CVE-2000-0666

Linux rpc.statd - Remote Code Execution via Format String Vulnerability

Exploitation Summary

EIP tracks 3 public exploits for CVE-2000-0666. PoCs published by ron1n, Doing, drow.

AI-analyzed exploit summary: This exploit targets a format string vulnerability in rpc.statd (part of nfs-utils) to achieve remote code execution as root. It leverages a crafted format string to overwrite memory addresses and execute shellcode, binding a shell to port 39168.

Description

rpc.statd in the nfs-utils package in various Linux distributions does not properly cleanse untrusted format strings, which allows remote attackers to gain root privileges.

Exploits (3)

exploitdb WORKING POC VERIFIED
by ron1n · c · remote · linux
https://www.exploit-db.com/exploits/20077

This exploit targets a format string vulnerability in rpc.statd (part of nfs-utils) to achieve remote code execution as root. It leverages a crafted format string to overwrite memory addresses and execute shellcode, binding a shell to port 39168.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: nfs-utils (rpc.statd) on Linux distributions (e.g., Red Hat 6.0/6.1/6.2)
No auth needed
Prerequisites: Network access to rpc.statd (typically UDP/TCP port 111 or a dynamic port) · Executable stack on the target host
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Doing · c · remote · linux
https://www.exploit-db.com/exploits/20076

This exploit targets a format string vulnerability in rpc.statd (part of nfs-utils) to achieve remote code execution as root. It crafts a malicious payload using format specifiers to overwrite memory and execute arbitrary shellcode.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Racy
Target: rpc.statd (nfs-utils) on Linux
No auth needed
Prerequisites: Network access to the target's rpc.statd service · Knowledge of the target's stack address
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by drow · c · remote · linux
https://www.exploit-db.com/exploits/20075

This exploit targets a format string vulnerability in rpc.statd (part of nfs-utils) to achieve remote code execution as root. It constructs a malicious format string to overwrite memory addresses and inject shellcode via RPC calls.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Racy
Target: rpc.statd (nfs-utils)
No auth needed
Prerequisites: Network access to vulnerable rpc.statd service · Target system running vulnerable nfs-utils
devstral-2 · analyzed Feb 16, 2026

References (9)

Core References
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2000-043.html
Exploit, Patch, Vendor Advisory mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-07/0206.html
Exploit, Patch, Vendor Advisory vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/1480
Third Party Advisory mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-07/0230.html
Third Party Advisory mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-07/0236.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/4939
Vendor Advisory vendor-advisory x_refsource_caldera
http://www.calderasystems.com/support/security/advisories/CSSA-2000-025.0.txt
US Government Resource third-party-advisory x_refsource_cert
http://www.cert.org/advisories/CA-2000-17.html
Third Party Advisory mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-07/0260.html

Scores

EPSS 0.2632
EPSS Percentile 97.7%

Details

Status published
Products (16)
conectiva/linux 4.0
conectiva/linux 4.0es
conectiva/linux 4.1
conectiva/linux 4.2
conectiva/linux 5.0
conectiva/linux 5.1
debian/debian_linux 2.2 (4 CPE variants)
debian/debian_linux 2.3 (4 CPE variants)
redhat/linux 6.0 (3 CPE variants)
redhat/linux 6.1 (3 CPE variants)
... and 6 more
Published Jul 16, 2000
Tracked Since Feb 18, 2026