Vulnerabilities > CVE-2006-3649 - Buffer Overflow vulnerability in Microsoft Visual Basic 6.2/6.3/6.4

CVSS v2 base score 5.1 - MEDIUM
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
high complexity
microsoft
nessus

Summary

Buffer overflow in Microsoft Visual Basic for Applications (VBA) SDK 6.0 through 6.4, as used by Microsoft Office 2000 SP3, Office XP SP3, Project 2000 SR1, Project 2002 SP1, Access 2000 Runtime SP3, Visio 2002 SP2, and Works Suite 2004 through 2006, allows user-assisted attackers to execute arbitrary code via unspecified document properties that are not verified when VBA is invoked to open documents.

Vulnerable Configurations

Part | Description | Count
Application | Microsoft | 4

Nessus

NASL family: Windows : Microsoft Bulletins
NASL id: SMB_NT_MS06-047.NASL
description: The remote host is running a version of Microsoft Visual Basic for Applications that is vulnerable to a buffer overflow when handling malformed documents. An attacker may exploit this flaw to execute arbitrary code on this host by sending a malformed file to a user of the remote host.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 22189
published: 2006-08-08
reporter: This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/22189
title: MS06-047: Vulnerability in Microsoft Visual Basic for Applications Could Allow Remote Code Execution (921645)
code:
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration phase: when `description` is set, this block only declares the
# plugin's metadata through the script_* calls below and then exits; none of
# the host checks further down the script are reached.
if (description)
{
 script_id(22189);
 script_version("1.39");
 script_cvs_date("Date: 2018/11/15 20:50:30");

 # Cross-references that let scan results be correlated with the CVE entry,
 # the Bugtraq and CERT notes, and the Microsoft bulletin / KB article.
 script_cve_id("CVE-2006-3649");
 script_bugtraq_id(19414);
 script_xref(name:"CERT", value:"159484");
 script_xref(name:"MSFT", value:"MS06-047");
 script_xref(name:"MSKB", value:"921645");

 script_name(english:"MS06-047: Vulnerability in Microsoft Visual Basic for Applications Could Allow Remote Code Execution (921645)");
 script_summary(english:"Determines the version of vbe6.dll");

 script_set_attribute(attribute:"synopsis", value:"Arbitrary code can be executed on the remote host through VBA.");
 script_set_attribute(attribute:"description", value:
"The remote host is running a version of Microsoft Visual Basic for
Applications that is vulnerable to a buffer overflow when handling
malformed documents.

An attacker may exploit this flaw to execute arbitrary code on this
host by sending a malformed file to a user of the remote host.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2006/ms06-047");
 # NOTE(review): the solution text does not name the fixed build; the check
 # later in this script treats vbe6.dll 6.4.99.72 as the patched version.
 script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Office.");
 # CVSS v2 base vector: network access vector, high access complexity, no
 # authentication, partial confidentiality / integrity / availability impact.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
 # CVSS v2 temporal vector: exploitability high, official fix available,
 # report confidence confirmed.
 script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
 # Triage hints recorded by the plugin author: exploits are available and the
 # flaw has been used by malware, which argues for prioritising the patch.
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"exploited_by_malware", value:"true");

 # Disclosure, patch and plugin release all carry the same date.
 script_set_attribute(attribute:"vuln_publication_date", value:"2006/08/08");
 script_set_attribute(attribute:"patch_publication_date", value:"2006/08/08");
 script_set_attribute(attribute:"plugin_publication_date", value:"2006/08/08");

 # "local": the check below reads a file version from the host over an
 # authenticated SMB session rather than probing a network service.
 script_set_attribute(attribute:"plugin_type", value:"local");
 # Product families listed as affected, one CPE per attribute call.
 script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:access");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:project");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:visio");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:works");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:visual_basic_software_development_kit");
 script_end_attributes();

 # Declared as an information-gathering check.
 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");

 # Scheduling prerequisites: the two dependency scripts and the KB key named
 # here (presumably written by ms_bulletin_checks_possible.nasl -- confirm).
 script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");

 # Needs SMB (139 or 445) or the patch-management KB entry.
 script_require_ports(139, 445, 'Host/patch_management_checks');
 exit(0);
}


include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");


# Detection logic for MS06-047: read the file version of vbe6.dll over an
# authenticated SMB session and flag builds of major version 6 that are older
# than 6.4.99.72. The script only reads file metadata; it changes nothing on
# the host apart from writing scanner KB entries.

# Stop here unless the bulletin-check prerequisite is recorded in the KB.
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS06-047';
kb = '921645';

# When patch-management data is present, hand the bulletin/KB pair to the
# third-party check first (its behaviour is defined in the included hotfix
# library, not in this file).
kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks"))
  hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);

common = hotfix_get_commonfilesdir();
if (!common)
  exit(1, "Failed to get the Common Files directory.");

# Expected location: <Common Files>\Microsoft Shared\VBA\VBA6\vbe6.dll
# Patched build:     6.4.99.72
# The drive letter of the Common Files path becomes the administrative share
# name ("C:" -> "C$"); the rest of the path, plus the DLL's relative
# location, becomes the file name to open on that share.
share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:common);
vba6 = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\Microsoft Shared\VBA\VBA6\vbe6.dll", string:common);

# NOTE(review): `port` is assigned but not read again in the visible code.
port = kb_smb_transport();
if (!smb_session_init())
  audit(AUDIT_FN_FAIL, "smb_session_init");

# Connect to the share with the credentials stored in the scanner KB.
rc = NetUseAdd(login:kb_smb_login(), password:kb_smb_password(), domain:kb_smb_domain(), share:share);
if (rc != 1)
{
  NetUseDel();
  audit(AUDIT_SHARE_FAIL, share);
}

# Read-only open of an existing file; nothing is created.
fh = CreateFile(file:vba6, desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL, share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);

# A missing or unopenable vbe6.dll is not reported: the script falls through
# to the final NetUseDel() and ends with no finding.
if (!isnull(fh))
{
  ver = GetFileVersion(handle:fh);
  CloseFile(handle:fh);

  # The file exists but its version resource could not be read: report an
  # error instead of silently treating the host as patched.
  if (isnull(ver))
  {
    NetUseDel();
    exit(1, "Failed to get file version.");
  }

  # Only the 6.x line is evaluated; any other major version is left alone.
  if (ver[0] == 6)
  {
    # Older than 6.4.99.72, compared component by component.
    if (ver[1] < 4 || (ver[1] == 4 && (ver[2] < 99 || (ver[2] == 99 && ver[3] < 72))))
    {
      hotfix_add_report(
        '\nPath : '+share-'$'+':'+vba6+
        '\nVersion : '+join(ver, sep:'.')+
        '\nShould be : 6.4.99.72\n',
        bulletin:bulletin, kb:kb);
      # Record the missing bulletin in the KB, then raise the finding.
      set_kb_item(name:"SMB/Missing/MS06-047", value:TRUE);
      hotfix_security_warning();

      NetUseDel();
      exit(0);
    }
  }
}

# Not affected, or the DLL is absent: release the share connection.
NetUseDel();

Oval

accepted: 2015-08-10T04:01:08.526-04:00
class: vulnerability
contributors:
  • name: Robert L. Hollis
    organization: ThreatGuard, Inc.
  • name: Clifford Farrugia
    organization: GFI Software
  • name: Maria Mikhno
    organization: ALTX-SOFT
definition_extensions:
  comment: Microsoft Visual Basic 6.0 is installed
  oval: oval:org.mitre.oval:def:15369
description: Buffer overflow in Microsoft Visual Basic for Applications (VBA) SDK 6.0 through 6.4, as used by Microsoft Office 2000 SP3, Office XP SP3, Project 2000 SR1, Project 2002 SP1, Access 2000 Runtime SP3, Visio 2002 SP2, and Works Suite 2004 through 2006, allows user-assisted attackers to execute arbitrary code via unspecified document properties that are not verified when VBA is invoked to open documents.
family: windows
id: oval:org.mitre.oval:def:694
status: accepted
submitted: 2006-08-11T12:53:40
title: Visual Basic for Applications Vulnerability
version: 10