CVE-2006-2370 - Remote Access Remote Code Execution vulnerability in Microsoft Windows 2000, Windows 2003 Server and Windows XP
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | PARTIAL |
Integrity impact | PARTIAL |
Availability impact | PARTIAL |
Summary
Buffer overflow in the Routing and Remote Access service (RRAS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to execute arbitrary code via certain crafted "RPC related requests," aka the "RRAS Memory Corruption Vulnerability."
Vulnerable Configurations
Exploit-Db
id | EDB-ID:1940 |
title | Microsoft Windows RRAS - Remote Stack Overflow Exploit MS06-025 |
description | MS Windows RRAS Remote Stack Overflow Exploit (MS06-025). CVE-2006-2370. Remote exploit for windows platform |
reporter | H D Moore |
published | 2006-06-22 |
modified | 2006-06-22 |
last seen | 2016-01-31 |
source | https://www.exploit-db.com/download/1940/ |

id | EDB-ID:1965 |
title | Microsoft Windows - RRAS RASMAN Registry Stack Overflow Exploit MS06-025 |
description | MS Windows RRAS RASMAN Registry Stack Overflow Exploit (MS06-025). CVE-2006-2370. Remote exploit for windows platform |
reporter | Pusscat |
published | 2006-06-29 |
modified | 2006-06-29 |
last seen | 2016-01-31 |
source | https://www.exploit-db.com/download/1965/ |

id | EDB-ID:16375 |
title | Microsoft RRAS Service RASMAN Registry Overflow |
description | Microsoft RRAS Service RASMAN Registry Overflow. CVE-2006-2370. Remote exploit for windows platform |
reporter | metasploit |
published | 2010-08-25 |
modified | 2010-08-25 |
last seen | 2016-02-01 |
source | https://www.exploit-db.com/download/16375/ |

id | EDB-ID:16364 |
title | Microsoft RRAS Service Overflow |
description | Microsoft RRAS Service Overflow. CVE-2006-2370. Remote exploit for windows platform |
reporter | metasploit |
published | 2010-05-09 |
modified | 2010-05-09 |
last seen | 2016-02-01 |
source | https://www.exploit-db.com/download/16364/ |
Metasploit
id | MSF:EXPLOIT/WINDOWS/SMB/MS06_025_RRAS |
title | MS06-025 Microsoft RRAS Service Overflow |
description | This module exploits a stack buffer overflow in the Windows Routing and Remote Access Service. Since the service is hosted inside svchost.exe, a failed exploit attempt can cause other system services to fail as well. A valid username and password are required to exploit this flaw on Windows 2000. When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'. |
reporter | Rapid7 |
published | 2006-06-14 |
modified | 2017-07-24 |
last seen | 2020-06-12 |
references | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2370 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/smb/ms06_025_rras.rb |

id | MSF:EXPLOIT/WINDOWS/SMB/MS06_025_RASMANS_REG |
title | MS06-025 Microsoft RRAS Service RASMAN Registry Overflow |
description | This module exploits a registry-based stack buffer overflow in the Windows Routing and Remote Access Service. Since the service is hosted inside svchost.exe, a failed exploit attempt can cause other system services to fail as well. A valid username and password are required to exploit this flaw on Windows 2000. When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'. Exploiting this flaw involves two distinct steps - creating the registry key and then triggering an overwrite based on a read of this key. Once the key is created, it cannot be recreated. This means that for any given system, you only get one chance to exploit this flaw. Picking the wrong target will require a manual removal of the following registry key before you can try again: HKEY_USERS\.DEFAULT\Software\Microsoft\RAS Phonebook |
reporter | Rapid7 |
published | 2006-06-20 |
modified | 2017-07-24 |
last seen | 2020-03-12 |
references | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2370 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/smb/ms06_025_rasmans_reg.rb |
Nessus
NASL family | Windows |
NASL id | SMB_KB911280.NASL |
plugin id | 21696 |
title | MS06-025: Vulnerability in Routing and Remote Access Could Allow Remote Code Execution (911280) (uncredentialed check) |
description | The remote version of Windows contains a version of RRAS (Routing and Remote Access Service) that is affected by several memory corruption vulnerabilities. An attacker may exploit these flaws to execute code on the remote service. |
published | 2006-06-13 |
modified | 2020-06-02 |
last seen | 2020-06-01 |
reporter | This script is Copyright (C) 2006-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/21696 |
code

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(21696);
  script_version("1.34");
  script_cvs_date("Date: 2018/11/15 20:50:28");

  script_cve_id("CVE-2006-2370", "CVE-2006-2371");
  script_bugtraq_id(18325, 18358);
  script_xref(name:"MSFT", value:"MS06-025");
  script_xref(name:"MSKB", value:"911280");

  script_name(english:"MS06-025: Vulnerability in Routing and Remote Access Could Allow Remote Code Execution (911280) (uncredentialed check)");
  script_summary(english:"Determines the presence of update 911280 (remote check)");

  script_set_attribute(attribute:"synopsis", value:"It is possible to execute code on the remote host.");
  script_set_attribute(attribute:"description", value:
"The remote version of Windows contains a version of RRAS (Routing and
Remote Access Service) that is affected by several memory corruption
vulnerabilities.

An attacker may exploit these flaws to execute code on the remote
service.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2006/ms06-025");
  script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows 2000, XP and 2003.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'MS06-025 Microsoft RRAS Service Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"vuln_publication_date", value:"2006/06/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2006/07/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/06/13");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"x-cpe:/a:microsoft:windows:routingsvr");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
  script_family(english:"Windows");

  script_dependencies("smb_nativelanman.nasl","smb_login.nasl");
  script_require_keys("Host/OS/smb");
  script_require_ports(139,445);
  exit(0);
}

#

include ('smb_func.inc');

global_var rpipe;

# Remote, uncredentialed check: bind to the RASMAN RPC interface over the
# SRVSVC named pipe and issue one RasRpcDeleteEntry call with random
# (non-existent) entry names. An unpatched service processes the request
# and answers with RAS error 0x26d; a patched service refuses the call.
function RasRpcDeleteEntry ()
{
  local_var fid, data, rep, ret;

  fid = bind_pipe (pipe:"\SRVSVC", uuid:"20610036-fa22-11cf-9823-00a0c911e5df", vers:1);
  if (isnull (fid))
    return 0;

  data = class_name (name:string("tns",rand())) +
         class_name (name:string("tns",rand())) ;

  data = dce_rpc_pipe_request (fid:fid, code:0x05, data:data);
  if (!data)
    return 0;

  rep = dce_rpc_parse_response (fid:fid, data:data);
  if (!rep || (strlen(rep) != 4))
    return 0;

  ret = get_dword (blob:rep, pos:0);
  if (ret == 0x26d)
    return 1;

  # patched == 0x80070005 (check if admin) or access denied
  return 0;
}

os = get_kb_item ("Host/OS/smb") ;
if ("Windows" >!< os) exit(0);

name = kb_smb_name();
port = kb_smb_transport();

if ( ! get_port_state(port) ) exit(0);
soc = open_sock_tcp(port);
if ( ! soc ) exit(0);

session_init(socket:soc, hostname:name);
r = NetUseAdd(share:"IPC$");
if ( r == 1 )
{
  ret = RasRpcDeleteEntry ();
  if (ret == 1)
    security_hole(port:port);

  NetUseDel();
}
NASL family | Windows : Microsoft Bulletins |
NASL id | SMB_NT_MS06-025.NASL |
plugin id | 21689 |
title | MS06-025: Vulnerability in Routing and Remote Access Could Allow Remote Code Execution (911280) |
description | The remote version of Windows contains a version of RRAS (Routing and Remote Access Service) that has several memory corruption vulnerabilities. An attacker may exploit these flaws to execute code on the remote service. |
published | 2006-06-13 |
modified | 2020-06-02 |
last seen | 2020-06-01 |
reporter | This script is Copyright (C) 2006-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/21689 |
code

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(21689);
  script_version("1.37");
  script_cvs_date("Date: 2018/11/15 20:50:30");

  script_cve_id("CVE-2006-2370", "CVE-2006-2371");
  script_bugtraq_id(18325, 18358, 18424);
  script_xref(name:"MSFT", value:"MS06-025");
  script_xref(name:"MSKB", value:"911280");

  script_name(english:"MS06-025: Vulnerability in Routing and Remote Access Could Allow Remote Code Execution (911280)");
  script_summary(english:"Determines the presence of update 911280");

  script_set_attribute(attribute:"synopsis", value:
"It is possible to execute code on the remote host.");
  script_set_attribute(attribute:"description", value:
"The remote version of Windows contains a version of RRAS (Routing and
Remote Access Service) that has several memory corruption
vulnerabilities.

An attacker may exploit these flaws to execute code on the remote
service.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2006/ms06-025");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows 2000, XP and 2003.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'MS06-025 Microsoft RRAS Service Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"vuln_publication_date", value:"2006/06/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2006/06/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/06/13");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
  script_family(english:"Windows : Microsoft Bulletins");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, 'Host/patch_management_checks');
  exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS06-025';
kb = '911280';

# If a third-party patch management system already reported on this host,
# let it decide whether KB 911280 is missing.
kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

# Only Windows 2000 SP4/SP5, XP SP1/SP2 and Server 2003 SP0/SP1 are in scope.
if (hotfix_check_sp_range(win2k:'4,5', xp:'1,2', win2003:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

# Credentialed check: compare the installed Rasmans.dll against the
# version shipped with update 911280 for each OS / service pack.
if (
  hotfix_is_vulnerable(os:"5.2", sp:0, file:"Rasmans.dll", version:"5.2.3790.529", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.2", sp:1, file:"Rasmans.dll", version:"5.2.3790.2697", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:1, file:"Rasmans.dll", version:"5.1.2600.1842", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:2, file:"Rasmans.dll", version:"5.1.2600.2908", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.0", file:"Rasmans.dll", version:"5.0.2195.7093", dir:"\system32", bulletin:bulletin, kb:kb)
)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();

  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}
Oval
Six OVAL definitions cover this CVE, one per affected platform. All six share the following fields:

class | vulnerability |
family | windows |
status | accepted |
submitted | 2006-06-14T09:55:00.000-04:00 |
description | Buffer overflow in the Routing and Remote Access service (RRAS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to execute arbitrary code via certain crafted "RPC related requests," aka the "RRAS Memory Corruption Vulnerability." |

Per-definition fields:

id | title | version | accepted | contributors (name, organization)
oval:org.mitre.oval:def:1587 | RRAS Memory Corruption Vulnerability (64-bit XP) | 68 | 2011-05-16T04:01:21.701-04:00 | Robert L. Hollis (ThreatGuard, Inc.); Shane Shaffer (G2, Inc.); Sudhir Gandhe (Telos); Shane Shaffer (G2, Inc.)
oval:org.mitre.oval:def:1720 | RRAS Memory Corruption Vulnerability (WinS03) | 69 | 2011-05-16T04:01:39.629-04:00 | Robert L. Hollis (ThreatGuard, Inc.); Jonathan Baker (The MITRE Corporation); Shane Shaffer (G2, Inc.); Sudhir Gandhe (Telos); Shane Shaffer (G2, Inc.)
oval:org.mitre.oval:def:1741 | RRAS Memory Corruption Vulnerability (Win2K) | 69 | 2011-05-16T04:01:41.863-04:00 | Robert L. Hollis (ThreatGuard, Inc.); Anna Min (BigFix, Inc); Shane Shaffer (G2, Inc.); Sudhir Gandhe (Telos); Shane Shaffer (G2, Inc.)
oval:org.mitre.oval:def:1823 | RRAS Memory Corruption Vulnerability (WinXP,SP2) | 69 | 2011-05-16T04:01:53.995-04:00 | Robert L. Hollis (ThreatGuard, Inc.); Dragos Prisaca (Gideon Technologies, Inc.); Shane Shaffer (G2, Inc.); Sudhir Gandhe (Telos); Shane Shaffer (G2, Inc.)
oval:org.mitre.oval:def:1936 | RRAS Memory Corruption Vulnerability (S03,SP1) | 68 | 2011-05-16T04:02:08.528-04:00 | Robert L. Hollis (ThreatGuard, Inc.); Shane Shaffer (G2, Inc.); Sudhir Gandhe (Telos); Shane Shaffer (G2, Inc.)
oval:org.mitre.oval:def:2061 | RRAS Memory Corruption Vulnerability (WinXP,SP1) | 68 | 2011-05-16T04:02:21.573-04:00 | Robert L. Hollis (ThreatGuard, Inc.); Shane Shaffer (G2, Inc.); Sudhir Gandhe (Telos); Shane Shaffer (G2, Inc.)
Packetstorm
id | PACKETSTORM:83149 |
title | Microsoft RRAS Service RASMAN Registry Overflow |
reporter | H D Moore |
published | 2009-11-26 |
last seen | 2016-12-05 |
data source | https://packetstormsecurity.com/files/download/83149/ms06_025_rasmans_reg.rb.txt |
source | https://packetstormsecurity.com/files/83149/Microsoft-RRAS-Service-RASMAN-Registry-Overflow.html |

id | PACKETSTORM:83082 |
title | Microsoft RRAS Service Overflow |
reporter | H D Moore |
published | 2009-11-26 |
last seen | 2016-12-05 |
data source | https://packetstormsecurity.com/files/download/83082/ms06_025_rras.rb.txt |
source | https://packetstormsecurity.com/files/83082/Microsoft-RRAS-Service-Overflow.html |
Saint
bid | 18325 |
description | Windows RRAS memory corruption vulnerability |
id | win_patch_rasman |
osvdb | 26437 |
title | windows_rras |
type | remote |
References
- http://secunia.com/advisories/20630
- http://securitytracker.com/id?1016285
- http://www.kb.cert.org/vuls/id/631516
- http://www.osvdb.org/26437
- http://www.securityfocus.com/bid/18325
- http://www.us-cert.gov/cas/techalerts/TA06-164A.html
- http://www.vupen.com/english/advisories/2006/2323
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-025
- https://exchange.xforce.ibmcloud.com/vulnerabilities/26812
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1587
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1720
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1741
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1823
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1936
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2061