Vulnerability in DNS Resolution Could Allow Remote Code Execution (MS06-041)
Reporter | Title | Published | Views | Family All 13 |
---|---|---|---|---|
Exploit DB | Microsoft Windows - DNS Resolution Remote Denial of Service (PoC) (MS06-041) | 9 Dec 2006 00:00 | – | exploitdb |
securityvulns | Microsoft Security Bulletin MS06-041 Vulnerability in DNS Resolution Could Allow Remote Code Execution (920683) | 8 Aug 2006 00:00 | – | securityvulns |
CERT | Microsoft Winsock buffer overflow | 8 Aug 2006 00:00 | – | cert |
CERT | Microsoft DNS Client buffer overflow | 8 Aug 2006 00:00 | – | cert |
CVE | CVE-2006-3441 | 9 Aug 2006 01:04 | – | cve |
CVE | CVE-2006-3440 | 9 Aug 2006 01:04 | – | cve |
Check Point Advisories | Microsoft Windows DNS Client Buffer Overrun (CVE-2006-3441) | 7 Jun 2010 00:00 | – | checkpoint_advisories |
Check Point Advisories | Microsoft DNS Client Malformed ATMA Resource Record Buffer Overrun (MS06-041; CVE-2006-3441) | 30 Aug 2006 00:00 | – | checkpoint_advisories |
Check Point Advisories | Preemptive Protection against Malformed DNS Resource Records Vulnerability (MS06-041) | 13 Aug 2006 00:00 | – | checkpoint_advisories |
Cvelist | CVE-2006-3441 | 9 Aug 2006 01:00 | – | cvelist |
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
# Registration block. It runs only when `description` is set, makes nothing
# but script_* metadata/prerequisite calls, and ends with exit(0), so none
# of the checking code after this block is reached on that pass.
if (description)
{
script_id(22183);
script_version("1.35");
script_cvs_date("Date: 2018/11/15 20:50:30");
# Two CVEs are attached to this one bulletin. The synopsis/description
# text below only talks about the DNS client, so read both CVE entries
# when triaging a finding.
script_cve_id("CVE-2006-3440", "CVE-2006-3441");
script_bugtraq_id(19319, 19404);
script_xref(name:"CERT", value:"908276");
script_xref(name:"CERT", value:"794580");
script_xref(name:"MSFT", value:"MS06-041");
script_xref(name:"MSKB", value:"920683");
script_name(english:"MS06-041: Vulnerability in DNS Resolution Could Allow Remote Code Execution (920683)");
# The summary states what is actually tested: presence of update 920683,
# not exploitability of the flaw.
script_summary(english:"Determines the presence of update 920683");
script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host due to a flaw in the
DNS client.");
script_set_attribute(attribute:"description", value:
"The remote host is vulnerable to a buffer overrun in the DNS client
service that could allow an attacker to execute arbitrary code on the
remote host with SYSTEM privileges.
To exploit this vulnerability, an attacker would need to set up a
rogue DNS server to reply to the client with a specially crafted
packet.");
script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2006/ms06-041");
script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows 2000, XP and
2003.");
# CVSS v2 base vector: network attack vector, low complexity, no
# authentication, complete impact on confidentiality, integrity and
# availability.
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
# CVSS v2 temporal vector: proof-of-concept exploit code, official fix
# available, report confirmed. Matches the two exploit attributes below.
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2006/08/08");
script_set_attribute(attribute:"patch_publication_date", value:"2006/08/08");
script_set_attribute(attribute:"plugin_publication_date", value:"2006/08/08");
# "local" plugin type: the code after this block inspects file versions
# on the target instead of probing the DNS client over the network.
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
script_family(english:"Windows : Microsoft Bulletins");
# Prerequisites. The required KB key is presumably published by
# ms_bulletin_checks_possible.nasl, listed as a dependency here; confirm
# in that plugin. NOTE(review): a scan that cannot meet these
# prerequisites (SMB on 139/445 or patch-management data) yields no
# result from this plugin, so a missing finding is not proof that the
# update is installed.
script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
script_require_keys("SMB/MS_Bulletin_Checks/Possible");
script_require_ports(139, 445, 'Host/patch_management_checks');
exit(0);
}
include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");
# Main check for MS06-041 / KB920683.
# Each get_kb_item_or_exit() call below is a precondition on data already
# stored in the scan knowledge base; going by the helper's name, the
# plugin stops when the key is absent (the helper is not defined in this
# file). A host that fails a precondition gets no finding from this
# plugin, which is not the same as the host being patched.
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
bulletin = 'MS06-041';
kb = '920683';
kbs = make_list(kb);
# When patch-management data is present, pass the bulletin and KB list to
# the third-party check first. Whether that helper returns or ends the
# plugin is not visible here; see smb_hotfixes.inc.
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
# Restrict the check to the listed OS / service-pack combinations; a
# result <= 0 audits out as "OS/SP not vulnerable". The strings look like
# 'min,max' service-pack bounds; confirm against hotfix_check_sp_range().
if (hotfix_check_sp_range(win2k:'4,5', xp:'1,2', win2003:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
# The file checks need the system root and an accessible share that
# contains it; if either is unavailable the plugin stops without a
# verdict.
rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");
share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
# File-version test on two system32 DLLs, Dnsapi.dll and Rasadhlp.dll,
# per OS (5.0 = Windows 2000, 5.1 = XP, 5.2 = Server 2003) and service
# pack. The version strings are presumably the first fixed builds, with
# hotfix_is_vulnerable() flagging an older file; confirm in
# smb_hotfixes_fcheck.inc. The Windows 2000 threshold differs between the
# two files (5.0.2195.7100 vs 5.0.2195.7098). The conditions are joined
# with ||, so one matching file is enough to report the host.
if (
hotfix_is_vulnerable(os:"5.2", sp:0, file:"Dnsapi.dll", version:"5.2.3790.558", dir:"\system32", bulletin:bulletin, kb:kb) ||
hotfix_is_vulnerable(os:"5.2", sp:1, file:"Dnsapi.dll", version:"5.2.3790.2745", dir:"\system32", bulletin:bulletin, kb:kb) ||
hotfix_is_vulnerable(os:"5.1", sp:1, file:"Dnsapi.dll", version:"5.1.2600.1863", dir:"\system32", bulletin:bulletin, kb:kb) ||
hotfix_is_vulnerable(os:"5.1", sp:2, file:"Dnsapi.dll", version:"5.1.2600.2938", dir:"\system32", bulletin:bulletin, kb:kb) ||
hotfix_is_vulnerable(os:"5.0", file:"Dnsapi.dll", version:"5.0.2195.7100", dir:"\system32", bulletin:bulletin, kb:kb) ||
hotfix_is_vulnerable(os:"5.2", sp:0, file:"Rasadhlp.dll", version:"5.2.3790.558", dir:"\system32", bulletin:bulletin, kb:kb) ||
hotfix_is_vulnerable(os:"5.2", sp:1, file:"Rasadhlp.dll", version:"5.2.3790.2745", dir:"\system32", bulletin:bulletin, kb:kb) ||
hotfix_is_vulnerable(os:"5.1", sp:1, file:"Rasadhlp.dll", version:"5.1.2600.1863", dir:"\system32", bulletin:bulletin, kb:kb) ||
hotfix_is_vulnerable(os:"5.1", sp:2, file:"Rasadhlp.dll", version:"5.1.2600.2938", dir:"\system32", bulletin:bulletin, kb:kb) ||
hotfix_is_vulnerable(os:"5.0", file:"Rasadhlp.dll", version:"5.0.2195.7098", dir:"\system32", bulletin:bulletin, kb:kb) )
{
# Record the missing bulletin in the knowledge base, then report.
set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
hotfix_security_hole();
# Called on both branches; presumably ends the file-check session opened
# by the helpers above. Confirm in smb_hotfixes_fcheck.inc.
hotfix_check_fversion_end();
exit(0);
}
else
{
hotfix_check_fversion_end();
audit(AUDIT_HOST_NOT, 'affected');
}