Microsoft Office Invalid Index CVE-2014-6356 Memory Corruption Vulnerability
2014-12-09T00:00:00
ID SMNTC-71470 Type symantec Reporter Symantec Security Response Modified 2014-12-09T00:00:00
Description
Description
Microsoft Office is prone to a remote memory-corruption vulnerability because it fails to properly handle objects in memory. An attacker can leverage this issue to execute arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely result in denial-of-service conditions.
Technologies Affected
Microsoft Office 2007 SP3
Microsoft Office 2010 (32-bit edition) SP1
Microsoft Office 2010 (32-bit edition) SP2
Microsoft Office 2010 (64-bit edition) SP1
Microsoft Office 2010 (64-bit edition) SP2
Microsoft Office Compatibility Pack SP3
Recommendations
Run all software as a nonprivileged user with minimal access rights.
To reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.
Deploy network intrusion detection systems to monitor network traffic for malicious activity.
Deploy NIDS to monitor network traffic for signs of suspicious or anomalous activity. This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. Review all applicable logs regularly.
Do not accept or execute files from untrusted or unknown sources.
To reduce the likelihood of successful exploits, never handle files that originate from unfamiliar or untrusted sources.
Do not follow links provided by unknown or untrusted sources.
Web users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.
Implement multiple redundant layers of security.
Since this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.
Updates are available. Please see the references or vendor advisory for more information.
{"published": "2014-12-09T00:00:00", "id": "SMNTC-71470", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "history": [{"differentElements": ["description", "href", "affectedSoftware"], "edition": 1, "lastseen": "2016-09-04T11:41:29", "bulletin": {"published": "2014-12-09T00:00:00", "href": "https://www.symantec.com/security_response/vulnerability.jsp?bid=71470", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "reporter": "Symantec Security Response", "history": [], "description": "### Description\n\nMicrosoft Office is prone to a remote memory-corruption vulnerability because it fails to properly handle objects in memory. An attacker can leverage this issue to execute arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely result in denial-of-service conditions. \n\n### Technologies Affected\n\n * Microsoft Office 2007 SP3\n * Microsoft Office 2010 (32-bit edition) SP1\n * Microsoft Office 2010 (32-bit edition) SP2\n * Microsoft Office 2010 (64-bit edition) SP1\n * Microsoft Office 2010 (64-bit edition) SP2\n * Microsoft Office Compatibility Pack SP3\n\n### Recommendations\n\n#### Run all software as a nonprivileged user with minimal access rights.\n\nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n#### Deploy network intrusion detection systems to monitor network traffic for malicious activity.\n\nDeploy NIDS to monitor network traffic for signs of suspicious or anomalous activity. This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. Review all applicable logs regularly.\n\n#### Do not accept or execute files from untrusted or unknown sources.\n\nTo reduce the likelihood of successful exploits, never handle files that originate from unfamiliar or untrusted sources.\n\n#### Do not follow links provided by unknown or untrusted sources.\n\nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n#### Implement multiple redundant layers of security.\n\nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities. \n\nUpdates are available. Please see the references or vendor advisory for more information. \n", "bulletinFamily": "software", "viewCount": 0, "cvelist": ["CVE-2014-6356"], "affectedSoftware": [{"version": "SP3", "name": "Microsoft Office Compatibility Pack", "operator": "eq"}, {"version": "SP2", "name": "Microsoft Office 2010 (32-bit edition)", "operator": "eq"}, {"version": "SP1", "name": "Microsoft Office 2010 (32-bit edition)", "operator": "eq"}, {"version": "SP2", "name": "Microsoft Office 2010 (64-bit edition)", "operator": "eq"}, {"version": "2007 SP3", "name": "Microsoft Office", "operator": "eq"}, {"version": "SP1", "name": "Microsoft Office 2010 (64-bit edition)", "operator": "eq"}], "type": "symantec", "hash": "28f18ab190bf9fca2d6829a703812b5303f680eb0f166b21bf453a7b7e047919", "references": [], "enchantments": {"score": {"value": 7.6, "modified": "2016-09-04T11:41:29"}}, "title": "Microsoft Office Invalid Index CVE-2014-6356 Memory Corruption Vulnerability", "id": "SMNTC-71470", "lastseen": "2016-09-04T11:41:29", "edition": 1, "objectVersion": "1.2", "hashmap": [{"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "930e01eb79ed3e7301ab98e6b6deabc1", "key": "affectedSoftware"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "2c7062b6125ac079570b705c92eb9e66", "key": "title"}, {"hash": "52e3bbafc627009ac13caff1200a0dbf", "key": "type"}, {"hash": "123da52f4ba4d05ba2fc7c7a89dbc60c", "key": "href"}, {"hash": "f9fa10ba956cacf91d7878861139efb9", "key": "bulletinFamily"}, {"hash": "86ffd76294760c93a6b08c9c98b80d63", "key": "published"}, {"hash": "86ffd76294760c93a6b08c9c98b80d63", "key": "modified"}, {"hash": "ff806125aff137419104eb10a98cc234", "key": "description"}, {"hash": "02b1286a0bfca54d488ce4fbfa9865e7", "key": "cvelist"}, {"hash": "d6218597dc7a1b025a781373296b2b63", "key": "reporter"}], "modified": "2014-12-09T00:00:00"}}], "description": "### Description\n\nMicrosoft Office is prone to a remote memory-corruption vulnerability because it fails to properly handle objects in memory. An attacker can leverage this issue to execute arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely result in denial-of-service conditions.\n\n### Technologies Affected\n\n * Microsoft Office 2007 SP3 \n * Microsoft Office 2010 (32-bit edition) SP1 \n * Microsoft Office 2010 (32-bit edition) SP2 \n * Microsoft Office 2010 (64-bit edition) SP1 \n * Microsoft Office 2010 (64-bit edition) SP2 \n * Microsoft Office Compatibility Pack SP3 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of suspicious or anomalous activity. This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. Review all applicable logs regularly.\n\n**Do not accept or execute files from untrusted or unknown sources.** \nTo reduce the likelihood of successful exploits, never handle files that originate from unfamiliar or untrusted sources.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "hash": "01e05bba540f865fcf88533c5b2ed9a128960d6d4c5543fc9d9cc0b19089b392", "enchantments": {"score": {"value": 9.3, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2014-6356"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805029", "OPENVAS:1361412562310805113", "OPENVAS:1361412562310805028", "OPENVAS:1361412562310805025", "OPENVAS:1361412562310805027", "OPENVAS:1361412562310805026"]}, {"type": "nessus", "idList": ["SMB_NT_MS14-081.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:14212"]}], "modified": "2018-03-13T20:24:10"}, "vulnersScore": 9.3}, "type": "symantec", "lastseen": "2018-03-13T20:24:10", "edition": 2, "title": "Microsoft Office Invalid Index CVE-2014-6356 Memory Corruption Vulnerability", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/71470", "modified": "2014-12-09T00:00:00", "bulletinFamily": "software", "viewCount": 2, "cvelist": ["CVE-2014-6356"], "affectedSoftware": [{"version": "2010 (64-bit edition) SP1 ", "name": "Microsoft Office", "operator": "eq"}, {"version": "2007 SP3 ", "name": "Microsoft Office", "operator": "eq"}, {"version": "2010 (32-bit edition) SP1 ", "name": "Microsoft Office", "operator": "eq"}, {"version": "2010 (64-bit edition) SP2 ", "name": "Microsoft Office", "operator": "eq"}, {"version": "2010 (32-bit edition) SP2 ", "name": "Microsoft Office", "operator": "eq"}], "references": [], "reporter": "Symantec Security Response", "hashmap": [{"hash": "c00bd8604a2664c10329d037dd29d7d5", "key": "affectedSoftware"}, {"hash": "f9fa10ba956cacf91d7878861139efb9", "key": "bulletinFamily"}, {"hash": "02b1286a0bfca54d488ce4fbfa9865e7", "key": "cvelist"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "ae4e8042553adce0961322f649a813bc", "key": "description"}, {"hash": "8121e719b0de3331c7f83c8be747da8d", "key": "href"}, {"hash": "86ffd76294760c93a6b08c9c98b80d63", "key": "modified"}, {"hash": "86ffd76294760c93a6b08c9c98b80d63", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "d6218597dc7a1b025a781373296b2b63", "key": "reporter"}, {"hash": "2c7062b6125ac079570b705c92eb9e66", "key": "title"}, {"hash": "52e3bbafc627009ac13caff1200a0dbf", "key": "type"}], "objectVersion": "1.3"}
{"cve": [{"lastseen": "2018-10-13T11:06:31", "bulletinFamily": "NVD", "description": "Array index error in Microsoft Word 2007 SP3, Word 2010 SP2, and Office Compatibility Pack SP3 allows remote attackers to execute arbitrary code via a crafted Office document, aka \"Invalid Index Remote Code Execution Vulnerability.\"", "modified": "2018-10-12T18:07:44", "published": "2014-12-10T19:59:09", "id": "CVE-2014-6356", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6356", "title": "CVE-2014-6356", "type": "cve", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2019-05-06T14:36:03", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft Bulletin MS14-081.", "modified": "2019-05-03T00:00:00", "published": "2014-12-10T00:00:00", "id": "OPENVAS:1361412562310805113", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805113", "title": "Microsoft SharePoint Server WAS Remote Code Execution Vulnerability (3017301)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft SharePoint Server WAS Remote Code Execution Vulnerability (3017301)\n#\n# Authors:\n# Thanga Prakash S <tprakash@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:microsoft:sharepoint_server\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805113\");\n script_version(\"2019-05-03T10:54:50+0000\");\n script_cve_id(\"CVE-2014-6356\", \"CVE-2014-6357\");\n script_bugtraq_id(71470, 71469);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-03 10:54:50 +0000 (Fri, 03 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2014-12-10 11:30:23 +0530 (Wed, 10 Dec 2014)\");\n script_name(\"Microsoft SharePoint Server WAS Remote Code Execution Vulnerability (3017301)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft Bulletin MS14-081.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Flaws are due to an invalid indexing error\n and a use-after-free error when parsing Office files.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to execute the arbitrary code and compromise the system.\");\n\n script_tag(name:\"affected\", value:\"Microsoft SharePoint Server 2010\n\n Word Automation Services Service Pack 2 and prior, Microsoft\n\n SharePoint Server 2013 Word Automation Services Service Pack 1 and prior\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/61149\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/kb/2899581\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/kb/2883050\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/ms14-081\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"gb_ms_sharepoint_sever_n_foundation_detect.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"MS/SharePoint/Server/Ver\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif( ! infos = get_app_version_and_location( cpe:CPE, exit_no_version:TRUE ) ) exit( 0 );\nshareVer = infos['version'];\npath = infos['location'];\nif(!path || \"Could not find the install location\" >< path){\n exit(0);\n}\n\n## SharePoint Server 2010\nif(shareVer =~ \"^14\\..*\")\n{\n dllVer2 = fetch_file_version(sysPath:path,\n file_name:\"\\14.0\\WebServices\\WordServer\\Core\\sword.dll\");\n if(dllVer2)\n {\n if(version_in_range(version:dllVer2, test_version:\"14.0\", test_version2:\"14.0.7140.4999\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n}\n\n\n## SharePoint Server 2013\nif(shareVer =~ \"^15\\..*\")\n{\n dllVer2 = fetch_file_version(sysPath:path,\n file_name:\"\\15.0\\WebServices\\ConversionServices\\sword.dll\");\n if(dllVer2)\n {\n if(version_in_range(version:dllVer2, test_version:\"15.0\", test_version2:\"15.0.4675.999\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n}\n\nexit(99);", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-06T14:36:38", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft Bulletin MS14-081.", "modified": "2019-05-03T00:00:00", "published": "2014-12-10T00:00:00", "id": "OPENVAS:1361412562310805026", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805026", "title": "Microsoft Office Word Viewer Remote Code Execution Vulnerabilities (3017301)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Office Word Viewer Remote Code Execution Vulnerabilities (3017301)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805026\");\n script_version(\"2019-05-03T12:31:27+0000\");\n script_cve_id(\"CVE-2014-6356\", \"CVE-2014-6357\");\n script_bugtraq_id(71469, 71470);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-03 12:31:27 +0000 (Fri, 03 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2014-12-10 12:31:36 +0530 (Wed, 10 Dec 2014)\");\n script_name(\"Microsoft Office Word Viewer Remote Code Execution Vulnerabilities (3017301)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft Bulletin MS14-081.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaws are due to,\n\n - An invalid indexing error when parsing Office files can be exploited to\n execute arbitrary code via a specially crafted Office file.\n\n - A use-after-free error when parsing Office files can be exploited to execute\n arbitrary code via a specially crafted Office file.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to execute the arbitrary code, cause memory corruption and\n compromise the system.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Office Word Viewer 2007 SP3 and prior.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/61149\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/kb/3017301\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/MS14-081\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"SMB/Office/WordView/Version\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\nwordviewVer = get_kb_item(\"SMB/Office/WordView/Version\");\nif(wordviewVer)\n{\n if(version_in_range(version:wordviewVer, test_version:\"11.0\", test_version2:\"11.0.8413\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-21T14:46:03", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft Bulletin MS14-081.", "modified": "2019-05-20T00:00:00", "published": "2014-12-10T00:00:00", "id": "OPENVAS:1361412562310805029", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805029", "title": "Microsoft Office Word Remote Code Execution Vulnerabilities-3017301 (Mac OS X)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Office Word Remote Code Execution Vulnerabilities-3017301 (Mac OS X)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805029\");\n script_version(\"2019-05-20T11:12:48+0000\");\n script_cve_id(\"CVE-2014-6356\", \"CVE-2014-6357\");\n script_bugtraq_id(71469, 71470);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-20 11:12:48 +0000 (Mon, 20 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2014-12-10 13:24:58 +0530 (Wed, 10 Dec 2014)\");\n script_name(\"Microsoft Office Word Remote Code Execution Vulnerabilities-3017301 (Mac OS X)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft Bulletin MS14-081.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaws are due to,\n\n - An invalid indexing error when parsing Office files can be exploited to\n execute arbitrary code via a specially crafted Office file.\n\n - A use-after-free error when parsing Office files can be exploited to execute\n arbitrary code via a specially crafted Office file.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to execute the arbitrary code, cause memory corruption and\n compromise the system.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Office 2011 on Mac OS X\");\n\n script_tag(name:\"solution\", value:\"Apply the patch from the referenced advisory.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/61149\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/kb/3018888\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/MS14-081\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Mac OS X Local Security Checks\");\n script_dependencies(\"gb_microsoft_office_detect_macosx.nasl\");\n script_mandatory_keys(\"MS/Office/MacOSX/Ver\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/en-us/security/bulletin/ms14-081\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\n\noffVer = get_kb_item(\"MS/Office/MacOSX/Ver\");\n\nif(!offVer || offVer !~ \"^14\\.\"){\n exit(0);\n}\n\nif(version_in_range(version:offVer, test_version:\"14.0\", test_version2:\"14.4.6\"))\n{\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-06T14:36:03", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft Bulletin MS14-081.", "modified": "2019-05-03T00:00:00", "published": "2014-12-10T00:00:00", "id": "OPENVAS:1361412562310805025", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805025", "title": "Microsoft Office Word Remote Code Execution Vulnerabilities (3017301)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Office Word Remote Code Execution Vulnerabilities (3017301)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805025\");\n script_version(\"2019-05-03T12:31:27+0000\");\n script_cve_id(\"CVE-2014-6356\", \"CVE-2014-6357\");\n script_bugtraq_id(71469, 71470);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-03 12:31:27 +0000 (Fri, 03 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2014-12-10 12:08:06 +0530 (Wed, 10 Dec 2014)\");\n script_name(\"Microsoft Office Word Remote Code Execution Vulnerabilities (3017301)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft Bulletin MS14-081.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaws are due to,\n\n - An invalid indexing error when parsing Office files can be exploited to\n execute arbitrary code via a specially crafted Office file.\n\n - A use-after-free error when parsing Office files can be exploited to execute\n arbitrary code via a specially crafted Office file.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to execute the arbitrary code, cause memory corruption and\n compromise the system.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Word 2007 SP3 and prior\n Microsoft Word 2010 Service Pack 2 and prior\n Microsoft Word 2013 Service Pack 1 and prior\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/61149\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/kb/3017301\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/MS14-081\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"SMB/Office/Word/Version\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\nwinwordVer = get_kb_item(\"SMB/Office/Word/Version\");\n\n## Microsoft Office Word 2007\nif(winwordVer && winwordVer =~ \"^(12|14|15).*\")\n{\n ## 15 < 15.0.4675.1000\n if(version_in_range(version:winwordVer, test_version:\"12.0\", test_version2:\"12.0.6713.4999\") ||\n version_in_range(version:winwordVer, test_version:\"14.0\", test_version2:\"14.0.7140.4999\") ||\n version_in_range(version:winwordVer, test_version:\"15.0\", test_version2:\"15.0.4675.999\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-06T14:36:28", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft Bulletin MS14-081.", "modified": "2019-05-03T00:00:00", "published": "2014-12-10T00:00:00", "id": "OPENVAS:1361412562310805027", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805027", "title": "MS Office Compatibility Pack Remote Code Execution Vulnerabilities (3017301)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# MS Office Compatibility Pack Remote Code Execution Vulnerabilities (3017301)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805027\");\n script_version(\"2019-05-03T12:31:27+0000\");\n script_cve_id(\"CVE-2014-6356\", \"CVE-2014-6357\");\n script_bugtraq_id(71469, 71470);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-03 12:31:27 +0000 (Fri, 03 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2014-12-10 12:32:44 +0530 (Wed, 10 Dec 2014)\");\n script_name(\"MS Office Compatibility Pack Remote Code Execution Vulnerabilities (3017301)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft Bulletin MS14-081.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaws are due to,\n\n - An invalid indexing error when parsing Office files can be exploited to\n execute arbitrary code via a specially crafted Office file.\n\n - A use-after-free error when parsing Office files can be exploited to execute\n arbitrary code via a specially crafted Office file.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to execute the arbitrary code, cause memory corruption and\n compromise the system.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Office Compatibility Pack SP3 and prior.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/61149\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/kb/3017301\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/kb/2920792\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/MS14-081\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"SMB/Office/WordCnv/Version\");\n script_require_ports(139, 445);\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nwordcnvVer = get_kb_item(\"SMB/Office/WordCnv/Version\");\nif(wordcnvVer && wordcnvVer =~ \"^12.*\")\n{\n # Office Word Converter\n path = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\",\n item:\"ProgramFilesDir\");\n if(path)\n {\n sysVer = fetch_file_version(sysPath:path + \"\\Microsoft Office\\Office12\", file_name:\"Wordcnv.dll\");\n if(sysVer)\n {\n if(version_in_range(version:sysVer, test_version:\"12.0\", test_version2:\"12.0.6713.4999\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n }\n}\n\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-06T14:36:47", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft Bulletin MS14-081.", "modified": "2019-05-03T00:00:00", "published": "2014-12-10T00:00:00", "id": "OPENVAS:1361412562310805028", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805028", "title": "Microsoft Office Web Apps Remote Code Execution Vulnerabilities (3017301)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Office Web Apps Remote Code Execution Vulnerabilities (3017301)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:microsoft:office_web_apps\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805028\");\n script_version(\"2019-05-03T12:31:27+0000\");\n script_cve_id(\"CVE-2014-6356\", \"CVE-2014-6357\");\n script_bugtraq_id(71469, 71470);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-03 12:31:27 +0000 (Fri, 03 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2014-12-10 12:57:43 +0530 (Wed, 10 Dec 2014)\");\n script_name(\"Microsoft Office Web Apps Remote Code Execution Vulnerabilities (3017301)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft Bulletin MS14-081.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaws are due to,\n\n - An invalid indexing error when parsing Office files can be exploited to\n execute arbitrary code via a specially crafted Office file.\n\n - A use-after-free error when parsing Office files can be exploited to execute\n arbitrary code via a specially crafted Office file.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to execute the arbitrary code, cause memory corruption and\n compromise the system.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Web Applications 2010 Service Pack 2 and prior,\n\n Microsoft Web Applications 2013 Service Pack 1 and prior.\n\n Microsoft Office Compatibility Pack SP3 and prior.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/61149\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/kb/2889851\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/kb/2910892\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/MS14-081\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"gb_ms_office_web_apps_detect.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"MS/Office/Web/Apps/Ver\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif( ! infos = get_app_version_and_location( cpe:CPE, exit_no_version:TRUE ) ) exit( 0 );\nwebappVer = infos['version'];\npath = infos['location'];\nif(!path || \"Could not find the install location\" >< path){\n exit(0);\n}\n\nif(webappVer =~ \"^14\\..*\")\n{\n ## Microsoft Office Web Apps 2010\n dllVer = fetch_file_version(sysPath:path,\n file_name:\"\\14.0\\WebServices\\ConversionService\\Bin\\Converter\\msoserver.dll\");\n if(dllVer)\n {\n if(version_in_range(version:dllVer, test_version:\"14.0\", test_version2:\"14.0.7140.4999\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n}\n\n## Microsoft Office Web Apps 2013\nif(webappVer =~ \"^15\\..*\")\n{\n path = path + \"\\PPTConversionService\\bin\\Converter\\\";\n\n dllVer = fetch_file_version(sysPath:path, file_name:\"msoserver.dll\");\n if(dllVer)\n {\n if(version_in_range(version:dllVer, test_version:\"15.0\", test_version2:\"15.0.4675.999\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n}\n\nexit(99);", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-02-21T01:22:59", "bulletinFamily": "scanner", "description": "The remote Windows host has a version of Microsoft Office, Microsoft Word, Office Compatibility Pack, Microsoft Word Viewer, SharePoint Server, or Microsoft Office Web Apps that is affected by one or more remote code execution vulnerabilities due to Microsoft Word improperly handling objects in memory. A remote attacker can exploit this vulnerability by convincing a user to open a specially crafted Office file, resulting in execution of arbitrary code in the context of the current user.", "modified": "2018-07-30T00:00:00", "id": "SMB_NT_MS14-081.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=79830", "published": "2014-12-09T00:00:00", "title": "MS14-081: Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (3017301)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(79830);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/07/30 15:31:33\");\n\n script_cve_id(\"CVE-2014-6356\", \"CVE-2014-6357\");\n script_bugtraq_id(71469, 71470);\n script_xref(name:\"MSFT\", value:\"MS14-081\");\n script_xref(name:\"MSKB\", value:\"2920793\");\n script_xref(name:\"MSKB\", value:\"2899518\");\n script_xref(name:\"MSKB\", value:\"2899519\");\n script_xref(name:\"MSKB\", value:\"2910916\");\n script_xref(name:\"MSKB\", value:\"2920729\");\n script_xref(name:\"MSKB\", value:\"2920792\");\n script_xref(name:\"MSKB\", value:\"2899581\");\n script_xref(name:\"MSKB\", value:\"2883050\");\n script_xref(name:\"MSKB\", value:\"2910892\");\n script_xref(name:\"MSKB\", value:\"2889851\");\n script_xref(name:\"IAVA\", value:\"2014-A-0190\");\n\n script_name(english:\"MS14-081: Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (3017301)\");\n script_summary(english:\"Checks Word / Office Web Apps version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by multiple remote code execution\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host has a version of Microsoft Office, Microsoft\nWord, Office Compatibility Pack, Microsoft Word Viewer, SharePoint\nServer, or Microsoft Office Web Apps that is affected by one or more\nremote code execution vulnerabilities due to Microsoft Word improperly\nhandling objects in memory. A remote attacker can exploit this\nvulnerability by convincing a user to open a specially crafted Office\nfile, resulting in execution of arbitrary code in the context of the\ncurrent user.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://technet.microsoft.com/library/security/ms14-081\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Office 2007, 2010, 2013,\nOffice Compatibility Pack, Microsoft Word Viewer, SharePoint Server,\nand Office Web Apps.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/12/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/12/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/12/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:word\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:word_viewer\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office_compatibility_pack\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:sharepoint_server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office_web_apps\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"office_installed.nasl\", \"microsoft_sharepoint_installed.nbin\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\n\nglobal_var bulletin, vuln;\n\nfunction get_ver()\n{\n local_var fh, path, rc, share, ver;\n\n path = _FCT_ANON_ARGS[0];\n\n share = ereg_replace(pattern:\"^([A-Za-z]):.*\", replace:\"\\1$\", string:path);\n\n rc = NetUseAdd(share:share);\n if (rc != 1)\n {\n NetUseDel();\n audit(AUDIT_SHARE_FAIL, share);\n }\n\n ver = NULL;\n path = ereg_replace(string:path, pattern:\"^[A-Za-z]:(.*)\", replace:'\\\\1\\\\');\n\n fh = CreateFile(\n file : path,\n desired_access : GENERIC_READ,\n file_attributes : FILE_ATTRIBUTE_NORMAL,\n share_mode : FILE_SHARE_READ,\n create_disposition : OPEN_EXISTING\n );\n if (!isnull(fh))\n {\n ver = GetFileVersion(handle:fh);\n ver = join(ver, sep:\".\");\n CloseFile(handle:fh);\n }\n\n NetUseDel(close:FALSE);\n\n return ver;\n}\n\nfunction check_vuln(fix, kb, name, path, ver)\n{\n local_var info;\n\n if (isnull(ver))\n ver = get_ver(path);\n\n if (isnull(ver) || ver_compare(ver:ver, fix:fix, strict:FALSE) >= 0)\n return 0;\n\n info =\n '\\n Product : ' + name +\n '\\n Path : ' + path +\n '\\n Installed version : ' + ver +\n '\\n Fixed version : ' + fix +\n '\\n';\n hotfix_add_report(info, bulletin:bulletin, kb:kb);\n\n vuln = TRUE;\n}\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\n# Get path information for Windows.\nwindir = hotfix_get_systemroot();\nif (isnull(windir)) exit(1, \"Failed to determine the location of %windir%.\");\n\nbulletin = 'MS14-081';\nkbs = make_list(\n 2920793, # Word 2007\n 2899518, # Office 2010\n 2899519, # Word 2010\n 2910916, # Word 2013\n 2920729, # Word Viewer\n 2920792, # Office Compatibility Pack SP3\n 2899581, # Word Automation Services SharePoint Server 2010\n 2883050, # Word Automation Services SharePoint Server 2013\n 2910892, # Office Web Apps 2010\n 2889851 # Office Web Apps 2013\n);\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\", exit_code:1);\n\n# Connect to the registry.\nregistry_init();\nhklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);\n\n# Get path information for SharePoint Server 2010.\nsps_2010_path = get_registry_value(\n handle : hklm,\n item : \"SOFTWARE\\Microsoft\\Office Server\\14.0\\InstallPath\"\n);\n\n# Get the path information for SharePoint Server 2013\nsps_2013_path = get_registry_value(\n handle : hklm,\n item : \"SOFTWARE\\Microsoft\\Office Server\\15.0\\InstallPath\"\n);\n\nowa_2013_path = get_registry_value(\n handle : hklm,\n item : \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Office15.WacServer\\InstallLocation\"\n);\n\n# Close connection to registry.\nRegCloseKey(handle:hklm);\nclose_registry(close:FALSE);\n# Get path information for Office Web Apps.\nowa_2010_path = sps_2010_path;\n######################################################################\n# Office Web Apps 2010 SP1 / SP2\n######################################################################\nif (owa_2010_path)\n{\n check_vuln(\n name : \"Office Web Apps 2010\",\n kb : \"2910892\",\n path : owa_2010_path + \"WebServices\\ConversionService\\Bin\\Converter\\sword.dll\",\n fix : \"14.0.7140.5000\"\n );\n}\n\n######################################################################\n# Office Web Apps 2013\n######################################################################\nif (owa_2013_path)\n{\n check_vuln(\n name : \"Office Web Apps 2013\",\n kb : \"2889851\",\n path : windir + \"\\Microsoft.NET\\assembly\\GAC_MSIL\\Microsoft.Office.Web.Apps.Environment.WacServer\\v4.0_15.0.0.0__71e9bce111e9429c\\Microsoft.Office.Web.Apps.Environment.WacServer.dll\",\n fix : \"15.0.4611.1000\"\n );\n}\n\n######################################################################\n# SharePoint Server 2010 SP1 / SP2\n######################################################################\nif (sps_2010_path)\n{\n check_vuln(\n name : \"Office SharePoint Server 2010\",\n kb : \"2899581\",\n path : sps_2010_path + \"WebServices\\WordServer\\Core\\sword.dll\",\n fix : \"14.0.7140.5000\"\n );\n}\n\n######################################################################\n# SharePoint Server 2013\n######################################################################\nif (sps_2013_path)\n{\n check_vuln(\n name : \"Office SharePoint Server 2013\",\n kb : \"2883050\",\n path : sps_2013_path + \"WebServices\\ConversionServices\\sword.dll\",\n fix : \"15.0.4675.1000\"\n );\n}\n\n# Word\nkb = \"\";\ninstalls = get_kb_list(\"SMB/Office/Word/*/ProductPath\");\nif (!isnull(installs))\n{\n foreach install (keys(installs))\n {\n version = install - 'SMB/Office/Word/' - '/ProductPath';\n path = installs[install];\n info = \"\";\n\n ver = split(version, sep:'.', keep:FALSE);\n for (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\n\n if(ver[0] == 15 && ver[1] == 0)\n {\n # Word 2013\n if (\n ver[2] < 4675 ||\n (ver[2] == 4675 && ver[3] < 1000)\n )\n {\n office_sp = get_kb_item(\"SMB/Office/2013/SP\");\n if (!isnull(office_sp) && (office_sp == 0 || office_sp == 1))\n {\n info =\n '\\n Product : Word 2013' +\n '\\n File : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 15.0.4675.1000' + '\\n';\n kb = \"2910916\";\n }\n }\n }\n\n # Word 2010 SP1 and SP2\n if (\n ver[0] == 14 && ver[1] == 0 &&\n (\n ver[2] < 7140 ||\n (ver[2] == 7140 && ver[3] < 5000)\n )\n )\n {\n office_sp = get_kb_item(\"SMB/Office/2010/SP\");\n if (!isnull(office_sp) && (office_sp == 2))\n {\n info =\n '\\n Product : Word 2010' +\n '\\n File : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 14.0.7140.5000' + '\\n';\n kb = \"2899519\";\n }\n }\n\n # Word 2007 SP3\n if (\n ver[0] == 12 && ver[1] == 0 &&\n (\n ver[2] < 6713 ||\n (ver[2] == 6713 && ver[3] < 5000)\n )\n )\n {\n office_sp = get_kb_item(\"SMB/Office/2007/SP\");\n if (!isnull(office_sp) && office_sp == 3)\n {\n info =\n '\\n Product : Word 2007 SP3' +\n '\\n File : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 12.0.6713.5000' + '\\n';\n kb = \"2920793\";\n }\n }\n\n if (info)\n {\n hotfix_add_report(info, bulletin:bulletin, kb:kb);\n vuln = TRUE;\n }\n }\n}\n\n# Word Viewer\ninstalls = get_kb_list(\"SMB/Office/WordViewer/*/ProductPath\");\nif (!isnull(installs))\n{\n foreach install (keys(installs))\n {\n info = \"\";\n version = install - 'SMB/Office/WordViewer/' - '/ProductPath';\n path = installs[install];\n if (isnull(path)) path = \"n/a\";\n\n ver = split(version, sep:'.', keep:FALSE);\n for (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\n\n if (ver[0] == 11 && ver[1] == 0 && ver[2] < 8414)\n {\n info =\n '\\n Product : Word Viewer' +\n '\\n File : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 11.0.8414.0' + '\\n';\n kb = \"2920729\";\n }\n\n if (info)\n {\n hotfix_add_report(info, bulletin:bulletin, kb:kb);\n vuln = TRUE;\n break;\n }\n }\n}\n\n# Ensure Office is installed\noffice_vers = hotfix_check_office_version();\nif (!isnull(office_vers))\n{\n # Ensure we can get common files directory\n commonfiles = hotfix_get_officecommonfilesdir(officever:\"14.0\");\n if (commonfiles)\n {\n # Ensure share is accessible\n share = ereg_replace(pattern:\"^([A-Za-z]):.*\", replace:\"\\1$\", string:commonfiles);\n if (is_accessible_share(share:share))\n {\n # Office 2010\n if (office_vers[\"14.0\"])\n {\n office_sp = get_kb_item(\"SMB/Office/2010/SP\");\n if (!isnull(office_sp) && office_sp == 2)\n {\n path = get_kb_item(\"SMB/Office/Word/14.0/Path\");\n if (path)\n {\n old_report = hotfix_get_report();\n check_file = \"Wwlib.dll\";\n\n if (hotfix_check_fversion(path:path, file:check_file, version:\"14.0.7140.5000\", min_version:\"14.0.0.0\") == HCF_OLDER)\n {\n file = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", string:path, replace:\"\\1\\\" + check_file);\n kb_name = \"SMB/FileVersions/\"+tolower(share-'$')+tolower(str_replace(string:file, find:\"\\\", replace:\"/\"));\n kb_name = str_replace(find:\"//\", replace:\"/\", string:kb_name);\n version = get_kb_item(kb_name);\n\n info =\n '\\n Product : Microsoft Office 2010' +\n '\\n File : ' + path + '\\\\' + check_file +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 14.0.7140.5000' + '\\n';\n\n hcf_report = '';\n hotfix_add_report(old_report + info, bulletin:bulletin, kb:\"2899518\");\n vuln = TRUE;\n }\n }\n }\n }\n }\n }\n}\n\nversion = '';\ninstalls = get_kb_list(\"SMB/Office/WordCnv/*/ProductPath\");\nif (!isnull(installs))\n{\n foreach install (keys(installs))\n {\n version = install - 'SMB/Office/WordCnv/' - '/ProductPath';\n path = installs[install];\n\n if (!isnull(path))\n {\n share = hotfix_path2share(path:path);\n if (!is_accessible_share(share:share))\n audit(AUDIT_SHARE_FAIL, share);\n\n path = path - '\\\\Wordconv.exe';\n\n old_report = hotfix_get_report();\n check_file = \"wordcnv.dll\";\n\n if (hotfix_check_fversion(path:path, file:check_file, version:\"12.0.6713.5000\", min_version:\"12.0.0.0\") == HCF_OLDER)\n {\n file = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", string:path, replace:\"\\1\\\" + check_file);\n kb_name = \"SMB/FileVersions/\"+tolower(share-'$')+tolower(str_replace(string:file, find:\"\\\", replace:\"/\"));\n kb_name = ereg_replace(pattern:\"//\"+check_file, replace:\"/\"+check_file, string:kb_name);\n version = get_kb_item(kb_name);\n\n info =\n '\\n Product : Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats' +\n '\\n File : ' + path + '\\\\' + check_file +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 12.0.6713.5000' + '\\n';\n\n hcf_report = '';\n hotfix_add_report(old_report + info, bulletin:bulletin, kb:\"2920792\");\n vuln = TRUE;\n }\n }\n }\n}\n\nif (!version)\n{\n # Additional check if registry key is missing\n path = hotfix_get_officecommonfilesdir(officever:\"12.0\") + \"\\Microsoft Office\\Office12\";\n\n kb = \"2920792\";\n if (\n hotfix_is_vulnerable(file:\"wordcnv.dll\", version:\"12.0.6713.5000\", min_version:\"12.0.0.0\", path:path, bulletin:bulletin, kb:kb)\n ) vuln = TRUE;\n}\n\nif (vuln)\n{\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:58", "bulletinFamily": "software", "description": "Memory corruptions, index overflows, use-after-free, uninitialized pointers.", "modified": "2015-01-14T00:00:00", "published": "2015-01-14T00:00:00", "id": "SECURITYVULNS:VULN:14212", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14212", "title": "Microsoft Office multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
