6.9 Medium
CVSS2
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:M/Au:N/C:C/I:C/A:C
0.0004 Low
EPSS
Percentile
5.1%
The version of XnView installed on the remote Windows host is earlier than 1.98.1. As such, it reportedly uses unsafe methods for determining how to load executables. Specifically, there is an issue with the file search path, which could result in the insecure loading of executables when using the ‘Open containing folder’ function.
An attacker may be able to exploit this to execute arbitrary code with the privileges of the running application.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(55535);
script_version("1.6");
script_cvs_date("Date: 2018/11/15 20:50:29");
script_cve_id("CVE-2011-1338");
script_bugtraq_id(48562);
script_name(english:"XnView < 1.98.1 Insecure Executable Loading");
script_summary(english:"Checks XnView.exe's Product Version number");
script_set_attribute(
attribute:"synopsis",
value:
"The remote Windows host contains an application that loads
executables in an insecure manner."
);
script_set_attribute(
attribute:"description",
value:
"The version of XnView installed on the remote Windows host is earlier
than 1.98.1. As such, it reportedly uses unsafe methods for
determining how to load executables. Specifically, there is an issue
with the file search path, which could result in the insecure loading
of executables when using the 'Open containing folder' function.
An attacker may be able to exploit this to execute arbitrary code with
the privileges of the running application."
);
script_set_attribute(
attribute:"see_also",
value:"https://jvndb.jvn.jp/en/contents/2011/JVNDB-2011-000050.html"
);
script_set_attribute(
attribute:"solution",
value:
"Upgrade to XnView version 1.98.1 or later as that reportedly resolves
the issue."
);
script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2011/06/21");
script_set_attribute(attribute:"patch_publication_date", value:"2011/07/05");
script_set_attribute(attribute:"plugin_publication_date", value:"2011/07/07");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe",value:"cpe:/a:xnview:xnview");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows");
script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");
script_dependencies("xnview_rgbe_overflow.nasl");
script_require_keys("SMB/XnView/Version");
exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
kb_base = "SMB/XnView";
get_kb_item_or_exit(kb_base+"/Installed");
version = get_kb_item_or_exit(kb_base+"/Version", exit_code:1);
port = get_kb_item("SMB/transport");
# Check the version number.
ver = split(version, sep:'.', keep:FALSE);
for (i=0; i<max_index(ver); i++)
ver[i] = int(ver[i]);
if (
ver[0] < 1 ||
(
ver[0] == 1 &&
(
ver[1] < 98 ||
(ver[1] == 98 && ver[2] < 1)
)
)
)
{
if (report_verbosity > 0)
{
path = get_kb_item(kb_base+"/Path");
if (isnull(path)) path = "n/a";
report =
'\n Path : ' + path +
'\n Installed version : ' + version +
'\n Fixed version : 1.98.1\n';
security_hole(port:port, extra:report);
}
else security_hole(port);
}
else exit(0, "The XnView " + version + " install is not affected.");