CVE-2006-3439 - Remote Buffer Overflow vulnerability in Microsoft Windows 2000, Windows 2003 Server and Windows XP

CVSS 10.0 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE

Summary

Buffer overflow in the Server Service in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allows remote attackers, including anonymous users, to execute arbitrary code via a crafted RPC message, a different vulnerability than CVE-2006-1314.

Exploit-Db

  • description: MS Windows NetpIsRemote() Remote Overflow Exploit (MS06-040) (2). CVE-2006-3439. Remote exploit for Windows platform
    id: EDB-ID:2265
    last seen: 2016-01-31
    modified: 2006-08-28
    published: 2006-08-28
    reporter: ub3rst4r
    source: https://www.exploit-db.com/download/2265/
    title: Microsoft Windows - NetpIsRemote Remote Overflow Exploit MS06-040 2
  • description: Microsoft Server Service NetpwPathCanonicalize Overflow. CVE-2006-3439. Remote exploit for Windows platform
    id: EDB-ID:16367
    last seen: 2016-02-01
    modified: 2011-02-17
    published: 2011-02-17
    reporter: metasploit
    source: https://www.exploit-db.com/download/16367/
    title: Microsoft Server Service NetpwPathCanonicalize Overflow
  • description: MS Windows CanonicalizePathName() Remote Exploit (MS06-040). CVE-2006-3439. Remote exploit for Windows platform
    id: EDB-ID:2223
    last seen: 2016-01-31
    modified: 2006-08-19
    published: 2006-08-19
    reporter: Preddy
    source: https://www.exploit-db.com/download/2223/
    title: Microsoft Windows - CanonicalizePathName Remote Exploit MS06-040
  • description: MS Windows NetpIsRemote() Remote Overflow Exploit (MS06-040). CVE-2006-3439. Remote exploit for Windows platform
    id: EDB-ID:2162
    last seen: 2016-01-31
    modified: 2006-08-10
    published: 2006-08-10
    reporter: H D Moore
    source: https://www.exploit-db.com/download/2162/
    title: Microsoft Windows - NetpIsRemote Remote Overflow Exploit MS06-040
  • description: MS Windows NetpIsRemote() Remote Overflow Exploit (MS06-040) (2k3). CVE-2006-3439. Remote exploit for Windows platform
    id: EDB-ID:2355
    last seen: 2016-01-31
    modified: 2006-09-13
    published: 2006-09-13
    reporter: Trirat Puttaraksa
    source: https://www.exploit-db.com/download/2355/
    title: Microsoft Windows 2003 - NetpIsRemote Remote Overflow Exploit MS06-040

Metasploit

description: This module exploits a stack buffer overflow in the NetApi32 CanonicalizePathName() function using the NetpwPathCanonicalize RPC call in the Server Service. It is likely that other RPC calls could be used to exploit this service. This exploit will result in a denial of service on Windows XP SP2 or Windows 2003 SP1. A failed exploit attempt will likely result in a complete reboot on Windows 2000 and the termination of all SMB-related services on Windows XP. The default target for this exploit should succeed on Windows NT 4.0, Windows 2000 SP0-SP4+, Windows XP SP0-SP1 and Windows 2003 SP0.
id: MSF:EXPLOIT/WINDOWS/SMB/MS06_040_NETAPI
last seen: 2020-02-29
modified: 2019-12-03
published: 2007-02-18
references: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3439
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/smb/ms06_040_netapi.rb
title: MS06-040 Microsoft Server Service NetpwPathCanonicalize Overflow

Nessus

  • NASL family: Windows
    NASL id: SMB_KB921883.NASL
    description: The remote host is vulnerable to a buffer overrun in the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22194
    published: 2006-08-08
    reporter: This script is Copyright (C) 2006-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/22194
    title: MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (921883) (uncredentialed check)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
     script_id(22194);
     script_version("1.32");
     script_cvs_date("Date: 2018/11/15 20:50:28");
    
     script_cve_id("CVE-2006-3439");
     script_bugtraq_id(19409);
     script_xref(name:"MSFT", value:"MS06-040");
     script_xref(name:"MSKB", value:"921883");
    
     script_name(english:"MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (921883) (uncredentialed check)");
     script_summary(english:"Determines the presence of update 921883");
    
     script_set_attribute(attribute:"synopsis", value:
    "Arbitrary code can be executed on the remote host due to a flaw in the
    'Server' service.");
     script_set_attribute(attribute:"description", value:
    "The remote host is vulnerable to a buffer overrun in the 'Server'
    service that may allow an attacker to execute arbitrary code on the
    remote host with 'SYSTEM' privileges.");
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2006/ms06-040");
     script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows 2000, XP and 2003.");
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
     script_set_attribute(attribute:"cvss_score_source", value:"CVE-2006-3439");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
     script_set_attribute(attribute:"exploit_framework_core", value:"true");
     script_set_attribute(attribute:"metasploit_name", value:'MS06-040 Microsoft Server Service NetpwPathCanonicalize Overflow');
     script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
     script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
     script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2006/08/08");
     script_set_attribute(attribute:"patch_publication_date", value:"2006/08/08");
     script_set_attribute(attribute:"plugin_publication_date", value:"2006/08/08");
    
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2006-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
     script_family(english:"Windows");
    
     script_dependencies("smb_nativelanman.nasl","smb_login.nasl");
     script_require_keys("Host/OS/smb");
     script_require_ports(139, 445);
     exit(0);
    }
    
    #
    
    include ('smb_func.inc');
    
    global_var rpipe;
    
    function  NetPathCanonicalize ()
    {
     local_var fid, data, rep, ret;
    
     fid = bind_pipe (pipe:"\browser", uuid:"4b324fc8-1670-01d3-1278-5a47bf6ee188", vers:3);
     if (isnull (fid))
       return 0;
    
     # we initialize the buffer first
     data = class_parameter (name:"m", ref_id:0x20000) +
      class_name (name:"") +
      raw_dword (d:20) +
            class_name (name:"nessus") + # wcscpy in the buffer
      raw_dword (d:1) +
      raw_dword (d:0) ;
    
    
     data = dce_rpc_pipe_request (fid:fid, code:0x1f, data:data);
     if (!data)
       return 0;
    
     rep = dce_rpc_parse_response (fid:fid, data:data);
     if (!rep || (strlen(rep) != 32))
       return 0;
    
     ret = get_dword (blob:rep, pos:strlen(rep)-4);
     if ((ret != 0x84b) && (ret != 0x7b))
       return 0;
    
     # the patch should fill the buffer with 0, else it will return "nessus"
     data = class_parameter (name:"m", ref_id:0x20000) +
      class_name (name:"") +  # the path reinitialize the buffer
      raw_dword (d:20) +
            class_name (name:"") +
      raw_dword (d:1) +
      raw_dword (d:0) ;
    
     data = dce_rpc_pipe_request (fid:fid, code:0x1f, data:data);
     if (!data)
       return 0;
    
     rep = dce_rpc_parse_response (fid:fid, data:data);
     if (!rep || (strlen(rep) != 32))
       return 0;
    
     ret = get_dword (blob:rep, pos:strlen(rep)-4);
     if ((ret != 0x84b) && (ret != 0x7b))
       return 0;
    
     ret = get_dword (blob:rep, pos:0);
     if (ret != 20)
       return 0;
    
     ret = get_string (blob:rep, pos:4, _type:1);
     if (ret == "nessus\")
       return 1;
    
     return 0;
    }
    
    os = get_kb_item ("Host/OS/smb") ;
    if ("Windows" >!< os) exit(0);
    
    name = kb_smb_name();
    port = kb_smb_transport();
    
    if ( ! get_port_state(port) ) exit(0);
    soc = open_sock_tcp(port);
    if ( ! soc ) exit(0);
    
    session_init(socket:soc, hostname:name);
    
    r = NetUseAdd(share:"IPC$");
    if ( r == 1 )
    {
     ret = NetPathCanonicalize ();
     if (ret == 1)
       security_hole(port:port);
    
     NetUseDel();
    }
    
  • NASL family: Windows : Microsoft Bulletins
    NASL id: SMB_NT_MS06-040.NASL
    description: The remote host is vulnerable to a buffer overrun in the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22182
    published: 2006-08-08
    reporter: This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/22182
    title: MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (921883)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
     script_id(22182);
     script_version("1.32");
     script_cvs_date("Date: 2018/11/15 20:50:30");
    
     script_cve_id("CVE-2006-3439");
     script_bugtraq_id(19409);
     script_xref(name:"CERT", value:"650769");
     script_xref(name:"MSFT", value:"MS06-040");
     script_xref(name:"MSKB", value:"921883");
    
     script_name(english:"MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (921883)");
     script_summary(english:"Determines the presence of update 921883");
    
     script_set_attribute(attribute:"synopsis", value:
    "Arbitrary code can be executed on the remote host due to a flaw in the
    'server' service.");
     script_set_attribute(attribute:"description", value:
    "The remote host is vulnerable to a buffer overrun in the 'Server'
    service that could allow an attacker to execute arbitrary code on the
    remote host with 'SYSTEM' privileges.");
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2006/ms06-040");
     script_set_attribute(attribute:"solution", value:
    "Microsoft has released a set of patches for Windows 2000, XP and
    2003.");
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
     script_set_attribute(attribute:"exploit_framework_core", value:"true");
     script_set_attribute(attribute:"metasploit_name", value:'MS06-040 Microsoft Server Service NetpwPathCanonicalize Overflow');
     script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
     script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
     script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2006/08/08");
     script_set_attribute(attribute:"patch_publication_date", value:"2006/08/08");
     script_set_attribute(attribute:"plugin_publication_date", value:"2006/08/08");
    
     script_set_attribute(attribute:"plugin_type", value:"local");
     script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
    
     script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
     script_family(english:"Windows : Microsoft Bulletins");
    
     script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
     script_require_keys("SMB/MS_Bulletin_Checks/Possible");
     script_require_ports(139, 445, 'Host/patch_management_checks');
     exit(0);
    }
    
    include("audit.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("smb_func.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = 'MS06-040';
    kb = '921883';
    
    kbs = make_list(kb);
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(win2k:'4,5', xp:'1,2', win2003:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    rootfile = hotfix_get_systemroot();
    if (!rootfile) exit(1, "Failed to get the system root.");
    
    share = hotfix_path2share(path:rootfile);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if ( hotfix_is_vulnerable(os:"5.2", sp:0, file:"Netapi32.dll", version:"5.2.3790.559", dir:"\system32", bulletin:bulletin, kb:kb) ||
         hotfix_is_vulnerable(os:"5.2", sp:1, file:"Netapi32.dll", version:"5.2.3790.2769", dir:"\system32", bulletin:bulletin, kb:kb) ||
         hotfix_is_vulnerable(os:"5.1", sp:1, file:"Netapi32.dll", version:"5.1.2600.1874", dir:"\system32", bulletin:bulletin, kb:kb) ||
         hotfix_is_vulnerable(os:"5.1", sp:2, file:"Netapi32.dll", version:"5.1.2600.2952", dir:"\system32", bulletin:bulletin, kb:kb) ||
         hotfix_is_vulnerable(os:"5.0", file:"Netapi32.dll", version:"5.0.2195.7105", dir:"\system32", bulletin:bulletin, kb:kb) )
    {
      set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
      hotfix_security_hole();
    
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, 'affected');
    }
    

Oval

accepted: 2014-03-17T04:00:20.273-04:00
class: vulnerability
contributors:
  • name: Robert L. Hollis
    organization: ThreatGuard, Inc.
  • name: Shane Shaffer
    organization: G2, Inc.
  • name: Maria Mikhno
    organization: ALTX-SOFT
definition_extensions:
  • comment: Microsoft Windows 2000 SP4 or later is installed
    oval: oval:org.mitre.oval:def:229
  • comment: Microsoft Windows XP SP1 (32-bit) is installed
    oval: oval:org.mitre.oval:def:1
  • comment: Microsoft Windows XP SP2 or later is installed
    oval: oval:org.mitre.oval:def:521
  • comment: Microsoft Windows XP SP1 (64-bit) is installed
    oval: oval:org.mitre.oval:def:480
  • comment: Microsoft Windows Server 2003 (x86) Gold is installed
    oval: oval:org.mitre.oval:def:165
  • comment: Microsoft Windows Server 2003 SP1 (x86) is installed
    oval: oval:org.mitre.oval:def:565
description: Buffer overflow in the Server Service in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allows remote attackers, including anonymous users, to execute arbitrary code via a crafted RPC message, a different vulnerability than CVE-2006-1314.
family: windows
id: oval:org.mitre.oval:def:492
status: accepted
submitted: 2006-08-11T12:53:40
title: Buffer Overrun in Server Service Vulnerability
version: 73

Packetstorm

data source: https://packetstormsecurity.com/files/download/82940/ms06_040_netapi.rb.txt
id: PACKETSTORM:82940
last seen: 2016-12-05
published: 2009-11-26
reporter: H D Moore
source: https://packetstormsecurity.com/files/82940/Microsoft-Server-Service-NetpwPathCanonicalize-Overflow.html
title: Microsoft Server Service NetpwPathCanonicalize Overflow

Saint

bid: 19409
description: Windows Server Service buffer overflow
id: win_patch_servserv
osvdb: 27845
title: windows_server_service
type: remote