CVE-2006-2371 - Unspecified vulnerability in Microsoft Windows 2000, Windows 2003 Server and Windows XP
Attack vector | UNKNOWN |
Attack complexity | UNKNOWN |
Privileges required | UNKNOWN |
Confidentiality impact | UNKNOWN |
Integrity impact | UNKNOWN |
Availability impact | UNKNOWN |
Summary
Buffer overflow in the Remote Access Connection Manager (RASMAN) service in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to execute arbitrary code via certain crafted "RPC related requests" that lead to registry corruption and stack corruption, aka the "RASMAN Registry Corruption Vulnerability."
Vulnerable Configurations
Nessus
NASL family | Windows |
NASL id | SMB_KB911280.NASL |
description | The remote version of Windows contains a version of RRAS (Routing and Remote Access Service) that is affected by several memory corruption vulnerabilities. An attacker may exploit these flaws to execute code on the remote service. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 21696 |
published | 2006-06-13 |
reporter | This script is Copyright (C) 2006-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/21696 |
title | MS06-025: Vulnerability in Routing and Remote Access Could Allow Remote Code Execution (911280) (uncredentialed check) |
code

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(21696);
 script_version("1.34");
 script_cvs_date("Date: 2018/11/15 20:50:28");

 script_cve_id("CVE-2006-2370", "CVE-2006-2371");
 script_bugtraq_id(18325, 18358);
 script_xref(name:"MSFT", value:"MS06-025");
 script_xref(name:"MSKB", value:"911280");

 script_name(english:"MS06-025: Vulnerability in Routing and Remote Access Could Allow Remote Code Execution (911280) (uncredentialed check)");
 script_summary(english:"Determines the presence of update 911280 (remote check)");

 script_set_attribute(
  attribute:"synopsis",
  value:"It is possible to execute code on the remote host."
 );
 script_set_attribute(attribute:"description", value:
"The remote version of Windows contains a version of RRAS (Routing and Remote Access Service) that is affected by several memory corruption vulnerabilities. An attacker may exploit these flaws to execute code on the remote service."
 );
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2006/ms06-025");
 script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows 2000, XP and 2003.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"exploit_framework_core", value:"true");
 script_set_attribute(attribute:"metasploit_name", value:'MS06-025 Microsoft RRAS Service Overflow');
 script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
 script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
 script_set_attribute(attribute:"canvas_package", value:'CANVAS');

 script_set_attribute(attribute:"vuln_publication_date", value:"2006/06/13");
 script_set_attribute(attribute:"patch_publication_date", value:"2006/07/13");
 script_set_attribute(attribute:"plugin_publication_date", value:"2006/06/13");

 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"x-cpe:/a:microsoft:windows:routingsvr");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows");

 script_dependencies("smb_nativelanman.nasl","smb_login.nasl");
 script_require_keys("Host/OS/smb");
 script_require_ports(139,445);
 exit(0);
}

#

include ('smb_func.inc');

global_var rpipe;

# Returns 1 when the 4-byte status in the reply is 0x26d (treated as
# unpatched), 0 in every other case.
function RasRpcDeleteEntry ()
{
 local_var fid, data, rep, ret;

 fid = bind_pipe (pipe:"\SRVSVC", uuid:"20610036-fa22-11cf-9823-00a0c911e5df", vers:1);
 if (isnull (fid))
   return 0;

 data = class_name (name:string("tns",rand())) +
        class_name (name:string("tns",rand())) ;

 data = dce_rpc_pipe_request (fid:fid, code:0x05, data:data);
 if (!data)
   return 0;

 # The response must be exactly one 4-byte status code.
 rep = dce_rpc_parse_response (fid:fid, data:data);
 if (!rep || (strlen(rep) != 4))
   return 0;

 ret = get_dword (blob:rep, pos:0);
 if (ret == 0x26d)
   return 1;

 # patched == 0x80070005 (check if admin) or access denied
 return 0;
}

# Only run against hosts already identified as Windows.
os = get_kb_item ("Host/OS/smb") ;
if ("Windows" >!< os) exit(0);

name = kb_smb_name();
port = kb_smb_transport();

if ( ! get_port_state(port) ) exit(0);
soc = open_sock_tcp(port);
if ( ! soc ) exit(0);

session_init(socket:soc, hostname:name);

# Connect to IPC$, run the check, and report the host if it answers as unpatched.
r = NetUseAdd(share:"IPC$");
if ( r == 1 )
{
 ret = RasRpcDeleteEntry ();
 if (ret == 1)
   security_hole(port:port);

 NetUseDel();
}
```

NASL family | Windows : Microsoft Bulletins |
NASL id | SMB_NT_MS06-025.NASL |
description | The remote version of Windows contains a version of RRAS (Routing and Remote Access Service) that has several memory corruption vulnerabilities. An attacker may exploit these flaws to execute code on the remote service. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 21689 |
published | 2006-06-13 |
reporter | This script is Copyright (C) 2006-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/21689 |
title | MS06-025: Vulnerability in Routing and Remote Access Could Allow Remote Code Execution (911280) |
code

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(21689);
 script_version("1.37");
 script_cvs_date("Date: 2018/11/15 20:50:30");

 script_cve_id("CVE-2006-2370", "CVE-2006-2371");
 script_bugtraq_id(18325, 18358, 18424);
 script_xref(name:"MSFT", value:"MS06-025");
 script_xref(name:"MSKB", value:"911280");

 script_name(english:"MS06-025: Vulnerability in Routing and Remote Access Could Allow Remote Code Execution (911280)");
 script_summary(english:"Determines the presence of update 911280");

 script_set_attribute(attribute:"synopsis", value:
"It is possible to execute code on the remote host.");
 script_set_attribute(attribute:"description", value:
"The remote version of Windows contains a version of RRAS (Routing and Remote Access Service) that has several memory corruption vulnerabilities. An attacker may exploit these flaws to execute code on the remote service.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2006/ms06-025");
 script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows 2000, XP and 2003.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"exploit_framework_core", value:"true");
 script_set_attribute(attribute:"metasploit_name", value:'MS06-025 Microsoft RRAS Service Overflow');
 script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
 script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
 script_set_attribute(attribute:"canvas_package", value:'CANVAS');

 script_set_attribute(attribute:"vuln_publication_date", value:"2006/06/13");
 script_set_attribute(attribute:"patch_publication_date", value:"2006/06/13");
 script_set_attribute(attribute:"plugin_publication_date", value:"2006/06/13");

 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");

 script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");
 script_require_ports(139, 445, 'Host/patch_management_checks');
 exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS06-025';
kb = '911280';

kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

# Only the listed OS and service pack ranges are in scope for this bulletin.
if (hotfix_check_sp_range(win2k:'4,5', xp:'1,2', win2003:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

# Flag the host when Rasmans.dll is older than the fixed version for its OS and service pack.
if (
  hotfix_is_vulnerable(os:"5.2", sp:0, file:"Rasmans.dll", version:"5.2.3790.529", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.2", sp:1, file:"Rasmans.dll", version:"5.2.3790.2697", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:1, file:"Rasmans.dll", version:"5.1.2600.1842", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:2, file:"Rasmans.dll", version:"5.1.2600.2908", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.0", file:"Rasmans.dll", version:"5.0.2195.7093", dir:"\system32", bulletin:bulletin, kb:kb)
)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}
```
Oval
Fields shared by all six definitions:

class | vulnerability |
family | windows |
status | accepted |
submitted | 2006-06-14T09:55:00.000-04:00 |
description | Buffer overflow in the Remote Access Connection Manager (RASMAN) service in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to execute arbitrary code via certain crafted "RPC related requests" that lead to registry corruption and stack corruption, aka the "RASMAN Registry Corruption Vulnerability." |

Per-definition fields:

id | title | version | accepted | contributors |
oval:org.mitre.oval:def:1674 | RASMAN Registry Corruption Vulnerability (64-bit XP) | 68 | 2011-05-16T04:01:33.364-04:00 | Robert L. Hollis (ThreatGuard, Inc.); Shane Shaffer (G2, Inc.); Sudhir Gandhe (Telos); Shane Shaffer (G2, Inc.) |
oval:org.mitre.oval:def:1846 | RASMAN Registry Corruption Vulnerability (XP,SP2) | 69 | 2011-05-16T04:01:57.733-04:00 | Robert L. Hollis (ThreatGuard, Inc.); Dragos Prisaca (Gideon Technologies, Inc.); Shane Shaffer (G2, Inc.); Sudhir Gandhe (Telos); Shane Shaffer (G2, Inc.) |
oval:org.mitre.oval:def:1851 | RASMAN Registry Corruption Vulnerability (S03,SP1) | 68 | 2011-05-16T04:01:58.869-04:00 | Robert L. Hollis (ThreatGuard, Inc.); Shane Shaffer (G2, Inc.); Sudhir Gandhe (Telos); Shane Shaffer (G2, Inc.) |
oval:org.mitre.oval:def:1857 | RASMAN Registry Corruption Vulnerability (Win2K) | 69 | 2011-05-16T04:01:59.168-04:00 | Robert L. Hollis (ThreatGuard, Inc.); Anna Min (BigFix, Inc); Shane Shaffer (G2, Inc.); Sudhir Gandhe (Telos); Shane Shaffer (G2, Inc.) |
oval:org.mitre.oval:def:1907 | RASMAN Registry Corruption Vulnerability (XP,SP1) | 68 | 2011-05-16T04:02:03.080-04:00 | Robert L. Hollis (ThreatGuard, Inc.); Shane Shaffer (G2, Inc.); Sudhir Gandhe (Telos); Shane Shaffer (G2, Inc.) |
oval:org.mitre.oval:def:1983 | RASMAN Registry Corruption Vulnerability (WinS03) | 69 | 2011-05-16T04:02:13.339-04:00 | Robert L. Hollis (ThreatGuard, Inc.); Jonathan Baker (The MITRE Corporation); Shane Shaffer (G2, Inc.); Sudhir Gandhe (Telos); Shane Shaffer (G2, Inc.) |
Saint
bid | 18358 |
description | Windows RASMAN registry corruption vulnerability |
id | win_patch_rasman |
osvdb | 26436 |
title | windows_rasman_registry |
type | remote |
References
- http://www.securityfocus.com/bid/18358
- http://www.us-cert.gov/cas/techalerts/TA06-164A.html
- http://www.kb.cert.org/vuls/id/814644
- http://securitytracker.com/id?1016285
- http://secunia.com/advisories/20630
- http://www.osvdb.org/26436
- http://securityreason.com/securityalert/1096
- http://www.vupen.com/english/advisories/2006/2323
- https://exchange.xforce.ibmcloud.com/vulnerabilities/26814
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1983
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1907
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1857
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1851
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1846
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1674
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-025
- http://www.securityfocus.com/archive/1/436977/100/0/threaded