CVE-2007-5225

SunOS 8-10 - Unauthenticated Memory Read via FIFO I_PEEK ioctl

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2007-5225. PoCs published by Marco Ivaldi, qaaz.

AI-analyzed exploit summary This exploit leverages an integer signedness error in Solaris FIFO filesystems (named pipes) via a negative value passed to the I_PEEK ioctl, allowing local users to read kernel memory contents. The PoC dumps the leaked memory to a specified file.

Description

Integer signedness error in FIFO filesystems (named pipes) on Sun Solaris 8 through 10 allows local users to read the contents of unspecified memory locations via a negative maximum length value to the I_PEEK ioctl.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Marco Ivaldi · clocalsolaris
https://www.exploit-db.com/exploits/5227

This exploit leverages an integer signedness error in Solaris FIFO filesystems (named pipes) via a negative value passed to the I_PEEK ioctl, allowing local users to read kernel memory contents. The PoC dumps the leaked memory to a specified file.

Classification
Working Poc 100%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Solaris 8, 9, 10 (SPARC and x86)
No auth needed
Prerequisites: Local access to a vulnerable Solaris system
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by qaaz · clocalsolaris
https://www.exploit-db.com/exploits/4516

This exploit leverages a Solaris fifofs I_PEEK kernel memory disclosure vulnerability to read arbitrary kernel memory. It creates a FIFO, manipulates memory protections, and uses the I_PEEK ioctl to dump kernel memory contents.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Solaris (versions 8, 9, 10 without specific patches)
No auth needed
Prerequisites: Unpatched Solaris system (Solaris 8, 9, or 10 without the specified patches) · Ability to execute code on the target system
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (13)

Core 13
Core References
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/481501/100/0/threaded
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/27654
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/5227
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/27024
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/25905
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2007/3339
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/36918
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/4516
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2170
Vendor Advisory vendor-advisory x_refsource_sunalert
http://sunsolve.sun.com/search/document.do?assetkey=1-26-103061-1
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1018766
Third Party Advisory third-party-advisory x_refsource_idefense
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=603

Scores

EPSS 0.0097
EPSS Percentile 57.3%

Details

CWE
CWE-189
Status published
Products (3)
sun/sunos 5.8
sun/sunos 5.9
sun/sunos 5.10
Published Oct 05, 2007
Tracked Since Feb 18, 2026