CVE-2003-0834

Solaris 7/8/9 CDE LibDTHelp - Local Buffer Overflow

Severity Score

7.8

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Buffer overflow in CDE libDtHelp library allows local users to execute arbitrary code via (1) a modified DTHELPUSERSEARCHPATH environment variable and the Help feature, (2) DTSEARCHPATH, or (3) LOGNAME.

Desbordamiento de búfer en la librería libDtHelp de CDE permite a usuarios locales ejecutar código arbitrario mediante una variable de entorno DTHELPUSSEARCHPATH modificada en la característica "Help".

Exploitation of a buffer overflow in the libDtHelp library included with CDE can allow local attackers to gain root privileges. The vulnerability specifically exists due to a lack of bounds checking on the LOGNAME environment variable. Local attackers can specify a long LOGNAME to trigger a buffer overflow in any application linked with libDtHelp. The overflow is activated once the help subsystem is accessed by selecting any option under the Help menu.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2003-09-29 CVE Reserved
2003-11-06 CVE Published
2004-12-31 First Exploit
2024-08-08 CVE Updated
2025-07-11 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CAPEC

References (11)

URL	Tag	Source
http://www.idefense.com/application/poi/display?id=134&type=vulnerabilities&flashstatus=false	Third Party Advisory
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5141	Signature

URL	Date	SRC
https://packetstorm.news/files/id/35497	2004-12-31
https://packetstorm.news/files/id/35498	2004-12-31
https://www.exploit-db.com/exploits/713	2016-11-14
https://www.exploit-db.com/exploits/714	2016-11-14

URL	Date	SRC
http://www.kb.cert.org/vuls/id/575804	2018-05-03
http://www.securityfocus.com/bid/8973	2018-05-03

URL	Date	SRC
ftp://patches.sgi.com/support/free/security/advisories/20040801-01-P	2018-05-03
http://archives.neohapsis.com/archives/hp/2003-q4/0047.html	2018-05-03
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/57414	2018-05-03

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Sco Search vendor "Sco"		Open Unix Search vendor "Sco" for product "Open Unix"				8.0 Search vendor "Sco" for product "Open Unix" and version "8.0"		-		Affected
Sco Search vendor "Sco"		Unixware Search vendor "Sco" for product "Unixware"				7.1.1 Search vendor "Sco" for product "Unixware" and version "7.1.1"		-		Affected
Sco Search vendor "Sco"		Unixware Search vendor "Sco" for product "Unixware"				7.1.3 Search vendor "Sco" for product "Unixware" and version "7.1.3"		-		Affected