CVE-2017-3630

MEDIUM

Solaris RSH Stack Clash Privilege Escalation

Title source: metasploit
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2017-3630. PoCs published by Metasploit, Qualys Corporation, Qualys Corporation, bcoles, including Metasploit module exploits/solaris/local/rsh_stack_clash_priv_esc.

AI-analyzed exploit summary This Metasploit module exploits the Stack Clash vulnerability (CVE-2017-3630) in Solaris RSH to achieve local privilege escalation by uploading and executing Qualys' Solaris_rsh.c exploit, which bypasses the stack guard page to create a SUID root shell.

Description

Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Kernel). Supported versions that are affected are 10 and 11. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Solaris executes to compromise Solaris. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Solaris accessible data as well as unauthorized read access to a subset of Solaris accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Solaris. CVSS 3.0 Base Score 5.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · rubylocalsolaris
https://www.exploit-db.com/exploits/45625

This Metasploit module exploits the Stack Clash vulnerability (CVE-2017-3630) in Solaris RSH to achieve local privilege escalation by uploading and executing Qualys' Solaris_rsh.c exploit, which bypasses the stack guard page to create a SUID root shell.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Oracle Solaris 11.1 and 11.3 (x86)
No auth needed
Prerequisites: gcc installed · RSH binary setuid · writable directory
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Qualys Corporation · clocalsolaris_x86
https://www.exploit-db.com/exploits/42270

This exploit targets a buffer overflow vulnerability in Solaris rsh (CVE-2017-3631) to achieve local privilege escalation. It uses carefully crafted environment variables and stack manipulation to execute shellcode, potentially granting root access.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Oracle Solaris 11.1/11.3 (x86) rsh
No auth needed
Prerequisites: Local access to a vulnerable Solaris system · Presence of /usr/bin/rsh with specific versions
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC GOOD
by Qualys Corporation, bcoles · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/solaris/local/rsh_stack_clash_priv_esc.rb

This Metasploit module exploits the Stack Clash vulnerability (CVE-2017-3630) in Solaris RSH to achieve local privilege escalation by uploading and executing Qualys' Solaris_rsh.c exploit, which bypasses stack guard pages to create a SUID root shell.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Moderate
Reliability
Racy
Target: Oracle Solaris 11.1 and 11.3 (x86) with vulnerable RSH
No auth needed
Prerequisites: Setuid RSH binary · GCC installed on target · Write access to a directory (e.g., /tmp)
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/99153
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/45625/
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/42270/

Scores

CVSS v3 5.3
EPSS 0.0940
EPSS Percentile 93.0%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-787
Status published
Products (4)
oracle/solaris 10
oracle/solaris 11
Oracle Corporation/Solaris Operating System 10
Oracle Corporation/Solaris Operating System 11
Published Jun 22, 2017
Tracked Since Feb 18, 2026