CVE-2005-2072

Solaris 8-10 - Privilege Escalation via LD_AUDIT Environment Variable

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2005-2072. PoCs published by Przemyslaw Frasunek.

AI-analyzed exploit summary This exploit leverages the LD_AUDIT environment variable to load a malicious shared library, executing shellcode that spawns a root shell via setuid() and execve() on Solaris 9 SPARC systems.

Description

The runtime linker (ld.so) in Solaris 8, 9, and 10 trusts the LD_AUDIT environment variable in setuid or setgid programs, which allows local users to gain privileges by (1) modifying LD_AUDIT to reference malicious code and possibly (2) using a long value for LD_AUDIT.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Przemyslaw Frasunek · clocalsolaris

https://www.exploit-db.com/exploits/1074

View Code ZIP pw:eip

This exploit leverages the LD_AUDIT environment variable to load a malicious shared library, executing shellcode that spawns a root shell via setuid() and execve() on Solaris 9 SPARC systems.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Solaris 9 SPARC

No auth needed

Prerequisites: Access to a Solaris 9 SPARC system · Ability to set environment variables

MITRE ATT&CK

T1574.006 - Dynamic Linker Hijacking T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by Przemyslaw Frasunek · clocalsolaris

https://www.exploit-db.com/exploits/1073

View Code ZIP pw:eip

This exploit leverages the LD_AUDIT environment variable to load a shared library containing shellcode, achieving local privilege escalation on vulnerable Solaris systems. The shellcode spawns a root shell when executed.