CVE-2006-2379
Published 2006-06-13
Priority: P2 (63) · Severity: critical · CVSS 2.0 base score: 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public proof-of-concept known
EPSS: 58.03% (99.0th percentile)
Buffer overflow in the TCP/IP Protocol driver in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote attackers to execute arbitrary code via unknown vectors related to IP source routing.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_nt | — | — |
Detection & IOCs (extracted from sources)
- Detect ICMP packets carrying IP Loose Source and Record Route (LSRR) options (IP option type 0x83) directed at Windows 2000/XP/Server 2003 hosts — this is the specific trigger for the tcpip.sys buffer overflow.
- Alert on traceroute/tracert traffic using a gateway of 0.0.0.0 (loose source route waypoint), which is the exploit's method of injecting the malicious IP option.
- Monitor Windows 2000 NAT/routing hosts for unexpected BSODs referencing tcpip.sys or ntoskrnl.exe, which are the crash signatures produced by successful exploitation.
- The vulnerability is triggered regardless of whether packets originate from internal or external networks — perimeter filtering alone is insufficient; also inspect intra-LAN traffic for LSRR-bearing ICMP packets.
- The vulnerability requires NAT or IP routing to be enabled on the target Windows 2000 host; systems without routing/NAT active were not confirmed vulnerable in the original report.
- Windows Server 2003 was reported as NOT affected by the NAT/routing-triggered BSOD variant, though Microsoft's advisory extends the CVE scope to Server 2003 SP1 and earlier for the broader RCE vector.
- The PoC exploit is a DoS/BSOD proof-of-concept; remote code execution is noted as theoretically possible but was not demonstrated in this sample.
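The first two detection points above reduce to one concrete check: parse the IPv4 option area of each packet and raise a finding when an ICMP packet carries a source-route option, noting whether the route list contains the 0.0.0.0 waypoint. The following is an added example written for this page, not code from the CVE record, Microsoft, or any of the referenced advisories. It assumes raw IPv4 packets as `bytes` (as a sniffer or pcap reader would hand over), builds its own constructed sample packets (checksums left at zero), and generalises slightly beyond the text by also matching the strict source-route option (SSRR, type 0x89), which has the same on-the-wire layout as LSRR.

```python
"""Flag ICMP packets carrying IP source-route options (added example, constructed samples)."""
import ipaddress
import struct
from typing import List, Optional, Tuple

IPOPT_EOL = 0       # end of option list
IPOPT_NOP = 1       # no-operation padding
IPOPT_LSRR = 0x83   # loose source and record route (the trigger named in the detection notes)
IPOPT_SSRR = 0x89   # strict source route; same layout, matched here as a generalisation
PROTO_ICMP = 1
OPTION_NAMES = {IPOPT_LSRR: "LSRR", IPOPT_SSRR: "SSRR"}


def parse_ipv4_options(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the option area of an IPv4 header and return (type, body) pairs.

    Raises ValueError on malformed input so a caller can treat a packet that
    does not parse as suspicious instead of silently skipping it.
    """
    if len(packet) < 20:
        raise ValueError("short IPv4 header")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("bad version/IHL")
    opts = packet[20:ihl]
    found = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option missing length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option length out of range")
        found.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return found


def route_hops(body: bytes) -> List[str]:
    """Decode the address list of an LSRR/SSRR body (pointer byte, then IPv4 addresses)."""
    addrs = body[1:]
    return [str(ipaddress.IPv4Address(addrs[k:k + 4]))
            for k in range(0, len(addrs) - len(addrs) % 4, 4)]


def inspect_packet(packet: bytes) -> Optional[dict]:
    """Return a finding for an ICMP packet with a source-route option, else None."""
    try:
        options = parse_ipv4_options(packet)
    except ValueError as exc:
        return {"reason": f"malformed IPv4 header: {exc}"}
    if packet[9] != PROTO_ICMP:          # protocol field; only ICMP is in scope here
        return None
    for kind, body in options:
        if kind in OPTION_NAMES:
            hops = route_hops(body)
            return {
                "reason": f"ICMP with {OPTION_NAMES[kind]} option",
                "src": str(ipaddress.IPv4Address(packet[12:16])),
                "dst": str(ipaddress.IPv4Address(packet[16:20])),
                "hops": hops,
                "zero_gateway": "0.0.0.0" in hops,   # the 0.0.0.0 waypoint from the notes
            }
    return None


def build_ipv4(src: str, dst: str, proto: int, options: bytes = b"", payload: bytes = b"") -> bytes:
    """Construct a minimal IPv4 packet for testing (header checksum left at zero)."""
    options += b"\x00" * (-len(options) % 4)          # pad option area to a 32-bit boundary
    ihl = 5 + len(options) // 4
    total = ihl * 4 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + options + payload


# Constructed samples: an echo request loosely routed via 0.0.0.0, and a plain echo request.
ECHO = bytes([8, 0, 0, 0, 0, 1, 0, 1])                       # ICMP echo request, checksum unset
LSRR_ZERO_GW = bytes([IPOPT_LSRR, 7, 4]) + b"\x00\x00\x00\x00"  # type, length, pointer, one hop
SAMPLES = [
    build_ipv4("10.0.0.5", "10.0.0.1", PROTO_ICMP, LSRR_ZERO_GW, ECHO),
    build_ipv4("10.0.0.5", "10.0.0.1", PROTO_ICMP, b"", ECHO),
]


def scan(packets) -> List[dict]:
    """Run inspect_packet over a batch and keep only the findings."""
    return [f for p in packets if (f := inspect_packet(p))]


if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(finding)
```

Run against the constructed samples, only the first packet produces a finding, with `hops == ["0.0.0.0"]` and `zero_gateway` set; the plain echo request is ignored, and a TCP packet with the same option is ignored because the notes scope the trigger to ICMP. Because the text stresses that intra-LAN traffic matters as much as perimeter traffic, a check like this belongs on a span port or host sensor rather than only on the border firewall.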
No detection rules found.
No writeups or analysis indexed.
References
- http://secunia.com/advisories/20639
- http://securitytracker.com/id?1016290
- http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/46702
- http://www.kb.cert.org/vuls/id/722753
- http://www.osvdb.org/26433
- http://www.securityfocus.com/archive/1/438482/100/0/threaded
- http://www.securityfocus.com/archive/1/438609/100/0/threaded
- http://www.securityfocus.com/bid/18374
- http://www.us-cert.gov/cas/techalerts/TA06-164A.html
- http://www.vupen.com/english/advisories/2006/2329
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-032
- https://exchange.xforce.ibmcloud.com/vulnerabilities/26834
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1483
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1585
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1712
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1776
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1787
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2018