CVE-1999-0767

Solaris - Buffer Overflow via LC_MESSAGES Environmental Variable


Exploitation Summary

EIP tracks 5 public exploits for CVE-1999-0767. PoCs published by UNYUN, [email protected], Georgi Guninski.

AI-analyzed exploit summary: This exploit targets a buffer overflow in libc's handling of the LC_MESSAGES environment variable on Solaris/SPARC systems. It crafts a malicious environment variable to overflow a buffer and execute shellcode, leading to local privilege escalation.

Description

Buffer overflow in Solaris libc, ufsrestore, and rcp via LC_MESSAGES environmental variable.

Exploits (5)

exploitdb WORKING POC VERIFIED
by UNYUN · c · local · aix
https://www.exploit-db.com/exploits/19217

This exploit targets a buffer overflow in libc's handling of the LC_MESSAGES environment variable on Solaris/SPARC systems. It crafts a malicious environment variable to overflow a buffer and execute shellcode, leading to local privilege escalation.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Solaris libc (SPARC)
No auth needed
Prerequisites: Local access to a vulnerable Solaris/SPARC system · SUID binary linked against vulnerable libc
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by [email protected] · c · local · aix
https://www.exploit-db.com/exploits/19216

This exploit leverages a buffer overflow in libc's handling of the LC_MESSAGES environment variable to execute arbitrary shellcode, granting root privileges on vulnerable Solaris systems. It crafts a malicious input file and manipulates environment variables to trigger the overflow in the `arp` command.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Solaris 7, 8 (x86) with vulnerable libc
No auth needed
Prerequisites: Local access to a vulnerable Solaris system · Presence of a setuid root binary linked against vulnerable libc
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by UNYUN · c · local · aix
https://www.exploit-db.com/exploits/19215

This exploit targets a buffer overflow in libc's handling of the LC_MESSAGES environment variable on Solaris/SPARC systems. It leverages a stack-based overflow to execute arbitrary shellcode, granting root privileges via a vulnerable suid binary.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Solaris libc (versions 2.6, 2.7 on SPARC)
No auth needed
Prerequisites: Local access to a vulnerable Solaris/SPARC system · Presence of a suid root binary linked against vulnerable libc
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Georgi Guninski · c · local · aix
https://www.exploit-db.com/exploits/19214

This exploit targets a buffer overflow in libc's handling of the LC_MESSAGES environment variable on AIX 4.2/4.1 and Solaris systems. It leverages a suid root program linked against libc to execute arbitrary code (shellcode) and gain root privileges.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: IBM AIX 4.2/4.1, Sun Solaris (libc with LC_MESSAGES vulnerability)
No auth needed
Prerequisites: Local access to the system · Presence of a suid root program linked against vulnerable libc
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by UNYUN@ShadowPenguinSecurity · bash · local · aix
https://www.exploit-db.com/exploits/19213

This script exploits a buffer overflow in libc's handling of the LC_MESSAGES environment variable to gain root privileges on AIX or Solaris systems. It iterates through different buffer sizes to trigger the overflow in a suid root program linked against libc.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: IBM AIX, Sun Solaris (libc)
No auth needed
Prerequisites: Local access to the system · Presence of a suid root program linked against vulnerable libc
devstral-2 · analyzed Feb 16, 2026

Scores

EPSS: 0.0120
EPSS Percentile: 64.1%

Details

Status: published
Products (4):
sun/solaris 2.6
sun/solaris 7.0
sun/sunos
sun/sunos 5.7
Published: Sep 08, 1999
Tracked Since: Feb 18, 2026