Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Remote Code Execution (2485376)

Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Remote Code Executio

Reporter	Title	Published	Views	Family All 9
Check Point Advisories	Microsoft OpenType CFF Driver Font Encoded Character Corruption (MS11-007; CVE-2011-0033)	8 Feb 201100:00	–	checkpoint_advisories
CVE	CVE-2011-0033	10 Feb 201115:00	–	cve
Cvelist	CVE-2011-0033	10 Feb 201115:00	–	cvelist
NVD	CVE-2011-0033	10 Feb 201116:00	–	nvd
OpenVAS	Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Remote Code Execution (2485376)	9 Feb 201100:00	–	openvas
Prion	Code injection	10 Feb 201116:00	–	prion
Positive Technologies	PT-2011-2030 · Microsoft · Windows Server 2003 +5	10 Feb 201100:00	–	ptsecurity
securityvulns	Microsoft Windows multiple security vulnerabilities	14 Feb 201100:00	–	securityvulns
Tenable Nessus	MS11-007: Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Remote Code Execution (2485376)	8 Feb 201100:00	–	nessus

Source	Link
microsoft	www.microsoft.com/technet/security/Bulletin/MS11-007.mspx
vupen	www.vupen.com/english/advisories/2011/0320

###############################################################################
# OpenVAS Vulnerability Test
# $Id: secpod_ms11-007.nasl 5362 2017-02-20 12:46:39Z cfi $
#
# Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Remote Code Execution (2485376)
#
# Authors:
# Madhuri D <[email protected]>
#
# Copyright:
# Copyright (c) 2011 SecPod, http://www.secpod.com
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

tag_impact = "Successful exploitation will allow the remote attackers or malicious users to
  execute arbitrary code with kernel privileges.
  Impact Level: System/Application";
tag_affected = "Microsoft Windows 7 Service Pack 1 and prior.
  Microsoft Windows XP Service Pack 3 and prior.
  Microsoft Windows 2K3 Service Pack 2 and prior.
  Microsoft Windows Vista Service Pack 2 and prior.
  Microsoft Windows Server 2008 Service Pack 2 and prior.";
tag_insight = "The flaw is caused by an error in the Windows OpenType Compact Font Format
  (CFF) driver that does not properly validate the parameter values of
  specially crafted OpenType fonts.";
tag_solution = "Run Windows Update and update the listed hotfixes or download and
  update mentioned hotfixes in the advisory from the below link,
  http://www.microsoft.com/technet/security/Bulletin/MS11-007.mspx";
tag_summary = "This host is missing a critical security update according to
  Microsoft Bulletin MS11-007.";

if(description)
{
  script_id(902335);
  script_version("$Revision: 5362 $");
  script_tag(name:"last_modification", value:"$Date: 2017-02-20 13:46:39 +0100 (Mon, 20 Feb 2017) $");
  script_tag(name:"creation_date", value:"2011-02-09 17:14:46 +0100 (Wed, 09 Feb 2011)");
  script_cve_id("CVE-2011-0033");
  script_bugtraq_id(46106);
  script_tag(name:"cvss_base", value:"9.3");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_name("Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Remote Code Execution (2485376)");
  script_xref(name : "URL" , value : "http://www.vupen.com/english/advisories/2011/0320");
  script_xref(name : "URL" , value : "http://www.microsoft.com/technet/security/Bulletin/MS11-007.mspx");

  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2011 SecPod");
  script_family("Windows : Microsoft Bulletins");
  script_dependencies("secpod_reg_enum.nasl");
  script_require_ports(139, 445);
  script_mandatory_keys("SMB/WindowsVersion");

  script_tag(name : "impact" , value : tag_impact);
  script_tag(name : "affected" , value : tag_affected);
  script_tag(name : "insight" , value : tag_insight);
  script_tag(name : "solution" , value : tag_solution);
  script_tag(name : "summary" , value : tag_summary);
  script_tag(name:"qod_type", value:"registry");
  script_tag(name:"solution_type", value:"VendorFix");
  exit(0);
}


include("smb_nt.inc");
include("secpod_reg.inc");
include("version_func.inc");
include("secpod_smb_func.inc");

## Check for OS and Service Pack
if(hotfix_check_sp(xp:4, win2003:3, winVista:3, win2008:3, win7:2) <= 0){
  exit(0);
}

## MS11-007 Hotfix
if((hotfix_missing(name:"2485376") == 0)){
  exit(0);
}

## Get System32 path
sysPath = smb_get_systemroot();
if(!sysPath ){
  exit(0);
}

dllVer = fetch_file_version(sysPath, file_name:"system32\Atmfd.dll");
if(!dllVer){
  exit(0);
}

if(hotfix_check_sp(xp:4, winVista:3, win2008:3) > 0)
{
  # Grep for Atmfd.dll version < 5.1.2.231
  if(version_is_less(version:dllVer, test_version:"5.1.2.231"))
  {
    security_message(0);
    exit(0);
  }
}

if(hotfix_check_sp(win7:2) > 0)
{
  # Grep for Atmfd.dll version < 5.1.2.232
  if(version_is_less(version:dllVer, test_version:"5.1.2.232"))
  {
    security_message(0);
    exit(0);
  }
}

if(hotfix_check_sp(win2003:3) > 0)
{
  # Grep for Atmfd.dll version < 5.2.2.231
  if(version_is_less(version:dllVer, test_version:"5.2.2.231")){
    security_message(0);
  }
}

20 Feb 2017 00:00Current

0.7Low risk

Vulners AI Score0.7

EPSS0.22056