Vulnerability Name: CVE-2006-4071 (CCN-28281)
Assigned: 2006-08-06
Published: 2006-08-06
Updated: 2018-10-17
Summary: Sign extension vulnerability in the createBrushIndirect function in the GDI library (gdi32.dll) in Microsoft Windows XP, Server 2003, and possibly other versions, allows user-assisted attackers to cause a denial of service (application crash) via a crafted WMF file.
CVSS v3 Severity: 3.7 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVSS v2 Severity: 2.6 Low (CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:N/A:P)
2.2 Low (Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:N/A:P/E:POC/RL:U/RC:UR)
2.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:N/A:P/E:POC/RL:U/RC:UR)
Vulnerability Type: CWE-Other
Vulnerability Consequences: Denial of Service
References:
Source: CCN Type: BugTraq Mailing List, Wed Jan 10 2007 - 21:23:07 CST WMF CreateBrushIndirect vulnerability (DoS)
Source: CCN Type: Full-Disclosure Mailing List, Sat Aug 05 2006 - 20:03:18 CDT 0-day XP SP2 wmf exploit
Source: CCN Type: Full-Disclosure Mailing List, Sun Aug 06 2006 - 18:34:29 CDT 0-day XP SP2 wmf exploit (some details)
Source: MITRE Type: CNA CVE-2006-4071
Source: CCN Type: Determina Security Blog, Wednesday, January 10, 2007 What's wrong with WMF?
Source: MISC Type: UNKNOWN http://determina.blogspot.com/2007/01/whats-wrong-with-wmf.html
Source: FULLDISC Type: Exploit 20060806 0-day XP SP2 wmf exploit
Source: FULLDISC Type: UNKNOWN 20060807 0-day XP SP2 wmf exploit (some details)
Source: CCN Type: SA21377 Microsoft Windows WMF File Handling Denial of Service
Source: SECUNIA Type: Exploit, Vendor Advisory 21377
Source: SREASON Type: UNKNOWN 1353
Source: CCN Type: OSVDB ID: 27797 Microsoft Windows GDI library (gdi32.dll) createBrushIndirect Function WMF Parsing DoS
Source: BUGTRAQ Type: UNKNOWN 20060807 0-day XP SP2 wmf exploit (some details)
Source: BUGTRAQ Type: UNKNOWN 20060806 0-day XP SP2 wmf exploit
Source: BUGTRAQ Type: UNKNOWN 20070111 WMF CreateBrushIndirect vulnerability (DoS)
Source: BID Type: UNKNOWN 19365
Source: CCN Type: BID-19365 Microsoft Windows GDI32.DLL WMF Remote Denial of Service Vulnerability
Source: BID Type: UNKNOWN 21992
Source: CCN Type: BID-21992 Microsoft Windows Explorer WMF File Denial of Service Vulnerability
Source: VUPEN Type: UNKNOWN ADV-2006-3180
Source: XF Type: UNKNOWN windows-wmf-gdi32-dos(28281)
Source: EXPLOIT-DB Type: UNKNOWN 3111
Vulnerable Configuration: Configuration 1: Configuration CCN 1: Denotes that component is vulnerable