CVE-2006-5854

Novell Netware Client 4.91-4.91 SP2 - Remote Code Execution via Spooler Service Buffer Overflow

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2006-5854. PoCs published by Andres Tarasco, Andres Tarasco Acuna.

AI-analyzed exploit summary This exploit targets a vulnerability in the Windows spooler service (CVE-2006-5854) by leveraging insecure EnumPrintersW() calls to achieve local privilege escalation (LPE) to SYSTEM. It uses a shared memory section and a bind shell payload to gain control.

Description

Multiple buffer overflows in the Spooler service (nwspool.dll) in Novell Netware Client 4.91 through 4.91 SP2 allow remote attackers to execute arbitrary code via a long argument to the (1) EnumPrinters and (2) OpenPrinter functions.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Andres Tarasco · clocalwindows
https://www.exploit-db.com/exploits/3220

This exploit targets a vulnerability in the Windows spooler service (CVE-2006-5854) by leveraging insecure EnumPrintersW() calls to achieve local privilege escalation (LPE) to SYSTEM. It uses a shared memory section and a bind shell payload to gain control.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Windows spooler service (affecting Citrix Metaframe, DiskAccess NFS Client, Novell)
No auth needed
Prerequisites: Vulnerable printer provider DLLs (e.g., dapcnfsd.dll, cpprov.dll, nwspool.dll) · Access to the local system
devstral-2 · analyzed Feb 18, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Andres Tarasco Acuna · cremotewindows
https://www.exploit-db.com/exploits/29146

This exploit targets a buffer overflow vulnerability in Novell Client (CVE-2006-5854) via insecure EnumPrintersW() calls in the spooler service. It leverages shared memory manipulation to achieve arbitrary code execution, specifically a bind shell on port 51477 with SYSTEM privileges.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Novell Client 4.91 (nwspool.dll)
No auth needed
Prerequisites: Access to the target system's spooler service · Vulnerable printer provider (e.g., nwspool.dll) installed
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (13)

Core 13
Core References
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/300636
Third Party Advisory, VDB Entry x_refsource_misc
http://www.securityfocus.com/data/vulnerabilities/exploits/testlpc.c
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1017263
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/21220
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/4631
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/453012/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1017315
Patch, Vendor Advisory x_refsource_misc
http://www.zerodayinitiative.com/advisories/ZDI-06-043.html
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/653076
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/30461
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/23027

Scores

EPSS 0.5704
EPSS Percentile 98.9%

Details

Status published
Products (1)
novell/netware_client 4.91 (3 CPE variants)
Published Dec 03, 2006
Tracked Since Feb 18, 2026