Microsoft Office PowerPoint Remote Code Execution Vulnerabilities (2489283)
2011-04-13T00:00:00
ID OPENVAS:1361412562310902411 Type openvas Reporter Copyright (C) 2011 Greenbone Networks GmbH Modified 2020-01-07T00:00:00
Description
This host is missing a critical security update according to
Microsoft Bulletin MS11-022.
###############################################################################
# OpenVAS Vulnerability Test
#
# Microsoft Office PowerPoint Remote Code Execution Vulnerabilities (2489283)
#
# Authors:
# Antu Sanadi <santu@secpod.com>
#
# Copyright:
# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
# Metadata registration. When the scanner runs the script with `description`
# set, only the calls below are executed and the script exits via exit(0)
# before any of the version checks further down.
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.902411");
script_version("2020-01-07T09:06:32+0000");
script_tag(name:"last_modification", value:"2020-01-07 09:06:32 +0000 (Tue, 07 Jan 2020)");
script_tag(name:"creation_date", value:"2011-04-13 17:05:53 +0200 (Wed, 13 Apr 2011)");
# The three CVEs bundled into bulletin MS11-022; all are rated with the same
# CVSS v2 base vector below.
script_cve_id("CVE-2011-0655", "CVE-2011-0656", "CVE-2011-0976");
script_tag(name:"cvss_base", value:"9.3");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:C/I:C/A:C");
script_name("Microsoft Office PowerPoint Remote Code Execution Vulnerabilities (2489283)");
# Per-product KB articles followed by the bulletin itself.
script_xref(name:"URL", value:"http://support.microsoft.com/kb/2464617");
script_xref(name:"URL", value:"http://support.microsoft.com/kb/2464588");
script_xref(name:"URL", value:"http://support.microsoft.com/kb/2464594");
script_xref(name:"URL", value:"http://support.microsoft.com/kb/2464623");
script_xref(name:"URL", value:"http://support.microsoft.com/kb/2519975");
script_xref(name:"URL", value:"http://support.microsoft.com/kb/2519984");
script_xref(name:"URL", value:"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-022");
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (C) 2011 Greenbone Networks GmbH");
script_family("Windows : Microsoft Bulletins");
# The dependency presumably populates the "MS/Office/Ver" and
# "SMB/Office/..." KB entries read by the checks below - confirm.
script_dependencies("secpod_office_products_version_900032.nasl");
# 139 and 445 are the SMB ports; the checks read the registry and a file
# version through the included smb_*/secpod_* helpers.
script_require_ports(139, 445);
# NOTE(review): both keys are listed as mandatory, yet the script body also
# reads a third key, "SMB/Office/PPView/Version", for PowerPoint Viewer. If
# every mandatory key must be present for the script to run, a host with only
# the Viewer installed would never be checked (false negative) - confirm
# against the scanner's key semantics.
script_mandatory_keys("MS/Office/Ver", "SMB/Office/PowerPnt/Version");
script_tag(name:"impact", value:"Successful exploitation could allow attackers to execute arbitrary code by
tricking a user into opening a malicious PPT file.");
script_tag(name:"affected", value:"- Microsoft PowerPoint 2010
- Microsoft PowerPoint Viewer 2010
- Microsoft PowerPoint 2002 Service Pack 3
- Microsoft PowerPoint 2003 Service Pack 3
- Microsoft PowerPoint 2007 Service Pack 2
- Microsoft PowerPoint Viewer 2007 Service Pack 2");
script_tag(name:"insight", value:"The flaws are caused by errors related to floating point techno-color time bandit,
persist directory and OfficeArt atoms, which could be exploited by attackers to
execute arbitrary code by tricking a user into opening a specially crafted PowerPoint file.");
script_tag(name:"solution", value:"The vendor has released updates. Please see the references for more information.");
script_tag(name:"summary", value:"This host is missing a critical security update according to
Microsoft Bulletin MS11-022.");
# NOTE(review): qod_type is "registry", but the PowerPoint 2010 check below
# compares the file version of ppcore.dll - confirm the label is intended.
script_tag(name:"qod_type", value:"registry");
script_tag(name:"solution_type", value:"VendorFix");
# NOTE(review): this xref repeats the MS11-022 bulletin URL already registered
# above; one of the two entries looks redundant.
script_xref(name:"URL", value:"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-022");
exit(0);
}
include("smb_nt.inc");
include("secpod_reg.inc");
include("version_func.inc");
include("secpod_smb_func.inc");
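# Version-based check for MS11-022: no file is opened and nothing is sent to
# PowerPoint; the result is inferred from versions already collected in the KB
# and from the file version of ppcore.dll read over SMB.

# Only Office major versions 10, 11, 12 and 14 are examined; anything else
# ends the script without a finding.
officeVer = get_kb_item("MS/Office/Ver");
if(!officeVer || officeVer !~ "^1[0124]\."){
  exit(0);
}

# PowerPoint 2002 / 2003 / 2007 (Powerpnt.exe). Each upper bound is the last
# build still flagged:
#   PowerPoint 2002: flagged below 10.0.6868.0
#   PowerPoint 2003: flagged below 11.0.8334.0
#   PowerPoint 2007: flagged below 12.0.6545.5000
# A 14.x value passes the regex but matches no range here and falls through to
# the ppcore.dll check below.
pptVer = get_kb_item("SMB/Office/PowerPnt/Version");
if(pptVer && pptVer =~ "^1[0124]\.")
{
  if(version_in_range(version:pptVer, test_version:"10.0", test_version2:"10.0.6867.0") ||
     version_in_range(version:pptVer, test_version:"11.0", test_version2:"11.0.8333.0") ||
     version_in_range(version:pptVer, test_version:"12.0", test_version2:"12.0.6545.4999"))
  {
    security_message( port: 0, data: "The target host was found to be vulnerable" );
    exit(0);
  }
}

# PowerPoint 2010 (ppcore.dll): flagged below 14.0.5136.5003.
# Both Program Files locations are probed. A 32-bit Office 2010 on 64-bit
# Windows installs under the x86 directory, so probing only "ProgramFilesDir"
# would miss it and report the host as clean. On 32-bit Windows the second
# registry value is absent and that iteration does nothing.
if(registry_key_exists(key:"SOFTWARE\Microsoft\Office"))
{
  foreach pfItem (make_list("ProgramFilesDir", "ProgramFilesDir (x86)"))
  {
    sysPath = registry_get_sz(key:"SOFTWARE\Microsoft\Windows\CurrentVersion", item:pfItem);
    if(sysPath)
    {
      dllVer = fetch_file_version(sysPath:sysPath, file_name:"Microsoft Office\Office14\ppcore.dll");
      if(dllVer && version_in_range(version:dllVer, test_version:"14.0", test_version2:"14.0.5136.5002"))
      {
        security_message( port: 0, data: "The target host was found to be vulnerable" );
        exit(0);
      }
    }
  }
}

# PowerPoint Viewer (Pptview.exe):
#   Viewer 2007: flagged below 12.0.6550.5000
#   Viewer 2010: flagged below 14.0.5136.5003
# NOTE(review): this point is only reached when "MS/Office/Ver" is set (see
# the early exit above), so a Viewer installed without Office is presumably
# never evaluated - confirm against the detection script.
ppviewVer = get_kb_item("SMB/Office/PPView/Version");
if(ppviewVer && ppviewVer =~ "^1[24]\.")
{
  if(version_in_range(version:ppviewVer, test_version:"12.0", test_version2:"12.0.6550.4999") ||
     version_in_range(version:ppviewVer, test_version:"14.0", test_version2:"14.0.5136.5002")){
    security_message( port: 0, data: "The target host was found to be vulnerable" );
  }
}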
{"id": "OPENVAS:1361412562310902411", "type": "openvas", "bulletinFamily": "scanner", "title": "Microsoft Office PowerPoint Remote Code Execution Vulnerabilities (2489283)", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS11-022.", "published": "2011-04-13T00:00:00", "modified": "2020-01-07T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310902411", "reporter": "Copyright (C) 2011 Greenbone Networks GmbH", "references": ["http://support.microsoft.com/kb/2464617", "http://support.microsoft.com/kb/2519975", "http://support.microsoft.com/kb/2519984", "http://support.microsoft.com/kb/2464623", "http://support.microsoft.com/kb/2464594", "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-022", "http://support.microsoft.com/kb/2464588"], "cvelist": ["CVE-2011-0976", "CVE-2011-0655", "CVE-2011-0656"], "lastseen": "2020-01-08T14:04:37", "viewCount": 1, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2011-0655", "CVE-2011-0656", "CVE-2011-0976"]}, {"type": "nessus", "idList": ["SMB_NT_MS11-022.NASL", "MACOSX_MS_OFFICE_APR2011.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:902411", "OPENVAS:1361412562310801594", "OPENVAS:801594"]}, {"type": "zdi", "idList": ["ZDI-11-125", "ZDI-11-123", "ZDI-11-124", "ZDI-11-044"]}, {"type": "seebug", "idList": ["SSV:20490", "SSV:20488"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:26112", "SECURITYVULNS:VULN:11580", "SECURITYVULNS:DOC:26113", "SECURITYVULNS:DOC:26110"]}, {"type": "saint", "idList": ["SAINT:09BB4936C60432BDECFB24590F9F2B73", "SAINT:037061F684C7241ABD70789C2F1DF809", "SAINT:8DC65ED5190A1A2AAE0D44CCF8A8EB83"]}], "modified": "2020-01-08T14:04:37", "rev": 2}, "score": {"value": 9.5, "vector": "NONE", "modified": "2020-01-08T14:04:37", "rev": 2}, "vulnersScore": 9.5}, "pluginID": "1361412562310902411", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Office PowerPoint Remote Code Execution Vulnerabilities (2489283)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.902411\");\n script_version(\"2020-01-07T09:06:32+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-07 09:06:32 +0000 (Tue, 07 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2011-04-13 17:05:53 +0200 (Wed, 13 Apr 2011)\");\n script_cve_id(\"CVE-2011-0655\", \"CVE-2011-0656\", \"CVE-2011-0976\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Microsoft Office PowerPoint Remote Code Execution Vulnerabilities (2489283)\");\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/kb/2464617\");\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/kb/2464588\");\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/kb/2464594\");\n script_xref(name:\"URL\", 
value:\"http://support.microsoft.com/kb/2464623\");\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/kb/2519975\");\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/kb/2519984\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-022\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2011 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"MS/Office/Ver\", \"SMB/Office/PowerPnt/Version\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation could allow attackers to execute arbitrary code by\n tricking a user into opening a malicious PPT file.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft PowerPoint 2010\n\n - Microsoft PowerPoint Viewer 2010\n\n - Microsoft PowerPoint 2002 Service Pack 3\n\n - Microsoft PowerPoint 2003 Service Pack 3\n\n - Microsoft PowerPoint 2007 Service Pack 2\n\n - Microsoft PowerPoint Viewer 2007 Service Pack 2\");\n\n script_tag(name:\"insight\", value:\"The flaws are caused by errors related to floating point techno-color time bandit,\n persist directory and OfficeArt atoms, which could be exploited by attackers to\n execute arbitrary code by tricking a user into opening a specially crafted PowerPoint file.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security update according to\n Microsoft Bulletin MS11-022.\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-022\");\n\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nofficeVer = get_kb_item(\"MS/Office/Ver\");\n\nif(!officeVer || officeVer !~ \"^1[0124]\\.\"){\n exit(0);\n}\n\npptVer = get_kb_item(\"SMB/Office/PowerPnt/Version\");\nif(pptVer && pptVer =~ \"^1[0124]\\.\")\n{\n if(version_in_range(version:pptVer, test_version:\"10.0\", test_version2:\"10.0.6867.0\") ||\n version_in_range(version:pptVer, test_version:\"11.0\", test_version2:\"11.0.8333.0\") ||\n version_in_range(version:pptVer, test_version:\"12.0\", test_version2:\"12.0.6545.4999\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n\n# Office Power Point for 2010\nif(registry_key_exists(key:\"SOFTWARE\\Microsoft\\Office\"))\n{\n sysPath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\", item:\"ProgramFilesDir\");\n if(sysPath)\n {\n dllVer = fetch_file_version(sysPath:sysPath, file_name:\"Microsoft Office\\Office14\\ppcore.dll\");\n if(dllVer)\n {\n if(version_in_range(version:dllVer, test_version:\"14.0\", test_version2:\"14.0.5136.5002\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n }\n}\n\nppviewVer = get_kb_item(\"SMB/Office/PPView/Version\");\nif(ppviewVer && ppviewVer =~ \"^1[24]\\.\")\n{\n if(version_in_range(version:ppviewVer, test_version:\"12.0\", test_version2:\"12.0.6550.4999\") ||\n version_in_range(version:ppviewVer, test_version:\"14.0\", 
test_version2:\"14.0.5136.5002\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n}\n", "naslFamily": "Windows : Microsoft Bulletins", "immutableFields": []}
{"cve": [{"lastseen": "2021-02-02T05:50:59", "description": "Microsoft PowerPoint 2002 SP3, 2003 SP3, 2007 SP2, and 2010; Office 2004, 2008, and 2011 for Mac; Open XML File Format Converter for Mac; Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP2; PowerPoint Viewer; PowerPoint Viewer 2007 SP2; and PowerPoint Web App do not properly validate PersistDirectoryEntry records in PowerPoint documents, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a Slide with a malformed record, which triggers an exception and later use of an unspecified method, aka \"Persist Directory RCE Vulnerability.\"", "edition": 4, "cvss3": {}, "published": "2011-04-13T18:55:00", "title": "CVE-2011-0656", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-0656"], "modified": "2018-10-12T21:59:00", "cpe": ["cpe:/a:microsoft:powerpoint_viewer:2007", "cpe:/a:microsoft:office:2008", "cpe:/a:microsoft:powerpoint:2003", "cpe:/a:microsoft:powerpoint:2007", "cpe:/a:microsoft:open_xml_file_format_converter:*", "cpe:/a:microsoft:powerpoint:2010", "cpe:/a:microsoft:powerpoint_web_app:*", "cpe:/a:microsoft:office:2011", "cpe:/a:microsoft:office:2004", "cpe:/a:microsoft:office_powerpoint_viewer:*", "cpe:/a:microsoft:office_compatibility_pack:2007", "cpe:/a:microsoft:powerpoint:2002"], "id": "CVE-2011-0656", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0656", "cvss": {"score": 9.3, "vector": 
"AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:open_xml_file_format_converter:*:*:mac:*:*:*:*:*", "cpe:2.3:a:microsoft:powerpoint:2007:sp2:*:*:*:*:*:*", "cpe:2.3:a:microsoft:powerpoint:2010:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office:2004:*:mac:*:*:*:*:*", "cpe:2.3:a:microsoft:office:2011:*:mac:*:*:*:*:*", "cpe:2.3:a:microsoft:powerpoint_web_app:*:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office_compatibility_pack:2007:sp2:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office_powerpoint_viewer:*:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:powerpoint:2003:sp3:*:*:*:*:*:*", "cpe:2.3:a:microsoft:powerpoint_viewer:2007:sp2:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office:2008:*:mac:*:*:*:*:*", "cpe:2.3:a:microsoft:powerpoint:2002:sp3:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:50:59", "description": "Microsoft PowerPoint 2007 SP2 and 2010; Office 2004, 2008, and 2011 for Mac; Open XML File Format Converter for Mac; Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP2; PowerPoint Viewer; PowerPoint Viewer 2007 SP2; and PowerPoint Web App do not properly validate TimeColorBehaviorContainer Floating Point records in PowerPoint documents, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted document containing an invalid record, aka \"Floating Point Techno-color Time Bandit RCE Vulnerability.\"", "edition": 4, "cvss3": {}, "published": "2011-04-13T18:55:00", "title": "CVE-2011-0655", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2011-0655"], "modified": "2018-10-12T21:59:00", "cpe": ["cpe:/a:microsoft:powerpoint_viewer:2007", "cpe:/a:microsoft:office:2008", "cpe:/a:microsoft:open_xml_file_format_converter:*", "cpe:/a:microsoft:powerpoint:2010", "cpe:/a:microsoft:powerpoint_web_app:*", "cpe:/a:microsoft:office:2011", "cpe:/a:microsoft:office:2004", "cpe:/a:microsoft:office_powerpoint_viewer:*", "cpe:/a:microsoft:office_compatibility_pack:2007"], "id": "CVE-2011-0655", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0655", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:open_xml_file_format_converter:*:*:mac:*:*:*:*:*", "cpe:2.3:a:microsoft:powerpoint:2010:*:x32:*:*:*:*:*", "cpe:2.3:a:microsoft:powerpoint:2010:*:x64:*:*:*:*:*", "cpe:2.3:a:microsoft:office:2004:*:mac:*:*:*:*:*", "cpe:2.3:a:microsoft:office:2011:*:mac:*:*:*:*:*", "cpe:2.3:a:microsoft:powerpoint_web_app:*:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office_compatibility_pack:2007:sp2:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office_powerpoint_viewer:*:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:powerpoint_viewer:2007:sp2:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office:2008:*:mac:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:50:59", "description": "Microsoft PowerPoint 2002 SP3, 2003 SP3, and 2007 SP2; Office 2004 and 2008 for Mac; Open XML File Format Converter for Mac; Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP2; and PowerPoint Viewer 2007 SP2 do not properly handle Office Art containers that have invalid records, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a PowerPoint document with a container that triggers certain access to an uninitialized object, aka \"OfficeArt Atom RCE Vulnerability.\"", "edition": 4, "cvss3": {}, "published": "2011-02-10T19:00:00", "title": "CVE-2011-0976", "type": "cve", "cwe": ["CWE-264"], "bulletinFamily": "NVD", 
"cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-0976"], "modified": "2018-10-12T21:59:00", "cpe": ["cpe:/a:microsoft:powerpoint:2007"], "id": "CVE-2011-0976", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0976", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:powerpoint:2007:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2017-07-19T10:54:55", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-0976", "CVE-2011-0655", "CVE-2011-0656"], "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS11-022.", "modified": "2017-07-04T00:00:00", "published": "2011-04-13T00:00:00", "id": "OPENVAS:902411", "href": "http://plugins.openvas.org/nasl.php?oid=902411", "type": "openvas", "title": "Microsoft Office PowerPoint Remote Code Execution Vulnerabilities (2489283)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_ms11-022.nasl 6523 2017-07-04 15:46:12Z cfischer $\n#\n# Microsoft Office PowerPoint Remote Code Execution Vulnerabilities (2489283)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2011 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be 
useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation could allow attackers to execute arbitrary code by\n tricking a user into opening a malicious PPT file.\n Impact Level: System\";\ntag_affected = \"Microsoft PowerPoint 2010\n Microsoft PowerPoint Viewer 2010\n Microsoft PowerPoint 2002 Service Pack 3\n Microsoft PowerPoint 2003 Service Pack 3\n Microsoft PowerPoint 2007 Service Pack 2\n Microsoft PowerPoint Viewer 2007 Service Pack 2\";\ntag_insight = \"The flaws are caused by errors related to floating point techno-color time bandit,\n persist directory and OfficeArt atoms, which could be exploited by attackers to\n execute arbitrary code by tricking a user into opening a specially crafted\n PowerPoint file.\";\ntag_solution = \"Run Windows Update and update the listed hotfixes or download and\n update mentioned hotfixes in the advisory from the below link,\n http://www.microsoft.com/technet/security/bulletin/ms11-022.mspx\";\ntag_summary = \"This host is missing a critical security update according to\n Microsoft Bulletin MS11-022.\";\n\nif(description)\n{\n script_id(902411);\n script_version(\"$Revision: 6523 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-04 17:46:12 +0200 (Tue, 04 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-04-13 17:05:53 +0200 (Wed, 13 Apr 2011)\");\n script_cve_id(\"CVE-2011-0655\", \"CVE-2011-0656\", \"CVE-2011-0976\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", 
value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Microsoft Office PowerPoint Remote Code Execution Vulnerabilities (2489283)\");\n script_xref(name : \"URL\" , value : \"http://support.microsoft.com/kb/2464617\");\n script_xref(name : \"URL\" , value : \"http://support.microsoft.com/kb/2464588\");\n script_xref(name : \"URL\" , value : \"http://support.microsoft.com/kb/2464594\");\n script_xref(name : \"URL\" , value : \"http://support.microsoft.com/kb/2464623\");\n script_xref(name : \"URL\" , value : \"http://support.microsoft.com/kb/2519975\");\n script_xref(name : \"URL\" , value : \"http://support.microsoft.com/kb/2519984\");\n script_xref(name : \"URL\" , value : \"http://www.microsoft.com/technet/security/Bulletin/MS11-022.mspx\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2010 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"MS/Office/Ver\", \"SMB/Office/PowerPnt/Version\");\n\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(!egrep(pattern:\"^(|10|11|12|14)\\..*\", string:get_kb_item(\"MS/Office/Ver\"))){\n exit(0);\n}\n\npptVer = get_kb_item(\"SMB/Office/PowerPnt/Version\");\nif(pptVer)\n{\n if(egrep(pattern:\"^(|10|11|12|14)\\..*\", string:pptVer))\n {\n ## PowerPoint Check\n ## Check for Powerpnt.exe < 10.0.6868.0 for PowerPoint 2002\n ## Check for Powerpnt.exe < 11.0.8334.0 for PowerPoint 2003\n ## Check for Powerpnt.exe < 
12.0.6545.5000 for PowerPoint 2007\n if(version_in_range(version:pptVer, test_version:\"10.0\", test_version2:\"10.0.6867.0\") ||\n version_in_range(version:pptVer, test_version:\"11.0\", test_version2:\"11.0.8333.0\") ||\n version_in_range(version:pptVer, test_version:\"12.0\", test_version2:\"12.0.6545.4999\"))\n {\n security_message(0);\n exit(0);\n }\n }\n}\n\n# Office Power Point for 2010\nif(registry_key_exists(key:\"SOFTWARE\\Microsoft\\Office\"))\n{\n sysPath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\",\n item:\"ProgramFilesDir\");\n if(sysPath)\n {\n dllVer = fetch_file_version(sysPath, file_name:\"Microsoft Office\\Office14\\ppcore.dll\");\n if(dllVer)\n {\n ## Check for Ppcore.dll < 14.0.5136.5003 for PowerPoint 2010\n if(version_in_range(version:dllVer, test_version:\"14.0\", test_version2:\"14.0.5136.5002\"))\n {\n security_message(0);\n exit(0);\n }\n }\n }\n}\n\nppviewVer = get_kb_item(\"SMB/Office/PPView/Version\");\n\n## PowerPoint Viewer Check\nif (!isnull(ppviewVer))\n{\n ## Check for Pptview.exe < 12.0.6550.5000 for PowerPoint Viewer 2007\n ## Check for Pptview.exe < 14.0.5136.5003 for PowerPoint Viewer 2010\n if(version_in_range(version:ppviewVer, test_version:\"12.0\", test_version2:\"12.0.6550.4999\") ||\n version_in_range(version:ppviewVer, test_version:\"14.0\", test_version2:\"14.0.5136.5002\")){\n security_message(0);\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-20T08:55:18", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-0976"], "description": "This host is installed with Microsoft Office Power Point and is\nprone to remote code execution vulnerability.\n\nThis NVT has been replaced by NVT secpod_ms11-022.nasl\n(OID:1.3.6.1.4.1.25623.1.0.902411).", "modified": "2017-07-05T00:00:00", "published": "2011-02-23T00:00:00", "id": "OPENVAS:801594", "href": "http://plugins.openvas.org/nasl.php?oid=801594", "type": "openvas", 
"title": "Microsoft PowerPoint 2007 OfficeArt Atom Remote Code Execution Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms_power_point_code_exec_vuln.nasl 6538 2017-07-05 11:38:27Z cfischer $\n#\n# Microsoft PowerPoint 2007 OfficeArt Atom Remote Code Execution Vulnerability\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation will allow attacker to execute arbitrary\ncodes, can cause memory corruption and other attacks in the context of the\napplication through a crafted Power Point file.\n\nImpact Level: System\";\n\ntag_affected = \"MS PowerPoint 2007 Service Pack 2\";\n\ntag_insight = \"The flaw exists with the way application will parse external\nobjects within an Office Art container. When parsing this object, the\napplication will append an uninitialized object to a list. 
When destroying this\nobject during document close (WM_DESTROY), the application will access a method\nthat does not exist.\";\n\ntag_solution = \"No solution or patch was made available for at least one year\nsince disclosure of this vulnerability. Likely none will be provided anymore.\nGeneral solution options are to upgrade to a newer release, disable respective\nfeatures, remove the product or replace the product by another one.\";\n\ntag_summary = \"This host is installed with Microsoft Office Power Point and is\nprone to remote code execution vulnerability.\n\nThis NVT has been replaced by NVT secpod_ms11-022.nasl\n(OID:1.3.6.1.4.1.25623.1.0.902411).\";\n\nif(description)\n{\n script_id(801594);\n script_version(\"$Revision: 6538 $\");\n script_tag(name:\"deprecated\", value:TRUE);\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-05 13:38:27 +0200 (Wed, 05 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-02-23 12:24:37 +0100 (Wed, 23 Feb 2011)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2011-0976\");\n script_name(\"Microsoft PowerPoint 2007 OfficeArt Atom Remote Code Execution Vulnerability\");\n script_xref(name : \"URL\" , value : \"http://zerodayinitiative.com/advisories/ZDI-11-044/\");\n script_xref(name : \"URL\" , value : \"http://dvlabs.tippingpoint.com/blog/2011/02/07/zdi-disclosure-microsoft\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2011 Greenbone Networks GmbH\");\n script_family(\"Windows\");\n script_dependencies(\"secpod_ms_office_detection_900025.nasl\", \"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"MS/Office/Ver\", \"SMB/Office/PowerPnt/Version\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" 
, value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n exit(0);\n}\n\nexit(66); ## This NVT is deprecated as addressed in secpod_ms11-021.nasl.\n\ninclude(\"version_func.inc\");\n\n## check for microsoft office installation\nif(!get_kb_item(\"MS/Office/Ver\") =~ \"^12\\.*\"){\n exit(0);\n}\n\n## Get the ms office power point version\nppVer = get_kb_item(\"SMB/Office/PowerPnt/Version\");\n\n## Check for the MS office power point 2007\nif(ppVer && ppVer =~ \"^12\\.*\"){\n security_message(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-04-07T16:39:37", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-0976"], "description": "This host is installed with Microsoft Office Power Point and is\n prone to remote code execution vulnerability.\n\n This NVT has been replaced by OID:1.3.6.1.4.1.25623.1.0.902411.", "modified": "2020-04-02T00:00:00", "published": "2011-02-23T00:00:00", "id": "OPENVAS:1361412562310801594", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310801594", "type": "openvas", "title": "Microsoft PowerPoint 2007 OfficeArt Atom Remote Code Execution Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft PowerPoint 2007 OfficeArt Atom Remote Code Execution Vulnerability\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without 
even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.801594\");\n script_version(\"2020-04-02T11:36:28+0000\");\n script_tag(name:\"deprecated\", value:TRUE);\n script_tag(name:\"last_modification\", value:\"2020-04-02 11:36:28 +0000 (Thu, 02 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2011-02-23 12:24:37 +0100 (Wed, 23 Feb 2011)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2011-0976\");\n script_name(\"Microsoft PowerPoint 2007 OfficeArt Atom Remote Code Execution Vulnerability\");\n script_xref(name:\"URL\", value:\"http://zerodayinitiative.com/advisories/ZDI-11-044/\");\n script_xref(name:\"URL\", value:\"http://dvlabs.tippingpoint.com/blog/2011/02/07/zdi-disclosure-microsoft\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2011 Greenbone Networks GmbH\");\n script_family(\"Windows\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker to execute arbitrary\n codes, can cause memory corruption and other attacks in the context of the\n application through a crafted Power Point file.\");\n\n script_tag(name:\"affected\", value:\"MS PowerPoint 2007 Service Pack 2\");\n\n script_tag(name:\"insight\", value:\"The flaw exists with the way application will parse external\n objects within an Office Art container. When parsing this object, the\n application will append an uninitialized object to a list. 
When destroying this\n object during document close (WM_DESTROY), the application will access a method\n that does not exist.\");\n\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since the disclosure\n of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer\n release, disable respective features, remove the product or replace the product by another one.\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Microsoft Office Power Point and is\n prone to remote code execution vulnerability.\n\n This NVT has been replaced by OID:1.3.6.1.4.1.25623.1.0.902411.\");\n\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n\n exit(0);\n}\n\nexit(66); ## This NVT is deprecated as addressed in secpod_ms11-021.nasl.\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-04-01T06:15:47", "description": "The remote Windows host has a version of Microsoft PowerPoint that is\naffected by multiple code execution vulnerabilities. 
A remote attacker\ncould exploit this by tricking a user into viewing a maliciously\ncrafted PowerPoint file.", "edition": 30, "published": "2011-04-13T00:00:00", "title": "MS11-022: Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2489283)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-0976", "CVE-2011-0655", "CVE-2011-0656"], "modified": "2021-04-02T00:00:00", "cpe": ["cpe:/a:microsoft:powerpoint_viewer", "cpe:/a:microsoft:powerpoint", "cpe:/a:microsoft:office", "cpe:/a:microsoft:office_compatibility_pack"], "id": "SMB_NT_MS11-022.NASL", "href": "https://www.tenable.com/plugins/nessus/53379", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(53379);\n script_version(\"1.26\");\n script_cvs_date(\"Date: 2019/12/13\");\n\n script_cve_id(\"CVE-2011-0655\", \"CVE-2011-0656\", \"CVE-2011-0976\");\n script_bugtraq_id(46228, 47251, 47252);\n script_xref(name:\"MSFT\", value:\"MS11-022\");\n script_xref(name:\"MSKB\", value:\"2464588\");\n script_xref(name:\"MSKB\", value:\"2464594\");\n script_xref(name:\"MSKB\", value:\"2464617\");\n script_xref(name:\"MSKB\", value:\"2464623\");\n script_xref(name:\"MSKB\", value:\"2464635\");\n script_xref(name:\"MSKB\", value:\"2519975\");\n script_xref(name:\"MSKB\", value:\"2519984\");\n script_xref(name:\"MSKB\", value:\"2520047\");\n\n script_name(english:\"MS11-022: Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2489283)\");\n script_summary(english:\"Checks version of PowerPoint\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Arbitrary code can be executed on the remote host through Microsoft\nPowerPoint.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host has a version of Microsoft PowerPoint that is\naffected by multiple code execution vulnerabilities. 
A remote attacker\ncould exploit this by tricking a user into viewing a maliciously\ncrafted PowerPoint file.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-11-044/\");\n # https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2011/ms11-022\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?aa74871a\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for PowerPoint 2002, 2003,\n2007, 2010, PowerPoint Viewer 2007 and 2010, Office Compatibility\nPack, and Office Web Apps.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/02/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/04/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/04/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office_compatibility_pack\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:powerpoint\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:powerpoint_viewer\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_nt_ms02-031.nasl\", \"office_installed.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n\n exit(0);\n}\n\n\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"audit.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS11-022';\nkbs = make_list(\"2464588\", \"2464594\", \"2464617\", \"2464623\", \"2464635\", \"2519975\", \"2519984\", \"2520047\");\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\n\n# PowerPoint.\ninfo = \"\";\n\n\n\n# First check office web apps\nport = kb_smb_transport();\nlogin = kb_smb_login();\npass = kb_smb_password();\ndomain = kb_smb_domain();\n\nif(! smb_session_init()) audit(AUDIT_FN_FAIL, \"smb_session_init\");\n\n\nrc = NetUseAdd(login:login, password:pass, domain:domain, share:\"IPC$\");\nif (rc != 1)\n{\n NetUseDel();\n audit(AUDIT_SHARE_FAIL, \"IPC$\");\n\n}\n\n\n# Connect to remote registry.\nhklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);\nif (isnull(hklm))\n{\n NetUseDel();\n audit(AUDIT_REG_FAIL);\n}\n\nowa_path = NULL;\n\nkey = \"SOFTWARE\\Microsoft\\Office Server\\14.0\";\nkey_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);\nif (!isnull(key_h))\n{\n value = RegQueryValue(handle:key_h, item:\"InstallPath\");\n if (!isnull(value))\n owa_path = value[1];\n\n RegCloseKey(handle:key_h);\n}\n\nRegCloseKey(handle:hklm);\nNetUseDel();\n\nif (owa_path)\n{\n share = owa_path[0] + '$';\n if (is_accessible_share(share:share))\n {\n kb = '2520047';\n owa_path = owa_path + \"\\WebServices\\ConversionService\\Bin\\Converter\";\n\n if (hotfix_is_vulnerable(file:\"msoserver.dll\", version:\"14.0.5136.5002\", min_version:\"14.0.0.0\", path:owa_path, 
bulletin:bulletin, kb:kb))\n {\n file = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", string:owa_path, replace:\"\\1\\msoserver.dll\");\n kb_name = \"SMB/FileVersions/\"+tolower(share-'$')+tolower(str_replace(string:file, find:\"\\\", replace:\"/\"));\n version = get_kb_item(kb_name);\n\n info =\n '\\n Product : Office Web Apps 2010' +\n '\\n Path : ' + owa_path + '\\\\msoserver.dll' +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 14.0.5136.5002' + '\\n';\n\n hcf_report = '';\n hotfix_add_report(info, bulletin:bulletin, kb:kb);\n vuln = TRUE;\n }\n }\n else debug_print('is_accessible_share() failed on ' + owa_path);\n}\n\n# Check powerpoint versions\ninstalls = get_kb_list(\"SMB/Office/PowerPoint/*/ProductPath\");\nif (!isnull(installs))\n{\n foreach install (keys(installs))\n {\n version = install - 'SMB/Office/PowerPoint/' - '/ProductPath';\n path = installs[install];\n\n info = NULL;\n ver = split(version, sep:'.', keep:FALSE);\n for (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\n\n # PowerPoint 2010\n if (ver[0] == 14 && path != 'n/a')\n {\n office_sp = get_kb_item(\"SMB/Office/2010/SP\");\n if (!isnull(office_sp) && office_sp == 0)\n {\n kb = '2519975';\n path = ereg_replace(pattern:\"^([A-Za-z]:.*)\\\\PowerPnt.exe\", string:path, replace:\"\\1\");\n share = hotfix_path2share(path:path);\n\n if (is_accessible_share(share:share))\n {\n old_report = hotfix_get_report();\n\n if (hotfix_is_vulnerable(file:\"ppcore.dll\", version:\"14.0.5136.5003\", min_version:\"14.0.0.0\", path:path, bulletin:bulletin, kb:kb))\n {\n file = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", string:path, replace:\"\\1\\ppcore.dll\");\n kb_name = \"SMB/FileVersions/\"+tolower(share-'$')+tolower(str_replace(string:file, find:\"\\\", replace:\"/\"));\n version = get_kb_item(kb_name);\n\n info =\n '\\n Product : PowerPoint 2010' +\n '\\n Path : ' + path + '\\\\ppcore.dll' +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 14.0.5136.5003\\n';\n }\n }\n else 
debug_print('is_accessible_share() failed on ' + path);\n }\n }\n\n # PowerPoint 2007.\n else if (ver[0] == 12 && path != 'n/a')\n {\n office_sp = get_kb_item(\"SMB/Office/2007/SP\");\n if (!isnull(office_sp) && office_sp == 2)\n {\n kb = \"2464594\";\n path = ereg_replace(pattern:\"^([A-Za-z]:.*)\\\\PowerPnt.exe\", string:path, replace:\"\\1\");\n share = hotfix_path2share(path:path);\n share = path[0] + '$';\n\n if (is_accessible_share(share:share))\n {\n old_report = hotfix_get_report();\n\n if (hotfix_is_vulnerable(file:\"ppcore.dll\", version:\"12.0.6550.5000\", min_version:\"12.0.0.0\", path:path, bulletin:bulletin, kb:kb))\n {\n file = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", string:path, replace:\"\\1\\ppcore.dll\");\n kb_name = \"SMB/FileVersions/\"+tolower(share-'$')+tolower(str_replace(string:file, find:\"\\\", replace:\"/\"));\n version = get_kb_item(kb_name);\n\n info =\n '\\n Product : PowerPoint 2007' +\n '\\n Path : ' + path + '\\\\ppcore.dll' +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 12.0.6550.5000\\n';\n hotfix_check_fversion_end();\n }\n }\n else debug_print('is_accessible_share() failed on ' + path);\n }\n }\n # PowerPoint 2003.\n else if (ver[0] == 11 && ver[1] == 0 && ver[2] < 8334)\n {\n office_sp = get_kb_item(\"SMB/Office/2003/SP\");\n if (!isnull(office_sp) && office_sp == 3)\n {\n kb = \"2464588\";\n info =\n '\\n Product : PowerPoint 2003\\n' +\n ' File : ' + path + '\\n' +\n ' Installed version : ' + version + '\\n' +\n ' Fixed version : 11.0.8334.0\\n';\n }\n }\n # PowerPoint 2002.\n else if (ver[0] == 10 && ver[1] == 0 && ver[2] < 6868)\n {\n office_sp = get_kb_item(\"SMB/Office/XP/SP\");\n if (!isnull(office_sp) && office_sp == 3)\n {\n kb = \"2464617\";\n info =\n '\\n Product : PowerPoint 2002\\n' +\n ' File : ' + path + '\\n' +\n ' Installed version : ' + version + '\\n' +\n ' Fixed version : 10.0.6868.0\\n';\n }\n }\n\n if (info)\n {\n hcf_report = '';\n hotfix_add_report(old_report + info, 
bulletin:bulletin, kb:kb);\n vuln = TRUE;\n }\n }\n}\n\n\n# PowerPoint Viewer.\ninstalls = get_kb_list(\"SMB/Office/PowerPointViewer/*/ProductPath\");\nif (!isnull(installs))\n{\n foreach install (keys(installs))\n {\n version = install - 'SMB/Office/PowerPointViewer/' - '/ProductPath';\n path = installs[install];\n\n ver = split(version, sep:'.', keep:FALSE);\n for (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\n\n # Office PowerPoint Viewer 2010\n if (\n ver[0] == 14 && ver[1] == 0 &&\n (\n ver[2] < 5136 ||\n (ver[2] == 5136 && ver[3] < 5003)\n )\n )\n {\n kb = \"2519984\";\n info =\n '\\n Product : PowerPoint Viewer 2010\\n' +\n ' File : ' + path + '\\n' +\n ' Installed version : ' + version + '\\n' +\n ' Fixed version : 14.0.5136.5003\\n';\n hotfix_add_report(info, bulletin:bulletin, kb:kb);\n vuln = TRUE;\n }\n # PowerPoint Viewer 2007.\n else if (\n ver[0] == 12 && ver[1] == 0 &&\n (\n ver[2] < 6550 ||\n (ver[2] == 6550 && ver[3] < 5000)\n )\n )\n {\n kb = \"2464623\";\n info =\n '\\n Product : PowerPoint Viewer 2007\\n' +\n ' File : ' + path + '\\n' +\n ' Installed version : ' + version + '\\n' +\n ' Fixed version : 12.0.6550.5000\\n';\n hotfix_add_report(info, bulletin:bulletin, kb:kb);\n vuln = TRUE;\n }\n }\n}\n\n\n# PowerPoint Converter.\ninstalls = get_kb_list(\"SMB/Office/PowerPointCnv/*/ProductPath\");\nif (!isnull(installs))\n{\n foreach install (keys(installs))\n {\n version = install - 'SMB/Office/PowerPointCnv/' - '/ProductPath';\n path = installs[install];\n\n ver = split(version, sep:'.', keep:FALSE);\n for (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\n\n path = ereg_replace(pattern:\"^([A-Za-z]:.*)\\\\Ppcnvcom.exe\", string:path, replace:\"\\1\");\n info = NULL;\n\n # PowerPoint 2007 converter.\n if (ver[0] == 12 && path)\n {\n kb = \"2464635\";\n share = path[0] + '$';\n\n if (is_accessible_share(share:share))\n {\n old_report = hotfix_get_report();\n\n if (hotfix_is_vulnerable(file:\"ppcnv.dll\", version:\"12.0.6550.5000\", 
min_version:\"12.0.0.0\", path:path, bulletin:bulletin, kb:kb))\n {\n file = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", string:path, replace:\"\\1\\ppcnv.dll\");\n kb_name = \"SMB/FileVersions/\"+tolower(share-'$')+tolower(str_replace(string:file, find:\"\\\", replace:\"/\"));\n version = get_kb_item(kb_name);\n\n vuln = TRUE;\n info =\n '\\n Product : PowerPoint 2007 Converter' +\n '\\n Path : ' + path + '\\\\ppcnv.dll' +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 12.0.6550.5000\\n';\n hcf_report = '';\n hotfix_add_report(old_report + info, bulletin:bulletin, kb:kb);\n }\n }\n else debug_print('is_accessible_share() failed on ' + path);\n }\n }\n}\n\nhotfix_check_fversion_end();\n\n# report if office webapps, powerpoint converter, or powerpoint viewer\n# are unpatched\nif (vuln)\n{\n set_kb_item(name:\"SMB/Missing/\" + bulletin, value:TRUE);\n hotfix_security_hole();\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, 'affected');\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-14T16:10:58", "description": "The remote Mac OS X host is running a version of Microsoft Office that\nis affected by several vulnerabilities.\n\nIf an attacker can trick a user on the affected host into opening a\nspecially crafted Office file, these issues could be leveraged to\nexecute arbitrary code subject to the user's privileges.", "edition": 15, "published": "2011-04-13T00:00:00", "title": "MS11-021 / MS11-022 / MS11-023: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2489279 / 2489283 / 2489293) (Mac OS X)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-0097", "CVE-2011-0979", "CVE-2011-0105", "CVE-2011-0976", "CVE-2011-0098", "CVE-2011-0978", "CVE-2011-0103", "CVE-2011-0655", "CVE-2011-0656", "CVE-2011-0101", "CVE-2011-0104", "CVE-2011-0977", "CVE-2011-0980"], "modified": "2011-04-13T00:00:00", "cpe": ["cpe:/a:microsoft:open_xml_file_format_converter:::mac", 
"cpe:/a:microsoft:office:2011::mac", "cpe:/a:microsoft:office:2004::mac", "cpe:/a:microsoft:office:2008::mac"], "id": "MACOSX_MS_OFFICE_APR2011.NASL", "href": "https://www.tenable.com/plugins/nessus/53374", "sourceData": "#TRUSTED 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\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(53374);\n script_version(\"1.28\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/05\");\n\n script_cve_id(\n \"CVE-2011-0097\",\n \"CVE-2011-0098\",\n \"CVE-2011-0101\",\n \"CVE-2011-0103\",\n \"CVE-2011-0104\",\n \"CVE-2011-0105\",\n \"CVE-2011-0655\",\n \"CVE-2011-0656\",\n \"CVE-2011-0976\",\n \"CVE-2011-0977\",\n \"CVE-2011-0978\",\n \"CVE-2011-0979\",\n \"CVE-2011-0980\"\n );\n script_bugtraq_id(\n 46225,\n 46226,\n 46227,\n 46228,\n 46229,\n 47201,\n 47243,\n 47244,\n 47245,\n 47251,\n 47252\n );\n script_xref(name:\"MSFT\", value:\"MS11-021\");\n script_xref(name:\"IAVA\", value:\"2011-A-0045-S\");\n script_xref(name:\"MSFT\", value:\"MS11-022\");\n script_xref(name:\"MSFT\", value:\"MS11-023\");\n script_xref(name:\"MSKB\", value:\"2489279\");\n script_xref(name:\"MSKB\", value:\"2489283\");\n script_xref(name:\"MSKB\", value:\"2489293\");\n script_xref(name:\"MSKB\", value:\"2505924\");\n script_xref(name:\"MSKB\", value:\"2505927\");\n script_xref(name:\"MSKB\", value:\"2505935\");\n script_xref(name:\"MSKB\", value:\"2525412\");\n\n script_name(english:\"MS11-021 / MS11-022 / MS11-023: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2489279 / 2489283 / 2489293) (Mac OS X)\");\n script_summary(english:\"Check version of Microsoft Office\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application installed on the remote Mac OS X host is affected by\nmultiple remote code execution vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Mac OS X host is running a 
version of Microsoft Office that\nis affected by several vulnerabilities.\n\nIf an attacker can trick a user on the affected host into opening a\nspecially crafted Office file, these issues could be leveraged to\nexecute arbitrary code subject to the user's privileges.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://technet.microsoft.com/en-us/security/bulletin/ms11-021\");\n script_set_attribute(attribute:\"see_also\", value:\"http://technet.microsoft.com/en-us/security/bulletin/ms11-022\");\n script_set_attribute(attribute:\"see_also\", value:\"http://technet.microsoft.com/en-us/security/bulletin/ms11-023\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Office for Mac 2011,\nOffice 2008 for Mac, Office 2004 for Mac, and Open XML File Format\nConverter for Mac.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'White_Phosphorus');\n script_set_attribute(attribute:\"metasploit_name\", value:'MS11-021 Microsoft Office 2007 Excel .xlb Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/02/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/04/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/04/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office:2004::mac\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office:2008::mac\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office:2011::mac\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:open_xml_file_format_converter:::mac\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2011-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/MacOSX/packages\", \"Host/uname\");\n\n exit(0);\n}\n\n\ninclude(\"misc_func.inc\");\ninclude(\"ssh_func.inc\");\ninclude(\"macosx_func.inc\");\n\n\n\nif(sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS)\n enable_ssh_wrappers();\nelse disable_ssh_wrappers();\n\nfunction exec(cmd)\n{\n local_var buf, ret;\n\n if (islocalhost())\n buf = pread(cmd:\"/bin/bash\", argv:make_list(\"bash\", \"-c\", cmd));\n else\n {\n ret = ssh_open_connection();\n if (!ret) exit(1, \"ssh_open_connection() failed.\");\n buf = ssh_cmd(cmd:cmd);\n ssh_close_connection();\n }\n return buf;\n}\n\n\npackages = get_kb_item(\"Host/MacOSX/packages\");\nif (!packages) exit(1, \"The 'Host/MacOSX/packages' KB item is missing.\");\n\nuname = get_kb_item(\"Host/uname\");\nif (!uname) exit(1, \"The 'Host/uname' KB item is missing.\");\nif (!egrep(pattern:\"Darwin.*\", string:uname)) exit(1, \"The host does not appear to be using the Darwin sub-system.\");\n\n\n# Gather version info.\ninfo = '';\ninstalls = make_array();\n\nprod = 'Office for Mac 2011';\nplist = \"/Applications/Microsoft Office 2011/Office/MicrosoftComponentPlugin.framework/Versions/14/Resources/Info.plist\";\ncmd = 'cat \\'' + plist + '\\' | ' +\n 'grep -A 1 
CFBundleShortVersionString | ' +\n 'tail -n 1 | ' +\n 'sed \\'s/.*string>\\\\(.*\\\\)<\\\\/string>.*/\\\\1/g\\'';\nversion = exec(cmd:cmd);\nif (version && version =~ \"^[0-9]+\\.\")\n{\n version = chomp(version);\n if (version !~ \"^14\\.\") exit(1, \"Failed to get the version for \"+prod+\" - '\"+version+\"'.\");\n\n installs[prod] = version;\n\n ver = split(version, sep:'.', keep:FALSE);\n for (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\n\n fixed_version = '14.1.0';\n fix = split(fixed_version, sep:'.', keep:FALSE);\n for (i=0; i<max_index(fix); i++)\n fix[i] = int(fix[i]);\n\n for (i=0; i<max_index(fix); i++)\n if ((ver[i] < fix[i]))\n {\n info +=\n '\\n Product : ' + prod +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed_version + '\\n';\n break;\n }\n else if (ver[i] > fix[i])\n break;\n}\n\nprod = 'Office 2008 for Mac';\nplist = \"/Applications/Microsoft Office 2008/Office/MicrosoftComponentPlugin.framework/Versions/12/Resources/Info.plist\";\ncmd = 'cat \\'' + plist + '\\' | ' +\n 'grep -A 1 CFBundleShortVersionString | ' +\n 'tail -n 1 | ' +\n 'sed \\'s/.*string>\\\\(.*\\\\)<\\\\/string>.*/\\\\1/g\\'';\nversion = exec(cmd:cmd);\nif (version && version =~ \"^[0-9]+\\.\")\n{\n version = chomp(version);\n if (version !~ \"^12\\.\") exit(1, \"Failed to get the version for \"+prod+\" - '\"+version+\"'.\");\n\n installs[prod] = version;\n\n ver = split(version, sep:'.', keep:FALSE);\n for (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\n\n fixed_version = '12.2.9';\n fix = split(fixed_version, sep:'.', keep:FALSE);\n for (i=0; i<max_index(fix); i++)\n fix[i] = int(fix[i]);\n\n for (i=0; i<max_index(fix); i++)\n if ((ver[i] < fix[i]))\n {\n info +=\n '\\n Product : ' + prod +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed_version + '\\n';\n break;\n }\n else if (ver[i] > fix[i])\n break;\n}\n\nprod = 'Office 2004 for Mac';\ncmd = GetCarbonVersionCmd(file:\"Microsoft Component Plugin\", 
path:\"/Applications/Microsoft Office 2004/Office\");\nversion = exec(cmd:cmd);\nif (version && version =~ \"^[0-9]+\\.\")\n{\n version = chomp(version);\n if (version !~ \"^11\\.\") exit(1, \"Failed to get the version for \"+prod+\" - '\"+version+\"'.\");\n\n installs[prod] = version;\n\n ver = split(version, sep:'.', keep:FALSE);\n for (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\n\n fixed_version = '11.6.3';\n fix = split(fixed_version, sep:'.', keep:FALSE);\n for (i=0; i<max_index(fix); i++)\n fix[i] = int(fix[i]);\n\n for (i=0; i<max_index(fix); i++)\n if ((ver[i] < fix[i]))\n {\n info +=\n '\\n Product : ' + prod +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed_version + '\\n';\n break;\n }\n else if (ver[i] > fix[i])\n break;\n}\n\nprod = 'Open XML File Format Converter for Mac';\nplist = \"/Applications/Open XML Converter.app/Contents/Info.plist\";\ncmd = 'cat \\'' + plist + '\\' | ' +\n 'grep -A 1 CFBundleShortVersionString | ' +\n 'tail -n 1 | ' +\n 'sed \\'s/.*string>\\\\(.*\\\\)<\\\\/string>.*/\\\\1/g\\'';\nversion = exec(cmd:cmd);\nif (version && version =~ \"^[0-9]+\\.\")\n{\n version = chomp(version);\n installs[prod] = version;\n\n ver = split(version, sep:'.', keep:FALSE);\n for (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\n\n fixed_version = '1.1.9';\n fix = split(fixed_version, sep:'.', keep:FALSE);\n for (i=0; i<max_index(fix); i++)\n fix[i] = int(fix[i]);\n\n for (i=0; i<max_index(fix); i++)\n if ((ver[i] < fix[i]))\n {\n info +=\n '\\n Product : ' + prod +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed_version + '\\n';\n break;\n }\n else if (ver[i] > fix[i])\n break;\n}\n\n\n# Report findings.\nif (info)\n{\n gs_opt = get_kb_item(\"global_settings/report_verbosity\");\n if (gs_opt && gs_opt != 'Quiet') security_hole(port:0, extra:info);\n else security_hole(0);\n\n exit(0);\n}\nelse\n{\n if (max_index(keys(installs)) == 0) exit(0, \"Office for Mac / Open XML File Format 
Converter is not installed.\");\n else\n {\n msg = 'The host has ';\n foreach prod (sort(keys(installs)))\n msg += prod + ' ' + installs[prod] + ' and ';\n msg = substr(msg, 0, strlen(msg)-1-strlen(' and '));\n\n msg += ' installed and thus is not affected.';\n\n exit(0, msg);\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "zdi": [{"lastseen": "2020-06-22T11:40:56", "bulletinFamily": "info", "cvelist": ["CVE-2011-0976"], "edition": 3, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Office PowerPoint 2007. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists in the way the application parses external objects within an Office Art container. When parsing this object, the application will append an uninitialized object to a list. When destroying this object during document close (WM_DESTROY), the application will access a method that doesn't exist. This can lead to code execution under the context of the application.", "modified": "2011-06-22T00:00:00", "published": "2011-02-07T00:00:00", "href": "https://www.zerodayinitiative.com/advisories/ZDI-11-044/", "id": "ZDI-11-044", "title": "(0Day) Microsoft PowerPoint 2007 OfficeArt Atom Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-22T11:41:08", "bulletinFamily": "info", "cvelist": ["CVE-2011-0656"], "edition": 3, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Office PowerPoint. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. 
The specific flaw exists within how the application handles an exception within the PersistDirectoryEntry records when loading a presentation. When an entry points to a container containing a Slide with a malformed record, the application will raise an exception during the loading of the record. Afterward, the application calls a method on this malformed object, which can lead to code execution under the context of the application.", "modified": "2011-06-22T00:00:00", "published": "2011-04-12T00:00:00", "href": "https://www.zerodayinitiative.com/advisories/ZDI-11-125/", "id": "ZDI-11-125", "title": "Microsoft Office PowerPoint PersistDirectoryEntry Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-22T11:42:08", "bulletinFamily": "info", "cvelist": ["CVE-2011-0655"], "edition": 3, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Office PowerPoint. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the ppcore.dll module responsible for parsing PowerPoint (ppt) files. When parsing a malformed TimeCommandBehaviorContainer structure the process raises an exception that causes an object in memory to be freed prior to being fully parsed. Due to the lack of a check that this object has been freed, a later function references an invalid pointer element. 
This can be leveraged by a remote attacker to execute arbitrary code under the context of the user running PowerPoint.", "modified": "2011-06-22T00:00:00", "published": "2011-04-12T00:00:00", "href": "https://www.zerodayinitiative.com/advisories/ZDI-11-123/", "id": "ZDI-11-123", "title": "Microsoft PowerPoint TimeCommandBehaviorContainer Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-22T11:40:34", "bulletinFamily": "info", "cvelist": ["CVE-2011-0655"], "edition": 3, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Office PowerPoint. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within how the application parses a record associated with animation. If a container holds a specific record type, the application explicitly trusts a length given in this record when calculating the destination pointer to which floating-point numbers are copied. 
This can be used to write outside of an allocated buffer and will lead to code execution under the context of the application.", "modified": "2011-06-22T00:00:00", "published": "2011-04-12T00:00:00", "href": "https://www.zerodayinitiative.com/advisories/ZDI-11-124/", "id": "ZDI-11-124", "title": "Microsoft PowerPoint TimeColorBehaviorContainer Floating Point Record Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-11-19T18:05:12", "description": "BUGTRAQ ID: 47251\r\nCVE ID: CVE-2011-0656\r\n\r\nMicrosoft PowerPoint\uff0c\u7b80\u79f0PowerPoint\uff0c\u662f\u4e00\u4e2a\u7531Microsoft\u516c\u53f8\u5f00\u53d1\u7684\u6f14\u793a\u6587\u7a3f\u7a0b\u5e8f\uff0c\u662fMicrosoft Office\u7cfb\u7edf\u4e2d\u7684\u5176\u4e2d\u4e00\u4e2a\u7ec4\u4ef6\u3002\r\n\r\nMicrosoft Excel\u5728\u5b9e\u73b0\u4e0a\u5b58\u5728\u65e0\u6548"PersistDirectoryEntry"\u8bb0\u5f55\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u4ee5\u5f53\u524d\u7528\u6237\u6743\u9650\u6267\u884c\u4efb\u610f\u4ee3\u7801\uff0c\u9020\u6210\u62d2\u7edd\u670d\u52a1\u3002\r\n\r\n\u653b\u51fb\u8005\u901a\u8fc7\u521b\u5efa\u53ef\u4f5c\u4e3a\u7535\u5b50\u90ae\u4ef6\u9644\u4ef6\u5305\u542b\u5176\u4e2d\u6216\u5728\u7279\u5236\u7684\u53d7\u63a7\u7684\u7f51\u7ad9\u5b58\u50a8\u7684\u7279\u5236PP\u6587\u4ef6\u5229\u7528\u6b64\u6f0f\u6d1e\u3002\n\nMicrosoft Office\r\nMicrosoft PowerPoint\n\u4e34\u65f6\u89e3\u51b3\u65b9\u6cd5\uff1a\r\n\r\n* \u8bbe\u7f6e\u201cOffice\u6587\u4ef6\u9a8c\u8bc1\u201d\u4ee5\u5728PowerPoint 2010\u4e2d\u7981\u7528\u5728\u4fdd\u62a4\u89c6\u56fe\u4e2d\u7f16\u8f91\r\n\r\n* \u4f7f\u7528\u201cMicrosoft Office\u6587\u4ef6\u963b\u6b62\u201d\u7b56\u7565\u7981\u6b62\u5728Excel\u4e2d\u6253\u5f00\u6765\u81ea\u4e0d\u53ef\u4fe1\u4efb\u6765\u6e90\u548c\u4f4d\u7f6e\u7684Office 2003\u548c\u65e9\u671f\u7248\u672c\u7684\u6587\u4ef6\u3002\r\n \r\n* 
\u5728\u6253\u5f00\u672a\u77e5\u6216\u53ef\u7591\u6e90\u7684\u6587\u4ef6\u65f6\u4f7f\u7528MOICE\r\n\r\n* \u4e0d\u8981\u6253\u5f00\u6765\u81ea\u53ef\u7591\u6e90\u7684PP\u6587\u4ef6\r\n\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nMicrosoft\r\n---------\r\nMicrosoft\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08MS11-022\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\n\r\nMS11-022\uff1aVulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution\r\n\r\n\u94fe\u63a5\uff1ahttp://www.microsoft.com/technet/security/bulletin/MS11-022.asp", "published": "2011-04-15T00:00:00", "title": "Microsoft PowerPoint\u65e0\u6548"PersistDirectoryEntry"\u8bb0\u5f55\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e(MS11-022)", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-0656"], "modified": "2011-04-15T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-20490", "id": "SSV:20490", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": ""}, {"lastseen": "2017-11-19T18:05:01", "description": "BUGTRAQ ID: 47252\r\nCVE ID: CVE-2011-0655\r\n\r\nMicrosoft PowerPoint\uff0c\u7b80\u79f0PowerPoint\uff0c\u662f\u4e00\u4e2a\u7531Microsoft\u516c\u53f8\u5f00\u53d1\u7684\u6f14\u793a\u6587\u7a3f\u7a0b\u5e8f\uff0c\u662fMicrosoft Office\u7cfb\u7edf\u4e2d\u7684\u5176\u4e2d\u4e00\u4e2a\u7ec4\u4ef6\u3002\r\n\r\nMicrosoft Excel\u5728\u5b9e\u73b0\u4e0a\u5b58\u5728\u65e0\u6548"TimeColorBehaviorContainer"\u8bb0\u5f55\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u4ee5\u5f53\u524d\u7528\u6237\u6743\u9650\u6267\u884c\u4efb\u610f\u4ee3\u7801\uff0c\u9020\u6210\u62d2\u7edd\u670d\u52a1\u3002\r\n\r\nMicrosoft 
PowerPoint\u5904\u7406\u7279\u5236PowerPoint\u6587\u4ef6\u7684\u65b9\u5f0f\u4e2d\u5b58\u5728\u4e00\u4e2a\u8fdc\u7a0b\u6267\u884c\u4ee3\u7801\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u901a\u8fc7\u521b\u5efa\u53ef\u4f5c\u4e3a\u7535\u5b50\u90ae\u4ef6\u9644\u4ef6\u5305\u542b\u5176\u4e2d\u6216\u5728\u7279\u5236\u7684\u53d7\u63a7\u7684\u7f51\u7ad9\u5b58\u50a8\u7684\u7279\u5236PP\u6587\u4ef6\u5229\u7528\u6b64\u6f0f\u6d1e\u3002\n\nMicrosoft Office\r\nMicrosoft PowerPoint\n\u4e34\u65f6\u89e3\u51b3\u65b9\u6cd5\uff1a\r\n\r\n* \u8bbe\u7f6e\u201cOffice\u6587\u4ef6\u9a8c\u8bc1\u201d\u4ee5\u5728PowerPoint 2010\u4e2d\u7981\u7528\u5728\u4fdd\u62a4\u89c6\u56fe\u4e2d\u7f16\u8f91\r\n\r\n* \u4f7f\u7528\u201cMicrosoft Office\u6587\u4ef6\u963b\u6b62\u201d\u7b56\u7565\u7981\u6b62\u5728Excel\u4e2d\u6253\u5f00\u6765\u81ea\u4e0d\u53ef\u4fe1\u4efb\u6765\u6e90\u548c\u4f4d\u7f6e\u7684Office 2003\u548c\u65e9\u671f\u7248\u672c\u7684\u6587\u4ef6\u3002\r\n \r\n* \u5728\u6253\u5f00\u672a\u77e5\u6216\u53ef\u7591\u6e90\u7684\u6587\u4ef6\u65f6\u4f7f\u7528MOICE\r\n\r\n* \u4e0d\u8981\u6253\u5f00\u6765\u81ea\u53ef\u7591\u6e90\u7684PP\u6587\u4ef6\r\n\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nMicrosoft\r\n---------\r\nMicrosoft\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08MS11-022\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\n\r\nMS11-022\uff1aVulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution\r\n\r\n\u94fe\u63a5\uff1ahttp://www.microsoft.com/technet/security/bulletin/MS11-022.asp", "published": "2011-04-15T00:00:00", "title": "Microsoft PowerPoint\u65e0\u6548"TimeColorBehaviorContainer"\u8bb0\u5f55\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e(MS11-022)", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-0655"], "modified": "2011-04-15T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-20488", "id": "SSV:20488", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, 
"sourceHref": ""}], "securityvulns": [{"lastseen": "2018-08-31T11:10:39", "bulletinFamily": "software", "cvelist": ["CVE-2011-0656"], "description": "ZDI-11-125: Microsoft Office PowerPoint PersistDirectoryEntry Remote Code Execution\r\nVulnerability\r\n\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-11-125\r\n\r\nApril 12, 2011\r\n\r\n-- CVE ID:\r\nCVE-2011-0656\r\n\r\n-- CVSS:\r\n9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)\r\n\r\n-- Affected Vendors:\r\nMicrosoft\r\n\r\n-- Affected Products:\r\nMicrosoft Office PowerPoint\r\n\r\n-- TippingPoint(TM) IPS Customer Protection:\r\nTippingPoint IPS customers have been protected against this\r\nvulnerability by Digital Vaccine protection filter ID 10885. \r\nFor further product information on the TippingPoint IPS, visit:\r\n\r\n http://www.tippingpoint.com\r\n\r\n-- Vulnerability Details:\r\nThis vulnerability allows remote attackers to execute arbitrary code on\r\nvulnerable installations of Microsoft Office PowerPoint. User\r\ninteraction is required to exploit this vulnerability in that the target\r\nmust visit a malicious page or open a malicious file.\r\n\r\nThe specific flaw exists within how the application handles an exception\r\nwithin the PersistDirectoryEntry records when loading a presentation.\r\nWhen an entry points to a container containing a Slide with a malformed\r\nrecord, the application will raise an exception during the loading of\r\nthe record. Afterward the application will use a method off of this\r\nmalformed object which can lead to code execution under the context of\r\nthe application.\r\n\r\n-- Vendor Response:\r\nMicrosoft has issued an update to correct this vulnerability. 
More\r\ndetails can be found at:\r\n\r\nhttp://www.microsoft.com/technet/security/Bulletin/MS11-022.mspx\r\n\r\n-- Disclosure Timeline:\r\n2010-09-14 - Vulnerability reported to vendor\r\n2011-04-12 - Coordinated public release of advisory\r\n\r\n-- Credit:\r\nThis vulnerability was discovered by:\r\n * Anonymous\r\n\r\n-- About the Zero Day Initiative (ZDI):\r\nEstablished by TippingPoint, The Zero Day Initiative (ZDI) represents \r\na best-of-breed model for rewarding security researchers for responsibly\r\ndisclosing discovered vulnerabilities.\r\n\r\nResearchers interested in getting paid for their security research\r\nthrough the ZDI can find more information and sign-up at:\r\n\r\n http://www.zerodayinitiative.com\r\n\r\nThe ZDI is unique in how the acquired vulnerability information is\r\nused. TippingPoint does not re-sell the vulnerability details or any\r\nexploit code. Instead, upon notifying the affected product vendor,\r\nTippingPoint provides its customers with zero day protection through\r\nits intrusion prevention technology. Explicit details regarding the\r\nspecifics of the vulnerability are not exposed to any parties until\r\nan official vendor patch is publicly available. 
Furthermore, with the\r\naltruistic aim of helping to secure a broader user base, TippingPoint\r\nprovides this vulnerability information confidentially to security\r\nvendors (including competitors) who have a vulnerability protection or\r\nmitigation product.\r\n\r\nOur vulnerability disclosure policy is available online at:\r\n\r\n http://www.zerodayinitiative.com/advisories/disclosure_policy/\r\n\r\nFollow the ZDI on Twitter:\r\n\r\n http://twitter.com/thezdi", "edition": 1, "modified": "2011-04-13T00:00:00", "published": "2011-04-13T00:00:00", "id": "SECURITYVULNS:DOC:26110", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:26110", "title": "ZDI-11-125: Microsoft Office PowerPoint PersistDirectoryEntry Remote Code Execution Vulnerability", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:39", "bulletinFamily": "software", "cvelist": ["CVE-2011-0655"], "description": "ZDI-11-123: Microsoft PowerPoint TimeCommandBehaviorContainer Remote Code Execution\r\nVulnerability\r\n\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-11-123\r\n\r\nApril 12, 2011\r\n\r\n-- CVE ID:\r\nCVE-2011-0655\r\n\r\n-- CVSS:\r\n9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)\r\n\r\n-- Affected Vendors:\r\nMicrosoft\r\n\r\n-- Affected Products:\r\nMicrosoft Office PowerPoint\r\n\r\n-- TippingPoint(TM) IPS Customer Protection:\r\nTippingPoint IPS customers have been protected against this\r\nvulnerability by Digital Vaccine protection filter ID 10822. \r\nFor further product information on the TippingPoint IPS, visit:\r\n\r\n http://www.tippingpoint.com\r\n\r\n-- Vulnerability Details:\r\nThis vulnerability allows remote attackers to execute arbitrary code on\r\nvulnerable installations of Microsoft Office PowerPoint. 
User\r\ninteraction is required to exploit this vulnerability in that the target\r\nmust visit a malicious page or open a malicious file.\r\n\r\nThe specific flaw exists within the ppcore.dll module responsible for\r\nparsing PowerPoint (ppt) files. When parsing a malformed\r\nTimeCommandBehaviorContainer structure the process raises an exception\r\nthat causes an object in memory to be freed prior to being fully parsed.\r\nDue to the lack of a check that this object has been freed, a later\r\nfunction references an invalid pointer element. This can be leveraged by\r\na remote attacker to execute arbitrary code under the context of the\r\nuser running PowerPoint.\r\n\r\n-- Vendor Response:\r\nMicrosoft has issued an update to correct this vulnerability. More\r\ndetails can be found at:\r\n\r\nhttp://www.microsoft.com/technet/security/Bulletin/MS11-022.mspx\r\n\r\n-- Disclosure Timeline:\r\n2010-09-24 - Vulnerability reported to vendor\r\n2011-04-12 - Coordinated public release of advisory\r\n\r\n-- Credit:\r\nThis vulnerability was discovered by:\r\n * Anonymous\r\n\r\n-- About the Zero Day Initiative (ZDI):\r\nEstablished by TippingPoint, The Zero Day Initiative (ZDI) represents \r\na best-of-breed model for rewarding security researchers for responsibly\r\ndisclosing discovered vulnerabilities.\r\n\r\nResearchers interested in getting paid for their security research\r\nthrough the ZDI can find more information and sign-up at:\r\n\r\n http://www.zerodayinitiative.com\r\n\r\nThe ZDI is unique in how the acquired vulnerability information is\r\nused. TippingPoint does not re-sell the vulnerability details or any\r\nexploit code. Instead, upon notifying the affected product vendor,\r\nTippingPoint provides its customers with zero day protection through\r\nits intrusion prevention technology. Explicit details regarding the\r\nspecifics of the vulnerability are not exposed to any parties until\r\nan official vendor patch is publicly available. 
Furthermore, with the\r\naltruistic aim of helping to secure a broader user base, TippingPoint\r\nprovides this vulnerability information confidentially to security\r\nvendors (including competitors) who have a vulnerability protection or\r\nmitigation product.\r\n\r\nOur vulnerability disclosure policy is available online at:\r\n\r\n http://www.zerodayinitiative.com/advisories/disclosure_policy/\r\n\r\nFollow the ZDI on Twitter:\r\n\r\n http://twitter.com/thezdi", "edition": 1, "modified": "2011-04-13T00:00:00", "published": "2011-04-13T00:00:00", "id": "SECURITYVULNS:DOC:26113", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:26113", "title": "ZDI-11-123: Microsoft PowerPoint TimeCommandBehaviorContainer Remote Code Execution Vulnerability", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:39", "bulletinFamily": "software", "cvelist": ["CVE-2011-0655"], "description": "ZDI-11-124: Microsoft PowerPoint TimeColorBehaviorContainer Floating Point Record\r\nRemote Code Execution Vulnerability\r\n\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-11-124\r\n\r\nApril 12, 2011\r\n\r\n-- CVE ID:\r\nCVE-2011-0655\r\n\r\n-- CVSS:\r\n9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)\r\n\r\n-- Affected Vendors:\r\nMicrosoft\r\n\r\n-- Affected Products:\r\nMicrosoft Office PowerPoint\r\n\r\n-- TippingPoint(TM) IPS Customer Protection:\r\nTippingPoint IPS customers have been protected against this\r\nvulnerability by Digital Vaccine protection filter ID 10873. \r\nFor further product information on the TippingPoint IPS, visit:\r\n\r\n http://www.tippingpoint.com\r\n\r\n-- Vulnerability Details:\r\nThis vulnerability allows remote attackers to execute arbitrary code on\r\nvulnerable installations of Microsoft Office PowerPoint. 
User\r\ninteraction is required to exploit this vulnerability in that the target\r\nmust visit a malicious page or open a malicious file.\r\n\r\nThe specific flaw exists within how the application parses a record\r\nassociated with animation. If a container holds a specific record type,\r\nthe application will explicitly trust a length used in this record to\r\ncalculate a pointer for copying floating point numbers to. This can be\r\nused to write outside of an allocated buffer and will lead to code\r\nexecution under the context of the application.\r\n\r\n-- Vendor Response:\r\nMicrosoft has issued an update to correct this vulnerability. More\r\ndetails can be found at:\r\n\r\nhttp://www.microsoft.com/technet/security/Bulletin/MS11-022.mspx\r\n-- Disclosure Timeline:\r\n2010-09-14 - Vulnerability reported to vendor\r\n2011-04-12 - Coordinated public release of advisory\r\n\r\n-- Credit:\r\nThis vulnerability was discovered by:\r\n * Anonymous\r\n\r\n-- About the Zero Day Initiative (ZDI):\r\nEstablished by TippingPoint, The Zero Day Initiative (ZDI) represents \r\na best-of-breed model for rewarding security researchers for responsibly\r\ndisclosing discovered vulnerabilities.\r\n\r\nResearchers interested in getting paid for their security research\r\nthrough the ZDI can find more information and sign-up at:\r\n\r\n http://www.zerodayinitiative.com\r\n\r\nThe ZDI is unique in how the acquired vulnerability information is\r\nused. TippingPoint does not re-sell the vulnerability details or any\r\nexploit code. Instead, upon notifying the affected product vendor,\r\nTippingPoint provides its customers with zero day protection through\r\nits intrusion prevention technology. Explicit details regarding the\r\nspecifics of the vulnerability are not exposed to any parties until\r\nan official vendor patch is publicly available. 
Furthermore, with the\r\naltruistic aim of helping to secure a broader user base, TippingPoint\r\nprovides this vulnerability information confidentially to security\r\nvendors (including competitors) who have a vulnerability protection or\r\nmitigation product.\r\n\r\nOur vulnerability disclosure policy is available online at:\r\n\r\n http://www.zerodayinitiative.com/advisories/disclosure_policy/\r\n\r\nFollow the ZDI on Twitter:\r\n\r\n http://twitter.com/thezdi", "edition": 1, "modified": "2011-04-13T00:00:00", "published": "2011-04-13T00:00:00", "id": "SECURITYVULNS:DOC:26112", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:26112", "title": "ZDI-11-124: Microsoft PowerPoint TimeColorBehaviorContainer Floating Point Record Remote Code Execution Vulnerability", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:41", "bulletinFamily": "software", "cvelist": ["CVE-2011-0097", "CVE-2011-0979", "CVE-2011-0105", "CVE-2011-0976", "CVE-2011-0098", "CVE-2011-0978", "CVE-2011-0103", "CVE-2011-0655", "CVE-2011-0656", "CVE-2011-0107", "CVE-2011-0101", "CVE-2011-0104", "CVE-2011-0977", "CVE-2011-0980"], "description": "Multiple memory corruptions in Excel and PowerPoint, unsafe DLL loading, memory corruption in Office Graphic.", "edition": 1, "modified": "2011-04-17T00:00:00", "published": "2011-04-17T00:00:00", "id": "SECURITYVULNS:VULN:11580", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:11580", "title": "Microsoft Office multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "saint": [{"lastseen": "2016-10-03T15:01:55", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-0655"], "description": "Added: 01/12/2012 \nCVE: [CVE-2011-0655](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0655>) \nBID: 
[47252](<http://www.securityfocus.com/bid/47252>) \nOSVDB: [71771](<http://www.osvdb.org/71771>) \n\n\n### Background\n\n[Microsoft PowerPoint](<http://office.microsoft.com/en-us/FX010857971033.aspx>) is presentation software included in the [Microsoft Office](<http://office.microsoft.com>) desktop suite. \n\n### Problem\n\nThe vulnerability is caused when PowerPoint reads an invalid record in a specially crafted PowerPoint file. A remote attacker could exploit this flaw by convincing a victim to open a specially crafted PowerPoint file which contains a malformed `**ExtTimeNodeContainer**` record. Successful exploitation of this issue may allow execution of arbitrary code in the context of the affected user. \n\n### Resolution\n\nApply the patch provided in [Microsoft Security Bulletin MS11-022](<http://technet.microsoft.com/en-us/security/bulletin/ms11-022>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-11-123/> \n\n\n### Limitations\n\nExploit works on Microsoft PowerPoint 2007 SP2. The target user must open the exploit file in PowerPoint. \n\nThis exploit uses the Perl CPAN modules IO::Uncompress and Compress::Zlib to compress the data transferred to the target. 
\n\n### Platforms\n\nWindows \n \n\n", "edition": 1, "modified": "2012-01-12T00:00:00", "published": "2012-01-12T00:00:00", "id": "SAINT:09BB4936C60432BDECFB24590F9F2B73", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/powerpoint_exttimenodecontainer", "type": "saint", "title": "Microsoft PowerPoint Floating Point Techno-color Time Bandit vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-06-04T23:19:40", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-0655"], "description": "Added: 01/12/2012 \nCVE: [CVE-2011-0655](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0655>) \nBID: [47252](<http://www.securityfocus.com/bid/47252>) \nOSVDB: [71771](<http://www.osvdb.org/71771>) \n\n\n### Background\n\n[Microsoft PowerPoint](<http://office.microsoft.com/en-us/FX010857971033.aspx>) is presentation software included in the [Microsoft Office](<http://office.microsoft.com>) desktop suite. \n\n### Problem\n\nThe vulnerability is caused when PowerPoint reads an invalid record in a specially crafted PowerPoint file. A remote attacker could exploit this flaw by convincing a victim to open a specially crafted PowerPoint file which contains a malformed `**ExtTimeNodeContainer**` record. Successful exploitation of this issue may allow execution of arbitrary code in the context of the affected user. \n\n### Resolution\n\nApply the patch provided in [Microsoft Security Bulletin MS11-022](<http://technet.microsoft.com/en-us/security/bulletin/ms11-022>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-11-123/> \n\n\n### Limitations\n\nExploit works on Microsoft PowerPoint 2007 SP2. The target user must open the exploit file in PowerPoint. \n\nThis exploit uses the Perl CPAN modules IO::Uncompress and Compress::Zlib to compress the data transferred to the target. 
\n\n### Platforms\n\nWindows \n \n\n", "edition": 4, "modified": "2012-01-12T00:00:00", "published": "2012-01-12T00:00:00", "id": "SAINT:8DC65ED5190A1A2AAE0D44CCF8A8EB83", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/powerpoint_exttimenodecontainer", "title": "Microsoft PowerPoint Floating Point Techno-color Time Bandit vulnerability", "type": "saint", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T17:19:45", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-0655"], "edition": 2, "description": "Added: 01/12/2012 \nCVE: [CVE-2011-0655](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0655>) \nBID: [47252](<http://www.securityfocus.com/bid/47252>) \nOSVDB: [71771](<http://www.osvdb.org/71771>) \n\n\n### Background\n\n[Microsoft PowerPoint](<http://office.microsoft.com/en-us/FX010857971033.aspx>) is presentation software included in the [Microsoft Office](<http://office.microsoft.com>) desktop suite. \n\n### Problem\n\nThe vulnerability is caused when PowerPoint reads an invalid record in a specially crafted PowerPoint file. A remote attacker could exploit this flaw by convincing a victim to open a specially crafted PowerPoint file which contains a malformed `**ExtTimeNodeContainer**` record. Successful exploitation of this issue may allow execution of arbitrary code in the context of the affected user. \n\n### Resolution\n\nApply the patch provided in [Microsoft Security Bulletin MS11-022](<http://technet.microsoft.com/en-us/security/bulletin/ms11-022>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-11-123/> \n\n\n### Limitations\n\nExploit works on Microsoft PowerPoint 2007 SP2. The target user must open the exploit file in PowerPoint. \n\nThis exploit uses the Perl CPAN modules IO::Uncompress and Compress::Zlib to compress the data transferred to the target. 
\n\n### Platforms\n\nWindows \n \n\n", "modified": "2012-01-12T00:00:00", "published": "2012-01-12T00:00:00", "id": "SAINT:037061F684C7241ABD70789C2F1DF809", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/powerpoint_exttimenodecontainer", "type": "saint", "title": "Microsoft PowerPoint Floating Point Techno-color Time Bandit vulnerability", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}