CVE-2006-5478

Novell Netmail User Authentication Buffer Overflow Vulnerability

Severity Score

7.5

*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Multiple stack-based buffer overflows in Novell eDirectory 8.8.x before 8.8.1 FTF1, and 8.x up to 8.7.3.8, and Novell NetMail before 3.52e FTF2, allow remote attackers to execute arbitrary code via (1) a long HTTP Host header, which triggers an overflow in the BuildRedirectURL function; or vectors related to a username containing a . (dot) character in the (2) SMTP, (3) POP, (4) IMAP, (5) HTTP, or (6) Networked Messaging Application Protocol (NMAP) Netmail services.

Múltiples desbordamientos de búfer basado en pila en Novell eDirectory 8.8.x anterior a 8.8.1 FTF1, y 8.x hasta 8.7.3.8, y Novell NetMail anterior a 3.52e FTF2, permite a atacantes remotos ejecutar código de su elección mediante (1) una cabecera HTTP Host larga, que provoca el desbordamiento en la función BuildRedirectURL; o vectores relacionados con un nombre de usuario que contiene un carácter . (punto) en los servicios Netmail (2) SMTP, (3) POP, (4) IMAP, (5) HTTP o (6) Networked Messaging Application Protocol (NMAP).

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Novell Netmail. Exploitation does not require authentication.
The specific flaw exists within the user authentication component of Novell Netmail. The routine responsible for authenticating Netmail users lacks adequate bounds checking when processing a username containing one or more period (.) characters. The affected code is reused by several Netmail services including SMTP, POP, IMAP, HTTP and the proprietary NMAP. Each of these services is vulnerable to an exploitable stack-based buffer overflow.

*Credits: Anonymous

CVSS Scores

NISTv2 7.5

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2006-10-21 First Exploit
2006-10-24 CVE Reserved
2006-10-24 CVE Published
2023-11-12 EPSS Updated
2024-08-07 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CAPEC

References (22)

URL	Tag	Source
http://lists.grok.org.uk/pipermail/full-disclosure/2006-October/050382.html	Mailing List
http://lists.grok.org.uk/pipermail/full-disclosure/2006-October/050388.html	Mailing List
http://securitytracker.com/id?1017125	Vdb Entry
http://securitytracker.com/id?1017141	Vdb Entry
http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externalId=3723994&sliceId=SAL_Public&dialogID=16776123&stateId=1%200%202648401	X_refsource_confirm
http://www.securityfocus.com/archive/1/449899/100/0/threaded	Mailing List
http://www.securityfocus.com/archive/1/450017/100/0/threaded	Mailing List
http://www.securityfocus.com/archive/1/450520/100/100/threaded	Mailing List
http://www.securityfocus.com/bid/20655	Vdb Entry
http://www.securityfocus.com/bid/20853	Vdb Entry
http://www.zerodayinitiative.com/advisories/ZDI-06-035.html	X_refsource_misc
http://www.zerodayinitiative.com/advisories/ZDI-06-036.html	X_refsource_misc
https://secure-support.novell.com/KanisaPlatform/Publishing/134/3096026_f.SAL_Public.html	X_refsource_confirm

URL	Date	SRC
https://www.exploit-db.com/exploits/28835	2006-10-21
https://www.exploit-db.com/exploits/28836	2006-10-30
https://www.exploit-db.com/exploits/28837	2006-10-30
https://www.exploit-db.com/exploits/16773	2010-05-09
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/http/edirectory_host.rb	2006-10-21

URL	Date	SRC
http://secunia.com/advisories/22519	2018-10-17
http://support.novell.com/cgi-bin/search/searchtid.cgi?/2974600.htm	2018-10-17

URL	Date	SRC
http://www.mnin.org/advisories/2006_novell_httpstk.pdf	2018-10-17
http://www.vupen.com/english/advisories/2006/4141	2018-10-17

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Novell Search vendor "Novell"		Edirectory Search vendor "Novell" for product "Edirectory"				8.0 Search vendor "Novell" for product "Edirectory" and version "8.0"		-		Affected
Novell Search vendor "Novell"		Edirectory Search vendor "Novell" for product "Edirectory"				8.5 Search vendor "Novell" for product "Edirectory" and version "8.5"		-		Affected
Novell Search vendor "Novell"		Edirectory Search vendor "Novell" for product "Edirectory"				8.5.12a Search vendor "Novell" for product "Edirectory" and version "8.5.12a"		-		Affected
Novell Search vendor "Novell"		Edirectory Search vendor "Novell" for product "Edirectory"				8.5.27 Search vendor "Novell" for product "Edirectory" and version "8.5.27"		-		Affected
Novell Search vendor "Novell"		Edirectory Search vendor "Novell" for product "Edirectory"				8.6.2 Search vendor "Novell" for product "Edirectory" and version "8.6.2"		-		Affected
Novell Search vendor "Novell"		Edirectory Search vendor "Novell" for product "Edirectory"				8.7 Search vendor "Novell" for product "Edirectory" and version "8.7"		-		Affected
Novell Search vendor "Novell"		Edirectory Search vendor "Novell" for product "Edirectory"				8.7.1 Search vendor "Novell" for product "Edirectory" and version "8.7.1"		-		Affected
Novell Search vendor "Novell"		Edirectory Search vendor "Novell" for product "Edirectory"				8.7.1 Search vendor "Novell" for product "Edirectory" and version "8.7.1"		sp1		Affected
Novell Search vendor "Novell"		Edirectory Search vendor "Novell" for product "Edirectory"				8.7.3 Search vendor "Novell" for product "Edirectory" and version "8.7.3"		-		Affected
Novell Search vendor "Novell"		Edirectory Search vendor "Novell" for product "Edirectory"				8.7.3.8_presp9 Search vendor "Novell" for product "Edirectory" and version "8.7.3.8_presp9"		-		Affected