OVAL 1456

Clifford Farrugia
OVAL 1456

Hi,

I have attached a fixed version of OVAL 1456 which had an issue with the path of msmapi32.dll. The path included “1033” as one of the directories, and the issue is that 1033 refers to the English version of Windows. Other languages have different values.

On another note, I would like to take a look at the checks I sent, especially in the fixed oval:org.mitre.oval:obj:691. There, I am getting the full path (including filename) from the registry, and therefore leaving the filename blank. The MITRE OVAL interpreter, however, is not treating this correctly, and is adding a trailing “\” after the filename, and therefore giving an error. Other objects such as oval:org.mitre.oval:obj:718 as used in OVAL definition 1402 do not have the same issue. I have checked the differences thoroughly, and the only meaningful difference that I was able to find was that in my check, I’m reading from an ordinary registry value, while in obj 718, the value is being retrieved from the (Default) value of a registry key. Am I missing something here or is this a bug in the OVAL interpreter?

Regards,

Clifford Farrugia - clifford@...
Security Researcher - GFI Software - www.gfi.com
Messaging, Content Security & Network Security Software
Tel: +356 21382418 (ext. 224)     Fax: +356 21382419

DISCLAIMER
The information contained in this electronic mail may be confidential or legally privileged. It is for the intended recipient(s) only. Should you receive this message in error, please notify the sender by replying to this mail. Unless expressly stated, opinions in this message are those of the individual sender and not of GFI. Unauthorized use of the contents is strictly prohibited. While all care has been taken, GFI is not responsible for the integrity of the contents of this electronic mail and any attachments included within.

This mail was checked for viruses by GFI MailSecurity. GFI also develops anti-spam software (GFI MailEssentials), a fax server (GFI FAXmaker), and network security and management software (GFI LANguard) - www.gfi.com

To unsubscribe, send an email message to LISTSERV@... with SIGNOFF OVAL-DISCUSSION-LIST in the BODY of the message. If you have difficulties, write to OVAL-DISCUSSION-LIST-request@....
<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows windows-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <generator>
    <oval:product_name>The OVAL Repository</oval:product_name>
    <oval:schema_version>5.4</oval:schema_version>
    <oval:timestamp>2008-04-21T08:22:11.116-04:00</oval:timestamp>
  </generator>
  <definitions>
    <definition id="oval:org.mitre.oval:def:1456" version="2" class="vulnerability">
      <metadata>
        <title>Outlook 2003 TNEF Decoding Vulnerability</title>
        <affected family="windows">
          <platform>Microsoft Windows NT</platform>
          <platform>Microsoft Windows 2000</platform>
          <platform>Microsoft Windows XP</platform>
          <platform>Microsoft Windows Server 2003</platform>
          <product>Microsoft Outlook</product>
        </affected>
        <reference source="CVE" ref_id="CVE-2006-0002" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0002"/>
        <description>Unspecified vulnerability in Microsoft Outlook 2000 through 2003, Exchange 5.0 Server SP2 and 5.5 SP4, Exchange 2000 SP3, and Office allows remote attackers to execute arbitrary code via an e-mail message with a crafted Transport Neutral Encapsulation Format (TNEF) MIME attachment, related to message length validation.</description>
        <oval_repository>
          <dates>
            <submitted date="2006-01-11T12:56:00.000-04:00">
              <contributor organization="ThreatGuard, Inc.">Robert L. Hollis</contributor>
            </submitted>
            <status_change date="2006-01-12T09:21:00.000-04:00">DRAFT</status_change>
            <status_change date="2006-02-01T09:08:00.000-04:00">INTERIM</status_change>
            <status_change date="2006-02-22T08:27:00.000-04:00">ACCEPTED</status_change>
            <modified comment="Fix to regex, target pattern in ste:826 is not always ALL CAPS." date="2007-01-10T16:47:00.128-05:00">
              <contributor organization="ThreatGuard, Inc.">Robert L. Hollis</contributor>
            </modified>
            <status_change date="2007-01-10T16:47:44.225-05:00">INTERIM</status_change>
            <status_change date="2007-02-20T13:39:44.364-05:00">ACCEPTED</status_change>
            <modified comment="References registry value for Common Files directory due to multilingual support" date="2008-04-14T11:07:00.658-04:00">
              <contributor organization="GFI Software">Clifford Farrugia</contributor>
            </modified>
            <status_change date="2008-04-14T12:26:28.959-04:00">INTERIM</status_change>
            <modified comment="References different registry key for msmapi32.dll path due to differences in non-English OS installations" date="2008-04-21T09:50:00.658-04:00">
              <contributor organization="GFI Software">Clifford Farrugia</contributor>
            </modified>
          </dates>
          <status>INTERIM</status>
        </oval_repository>
      </metadata>
      <criteria comment="Software section" operator="AND">
        <criterion comment="Outlook 2003 is installed" negate="false" test_ref="oval:org.mitre.oval:tst:922"/>
        <criterion comment="the version of msmapi32.dll is greater than 11.0.6566.0" negate="true" test_ref="oval:org.mitre.oval:tst:921"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <registry_test id="oval:org.mitre.oval:tst:922" version="2" comment="Outlook 2003 is installed" check_existence="at_least_one_exists" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <object object_ref="oval:org.mitre.oval:obj:692"/>
      <state state_ref="oval:org.mitre.oval:ste:826"/>
    </registry_test>
    <file_test id="oval:org.mitre.oval:tst:921" version="2" check="at least one" comment="the version of msmapi32.dll is greater than 11.0.6566.0" check_existence="at_least_one_exists" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <object object_ref="oval:org.mitre.oval:obj:691"/>
      <state state_ref="oval:org.mitre.oval:ste:825"/>
    </file_test>
  </tests>
  <objects>
    <registry_object id="oval:org.mitre.oval:obj:692" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <hive>HKEY_LOCAL_MACHINE</hive>
      <key>SOFTWARE\Microsoft\Office\11.0\Outlook\InstallRoot</key>
      <name>Path</name>
    </registry_object>
    <file_object id="oval:org.mitre.oval:obj:691" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <path var_ref="oval:com.gfi.oval:var:2"/>
      <filename/>
    </file_object>
    <registry_object id="oval:com.gfi.oval:obj:3" version="1" comment="The registry key that identifies the location of msmapi32.dll if Outlook 2003 is installed." xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <hive>HKEY_LOCAL_MACHINE</hive>
      <key>SOFTWARE\Clients\Mail\Microsoft Outlook</key>
      <name>DLLPathEx</name>
    </registry_object>
  </objects>
  <states>
    <registry_state id="oval:org.mitre.oval:ste:826" version="2" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <value operation="pattern match">.*[Oo][Ff][Ff][Ii][Cc][Ee]11.*</value>
    </registry_state>
    <file_state id="oval:org.mitre.oval:ste:825" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <version datatype="version" operation="greater than">11.0.6566.0</version>
    </file_state>
  </states>
  <variables>
    <local_variable id="oval:com.gfi.oval:var:2" comment="Outlook 2003 msmapi32.dll path" version="1" datatype="string">
      <object_component item_field="value" object_ref="oval:com.gfi.oval:obj:3"/>
    </local_variable>
  </variables>
</oval_definitions>
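
The pattern raised in this thread (a file_object with an empty filename whose path is fed from a registry value that already holds the full file path) can be located mechanically in OVAL content. The Python below is an added example, not part of the original posts and not code from the OVAL Interpreter; the function names, the constructed sample, and the assumption that a collector joins path and filename with a backslash are illustrative.

```python
import xml.etree.ElementTree as ET

DEF = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
WIN = DEF + "#windows"
# Constructed sample: objects and variable trimmed from the attachment above.
SAMPLE = f"""<oval_definitions xmlns="{DEF}">
  <objects>
    <file_object id="oval:org.mitre.oval:obj:691" version="1" xmlns="{WIN}">
      <path var_ref="oval:com.gfi.oval:var:2"/>
      <filename/>
    </file_object>
    <registry_object id="oval:com.gfi.oval:obj:3" version="1" xmlns="{WIN}">
      <hive>HKEY_LOCAL_MACHINE</hive>
      <key>SOFTWARE\\Clients\\Mail\\Microsoft Outlook</key>
      <name>DLLPathEx</name>
    </registry_object>
  </objects>
  <variables>
    <local_variable id="oval:com.gfi.oval:var:2" version="1" datatype="string">
      <object_component item_field="value" object_ref="oval:com.gfi.oval:obj:3"/>
    </local_variable>
  </variables>
</oval_definitions>"""

def naive_join(path, filename):
    # Assumed collector behaviour: always join with "\", even if filename is empty.
    return path + "\\" + filename

def guarded_join(path, filename):
    # Empty filename means the path already names the file: return it untouched.
    return path.rstrip("\\") + "\\" + filename if filename else path

def find_risky_file_objects(xml_text):
    """List (file_object id, registry source) where filename is empty and path is registry-fed."""
    root = ET.fromstring(xml_text)
    reg = {o.get("id"): o for o in root.iter(f"{{{WIN}}}registry_object")}
    var_src = {}
    for var in root.iter(f"{{{DEF}}}local_variable"):
        comp = var.find(f"{{{DEF}}}object_component")
        if comp is not None and comp.get("object_ref") in reg:
            var_src[var.get("id")] = reg[comp.get("object_ref")]
    hits = []
    for fo in root.iter(f"{{{WIN}}}file_object"):
        path, name = fo.find(f"{{{WIN}}}path"), fo.find(f"{{{WIN}}}filename")
        src = var_src.get(path.get("var_ref")) if path is not None else None
        if src is not None and name is not None and not (name.text or "").strip():
            parts = (src.findtext(f"{{{WIN}}}{t}") or "" for t in ("hive", "key", "name"))
            hits.append((fo.get("id"), "\\".join(parts)))
    return hits
```

Running find_risky_file_objects over a definitions file before submission lists the objects whose collected path should be checked for a trailing backslash on the target interpreter.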
Worrell, Bryan A.
Re: OVAL 1456
Hi Clifford,

The issue you ran into with the registry value being appended with a
"\" is a bug that has been identified within the OVAL Language (not
just the OVAL Interpreter) for a while now.  We are currently hashing out
a possible quick solution to this problem that will hold us over until
the next major release, but haven't committed to it yet.  Hopefully we
can resolve this issue quickly because we appreciate your content
submissions and would like to import this one into the OVAL Repository.

Thanks,
Bryan Worrell



__
Bryan Worrell    
The MITRE Corporation
bworrell@...




>-----Original Message-----
>From: Clifford Farrugia [mailto:clifford@...]
>Sent: Monday, April 21, 2008 11:18 AM
>To: oval-discussion-list OVAL Discussion List/Closed Public Discussi
>Subject: [OVAL-DISCUSSION-LIST] OVAL 1456