CVE-2020-2944

HIGH

Oracle Solaris <11 - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-2944. PoCs published by Marco Ivaldi.

AI-analyzed exploit summary This exploit leverages a buffer overflow in the _SanityCheck() function of Oracle Solaris Common Desktop Environment (CDE) 1.6 to achieve local privilege escalation. It uses the ret-into-ld.so technique to bypass non-executable stack protections and executes shellcode to gain root privileges.

Description

Vulnerability in the Oracle Solaris product of Oracle Systems (component: Common Desktop Environment). Supported versions that are affected are 10 and 11. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Solaris. CVSS 3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

Exploits (1)

exploitdb WORKING POC

by Marco Ivaldi · clocalsolaris

https://www.exploit-db.com/exploits/48359

View Code ZIP pw:eip

This exploit leverages a buffer overflow in the _SanityCheck() function of Oracle Solaris Common Desktop Environment (CDE) 1.6 to achieve local privilege escalation. It uses the ret-into-ld.so technique to bypass non-executable stack protections and executes shellcode to gain root privileges.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Oracle Solaris Common Desktop Environment 1.6 (CDE) on Solaris 10 1/13 (Update 11) and earlier

No auth needed

Prerequisites: Local access to a vulnerable Solaris system with CDE installed · Ability to execute the exploit binary

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Patch, Vendor Advisory x_refsource_misc

https://www.oracle.com/security-alerts/cpuapr2020.html

Exploit, Mailing List, Third Party Advisory mailing-list x_refsource_mlist

http://www.openwall.com/lists/oss-security/2020/04/15/3

Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc

http://seclists.org/fulldisclosure/2020/Apr/25

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/157280/Common-Desktop-Environment-1.6-Local-Privilege-Escalation.html

Scores

CVSS v3 8.8

EPSS 0.0059

EPSS Percentile 69.8%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-120

Status published

Products (2)

oracle/solaris 10

oracle/solaris 11

Published Apr 15, 2020

Tracked Since Feb 18, 2026