Vulnerabilities > CVE-2006-4689 - Denial-Of-Service vulnerability in Microsoft Windows 2000, Windows 2003 Server and Windows XP

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
microsoft
nessus
NVD
Published: 2006-11-14
Updated: 2018-10-17

Summary

Unspecified vulnerability in the driver for the Client Service for NetWare (CSNW) in Microsoft Windows 2000 SP4, XP SP2, and Server 2003 up to SP1 allows remote attackers to cause a denial of service (hang and reboot) via has unknown attack vectors, aka "NetWare Driver Denial of Service Vulnerability."

Vulnerable Configurations

Part Description Count
OS
Microsoft
3

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS06-066.NASL
descriptionThe remote host contains a version of the Client Service for NetWare that is vulnerable to a buffer overflow. An attacker may exploit this to cause a denial of service by sending a malformed IPX packet to the remote host, or to execute arbitrary code by exploiting a flaw in the NetWare client.
last seen2020-06-01
modified2020-06-02
plugin id23643
published2006-11-14
reporterThis script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/23643
titleMS06-066: Vulnerability in the Client Service for NetWare Could Allow Remote Code Execution (923980)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(23643);
 script_version("1.31");
 script_cvs_date("Date: 2018/11/15 20:50:30");

 script_cve_id("CVE-2006-4688", "CVE-2006-4689");
 script_bugtraq_id(20984, 21023);
 script_xref(name:"MSFT", value:"MS06-066");
 script_xref(name:"MSKB", value:"923980");

 script_name(english:"MS06-066: Vulnerability in the Client Service for NetWare Could Allow Remote Code Execution (923980)");
 script_summary(english:"Determines the presence of update 923980");

 script_set_attribute(attribute:"synopsis", value:
"A flaw in the client service for NetWare may allow an attacker to
execute arbitrary code on the remote host.");
 script_set_attribute(attribute:"description", value:
"The remote host contains a version of the Client Service for NetWare
that is vulnerable to a buffer overflow.  An attacker may exploit this
to cause a denial of service by sending a malformed IPX packet to the
remote host, or to execute arbitrary code by exploiting a flaw in the
NetWare client.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2006/ms06-066");
 script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows 2000, XP and
2003.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"exploit_framework_core", value:"true");
 script_set_attribute(attribute:"metasploit_name", value:'MS06-066 Microsoft Services nwwks.dll Module Exploit');
 script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
 script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
 script_set_attribute(attribute:"canvas_package", value:'CANVAS');

 script_set_attribute(attribute:"vuln_publication_date", value:"2006/11/03");
 script_set_attribute(attribute:"patch_publication_date", value:"2006/11/14");
 script_set_attribute(attribute:"plugin_publication_date", value:"2006/11/14");

 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");

 script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");
 script_require_ports(139, 445, 'Host/patch_management_checks');
 exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS06-066';
kb = '923980';

kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(win2k:'4,5', xp:'2', win2003:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if ( hotfix_is_vulnerable(os:"5.2", sp:0, arch:"x86", file:"nwrdr.sys", version:"5.2.3790.588", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
     hotfix_is_vulnerable(os:"5.2", sp:1, arch:"x86", file:"nwrdr.sys", version:"5.2.3790.2783", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
     hotfix_is_vulnerable(os:"5.1", sp:2, file:"nwrdr.sys", version:"5.1.2600.3015", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
     hotfix_is_vulnerable(os:"5.0",       file:"nwrdr.sys", version:"5.0.2195.7110", dir:"\system32\drivers", bulletin:bulletin, kb:kb) )
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();

  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

Oval

accepted2007-02-20T13:40:30.055-05:00
classvulnerability
contributors
nameRobert L. Hollis
organizationThreatGuard, Inc.
definition_extensions
  • commentMicrosoft Windows 2000 SP4 or later is installed
    ovaloval:org.mitre.oval:def:229
  • commentMicrosoft Windows XP SP2 or later is installed
    ovaloval:org.mitre.oval:def:521
  • commentMicrosoft Windows Server 2003 (x86) Gold is installed
    ovaloval:org.mitre.oval:def:165
  • commentMicrosoft Windows Server 2003 SP1 (x86) is installed
    ovaloval:org.mitre.oval:def:565
descriptionUnspecified vulnerability in the driver for the Client Service for NetWare (CSNW) in Microsoft Windows 2000 SP4, XP SP2, and Server 2003 up to SP1 allows remote attackers to cause a denial of service (hang and reboot) via has unknown attack vectors, aka "NetWare Driver Denial of Service Vulnerability."
familywindows
idoval:org.mitre.oval:def:413
statusaccepted
submitted2006-11-15T12:28:05
titleMicrosoft Client Service for NetWare Memory Corruption Vulnerability
version41

Saint

bid20984
descriptionMicrosoft Client Service for NetWare tree name buffer overflow
idwin_patch_netwaredrv
osvdb30260
titlemicrosoft_netware_treename
typeremote

References