CVE-2010-3895

IBM OmniFind Enterprise Edition < 9.1 - Local Privilege Escalation via esRunCommand

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2010-3895. PoCs published by Fatih Kilic.

AI-analyzed exploit summary This exploit leverages two SUID binaries (`esRunCommand` and `estaskwrapper`) in IBM software to escalate privileges to root. The `esRunCommand` directly executes commands as root, while `estaskwrapper` can be tricked into executing a malicious binary named `estasklight` via environment variable manipulation.

Description

esRunCommand in IBM OmniFind Enterprise Edition before 9.1 allows local users to gain privileges by specifying an arbitrary command name as the first argument.

Exploits (1)

exploitdb WORKING POC

by Fatih Kilic · textlocalmultiple

https://www.exploit-db.com/exploits/15475

View Code ZIP pw:eip

This exploit leverages two SUID binaries (`esRunCommand` and `estaskwrapper`) in IBM software to escalate privileges to root. The `esRunCommand` directly executes commands as root, while `estaskwrapper` can be tricked into executing a malicious binary named `estasklight` via environment variable manipulation.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Trivial

Reliability

Reliable

Target: IBM software (specific version not mentioned)

No auth needed

Prerequisites: Access to the system with the vulnerable IBM software installed · Presence of SUID binaries `/opt/IBM/es/bin/esRunCommand` and `/opt/IBM/es/bin/estaskwrapper`

MITRE ATT&CK

T1548.001 - Setuid and Setgid T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →