Vulnerabilities > CVE-2006-4704 - Code Execution vulnerability in Microsoft Visual Studio .Net 2005

047910
CVSS 6.8 - MEDIUM
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
network
microsoft
nessus
exploit available
metasploit

Summary

Cross-zone scripting vulnerability in the WMI Object Broker (WMIScriptUtils.WMIObjectBroker2) ActiveX control (WmiScriptUtils.dll) in Microsoft Visual Studio 2005 allows remote attackers to bypass Internet zone restrictions and execute arbitrary code by instantiating dangerous objects, aka "WMI Object Broker Vulnerability."

Vulnerable Configurations

Part | Description | Count
Application | Microsoft | 1

Exploit-Db

description: Internet Explorer COM CreateObject Code Execution. CVE-2006-0003, CVE-2006-4704. Remote exploit for windows platform
id: EDB-ID:16561
last seen: 2016-02-02
modified: 2010-09-20
published: 2010-09-20
reporter: metasploit
source: https://www.exploit-db.com/download/16561/
title: Microsoft Internet Explorer - COM CreateObject Code Execution

Metasploit

description: This module exploits a generic code execution vulnerability in Internet Explorer by abusing vulnerable ActiveX objects.
id: MSF:EXPLOIT/WINDOWS/BROWSER/IE_CREATEOBJECT
last seen: 2020-05-23
modified: 2017-07-24
published: 2009-07-22
references:
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/ie_createobject.rb
title: MS06-014 Microsoft Internet Explorer COM CreateObject Code Execution

Nessus

NASL family: Windows : Microsoft Bulletins
NASL id: SMB_NT_MS06-073.NASL
description: The remote host is running a version of Microsoft Visual Studio 2005 that is vulnerable to a buffer overflow when handling a malformed WMI request in the ActiveX component. An attacker may exploit this flaw to execute arbitrary code on this host by enticing a user to visit a specially crafted web page.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 23836
published: 2006-12-12
reporter: This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/23836
title: MS06-073: Vulnerability in Visual Studio 2005 Could Allow Remote Code Execution (925674)
code
#
# Tenable Network Security, Inc.
#

include("compat.inc");

# Registration block: when the scanner evaluates the script with `description`
# set, only the metadata below is recorded and the script exits (exit(0) at the
# end of the block) before any of the host checks further down are reached.
if (description)
{
 # Plugin identity and revision stamps.
 script_id(23836);
 script_version("1.35");
 script_cvs_date("Date: 2018/11/15 20:50:30");

 # Cross-references to pivot on: the CVE, the Bugtraq id, the CERT reference,
 # the Microsoft bulletin and the KB article number.
 script_cve_id("CVE-2006-4704");
 script_bugtraq_id(20843);
 script_xref(name:"CERT", value:"854856");
 script_xref(name:"MSFT", value:"MS06-073");
 script_xref(name:"MSKB", value:"925674");

 script_name(english:"MS06-073: Vulnerability in Visual Studio 2005 Could Allow Remote Code Execution (925674)");
 script_summary(english:"Determines the version of visual studio");

 script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host through the web
browser.");
 # NOTE(review): the text below calls the flaw a buffer overflow, whereas the
 # CVE-2006-4704 summary describes a cross-zone scripting issue in the WMI
 # Object Broker ActiveX control (instantiation of dangerous objects). The
 # wording, including the typos ("entice a use", "specially crafter"), is a
 # runtime string and is left exactly as published.
 script_set_attribute(attribute:"description", value:
"The remote host is running a version of Microsoft Visual Studio 2005
that is vulnerable to a buffer overflow when handling malformed WMI
request in the ActiveX component.

An attacker may exploit this flaw to execute arbitrary code on this
host, by entice a use to visit a specially crafter web page.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2006/ms06-073");
 script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for VS2005.");
 # CVSS v2 base vector: network-reachable, medium access complexity, no
 # authentication, partial impact on confidentiality, integrity and
 # availability. Temporal vector: high exploitability (E:H), official fix
 # available (RL:OF), report confirmed (RC:C).
 script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
 # Exploitability flags used for prioritisation: exploit code is available,
 # malware is flagged as using the flaw, and a Metasploit module is listed.
 # NOTE(review): the module name carries the MS06-014 title although this
 # plugin checks MS06-073 -- presumably the same module also covers
 # CVE-2006-4704; confirm against the module's reference list.
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"exploited_by_malware", value:"true");
 script_set_attribute(attribute:"metasploit_name", value:'MS06-014 Microsoft Internet Explorer COM CreateObject Code Execution');
 script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

 # Timeline: disclosure on 2006/11/01, patch and plugin both on 2006/12/12.
script_set_attribute(attribute:"vuln_publication_date", value:"2006/11/01");
 script_set_attribute(attribute:"patch_publication_date", value:"2006/12/12");
 script_set_attribute(attribute:"plugin_publication_date", value:"2006/12/12");

 # NOTE(review): plugin type "local" -- presumably a credentialed check, which
 # matches the KB key and SMB ports required below; confirm that scans which
 # lack working credentials do not silently skip this plugin unnoticed.
 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:visual_studio");
 script_end_attributes();

 # Category constant names this an information-gathering script.
 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");

 # Ordering and preconditions: the two listed plugins are declared as
 # dependencies, and the KB key SMB/MS_Bulletin_Checks/Possible is required.
 script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");

 # SMB over 139/445, or the patch-management KB item, must be available.
 script_require_ports(139, 445, 'Host/patch_management_checks');
 # Registration is complete; nothing below this block runs in description mode.
 exit(0);
}


include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");


# Host check for MS06-073 / KB 925674.
# Reports a finding when Visual Studio 2005 is registered on the host and
# wmiscriptutils.dll under Common Files is an 8.0 build older than
# 8.0.50727.236. Everything is read over SMB with the credentials stored in
# the scan knowledge base; nothing on the target is modified.

# Stop here unless the required KB item for bulletin checks is present.
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS06-073';
kb = '925674';
kbs = make_list(kb);

# When patch-management data is present, hand it the same bulletin/KB pair.
if (get_kb_item("Host/patch_management_checks"))
{
  hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);
}

# The DLL path is derived from the Common Files directory, so it is mandatory.
common_files = hotfix_get_commonfilesdir();
if (!common_files)
  exit(1, "Failed to get the Common Files directory.");

if (!get_kb_item("SMB/Registry/Enumerated"))
  exit(0, "KB 'SMB/Registry/Enumerated' not set to TRUE.");

# SMB transport and credentials as recorded in the knowledge base.
port   = kb_smb_transport();
login  = kb_smb_login();
pass   = kb_smb_password();
domain = kb_smb_domain();

if (!smb_session_init())
  audit(AUDIT_FN_FAIL, "smb_session_init");

# Connect to IPC$ first; the remote registry calls below follow this step.
ipc_status = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
if (ipc_status != 1)
{
  NetUseDel();
  audit(AUDIT_SHARE_FAIL,"IPC$");
}

hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
if (isnull(hklm))
{
  NetUseDel();
  audit(AUDIT_REG_FAIL);
}

# Presence of this key is the script's only "is VS 2005 installed" test.
vs_key = "SOFTWARE\Microsoft\VisualStudio\8.0";
vs_key_h = RegOpenKey(handle:hklm, key:vs_key, mode:MAXIMUM_ALLOWED);
if (isnull(vs_key_h))
{
  # Key absent: release everything and leave without a finding or a message.
  RegCloseKey(handle:hklm);
  NetUseDel();
  exit(0);
}

RegCloseKey(handle:vs_key_h);
RegCloseKey(handle:hklm);
# NOTE(review): close:FALSE presumably keeps the SMB session open for the
# share connection made next -- confirm against smb_func.inc.
NetUseDel(close:FALSE);

# Split "X:\..." into the share name "X$" and a share-relative path to the DLL.
drive_share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:common_files);
dll_path = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\Microsoft Shared\WMI\wmiscriptutils.dll", string:common_files);

share_status = NetUseAdd(share:drive_share);
if (share_status != 1)
{
  NetUseDel();
  audit(AUDIT_SHARE_FAIL,drive_share);
}

dll_h = CreateFile(file:dll_path,
                   desired_access:GENERIC_READ,
                   file_attributes:FILE_ATTRIBUTE_NORMAL,
                   share_mode:FILE_SHARE_READ,
                   create_disposition:OPEN_EXISTING);

# NOTE(review): if the DLL cannot be opened or its version cannot be read,
# nothing is reported and the script ends exactly as it does for a patched
# host. A missing file and a failed read on the share are therefore not
# distinguishable from "not affected" in the scan output.
dll_ver = NULL;
if (!isnull(dll_h))
{
  dll_ver = GetFileVersion(handle:dll_h);
  CloseFile(handle:dll_h);
}

# Only 8.0.x.y builds are considered; anything below 8.0.50727.236 is flagged.
if (!isnull(dll_ver) && dll_ver[0] == 8 && dll_ver[1] == 0)
{
  if (dll_ver[2] < 50727 || (dll_ver[2] == 50727 && dll_ver[3] < 236))
  {
    # The -'$' term drops the '$' of the share name so the path prints as "X:\...".
    hotfix_add_report('\nPath : '+drive_share-'$'+':'+dll_path+
                      '\nVersion : '+join(dll_ver, sep:'.')+
                      '\nShould be : 8.0.50727.236\n',
                      bulletin:bulletin, kb:kb);
    # Record the missing bulletin in the KB under SMB/Missing/MS06-073.
    set_kb_item(name:"SMB/Missing/MS06-073", value:TRUE);
    hotfix_security_warning();
  }
}

# Always release the share connection, finding or not.
NetUseDel();

Oval

accepted: 2007-02-20T13:40:14.308-05:00
class: vulnerability
contributors:
  name: Robert L. Hollis
  organization: ThreatGuard, Inc.
definition_extensions:
  comment: Microsoft Visual Studio 2005 is installed.
  oval: oval:org.mitre.oval:def:426
description: Cross-zone scripting vulnerability in the WMI Object Broker (WMIScriptUtils.WMIObjectBroker2) ActiveX control (WmiScriptUtils.dll) in Microsoft Visual Studio 2005 allows remote attackers to bypass Internet zone restrictions and execute arbitrary code by instantiating dangerous objects, aka "WMI Object Broker Vulnerability."
family: windows
id: oval:org.mitre.oval:def:288
status: accepted
submitted: 2006-12-13T08:17:04
title: WMI Object Broker Vulnerability
version: 6

Saint

bid: 20843
description: Microsoft Visual Studio 2005 WMI Object Broker vulnerability
id: misc_vstudioax
osvdb: 30155
title: visual_studio_wmi_object_broker
type: client