National Vulnerability Database (NVD) National Vulnerability Database (CVE-2006-6696)

National Cyber-Alert System

Vulnerability Summary for CVE-2006-6696

Original release date:12/22/2006

Last revised:09/24/2009

Source: US-CERT/NIST

Overview

Double free vulnerability in Microsoft Windows 2000, XP, 2003, and Vista allows local users to gain privileges by calling the MessageBox function with a MB_SERVICE_NOTIFICATION message with crafted data, which sends a HardError message to Client/Server Runtime Server Subsystem (CSRSS) process, which is not properly handled when invoking the UserHardError and GetHardErrorText functions in WINSRV.DLL.

Impact

CVSS Severity (version 2.0):

CVSS v2 Base Score:6.9 (MEDIUM) (AV:L/AC:M/Au:N/C:C/I:C/A:C) (legend)

Impact Subscore: 10.0

Exploitability Subscore: 3.4

CVSS Version 2 Metrics:

Access Vector: Locally exploitable

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type:Provides administrator access, Allows complete confidentiality, integrity, and availability violation; Allows unauthorized disclosure of information; Allows disruption of service

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

External Source: VUPEN

Name: ADV-2006-5120

Type: Advisory; Patch Information

Hyperlink:http://www.frsirt.com/english/advisories/2006/5120

External Source: BID

Name: 23324

Hyperlink:http://www.securityfocus.com/bid/23324

External Source: BID

Name: 21688

Hyperlink:http://www.securityfocus.com/bid/21688

External Source: HP

Name: HPSBST02208

Hyperlink:http://www.securityfocus.com/archive/1/archive/1/466331/100/200/threaded

External Source: HP

Name: HPSBST02208

Hyperlink:http://www.securityfocus.com/archive/1/archive/1/466331/100/200/threaded

External Source: BUGTRAQ

Name: 20061230 csrss.exe double-free vulnerability - arbitrary DWORD overwrite exploit

Hyperlink:http://www.securityfocus.com/archive/1/archive/1/455546/100/0/threaded

External Source: BUGTRAQ

Name: 20061222 Re: Re: [Full-disclosure] Microsoft Windows XP/2003/Vista memory corruption 0day

Hyperlink:http://www.securityfocus.com/archive/1/archive/1/455158/100/0/threaded

External Source: BUGTRAQ

Name: 20061221 Re: [Full-disclosure] Microsoft Windows XP/2003/Vista memory corruption 0day

Hyperlink:http://www.securityfocus.com/archive/1/archive/1/455104/100/0/threaded

External Source: BUGTRAQ

Name: 20061221 Re: [Full-disclosure] Microsoft Windows XP/2003/Vista memorycorruption 0day

Hyperlink:http://www.securityfocus.com/archive/1/archive/1/455088/100/0/threaded

External Source: BUGTRAQ

Name: 20061221 Microsoft Windows XP/2003/Vista memory corruption 0day

Hyperlink:http://www.securityfocus.com/archive/1/archive/1/455061/100/0/threaded

External Source: MISC

Name: http://www.security.nnov.ru/Gnews944.html

Hyperlink:http://www.security.nnov.ru/Gnews944.html

External Source: MISC

Name: http://www.security.nnov.ru/files/messagebox.c

Hyperlink:http://www.security.nnov.ru/files/messagebox.c

External Source: MILW0RM

Name: 2967

Hyperlink:http://www.milw0rm.com/exploits/2967

External Source: MS

Name: MS07-021

Hyperlink:http://www.microsoft.com/technet/security/bulletin/ms07-021.mspx

External Source: MISC

Name: http://www.kuban.ru/forum_new/forum2/files/19124.html

Hyperlink:http://www.kuban.ru/forum_new/forum2/files/19124.html

External Source: VUPEN

Name: ADV-2007-1325

Type: Advisory

Hyperlink:http://www.frsirt.com/english/advisories/2007/1325

External Source: MISC

Name: http://www.determina.com/security.research/vulnerabilities/csrss-harderror.html

Hyperlink:http://www.determina.com/security.research/vulnerabilities/csrss-harderror.html

External Source: SECTRACK

Name: 1017433

Hyperlink:http://securitytracker.com/id?1017433

External Source: SECUNIA

Name: 23448

Type: Advisory

Hyperlink:http://secunia.com/advisories/23448

External Source: MISC

Name: http://research.eeye.com/html/alerts/zeroday/20061215.html

Hyperlink:http://research.eeye.com/html/alerts/zeroday/20061215.html

External Source: MILW0RM

Name: 2967

Hyperlink:http://milw0rm.com/exploits/2967

External Source: FULLDISC

Name: 20061221 Microsoft Windows XP/2003/Vista memory corruption 0day

Hyperlink:http://lists.grok.org.uk/pipermail/full-disclosure/2006-December/051394.html

External Source: MISC

Name: http://isc.sans.org/diary.php?n&storyid=1965

Hyperlink:http://isc.sans.org/diary.php?n&storyid=1965

External Source: MISC

Name: http://groups.google.ca/group/microsoft.public.win32.programmer.kernel/browse_thread/thread/c5946bf40f227058/7bd7b5d66a4e5aff

Hyperlink:http://groups.google.ca/group/microsoft.public.win32.programmer.kernel/browse_thread/thread/c5946bf40f227058/7bd7b5d66a4e5aff

External Source: CONFIRM

Name: http://blogs.technet.com/msrc/archive/2006/12/22/new-report-of-a-windows-vulnerability.aspx

Hyperlink:http://blogs.technet.com/msrc/archive/2006/12/22/new-report-of-a-windows-vulnerability.aspx

US Government Resource: oval:org.mitre.oval:def:1816

Name: oval:org.mitre.oval:def:1816

Type: Tool Signature

Hyperlink:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:1816

Vulnerable software and versions

Configuration 1

* cpe:/o:microsoft:windows_2000:::advanced_server

* cpe:/o:microsoft:windows_2000:::datacenter_server

* cpe:/o:microsoft:windows_2000:::professional

* cpe:/o:microsoft:windows_2000::sp1:advanced_server

* cpe:/o:microsoft:windows_2000::sp1:datacenter_server

* cpe:/o:microsoft:windows_2000::sp1:professional

* cpe:/o:microsoft:windows_2000::sp1:server

* cpe:/o:microsoft:windows_2000::sp2:advanced_server

* cpe:/o:microsoft:windows_2000::sp2:datacenter_server

* cpe:/o:microsoft:windows_2000::sp2:professional

* cpe:/o:microsoft:windows_2000::sp2:server

* cpe:/o:microsoft:windows_2000::sp3:advanced_server

* cpe:/o:microsoft:windows_2000::sp3:datacenter_server

* cpe:/o:microsoft:windows_2000::sp3:professional

* cpe:/o:microsoft:windows_2000::sp3:server

* cpe:/o:microsoft:windows_2000::sp4:advanced_server

* cpe:/o:microsoft:windows_2000::sp4:datacenter_server

* cpe:/o:microsoft:windows_2000::sp4:professional

* cpe:/o:microsoft:windows_2000::sp4:server

* cpe:/o:microsoft:windows_2003_server:datacenter_edition

* cpe:/o:microsoft:windows_2003_server:datacenter_edition:sp1

* cpe:/o:microsoft:windows_2003_server:datacenter_edition:sp1_beta_1

* cpe:/o:microsoft:windows_2003_server:enterprise_edition:sp1

* cpe:/o:microsoft:windows_2003_server:enterprise_edition:sp1_beta_1

* cpe:/o:microsoft:windows_2003_server:sp1::enterprise

* cpe:/o:microsoft:windows_2003_server:standard

* cpe:/o:microsoft:windows_2003_server:standard:sp1

* cpe:/o:microsoft:windows_2003_server:standard:sp1_beta_1

* cpe:/o:microsoft:windows_2003_server:web

* cpe:/o:microsoft:windows_2003_server:web:sp1

* cpe:/o:microsoft:windows_2003_server:web:sp1_beta_1

* cpe:/o:microsoft:windows_vista:::december_ctp

* cpe:/o:microsoft:windows_vista::beta

* cpe:/o:microsoft:windows_vista::beta1

* cpe:/o:microsoft:windows_vista::beta2

* cpe:/o:microsoft:windows_xp:::home

* cpe:/o:microsoft:windows_xp:::media_center

* cpe:/o:microsoft:windows_xp::gold:professional

* cpe:/o:microsoft:windows_xp::sp1:home

* cpe:/o:microsoft:windows_xp::sp1:media_center

* cpe:/o:microsoft:windows_xp::sp2:home

* cpe:/o:microsoft:windows_xp::sp2:media_center

* cpe:/o:microsoft:windows_xp::sp2:tablet_pc

* Denotes Vulnerable Software

Technical Details

Vulnerability Type (View All)

Buffer Errors (CWE-119)

CVE Standard Vulnerability Entry:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6696