Microsoft SharePoint Privilege Elevation Vulnerabilities (2663841)

###############################################################################
# OpenVAS Vulnerability Test
# $Id: secpod_ms12-011.nasl 5366 2017-02-20 13:55:38Z cfi $
#
# Microsoft SharePoint Privilege Elevation Vulnerabilities (2663841)
#
# Authors:
# Madhuri D <[email protected]>
#
# Copyright:
# Copyright (c) 2012 SecPod, http://www.secpod.com
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

tag_impact = "Successful exploitation will allow attacker to execute arbitrary script
  code in the browser of an unsuspecting user in the context of the affected
  site.
  Impact Level: Application";
tag_affected = "Microsoft SharePoint Server 2010 Service Pack 1 and prior
  Microsoft SharePoint Foundation 2010 Service Pack 1 and prior";
tag_insight = "Input passed to 'inplview.aspx', 'themeweb.aspx' and 'skey' parameter in
  'wizardlist.aspx' is not properly sanitised before being returned to the
  user. This can be exploited to execute arbitrary HTML and script code in a
  user's browser session in context of an affected site.";
tag_solution = "Run Windows Update and update the listed hotfixes or download and
  update mentioned hotfixes in the advisory from the below link,
  http://technet.microsoft.com/en-us/security/bulletin/ms12-011";
tag_summary = "This host is missing an important security update according to
  Microsoft Bulletin MS12-011.";

if(description)
{
  script_id(902919);
  script_version("$Revision: 5366 $");
  script_cve_id("CVE-2012-0017", "CVE-2012-0144", "CVE-2012-0145");
  script_bugtraq_id(51928 ,51934, 51937);
  script_tag(name:"cvss_base", value:"4.3");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_tag(name:"last_modification", value:"$Date: 2017-02-20 14:55:38 +0100 (Mon, 20 Feb 2017) $");
  script_tag(name:"creation_date", value:"2012-06-28 15:51:26 +0530 (Thu, 28 Jun 2012)");
  script_name("Microsoft SharePoint Privilege Elevation Vulnerabilities (2663841)");
  script_xref(name : "URL" , value : "http://secunia.com/advisories/48029/");
  script_xref(name : "URL" , value : "http://support.microsoft.com/kb/2553413");
  script_xref(name : "URL" , value : "http://support.microsoft.com/kb/2597124");
  script_xref(name : "URL" , value : "http://technet.microsoft.com/en-us/security/bulletin/ms12-011");

  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2012 SecPod");
  script_family("Windows : Microsoft Bulletins");
  script_dependencies("secpod_reg_enum.nasl");
  script_require_ports(139, 445);
  script_mandatory_keys("SMB/WindowsVersion");

  script_tag(name : "impact" , value : tag_impact);
  script_tag(name : "affected" , value : tag_affected);
  script_tag(name : "insight" , value : tag_insight);
  script_tag(name : "solution" , value : tag_solution);
  script_tag(name : "summary" , value : tag_summary);
  script_tag(name:"qod_type", value:"registry");
  script_tag(name:"solution_type", value:"VendorFix");
  exit(0);
}


include("smb_nt.inc");
include("secpod_reg.inc");
include("version_func.inc");
include("secpod_smb_func.inc");

## Variable Initialization
key = "";
dllVer = "";
spName = "";
spPath = "";
spVer = "";
path = "";

key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\";
if(!registry_key_exists(key:key)){
  exit(0);
}

foreach item (registry_enum_keys(key:key))
{
  spName = registry_get_sz(key:key + item, item:"DisplayName");

  ## Confirm the application
  if("Microsoft SharePoint Foundation 2010" >< spName ||
     "Microsoft SharePoint Server 2010" >< spName)
  {
    ## Get the common files dir path
    path = registry_get_sz(key:"SOFTWARE\Microsoft\Windows\CurrentVersion",
                       item:"CommonFilesDir");
    if(path)
    {
      ## For Microsoft SharePoint Foundation 2010
      ## Get the Onfda.dll file version
      dllVer = fetch_file_version(sysPath:path,
              file_name:"Microsoft Shared\Web Server Extensions\14\Bin\ONFDA.dll");
      if(dllVer)
      {
        ## Checking for Onfda.dll file version
        if(version_is_less(version:dllVer, test_version:"14.0.6106.5000"))
        {
          security_message(0);
          exit(0);
        }
      }
    }

    ## Microsoft SharePoint Server 2010
    ## Get the Microsoft.office.server.native.dll file version
    spPath = registry_get_sz(key:key + item, item:"InstallLocation");
    if(!spPath){
      exit(0);
    }

    spVer = fetch_file_version(sysPath:spPath, file_name:"14.0\Bin\Microsoft.office.server.native.dll");
    if(!spVer){
      exit(0);
    }

    ## Checking for Microsoft.office.server.native.dll file version
    if(version_is_less(version:spVer, test_version:"14.0.6108.5000"))
    {
      security_message(0);
      exit(0);
    }
  }
}