CVE-2003-1366

OpenBSD 2.0-3.2 - Unauthorized File Read via chpass Hard Link Attack

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2003-1366. PoCs published by Marc Bevand.

AI-analyzed exploit summary This exploit leverages a race condition in OpenBSD's chpass utility to read arbitrary files by manipulating the temporary file used during password changes. The attacker creates a symlink to a target file, tricking chpass into displaying its contents.

Description

chpass in OpenBSD 2.0 through 3.2 allows local users to read portions of arbitrary files via a hard link attack on a temporary file used to store user database information.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Marc Bevand · textlocalopenbsd

https://www.exploit-db.com/exploits/22210

View Code ZIP pw:eip

This exploit leverages a race condition in OpenBSD's chpass utility to read arbitrary files by manipulating the temporary file used during password changes. The attacker creates a symlink to a target file, tricking chpass into displaying its contents.

Classification

Working Poc 90%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Racy

Target: OpenBSD chpass (and chfn, chsh)

Auth required

Prerequisites: local access · ability to suspend and resume processes

MITRE ATT&CK

T1083 - File and Directory Discovery T1005 - Data from Local System

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (6)

Core 6

Core References

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/6748

Various Sources x_refsource_misc

http://www.epita.fr/~bevand_m/asa/asa-0001

Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack

http://www.securitytracker.com/id?1006035

Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq

http://www.securityfocus.com/archive/1/309962

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/11233

Third Party Advisory third-party-advisory x_refsource_sreason

http://securityreason.com/securityalert/3238

Scores

EPSS 0.0050

EPSS Percentile 38.8%

Details

CWE

CWE-200

Status published

Products (13)

openbsd/openbsd 2.0

openbsd/openbsd 2.1

openbsd/openbsd 2.2

openbsd/openbsd 2.3

openbsd/openbsd 2.4

openbsd/openbsd 2.5

openbsd/openbsd 2.6

openbsd/openbsd 2.7

openbsd/openbsd 2.8

openbsd/openbsd 2.9

... and 3 more

Published Dec 31, 2003

Tracked Since Feb 18, 2026