VisiWave Site Survey Report VWR File Handling Overflow - Nessus
High Plugin ID: 54644This page contains detailed information about the VisiWave Site Survey Report VWR File Handling Overflow Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.
Plugin Overview
ID: 54644
Name: VisiWave Site Survey Report VWR File Handling Overflow
Filename: visiwave_2_1_9.nasl
Vulnerability Published: 2011-05-20
This Plugin Published: 2011-05-25
Last Modification Time: 2018-08-06
Plugin Version: 1.11
Plugin Type: local
Plugin Family: Windows
Dependencies:
smb_hotfixes.nasl
Required KB Items [?]: SMB/Registry/Enumerated
Vulnerability Information
Severity: High
Vulnerability Published: 2011-05-20
Patch Published: 2011-05-20
CVE [?]: CVE-2011-2386
CPE [?]: cpe:/a:visiwave:site_survey
Synopsis
The remote Windows host has an application that is affected by a file handling overflow vulnerability.
Description
The version of VisiWave Site Survey on the remote host is earlier than 2.1.9 and thus reportedly contains a file handling overflow. If an attacker provides a malicious VWR file and convinces a user to open it with VisiWave, VisiWave may execute malicious code in the context of the user.
Solution
Upgrade to version 2.1.9 or above.
Public Exploits
Target Network Port(s): 139, 445
Target Asset(s): N/A
Exploit Available: True (Metasploit Framework, Exploit-DB, Core Impact)
Exploit Ease: Exploits are available
Here's the list of publicly known exploits and PoCs for verifying the VisiWave Site Survey Report VWR File Handling Overflow vulnerability:
- Metasploit: exploit/windows/fileformat/visiwave_vwr_type
[VisiWave VWR File Parsing Vulnerability] - Exploit-DB: exploits/windows/local/17317.rb
[EDB-17317: VisiWave - '.VWR' File Parsing Trusted Pointer (Metasploit)]
Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.
WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.
Risk Information
CVSS V2 Vector [?]: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C
| CVSS Base Score: | 9.3 (High) |
| Impact Subscore: | 10.0 |
| Exploitability Subscore: | 8.6 |
| CVSS Temporal Score: | 7.7 (High) |
| CVSS Environmental Score: | NA (None) |
| Modified Impact Subscore: | NA |
| Overall CVSS Score: | 7.7 (High) |
Go back to menu.
Plugin Source
This is the visiwave_2_1_9.nasl nessus plugin source code. This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(54644);
script_version("1.11");
script_cvs_date("Date: 2018/08/06 14:03:16");
script_cve_id("CVE-2011-2386");
script_bugtraq_id(47948);
script_xref(name:"EDB-ID", value:"17317");
script_xref(name:"Secunia", value:"44636");
script_name(english:"VisiWave Site Survey Report VWR File Handling Overflow");
script_summary(english:"Checks version of VisiWave");
script_set_attribute(attribute:"synopsis", value:
"The remote Windows host has an application that is affected by a file
handling overflow vulnerability.");
script_set_attribute(attribute:"description", value:
"The version of VisiWave Site Survey on the remote host is earlier than
2.1.9 and thus reportedly contains a file handling overflow. If an
attacker provides a malicious VWR file and convinces a user to open it
with VisiWave, VisiWave may execute malicious code in the context of
the user.");
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b223c9f4");
script_set_attribute(attribute:"solution", value:"Upgrade to version 2.1.9 or above.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'VisiWave VWR File Parsing Vulnerability');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2011/05/20");
script_set_attribute(attribute:"patch_publication_date", value:"2011/05/20");
script_set_attribute(attribute:"plugin_publication_date", value:"2011/05/25");
script_set_attribute(attribute:"cpe", value:"cpe:/a:visiwave:site_survey");
script_set_attribute(attribute:"plugin_type", value:"local");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows");
script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");
script_dependencies("smb_hotfixes.nasl");
script_require_keys("SMB/Registry/Enumerated");
script_require_ports(139, 445);
exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
include("smb_func.inc");
include("audit.inc");
get_kb_item_or_exit("SMB/Registry/Enumerated");
# Connect to the appropriate share.
name = kb_smb_name();
login = kb_smb_login();
pass = kb_smb_password();
domain = kb_smb_domain();
port = kb_smb_transport();
# Try to connect to server.
if(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');
# Connect to IPC share.
rc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
if (rc != 1)
{
NetUseDel();
exit(1, "Failed to connect to IPC share.");
}
# Connect to remote registry.
hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
if (isnull(hklm))
{
NetUseDel();
exit(1, "Failed to connect to the remote registry.");
}
# Get the installation path from the registry.
base = NULL;
key = "SOFTWARE\AZO Technologies, Inc.\VisiWave Site Survey";
key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
if (!isnull(key_h))
{
item = RegQueryValue(handle:key_h, item:"InstallDir");
if (!isnull(item))
base = ereg_replace(string:item[1], pattern:"^(.+)\\$", replace:"\1");
RegCloseKey(handle:key_h);
}
# Clean up.
RegCloseKey(handle:hklm);
NetUseDel(close:FALSE);
# Check if VisiWave is installed.
if (isnull(base))
{
NetUseDel();
exit(0, "VisiWave does not appear to be installed.");
}
# Split the software's location into components.
share = ereg_replace(string:base, pattern:"^([A-Za-z]):.*", replace:"\1$");
path = ereg_replace(string:base, pattern:"^[A-Za-z]:(.*)", replace:"\1");
file = "\VisiWave.exe";
# Connect to the share software is installed on.
rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
if (rc != 1)
{
NetUseDel();
exit(1, "Failed to connect to " + share + " share.");
}
# Get the version number from the main executable.
version = NULL;
fh = CreateFile(
file:path + file,
desired_access:GENERIC_READ,
file_attributes:FILE_ATTRIBUTE_NORMAL,
share_mode:FILE_SHARE_READ,
create_disposition:OPEN_EXISTING
);
if (!isnull(fh))
{
version = GetFileVersion(handle:fh);
CloseFile(handle:fh);
}
else
{
NetUseDel();
exit(1, "Failed to open " + base + file + ".");
}
# Clean up.
NetUseDel();
# Ensure that we got a version number.
if (isnull(version))
exit(1, "Failed to get version of " + base + file + ".");
# Check if the version is vulnerable.
fixed = "2.1.9.162";
version = join(version, sep:".");
if (ver_compare(ver:version, fix:fixed, strict:TRUE) >= 0)
exit(0, "VisiWave version " + version + " is not vulnerable.");
# Report our findings.
if (report_verbosity > 0)
{
report =
'\n Path : ' + base +
'\n Installed version : ' + version +
'\n Fixed version : ' + fixed +
'\n';
security_hole(port:port, extra:report);
}
else security_hole(port);
The latest version of this script can be found in these locations depending on your platform:
- Linux / Unix:
/opt/nessus/lib/nessus/plugins/visiwave_2_1_9.nasl - Windows:
C:\ProgramData\Tenable\Nessus\nessus\plugins\visiwave_2_1_9.nasl - Mac OS X:
/Library/Nessus/run/lib/nessus/plugins/visiwave_2_1_9.nasl
Go back to menu.
How to Run
Here is how to run the VisiWave Site Survey Report VWR File Handling Overflow as a standalone plugin via the Nessus web user interface (https://localhost:8834/):
- Click to start a New Scan.
- Select Advanced Scan.
- Navigate to the Plugins tab.
- On the top right corner click to Disable All plugins.
- On the left side table select Windows plugin family.
- On the right side table select VisiWave Site Survey Report VWR File Handling Overflow plugin ID 54644.
- Specify the target on the Settings tab and click to Save the scan.
- Run the scan.
Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.
Basic usage:
/opt/nessus/bin/nasl visiwave_2_1_9.nasl -t <IP/HOST>Run the plugin with audit trail message on the console:
/opt/nessus/bin/nasl -a visiwave_2_1_9.nasl -t <IP/HOST>Run the plugin with trace script execution written to the console (useful for debugging):
/opt/nessus/bin/nasl -T - visiwave_2_1_9.nasl -t <IP/HOST>Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):
/opt/nessus/bin/nasl -K /tmp/state visiwave_2_1_9.nasl -t <IP/HOST>Go back to menu.
References
BID | SecurityFocus Bugtraq ID: Secunia Advisory: See also:
- https://www.tenable.com/plugins/nessus/54644
- http://www.nessus.org/u?b223c9f4
- https://vulners.com/nessus/VISIWAVE_2_1_9.NASL
- 42977 - Altiris ConsoleUtilities ActiveX RunCmd Method Overflow
- 43060 - Novell iPrint Client < 5.32 Multiple Overflows
- 44338 - Wireshark / Ethereal Dissector LWRES Multiple Buffer Overflows
- 45593 - HP Operations Manager SourceView ActiveX LoadFile / SaveFile Stack Overflows
- 46733 - SyncBack Profile File Remote Buffer Overflow
- 47701 - Xftp < 3.0 Build 242 LIST Response Buffer Overflow
- 48323 - QuickTime < 7.6.7 QuickTimeStreaming.qtx SMIL File Debug Logging Overflow (Windows)
- 50382 - Firefox < 3.5.15 Buffer Overflow
- 50383 - Firefox 3.6 < 3.6.12 Buffer Overflow
- 50384 - Mozilla Thunderbird < 3.0.10 Buffer Overflow
- 50385 - Mozilla Thunderbird 3.1 < 3.1.6 Buffer Overflow
- 50386 - SeaMonkey < 2.0.10 Buffer Overflow
- 51091 - Winamp < 5.601 MIDI Timestamp Stack-based Buffer Overflow
- 51894 - SigPlus Pro ActiveX Control LCDWriteString() Method HexString Parameter Overflow
- 52976 - VLC Media Player < 1.1.8 Multiple Buffer Overflows
- 53536 - Novell File Reporter Agent XML Tag Handling Buffer Overflow
- 54606 - Adobe Audition < CS5.5 Multiple SES Session File Processing Overflows (APSB11-10)
- 54922 - IBM Lotus Notes Attachment Handling Multiple Buffer Overflows
- 55471 - Novell File Reporter Engine RECORD Element Tag Parsing Overflow (credentialed check)
- 56682 - Novell iPrint Client < 5.72 nipplib.dll GetDriverSettings Function Buffer Overflow
- 57062 - Trend Micro Control Manager CmdProcessor.exe Remote Buffer Overflow
- 58005 - Firefox 10.x < 10.0.2 'png_decompress_chunk' Integer Overflow
- 58006 - Firefox 3.6.x < 3.6.27 'png_decompress_chunk' Integer Overflow
- 58007 - Mozilla Thunderbird 10.x < 10.0.2 'png_decompress_chunk' Integer Overflow
- 58008 - Mozilla Thunderbird 3.1.x < 3.1.19 'png_decompress_chunk' Integer Overflow
- 58009 - SeaMonkey < 2.7.2 'png_decompress_chunk' Integer Overflow
- 58386 - XnView < 1.98.6 Multiple Buffer Overflow Vulnerabilities
- 58389 - IBM Tivoli Provisioning Manager Express for Software Distribution Isig.isigCtl.1 ActiveX RunAndUploadFile Method Boundary Error Remote Overflow
- 58482 - Cisco Linksys PlayerPT ActiveX SetSource() Method base64string Argument Parsing Remote Overflow
- 58483 - Dell Webcam CrazyTalk ActiveX Remote Overflow
- 58591 - D-Link DCS-5605 Network Surveillance DcsCliCtrl.dll ActiveX Control SelectDirectory() Method Buffer Overflow
- 58597 - TRENDnet SecurView UltraMJCam ActiveX Control OpenFileDlg Method WideCharToMultiByte() Call Remote Overflow
- 58649 - Bitsmith Software Personal Knowbase knowbase.exe FileOpen Dialogue Local Overflow
- 58769 - Netop Remote Control dws File Handling Overflow
Version
This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file visiwave_2_1_9.nasl version 1.11. For more plugins, visit the Nessus Plugin Library.
Go back to menu.
