CVE-2006-6723
published 2006-12-26CVE-2006-6723: The Workstation service in Microsoft Windows 2000 SP4 and XP SP2 allows remote attackers to cause a denial of service (memory consumption) via a large maxlen…
PriorityP339high7.8CVSS 2.0
AVNACLAuNCNINAC
EXPLOIT
EPSS
37.98%
98.4th percentile
The Workstation service in Microsoft Windows 2000 SP4 and XP SP2 allows remote attackers to cause a denial of service (memory consumption) via a large maxlen value in an NetrWkstaUserEnum RPC request.
Detection & IOCsextracted from sources · hover to see the quote
- →Detect oversized NetrWkstaUserEnum RPC requests over SMB named pipe \pipe\browser — a large `max_len` field (e.g. hundreds of MB) in the RPC request body is the exploit trigger. ↗
- →Monitor for NULL Session SMB connections (unauthenticated) to port 445 that subsequently bind to RPC UUID 6bffd098-a112-3610-9833-46c3f87e345a (Workstation service) via the browser named pipe. ↗
- →Alert on rapid, abnormal memory growth in svchost.exe following inbound SMB/RPC activity on port 445, which is the observable symptom of successful exploitation. ↗
- →Look for RPC opnum 2 calls on the Workstation service interface (UUID 6bffd098-a112-3610-9833-46c3f87e345a) with a `max_len` value far exceeding normal enumeration sizes. ↗
- ·The exploit targets only Windows 2000 SP4 and Windows XP SP2; later OS versions are not affected, so detection rules should be scoped to these legacy platforms. ↗
- ·The attack is a pure DoS (memory exhaustion) with no code execution; detection focus should be on availability impact rather than compromise indicators. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No writeups or analysis indexed.
http://secunia.com/advisories/23487http://securitytracker.com/id?1017441http://www.eeye.com/Resources/Security-Center/Research/Zero-Day-Tracker/2005/20051116http://www.vupen.com/english/advisories/2006/5142https://www.exploit-db.com/exploits/3013http://secunia.com/advisories/23487http://securitytracker.com/id?1017441http://www.eeye.com/Resources/Security-Center/Research/Zero-Day-Tracker/2005/20051116http://www.vupen.com/english/advisories/2006/5142https://www.exploit-db.com/exploits/3013
2006-12-26
Published