CVE-2006-4868

Stack-based buffer overflow in the Vector Graphics Rendering engine (vgx.dll), as used in Microsoft Outlook and Internet Explorer 6.0 on Windows XP SP2, and possibly other versions, allows remote attackers to execute arbitrary code via a Vector Markup Language (VML) file with a long fill parameter within a rect tag.

CVSS v2.0 9.3 HIGH

9.3^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:M/Au:N/C:C/I:C/A:C

Exploitability : 8.6 / Impact : 10.0

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://sunbeltblog.blogspot.com/2006/09/seen-in-wild-zero-day-exploit-being.html
http://www.kb.cert.org/vuls/id/416092	US Government Resource
http://www.securityfocus.com/bid/20096	Exploit Patch
http://secunia.com/advisories/21989	Patch Vendor Advisory
http://www.microsoft.com/technet/security/advisory/925568.mspx	Patch Vendor Advisory
http://securitytracker.com/id?1016879
http://blogs.securiteam.com/index.php/archives/624
http://www.osvdb.org/28946
http://www.us-cert.gov/cas/techalerts/TA06-262A.html	Patch US Government Resource
http://support.microsoft.com/kb/925486
http://www.vupen.com/english/advisories/2006/3679	Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/29004
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A100
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-055
http://www.securityfocus.com/archive/1/448552/100/0/threaded
http://www.securityfocus.com/archive/1/447070/100/0/threaded
http://www.securityfocus.com/archive/1/446881/100/200/threaded
http://www.securityfocus.com/archive/1/446528/100/0/threaded
http://www.securityfocus.com/archive/1/446523/100/0/threaded
http://www.securityfocus.com/archive/1/446505/100/0/threaded
http://www.securityfocus.com/archive/1/446378/100/0/threaded

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:o:microsoft:windows_2003_server::sp1::::::*
	cpe:2.3:o:microsoft:windows_xp::::::::
	cpe:2.3:o:microsoft:windows_xp::sp1::::::*
	cpe:2.3:o:microsoft:windows_xp::sp2::::::*
	cpe:2.3:o:microsoft:windows_2003_server:::x64:::::*
	cpe:2.3:o:microsoft:windows_2003_server::gold::::::*
	cpe:2.3:o:microsoft:windows_2000::sp4::::::*
	cpe:2.3:o:microsoft:windows_2003_server::::::::
	cpe:2.3:o:microsoft:windows_2003_server:::itanium:::::*

OR	cpe:2.3:a:microsoft:outlook:2003:::::::*
	cpe:2.3:a:microsoft:internet_explorer:6.0:::::::*

Configuration 2 (hide)

AND

cpe:2.3:o:microsoft:windows_2000:*:sp4:*:*:*:*:*:*

cpe:2.3:a:microsoft:internet_explorer:5.0.1:sp4:*:*:*:*:*:*

Information

Published : 2006-09-19 12:07

Updated : 2021-07-23 05:55

NVD link : CVE-2006-4868

Mitre link : CVE-2006-4868

JSON object : View

CWE

CWE-119

Improper Restriction of Operations within the Bounds of a Memory Buffer

Products Affected

microsoft

windows_2003_server
windows_xp
internet_explorer
windows_2000
outlook

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://sunbeltblog.blogspot.com/2006/09/seen-in-wild-zero-day-exploit-being.html", "name": "http://sunbeltblog.blogspot.com/2006/09/seen-in-wild-zero-day-exploit-being.html", "tags": [], "refsource": "MISC"}, {"url": "http://www.kb.cert.org/vuls/id/416092", "name": "VU#416092", "tags": ["US Government Resource"], "refsource": "CERT-VN"}, {"url": "http://www.securityfocus.com/bid/20096", "name": "20096", "tags": ["Exploit", "Patch"], "refsource": "BID"}, {"url": "http://secunia.com/advisories/21989", "name": "21989", "tags": ["Patch", "Vendor Advisory"], "refsource": "SECUNIA"}, {"url": "http://www.microsoft.com/technet/security/advisory/925568.mspx", "name": "http://www.microsoft.com/technet/security/advisory/925568.mspx", "tags": ["Patch", "Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "http://securitytracker.com/id?1016879", "name": "1016879", "tags": [], "refsource": "SECTRACK"}, {"url": "http://blogs.securiteam.com/index.php/archives/624", "name": "http://blogs.securiteam.com/index.php/archives/624", "tags": [], "refsource": "MISC"}, {"url": "http://www.osvdb.org/28946", "name": "28946", "tags": [], "refsource": "OSVDB"}, {"url": "http://www.us-cert.gov/cas/techalerts/TA06-262A.html", "name": "TA06-262A", "tags": ["Patch", "US Government Resource"], "refsource": "CERT"}, {"url": "http://support.microsoft.com/kb/925486", "name": "925486", "tags": [], "refsource": "MSKB"}, {"url": "http://www.vupen.com/english/advisories/2006/3679", "name": "ADV-2006-3679", "tags": ["Vendor Advisory"], "refsource": "VUPEN"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/29004", "name": "ie-vml-bo(29004)", "tags": [], "refsource": "XF"}, {"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A100", "name": "oval:org.mitre.oval:def:100", "tags": [], "refsource": "OVAL"}, {"url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-055", "name": "MS06-055", "tags": [], "refsource": "MS"}, {"url": "http://www.securityfocus.com/archive/1/448552/100/0/threaded", "name": "SSRT061254", "tags": [], "refsource": "HP"}, {"url": "http://www.securityfocus.com/archive/1/447070/100/0/threaded", "name": "20060926 Windows VML security update MS06-055 released", "tags": [], "refsource": "BUGTRAQ"}, {"url": "http://www.securityfocus.com/archive/1/446881/100/200/threaded", "name": "20060924 Windows VML Vulnerability FAQ (CVE-2006-4868) written", "tags": [], "refsource": "BUGTRAQ"}, {"url": "http://www.securityfocus.com/archive/1/446528/100/0/threaded", "name": "20060920 Internet Explorer VML Zero-Day Mitigation", "tags": [], "refsource": "BUGTRAQ"}, {"url": "http://www.securityfocus.com/archive/1/446523/100/0/threaded", "name": "20060920 RE: vml.c - Internet Explorer VML Buffer Overflow Download Exec Exploit", "tags": [], "refsource": "BUGTRAQ"}, {"url": "http://www.securityfocus.com/archive/1/446505/100/0/threaded", "name": "20060920 vml.c - Internet Explorer VML Buffer Overflow Download Exec Exploit", "tags": [], "refsource": "BUGTRAQ"}, {"url": "http://www.securityfocus.com/archive/1/446378/100/0/threaded", "name": "20060919 Yet another 0day for IE", "tags": [], "refsource": "BUGTRAQ"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Stack-based buffer overflow in the Vector Graphics Rendering engine (vgx.dll), as used in Microsoft Outlook and Internet Explorer 6.0 on Windows XP SP2, and possibly other versions, allows remote attackers to execute arbitrary code via a Vector Markup Language (VML) file with a long fill parameter within a rect tag."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-119"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2006-4868", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 9.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "MEDIUM", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "severity": "HIGH", "impactScore": 10.0, "obtainAllPrivilege": true, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}}, "publishedDate": "2006-09-19T19:07Z", "configurations": {"nodes": [{"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:microsoft:windows_2003_server:*:sp1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_xp:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_xp:*:sp1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_xp:*:sp2:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_2003_server:*:*:x64:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_2003_server:*:gold:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_2000:*:sp4:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_2003_server:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_2003_server:*:*:itanium:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:microsoft:outlook:2003:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:microsoft:internet_explorer:6.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "operator": "AND", "cpe_match": []}, {"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:microsoft:windows_2000:*:sp4:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:microsoft:internet_explorer:5.0.1:sp4:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "operator": "AND", "cpe_match": []}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2021-07-23T12:55Z"}

9.3 /10