Vulnerabilities > CVE-2006-3434 - Remote Code Execution vulnerability in Microsoft Office Improper Memory Access

047910
CVSS 9.3 - CRITICAL
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
microsoft
critical
nessus
NVD
Published: 2006-10-10
Updated: 2018-10-18

Summary

Unspecified vulnerability in Microsoft Office 2000, XP, 2003, 2004 for Mac, and v.X for Mac allows remote user-assisted attackers to execute arbitrary code via a crafted string that triggers memory corruption.

Vulnerable Configurations

Part Description Count
Application
Microsoft
13

Nessus

  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS06-062.NASL
    descriptionThe remote host is running a version of Microsoft Office that could allow arbitrary code to be run. To succeed, the attacker would have to send a rogue file to a user of the remote computer and have it open it with Microsoft Office.
    last seen2020-06-01
    modified2020-06-02
    plugin id22535
    published2006-10-10
    reporterThis script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/22535
    titleMS06-062: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (922581)
    code
    #
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(22535);
 script_version("1.41");
 script_cvs_date("Date: 2018/11/15 20:50:30");

 script_cve_id(
  "CVE-2006-3434",
  "CVE-2006-3650",
  "CVE-2006-3864",
  "CVE-2006-3868"
 );
 script_bugtraq_id(20320, 20382, 20383, 20384);
 script_xref(name:"CERT", value:"534276");
 script_xref(name:"CERT", value:"807780");
 script_xref(name:"MSFT", value:"MS06-062");
 script_xref(name:"MSKB", value:"922581");

 script_name(english:"MS06-062: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (922581)");
 script_summary(english:"Determines the version of MSO.dll");

 script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host through Microsoft
Office.");
 script_set_attribute(attribute:"description", value:
"The remote host is running a version of Microsoft Office that could
allow arbitrary code to be run.

To succeed, the attacker would have to send a rogue file to a user of
the remote computer and have it open it with Microsoft Office.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2006/ms06-062");
 script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Office 2000, XP and 2003.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(94);

 script_set_attribute(attribute:"vuln_publication_date", value:"2006/10/10");
 script_set_attribute(attribute:"patch_publication_date", value:"2006/10/10");
 script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/10");

 script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:word");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:word_viewer");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:excel");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:excel_viewer");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:powerpoint");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:visio");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:access");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:frontpage");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:infopath");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:onenote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:outlook");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:publisher");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:project");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");

 script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");
 script_require_ports(139, 445, 'Host/patch_management_checks');
 exit(0);
}


include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");


get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS06-062';
kbs = make_list("922581", "923272", "923273", "923274");
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);


kb = '922581';

get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

office_versions = hotfix_check_office_version ();
if ( !office_versions ) exit(0, "Microsoft Office not found.");

rootfiles = hotfix_get_officecommonfilesdir();
if ( ! rootfiles ) exit(1, "Failed to get Office Common Files directory.");

login	=  kb_smb_login();
pass  	=  kb_smb_password();
domain 	=  kb_smb_domain();
port    =  kb_smb_transport();

if(! smb_session_init()) audit(AUDIT_FN_FAIL, "smb_session_init");

share = '';
lastshare = '';
vuln = FALSE;
checkedfiles = make_array();
foreach ver (keys(office_versions))
{
  if (typeof(rootfiles) == 'array') rootfile = rootfiles[ver];
  else rootfile = rootfiles;
  if ( "9.0" >< ver )
	{
    rootfile = hotfix_get_programfilesdir();
    dll  =  ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\Microsoft Office\Office\mso9.dll", string:rootfile);
	}
  else if ( "10.0" >< ver )
  {
	  dll =  ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\Microsoft Shared\Office10\mso.dll", string:rootfile);
  }
  else if ( "11.0" >< ver )
  {
	  dll =  ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\Microsoft Shared\Office11\mso.dll", string:rootfile);
  }
  else continue;
  if (checkedfiles[dll]) continue;

  share = hotfix_path2share(path:rootfile);
  if (share && share != lastshare)
  {
    NetUseDel(close:FALSE);
    r = NetUseAdd(login:login, password:pass, domain:domain, share:share);
    if ( r != 1 ) audit(AUDIT_SHARE_FAIL,share);
  }

  handle =  CreateFile (file:dll, desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL, share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);

  if ( ! isnull(handle) )
  {
    checkedfiles[dll] = 1;
    v = GetFileVersion(handle:handle);
    CloseFile(handle:handle);
    if ( !isnull(v) )
    {
      if (v[0] == 9 &&  v[1] == 0 && v[2] == 0 && v[3] < 8950)
      {
        vuln = TRUE;
        kb = '923274';
        hotfix_add_report('\nPath : '+share-'$'+':'+dll+
                          '\nVersion : '+join(v, sep:'.')+
                          '\nShould be : 9.0.0.8950\n',
                          bulletin:bulletin, kb:kb);
      }
      else if (v[0] == 10 && v[1] == 0 && v[2] < 6817)
      {
        vuln = TRUE;
        kb = '923273';
        hotfix_add_report('\nPath : '+share-'$'+':'+dll+
                          '\nVersion : '+join(v, sep:'.')+
                          '\nShould be : 10.0.6817.0\n',
                          bulletin:bulletin, kb:kb);
      }
      else if ( v[0] == 11 && v[1] == 0 && v[2] < 8107)
      {
        vuln = TRUE;
        kb = '923272';
        hotfix_add_report('\nPath : '+share-'$'+':'+dll+
                          '\nVersion : '+join(v, sep:'.')+
                          '\nShould be : 11.0.8107.0\n',
                          bulletin:bulletin, kb:kb);
      }
    }
  }
}
NetUseDel();
if (vuln)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_warning();
  exit(0);
}
else audit(AUDIT_HOST_NOT, 'affected');
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_MS_OFFICE_OCT2006.NASL
    descriptionThe remote host is running a version of Microsoft Office that is affected by various flaws that may allow arbitrary code to be run. To succeed, the attacker would have to send a rogue file to a user of the remote computer and have it open it with Microsoft Word, Excel, PowerPoint or another Office application.
    last seen2020-03-18
    modified2006-10-11
    plugin id22539
    published2006-10-11
    reporterThis script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/22539
    titleMS06-058 / MS06-059 / MS06-0060 / MS06-062: Vulnerabilities in Microsoft Office Allow Remote Code Execution (924163 / 924164 / 924554 / 922581) (Mac OS X)
    code
    #TRUSTED 2c4d1c448257315de7d547465a1555e2bf815efdac1b0a7b25e5429b69796c0e48122d471ecd87d1c4dafb500294445b000afb553cf92b5bea6c53292a1b32e45aa07a53ac2ac4e0d1df4025c032ae6830cd0ef545dd73c2f18bb78485ebba802e3b10009fbced7b6712e15f7191a62cbeb4533bdfac28255d55d0a886002a24f107b579fed1284b36a7e5bb593789dfb7d53075108fa245ab4e39b2b136759c9a4fdcfafa51f19141a02195a99598f4bdb92952f84b0e5af5248219573c22005721632c0314c9c6c79cf5e96c4feebd0ed0a166271afb88947891d74c93a51b81a2111d73711778239f8c193e075b0ba928c15167162a5b45b51ba99cf99c7e332ef56740eb79f0a3551b9299d63f96a706ecc5bbc7095572ce6fa6b01c971f986baca8b87aefee773c8a8b8ba19973d3f67ca3318ec2482ed14e175cb2101a6533e248b8e856c3a359573ca787d27aba868b12bc346d6deeeb2e1211ed9ea65a62546f1d33a722221e10b07c381577e8de316672a7dea5778b1f26adf6f0fecdde1399c5039d09387c04975c4f043d7fb0dcbacf43ebbdab0e1105dc9b5bf8c04fdbcc1f0213d8538f2f56e75a67d36506aa52aa150abfdff4a3f50cd2b8615a99eaa30252a335de6d1170c72d0e071e8cdfd2cde3faa2050428a84b2b91db1e3254e3b683d02d2741fad0d6e77deeb32b065300c387ce71b1e3f17e5a08af
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(22539);
 script_version("1.24");
 script_set_attribute(attribute:"plugin_modification_date", value:"2018/07/14");

 script_cve_id(
  # "CVE-2006-3435",
  "CVE-2006-3876",
  "CVE-2006-3877",
  "CVE-2006-4694",
  "CVE-2006-2387",
  "CVE-2006-3431",
  "CVE-2006-3867",
  "CVE-2006-3875",
  "CVE-2006-3647",
  # "CVE-2006-3651",
  # "CVE-2006-4534",
  "CVE-2006-4693",
  "CVE-2006-3434",
  "CVE-2006-3650",
  "CVE-2006-3864"
  # "CVE-2006-3868"
 );
 script_bugtraq_id(
  18872,
  20226,
  20322,
  20325,
  20341,
  20344,
  20345,
  20382,
  20383,
  20384,
  20391
 );
 script_xref(name:"MSFT", value:"MS06-058");
 script_xref(name:"MSFT", value:"MS06-059");
 script_xref(name:"MSFT", value:"MS06-060");
 script_xref(name:"MSFT", value:"MS06-062");
 script_xref(name:"MSKB", value:"924163");
 script_xref(name:"MSKB", value:"924164");
 script_xref(name:"MSKB", value:"924554");
 script_xref(name:"MSKB", value:"922581");

 script_name(english:"MS06-058 / MS06-059 / MS06-0060 / MS06-062: Vulnerabilities in Microsoft Office Allow Remote Code Execution (924163 / 924164 / 924554 / 922581) (Mac OS X)");
 script_summary(english:"Check for Office 2004 and X");

 script_set_attribute(
  attribute:"synopsis",
  value:
"An application installed on the remote Mac OS X host is affected by
multiple remote code execution vulnerabilities."
 );
 script_set_attribute(
  attribute:"description",
  value:
"The remote host is running a version of Microsoft Office that is
affected by various flaws that may allow arbitrary code to be run.

To succeed, the attacker would have to send a rogue file to a user of
the remote computer and have it open it with Microsoft Word, Excel,
PowerPoint or another Office application."
 );
 script_set_attribute(attribute:"see_also", value:"http://technet.microsoft.com/en-us/security/bulletin/ms06-058");
 script_set_attribute(attribute:"see_also", value:"http://technet.microsoft.com/en-us/security/bulletin/ms06-059");
 script_set_attribute(attribute:"see_also", value:"http://technet.microsoft.com/en-us/security/bulletin/ms06-060");
 script_set_attribute(attribute:"see_also", value:"http://technet.microsoft.com/en-us/security/bulletin/ms06-062");
 script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Office for Mac OS X.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"exploited_by_malware", value:"true");
 script_cwe_id(94);

 script_set_attribute(attribute:"vuln_publication_date", value:"2006/07/03");
 script_set_attribute(attribute:"patch_publication_date", value:"2006/10/10");
 script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/11");

 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office:2001:sr1:mac_os");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office:2004::mac");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
 script_family(english:"MacOS X Local Security Checks");

 script_dependencies("ssh_get_info.nasl");
 script_require_keys("Host/MacOSX/packages");
 exit(0);
}


include("misc_func.inc");
include("ssh_func.inc");
include("macosx_func.inc");



if(sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS)
  enable_ssh_wrappers();
else disable_ssh_wrappers();

uname = get_kb_item("Host/uname");
if ( egrep(pattern:"Darwin.*", string:uname) )
{
  off2004 = GetCarbonVersionCmd(file:"Microsoft Component Plugin", path:"/Applications/Microsoft Office 2004/Office");
  offX    = GetCarbonVersionCmd(file:"Microsoft Component Plugin", path:"/Applications/Microsoft Office X/Office");

  if ( ! islocalhost() )
  {
   ret = ssh_open_connection();
   if ( ! ret ) exit(0);
   buf = ssh_cmd(cmd:off2004);
   if ( buf !~ "^11" ) buf = ssh_cmd(cmd:offX);
   ssh_close_connection();
  }
  else
  {
  buf = pread(cmd:"/bin/bash", argv:make_list("bash", "-c", off2004));
  if ( buf !~ "^11" )
    buf = pread(cmd:"/bin/bash", argv:make_list("bash", "-c", offX));
  }


 if ( buf =~ "^(10\.|11\.)" )
	{
	  vers = split(buf, sep:'.', keep:FALSE);
	  # < 10.1.8
	  if ( int(vers[0]) == 10 && ( int(vers[1]) < 1  || ( int(vers[1]) == 1 && int(vers[2]) < 8 ) ) )  security_hole(0);
	  else
          # < 11.3.0
	  if ( int(vers[0]) == 11 && int(vers[1]) < 3  ) security_hole(0);
	}
}

Oval

accepted2012-05-28T04:01:40.603-04:00
classvulnerability
contributors
  • nameRobert L. Hollis
    organizationThreatGuard, Inc.
  • nameRobert L. Hollis
    organizationThreatGuard, Inc.
  • nameDragos Prisaca
    organizationSecure Elements, Inc.
  • nameDragos Prisaca
    organizationSymantec Corporation
  • nameShane Shaffer
    organizationG2, Inc.
definition_extensions
  • commentMicrosoft Office 2000 is installed
    ovaloval:org.mitre.oval:def:93
  • commentMicrosoft Office XP is installed
    ovaloval:org.mitre.oval:def:663
  • commentMicrosoft Office 2003 is installed
    ovaloval:org.mitre.oval:def:233
  • commentMicrosoft Project 2000 SR1 is installed
    ovaloval:org.mitre.oval:def:518
  • commentMicrosoft Project 2002 SP1 is installed
    ovaloval:org.mitre.oval:def:707
  • commentMicrosoft Office Visio 2002 SP2 is installed
    ovaloval:org.mitre.oval:def:692
  • commentMicrosoft Word Viewer is installed
    ovaloval:org.mitre.oval:def:737
  • commentMicrosoft Excel Viewer 2003 is installed
    ovaloval:org.mitre.oval:def:439
descriptionUnspecified vulnerability in Microsoft Office 2000, XP, 2003, 2004 for Mac, and v.X for Mac allows remote user-assisted attackers to execute arbitrary code via a crafted string that triggers memory corruption.
familywindows
idoval:org.mitre.oval:def:389
statusaccepted
submitted2006-10-11T05:29:41
titleOffice Improper Memory Access Vulnerability
version12

References