CVE-2006-0992
published 2006-04-14


Priority: P259
CVSS 2.0: 10 (critical), vector AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 72.83% (99.4th percentile)
Stack-based buffer overflow in Novell GroupWise Messenger before 2.0 Public Beta 2 allows remote attackers to execute arbitrary code via a long Accept-Language value without a comma or semicolon. NOTE: due to a typo, the original ZDI advisory accidentally referenced CVE-2006-0092. This is the correct identifier.

Affected

1 ranges
Vendor | Product | Version range | Fixed in
novell | groupwise_messenger | |

Detection & IOCs (extracted from sources)

port: 8300
other: 0x6103c3d3
other: 0x61041010
filename: DClient.dll
command: GET / HTTP/1.1 Accept-Language: <1900-byte payload>
  • Detect HTTP requests to port 8300 with an Accept-Language header exceeding 16 bytes that contains no comma or semicolon — this is the exact trigger condition for the overflow.
  • Flag Accept-Language headers that are abnormally long (e.g., ~1900 bytes) and lack the standard comma/semicolon delimiters used in legitimate language tags.
  • Account for the exploit's bad-character constraints: bytes 0x00, 0x0a, 0x2c (comma), 0x3b (semicolon), and uppercase A–Z are absent from the Accept-Language payload, which can help fingerprint this specific exploit in IDS signatures.
  • Presence of ROP/JMP gadget addresses 0x6103c3d3 or 0x61041010 within an Accept-Language header on port 8300 is a strong indicator of active exploitation against DClient.dll v10510.37.
  • The exploit requires a StackAdjustment of -3500 bytes, meaning the shellcode executes with a significantly shifted stack pointer; payloads that do not account for this will fail, limiting usable payload types.
  • Payload space is constrained to 500 bytes and uppercase A–Z characters are forbidden, severely limiting which Metasploit payloads are compatible with this exploit.
  • The ROP gadget addresses (0x6103c3d3, 0x61041010) are specific to DClient.dll version 10510.37; exploitation against other versions of the DLL will require different return addresses.
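
The header checks from the detection notes above, written out as an added Python example (not code from this page or from any vendor) that inspects a raw HTTP request head seen on port 8300. The function names, the sample requests and the little-endian packing of the two addresses are assumptions made for the illustration.

```python
import struct

GW_PORT = 8300        # port listed on this page
MAX_UNDELIMITED = 16  # length threshold from the first detection note
# Addresses from this page, packed little-endian (assumption: x86 byte order)
GADGETS = {struct.pack("<I", a): hex(a) for a in (0x6103C3D3, 0x61041010)}


def accept_language_values(raw_request: bytes):
    """Yield each Accept-Language value found in a raw HTTP request head."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"accept-language":
            yield value.strip()


def inspect_request(dst_port: int, raw_request: bytes) -> list:
    """Return findings for one request; an empty list means nothing matched."""
    findings = []
    if dst_port != GW_PORT:
        return findings
    for value in accept_language_values(raw_request):
        if len(value) > MAX_UNDELIMITED and b"," not in value and b";" not in value:
            findings.append(f"undelimited Accept-Language, {len(value)} bytes")
            # Supporting signal only: legitimate tags such as en-US contain A-Z.
            if not any(0x41 <= b <= 0x5A for b in value):
                findings.append("no uppercase A-Z in value")
        for packed, label in GADGETS.items():
            if packed in value:
                findings.append(f"gadget address {label} in value")
    return findings


def build_request(accept_language: bytes) -> bytes:
    """Build a constructed sample request carrying the given header value."""
    return b"GET / HTTP/1.1\r\nHost: gw.example\r\nAccept-Language: " + accept_language + b"\r\n\r\n"


# Constructed samples: filler bytes only, no real payload.
BENIGN = build_request(b"en-US,en;q=0.8")
LONG_UNDELIMITED = build_request(b"a" * 1900)
WITH_GADGET = build_request(b"a" * 100 + struct.pack("<I", 0x6103C3D3) + b"a" * 50)

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("long", LONG_UNDELIMITED), ("gadget", WITH_GADGET)):
        print(name, inspect_request(GW_PORT, req))
```

The length and delimiter check is the primary signal; the uppercase and address checks only add confidence once it has fired, and the address match applies only to the DClient.dll version named above.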