Lucene search
This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.SMB_NT_MS06-035.NASLHistoryJul 11, 2006 - 12:00 a.m.
MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159)
2006-07-1100:00:00
This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
www.tenable.com
51
The remote host is vulnerable to heap overflow in the ‘Server’ service that could allow an attacker to execute arbitrary code on the remote host with the ‘System’ privileges.
In addition to this, the remote host is also vulnerable to an information disclosure attack in SMB that could allow an attacker to obtain portions of the memory of the remote host.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(22029);
script_version("1.36");
script_cvs_date("Date: 2018/11/15 20:50:30");
script_cve_id("CVE-2006-1314", "CVE-2006-1315");
script_bugtraq_id(18891, 18863);
script_xref(name:"TRA", value:"TRA-2006-01");
script_xref(name:"CERT", value:"189140");
script_xref(name:"MSFT", value:"MS06-035");
script_xref(name:"MSKB", value:"917159");
script_name(english:"MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159)");
script_summary(english:"Determines the presence of update 917159");
script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host due to a flaw in the
'server' service.");
script_set_attribute(attribute:"description", value:
"The remote host is vulnerable to heap overflow in the 'Server' service that
could allow an attacker to execute arbitrary code on the remote host with
the 'System' privileges.
In addition to this, the remote host is also vulnerable to an
information disclosure attack in SMB that could allow an attacker to
obtain portions of the memory of the remote host.");
script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2006/ms06-035");
script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/research/tra-2006-01");
script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows 2000, XP and
2003.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2006/07/11");
script_set_attribute(attribute:"patch_publication_date", value:"2006/07/11");
script_set_attribute(attribute:"plugin_publication_date", value:"2006/07/11");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
script_family(english:"Windows : Microsoft Bulletins");
script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
script_require_keys("SMB/MS_Bulletin_Checks/Possible");
script_require_ports(139, 445, 'Host/patch_management_checks');
exit(0);
}
include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
bulletin = 'MS06-035';
kb = '917159';
kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
if (hotfix_check_sp_range(win2k:'4,5', xp:'1,2', win2003:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");
share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
if ( hotfix_is_vulnerable(os:"5.2", sp:0, file:"Srv.sys", version:"5.2.3790.526", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
hotfix_is_vulnerable(os:"5.2", sp:1, file:"Srv.sys", version:"5.2.3790.2691", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
hotfix_is_vulnerable(os:"5.1", sp:1, file:"Srv.sys", version:"5.1.2600.1832", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
hotfix_is_vulnerable(os:"5.1", sp:2, file:"Srv.sys", version:"5.1.2600.2893", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
hotfix_is_vulnerable(os:"5.0", file:"Srv.sys", version:"5.0.2195.7087", dir:"\system32\drivers", bulletin:bulletin, kb:kb) )
{
set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
hotfix_security_hole();
hotfix_check_fversion_end();
exit(0);
}
else
{
hotfix_check_fversion_end();
audit(AUDIT_HOST_NOT, 'affected');
}
Related
nessus
nessus
securityvulns
securityvulns
prion
prion
Heap overflow
2006-07-11 21:05:00
Information disclosure
2006-07-11 21:05:00
cvelist
cvelist
checkpoint_advisories
checkpoint_advisories
MS-RPC Programs Lookup (CVE-2006-1314)
2006-07-18 00:00:00
Microsoft Server Service MailSlot Heap Overflow (MS06-035; CVE-2006-1314)
2006-09-21 00:00:00
Microsoft Windows RASMAN Service Memory Corruption (MS06-025; CVE-2006-1314)
2006-07-18 00:00:00
cve
cve
cert
cert
Microsoft Server Service Mailslot vulnerable to heap overflow
2006-07-11 00:00:00
Microsoft Server Service may disclose information used to store SMB traffic
2006-07-20 00:00:00
Related for SMB_NT_MS06-035.NASL