Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2006-2018 Tenable Network Security, Inc.SMB_NT_MS06-055.NASL
HistorySep 26, 2006 - 12:00 a.m.

MS06-055: Vulnerability in Vector Markup Language Could Allow Remote Code Execution (925486)

2006-09-2600:00:00
This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
www.tenable.com
33

9.3 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.18 Low

EPSS

Percentile

96.2%

JSON

The remote host is running a version of Internet Explorer or Outlook Express that is vulnerable to a bug in the Vector Markup Language (VML) handling routine that could allow an attacker execute arbitrary code on the remote host by sending a specially crafted email or by luring a user on the remote host into visiting a rogue website.

#
# Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(22449);
 script_version("1.42");
 script_cvs_date("Date: 2018/11/15 20:50:30");

 script_cve_id("CVE-2006-4868");
 script_bugtraq_id(20096);
 script_xref(name:"CERT", value:"416092");
 script_xref(name:"MSFT", value:"MS06-055");
 script_xref(name:"MSKB", value:"925486");

 script_name(english:"MS06-055: Vulnerability in Vector Markup Language Could Allow Remote Code Execution (925486)");
 script_summary(english:"Determines the presence of update 925486");

 script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host through the email client or
the web browser.");
 script_set_attribute(attribute:"description", value:
"The remote host is running a version of Internet Explorer or Outlook Express
that is vulnerable to a bug in the Vector Markup Language (VML) handling routine
that could allow an attacker execute arbitrary code on the remote host by sending
a specially crafted email or by luring a user on the remote host into visiting
a rogue website.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2006/ms06-055");
 script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows 2000, XP and
2003.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"exploit_framework_core", value:"true");
 script_set_attribute(attribute:"exploited_by_malware", value:"true");
 script_set_attribute(attribute:"metasploit_name", value:'MS06-055 Microsoft Internet Explorer VML Fill Method Code Execution');
 script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
 script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
 script_set_attribute(attribute:"canvas_package", value:'CANVAS');

 script_set_attribute(attribute:"vuln_publication_date", value:"2006/09/18");
 script_set_attribute(attribute:"patch_publication_date", value:"2006/09/26");
 script_set_attribute(attribute:"plugin_publication_date", value:"2006/09/26");

 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");

 script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");
 script_require_ports(139, 445, 'Host/patch_management_checks');
 exit(0);
}

include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS06-055';
kb = '925486';

kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(win2k:'4,5', xp:'1,2', win2003:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

dir = hotfix_get_commonfilesdir();
if (!dir) exit(1, "Failed to get the common files directory.");

share = hotfix_path2share(path:dir);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if ( hotfix_is_vulnerable(os:"5.2", sp:0, file:"Vgx.dll", version:"6.0.3790.593", dir:"\Microsoft Shared\VGX", path:dir, bulletin:bulletin, kb:kb) ||
     hotfix_is_vulnerable(os:"5.2", sp:1, file:"Vgx.dll", version:"6.0.3790.2794", dir:"\Microsoft Shared\VGX", path:dir, bulletin:bulletin, kb:kb) ||
     hotfix_is_vulnerable(os:"5.1", sp:1, file:"Vgx.dll", version:"6.0.2800.1580", dir:"\Microsoft Shared\VGX", path:dir, bulletin:bulletin, kb:kb) ||
     hotfix_is_vulnerable(os:"5.1", sp:2, file:"Vgx.dll", version:"6.0.2900.2997", dir:"\Microsoft Shared\VGX", path:dir, bulletin:bulletin, kb:kb) ||
     hotfix_is_vulnerable(os:"5.0", file:"Vgx.dll", version:"6.0.2800.1580", min_version:"6.0.0.0", dir:"\Microsoft Shared\VGX", path:dir, bulletin:bulletin, kb:kb) ||
     hotfix_is_vulnerable(os:"5.0", file:"Vgx.dll", version:"5.0.3845.1800", dir:"\Microsoft Shared\VGX", path:dir, bulletin:bulletin, kb:kb) )
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();

  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}
VendorProductVersionCPE
microsoftwindowscpe:/o:microsoft:windows

Related

packetstorm 1
saint 4
nvd 2
cvelist 1
checkpoint_advisories 2
securityvulns 1
cve 2
canvas 1
cert 1
symantec 1
packetstorm
packetstorm
Internet Explorer VML Fill Method Code Execution
2009-11-26 00:00:00
saint
saint
Internet Explorer VML rect fill buffer overflow
2006-09-20 00:00:00
Internet Explorer VML rect fill buffer overflow
2006-09-20 00:00:00
Internet Explorer VML rect fill buffer overflow
2006-09-20 00:00:00
nvd
nvd
CVE-2006-4868
2006-09-19 19:07:00
CVE-2006-3866
2006-09-19 21:07:00
cvelist
cvelist
CVE-2006-4868
2006-09-19 19:00:00
checkpoint_advisories
checkpoint_advisories
Internet Explorer VML Rect Fill Method Buffer Overflow (MS06-055; CVE-2006-4868)
2006-10-18 00:00:00
Internet Explorer Heap Spray Shell Code Execution (MS06-055 MS06-067; CVE-2006-4446; CVE-2006-4777; CVE-2006-4868; CVE-2009-2991)
2006-10-18 00:00:00
securityvulns
securityvulns
Microsoft Security Bulletin MS06-055 Vulnerability in Vector Markup Language Could Allow Remote Code Execution &#40;925486&#41;
2006-09-27 00:00:00
cve
cve
CVE-2006-4868
2006-09-19 19:07:00
CVE-2006-3866
2022-10-03 16:21:17
canvas
canvas
Immunity Canvas: MS06_055
2006-09-19 19:07:00
cert
cert
Microsoft Internet Explorer VML stack buffer overflow
2006-09-19 00:00:00
symantec
symantec
Microsoft Internet Explorer Vector Markup Language Buffer Overflow Vulnerability
2006-09-19 00:00:00

9.3 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.18 Low

EPSS

Percentile

96.2%

JSON
Related for SMB_NT_MS06-055.NASL
packetstorm1saint4nvd2cvelist1checkpoint_advisories2securityvulns1cve2canvas1cert1symantec1