
UltraVNC Viewer < 1.0.5.4 Multiple Integer Overflows

2009-02-06 00:00:00
This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.899 High

EPSS

Percentile

98.8%

The installed version of UltraVNC Viewer is earlier than 1.0.5.4. Such versions reportedly miscalculate a buffer size on the heap. If an attacker can trick a user on the remote host into connecting to a malicious server, the attacker can probably exploit this issue using specially crafted messages to execute code on the affected host subject to the user’s privileges.

Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.

#
# (C) Tenable Network Security, Inc.
#



include("compat.inc");

# Plugin registration: everything below runs only when Nessus loads the
# script to collect its metadata; the actual check starts after this block.
if (description)
{
  script_id(35608);
  script_version("1.12");
  script_cvs_date("Date: 2019/09/16 11:41:12");

  # External references for the flaw this plugin reports on.
  script_cve_id("CVE-2009-0388");
  script_bugtraq_id(33568);
  script_cwe_id(189);

  script_name(english:"UltraVNC Viewer < 1.0.5.4 Multiple Integer Overflows");
  script_summary(english:"Checks version of vncviewer.exe");

  # Report text shown to the user when the plugin fires.
  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host has an application that is affected by multiple integer overflows.");
  script_set_attribute(attribute:"description", value:
"The installed version of UltraVNC Viewer is earlier than 1.0.5.4. Such versions reportedly miscalculate a buffer size
on the heap. If an attacker can trick a user on the remote host into connecting to a malicious server, the attacker can
probably exploit this issue using specially crafted messages to execute code on the affected host subject to the user's
privileges.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"http://www.coresecurity.com/content/vnc-integer-overflows");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/500632/30/0/threaded");
  script_set_attribute(attribute:"see_also", value:"http://www.uvnc.com/download/1054/");
  script_set_attribute(attribute:"solution", value:"Upgrade to UltraVNC 1.0.5.4 or later.");

  # Scoring: CVSSv2 / CVSSv3 base and temporal vectors plus exploit metadata.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2009-0388");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");

  script_set_attribute(attribute:"plugin_publication_date", value:"2009/02/06");

  # A local (credentialed) check against the product's CPE.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:ultravnc:ultravnc");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # The check needs the registry enumeration results from the dependencies
  # and an SMB transport to read the executable.
  script_dependencies("smb_enum_services.nasl", "smb_hotfixes.nasl");
  script_require_keys("SMB/Registry/Enumerated");
  script_require_ports(139, 445);

  exit(0);
}


include('smb_func.inc');
include('audit.inc');
include('smb_hotfixes.inc');

# Bail out quietly unless a dependency already enumerated the remote
# registry into the KB; without it there is nothing to look up.
if (!get_kb_item('SMB/Registry/Enumerated'))
{
  exit(0);
}


# Detect where UltraVNC's installed.
#
# Walk every Uninstall entry's DisplayName collected in the KB; the first
# one starting with "UltraVNC" gives us the uninstall key to inspect.
display_names = get_kb_list('SMB/Registry/HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall/*/DisplayName');
if (isnull(display_names)) exit(0);

key = NULL;
foreach kb_entry (keys(display_names))
{
  display = display_names[kb_entry];
  if (!display || display !~ "^UltraVNC") continue;

  # Reduce the KB name to the registry path below HKLM, then turn the
  # KB's '/' separators back into the registry's '\' separators.
  key = ereg_replace(pattern:"^SMB\/Registry\/HKLM\/(.+)\/DisplayName$", replace:"\1", string:kb_entry);
  key = str_replace(find:"/", replace:"\", string:key);
  break;
}
if (isnull(key)) exit(0);


# Connect to the appropriate share.
#
# SMB credentials and transport come from the KB populated by the
# dependencies; 'port' is reused later when reporting.
name    = kb_smb_name();
port    = kb_smb_transport();
login   = kb_smb_login();
pass    = kb_smb_password();
domain  = kb_smb_domain();

if (!smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');

# IPC$ is required for the remote registry calls that follow.
if (NetUseAdd(login:login, password:pass, domain:domain, share:'IPC$') != 1)
{
  NetUseDel();
  exit(0);
}

# Connect to remote registry.
hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
if (isnull(hklm))
{
  NetUseDel();
  exit(0);
}


# Find the install path.
#
# Read InstallLocation from the uninstall key found above; element 1 of the
# array returned by RegQueryValue holds the value data.
path = NULL;

hkey_prod = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
if (!isnull(hkey_prod))
{
  value = RegQueryValue(handle:hkey_prod, item:'InstallLocation');
  if (!isnull(value))
  {
    # Drop a single trailing backslash so the share/exe split below is uniform.
    path = ereg_replace(pattern:"^(.+)\\$", replace:"\1", string:value[1]);
  }
  RegCloseKey(handle:hkey_prod);
}
RegCloseKey(handle:hklm);

if (isnull(path))
{
  NetUseDel();
  exit(0);
}


# Grab the version and description from the executable.
#
# Split "X:\dir" into the administrative share ("X$") and the path of
# vncviewer.exe relative to that share.
share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:path);
exe   = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\vncviewer.exe", string:path);

# Switch from IPC$ to the drive share while keeping the SMB session open.
NetUseDel(close:FALSE);
if (NetUseAdd(login:login, password:pass, domain:domain, share:share) != 1)
{
  NetUseDel();
  exit(0);
}

# Read the file version resource; 'ver' stays NULL if the file is missing
# or unreadable, which the check below treats as "nothing to report".
ver = NULL;
hfile = CreateFile(
  file:exe,
  desired_access:GENERIC_READ,
  file_attributes:FILE_ATTRIBUTE_NORMAL,
  share_mode:FILE_SHARE_READ,
  create_disposition:OPEN_EXISTING
);
if (!isnull(hfile))
{
  ver = GetFileVersion(handle:hfile);
  CloseFile(handle:hfile);
}
NetUseDel();


# Check the version number.
#
# This is a version comparison only (no active test); the installed
# version is flagged when it sorts below the fixed release 1.0.5.4.
if (!isnull(ver))
{
  # Fixed version as a list of integers for component-wise comparison.
  fix = split('1.0.5.4', sep:'.', keep:FALSE);
  for (i=0; i<max_index(fix); i++)
    fix[i] = int(fix[i]);

  # Compare left to right; the first differing component decides.
  vuln = FALSE;
  for (i=0; i<max_index(ver); i++)
  {
    if (ver[i] < fix[i])
    {
      vuln = TRUE;
      break;
    }
    if (ver[i] > fix[i]) break;
  }

  if (vuln)
  {
    if (report_verbosity)
    {
      version = ver[0] + '.' + ver[1] + '.' + ver[2] + '.' + ver[3];

      report =
        '\n' +
        'UltraVNC Viewer ' + version + ' is installed under :\n' +
        '\n' +
        '  ' + path + '\n';
      security_hole(port:port, extra:report);
    }
    else security_hole(port);
  }
}

Vendor: ultravnc; Product: ultravnc; CPE: cpe:/a:ultravnc:ultravnc
