CVE-2006-4691 - Remote Code Execution vulnerability in Microsoft Windows 2000 and Windows XP
Metric | Value |
---|---|
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | COMPLETE |
Integrity impact | COMPLETE |
Availability impact | COMPLETE |
Summary
Stack-based buffer overflow in the NetpManageIPCConnect function in the Workstation service (wkssvc.dll) in Microsoft Windows 2000 SP4 and XP SP2 allows remote attackers to execute arbitrary code via NetrJoinDomain2 RPC messages with a long hostname.
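The summary above describes the bug as an attacker-chosen hostname, carried in a NetrJoinDomain2 request, being copied into a fixed-size stack buffer without a length check. The C below is an added illustration of that pattern next to its hardened form; it is written for this page and is not code from wkssvc.dll, from the Exploit-DB entries or from the Metasploit module. The buffer capacity (64 wide characters), the string being assembled (`\\<host>\IPC$`, the IPC$ connection the function name suggests) and all function names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

/* Capacity of the stack buffer that receives "\\<host>\IPC$". The real
   size inside wkssvc.dll is not given on this page; 64 wide characters is
   an assumption picked so that a hostname of a few hundred characters
   visibly overruns it. */
#define IPC_PATH_CAP 64

static const wchar_t IPC_PREFIX[] = L"\\\\";   /* leading backslashes   */
static const wchar_t IPC_SUFFIX[] = L"\\IPC$"; /* the IPC$ share suffix */

/* Wide characters the full path needs, excluding the terminating NUL. */
size_t ipc_path_length(const wchar_t *host)
{
    return wcslen(IPC_PREFIX) + wcslen(host) + wcslen(IPC_SUFFIX);
}

/* Vulnerable pattern: the hostname comes straight from the RPC request
   and its length is never compared with the destination size. With a
   name longer than roughly IPC_PATH_CAP - 8 characters the wcscat() runs
   past the end of `path` and over whatever follows it on the stack,
   which is the overflow the CVE summary describes. Only call this with
   a name already known to fit. */
void build_ipc_path_unchecked(wchar_t *path, const wchar_t *host)
{
    wcscpy(path, IPC_PREFIX);
    wcscat(path, host);
    wcscat(path, IPC_SUFFIX);
}

/* Hardened form: the same three copies, preceded by a bound check that
   fails closed. It also refuses an empty name and names carrying a path
   separator, which would redirect the connection to a different share.
   Returns the path length on success, -1 if the input is refused; on
   refusal `path` is left untouched. */
int build_ipc_path_checked(wchar_t *path, size_t cap, const wchar_t *host)
{
    size_t need = ipc_path_length(host);

    if (wcslen(host) == 0 || wcspbrk(host, L"\\/") != NULL)
        return -1;
    if (need + 1 > cap)            /* +1 for the terminating NUL */
        return -1;

    build_ipc_path_unchecked(path, host);   /* safe: length verified above */
    return (int)need;
}

/* Constructed test input: a 299-character hostname, far beyond any
   legitimate NetBIOS or DNS host name. */
const wchar_t *constructed_long_hostname(void)
{
    static wchar_t name[300];
    size_t i;
    for (i = 0; i < sizeof name / sizeof name[0] - 1; i++)
        name[i] = L'A';
    name[i] = L'\0';
    return name;
}

/* Scratch destination with the assumed stack-buffer capacity. */
wchar_t demo_path[IPC_PATH_CAP];

int main(void)
{
    int rc;

    rc = build_ipc_path_checked(demo_path, IPC_PATH_CAP, L"WORKSTATION1");
    printf("short host: rc=%d path=%ls\n", rc, demo_path);

    rc = build_ipc_path_checked(demo_path, IPC_PATH_CAP,
                                constructed_long_hostname());
    printf("long host : rc=%d (needs %zu wide chars, buffer holds %d)\n",
           rc, ipc_path_length(constructed_long_hostname()), IPC_PATH_CAP);
    return 0;
}
```

Build with `gcc -std=c99 -Wall ipc_path.c` and run it: the short name yields a 19-character path, the 299-character name is refused because it would need 306 wide characters plus the NUL. The point of keeping the unchecked routine inside the checked one is that the fix is the bound check in front of the copies, not a different copy; that is the invariant any correct fix for this class of bug has to enforce before the data reaches the stack buffer.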
Vulnerable Configurations
Part | Description | Count |
---|---|---|
OS | | 2 |
Exploit-Db
description | MS Windows NetpManageIPCConnect Stack Overflow Exploit (py). CVE-2006-4691. Remote exploit for windows platform |
id | EDB-ID:2809 |
last seen | 2016-01-31 |
modified | 2006-11-18 |
published | 2006-11-18 |
reporter | Winny Thomas |
source | https://www.exploit-db.com/download/2809/ |
title | Microsoft Windows NetpManageIPCConnect Stack Overflow Exploit py |

description | Microsoft Workstation Service NetpManageIPCConnect Overflow. CVE-2006-4691. Remote exploit for windows platform |
id | EDB-ID:16372 |
last seen | 2016-02-01 |
modified | 2010-10-05 |
published | 2010-10-05 |
reporter | metasploit |
source | https://www.exploit-db.com/download/16372/ |
title | Microsoft Workstation Service NetpManageIPCConnect Overflow |

description | MS Windows NetpManageIPCConnect Stack Overflow Exploit (MS06-070). CVE-2006-4691. Remote exploit for windows platform |
id | EDB-ID:2789 |
last seen | 2016-01-31 |
modified | 2006-11-16 |
published | 2006-11-16 |
reporter | cocoruder |
source | https://www.exploit-db.com/download/2789/ |
title | Microsoft Windows - NetpManageIPCConnect Stack Overflow Exploit MS06-070 |

description | MS Windows Wkssvc NetrJoinDomain2 Stack Overflow Exploit (MS06-070). CVE-2006-4691. Remote exploit for windows platform |
id | EDB-ID:2800 |
last seen | 2016-01-31 |
modified | 2006-11-17 |
published | 2006-11-17 |
reporter | S A Stevens |
source | https://www.exploit-db.com/download/2800/ |
title | Microsoft Windows - Wkssvc NetrJoinDomain2 - Stack Overflow Exploit MS06-070 |
Metasploit
description | This module exploits a stack buffer overflow in the NetApi32 NetpManageIPCConnect function using the Workstation service in Windows 2000 SP4 and Windows XP SP2. In order to exploit this vulnerability, you must specify the name of a valid Windows DOMAIN. It may be possible to satisfy this condition by using a custom DNS and LDAP setup, however that method is not covered here. Although Windows XP SP2 is vulnerable, Microsoft reports that Administrator credentials are required to reach the vulnerable code. Windows XP SP1 only requires valid user credentials. Also, testing shows that a machine already joined to a domain is not exploitable. |
id | MSF:EXPLOIT/WINDOWS/SMB/MS06_070_WKSSVC |
last seen | 2020-02-29 |
modified | 2017-09-17 |
published | 2009-12-29 |
references | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4691 |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/smb/ms06_070_wkssvc.rb |
title | MS06-070 Microsoft Workstation Service NetpManageIPCConnect Overflow |
Nessus
NASL family | Windows : Microsoft Bulletins |
NASL id | SMB_NT_MS06-070.NASL |
description | The remote host is vulnerable to a buffer overrun in the |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 23646 |
published | 2006-11-14 |
reporter | This script is Copyright (C) 2006-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/23646 |
title | MS06-070: Vulnerability in Workstation Service Could Allow Remote Code Execution (924270) |
Oval
accepted | 2011-10-03T04:00:06.894-04:00 |
class | vulnerability |
contributors | Robert L. Hollis (ThreatGuard, Inc.); Shane Shaffer (G2, Inc.); Pradeep R B (SecPod Technologies) |
definition_extensions | Microsoft Windows 2000 SP4 or later is installed (oval:org.mitre.oval:def:229); Microsoft Windows XP SP2 or later is installed (oval:org.mitre.oval:def:521) |
description | Stack-based buffer overflow in the NetpManageIPCConnect function in the Workstation service (wkssvc.dll) in Microsoft Windows 2000 SP4 and XP SP2 allows remote attackers to execute arbitrary code via NetrJoinDomain2 RPC messages with a long hostname. |
family | windows |
id | oval:org.mitre.oval:def:607 |
status | accepted |
submitted | 2006-11-15T12:28:05 |
title | Workstation Service Memory Corruption Vulnerability |
version | 73 |

accepted | 2007-02-20T13:41:01.806-05:00 |
class | vulnerability |
contributors | Robert L. Hollis (ThreatGuard, Inc.); Todd Dolinsky (Opsware, Inc.); Pradeep R B (SecPod Technologies) |
definition_extensions | Windows 2000 SP4 is installed (oval:org.mitre.oval:def:229); Windows XP, SP2 is installed (oval:org.mitre.oval:def:521) |
description | Stack-based buffer overflow in the NetpManageIPCConnect function in the Workstation service (wkssvc.dll) in Microsoft Windows 2000 SP4 and XP SP2 allows remote attackers to execute arbitrary code via NetrJoinDomain2 RPC messages with a long hostname. |
family | windows |
id | oval:org.mitre.oval:def:908 |
status | deprecated (note that this definition's title names a different vulnerability than its description; use def:607 for CVE-2006-4691 checks) |
submitted | 2006-11-15T12:28:05 |
title | Microsoft Client Service for NetWare Memory Corruption Vulnerability |
version | 70 |
Packetstorm
data source | https://packetstormsecurity.com/files/download/84577/ms06_070_wkssvc.rb.txt |
id | PACKETSTORM:84577 |
last seen | 2016-12-05 |
published | 2009-12-31 |
reporter | jduck |
source | https://packetstormsecurity.com/files/84577/Microsoft-Workstation-Service-NetpManageIPCConnect-Overflow.html |
title | Microsoft Workstation Service NetpManageIPCConnect Overflow |
Saint
bid | 20985 |
description | Windows Workstation service NetpManageIPCConnect buffer overflow |
id | win_patch_workstationrce |
osvdb | 30263 |
title | windows_workstation_ipcconnect |
type | remote |
References
- http://research.eeye.com/html/advisories/published/AD20061114.html
- http://secunia.com/advisories/22883
- http://securitytracker.com/id?1017221
- http://www.kb.cert.org/vuls/id/778036
- http://www.securityfocus.com/archive/1/451588/100/0/threaded
- http://www.securityfocus.com/bid/20985
- http://www.us-cert.gov/cas/techalerts/TA06-318A.html
- http://www.vupen.com/english/advisories/2006/4508
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-070
- https://exchange.xforce.ibmcloud.com/vulnerabilities/29948
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A607
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A908