IBM Notes 8.5 < 8.5.3 IF4 HF2 / 9.0 < 9.0 IF2 Password Disclosure

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(66942);
  script_version("1.9");
  script_cvs_date("Date: 2018/07/14  1:59:37");

  script_cve_id("CVE-2013-0534");
  script_bugtraq_id(60536);

  script_name(english:"IBM Notes 8.5 < 8.5.3 IF4 HF2 / 9.0 < 9.0 IF2 Password Disclosure");
  script_summary(english:"Checks version of IBM Notes");

  script_set_attribute(attribute:"synopsis", value:
"The remote host has software installed that is affected by an
information disclosure vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote host has a version of Lotus Notes 8.5.x earlier than 8.5.3
Fix Pack 4 Interim Fix 2 or 9.0 earlier than Interim Fix 2. As such,
it is potentially affected by an information disclosure vulnerability.
IBM Notes may fail to zero the plaintext password within memory,
leaving the plaintext password accessible to an attacker with the
ability to access memory on the user's local workstation.");
  script_set_attribute(attribute:"solution", value:
"Upgrade to IBM Notes 8.5.3 FP4 Interim Fix 2 / 9.0 Interim Fix 2 or
later.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  # https://www.ibm.com/blogs/psirt/security-bulletin-ibm-notes-may-fail-to-zero-the-plaintext-password-within-memory-cve-2013-0534/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9823bbd2");
  script_set_attribute(attribute:"see_also", value:"https://www-304.ibm.com/support/docview.wss?uid=swg21636154");

  script_set_attribute(attribute:"vuln_publication_date", value:"2013/06/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/06/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/06/20");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:lotus_notes");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.");

  script_dependencies("lotus_notes_installed.nasl");
  script_require_keys("SMB/Lotus_Notes/Installed");
  script_require_ports(139, 445);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("smb_func.inc");
include("smb_hotfixes_fcheck.inc");

appname = 'IBM Lotus Notes';
kb_base = 'SMB/Lotus_Notes/';

version = get_kb_item_or_exit(kb_base + 'Version');
path = get_kb_item_or_exit(kb_base + 'Path');
ver_ui = get_kb_item_or_exit(kb_base + 'Version_UI');

name   = kb_smb_name();
port   = kb_smb_transport();

login  = kb_smb_login();
pass   = kb_smb_password();
domain = kb_smb_domain();

# Try to connect to the server

if(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');

path = ereg_replace(pattern:"^(.+)\\$", replace:"\1", string:path);
share = hotfix_path2share(path:path);

rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
if (rc != 1)
{
  NetUseDel();
  audit(AUDIT_SHARE_FAIL, share);
}

vuln = FALSE;
fixver = '';
if (version =~ '^8\\.5\\.' && ver_compare(ver:version, fix:'8.5.34.13086') < 0)
{
  vuln = TRUE;
  fixver = '8.5.34.13086';
}
else if (version =~ '^9\\.' && ver_compare(ver:version, fix:'9.0.0.13067') < 0)
{
  vuln = TRUE;
  fixver = '9.0.0.13067';
}

fixtimestamp = '';
if (!vuln)
{
  # If the version is FP4 or 9.0, we have to check the timestamp
  if (version == '8.5.34.13086' || version == '9.0.0.13067')
  {
    exe = ereg_replace(pattern:'^[A-Za-z]:(.*)', replace:"\1\notes.exe", string:path);
    fh = CreateFile(
      file:exe,
      desired_access:GENERIC_READ,
      file_attributes:FILE_ATTRIBUTE_NORMAL,
      share_mode:FILE_SHARE_READ,
      create_disposition:OPEN_EXISTING
    );
    if (isnull(fh))
    {
      NetUseDel();
      audit(AUDIT_VER_FAIL, exe);
    }
    ret = GetFileVersionEx(handle:fh);
    CloseFile(handle:fh);
    if (!isnull(ret))
    {
      timestamp = ret['dwTimeDateStamp'];
    }
    if (isnull(timestamp))
    {
     NetUseDel();
      exit(1, 'Failed to get the timestamp of ' + path + "\notes.exe");
    }
    if (version =~ '^8\\.' && int(timestamp) < 1364459259)
    {
      fixtimestamp = '1364459259';
      vuln = TRUE;
    }
    else if (version =~ '^9\\.' && int(timestamp) < 1362817062)
    {
      fixtimestamp = '1362817062';
      vuln = TRUE;
    }
  }
}
NetUseDel();

if (vuln)
{
  if (report_verbosity > 0)
  {
    report =
      '\n  Path              : ' + path +
      '\n  Installed version : ' + version;
    if (fixtimestamp)
    {
      report +=
        '\n  File              : ' + path + "\notes.exe" +
        '\n  File Timestamp    : ' + timestamp +
        '\n  Fixed Timestamp   : ' + fixtimestamp + '\n';
    }
    else
    {
      report +=
        '\n  Fixed version     : ' + fixver + '\n';
    }
    security_note(port:port, extra:report);
  }
  else security_note(port);
  exit(0);
}
else audit(AUDIT_INST_PATH_NOT_VULN, appname, ver_ui, path);