CVE-2006-5792
published 2006-11-07

Priority: P354, high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Tags: EXPLOIT
EPSS: 59.96% (99.0th percentile)

Unspecified vulnerability in XLink Omni-NFS Enterprise allows remote attackers to execute arbitrary code via unspecified vectors, as demonstrated by vd_xlink2.pm, an "Omni-NFS Enterprise remote exploit." NOTE: this is probably a different vulnerability than CVE-2006-5780. As of 20061107, this disclosure has no actionable information. However, since it is from a reliable researcher, it is being assigned a CVE identifier for tracking purposes.

Detection & IOCs (extracted from sources)

filename: vd_xlink2.pm
filename: OmniEOM.DLL
other: 0x1001f09c
other: XLINK FTP Server
bytes: \x81\xc4\xff\xef\xff\xff\x44

  • Detect the Xlink FTP Server by matching the FTP banner string 'XLINK FTP Server'; the Metasploit module uses this exact banner check to confirm vulnerability.
  • Server-side exploit sends an oversized FTP request: payload (up to 260 bytes) + 4-byte little-endian return address (0x1001f09c) + random alpha-upper padding to 2024 bytes total, terminated with \r\n. Alert on FTP requests exceeding normal length thresholds against Xlink FTP Server.
  • Client-side exploit delivers an oversized FTP server response: 260 bytes random alpha-upper + 4-byte return address + payload (up to 550 bytes) + padding to 1024 bytes + \r\n. Monitor for anomalously large FTP server responses on port 21.
  • The stack-adjustment prepend encoder sequence \x81\xc4\xff\xef\xff\xff\x44 (ADD ESP,-0x1001 / INC ESP) appears at the start of shellcode in both server and client exploits; scan FTP traffic for this byte sequence.
  • Bad characters for the server-side payload are \x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e; encoded shellcode in FTP traffic will avoid these bytes.
  • The exploit targets OmniEOM.DLL version 1.0.0.1 (return address 0x1001f09c). Presence of this DLL version on a Windows host running Omni-NFS Enterprise 5.2 indicates a vulnerable configuration.
  • The NVD advisory explicitly states no actionable information was available at disclosure time; the Metasploit modules (dated Oct 3 2009) are the primary source of technical detail and may not reflect the original 2006 exploit vector referenced by vd_xlink2.pm.
  • CVE-2006-5792 is shared across both the server-side (xlink_server.rb) and client-side (xlink_client.rb) Metasploit modules, but these are likely distinct vulnerabilities; CVE-2006-5780 may cover one of them.
  • The server-side exploit payload space is limited to 260 bytes with EXITFUNC=thread; the client-side payload space is 550 bytes with EXITFUNC=process. Payload selection must respect these constraints.
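
The network-side checks from the detection notes above (banner match, over-long control-channel lines in either direction, and the stack-adjustment byte sequence), as an added Python example that is not code from the page's sources. The 512-byte line ceiling, the `(direction, bytes)` event format and the sample session are assumptions constructed for illustration.

```python
# Indicators taken from the detection notes above.
BANNER = b"XLINK FTP Server"
STACK_ADJUST = b"\x81\xc4\xff\xef\xff\xff\x44"  # ADD ESP,-0x1001 / INC ESP
# Assumption: 512 bytes is a generous ceiling for one FTP control-channel
# line; tune it to the baseline of your own traffic.
MAX_LINE = 512


def inspect_session(events, max_line=MAX_LINE):
    """Return (saw_xlink_banner, alerts) for one FTP control session.

    events: ordered list of (direction, data); direction is 'c2s' or 's2c'
    and data is the raw bytes of one captured segment in that direction.
    """
    alerts = []
    xlink = False
    buffers = {"c2s": b"", "s2c": b""}
    for direction, data in events:
        buffers[direction] += data
        # Evaluate only complete CRLF-terminated lines; keep the remainder so
        # a line split across TCP segments is still measured as a whole.
        *lines, buffers[direction] = buffers[direction].split(b"\r\n")
        for line in lines:
            if direction == "s2c" and BANNER in line:
                xlink = True
                alerts.append(("xlink_banner", direction, len(line)))
            if len(line) > max_line:
                alerts.append(("oversized_line", direction, len(line)))
            if STACK_ADJUST in line:
                alerts.append(("stack_adjust_bytes", direction, len(line)))
    # Data that never saw a CRLF but is already too long is also reported.
    for direction, rest in buffers.items():
        if len(rest) > max_line:
            alerts.append(("oversized_unterminated", direction, len(rest)))
    return xlink, alerts


# Constructed sample session: filler bytes only, no working payload.
SAMPLE = [
    ("s2c", b"220 XLINK FTP Server ready\r\n"),
    ("c2s", b"USER anonymous\r\n"),
    ("s2c", b"331 Password required\r\n"),
    ("c2s", STACK_ADJUST + b"A" * 1000),  # first segment of one long line
    ("c2s", b"A" * 1017 + b"\r\n"),       # remainder, 2024 bytes in total
]

if __name__ == "__main__":
    print(inspect_session(SAMPLE))
```

Feed it reassembled control-channel segments per session; the same length check covers the oversized server responses described for the client-side case.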