CVE-1999-0209

SunOS - Unauthenticated Arbitrary File Read via SunView Selection Service

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 4 public exploits for CVE-1999-0209. PoCs published by Metasploit, I)ruid, Peter Shipley, including Metasploit module exploits/solaris/sunrpc/ypupdated_exec.

AI-analyzed exploit summary This Metasploit module exploits a command injection vulnerability in Solaris ypupdated via RPC, allowing remote command execution as root by appending commands to a MAP UPDATE request.

Description

The SunView (SunTools) selection_svc facility allows remote users to read files.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotesolaris
https://www.exploit-db.com/exploits/16326

This Metasploit module exploits a command injection vulnerability in Solaris ypupdated via RPC, allowing remote command execution as root by appending commands to a MAP UPDATE request.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Solaris ypupdated (versions 2.7, 8, 9, 10 with '-i' option)
No auth needed
Prerequisites: ypupdated running with '-i' option · network access to RPC port
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by I)ruid · rubyremotesolaris
https://www.exploit-db.com/exploits/5366

This is a Metasploit module exploiting CVE-1999-0209, a command injection vulnerability in Solaris ypupdated. It sends a crafted MAP UPDATE request with a payload in the format '|<command>' to execute arbitrary commands as root.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Solaris ypupdated (versions 2.7, 8, 9, 10)
No auth needed
Prerequisites: ypupdated running with the '-i' command-line option · Network access to the target's RPC service
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Peter Shipley · textremotesolaris
https://www.exploit-db.com/exploits/19040

This exploit leverages a vulnerability in SunView's selection_svc process, which persists after the user quits SunView, allowing remote systems to read files accessible to the last user who ran SunView. The PoC demonstrates how to hold a file for selection, enabling unauthorized file access.

Classification
Working Poc 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: SunView (Sun3, Sun4, and 386i systems)
No auth needed
Prerequisites: SunView running on a vulnerable system · selection_svc process still active after user quits SunView
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/solaris/sunrpc/ypupdated_exec.rb

This Metasploit module exploits a command injection vulnerability in Solaris ypupdated (CVE-1999-0209) by sending a malicious MAP UPDATE request via SunRPC, allowing arbitrary command execution as root.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Solaris ypupdated (versions 2.7, 8, 9, 10 with '-i' option)
No auth needed
Prerequisites: Network access to vulnerable ypupdated service · ypupdated running with '-i' option
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/8

Scores

EPSS 0.4778
EPSS Percentile 98.7%

Details

Status published
Products (7)
sun/sunos 3.5
sun/sunos 4.0
sun/sunos 4.0.1
sun/sunos 4.0.2
sun/sunos 4.0.3
sun/sunos 4.1
sun/sunos 4.1.1
Published Aug 14, 1990
Tracked Since Feb 18, 2026