Vulnerabilities > CVE-2006-6797 - Unspecified vulnerability in Microsoft Windows XP

CVSS 6.6 - MEDIUM

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

NONE

Availability impact

COMPLETE

local

low complexity

microsoft

nessus

NVD

Published: 2006-12-28

Updated: 2018-10-17

Summary

The Client Server Run-Time Subsystem (CSRSS) in Microsoft Windows allows local users to cause a denial of service (crash) or read arbitrary memory from csrss.exe via crafted arguments to the NtRaiseHardError function with status 0x50000018, a different vulnerability than CVE-2006-6696.

Vulnerable Configurations

Part	Description	Count
OS	Microsoft Microsoft Windows XP *	1

Nessus

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS07-021.NASL
description	The remote host is running a version of Windows containing a bug in the CSRSS error message handling routine that could allow an attacker to execute arbitrary code on the remote host by luring a user on the remote host into visiting a rogue website. Additionally, the system is prone to the following types of attack : - Local Privilege Elevation - Denial of Service (Local)
last seen	2020-06-01
modified	2020-06-02
plugin id	25024
published	2007-04-10
reporter	This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/25024
title	MS07-021: Vulnerabilities in CSRSS Could Allow Remote Code Execution (930178)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(25024); script_version("1.31"); script_cvs_date("Date: 2018/11/15 20:50:30"); script_cve_id("CVE-2006-6696", "CVE-2006-6797", "CVE-2007-1209"); script_bugtraq_id(21688, 23324, 23338); script_xref(name:"MSFT", value:"MS07-021"); script_xref(name:"MSKB", value:"930178"); script_xref(name:"CERT", value:"740636"); script_xref(name:"CERT", value:"219848"); script_xref(name:"EDB-ID", value:"2967"); script_name(english:"MS07-021: Vulnerabilities in CSRSS Could Allow Remote Code Execution (930178)"); script_summary(english:"Determines the presence of update 930178"); script_set_attribute(attribute:"synopsis", value: "Arbitrary code can be executed on the remote host through the web browser."); script_set_attribute(attribute:"description", value: "The remote host is running a version of Windows containing a bug in the CSRSS error message handling routine that could allow an attacker to execute arbitrary code on the remote host by luring a user on the remote host into visiting a rogue website. Additionally, the system is prone to the following types of attack : - Local Privilege Elevation - Denial of Service (Local)"); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2007/ms07-021"); script_set_attribute(attribute:"solution", value: "Microsoft has released a set of patches for Windows 2000, XP, 2003 and Vista."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_cwe_id(119); script_set_attribute(attribute:"vuln_publication_date", value:"2006/12/15"); script_set_attribute(attribute:"patch_publication_date", value:"2007/04/10"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/04/10"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc."); script_family(english:"Windows : Microsoft Bulletins"); script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, 'Host/patch_management_checks'); exit(0); } include("audit.inc"); include("smb_hotfixes_fcheck.inc"); include("smb_hotfixes.inc"); include("smb_func.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS07-021'; kb = "930178"; kbs = make_list(kb); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); get_kb_item_or_exit("SMB/Registry/Enumerated"); get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1); if (hotfix_check_sp_range(win2k:'4,5', xp:'2', win2003:'0,2', vista:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN); rootfile = hotfix_get_systemroot(); if (!rootfile) exit(1, "Failed to get the system root."); share = hotfix_path2share(path:rootfile); if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share); if ( hotfix_is_vulnerable(os:"6.0", sp:0, file:"Winsrv.dll", version:"6.0.6000.16445", dir:"\System32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"6.0", sp:0, file:"Winsrv.dll", version:"6.0.6000.20522", min_version:"6.0.6000.20000", dir:"\System32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.2", sp:2, file:"Winsrv.dll", version:"5.2.3790.4043", dir:"\System32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.2", sp:1, file:"Winsrv.dll", version:"5.2.3790.2902", dir:"\System32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.2", sp:0, file:"Winsrv.dll", version:"5.2.3790.658", dir:"\System32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.1", file:"Winsrv.dll", version:"5.1.2600.3103", dir:"\System32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.0", file:"Winsrv.dll", version:"5.0.2195.7135", dir:"\System32", bulletin:bulletin, kb:kb) ) { set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE); hotfix_security_hole(); hotfix_check_fversion_end(); exit(0); } else { hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, 'affected'); }

Oval

accepted

2012-11-19T04:00:33.510-05:00

class

vulnerability

contributors

name Sudhir Gandhe
organization Secure Elements, Inc.
name Robert L. Hollis
organization ThreatGuard, Inc.
name Sudhir Gandhe
organization Secure Elements, Inc.
name Josh Turpin
organization Symantec Corporation
name Shane Shaffer
organization G2, Inc.
name Chandan S
organization SecPod Technologies
name Dragos Prisaca
organization G2, Inc.

definition_extensions

comment Microsoft Windows 2000 SP4 or later is installed
oval oval:org.mitre.oval:def:229
comment Microsoft Windows XP (x86) SP2 is installed
oval oval:org.mitre.oval:def:754
comment Microsoft Windows XP SP1 (64-bit) is installed
oval oval:org.mitre.oval:def:480
comment Microsoft Windows XP x64 Edition SP2 is installed
oval oval:org.mitre.oval:def:4193
comment Microsoft Windows Server 2003 (x86) Gold is installed
oval oval:org.mitre.oval:def:165
comment Microsoft Windows Server 2003 (ia64) Gold is installed
oval oval:org.mitre.oval:def:396
comment Microsoft Windows Server 2003 SP1 (x86) is installed
oval oval:org.mitre.oval:def:565
comment Microsoft Windows Server 2003 SP1 (x64) is installed
oval oval:org.mitre.oval:def:4386
comment Microsoft Windows Server 2003 SP1 for Itanium is installed
oval oval:org.mitre.oval:def:1205
comment Microsoft Windows Server 2003 SP2 (x86) is installed
oval oval:org.mitre.oval:def:1935
comment Microsoft Windows Server 2003 SP2 (x64) is installed
oval oval:org.mitre.oval:def:2161
comment Microsoft Windows Server 2003 (ia64) SP2 is installed
oval oval:org.mitre.oval:def:1442
comment Microsoft Windows Vista is installed
oval oval:org.mitre.oval:def:228
comment Microsoft Windows Vista x64 Edition is installed
oval oval:org.mitre.oval:def:2041

description

family

windows

oval:org.mitre.oval:def:2013

status

accepted

submitted

2007-04-10T16:31:02

title

CSRSS DoS Vulnerability

version

Summary

Vulnerable Configurations

Nessus

Oval

References