CVE-2000-0170

Linux - Buffer Overflow via MANPAGER Environmental Variable

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 4 public exploits for CVE-2000-0170. PoCs published by teleh0r, Babcia Padlina, mike182.

AI-analyzed exploit summary This exploit targets a buffer overflow vulnerability in Red Hat 6.1's 'man' command via the MANPAGER environment variable. It uses a NOP sled and shellcode to spawn a shell with elevated privileges (egid 15).

Description

Buffer overflow in the man program in Linux allows local users to gain privileges via the MANPAGER environmental variable.

Exploits (4)

exploitdb WORKING POC VERIFIED
by teleh0r · perllocallinux
https://www.exploit-db.com/exploits/255

This exploit targets a buffer overflow vulnerability in Red Hat 6.1's 'man' command via the MANPAGER environment variable. It uses a NOP sled and shellcode to spawn a shell with elevated privileges (egid 15).

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Red Hat Linux 6.1 (man command)
No auth needed
Prerequisites: Access to a vulnerable Red Hat 6.1 system · Ability to execute the 'man' command
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Babcia Padlina · clocallinux
https://www.exploit-db.com/exploits/19779

This exploit targets a buffer overflow vulnerability in the 'man' program (CVE-2000-0170) by overflowing the MANPAGER environment variable with shellcode to execute arbitrary commands. It uses a return-to-PLT technique to bypass non-executable stack protections.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: RedHat man 1.5, Turbolinux man 1.5, and other Linux distributions' man implementations
No auth needed
Prerequisites: Vulnerable version of 'man' program · Ability to set environment variables
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Babcia Padlina · clocallinux
https://www.exploit-db.com/exploits/19778

This exploit leverages a buffer overflow in the 'man' program (CVE-2000-0170) by setting a malicious MANPAGER environment variable. It executes shellcode to spawn a shell with elevated privileges (egid man) when a user runs 'man'.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: RedHat man 1.5, Turbolinux man 1.5, and other Linux distributions (RedHat 4.0-6.2, Turbolinux 3.5/4.2/4.4)
No auth needed
Prerequisites: Vulnerable version of 'man' installed · Ability to set environment variables
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 1 stars
by mike182 · poc
https://github.com/mike182/exploit

This repository contains a functional exploit for CVE-2000-0170, targeting a buffer overflow vulnerability in the `man` command via the `MANPAGER` environment variable. The exploit uses shellcode injection and return address manipulation to achieve remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: man (likely versions prior to patches addressing this vulnerability)
No auth needed
Prerequisites: Access to execute the `man` command on the target system · Environment variable manipulation permissions
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (1)

Core 1
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/1011

Scores

EPSS 0.0199
EPSS Percentile 78.0%

Details

Status published
Products (11)
redhat/linux 4.0
redhat/linux 4.1
redhat/linux 4.2
redhat/linux 5.0
redhat/linux 5.1
redhat/linux 5.2
redhat/linux 6.0
redhat/linux 6.2
turbolinux/turbolinux 3.5b2
turbolinux/turbolinux 4.2
... and 1 more
Published Feb 26, 2000
Tracked Since Feb 18, 2026