Mailing List Archive: Nessus: plugins

Dreamweaver Plug In Code

Index | Next | Previous | View Threaded

jfvanmeter at comcast

Apr 10, 2007, 10:20 AM

Post #1 of 2 (1431 views)
Permalink

Dreamweaver Plug In Code

Hello, below is the code that i' think would verify the version of dreamweaver installed on a remote host. Would someone point out any mistakes or areas that I an improve on. Hopefully I didn't muck it up to bad

desc = "
Synopsis :
Dreamweaver 8.0 – CVE 2006-2042 - CVSS Severity: 7.0 (High)
The version of Dreamweaver on the remote Windows host is out of date, and can generate code that introduces multiple SQL
vulnerabilities on the web server on which Dreamweaver gerated code is executed.
issues.

Description :

Versions of Dreamweaver prior to 8.0.2 is capable of generating code that introduces multiple SQL
Injection vulnerabilities on the web server on which the Dreamweaver generated code is executed. The
threat is exploitable externally/internally to USDA. NIST rates the severity of this vulnerability as a high.
The vulnerability is remotely exploitable and does not require authentication to exploit.

Impact Type: Provides unauthorized access, Allows partial confidentiality, integrity, and availability
violation and allows disruption of service.

See also :

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-2042
http://www.adobe.com/support/security/bulletins/apsb06-07.html
http://www.tom-muck.com/blog/samples/dw8updaterreport.cfm

Solution :
1. Install the updater software that updates the version of Dreamweaver to version 8.0.2
2. Recreate the server components generated by Dreamweaver to eliminate the SQL Injection vulnerabilities.

Risk factor :

CVSS Severity: 7.0 (High)";

if (description)
{
script_id(99999);
script_version("$Revision: 1 $");

script_name(english:"Dreamweaver Version < 8.0.2");
script_summary(english:"Checks version of Dreamweaver.exe");

script_description(english:desc);

script_category(ACT_GATHER_INFO);
script_family(english:"Windows");

script_copyright(english:"This script is Copyright (C) 2007 Tenable Network Security");

script_dependencies("smb_hotfixes.nasl", "opera_installed.nasl");
script_require_keys("SMB/Registry/Enumerated");
script_require_ports(139, 445);

exit(0);
}

include("smb_func.inc");
include("smb_hotfixes.inc");

if (!get_kb_item("SMB/Registry/Enumerated")) exit(0);

# Connect to the appropriate share.
name = kb_smb_name();
port = kb_smb_transport();
if (!get_port_state(port)) exit(0);
login = kb_smb_login();
pass = kb_smb_password();
domain = kb_smb_domain();

soc = open_sock_tcp(port);
if (!soc) exit(0);

session_init(socket:soc, hostname:name);
rc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
if (rc != 1) {
NetUseDel();
exit(0);
}

# Connect to remote registry.
hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
if (isnull(hklm))
{
NetUseDel();
exit(0);
}

# Determine its version from the executable itself.
share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:path);
exe = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\dreamweaver.exe", string:path);
NetUseDel(close:FALSE);

rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
if (rc != 1)
{
NetUseDel();
exit(1);
}

fh = CreateFile(
file:exe,
desired_access:GENERIC_READ,
file_attributes:FILE_ATTRIBUTE_NORMAL,
share_mode:FILE_SHARE_READ,
create_disposition:OPEN_EXISTING
);

# Check the version
if (
!isnull(ver) &&
(
ver[0] < 8 ||
(ver[0] == 8 && ver[1] == 0 && ver[2] < 9)
)
)
{

if (info) {
report = strcat(
desc,
'\n\n',
'Plugin output :\n',
'\n',
info
);
security_hole(port:port, data:report);
}

Thanks you in advance

Take Care and Have Fun --John
_______________________________________________
Plugins-writers mailing list
Plugins-writers [at] list
http://mail.nessus.org/mailman/listinfo/plugins-writers

theall at tenablesecurity

Apr 10, 2007, 6:32 PM

Post #2 of 2 (1347 views)
Permalink

Re: Dreamweaver Plug In Code [In reply to]

On 04/10/07 13:20, jfvanmeter [at] comcast wrote:

> Hello, below is the code that i' think would verify the version of
> dreamweaver installed on a remote host. Would someone point out any
> mistakes or areas that I an improve on.

I'll give it a shot. I haven't looked at this particular app so the
general approach could be completely wrong. If so, you man want to if
it's possible to pull the version info out of a registry key or by
reading / parsing a file of some type.

> script_id(99999);

We recommend using script ids in the range 60000 - 62000 for custom plugins.

> script_copyright(english:"This script is Copyright (C) 2007 Tenable Network Security");

Aw, shucks, you give us too much credit!

> script_dependencies("smb_hotfixes.nasl", "opera_installed.nasl");

Not sure why you have 'opera_installed.nasl' here; it's not required.

> include("smb_func.inc");
> include("smb_hotfixes.inc");

These won't work if you intend to submit this as they're not part of the
GPL feed.

> # Determine its version from the executable itself.
> share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:path);
> exe = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\dreamweaver.exe", string:path);

'path' is uninitialized at this point. I don't know off-hand how
Dreamweaver works, but typically plugins pull this info from a registry
key, under HKLM. Take a look at quicktime_installed.nasl for a basic
example.

> fh = CreateFile(
> file:exe,
> desired_access:GENERIC_READ,
> file_attributes:FILE_ATTRIBUTE_NORMAL,
> share_mode:FILE_SHARE_READ,
> create_disposition:OPEN_EXISTING
> );

After this, typically you make sure that 'fh' is not null and then call
GetFileVersion() to get the file version info ('ver') from the specified
file; otherwise, 'ver' will remain uninitialized.

> # Check the version
> if (
> !isnull(ver) &&
> (
> ver[0] < 8 ||
> (ver[0] == 8 && ver[1] == 0 && ver[2] < 9)

Are you worried about versions before 8.0.9 or 8.0.2? The code checks
for the first yet your description talks about the second.

> if (info) {
> report = strcat(
> desc,
> '\n\n',
> 'Plugin output :\n',
> '\n',
> info
> );

Where do you set 'info'? I'd probably do away with this conditional
check and just issue the report, replacing 'info' in it with some text
saying what version you found and maybe the installation path. If your
tastes run towards less verbosity, just call:

security_hole(port);

and it will use the text you specified for 'desc'.

And lastly, you're missing a closing brace, at least in the copy you
posted, as well as calls to RegCloseKey() to close the hklm key, to
CloseFile() to close the file handle, and NetUseDel() when everything is
done.

George
--
theall [at] tenablesecurity
_______________________________________________
Plugins-writers mailing list
Plugins-writers [at] list
http://mail.nessus.org/mailman/listinfo/plugins-writers

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads