CVE-1999-1158

Solaris <2.5.1-2.4 - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-1999-1158. PoCs published by Cristian Schipor.

AI-analyzed exploit summary This exploit targets a buffer overflow vulnerability in the Solaris 2.4 and 2.5 passwd program, using shellcode to achieve remote code execution. The exploit constructs a malicious buffer with NOP sleds and shellcode to overwrite the return address and execute arbitrary code.

Description

Buffer overflow in (1) pluggable authentication module (PAM) on Solaris 2.5.1 and 2.5 and (2) unix_scheme in Solaris 2.4 and 2.3 allows local users to gain root privileges via programs that use these modules such as passwd, yppasswd, and nispasswd.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Cristian Schipor · clocalsolaris

https://www.exploit-db.com/exploits/341

View Code ZIP pw:eip

This exploit targets a buffer overflow vulnerability in the Solaris 2.4 and 2.5 passwd program, using shellcode to achieve remote code execution. The exploit constructs a malicious buffer with NOP sleds and shellcode to overwrite the return address and execute arbitrary code.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Solaris 2.4 and 2.5 passwd program

No auth needed

Prerequisites: Access to the target system to execute the exploit · Vulnerable version of Solaris passwd program

MITRE ATT&CK

T1203 - Exploitation for Client Execution T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by Cristian Schipor · clocalsolaris

https://www.exploit-db.com/exploits/19158

View Code ZIP pw:eip

This exploit targets a buffer overflow in Pluggable Authentication Modules (PAM) and unix_scheme on Solaris 2.5.(1). It uses a stack-based overflow via the passwd program to execute shellcode, potentially granting root access.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Solaris 2.5.(1) PAM and unix_scheme

No auth needed

Prerequisites: Access to a vulnerable Solaris 2.5.(1) system · Ability to execute the passwd program

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Patch, Vendor Advisory vendor-advisory x_refsource_sun

http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/139&type=0&nav=sec.sba

Vendor Advisory third-party-advisory x_refsource_auscert

ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-97.09.Solaris.passwd.buffer.overrun.vul

Scores

EPSS 0.0084

EPSS Percentile 53.2%

Details

Status published

Products (4)

sun/sunos 5.3

sun/sunos 5.4

sun/sunos 5.5

sun/sunos 5.5.1

Published May 13, 1997

Tracked Since Feb 18, 2026