Vulnerabilities > CVE-2006-2386 - Remote Code Execution vulnerability in Microsoft Outlook Express Windows Address Book Contact Record

047910
CVSS 6.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
microsoft
nessus
NVD
Published: 2006-12-13
Updated: 2018-10-18

Summary

Unspecified vulnerability in Microsoft Outlook Express 6 and earlier allows remote attackers to execute arbitrary code via a crafted contact record in a Windows Address Book (WAB) file. If a end user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system.

Vulnerable Configurations

Part Description Count
Application
Microsoft
4

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS06-076.NASL
descriptionThe remote host is running a version of Microsoft Outlook Express that contains a security flaw that may allow an attacker to execute arbitrary code on the remote host. To exploit this flaw, an attacker would need to send a malformed HTML email to a victim on the remote host and have him open it.
last seen2020-06-01
modified2020-06-02
plugin id23835
published2006-12-12
reporterThis script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/23835
titleMS06-076: Cumulative Security Update for Outlook Express (923694)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(23835);
 script_version("1.29");
 script_cvs_date("Date: 2018/11/15 20:50:30");

 script_cve_id("CVE-2006-2386");
 script_bugtraq_id(21501);
 script_xref(name:"MSFT", value:"MS06-076");
 script_xref(name:"MSKB", value:"923694");

 script_name(english:"MS06-076: Cumulative Security Update for Outlook Express (923694)");
 script_summary(english:"Determines the presence of update 923694");

 script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host through the email
client.");
 script_set_attribute(attribute:"description", value:
"The remote host is running a version of Microsoft Outlook Express
that contains a security flaw that may allow an attacker to execute
arbitrary code on the remote host.

To exploit this flaw, an attacker would need to send a malformed HTML
email to a victim on the remote host and have him open it.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2006/ms06-076");
 script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Outlook Express.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"false");

 script_set_attribute(attribute:"vuln_publication_date", value:"2006/12/12");
 script_set_attribute(attribute:"patch_publication_date", value:"2006/12/12");
 script_set_attribute(attribute:"plugin_publication_date", value:"2006/12/12");

 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");

 script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");
 script_require_ports(139, 445, 'Host/patch_management_checks');
 exit(0);
}

include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS06-076';
kb = '923694';

kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(win2k:'4,5', xp:'2', win2003:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if ( hotfix_is_vulnerable(os:"5.2", sp:1, file:"Inetcomm.dll", version:"6.0.3790.2826", dir:"\system32", bulletin:bulletin, kb:kb) ||
     hotfix_is_vulnerable(os:"5.2", sp:0, file:"Inetcomm.dll", version:"6.0.3790.607", dir:"\system32", bulletin:bulletin, kb:kb) ||
     hotfix_is_vulnerable(os:"5.1", sp:2, file:"Inetcomm.dll", version:"6.0.2900.3028", dir:"\system32", bulletin:bulletin, kb:kb) ||
     hotfix_is_vulnerable(os:"5.0", file:"Inetcomm.dll", version:"6.0.2800.1896", min_version:"6.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||
     hotfix_is_vulnerable(os:"5.0", file:"Inetcomm.dll", version:"5.50.4971.600", dir:"\system32", bulletin:bulletin, kb:kb) )
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_warning();

  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

Oval

accepted2007-02-20T13:39:28.558-05:00
classvulnerability
contributors
nameRobert L. Hollis
organizationThreatGuard, Inc.
definition_extensions
  • commentMicrosoft Windows 2000 SP4 or later is installed
    ovaloval:org.mitre.oval:def:229
  • commentMicrosoft Outlook Express 5.5 SP2 is installed.
    ovaloval:org.mitre.oval:def:504
  • commentMicrosoft Windows 2000 SP4 or later is installed
    ovaloval:org.mitre.oval:def:229
  • commentMicrosoft Outlook Express 6 SP1 is installed.
    ovaloval:org.mitre.oval:def:488
  • commentMicrosoft Windows XP SP2 or later is installed
    ovaloval:org.mitre.oval:def:521
  • commentMicrosoft Outlook Express 6.0 for Windows XP/2003 is installed
    ovaloval:org.mitre.oval:def:208
  • commentMicrosoft Windows XP SP1 (64-bit) is installed
    ovaloval:org.mitre.oval:def:480
  • commentMicrosoft Outlook Express 6.0 for Windows XP/2003 is installed
    ovaloval:org.mitre.oval:def:208
  • commentMicrosoft Windows Server 2003 (x86) Gold is installed
    ovaloval:org.mitre.oval:def:165
  • commentMicrosoft Outlook Express 6.0 for Windows XP/2003 is installed
    ovaloval:org.mitre.oval:def:208
  • commentMicrosoft Windows Server 2003 SP1 (x86) is installed
    ovaloval:org.mitre.oval:def:565
  • commentMicrosoft Outlook Express 6.0 for Windows XP/2003 is installed
    ovaloval:org.mitre.oval:def:208
descriptionUnspecified vulnerability in Microsoft Outlook Express 6 and earlier allows remote attackers to execute arbitrary code via a crafted contact record in a Windows Address Book (WAB) file.
familywindows
idoval:org.mitre.oval:def:1055
statusaccepted
submitted2006-12-13T08:17:04
titleWindows Address Book Contact Record Vulnerability
version70

References