Lucene search

K
nessusThis script is Copyright (C) 2007-2018 Tenable Network Security, Inc.TRENDMICRO_SERVERPROTECT_AGRPCCLN_OVERFLOW.NASL
HistoryMay 09, 2007 - 12:00 a.m.

Trend Micro ServerProtect AgRpcCln.dll Buffer Overflow

2007-05-0900:00:00
This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
www.tenable.com
10

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS

0.048

Percentile

92.8%

The remote version of Trend Micro ServerProtect is vulnerable to a stack overflow involving the ‘wcscpy’ function of the routine ‘CAgRpcClient::CreateBinding’ in AgRpcCln.dll library. An unauthenticated, remote attacker may be able to leverage this issue with specially crafted RPC requests to its SpntSvc.exe daemon to execute arbitrary code on the remote host.

Note that by default, Trend Micro services run with LocalSystem privileges.

#
#  (C) Tenable Network Security, Inc.
#


include("compat.inc");

if (description)
{
  script_id(25171);
  script_version("1.19");

  script_cve_id("CVE-2007-2528");
  script_bugtraq_id(23868);

  script_name(english:"Trend Micro ServerProtect AgRpcCln.dll Buffer Overflow");
  script_summary(english:"Checks version of ServerProtect"); 
 
 script_set_attribute(attribute:"synopsis", value:
"The remote service is vulnerable to a remote buffer overflow attack." );
 script_set_attribute(attribute:"description", value:
"The remote version of Trend Micro ServerProtect is vulnerable to a
stack overflow involving the 'wcscpy' function of the routine
'CAgRpcClient::CreateBinding' in AgRpcCln.dll library.  An
unauthenticated, remote attacker may be able to leverage this issue
with specially crafted RPC requests to its SpntSvc.exe daemon to
execute arbitrary code on the remote host. 

Note that by default, Trend Micro services run with LocalSystem
privileges." );
 script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-07-025/" );
 script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2007/May/89" );
  # http://www.trendmicro.com/ftp/documentation/readme/spnt_558_win_en_securitypatch3_readme.txt
 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6b7dccdd" );
 script_set_attribute(attribute:"solution", value:
"Apply Security Patch 3 - Build 1176 or later." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
 script_set_attribute(attribute:"metasploit_name", value:'Trend Micro ServerProtect 5.58 CreateBinding() Buffer Overflow');
 script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
 script_set_attribute(attribute:"plugin_publication_date", value: "2007/05/09");
 script_set_attribute(attribute:"vuln_publication_date", value: "2007/05/08");
 script_set_attribute(attribute:"patch_publication_date", value: "2007/04/13");
 script_cvs_date("Date: 2018/11/15 20:50:29");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe",value:"cpe:/a:trend_micro:serverprotect");
script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");
  script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
  script_dependencies("trendmicro_serverprotect_detect.nasl");
  script_require_keys("Antivirus/TrendMicro/ServerProtect");
  script_require_ports(5168);

  exit(0);
}


port = 5168;


# Check the version number.
ver = get_kb_item ("Antivirus/TrendMicro/ServerProtect");
if (ver)
{
 iver = split (ver, sep:".", keep:FALSE);
 for (i=0; i<max_index(iver); i++)
   iver[i] = int(iver[i]);

 # Versions before 5.5 build 1176 are affected.
 if (
      iver[0] < 5 ||
      (
        iver[0] == 5 &&
        (
          iver[1] < 58 ||
          (iver[1] == 58 && iver[2] == 0 && iver[3] < 1176)
        )
      )
    ) security_hole(port);
}

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS

0.048

Percentile

92.8%

Related for TRENDMICRO_SERVERPROTECT_AGRPCCLN_OVERFLOW.NASL