CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
EPSS
Percentile
96.2%
The remote host is missing KB955759. This KB mitigates multiple vulnerabilities in the Indeo video codec by preventing it from being used by Internet Explorer or Windows Media Player. A remote attacker can exploit these issues by tricking a user into viewing a maliciously crafted video file, resulting in the execution of arbitrary code.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(43089);
script_version("1.21");
script_set_attribute(attribute:"plugin_modification_date", value:"2020/08/05");
script_cve_id(
"CVE-2009-4210",
"CVE-2009-4309",
"CVE-2009-4310",
"CVE-2009-4311",
"CVE-2009-4312",
"CVE-2009-4313"
);
script_bugtraq_id(
37251,
80529,
82335,
82338,
82341
);
script_xref(name:"IAVB", value:"2009-B-0069-S");
script_xref(name:"MSKB", value:"955759");
script_name(english:"MS KB955759: Security Enhancements for the Indeo Codec");
script_summary(english:"Checks the version of Aclayers.dll.");
script_set_attribute(attribute:"synopsis", value:
"The remote host is missing a security update that mitigates multiple
vulnerabilities in a video codec.");
script_set_attribute(attribute:"description", value:
"The remote host is missing KB955759. This KB mitigates multiple
vulnerabilities in the Indeo video codec by preventing it from being
used by Internet Explorer or Windows Media Player. A remote attacker
can exploit these issues by tricking a user into viewing a maliciously
crafted video file, resulting in the execution of arbitrary code.");
# https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2009/954157
script_set_attribute(attribute:"see_also", value:"https://www.nessus.org/u?3a6fcdc9");
script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/955759");
script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows 2000, XP, and
2003.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_cwe_id(94, 119);
script_set_attribute(attribute:"vuln_publication_date", value:"2009/12/08");
script_set_attribute(attribute:"patch_publication_date", value:"2009/12/08");
script_set_attribute(attribute:"plugin_publication_date", value:"2009/12/09");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe",value:"cpe:/o:microsoft:windows");
script_set_attribute(attribute:"stig_severity", value:"II");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows");
script_copyright(english:"This script is Copyright (C) 2009-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("smb_hotfixes.nasl");
script_require_keys("SMB/Registry/Enumerated", "SMB/WindowsVersion");
script_require_ports(139, 445);
exit(0);
}
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("audit.inc");
include("misc_func.inc");
ACCESS_DENIED_ACE_TYPE = 0x01;
if (!get_kb_item("SMB/WindowsVersion")) exit(1, "SMB/WindowsVersion KB item is missing.");
if (hotfix_check_sp(win2k:6, xp:4, win2003:3) <= 0) exit(0, "Host is not affected based on its version / service pack.");
if (!is_accessible_share()) exit(1, "is_accessible_share() failed.");
if (
# Windows 2003 / XP SP2 x64
hotfix_is_vulnerable(os:"5.2", sp:2, file:"Aclayers.dll", version:"5.2.3790.4624", dir:"\AppPatch") ||
# Windows XP x86
hotfix_is_vulnerable(os:"5.1", sp:2, arch:"x86", file:"Aclayers.dll", version:"5.1.2600.3637", dir:"\AppPatch") ||
hotfix_is_vulnerable(os:"5.1", sp:3, arch:"x86", file:"Aclayers.dll", version:"5.1.2600.5906", dir:"\AppPatch") ||
# Windows 2000
hotfix_is_vulnerable(os:"5.0", file:"Aclayers.dll", version:"5.0.2195.7358", dir:"\AppPatch")
)
{
# If KB955759 hasn't been applied, check if the relevant DLLs have been
# 1) unregistered, or 2) deleted
dlls = make_list(
'ir32_32.dll',
'ir41_qc.dll',
'ir41_qcx.dll',
'ir50_32.dll',
'ir50_qc.dll',
'ir50_qcx.dll'
);
share = ereg_replace(pattern:'^([A-Za-z]):.*', replace:"\1$", string:hotfix_get_systemroot());
path = ereg_replace(string:hotfix_get_systemroot(), pattern:'^[A-Za-z]:(.*)', replace:"\1\system32\");
vuln_dlls = make_list();
NetUseDel(close:FALSE);
r = NetUseAdd(login:kb_smb_login(), password:kb_smb_password(), domain:kb_smb_domain(), share:share);
if ( r != 1 )
{
hotfix_check_fversion_end();
exit(1, "Can't connect to '"+share+"' share.");
}
foreach dll (dlls)
{
fh = CreateFile(
file:path + dll,
desired_access:GENERIC_READ,
file_attributes:FILE_ATTRIBUTE_NORMAL,
share_mode:FILE_SHARE_READ,
create_disposition:OPEN_EXISTING
);
if (!fh) continue; # unable to open file (it was probably deleted)
sd = GetSecurityInfo(handle:fh, level:DACL_SECURITY_INFORMATION);
if (isnull(sd))
exit(1, "Unable to access security descriptor for "+path+dll+".");
dacl = sd[3];
if (isnull(dacl))
exit(1, "Unable to retrieve DACL for "+path+dll+".");
CloseFile(handle:fh);
dacl = parse_pdacl(blob:dacl);
if (isnull(dacl))
exit(1, "Error parsing DACL.");
vuln = make_array();
foreach ace (dacl)
{
ace = parse_dacl(blob:ace);
if (isnull(ace))
{
err_print("Error parsing ACE.");
continue;
}
rights = ace[0];
type = ace[3];
sid = sid2string(sid:ace[1]);
if (isnull(sid))
{
err_print(1, "Error parsing SID.");
continue;
}
# Check ACEs for SYSTEM, Users, Power Users, and Administrators
# only if we haven't already determined whether or not
# read & execute is allowed
if (
(sid == '1-5-18' || sid == '1-5-32-545' ||
sid == '1-5-32-547' || sid == '1-5-32-544') &&
!vuln[sid]
)
{
if (
rights & FILE_GENERIC_READ == FILE_GENERIC_READ &&
rights & FILE_GENERIC_EXECUTE == FILE_GENERIC_EXECUTE
) vuln[sid] = type != ACCESS_DENIED_ACE_TYPE;
}
}
# If read & execute is allowed for any of the SIDs we checked for,
# the system is vulnerable
foreach allowed (vuln)
{
if (allowed)
{
vuln_dlls = make_list(vuln_dlls, dll);
break;
}
}
}
if (max_index(vuln_dlls) > 0)
{
extra = '\nAdditionally, the following DLLs have not been deleted/unregistered :\n\n';
foreach dll (vuln_dlls)
extra += hotfix_get_systemroot()+"\system32\"+dll+'\n';
hotfix_add_report(extra);
hotfix_security_hole();
hotfix_check_fversion_end();
exit(0);
}
else
{
hotfix_check_fversion_end();
exit(0, "KB955759 hasn't been installed, but the Indeo DLLs have been deleted or unregistered, therefore the system is not affected.");
}
}
else
{
hotfix_check_fversion_end();
exit(0, "KB955759 has been installed, therefore the system is not affected.");
}
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4210
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4309
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4310
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4311
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4312
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4313
support.microsoft.com/en-us/help/955759
www.nessus.org/u?3a6fcdc9