CVE-2001-0803
published 2001-12-06


Priority: P2 (60)
CVSS 2.0: 10 (critical), vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 85.56% (99.7th percentile)
Buffer overflow in the client connection routine of libDtSvc.so.1 in CDE Subprocess Control Service (dtspcd) allows remote attackers to execute arbitrary commands.

Affected (6 ranges)

Vendor: open_group
Product: cde_common_desktop_environment
Version range / Fixed in: all six entries list the same vendor and product; no version range or fixed-in version is given for any of them.

Detection & IOCs (extracted from sources)

  • port: 6112
  • path: /usr/dt/bin/dtspcd
  • command: spc_register('root', "\x00")
  • command: sprintf("%08x%02x%04x%04x %s", 2, cmd, buff.length, (@spc_seq += 1), buff)
  • bytes: \xa4\x1c\x40\x11
  • bytes: \xa4\x1c\x40\x11\x20\xbf\xff\xff
  • dtspcd listens on TCP port 6112; inbound connections to this port from untrusted hosts should be alerted on, especially where the service is CDE dtspcd on Solaris 8 SPARC.
  • Exploit sends a crafted SPC registration packet beginning with '4 \x00<user>\x00\x0010\x00<buf>'; detect anomalously large registration buffers (>4096 bytes) on port 6112.
  • Exploit wire format prefixes each message with a fixed 20-byte header: 8 hex channel + 2 hex cmd + 4 hex length + 4 hex seq + space. Anomalous message lengths (e.g. 0x103e / 4158 bytes) in this format on port 6112 indicate exploitation.
  • NOP sled equivalent for SPARC consists of repeated \xa4\x1c\x40\x11\x20\xbf\xff\xff byte sequences; presence of this pattern in network traffic to port 6112 is a strong shellcode indicator.
  • The exploit probes for a vulnerable dtspcd by sending a registration with user='root' and reading back a colon-delimited host:os:ver:arch banner; detection of this probe pattern (short registration followed by a 4-field colon-delimited response) can identify reconnaissance.
  • The Metasploit module only targets Solaris 8 SPARC; hardcoded return addresses and heap offsets are specific to this platform and will not work against other architectures or OS versions.
  • Payload bad characters are \x00 and \x0d; any detection signature or payload-based YARA rule must account for encoder wrapping that avoids these bytes.