Vulnerabilities > CVE-2006-0012 - Remote Code Execution vulnerability in Microsoft Windows Shell COM Object

047910
CVSS 5.1 - MEDIUM
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
high complexity
microsoft
nessus
NVD
Published: 2006-04-12
Updated: 2019-04-30

Summary

Unspecified vulnerability in Windows Explorer in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allows remote attackers to execute arbitrary code via attack vectors involving COM objects and "crafted files and directories," aka the "Windows Shell Vulnerability."

Vulnerable Configurations

Part Description Count
OS
Microsoft
30

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS06-015.NASL
descriptionThe remote version of Windows contains a version of the Windows Explorer that has a vulnerability in the way it handles COM objects. An attacker could exploit this vulnerability by asking a victim to visit a rogue website containing a malformed COM object.
last seen2020-06-01
modified2020-06-02
plugin id21212
published2006-04-11
reporterThis script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/21212
titleMS06-015: Vulnerabilities in Windows Explorer Could Allow Remote Code Execution (908531)
code
#
# Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(21212);
 script_version("1.30");
 script_cvs_date("Date: 2018/11/15 20:50:29");

 script_cve_id("CVE-2006-0012");
 script_bugtraq_id(17464);
 script_xref(name:"MSFT", value:"MS06-015");
 script_xref(name:"MSKB", value:"908531");

 script_name(english:"MS06-015: Vulnerabilities in Windows Explorer Could Allow Remote Code Execution (908531)");
 script_summary(english:"Determines the presence of update 908531");

 script_set_attribute(attribute:"synopsis", value:
"Vulnerabilities in the Windows Explorer could allow an attacker to execute
arbitrary code on the remote host.");
 script_set_attribute(attribute:"description", value:
"The remote version of Windows contains a version of the Windows Explorer
that has a vulnerability in the way it handles COM objects.
An attacker could exploit this vulnerability by asking a victim to visit
a rogue website containing a malformed COM object.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2006/ms06-015");
 script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows 2000, XP and
2003.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"false");

 script_set_attribute(attribute:"vuln_publication_date", value:"2006/04/11");
 script_set_attribute(attribute:"patch_publication_date", value:"2006/04/11");
 script_set_attribute(attribute:"plugin_publication_date", value:"2006/04/11");

 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");

 script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");
 script_require_ports(139, 445, 'Host/patch_management_checks');
 exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS06-015';
kb = '908531';

kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(win2k:'4,5', xp:'1,2', win2003:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if ( hotfix_is_vulnerable(os:"5.2", sp:0, file:"shell32.dll", version:"6.0.3790.503", dir:"\system32", bulletin:bulletin, kb:kb) ||
     hotfix_is_vulnerable(os:"5.2", sp:1, file:"shell32.dll", version:"6.0.3790.2662", dir:"\system32", bulletin:bulletin, kb:kb) ||
     hotfix_is_vulnerable(os:"5.1", sp:1, file:"shell32.dll", version:"6.0.2800.1816", dir:"\system32", bulletin:bulletin, kb:kb) ||
     hotfix_is_vulnerable(os:"5.1", sp:2, file:"shell32.dll", version:"6.0.2900.2869", dir:"\system32", bulletin:bulletin, kb:kb) ||
     hotfix_is_vulnerable(os:"5.0",       file:"shell32.dll", version:"5.0.3900.7078", dir:"\system32", bulletin:bulletin, kb:kb) )
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_warning();

  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

Oval

  • accepted2011-05-16T04:00:30.217-04:00
    classvulnerability
    contributors
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameAnna Min
      organizationBigFix, Inc
    • nameShane Shaffer
      organizationG2, Inc.
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    descriptionUnspecified vulnerability in Windows Explorer in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allows remote attackers to execute arbitrary code via attack vectors involving COM objects and "crafted files and directories," aka the "Windows Shell Vulnerability."
    familywindows
    idoval:org.mitre.oval:def:1191
    statusaccepted
    submitted2006-04-12T12:55:00.000-04:00
    titleWin2K COM object Remote Code Execution Vulnerability
    version69
  • accepted2011-05-16T04:01:01.788-04:00
    classvulnerability
    contributors
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameDragos Prisaca
      organizationGideon Technologies, Inc.
    • nameShane Shaffer
      organizationG2, Inc.
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    descriptionUnspecified vulnerability in Windows Explorer in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allows remote attackers to execute arbitrary code via attack vectors involving COM objects and "crafted files and directories," aka the "Windows Shell Vulnerability."
    familywindows
    idoval:org.mitre.oval:def:1448
    statusaccepted
    submitted2006-04-12T12:55:00.000-04:00
    titleWinXP,SP2 COM object Remote Code Execution Vulnerability
    version69
  • accepted2011-05-16T04:01:34.633-04:00
    classvulnerability
    contributors
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameShane Shaffer
      organizationG2, Inc.
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    descriptionUnspecified vulnerability in Windows Explorer in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allows remote attackers to execute arbitrary code via attack vectors involving COM objects and "crafted files and directories," aka the "Windows Shell Vulnerability."
    familywindows
    idoval:org.mitre.oval:def:1679
    statusaccepted
    submitted2006-04-12T12:55:00.000-04:00
    titleWinXP,SP1 COM object Remote Code Execution Vulnerability
    version68
  • accepted2011-05-16T04:01:43.037-04:00
    classvulnerability
    contributors
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameShane Shaffer
      organizationG2, Inc.
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    descriptionUnspecified vulnerability in Windows Explorer in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allows remote attackers to execute arbitrary code via attack vectors involving COM objects and "crafted files and directories," aka the "Windows Shell Vulnerability."
    familywindows
    idoval:org.mitre.oval:def:1743
    statusaccepted
    submitted2006-04-12T12:55:00.000-04:00
    titleWindows (S03/64-bit XP) COM object Remote Code Execution Vulnerability
    version68
  • accepted2011-05-16T04:01:44.830-04:00
    classvulnerability
    contributors
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameJonathan Baker
      organizationThe MITRE Corporation
    • nameShane Shaffer
      organizationG2, Inc.
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    descriptionUnspecified vulnerability in Windows Explorer in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allows remote attackers to execute arbitrary code via attack vectors involving COM objects and "crafted files and directories," aka the "Windows Shell Vulnerability."
    familywindows
    idoval:org.mitre.oval:def:1764
    statusaccepted
    submitted2006-04-12T12:55:00.000-04:00
    titleServer 2003 COM object Remote Code Execution Vulnerability
    version69

References