CVE-1999-1191

Solaris 2.5.1 - Privilege Escalation

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-1999-1191. PoCs published by Adam Morrison, Joe Zbiciak.

AI-analyzed exploit summary This exploit leverages a buffer overflow in the `chkey` program (setuid root) to overwrite stdio's `iob[]` array, enabling arbitrary memory writes and execution of a shellcode payload. It targets SPARC systems and requires precise calculation of library addresses and PLT offsets.

Description

Buffer overflow in chkey in Solaris 2.5.1 and earlier allows local users to gain root privileges via a long command line argument.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Adam Morrison · clocalsolaris
https://www.exploit-db.com/exploits/19160

This exploit leverages a buffer overflow in the `chkey` program (setuid root) to overwrite stdio's `iob[]` array, enabling arbitrary memory writes and execution of a shellcode payload. It targets SPARC systems and requires precise calculation of library addresses and PLT offsets.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: chkey (Solaris)
No auth needed
Prerequisites: SPARC architecture · Knowledge of library addresses · Access to vulnerable `chkey` binary
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Joe Zbiciak · bashlocalsolaris
https://www.exploit-db.com/exploits/332

This exploit targets a buffer overflow vulnerability in Solaris 2.5.1's /usr/bin/ps. It manipulates environment variables and crafted input to overwrite critical structures, leading to arbitrary code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Solaris 2.5.1 /usr/bin/ps
No auth needed
Prerequisites: Access to a vulnerable Solaris 2.5.1 system · Ability to compile and execute the exploit code
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5
Core References
Third Party Advisory vdb-entry x_refsource_xf
http://www.iss.net/security_center/static/7442.php
Patch, Vendor Advisory vendor-advisory x_refsource_sun
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/144
Exploit, Patch, Vendor Advisory vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/207
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=87602167418335&w=2
Patch, Third Party Advisory, US Government Resource third-party-advisory x_refsource_auscert
ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-97.18.solaris.chkey.buffer.overflow.vul

Scores

EPSS 0.0194
EPSS Percentile 77.5%

Details

Status published
Products (6)
sun/solaris 2.4
sun/solaris 2.5
sun/solaris 2.5.1
sun/sunos 5.4
sun/sunos 5.5
sun/sunos < 5.5.1
Published May 19, 1997
Tracked Since Feb 18, 2026