CVE-2006-2371
CVSS 7.5
Published: 2006-06-13 15:06:00
Revised: 2011-03-07 21:36:04

[Original] Buffer overflow in the Remote Access Connection Manager service (RASMAN) service in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to execute arbitrary code via certain crafted "RPC related requests," that lead to registry corruption and stack corruption, aka the "RASMAN Registry Corruption Vulnerability."


[CNNVD] Microsoft Windows RASMAN Service Stack Overflow Vulnerability (CNNVD-200606-276)

Microsoft Windows is a very widely used operating system released by Microsoft.
The Microsoft Windows Remote Access Connection Manager (RASMAN) exposes a remotely callable RPC interface. The RPC interface _RasRpcSubmitRequest contains several security vulnerabilities that a remote attacker could exploit to execute arbitrary instructions on the server.
The function _RasRpcSubmitRequest and its subfunctions do not sufficiently validate the function pointers passed to them as parameters, and some subfunctions contain buffer overflow vulnerabilities in their handling of parameters. Any of these vulnerabilities could be exploited by an attacker to execute arbitrary instructions on the server and thereby take control of the system.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may cause system files to be modified]
Availability impact: PARTIAL [may cause performance degradation or interruption of access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/o:microsoft:windows_2003_server:standard:sp1
cpe:/o:microsoft:windows_2000::sp1:datacenter_server  Microsoft Windows 2000 Datacenter Server SP1
cpe:/o:microsoft:windows_2003_server:datacenter_edition_64-bit:sp1
cpe:/o:microsoft:windows_2000::sp3:datacenter_server  Microsoft Windows 2000 Datacenter Server SP3
cpe:/o:microsoft:windows_2003_server:datacenter_edition
cpe:/o:microsoft:windows_xp::gold:professional  Microsoft Windows XP Professional Gold
cpe:/o:microsoft:windows_2003_server:r2::datacenter_64-bit
cpe:/o:microsoft:windows_2000::sp2:advanced_server  Microsoft Windows 2000 Advanced Server SP2
cpe:/o:microsoft:windows_2000::sp2:professional  Microsoft Windows 2000 Professional SP2
cpe:/o:microsoft:windows_2000::sp3:server  Microsoft Windows 2000 Server SP3
cpe:/o:microsoft:windows_2000:::advanced_server
cpe:/o:microsoft:windows_2003_server:standard_64-bit
cpe:/o:microsoft:windows_2000:::professional
cpe:/o:microsoft:windows_2003_server:standard
cpe:/o:microsoft:windows_2000::sp4:server  Microsoft Windows 2000 Server SP4
cpe:/o:microsoft:windows_xp::sp1:home
cpe:/o:microsoft:windows_2003_server:enterprise_64-bit
cpe:/o:microsoft:windows_2000::sp1:professional  Microsoft Windows 2000 Professional SP1
cpe:/o:microsoft:windows_2000:::datacenter_server
cpe:/o:microsoft:windows_2003_server:datacenter_edition_64-bit
cpe:/o:microsoft:windows_2003_server:sp1::enterprise
cpe:/o:microsoft:windows_xp:::media_center
cpe:/o:microsoft:windows_2000::sp3:professional  Microsoft Windows 2000 Professional SP3
cpe:/o:microsoft:windows_2003_server:enterprise_edition:sp1
cpe:/o:microsoft:windows_xp:::home
cpe:/o:microsoft:windows_2000::sp1:server  Microsoft Windows 2000 Server SP1
cpe:/o:microsoft:windows_2003_server:datacenter_edition:sp1
cpe:/o:microsoft:windows_2000::sp3:advanced_server  Microsoft Windows 2000 Advanced Server SP3
cpe:/o:microsoft:windows_xp:::64-bit
cpe:/o:microsoft:windows_2003_server:enterprise_edition_64-bit:sp1
cpe:/o:microsoft:windows_2000::sp2:datacenter_server  Microsoft Windows 2000 Datacenter Server SP2
cpe:/o:microsoft:windows_xp::sp2:home
cpe:/o:microsoft:windows_xp::sp2:media_center  Microsoft Windows XP SP2 Media Center
cpe:/o:microsoft:windows_2003_server:web
cpe:/o:microsoft:windows_2003_server:enterprise_edition_64-bit
cpe:/o:microsoft:windows_2000:::server
cpe:/o:microsoft:windows_2000::sp4:datacenter_server  Microsoft Windows 2000 Datacenter Server SP4
cpe:/o:microsoft:windows_xp::sp2:tablet_pc  Microsoft Windows XP SP2 Tablet PC
cpe:/o:microsoft:windows_2000::sp1:advanced_server  Microsoft Windows 2000 Advanced Server SP1
cpe:/o:microsoft:windows_2000::sp2:server  Microsoft Windows 2000 Server SP2
cpe:/o:microsoft:windows_2003_server:web:sp1
cpe:/o:microsoft:windows_2000::sp4:professional  Microsoft Windows 2000 Professional SP4
cpe:/o:microsoft:windows_xp::sp1:media_center  Microsoft Windows XP SP1 Media Center
cpe:/o:microsoft:windows_2000::sp4:advanced_server  Microsoft Windows 2000 Advanced Server SP4

- OVAL (technical details for detection)

oval:org.mitre.oval:def:1983  RASMAN Registry Corruption Vulnerability (WinS03)
oval:org.mitre.oval:def:1907  RASMAN Registry Corruption Vulnerability (XP,SP1)
oval:org.mitre.oval:def:1857  RASMAN Registry Corruption Vulnerability (Win2K)
oval:org.mitre.oval:def:1851  RASMAN Registry Corruption Vulnerability (S03,SP1)
oval:org.mitre.oval:def:1846  RASMAN Registry Corruption Vulnerability (XP,SP2)
oval:org.mitre.oval:def:1674  RASMAN Registry Corruption Vulnerability (64-bit XP)
oval:gov.nist.fdcc.patch:def:44  MS06-025: Vulnerability in Routing and Remote Access Could Allow Remote Code Execution (911280)
oval:gov.nist.USGCB.patch:def:44  MS06-025: Vulnerability in Routing and Remote Access Could Allow Remote Code Execution (911280)
* OVAL describes in detail how to detect this vulnerability; the related OVAL definitions contain further technical details on detecting it.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2371
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2371
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200606-276
(Official data source) CNNVD

- Other links and resources

http://www.us-cert.gov/cas/techalerts/TA06-164A.html
(UNKNOWN)  CERT  TA06-164A
http://www.kb.cert.org/vuls/id/814644
(UNKNOWN)  CERT-VN  VU#814644
http://www.securityfocus.com/bid/18358
(PATCH)  BID  18358
http://www.securityfocus.com/archive/1/archive/1/436977/100/0/threaded
(PATCH)  BUGTRAQ  20060613 High Risk Vulnerability in Microsoft Windows RASMAN Service
http://www.microsoft.com/technet/security/bulletin/ms06-025.mspx
(VENDOR_ADVISORY)  MS  MS06-025
http://secunia.com/advisories/20630
(VENDOR_ADVISORY)  SECUNIA  20630
http://www.vupen.com/english/advisories/2006/2323
(UNKNOWN)  VUPEN  ADV-2006-2323
http://securitytracker.com/id?1016285
(UNKNOWN)  SECTRACK  1016285
http://xforce.iss.net/xforce/xfdb/26814
(UNKNOWN)  XF  win-rras-rasman-bo(26814)
http://www.osvdb.org/26436
(UNKNOWN)  OSVDB  26436
http://securityreason.com/securityalert/1096
(UNKNOWN)  SREASON  1096

- Vulnerability information

Microsoft Windows RASMAN Service Stack Overflow Vulnerability
High risk  Buffer overflow
2006-06-13 00:00:00  2006-11-30 00:00:00
Remote
Microsoft Windows is a very widely used operating system released by Microsoft.
The Microsoft Windows Remote Access Connection Manager (RASMAN) exposes a remotely callable RPC interface. The RPC interface _RasRpcSubmitRequest contains several security vulnerabilities that a remote attacker could exploit to execute arbitrary instructions on the server.
The function _RasRpcSubmitRequest and its subfunctions do not sufficiently validate the function pointers passed to them as parameters, and some subfunctions contain buffer overflow vulnerabilities in their handling of parameters. Any of these vulnerabilities could be exploited by an attacker to execute arbitrary instructions on the server and thereby take control of the system.

- Advisories and patches

Temporary workarounds:
* Disable the Remote Access Connection Manager service.
* Block at the firewall:
  UDP ports 135, 137, 138 and 445, and TCP ports 135, 139, 445 and 593
  all unsolicited inbound traffic on ports above 1024
  any other specifically configured RPC port
* Use a personal firewall, such as the Internet Connection Firewall bundled with Windows XP and Windows Server 2003.
* Enable advanced TCP/IP filtering on systems that support it.
* Use IPSec on affected systems to block the affected ports.
Microsoft has released a security bulletin (MS06-025) and a corresponding patch for this issue:
MS06-025: Vulnerability in Routing and Remote Access Could Allow Remote Code Execution (911280)
Link:
http://www.microsoft.com/technet/security/Bulletin/MS06-025.mspx
Temporary workarounds:
* If you are using Outlook 2002 or later, or Outlook Express 6 SP1 or later, read e-mail as plain text.
Microsoft has released a security bulletin (MS06-021) and a corresponding patch for this issue:
MS06-021: Cumulative Security Update for Internet Explorer (916281)
Link:
http://www.microsoft.com/technet/security/Bulletin/MS06-021.mspx

- Vulnerability information

26436
Microsoft Windows RASMAN RPC Request Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Patch / RCS
Exploit Commercial Vendor Verified

- Vulnerability description

Windows contains a flaw that may allow a malicious user to execute arbitrary code. The issue is triggered when a sequence of specially crafted packets is sent to one of the RPC interfaces provided by the RASMAN service, which leads to memory corruption. It is possible that the flaw may allow arbitrary code execution resulting in a loss of integrity.

- Timeline

2006-06-13 Unknown
2006-07-28 2006-07-13

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

- Related references

- Vulnerability author

- Vulnerability information

Microsoft Windows Routing and Remote Access RASMAN Registry Remote Code Execution Vulnerability
Boundary Condition Error 18358
Yes No
2006-06-13 12:00:00 2006-07-14 06:53:00
Peter Winter-Smith of NGS Software discovered this vulnerability.

- Affected program versions

Microsoft Windows XP Tablet PC Edition SP2
Microsoft Windows XP Tablet PC Edition SP1
Microsoft Windows XP Tablet PC Edition
Microsoft Windows XP Professional x64 Edition
Microsoft Windows XP Professional SP2
Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional
Microsoft Windows XP Media Center Edition SP2
Microsoft Windows XP Media Center Edition SP1
Microsoft Windows XP Media Center Edition
Microsoft Windows XP Home SP2
Microsoft Windows XP Home SP1
Microsoft Windows XP Home
Microsoft Windows XP Gold 0
Microsoft Windows XP 0
Microsoft Windows Server 2003 Web Edition SP1
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2003 Standard x64 Edition
Microsoft Windows Server 2003 Standard Edition SP1
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Enterprise x64 Edition
Microsoft Windows Server 2003 Enterprise Edition Itanium SP1
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows Server 2003 Enterprise Edition SP1
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Datacenter x64 Edition
Microsoft Windows Server 2003 Datacenter Edition Itanium SP1
Microsoft Windows Server 2003 Datacenter Edition Itanium 0
Microsoft Windows Server 2003 Datacenter Edition SP1
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
Microsoft Windows 2000 Professional SP4
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server

- Vulnerability discussion

Microsoft Windows Routing and Remote Access is prone to a memory-corruption vulnerability. This issue is due to the software's failure to properly bounds-check user-supplied network data before copying it to an insufficiently sized memory buffer.

This issue allows remote attackers to execute arbitrary machine code on affected computers with SYSTEM-level privileges. This facilitates the complete compromise of affected computers.

Exploiting this issue on Microsoft Windows XP SP2 or Windows Server 2003 requires valid login credentials. Anonymous attacks are possible with Windows 2000 and Windows XP versions prior to SP2.

- Exploit

A proof-of-concept exploit is available to members of the Immunity Partner's Program. No publicly available exploit is known to exist at this time.

The exploit is available from the following location:

https://www.immunityinc.com/downloads/immpartners/ms06_025b.tar

It is currently unknown if this exploit targets the vulnerability reported in this BID or the one described in BID 18325, since they were both addressed in Microsoft Security Advisory MS06-025.

- Solution

Microsoft has released an advisory along with fixes to address this issue. Please see the referenced advisory for more information.

Microsoft Windows Server 2003 Datacenter Edition SP1
Microsoft Windows Server 2003 Datacenter x64 Edition
Microsoft Windows Server 2003 Enterprise Edition SP1
Microsoft Windows XP Media Center Edition SP2
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows Server 2003 Enterprise Edition Itanium SP1
Microsoft Windows XP Tablet PC Edition SP1
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows XP Home SP2
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows XP Tablet PC Edition SP2
Microsoft Windows XP Media Center Edition SP1
Microsoft Windows Server 2003 Web Edition
Microsoft Windows XP Home SP1
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 Web Edition SP1
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows Server 2003 Standard Edition SP1
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows XP Professional SP2
Microsoft Windows Server 2003 Datacenter Edition Itanium SP1
Microsoft Windows Server 2003 Standard x64 Edition
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Professional SP4
Microsoft Windows Server 2003 Enterprise x64 Edition
Microsoft Windows XP Professional SP1
Microsoft Windows Server 2003 Datacenter Edition Itanium 0

- Related references
