CVE-2000-0317

Solaris 7 - Local Buffer Overflow via lpset -r Option

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2000-0317. PoCs published by Theodor Ragnar Gislason, DiGiT.

AI-analyzed exploit summary This exploit targets a buffer overflow vulnerability in the undocumented -r option of the lpset program in Solaris 7. It crafts a malicious buffer to overwrite the stack and execute arbitrary commands as root by leveraging hardcoded addresses for system(), setuid(), and /bin/sh.

Description

Buffer overflow in Solaris 7 lpset allows local users to gain root privileges via a long -r option.

Exploits (3)

exploitdb WORKING POC VERIFIED

by Theodor Ragnar Gislason · clocalsolaris

https://www.exploit-db.com/exploits/19874

View Code ZIP pw:eip

This exploit targets a buffer overflow vulnerability in the undocumented -r option of the lpset program in Solaris 7. It crafts a malicious buffer to overwrite the stack and execute arbitrary commands as root by leveraging hardcoded addresses for system(), setuid(), and /bin/sh.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Solaris 7 lpset

No auth needed

Prerequisites: Access to a vulnerable Solaris 7 system with lpset installed · Ability to execute the compiled exploit binary

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by Theodor Ragnar Gislason · clocalsolaris

https://www.exploit-db.com/exploits/19873

View Code ZIP pw:eip

This exploit targets a buffer overflow vulnerability in the undocumented -r option of the lpset program in Solaris 7. It uses a crafted buffer with SPARC shellcode to execute arbitrary commands as root by overwriting the return address.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Solaris 7 lpset

No auth needed

Prerequisites: Access to a vulnerable Solaris 7 system with lpset installed

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by DiGiT · clocalsolaris

https://www.exploit-db.com/exploits/19872

View Code ZIP pw:eip

This exploit targets a buffer overflow vulnerability in the undocumented -r option of the lpset program in Solaris 2.7. It uses a crafted buffer with shellcode to execute arbitrary commands as root.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Solaris 2.7 lpset

No auth needed

Prerequisites: Access to a vulnerable Solaris 2.7 system · Ability to execute the lpset binary

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Mailing List mailing-list x_refsource_bugtraq

http://marc.info/?l=bugtraq&m=95729763119559&w=2

Exploit, Patch, Vendor Advisory vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/1138

Vendor Advisory mailing-list x_refsource_bugtraq

http://archives.neohapsis.com/archives/bugtraq/2000-04/0236.html

Exploit, Vendor Advisory mailing-list x_refsource_bugtraq

http://archives.neohapsis.com/archives/bugtraq/2000-04/0192.html

Scores

EPSS 0.0122

EPSS Percentile 64.8%

Details

Status published

Products (4)

sun/solaris 2.6

sun/solaris 7.0

sun/sunos

sun/sunos 5.7

Published Apr 24, 2000

Tracked Since Feb 18, 2026