CVE-2000-1009

Red Hat Linux 6.2 - Privilege Escalation


Exploitation Summary

EIP tracks 2 public exploits for CVE-2000-1009. PoCs published by mat.

Description

dump in Red Hat Linux 6.2 trusts the pathname specified by the RSH environmental variable, which allows local users to obtain root privileges by modifying the RSH variable to point to a Trojan horse program.

Exploits (2)

exploitdb WORKING POC VERIFIED
by mat · c · local · linux
https://www.exploit-db.com/exploits/206

This exploit leverages a vulnerability in dump/restore utilities (CVE-2000-1009) where the TAPE environment variable is improperly handled, allowing execution of arbitrary commands with elevated privileges. It creates a malicious script and executes it via the vulnerable binary to gain a SUID root shell.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: dump/restore (versions 0.4b15 and earlier)
No auth needed
Prerequisites: Presence of vulnerable dump/restore binaries · Write access to /tmp directory
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by mat · bash · local · linux
https://www.exploit-db.com/exploits/193

This exploit leverages a vulnerability in the `dump` command (version 0.4b15) on Red Hat 6.2, where improper handling of the `TAPE` and `RSH` environment variables allows execution of arbitrary commands with root privileges. The script creates a malicious `/tmp/rsh` script that copies `/bin/sh` to `/tmp/sush` and sets the SUID bit, enabling a root shell.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Trivial
Reliability: Reliable
Target: dump 0.4b15 on Red Hat 6.2
No auth needed
Prerequisites: Presence of vulnerable `dump` binary with SUID bit set · Write access to `/tmp` directory
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/5437
Exploit, Patch, Vendor Advisory vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/1871
Third Party Advisory mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-10/0438.html

Scores

EPSS 0.0115
EPSS Percentile 62.6%

Details

Status: published
Products (2):
redhat/linux 6.2
trustix/secure_linux 1.1
Published: Dec 11, 2000
Tracked Since: Feb 18, 2026