Vulnerabilities > CVE-2006-0020 - Numeric Errors vulnerability in Microsoft products

047910
CVSS 9.3 - CRITICAL
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
microsoft
CWE-189
critical
nessus
NVD
Published: 2006-01-10
Updated: 2018-10-12

Summary

An unspecified Microsoft WMF parsing application, as used in Internet Explorer 5.01 SP4 on Windows 2000 SP4, and 5.5 SP2 on Windows Millennium, and possibly other versions, allows attackers to cause a denial of service (crash) and possibly execute code via a crafted WMF file with a manipulated WMF header size, possibly involving an integer overflow, a different vulnerability than CVE-2005-4560, and aka "WMF Image Parsing Memory Corruption Vulnerability."

Vulnerable Configurations

Part Description Count
OS
Microsoft
8

Common Weakness Enumeration (CWE)

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS06-004.NASL
descriptionThe remote host is missing the IE cumulative security update 910620. The remote version of IE is vulnerable to several flaws that could allow an attacker to execute arbitrary code on the remote host.
last seen2020-06-01
modified2020-06-02
plugin id20904
published2006-02-14
reporterThis script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/20904
titleMS06-004: Cumulative Security Update for Internet Explorer (910620)
code
#
# Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(20904);
 script_version("1.42");
 script_cvs_date("Date: 2018/11/15 20:50:29");

 script_cve_id("CVE-2006-0020");
 script_bugtraq_id(16516);
 script_xref(name:"CERT", value:"312956");
 script_xref(name:"MSFT", value:"MS06-004");
 script_xref(name:"MSKB", value:"910620");

 script_name(english:"MS06-004: Cumulative Security Update for Internet Explorer (910620)");
 script_summary(english:"Determines the presence of update 910620");

 script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host through the web client.");
 script_set_attribute(attribute:"description", value:
"The remote host is missing the IE cumulative security update 910620.

The remote version of IE is vulnerable to several flaws that could
allow an attacker to execute arbitrary code on the remote host.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2006/ms06-004");
 script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows 2000.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"false");
 script_cwe_id(189);

 script_set_attribute(attribute:"vuln_publication_date", value:"2006/01/09");
 script_set_attribute(attribute:"patch_publication_date", value:"2006/02/14");
 script_set_attribute(attribute:"plugin_publication_date", value:"2006/02/14");

 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");

 script_dependencies("smb_hotfixes.nasl","smb_nt_ms05-054.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");
 script_require_ports(139, 445, 'Host/patch_management_checks');
 exit(0);
}

include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS06-004';
kbs = make_list("910620");
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(win2k:'4,5') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

version = hotfix_check_ie_version ();
if (!version || !egrep (pattern:"^6\.", string:version)) exit (0);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

kb = '910620';

if ( hotfix_is_vulnerable(os:"5.0", file:"Mshtml.dll", version:"5.0.3837.1200", dir:"\system32", bulletin:bulletin, kb:kb) )
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();

  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

Oval

accepted2014-02-24T04:00:21.305-05:00
classvulnerability
contributors
  • nameRobert L. Hollis
    organizationThreatGuard, Inc.
  • nameRobert L. Hollis
    organizationThreatGuard, Inc.
  • nameMaria Mikhno
    organizationALTX-SOFT
descriptionAn unspecified Microsoft WMF parsing application, as used in Internet Explorer 5.01 SP4 on Windows 2000 SP4, and 5.5 SP2 on Windows Millennium, and possibly other versions, allows attackers to cause a denial of service (crash) and possibly execute code via a crafted WMF file with a manipulated WMF header size, possibly involving an integer overflow, a different vulnerability than CVE-2005-4560, and aka "WMF Image Parsing Memory Corruption Vulnerability."
familywindows
idoval:org.mitre.oval:def:1638
statusaccepted
submitted2006-02-17T07:36:00.000-04:00
titleRemote Code Execution Vulnerability in IE5.01
version67

References