CVE-2006-6652

NetBSD-current <20050914 - NetBSD libc - RCE

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2006-6652. PoCs published by kcope, kingcope.

AI-analyzed exploit summary This exploit targets a remote buffer overflow vulnerability in NetBSD ftpd and tnftpd due to an off-by-one error in the globbing mechanism. It attempts to overwrite the stack with controlled data to achieve arbitrary code execution, though the exploit notes challenges in full EIP control.

Description

Buffer overflow in the glob implementation (glob.c) in libc in NetBSD-current before 20050914, NetBSD 2.* and 3.* before 20061203, and Apple Mac OS X before 2007-004, as used by the FTP daemon and tnftpd, allows remote authenticated users to execute arbitrary code via a long pathname that results from path expansion.

Exploits (2)

exploitdb WORKING POC VERIFIED
by kcope · perldosnetbsd_x86
https://www.exploit-db.com/exploits/29204

This exploit targets a remote buffer overflow vulnerability in NetBSD ftpd and tnftpd due to an off-by-one error in the globbing mechanism. It attempts to overwrite the stack with controlled data to achieve arbitrary code execution, though the exploit notes challenges in full EIP control.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Theoretical
Target: NetBSD ftpd, tnftpd (versions up to 20050303 and 20040810 respectively)
Auth required
Prerequisites: Network access to the target FTP service · Valid credentials for authentication
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by kingcope · perldosbsd
https://www.exploit-db.com/exploits/2874

This exploit targets a remote stack overflow in NetBSD ftpd and tnftpd via malformed directory names with globbing characters. It sends a crafted MKD and NLST command sequence to trigger the vulnerability, potentially leading to remote code execution as root.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Theoretical
Target: NetBSD ftpd, tnftpd (versions up to 20050303, 20040810)
Auth required
Prerequisites: Network access to the FTP service · Valid FTP credentials
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (12)

Core 12
Core References
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/24966
Patch, Vendor Advisory vendor-advisory x_refsource_netbsd
http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2006-027.txt.asc
Patch, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1017386
Vendor Advisory x_refsource_confirm
http://docs.info.apple.com/article.html?artnum=305391
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/30670
Broken Link vdb-entry x_refsource_osvdb
http://www.osvdb.org/31781
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA07-109A.html
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/23178
Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://lists.grok.org.uk/pipermail/full-disclosure/2006-December/051009.html
Vendor Advisory vendor-advisory x_refsource_apple
http://lists.apple.com/archives/Security-announce/2007/Apr/msg00001.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/21377
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2007/1470

Scores

EPSS 0.1941
EPSS Percentile 97.0%

Details

CWE
CWE-119
Status published
Products (45)
apple/mac_os_x 10.0
apple/mac_os_x 10.0.1
apple/mac_os_x 10.0.2
apple/mac_os_x 10.0.3
apple/mac_os_x 10.0.4
apple/mac_os_x 10.1
apple/mac_os_x 10.1.1
apple/mac_os_x 10.1.2
apple/mac_os_x 10.1.3
apple/mac_os_x 10.1.4
... and 35 more
Published Dec 20, 2006
Tracked Since Feb 18, 2026