cbcvebase.
CVE-2006-5112
published 2006-10-03

CVE-2006-5112: Buffer overflow in InterVations NaviCOPA Web Server 2.01 allows remote attackers to execute arbitrary code via a long HTTP GET request.

Priority: P2 · 62 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT: public exploit code exists
EPSS: 66.83% (99.2th percentile)

Affected (2 ranges)

Vendor        Product               Version range   Fixed in
intervations  navicopa_web_server
intervations  navicopa_web_server

Detection & IOCs (extracted from sources)

port: 4444
command: GET /<228 bytes alphanumeric><RET> HTTP/1.1
command: GET <pattern> HTTP/1.1
registry: IV320009.dll
other: 0x1009b4ff
other: 0x1002c46f
other: 0x7d168877
other: 0x7ca58265
other: 0x7cb4d5ac
other: 0x77596433
other: 0x78326433
bytes: \x6a\x50\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x91\xba\x06\x13\x83\xeb\xfc\xe2\xf4
  • Detect exploit attempts by matching HTTP GET requests with oversized URL parameters (~228+ bytes) sent to port 80 against NaviCOPA 2.0.1 servers; the buffer overflow triggers at 228–234 bytes of URL path data.
  • Fingerprint vulnerable NaviCOPA 2.0.1 servers by checking HTTP banner responses containing the string '2.01 11th September'.
  • The exploit payload bad characters for NaviCOPA GET overflow are: 0x00, 0x3a, 0x26, 0x3f, 0x25, 0x23, 0x20, 0x0a, 0x0d, 0x2f, 0x2b, 0x0b, 0x5c — these can help tune IDS rules to avoid false negatives.
  • The exploit uses a return address in IV320009.dll (NaviCOPA component DLL); presence of this DLL loaded in a web server process combined with anomalous GET requests is a strong indicator of exploitation.
  • Post-exploitation, the bind shellcode in the public PoC opens a shell on port 4444; monitor for unexpected inbound connections on TCP/4444 from NaviCOPA server hosts.
  • The exploit buffer structure is: 'GET ' + ('A' * 230) + RET + (NOP * 32) + shellcode + ' HTTP/1.1\r\n\r\n'; use this pattern for Snort/Suricata content matching on oversized GET URI with NOP sled.
  • The Metasploit module targets NaviCOPA 2.0.1 specifically; the return address 0x1009b4ff is hardcoded for IV320009.dll and will not work against other versions or patched builds.
  • CVE-2006-5112 is noted as probably a different issue from CVE-2007-2336 and CVE-2007-1733; detection rules should not conflate these three NaviCOPA vulnerabilities.
  • The older Metasploit (Perl) module uses a slightly different offset (227–228 bytes) and a different return address (0x1002c46f, push esp/ret in IV320009.dll) compared to the newer Ruby module (0x1009b4ff); both target the same vulnerability but may require different detection thresholds.
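The detection points in the bullets above (oversized GET URI at the 228-byte trigger, NOP sled, the two IV320009.dll return addresses, the banner fingerprint) combined into one request inspector, as an added example that is not part of this entry or of any NaviCOPA or Metasploit code. The sample requests are constructed; the payload region is filler, not shellcode.

```python
"""Flag HTTP requests shaped like the CVE-2006-5112 NaviCOPA GET overflow.

Added example for tuning detection; thresholds and indicators come from the
entry above (228-byte trigger, 32-NOP sled, 0x1009b4ff / 0x1002c46f, banner).
"""
import re
import struct

OVERSIZED_URI = 228      # URI length at which the NaviCOPA 2.0.1 overflow triggers
MIN_NOP_SLED = 16        # public PoC uses 32 NOPs; half of that keeps the rule robust
# Little-endian encodings of the return addresses used by the Ruby and Perl modules.
KNOWN_RET_ADDRS = {struct.pack("<I", a): hex(a) for a in (0x1009b4ff, 0x1002c46f)}
VULNERABLE_BANNER = b"2.01 11th September"

REQUEST_LINE = re.compile(rb"^(?P<method>[A-Z]+) (?P<uri>[^ ]+) HTTP/1\.[01]\r?\n")


def inspect_request(raw: bytes) -> list[str]:
    """Return the indicator names found in one raw HTTP request (empty = clean)."""
    m = REQUEST_LINE.match(raw)
    if not m:
        return ["malformed_request_line"]
    uri = m.group("uri")
    findings = []
    if len(uri) >= OVERSIZED_URI:
        findings.append("oversized_uri")
    if b"\x90" * MIN_NOP_SLED in uri:
        findings.append("nop_sled")
    for enc, addr in KNOWN_RET_ADDRS.items():
        if enc in uri:
            findings.append(f"ret_addr_{addr}")
    # 200+ copies of one byte mirrors the 'A' * 230 padding and is rare in real URIs.
    if re.search(rb"(.)\1{199}", uri, re.DOTALL):
        findings.append("repeated_filler")
    return findings


def banner_is_vulnerable(server_header: bytes) -> bool:
    """True when a Server: header carries the NaviCOPA 2.01 build fingerprint."""
    return VULNERABLE_BANNER in server_header


# Constructed samples: a normal request and one following the PoC buffer layout
# ('A' * 230 + RET + NOP * 32 + payload) with 'X' bytes standing in for the payload.
SAMPLE_BENIGN = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE_OVERFLOW_SHAPE = (b"GET /" + b"A" * 230 + struct.pack("<I", 0x1009b4ff)
                         + b"\x90" * 32 + b"X" * 20 + b" HTTP/1.1\r\n\r\n")
```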