CVE-2004-1701

Cfengine 2.0.0-2.1.7p1 - Remote Code Execution via Long SAUTH Command

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2004-1701. PoCs published by jsk, Juan Pablo Martinez Kuhn.

AI-analyzed exploit summary This exploit targets a heap-based buffer overflow in cfengine cfservd's AuthenticationDialogue() function, allowing remote code execution via a crafted challenge. It includes a connect-back shellcode and bypasses IP-based access control.

Description

Heap-based buffer overflow in the AuthenticationDialogue function in cfservd for Cfengine 2.0.0 to 2.1.7p1 allows remote attackers to execute arbitrary code via a long SAUTH command during RSA authentication.

Exploits (2)

exploitdb WORKING POC VERIFIED
by jsk · cremotelinux
https://www.exploit-db.com/exploits/24361

This exploit targets a heap-based buffer overflow in cfengine cfservd's AuthenticationDialogue() function, allowing remote code execution via a crafted challenge. It includes a connect-back shellcode and bypasses IP-based access control.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: cfengine cfservd 2.0.0 to 2.1.7p1
No auth needed
Prerequisites: Network access to cfservd (port 5803 by default) · Bypass of IP-based access control
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Juan Pablo Martinez Kuhn · pythondoslinux
https://www.exploit-db.com/exploits/24360

This exploit targets a heap-based buffer overflow in GNU cfengine cfservd's AuthenticationDialogue() function. It sends malformed CAUTH and SAUTH commands with excessive data to trigger the vulnerability, potentially allowing remote code execution.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Theoretical
Target: GNU cfengine cfservd versions 2.0.0 to 2.1.7p1
No auth needed
Prerequisites: Network access to the target cfservd service · Bypass of IP-based access control
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (7)

Core 7
Core References
Exploit, Patch, Vendor Advisory x_refsource_misc
http://www.coresecurity.com/common/showdoc.php?idx=387&idxseccion=10
Exploit, Patch, Vendor Advisory vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/10899
Exploit, Patch, Vendor Advisory vendor-advisory x_refsource_gentoo
http://security.gentoo.org/glsa/glsa-200408-08.xml
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=109208394910086&w=2
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/16935
Patch, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/12251
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=110886670528775&w=2

Scores

EPSS 0.1951
EPSS Percentile 97.0%

Details

Status published
Products (11)
gnu/cfengine 2.0.0
gnu/cfengine 2.0.1
gnu/cfengine 2.0.2
gnu/cfengine 2.0.3
gnu/cfengine 2.0.4
gnu/cfengine 2.0.5 (4 CPE variants)
gnu/cfengine 2.0.6
gnu/cfengine 2.0.7 (4 CPE variants)
gnu/cfengine 2.0.8 (2 CPE variants)
gnu/cfengine 2.1.0 a6 (3 CPE variants)
... and 1 more
Published Aug 09, 2004
Tracked Since Feb 18, 2026