CVE-2006-2370
published 2006-06-13


Priority: P2 · 64 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: available
EPSS: 72.97% (99.4th percentile)
Buffer overflow in the Routing and Remote Access service (RRAS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to execute arbitrary code via certain crafted "RPC related requests," aka the "RRAS Memory Corruption Vulnerability."

Affected (10 ranges)

Vendor    | Product             | Version range | Fixed in
microsoft | windows_2003_server |               |

Detection & IOCs

registry: HKEY_USERS\.DEFAULT\Software\Microsoft\RAS Phonebook
port: 445/tcp
command: dcerpc.call(0x0C, stb)
command: dcerpc.call(0xA, stubdata)
other: SMB named pipe \ROUTER
other: SMB named pipe \SRVSVC
bytes: \x81\xc4\xff\xef\xff\xff\x44
bytes: \x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x41\x41\x41\x41\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7
  • Detect DCERPC bind requests to the RRAS interface UUID 20610036-fa22-11cf-9823-00a0c911e5df version 1.0 over SMB named pipes \ROUTER or \SRVSVC, which is the attack vector for CVE-2006-2370.
  • Alert on DCERPC opcode 0x0C calls to the RRAS interface (UUID 20610036-fa22-11cf-9823-00a0c911e5df) with oversized request buffers (~0x4000 bytes), indicative of the stack overflow exploit.
  • Alert on DCERPC opcode 0x0A calls to the RRAS interface (UUID 20610036-fa22-11cf-9823-00a0c911e5df) sent twice in rapid succession, indicative of the RASMAN registry overflow exploit (key creation then trigger).
  • Monitor for creation or presence of the registry key HKEY_USERS\.DEFAULT\Software\Microsoft\RAS Phonebook, which is written by the RASMAN registry overflow exploit and persists after a failed attempt.
  • Detect the egghunter shellcode byte pattern \x66\x81\xca\xff\x0f\x42 in SMB/DCERPC traffic, used by the RASMAN registry overflow exploit.
  • Detect the stack adjustment prepend bytes \x81\xc4\xff\xef\xff\xff\x44 in DCERPC payloads over SMB, used by RRAS exploit shellcode to adjust ESP before execution.
  • Flag anomalous svchost.exe network activity on TCP 445 involving large DCERPC stub data (~16 KB) to the RRAS interface, as the exploit payload is padded to 0x4000 bytes.
  • The RASMAN registry overflow exploit can only be attempted once per target system without manual cleanup. A failed attempt (wrong target offset) leaves a persistent registry key that prevents re-exploitation until it is manually removed.
  • On Windows 2000, exploitation requires valid SMB credentials (authenticated attack). On Windows XP SP1, the SMB pipe must be \SRVSVC instead of the default \ROUTER.
  • A failed exploit attempt targets svchost.exe (which hosts the RRAS service), so a crash will also bring down other services sharing that svchost.exe process.