CVE-2000-0998

top <unknown> - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2000-0998. PoCs published by Kevin Finisterre, truefinder.

AI-analyzed exploit summary This exploit targets a format string vulnerability in the 'top' utility on BSD systems, allowing arbitrary code execution to escalate privileges to the 'kmem' group. It uses a crafted format string to overwrite memory addresses and execute shellcode.

Description

Format string vulnerability in top program allows local attackers to gain root privileges via the "kill" or "renice" function.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Kevin Finisterre · perllocallinux

https://www.exploit-db.com/exploits/20378

View Code ZIP pw:eip

This exploit targets a format string vulnerability in the 'top' utility on BSD systems, allowing arbitrary code execution to escalate privileges to the 'kmem' group. It uses a crafted format string to overwrite memory addresses and execute shellcode.

Classification

Working Poc 90%

Attack Type

Lpe

Complexity

Complex

Reliability

Racy

Target: top (versions prior to FreeBSD 4.2)

No auth needed

Prerequisites: Access to a vulnerable BSD system with 'top' installed setgid kmem · Ability to execute the exploit locally

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by truefinder · clocalfreebsd

https://www.exploit-db.com/exploits/20377

View Code ZIP pw:eip

This exploit targets a format string vulnerability in the 'top' utility on BSD systems (prior to FreeBSD 4.2) to achieve arbitrary code execution. It leverages environment variables and crafted input to overwrite memory addresses, leading to privilege escalation via the kmem group.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: top (versions prior to 3.5beta9 on BSD systems)

No auth needed

Prerequisites: Access to a vulnerable BSD system with 'top' installed setgid kmem · Ability to run 'objdump' to extract .dtors address

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Patch, Vendor Advisory vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/1895

Various Sources x_refsource_misc

ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.7/common/028_format_strings.patch

Patch, Vendor Advisory vendor-advisory x_refsource_freebsd

ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:62.top.v1.1.asc

Scores

EPSS 0.0088

EPSS Percentile 54.3%

Details

Status published

Products (5)

freebsd/freebsd 3.5 (2 CPE variants)

freebsd/freebsd 3.5.1 (3 CPE variants)

freebsd/freebsd 4.0 (2 CPE variants)

freebsd/freebsd 4.1

freebsd/freebsd 4.1.1

Published Dec 11, 2000

Tracked Since Feb 18, 2026