CVE-2006-3441
Published 2006-08-09
Priority: P2 · 66 · critical · CVSS 2.0 base score: 10
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 62.67% (99.1st percentile)
Buffer overflow in the DNS Client service in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allows remote attackers to execute arbitrary code via a crafted record response. NOTE: while MS06-041 implies that there is a single issue, there are multiple vectors, and likely multiple vulnerabilities, related to (1) a heap-based buffer overflow in a DNS server response to the client, (2) a DNS server response with malformed ATMA records, and (3) a length miscalculation in TXT, HINFO, X25, and ISDN records.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
Detection & IOCs (extracted from sources)
- bytes: \x85\x80 (DNS response flags: QR=1, AA=1, RD=1, RA=0 — crafted authoritative response)
- bytes: TXT RDATA with zero-length strings and mismatched length field: \x00\x18 length followed by \x08PROTOCOL\x00\x00\x08PROTOCOL\x00\x00\x01\x41
- A rogue DNS server (attacker-controlled) sends crafted UDP responses on port 53 containing malformed TXT records with zero-length RDATA strings and a mismatched declared length, triggering a heap-based buffer overflow in the Windows DNS Client service (services.exe). Monitor for DNS responses with anomalous TXT record structures.
- DNS responses containing both A and TXT answer records for the same name (pointer \xc0\x0c), with the TXT record containing multiple zero-length RDATA sub-strings, are characteristic of this exploit's crafted response pattern.
- Multiple vulnerability vectors exist: (1) heap-based buffer overflow in DNS server response to client, (2) malformed ATMA records in DNS response, (3) length miscalculation in TXT, HINFO, X25, and ISDN records. Detection rules should cover all record types.
- The exploit is a Denial of Service (crash) PoC only; it does not demonstrate arbitrary code execution. The NVD entry notes the vulnerability allows RCE, but this PoC only triggers a crash of services.exe.
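A defender-side check for the TXT framing described in the notes above, written here as an added example (it is not code from any of the listed sources): it walks the answer section of a DNS response, verifies that each TXT character-string fits inside the declared RDLENGTH, and counts zero-length sub-strings. The message bytes are constructed in the block to mirror the A + TXT pattern with the \xc0\x0c pointer quoted above; the name example.com and the 0x1234 transaction ID are arbitrary.

```python
import struct

# Constructed sample message: flags 0x8580, one question, two answers (A then TXT,
# each using the pointer \xc0\x0c), mirroring the record pattern quoted above.
HEADER = struct.pack("!HHHHHH", 0x1234, 0x8580, 1, 2, 0, 0)
QUESTION = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
A_RR = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
TXT_RDATA = b"\x08PROTOCOL\x00\x00\x08PROTOCOL\x00\x00\x01A"  # 24 bytes = 0x18
TXT_RR = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 60, len(TXT_RDATA)) + TXT_RDATA
SAMPLE = HEADER + QUESTION + A_RR + TXT_RR


def skip_name(msg, off):
    """Return the offset just past a DNS name; a compression pointer ends it."""
    while msg[off] & 0xC0 != 0xC0:
        if msg[off] == 0:
            return off + 1
        off += 1 + msg[off]
    return off + 2


def txt_strings(rdata):
    """Split TXT RDATA into <length><bytes> strings; raise if a length overruns RDLENGTH."""
    out, off = [], 0
    while off < len(rdata):
        n = rdata[off]
        if off + 1 + n > len(rdata):
            raise ValueError("character-string of %d bytes overruns RDLENGTH" % n)
        out.append(rdata[off + 1:off + 1 + n])
        off += 1 + n
    return out


def check_response(msg):
    """Return findings for suspicious TXT answers in a DNS response message."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off, findings = 12, []
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype != 16:  # only TXT records are checked here
            continue
        try:
            empties = sum(1 for s in txt_strings(rdata) if not s)
        except ValueError as err:
            findings.append("TXT framing error: %s" % err)
        else:
            if empties:
                findings.append("TXT with %d zero-length character-string(s)" % empties)
    return findings
```

Running `check_response(SAMPLE)` flags the four zero-length sub-strings; a variant whose last length byte points past the declared RDLENGTH is reported as a framing error instead.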
No detection rules found.
No writeups or analysis indexed.
References:
- http://secunia.com/advisories/21394
- http://securitytracker.com/id?1016653
- http://www.kb.cert.org/vuls/id/794580
- http://www.osvdb.org/27844
- http://www.securityfocus.com/bid/19404
- http://www.us-cert.gov/cas/techalerts/TA06-220A.html
- http://www.vupen.com/english/advisories/2006/3211
- http://xforce.iss.net/xforce/alerts/id/233
- http://xforce.iss.net/xforce/alerts/id/234
- http://xforce.iss.net/xforce/alerts/id/235
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-041
- https://exchange.xforce.ibmcloud.com/vulnerabilities/24586
- https://exchange.xforce.ibmcloud.com/vulnerabilities/28013
- https://exchange.xforce.ibmcloud.com/vulnerabilities/28240
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A723