CVE-2000-0972

MEDIUM

HP-UX 11.00 - Arbitrary File Read via crontab Symlink Attack

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2000-0972. PoCs published by dubhe, Kyong-won Cho.

AI-analyzed exploit summary This exploit leverages a vulnerability in HP-UX 11.00/10.20 crontab by manipulating the EDITOR environment variable to execute arbitrary commands. It creates a malicious script that symlinks a specified file, then invokes crontab -e to trigger the exploit.

Description

HP-UX 11.00 crontab allows local users to read arbitrary files via the -e option by creating a symlink to the target file during the crontab session, quitting the session, and reading the error messages that crontab generates.

Exploits (2)

exploitdb WORKING POC VERIFIED
by dubhe · bashdoshp-ux
https://www.exploit-db.com/exploits/195

This exploit leverages a vulnerability in HP-UX 11.00/10.20 crontab by manipulating the EDITOR environment variable to execute arbitrary commands. It creates a malicious script that symlinks a specified file, then invokes crontab -e to trigger the exploit.

Classification
Working Poc 90%
Attack Type
Lpe
Complexity
Trivial
Reliability
Reliable
Target: HP-UX crontab 11.00/10.20
Auth required
Prerequisites: User access to crontab -e · EDITOR environment variable not restricted
MITRE ATT&CK
mistral-large-3 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Kyong-won Cho · bashlocalhp-ux
https://www.exploit-db.com/exploits/20329

This exploit leverages a vulnerability in HP-UX's crontab implementation to read arbitrary files by creating a symbolic link via a custom editor script. It abuses the temporary file handling in vi to expose file contents through error messages.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: HP-UX 11.00 cron
Auth required
Prerequisites: Access to a user account with crontab permissions · Presence of the vulnerable HP-UX cron implementation
mistral-large-3 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/5410
Broken Link, Exploit, Vendor Advisory mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-10/0317.html

Scores

CVSS v3 5.5
EPSS 0.0128
EPSS Percentile 66.8%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-59
Status published
Products (1)
hp/hp-ux 11.00
Published Dec 19, 2000
Tracked Since Feb 18, 2026