VYPR
Unrated severity · NVD Advisory · Published Aug 1, 1997 · Updated Apr 16, 2026

CVE-1999-0301

Description

A buffer overflow in the SunOS/Solaris ps command allows local users to gain root privileges by exploiting the setuid binary.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A buffer overflow vulnerability exists in the ps command on SunOS and Solaris systems. This flaw arises from insufficient bounds checking on arguments passed to the ps program, allowing an attacker to overwrite its internal data space. The ps command is typically setuid root, making it a target for privilege escalation.

Exploitation

An attacker with local user access to the affected system can exploit this vulnerability. The exploit involves crafting specific arguments to the ps command. The provided exploit code [1] demonstrates how to create a malicious message catalog file and then use ps with arguments that trigger the buffer overflow, ultimately leading to the execution of arbitrary code.

Impact

Successful exploitation of this vulnerability allows a local attacker to gain root privileges on the affected system. This means the attacker can execute any command with the highest level of system access, potentially compromising the entire system.

Mitigation

This vulnerability affects Solaris 2.5.1. Patches or updated versions that address this specific buffer overflow in the ps command are required. Users should upgrade to a secure version of the operating system. No specific fixed version or release date is available in the provided references, and no workarounds are detailed.

AI Insight generated on Jun 5, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (9)

  • cpe:2.3:o:sun:solaris:2.4:*:x86:*:*:*:*:*
  • cpe:2.3:o:sun:solaris:2.5.1:*:x86:*:*:*:*:*
  • cpe:2.3:o:sun:solaris:2.5:*:x86:*:*:*:*:*
  • (no CPE)
  • cpe:2.3:o:sun:sunos:5.3:*:*:*:*:*:*:*
  • cpe:2.3:o:sun:sunos:5.4:*:*:*:*:*:*:*
  • cpe:2.3:o:sun:sunos:5.5:*:*:*:*:*:*:*
  • cpe:2.3:o:sun:sunos:5.5.1:*:*:*:*:*:*:*
  • (no CPE)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

Root cause

"The `ps` command does not perform sufficient bounds checking on arguments, allowing a buffer overflow."

Attack vector

An attacker can exploit this vulnerability by supplying specially crafted arguments to the `ps` command. The `ps` command, being setuid root, is susceptible to this overflow. This allows an unprivileged user to overwrite the program's internal data space, potentially leading to arbitrary code execution with root privileges [ref_id=1]. The exploit involves creating a malicious `.po` file and a C program that leverages `execle` to call `ps` with a buffer containing the overflow data and a manipulated environment variable [ref_id=1].

Affected code

The vulnerability exists in the `ps` command, specifically in how it handles arguments. The exploit targets the `ps` program, which is typically located at `/usr/bin/ps` and is setuid root, making it a critical target for privilege escalation [ref_id=1]. The exploit code manipulates the `NLSPATH` environment variable to point to a crafted message catalog file, which `ps` then parses, leading to the overflow.

What the fix does

The advisory does not provide a patch. However, it suggests a workaround involving a wrapper program that filters environment variables and limits argument lengths passed to the `ps` command. This wrapper aims to prevent the exploitation of the buffer overflow vulnerability by sanitizing inputs before they reach the vulnerable `ps` binary [ref_id=1].
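To make the workaround concrete, the following is an added example of the wrapper approach described above. It is written for this page and is not the advisory's, Sun's, or the reference's own code. It keeps only an allowlist of environment variables (so NLSPATH never reaches ps), refuses any argument longer than a fixed cap, and only then execs the real binary. The path `/usr/lib/ps.real`, the allowlist `PATH`/`TERM`/`COLUMNS`/`TZ`, and the 64-byte cap are choices made for this example, not values from the advisory; the wrapper assumes the real ps has been moved to that path and that the wrapper is installed at `/usr/bin/ps` in its place, carrying the setuid bit the real ps used to have.

```c
/* Added example: a setuid wrapper of the kind the advisory's workaround
 * describes. It keeps only an allowlist of environment variables (so
 * NLSPATH never reaches ps), rejects over-long arguments, and only then
 * execs the real ps. REAL_PS, the allowlist and MAX_ARG_LEN are choices
 * made for this example, not values from the advisory. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

#define REAL_PS     "/usr/lib/ps.real"  /* hypothetical: where the real binary was moved */
#define MAX_ARG_LEN 64                  /* ps options are short; anything longer is refused */
#define MAX_ENV     16                  /* room for the allowlisted entries plus NULL */

/* Variables a ps invocation legitimately needs; everything else is dropped. */
static const char *const allowed_env[] = { "PATH", "TERM", "COLUMNS", "TZ", NULL };

/* Return 1 if entry ("NAME=value") has an allowlisted NAME, else 0. */
int env_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL)
        return 0;                       /* malformed entry: drop it */
    size_t name_len = (size_t)(eq - entry);
    for (size_t i = 0; allowed_env[i] != NULL; i++) {
        if (strlen(allowed_env[i]) == name_len &&
            memcmp(allowed_env[i], entry, name_len) == 0)
            return 1;
    }
    return 0;
}

/* Copy allowlisted entries from env_in to env_out and NULL-terminate.
 * Returns the number kept, or -1 if cap leaves no room for them plus NULL. */
int filter_env(char *const env_in[], char *env_out[], size_t cap)
{
    size_t n = 0;
    if (cap == 0)
        return -1;
    for (size_t i = 0; env_in[i] != NULL; i++) {
        if (!env_allowed(env_in[i]))
            continue;
        if (n + 1 >= cap)               /* keep one slot for the terminating NULL */
            return -1;
        env_out[n++] = env_in[i];
    }
    env_out[n] = NULL;
    return (int)n;
}

/* Return 1 if every argument after argv[0] is at most MAX_ARG_LEN bytes. */
int args_ok(int argc, char *const argv[])
{
    for (int i = 1; i < argc; i++)
        if (strlen(argv[i]) > MAX_ARG_LEN)
            return 0;
    return 1;
}

int main(int argc, char *argv[])
{
    char *clean_env[MAX_ENV];

    if (!args_ok(argc, argv)) {
        fprintf(stderr, "ps: argument too long\n");
        return 1;
    }
    if (filter_env(environ, clean_env, MAX_ENV) < 0) {
        fprintf(stderr, "ps: too many environment variables\n");
        return 1;
    }
    argv[0] = REAL_PS;
    execve(REAL_PS, argv, clean_env);
    perror("execve");                   /* only reached if the exec failed */
    return 1;
}
```

An allowlist is used rather than a denylist of known-dangerous names so that variables nobody thought of are dropped too; dropping the locale variables along with NLSPATH means ps falls back to its default message catalog, which is the intended effect. Because the wrapper inherits the setuid bit, it deliberately does nothing beyond the two checks and the exec.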

Preconditions

  • input: Specially crafted arguments supplied to the `ps` command.
  • config: The `ps` command must be setuid root.

Generated on Jun 5, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (1)
