CVE-2000-0949

LBNL Traceroute <1.4a5 - Buffer Overflow

Title source: llm

Exploitation Summary

EIP tracks 4 public exploits for CVE-2000-0949. PoCs published by Michel Kaempf, Perry Harrington, Dvorak.

AI-analyzed exploit summary: This exploit targets a buffer overflow vulnerability in LBNL traceroute (CVE-2000-0949) to achieve local privilege escalation. It manipulates heap metadata and injects shellcode to spawn a root shell.

Description

Heap overflow in savestr function in LBNL traceroute 1.4a5 and earlier allows a local user to execute arbitrary commands via the -g option.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Michel Kaempf · c · local · linux
https://www.exploit-db.com/exploits/178

This exploit targets a buffer overflow vulnerability in LBNL traceroute (CVE-2000-0949) to achieve local privilege escalation. It manipulates heap metadata and injects shellcode to spawn a root shell.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: LBNL traceroute (version not specified)
No auth needed
Prerequisites: Local access to the vulnerable system · Presence of vulnerable traceroute binary at /usr/sbin/traceroute
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Michel Kaempf · c · local · linux
https://www.exploit-db.com/exploits/20252

This exploit targets a heap-based vulnerability in LBNL traceroute (CVE-2000-0949) by manipulating the `-g` argument to trigger a double-free condition, allowing arbitrary memory manipulation and local privilege escalation to root. It includes architecture-specific shellcode for i386 and SPARC systems.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: LBNL traceroute 1.4a5-2 (Debian GNU/Linux 2.2)
No auth needed
Prerequisites: Local access to a vulnerable system · Traceroute binary must be setuid root
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Perry Harrington · c · local · linux
https://www.exploit-db.com/exploits/20251

This exploit targets a double-free vulnerability in LBNL traceroute (CVE-2000-0949) by manipulating the `-g` argument to overwrite heap structures, potentially achieving local root access. It constructs a malicious malloc header and injects shellcode to spawn a shell.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Theoretical
Target: LBNL traceroute (setuid root versions)
No auth needed
Prerequisites: Local access to a vulnerable system · Traceroute binary installed setuid root
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Dvorak · c · local · linux
https://www.exploit-db.com/exploits/20250

This exploit leverages a double-free vulnerability in LBNL traceroute's `savestr()` function to manipulate heap memory and achieve arbitrary write, potentially leading to local root access. The PoC demonstrates controlled corruption of malloc chunks to overwrite a return address with shellcode.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Complex
Reliability: Theoretical
Target: LBNL traceroute (versions using savestr)
No auth needed
Prerequisites: Local access to a vulnerable system with traceroute installed setuid root
devstral-2 · analyzed Feb 16, 2026

References (9)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/5311
Various Sources vendor-advisory x_refsource_mandrake
http://www.linux-mandrake.com/en/security/MDKSA-2000-053.php3?dis=7.1
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2000-078.html
Third Party Advisory mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-09/0357.html
Exploit, Patch, Vendor Advisory vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/1739
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2000/20001013
Vendor Advisory vendor-advisory x_refsource_caldera
http://www.calderasystems.com/support/security/advisories/CSSA-2000-034.0.txt
Third Party Advisory mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-09/0344.html

Scores

EPSS 0.0118
EPSS Percentile 63.6%

Details

Status published
Products (2)
lbl/lbl_traceroute 1.4a5
sun/sunos 5.5.1
Published Dec 19, 2000
Tracked Since Feb 18, 2026