CVE-2000-0993

BSD libutil - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2000-0993. PoCs published by caddis.

AI-analyzed exploit summary This exploit targets a format string vulnerability in the BSD chpass utility (CVE-2000-0993) to achieve remote code execution. It uses environment variables to inject shellcode and manipulate memory addresses via format string specifiers.

Description

Format string vulnerability in pw_error function in BSD libutil library allows local users to gain root privileges via a malformed password in commands such as chpass or passwd.

Exploits (1)

exploitdb WORKING POC VERIFIED

by caddis · clocalbsd

https://www.exploit-db.com/exploits/243

View Code ZIP pw:eip

This exploit targets a format string vulnerability in the BSD chpass utility (CVE-2000-0993) to achieve remote code execution. It uses environment variables to inject shellcode and manipulate memory addresses via format string specifiers.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: BSD chpass (OpenBSD 2.5-2.7, FreeBSD 3.4-4.0, NetBSD 1.4.2)

No auth needed

Prerequisites: Access to execute chpass on a vulnerable BSD system

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (6)

Core 6

Core References

Mailing List mailing-list x_refsource_bugtraq

http://marc.info/?l=bugtraq&m=97068555106135&w=2

Exploit, Patch, Vendor Advisory vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/1744

Various Sources vendor-advisory x_refsource_openbsd

http://www.openbsd.org/errata27.html#pw_error

Vendor Advisory vendor-advisory x_refsource_netbsd

ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-015.txt.asc

Various Sources vendor-advisory x_refsource_freebsd

ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:58.chpass.asc

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/5339

Scores

EPSS 0.0167

EPSS Percentile 73.9%

Details

Status published

Products (13)

freebsd/freebsd 3.2

freebsd/freebsd 3.3

freebsd/freebsd 3.4

freebsd/freebsd 3.5

freebsd/freebsd 4.0

netbsd/netbsd 1.4

netbsd/netbsd 1.4.1

netbsd/netbsd 1.4.2

openbsd/openbsd 2.3

openbsd/openbsd 2.4

... and 3 more

Published Dec 19, 2000

Tracked Since Feb 18, 2026