Vulnerabilities > CVE-2006-0013 - Buffer Overflow vulnerability in Microsoft Windows 2003 Server and Windows XP

CVSS 6.5 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
SINGLE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
microsoft
nessus

Summary

Buffer overflow in the Web Client service (WebClnt.dll) for Microsoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows remote authenticated users or Guests to execute arbitrary code via crafted RPC requests, a different vulnerability than CVE-2005-1207.

Nessus

  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS06-008.NASL
    descriptionThe remote version of Windows contains a flaw in the Web Client service that could allow an attacker to execute arbitrary code on the remote host. To exploit this flaw, an attacker would need credentials to log into the remote host.
    last seen2020-06-01
    modified2020-06-02
    plugin id20908
    published2006-02-14
    reporterThis script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/20908
    titleMS06-008: Vulnerability in Web Client Service Could Allow Remote Code Execution (911927)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Plugin registration block for the credentialed MS06-008 check.
    # Nessus evaluates this branch once at load time to collect metadata and
    # dependencies; the real check below never runs in this mode.
    if (description)
    {
     script_id(20908);
     script_version("1.28");
     script_cvs_date("Date: 2018/11/15 20:50:29");
    
     # Cross-references: CVE, BugTraq, Microsoft bulletin and KB article.
     script_cve_id("CVE-2006-0013");
     script_bugtraq_id(16636);
     script_xref(name:"MSFT", value:"MS06-008");
     script_xref(name:"MSKB", value:"911927");
    
     script_name(english:"MS06-008: Vulnerability in Web Client Service Could Allow Remote Code Execution (911927)");
     script_summary(english:"Determines the presence of update 911927");
    
     script_set_attribute(attribute:"synopsis", value:
    "Arbitrary code can be executed on the remote host.");
     script_set_attribute(attribute:"description", value:
    "The remote version of Windows contains a flaw in the Web Client
    service that could allow an attacker to execute arbitrary code on the
    remote host.
    
    To exploit this flaw, an attacker would need credentials to log into
    the remote host.");
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2006/ms06-008");
     script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows XP and 2003.");
     # CVSSv2 base vector: network, low complexity, single authentication,
     # partial C/I/A -- consistent with the "needs credentials" note above.
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
     script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
     # NOTE(review): exploitability fields reflect the state as of the
     # 2018 cvs_date above; re-validate before relying on them for triage.
     script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"false");
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2006/02/14");
     script_set_attribute(attribute:"patch_publication_date", value:"2006/02/14");
     script_set_attribute(attribute:"plugin_publication_date", value:"2006/02/14");
    
     # "local": the check inspects the host (registry + file versions) over
     # an authenticated SMB session rather than probing the service.
     script_set_attribute(attribute:"plugin_type", value:"local");
     script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
     # All script_set_attribute() calls must precede this terminator.
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
    
     script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
     script_family(english:"Windows : Microsoft Bulletins");
    
     # The check is gated on the KB key set by ms_bulletin_checks_possible.nasl
     # (see get_kb_item_or_exit below); SMB ports or a patch-management
     # source must be reachable.
     script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
     script_require_keys("SMB/MS_Bulletin_Checks/Possible");
     script_require_ports(139, 445, 'Host/patch_management_checks');
     exit(0);
    }
    
    include("audit.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("smb_func.inc");
    include("misc_func.inc");
    
    # Credentialed (registry + file-version) check for MS06-008 / KB 911927.
    # Bails out unless ms_bulletin_checks_possible.nasl has confirmed the host
    # can be inspected this way.
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = 'MS06-008';
    kbs = make_list("911927");
    
    # Hand off to the third-party patch-management check when that KB key is set.
    if (get_kb_item("Host/patch_management_checks"))
      hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    # Only XP SP1/SP2 and Server 2003 RTM/SP1 are in scope for this bulletin;
    # any other OS / service-pack combination is audited out here.
    if (hotfix_check_sp_range(xp:'1,2', win2003:'0,1') <= 0)
      audit(AUDIT_OS_SP_NOT_VULN);
    
    sysroot = hotfix_get_systemroot();
    if (!sysroot) exit(1, "Failed to get the system root.");
    
    sysshare = hotfix_path2share(path:sysroot);
    if (!is_accessible_share(share:sysshare)) audit(AUDIT_SHARE_FAIL, sysshare);
    
    kb = '911927';
    
    # One fixed Webclnt.dll version per (OS, service pack) pair, checked in the
    # same order as before; the first match marks the host as missing the fix.
    missing = FALSE;
    if (hotfix_is_vulnerable(os:"5.2", sp:0, file:"Webclnt.dll", version:"5.2.3790.453",  dir:"\system32", bulletin:bulletin, kb:kb))
      missing = TRUE;
    else if (hotfix_is_vulnerable(os:"5.2", sp:1, file:"Webclnt.dll", version:"5.2.3790.2591", dir:"\system32", bulletin:bulletin, kb:kb))
      missing = TRUE;
    else if (hotfix_is_vulnerable(os:"5.1", sp:2, file:"Webclnt.dll", version:"5.1.2600.2821", dir:"\system32", bulletin:bulletin, kb:kb))
      missing = TRUE;
    else if (hotfix_is_vulnerable(os:"5.1", sp:1, file:"Webclnt.dll", version:"5.1.2600.1790", dir:"\system32", bulletin:bulletin, kb:kb))
      missing = TRUE;
    
    # Not affected: close the file-version session, then audit out (audit() exits).
    if (!missing)
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, 'affected');
    }
    
    # Affected: record the missing bulletin for downstream plugins, report,
    # then close the file-version session -- same order as the original.
    set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
    hotfix_security_warning();
    hotfix_check_fversion_end();
    exit(0);
    
  • NASL familyWindows
    NASL idSMB_KB911927.NASL
    descriptionThe remote version of Windows contains a flaw in the Web Client service that may allow an attacker to execute arbitrary code on the remote host. To exploit this flaw, an attacker would need credentials to log into the remote host.
    last seen2020-06-01
    modified2020-06-02
    plugin id20928
    published2006-02-15
    reporterThis script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/20928
    titleMS06-008: Vulnerability in Web Client Service Could Allow Remote Code Execution (911927) (uncredentialed check)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Plugin registration block for the network-side MS06-008 check.
    # Evaluated once at load time; the RPC probe below does not run here.
    if (description)
    {
     script_id(20928);
     script_version("1.26");
     script_cvs_date("Date: 2018/11/15 20:50:28");
    
     # Same CVE / bulletin / KB references as the credentialed plugin (20908).
     script_cve_id("CVE-2006-0013");
     script_bugtraq_id(16636);
     script_xref(name:"MSFT", value:"MS06-008");
     script_xref(name:"MSKB", value:"911927");
    
     script_name(english:"MS06-008: Vulnerability in Web Client Service Could Allow Remote Code Execution (911927) (uncredentialed check)");
     script_summary(english:"Determines the presence of update 911927 (remote check)");
    
     script_set_attribute(attribute:"synopsis", value:"Arbitrary code can be executed on the remote host.");
     script_set_attribute(attribute:"description", value:
    "The remote version of Windows contains a flaw in the Web Client
    service that may allow an attacker to execute arbitrary code on the
    remote host.
    
    To exploit this flaw, an attacker would need credentials to log into
    the remote host." );
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2006/ms06-008");
     script_set_attribute( attribute:"solution", value:"Microsoft has released a set of patches for Windows XP and 2003.");
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
     script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
     # NOTE(review): exploitability fields date from the 2018 cvs_date above;
     # re-validate before using them for triage.
     script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"false");
    
     # NOTE(review): no patch_publication_date is set here, unlike the sibling
     # plugin 20908 which records 2006/02/14 -- confirm whether it was omitted
     # on purpose.
     script_set_attribute(attribute:"vuln_publication_date", value:"2006/02/14");
     script_set_attribute(attribute:"plugin_publication_date", value:"2006/02/15");
    
     # NOTE(review): plugin_type is "local" although the title says
     # "uncredentialed check" and the body probes the DAV RPC pipe over the
     # network; confirm whether "remote" is the intended value.
     script_set_attribute(attribute:"plugin_type", value:"local");
     # Two CPE entries: a Tenable-style identifier for the Web Client service
     # itself plus the generic Windows OS CPE.
     script_set_attribute(attribute:"cpe", value:"x-cpe:/a:microsoft:windows:webclntsvc");
     script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
     # All script_set_attribute() calls must precede this terminator.
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
     script_family(english:"Windows");
    
     # Needs SMB OS fingerprinting (Host/OS/smb) and the login plugin that
     # populates the kb_smb_* credentials read below.
     script_dependencies("smb_nativelanman.nasl","smb_login.nasl");
     script_require_keys("Host/OS/smb");
     script_require_ports(139,445);
     exit(0);
    }
    
    #
    
    include ('smb_func.inc');
    
    # NOTE(review): rpipe is declared here but never referenced in this file;
    # presumably it is consumed by the pipe helpers in smb_func.inc -- confirm
    # before treating it as dead code.
    global_var rpipe;
    
    # Probe the Web Client service over its "\DAV RPC SERVICE" named pipe
    # (opnum 0 on the bound interface) and classify the host by the status
    # word in the reply.
    #
    # Returns 1 when the reply is exactly four bytes and carries status 0x43
    # (the value the author associates with an unpatched host); returns 0 on
    # any bind/request/parse failure, a malformed reply, or any other status
    # (patched hosts answer 0x57 per the original comment, or access is denied).
    #
    # NOTE(review): this is a live RPC call to the service carrying a
    # 0x101-byte string argument, not a version comparison; confirm it is
    # non-disruptive before scheduling it against production hosts.
    function  DavCreateConnection ()
    {
     local_var pipe_fid, request, reply, status;
    
     pipe_fid = bind_pipe (pipe:"\DAV RPC SERVICE", uuid:"c8cb7687-e6d3-11d2-a958-00c04f682e16", vers:1);
     if (isnull (pipe_fid))
       return 0;
    
     # Request body, assembled field by field in the same order as before:
     # two name parameters, a zero dword, a 0x101-byte filler string and a
     # short trailing name.
     request  = class_parameter (ref_id:0x20000, name:"c:");
     request += class_name (name:"\\");
     request += raw_dword (d:0);
     request += class_parameter (ref_id:0x20008, name:crap(data:"A", length:0x101));
     request += class_parameter (ref_id:0x2000c, name:"tns");
    
     reply = dce_rpc_pipe_request (fid:pipe_fid, code:0x00, data:request);
     if (!reply)
       return 0;
    
     reply = dce_rpc_parse_response (fid:pipe_fid, data:reply);
     if (!reply)
       return 0;
     if (strlen(reply) != 4)
       return 0;
    
     status = get_dword (blob:reply, pos:0);
     if (status != 0x43)
       return 0;   # patched == 0x57 (or access denied)
    
     return 1;
    }
    
    # Entry point for the network-side check: only hosts that SMB
    # fingerprinting reports as Windows are probed.
    os = get_kb_item ("Host/OS/smb") ;
    if ("Windows" >!< os) exit(0);
    
    # SMB target and credentials as collected by smb_login.nasl (the login
    # may well be empty / guest -- the check does not require a real account).
    name   = kb_smb_name();
    login  = kb_smb_login();
    pass   = kb_smb_password();
    domain = kb_smb_domain();
    port   = kb_smb_transport();
    
    if (!get_port_state(port)) exit(0);
    
    soc = open_sock_tcp(port);
    if (!soc) exit(0);
    
    session_init(socket:soc, hostname:name);
    
    # Connect to IPC$; anything but success ends the script silently.
    # NOTE(review): on this path the socket is left for the interpreter to
    # close at exit, as in the original.
    r = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
    if (r != 1) exit(0);
    
    # Report only when the probe classifies the host as unpatched, then tear
    # the session down.
    if (DavCreateConnection () == 1)
      security_warning(port:port);
    
    NetUseDel();
    

Oval

  • accepted2011-05-16T04:00:34.977-04:00
    classvulnerability
    contributors
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameShane Shaffer
      organizationG2, Inc.
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    descriptionBuffer overflow in the Web Client service (WebClnt.dll) for Microsoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows remote authenticated users or Guests to execute arbitrary code via crafted RPC requests, a different vulnerability than CVE-2005-1207.
    familywindows
    idoval:org.mitre.oval:def:1220
    statusaccepted
    submitted2006-02-17T07:36:00.000-04:00
    titleWebClient Service Unchecked Buffer Remote Code Execution (Server 2003,SP1)
    version68
  • accepted2011-05-16T04:01:17.934-04:00
    classvulnerability
    contributors
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameJonathan Baker
      organizationThe MITRE Corporation
    • nameShane Shaffer
      organizationG2, Inc.
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    descriptionBuffer overflow in the Web Client service (WebClnt.dll) for Microsoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows remote authenticated users or Guests to execute arbitrary code via crafted RPC requests, a different vulnerability than CVE-2005-1207.
    familywindows
    idoval:org.mitre.oval:def:1547
    statusaccepted
    submitted2006-02-17T07:36:00.000-04:00
    titleWebClient Service Unchecked Buffer Remote Code Execution (Server 2003)
    version69
  • accepted2011-05-16T04:01:25.079-04:00
    classvulnerability
    contributors
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameDragos Prisaca
      organizationGideon Technologies, Inc.
    • nameShane Shaffer
      organizationG2, Inc.
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    descriptionBuffer overflow in the Web Client service (WebClnt.dll) for Microsoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows remote authenticated users or Guests to execute arbitrary code via crafted RPC requests, a different vulnerability than CVE-2005-1207.
    familywindows
    idoval:org.mitre.oval:def:1602
    statusaccepted
    submitted2006-02-17T07:36:00.000-04:00
    titleWebClient Service Unchecked Buffer Remote Code Execution (XP,SP2)
    version69
  • accepted2011-05-16T04:03:21.399-04:00
    classvulnerability
    contributors
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameShane Shaffer
      organizationG2, Inc.
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    descriptionBuffer overflow in the Web Client service (WebClnt.dll) for Microsoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows remote authenticated users or Guests to execute arbitrary code via crafted RPC requests, a different vulnerability than CVE-2005-1207.
    familywindows
    idoval:org.mitre.oval:def:683
    statusaccepted
    submitted2006-02-17T07:36:00.000-04:00
    titleWebClient Service Unchecked Buffer Remote Code Execution (XP,SP1)
    version68
  • accepted2011-05-16T04:03:23.941-04:00
    classvulnerability
    contributors
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameShane Shaffer
      organizationG2, Inc.
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    descriptionBuffer overflow in the Web Client service (WebClnt.dll) for Microsoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows remote authenticated users or Guests to execute arbitrary code via crafted RPC requests, a different vulnerability than CVE-2005-1207.
    familywindows
    idoval:org.mitre.oval:def:716
    statusaccepted
    submitted2006-02-17T07:36:00.000-04:00
    titleWebClient Service Unchecked Buffer Remote Code Execution (64-bit XP,SP1)
    version68