Vulnerabilities > CVE-2006-1184 - Unspecified vulnerability in Microsoft products

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
microsoft
nessus

Summary

Microsoft Distributed Transaction Coordinator (MSDTC) for Windows NT 4.0, 2000 SP4, XP SP1 and SP2, and Server 2003 allows remote attackers to cause a denial of service (crash) via a BuildContextW request with a large (1) UuidString or (2) GuidIn of a certain length, which causes an out-of-range memory access, aka the MSDTC Denial of Service Vulnerability. NOTE: this is a variant of CVE-2005-2119.

Nessus

  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS06-018.NASL
    descriptionThe remote version of Windows contains a version of MSDTC that contains several denial of service vulnerabilities (DoS and Invalid Memory Access). An attacker may exploit these flaws to crash the remote service.
    last seen2020-06-01
    modified2020-06-02
    plugin id21331
    published2006-05-09
    reporterThis script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/21331
    titleMS06-018: Vulnerability in MSDTC Could Allow Denial of Service (913580)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
     script_id(21331);
     script_version("1.29");
     script_cvs_date("Date: 2018/11/15 20:50:30");
    
     script_cve_id("CVE-2006-1184", "CVE-2006-0034");
     script_bugtraq_id (17905, 17906);
     script_xref(name:"MSFT", value:"MS06-018");
     script_xref(name:"MSKB", value:"913580");
    
     script_name(english:"MS06-018: Vulnerability in MSDTC Could Allow Denial of Service (913580)");
     script_summary(english:"Determines the presence of update 913580");
    
     script_set_attribute(attribute:"synopsis", value:"It is possible to crash the remote MSDTC service.");
     script_set_attribute(attribute:"description", value:
    "The remote version of Windows contains a version of MSDTC that contains
    several denial of service vulnerabilities (DoS and Invalid Memory
    Access).
    
    An attacker may exploit these flaws to crash the remote service.");
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2006/ms06-018");
     script_set_attribute(attribute:"solution", value:
    "Microsoft has released a set of patches for Windows 2000, XP and
    2003.");
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
     script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
     script_set_attribute(attribute:"exploit_framework_core", value:"true");
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2006/05/09");
     script_set_attribute(attribute:"patch_publication_date", value:"2006/05/09");
     script_set_attribute(attribute:"plugin_publication_date", value:"2006/05/09");
    
     script_set_attribute(attribute:"plugin_type", value:"local");
     script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
    
     script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
     script_family(english:"Windows : Microsoft Bulletins");
    
     script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
     script_require_keys("SMB/MS_Bulletin_Checks/Possible");
     script_require_ports(139, 445, 'Host/patch_management_checks');
     exit(0);
    }
    
    include("audit.inc");
    include("smb_func.inc");
    include("smb_hotfixes.inc");
    include("smb_hotfixes_fcheck.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = 'MS06-018';
    kb = '913580';
    
    kbs = make_list(kb);
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(win2k:'4,5', xp:'1,2', win2003:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    rootfile = hotfix_get_systemroot();
    if (!rootfile) exit(1, "Failed to get the system root.");
    
    share = hotfix_path2share(path:rootfile);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if ( hotfix_is_vulnerable(os:"5.2", sp:0, file:"Msdtctm.dll", version:"2001.12.4720.480", dir:"\system32", bulletin:bulletin, kb:kb) ||
         hotfix_is_vulnerable(os:"5.1", sp:1, file:"Msdtctm.dll", version:"2001.12.4414.65", dir:"\system32", bulletin:bulletin, kb:kb) ||
         hotfix_is_vulnerable(os:"5.1", sp:2, file:"Msdtctm.dll", version:"2001.12.4414.311", dir:"\system32", bulletin:bulletin, kb:kb) ||
         hotfix_is_vulnerable(os:"5.0",       file:"Msdtctm.dll", version:"2000.2.3535.0", dir:"\system32", bulletin:bulletin, kb:kb) )
    {
      set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
      hotfix_security_hole();
    
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, 'affected');
    }
    
  • NASL familyWindows
    NASL idSMB_KB913580.NASL
    descriptionThe remote version of Windows contains a version of MSDTC (Microsoft Data Transaction Coordinator) service that is affected by several remote code execution and denial of service vulnerabilities. An attacker may exploit these flaws to obtain complete control of the remote host (2000, NT4) or to crash the remote service (XP, 2003).
    last seen2020-06-01
    modified2020-06-02
    plugin id21334
    published2006-05-10
    reporterThis script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/21334
    titleMS06-018: Vulnerability in Microsoft Distributed Transaction Coordinator Could Allow DoS (913580) (uncredentialed check)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
     script_id(21334);
     script_version("1.26");
     script_cvs_date("Date: 2018/11/15 20:50:28");
    
     script_cve_id("CVE-2006-0034", "CVE-2006-1184");
     script_bugtraq_id(17905, 17906);
     script_xref(name:"MSFT", value:"MS06-018");
     script_xref(name:"MSKB", value:"913580");
    
     script_name(english:"MS06-018: Vulnerability in Microsoft Distributed Transaction Coordinator Could Allow DoS (913580) (uncredentialed check)");
     script_summary(english:"Determines the presence of update 913580");
    
     script_set_attribute(attribute:"synopsis", value:"A vulnerability in MSDTC could allow remote code execution.");
     script_set_attribute(attribute:"description", value:
    "The remote version of Windows contains a version of MSDTC (Microsoft
    Data Transaction Coordinator) service that is affected by several
    remote code execution and denial of service vulnerabilities.
    
    An attacker may exploit these flaws to obtain complete control of the
    remote host (2000, NT4) or to crash the remote service (XP, 2003)." );
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2006/ms06-018");
     script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows 2000, XP and 2003.");
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
     script_set_attribute(attribute:"exploit_framework_core", value:"true");
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2006/05/09");
     script_set_attribute(attribute:"patch_publication_date", value:"2006/05/09");
     script_set_attribute(attribute:"plugin_publication_date", value:"2006/05/10");
    
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
     script_family(english:"Windows");
    
     script_dependencies("dcetest.nasl");
     script_require_keys("Services/DCE/906b0ce0-c70b-1067-b317-00dd010662da");
     exit(0);
    }
    
    #
    
    include ('smb_func.inc');
    
    port = get_kb_item ("Services/DCE/906b0ce0-c70b-1067-b317-00dd010662da");
    if (!port)
      exit (0);
    
    if (!get_port_state (port))
      exit (0);
    
    context_handles = get_kb_list ("DCE/906b0ce0-c70b-1067-b317-00dd010662da/context_handle");
    if (isnull(context_handles))
      exit (0);
    
    foreach context_handle (context_handles)
    {
     if (!isnull(context_handle))
       break;
    }
    
    if ( ! get_port_state(port) ) exit(0);
    soc = open_sock_tcp (port);
    if (!soc) exit (0);
    
    host_ip = get_host_ip();
    
    ret = dce_rpc_bind(cid:session_get_cid(), uuid:"906b0ce0-c70b-1067-b317-00dd010662da", vers:1);
    send (socket:soc, data:ret);
    resp = recv (socket:soc, length:4096);
    
    if (!resp)
    {
     close (soc);
     exit (0);
    }
    
    ret = dce_rpc_parse_bind_ack (data:resp);
    if (isnull (ret) || (ret != 0))
    {
     close (soc);
     exit (0);
    }
    
    session_set_unicode (unicode:1);
    
    data = raw_dword (d:0) +
    
           # Type 1
           raw_dword (d:0) +
           raw_dword (d:0) +
           raw_dword (d:0) +
           raw_dword (d:0) +
           raw_dword (d:0) +
           raw_dword (d:0) +
    
           # need a valid context handle to pass the first check
           class_name (name:context_handle) +
           # a patched version will first check if the length is less than 17
           class_name (name:crap(data:"B", length:17)) +
    
           # need to be 37 bytes long to be a valid RPC packet
           # [size_is(37)] [in]  [string] wchar_t * element_57,
           # [size_is(37)] [in]  [string] wchar_t * element_58,
           class_name (name:crap(data:"A", length:36)) +
           class_name (name:crap(data:"A", length:36)) +
    
           # a patched version will first check if the length is 37 (36 + '\0')(IDL RPC)
           class_name (name:crap(data:"C", length:37)) +
    
           # Type 2
           raw_dword (d:0) +
           raw_dword (d:0) +
           raw_dword (d:0) +
    
           # [in]  [range(8,8)] long  element_65,
           # [size_is(element_65)] [in]  char  element_66,
           # range restriction is only present in the Windows XP/2003 version
           raw_dword (d:8) +
           raw_dword (d:8) +
           crap (data:raw_string(0), length:8)
     ;
    
    
    ret = dce_rpc_request (code:0x07, data:data);
    send (socket:soc, data:ret);
    resp = recv (socket:soc, length:4096);
    resp = dce_rpc_parse_response (data:resp);
    
    if (strlen(resp) > 8)
      security_hole(port);
    

Oval

  • accepted2011-05-16T04:00:48.305-04:00
    classvulnerability
    contributors
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameShane Shaffer
      organizationG2, Inc.
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    descriptionMicrosoft Distributed Transaction Coordinator (MSDTC) for Windows NT 4.0, 2000 SP4, XP SP1 and SP2, and Server 2003 allows remote attackers to cause a denial of service (crash) via a BuildContextW request with a large (1) UuidString or (2) GuidIn of a certain length, which causes an out-of-range memory access, aka the MSDTC Denial of Service Vulnerability. NOTE: this is a variant of CVE-2005-2119.
    familywindows
    idoval:org.mitre.oval:def:1295
    statusaccepted
    submitted2006-05-10T03:16:00.000-04:00
    titleMSDTC Denial of Service Vulnerability (XP,SP1)
    version69
  • accepted2011-05-16T04:01:48.999-04:00
    classvulnerability
    contributors
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameJonathan Baker
      organizationThe MITRE Corporation
    • nameShane Shaffer
      organizationG2, Inc.
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    descriptionMicrosoft Distributed Transaction Coordinator (MSDTC) for Windows NT 4.0, 2000 SP4, XP SP1 and SP2, and Server 2003 allows remote attackers to cause a denial of service (crash) via a BuildContextW request with a large (1) UuidString or (2) GuidIn of a certain length, which causes an out-of-range memory access, aka the MSDTC Denial of Service Vulnerability. NOTE: this is a variant of CVE-2005-2119.
    familywindows
    idoval:org.mitre.oval:def:1779
    statusaccepted
    submitted2006-05-10T03:16:00.000-04:00
    titleMSDTC Denial of Service Vulnerability (Server 2003)
    version70
  • accepted2011-05-16T04:02:04.947-04:00
    classvulnerability
    contributors
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameDragos Prisaca
      organizationGideon Technologies, Inc.
    • nameShane Shaffer
      organizationG2, Inc.
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    descriptionMicrosoft Distributed Transaction Coordinator (MSDTC) for Windows NT 4.0, 2000 SP4, XP SP1 and SP2, and Server 2003 allows remote attackers to cause a denial of service (crash) via a BuildContextW request with a large (1) UuidString or (2) GuidIn of a certain length, which causes an out-of-range memory access, aka the MSDTC Denial of Service Vulnerability. NOTE: this is a variant of CVE-2005-2119.
    familywindows
    idoval:org.mitre.oval:def:1912
    statusaccepted
    submitted2006-05-10T03:16:00.000-04:00
    titleMSDTC Denial of Service Vulnerability (XP,SP2)
    version70
  • accepted2011-05-16T04:02:15.392-04:00
    classvulnerability
    contributors
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameAnna Min
      organizationBigFix, Inc
    • nameShane Shaffer
      organizationG2, Inc.
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    descriptionMicrosoft Distributed Transaction Coordinator (MSDTC) for Windows NT 4.0, 2000 SP4, XP SP1 and SP2, and Server 2003 allows remote attackers to cause a denial of service (crash) via a BuildContextW request with a large (1) UuidString or (2) GuidIn of a certain length, which causes an out-of-range memory access, aka the MSDTC Denial of Service Vulnerability. NOTE: this is a variant of CVE-2005-2119.
    familywindows
    idoval:org.mitre.oval:def:1990
    statusaccepted
    submitted2006-05-10T03:16:00.000-04:00
    titleMSDTC Denial of Service Vulnerability (Win2K)
    version70