CVE-1999-0433

XFree86 X11R6 - Symlink Attack via startx Command

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-1999-0433. PoCs published by Stealthf0rk.

AI-analyzed exploit summary This exploit leverages a symlink vulnerability in XFree86 3.3.3 to overwrite the /usr/bin/login binary with a malicious version, granting root access. It creates a symlink in /tmp/.X11-unix pointing to /usr/bin/login, then triggers X11 to follow the symlink and overwrite the target file.

Description

XFree86 startx command is vulnerable to a symlink attack, allowing local users to create files in restricted directories, possibly allowing them to gain privileges or cause a denial of service.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Stealthf0rk · clocallinux
https://www.exploit-db.com/exploits/19257

This exploit leverages a symlink vulnerability in XFree86 3.3.3 to overwrite the /usr/bin/login binary with a malicious version, granting root access. It creates a symlink in /tmp/.X11-unix pointing to /usr/bin/login, then triggers X11 to follow the symlink and overwrite the target file.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: XFree86 3.3.3
No auth needed
Prerequisites: Local access to the target system · XFree86 3.3.3 installed · /tmp/.X11-unix writable by the attacker
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1
Core References
Third Party Advisory, VDB Entry x_refsource_misc
https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0433

Scores

EPSS 0.0071
EPSS Percentile 49.0%

Details

Status published
Products (14)
netbsd/netbsd 1.3.2
netbsd/netbsd 1.3.3
redhat/linux 5.1
redhat/linux 5.2
slackware/slackware_linux 3.3
slackware/slackware_linux 3.4
slackware/slackware_linux 3.5
slackware/slackware_linux 3.6
slackware/slackware_linux 4.0
suse/suse_linux 5.1
... and 4 more
Published Mar 21, 1999
Tracked Since Feb 18, 2026