CVE-2005-1394

ArcGIS for ESRI ArcInfo Workstation 9.0 - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2005-1394. PoCs published by Kevin Finisterre.

AI-analyzed exploit summary: This exploit leverages a format string vulnerability in ESRI ArcGIS 9.x's wservice binary to overwrite the thr_jmp_table and achieve local privilege escalation on Solaris 10. It uses a carefully crafted environment variable to trigger the vulnerability and execute shellcode that spawns a root shell.

Description

Format string vulnerability in ArcGIS for ESRI ArcInfo Workstation 9.0 allows local users to gain privileges via format string specifiers in the ARCHOME environment variable to (1) wservice or (2) lockmgr.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Kevin Finisterre · c · local · solaris
https://www.exploit-db.com/exploits/972

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: ESRI ArcGIS 9.x (wservice binary)
No auth needed
Prerequisites: Local access to the target system · Presence of vulnerable ESRI ArcGIS 9.x installation · Solaris 10 environment
devstral-2 · analyzed Feb 16, 2026

References (5)

Core References
Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://marc.info/?l=full-disclosure&m=111489411524630&w=2
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/15196
Patch, Third Party Advisory x_refsource_misc
http://www.digitalmunition.com/DMA%5B2005-0425a%5D.txt
Broken Link, Patch, Third Party Advisory, VDB Entry, Vendor Advisory vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1013852

Scores

EPSS: 0.0083
EPSS Percentile: 52.7%

Details

CWE: CWE-134
Status: published
Products (1): esri/arcinfo_workstation 9.0
Published: May 03, 2005
Tracked Since: Feb 18, 2026