Vulnerabilities > CVE-2006-4688 - Unspecified vulnerability in Microsoft Windows 2000, Windows 2003 Server and Windows XP

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
microsoft
nessus
exploit available
metasploit
NVD
Published: 2006-11-14
Updated: 2024-11-21

Summary

Buffer overflow in Client Service for NetWare (CSNW) in Microsoft Windows 2000 SP4, XP SP2, and Server 2003 up to SP1 allows remote attackers to execute arbitrary code via crafted messages, aka "Client Service for NetWare Memory Corruption Vulnerability."

Vulnerable Configurations

Part Description Count
OS
Microsoft
3

Exploit-Db

  • descriptionMicrosoft Services MS06-066 nwwks.dll. CVE-2006-4688. Remote exploit for windows platform
    idEDB-ID:16369
    last seen2016-02-01
    modified2010-05-09
    published2010-05-09
    reportermetasploit
    sourcehttps://www.exploit-db.com/download/16369/
    titleMicrosoft Services - nwwks.dll MS06-066
  • descriptionMicrosoft Services MS06-066 nwapi32.dll. CVE-2006-4688. Remote exploit for windows platform
    idEDB-ID:16373
    last seen2016-02-01
    modified2010-08-25
    published2010-08-25
    reportermetasploit
    sourcehttps://www.exploit-db.com/download/16373/
    titleMicrosoft Services - nwapi32.dll MS06-066

Metasploit

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS06-066.NASL
descriptionThe remote host contains a version of the Client Service for NetWare that is vulnerable to a buffer overflow. An attacker may exploit this to cause a denial of service by sending a malformed IPX packet to the remote host, or to execute arbitrary code by exploiting a flaw in the NetWare client.
last seen2020-06-01
modified2020-06-02
plugin id23643
published2006-11-14
reporterThis script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/23643
titleMS06-066: Vulnerability in the Client Service for NetWare Could Allow Remote Code Execution (923980)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(23643);
 script_version("1.31");
 script_cvs_date("Date: 2018/11/15 20:50:30");

 script_cve_id("CVE-2006-4688", "CVE-2006-4689");
 script_bugtraq_id(20984, 21023);
 script_xref(name:"MSFT", value:"MS06-066");
 script_xref(name:"MSKB", value:"923980");

 script_name(english:"MS06-066: Vulnerability in the Client Service for NetWare Could Allow Remote Code Execution (923980)");
 script_summary(english:"Determines the presence of update 923980");

 script_set_attribute(attribute:"synopsis", value:
"A flaw in the client service for NetWare may allow an attacker to
execute arbitrary code on the remote host.");
 script_set_attribute(attribute:"description", value:
"The remote host contains a version of the Client Service for NetWare
that is vulnerable to a buffer overflow.  An attacker may exploit this
to cause a denial of service by sending a malformed IPX packet to the
remote host, or to execute arbitrary code by exploiting a flaw in the
NetWare client.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2006/ms06-066");
 script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows 2000, XP and
2003.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"exploit_framework_core", value:"true");
 script_set_attribute(attribute:"metasploit_name", value:'MS06-066 Microsoft Services nwwks.dll Module Exploit');
 script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
 script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
 script_set_attribute(attribute:"canvas_package", value:'CANVAS');

 script_set_attribute(attribute:"vuln_publication_date", value:"2006/11/03");
 script_set_attribute(attribute:"patch_publication_date", value:"2006/11/14");
 script_set_attribute(attribute:"plugin_publication_date", value:"2006/11/14");

 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");

 script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");
 script_require_ports(139, 445, 'Host/patch_management_checks');
 exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS06-066';
kb = '923980';

kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(win2k:'4,5', xp:'2', win2003:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if ( hotfix_is_vulnerable(os:"5.2", sp:0, arch:"x86", file:"nwrdr.sys", version:"5.2.3790.588", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
     hotfix_is_vulnerable(os:"5.2", sp:1, arch:"x86", file:"nwrdr.sys", version:"5.2.3790.2783", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
     hotfix_is_vulnerable(os:"5.1", sp:2, file:"nwrdr.sys", version:"5.1.2600.3015", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
     hotfix_is_vulnerable(os:"5.0",       file:"nwrdr.sys", version:"5.0.2195.7110", dir:"\system32\drivers", bulletin:bulletin, kb:kb) )
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();

  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

Oval

accepted2007-02-20T13:40:29.545-05:00
classvulnerability
contributors
nameRobert L. Hollis
organizationThreatGuard, Inc.
definition_extensions
  • commentMicrosoft Windows 2000 SP4 or later is installed
    ovaloval:org.mitre.oval:def:229
  • commentMicrosoft Windows XP SP2 or later is installed
    ovaloval:org.mitre.oval:def:521
  • commentMicrosoft Windows Server 2003 (x86) Gold is installed
    ovaloval:org.mitre.oval:def:165
  • commentMicrosoft Windows Server 2003 SP1 (x86) is installed
    ovaloval:org.mitre.oval:def:565
descriptionBuffer overflow in Client Service for NetWare (CSNW) in Microsoft Windows 2000 SP4, XP SP2, and Server 2003 up to SP1 allows remote attackers to execute arbitrary code via crafted messages, aka "Client Service for NetWare Memory Corruption Vulnerability."
familywindows
idoval:org.mitre.oval:def:404
statusaccepted
submitted2006-11-15T12:28:05
titleMicrosoft Client Service for NetWare Memory Corruption Vulnerability
version41

Packetstorm

Saint

bid20984
descriptionMicrosoft Client Service for NetWare tree name buffer overflow
idwin_patch_netwaredrv
osvdb30260
titlemicrosoft_netware_treename
typeremote

References