Vulnerabilities > CVE-2006-0014 - Buffer Overflow vulnerability in Microsoft Outlook Express Windows Address Book File Parsing

047910
CVSS 5.1 - MEDIUM
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
high complexity
microsoft
nessus

Summary

Buffer overflow in Microsoft Outlook Express 5.5 and 6 allows remote attackers to execute arbitrary code via a crafted Windows Address Book (WAB) file containing "certain Unicode strings" and modified length values.

Vulnerable Configurations

Part Description Count
Application
Microsoft
5

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS06-016.NASL
descriptionThe remote host is running a version of Microsoft Outlook Express that may allow an attacker to execute arbitrary code on the remote host. To exploit this flaw, an attacker would need to send a malformed Windows Address Book (.wab) file to a victim on the remote host and have him open the file.
last seen2020-06-01
modified2020-06-02
plugin id21213
published2006-04-11
reporterThis script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/21213
titleMS06-016: Vulnerability in Outlook Express Could Allow Remote Code Execution (911567)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(21213);
 script_version("1.29");
 script_cvs_date("Date: 2018/11/15 20:50:29");

 script_cve_id("CVE-2006-0014");
 script_bugtraq_id(17459);
 script_xref(name:"MSFT", value:"MS06-016");
 script_xref(name:"MSKB", value:"911567");

 script_name(english:"MS06-016: Vulnerability in Outlook Express Could Allow Remote Code Execution (911567)");
 script_summary(english:"Determines the version of MSOE.dll");

 script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host through the email
client.");
 script_set_attribute(attribute:"description", value:
"The remote host is running a version of Microsoft Outlook Express that
may allow an attacker to execute arbitrary code on the remote host.

To exploit this flaw, an attacker would need to send a malformed
Windows Address Book (.wab) file to a victim on the remote host and
have him open the file.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2006/ms06-016");
 script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Outlook Express.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"false");

 script_set_attribute(attribute:"vuln_publication_date", value:"2006/04/11");
 script_set_attribute(attribute:"patch_publication_date", value:"2006/04/11");
 script_set_attribute(attribute:"plugin_publication_date", value:"2006/04/11");

 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");

 script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");
 script_require_ports(139, 445, 'Host/patch_management_checks');
 exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS06-016';
kb = '911567';

kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(win2k:'4,5', xp:'1,2', win2003:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

path = hotfix_get_programfilesdir() + '\\Outlook Express\\';
if (!path) exit(1, "Failed to get the program file directory.");

share = hotfix_path2share(path:path);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if ( hotfix_is_vulnerable(os:"5.2", sp:0, file:"msoe.dll", version:"6.0.3790.504", path:path, bulletin:bulletin, kb:kb) ||
     hotfix_is_vulnerable(os:"5.2", sp:1, file:"msoe.dll", version:"6.0.3790.2663", path:path, bulletin:bulletin, kb:kb) ||
     hotfix_is_vulnerable(os:"5.1", sp:1, file:"msoe.dll", version:"6.0.2800.1807", path:path, bulletin:bulletin, kb:kb) ||
     hotfix_is_vulnerable(os:"5.1", sp:2, file:"msoe.dll", version:"6.0.2900.2869", path:path, bulletin:bulletin, kb:kb) ||
     hotfix_is_vulnerable(os:"5.0", file:"msoe.dll", version:"6.0.2800.1807", min_version:"6.0.0.0", path:path, bulletin:bulletin, kb:kb) ||
     hotfix_is_vulnerable(os:"5.0", file:"msoe.dll", version:"5.50.4963.1700", path:path, bulletin:bulletin, kb:kb) )
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_warning();

  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

Oval

  • accepted2011-05-16T04:01:26.956-04:00
    classvulnerability
    contributors
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameJohn Hoyland
      organizationCentennial Software
    • nameAnna Min
      organizationBigFix, Inc
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameDragos Prisaca
      organizationGideon Technologies, Inc.
    • nameTim Harrison
      organizationNational Institute of Standards and Technology
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    descriptionBuffer overflow in Microsoft Outlook Express 5.5 and 6 allows remote attackers to execute arbitrary code via a crafted Windows Address Book (WAB) file containing "certain Unicode strings" and modified length values.
    familywindows
    idoval:org.mitre.oval:def:1611
    statusaccepted
    submitted2006-04-12T12:55:00.000-04:00
    titleMicrosoft Outlook Express 6 (XP,SP2) WAB Remote Code Execution Vulnerability
    version72
  • accepted2011-05-16T04:01:35.093-04:00
    classvulnerability
    contributors
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameAnna Min
      organizationBigFix, Inc
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    descriptionBuffer overflow in Microsoft Outlook Express 5.5 and 6 allows remote attackers to execute arbitrary code via a crafted Windows Address Book (WAB) file containing "certain Unicode strings" and modified length values.
    familywindows
    idoval:org.mitre.oval:def:1682
    statusaccepted
    submitted2006-04-12T12:55:00.000-04:00
    titleMicrosoft Outlook Express 6,SP1 WAB Remote Code Execution Vulnerability
    version69
  • accepted2011-01-17T04:00:18.065-05:00
    classvulnerability
    contributors
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameJohn Hoyland
      organizationCentennial Software
    • nameAnna Min
      organizationBigFix, Inc
    • nameTim Harrison
      organizationNational Institute of Standards and Technology
    descriptionBuffer overflow in Microsoft Outlook Express 5.5 and 6 allows remote attackers to execute arbitrary code via a crafted Windows Address Book (WAB) file containing "certain Unicode strings" and modified length values.
    familywindows
    idoval:org.mitre.oval:def:1769
    statusaccepted
    submitted2006-04-12T12:55:00.000-04:00
    titleMicrosoft Outlook Express 6 (64-bit XP) WAB Remote Code Execution Vulnerability
    version67
  • accepted2011-05-16T04:01:46.627-04:00
    classvulnerability
    contributors
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameJohn Hoyland
      organizationCentennial Software
    • nameAnna Min
      organizationBigFix, Inc
    • nameJonathan Baker
      organizationThe MITRE Corporation
    • nameTim Harrison
      organizationNational Institute of Standards and Technology
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    descriptionBuffer overflow in Microsoft Outlook Express 5.5 and 6 allows remote attackers to execute arbitrary code via a crafted Windows Address Book (WAB) file containing "certain Unicode strings" and modified length values.
    familywindows
    idoval:org.mitre.oval:def:1771
    statusaccepted
    submitted2006-04-12T12:55:00.000-04:00
    titleMicrosoft Outlook Express 6 (S03-Gold, Itanium) WAB Remote Code Execution Vulnerability
    version71
  • accepted2006-11-14T08:57:55.387-05:00
    classvulnerability
    contributors
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameJohn Hoyland
      organizationCentennial Software
    • nameAnna Min
      organizationBigFix, Inc
    descriptionBuffer overflow in Microsoft Outlook Express 5.5 and 6 allows remote attackers to execute arbitrary code via a crafted Windows Address Book (WAB) file containing "certain Unicode strings" and modified length values.
    familywindows
    idoval:org.mitre.oval:def:1780
    statusaccepted
    submitted2006-04-12T12:55:00.000-04:00
    titleMicrosoft Outlook Express 5.5 WAB Remote Code Execution Vulnerability
    version65
  • accepted2011-05-16T04:01:50.849-04:00
    classvulnerability
    contributors
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameJohn Hoyland
      organizationCentennial Software
    • nameAnna Min
      organizationBigFix, Inc
    • nameTim Harrison
      organizationNational Institute of Standards and Technology
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    descriptionBuffer overflow in Microsoft Outlook Express 5.5 and 6 allows remote attackers to execute arbitrary code via a crafted Windows Address Book (WAB) file containing "certain Unicode strings" and modified length values.
    familywindows
    idoval:org.mitre.oval:def:1791
    statusaccepted
    submitted2006-04-12T12:55:00.000-04:00
    titleMicrosoft Outlook Express 6 (S03,SP1) WAB Remote Code Execution Vulnerability
    version70
  • accepted2011-05-16T04:03:31.624-04:00
    classvulnerability
    contributors
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameJohn Hoyland
      organizationCentennial Software
    • nameAnna Min
      organizationBigFix, Inc
    • nameJonathan Baker
      organizationThe MITRE Corporation
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameTim Harrison
      organizationNational Institute of Standards and Technology
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    descriptionBuffer overflow in Microsoft Outlook Express 5.5 and 6 allows remote attackers to execute arbitrary code via a crafted Windows Address Book (WAB) file containing "certain Unicode strings" and modified length values.
    familywindows
    idoval:org.mitre.oval:def:812
    statusaccepted
    submitted2006-04-12T12:55:00.000-04:00
    titleMicrosoft Outlook Express 6 (S03-Gold) WAB Remote Code Execution Vulnerability
    version72