CVE-1999-1158
Published 1997-05-13
Priority P4 25, high, 7.2 CVSS 2.0
AV:L/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 0.84% (53.2th percentile)
Buffer overflow in (1) pluggable authentication module (PAM) on Solaris 2.5.1 and 2.5 and (2) unix_scheme in Solaris 2.4 and 2.3 allows local users to gain root privileges via programs that use these modules such as passwd, yppasswd, and nispasswd.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sun | sunos | — | — |
| sun | sunos | — | — |
| sun | sunos | — | — |
| sun | sunos | — | — |
No detection rules found.
Exploit-DB
Solaris 2.4 passwd / yppasswd / nispasswd - Local Overflow
exploitdb·1997-07-12
---
---------------------------- file newpass.c -------------------------------
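#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define hidden_passwd "/bin/hpasswd" /*change here ...*/
#define MAX_LENGTH 32
/* Wrapper run in place of passwd: it bounds the number and the length of the
   arguments before handing them to the real binary (hidden_passwd). */
int main(int argc, char *argv[])
{
    int i;
    char *args[10];
    if (argc < 10) /* leaves room for the terminating NULL in args[] */
    {
        args[0] = hidden_passwd;
        for (i = 1; i < argc; i++)
        {
            if (strlen(argv[i]) > MAX_LENGTH)
            {
                printf("You reached the maximum length in args\n");
                exit(0);
            }
            else args[i] = argv[i];
        }
        args[i] = (char *)0;
        execv(args[0], args);
    }
    else
    {
        printf("You reached the maximum number of args !\n");
    }
    return 1; /* reached only if execv failed or too many args were given */
}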
---------------------------- end newpass.c -----------------------------------
------------------------------ EXPLOITS ----------------------------------
------------------------------ lemon24.c --------------------------------
/*
Exploit for Solaris 2.4 ( it is a little and sub
Exploit-DB
Sun Solaris 2.5.1 PAM / unix_scheme - 'passwd' Local Privilege Escalation
exploitdb·1997-02-25
---
/*
source: https://www.securityfocus.com/bid/201/info
There is a buffer overflow condition on arguments in Pluggable Authentication Modules (PAM) and unix_scheme (5.4 and 5.3). Therefore, an unauthorized user could exploit this vulnerability via the passwd program to gain root access. Under SunOS 5.5.1, 5.5.1_x86, 5.5, 5.5_x86, yppasswd and nispasswd are hard links to the passwd program and therefore are also vulnerable. Under SunOS 5.4 and 5.3, passwd, yppasswd, and nispasswd are separate programs but they dynamically link unix_scheme and are affected.
*/
/*
This is for Solaris 2.5.(1) !
With argv[1] you can modify the stack offset (+-500) if you have troubles
...
*/
#include
#include
#include
#include
#de
No writeups or analysis indexed.
ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-97.09.Solaris.passwd.buffer.overrun.vul
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/139&type=0&nav=sec.sba