CVE-2006-5156
Published 2006-10-05
CVE-2006-5156: Buffer overflow in McAfee ePolicy Orchestrator before 3.5.0.720 and ProtectionPilot before 1.1.1.126 allows remote attackers to execute arbitrary code via a…
Priority P2 · 69 · critical · 10 · CVSS 2.0
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit available
EPSS: 71.62% (99.3th percentile)
Buffer overflow in McAfee ePolicy Orchestrator before 3.5.0.720 and ProtectionPilot before 1.1.1.126 allows remote attackers to execute arbitrary code via a request to /spipe/pkg/ with a long source header.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mcafee | epolicy_orchestrator | — | — |
| mcafee | epolicy_orchestrator | — | — |
| mcafee | protectionpilot | — | — |
Detection & IOCs (extracted from sources)
bytes: \x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8
- Detect exploit attempts by inspecting HTTP requests to port 81 for a 'Source' header exceeding 260 bytes targeting the /spipe/pkg path.
- Flag HTTP requests containing the custom header 'AgentGuid=' combined with 'Source=' on the same connection to /spipe/pkg as exploit indicators.
- Detect the egghunter shellcode stub by scanning the HTTP POST body or Source header for the byte sequence \x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8.
- Alert on HTTP GET requests to /spipe/pkg using User-Agent 'Mozilla/4.0 (compatible; SPIPE/1.0' — this is the spoofed agent used by the exploit.
- Monitor for GET requests to /SITEINFO.INI on port 81 as a pre-exploitation check/fingerprint step performed by the Metasploit module.
- The SEH overwrite occurs at offset 96 within the Source header; a Source header value of exactly 260 alphanumeric characters with embedded binary at offset 96 is a strong exploit indicator.
- Bad characters used in payload encoding are \x00\x09\x0a\x0b\x0d\x20\x26\x2b\x3d\x25\x8c\x3c\xff; shellcode in the Source header will avoid these bytes, which can aid in distinguishing exploit traffic.
- The exploit targets port 81 by default (non-standard HTTP); ensure network monitoring covers this port for the McAfee ePO HTTP service (NAISERV.exe).
- Two distinct ROP/SEH return addresses are used depending on target version: 0x601EDBDA (xmlutil.dll, ePO 3.5.0/ProtectionPilot 1.1.0) and 0x600741b5 (nahttp32.dll, ePO 2.5.1 SP1); detection rules should not rely solely on these static addresses as they may vary across patch levels.
- The egghunter tag is randomly generated per session (AlphaNumText(4)), so the egg tag itself cannot be used as a static signature; focus detection on the egghunter stub bytes instead.
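As an added defensive example (not from the page's sources and not part of the Metasploit module), the Python below applies the indicators listed above to raw HTTP request bytes: the /spipe/pkg path, a Source header longer than 260 bytes or exactly 260 bytes with non-alphanumeric bytes at offset 96, the AgentGuid/Source header pairing, the spoofed SPIPE User-Agent, the /SITEINFO.INI fingerprint on port 81, and the egghunter stub bytes. The host name, the finding labels and every sample request are constructed for illustration.

```python
# Added example: inspect raw HTTP requests for the CVE-2006-5156 indicators
# listed on this page. Sample requests below are constructed, not captured.

EGGHUNTER_STUB = bytes.fromhex("6681caff0f42526a0258cd2e3c055a74efb8")
SPIPE_PATH = b"/spipe/pkg"
SPOOFED_UA = b"Mozilla/4.0 (compatible; SPIPE/1.0"
MAX_SOURCE_LEN = 260      # longest Source value treated as benign
SEH_OFFSET = 96           # offset of the SEH overwrite inside the Source value
EPO_PORT = 81             # default port of the ePO HTTP service (NAISERV.exe)


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, headers, body).

    Header names are lower-cased; values keep their raw bytes so binary
    content inside a header can still be inspected. Malformed requests
    raise ValueError instead of being silently accepted.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    method, target = parts[0], parts[1]
    path = target.split(b"?", 1)[0]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def inspect_request(raw: bytes, dst_port: int) -> list:
    """Return the labels (constructed names) of every indicator the request matches."""
    method, path, headers, body = parse_request(raw)
    findings = []
    source = headers.get(b"source")
    # Pre-exploitation fingerprint step: GET /SITEINFO.INI on port 81.
    if dst_port == EPO_PORT and method == b"GET" and path.upper() == b"/SITEINFO.INI":
        findings.append("siteinfo-fingerprint")
    if path.lower().startswith(SPIPE_PATH):
        if source is not None and len(source) > MAX_SOURCE_LEN:
            findings.append("long-source-header")
        # Exactly 260 bytes with non-alphanumeric bytes where the SEH record lands.
        if (source is not None and len(source) == MAX_SOURCE_LEN
                and not source[SEH_OFFSET:SEH_OFFSET + 4].isalnum()):
            findings.append("seh-offset-binary")
        if source is not None and b"agentguid" in headers:
            findings.append("agentguid-with-source")
        if headers.get(b"user-agent", b"").startswith(SPOOFED_UA):
            findings.append("spoofed-spipe-agent")
    # The egghunter stub may sit in the POST body or in the Source header itself.
    haystacks = [body] + ([source] if source is not None else [])
    if any(EGGHUNTER_STUB in h for h in haystacks):
        findings.append("egghunter-stub")
    return findings


# Constructed samples (hostname and values are made up for the example).
BENIGN_REQUEST = (
    b"GET /spipe/pkg/ HTTP/1.1\r\n"
    b"Host: epo.example.internal\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n"
    b"Source: agent-01\r\n\r\n"
)
LONG_SOURCE_REQUEST = b"".join([
    b"GET /spipe/pkg/ HTTP/1.1\r\nHost: epo.example.internal\r\n",
    b"Source: " + b"A" * 300 + b"\r\n\r\n",
])
SUSPICIOUS_REQUEST = b"".join([
    b"GET /spipe/pkg/ HTTP/1.1\r\n",
    b"Host: epo.example.internal\r\n",
    b"User-Agent: Mozilla/4.0 (compatible; SPIPE/1.0\r\n",
    b"AgentGuid: " + b"B" * 16 + b"\r\n",
    b"Source: " + b"A" * SEH_OFFSET + b"\x01\x02\x03\x04" + b"A" * 160 + b"\r\n",
    b"\r\n",
    EGGHUNTER_STUB + b"C" * 8,
])
FINGERPRINT_REQUEST = b"GET /SITEINFO.INI HTTP/1.0\r\nHost: epo.example.internal\r\n\r\n"


def scan_samples() -> dict:
    """Run every constructed sample through the inspector, all bound for port 81."""
    samples = {
        "benign": BENIGN_REQUEST,
        "long-source": LONG_SOURCE_REQUEST,
        "suspicious": SUSPICIOUS_REQUEST,
        "fingerprint": FINGERPRINT_REQUEST,
    }
    return {name: inspect_request(raw, EPO_PORT) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name:12s} -> {findings or 'no indicators'}")
```

Because the legitimate agent traffic also goes to /spipe/pkg, the path alone is never flagged; each label is tied to one of the indicators above, and the spoofed User-Agent and AgentGuid pairing are the weakest of them, so a production rule would weight the Source-length, offset-96 and egghunter-stub hits higher.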
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 5.0 | MEDIUM | — |
GHSA
GHSA-8494-c7m6-c38m (CVE-2006-5156, severity HIGH): Buffer overflow in McAfee ePolicy Orchestrator before 3
ghsa (unreviewed) · 2022-05-01
Buffer overflow in McAfee ePolicy Orchestrator before 3.5.0.720 and ProtectionPilot before 1.1.1.126 allows remote attackers to execute arbitrary code via a request to /spipe/pkg/ with a long source header.
OSV
CVE-2007-5156: Incomplete blacklist vulnerability in editor/filemanager/upload/php/upload
osv · 2007-10-01 · CVSS 5.0
Incomplete blacklist vulnerability in editor/filemanager/upload/php/upload.php in FCKeditor, as used in SiteX CMS 0.7.3.beta, La-Nai CMS, Syntax CMS, Cardinal Cms, and probably other products, allows remote attackers to upload and execute arbitrary PHP code via a file whose name contains ".php." and has an unknown extension, which is recognized as a .php file by the Apache HTTP server, a different vulnerability than CVE-2006-0658 and CVE-2006-2529.
No detection rules found.
Exploit-DB
McAfee ePolicy Orchestrator / ProtectionPilot - Remote Overflow (Metasploit)
exploitdb · 2010-09-20 · CVE-2006-5156
---
```ruby
##
# $Id: mcafee_epolicy_source.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
class Metasploit3 'McAfee ePolicy Orchestrator / ProtectionPilot Overflow',
'Description' => %q{
This is an exploit for the McAfee HTTP Server (NAISERV.exe).
McAfee ePolicy Orchestrator 2.5.1
[
'muts ',
'xbxice[at]yahoo.com',
'hdm',
'patrick' # MSF3 rewrite, ePO v2.5.1 target
],
'Arch' => [ ARCH_X86 ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 10394 $',
'References' =>
[
[
```
Exploit-DB
McAfee ePo 3.5.0 / ProtectionPilot 1.1.0 - Source Remote (Metasploit)
exploitdb · 2006-10-01 · CVE-2006-5156
---
```perl
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::mcafee_epolicy_source;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'McAfee ePolicy Orchestrator / ProtPilot Source Overflow',
'Version' => '$Revision: 1.0 $',
'Authors' =>
[
'muts ',
'xbxice[at]yahoo.com',
'H D Moore '
],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'win2000', 'win2003' ],
```
Metasploit
McAfee ePolicy Orchestrator / ProtectionPilot Overflow
metasploit
This is an exploit for the McAfee HTTP Server (NAISERV.exe). McAfee ePolicy Orchestrator 2.5.1 <= 3.5.0 and ProtectionPilot 1.1.0 are known to be vulnerable. By sending a large 'Source' header, the stack can be overwritten. This module is based on the exploit by xbxice and muts. Due to size constraints, this module uses the Egghunter technique.
No writeups or analysis indexed.
References
- http://download.nai.com/products/patches/ePO/v3.5/EPO3506.txt
- http://download.nai.com/products/patches/protectionpilot/v1.1.1/PRP1113.txt
- http://knowledge.mcafee.com/SupportSite/search.do?cmd=displayKC&docType=kc&externalId=8611438&sliceId=SAL_Public&dialogID=2997768&stateId=0%200%202995803
- http://knowledge.mcafee.com/article/365/8611438_f.SAL_Public.html
- http://lists.grok.org.uk/pipermail/full-disclosure/2006-October/049803.html
- http://secunia.com/advisories/22222
- http://securitytracker.com/id?1016970
- http://securitytracker.com/id?1016971
- http://www.kb.cert.org/vuls/id/842452
- http://www.osvdb.org/29421
- http://www.remote-exploit.org/advisories/mcafee-epo.pdf
- http://www.securityfocus.com/bid/20288
- http://www.vupen.com/english/advisories/2006/3861
- https://exchange.xforce.ibmcloud.com/vulnerabilities/29307
Published 2006-10-05