CVE-2006-3440
Published 2006-08-09
Priority P2 · 64 · critical · CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT · EPSS 59.92% (99.0th percentile)
Buffer overflow in the Winsock API in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allows remote attackers to execute arbitrary code via unknown vectors, aka "Winsock Hostname Vulnerability."
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
Detection & IOCs (extracted from sources)
- bytes: `\x85\x80` (DNS Flags field in malicious response)
- bytes: `\x08\x50\x52\x4f\x54\x4f\x43\x4f\x4c` (TXT RDATA: PROTOCOL) with zero-length follow-on RDATA fields
- Monitor for services.exe crashing following DNS hostname resolution activity — this is the primary crash indicator for CVE-2006-3440 exploitation.
- Detect malicious DNS responses containing a TXT record with zero-length RDATA fields immediately following a non-zero-length RDATA string — this is the malformed structure that triggers the Winsock buffer overflow.
- Detect DNS responses with both an A record and a TXT record in the ANSWER section (Answer RR count = 0x0002) combined with an Authority RR, sent over UDP port 53 — characteristic of the PoC exploit packet structure.
- Flag DNS responses where the DNS flags field is 0x8580 (Response, Authoritative, Recursion Desired, Recursion Available) — this non-standard flag combination is used by the exploit's rogue DNS server.
- Note: the exploit may require multiple attempts before triggering the crash in services.exe — a single malformed DNS response may not be sufficient.
- Note: this PoC only demonstrates a Denial of Service (crash of services.exe); the NVD advisory notes the actual vulnerability allows remote code execution via unknown vectors beyond what the PoC demonstrates.
No detection rules found.
No writeups or analysis indexed.
References
- http://secunia.com/advisories/21394
- http://securitytracker.com/id?1016653
- http://www.kb.cert.org/vuls/id/908276
- http://www.securityfocus.com/bid/19319
- http://www.us-cert.gov/cas/techalerts/TA06-220A.html
- http://www.vupen.com/english/advisories/2006/3211
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-041
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A747