CVE-2003-1167
Description
misc.cpp in KPopup 0.9.1 trusts the PATH variable when executing killall, which allows local users to elevate their privileges by modifying the PATH variable to reference a malicious killall program.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
3cpe:2.3:a:gernot_stocker:kpopup:0.9.1:*:*:*:*:*:*:*+ 2 more
- cpe:2.3:a:gernot_stocker:kpopup:0.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:gernot_stocker:kpopup:0.9.5_pre2:*:*:*:*:*:*:*
- (no CPE)range: = 0.9.1
Patches
Vulnerability mechanics
Root cause
"The application trusts the PATH environment variable when executing external commands."
Attack vector
Local attackers can exploit this vulnerability by modifying the PATH environment variable before executing KPopup. KPopup, installed setuid root, uses the system() function to call killall. By prepending a directory containing a malicious executable named 'killall' to the PATH, an attacker can cause their malicious program to be executed with root privileges. The exploit code demonstrates creating a malicious /tmp/killall script that compiles and executes a root shell [ref_id=1].
Affected code
The vulnerability exists in misc.cpp within KPopup version 0.9.1. Specifically, the application uses the system() C-library function to invoke the killall binary in a manner that relies on the PATH environment variable [ref_id=1].
What the fix does
The advisory does not specify a patch or provide details on how the vulnerability is fixed. However, it is recommended to upgrade to a non-vulnerable version of KPopup. The general remediation for this type of vulnerability involves ensuring that setuid programs do not rely on user-controlled environment variables like PATH for executing commands, or by using absolute paths to known-good binaries.
Preconditions
- authThe attacker must have local user access to the affected system.
- configKPopup must be installed and running on the system, and it must be installed setuid root.
Reproduction
The provided exploit code demonstrates how to reproduce the vulnerability by creating a malicious killall executable in /tmp and then triggering KPopup to execute it, ultimately leading to a root shell [ref_id=1].
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- secunia.com/advisories/10105nvdPatch
- www.osvdb.org/2742nvdPatch
- www.securityfocus.com/archive/1/342736nvdExploit
- www.securityfocus.com/bid/8915nvdExploitPatch
- exchange.xforce.ibmcloud.com/vulnerabilities/13540nvd
News mentions
0No linked articles in our index yet.