CVE-2001-0803
Published: 2001-12-06
Priority: P2 · 60 · critical
CVSS 2.0: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: public exploit available
EPSS: 85.56% (99.7th percentile)
Buffer overflow in the client connection routine of libDtSvc.so.1 in CDE Subprocess Control Service (dtspcd) allows remote attackers to execute arbitrary commands.
Affected (6 ranges, all for the same vendor/product; no version bounds or fixed versions are recorded)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| open_group | cde_common_desktop_environment | — | — |
Detection & IOCs (extracted from sources)
- bytes: `\xa4\x1c\x40\x11`
- bytes: `\xa4\x1c\x40\x11\x20\xbf\xff\xff`
- dtspcd listens on TCP port 6112; inbound connections to this port from untrusted hosts should be alerted on, especially where the service is CDE dtspcd on Solaris 8 SPARC.
- The exploit sends a crafted SPC registration packet beginning with `4 \x00<user>\x00\x0010\x00<buf>`; detect anomalously large registration buffers (>4096 bytes) on port 6112.
- The exploit's wire format prefixes each message with a fixed 20-byte header: 8 hex channel + 2 hex cmd + 4 hex length + 4 hex seq + space. Anomalous message lengths (e.g. 0x103e / 4158 bytes) in this format on port 6112 indicate exploitation.
- The NOP-sled equivalent for SPARC consists of repeated `\xa4\x1c\x40\x11\x20\xbf\xff\xff` byte sequences; the presence of this pattern in network traffic to port 6112 is a strong shellcode indicator.
- The exploit probes for a vulnerable dtspcd by sending a registration with user `root` and reading back a colon-delimited host:os:ver:arch banner; a short registration followed by a 4-field colon-delimited response can identify reconnaissance.
- The Metasploit module only targets Solaris 8 SPARC; its hardcoded return addresses and heap offsets are specific to that platform and will not work against other architectures or OS versions.
- Payload bad characters are `\x00` and `\x0d`; any detection signature or payload-based YARA rule must account for encoder wrapping that avoids these bytes.
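The header layout, size threshold, SPARC byte pattern and root-registration probe listed above can be combined into one small checker that a sensor or log-replay script could run per message. The Python below is an added example written for this page; it is not code from the Metasploit module, the Exploit-DB entries, or any of the listed advisories. It assumes the header is exactly 20 bytes as stated above, with the 18 hex characters followed by separator padding, and the sample messages, port filter and heuristic names are constructed for illustration.

```python
import re
from typing import Optional

# Constants taken from the detection notes on this page; thresholds are the page's own
DTSPCD_PORT = 6112
HEADER_LEN = 20                     # page: fixed 20-byte header
MAX_SANE_LEN = 4096                 # page: registration buffers > 4096 bytes are anomalous
SPARC_NOP_EQUIV = b"\xa4\x1c\x40\x11\x20\xbf\xff\xff"   # byte pattern quoted on the page
ROOT_PROBE_PREFIX = b"4 \x00root\x00"                    # page: probe registers as user 'root'

# 8 hex channel + 2 hex cmd + 4 hex length + 4 hex seq; the remainder of the
# 20 bytes is treated as separator padding (assumption, see lead-in)
HEADER_RE = re.compile(rb"^([0-9a-fA-F]{8})([0-9a-fA-F]{2})([0-9a-fA-F]{4})([0-9a-fA-F]{4})")


def parse_spc_header(msg: bytes) -> Optional[dict]:
    """Split one SPC message into header fields and body; None if it does not fit the layout."""
    if len(msg) < HEADER_LEN:
        return None
    m = HEADER_RE.match(msg[:HEADER_LEN])
    if m is None:
        return None
    return {
        "channel": int(m.group(1), 16),
        "cmd": int(m.group(2), 16),
        "length": int(m.group(3), 16),
        "seq": int(m.group(4), 16),
        "body": msg[HEADER_LEN:],
    }


def spc_indicators(msg: bytes, dst_port: int = DTSPCD_PORT) -> list:
    """Names of the page's heuristics that fire on one message sent to dst_port."""
    hits = []
    if dst_port != DTSPCD_PORT:
        return hits                      # only traffic to the dtspcd port is in scope
    hdr = parse_spc_header(msg)
    if hdr is None:
        return hits                      # not SPC framing; nothing to say
    # declared length or actual body larger than a registration should need
    if hdr["length"] > MAX_SANE_LEN or len(hdr["body"]) > MAX_SANE_LEN:
        hits.append("oversized_spc_message")
    if SPARC_NOP_EQUIV in hdr["body"]:
        hits.append("sparc_nop_equivalent")
    if hdr["body"].startswith(ROOT_PROBE_PREFIX):
        hits.append("root_registration_probe")
    return hits


def build_sample(channel: int, cmd: int, seq: int, body: bytes) -> bytes:
    """Frame a body in the header layout above; used only to construct sample data."""
    head = b"%08x%02x%04x%04x" % (channel, cmd, len(body) & 0xFFFF, seq)
    return head.ljust(HEADER_LEN, b" ") + body


# Constructed sample traffic (not captured data)
BENIGN = build_sample(0, 4, 1, b"4 \x00alice\x00\x0010\x00" + b"A" * 16)
ROOT_PROBE = build_sample(0, 4, 1, b"4 \x00root\x00\x0010\x00")
OVERSIZED = build_sample(0, 4, 2, SPARC_NOP_EQUIV * 4 + b"B" * 4200)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("root_probe", ROOT_PROBE), ("oversized", OVERSIZED)):
        print(name, spc_indicators(sample))
```

The length check looks at both the declared length field and the real body size, so a message that lies in its header is still caught; the root-probe heuristic is deliberately kept separate from the size heuristic because, as the notes say, the probe is short and only signals reconnaissance rather than exploitation.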
No detection rules found.
Exploit-DB: Solaris dtspcd - Remote Heap Overflow (Metasploit) (exploitdb, 2010-04-30)
```ruby
##
# $Id: heap_noir.rb 9179 2010-04-30 08:40:19Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Solaris dtspcd Heap Overflow',
			'Description'    => %q{
					This is a port of noir's dtspcd exploit. This module should
				work against any vulnerable version of Solaris 8 (sparc).
				The original exploit code was published in the book
				Shellcoder's Handbook.
			},
			'Author'         => [ 'noir ', 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9179 $',
			'References'     =>
				[
					[ 'CVE', '2001-0803'],
					[ 'OS
```
Exploit-DB: Solaris 8 dtspcd - Remote Heap Overflow (Metasploit) (exploitdb, 2002-06-10)
```ruby
##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Solaris dtspcd Heap Overflow',
			'Description'    => %q{
					This is a port of noir's dtspcd exploit. This module should
				work against any vulnerable version of Solaris 8 (sparc).
				The original exploit code was published in the book
				Shellcoder's Handbook.
			},
			'Author'         => [ 'noir ', 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2001-0803'],
					[ 'OSVDB', '4503'],
					[ 'BID', '3517'],
					[ 'URL', 'http:/
```
Metasploit: Solaris dtspcd Heap Overflow
This is a port of noir's dtspcd exploit. This module should work against any vulnerable version of Solaris 8 (sparc). The original exploit code was published in the book Shellcoder's Handbook.
No writeups or analysis indexed.
References
- ftp://patches.sgi.com/support/free/security/advisories/20011107-01-P
- ftp://stage.caldera.com/pub/security/openunix/CSSA-2001-SCO.30/
- http://ftp.support.compaq.com/patches/.new/html/SSRT-541.shtml
- http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/214
- http://www.cert.org/advisories/CA-2001-31.html
- http://www.cert.org/advisories/CA-2002-01.html
- http://www.kb.cert.org/vuls/id/172583
- http://www.securityfocus.com/advisories/3651
- http://www.securityfocus.com/bid/3517
- http://xforce.iss.net/alerts/advise101.php
- https://exchange.xforce.ibmcloud.com/vulnerabilities/7396
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A70
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A74