CVE-2006-4688
published 2006-11-14


Priority: P2, 64, high
CVSS 2.0 base score: 7.5 (vector AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public exploit available
EPSS: 76.88% (99.5th percentile)
Buffer overflow in Client Service for NetWare (CSNW) in Microsoft Windows 2000 SP4, XP SP2, and Server 2003 up to SP1 allows remote attackers to execute arbitrary code via crafted messages, aka "Client Service for NetWare Memory Corruption Vulnerability."

Affected (1 range)

Vendor: microsoft
Product: windows_2003_server
Version range: (not specified)
Fixed in: (not specified)

Detection & IOCs (extracted from sources)

  other:    e67ab081-9844-3521-9d32-834f038001c0 v1.0 (DCERPC interface UUID)
  command:  dcerpc.call(0x09, stubdata)
  command:  dcerpc.call(0x01, stubdata)
  path:     \srvsvc
  path:     \nwwks
  filename: nwapi32.dll
  filename: nwwks.dll
  bytes:    \x04\x00\x00\x00\x00\x00\x00\x00\x1a\x00\x00\x00
  • Detect exploit attempts by monitoring for DCERPC bind requests to interface UUID e67ab081-9844-3521-9d32-834f038001c0 v1.0 over named pipes (ncacn_np), particularly on pipes \srvsvc and \nwwks.
  • Alert on DCERPC opnum 0x09 calls to the above UUID over \srvsvc (nwapi32.dll exploit vector) with oversized UnicodeConformantVaryingString arguments beginning with '\\\\' (double backslash in Unicode).
  • Alert on DCERPC opnum 0x01 calls to the above UUID over \nwwks (nwwks.dll exploit vector) with oversized UnicodeConformantVaryingString arguments.
  • Monitor svchost.exe for unexpected child processes or shellcode execution when the NetWare Client Service (CSNW) is running, as the overflow occurs within svchost hosting nwapi32.dll/nwwks.dll.
  • Egghunter shellcode delivery pattern: look for large SMB named-pipe write payloads containing repeated random padding blocks (~1024 bytes) surrounding a tagged egg value, followed by a NOP sled and hunter stub.
  • The nwapi32.dll exploit uses a return address of 0x00EBEEEC for Windows XP SP2; the nwwks.dll exploit uses 0x616566fb (modemui.dll gadget). Presence of these values in network traffic or memory is a strong indicator of exploitation.
  • The nwwks.dll exploit uses return address 0x616566fb described as a 'popaw, ret' gadget in modemui.dll for Windows XP SP2.
  • The Metasploit modules only include a target for Windows XP SP2; Windows 2000 SP4 and Server 2003 up to SP1 are also vulnerable per the CVE but lack pre-built return addresses in these exploits.
  • The nwapi32.dll exploit payload space is only 296 bytes with a stack adjustment of -3500, requiring an egghunter stage; the nwwks.dll variant has 1000 bytes of payload space and delivers shellcode directly.
  • Both exploits require the target to have the NetWare Client Service (CSNW) actively running; systems without CSNW installed are not vulnerable to remote exploitation via this path.