CVE-2000-1125

Red Hat Linux 6.2 - Privilege Escalation

Exploitation Summary

EIP tracks 3 public exploits for CVE-2000-1125. PoCs published by Tlabs, anonymous, fish.

AI-analyzed exploit summary: This exploit targets CVE-2000-1125, leveraging environment variable manipulation in Red Hat Linux 6.2's dump/restore utilities to execute arbitrary code with root privileges. It compiles a SUID shell and uses a malicious 'hey' script to escalate privileges.

Description

restore 0.4b15 and earlier in Red Hat Linux 6.2 trusts the pathname specified by the RSH environmental variable, which allows local users to obtain root privileges by modifying the RSH variable to point to a Trojan horse program.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Tlabs · perl · local · linux
https://www.exploit-db.com/exploits/184

This exploit targets CVE-2000-1125, leveraging environment variable manipulation in Red Hat Linux 6.2's dump/restore utilities to execute arbitrary code with root privileges. It compiles a SUID shell and uses a malicious 'hey' script to escalate privileges.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Red Hat Linux 6.2 (dump/restore utilities)
No auth needed
Prerequisites: Presence of vulnerable dump/restore binaries · Ability to execute scripts on the target system
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by anonymous · bash · local · linux
https://www.exploit-db.com/exploits/182

This exploit leverages a vulnerability in the /sbin/restore command on Red Hat 6.2 systems to execute arbitrary commands as root. It creates a script that copies /bin/sh to the user's home directory and sets the SUID bit, allowing privilege escalation.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Trivial
Reliability: Reliable
Target: Red Hat Linux 6.2 /sbin/restore
Auth required
Prerequisites: Access to a user account on the target system · The /sbin/restore binary must be present and vulnerable
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by fish · bash · local · linux
https://www.exploit-db.com/exploits/20385

This exploit leverages a vulnerability in the 'restore' program (version 0.4b15) distributed with RedHat Linux 6.2, where the RSH environment variable is used to execute arbitrary code with elevated privileges (EUID 0). The script compiles a C program to spawn a root shell and manipulates the RSH variable to execute a script that sets the SUID bit on the compiled binary.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Trivial
Reliability: Reliable
Target: restore 0.4b15 (RedHat Linux 6.2)
No auth needed
Prerequisites: Access to a vulnerable RedHat Linux 6.2 system with the 'restore' program installed · Ability to execute scripts and compile C code
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Exploit, Vendor Advisory (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/1914
Mailing List (mailing-list, x_refsource_bugtraq): http://marc.info/?l=bugtraq&m=97336034309944&w=2

Scores

EPSS 0.0111
EPSS Percentile 61.6%

Details

Status published
Products (2)
redhat/linux 6.2
redhat/linux 6.2e
Published Jan 09, 2001
Tracked Since Feb 18, 2026