Microsoft Windows 2000/Server 2003/XP SMB File srv.sys input validation

CVSS Meta Temp Score: 6.2
CVSS is a standardized scoring system to determine possibilities of attacks. The Temp Score considers temporal factors like disclosure, exploit and countermeasures. The unique Meta Score calculates the average score of different sources to provide a normalized scoring system.

Current Exploit Price (≈): $0-$5k
Our analysts are monitoring exploit markets and are in contact with vulnerability brokers. The range indicates the observed or calculated exploit price to be seen on exploit markets. A good indicator to understand the monetary effort required for and the popularity of an attack.

CTI Interest Score: 0.00
Our Cyber Threat Intelligence team is monitoring different web sites, mailing lists, exploit markets and social media networks. The CTI Interest Score identifies the interest of attackers and the security community for this specific vulnerability in real-time. A high score indicates an elevated risk to be targeted for this vulnerability.

Summary

A vulnerability was found in Microsoft Windows 2000/Server 2003/XP. It has been rated as critical. The affected element is an unknown function of the file srv.sys of the component SMB File Handler. Manipulation of the input results in an input validation vulnerability. This vulnerability is known as CVE-2006-3942. Furthermore, an exploit is available. It is suggested to use restrictive firewalling.

Details

A vulnerability, which was classified as critical, was found in Microsoft Windows 2000/Server 2003/XP (Operating System). This affects an unknown function of the file srv.sys of the component SMB File Handler. The manipulation with an unknown input leads to an input validation vulnerability. CWE is classifying the issue as CWE-20. The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. The impact is on availability. The summary by CVE is:

The server driver (srv.sys) in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to cause a denial of service (system crash) via an SMB_COM_TRANSACTION SMB message that contains a string without null character termination, which leads to a NULL dereference in the ExecuteTransaction function, possibly related to an "SMB PIPE," aka the "Mailslot DOS" vulnerability. NOTE: the name "Mailslot DOS" was derived from incomplete initial research; the vulnerability is not associated with a mailslot.

The bug was discovered on 07/28/2006. The weakness was published on 07/31/2006 by Tom Cross, David Means and Scott Warfield (ERNE) with ISS X-Force (Website). The advisory can be read at xforce.iss.net. This vulnerability has been uniquely identified as CVE-2006-3942 since 07/31/2006. The attack can be initiated remotely. No form of authentication is needed for exploitation. Technical details and a public exploit are known.

A public exploit was developed by cocoruder and published before, not after, the advisory. The exploit is shared for download at exploit-db.com. It is declared as highly functional. The vulnerability was handled as a non-public zero-day exploit for at least 2356 days. During that time the estimated underground price was around $25k-$100k. The vulnerability scanner Nessus provides a plugin with the ID 22536 (MS06-063: Vulnerability in Server Service Could Allow Denial of Service (923414)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Windows : Microsoft Bulletins and running in the context l. The commercial vulnerability scanner Qualys is able to test this issue with plugin 90354 (Microsoft Server Service Denial of Service Vulnerability (MS06-063)).

Applying a patch eliminates this problem. The bugfix is ready for download at windowsupdate.microsoft.com. The weakness can also be mitigated by firewalling; the recommended mitigation is restrictive firewalling. A possible mitigation was published 3 months after the disclosure of the vulnerability. Attack attempts may be identified with Snort ID 7035. Furthermore, this kind of attack can be detected and prevented with TippingPoint filter 4637.

The vulnerability is also documented in the databases at X-Force (27999), Exploit-DB (2057), Tenable (22536), SecurityFocus (BID 19215†) and OSVDB (27644†). Similar entries are available at VDB-2370, VDB-2369, VDB-31236 and VDB-32694. Be aware that VulDB is the high quality source for vulnerability data.

Product

Type: Operating System
Vendor: Microsoft
Name: Windows
Version: 2000/Server 2003/XP
Support: end of life (old version)


CVSSv3

VulDB Meta Base Score: 6.5
VulDB Meta Temp Score: 6.2

VulDB Base Score: 6.5
VulDB Temp Score: 6.2


Exploiting

Class: Input validation
CWE: CWE-20

Physical: No
Local: No
Remote: Yes

Access: Public
Status: Highly functional
Author: cocoruder

Nessus ID: 22536
Nessus Name: MS06-063: Vulnerability in Server Service Could Allow Denial of Service (923414)
Nessus Family: Windows : Microsoft Bulletins

Qualys ID: 90354
Qualys Name: Microsoft Server Service Denial of Service Vulnerability (MS06-063)

MetaSploit ID: ms06_035_mailslot.rb
MetaSploit Name: Microsoft SRV.SYS Mailslot Write Corruption

Exploit-DB: 2057


Countermeasures

Recommended: Firewall

Patch: windowsupdate.microsoft.com

Snort ID: 7035
TippingPoint: 4637

Timeline

02/17/2000: Windows 2000 released
07/21/2006 (+2346 days)
07/28/2006 (+7 days): vulnerability discovered
07/31/2006 (+3 days): advisory published, CVE-2006-3942 assigned, VulDB entry created
08/01/2006
10/10/2006 (+70 days): patch released (MS06-063)
07/08/2024 (+6481 days): VulDB entry updated

Sources

Vendor: microsoft.com
Product: microsoft.com

Advisory: xforce.iss.net
Researcher: Tom Cross, David Means, Scott Warfield (ERNE)
Organization: ISS X-Force
Status: Confirmed

CVE: CVE-2006-3942
GCVE (CVE): GCVE-0-2006-3942
GCVE (VulDB): GCVE-100-2415

X-Force: 27999 - Microsoft Windows SMB malformed PIPE denial of service, Medium Risk
SecurityFocus: 19215 - Microsoft Windows SMB PIPE Remote Denial of Service Vulnerability
Secunia: 21276 - Microsoft Windows Server Service DoS and Privilege Escalation, Less Critical
OSVDB: 27644 - Microsoft Windows Server Driver (srv.sys) Crafted SMB Packet NULL Dereference DoS
SecurityTracker: 1017035
Vulnerability Center: 12407 - [MS06-063] Microsoft Windows Remote Denial of Service via Crafted Packets on an SMB PIPE, High
Vupen: ADV-2006-3037

scip Labs: https://www.scip.ch/en/?labs.20161013

Entry

Created: 07/31/2006 16:18
Updated: 07/08/2024 15:57
Changes: 07/31/2006 16:18 (120), 06/23/2019 17:34 (3), 07/08/2024 15:57 (17)
