CVE-2006-3086
Published 2006-06-19
Priority: P351 | Severity: critical | Score: 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 56.46% (98.9th percentile)
Stack-based buffer overflow in the HrShellOpenWithMonikerDisplayName function in Microsoft Hyperlink Object Library (hlink.dll) allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long hyperlink, as demonstrated using an Excel worksheet with a long link in Unicode, aka "Hyperlink COM Object Buffer Overflow Vulnerability." NOTE: this is a different issue than CVE-2006-3059.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | excel | — | — |
| microsoft | excel | — | — |
| microsoft | excel | — | — |
| microsoft | excel | — | — |
| microsoft | excel_viewer | — | — |
Detection & IOCs
- Trigger is a long Unicode hyperlink embedded in an Excel worksheet; look for XLS files containing abnormally long hyperlink URLs (e.g., repeated backslash-delimited segments, ~500 iterations) targeting hlink.dll's HrShellOpenWithMonikerDisplayName function.
- Monitor for crashes or faults originating from hlink.dll, specifically in the HrShellOpenWithMonikerDisplayName function, when processing hyperlinks from Office documents.
- The PoC writes a URL of 500 repetitions of 'AAAAAAAAAAAAAAAAAAAAAA\' into cell (0,0) of an XLS file; inspect hyperlink record lengths in BIFF-format XLS files for oversized Unicode URL fields.
- This is a PoC (Proof of Concept) demonstrating a crash/DoS; arbitrary code execution has not been confirmed in the PoC but is noted as possible in the CVE description.
- CVE-2006-3086 is explicitly noted as a distinct issue from CVE-2006-3059, though both involve hyperlink handling in Excel.
CVSS provenance
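| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | — | 9.3 | CRITICAL | — |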
GHSA
GHSA-m272-v93v-8ggr · CVE-2006-3431 [CRITICAL]
ghsa_unreviewed · 2022-05-01 · CVSS 9.3
Buffer overflow in certain Asian language versions of Microsoft Excel might allow user-assisted attackers to execute arbitrary code via a crafted STYLE record in a spreadsheet that triggers the overflow when the user attempts to repair the document or selects the "Style" option, as demonstrated by nanika.xls. NOTE: Microsoft has confirmed to CVE via e-mail that this is different than the other Excel vulnerabilities announced before 20060707, including CVE-2006-3059 and CVE-2006-3086.
GHSA
GHSA-43vm-vj9c-qch2 · CVE-2006-3086 [CRITICAL] · CWE-119
ghsa_unreviewed · 2022-05-01 · CVSS 9.3
Stack-based buffer overflow in the HrShellOpenWithMonikerDisplayName function in Microsoft Hyperlink Object Library (hlink.dll) allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long hyperlink, as demonstrated using an Excel worksheet with a long link in Unicode, aka "Hyperlink COM Object Buffer Overflow Vulnerability." NOTE: this is a different issue than CVE-2006-3059.
GHSA
GHSA-qfq4-v5cr-vvr4 · CVE-2006-3059 [CRITICAL]
ghsa_unreviewed · 2022-05-01 · CVSS 9.3
Unspecified vulnerability in Microsoft Excel 2000 through 2004 allows remote user-assisted attackers to execute arbitrary code via unspecified vectors. NOTE: this is a different vulnerability than CVE-2006-3086.
VulnCheck
CVE-2006-3059 [CRITICAL] Microsoft Excel Malformed file Vulnerability
vulncheck · 2006 · CVSS 9.3
Unspecified vulnerability in Microsoft Excel 2000 through 2004 allows remote user-assisted attackers to execute arbitrary code via unspecified vectors. NOTE: this is a different vulnerability than CVE-2006-3086.
Affected: Microsoft Excel
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://learn.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-037
No detection rules found.
No writeups or analysis indexed.
References
- http://blogs.technet.com/msrc/archive/2006/06/20/437826.aspx
- http://marc.info/?l=full-disclosure&m=115067840426070&w=2
- http://secunia.com/advisories/20748
- http://securitytracker.com/id?1016339
- http://www.kb.cert.org/vuls/id/394444
- http://www.osvdb.org/26666
- http://www.securityfocus.com/archive/1/438057/100/0/threaded
- http://www.securityfocus.com/archive/1/438093/100/0/threaded
- http://www.securityfocus.com/archive/1/438096/100/0/threaded
- http://www.securityfocus.com/archive/1/438156/100/0/threaded
- http://www.securityfocus.com/archive/1/438373/100/0/threaded
- http://www.securityfocus.com/archive/1/442724/100/0/threaded
- http://www.securityfocus.com/bid/18500
- http://www.tippingpoint.com/security/advisories/TSRT-06-10.html
- http://www.vupen.com/english/advisories/2006/2431
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-050
- https://exchange.xforce.ibmcloud.com/vulnerabilities/27224
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A999