CVE-2003-0127
published 2003-03-31

Priority: P2 · 76
CVSS 2.0: 7.2 (high)
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 1.58% (72.5th percentile)
The kernel module loader in Linux kernel 2.2.x before 2.2.25, and 2.4.x before 2.4.21, allows local users to gain root privileges by using ptrace to attach to a child process that is spawned by the kernel.

Affected

47 ranges · showing 25
Vendor · Product · Version range · Fixed in
linux · linux_kernel

Detection & IOCs (extracted from sources)

path: /tmp/w00w00w
path: /dev/dsp3
port: 4112
command: socket(AF_SECURITY, SOCK_STREAM, 1)
path: /proc/self/exe
path: /usr/bin/passwd
bytes
\x90\x90\xeb\x1f\xb8\xb6\x00\x00\x00\x5b\x31\xc9\x89\xca\xcd\x80\xb8\x0f\x00\x00\x00\xb9\xed\x0d\x00\x00\xcd\x80\x89\xd0\x89\xd3\x40\xcd\x80\xe8\xdc\xff\xff\xff
bytes
\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xb0\x2e\xcd\x80\x31\xc0\x50\x40\x50\x40\x50\x8d\x58\xff\x89\xe1\xb0\x66\xcd\x80
  • Monitor for unprivileged processes issuing socket(AF_SECURITY, SOCK_STREAM, 1) as a trigger to force kernel module loading (kmod), which is the exploit's mechanism to spawn the privileged child process.
  • Alert on creation of world-executable scripts at /tmp/w00w00w, which is the hardcoded payload drop path used by one exploit variant.
  • Detect processes writing shellcode via PTRACE_POKETEXT into a process whose /proc/<pid>/status shows uid=0/euid=0 while the tracing process is unprivileged.
  • Watch for rapid sequential ptrace(PTRACE_ATTACH) attempts across a range of PIDs (chldpid+1 through chldpid+10, or 1 through 30000 in randomized mode) from a single process, indicative of PID-brute-forcing exploit variants.
  • Detect inbound connections on port 4112 or 24876 to a host running a vulnerable kernel, as exploit variants bind a root shell on these ports post-exploitation.
  • Temporary mitigation indicator: writing a non-executable path to /proc/sys/kernel/modprobe disables kmod and closes the attack vector.
  • The exploit has a hardcoded 10-second alarm timeout; if the race is not won within that window, it aborts. Detection logic should account for repeated short-lived exploit process executions.
  • Affected kernel versions are Linux 2.2.x before 2.2.25 and 2.4.x before 2.4.21. Systems running patched versions are not vulnerable.
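
The PID-sweep check from the list above, as an added example (not taken from the page's sources): it flags an unprivileged process that issues PTRACE_ATTACH against many distinct PIDs within the 10-second window. The auditd-style record layout, the i386 syscall number 26, the threshold and all sample records are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

PTRACE_ATTACH = 0x10        # ptrace request number (a0), from <sys/ptrace.h>
WINDOW_SECONDS = 10.0       # the exploit's alarm timeout noted on this page
MIN_DISTINCT_TARGETS = 5    # assumed threshold; tune per environment

# Assumed record layout, modeled on auditd SYSCALL lines (a0/a1 are hex).
RECORD = re.compile(
    r"msg=audit\((?P<ts>[\d.]+):\d+\).*?\bsyscall=26\b.*?"
    r"\ba0=(?P<a0>[0-9a-f]+) a1=(?P<a1>[0-9a-f]+).*?"
    r"\bpid=(?P<pid>\d+) uid=(?P<uid>\d+)")

def _rec(ts, pid, uid, target):
    """Build one constructed sample record (not real log data)."""
    return (f"type=SYSCALL msg=audit({ts:.3f}:1): arch=40000003 syscall=26 "
            f"success=no exit=-3 a0={PTRACE_ATTACH:x} a1={target:x} a2=0 a3=0 "
            f'pid={pid} uid={uid} euid={uid} comm="a.out"')

SAMPLE_LOG = (
    # uid 1000 sweeps ten consecutive PIDs in half a second
    [_rec(1049100000 + i * 0.05, 1234, 1000, 1235 + i) for i in range(10)]
    # an ordinary debugger attaching to a single process
    + [_rec(1049100100.0, 2000, 1000, 2001)]
    # root attaching to several PIDs: not the unprivileged case
    + [_rec(1049100200 + i, 1, 0, 300 + i) for i in range(6)])

def find_pid_sweeps(lines):
    """Return one alert per unprivileged tracer that crosses the threshold."""
    by_tracer = defaultdict(list)
    for line in lines:
        m = RECORD.search(line)
        if not m or int(m["a0"], 16) != PTRACE_ATTACH or m["uid"] == "0":
            continue
        by_tracer[int(m["pid"])].append((float(m["ts"]), int(m["a1"], 16)))
    alerts = []
    for tracer, events in by_tracer.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it spans <= WINDOW_SECONDS
            while events[end][0] - events[start][0] > WINDOW_SECONDS:
                start += 1
            targets = {t for _, t in events[start:end + 1]}
            if len(targets) >= MIN_DISTINCT_TARGETS:
                alerts.append({"tracer_pid": tracer, "targets": sorted(targets)})
                break   # one alert per tracer is enough
    return alerts

if __name__ == "__main__":
    for alert in find_pid_sweeps(SAMPLE_LOG):
        print(alert)
```

Because each exploit run is short-lived, grouping by uid instead of pid would also catch repeated executions by the same user.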

CVSS provenance

nvd · v2.0 · 7.2 · HIGH · AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck · 7.2 · HIGH
vendor_redhat · 7.2 · HIGH