CVE-2006-2389
Published: 2006-07-11
Priority: P352 · Severity: critical · CVSS 2.0 base score: 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 38.84% (98.4th percentile)
Unspecified vulnerability in Microsoft Office 2003 SP1 and SP2, Office XP SP3, Office 2000 SP3, and other products, allows user-assisted attackers to execute arbitrary code via an Office file with a malformed property that triggers memory corruption related to record lengths, aka "Microsoft Office Property Vulnerability," a different vulnerability than CVE-2006-1316.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | office | — | — |
| microsoft | office | — | — |
| microsoft | office | — | — |
Detection & IOCs (extracted from sources)
Byte pattern: \x78\x9C (zlib-compressed malicious Office file payload)
- The exploit embeds a zlib-compressed (magic bytes 0x78 0x9C) malicious Office file payload. Scanning for zlib-compressed streams inside Office documents that contain shellcode patterns (e.g., WinExec + ExitProcess stub) is a strong indicator of exploitation.
- The shellcode is an 'Allwin WinExec cmd.exe + ExitProcess' stub (195 bytes). Detection should look for this shellcode pattern beginning with \xFC\x33\xD2\xB2\x30\x64\xFF\x32 inside Office document streams.
- The vulnerability is triggered by a malformed property record length in an Office file. Anomalous or oversized property record lengths in OLE compound document streams (e.g., .doc, .xls, .ppt) should be flagged for CVE-2006-2389.
- The exploit targets Microsoft Office 2003 on Windows XP SP2. Process monitoring for cmd.exe spawned as a child of WINWORD.EXE, EXCEL.EXE, or POWERPNT.EXE is a strong post-exploitation indicator.
- The exploit is user-assisted; the victim must open a specially crafted Office file. This limits automated delivery but makes phishing/email-attachment vectors the primary attack surface.
- CVE-2006-2389 is a distinct vulnerability from CVE-2006-1316, though both involve malformed Office properties. Detection rules should not conflate the two.
- Affected products span a wide range: Office 2003 SP1/SP2, Office XP SP3, Office 2000 SP3, and other products. Detection/patching scope should cover all listed versions.
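The first two indicators above are simple enough to check directly. The following Python script is an added example, not code from this page, from the Exploit-DB entry, or from any vendor tool: it locates zlib streams (the 0x78 0x9C header) in a byte blob, inflates each one that really decompresses, and searches both the raw file and the inflated contents for the shellcode prefix quoted in the list. The shellcode prefix and zlib magic come from the IOC list; the OLE2 signature is the standard compound-file header; the sample document is constructed inline and is not a real exploit file. The malformed-property-length check is left out because it needs a full OLE property-set parser, which the page does not describe.

```python
# Added example (not code from the page, the Exploit-DB entry or any vendor
# tool): a small scanner for the two byte-level indicators the IOC list gives
# for CVE-2006-2389. The sample document below is constructed inline.
import zlib

ZLIB_MAGIC = b"\x78\x9c"          # zlib header for default compression (level 6)
# Leading bytes of the WinExec + ExitProcess stub quoted in the IOC list above.
SHELLCODE_PREFIX = b"\xfc\x33\xd2\xb2\x30\x64\xff\x32"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound file signature
MAX_INFLATE = 4 * 1024 * 1024     # cap on inflated bytes per stream (bomb guard)


def find_all(hay, needle):
    """Return every offset of needle in hay, overlapping matches included."""
    offsets = []
    i = hay.find(needle)
    while i != -1:
        offsets.append(i)
        i = hay.find(needle, i + 1)
    return offsets


def find_zlib_streams(data):
    """Return (offset, inflated_bytes) for each 0x78 0x9C position that really
    inflates. The two magic bytes alone are far too common to act on, so a
    candidate only counts if zlib consumes a complete stream (or hits the
    size cap, which is itself worth a look)."""
    streams = []
    for off in find_all(data, ZLIB_MAGIC):
        d = zlib.decompressobj()
        try:
            out = d.decompress(data[off:], MAX_INFLATE)
        except zlib.error:
            continue                      # not a real stream, just two bytes
        if d.eof or len(out) >= MAX_INFLATE:
            streams.append((off, out))
    return streams


def scan_bytes(data):
    """Return findings as (indicator, location, offset) tuples.

    location is "raw" for the file itself or "zlib@<offset>" for the inflated
    contents of the stream found at that offset."""
    findings = []
    for off in find_all(data, SHELLCODE_PREFIX):
        findings.append(("shellcode_prefix", "raw", off))
    for s_off, plain in find_zlib_streams(data):
        findings.append(("zlib_stream", "raw", s_off))
        for off in find_all(plain, SHELLCODE_PREFIX):
            findings.append(("shellcode_prefix", "zlib@%d" % s_off, off))
    return findings


def build_sample():
    """Constructed stand-in for a malicious document: an OLE signature, some
    padding, then a zlib stream whose plaintext carries a NOP sled followed by
    the shellcode prefix. Nothing here is a real exploit file."""
    inner = b"\x90" * 16 + SHELLCODE_PREFIX + b"\xcc" * 32
    return OLE_MAGIC + b"\x00" * 32 + zlib.compress(inner) + b"\x00" * 16


if __name__ == "__main__":
    for indicator, location, offset in scan_bytes(build_sample()):
        print("%-17s %-10s offset %d" % (indicator, location, offset))
```

On the constructed sample the scanner reports one zlib stream at offset 40 and the shellcode prefix at offset 16 of that stream's plaintext. A bare zlib header is a weak signal on its own (it occurs in benign compressed content and by chance in binary data), which is why the script only counts streams that inflate and why an alert should be raised on the combination of a stream and the shellcode pattern, ideally together with the process-ancestry indicator from the list.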
GHSA
GHSA-q6ch-7835-jp5v (CVE-2006-1316) [CRITICAL] CWE-94 · ghsa_unreviewed · 2022-05-01 · CVSS 9.3
Unspecified vulnerability in Microsoft Office 2003 SP1 and SP2, Office XP SP3, Office 2000 SP3, and other products, allows user-assisted attackers to execute arbitrary code via an Office file with malformed string that triggers memory corruption related to record lengths, aka "Microsoft Office Parsing Vulnerability," a different vulnerability than CVE-2006-2389.
GHSA
GHSA-mc3v-59x4-8r59 (CVE-2006-2389) [CRITICAL] CWE-94 · ghsa_unreviewed · 2022-05-01 · CVSS 9.3
Unspecified vulnerability in Microsoft Office 2003 SP1 and SP2, Office XP SP3, Office 2000 SP3, and other products, allows user-assisted attackers to execute arbitrary code via an Office file with a malformed property that triggers memory corruption related to record lengths, aka "Microsoft Office Property Vulnerability," a different vulnerability than CVE-2006-1316.
No detection rules found.
Exploit-DB
NetBSD 3.1 - 'FTPd / Tnftpd' Port Remote Buffer Overflow (CVE-2006-6652) · exploitdb · 2006-12-01
---
source: https://www.securityfocus.com/bid/21377/info
NetBSD ftpd and tnftpd are prone to a remote buffer-overflow vulnerability. This issue is due to an off-by-one error; it allows attackers to corrupt memory.
Remote attackers may execute arbitrary machine code in the context of the user running the affected application. Failed attempts will likely result in denial-of-service conditions.
#!perl
# $$$ NetBSD ftpd and ports *Remote ROOOOOT $HOLE$* $$$
#
# About
#
# tnftpd is a port of the NetBSD FTP server to other systems.
# It offers many enhancements over the traditional BSD ftpd,
# including per-class configuration directives via ftpd.conf(5),
# RFC 2389 and draft-ietf-ftpext-mlst-11 support, IPv6,
# transfer rate throttli
Exploit-DB
NetBSD - 'FTPd / Tnftpd' Remote Stack Overflow (PoC) (CVE-2006-6652) · exploitdb · 2006-11-30
---
#!perl
# $$$ NetBSD ftpd and ports *Remote ROOOOOT $HOLE$* $$$
#
# About
#
# tnftpd is a port of the NetBSD FTP server to other systems.
# It offers many enhancements over the traditional BSD ftpd,
# including per-class configuration directives via ftpd.conf(5),
# RFC 2389 and draft-ietf-ftpext-mlst-11 support, IPv6,
# transfer rate throttling, and more.
# tnftpd was formerly known as lukemftpd,
# and earlier versions are present in Mac OS X 10.2 (as ftpd)
# and FreeBSD 5.0 (as lukemftpd).
#
# Description
#
# The NetBSD ftpd and the tnftpd port suffer from a remote stack overrun,
# which can lead to a root compromise.
#
# The bug is in glob.c file. The globbing mechanism is flawed as back in
# 2001.
#
# To trigger the overflow you
Exploit-DB
Microsoft Office 2000/2002 - Property Code Execution (CVE-2006-2389) [CRITICAL] · exploitdb · 2006-07-11 · CVSS 9.3
---
source: https://www.securityfocus.com/bid/18911/info
Microsoft Office is prone to a code-execution vulnerability. This is due to a failure to handle exceptional conditions.
Successfully exploiting this issue allows attackers to corrupt process memory and to execute arbitrary code in the context of targeted users.
#Microsoft Office Property Code Execution exploit (CVE-2006-2389)
#Author Abhishek Lyall - abhilyall[at]gmail[dot]com, info[at]aslitsecurity[dot]com
#Web - http://www.aslitsecurity.com/
#Blog - http://www.aslitsecurity.blogspot.com/
#Vulnerable application MS Office 2003
#Tested on XP SP2 - MS Office 2003
#Greets Mila http://contagiodump.blogspot.com, Villy and ASL IT SECURITY TEAM
#!/usr/bin/python
import sys
import zl
No writeups or analysis indexed.
References
- http://secunia.com/advisories/21012
- http://securitytracker.com/id?1016469
- http://www.kb.cert.org/vuls/id/409316
- http://www.osvdb.org/27149
- http://www.securityfocus.com/bid/18911
- http://www.us-cert.gov/cas/techalerts/TA06-192A.html
- http://www.vupen.com/english/advisories/2006/2756
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-038
- https://exchange.xforce.ibmcloud.com/vulnerabilities/27609
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A279