Symantec Mail Security for SMTP KeyView Excel SST Parsing RCE


CVSS2

9.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS

0.347

Percentile

97.1%

The version of Symantec Mail Security for SMTP running on the remote host is affected by an integer overflow condition when parsing a Shared String Table (SST) record inside of an Excel file. One of the fields in the SST is a 32-bit integer used to specify the size of a dynamic memory allocation. This integer is not validated, which can result in a heap-based buffer overflow condition. A remote attacker can exploit this by tricking a user into viewing an email with a specially crafted Excel file, resulting in the execution of arbitrary code as SYSTEM.

#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");


# Plugin registration: everything inside this block is metadata the Nessus
# engine reads when it loads the plugin; the detection logic runs only in
# the non-description pass further down.
if (description)
{
  script_id(40871);
  script_version("1.20");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/08/05");

  # External identifiers for the same issue (CVE, BugTraq, Secunia, IAVB).
  script_cve_id("CVE-2009-3037");
  script_bugtraq_id(36042);
  script_xref(name:"Secunia", value:"36421");
  script_xref(name:"IAVB", value:"2009-B-0042-S");

  script_name(english:"Symantec Mail Security for SMTP KeyView Excel SST Parsing RCE");
  script_summary(english:"Does a version check on SMSSMTP.");

  script_set_attribute(  attribute:"synopsis",  value:
"An email security application running on the remote Windows host is
affected by a remote code execution vulnerability.");
  script_set_attribute(  attribute:"description",  value:
"The version of Symantec Mail Security for SMTP running on the remote
host is affected by an integer overflow condition when parsing a
Shared String Table (SST) record inside of an Excel file. One of the
fields in the SST is a 32-bit integer used to specify the size of a
dynamic memory allocation. This integer is not validated, which can
result in a heap-based buffer overflow condition. A remote attacker
can exploit this by tricking a user into viewing an email with a
specially crafted Excel file, resulting in the execution of arbitrary
code as SYSTEM.");
  # Original researcher advisory (iDefense/VeriSign), archived copy.
  # https://web.archive.org/web/20150126142007/http://www.verisigninc.com/en_US/cyber-security/security-intelligence/vulnerability-reports/articles/index.xhtml?id=823
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?72cc3878");
  # Vendor advisory (Symantec SYM09-011, 2009-08-25).
  # http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20090825_00
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7daa28ca");
  # The fix is a product patch level, not a new product version; the
  # detection below therefore keys on a KeyView DLL version, not on the
  # SMSSMTP version string alone.
  script_set_attribute(attribute:"solution", value:
"Apply patch level 205.");
  # CVSSv2 9.3 / CVSSv3 8.8: network, unauthenticated, user interaction
  # required (a crafted attachment must be processed), full C/I/A impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2009-3037");
  # No public exploit was known as of the last plugin revision (E:U above).
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  # CWE-119: improper restriction of operations within the bounds of a
  # memory buffer (the heap overflow described above).
  script_cwe_id(119);

  script_set_attribute(attribute:"vuln_publication_date", value:"2009/08/25");
  script_set_attribute(attribute:"patch_publication_date", value:"2009/08/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/09/04");

  # "local" here means the check is done by reading files over SMB with
  # credentials, not by probing the SMTP service remotely.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:symantec:mail_security");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2009-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # The detection relies on the install-path and version KB entries that
  # sms_smtp_installed.nasl is expected to populate; without the version
  # key this plugin does not run at all.  Ports 139/445 are needed for the
  # SMB file-version check (smb_func.inc / smb_hotfixes_fcheck.inc).
  script_dependencies("sms_smtp_installed.nasl");
  script_require_keys("Symantec/SMSSMTP/Version");
  script_require_ports(139, 445);

  exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

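# Detection pass.
#
# Strategy: confirm the installed SMSSMTP belongs to the affected 5.0.x
# branch, then compare the version of the KeyView Excel filter DLL on disk
# against the version that ships with the fix.  Exit codes follow the usual
# plugin convention: exit(0) = checked and not affected, exit(1) = could not
# check, hotfix_security_hole() = vulnerable.

# Product version recorded in the KB by the dependency plugin.
ver = get_kb_item('Symantec/SMSSMTP/Version');
if (isnull(ver)) exit(1, "The 'Symantec/SMSSMTP/Version' KB item is missing.");

ver_fields = split(ver, sep:'.', keep:FALSE);
# A usable version string has at least "major.minor".  Anything shorter
# would otherwise be silently read as minor 0 (int(NULL) == 0) and could be
# misclassified as 5.0.x, so report it as "unable to check" instead.
if (max_index(ver_fields) < 2)
  exit(1, "Unable to parse the SMSSMTP version string '" + ver + "'.");
major = int(ver_fields[0]);
minor = int(ver_fields[1]);

# Only the 5.0.x branch is affected, so leave as soon as EITHER component
# differs.  The earlier form of this test used '&&', which only excluded
# versions where both components differed: 4.0.x and 5.1.x installs fell
# through to the DLL check below and could be reported on the basis of a
# KeyView file that was never in scope for this advisory.
if (major != 5 || minor != 0) exit(0, "Version "+ver+" is not affected.");

# Install directory, keyed by the exact version string seen above.
path_key = 'SMB/Symantec/SMSSMTP/' + ver;
path = get_kb_item(path_key);
if (isnull(path)) exit(1, "The '"+path_key+"' KB item is missing.");

# The vulnerable component is the KeyView Excel filter (xlssr.dll) under
# the scanner's verity directory.  10.4.0.0 is presumably the DLL version
# delivered by patch level 205 (the fix named in the solution) -- verify
# against the vendor patch contents if this threshold is ever revisited.
# NOTE: NASL does not process backslash escapes in double-quoted strings,
# so the path literal is intentionally left as-is.
dll_path = path + "\scanner\rules\verity";
dll_file = "xlssr.dll";

res = hotfix_check_fversion(file:dll_file, version:"10.4.0.0", path:dll_path);

# A vanilla (unpatched) install ships an xlssr.dll with no version resource
# at all, so HCF_NOVER is treated as vulnerable rather than as an error --
# otherwise every unpatched host would be reported as "unable to check".
if (res == HCF_OLDER || res == HCF_NOVER)
{
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}

# Always release the SMB session opened by the version check.
hotfix_check_fversion_end();
if (res != HCF_OK) exit(1, "Unable to do version check (error code: " + res + ").");
else audit(AUDIT_HOST_NOT, 'affected');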
