ID CVE-2006-2370
Summary Buffer overflow in the Routing and Remote Access service (RRAS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to execute arbitrary code via certain crafted "RPC related requests," aka the "RRAS Memory Corruption Vulnerability."
References
Vulnerable Configurations
  • cpe:2.3:o:microsoft:windows_2000:-:advanced_server
    cpe:2.3:o:microsoft:windows_2000:-:advanced_server
  • cpe:2.3:o:microsoft:windows_2000:-:datacenter_server
    cpe:2.3:o:microsoft:windows_2000:-:datacenter_server
  • cpe:2.3:o:microsoft:windows_2000:-:professional
    cpe:2.3:o:microsoft:windows_2000:-:professional
  • cpe:2.3:o:microsoft:windows_2000:-:server
    cpe:2.3:o:microsoft:windows_2000:-:server
  • Microsoft Windows 2000 Advanced Server SP1
    cpe:2.3:o:microsoft:windows_2000:-:sp1:advanced_server
  • Microsoft Windows 2000 Datacenter Server SP1
    cpe:2.3:o:microsoft:windows_2000:-:sp1:datacenter_server
  • Microsoft Windows 2000 Professional SP1
    cpe:2.3:o:microsoft:windows_2000:-:sp1:professional
  • Microsoft Windows 2000 Server SP1
    cpe:2.3:o:microsoft:windows_2000:-:sp1:server
  • Microsoft Windows 2000 Advanced Server SP2
    cpe:2.3:o:microsoft:windows_2000:-:sp2:advanced_server
  • Microsoft Windows 2000 Datacenter Server SP2
    cpe:2.3:o:microsoft:windows_2000:-:sp2:datacenter_server
  • Microsoft Windows 2000 Professional SP2
    cpe:2.3:o:microsoft:windows_2000:-:sp2:professional
  • Microsoft Windows 2000 Server SP2
    cpe:2.3:o:microsoft:windows_2000:-:sp2:server
  • Microsoft Windows 2000 Advanced Server SP3
    cpe:2.3:o:microsoft:windows_2000:-:sp3:advanced_server
  • Microsoft Windows 2000 Datacenter Server SP3
    cpe:2.3:o:microsoft:windows_2000:-:sp3:datacenter_server
  • Microsoft Windows 2000 Professional SP3
    cpe:2.3:o:microsoft:windows_2000:-:sp3:professional
  • Microsoft Windows 2000 Server SP3
    cpe:2.3:o:microsoft:windows_2000:-:sp3:server
  • Microsoft Windows 2000 Advanced Server SP4
    cpe:2.3:o:microsoft:windows_2000:-:sp4:advanced_server
  • Microsoft Windows 2000 Datacenter Server SP4
    cpe:2.3:o:microsoft:windows_2000:-:sp4:datacenter_server
  • Microsoft Windows 2000 Professional SP4
    cpe:2.3:o:microsoft:windows_2000:-:sp4:professional
  • Microsoft Windows 2000 Server SP4
    cpe:2.3:o:microsoft:windows_2000:-:sp4:server
  • cpe:2.3:o:microsoft:windows_2003_server:datacenter_edition
    cpe:2.3:o:microsoft:windows_2003_server:datacenter_edition
  • cpe:2.3:o:microsoft:windows_2003_server:datacenter_edition:sp1
    cpe:2.3:o:microsoft:windows_2003_server:datacenter_edition:sp1
  • cpe:2.3:o:microsoft:windows_2003_server:datacenter_edition_64-bit
    cpe:2.3:o:microsoft:windows_2003_server:datacenter_edition_64-bit
  • cpe:2.3:o:microsoft:windows_2003_server:datacenter_edition_64-bit:sp1
    cpe:2.3:o:microsoft:windows_2003_server:datacenter_edition_64-bit:sp1
  • cpe:2.3:o:microsoft:windows_2003_server:enterprise_64-bit
    cpe:2.3:o:microsoft:windows_2003_server:enterprise_64-bit
  • cpe:2.3:o:microsoft:windows_2003_server:enterprise_edition:sp1
    cpe:2.3:o:microsoft:windows_2003_server:enterprise_edition:sp1
  • cpe:2.3:o:microsoft:windows_2003_server:enterprise_edition_64-bit
    cpe:2.3:o:microsoft:windows_2003_server:enterprise_edition_64-bit
  • cpe:2.3:o:microsoft:windows_2003_server:enterprise_edition_64-bit:sp1
    cpe:2.3:o:microsoft:windows_2003_server:enterprise_edition_64-bit:sp1
  • cpe:2.3:o:microsoft:windows_2003_server:r2:-:datacenter_64-bit
    cpe:2.3:o:microsoft:windows_2003_server:r2:-:datacenter_64-bit
  • cpe:2.3:o:microsoft:windows_2003_server:sp1:-:enterprise
    cpe:2.3:o:microsoft:windows_2003_server:sp1:-:enterprise
  • cpe:2.3:o:microsoft:windows_2003_server:standard
    cpe:2.3:o:microsoft:windows_2003_server:standard
  • cpe:2.3:o:microsoft:windows_2003_server:standard:sp1
    cpe:2.3:o:microsoft:windows_2003_server:standard:sp1
  • cpe:2.3:o:microsoft:windows_2003_server:standard_64-bit
    cpe:2.3:o:microsoft:windows_2003_server:standard_64-bit
  • cpe:2.3:o:microsoft:windows_2003_server:web
    cpe:2.3:o:microsoft:windows_2003_server:web
  • cpe:2.3:o:microsoft:windows_2003_server:web:sp1
    cpe:2.3:o:microsoft:windows_2003_server:web:sp1
  • cpe:2.3:o:microsoft:windows_xp:-:64-bit
    cpe:2.3:o:microsoft:windows_xp:-:64-bit
  • cpe:2.3:o:microsoft:windows_xp:-:home
    cpe:2.3:o:microsoft:windows_xp:-:home
  • cpe:2.3:o:microsoft:windows_xp:-:media_center
    cpe:2.3:o:microsoft:windows_xp:-:media_center
  • Microsoft Windows XP Professional Gold
    cpe:2.3:o:microsoft:windows_xp:-:gold:professional
  • Microsoft Windows XP Service Pack 1 Home Edition
    cpe:2.3:o:microsoft:windows_xp:-:sp1:home
  • Microsoft windows xp_sp1 media_center
    cpe:2.3:o:microsoft:windows_xp:-:sp1:media_center
  • Microsoft Windows XP Service Pack 2 Home Edition
    cpe:2.3:o:microsoft:windows_xp:-:sp2:home
  • Microsoft windows xp_sp2 media_center
    cpe:2.3:o:microsoft:windows_xp:-:sp2:media_center
  • Microsoft windows xp_sp2 tablet_pc
    cpe:2.3:o:microsoft:windows_xp:-:sp2:tablet_pc
CVSS
Base: 7.5 (as of 14-06-2006 - 10:18)
Impact:
Exploitability:
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: PARTIAL
  Availability: PARTIAL
exploit-db via4
  • description MS Windows RRAS RASMAN Registry Stack Overflow Exploit (MS06-025). CVE-2006-2370. Remote exploit for windows platform
    id EDB-ID:1965
    last seen 2016-01-31
    modified 2006-06-29
    published 2006-06-29
    reporter Pusscat
    source https://www.exploit-db.com/download/1965/
    title Microsoft Windows - RRAS RASMAN Registry Stack Overflow Exploit MS06-025
  • description Microsoft RRAS Service Overflow. CVE-2006-2370. Remote exploit for windows platform
    id EDB-ID:16364
    last seen 2016-02-01
    modified 2010-05-09
    published 2010-05-09
    reporter metasploit
    source https://www.exploit-db.com/download/16364/
    title Microsoft RRAS Service Overflow
  • description Microsoft RRAS Service RASMAN Registry Overflow. CVE-2006-2370. Remote exploit for windows platform
    id EDB-ID:16375
    last seen 2016-02-01
    modified 2010-08-25
    published 2010-08-25
    reporter metasploit
    source https://www.exploit-db.com/download/16375/
    title Microsoft RRAS Service RASMAN Registry Overflow
  • description MS Windows RRAS Remote Stack Overflow Exploit (MS06-025). CVE-2006-2370. Remote exploit for windows platform
    id EDB-ID:1940
    last seen 2016-01-31
    modified 2006-06-22
    published 2006-06-22
    reporter H D Moore
    source https://www.exploit-db.com/download/1940/
    title Microsoft Windows RRAS - Remote Stack Overflow Exploit MS06-025
metasploit via4
  • description This module exploits a registry-based stack buffer overflow in the Windows Routing and Remote Access Service. Since the service is hosted inside svchost.exe, a failed exploit attempt can cause other system services to fail as well. A valid username and password is required to exploit this flaw on Windows 2000. When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'. Exploiting this flaw involves two distinct steps - creating the registry key and then triggering an overwrite based on a read of this key. Once the key is created, it cannot be recreated. This means that for any given system, you only get one chance to exploit this flaw. Picking the wrong target will require a manual removal of the following registry key before you can try again: HKEY_USERS\.DEFAULT\Software\Microsoft\RAS Phonebook
    id MSF:EXPLOIT/WINDOWS/SMB/MS06_025_RASMANS_REG
    last seen 2018-02-26
    modified 2017-07-24
    published 2006-06-20
    reliability Good
    reporter Rapid7
    source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/smb/ms06_025_rasmans_reg.rb
    title MS06-025 Microsoft RRAS Service RASMAN Registry Overflow
  • description This module exploits a stack buffer overflow in the Windows Routing and Remote Access Service. Since the service is hosted inside svchost.exe, a failed exploit attempt can cause other system services to fail as well. A valid username and password is required to exploit this flaw on Windows 2000. When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'.
    id MSF:EXPLOIT/WINDOWS/SMB/MS06_025_RRAS
    last seen 2019-02-12
    modified 2017-07-24
    published 2006-06-14
    reliability Average
    reporter Rapid7
    source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/smb/ms06_025_rras.rb
    title MS06-025 Microsoft RRAS Service Overflow
nessus via4
  • NASL family Windows
    NASL id SMB_KB911280.NASL
    description The remote version of Windows contains a version of RRAS (Routing and Remote Access Service) that is affected by several memory corruption vulnerabilities. An attacker may exploit these flaws to execute code on the remote service.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 21696
    published 2006-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21696
    title MS06-025: Vulnerability in Routing and Remote Access Could Allow Remote Code Execution (911280) (uncredentialed check)
  • NASL family Windows : Microsoft Bulletins
    NASL id SMB_NT_MS06-025.NASL
    description The remote version of Windows contains a version of RRAS (Routing and Remote Access Service) that has several memory corruption vulnerabilities. An attacker may exploit these flaws to execute code on the remote service.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 21689
    published 2006-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21689
    title MS06-025: Vulnerability in Routing and Remote Access Could Allow Remote Code Execution (911280)
oval via4
  • accepted 2011-05-16T04:01:21.701-04:00
    class vulnerability
    contributors
    • name Robert L. Hollis
      organization ThreatGuard, Inc.
    • name Shane Shaffer
      organization G2, Inc.
    • name Sudhir Gandhe
      organization Telos
    • name Shane Shaffer
      organization G2, Inc.
    description Buffer overflow in the Routing and Remote Access service (RRAS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to execute arbitrary code via certain crafted "RPC related requests," aka the "RRAS Memory Corruption Vulnerability."
    family windows
    id oval:org.mitre.oval:def:1587
    status accepted
    submitted 2006-06-14T09:55:00.000-04:00
    title RRAS Memory Corruption Vulnerability (64-bit XP)
    version 67
  • accepted 2011-05-16T04:01:39.629-04:00
    class vulnerability
    contributors
    • name Robert L. Hollis
      organization ThreatGuard, Inc.
    • name Jonathan Baker
      organization The MITRE Corporation
    • name Shane Shaffer
      organization G2, Inc.
    • name Sudhir Gandhe
      organization Telos
    • name Shane Shaffer
      organization G2, Inc.
    description Buffer overflow in the Routing and Remote Access service (RRAS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to execute arbitrary code via certain crafted "RPC related requests," aka the "RRAS Memory Corruption Vulnerability."
    family windows
    id oval:org.mitre.oval:def:1720
    status accepted
    submitted 2006-06-14T09:55:00.000-04:00
    title RRAS Memory Corruption Vulnerability (WinS03)
    version 68
  • accepted 2011-05-16T04:01:41.863-04:00
    class vulnerability
    contributors
    • name Robert L. Hollis
      organization ThreatGuard, Inc.
    • name Anna Min
      organization BigFix, Inc
    • name Shane Shaffer
      organization G2, Inc.
    • name Sudhir Gandhe
      organization Telos
    • name Shane Shaffer
      organization G2, Inc.
    description Buffer overflow in the Routing and Remote Access service (RRAS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to execute arbitrary code via certain crafted "RPC related requests," aka the "RRAS Memory Corruption Vulnerability."
    family windows
    id oval:org.mitre.oval:def:1741
    status accepted
    submitted 2006-06-14T09:55:00.000-04:00
    title RRAS Memory Corruption Vulnerability (Win2K)
    version 68
  • accepted 2011-05-16T04:01:53.995-04:00
    class vulnerability
    contributors
    • name Robert L. Hollis
      organization ThreatGuard, Inc.
    • name Dragos Prisaca
      organization Gideon Technologies, Inc.
    • name Shane Shaffer
      organization G2, Inc.
    • name Sudhir Gandhe
      organization Telos
    • name Shane Shaffer
      organization G2, Inc.
    description Buffer overflow in the Routing and Remote Access service (RRAS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to execute arbitrary code via certain crafted "RPC related requests," aka the "RRAS Memory Corruption Vulnerability."
    family windows
    id oval:org.mitre.oval:def:1823
    status accepted
    submitted 2006-06-14T09:55:00.000-04:00
    title RRAS Memory Corruption Vulnerability (WinXP,SP2)
    version 68
  • accepted 2011-05-16T04:02:08.528-04:00
    class vulnerability
    contributors
    • name Robert L. Hollis
      organization ThreatGuard, Inc.
    • name Shane Shaffer
      organization G2, Inc.
    • name Sudhir Gandhe
      organization Telos
    • name Shane Shaffer
      organization G2, Inc.
    description Buffer overflow in the Routing and Remote Access service (RRAS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to execute arbitrary code via certain crafted "RPC related requests," aka the "RRAS Memory Corruption Vulnerability."
    family windows
    id oval:org.mitre.oval:def:1936
    status accepted
    submitted 2006-06-14T09:55:00.000-04:00
    title RRAS Memory Corruption Vulnerability (S03,SP1)
    version 67
  • accepted 2011-05-16T04:02:21.573-04:00
    class vulnerability
    contributors
    • name Robert L. Hollis
      organization ThreatGuard, Inc.
    • name Shane Shaffer
      organization G2, Inc.
    • name Sudhir Gandhe
      organization Telos
    • name Shane Shaffer
      organization G2, Inc.
    description Buffer overflow in the Routing and Remote Access service (RRAS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to execute arbitrary code via certain crafted "RPC related requests," aka the "RRAS Memory Corruption Vulnerability."
    family windows
    id oval:org.mitre.oval:def:2061
    status accepted
    submitted 2006-06-14T09:55:00.000-04:00
    title RRAS Memory Corruption Vulnerability (WinXP,SP1)
    version 67
packetstorm via4
refmap via4
bid 18325
cert TA06-164A
cert-vn VU#631516
ms MS06-025
osvdb 26437
sectrack 1016285
secunia 20630
vupen ADV-2006-2323
xf win-rras-bo(26812)
saint via4
bid 18325
description Windows RRAS memory corruption vulnerability
id win_patch_rasman
osvdb 26437
title windows_rras
type remote
Last major update 07-03-2011 - 21:36
Published 13-06-2006 - 15:06
Last modified 12-10-2018 - 17:39