CVE-2001-0797

EXPLOITED

SGI IRIX - Buffer Overflow in Login via Telnet/Rlogin Arguments

Title source: llm

Exploitation Summary

CVE-2001-0797 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 11 public exploits from researchers including Metasploit, Marco Ivaldi and snooq, among them the Metasploit module exploits/solaris/telnet/ttyprompt.

AI-analyzed exploit summary: This exploit targets a buffer overflow vulnerability in System V derived /bin/login by sending a large number of arguments via dialup. It includes shellcode for Solaris SPARC systems to achieve remote code execution.

Description

Buffer overflow in login in various System V based operating systems allows remote attackers to execute arbitrary commands via a large number of arguments through services such as telnet and rlogin.

Exploits (11)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · linux
https://www.exploit-db.com/exploits/16928

This exploit targets a buffer overflow vulnerability in System V derived /bin/login by sending a large number of arguments via dialup. It includes shellcode for Solaris SPARC systems to achieve remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: System V derived /bin/login (Solaris 2.6 - 8 SPARC)
No auth needed
Prerequisites: Dialup access to the target system · Vulnerable version of /bin/login
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · solaris
https://www.exploit-db.com/exploits/16327

This exploit targets a buffer overflow in Solaris in.telnetd (CVE-2001-0797) to bypass authentication by manipulating the TTYPROMPT environment variable. It sends a crafted payload to execute arbitrary commands via a reverse shell or command injection.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Solaris in.telnetd (login application)
No auth needed
Prerequisites: Network access to target's telnet service (port 23) · Vulnerable Solaris version
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Marco Ivaldi · c · remote · solaris
https://www.exploit-db.com/exploits/716

This exploit targets a buffer overflow in the Solaris/SPARC login utility (CVE-2001-0797) via rlogin, bypassing non-executable stack protections by returning into the .bss section. It uses a crafted payload with shellcode to achieve remote command execution as root.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Solaris 2.5.1/2.6/7/8 (SPARC) /bin/login
No auth needed
Prerequisites: Network access to target's rlogin service (port 513) · Target must be running vulnerable Solaris version without patches
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by snooq · perl · remote · solaris
https://www.exploit-db.com/exploits/21179

This exploit targets a buffer overflow in the 'login' program (CVE-2001-0797) on UNIX systems descended from System V, such as Solaris/SunOS, HP-UX, AIX, IRIX, and Unixware. It manipulates environment variables to overwrite the 'fflag' and spawn a shell as the 'bin' user, potentially allowing privilege escalation.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: UNIX login (System V derived)
No auth needed
Prerequisites: Vulnerable version of 'login' program · Network access to the target system (typically via telnet)
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Jonathan S. · text · remote · solaris
https://www.exploit-db.com/exploits/57

This exploit leverages an integer overflow in the Solaris login process by setting the TTYPROMPT environment variable and sending a malformed username to bypass authentication. It grants unauthorized access to any non-root account without requiring a password.

Classification: Working PoC 90%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Solaris 5.8 (SunOS 5.8)
No auth needed
Prerequisites: Telnet access to the target system · Non-root account existence on the target
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by MC · ruby · remote · solaris
https://www.exploit-db.com/exploits/9917

This exploit targets a buffer overflow in Solaris in.telnetd (CVE-2001-0797) to bypass authentication by manipulating the TTYPROMPT environment variable. It sends a crafted payload to execute arbitrary commands via a reverse shell or command injection.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Solaris in.telnetd (login application)
No auth needed
Prerequisites: Network access to target's telnet service (port 23) · Vulnerable Solaris version
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Teso · c · remote · linux_sparc
https://www.exploit-db.com/exploits/346

This exploit targets a buffer overflow vulnerability in /bin/login on SPARC/x86 systems, allowing remote root access. It uses crafted telnet protocol negotiations and environment variables to trigger the overflow and execute shellcode.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: /bin/login (Solaris/SPARC/x86)
No auth needed
Prerequisites: Network access to vulnerable system · Vulnerable version of /bin/login
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by I)ruid · ruby · remote · solaris
https://www.exploit-db.com/exploits/10036

This exploit targets a buffer overflow vulnerability in System V derived /bin/login via dialup. It sends a crafted buffer with a return address and shellcode to achieve remote code execution on vulnerable Solaris systems.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: System V derived /bin/login (Solaris 2.6 - 8 SPARC)
No auth needed
Prerequisites: Dialup access to the target system · Vulnerable version of /bin/login
devstral-2 · analyzed Feb 16, 2026

vulncheck_xdb WORKING POC
remote
https://github.com/0xdea/exploits

This repository contains functional exploit code for CVE-2001-0797, a buffer overflow in Solaris rlogin, along with other exploits. The code is well-documented and includes multiple variants for different architectures.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Solaris 2.5.1, 2.6, 7, 8
No auth needed
Prerequisites: Access to a vulnerable Solaris system with rlogin enabled
devstral-2 · analyzed Feb 25, 2026

metasploit WORKING POC EXCELLENT
by MC, cazz · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/solaris/telnet/ttyprompt.rb

This Metasploit module exploits a buffer overflow in Solaris in.telnetd (CVE-2001-0797) to bypass authentication by sending a malformed TTYPROMPT request followed by a crafted username. It then executes a payload via command injection.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Solaris in.telnetd (login application)
No auth needed
Prerequisites: Network access to target's telnet service (port 23) · Target running vulnerable Solaris version
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC GOOD
by I)ruid · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/solaris/dialup/manyargs.rb

This Metasploit module exploits a buffer overflow in System V derived /bin/login by sending extraneous arguments over dialup. It targets Solaris 2.6-8 (SPARC) and delivers a shellcode payload to achieve remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: System V derived /bin/login (Solaris 2.6-8 SPARC)
No auth needed
Prerequisites: Dialup access to the target system · Vulnerable /bin/login version
devstral-2 · analyzed Feb 16, 2026

References (12)

Core References
Vendor Advisory vendor-advisory x_refsource_sun
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/213
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2025
Patch, Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert
http://www.cert.org/advisories/CA-2001-34.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/7284
Various Sources vendor-advisory x_refsource_aixapar
http://www-1.ibm.com/support/search.wss?rs=0&q=IY26221&apar=only
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=100844757228307&w=2
Vendor Advisory mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/246487
Vendor Advisory vendor-advisory x_refsource_sgi
ftp://patches.sgi.com/support/free/security/advisories/20011201-01-I
Exploit, Patch, Vendor Advisory vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/3681
Patch, Vendor Advisory third-party-advisory x_refsource_iss
http://xforce.iss.net/alerts/advise105.php
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/569272

Scores

EPSS 0.8408
EPSS Percentile 99.3%

Details

VulnCheck KEV 2017-06-20
Status published
Products (42)
hp/hp-ux 10.00
hp/hp-ux 10.01
hp/hp-ux 10.10
hp/hp-ux 10.20
hp/hp-ux 10.24
hp/hp-ux 11.00
hp/hp-ux 11.0.4
hp/hp-ux 11.11
ibm/aix 4.3
ibm/aix 4.3.1
... and 32 more
Published Dec 12, 2001
Tracked Since Feb 18, 2026