CVE-2017-3631

MEDIUM

Oracle Sun Systems Products Suite 11 - Privilege Escalation

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2017-3631. PoCs published by Metasploit, Qualys Corporation.

AI-analyzed exploit summary This Metasploit module exploits the Stack Clash vulnerability (CVE-2017-3630) in Solaris RSH to achieve local privilege escalation by uploading and executing Qualys' Solaris_rsh.c exploit, which bypasses the stack guard page to create a SUID root shell.

Description

Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Kernel). The supported version that is affected is 11. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Solaris executes to compromise Solaris. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Solaris accessible data as well as unauthorized read access to a subset of Solaris accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Solaris. CVSS 3.0 Base Score 5.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

Exploits (2)

exploitdb WORKING POC VERIFIED
by Metasploit · rubylocalsolaris
https://www.exploit-db.com/exploits/45625

This Metasploit module exploits the Stack Clash vulnerability (CVE-2017-3630) in Solaris RSH to achieve local privilege escalation by uploading and executing Qualys' Solaris_rsh.c exploit, which bypasses the stack guard page to create a SUID root shell.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Oracle Solaris 11.1 and 11.3 (x86)
No auth needed
Prerequisites: gcc installed · RSH binary setuid · writable directory
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Qualys Corporation · clocalsolaris_x86
https://www.exploit-db.com/exploits/42270

This exploit targets a buffer overflow vulnerability in Solaris rsh (CVE-2017-3631) to achieve local privilege escalation. It uses carefully crafted environment variables and stack manipulation to execute shellcode, potentially granting root access.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Oracle Solaris 11.1/11.3 (x86) rsh
No auth needed
Prerequisites: Local access to a vulnerable Solaris system · Presence of /usr/bin/rsh with specific versions
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4
Core References
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/45625/
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/99151
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/42270/

Scores

CVSS v3 5.3
EPSS 0.0940
EPSS Percentile 93.0%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-119
Status published
Products (2)
oracle/solaris 11
Oracle Corporation/Solaris Operating System 11
Published Jun 22, 2017
Tracked Since Feb 18, 2026