Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:13484
HistoryJul 11, 2006 - 12:00 a.m.

TSRT-06-02: Microsoft SRV.SYS Mailslot Ring0 Memory Corruption Vulnerability

2006-07-1100:00:00
vulners.com
23
JSON

TSRT-06-02: Microsoft SRV.SYS Mailslot Ring0
Memory Corruption
Vulnerability
http://www.tippingpoint.com/security/advisories/TSRT-06-02.html
July 11, 2006

– CVE ID:
CVE-2006-1314

– Affected Vendor:
Microsoft

– Affected Products:
Windows 2000
Windows XP SP1
Windows XP SP2
Windows 2003
Windows 2003 SP1

– TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected
against this
vulnerability since July 11, 2006 by Digital
Vaccine protection
filter ID 4266. For further product information
on the TippingPoint IPS:

http://www.tippingpoint.com

– Vulnerability Details:
This vulnerability allows remote attackers to
execute arbitrary code on
vulnerable installations of the Microsoft Windows
operating system.
Authentication is not required to exploit this
vulnerability and code
execution occurs within the context of the kernel.

According to the Microsoft Developer Network
(MSDN) documentation,
Mailslot communications are divided into two
classes. First-class
Mailslots are connection oriented and operate
over SMB/TCP.
Second-class Mailslots provide connectionless
messaging for broadcast
messages and operate over SMB/UDP. Second-class
Mailslots are limited
to 424 bytes per message. First-class Mailslots
are officially
unsupported in the Windows 2000, XP and 2003
operating systems.

The specific flaw exists within the SRV.SYS
driver, which is
responsible for handling all Server Message Block
(SMB) traffic. During
the processing of first-class Mailslot messages,
an exploitable memory
corruption condition is created. As a side
effect, attackers are also
capable of exceeding the second-class Mailslot
message size
limitation.

It is important to note that this vulnerability
affects more than just
the Windows kernel. Applications built on
Mailslot communications that
rely on the message size restriction of
second-class Mailslots are
likely to be affected by this vulnerability.

– Vendor Response:
Microsoft has issued an update to correct this
vulnerability. More
details can be found at:

http://www.microsoft.com/technet/security/bulletin/MS06-035.mspx

– Disclosure Timeline:
2006.03.01 - Vulnerability reported to vendor
2006.07.11 - Digital Vaccine released to
TippingPoint customers
2006.07.11 - Coordinated public release of
advisory

– Credit:
This vulnerability was discovered by Pedram
Amini, TippingPoint Security
Research Team in collaboration with HD Moore,
Metasploit.

Related

prion 1
checkpoint_advisories 3
cert 1
cve 2
nessus 3
securityvulns 1
prion
prion
Heap overflow
2006-07-11 21:05:00
checkpoint_advisories
checkpoint_advisories
Microsoft Windows RASMAN Service Memory Corruption (MS06-025; CVE-2006-1314)
2006-07-18 00:00:00
MS-RPC Programs Lookup (CVE-2006-1314)
2006-07-18 00:00:00
Microsoft Server Service MailSlot Heap Overflow (MS06-035; CVE-2006-1314)
2006-09-21 00:00:00
cert
cert
Microsoft Server Service Mailslot vulnerable to heap overflow
2006-07-11 00:00:00
cve
cve
CVE-2006-1314
2006-07-11 21:05:00
CVE-2006-3439
2006-08-09 01:04:00
nessus
nessus
MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159) (uncredentialed check)
2006-07-12 00:00:00
MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159)
2006-07-11 00:00:00
MS06-063: Vulnerability in Server Service Could Allow Denial of Service (923414)
2006-10-10 00:00:00
securityvulns
securityvulns
Microsoft Security Bulletin MS06-035 Vulnerability in Server Service Could Allow Remote Code Execution (917159)
2006-07-11 00:00:00
JSON
Related for SECURITYVULNS:DOC:13484
prion1checkpoint_advisories3cert1cve2nessus3securityvulns1