CVE-2003-0740

Stunnel 4.00, and 3.24 and earlier - Local Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2003-0740. PoCs published by Steve Grubb.

AI-analyzed exploit summary: This exploit leverages a signal handling flaw in stunnel to leak a file descriptor and maintain control after the parent process is killed. It forks, sends SIGUSR2 to the parent, and then uses the leaked descriptor to serve an HTTP response.

Description

Stunnel 4.00, and 3.24 and earlier, leaks a privileged file descriptor returned by listen(), which allows local users to hijack the Stunnel server.

Exploits (1)

exploitdb · WORKING POC · VERIFIED
by Steve Grubb · c · local · linux
https://www.exploit-db.com/exploits/91

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: stunnel (versions prior to fix for CVE-2003-0740)
No auth needed
Prerequisites: stunnel running with a vulnerable configuration · ability to execute arbitrary code via stunnel
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=106260760211958&w=2
Vendor Advisory vendor-advisory x_refsource_conectiva
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000736
Vendor Advisory vendor-advisory x_refsource_mandrake
http://www.mandriva.com/security/advisories?name=MDKSA-2003:108
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2003-297.html

Scores

EPSS 0.0070
EPSS Percentile 48.5%

Details

Status published
Products (23)
stunnel/stunnel 3.3
stunnel/stunnel 3.4a
stunnel/stunnel 3.7
stunnel/stunnel 3.8
stunnel/stunnel 3.9
stunnel/stunnel 3.10
stunnel/stunnel 3.11
stunnel/stunnel 3.12
stunnel/stunnel 3.13
stunnel/stunnel 3.14
... and 13 more
Published Oct 20, 2003
Tracked Since Feb 18, 2026