-04-13 00:00:00
CVE-2017-0199: in-depth analysis of the Microsoft Office RTF vulnerability-vulnerability warning-the black bar safety net
2017-06-08 00:00:00
mskb
mskb
Security update 2017-04-11
2017-04-11 07:00:00
Description of the security update for Outlook 2016: April 11, 2017
2017-04-11 07:00:00
Description of the security update for Outlook 2013: April 11, 2017
2017-04-11 07:00:00
openvas
openvas
Microsoft Office Outlook Security Bypass and Remote Code Execution Vulnerabilities (KB3178664)
2017-04-12 00:00:00
Microsoft Office Outlook Security Bypass and Remote Code Execution Vulnerabilities (KB3172519)
2017-04-12 00:00:00
Microsoft Office Outlook Security Bypass and Remote Code Execution Vulnerabilities (KB3127890)
2017-04-12 00:00:00
symantec
symantec
Microsoft Office CVE-2017-0194 Memory Corruption Vulnerability
2017-04-11 00:00:00
Microsoft Outlook CVE-2017-0106 Remote Code Execution Vulnerability
2017-04-11 00:00:00
Microsoft Office CVE-2017-0197 DLL Loading Remote Code Execution Vulnerability
2017-04-11 00:00:00
checkpoint_advisories
checkpoint_advisories
Microsoft Office DLL Loading (CVE-2017-0197)
2017-04-11 00:00:00
Microsoft Outlook Remote Code Execution (CVE-2017-0106)
2017-04-11 00:00:00
Microsoft Office Memory Corruption (CVE-2017-0194)
2017-04-11 00:00:00
cve
cve
CVE-2017-0197
2017-04-12 14:59:00
CVE-2017-0194
2017-04-12 14:59:00
CVE-2017-0106
2017-04-12 14:59:00
mscve
mscve
Microsoft Excel Information Disclosure Vulnerability
2017-04-11 07:00:00
Microsoft OneNote Remote Code Execution Vulnerability
2017-04-11 07:00:00
Microsoft Outlook Remote Code Execution Vulnerability
2017-04-11 07:00:00
prion
prion
Code injection
2017-04-12 14:59:00
Information disclosure
2017-04-12 14:59:00
Memory corruption
2017-04-12 14:59:00
packetstorm
packetstorm
Microsoft Office OneNote 2007 DLL Hijacking
2017-04-11 00:00:00
Microsoft Office Word Malicious Hta Execution
2017-04-24 00:00:00
Microsoft RTF Remote Code Execution
2017-04-19 00:00:00
nessus
nessus
Security Update for Microsoft Office (April 2017) (macOS)
2017-04-12 00:00:00
KB4014793: Microsoft Wordpad Remote Code Execution vulnerability (April 2017)
2017-10-20 00:00:00
Security Updates for Outlook (September 2017)
2017-09-25 00:00:00
threatpost
threatpost
Spy Campaign Spams Pro-Tibet Group With ExileRAT
2019-02-04 20:45:00
AZORult Campaign Adopts Novel Triple-Encryption Technique
2020-02-03 20:58:25
Stealthy Malware Hidden in Images Takes to GoogleUserContent
2018-07-19 19:29:29
fireeye
fireeye
CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler
2017-04-11 13:30:00
Petya Destructive Malware Variant Spreading via Stolen Credentials and EternalBlue Exploit
2017-06-27 17:30:00
CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler
2017-04-11 13:30:00
malwarebytes
malwarebytes
Blocks for Flash and others coming to Office 365
2018-06-01 15:00:00
Fake IRS notice delivers customized spying tool
2017-09-21 15:00:24
APT36 jumps on the coronavirus bandwagon, delivers Crimson RAT
2020-03-16 15:00:00
thn
thn
Indian-Made Mobile Spyware Targeted Human Rights Activist in Togo
2021-10-11 09:21:00
Petya Ransomware Spreading Rapidly Worldwide, Just Like WannaCry
2017-06-27 03:32:00
Not Just Criminals, But Governments Were Also Using MS Word 0-Day Exploit
2017-04-12 21:41:00
saint
saint
Microsoft Word and WordPad RTF HTA handler command execution
2017-04-20 00:00:00
Microsoft Word and WordPad RTF HTA handler command execution
2017-04-20 00:00:00
Microsoft Word and WordPad RTF HTA handler command execution
2017-04-20 00:00:00
metasploit
metasploit
Microsoft Office Word Malicious Hta Execution
2017-04-15 02:32:48
cisa_kev
cisa_kev
Microsoft Office and WordPad Remote Code Execution Vulnerability
2021-11-03 00:00:00
zdt
zdt
Microsoft Word - .RTF Remote Code Execution Exploit
2017-04-19 00:00:00
Microsoft Office / WordPad Remote Code Execution Vulnerability
2017-04-16 00:00:00
Microsoft Office Word Malicious Hta Execution Exploit
2017-04-25 00:00:00
securelist
securelist
RevengeHotels: cybercrime targeting hotel front desks worldwide
2019-11-28 10:00:48
The BlueNoroff cryptocurrency hunt is still on
2022-01-13 09:00:23
APT Trends report Q3 2017
2017-11-14 09:41:27
exploitpack
exploitpack
Microsoft Word - .RTF Remote Code Execution
2017-04-18 00:00:00
Microsoft Office - Composite Moniker Remote Code Execution
2018-01-09 00:00:00
talosblog
talosblog
New campaign uses government, union-themed lures to deliver Cobalt Strike beacons
2022-09-28 12:12:00
Threat Round Up For Sept 8 - Sept 15
2017-09-15 13:10:00
ExileRAT shares C2 with LuckyCat, targets Tibet
2019-02-04 08:00:00
hivepro
hivepro
SnatchCrypto campaign carried out by North Korean APT 38 subsidiary BlueNoroff
2022-01-14 06:23:18
Actors, Threats and Vulnerabilities 08 to 14 May 2023
2023-05-16 06:27:25
mssecure
mssecure
Hawkeye Keylogger – Reborn v8: An in-depth campaign analysis
2018-07-11 18:50:14
Office 365 Advanced Threat Protection defense for corporate networks against recent Office exploit attacks
2017-11-21 13:46:01
seebug
seebug
Microsoft Office OLE2Link vulnerability (CVE-2017-0199)
2017-04-12 00:00:00
FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY
2017-09-14 00:00:00
rapid7community
rapid7community
Patch Tuesday - April 2017
2017-04-12 03:13:07
Metasploit Weekly Wrapup
2017-05-05 20:37:48
cert
cert
Microsoft OLE URL Moniker improperly handles remotely-linked HTA data
2017-04-10 00:00:00
attackerkb
attackerkb
CVE-2017-0199
2017-04-12 00:00:00
ics
ics
Dridex Malware
2020-06-30 12:00:00
Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks
2022-02-24 12:00:00
exploitdb
exploitdb
Microsoft Office Word - '.RTF' Malicious HTA Execution (Metasploit)
2017-04-25 00:00:00
Microsoft Word - '.RTF' Remote Code Execution
2017-04-18 00:00:00
Microsoft Office - 'Composite Moniker Remote Code Execution
2018-01-09 00:00:00
avleonov
avleonov
Petya the Great and why *they* don’t patch vulnerabilities
2017-06-29 21:29:50
canvas
canvas
Immunity Canvas: OFFICE_WSDL
2017-09-13 01:29:00
trellix
trellix
The Tale of Two Exploits - Breaking Down CVE-2023-36884 and the Infection Chain
2023-08-24 00:00:00
The Tale of Two Exploits - Breaking Down CVE-2023-36884 and the Infection Chain
2023-08-24 00:00:00
JSON
Related for SMB_NT_MS17_APR_OFFICE.NASL
kaspersky3myhack5813mskb21openvas21symantec6checkpoint_advisories5cve7mscve7prion7packetstorm4nessus5threatpost12fireeye16malwarebytes9thn7saint3metasploit1cisa_kev1zdt4securelist17exploitpack2talosblog9hivepro2mssecure2seebug2rapid7community2cert1attackerkb1ics2exploitdb3avleonov1canvas1trellix2