CVE-2003-1071

rpc.walld - Solaris 2.6-9 - Local Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2003-1071. PoCs published by Brant Roman.

AI-analyzed exploit summary This exploit leverages a vulnerability in the Solaris 'wall' client where closing stderr allows spoofing the 'From' field in broadcast messages. It writes a crafted message to a temporary file and uses 'wall' to send it, appearing as if it originated from a specified user@host.

Description

rpc.walld (wall daemon) for Solaris 2.6 through 9 allows local users to send messages to logged on users that appear to come from arbitrary user IDs by closing stderr before executing wall, then supplying a spoofed from header.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Brant Roman · clocalsolaris

https://www.exploit-db.com/exploits/22120

View Code ZIP pw:eip

This exploit leverages a vulnerability in the Solaris 'wall' client where closing stderr allows spoofing the 'From' field in broadcast messages. It writes a crafted message to a temporary file and uses 'wall' to send it, appearing as if it originated from a specified user@host.

Classification

Working Poc 90%

Attack Type

Other

Complexity

Trivial

Reliability

Reliable

Target: Solaris wall client (versions affected by CVE-2003-1071)

No auth needed

Prerequisites: Access to a Solaris system with the vulnerable 'wall' client · Ability to execute arbitrary commands on the target system

MITRE ATT&CK