Vulnerabilities > CVE-2006-5745 - Remote Code Execution vulnerability in Microsoft XML Core Services 4.0

047910
CVSS 7.6 - HIGH
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
high complexity
microsoft
nessus
exploit available
metasploit

Summary

Unspecified vulnerability in the setRequestHeader method in the XMLHTTP (XML HTTP) ActiveX Control 4.0 in Microsoft XML Core Services 4.0 on Windows, when accessed by Internet Explorer, allows remote attackers to execute arbitrary code via crafted arguments that lead to memory corruption, a different vulnerability than CVE-2006-4685. NOTE: some of these details are obtained from third party information.

Vulnerable Configurations

Part Description Count
Application
Microsoft
1

Exploit-Db

  • descriptionInternet Explorer XML Core Services HTTP Request Handling. CVE-2006-5745. Remote exploit for windows platform
    idEDB-ID:16532
    last seen2016-02-02
    modified2010-07-03
    published2010-07-03
    reportermetasploit
    sourcehttps://www.exploit-db.com/download/16532/
    titleMicrosoft Internet Explorer - XML Core Services HTTP Request Handling
  • idEDB-ID:2743

Metasploit

descriptionThis module exploits a code execution vulnerability in Microsoft XML Core Services which exists in the XMLHTTP ActiveX control. This module is a modified version of http://www.milw0rm.com/exploits/2743 - credit to str0ke. This module has been successfully tested on Windows 2000 SP4, Windows XP SP2, Windows 2003 Server SP0 with IE6 + Microsoft XML Core Services 4.0 SP2.
idMSF:EXPLOIT/WINDOWS/BROWSER/MS06_071_XML_CORE
last seen2020-06-13
modified2017-09-09
published2007-10-24
referenceshttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5745
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/ms06_071_xml_core.rb
titleMS06-071 Microsoft Internet Explorer XML Core Services HTTP Request Handling

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS06-071.NASL
descriptionThe remote host is running a version of Windows that contains a flaw in the Windows XML Core Services. An attacker may be able to execute arbitrary code on the remote host by constructing a malicious script and enticing a victim to visit a website or view a specially crafted email message.
last seen2020-06-01
modified2020-06-02
plugin id23647
published2006-11-14
reporterThis script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/23647
titleMS06-071: Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (928088)
code
#
# Tenable Network Security, Inc.
#

include("compat.inc");

# Metadata registration branch: when `description` is set, the plugin only
# declares its identifiers, references, risk attributes and prerequisites,
# then exits (see the exit(0) at the end of the block) without checking the host.
if (description)
{
 script_id(23647);
 script_version("1.38");
 script_cvs_date("Date: 2018/11/15 20:50:30");

 # Cross-references used to correlate this finding with other feeds:
 # CVE, Bugtraq ID, CERT note, Microsoft bulletin and KB article numbers.
 script_cve_id("CVE-2006-5745");
 script_bugtraq_id(20915);
 script_xref(name:"CERT", value:"585137");
 script_xref(name:"MSFT", value:"MS06-071");
 script_xref(name:"MSKB", value:"927978");
 script_xref(name:"MSKB", value:"928088");

 script_name(english:"MS06-071: Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (928088)");
 # NOTE(review): the summary names update 928088, while the file-version checks
 # later in this script are tagged with KBs 927978 and 927977 - confirm which
 # KB numbers should appear in the report.
 script_summary(english:"Determines the presence of update 928088");

 script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host through the web or
email client.");
 script_set_attribute(attribute:"description", value:
"The remote host is running a version of Windows that contains a flaw
in the Windows XML Core Services.

An attacker may be able to execute arbitrary code on the remote host
by constructing a malicious script and enticing a victim to visit a
website or view a specially crafted email message.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2006/ms06-071");
 script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows 2000, XP and
2003.");
 # CVSS v2 base vector: network-reachable, high access complexity, no
 # authentication, complete loss of confidentiality, integrity and availability.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
 # CVSS v2 temporal vector: exploitability high, official fix available,
 # report confidence confirmed.
 script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
 # Exploit-availability flags. For triage these matter more than the base
 # score: the plugin records public exploits, framework coverage
 # (Metasploit, CANVAS) and use by malware.
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"exploit_framework_core", value:"true");
 script_set_attribute(attribute:"exploited_by_malware", value:"true");
 script_set_attribute(attribute:"metasploit_name", value:'MS06-071 Microsoft Internet Explorer XML Core Services HTTP Request Handling');
 script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
 script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
 script_set_attribute(attribute:"canvas_package", value:'CANVAS');

 # Disclosure timeline: the vulnerability was published ten days before the
 # patch, and the plugin shipped on the same day as the patch.
 script_set_attribute(attribute:"vuln_publication_date", value:"2006/11/04");
 script_set_attribute(attribute:"patch_publication_date", value:"2006/11/14");
 script_set_attribute(attribute:"plugin_publication_date", value:"2006/11/14");

 # "local" presumably marks a check that relies on data read from the host
 # itself (file versions) rather than a network probe - confirm against the
 # scanner documentation.
 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_end_attributes();

 # The category name suggests an information-gathering check; the body below
 # only reads KB items and file versions and sends no exploit traffic.
 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");

 # Prerequisites: two other scripts are declared as dependencies, the KB key
 # "SMB/MS_Bulletin_Checks/Possible" is required (the body re-checks it), and
 # the SMB ports 139/445 or the patch-management key are listed as requirements.
 script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");
 script_require_ports(139, 445, 'Host/patch_management_checks');
 exit(0);
}

include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");

# Patch-level check for MS06-071. It compares the on-disk versions of
# Msxml4.dll and Msxml6.dll with the fixed versions and reports the host when
# either file is older. It reads file versions only and never exercises the
# XMLHTTP control, so a finding means "patch missing", not "exploit confirmed".

# Stop unless an earlier script recorded that bulletin checks are possible.
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS06-071';
kbs = make_list("927978", "928088");
# When patch-management data is present, pass the bulletin and KB list to the
# third-party patch check with SECURITY_HOLE severity.
# NOTE(review): this page does not show whether that call ends the script or
# falls through to the SMB file checks below - confirm in the include file.
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

# The file checks need an enumerated registry and a known Windows version.
get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

# Only hosts inside these OS / service-pack ranges continue (the strings are
# presumably min,max service-pack levels: Windows 2000 SP4-5, XP SP2, 2003 SP0-1).
# Any other host is audited out here as "not vulnerable" before its MSXML files
# are inspected, so a clean result on other OS levels says nothing about the
# installed MSXML version.
if (hotfix_check_sp_range(win2k:'4,5', xp:'2', win2003:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

# The DLLs are read through the share that holds the system root; if that
# share is not accessible the script audits out and reports nothing.
share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

# NOTE(review): `kb` is assigned here but not referenced again in the visible
# script; the checks below pass literal KB numbers instead. Confirm whether an
# included function reads it as a global before removing it.
kb = '928088';

# Vulnerable when Msxml4.dll is older than 4.20.9841.0 or Msxml6.dll is older
# than 6.0.3890.0.
# NOTE(review): the MSXML6 check is tagged kb:'927977', which is absent from the
# `kbs` list above ("927978", "928088") and from the plugin's MSKB
# cross-references - confirm which KB should be reported.
if ( ( hotfix_check_fversion(file:"system32\Msxml4.dll", version:"4.20.9841.0", bulletin:bulletin, kb:'927978') == HCF_OLDER ) ||
   ( hotfix_check_fversion(file:"system32\Msxml6.dll", version:"6.0.3890.0", bulletin:bulletin, kb:'927977') == HCF_OLDER ) )
{
  # Record the missing bulletin in the KB under "SMB/Missing/MS06-071" so other
  # scripts can read it, then raise the finding.
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();

  # Release the file-check session before exiting.
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  # Neither file is older than the fixed version: close the session and audit
  # the host as not affected.
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

Oval

accepted2007-02-20T13:39:27.419-05:00
classvulnerability
contributors
nameRobert L. Hollis
organizationThreatGuard, Inc.
definition_extensions
  • commentMicrosoft XML Core Services 4 is installed
    ovaloval:org.mitre.oval:def:1002
  • commentMicrosoft XML Core Services 6 is installed
    ovaloval:org.mitre.oval:def:454
descriptionUnspecified vulnerability in the setRequestHeader method in the XMLHTTP (XML HTTP) ActiveX Control 4.0 in Microsoft XML Core Services 4.0 on Windows, when accessed by Internet Explorer, allows remote attackers to execute arbitrary code via crafted arguments that lead to memory corruption, a different vulnerability than CVE-2006-4685. NOTE: some of these details are obtained from third party information.
familywindows
idoval:org.mitre.oval:def:104
statusaccepted
submitted2006-11-15T12:28:05
titleMicrosoft XML Core Services Vulnerability
version65

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/83032/ms06_071_xml_core.rb.txt
idPACKETSTORM:83032
last seen2016-12-05
published2009-11-26
reporterTrirat Puttaraksa
sourcehttps://packetstormsecurity.com/files/83032/Internet-Explorer-XML-Core-Services-HTTP-Request-Handling.html
titleInternet Explorer XML Core Services HTTP Request Handling

Saint

bid20915
descriptionMicrosoft XMLHTTP ActiveX control setRequestHeader vulnerability
idwin_patch_ie_xmlsetrequestheader
osvdb30208
titlemicrosoft_xmlhttp_setrequestheader
typeclient