Microsoft Windows RASMAN Service Stack Overflow Vulnerability

Vulnerability ID: 1194567    Vulnerability type: Buffer overflow
Published: 2006-06-13    Updated: 2006-07-14
CVE ID: CVE-2006-2371    CNNVD ID: CNNVD-200606-276
Platform: N/A    CVSS score: 7.5
|Vulnerability sources
https://www.securityfocus.com/bid/18358
https://cxsecurity.com/issue/WLB-2006060101
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200606-276
|Vulnerability details
Microsoft Windows is a series of operating systems released by the US company Microsoft. The Microsoft Windows Remote Access Connection Manager (RASMAN) exposes a remotely callable RPC interface, and the RPC function _RasRpcSubmitRequest on that interface has several security vulnerabilities that a remote attacker may exploit to execute arbitrary instructions on the server. _RasRpcSubmitRequest and its subfunctions insufficiently validate the function pointers passed to them as parameters, and some subfunctions contain buffer overflows in their handling of parameters. Each of these flaws may be exploited by an attacker to execute arbitrary instructions on the server and thereby take control of the system.
|Vulnerability EXP
Peter Winter-Smith of NGSSoftware has discovered a high risk vulnerability
in the Microsoft Windows Remote Access Connection Manager (RASMAN) service
which (under certain versions of the OS) can allow a remote, anonymous
attacker to gain complete control over a vulnerable system.

The vulnerability is specific to one of the RPC interfaces provided by the
RASMAN service. A sequence of specially crafted RPC calls to a given
function exposed through the interface can lead to registry corruption,
which can - in turn - lead to stack memory corruption within the Service
Host instance hosting the RASMAN service.

Under a default install of Windows 2000 SP4 the vulnerability can be reached
by an anonymous user; under Windows XP SP2 and Windows 2003 Server the
vulnerability can only be used for local privilege elevation.

This issue has been resolved in the Microsoft security bulletin MS06-025
which can be downloaded from:

http://www.microsoft.com/technet/security/Bulletin/MS06-025.mspx

NGSSoftware are going to withhold details of this flaw for three months.
Full details will be published on the 13th September 2006. This three month
window will allow users of Microsoft Windows the time needed to apply the
patch before the details are released to the general public. This reflects
NGSSoftware's approach to responsible disclosure.

NGSSoftware Insight Security Research
http://www.ngssoftware.com
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070
|Affected products
Microsoft Windows XP Tablet PC Edition SP2 Microsoft Windows XP Tablet PC Edition SP1 Microsoft Windows XP Tablet PC Edition Microsoft Windows XP Professional x64 Edition Microsoft Wind
|References

Source: US-CERT
Name: TA06-164A
Link: http://www.us-cert.gov/cas/techalerts/TA06-164A.html
Source: US-CERT
Name: VU#814644
Link: http://www.kb.cert.org/vuls/id/814644
Source: BID
Name: 18358
Link: http://www.securityfocus.com/bid/18358
Source: BUGTRAQ
Name: 20060613 High Risk Vulnerability in Microsoft Windows RASMAN Service
Link: http://www.securityfocus.com/archive/1/archive/1/436977/100/0/threaded
Source: MS
Name: MS06-025
Link: http://www.microsoft.com/technet/security/bulletin/ms06-025.mspx
Source: VUPEN
Name: ADV-2006-2323
Link: http://www.frsirt.com/english/advisories/2006/2323
Source: SECUNIA
Name: 20630
Link: http://secunia.com/advisories/20630
Source: SECTRACK
Name: 1016285
Link: http://securitytracker.com/id?1016285
Source: XF
Name: win-rras-rasman-bo(26814)
Link: http://xforce.iss.net/xforce/xfdb/26814
Source: OSVDB
Name: 26436
Link: http://www.osvdb.org/26436
Source: SREASON
Name: 1096
Link: http://securityreason.com/securityalert/1096
Source: US Government Resource: oval:org.mitre.oval:def:1983
Name: oval:org.mitre.oval:def:1983
Link: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:1983