CVE-2003-0609

Solaris 2.6-9 - Local Privilege Escalation via LD_PRELOAD Environment Variable


Exploitation Summary

EIP tracks 2 public exploits for CVE-2003-0609. PoCs published by Marco Ivaldi, osker178.

AI-analyzed exploit summary: This exploit leverages a stack-based buffer overflow in Solaris' ld.so.1 via a long LD_PRELOAD environment variable to achieve local privilege escalation. It uses a ret-into-ld.so technique to bypass non-executable stack protections and executes shellcode to spawn a root shell.

Description

Stack-based buffer overflow in the runtime linker, ld.so.1, on Solaris 2.6 through 9 allows local users to gain root privileges via a long LD_PRELOAD environment variable.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Marco Ivaldi · c · local · solaris
https://www.exploit-db.com/exploits/1182

This exploit leverages a stack-based buffer overflow in Solaris' ld.so.1 via a long LD_PRELOAD environment variable to achieve local privilege escalation. It uses a ret-into-ld.so technique to bypass non-executable stack protections and executes shellcode to spawn a root shell.

Classification
Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Solaris 2.6/7/8/9 (ld.so.1)
No auth needed
Prerequisites: Local access to a vulnerable Solaris system · GCC to compile the exploit
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by osker178 · c · local · solaris
https://www.exploit-db.com/exploits/114

This exploit targets a buffer overflow in the Solaris runtime linker (ld.so.1) on SPARC architecture, leveraging the LD_PRELOAD environment variable to execute arbitrary shellcode. The shellcode performs privilege escalation by calling setuid(0) and setreuid(0) before spawning a shell.

Classification
Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Solaris ld.so.1 (SPARC)
No auth needed
Prerequisites: Access to a vulnerable SPARC-based Solaris system · Ability to set environment variables (LD_PRELOAD)
devstral-2 · analyzed Feb 16, 2026

References (6)

Core References
Third Party Advisory, VDB Entry (xf): https://exchange.xforce.ibmcloud.com/vulnerabilities/12755
Mailing List (bugtraq): http://marc.info/?l=bugtraq&m=105951760418667&w=2
Third Party Advisory, VDB Entry, signature (oval): https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A3601
Third Party Advisory, VDB Entry (osvdb): http://www.osvdb.org/8722
Vendor Advisory (sunalert): http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/55680
Vendor Advisory, third-party-advisory (idefense): http://www.idefense.com/advisory/07.29.03.txt

Scores

EPSS 0.0352
EPSS Percentile 87.7%

Details

Status published
Products (7)
sun/solaris 2.6
sun/solaris 7.0
sun/solaris 8.0
sun/solaris 9.0 (2 CPE variants)
sun/sunos
sun/sunos 5.7
sun/sunos 5.8
Published Aug 27, 2003
Tracked Since Feb 18, 2026