Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
openvasCopyright (c) 2010 Greenbone Networks GmbHOPENVAS:801461
HistoryOct 22, 2010 - 12:00 a.m.

Lhasa Untrusted search path vulnerability

2010-10-2200:00:00
Copyright (c) 2010 Greenbone Networks GmbH
plugins.openvas.org
4

0.0004 Low

EPSS

Percentile

9.8%

JSON

This host is installed with Lhasa and is prone to untrusted search
path vulnerability.

###############################################################################
# OpenVAS Vulnerability Test
# $Id: gb_lhasa_untrusted_search_path_vuln.nasl 5374 2017-02-20 16:36:11Z cfi $
#
# Lhasa Untrusted search path vulnerability
#
# Authors:
# Madhuri D <[email protected]>
#
# Copyright:
# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

tag_impact = "Successful exploitation will allow remote attackers to execute arbitrary code
  with the privilege of the running application.
  Impact Level: Application";
tag_affected = "Lhasa version 0.19 and prior";

tag_insight = "The flaw exists due to Lhasa, which loads certain executables (.exe) when
  extracting files.";
tag_solution = "Upgrade to the Lhasa version 0.20 0r later
  For updates refer to http://www.digitalpad.co.jp/~takechin/download.html#lhasa";
tag_summary = "This host is installed with Lhasa and is prone to untrusted search
  path vulnerability.";

if(description)
{
  script_id(801461);
  script_version("$Revision: 5374 $");
  script_tag(name:"last_modification", value:"$Date: 2017-02-20 17:36:11 +0100 (Mon, 20 Feb 2017) $");
  script_tag(name:"creation_date", value:"2010-10-22 15:51:55 +0200 (Fri, 22 Oct 2010)");
  script_cve_id("CVE-2010-2369");
  script_tag(name:"cvss_base", value:"6.9");
  script_tag(name:"cvss_base_vector", value:"AV:L/AC:M/Au:N/C:C/I:C/A:C");
  script_name("Lhasa Untrusted search path vulnerability");
  script_xref(name : "URL" , value : "http://jvn.jp/en/jp/JVN88850043/index.html");
  script_xref(name : "URL" , value : "http://jvndb.jvn.jp/ja/contents/2010/JVNDB-2010-000038.html");

  script_tag(name:"qod_type", value:"executable_version");
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (c) 2010 Greenbone Networks GmbH");
  script_family("General");
  script_dependencies("secpod_reg_enum.nasl");
  script_mandatory_keys("SMB/WindowsVersion");
  script_tag(name : "insight" , value : tag_insight);
  script_tag(name : "solution" , value : tag_solution);
  script_tag(name : "summary" , value : tag_summary);
  script_tag(name : "impact" , value : tag_impact);
  script_tag(name : "affected" , value : tag_affected);
  exit(0);
}


include("smb_nt.inc");
include("version_func.inc");
include("secpod_smb_func.inc");

if(!get_kb_item("SMB/WindowsVersion")){
  exit(0);
}

key = "SOFTWARE\Microsoft\Windows\CurrentVersion\";
if(!registry_key_exists(key:key)){
  exit(0);
}

## Get the path for Lhasa
lhPath = registry_get_sz(key:"SOFTWARE\Microsoft\Windows\CurrentVersion\",
                             item:"ProgramFilesDir");
if(lhPath != NULL)
{
  lhPath = lhPath + "\Lhasa\README.txt";
  share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:lhPath);
  file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1", string:lhPath);
  readmeText = read_file(share:share, file:file, count:1000);

  if(readmeText != NULL)
  {
    ## Confirm the application is Lhasa
    if ("LHASA" >< readmeText)
    {
      ## Get the .exe path
      lhPath = lhPath - "\README.txt" + "\Lhasa.exe";
      share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:lhPath);
      file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1", string:lhPath);
      lhVer = GetVer(file:file, share:share);

      if(lhVer != NULL)
      {
        ## Check for Lhasa version <= 0.19
        if(version_is_less_equal(version:lhVer, test_version:"0.19")){
          security_message(0);
        }
      }
    }
  }
}

Related

cve 1
jvn 1
nvd 1
prion 1
cvelist 1
openvas 1
cve
cve
CVE-2010-2369
2022-10-03 16:21:09
jvn
jvn
JVN#88850043: Lhasa may insecurely load executable files
2010-10-12 00:00:00
nvd
nvd
CVE-2010-2369
2010-10-18 17:00:03
prion
prion
Design/Logic Flaw
2010-10-18 17:00:00
cvelist
cvelist
CVE-2010-2369
2022-10-03 16:21:09
openvas
openvas
Lhasa Untrusted search path vulnerability
2010-10-22 00:00:00

0.0004 Low

EPSS

Percentile

9.8%

JSON
Related for OPENVAS:801461
cve1jvn1nvd1prion1cvelist1openvas1