Search...

FUJITSU SystemWizard Lite Multiple Vulnerabilities

2009-01-30T00:00:00

ID OPENVAS:1361412562310900456
Type openvas
Reporter Copyright (C) 2009 SecPod
Modified 2020-04-27T00:00:00

Description

This host is installed with FUJITSU SystemWizard Lite and is prone to multiple vulnerabilities.

                                        
                                            ###############################################################################
# OpenVAS Vulnerability Test
#
# FUJITSU SystemWizard Lite Multiple Vulnerabilities
#
# Authors:
# Sujit Ghosal &lt;sghosal@secpod.com&gt;
#
# Copyright:
# Copyright (C) 2009 SecPod, http://www.secpod.com
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.900456");
  script_version("2020-04-27T09:00:11+0000");
  script_tag(name:"last_modification", value:"2020-04-27 09:00:11 +0000 (Mon, 27 Apr 2020)");
  script_tag(name:"creation_date", value:"2009-01-30 14:33:42 +0100 (Fri, 30 Jan 2009)");
  script_tag(name:"cvss_base", value:"10.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_cve_id("CVE-2009-0264", "CVE-2009-0270", "CVE-2009-0271");
  script_bugtraq_id(33344);
  script_name("FUJITSU SystemWizard Lite Multiple Vulnerabilities");
  script_xref(name:"URL", value:"http://secunia.com/advisories/33594");
  script_xref(name:"URL", value:"http://securityvulns.com/Vdocument198.html");
  script_xref(name:"URL", value:"http://www.wintercore.com/advisories/advisory_W010109.html");
  script_xref(name:"URL", value:"http://primeserver.fujitsu.com/primequest/products/os/windows2008.html");

  script_category(ACT_GATHER_INFO);
  script_tag(name:"qod_type", value:"executable_version");
  script_copyright("Copyright (C) 2009 SecPod");
  script_family("Buffer overflow");
  script_dependencies("smb_reg_service_pack.nasl");
  script_mandatory_keys("SMB/WindowsVersion");
  script_require_ports(139, 445);

  script_tag(name:"impact", value:"Successful exploitation will let the attacker execute arbitrary codes via
  a large PXE protocol request in a UDP packet and also directory traversal
  attack sequences in unspecified vectors.");

  script_tag(name:"affected", value:"FUJITSU SystemWizard Lite version 2.0A and prior on Windows.");

  script_tag(name:"insight", value:"Improper boundary check of input data in DefaultSkin.ini in TFTP service,
  Registry Setting Tool and PXEService.exe files.");

  script_tag(name:"solution", value:"Apply the security patches from the linked references.");

  script_tag(name:"summary", value:"This host is installed with FUJITSU SystemWizard Lite and is prone
  to multiple vulnerabilities.");

  script_tag(name:"solution_type", value:"VendorFix");

  exit(0);
}

include("smb_nt.inc");
include("version_func.inc");
include("secpod_smb_func.inc");

if(!get_kb_item("SMB/WindowsVersion")){
  exit(0);
}

if(!registry_key_exists(key:"SOFTWARE\FUJITSU")){
  exit(0);
}

key = "SOFTWARE\FUJITSU\SystemcastWizard";
fuziVer = registry_get_sz(key:"SOFTWARE\FUJITSU\SystemcastWizard",
                          item:"ProductVersion");
if(!fuziVer){
  exit(0);
}

wizardVer =  eregmatch(pattern:"V([0-9.]+A?)", string:fuziVer);
if(wizardVer[1] == NULL){
  exit(0);
}

if(version_is_less_equal(version:wizardVer[1], test_version:"1.6A"))
{
  report = report_fixed_ver(installed_version:wizardVer[1], vulnerable_range:"Less than or equal to 1.6A");
  security_message(port: 0, data: report);
  exit(0);
}

if(version_is_less_equal(version:wizardVer[1], test_version:"2.0A"))
{
  key = "SOFTWARE\FUJITSU\SystemcastWizard";
  path = registry_get_sz(key:key, item:"InstallPath");
  if(!path){
    exit(0);
  }

  dllPath = path + "bin\ChkPXESv.dll";
  share = ereg_replace(pattern:"([A-Z]):.*",replace:"\1$", string:dllPath);
  file = ereg_replace(pattern:"[A-Z]:(.*)",replace:"\1", string:dllPath);

  dllVer = GetVer(share:share, file:file);
  if(!dllVer){
    exit(0);
  }

  if(version_is_less(version:dllVer, test_version:"4.0.11.530")){
    report = report_fixed_ver(installed_version:dllVer, fixed_version:"4.0.11.530", install_path:dllPath);
    security_message(port: 0, data: report);
  }
}

JSON Vulners Source

Initial Source

{"id": "OPENVAS:1361412562310900456", "type": "openvas", "bulletinFamily": "scanner", "title": "FUJITSU SystemWizard Lite Multiple Vulnerabilities", "description": "This host is installed with FUJITSU SystemWizard Lite and is prone\n to multiple vulnerabilities.", "published": "2009-01-30T00:00:00", "modified": "2020-04-27T00:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310900456", "reporter": "Copyright (C) 2009 SecPod", "references": ["http://securityvulns.com/Vdocument198.html", "http://primeserver.fujitsu.com/primequest/products/os/windows2008.html", "http://secunia.com/advisories/33594", "http://www.wintercore.com/advisories/advisory_W010109.html"], "cvelist": ["CVE-2009-0264", "CVE-2009-0270", "CVE-2009-0271"], "lastseen": "2020-04-29T22:26:36", "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-0271", "CVE-2009-0270", "CVE-2009-0264"]}, {"type": "openvas", "idList": ["OPENVAS:900456"]}, {"type": "jvn", "idList": ["JVN:05255562"]}, {"type": "saint", "idList": ["SAINT:F168A3089838198F30F8EFEB69B427F9", "SAINT:7FD41F00E955757DFA3F58C95540E4FD", "SAINT:A87C55E95CFEB548CDC7B23D1FA42B7C"]}, {"type": "nessus", "idList": ["TFTPD_DIR_TRAV.NASL"]}], "modified": "2020-04-29T22:26:36", "rev": 2}, "score": {"value": 8.0, "vector": "NONE", "modified": "2020-04-29T22:26:36", "rev": 2}, "vulnersScore": 8.0}, "pluginID": "1361412562310900456", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# FUJITSU SystemWizard Lite Multiple Vulnerabilities\n#\n# Authors:\n# Sujit Ghosal <sghosal@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2009 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.900456\");\n script_version(\"2020-04-27T09:00:11+0000\");\n script_tag(name:\"last_modification\", value:\"2020-04-27 09:00:11 +0000 (Mon, 27 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2009-01-30 14:33:42 +0100 (Fri, 30 Jan 2009)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2009-0264\", \"CVE-2009-0270\", \"CVE-2009-0271\");\n script_bugtraq_id(33344);\n script_name(\"FUJITSU SystemWizard Lite Multiple Vulnerabilities\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/33594\");\n script_xref(name:\"URL\", value:\"http://securityvulns.com/Vdocument198.html\");\n script_xref(name:\"URL\", value:\"http://www.wintercore.com/advisories/advisory_W010109.html\");\n script_xref(name:\"URL\", value:\"http://primeserver.fujitsu.com/primequest/products/os/windows2008.html\");\n\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_copyright(\"Copyright (C) 2009 SecPod\");\n script_family(\"Buffer overflow\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_require_ports(139, 445);\n\n script_tag(name:\"impact\", value:\"Successful exploitation will let the attacker execute arbitrary codes via\n a large PXE protocol request in a UDP packet and also directory traversal\n attack sequences in unspecified vectors.\");\n\n script_tag(name:\"affected\", value:\"FUJITSU SystemWizard Lite version 2.0A and prior on Windows.\");\n\n script_tag(name:\"insight\", value:\"Improper boundary check of input data in DefaultSkin.ini in TFTP service,\n Registry Setting Tool and PXEService.exe files.\");\n\n script_tag(name:\"solution\", value:\"Apply the security patches from the linked references.\");\n\n script_tag(name:\"summary\", value:\"This host is installed with FUJITSU SystemWizard Lite and is prone\n to multiple vulnerabilities.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(!get_kb_item(\"SMB/WindowsVersion\")){\n exit(0);\n}\n\nif(!registry_key_exists(key:\"SOFTWARE\\FUJITSU\")){\n exit(0);\n}\n\nkey = \"SOFTWARE\\FUJITSU\\SystemcastWizard\";\nfuziVer = registry_get_sz(key:\"SOFTWARE\\FUJITSU\\SystemcastWizard\",\n item:\"ProductVersion\");\nif(!fuziVer){\n exit(0);\n}\n\nwizardVer = eregmatch(pattern:\"V([0-9.]+A?)\", string:fuziVer);\nif(wizardVer[1] == NULL){\n exit(0);\n}\n\nif(version_is_less_equal(version:wizardVer[1], test_version:\"1.6A\"))\n{\n report = report_fixed_ver(installed_version:wizardVer[1], vulnerable_range:\"Less than or equal to 1.6A\");\n security_message(port: 0, data: report);\n exit(0);\n}\n\nif(version_is_less_equal(version:wizardVer[1], test_version:\"2.0A\"))\n{\n key = \"SOFTWARE\\FUJITSU\\SystemcastWizard\";\n path = registry_get_sz(key:key, item:\"InstallPath\");\n if(!path){\n exit(0);\n }\n\n dllPath = path + \"bin\\ChkPXESv.dll\";\n share = ereg_replace(pattern:\"([A-Z]):.*\",replace:\"\\1$\", string:dllPath);\n file = ereg_replace(pattern:\"[A-Z]:(.*)\",replace:\"\\1\", string:dllPath);\n\n dllVer = GetVer(share:share, file:file);\n if(!dllVer){\n exit(0);\n }\n\n if(version_is_less(version:dllVer, test_version:\"4.0.11.530\")){\n report = report_fixed_ver(installed_version:dllVer, fixed_version:\"4.0.11.530\", install_path:dllPath);\n security_message(port: 0, data: report);\n }\n}\n", "naslFamily": "Buffer overflow", "immutableFields": []}

{"cve": [{"lastseen": "2021-04-21T20:47:44", "description": "Buffer overflow in the Registry Setting Tool in Fujitsu SystemcastWizard Lite 2.0A, 2.0, 1.9, and earlier has unknown impact and attack vectors.", "edition": 7, "cvss3": {}, "published": "2009-01-26T15:30:00", "title": "CVE-2009-0264", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-0264"], "modified": "2017-08-08T01:33:00", "cpe": ["cpe:/a:fujitsu:systemcastwizard_lite:1.8a", "cpe:/a:fujitsu:systemcastwizard_lite:1.7", "cpe:/a:fujitsu:systemcastwizard_lite:2.0", "cpe:/a:fujitsu:systemcastwizard_lite:2.0a", "cpe:/a:fujitsu:systemcastwizard_lite:1.9", "cpe:/a:fujitsu:systemcastwizard_lite:1.8"], "id": "CVE-2009-0264", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0264", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:fujitsu:systemcastwizard_lite:1.9:*:*:*:*:*:*:*", "cpe:2.3:a:fujitsu:systemcastwizard_lite:1.8a:*:*:*:*:*:*:*", "cpe:2.3:a:fujitsu:systemcastwizard_lite:2.0a:*:*:*:*:*:*:*", "cpe:2.3:a:fujitsu:systemcastwizard_lite:1.7:*:*:*:*:*:*:*", "cpe:2.3:a:fujitsu:systemcastwizard_lite:2.0:*:*:*:*:*:*:*", "cpe:2.3:a:fujitsu:systemcastwizard_lite:1.8:*:*:*:*:*:*:*"]}, {"lastseen": "2021-04-21T20:47:45", "description": "Stack-based buffer overflow in PXEService.exe in Fujitsu SystemcastWizard Lite 2.0A, 2.0, 1.9, and earlier allows remote attackers to execute arbitrary code via a large PXE protocol request in a UDP packet.", "edition": 7, "cvss3": {}, "published": "2009-01-26T19:30:00", "title": "CVE-2009-0270", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-0270"], "modified": "2018-10-11T21:01:00", "cpe": ["cpe:/a:fujitsu:systemcastwizard_lite:1.8a", "cpe:/a:fujitsu:systemcastwizard_lite:1.7", "cpe:/a:fujitsu:systemcastwizard_lite:2.0", "cpe:/a:fujitsu:systemcastwizard_lite:2.0a", "cpe:/a:fujitsu:systemcastwizard_lite:1.9", "cpe:/a:fujitsu:systemcastwizard_lite:1.8"], "id": "CVE-2009-0270", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0270", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:fujitsu:systemcastwizard_lite:1.9:*:*:*:*:*:*:*", "cpe:2.3:a:fujitsu:systemcastwizard_lite:1.8a:*:*:*:*:*:*:*", "cpe:2.3:a:fujitsu:systemcastwizard_lite:2.0a:*:*:*:*:*:*:*", "cpe:2.3:a:fujitsu:systemcastwizard_lite:1.7:*:*:*:*:*:*:*", "cpe:2.3:a:fujitsu:systemcastwizard_lite:2.0:*:*:*:*:*:*:*", "cpe:2.3:a:fujitsu:systemcastwizard_lite:1.8:*:*:*:*:*:*:*"]}, {"lastseen": "2021-04-21T20:47:45", "description": "Directory traversal vulnerability in the TFTP service in Fujitsu SystemcastWizard Lite 2.0A, 2.0, 1.9, and earlier allows remote attackers to read arbitrary files via directory traversal sequences in unspecified vectors.", "edition": 5, "cvss3": {}, "published": "2009-01-26T19:30:00", "title": "CVE-2009-0271", "type": "cve", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-0271"], "modified": "2011-03-08T03:18:00", "cpe": ["cpe:/a:fujitsu:systemcastwizard_lite:1.8a", "cpe:/a:fujitsu:systemcastwizard_lite:1.7", "cpe:/a:fujitsu:systemcastwizard_lite:2.0", "cpe:/a:fujitsu:systemcastwizard_lite:2.0a", "cpe:/a:fujitsu:systemcastwizard_lite:1.9", "cpe:/a:fujitsu:systemcastwizard_lite:1.8"], "id": "CVE-2009-0271", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0271", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:fujitsu:systemcastwizard_lite:1.9:*:*:*:*:*:*:*", "cpe:2.3:a:fujitsu:systemcastwizard_lite:1.8a:*:*:*:*:*:*:*", "cpe:2.3:a:fujitsu:systemcastwizard_lite:2.0a:*:*:*:*:*:*:*", "cpe:2.3:a:fujitsu:systemcastwizard_lite:1.7:*:*:*:*:*:*:*", "cpe:2.3:a:fujitsu:systemcastwizard_lite:2.0:*:*:*:*:*:*:*", "cpe:2.3:a:fujitsu:systemcastwizard_lite:1.8:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2017-07-02T21:14:11", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-0264", "CVE-2009-0270", "CVE-2009-0271"], "description": "This host is installed with FUJITSU SystemWizard Lite and is prone\n to multiple vulnerabilities.", "modified": "2017-02-20T00:00:00", "published": "2009-01-30T00:00:00", "id": "OPENVAS:900456", "href": "http://plugins.openvas.org/nasl.php?oid=900456", "type": "openvas", "title": "FUJITSU SystemWizard Lite Multiple Vulnerabilities", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_fujitsu_syswizard_lite_mult_vuln.nasl 5369 2017-02-20 14:48:07Z cfi $\n#\n# FUJITSU SystemWizard Lite Multiple Vulnerabilities\n#\n# Authors:\n# Sujit Ghosal <sghosal@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2009 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation will let the attacker execute arbitrary codes via\n a large PXE protocol request in a UDP packet and also directory traversal\n attack sequences in unspecified vectors.\n Impact Level: Application\";\ntag_affected = \"FUJITSU SystemWizard Lite version 2.0A and prior on Windows.\";\ntag_insight = \"Improper boundary check of input data in DefaultSkin.ini in TFTP service,\n Registry Setting Tool and PXEService.exe files.\";\ntag_solution = \"Apply the security patches.\n http://primeserver.fujitsu.com/primequest/products/os/windows2008.html\";\ntag_summary = \"This host is installed with FUJITSU SystemWizard Lite and is prone\n to multiple vulnerabilities.\";\n\nif(description)\n{\n script_id(900456);\n script_version(\"$Revision: 5369 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-20 15:48:07 +0100 (Mon, 20 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-01-30 14:33:42 +0100 (Fri, 30 Jan 2009)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2009-0264\", \"CVE-2009-0270\", \"CVE-2009-0271\");\n script_bugtraq_id(33344);\n script_name(\"FUJITSU SystemWizard Lite Multiple Vulnerabilities\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/33594\");\n script_xref(name : \"URL\" , value : \"http://securityvulns.com/Vdocument198.html\");\n script_xref(name : \"URL\" , value : \"http://www.wintercore.com/advisories/advisory_W010109.html\");\n\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_copyright(\"Copyright (C) 2009 SecPod\");\n script_family(\"Buffer overflow\");\n script_dependencies(\"secpod_reg_enum.nasl\");\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_require_ports(139, 445);\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(!get_kb_item(\"SMB/WindowsVersion\")){\n exit(0);\n}\n\nif(!registry_key_exists(key:\"SOFTWARE\\FUJITSU\")){\n exit(0);\n}\n\nkey = \"SOFTWARE\\FUJITSU\\SystemcastWizard\";\nfuziVer = registry_get_sz(key:\"SOFTWARE\\FUJITSU\\SystemcastWizard\",\n item:\"ProductVersion\");\nif(!fuziVer){\n exit(0);\n}\n\nwizardVer = eregmatch(pattern:\"V([0-9.]+A?)\", string:fuziVer);\nif(wizardVer[1] == NULL){\n exit(0);\n}\n\n# Check for FUJITSU SystemWizard version 1.6a and prior\nif(version_is_less_equal(version:wizardVer[1], test_version:\"1.6A\"))\n{\n security_message(0);\n exit(0);\n}\n\n# Check for FUJITSU SystemWizard version 1.7 to 2.0A\nif(version_is_less_equal(version:wizardVer[1], test_version:\"2.0A\"))\n{\n key = \"SOFTWARE\\FUJITSU\\SystemcastWizard\";\n path = registry_get_sz(key:key, item:\"InstallPath\");\n if(!path){\n exit(0);\n }\n\n dllPath = path + \"bin\\ChkPXESv.dll\";\n share = ereg_replace(pattern:\"([A-Z]):.*\",replace:\"\\1$\", string:dllPath);\n file = ereg_replace(pattern:\"[A-Z]:(.*)\",replace:\"\\1\", string:dllPath);\n\n dllVer = GetVer(share:share, file:file);\n if(!dllVer){\n exit(0);\n }\n\n # Check for ChkPXESv.dll file version < 4.0.11.530 or prior.\n if(version_is_less(version:dllVer, test_version:\"4.0.11.530\")){\n security_message(0);\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "saint": [{"lastseen": "2016-10-03T15:01:57", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0270"], "description": "Added: 03/03/2009 \nCVE: [CVE-2009-0270](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0270>) \nBID: [33342](<http://www.securityfocus.com/bid/33342>) \nOSVDB: [51486](<http://www.osvdb.org/51486>) \n\n\n### Background\n\nSystemcastWizard Lite is support software for the setup of Primequest systems. \n\n### Problem\n\nA buffer overflow vulnerability allows remote attackers to execute arbitrary commands by sending a long, specially crafted datagram to the PXE service. \n\n### Resolution\n\nApply the patch referenced on the precautions page for [Windows Server 2008](<http://www.fujitsu.com/global/services/computing/server/primequest/products/os/windows-server-2008-2.html>) or [Windows Server 2003](<http://www.fujitsu.com/global/services/computing/server/primequest/products/os/windows-server-2003-2.html>). \n\n### References\n\n<http://www.securityfocus.com/archive/1/500172> \n\n\n### Limitations\n\nExploit works on Fujitsu SystemcastWizard Lite 1.9. \n\n### Platforms\n\nWindows \n \n\n", "edition": 1, "modified": "2009-03-03T00:00:00", "published": "2009-03-03T00:00:00", "id": "SAINT:7FD41F00E955757DFA3F58C95540E4FD", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/fujitsu_systemcastwizard_lite_pxe", "type": "saint", "title": "Fujitsu SystemcastWizard Lite PXE service buffer overflow", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-06-04T23:19:35", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0270"], "description": "Added: 03/03/2009 \nCVE: [CVE-2009-0270](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0270>) \nBID: [33342](<http://www.securityfocus.com/bid/33342>) \nOSVDB: [51486](<http://www.osvdb.org/51486>) \n\n\n### Background\n\nSystemcastWizard Lite is support software for the setup of Primequest systems. \n\n### Problem\n\nA buffer overflow vulnerability allows remote attackers to execute arbitrary commands by sending a long, specially crafted datagram to the PXE service. \n\n### Resolution\n\nApply the patch referenced on the precautions page for [Windows Server 2008](<http://www.fujitsu.com/global/services/computing/server/primequest/products/os/windows-server-2008-2.html>) or [Windows Server 2003](<http://www.fujitsu.com/global/services/computing/server/primequest/products/os/windows-server-2003-2.html>). \n\n### References\n\n<http://www.securityfocus.com/archive/1/500172> \n\n\n### Limitations\n\nExploit works on Fujitsu SystemcastWizard Lite 1.9. \n\n### Platforms\n\nWindows \n \n\n", "edition": 4, "modified": "2009-03-03T00:00:00", "published": "2009-03-03T00:00:00", "id": "SAINT:F168A3089838198F30F8EFEB69B427F9", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/fujitsu_systemcastwizard_lite_pxe", "title": "Fujitsu SystemcastWizard Lite PXE service buffer overflow", "type": "saint", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T17:19:48", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0270"], "edition": 2, "description": "Added: 03/03/2009 \nCVE: [CVE-2009-0270](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0270>) \nBID: [33342](<http://www.securityfocus.com/bid/33342>) \nOSVDB: [51486](<http://www.osvdb.org/51486>) \n\n\n### Background\n\nSystemcastWizard Lite is support software for the setup of Primequest systems. \n\n### Problem\n\nA buffer overflow vulnerability allows remote attackers to execute arbitrary commands by sending a long, specially crafted datagram to the PXE service. \n\n### Resolution\n\nApply the patch referenced on the precautions page for [Windows Server 2008](<http://www.fujitsu.com/global/services/computing/server/primequest/products/os/windows-server-2008-2.html>) or [Windows Server 2003](<http://www.fujitsu.com/global/services/computing/server/primequest/products/os/windows-server-2003-2.html>). \n\n### References\n\n<http://www.securityfocus.com/archive/1/500172> \n\n\n### Limitations\n\nExploit works on Fujitsu SystemcastWizard Lite 1.9. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2009-03-03T00:00:00", "published": "2009-03-03T00:00:00", "id": "SAINT:A87C55E95CFEB548CDC7B23D1FA42B7C", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/fujitsu_systemcastwizard_lite_pxe", "type": "saint", "title": "Fujitsu SystemcastWizard Lite PXE service buffer overflow", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "jvn": [{"lastseen": "2019-05-29T17:21:48", "bulletinFamily": "info", "cvelist": ["CVE-2009-0270"], "description": "\n ## Description\n\nProducts that use the PXE SDK sample code provided by Intel contain directory traversal and buffer overflow vulnerabilities.\n\n ## Impact\n\nInformation stored by the product using the PXE SDK sample code may be viewed, or arbitrary code may be executed.\n\n ## Solution\n\n**Update the software** \nUpdate according to the information provided by the product developer.\n\n ## Products Affected\n\nProducts that use the PXE SDK sample may be vulnerable. \n \nFor more information, refer to the vendor information under \"Vendor Status\"\n", "edition": 4, "modified": "2013-01-30T00:00:00", "published": "2011-12-15T00:00:00", "id": "JVN:05255562", "href": "http://jvn.jp/en/jp/JVN05255562/index.html", "title": "JVN#05255562: Multiple vulnerabilities in products that use the Preboot Execution Environment (PXE) SDK", "type": "jvn", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2020-03-18T03:17:27", "description": "The TFTP (Trivial File Transfer Protocol) server running on the remote\nhost is vulnerable to a directory traversal attack that allows an\nattacker to read arbitrary files on the remote host by prepending\ntheir names with directory traversal sequences.", "edition": 14, "published": "2005-05-16T00:00:00", "title": "TFTP Traversal Arbitrary File Access", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-1161", "CVE-2009-0288", "CVE-1999-0183", "CVE-2009-0271", "CVE-2002-2353", "CVE-1999-0498"], "modified": "2005-05-16T00:00:00", "cpe": [], "id": "TFTPD_DIR_TRAV.NASL", "href": "https://www.tenable.com/plugins/nessus/18262", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# This script replaces the old C plugin \"tftp_grab_file\".\n#\n# References:\n# From:\tLuigi Auriemma <aluigi@autistici.org>\n# To:\tbugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk,\n#\tpacket@packetstormsecurity.org,cert@cert.org,news@securiteam.com\n# Date:\tWed, Apr 2, 2008 at 8:42 PM\n# Subject: Directory traversal in LANDesk Management Suite 8.80.1.1\n#\n# From:\tLuigi Auriemma <aluigi@autistici.org>\n# To:\tbugtraq@securityfocus.com,full-disclosure@lists.grok.org.uk,\n#\tpacket@packetstormsecurity.org,cert@cert.org,news@securiteam.com,\n# Date:\tMon, Mar 31, 2008 at 9:48 PM\n# Subject: Directory traversal in 2X ThinClientServer v5.0_sp1-r3497\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(18262);\n script_version(\"1.54\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/02/26\");\n\n script_cve_id(\n \"CVE-1999-0183\",\n \"CVE-1999-0498\",\n \"CVE-2002-2353\",\n \"CVE-2009-0271\",\n \"CVE-2009-0288\",\n \"CVE-2009-1161\"\n );\n script_bugtraq_id(\n 6198,\n 11582,\n 11584,\n 33287,\n 33344,\n 35040,\n 42907,\n 48272,\n 50441,\n 52938\n );\n script_xref(name:\"EDB-ID\", value:\"14857\");\n script_xref(name:\"EDB-ID\", value:\"17507\");\n script_xref(name:\"EDB-ID\", value:\"18718\");\n\n script_name(english:\"TFTP Traversal Arbitrary File Access\");\n script_summary(english:\"Attempts to grab a file through TFTP\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote TFTP server can be used to read arbitrary files on the\nremote host.\");\n script_set_attribute(attribute:\"description\", value:\n\"The TFTP (Trivial File Transfer Protocol) server running on the remote\nhost is vulnerable to a directory traversal attack that allows an\nattacker to read arbitrary files on the remote host by prepending\ntheir names with directory traversal sequences.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Disable the remote TFTP daemon, run it in a chrooted environment, or\nfilter incoming traffic to this port.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-1999-0498\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Distinct TFTP 3.10 Writable Directory Traversal Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'D2ExploitPack');\n script_cwe_id(22, 264);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"1986/04/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/05/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_copyright(english:\"This script is Copyright (C) 2005-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Misc.\");\n\n # Warning! We cannot depend on tftpd_backdoor!\n script_dependencies('tftpd_detect.nasl', \"os_fingerprint.nasl\");\n script_require_keys(\"Services/udp/tftp\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"dump.inc\");\ninclude(\"tftp.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"data_protection.inc\");\n\nif(islocalhost()) exit(0, \"This plugin does not run against the localhost.\");\t# ?\nif ( TARGET_IS_IPV6 ) exit(0, \"This plugin does not run over IPv6.\");\n\nglobal_var\tnb;\nfunction tftp_grab(port, file)\n{\n local_var\treq, rep, sport, ip, u, filter, data, i;\n\n req = '\\x00\\x01'+file+'\\0netascii\\0';\n sport = rand() % 64512 + 1024;\n\n ip = forge_ip_packet(ip_hl : 5, ip_v: 4, ip_tos:0,\n\tip_len:20, ip_off:0, ip_ttl:64, ip_p:IPPROTO_UDP,\n\tip_src: compat::this_host());\n\n u = forge_udp_packet(ip:ip, uh_sport: sport, uh_dport:port, uh_ulen: 8 + strlen(req), data:req);\n\n filter = 'udp and dst port ' + sport + ' and src host ' + get_host_ip() + ' and udp[8:1]=0x00';\n\n data = NULL;\n for (i = 0; i < 2; i ++)\t# Try twice\n {\n rep = send_packet(u, pcap_active:TRUE, pcap_filter:filter);\n if(rep)\n {\n if (debug_level > 2) dump(ddata: rep, dtitle: 'TFTP (IP)');\n data = get_udp_element(udp: rep, element:\"data\");\n if (debug_level > 1) dump(ddata: data, dtitle: 'TFTP (UDP)');\n if (data[0] == '\\0' && data[1] == '\\x03')\n {\n local_var\tc;\n c = substr(data, 4);\n # debug_print('Content of ',file, \"= \", c, '\\n'r);\n set_kb_item(name: 'tftp/'+port+'/filename/'+ nb, value: file);\n set_kb_item(name: 'tftp/'+port+'/filecontent/'+ nb, value: c);\n nb ++;\n return c;\n }\n else\n return NULL;\n }\n }\n return NULL;\n}\n\nport = get_kb_item('Services/udp/tftp');\nif (! port) port = 69;\nnb = 0;\n\nif (!get_udp_port_state(port)) audit(AUDIT_PORT_CLOSED, port, \"UDP\");\n\n\nexploits = make_array();\nexploits['windows'] = make_list(\n \"win.ini\",\n \"Windows/win.ini\",\n \"WINNT/win.ini\",\n \"/Windows/win.ini\",\n \"/WINNT/win.ini\",\n mult_str(str:\"../\", nb:10) + \"Windows/win.ini\",\n mult_str(str:\"../\", nb:10) + \"WINNT/win.ini\",\n mult_str(str:\".../\", nb:10) + \"Windows/win.ini\",\n mult_str(str:\".../\", nb:10) + \"WINNT/win.ini\",\n \"x/\" + mult_str(str:\"../\", nb:10) + \"Windows/win.ini\",\n \"x/\" + mult_str(str:\"../\", nb:10) + \"WINNT/win.ini\",\n \"x/Windows/win.ini\",\n \"x/WINNT/win.ini\",\n \"C:/Windows/win.ini\",\n \"C:/WINNT/win.ini\",\n \"Windows\\win.ini\",\n \"WINNT\\win.ini\",\n \"\\Windows\\win.ini\",\n \"\\WINNT\\win.ini\",\n mult_str(str:\"..\\\", nb:10) + \"Windows\\win.ini\",\n mult_str(str:\"..\\\", nb:10) + \"WINNT\\win.ini\",\n mult_str(str:\"...\\\", nb:10) + \"Windows\\win.ini\",\n mult_str(str:\"...\\\", nb:10) + \"WINNT\\win.ini\",\n \"x\\\" + mult_str(str:\"..\\\", nb:10) + \"Windows\\win.ini\",\n \"x\\\" + mult_str(str:\"..\\\", nb:10) + \"WINNT\\win.ini\",\n \"x\\Windows\\win.ini\",\n \"x\\WINNT\\win.ini\",\n \"C:\\Windows\\win.ini\",\n \"C:\\WINNT\\win.ini\"\n);\nexploits['nix'] = make_list(\n \"/etc/passwd\",\n mult_str(str:\"../\", nb:10) + \"etc/passwd\"\n);\n\nvulns = make_list();\nobtained_contents = \"\";\nobtained_file = \"\";\n\nos = get_kb_item(\"Host/OS\");\n\nforeach os_type (keys(exploits))\n{\n # Run all exploits in paranoid mode\n # otherwise just for the detected OS\n if (!isnull(os) && report_paranoia < 2)\n {\n if (\"windows\" >< tolower(os) && os_type != \"windows\") continue;\n if (\"windows\" >!< tolower(os) && os_type == \"windows\") continue;\n }\n\n exploit_list = exploits[os_type];\n\n foreach file (exploit_list)\n {\n # Try using netascii mode.\n f = tftp_grab(port: port, file: file);\n # If that failed, try octet mode.\n if (isnull(f)) f = tftp_get(port:port, path:file);\n if (f)\n {\n # Check contents\n if (\n (\"win.ini\" >< file && \"; for 16-bit app support\" >< f) ||\n (\"win.ini\" >< file && \"[Mail]\" >< f) ||\n (f =~ \"root:.*:0:[01]:\")\n )\n {\n vulns = make_list(vulns, file);\n obtained_file = file;\n if (strlen(f) > 600)\n obtained_contents = substr(f, 0, 600);\n else\n obtained_contents = f;\n\n if (!thorough_tests) break;\n }\n }\n }\n if (max_index(vulns) && !thorough_tests) break;\n}\n\nif (max_index(vulns))\n{\n if (report_verbosity > 0)\n {\n vulns = list_uniq(vulns);\n foreach vuln (vulns)\n successful_attempts += '\\n '+vuln;\n obtained_contents = data_protection::redact_etc_passwd(output:obtained_contents);\n report =\n '\\n' + 'Nessus was able to access a system file via the TFTP server' +\n '\\n' + 'using each of the following requests : ' +\n '\\n' +\n successful_attempts +\n '\\n';\n\n if (!get_kb_item(\"global_settings/enable_plugin_debugging\") &&\n !isnull(get_preference(\"sc_version\")))\n {\n report +=\n '\\n' + 'Here is the contents of the file Nessus was able to obtain :' +\n '\\n' + snip +\n '\\n' + obtained_contents +\n '\\n' + snip +\n '\\n';\n security_warning(port:port, proto:\"udp\", extra:report);\n }\n else\n {\n # Sanitize file names\n if (\"/\" >< obtained_file) obtained_file = ereg_replace(pattern:\"^.+/([^/]+)$\", replace:\"\\1\", string:obtained_file);\n else if (\"\\\" >< obtained_file) obtained_file = ereg_replace(pattern:\"^.+\\\\([^\\\\]+)$\", replace:\"\\1\", string:obtained_file);\n\n report +=\n '\\n' + 'Attached is a copy of the contents' + '\\n';\n\n attachments = make_list();\n attachments[0] = make_array();\n attachments[0][\"type\"] = \"text/plain\";\n attachments[0][\"name\"] = obtained_file;\n attachments[0][\"value\"] = obtained_contents;\n\n security_report_with_attachments(\n port : port,\n proto : \"udp\",\n level : 2,\n extra : report,\n attachments : attachments\n );\n }\n }\n else security_warning(port:port, proto:\"udp\");\n}\nelse audit(AUDIT_LISTEN_NOT_VULN, \"TFTP server\", port);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}]}