CVE-2003-0102

file - Buffer Overflow in readelf.c tryelf() via ELF Header

Exploitation Summary

EIP tracks 2 public exploits for CVE-2003-0102. PoCs published by lem0nxx, lem0n.

Description

Buffer overflow in tryelf() in readelf.c of the file command allows attackers to execute arbitrary code as the user running file, possibly via a large entity size value in an ELF header (elfhdr.e_shentsize).

Exploits (2)

exploitdb · WORKING POC · VERIFIED
by lem0nxx · c · local · unix
https://www.exploit-db.com/exploits/22325

This exploit leverages a stack overflow in the `file` program (CVE-2003-0102) to execute arbitrary shellcode. It crafts a malicious ELF file that, when processed by `file`, triggers the overflow and executes a payload that copies `/bin/sh` to `/tmp/.sh` with SUID permissions.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: file (version unspecified, likely older *BSD/Linux versions)
No auth needed
Prerequisites: Ability to write a malicious file to the target system · Victim must execute `file` on the crafted file
devstral-2 · analyzed Feb 16, 2026

exploitdb · WORKING POC · VERIFIED
by lem0n · c · local · unix
https://www.exploit-db.com/exploits/22324

This exploit leverages a stack overflow in the `file` utility (versions <= 3.39) by manipulating the ELF header's `e_shentsize` field to trigger a buffer overflow, allowing arbitrary code execution. The shellcode is placed in the file's initial bytes, exploiting the `HOWMANY` read operation to ensure reliable execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: file <= 3.39
No auth needed
Prerequisites: Valid ELF binary to patch · Victim must execute `file` on the patched binary
devstral-2 · analyzed Feb 16, 2026

References (12)

Exploit, Patch, Vendor Advisory x_refsource_misc
http://www.idefense.com/advisory/03.04.03.txt
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/11469
Vendor Advisory vendor-advisory x_refsource_netbsd
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-003.txt.asc
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2003-087.html
Vendor Advisory vendor-advisory x_refsource_suse
http://www.novell.com/linux/security/advisories/2003_017_file.html
Patch, Vendor Advisory vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/7008
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=104680706201721&w=2
Various Sources vendor-advisory x_refsource_immunix
http://lwn.net/Alerts/34908/
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2003-086.html
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2003/dsa-260
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/611865
Various Sources vendor-advisory x_refsource_mandrake
http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:030

Scores

EPSS 0.0198
EPSS Percentile 78.0%

Details

Status published
Products (15)
file/file 3.28
file/file 3.30
file/file 3.32
file/file 3.33
file/file 3.34
file/file 3.35
file/file 3.36
file/file 3.37
file/file 3.39
file/file 3.40
... and 5 more
Published Mar 18, 2003
Tracked Since Feb 18, 2026