ID CVE-2006-6307 Type cve Reporter NVD Modified 2011-03-07T21:45:45
Description
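srvloc.sys in Novell Client for Windows before 4.91 SP3 allows remote attackers to cause an unspecified denial of service via a crafted packet to port 427, which triggers access to pageable or invalid addresses while the code is running at a higher interrupt request level (IRQL) than necessary. The scanner record below identifies the traffic as SLP packets, states that it is not known whether the TCP service, the UDP service, or both are affected, and gives upgrading to Novell Client 4.91 SP3 or later as the solution. Its source also notes that the srvloc.sys file version did not change between SP2 (with 491psp2_pkc.exe) and SP3, so a patch-level check has to rely on another file that did change, such as nwgina.dll (4.91.1.36 with SP3).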
{"href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-6307", "history": [], "references": ["http://www.vupen.com/english/advisories/2006/4840", "http://www.securityfocus.com/bid/21430", "https://secure-support.novell.com/KanisaPlatform/Publishing/859/3480790_f.SAL_Public.html"], "lastseen": "2016-09-03T07:57:46", "bulletinFamily": "NVD", "title": "CVE-2006-6307", "cpe": ["cpe:/a:novell:client:4.91:sp2"], "viewCount": 0, "id": "CVE-2006-6307", "hash": "c87f63a9a77957647bd8c222ed89e8daae8bf8a1d7d64dfeb0b22e9dee8ebeb2", "description": "srvloc.sys in Novell Client for Windows before 4.91 SP3 allows remote attackers to cause an unspecified denial of service via a crafted packet to port 427 that triggers an access of pageable or invalid addresses using a higher interrupt request level (IRQL) than necessary.", "edition": 1, "assessment": {"name": "", "href": "", "system": ""}, "cvelist": ["CVE-2006-6307"], "scanner": [], "modified": "2011-03-07T21:45:45", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "objectVersion": "1.2", "reporter": "NVD", "type": "cve", "published": "2006-12-05T06:28:00", "enchantments": {"score": {"value": 5.0, "vector": "NONE", "modified": "2016-09-03T07:57:46"}, "dependencies": {"references": [{"type": "osvdb", "idList": ["OSVDB:31354"]}, {"type": "nessus", "idList": ["NOVELL_CLIENT_SRVLOC_DOS.NASL"]}], "modified": "2016-09-03T07:57:46"}, "vulnersScore": 5.0}}
{"osvdb": [{"lastseen": "2017-04-28T13:20:27", "bulletinFamily": "software", "description": "# No description provided by the source\n\n## References:\nVendor Specific News/Changelog Entry: https://secure-support.novell.com/KanisaPlatform/Publishing/859/3480790_f.SAL_Public.html\n[Secunia Advisory ID:23244](https://secuniaresearch.flexerasoftware.com/advisories/23244/)\nKeyword: TCP port 427\nFrSIRT Advisory: ADV-2006-4840\n[CVE-2006-6307](https://vulners.com/cve/CVE-2006-6307)\nBugtraq ID: 21430\n", "modified": "2006-11-29T03:18:58", "published": "2006-11-29T03:18:58", "href": "https://vulners.com/osvdb/OSVDB:31354", "id": "OSVDB:31354", "title": "Novell Client srvloc.sys Crafted Packet Unspecified Remote DoS", "type": "osvdb", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "nessus": [{"lastseen": "2019-02-21T01:09:40", "bulletinFamily": "scanner", "description": "The file 'srvloc.sys' included with the Novell Client software is reportedly vulnerable to a denial of service attack when processing malformed SLP packets to port 427.\n\nNote that it is not currently known whether this involves the TCP or UDP service or both.", "modified": "2018-07-16T00:00:00", "id": "NOVELL_CLIENT_SRVLOC_DOS.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=23970", "published": "2007-01-03T00:00:00", "title": "Novell Client srvloc.sys Crafted Packet Unspecified Remote DoS", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(23970);\n script_version(\"1.14\");\n script_cvs_date(\"Date: 2018/07/16 14:09:15\");\n\n script_cve_id(\"CVE-2006-6307\");\n script_bugtraq_id(21430);\n\n script_name(english:\"Novell Client srvloc.sys Crafted Packet Unspecified Remote DoS\");\n script_summary(english:\"Checks file versions of srvloc.sys / nwgina.dll\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host contains 
a service that is susceptible to a\ndenial of service attack.\");\n script_set_attribute(attribute:\"description\", value:\n\"The file 'srvloc.sys' included with the Novell Client software is\nreportedly vulnerable to a denial of service attack when processing\nmalformed SLP packets to port 427.\n\nNote that it is not currently known whether this involves the TCP or\nUDP service or both.\");\n\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Novell Client 4.91 SP3 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/11/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/10/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2007/01/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n script_copyright(english:\"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.\");\n script_dependencies(\"smb_hotfixes.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\n\nif (!get_kb_item(\"SMB/Registry/Enumerated\")) exit(1, \"KB 'SMB/Registry/Enumerated' not set to TRUE.\");\n\n# Unless we're being paranoid, check whether the software's installed.\nif (report_paranoia < 2)\n{\n subkey = \"{Novell Client for Windows}\";\n key = string(\"SMB/Registry/HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall/\", subkey, \"/DisplayName\");\n 
get_kb_item_or_exit(key);\n}\n\n\n# Connect to the appropriate share.\nport = kb_smb_transport();\nlogin = kb_smb_login();\npass = kb_smb_password();\ndomain = kb_smb_domain();\n\nif(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');\n\n# Check the version of srvloc.sys.\nwinroot = hotfix_get_systemroot();\nif (!winroot) exit(1);\n\nshare = ereg_replace(pattern:\"^([A-Za-z]):.*\", replace:\"\\1$\", string:winroot);\nsys = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", replace:\"\\1\\System32\\Netware\\srvloc.sys\", string:winroot);\n\nrc = NetUseAdd(login:login, password:pass, domain:domain, share:share);\nif (rc != 1)\n{\n NetUseDel();\n audit(AUDIT_SHARE_FAIL,\"IPC$\");\n}\n\nfh = CreateFile(\n file:sys,\n desired_access:GENERIC_READ,\n file_attributes:FILE_ATTRIBUTE_NORMAL,\n share_mode:FILE_SHARE_READ,\n create_disposition:OPEN_EXISTING\n);\nver = NULL;\nif (!isnull(fh))\n{\n ver = GetFileVersion(handle:fh);\n CloseFile(handle:fh);\n}\n\n\n# NB: make sure the version is 4.91.3.0, which is true of 4.91 Support\n# Pack 2 w/ 491psp2_pkc.exe. 
For some reason, Novell didn't update\n# the file version when it changed this for SP3, so we have to rely\n# another file which did change between them; eg, nwgina.dll.\nif (\n !isnull(ver) &&\n int(ver[0]) == 4 && int(ver[1]) == 91 && int(ver[2]) == 3 && int(ver[3]) == 0\n)\n{\n file = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", replace:\"\\1\\System32\\nwgina.dll\", string:winroot);\n fh = CreateFile(\n file:file,\n desired_access:GENERIC_READ,\n file_attributes:FILE_ATTRIBUTE_NORMAL,\n share_mode:FILE_SHARE_READ,\n create_disposition:OPEN_EXISTING\n );\n ver = NULL;\n if (!isnull(fh))\n {\n ver = GetFileVersion(handle:fh);\n CloseFile(handle:fh);\n }\n\n # File version is 4.91.1.36 w/ SP3.\n if (!isnull(ver))\n {\n fix = split(\"4.91.1.36\", sep:'.', keep:FALSE);\n for (i=0; i<4; i++)\n fix[i] = int(fix[i]);\n\n for (i=0; i<max_index(ver); i++)\n if ((ver[i] < fix[i]))\n {\n security_warning(port);\n break;\n }\n else if (ver[i] > fix[i])\n break;\n }\n}\n\n\n# Clean up.\nNetUseDel();\n\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}]}