CVE-1999-0828

UnixWare - Arbitrary File Read via pkg Commands

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-1999-0828. PoCs published by Brock Tellier.

AI-analyzed exploit summary This exploit leverages a buffer overflow in UnixWare 7.1's `pkgcat` to execute arbitrary code with `dacread` privileges, allowing unauthorized access to `/etc/shadow`. It generates shellcode to spawn a program that reads the shadow file.

Description

UnixWare pkg commands such as pkginfo, pkgcat, and pkgparam allow local users to read arbitrary files via the dacread permission.

Exploits (3)

exploitdb WORKING POC VERIFIED

by Brock Tellier · clocalsco

https://www.exploit-db.com/exploits/19660

View Code ZIP pw:eip

This exploit leverages a buffer overflow in UnixWare 7.1's `pkgcat` to execute arbitrary code with `dacread` privileges, allowing unauthorized access to `/etc/shadow`. It generates shellcode to spawn a program that reads the shadow file.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: UnixWare 7.1 /usr/sbin/pkgcat

No auth needed

Prerequisites: Access to execute `/usr/sbin/pkgcat` · Ability to compile and run the exploit binary

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by Brock Tellier · textlocalsco

https://www.exploit-db.com/exploits/19658

View Code ZIP pw:eip

The exploit demonstrates an information leakage vulnerability in SCO UnixWare 7.1's package utilities (e.g., pkgparam), which can read arbitrary files (e.g., /etc/shadow) due to improper Discretionary Access Controls (DAC) via /etc/security/tcb/privs.

Classification

Working Poc 100%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: SCO UnixWare 7.1

No auth needed

Prerequisites: Access to a system running SCO UnixWare 7.1

MITRE ATT&CK

T1005 - Data from Local System

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC

clocalsco

https://www.exploit-db.com/exploits/19661

View Code ZIP pw:eip

This exploit leverages a buffer overflow in UnixWare 7.1's `pkginstall` to execute arbitrary code with `dacread` privileges, allowing unauthorized access to `/etc/shadow`. The shellcode spawns a helper program that reads the shadow file.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: UnixWare 7.1 /usr/sbin/pkginstall

No auth needed

Prerequisites: UnixWare 7.1 system with vulnerable `pkginstall` binary · Ability to execute the exploit locally

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (1)

Core 1

Core References

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/853

Scores

EPSS 0.0035

EPSS Percentile 58.2%

Details

Status published

Products (2)

sco/unixware 7.0

sco/unixware 7.1

Published Dec 02, 1999

Tracked Since Feb 18, 2026