Vulnerability CVE-2006-6696 - CERT Civis.Net

Vulnerability Name:

CVE-2006-6696 (CCN-31018)

Assigned:

2006-12-15

Published:

2006-12-15

Updated:

2019-04-30

Summary:

Double free vulnerability in Microsoft Windows 2000, XP, 2003, and Vista allows local users to gain privileges by calling the MessageBox function with a MB_SERVICE_NOTIFICATION message with crafted data, which sends a HardError message to Client/Server Runtime Server Subsystem (CSRSS) process, which is not properly handled when invoking the UserHardError and GetHardErrorText functions in WINSRV.DLL.

CVSS v3 Severity:

9.3 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

CVSS v2 Severity:

6.9 Medium (CVSS v2 Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C)
5.7 Medium (Temporal CVSS v2 Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

7.2 High (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C)
5.9 Medium (CCN Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

Vulnerability Type:

Vulnerability Consequences:

Gain Privileges

References:

Source: CCN
Type: Full-Disclosure Mailing List, Thu Dec 21 2006 - 05:58:17 CST
Microsoft Windows XP/2003/Vista memory corruption 0day

Source: CCN
Type: Microsoft Security Response Center Blog, Friday, December 22, 2006 1:05 AM
New report of a Windows vulnerability

Source: CONFIRM
Type: UNKNOWN
http://blogs.technet.com/msrc/archive/2006/12/22/new-report-of-a-windows-vulnerability.aspx

Source: MITRE
Type: CNA
CVE-2006-6696

Source: MISC
Type: UNKNOWN
http://groups.google.ca/group/microsoft.public.win32.programmer.kernel/browse_thread/thread/c5946bf40f227058/7bd7b5d66a4e5aff

Source: MISC
Type: UNKNOWN
http://isc.sans.org/diary.php?n&storyid=1965

Source: FULLDISC
Type: UNKNOWN
20061221 Microsoft Windows XP/2003/Vista memory corruption 0day

Source: MISC
Type: UNKNOWN
http://research.eeye.com/html/alerts/zeroday/20061215.html

Source: CCN
Type: SA23448
Microsoft Windows CSRSS MsgBox Memory Corruption Vulnerability

Source: SECUNIA
Type: Vendor Advisory
23448

Source: CCN
Type: SECTRACK ID: 1017433
Windows Client-Server Run-time Subsystem Lets Local Users Gain Elevated Privileges

Source: SECTRACK
Type: UNKNOWN
1017433

Source: CCN
Type: ASA-2007-159
MS07-021 Vulnerabilities in CSRSS Could Allow Remote Code Execution (930178)

Source: CCN
Type: Microsoft Security Bulletin MS12-054
Vulnerabilities in Windows Networking Components Could Allow Remote Code Execution (2733594)

Source: CCN
Type: Microsoft Security Bulletin MS13-019
Vulnerability in Windows Client/Server Run-time Subsystem (CSRSS) Could Allow Elevation of Privilege (2790113)

Source: CCN
Type: Microsoft Security Bulletin MS13-033
Vulnerability in Windows Client/Server Run-time Subsystem (CSRSS) Could Allow Elevation of Privilege (2820917)

Source: CCN
Type: Microsoft Security Bulletin MS13-077
Vulnerability in Windows Service Control Manager Could Allow Elevation of Privilege (2872339)

Source: CCN
Type: Microsoft Security Bulletin MS16-087
Security Update for the Microsoft Print Spooler (3170005)

Source: CCN
Type: Determina Security Research
Windows CSRSS HardError Message Box Vulnerability

Source: MISC
Type: UNKNOWN
http://www.determina.com/security.research/vulnerabilities/csrss-harderror.html

Source: MISC
Type: UNKNOWN
http://www.kuban.ru/forum_new/forum2/files/19124.html

Source: CCN
Type: Microsoft Security Bulletin MS07-021
Vulnerabilities in CSRSS Could Allow Remote Code Execution (930178)

Source: CCN
Type: Microsoft Security Bulletin MS09-022
Vulnerabilities in the Windows Print Spooler Could Allow Remote Code Execution (961501)

Source: CCN
Type: Microsoft Security Bulletin MS10-069
Vulnerability in Windows Client/Server Runtime Subsystem Could Allow Elevation of Privilege (2121546)

Source: CCN
Type: Microsoft Security Bulletin MS11-056
Vulnerabilities in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2507938)

Source: CCN
Type: Microsoft Security Bulletin MS11-063
Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2567680)

Source: CCN
Type: Microsoft Security Bulletin MS12-003
Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2646524)

Source: MISC
Type: UNKNOWN
http://www.security.nnov.ru/files/messagebox.c

Source: MISC
Type: UNKNOWN
http://www.security.nnov.ru/Gnews944.html

Source: BUGTRAQ
Type: UNKNOWN
20061221 Microsoft Windows XP/2003/Vista memory corruption 0day

Source: BUGTRAQ
Type: UNKNOWN
20061221 Re: [Full-disclosure] Microsoft Windows XP/2003/Vista memorycorruption 0day

Source: BUGTRAQ
Type: UNKNOWN
20061221 Re: [Full-disclosure] Microsoft Windows XP/2003/Vista memory corruption 0day

Source: BUGTRAQ
Type: UNKNOWN
20061222 Re: Re: [Full-disclosure] Microsoft Windows XP/2003/Vista memory corruption 0day

Source: BUGTRAQ
Type: UNKNOWN
20061230 csrss.exe double-free vulnerability - arbitrary DWORD overwrite exploit

Source: HP
Type: UNKNOWN
HPSBST02208

Source: BID
Type: UNKNOWN
21688

Source: CCN
Type: BID-21688
Microsoft Windows CSRSS HardError Messages Denial of Service Vulnerability

Source: BID
Type: UNKNOWN
23324

Source: CCN
Type: BID-23324
Microsoft Windows CSRSS MSGBox Remote Code Execution Vulnerability

Source: VUPEN
Type: UNKNOWN
ADV-2006-5120

Source: VUPEN
Type: UNKNOWN
ADV-2007-1325

Source: MS
Type: UNKNOWN
MS07-021

Source: XF
Type: UNKNOWN
windows-messagebox-privilege-escalation(31018)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:1816

Vulnerable Configuration:

Configuration 1:

cpe:/o:microsoft:windows_2000:*:*:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_2000:*:sp1:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_2000:*:sp2:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_2000:*:sp3:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_2000:*:sp4:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_2003_server:datacenter_edition:*:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_2003_server:datacenter_edition:sp1:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_2003_server:datacenter_edition:sp1_beta_1:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_2003_server:enterprise_edition:sp1:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_2003_server:enterprise_edition:sp1_beta_1:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_2003_server:sp1:*:enterprise:*:*:*:*:*

OR cpe:/o:microsoft:windows_2003_server:standard:*:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_2003_server:standard:sp1:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_2003_server:standard:sp1_beta_1:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_2003_server:web:*:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_2003_server:web:sp1:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_2003_server:web:sp1_beta_1:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_vista:*:*:december_ctp:*:*:*:*:*

OR cpe:/o:microsoft:windows_vista:*:beta:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_vista:*:beta1:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_vista:*:beta2:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_xp:*:*:home:*:*:*:*:*

OR cpe:/o:microsoft:windows_xp:*:*:media_center:*:*:*:*:*

OR cpe:/o:microsoft:windows_xp:*:gold:professional:*:*:*:*:*

OR cpe:/o:microsoft:windows_xp:*:sp1:home:*:*:*:*:*

OR cpe:/o:microsoft:windows_xp:*:sp1:media_center:*:*:*:*:*

OR cpe:/o:microsoft:windows_xp:*:sp2:home:*:*:*:*:*

OR cpe:/o:microsoft:windows_xp:*:sp2:media_center:*:*:*:*:*

OR cpe:/o:microsoft:windows_xp:*:sp2:tablet_pc:*:*:*:*:*

Configuration CCN 1:

cpe:/o:microsoft:windows_2000:-:sp4:*:*:*:*:*:*

OR cpe:/o:microsoft:windows:2003_server::x64:*:*:*:*:*

OR cpe:/o:microsoft:windows:xp:sp2:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_2003_server:-::~~~~itanium~:*:*:*:*:*

OR cpe:/o:microsoft:windows:2003_server:sp1:*:*:*:*:*:*

OR cpe:/o:microsoft:windows:2003_server:sp1_itanium:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_vista:*:*:*:*:*:*:*:*

OR cpe:/o:microsoft:windows:server_2003:sp2:*:*:*:*:*:*

OR cpe:/o:microsoft:windows:server_2003:sp2:itanium:*:*:*:*:*

OR cpe:/o:microsoft:windows:server_2003:sp2:x64:*:*:*:*:*

OR cpe:/o:microsoft:windows_vista:-:*:x64:*:*:*:*:*

OR cpe:/o:microsoft:windows_xp::sp2:x64:*:professional:*:*:*

OR cpe:/a:microsoft:windows_2003:*:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.mitre.oval:def:1816	V	MsgBox (CSRSS) Remote Code Execution Vulnerability	2012-11-19