CVE-1999-0192

EXPLOITED

Linux - Buffer Overflow in Telnet Daemon via TERMCAP Environment Variable

Title source: llm

Exploitation Summary

CVE-1999-0192 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits from researchers including sk8, m0f0.

AI-analyzed exploit summary: This exploit targets a buffer overflow in libtermcap's tgetent() function (CVE-1999-0192), allowing local privilege escalation via a crafted termcap file. It leverages shellcode injection and stack manipulation to spawn a root shell when executed against vulnerable setuid programs like xterm.

Description

Buffer overflow in telnet daemon tgetent routine allows remote attackers to gain root access via the TERMCAP environment variable.

Exploits (2)

exploitdb WORKING POC VERIFIED
by sk8 · c · local · linux
https://www.exploit-db.com/exploits/19465

This exploit targets a buffer overflow in libtermcap's tgetent() function (CVE-1999-0192), allowing local privilege escalation via a crafted termcap file. It leverages shellcode injection and stack manipulation to spawn a root shell when executed against vulnerable setuid programs like xterm.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: libtermcap < 2.0.8-15 (e.g., Red Hat Linux 5.2/4.2)
No auth needed
Prerequisites: Vulnerable libtermcap version · Setuid program linked to libtermcap (e.g., xterm) · Write access to /tmp
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by m0f0 · c · local · linux
https://www.exploit-db.com/exploits/19464

This exploit targets a buffer overflow in libtermcap's tgetent() function (CVE-1999-0192) to achieve local privilege escalation via xterm. It crafts a malicious termcap file with NOPs, a return address, and shellcode to spawn a shell.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: libtermcap 2.0.8 and earlier (via xterm)
No auth needed
Prerequisites: xterm linked against vulnerable libtermcap · ability to set TERMCAP environment variable
devstral-2 · analyzed Feb 16, 2026

References (1)

Core References
Third Party Advisory, VDB Entry x_refsource_misc
https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0192

Scores

EPSS 0.0666
EPSS Percentile 91.5%

Details

VulnCheck KEV 2017-06-20
Status published
Products (14)
redhat/linux 4.0
redhat/linux 4.1
redhat/linux 4.2
redhat/linux 5.0
redhat/linux 5.1
redhat/linux 5.2
redhat/linux 6.0
slackware/slackware_linux 3.2
slackware/slackware_linux 3.3
slackware/slackware_linux 3.4
... and 4 more
Published Oct 18, 1997
Tracked Since Feb 18, 2026