CVE-1999-0971

Exim < 1.62 - Local Privilege Escalation via Long :include: Option in .forward File

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-1999-0971. PoCs published by D. J. Bernstein.

AI-analyzed exploit summary This exploit targets a local buffer overflow in Exim 1.62 by overflowing a filename buffer for message attachments, overwriting the return address to execute shellcode. The shellcode calls seteuid(0) and spawns a shell via execl("/bin/sh").

Description

Buffer overflow in Exim allows local users to gain root privileges via a long :include: option in a .forward file.

Exploits (1)

exploitdb WORKING POC VERIFIED

by D. J. Bernstein · clocalunix

https://www.exploit-db.com/exploits/20333

View Code ZIP pw:eip

This exploit targets a local buffer overflow in Exim 1.62 by overflowing a filename buffer for message attachments, overwriting the return address to execute shellcode. The shellcode calls seteuid(0) and spawns a shell via execl("/bin/sh").

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Exim 1.62

No auth needed

Prerequisites: Local access to the target system · Exim 1.62 installed · Ability to execute the exploit binary

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Core References

Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq

http://www.securityfocus.com/archive/1/7301

Scores

EPSS 0.0069

EPSS Percentile 48.1%

Details

Status published

Products (1)

university_of_cambridge/exim < 1.62

Published Jul 22, 1997

Tracked Since Feb 18, 2026