CVE-2006-0992

Novell GroupWise Messenger - Stack-Based Buffer Overflow via Accept-Language Header

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2006-0992. PoCs published by Metasploit, H D Moore, hdm, including Metasploit module exploits/windows/http/novell_messenger_acceptlang.

AI-analyzed exploit summary This exploit targets a stack buffer overflow in Novell GroupWise Messenger Server v2.0 via an HTTP request with an oversized Accept-Language header. It leverages a memcpy operation to overwrite the return address and execute payloads, with specific bad character restrictions.

Description

Stack-based buffer overflow in Novell GroupWise Messenger before 2.0 Public Beta 2 allows remote attackers to execute arbitrary code via a long Accept-Language value without a comma or semicolon. NOTE: due to a typo, the original ZDI advisory accidentally referenced CVE-2006-0092. This is the correct identifier.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotewindows
https://www.exploit-db.com/exploits/16757

This exploit targets a stack buffer overflow in Novell GroupWise Messenger Server v2.0 via an HTTP request with an oversized Accept-Language header. It leverages a memcpy operation to overwrite the return address and execute payloads, with specific bad character restrictions.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Novell GroupWise Messenger Server v2.0
No auth needed
Prerequisites: Network access to the target server on port 8300 · Target server running Novell GroupWise Messenger Server v2.0
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by H D Moore · remotenovell
https://www.exploit-db.com/exploits/1679

This exploit targets a stack overflow vulnerability in Novell GroupWise Messenger Server v2.0 by sending an HTTP request with an overly long Accept-Language header. It leverages a JMP ESP instruction to redirect execution to the shellcode, which is placed in the data section.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Novell GroupWise Messenger Server v2.0 (DClient.dll v10510.37)
No auth needed
Prerequisites: Network access to the target server on port 8300 (or configured port) · Target software must be vulnerable (unpatched Novell GroupWise Messenger Server v2.0)
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC NORMAL
by hdm · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/novell_messenger_acceptlang.rb

This exploit targets a stack buffer overflow in Novell GroupWise Messenger Server v2.0 via an overly long Accept-Language HTTP header. It leverages a memcpy operation to overwrite the return address and execute arbitrary payloads, with specific bad character restrictions.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Theoretical
Target: Novell GroupWise Messenger Server v2.0
No auth needed
Prerequisites: Network access to the target server on port 8300 · Target software running with vulnerable DClient.dll v10510.37
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (12)

Core 12
Core References
Patch, Vendor Advisory x_refsource_misc
http://www.zerodayinitiative.com/advisories/ZDI-06-008.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/24617
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/1355
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/25828
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/19663
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/430911/100/0/threaded
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/1679
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1015911
Various Sources x_refsource_misc
http://cirt.dk/advisories/cirt-42-advisory.txt
Patch vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/17503

Scores

EPSS 0.7283
EPSS Percentile 99.4%

Details

Status published
Products (1)
novell/groupwise_messenger 2.0
Published Apr 14, 2006
Tracked Since Feb 18, 2026