CVE-2006-0992
Published 2006-04-14
CVE-2006-0992: Stack-based buffer overflow in Novell GroupWise Messenger before 2.0 Public Beta 2 allows remote attackers to execute arbitrary code via a long Accept-Language…
Priority: P2 · 59 · critical · CVSS 2.0 base score: 10
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT available · EPSS 72.83% (99.4th percentile)
Stack-based buffer overflow in Novell GroupWise Messenger before 2.0 Public Beta 2 allows remote attackers to execute arbitrary code via a long Accept-Language value without a comma or semicolon. NOTE: due to a typo, the original ZDI advisory accidentally referenced CVE-2006-0092. This is the correct identifier.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| novell | groupwise_messenger | — | — |
Detection & IOCs (extracted from sources)
- Detect HTTP requests to port 8300 with an Accept-Language header exceeding 16 bytes that contains no comma or semicolon — this is the exact trigger condition for the overflow.
- Flag Accept-Language headers that are abnormally long (e.g., ~1900 bytes) and lack the standard comma/semicolon delimiters used in legitimate language tags.
- Monitor for exploit bad-character constraints: payload bytes 0x00, 0x0a, 0x2c (comma), 0x3b (semicolon), and uppercase A–Z are absent from the Accept-Language payload, which can help fingerprint this specific exploit in IDS signatures.
- Presence of ROP/JMP gadget addresses 0x6103c3d3 or 0x61041010 within an Accept-Language header on port 8300 is a strong indicator of active exploitation against DClient.dll v10510.37.
- The exploit requires a StackAdjustment of -3500 bytes, meaning the shellcode executes with a significantly shifted stack pointer; payloads that do not account for this will fail, limiting usable payload types.
- Payload space is constrained to 500 bytes and uppercase A–Z characters are forbidden, severely limiting which Metasploit payloads are compatible with this exploit.
- The ROP gadget addresses (0x6103c3d3, 0x61041010) are specific to DClient.dll version 10510.37; exploitation against other versions of the DLL will require different return addresses.
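The first two detection points above reduce to one concrete check on the request head: an Accept-Language value longer than 16 bytes with no comma or semicolon, seen on port 8300. The following is an added example written for this page, not code from the original page or from any vendor or project; the gadget-address check uses the two addresses listed above, and the sample requests are constructed.

```python
"""Flag the CVE-2006-0992 trigger condition in raw HTTP request heads.
Constructed example for this page: an Accept-Language value longer than
16 bytes with no comma or semicolon, on port 8300, is the overflow trigger;
the known gadget addresses raise the verdict to 'exploit'."""
import struct

MESSENGER_PORT = 8300   # GroupWise Messenger listener named in the advisory
SAFE_HEADER_LEN = 16    # any longer Accept-Language value overflows the buffer
# Return addresses the public exploit uses against DClient.dll v10510.37,
# little-endian as they would appear on the wire.
GADGET_BYTES = [struct.pack("<I", a) for a in (0x6103C3D3, 0x61041010)]


def accept_language_values(request_head: bytes) -> list:
    """Return every Accept-Language header value (raw bytes) in the head."""
    values = []
    for line in request_head.split(b"\r\n")[1:]:   # skip the request line
        if not line:
            break                                   # blank line ends headers
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"accept-language":
            values.append(value.strip())
    return values


def classify_request(request_head: bytes, dst_port: int) -> dict:
    """Verdict is 'benign', 'suspicious' (trigger condition) or 'exploit'."""
    result = {"verdict": "benign", "reasons": []}
    if dst_port != MESSENGER_PORT:
        return result            # the vulnerable service only listens here
    for value in accept_language_values(request_head):
        if len(value) > SAFE_HEADER_LEN and b"," not in value and b";" not in value:
            result["verdict"] = "suspicious"
            result["reasons"].append(f"Accept-Language {len(value)} bytes, no delimiter")
        if any(g in value for g in GADGET_BYTES):
            result["verdict"] = "exploit"
            result["reasons"].append("known DClient.dll gadget address present")
    return result


# Constructed sample traffic: a legitimate browser header and an oversized,
# delimiter-free header of the size the advisory describes (~1900 bytes).
BENIGN = b"GET / HTTP/1.1\r\nHost: im\r\nAccept-Language: en-US,en;q=0.5\r\n\r\n"
SUSPECT = b"GET / HTTP/1.1\r\nHost: im\r\nAccept-Language: " + b"a" * 1900 + b"\r\n\r\n"
```

Run `classify_request(SUSPECT, 8300)` to see the trigger condition reported; the same request to any other port is ignored, since the check is only meaningful for the Messenger listener.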
No detection rules found.
Exploit-DB
Novell Messenger Server 2.0 - Accept-Language Overflow (Metasploit)
exploitdb · 2010-09-20
```ruby
##
# $Id: novell_messenger_acceptlang.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 'Novell Messenger Server 2.0 Accept-Language Overflow',
      'Description' => %q{
          This module exploits a stack buffer overflow in Novell GroupWise
        Messenger Server v2.0. This flaw is triggered by any HTTP
        request with an Accept-Language header greater than 16 bytes.
        To overwrite the return address on the stack, we must first
        pass a memcpy() operation tha
```
Metasploit
Novell Messenger Server 2.0 Accept-Language Overflow
metasploit
This module exploits a stack buffer overflow in Novell GroupWise Messenger Server v2.0. This flaw is triggered by any HTTP request with an Accept-Language header greater than 16 bytes. To overwrite the return address on the stack, we must first pass a memcpy() operation that uses pointers we supply. Due to the large list of restricted characters and the limitations of the current encoder modules, very few payloads are usable.
No writeups or analysis indexed.
References
- http://cirt.dk/advisories/cirt-42-advisory.txt
- http://metasploit.blogspot.com/2006/04/exploit-development-groupwise_14.html
- http://secunia.com/advisories/19663
- http://securitytracker.com/id?1015911
- http://support.novell.com/cgi-bin/search/searchtid.cgi?10100861.htm
- http://www.osvdb.org/24617
- http://www.securityfocus.com/archive/1/430911/100/0/threaded
- http://www.securityfocus.com/bid/17503
- http://www.vupen.com/english/advisories/2006/1355
- http://www.zerodayinitiative.com/advisories/ZDI-06-008.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/25828
- https://www.exploit-db.com/exploits/1679