CVE-2006-2086
published 2006-04-29

Priority: P3 · 58 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public (Metasploit module)
EPSS: 67.31% (99.2nd percentile)
Buffer overflow in JuniperSetupDLL.dll, loaded from JuniperSetup.ocx by the Juniper SSL-VPN Client when accessing a Juniper NetScreen IVE device running IVE OS before 4.2r8.1, 5.0 before 5.0r6.1, 5.1 before 5.1r8, 5.2 before 5.2r4.1, or 5.3 before 5.3r2.1, allows remote attackers to execute arbitrary code via a long argument in the ProductName parameter.

Detection & IOCs (extracted from sources)

  • filename: JuniperSetupDLL.dll
  • filename: JuniperSetup.ocx
  • address: 0x77ae7f99 (return address in crypt32.dll, not an IP; see notes below)
  • parameter: ProductName=<overly long string>
  • Detect exploitation attempts by monitoring for HTTP responses serving an HTML page that instantiates the JuniperSetup.ocx ActiveX control (by classid) with an anomalously long ProductName parameter (>220 bytes), consistent with the stack overwrite offset used in the Metasploit module.
  • The exploit delivers a buffer of 2200 bytes with a return address written at offset 220 and shellcode at offset 240; network signatures should look for a ProductName value exceeding ~220 characters delivered via an ActiveX object tag for JuniperSetup.ocx.
  • The return address used for Windows XP Pro SP3 English targets points into crypt32.dll (jmp esp gadget at 0x77ae7f99); monitor for execution flow redirected to this address from within the browser process.
  • The exploit calls startSession() on the instantiated ActiveX object after setting the malicious ProductName; network/host detection should correlate ActiveX object instantiation of JuniperSetup.ocx followed immediately by a startSession() call.
  • The vulnerable IVE OS versions are: before 4.2r8.1, 5.0 before 5.0r6.1, 5.1 before 5.1r8, 5.2 before 5.2r4.1, and 5.3 before 5.3r2.1. Detection rules should be scoped to environments running these versions of Juniper NetScreen IVE.
  • The Metasploit module's payload bad characters include null bytes, newlines, carriage returns, spaces, and several special characters; shellcode in the wild may vary but must avoid these bytes, which can inform byte-signature tuning.
  • The return address 0x77ae7f99 (crypt32.dll jmp esp) is specific to Windows XP Pro SP3 English; exploitation against other OS versions or patch levels would require a different return address, so a detection hint keyed on this specific value is OS-version-dependent.
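The detection notes above describe two things to look for in an HTTP response body: an `<object>` tag that instantiates JuniperSetup.ocx with a ProductName value longer than about 220 bytes, and a follow-on `startSession()` call. The following Python is an added example (not code from the vulnerability record, the Metasploit module, or Juniper) that implements that check over HTML content. It assumes the ActiveX control is referenced by a `codebase` or similar attribute naming JuniperSetup.ocx (the real classid is not given on the page, so the check matches on the file name instead), and it handles both a `<param name="ProductName">` child and a script-side `obj.ProductName = "..."` assignment; the sample pages are constructed.

```python
"""Added example: flag HTML that sets an over-long ProductName on the
JuniperSetup.ocx ActiveX control (CVE-2006-2086 detection heuristic)."""
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional

PRODUCTNAME_THRESHOLD = 220  # stack-overwrite offset cited in the detection notes

# Script-side assignment such as   obj.ProductName = "...";   (assumed vector)
_SCRIPT_ASSIGN = re.compile(r'ProductName\s*=\s*(["\'])(.*?)\1', re.IGNORECASE | re.DOTALL)
_START_SESSION = re.compile(r'\.startSession\s*\(', re.IGNORECASE)


def _mentions_juniper_setup(attrs: Dict[str, str]) -> bool:
    """True if any <object> attribute (codebase, data, id, ...) names JuniperSetup.ocx."""
    return any("junipersetup" in v.lower() for v in attrs.values())


class _ObjectCollector(HTMLParser):
    """Collects <object> elements together with their <param name= value=> children."""

    def __init__(self) -> None:
        super().__init__()
        self.objects: List[Dict] = []
        self._current: Optional[Dict] = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "object":
            self._current = {"attrs": a, "params": {}}
            self.objects.append(self._current)
        elif tag == "param" and self._current is not None:
            self._current["params"][a.get("name", "").lower()] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "object":
            self._current = None


def scan_html(html: str, threshold: int = PRODUCTNAME_THRESHOLD) -> List[Dict]:
    """Return one alert per JuniperSetup.ocx object whose ProductName exceeds threshold."""
    parser = _ObjectCollector()
    parser.feed(html)
    calls_start_session = bool(_START_SESSION.search(html))
    # Longest ProductName assigned from script anywhere in the page (0 if none)
    script_len = max((len(m.group(2)) for m in _SCRIPT_ASSIGN.finditer(html)), default=0)

    alerts = []
    for idx, obj in enumerate(parser.objects):
        if not _mentions_juniper_setup(obj["attrs"]):
            continue
        param_len = len(obj["params"].get("productname", ""))
        longest = max(param_len, script_len)
        if longest > threshold:
            alerts.append({
                "object_index": idx,
                "productname_length": longest,
                "calls_start_session": calls_start_session,
            })
    return alerts


# Constructed sample pages (not captured traffic).
BENIGN_SAMPLE = """<html><body>
<object id="setup" codebase="JuniperSetup.ocx" width="0" height="0">
  <param name="ProductName" value="Juniper Networks Setup Client">
</object>
<script>document.getElementById("setup").startSession();</script>
</body></html>"""

# 2200-byte filler matches the buffer size cited in the notes; it is just repeated 'A's.
SUSPICIOUS_SAMPLE = """<html><body>
<object id="setup" codebase="JuniperSetup.ocx">
  <param name="ProductName" value="%s">
</object>
<script>document.getElementById("setup").startSession();</script>
</body></html>""" % ("A" * 2200)

# Same condition reached through a script assignment instead of a <param>.
SCRIPT_SAMPLE = """<html><body>
<object id="o" codebase="JuniperSetup.ocx"></object>
<script>var o = document.getElementById("o"); o.ProductName = "%s"; o.startSession();</script>
</body></html>""" % ("B" * 300)

if __name__ == "__main__":
    for name, page in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE), ("script", SCRIPT_SAMPLE)):
        print(name, scan_html(page))
```

The threshold is deliberately the 220-byte offset from the notes rather than the full 2200-byte buffer, so variants that trim the payload still trip the rule; the `calls_start_session` field carries the correlation the notes ask for, and a consumer would normally raise severity when it is true.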