Vulnerability Details : CVE-2006-5745
Unspecified vulnerability in the setRequestHeader method in the XMLHTTP (XML HTTP) ActiveX Control 4.0 in Microsoft XML Core Services 4.0 on Windows, when accessed by Internet Explorer, allows remote attackers to execute arbitrary code via crafted arguments that lead to memory corruption, a different vulnerability than CVE-2006-4685. NOTE: some of these details are obtained from third party information.
Vulnerability category: Memory CorruptionExecute code
At least one public exploit which can be used to exploit this vulnerability exists!
Exploit prediction scoring system (EPSS) score for CVE-2006-5745
Probability of exploitation activity in the next 30 days: 97.39%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 100 % EPSS Score History EPSS FAQ
Metasploit modules for CVE-2006-5745
-
MS06-071 Microsoft Internet Explorer XML Core Services HTTP Request Handling
Disclosure Date : 2006-10-10exploit/windows/browser/ms06_071_xml_coreThis module exploits a code execution vulnerability in Microsoft XML Core Services which exists in the XMLHTTP ActiveX control. This module is the modified version of http://www.milw0rm.com/exploits/2743 - credit to str0ke. This module has been successfully tested on Windows 2000 SP4, Windows XP SP2, Windows 2003 Server SP0 with IE6 + Microsoft XML Core Services 4.0 SP2. Authors: - Trirat Puttaraksa <[email protected]>
CVSS scores for CVE-2006-5745
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|
|
7.6
|
HIGH | AV:N/AC:H/Au:N/C:C/I:C/A:C |
4.9
|
10.0
|
[email protected] |
References for CVE-2006-5745
-
http://www.us-cert.gov/cas/techalerts/TA06-318A.html
US Government Resource
-
http://www.securityfocus.com/bid/20915
Exploit
-
https://www.exploit-db.com/exploits/2743
-
http://www.microsoft.com/technet/security/advisory/927892.mspx
-
http://xforce.iss.net/xforce/alerts/id/239
Vendor Advisory
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/30004
-
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A104
-
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-071
-
http://www.vupen.com/english/advisories/2006/4334
-
http://securitytracker.com/id?1017157
-
http://blogs.securiteam.com/?p=717
-
http://www.kb.cert.org/vuls/id/585137
US Government Resource
-
http://www.iss.net/threats/239.html
Products affected by CVE-2006-5745
- cpe:2.3:a:microsoft:xml_core_services:4.0:*:*:*:*:*:*:*