Microsoft Windows Workstation Service NetpManageIPCConnect Remote Code Execution Vulnerability
BID:20985
Info
Microsoft Windows Workstation Service NetpManageIPCConnect Remote Code Execution Vulnerability
| Bugtraq ID: | 20985 |
| Class: | Boundary Condition Error |
| CVE: |
CVE-2006-4691 |
| Remote: | Yes |
| Local: | No |
| Published: | Nov 14 2006 12:00AM |
| Updated: | Apr 18 2008 12:28AM |
| Credit: | JeongWook Matt Oh discovered this issue. Derek Soeder provided additional research. |
| Vulnerable: |
Nortel Networks Web-Centric Voice Application Development Suite 0 Nortel Networks Web Centric Self-Svc VoiceXML Nortel Networks Web Centric Self-Svc CCXML Nortel Networks Self-Service Speech Server 0 Nortel Networks Self-Service Peri Application 0 Nortel Networks Self-Service MPS 500 0 Nortel Networks Self-Service MPS 1000 0 Nortel Networks Self-Service MPS 100 0 Nortel Networks MCS5100 - Sun Platform 0 Nortel Networks Enterprise VoIP TM-CS1000 Nortel Networks Enterprise Network Management System Nortel Networks Contact Center Manager Server 0 Nortel Networks Centrex IP Element Manager 9.0 Nortel Networks Centrex IP Element Manager 8.0 Nortel Networks Centrex IP Element Manager 7.0 Microsoft Windows XP Tablet PC Edition SP2 Microsoft Windows XP Tablet PC Edition SP1 Microsoft Windows XP Tablet PC Edition Microsoft Windows XP Professional SP2 Microsoft Windows XP Professional SP1 Microsoft Windows XP Professional Microsoft Windows XP Media Center Edition SP2 Microsoft Windows XP Media Center Edition SP1 Microsoft Windows XP Media Center Edition Microsoft Windows XP Home SP2 Microsoft Windows XP Home SP1 Microsoft Windows XP Home Microsoft Windows XP Gold 0 Microsoft Windows XP 0 Microsoft Windows 2000 Server SP4 Microsoft Windows 2000 Server SP3 Microsoft Windows 2000 Server SP2 Microsoft Windows 2000 Server SP1 Microsoft Windows 2000 Server Microsoft Windows 2000 Professional SP4 Microsoft Windows 2000 Professional SP3 Microsoft Windows 2000 Professional SP2 Microsoft Windows 2000 Professional SP1 Microsoft Windows 2000 Professional Microsoft Windows 2000 Datacenter Server SP4 Microsoft Windows 2000 Datacenter Server SP3 Microsoft Windows 2000 Datacenter Server SP2 Microsoft Windows 2000 Datacenter Server SP1 Microsoft Windows 2000 Datacenter Server Microsoft Windows 2000 Advanced Server SP4 Microsoft Windows 2000 Advanced Server SP3 Microsoft Windows 2000 Advanced Server SP2 Microsoft Windows 2000 Advanced Server SP1 Microsoft Windows 2000 Advanced Server HP Storage Management Appliance 2.1 Avaya S8100 Media Servers R9 Avaya S8100 Media Servers R8 Avaya S8100 Media Servers R7 Avaya S8100 Media Servers R6 Avaya S8100 Media Servers R12 Avaya S8100 Media Servers R11 Avaya S8100 Media Servers R10 Avaya S8100 Media Servers 0 Avaya Messaging Application Server 0 |
| Not Vulnerable: | |
Discussion
Microsoft Windows Workstation Service NetpManageIPCConnect Remote Code Execution Vulnerability
Microsoft Windows Workstation service is prone to a remote code-execution vulnerability.
Exploiting this issue allows remote, anonymous attackers to execute arbitrary machine code on affected computers with SYSTEM-level privileges. This facilitates the complete compromise of affected computers.
Attackers require administrative privileges to exploit this issue on Windows XP SP2 computers. Anonymous attackers may exploit this issue on Windows 2000 computers.
Microsoft Windows Workstation service is prone to a remote code-execution vulnerability.
Exploiting this issue allows remote, anonymous attackers to execute arbitrary machine code on affected computers with SYSTEM-level privileges. This facilitates the complete compromise of affected computers.
Attackers require administrative privileges to exploit this issue on Windows XP SP2 computers. Anonymous attackers may exploit this issue on Windows 2000 computers.
Exploit / POC
Microsoft Windows Workstation Service NetpManageIPCConnect Remote Code Execution Vulnerability
A proof-of-concept and full exploit are available to members of the Immunity Partner's program:
https://www.immunityinc.com/downloads/immpartners/ms06_070.tar
https://www.immunityinc.com/downloads/immpartners/ms06_070-2.tar
https://www.immunityinc.com/downloads/immpartners/ms06_070a.tar
Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.
The following public exploits are available:
A proof-of-concept and full exploit are available to members of the Immunity Partner's program:
https://www.immunityinc.com/downloads/immpartners/ms06_070.tar
https://www.immunityinc.com/downloads/immpartners/ms06_070-2.tar
https://www.immunityinc.com/downloads/immpartners/ms06_070a.tar
Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.
The following public exploits are available:
Solution / Fix
Microsoft Windows Workstation Service NetpManageIPCConnect Remote Code Execution Vulnerability
Solution:
Microsoft has released an advisory along with fixes to address this issue. Please see the referenced advisory for more information.
Microsoft Windows XP Media Center Edition SP2
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows XP Home SP2
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows XP Tablet PC Edition SP2
Microsoft Windows XP Professional SP2
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Professional SP4
Solution:
Microsoft has released an advisory along with fixes to address this issue. Please see the referenced advisory for more information.
Microsoft Windows XP Media Center Edition SP2
-
Microsoft Security Update for Windows XP (KB924270)
http://www.microsoft.com/downloads/details.aspx?familyid=f4c8e767-4ed2 -4e36-aa43-612f3017efc7
Microsoft Windows 2000 Advanced Server SP4
-
Microsoft Security Update for Windows 2000 (KB924270)
http://www.microsoft.com/downloads/details.aspx?familyid=3ad5c57d-d3f6 -46a1-8dee-3e16d0977f80
Microsoft Windows XP Home SP2
-
Microsoft Security Update for Windows XP (KB924270)
http://www.microsoft.com/downloads/details.aspx?familyid=f4c8e767-4ed2 -4e36-aa43-612f3017efc7
Microsoft Windows 2000 Datacenter Server SP4
-
Microsoft Security Update for Windows 2000 (KB924270)
http://www.microsoft.com/downloads/details.aspx?familyid=3ad5c57d-d3f6 -46a1-8dee-3e16d0977f80
Microsoft Windows XP Tablet PC Edition SP2
-
Microsoft Security Update for Windows XP (KB924270)
http://www.microsoft.com/downloads/details.aspx?familyid=f4c8e767-4ed2 -4e36-aa43-612f3017efc7
Microsoft Windows XP Professional SP2
-
Microsoft Security Update for Windows XP (KB924270)
http://www.microsoft.com/downloads/details.aspx?familyid=f4c8e767-4ed2 -4e36-aa43-612f3017efc7
Microsoft Windows 2000 Server SP4
-
Microsoft Security Update for Windows 2000 (KB924270)
http://www.microsoft.com/downloads/details.aspx?familyid=3ad5c57d-d3f6 -46a1-8dee-3e16d0977f80
Microsoft Windows 2000 Professional SP4
-
Microsoft Security Update for Windows 2000 (KB924270)
http://www.microsoft.com/downloads/details.aspx?familyid=3ad5c57d-d3f6 -46a1-8dee-3e16d0977f80
References
Microsoft Windows Workstation Service NetpManageIPCConnect Remote Code Execution Vulnerability
References:
References:
- Microsoft Security Advisory (928604) (Microsoft)
- Microsoft Security Bulletin MS06-070 (Microsoft)
- Microsoft Windows Homepage (Microsoft)
- Microsoft Windows Update (Microsoft)
- Microsoft Windows Wkssvc NetrJoinDomain2 Stack Overflow (MS06-070, Exploit) (cocoruder)
- EEYE: Workstation Service NetpManageIPCConnect Buffer Overflow ("eEye Advisories"
) - Avaya: Microsoft Security Bulletin Summary for November 2006 MS06-66 - MS06-71 (Avaya)
- CENTREX IP CLIENT MANAGER (CICM) RESPONSE TO MICROSOFT (Nortel Networks)
- NORTEL RESPONSE TO MICROSOFT SECURITY BULLETIN MS06-070 (Nortel Networks)