CVE-2000-0506

Linux Kernel - Privilege Escalation via Setuid/Setcap Capabilities Bypass

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2000-0506. PoCs were published by Florian Heinz and Wojciech Purczynski.

AI-analyzed exploit summary: This exploit leverages a vulnerability in Linux POSIX capabilities where a parent process can manipulate capabilities to prevent a setuid program (like sendmail) from dropping privileges. This results in arbitrary command execution as root via a malicious .forward file.

Description

The "capabilities" feature in Linux before 2.2.16 allows local users to cause a denial of service or gain privileges by setting the capabilities to prevent a setuid program from dropping privileges, aka the "Linux kernel setuid/setcap vulnerability."

Exploits (2)

exploitdb WORKING POC VERIFIED
by Florian Heinz · c · local · linux
https://www.exploit-db.com/exploits/20000

This exploit leverages a vulnerability in Linux POSIX capabilities where a parent process can manipulate capabilities to prevent a setuid program (like sendmail) from dropping privileges. This results in arbitrary command execution as root via a malicious .forward file.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Linux kernel with POSIX capabilities (pre-2.2.14)
No auth needed
Prerequisites: Access to a vulnerable Linux system · Ability to compile and execute the exploit · Sendmail or procmail installed and configured to process .forward files
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Wojciech Purczynski · bash · local · linux
https://www.exploit-db.com/exploits/20001

This exploit leverages a Linux kernel capability handling flaw (CVE-2000-0506) to prevent setuid programs like sendmail from dropping privileges, resulting in local privilege escalation to root. It manipulates capabilities via LD_PRELOAD and crafts a malicious sendmail configuration to execute arbitrary commands.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Linux kernel 2.2.x (x<=15) and sendmail <= 8.10.1
Auth required
Prerequisites: Local access to a vulnerable Linux system · sendmail or procmail installed · Compilation tools (gcc, ld)
devstral-2 · analyzed Feb 16, 2026

References (6)

Core References
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2000-037.html
Third Party Advisory mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-06/0062.html
Various Sources vendor-advisory x_refsource_sgi
ftp://sgigate.sgi.com/security/20000802-01-P
Third Party Advisory mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-06/0063.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/1322

Scores

EPSS 0.1140
EPSS Percentile 95.4%

Details

Status published
Products (17)
linux/linux_kernel 2.0
linux/linux_kernel 2.0.30
linux/linux_kernel 2.0.33
linux/linux_kernel 2.0.34
linux/linux_kernel 2.0.35
linux/linux_kernel 2.0.36
linux/linux_kernel 2.0.37
linux/linux_kernel 2.0.38
linux/linux_kernel 2.1
linux/linux_kernel 2.2.0
... and 7 more
Published Jun 09, 2000
Tracked Since Feb 18, 2026