CVE-2003-0849

cfengine 2.x - Remote Code Execution via Modified Packet Length Values

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2003-0849. PoCs published by snooq, kokanin, jsk.

AI-analyzed exploit summary This exploit targets a stack-based buffer overflow in cfservd (CVE-2003-0849) to achieve remote code execution. It includes shellcode for both bind and connect-back shells, demonstrating a functional proof-of-concept for Redhat 8.0 with cfservd 2.0.7.

Description

Buffer overflow in net.c for cfengine 2.x before 2.0.8 allows remote attackers to execute arbitrary code via certain packets with modified length values, which is trusted by the ReceiveTransaction function when using a buffer provided by the BusyWithConnection function.

Exploits (3)

exploitdb WORKING POC VERIFIED

by snooq · cremotelinux

https://www.exploit-db.com/exploits/23183

View Code ZIP pw:eip

This exploit targets a stack-based buffer overflow in cfservd (CVE-2003-0849) to achieve remote code execution. It includes shellcode for both bind and connect-back shells, demonstrating a functional proof-of-concept for Redhat 8.0 with cfservd 2.0.7.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: cfservd 2.0.7

No auth needed

Prerequisites: Network access to cfservd on port 5308 · Target running vulnerable cfservd version

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by kokanin · perlremotebsd

https://www.exploit-db.com/exploits/105

View Code ZIP pw:eip

This exploit targets a buffer overflow vulnerability in cfengine 2.0.3 on FreeBSD. It sends a crafted payload with NOP sleds, shellcode, and a return address to execute a portbind shell on port 45295.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: cfengine 2.0.3

No auth needed

Prerequisites: Network access to the target · cfengine service running on port 5308

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by jsk · cremotelinux

https://www.exploit-db.com/exploits/23182

View Code ZIP pw:eip

This exploit targets a stack-based buffer overflow in cfservd (CVE-2003-0849) to execute arbitrary code with root privileges. It uses a bindshell payload on port 26112 and includes return addresses for multiple Red Hat Linux versions.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: cfengine 2.0.3

No auth needed

Prerequisites: Network access to cfservd (default port 5308) · Target system running vulnerable cfengine version

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Mailing List mailing-list x_refsource_bugtraq

http://marc.info/?l=bugtraq&m=106451047819552&w=2

Mailing List mailing-list x_refsource_bugtraq

http://marc.info/?l=bugtraq&m=106485375218280&w=2

Mailing List mailing-list x_refsource_bugtraq

http://marc.info/?l=bugtraq&m=106546086216984&w=2

Scores

EPSS 0.1064

EPSS Percentile 95.2%

Details

Status published

Products (9)

gnu/cfengine 2.0.0

gnu/cfengine 2.0.1

gnu/cfengine 2.0.2

gnu/cfengine 2.0.3

gnu/cfengine 2.0.4

gnu/cfengine 2.0.5 (4 CPE variants)

gnu/cfengine 2.0.6

gnu/cfengine 2.0.7 (4 CPE variants)

gnu/cfengine 2.1.0 a6 (3 CPE variants)

Published Nov 17, 2003

Tracked Since Feb 18, 2026