CVE-1999-0689
CDE dtspcd - Unauthenticated Arbitrary Command Execution via Symlink Attack
Title source: llmExploitation Summary
EIP tracks 1 public exploit for CVE-1999-0689. PoCs published by Job de Haas of ITSX.
AI-analyzed exploit summary This exploit leverages a symlink attack and insufficient credential checks in the CDE subprocess daemon (dtspcd) to gain root privileges. It uses a shared library to override functions and create a file as root.
Description
The CDE dtspcd daemon allows local users to execute arbitrary commands via a symlink attack.
Exploits (1)
exploitdb
WORKING POC
VERIFIED
by Job de Haas of ITSX · bashlocalmultiple
https://www.exploit-db.com/exploits/19498
This exploit leverages a symlink attack and insufficient credential checks in the CDE subprocess daemon (dtspcd) to gain root privileges. It uses a shared library to override functions and create a file as root.
Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target:
CDE subprocess daemon (dtspcd) on Solaris 2.5.1, 2.6, and 7
No auth needed
Prerequisites:
DISPLAY environment variable set · Access to a vulnerable Solaris system with CDE installed
devstral-2 · analyzed Feb 16, 2026
Full analysis →
References (4)
Core 4
Core References
Third Party Advisory, VDB Entry vdb-entry
signature
x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1880
Various Sources vendor-advisory
x_refsource_hp
http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9909-103
Vendor Advisory vendor-advisory
x_refsource_sun
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/192
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/636
Scores
EPSS
0.0080
EPSS Percentile
51.8%
Details
Status
published
Products (15)
cde/cde
1.0.1
cde/cde
1.0.2
cde/cde
1.1
cde/cde
1.2
cde/cde
2.0
cde/cde
2.1
cde/cde
2.120
sun/solaris
2.5
sun/solaris
2.5.1
sun/solaris
2.6
... and 5 more
Published
Sep 13, 1999
Tracked Since
Feb 18, 2026