CVE-2006-3942
published 2006-07-31


Priority: P3 49 high
CVSS 2.0: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploit: public exploit available
EPSS: 75.74% (99.5th percentile)
The server driver (srv.sys) in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to cause a denial of service (system crash) via an SMB_COM_TRANSACTION SMB message that contains a string without null character termination, which leads to a NULL dereference in the ExecuteTransaction function, possibly related to an "SMB PIPE," aka the "Mailslot DOS" vulnerability. NOTE: the name "Mailslot DOS" was derived from incomplete initial research; the vulnerability is not associated with a mailslot.

Affected (4 ranges)

Vendor      Product               Version range   Fixed in
microsoft   windows_2003_server   -               -
microsoft   windows_2003_server   -               -
microsoft   windows_2003_server   -               -
microsoft   windows_2003_server   -               -

Detection & IOCs (extracted from sources)

port: 445
command: SMB_COM_TRANSACTION
filename: srv.sys
bytes (NetBIOS session header + SMB_COM_NEGOTIATE request):
\x00\x00\x00\x2f\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x88\x05\x00\x00\x00\x00\x00\x0c\x00\x02\x4e\x54\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00
bytes (NetBIOS session header + SMB_COM_TRANSACTION request, unterminated name):
\x00\x00\x00\x56\xff\x53\x4d\x42\x25\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x88\x05\x00\x08\x00\x00\x11\x00\x00\x01\x00\x00\x04\xe0\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x55\x00\x01\x00\x55\x00\x03\x00\x01\x00\x00\x00\x00\x00\x11\x00\x5c\x4d\x41\x49\x4c\x53\x4c\x4f\x54\x5c\x4c\x41\x4e\x4d\x41\x4e\x41
  • Detect SMB_COM_TRANSACTION (SMB command 0x25) requests targeting \MAILSLOT\ paths whose transaction name string lacks null termination; this is the input that triggers the NULL dereference in ExecuteTransaction in srv.sys.
  • Alert on SMB mailslot write responses in which the two-byte field in the response packet is consistently set to 0xFFFF, which is indicative of the MS06-035 kernel pool corruption variant.
  • Inspect the srv.sys kernel driver for unexpected NULL dereferences originating from the ExecuteTransaction function, the crash point for this vulnerability.
  • The name 'Mailslot DOS' is a misnomer from incomplete initial research; the flaw is not associated with a mailslot in the traditional sense, so detection rules should not be scoped exclusively to mailslot traffic.
  • Two separate but related bugs exist under MS06-035: a kernel pool corruption via mailslot write (slow, two-byte overwrite) and a NULL pointer dereference via an SMB PIPE transaction with no null termination (ms06_063_trans). Detection logic should cover both variants.
  • The NULL pointer dereference variant (ms06_063_trans) was independently discovered by CORE Security and ISS, so public exploit code from multiple sources may differ in structure.
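As an added, defender-side example (not code from this page or from any of its cited sources), the Python below implements the first detection bullet: it parses the two NetBIOS/SMB messages listed under Detection & IOCs, recognises SMB_COM_TRANSACTION (0x25) requests, and reports when the transaction name at the start of the data area runs through the whole ByteCount without a NUL terminator. The byte strings are the page's own; the field offsets follow the standard SMB1 header and TRANSACTION request layout; the `add_terminator` control case, which appends the NUL a conforming client would send, is constructed here for comparison.

```python
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION = 0x25
FLAGS2_UNICODE = 0x8000  # SMB_FLAGS2_UNICODE: string fields are UTF-16LE

# The two byte strings listed under "Detection & IOCs" on this page. Each is a
# 4-byte NetBIOS session header followed by an SMB1 message.
NEGOTIATE = (  # SMB_COM_NEGOTIATE (0x72) offering the "NT LM 0.12" dialect
    b"\x00\x00\x00\x2f\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x88\x05\x00\x00\x00\x00\x00"
    b"\x0c\x00\x02\x4e\x54\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00"
)
TRANS_NO_NUL = (  # SMB_COM_TRANSACTION (0x25) whose name fills ByteCount with no NUL
    b"\x00\x00\x00\x56\xff\x53\x4d\x42\x25\x00\x00\x00\x00\x00\x01\x00\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x88\x05\x00\x08\x00\x00"
    b"\x11\x00\x00\x01\x00\x00\x04\xe0\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    b"\x00\x00\x00\x55\x00\x01\x00\x55\x00\x03\x00\x01\x00\x00\x00\x00\x00\x11"
    b"\x00\x5c\x4d\x41\x49\x4c\x53\x4c\x4f\x54\x5c\x4c\x41\x4e\x4d\x41\x4e\x41"
)


def parse_smb_header(msg):
    """Validate the NetBIOS framing and return (smb_message, command, flags2)."""
    if len(msg) < 4 + 32:
        raise ValueError("shorter than NetBIOS header + 32-byte SMB header")
    if msg[0] != 0 or int.from_bytes(msg[1:4], "big") != len(msg) - 4:
        raise ValueError("NetBIOS session length does not match payload")
    smb = msg[4:]
    if smb[:4] != SMB_MAGIC:
        raise ValueError("missing 0xFF 'SMB' magic")
    # Header layout: magic[4] command[1] status[4] flags[1] flags2[2] ...
    command = smb[4]
    flags2 = struct.unpack_from("<H", smb, 10)[0]
    return smb, command, flags2


def transaction_name(smb, flags2):
    """Return (name, terminated) for the name field of a TRANSACTION request.

    After the header come WordCount (1 byte), WordCount*2 parameter bytes and
    ByteCount (2 bytes); the data area opens with the transaction name, which
    must end in 0x00 (or 0x0000 for Unicode) inside the ByteCount bytes.
    """
    word_count = smb[32]
    bc_off = 33 + 2 * word_count
    if len(smb) < bc_off + 2:
        raise ValueError("truncated parameter block")
    byte_count = struct.unpack_from("<H", smb, bc_off)[0]
    data = smb[bc_off + 2:bc_off + 2 + byte_count]
    if len(data) < byte_count:
        raise ValueError("ByteCount runs past the end of the message")
    if flags2 & FLAGS2_UNICODE:
        # UTF-16LE names start on an even offset from the header, so skip one pad byte
        pad = (bc_off + 2) % 2
        units = data[pad:]
        for i in range(0, len(units) - 1, 2):
            if units[i:i + 2] == b"\x00\x00":
                return units[:i], True
        return units, False
    end = data.find(b"\x00")
    return (data, False) if end < 0 else (data[:end], True)


def check_transaction(msg):
    """Detection verdict for one NetBIOS/SMB message, as a dict."""
    try:
        smb, command, flags2 = parse_smb_header(msg)
    except ValueError as exc:
        return {"flagged": False, "reason": f"not parsed as SMB1: {exc}"}
    if command != SMB_COM_TRANSACTION:
        return {"flagged": False, "reason": f"command 0x{command:02x} is not SMB_COM_TRANSACTION"}
    try:
        name, terminated = transaction_name(smb, flags2)
    except ValueError as exc:
        return {"flagged": True, "reason": f"malformed SMB_COM_TRANSACTION: {exc}"}
    if not terminated:
        return {"flagged": True, "name": name, "reason": "transaction name has no NUL terminator"}
    return {"flagged": False, "name": name, "reason": "transaction name is NUL terminated"}


def add_terminator(msg):
    """Constructed control case: the same request with a NUL appended to the name,
    ByteCount and the NetBIOS length adjusted, as a conforming client would send it."""
    smb = bytearray(msg[4:])
    bc_off = 33 + 2 * smb[32]
    byte_count = struct.unpack_from("<H", smb, bc_off)[0]
    struct.pack_into("<H", smb, bc_off, byte_count + 1)
    smb += b"\x00"
    return b"\x00" + len(smb).to_bytes(3, "big") + bytes(smb)


if __name__ == "__main__":
    for label, msg in [("negotiate", NEGOTIATE), ("trans", TRANS_NO_NUL),
                       ("trans+NUL", add_terminator(TRANS_NO_NUL))]:
        print(label, check_transaction(msg))
```

Run stand-alone, the script reports the negotiate request as not a transaction, the page's transaction request as flagged with name `\MAILSLOT\LANMANA`, and the NUL-terminated control case as clean. The check keys on the command byte and the missing terminator rather than on the mailslot path, in line with the note above that the name "Mailslot DOS" is a misnomer; a rule that only matched `\MAILSLOT\` would miss the same malformed request sent with another name.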