This plugin originally checked for the workaround described in Microsoft Security Advisory 2737111, and has been deprecated due to the publication of MS12-067. Microsoft has released a patch that makes the workaround unnecessary. To check for the patch, use Nessus plugin ID xxxxx.
#%NASL_MIN_LEVEL 999999
#
# (C) Tenable Network Security, Inc.
#
# @DEPRECATED@
#
# Disabled on 2012/10/09. Deprecated by smb_nt_ms12-067.nasl.
include("compat.inc");
if (description)
{
script_id(60155);
script_version("1.14");
script_cvs_date("Date: 2018/07/27 18:38:15");
script_cve_id(
"CVE-2012-1766",
"CVE-2012-1767",
"CVE-2012-1768",
"CVE-2012-1769",
"CVE-2012-1770",
"CVE-2012-1771",
"CVE-2012-1772",
"CVE-2012-1773",
"CVE-2012-3106",
"CVE-2012-3107",
"CVE-2012-3108",
"CVE-2012-3109",
"CVE-2012-3110"
);
script_bugtraq_id(
54497,
54500,
54504,
54506,
54511,
54531,
54536,
54541,
54543,
54546,
54548,
54550,
54554
);
script_xref(name:"CERT", value:"118913");
script_xref(name:"Secunia", value:"49936");
script_name(english:"Microsoft Security Advisory 2737111: Vulnerabilities in FAST Search Server 2010 for SharePoint Parsing Could Allow Remote Code Execution (deprecated)");
script_summary(english:"Checks if workarounds are being used");
script_set_attribute(
attribute:"synopsis",
value:"This plugin has been deprecated."
);
script_set_attribute(
attribute:"description",
value:
"This plugin originally checked for the workaround described in
Microsoft Security Advisory 2737111, and has been deprecated due to
the publication of MS12-067. Microsoft has released a patch that
makes the workaround unnecessary. To check for the patch, use Nessus
plugin ID xxxxx."
);
script_set_attribute(attribute:"solution",value:"n/a");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2012/07/19");
script_set_attribute(attribute:"plugin_publication_date", value:"2012/07/30");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows");
script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");
script_dependencies("fast_search_server_installed.nasl");
script_require_keys("SMB/fast_search_server/path", "SMB/fast_search_server/prodtype");
script_require_ports(139, 445);
exit(0);
}
exit(0, "This plugin has been deprecated. Use smb_nt_ms12-067.nasl (plugin ID 62462) instead.");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("audit.inc");
global_var login, pass, domain;
##
# checks whether or not the given configuration file is using the
# workaround described by kb2737111
#
# @anonparam path path of the XML configuration file to check
# @return the line of the config file that indicates the workaround isn't being used,
# NULL otherwise
##
function _is_fast_vulnerable()
{
local_var path, vuln_line, rc, fh, len, data, match, share, dir, parts, xml, line;
path = _FCT_ANON_ARGS[0];
vuln_line = NULL;
parts = split(path, sep:':', keep:FALSE);
share = parts[0] + '$';
xml = parts[1];
rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
if (rc != 1)
{
NetUseDel(close:FALSE);
return NULL;
}
fh = CreateFile(
file:xml,
desired_access:GENERIC_READ,
file_attributes:FILE_ATTRIBUTE_NORMAL,
share_mode:FILE_SHARE_READ,
create_disposition:OPEN_EXISTING
);
if (fh)
{
# This file was a little over 2k. the 4k cap is a sanity check and should be more than enough
len = GetFileSize(handle:fh);
if (len > 4096) len = 4096;
data = ReadFile(handle:fh, length:len, offset:0);
if (strlen(data) == len)
{
foreach line (split(data, sep:'\n', keep:FALSE))
{
match = eregmatch(string:line, pattern:'name="SearchExportConverter" active="([^"]+)"');
if (match[1] == 'yes')
vuln_line = line;
}
}
CloseFile(handle:fh);
}
NetUseDel(close:FALSE);
return vuln_line;
}
if (get_kb_item('SMB/fast_search_server/prodtype') == 'forSharePoint')
fast_path = get_kb_item('SMB/fast_search_server/path');
if (isnull(fast_path))
audit(AUDIT_NOT_INST, 'FAST Search Server for SharePoint');
name = kb_smb_name();
port = kb_smb_transport();
if (!get_port_state(port)) audit(AUDIT_PORT_CLOSED, port);
login = kb_smb_login();
pass = kb_smb_password();
domain = kb_smb_domain();
soc = open_sock_tcp(port);
if (!soc) audit(AUDIT_SOCK_FAIL, port);
session_init(socket:soc, hostname:name);
report = NULL;
if (fast_path)
{
xml_path = fast_path + "\etc\config_data\DocumentProcessor\optionalprocessing.xml";
if (line = _is_fast_vulnerable(xml_path))
{
report +=
'\nThe workaround for FAST Search Server 2010 for SharePoint is not being' +
'\nused. Nessus determined this by reading the following file : ' +
'\n\n' + xml_path +
'\n\nwhich contains the following line :' +
'\n\n' + line;
}
}
NetUseDel();
if (isnull(report))
audit(AUDIT_HOST_NOT, 'affected');
if (report_verbosity > 0)
{
report += '\n';
security_hole(port:port, extra:report);
}
else security_hole(port);
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1766
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1767
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1768
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1769
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1770
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1771
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1772
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1773
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3106
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3107
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3108
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3109
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3110