CVE-2001-0095

Solaris 2.7-2.8 - Local Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 4 public exploits for CVE-2001-0095. PoCs published by lwc, Shane Hird, Vapid Labs.

AI-analyzed exploit summary: This exploit targets a race condition in catman (CVE-2001-0095) by monitoring the process list for catman, predicting its PID, and creating a symlink in /tmp to overwrite /etc/passwd. It relies on system speed and process load timing.

Description

catman in Solaris 2.7 and 2.8 allows local users to overwrite arbitrary files via a symlink attack on the sman_PID temporary file.

Exploits (4)

exploitdb WORKING POC VERIFIED
by lwc · perl · dos · solaris
https://www.exploit-db.com/exploits/235

This exploit targets a race condition in catman (CVE-2001-0095) by monitoring the process list for catman, predicting its PID, and creating a symlink in /tmp to overwrite /etc/passwd. It relies on system speed and process load timing.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Moderate
Reliability: Racy
Target: catman on Solaris 2.7 (and possibly other versions)
No auth needed
Prerequisites: Access to a system with vulnerable catman · Ability to execute scripts and create symlinks in /tmp
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Shane Hird · perl · dos · windows
https://www.exploit-db.com/exploits/233

This exploit leverages a race condition in the `catman` utility on Solaris 2.7, which insecurely creates files in `/tmp` with names based on its PID. The script creates symlinks in `/tmp` to a target file (e.g., `/etc/passwd`) and monitors for `catman` execution to overwrite the target file.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Moderate
Reliability: Racy
Target: Solaris 2.7 catman (August 2000 patch cluster)
No auth needed
Prerequisites: Access to a system with vulnerable `catman` · Ability to create symlinks in `/tmp` · Timing alignment with `catman` execution by root
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Vapid Labs · perl · local · solaris
https://www.exploit-db.com/exploits/20521

This exploit leverages a symbolic link race condition in Solaris's catman utility to overwrite arbitrary files. It monitors the process list for catman, predicts the temporary file name based on PID, and creates a symlink to a target file (e.g., /etc/passwd) to achieve file corruption or privilege escalation.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Moderate
Reliability: Racy
Target: Solaris catman (Solaris 2.7 and earlier)
No auth needed
Prerequisites: Local access to the Solaris system · catman utility installed · Write access to /tmp directory
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Vapid Labs · perl · local · solaris
https://www.exploit-db.com/exploits/20520

This exploit targets a symbolic link vulnerability in Solaris catman (CVE-2001-0095), allowing local users to overwrite arbitrary files by creating symlinks in /tmp. The script generates multiple symlinks to a target file (e.g., /etc/passwd) and monitors for catman execution to trigger the overwrite.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Racy
Target: Solaris catman (Solaris 2.7 and earlier)
Auth required
Prerequisites: Local access to the target system · Ability to create symlinks in /tmp · Knowledge of when catman will be executed by a privileged user
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/6024
Vendor Advisory mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-12/0313.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/5788

Scores

EPSS: 0.0057
EPSS Percentile: 42.7%

Details

Status: published
Products (2):
- sun/sunos 5.7
- sun/sunos 5.8
Published: Feb 12, 2001
Tracked Since: Feb 18, 2026