CVE-2014-0476

chkrootkit < 0.50 - Local Privilege Escalation via Trojan Horse Executable

Exploitation Summary

EIP tracks 3 public exploits for CVE-2014-0476. PoCs were published by Metasploit, Thomas Stangner, and Julien Voisin, including the Metasploit module exploits/unix/local/chkrootkit.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2014-0476 in Chkrootkit by placing a malicious executable at /tmp/update, which is executed as root during the next scheduled scan. The exploit leverages a cron job to escalate privileges.

Description

The slapper function in chkrootkit before 0.50 does not properly quote file paths, which allows local users to execute arbitrary code via a Trojan horse executable. NOTE: this is only a vulnerability when /tmp is not mounted with the noexec option.

Exploits (3)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · local · linux
https://www.exploit-db.com/exploits/38775

This Metasploit module exploits CVE-2014-0476 in Chkrootkit by placing a malicious executable at /tmp/update, which is executed as root during the next scheduled scan. The exploit leverages a cron job to escalate privileges.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Trivial
Reliability: Reliable
Target: Chkrootkit versions 0.1-0.49
No auth needed
Prerequisites: Write access to /tmp directory · Chkrootkit installed and running via cron
devstral-2 · analyzed Feb 16, 2026

exploitdb · WRITEUP · VERIFIED
by Thomas Stangner · text · local · linux
https://www.exploit-db.com/exploits/33899

The vulnerability in chkrootkit's slapper() function allows local attackers to execute arbitrary code as root due to unquoted variable assignment. An attacker can exploit this by placing a malicious executable in /tmp, which gets executed when chkrootkit runs.

Classification: Writeup 100%
Attack Type: LPE
Complexity: Trivial
Reliability: Reliable
Target: chkrootkit (versions up to 2009)
No auth needed
Prerequisites: Write access to /tmp · /tmp not mounted with noexec
devstral-2 · analyzed Feb 16, 2026

metasploit · WORKING POC · MANUAL
by Thomas Stangner, Julien Voisin · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/local/chkrootkit.rb

This Metasploit module exploits a privilege escalation vulnerability in Chkrootkit before 0.50 by placing an executable named '/tmp/update' that is executed as root during a scheduled scan. The exploit waits for the cron job to trigger the payload.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Trivial
Reliability: Reliable
Target: Chkrootkit < 0.50
No auth needed
Prerequisites: Write access to /tmp directory · Chkrootkit cron job configured to run
devstral-2 · analyzed Feb 16, 2026

References (8)

Core References
Vendor Advisory x_refsource_confirm
http://www.chkrootkit.org/
Exploit mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2014/06/04/9
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201709-05
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2230-1
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/show/osvdb/107710
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2014/dsa-2945
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/38775/

Scores

EPSS 0.0383
EPSS Percentile 88.7%

Details

CWE: CWE-20
Status: published
Products (5)
canonical/ubuntu_linux 10.04
canonical/ubuntu_linux 12.04
canonical/ubuntu_linux 13.10
canonical/ubuntu_linux 14.04
chkrootkit/chkrootkit < 0.49
Published Oct 25, 2014
Tracked Since Feb 18, 2026