This host is missing a critical security update according to
Microsoft Bulletin MS10-068.
###############################################################################
# OpenVAS Vulnerability Test
# $Id: secpod_ms10-068.nasl 5361 2017-02-20 11:57:13Z cfi $
#
# MS Local Security Authority Subsystem Service Privilege Elevation Vulnerability (983539)
#
# Authors:
# Antu Sanadi <[email protected]>
#
# Copyright:
# Copyright (c) 2010 SecPod, http://www.secpod.com
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
tag_impact = "Successful exploitation will allow the remote attacker who has previously
authenticated with the LSASS server to execute arbitrary code with SYSTEM
privileges.
Impact Level: System/Application.";
tag_affected = "Microsoft Windows 7
Microsoft Windows Vista Service Pack 2
Microsoft Windows XP Service Pack 3 and prior
Microsoft Windows Server 2003 Service Pack 2 and prior
Microsoft Windows Server 2008 Service Pack 2 and prior";
tag_insight = "The flaw is caused by a heap overflow error in the Local Security Authority
Subsystem Service (LSASS) when handling Lightweight Directory Access Protocol
(LDAP) messages in certain implementations of Active Directory, Active
Directory Application Mode (ADAM), and Active Directory Lightweight Directory
Service (AD LDS).";
tag_solution = "Run Windows Update and update the listed hotfixes or download and
update mentioned hotfixes in the advisory from the below link,
http://www.microsoft.com/technet/security/bulletin/ms10-068.mspx";
tag_summary = "This host is missing a critical security update according to
Microsoft Bulletin MS10-068.";
if(description)
{
script_id(902244);
script_version("$Revision: 5361 $");
script_tag(name:"last_modification", value:"$Date: 2017-02-20 12:57:13 +0100 (Mon, 20 Feb 2017) $");
script_tag(name:"creation_date", value:"2010-09-15 17:01:07 +0200 (Wed, 15 Sep 2010)");
script_tag(name:"cvss_base", value:"9.0");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:S/C:C/I:C/A:C");
script_cve_id("CVE-2010-0820");
script_name("MS Local Security Authority Subsystem Service Privilege Elevation Vulnerability (983539)");
script_xref(name : "URL" , value : "http://support.microsoft.com/kb/981550");
script_xref(name : "URL" , value : "http://support.microsoft.com/kb/982000");
script_xref(name : "URL" , value : "http://www.vupen.com/english/advisories/2010/2389");
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (C) 2010 SecPod");
script_family("Windows : Microsoft Bulletins");
script_dependencies("secpod_reg_enum.nasl");
script_require_ports(139, 445);
script_mandatory_keys("SMB/WindowsVersion");
script_tag(name : "impact" , value : tag_impact);
script_tag(name : "affected" , value : tag_affected);
script_tag(name : "insight" , value : tag_insight);
script_tag(name : "solution" , value : tag_solution);
script_tag(name : "summary" , value : tag_summary);
script_tag(name:"qod_type", value:"registry");
script_tag(name:"solution_type", value:"VendorFix");
exit(0);
}
include("smb_nt.inc");
include("secpod_reg.inc");
include("version_func.inc");
include("secpod_smb_func.inc");
if(hotfix_check_sp(xp:4, win2003:3, winVista:3, win2008:3, win7:1) <= 0){
exit(0);
}
# Active Directory
if((hotfix_missing(name:"981550") == 1) &&
registry_key_exists(key:"SYSTEM\CurrentControlSet\Services\NTDS\Performance"))
{
dllPath = registry_get_sz(key:"SOFTWARE\Microsoft\COM3\Setup",
item:"Install Path");
if(dllPath != NULL)
{
# Get the version of Active Directory
share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:dllPath);
ntdsaFile = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1",
string:dllPath + "\Ntdsa.dll");
ntdsaVer = GetVer(file:ntdsaFile, share:share);
if(ntdsaVer != NULL)
{
# Windows 2K3
if(hotfix_check_sp(win2003:3) > 0)
{
SP = get_kb_item("SMB/Win2003/ServicePack");
if("Service Pack 2" >< SP)
{
# Check for Ntdsa.dll version < 5.2.3790.4754
if(version_is_less(version:ntdsaVer, test_version:"5.2.3790.4754")){
security_message(0);
}
exit(0);
}
security_message(0);
}
}
}
}
# Active Directory Application Mode
if((hotfix_missing(name:"982000)") == 1) &&
registry_key_exists(key:"SYSTEM\CurrentControlSet\Services\ADAM\Linkage"))
{
dllPath = registry_get_sz(key:"SOFTWARE\Microsoft\COM3\Setup",
item:"Install Path");
if(dllPath != NULL)
{
# Get the version of Active Directory Application Mode
share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:dllPath);
adamdsaFile = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1",
string:dllPath - "system32" + "ADAM\Adamdsa.dll");
adamdsaVer = GetVer(file:adamdsaFile, share:share);
if(adamdsaVer != NULL)
{
# Windows XP/2K3
if(hotfix_check_sp(xp:4, win2003:3) > 0)
{
XPSP = get_kb_item("SMB/WinXP/ServicePack");
k3SP = get_kb_item("SMB/Win2003/ServicePack");
if(XPSP =~ "Service Pack (2|3)" || ("Service Pack 2" >< k3SP))
{
# Check for Adamdsa.dll version < 1.1.3790.4722
if(version_is_less(version:adamdsaVer, test_version:"1.1.3790.4722")){
security_message(0);
}
exit(0);
}
security_message(0);
}
}
}
}
if((hotfix_missing(name:"981550") == 0)){
exit(0);
}
sysPath = registry_get_sz(key:"SOFTWARE\Microsoft\Windows NT\CurrentVersion",
item:"PathName");
if(!sysPath){
exit(0);
}
share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:sysPath);
file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1",
string:sysPath + "\system32\Ntdsai.dll");
sysVer = GetVer(file:file, share:share);
if(!sysVer){
exit(0);
}
# Windows Vista
if(hotfix_check_sp(winVista:2) > 0)
{
SP = get_kb_item("SMB/WinVista/ServicePack");
if("Service Pack 1" >< SP)
{
# Grep for Rtutils.dll version < 6.0.6001.18461
if(version_is_less(version:sysVer, test_version:"6.0.6001.18461")){
security_message(0);
}
exit(0);
}
if("Service Pack 2" >< SP)
{
# Grep for Rtutils.dll version < 6.0.6002.18244
if(version_is_less(version:sysVer, test_version:"6.0.6002.18244")){
security_message(0);
}
exit(0);
}
security_message(0);
}
# Windows Server 2008
else if(hotfix_check_sp(win2008:2) > 0)
{
SP = get_kb_item("SMB/Win2008/ServicePack");
if("Service Pack 1" >< SP)
{
# Grep for Ntdsai.dll version < 1.626.6001.18461
if(version_is_less(version:sysVer, test_version:"1.626.6001.18461")){
security_message(0);
}
exit(0);
}
if("Service Pack 2" >< SP)
{
# Grep for Ntdsai.dll version < 6.0.6002.18244
if(version_is_less(version:sysVer, test_version:"6.0.6002.18244")){
security_message(0);
}
exit(0);
}
security_message(0);
}
## Windows 7
else if(hotfix_check_sp(win7:1) > 0)
{
## Grep for Ntdsai.dll version < 6.1.7600.16612
if(version_is_less(version:sysVer, test_version:"6.1.7600.16612")){
security_message(0);
}
}