Vulnerabilities > CVE-2006-4691 - Remote Code Execution vulnerability in Microsoft Windows 2000 and Windows XP

CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
microsoft
critical
nessus
exploit available
metasploit

Summary

Stack-based buffer overflow in the NetpManageIPCConnect function in the Workstation service (wkssvc.dll) in Microsoft Windows 2000 SP4 and XP SP2 allows remote attackers to execute arbitrary code via NetrJoinDomain2 RPC messages with a long hostname.

Vulnerable Configurations

Part Description Count
OS
Microsoft
2

Exploit-Db

  • description: MS Windows NetpManageIPCConnect Stack Overflow Exploit (py). CVE-2006-4691. Remote exploit for windows platform
    id: EDB-ID:2809
    last seen: 2016-01-31
    modified: 2006-11-18
    published: 2006-11-18
    reporter: Winny Thomas
    source: https://www.exploit-db.com/download/2809/
    title: Microsoft Windows NetpManageIPCConnect Stack Overflow Exploit py
  • description: Microsoft Workstation Service NetpManageIPCConnect Overflow. CVE-2006-4691. Remote exploit for windows platform
    id: EDB-ID:16372
    last seen: 2016-02-01
    modified: 2010-10-05
    published: 2010-10-05
    reporter: metasploit
    source: https://www.exploit-db.com/download/16372/
    title: Microsoft Workstation Service NetpManageIPCConnect Overflow
  • description: MS Windows NetpManageIPCConnect Stack Overflow Exploit (MS06-070). CVE-2006-4691. Remote exploit for windows platform
    id: EDB-ID:2789
    last seen: 2016-01-31
    modified: 2006-11-16
    published: 2006-11-16
    reporter: cocoruder
    source: https://www.exploit-db.com/download/2789/
    title: Microsoft Windows - NetpManageIPCConnect Stack Overflow Exploit MS06-070
  • description: MS Windows Wkssvc NetrJoinDomain2 Stack Overflow Exploit (MS06-070). CVE-2006-4691. Remote exploit for windows platform
    id: EDB-ID:2800
    last seen: 2016-01-31
    modified: 2006-11-17
    published: 2006-11-17
    reporter: S A Stevens
    source: https://www.exploit-db.com/download/2800/
    title: Microsoft Windows - Wkssvc NetrJoinDomain2 - Stack Overflow Exploit MS06-070

Metasploit

description: This module exploits a stack buffer overflow in the NetApi32 NetpManageIPCConnect function using the Workstation service in Windows 2000 SP4 and Windows XP SP2. In order to exploit this vulnerability, you must specify the name of a valid Windows DOMAIN. It may be possible to satisfy this condition by using a custom DNS and LDAP setup; however, that method is not covered here. Although Windows XP SP2 is vulnerable, Microsoft reports that Administrator credentials are required to reach the vulnerable code. Windows XP SP1 only requires valid user credentials. Also, testing shows that a machine already joined to a domain is not exploitable.
id: MSF:EXPLOIT/WINDOWS/SMB/MS06_070_WKSSVC
last seen: 2020-02-29
modified: 2017-09-17
published: 2009-12-29
references: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4691
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/smb/ms06_070_wkssvc.rb
title: MS06-070 Microsoft Workstation Service NetpManageIPCConnect Overflow

Nessus

NASL family: Windows : Microsoft Bulletins
NASL id: SMB_NT_MS06-070.NASL
description: The remote host is vulnerable to a buffer overrun in the 'workstation' service that could allow an attacker to execute arbitrary code on the remote host with the 'System' privileges.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 23646
published: 2006-11-14
reporter: This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/23646
title: MS06-070: Vulnerability in Workstation Service Could Allow Remote Code Execution (924270)
code
#
# Tenable Network Security, Inc.
#

include("compat.inc");

# Plugin registration block: the metadata Nessus uses to identify, score
# and schedule this check. Nothing in here touches the target; the actual
# file-version test runs further down once the plugin is executed.
if (description)
{
 script_id(23646);
 script_version("1.32");
 script_cvs_date("Date: 2018/11/15 20:50:30");

 # Cross-references: CVE, BugTraq id, Microsoft bulletin and KB article.
 script_cve_id("CVE-2006-4691");
 script_bugtraq_id(20985);
 script_xref(name:"MSFT", value:"MS06-070");
 script_xref(name:"MSKB", value:"924270");

 script_name(english:"MS06-070: Vulnerability in Workstation Service Could Allow Remote Code Execution (924270)");
 script_summary(english:"Determines the presence of update 924270");

 script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host due to a flaw in the
'workstation' service.");
 script_set_attribute(attribute:"description", value:
"The remote host is vulnerable to a buffer overrun in the 'workstation' service
that could allow an attacker to execute arbitrary code on the remote host
with the 'System' privileges.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2006/ms06-070");
 script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows 2000 and XP.");
 # CVSSv2 base 10.0: network vector, low complexity, no authentication,
 # complete confidentiality/integrity/availability impact. Temporal vector:
 # functional exploit (E:F), official fix available (RL:OF), confirmed (RC:C).
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
 # Public exploit code is tracked in Metasploit and CANVAS, so a host that
 # is missing this update should be treated as an immediate remediation priority.
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"exploit_framework_core", value:"true");
 script_set_attribute(attribute:"metasploit_name", value:'MS06-070 Microsoft Workstation Service NetpManageIPCConnect Overflow');
 script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
 script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
 script_set_attribute(attribute:"canvas_package", value:'CANVAS');

 # Disclosure, patch and plugin all date from the same bulletin release.
 script_set_attribute(attribute:"vuln_publication_date", value:"2006/11/14");
 script_set_attribute(attribute:"patch_publication_date", value:"2006/11/14");
 script_set_attribute(attribute:"plugin_publication_date", value:"2006/11/14");

 # "local": a credentialed check that inspects a DLL version on the target
 # over SMB rather than probing the Workstation service's RPC interface.
 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");

 # Runs only after the generic SMB hotfix enumeration has established that
 # bulletin checks are possible; needs the SMB ports (139/445) or the
 # patch-management KB key to be present.
 script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");
 script_require_ports(139, 445, 'Host/patch_management_checks');
 exit(0);
}

include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");

# Bail out unless the dependency plugins have established that credentialed
# bulletin checks are possible on this host.
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS06-070';
kb = '924270';

# When the scan is configured to use a patch-management data source, hand
# the KB number over so it can be evaluated there as well.
kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks"))
  hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

# Registry enumeration and the OS version are required for the file check.
get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

# Only Windows 2000 SP4/SP5 and XP SP2 are in scope for MS06-070; any other
# platform or service-pack level is reported as not affected right here.
if (hotfix_check_sp_range(win2k:'4,5', xp:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

winroot = hotfix_get_systemroot();
if (!winroot) exit(1, "Failed to get the system root.");

# An unreachable admin share is an audit condition, not a clean result: the
# host is left unassessed rather than being marked as patched.
sysshare = hotfix_path2share(path:winroot);
if (!is_accessible_share(share:sysshare)) audit(AUDIT_SHARE_FAIL, sysshare);

# MS06-070 ships an updated Netapi32.dll; compare the installed build against
# the fixed version for each supported OS. XP SP2 is tested first and the
# Windows 2000 check is consulted only if XP did not match.
missing = hotfix_is_vulnerable(os:"5.1", sp:2, file:"Netapi32.dll", version:"5.1.2600.2976", dir:"\system32", bulletin:bulletin, kb:kb);
if (!missing)
  missing = hotfix_is_vulnerable(os:"5.0", file:"Netapi32.dll", version:"5.0.2195.7108", dir:"\system32", bulletin:bulletin, kb:kb);

if (missing)
{
  # Record the missing bulletin for other plugins and raise the finding.
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
}

# Always release the file-check session before leaving.
hotfix_check_fversion_end();

if (missing) exit(0);
audit(AUDIT_HOST_NOT, 'affected');

Oval

  • accepted: 2011-10-03T04:00:06.894-04:00
    class: vulnerability
    contributors:
    • name: Robert L. Hollis
      organization: ThreatGuard, Inc.
    • name: Shane Shaffer
      organization: G2, Inc.
    • name: Pradeep R B
      organization: SecPod Technologies
    definition_extensions:
    • comment: Microsoft Windows 2000 SP4 or later is installed
      oval: oval:org.mitre.oval:def:229
    • comment: Microsoft Windows XP SP2 or later is installed
      oval: oval:org.mitre.oval:def:521
    description: Stack-based buffer overflow in the NetpManageIPCConnect function in the Workstation service (wkssvc.dll) in Microsoft Windows 2000 SP4 and XP SP2 allows remote attackers to execute arbitrary code via NetrJoinDomain2 RPC messages with a long hostname.
    family: windows
    id: oval:org.mitre.oval:def:607
    status: accepted
    submitted: 2006-11-15T12:28:05
    title: Workstation Service Memory Corruption Vulnerability
    version: 73
  • accepted: 2007-02-20T13:41:01.806-05:00
    class: vulnerability
    contributors:
    • name: Robert L. Hollis
      organization: ThreatGuard, Inc.
    • name: Todd Dolinsky
      organization: Opsware, Inc.
    • name: Pradeep R B
      organization: SecPod Technologies
    definition_extensions:
    • comment: Windows 2000 SP4 is installed
      oval: oval:org.mitre.oval:def:229
    • comment: Windows XP, SP2 is installed
      oval: oval:org.mitre.oval:def:521
    description: Stack-based buffer overflow in the NetpManageIPCConnect function in the Workstation service (wkssvc.dll) in Microsoft Windows 2000 SP4 and XP SP2 allows remote attackers to execute arbitrary code via NetrJoinDomain2 RPC messages with a long hostname.
    family: windows
    id: oval:org.mitre.oval:def:908
    status: deprecated
    submitted: 2006-11-15T12:28:05
    title: Microsoft Client Service for NetWare Memory Corruption Vulnerability
    version: 70

Packetstorm

data source: https://packetstormsecurity.com/files/download/84577/ms06_070_wkssvc.rb.txt
id: PACKETSTORM:84577
last seen: 2016-12-05
published: 2009-12-31
reporter: jduck
source: https://packetstormsecurity.com/files/84577/Microsoft-Workstation-Service-NetpManageIPCConnect-Overflow.html
title: Microsoft Workstation Service NetpManageIPCConnect Overflow

Saint

bid: 20985
description: Windows Workstation service NetpManageIPCConnect buffer overflow
id: win_patch_workstationrce
osvdb: 30263
title: windows_workstation_ipcconnect
type: remote