CVE-2017-3629

HIGH

Oracle Sun Systems Products Suite Kernel - Takeover

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2017-3629. PoCs published by Metasploit, Qualys Corporation.

AI-analyzed exploit summary This Metasploit module exploits the Stack Clash vulnerability (CVE-2017-3630) in Solaris RSH to achieve local privilege escalation by uploading and executing Qualys' Solaris_rsh.c exploit, which bypasses the stack guard page to create a SUID root shell.

Description

Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Kernel). Supported versions that are affected are 10 and 11. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Solaris executes to compromise Solaris. Successful attacks of this vulnerability can result in takeover of Solaris. CVSS 3.0 Base Score 7.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Exploits (2)

exploitdb WORKING POC VERIFIED

by Metasploit · rubylocalsolaris

https://www.exploit-db.com/exploits/45625

View Code ZIP pw:eip

This Metasploit module exploits the Stack Clash vulnerability (CVE-2017-3630) in Solaris RSH to achieve local privilege escalation by uploading and executing Qualys' Solaris_rsh.c exploit, which bypasses the stack guard page to create a SUID root shell.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Oracle Solaris 11.1 and 11.3 (x86)

No auth needed

Prerequisites: gcc installed · RSH binary setuid · writable directory

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1548.001 - Setuid and Setgid

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by Qualys Corporation · clocalsolaris_x86

https://www.exploit-db.com/exploits/42270

View Code ZIP pw:eip

This exploit targets a buffer overflow vulnerability in Solaris rsh (CVE-2017-3631) to achieve local privilege escalation. It uses carefully crafted environment variables and stack manipulation to execute shellcode, potentially granting root access.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Complex

Reliability

Reliable

Target: Oracle Solaris 11.1/11.3 (x86) rsh

No auth needed

Prerequisites: Local access to a vulnerable Solaris system · Presence of /usr/bin/rsh with specific versions

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Exploit, Third Party Advisory exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/45625/

Patch, Vendor Advisory x_refsource_confirm

http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-3629-3757403.html

Exploit, Third Party Advisory exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/42270/

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/99150

Scores

CVSS v3 7.8

EPSS 0.3207

EPSS Percentile 97.0%

Attack Vector LOCAL

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-119

Status published

Products (4)

oracle/solaris 10

oracle/solaris 11

Oracle Corporation/Solaris Operating System 10

Oracle Corporation/Solaris Operating System 11

Published Jun 22, 2017

Tracked Since Feb 18, 2026