CVE-2006-2086
Published 2006-04-29
Priority: P3 (58) · Severity: high · CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public exploit available (Metasploit module, see below)
EPSS: 67.31% (99.2th percentile)
Buffer overflow in JuniperSetupDLL.dll, loaded from JuniperSetup.ocx by the Juniper SSL-VPN Client when accessing a Juniper NetScreen IVE device running IVE OS before 4.2r8.1, 5.0 before 5.0r6.1, 5.1 before 5.1r8, 5.2 before 5.2r4.1, or 5.3 before 5.3r2.1, allows remote attackers to execute arbitrary code via a long argument in the ProductName parameter.
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by monitoring HTTP responses that serve an HTML page instantiating the JuniperSetup.ocx ActiveX control (by classid) with an anomalously long ProductName parameter (more than 220 bytes), consistent with the stack-overwrite offset used in the Metasploit module.
- The exploit delivers a 2200-byte buffer with the return address written at offset 220 and shellcode at offset 240; network signatures should look for a ProductName value exceeding roughly 220 characters delivered through an ActiveX object tag for JuniperSetup.ocx.
- The return address used for the Windows XP Pro SP3 English target points into crypt32.dll (a jmp esp gadget at 0x77ae7f99); on the host, watch for control flow redirected to this address from within the browser process.
- The exploit calls startSession() on the instantiated ActiveX object after setting the malicious ProductName; network or host detection should correlate instantiation of JuniperSetup.ocx followed immediately by a startSession() call. Note that a legitimate IVE login flow also calls startSession(), so the oversized ProductName, not the call itself, is the discriminating signal.
- The vulnerable IVE OS versions are: before 4.2r8.1, 5.0 before 5.0r6.1, 5.1 before 5.1r8, 5.2 before 5.2r4.1, and 5.3 before 5.3r2.1. Detection rules should be scoped to environments whose clients obtained the control from Juniper NetScreen IVE devices running these versions; the flaw lives in the client-side DLL, so a client stays exploitable by any web page until the control is updated, not only when connecting to the IVE.
- The Metasploit module's payload bad characters include null bytes, newlines, carriage returns, spaces, and several special characters; shellcode in the wild may vary but must avoid these bytes, which can inform byte-signature tuning.
- The return address 0x77ae7f99 (crypt32.dll jmp esp) is specific to Windows XP Pro SP3 English; exploitation against other OS versions or patch levels would require a different return address, so a detection hint keyed on this value is OS-version-dependent.
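The following is an added example, not code from the page's sources or from Metasploit, that turns the IOC notes above into a checker you can run over HTTP response bodies. The 220-byte threshold and the 2200/220/240 layout come from the notes; the HTML samples are constructed (not captured traffic), the function names are the example's own, and since the control's CLSID is not given on this page the checker identifies the object by the JuniperSetup name in its attributes unless you pass a CLSID in. ProductName is checked both as an object `<param>` and as a scripted property assignment, an assumption that covers either delivery style.

```python
"""Added example: flag HTML responses that drive JuniperSetup.ocx with an
oversized ProductName, the CVE-2006-2086 trigger described in the IOC notes.
Offsets/threshold come from those notes; the HTML samples, function names and
the CLSID handling are assumptions made for this example."""
import re
from html.parser import HTMLParser

PRODUCTNAME_MAX = 220  # return address is written at offset 220 (IOC notes)
# Any <object> whose attributes mention JuniperSetup (codebase, id, name ...).
JUNIPER_OBJECT_RE = re.compile(r"junipersetup", re.I)


class _ActiveXCollector(HTMLParser):
    """Collect <object> tags with their <param> children, plus inline script text."""

    def __init__(self):
        super().__init__()
        self.objects = []     # [{"attrs": {...}, "params": {...}}, ...]
        self.scripts = []     # complete inline <script> bodies
        self._cur = None
        self._script_buf = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "object":
            self._cur = {"attrs": a, "params": {}}
            self.objects.append(self._cur)
        elif tag == "param" and self._cur is not None:
            self._cur["params"][a.get("name", "").lower()] = a.get("value", "")
        elif tag == "script":
            self._script_buf = []

    def handle_endtag(self, tag):
        if tag == "object":
            self._cur = None
        elif tag == "script" and self._script_buf is not None:
            self.scripts.append("".join(self._script_buf))
            self._script_buf = None

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)


def _scripted_productname_len(scripts, obj_id):
    """Longest string literal assigned to <obj_id>.ProductName from inline script."""
    pat = re.compile(rf"{re.escape(obj_id)}\s*\.\s*ProductName\s*=\s*([\"'])(.*?)\1", re.I | re.S)
    return max((len(m.group(2)) for s in scripts for m in pat.finditer(s)), default=0)


def _calls_start_session(scripts, obj_id):
    pat = re.compile(rf"{re.escape(obj_id)}\s*\.\s*startSession\s*\(", re.I)
    return any(pat.search(s) for s in scripts)


def scan_response_body(body, known_clsid=None):
    """Return one finding per JuniperSetup object found in an HTML body.

    known_clsid: optional CLSID to match on (assumption: not given on this page,
    so identification falls back to the JuniperSetup name in object attributes).
    """
    p = _ActiveXCollector()
    p.feed(body)
    findings = []
    for obj in p.objects:
        attrs = obj["attrs"]
        obj_id = attrs.get("id", "")
        by_name = any(JUNIPER_OBJECT_RE.search(v) for v in attrs.values())
        by_clsid = known_clsid is not None and known_clsid.lower() in attrs.get("classid", "").lower()
        if not (by_name or by_clsid):
            continue
        # ProductName may arrive as a <param> or be set later from script; take the longer.
        pn_len = len(obj["params"].get("productname", ""))
        if obj_id:
            pn_len = max(pn_len, _scripted_productname_len(p.scripts, obj_id))
        findings.append({
            "id": obj_id,
            "productname_len": pn_len,
            "oversized": pn_len > PRODUCTNAME_MAX,
            "start_session": bool(obj_id) and _calls_start_session(p.scripts, obj_id),
        })
    return findings


def verdict(findings):
    """'alert' on any oversized ProductName; startSession() only corroborates (legit pages call it too)."""
    for f in findings:
        if f["oversized"]:
            return "alert (startSession observed)" if f["start_session"] else "alert"
    return "clean"


# Constructed samples (not captured traffic).
BENIGN_BODY = """<html><body>
<object id="jsetup" codebase="JuniperSetup.ocx">
  <param name="ProductName" value="Juniper Secure Application Manager">
</object>
<script>jsetup.startSession();</script>
</body></html>"""

# 2200 bytes laid out as the IOC notes describe: 220 filler, 4-byte return
# address slot, 16 bytes padding, then the shellcode region (all filler here).
_FAKE_PAYLOAD = "A" * 220 + "BBBB" + "C" * 16 + "D" * (2200 - 240)
MALICIOUS_BODY = f"""<html><body>
<object id="obj" codebase="JuniperSetup.ocx"></object>
<script>obj.ProductName = "{_FAKE_PAYLOAD}"; obj.startSession();</script>
</body></html>"""

if __name__ == "__main__":
    for name, body in (("benign", BENIGN_BODY), ("malicious", MALICIOUS_BODY)):
        print(name, verdict(scan_response_body(body)))
```

Run it and the benign login-style page (short ProductName, startSession() still called) comes back clean while the 2200-byte page alerts; the length check rather than the startSession() call is what separates them, which is why the verdict treats startSession() as corroboration only.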
Juniper
vendor_juniper · 2006-04-29 · CVSS 7.5
CVE-2006-2086 [HIGH]: Buffer overflow in JuniperSetupDLL.dll, loaded from JuniperSetup.ocx by the Juniper SSL-VPN Client when accessing a Juniper NetScreen IVE device running IVE OS before 4.2r8.1, 5.0 before 5.0r6.1, 5.1 before 5.1r8, 5.2 before 5.2r4.1, or 5.3 before 5.3r2.1, allows remote attackers to execute arbitrary code via a long argument in the ProductName parameter.
GHSA
ghsa_unreviewed · 2022-05-01
GHSA-jgcp-49rc-q8xp (CVE-2006-2086) [HIGH]: Buffer overflow in JuniperSetupDLL
Buffer overflow in JuniperSetupDLL.dll, loaded from JuniperSetup.ocx by the Juniper SSL-VPN Client when accessing a Juniper NetScreen IVE device running IVE OS before 4.2r8.1, 5.0 before 5.0r6.1, 5.1 before 5.1r8, 5.2 before 5.2r4.1, or 5.3 before 5.3r2.1, allows remote attackers to execute arbitrary code via a long argument in the ProductName parameter.
No detection rules found.
Exploit-DB
exploitdb · 2010-05-09
CVE-2006-2086: Juniper SSL-VPN IVE - 'JuniperSetupDLL.dll' ActiveX Control Buffer Overflow (Metasploit)
---
```ruby
##
# $Id: juniper_sslvpn_ive_setupdll.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # Extraction dropped the text between the '<' above and the next '>';
  # the superclass, HTTP-server mixin and initialize/super lines below are
  # restored from the standard Metasploit 3 browser-exploit layout.
  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Juniper SSL-VPN IVE JuniperSetupDLL.dll ActiveX Control Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in the JuniperSetupDLL.dll
        library which is called by the JuniperSetup.ocx ActiveX control,
        as part of the Juniper SSL-VPN (IVE) appliance. By specifying an
        overly long string to the Produc
```
(listing truncated on the source page)
Exploit-DB (CVE-2006-6198, not this CVE)
exploitdb · 2006-11-25
The following seven Exploit-DB entries belong to CVE-2006-6198, cross-site scripting in cPanel WebHost Manager 3.1. They are indexed here apparently because WHM listens on port 2086, which matches the string "2086" in this CVE's identifier; they have nothing to do with Juniper IVE or JuniperSetupDLL.dll.
source: https://www.securityfocus.com/bid/21288/info
WebHost Manager is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. WebHost Manager version 3.1.0 is vulnerable; other versions may also be affected.
- 'park?ndomain': http://www.example.com:2086/scripts/park?domain=demo.com&ndomain=XSS
- 'addon_configsupport.cgi?supporturl': http://www.example.com:2086/cgi/addon_configsupport.cgi?cgiaction=save&supportaddy=Domain.name&emailpipecmd=Domain.name&displaybrowserbody=1&displaybrowsersubject=1&displaydomainbody=1
- 'dofeaturemanager?feature': http://www.example.com:2086/scripts2/dofeaturemanager?action=addfeature&feature=XSS
- 'dochangeemail?email': http://www.example.com:2086/scripts2/dochangeemail?user=demo&domain=demo.com&email=XSS
- 'editzone?domain': http://www.example.com:2086/scripts/editzone?domain=XSS
- 'domts2?domain': http://www.example.com:2086/scripts2/domts2?domain=XSS
- 'editpkg?pkg': http://www.example.com:2086/scripts/editpkg?pkg=XSS
Metasploit
metasploit
Juniper SSL-VPN IVE JuniperSetupDLL.dll ActiveX Control Buffer Overflow
This module exploits a stack buffer overflow in the JuniperSetupDLL.dll library which is called by the JuniperSetup.ocx ActiveX control, as part of the Juniper SSL-VPN (IVE) appliance. By specifying an overly long string to the ProductName object parameter, the stack is overwritten.
No writeups or analysis indexed.
References:
- http://secunia.com/advisories/19842
- http://securityreason.com/securityalert/819
- http://securitytracker.com/id?1016000
- http://www.eeye.com/html/research/advisories/AD20060424.html
- http://www.juniper.net/support/security/alerts/PSN-2006-03-013.txt
- http://www.kb.cert.org/vuls/id/477604
- http://www.osvdb.org/25001
- http://www.securityfocus.com/archive/1/432155/100/0/threaded
- http://www.securityfocus.com/bid/17712
- http://www.vupen.com/english/advisories/2006/1543
- https://exchange.xforce.ibmcloud.com/vulnerabilities/26077