Signature Detail

DNS: ATMA Overflow

This signature detects attempts to exploit a known vulnerability in the Microsoft DNS client. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the service.

Extended Description

Microsoft Windows is prone to a remotely exploitable buffer overrun condition in the DNS client. This issue is exposed when a client handles a malicious response from a DNS server. Attackers may leverage this to execute arbitrary code and launch a complete compromise of the affected computer.

Affected Products

• Microsoft windows_2000_advanced_server SP1
• Microsoft windows_2000_advanced_server SP2
• Microsoft windows_2000_advanced_server SP3
• Microsoft windows_2000_advanced_server SP4
• Microsoft windows_2000_advanced_server
• Microsoft windows_2000_datacenter_server SP1
• Microsoft windows_2000_datacenter_server SP2
• Microsoft windows_2000_datacenter_server SP3
• Microsoft windows_2000_datacenter_server SP4
• Microsoft windows_2000_datacenter_server
• Microsoft windows_2000_professional SP1
• Microsoft windows_2000_professional SP2
• Microsoft windows_2000_professional SP3
• Microsoft windows_2000_professional SP4
• Microsoft windows_2000_professional
• Microsoft windows_2000_server SP1
• Microsoft windows_2000_server SP2
• Microsoft windows_2000_server SP3
• Microsoft windows_2000_server SP4
• Microsoft windows_2000_server
• Microsoft windows_server_2003_datacenter_edition SP1
• Microsoft windows_server_2003_datacenter_edition
• Microsoft windows_server_2003_datacenter_edition_itanium SP1
• Microsoft windows_server_2003_datacenter_edition_itanium
• Microsoft windows_server_2003_datacenter_x64_edition
• Microsoft windows_server_2003_enterprise_edition SP1
• Microsoft windows_server_2003_enterprise_edition
• Microsoft windows_server_2003_enterprise_edition_itanium SP1
• Microsoft windows_server_2003_enterprise_edition_itanium
• Microsoft windows_server_2003_enterprise_x64_edition
• Microsoft windows_server_2003_standard_edition SP1
• Microsoft windows_server_2003_standard_edition
• Microsoft windows_server_2003_standard_x64_edition
• Microsoft windows_server_2003_web_edition SP1
• Microsoft windows_server_2003_web_edition
• Microsoft windows_xp
• Microsoft windows_xp_64-bit_edition SP1
• Microsoft windows_xp_64-bit_edition
• Microsoft windows_xp_64-bit_edition_version_2003 SP1
• Microsoft windows_xp_64-bit_edition_version_2003
• Microsoft windows_xp_home SP1
• Microsoft windows_xp_home SP2
• Microsoft windows_xp_home
• Microsoft windows_xp_media_center_edition SP1
• Microsoft windows_xp_media_center_edition SP2
• Microsoft windows_xp_media_center_edition
• Microsoft windows_xp_professional SP1
• Microsoft windows_xp_professional SP2
• Microsoft windows_xp_professional
• Microsoft windows_xp_professional_x64_edition
• Microsoft windows_xp_tablet_pc_edition SP1
• Microsoft windows_xp_tablet_pc_edition SP2
• Microsoft windows_xp_tablet_pc_edition
• Nortel_networks bcm 1000
• Nortel_networks bcm 200
• Nortel_networks bcm 400
• Nortel_networks callpilot 1002Rp
• Nortel_networks callpilot 200I
• Nortel_networks callpilot 201I
• Nortel_networks callpilot 702T
• Nortel_networks callpilot 703T
• Nortel_networks centrex_ip_client_manager
• Nortel_networks centrex_ip_element_manager
• Nortel_networks contact_center
• Nortel_networks contact_center-agent_desktop_display
• Nortel_networks contact_center-cct
• Nortel_networks contact_center_express
• Nortel_networks contact_center_manager
• Nortel_networks contact_center_manager_server
• Nortel_networks contact_center-tapi_server
• Nortel_networks srg 1.0.0
• Nortel_networks symposium_agent
• Nortel_networks tapi_desktop

References

• BugTraq: 19404
• CVE: CVE-2006-3441
• URL: http://www.microsoft.com/technet/security/Bulletin/MS06-041.mspx
• URL: http://www.us-cert.gov/cas/techalerts/TA06-220A.html