Microsoft Windows Vector Markup Language Vulnerabilities (929969)

# SPDX-FileCopyrightText: 2010 LSS
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-or-later

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.102053");
  script_version("2023-08-01T13:29:10+0000");
  script_tag(name:"last_modification", value:"2023-08-01 13:29:10 +0000 (Tue, 01 Aug 2023)");
  script_tag(name:"creation_date", value:"2010-07-08 10:59:30 +0200 (Thu, 08 Jul 2010)");
  script_cve_id("CVE-2007-0024");
  script_name("Microsoft Windows Vector Markup Language Vulnerabilities (929969)");
  script_xref(name:"URL", value:"http://www.kb.cert.org/vuls/id/122084");
  script_xref(name:"URL", value:"http://www.securityfocus.com/bid/21930");
  script_xref(name:"URL", value:"http://secunia.com/advisories/23677");
  script_xref(name:"URL", value:"http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=462");
  script_xref(name:"URL", value:"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2007/ms07-004");
  script_tag(name:"qod_type", value:"executable_version");
  script_tag(name:"cvss_base", value:"9.3");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2010 LSS");
  script_family("Windows : Microsoft Bulletins");
  script_dependencies("gb_ms_ie_detect.nasl");
  script_require_ports(139, 445);
  script_mandatory_keys("MS/IE/Version");

  script_tag(name:"solution", value:"The vendor has released updates. Please see the references for
  more information.");

  script_tag(name:"solution_type", value:"VendorFix");

  script_tag(name:"summary", value:"Remote exploitation of an integer overflow vulnerability in the
  Vector Markup Language (VML) support in multiple Microsoft products allows attackers to execute
  arbitrary code within the context of the user running the vulnerable application.");

  exit(0);
}

include("smb_nt.inc");
include("secpod_reg.inc");
include("version_func.inc");
include("secpod_smb_func.inc");

if(hotfix_check_sp(xp:4, win2k:5, win2003:3) <= 0)
  exit(0);

ieVer = get_kb_item("MS/IE/Version");
if(!ieVer)
  exit(0);

# MS07-033 Hotfix (929969)
if(hotfix_missing(name:"929969") == 0)
  exit(0);

dllPath = registry_get_sz(item:"CommonFilesDir", key:"SOFTWARE\Microsoft\Windows\CurrentVersion");
dllPath += "\Microsoft Shared\VGX\vgx.dll";
share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:dllPath);
file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1", string:dllPath);

vers = GetVer(file:file, share:share);
if(!vers)
  exit(0);

# CVE-2007-0024
if(hotfix_check_sp(win2k:5) > 0) {

  #Vgx.dll 5.0.3848.1800
  SP = get_kb_item("SMB/Win2K/ServicePack");
  if("Service Pack 4" >< SP) {
    if(version_in_range(version:vers, test_version:"6.0", test_version2:"6.0.2800.1588")) {
      security_message(port:0, data:"The target host was found to be vulnerable");
      exit(0);
    }
  }
}

else if(hotfix_check_sp(xp:4) > 0) {
  SP = get_kb_item("SMB/WinXP/ServicePack");
  if("Service Pack 2" >< SP) {
    if(version_in_range(version:vers, test_version:"6.0", test_version2:"6.0.2900.3051") ||
       version_in_range(version:vers, test_version:"7.0", test_version2:"7.0.6000.16386")) {
      security_message(port:0, data:"The target host was found to be vulnerable");
      exit(0);
    }
  }
}

else if(hotfix_check_sp(win2003:3) > 0) {
  SP = get_kb_item("SMB/Win2003/ServicePack");
  if("Service Pack 1" >< SP) {
    if(version_in_range(version:vers, test_version:"6.0", test_version2:"6.0.3790.2851") ||
       version_in_range(version:vers, test_version:"7.0", test_version2:"7.0.6000.16386")) {
      security_message(port:0, data:"The target host was found to be vulnerable");
      exit(0);
    }
  }
}

exit(99);