Vulnerabilities > CVE-2006-2371 - Remote Access RASMAN Registry Remote Code Execution vulnerability in Microsoft Windows 2000, Windows 2003 Server and Windows XP

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
microsoft
nessus

Summary

Buffer overflow in the Remote Access Connection Manager service (RASMAN) service in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to execute arbitrary code via certain crafted "RPC related requests," that lead to registry corruption and stack corruption, aka the "RASMAN Registry Corruption Vulnerability."

Nessus

  • NASL familyWindows
    NASL idSMB_KB911280.NASL
    descriptionThe remote version of Windows contains a version of RRAS (Routing and Remote Access Service) that is affected by several memory corruption vulnerabilities. An attacker may exploit these flaws to execute code on the remote service.
    last seen2020-06-01
    modified2020-06-02
    plugin id21696
    published2006-06-13
    reporterThis script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/21696
    titleMS06-025: Vulnerability in Routing and Remote Access Could Allow Remote Code Execution (911280) (uncredentialed check)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
     script_id(21696);
     script_version("1.34");
     script_cvs_date("Date: 2018/11/15 20:50:28");
    
     script_cve_id("CVE-2006-2370", "CVE-2006-2371");
     script_bugtraq_id(18325, 18358);
     script_xref(name:"MSFT", value:"MS06-025");
     script_xref(name:"MSKB", value:"911280");
    
     script_name(english:"MS06-025: Vulnerability in Routing and Remote Access Could Allow Remote Code Execution (911280) (uncredentialed check)");
     script_summary(english:"Determines the presence of update 911280 (remote check)");
    
     script_set_attribute(
      attribute:"synopsis",
      value:"It is possible to execute code on the remote host."
     );
     script_set_attribute(attribute:"description", value:
    "The remote version of Windows contains a version of RRAS (Routing and
    Remote Access Service) that is affected by several memory corruption
    vulnerabilities.
    
    An attacker may exploit these flaws to execute code on the remote
    service." );
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2006/ms06-025");
     script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows 2000, XP and 2003.");
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
     script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
     script_set_attribute(attribute:"exploit_framework_core", value:"true");
     script_set_attribute(attribute:"metasploit_name", value:'MS06-025 Microsoft RRAS Service Overflow');
     script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
     script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
     script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2006/06/13");
     script_set_attribute(attribute:"patch_publication_date", value:"2006/07/13");
     script_set_attribute(attribute:"plugin_publication_date", value:"2006/06/13");
    
     script_set_attribute(attribute:"plugin_type", value:"local");
     script_set_attribute(attribute:"cpe", value:"x-cpe:/a:microsoft:windows:routingsvr");
     script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
     script_family(english:"Windows");
    
     script_dependencies("smb_nativelanman.nasl","smb_login.nasl");
     script_require_keys("Host/OS/smb");
     script_require_ports(139,445);
     exit(0);
    }
    
    #
    
    include ('smb_func.inc');
    
    global_var rpipe;
    
    function  RasRpcDeleteEntry ()
    {
     local_var fid, data, rep, ret;
    
     fid = bind_pipe (pipe:"\SRVSVC", uuid:"20610036-fa22-11cf-9823-00a0c911e5df", vers:1);
     if (isnull (fid))
       return 0;
    
     data = class_name (name:string("tns",rand())) +
    	class_name (name:string("tns",rand())) ;
    
     data = dce_rpc_pipe_request (fid:fid, code:0x05, data:data);
     if (!data)
       return 0;
    
     rep = dce_rpc_parse_response (fid:fid, data:data);
    
     if (!rep || (strlen(rep) != 4))
       return 0;
    
     ret = get_dword (blob:rep, pos:0);
     if (ret == 0x26d)
       return 1;
    
     # patched == 0x80070005 (check if admin) or access denied
     return 0;
    }
    
    os = get_kb_item ("Host/OS/smb") ;
    if ("Windows" >!< os) exit(0);
    
    name	= kb_smb_name();
    port	= kb_smb_transport();
    
    if ( ! get_port_state(port) ) exit(0);
    soc = open_sock_tcp(port);
    if ( ! soc ) exit(0);
    
    session_init(socket:soc, hostname:name);
    
    r = NetUseAdd(share:"IPC$");
    if ( r == 1 )
    {
     ret = RasRpcDeleteEntry ();
     if (ret == 1)
       security_hole(port:port);
    
     NetUseDel();
    }
    
  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS06-025.NASL
    descriptionThe remote version of Windows contains a version of RRAS (Routing and Remote Access Service) that has several memory corruption vulnerabilities. An attacker may exploit these flaws to execute code on the remote service.
    last seen2020-06-01
    modified2020-06-02
    plugin id21689
    published2006-06-13
    reporterThis script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/21689
    titleMS06-025: Vulnerability in Routing and Remote Access Could Allow Remote Code Execution (911280)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
     script_id(21689);
     script_version("1.37");
     script_cvs_date("Date: 2018/11/15 20:50:30");
    
     script_cve_id("CVE-2006-2370", "CVE-2006-2371");
     script_bugtraq_id(18325, 18358, 18424);
     script_xref(name:"MSFT", value:"MS06-025");
     script_xref(name:"MSKB", value:"911280");
    
     script_name(english:"MS06-025: Vulnerability in Routing and Remote Access Could Allow Remote Code Execution (911280)");
     script_summary(english:"Determines the presence of update 911280");
    
     script_set_attribute(attribute:"synopsis", value:
    "It is possible to execute code on the remote host.");
     script_set_attribute(attribute:"description", value:
    "The remote version of Windows contains a version of RRAS (Routing and
    Remote Access Service) that has several memory corruption
    vulnerabilities.
    
    An attacker may exploit these flaws to execute code on the remote
    service.");
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2006/ms06-025");
     script_set_attribute(attribute:"solution", value:
    "Microsoft has released a set of patches for Windows 2000, XP and
    2003.");
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
     script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
     script_set_attribute(attribute:"exploit_framework_core", value:"true");
     script_set_attribute(attribute:"metasploit_name", value:'MS06-025 Microsoft RRAS Service Overflow');
     script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
     script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
     script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2006/06/13");
     script_set_attribute(attribute:"patch_publication_date", value:"2006/06/13");
     script_set_attribute(attribute:"plugin_publication_date", value:"2006/06/13");
    
     script_set_attribute(attribute:"plugin_type", value:"local");
     script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
    
     script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
     script_family(english:"Windows : Microsoft Bulletins");
    
     script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
     script_require_keys("SMB/MS_Bulletin_Checks/Possible");
     script_require_ports(139, 445, 'Host/patch_management_checks');
     exit(0);
    }
    
    include("audit.inc");
    include("smb_func.inc");
    include("smb_hotfixes.inc");
    include("smb_hotfixes_fcheck.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = 'MS06-025';
    kb = '911280';
    
    kbs = make_list(kb);
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(win2k:'4,5', xp:'1,2', win2003:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    rootfile = hotfix_get_systemroot();
    if (!rootfile) exit(1, "Failed to get the system root.");
    
    share = hotfix_path2share(path:rootfile);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if ( hotfix_is_vulnerable(os:"5.2", sp:0, file:"Rasmans.dll", version:"5.2.3790.529", dir:"\system32", bulletin:bulletin, kb:kb) ||
         hotfix_is_vulnerable(os:"5.2", sp:1, file:"Rasmans.dll", version:"5.2.3790.2697", dir:"\system32", bulletin:bulletin, kb:kb) ||
         hotfix_is_vulnerable(os:"5.1", sp:1, file:"Rasmans.dll", version:"5.1.2600.1842", dir:"\system32", bulletin:bulletin, kb:kb) ||
         hotfix_is_vulnerable(os:"5.1", sp:2, file:"Rasmans.dll", version:"5.1.2600.2908", dir:"\system32", bulletin:bulletin, kb:kb) ||
         hotfix_is_vulnerable(os:"5.0",       file:"Rasmans.dll", version:"5.0.2195.7093", dir:"\system32", bulletin:bulletin, kb:kb) )
    {
      set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
      hotfix_security_hole();
    
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, 'affected');
    }
    

Oval

  • accepted2011-05-16T04:01:33.364-04:00
    classvulnerability
    contributors
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameShane Shaffer
      organizationG2, Inc.
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    descriptionBuffer overflow in the Remote Access Connection Manager service (RASMAN) service in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to execute arbitrary code via certain crafted "RPC related requests," that lead to registry corruption and stack corruption, aka the "RASMAN Registry Corruption Vulnerability."
    familywindows
    idoval:org.mitre.oval:def:1674
    statusaccepted
    submitted2006-06-14T09:55:00.000-04:00
    titleRASMAN Registry Corruption Vulnerability (64-bit XP)
    version68
  • accepted2011-05-16T04:01:57.733-04:00
    classvulnerability
    contributors
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameDragos Prisaca
      organizationGideon Technologies, Inc.
    • nameShane Shaffer
      organizationG2, Inc.
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    descriptionBuffer overflow in the Remote Access Connection Manager service (RASMAN) service in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to execute arbitrary code via certain crafted "RPC related requests," that lead to registry corruption and stack corruption, aka the "RASMAN Registry Corruption Vulnerability."
    familywindows
    idoval:org.mitre.oval:def:1846
    statusaccepted
    submitted2006-06-14T09:55:00.000-04:00
    titleRASMAN Registry Corruption Vulnerability (XP,SP2)
    version69
  • accepted2011-05-16T04:01:58.869-04:00
    classvulnerability
    contributors
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameShane Shaffer
      organizationG2, Inc.
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    descriptionBuffer overflow in the Remote Access Connection Manager service (RASMAN) service in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to execute arbitrary code via certain crafted "RPC related requests," that lead to registry corruption and stack corruption, aka the "RASMAN Registry Corruption Vulnerability."
    familywindows
    idoval:org.mitre.oval:def:1851
    statusaccepted
    submitted2006-06-14T09:55:00.000-04:00
    titleRASMAN Registry Corruption Vulnerability (S03,SP1)
    version68
  • accepted2011-05-16T04:01:59.168-04:00
    classvulnerability
    contributors
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameAnna Min
      organizationBigFix, Inc
    • nameShane Shaffer
      organizationG2, Inc.
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    descriptionBuffer overflow in the Remote Access Connection Manager service (RASMAN) service in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to execute arbitrary code via certain crafted "RPC related requests," that lead to registry corruption and stack corruption, aka the "RASMAN Registry Corruption Vulnerability."
    familywindows
    idoval:org.mitre.oval:def:1857
    statusaccepted
    submitted2006-06-14T09:55:00.000-04:00
    titleRASMAN Registry Corruption Vulnerability (Win2K)
    version69
  • accepted2011-05-16T04:02:03.080-04:00
    classvulnerability
    contributors
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameShane Shaffer
      organizationG2, Inc.
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    descriptionBuffer overflow in the Remote Access Connection Manager service (RASMAN) service in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to execute arbitrary code via certain crafted "RPC related requests," that lead to registry corruption and stack corruption, aka the "RASMAN Registry Corruption Vulnerability."
    familywindows
    idoval:org.mitre.oval:def:1907
    statusaccepted
    submitted2006-06-14T09:55:00.000-04:00
    titleRASMAN Registry Corruption Vulnerability (XP,SP1)
    version68
  • accepted2011-05-16T04:02:13.339-04:00
    classvulnerability
    contributors
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameJonathan Baker
      organizationThe MITRE Corporation
    • nameShane Shaffer
      organizationG2, Inc.
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    descriptionBuffer overflow in the Remote Access Connection Manager service (RASMAN) service in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to execute arbitrary code via certain crafted "RPC related requests," that lead to registry corruption and stack corruption, aka the "RASMAN Registry Corruption Vulnerability."
    familywindows
    idoval:org.mitre.oval:def:1983
    statusaccepted
    submitted2006-06-14T09:55:00.000-04:00
    titleRASMAN Registry Corruption Vulnerability (WinS03)
    version69

Saint

bid18358
descriptionWindows RASMAN registry corruption vulnerability
idwin_patch_rasman
osvdb26436
titlewindows_rasman_registry
typeremote