CVE-2002-0740

slrn - Local Privilege Escalation via Long -d Argument

Exploitation Summary

EIP tracks 2 public exploits for CVE-2002-0740. PoCs published by zillion, alt3kx.

AI-analyzed exploit summary: This exploit targets a buffer overflow vulnerability in slrnpull (part of the slrn package) by supplying an overly long spool directory name via the -d flag. It uses shellcode to spawn a shell and manipulates the return address to achieve arbitrary code execution, gaining setgid news privileges on Red Hat 6.2.

Description

Buffer overflow in slrnpull for the SLRN package, when installed setuid or setgid, allows local users to gain privileges via a long -d (SPOOLDIR) argument.

Exploits (2)

exploitdb WORKING POC VERIFIED
by zillion · perl · local · unix
https://www.exploit-db.com/exploits/21408

This exploit targets a buffer overflow vulnerability in slrnpull (part of the slrn package) by supplying an overly long spool directory name via the -d flag. It uses shellcode to spawn a shell and manipulates the return address to achieve arbitrary code execution, gaining setgid news privileges on Red Hat 6.2.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: slrn/slrnpull (UNIX/Linux)
No auth needed
Prerequisites: slrnpull installed · Red Hat 6.2 or similar environment · setgid news permissions on slrnpull
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by alt3kx · poc
https://github.com/alt3kx/CVE-2002-0740

This repository contains a functional exploit for CVE-2002-0740, a buffer overflow vulnerability in SLRNPull's spool directory command line parameter. The exploit leverages a crafted buffer to overwrite the return address and execute shellcode, granting setgid news privileges on Red Hat 6.2.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: SLRNPull (version not specified, but likely older versions)
No auth needed
Prerequisites: Target system running vulnerable SLRNPull version · Ability to execute the exploit locally
devstral-2 · analyzed Feb 19, 2026

References (5)

Core References
Vendor Advisory vdb-entry x_refsource_xf
http://www.iss.net/security_center/static/8910.php
Third Party Advisory mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-04/0302.html
Exploit mailing-list x_refsource_bugtraq
http://online.securityfocus.com/archive/1/269667
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://online.securityfocus.com/archive/1/270235
Exploit, Patch, Vendor Advisory vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/4569

Scores

EPSS 0.0147
EPSS Percentile 70.3%

Details

Status published
Products (3)
slrn_development_team/slrn 0.9.6.2
slrn_development_team/slrn 0.9.6.3
slrn_development_team/slrn 0.9.6.4
Published Aug 12, 2002
Tracked Since Feb 18, 2026