CVE-2000-0949
Published 2000-12-19
CVE-2000-0949: Heap overflow in savestr function in LBNL traceroute 1.4a5 and earlier allows a local user to execute arbitrary commands via the -g option.
Priority P424 · high · 7.2 (CVSS 2.0)
AV:L/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 1.18% (63.7th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lbl | lbl_traceroute | — | — |
| sun | sunos | — | — |
CVSS provenance
nvd · v2.0 · 7.2 HIGH · AV:L/AC:L/Au:N/C:C/I:C/A:C
vendor_redhat · 7.2 HIGH
Red Hat
vendor_redhat·2000-09-28·CVSS 7.2
CVE-2000-0949 [HIGH] security flaw
Heap overflow in savestr function in LBNL traceroute 1.4a5 and earlier allows a local user to execute arbitrary commands via the -g option.
Statement: This issue was fixed in the following products:
- Red Hat Linux 5.0 - RHSA-2000:078 (2000-10-13)
- Red Hat Linux 5.1 - RHSA-2000:078 (2000-10-13)
- Red Hat Linux 5.2 - RHSA-2000:078 (2000-10-13)
- Red Hat Linux 6.0 - RHSA-2000:078 (2000-10-13)
- Red Hat Linux 6.1 - RHSA-2000:078 (2000-10-13)
- Red Hat Linux 6.2 - RHSA-2000:078 (2000-10-13)
GHSA
GHSA-qw66-x6vv-xrg3: Heap overflow in savestr function in LBNL traceroute 1
ghsa_unreviewed·2022-04-30
CVE-2000-0949 [HIGH] GHSA-qw66-x6vv-xrg3: Heap overflow in savestr function in LBNL traceroute 1
Heap overflow in savestr function in LBNL traceroute 1.4a5 and earlier allows a local user to execute arbitrary commands via the -g option.
No detection rules found.
Exploit-DB
LBL Traceroute - Local Privilege Escalation
exploitdb·2000-11-15
CVE-2000-0949 LBL Traceroute - Local Privilege Escalation
---
/*
* MasterSecuritY
*
* openwall.c - Local root exploit in LBNL traceroute
* Copyright (C) 2000 Michel "MaXX" Kaempf
*
* Updated versions of this exploit and the corresponding advisory will
* be made available at:
*
* ftp://maxx.via.ecp.fr/traceroot/
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* Yo
Exploit-DB
LBL Traceroute 1.4 a5 - Heap Corruption (1)
exploitdb·2000-09-28
CVE-2000-0949 LBL Traceroute 1.4 a5 - Heap Corruption (1)
---
// source: https://www.securityfocus.com/bid/1739/info
Traceroute is a well-known network diagnostic tool used for analyzing the path on a network between two hosts. On Unix systems, traceroute is typically installed setuid root because of its use of raw sockets. Certain versions of LBNL traceroute are vulnerable to an interesting attack involving freeing of pointers pointing to unallocated memory.
When traceroute is executed with the arguments "-g x -g x", the function "savestr()" is called twice. savestr() does what strdup() does without the extra malloc() call and is used when parsing the hostname or "dotted quad notation" IP address argument to the -g parameter. It uses a block of pre-allocated memory instead of allocating memory itse
Exploit-DB
LBL Traceroute 1.4 a5 - Heap Corruption (2)
exploitdb·2000-09-28
CVE-2000-0949 LBL Traceroute 1.4 a5 - Heap Corruption (2)
---
// source: https://www.securityfocus.com/bid/1739/info
Exploit-DB
LBL Traceroute 1.4 a5 - Heap Corruption (3)
exploitdb·2000-09-28
CVE-2000-0949 LBL Traceroute 1.4 a5 - Heap Corruption (3)
---
// source: https://www.securityfocus.com/bid/1739/info
- http://archives.neohapsis.com/archives/bugtraq/2000-09/0344.html
- http://archives.neohapsis.com/archives/bugtraq/2000-09/0357.html
- http://www.calderasystems.com/support/security/advisories/CSSA-2000-034.0.txt
- http://www.debian.org/security/2000/20001013
- http://www.linux-mandrake.com/en/security/MDKSA-2000-053.php3?dis=7.1
- http://www.redhat.com/support/errata/RHSA-2000-078.html
- http://www.securityfocus.com/bid/1739
- http://www.turbolinux.com/pipermail/tl-security-announce/2000-October/000025.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/5311
Published: 2000-12-19