CVE-2006-5156
published 2006-10-05


Priority: P2 · 69 · critical
CVSS 2.0: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 71.62% (99.3rd percentile)
Buffer overflow in McAfee ePolicy Orchestrator before 3.5.0.720 and ProtectionPilot before 1.1.1.126 allows remote attackers to execute arbitrary code via a request to /spipe/pkg/ with a long source header.

Affected (3 ranges)

Vendor   Product               Version range   Fixed in
mcafee   epolicy_orchestrator
mcafee   epolicy_orchestrator
mcafee   protectionpilot

Detection & IOCs (extracted from sources)

url      /spipe/pkg
url      /SITEINFO.INI
ua       Mozilla/4.0 (compatible; SPIPE/1.0
other    0x601EDBDA
other    0x600741b5
process  NAISERV.exe
bytes    \x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8
  • Detect exploit attempts by inspecting HTTP requests to port 81 for a 'Source' header exceeding 260 bytes targeting the /spipe/pkg path.
  • Flag HTTP requests containing the custom header 'AgentGuid=' combined with 'Source=' on the same connection to /spipe/pkg as exploit indicators.
  • Detect the egghunter shellcode stub by scanning the HTTP POST body or Source header for the byte sequence \x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8.
  • Alert on HTTP GET requests to /spipe/pkg using User-Agent 'Mozilla/4.0 (compatible; SPIPE/1.0'; this is the spoofed agent string used by the exploit.
  • Monitor for GET requests to /SITEINFO.INI on port 81 as a pre-exploitation check/fingerprint step performed by the Metasploit module.
  • The SEH overwrite occurs at offset 96 within the Source header; a Source header value of exactly 260 alphanumeric characters with embedded binary at offset 96 is a strong exploit indicator.
  • Bad characters used in payload encoding are \x00\x09\x0a\x0b\x0d\x20\x26\x2b\x3d\x25\x8c\x3c\xff; shellcode in the Source header will avoid these bytes, which can aid in distinguishing exploit traffic.
  • The exploit targets port 81 by default (non-standard HTTP); ensure network monitoring covers this port for the McAfee ePO HTTP service (NAISERV.exe).
  • Two distinct ROP/SEH return addresses are used depending on target version: 0x601EDBDA (xmlutil.dll, ePO 3.5.0/ProtectionPilot 1.1.0) and 0x600741b5 (nahttp32.dll, ePO 2.5.1 SP1); detection rules should not rely solely on these static addresses, as they may vary across patch levels.
  • The egghunter tag is randomly generated per session (AlphaNumText(4)), so the egg tag itself cannot be used as a static signature; focus detection on the egghunter stub bytes instead.
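The detection points above, applied to raw HTTP requests in an added example (this is not code from the CVE record or from any vendor or Metasploit); it assumes Source and AgentGuid are sent as plain HTTP headers, and all sample requests are constructed for illustration.

```python
# Added example: apply the CVE-2006-5156 detection heuristics to raw HTTP
# requests seen on the ePO port (81 by default). Assumes 'Source' and
# 'AgentGuid' arrive as HTTP headers; all sample requests are constructed.

EGGHUNTER_STUB = (b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58"
                  b"\xcd\x2e\x3c\x05\x5a\x74\xef\xb8")   # stub bytes from the record
SPOOFED_UA = b"Mozilla/4.0 (compatible; SPIPE/1.0"
MAX_SOURCE_LEN = 260   # Source header length beyond which the overflow is reachable


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, path, headers, body); header names lowercased."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split()
    method, path = parts[0], parts[1]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def check_request(raw: bytes) -> list:
    """Return the names of the indicators from the record that fire on this request."""
    method, path, headers, body = parse_request(raw)
    hits = []
    source = headers.get(b"source", b"")
    if path.startswith(b"/spipe/pkg"):
        if len(source) > MAX_SOURCE_LEN:
            hits.append("long-source-header")
        if b"agentguid" in headers and source:
            hits.append("agentguid-with-source")
        if headers.get(b"user-agent", b"").startswith(SPOOFED_UA):
            hits.append("spoofed-spipe-ua")   # weak on its own; combine with other hits
    if EGGHUNTER_STUB in source or EGGHUNTER_STUB in body:
        hits.append("egghunter-stub")
    if method == b"GET" and path.upper() == b"/SITEINFO.INI":
        hits.append("siteinfo-fingerprint")
    return hits


# Constructed sample traffic (not real captures).
BENIGN = (b"GET /spipe/pkg/ HTTP/1.0\r\nHost: epo.example.test:81\r\n"
          b"User-Agent: curl/8.0\r\nSource: agent01\r\n\r\n")
FINGERPRINT = b"GET /SITEINFO.INI HTTP/1.0\r\nHost: epo.example.test:81\r\n\r\n"
SUSPECT = (b"GET /spipe/pkg/ HTTP/1.0\r\nHost: epo.example.test:81\r\n"
           b"User-Agent: Mozilla/4.0 (compatible; SPIPE/1.0\r\n"
           b"AgentGuid: {00000000-0000-0000-0000-000000000000}\r\n"
           b"Source: " + b"A" * 261 + EGGHUNTER_STUB + b"\r\n\r\n")
```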

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v2.0      10.0    CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
osv                5.0     MEDIUM