| Reporter | Title | Published | Views | Family All 63 |
|---|---|---|---|---|
| CVE-2009-1136 | 16 Jul 200900:00 | – | circl | |
| CVE-2009-1534 | 30 Apr 201000:00 | – | circl | |
| Microsoft Office Web Components Multiple Buffer Overflows (MS08-017; CVE-2006-4695; CVE-2007-1201; CVE-2009-0562; CVE-2009-1136; CVE-2009-1534; CVE-2009-2493; CVE-2009-2496) | 11 Mar 200800:00 | – | checkpoint_advisories | |
| Update Protection against Microsoft Office Web Components Multiple ActiveX Controls Remote Code Execution Vulnerability (MS09-043) | 13 Jul 200900:00 | – | checkpoint_advisories | |
| Microsoft Office Web Components Arbitrary Code Execution (CVE-2009-1136) | 4 Oct 201100:00 | – | checkpoint_advisories | |
| CVE-2009-0562 | 12 Aug 200917:00 | – | cve | |
| CVE-2009-1136 | 15 Jul 200915:00 | – | cve | |
| CVE-2009-1534 | 12 Aug 200917:00 | – | cve | |
| CVE-2009-2496 | 12 Aug 200917:00 | – | cve | |
| CVE-2009-0562 | 12 Aug 200917:00 | – | cvelist |
###############################################################################
# OpenVAS Vulnerability Test
# $Id: gb_ms_office_web_compnts_actvx_code_exec_vuln.nasl 6235 2017-05-29 13:45:48Z cfi $
#
# Microsoft Office Web Components ActiveX Control Code Execution Vulnerability
#
# Authors:
# Sharath S <[email protected]>
#
# Copyright:
# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net
#
# Update to MS09-043 Bulletin (957638)
# - By Sharath S <[email protected]> On 2009-08-13
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
# Report texts for this check. Each string below is handed to script_tag() in
# the description block and is shown verbatim in scan results, so the wording
# and line breaks inside the literals are part of the output.

# Remediation: the vendor update is the fix. The kill-bit entries for the three
# CLSIDs are listed as a workaround only; the ISA Server branch of this script
# tests those same three CLSIDs.
tag_solution = "Run Windows Update and update the listed hotfixes or download and
update mentioned hotfixes in the advisory from the below link.
http://www.microsoft.com/technet/security/bulletin/ms09-043.mspx
Workaround:
Set the killbit for the CLSID
{0002E541-0000-0000-C000-000000000046}
{0002E559-0000-0000-C000-000000000046}
{0002E55B-0000-0000-C000-000000000046}
http://support.microsoft.com/kb/240797";
# NOTE(review): the text frames the outcome as a Denial of Service, while the
# description block declares cvss_base_vector AV:N/AC:M/Au:N/C:C/I:C/A:C.
# Prioritise findings as arbitrary code execution, not as availability-only.
tag_impact = "Successful exploitation will let the attacker execute arbitrary code which may
result in a Denial of Service condition on the affected system.
Impact Level: System/Application";
# Products named as affected. The code further down only inspects Office Web
# Components DLLs, ISA Server uninstall entries and the Visual Studio .NET
# MSOWC.DLL.
tag_affected = "Microsoft Office XP/2003 SP 3 and prior
Microsoft Visual Studio .NET 2003 SP 1 and prior
Microsoft Office XP/2003 Web Components SP 3 and prior
Microsoft ISA Server 2004 Standard/Enterprise Edition SP 3 and prior
Microsoft ISA Server 2006 Standard/Enterprise Edition SP 1 and prior
Microsoft Office 2003 Web Components for 2007 Microsoft Office system SP 1";
# Technical background: four separate flaws in the OWC ActiveX controls,
# matching the four CVE ids registered with script_cve_id().
tag_insight = "- Error exists in the OWC10.Spreadsheet ActiveX control that can be
exploited via specially crafted parameters passed to the
'msDataSourceObject()' method.
- Error occurs when loading and unloading the OWC10 ActiveX control.
- Error exists in the OWC10.Spreadsheet ActiveX control related to the
'BorderAround()' method via accessing certain methods in a specific order.
- A boundary error in the Office Web Components ActiveX control which can be
exploited to cause a buffer overflow.";
# One-line finding summary.
tag_summary = "This host is installed with Microsoft Office Web Components ActiveX Control
and is prone to code execution vulnerability.";
if(description)
{
  # Metadata-only pass: registers the plugin with the scanner and exits
  # before any host is touched.

  # Identity and revision bookkeeping.
  script_id(800845);
  script_version("$Revision: 6235 $");
  script_tag(name:"last_modification", value:"$Date: 2017-05-29 15:45:48 +0200 (Mon, 29 May 2017) $");
  script_tag(name:"creation_date", value:"2009-07-18 09:37:41 +0200 (Sat, 18 Jul 2009)");

  # Severity: CVSS v2 vector for a network-reachable flaw, medium access
  # complexity, no authentication, complete loss of C/I/A.
  script_tag(name:"cvss_base", value:"9.3");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:C/I:C/A:C");

  # Tracking identifiers and the finding title.
  script_cve_id("CVE-2009-1136", "CVE-2009-0562", "CVE-2009-2496", "CVE-2009-1534");
  script_bugtraq_id(35642, 35990, 35991, 35992);
  script_name("Microsoft Office Web Components ActiveX Control Code Execution Vulnerability");

  # Advisory references.
  script_xref(name:"URL", value:"http://secunia.com/advisories/35800/");
  script_xref(name:"URL", value:"http://support.microsoft.com/kb/957638");
  script_xref(name:"URL", value:"http://www.vupen.com/english/advisories/2009/1867");
  script_xref(name:"URL", value:"http://www.microsoft.com/technet/security/advisory/973472.mspx");
  script_xref(name:"URL", value:"http://www.microsoft.com/technet/security/bulletin/ms09-043.mspx");

  # Result quality: a vendor fix exists and detection is declared as
  # version based.
  # NOTE(review): the ISA Server branch decides on uninstall-entry names and
  # kill-bit state rather than a file version - confirm the qod_type still
  # fits those findings.
  script_tag(name:"solution_type", value:"VendorFix");
  script_tag(name:"qod_type", value:"executable_version");

  # Scheduling: information-gathering category, runs after registry
  # enumeration, needs a detected Windows version and an SMB port.
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2009 Greenbone Networks GmbH");
  script_family("Windows : Microsoft Bulletins");
  script_dependencies("secpod_reg_enum.nasl");
  script_mandatory_keys("SMB/WindowsVersion");
  script_require_ports(139, 445);

  # Report texts defined at the top of the script.
  script_tag(name:"impact", value:tag_impact);
  script_tag(name:"affected", value:tag_affected);
  script_tag(name:"insight", value:tag_insight);
  script_tag(name:"summary", value:tag_summary);
  script_tag(name:"solution", value:tag_solution);

  exit(0);
}
include("smb_nt.inc");
include("secpod_reg.inc");
include("version_func.inc");
include("secpod_activex.inc");
include("secpod_smb_func.inc");
# Returns the version reported by GetVer() for a file located below the
# target's Program Files directory, or NULL when the directory or the version
# cannot be read.
#
#   webpath - directory relative to ProgramFilesDir (leading backslash)
#   webfile - file name relative to webpath (leading backslash)
#
# The ProgramFilesDir registry value is split into a share name (drive letter
# followed by "$") and a path with the drive prefix removed; both are passed
# to GetVer().
# NOTE(review): both patterns expect an upper-case drive letter; a lower-case
# value in ProgramFilesDir would not be split as intended - confirm.
# NOTE(review): no local_var declaration, so webdllpath, share, file and
# webdllVer are left in global scope after the call.
function getWebCmpntsVer(webpath, webfile)
{
  webdllpath = registry_get_sz(item:"ProgramFilesDir",
                               key:"SOFTWARE\Microsoft\Windows\CurrentVersion");
  if(webdllpath == NULL)
    return NULL;

  # "C:\Program Files" becomes share "C$" ...
  share = ereg_replace(string:webdllpath, pattern:"([A-Z]):.*", replace:"\1$");

  # ... and the file path is everything after the drive prefix.
  file = ereg_replace(string:webdllpath + webpath + webfile,
                      pattern:"[A-Z]:(.*)", replace:"\1");

  # Ask for the file version.
  webdllVer = GetVer(file:file, share:share);
  if(webdllVer == NULL)
    return NULL;

  return webdllVer;
}
# MS09-043 hotfix gate: stop without reporting as soon as one of the listed
# hotfixes is found installed (hotfix_missing() == 0).
# NOTE(review): a single installed hotfix ends the whole script, including the
# checks for the other products below. If each KB belongs to a different
# product, a host patched for one component but not another produces no
# finding - verify the KB-to-product mapping against the bulletin.
foreach hotfixId (make_list("947320", "947319", "947318", "947826", "969172"))
{
  if(hotfix_missing(name:hotfixId) == 0)
    exit(0);
}
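# Office installation check.
#
# Every Office Web Components DLL that is present is tested against the fixed
# versions below. The OWC11.DLL lookup used to run only when OWC10.DLL could
# not be read, so a host with a patched OWC10.DLL and an unpatched OWC11.DLL
# was never reported.
if(registry_key_exists(key:"SOFTWARE\Microsoft\Office"))
{
  # Directory of the OWC DLLs, relative to ProgramFilesDir.
  dllPath = "\Common Files\Microsoft Shared\Web Components";

  # OWC10.DLL: Office XP Web Components for Office XP/2003
  # OWC11.DLL: Office 2003 Web Components for Office 2003/2007
  foreach owcFile (make_list("\10\OWC10.DLL", "\11\OWC11.DLL"))
  {
    dllVer = getWebCmpntsVer(webpath:dllPath, webfile:owcFile);
    if(dllVer != NULL)
    {
      # Office XP Web Components 10.0 < 10.0.6854.0 in Office XP/2003
      # Office 2003 Web Components 11.0 < 11.0.8304.0 in Office 2003
      # Office 2003 Web Components 12.0 < 12.0.6502.5000 for Office 2007
      if(version_in_range(version:dllVer, test_version:"10.0", test_version2:"10.0.6853.0") ||
         version_in_range(version:dllVer, test_version:"11.0", test_version2:"11.0.8303.0") ||
         version_in_range(version:dllVer, test_version:"12.0", test_version2:"12.0.6502.4999"))
      {
        # One vulnerable DLL is enough; report once and stop.
        security_message(0);
        exit(0);
      }
    }
  }
}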
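# ISA Server installation check.
#
# Walks the Uninstall registry entries and decides on the DisplayName:
#   - ISA Server 2006 SP1 / 2004 SP3: reported when the kill-bit is found
#     unset (is_killbit_set() == 0) for one of the three OWC CLSIDs.
#   - any other ISA Server 2004/2006 entry: reported directly.
# The script exits at the first matching entry.
# NOTE(review): the outcome therefore depends on which matching entry
# registry_enum_keys() returns first - confirm that a base-product entry
# cannot precede the service-pack entry on a patched host.
if(registry_key_exists(key:"SOFTWARE\Microsoft\Fpc"))
{
  # Uninstall entries carry the product display names.
  key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\";
  if(registry_key_exists(key:key))
  {
    foreach item (registry_enum_keys(key:key))
    {
      isaName = registry_get_sz(key:key + item, item:"DisplayName");
      if("Microsoft ISA Server 2006 Service Pack 1" >< isaName ||
         "Microsoft ISA Server 2004 Service Pack 3" >< isaName)
      {
        # Report once if any of the three controls lacks the kill-bit.
        if(is_killbit_set(clsid:"{0002E541-0000-0000-C000-000000000046}") == 0)
          security_message(0);
        else if(is_killbit_set(clsid:"{0002E559-0000-0000-C000-000000000046}") == 0)
          security_message(0);
        else if(is_killbit_set(clsid:"{0002E55B-0000-0000-C000-000000000046}") == 0)
          security_message(0);
        exit(0);
      }
      # Alternation needs a group. The former "[2004|2006]" was a character
      # class matching one character out of 2, 0, 4, | and 6, so any display
      # name continuing with one of those characters (for example a different
      # ISA Server release year) was reported as vulnerable.
      else if(isaName =~ "Microsoft ISA Server (2004|2006)")
      {
        security_message(0);
        exit(0);
      }
    }
  }
}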
# Visual Studio .NET 2003 SP1: detected through the VisualStudio\7.0 registry
# key; the decision is made on the version of MSOWC.DLL under
# "\Microsoft Office\Office10" below ProgramFilesDir.
if(registry_key_exists(key:"SOFTWARE\Microsoft\VisualStudio\7.0"))
{
  dllVer = getWebCmpntsVer(webfile:"\MSOWC.DLL",
                           webpath:"\Microsoft Office\Office10");
  if(dllVer != NULL)
  {
    # Vulnerable range: Msowc.dll 9.0 up to 9.0.0.8976, i.e. anything
    # below 9.0.0.8977.
    if(version_in_range(version:dllVer,
                        test_version:"9.0",
                        test_version2:"9.0.0.8976"))
    {
      security_message(0);
    }
  }
}