VYPR
Unrated severity · NVD Advisory · Published Aug 9, 1999 · Updated Apr 16, 2026

CVE-1999-0674

Description

The BSD profil system call allows local users to modify program data space via profiling and execve, potentially altering program behavior.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The profil(2) system call, present in older Unix versions and some BSD systems, allows a process to sample its program counter (PC) and increment an array element on each profile clock tick. The vulnerability arises because profiling is not disabled when a process uses execve(2) to execute a new program image. This allows a local user to control the size and location of the profiling array and scale factor, potentially arranging for an arbitrary 16-bit virtual address to be incremented. Affected systems include NetBSD 1.4, OpenBSD 2.5, and Solaris 7.0 [1].

Exploitation

An attacker with local access and knowledge of memory addresses used by privileged programs could construct an exploit. The profil(2) system call allows an attacker to arrange for an arbitrary 16-bit program virtual address to be incremented on each profile clock tick. If a program stores system call results in memory locations, this mechanism could theoretically alter the outcome of security-related system calls or library functions by changing values like -1 to 0 or 0 to 1 [1].

Impact

While unlikely, it is theoretically possible for an attacker to modify the internal data space of a program. This could lead to security failures if critical values, such as return codes from system calls, are stored in memory locations that are also used by the profiling array. The attacker could potentially turn a success into a failure or vice versa, impacting the program's security behavior [1].

Mitigation

It is recommended to upgrade to patched versions of the affected operating systems. Specific patched versions and release dates are not detailed in the available references. Some systems, like Solaris, may have partial fixes that do not disable profiling unless the new image is owned by a different user. No workarounds or EOL status are disclosed in the provided references [1].

AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (27)

  • NetBSD/NetBSD (9 versions)
    • cpe:2.3:o:netbsd:netbsd:1.0:*:*:*:*:*:*:*
    • cpe:2.3:o:netbsd:netbsd:1.1:*:*:*:*:*:*:*
    • cpe:2.3:o:netbsd:netbsd:1.2:*:*:*:*:*:*:*
    • cpe:2.3:o:netbsd:netbsd:1.2.1:*:*:*:*:*:*:*
    • cpe:2.3:o:netbsd:netbsd:1.3:*:*:*:*:*:*:*
    • cpe:2.3:o:netbsd:netbsd:1.3.1:*:*:*:*:*:*:*
    • cpe:2.3:o:netbsd:netbsd:1.3.2:*:*:*:*:*:*:*
    • cpe:2.3:o:netbsd:netbsd:1.3.3:*:*:*:*:*:*:*
    • cpe:2.3:o:netbsd:netbsd:1.4:*:*:*:*:*:*:*
  • OpenBSD/OpenBSD (6 versions)
    • cpe:2.3:o:openbsd:openbsd:2.0:*:*:*:*:*:*:*
    • cpe:2.3:o:openbsd:openbsd:2.1:*:*:*:*:*:*:*
    • cpe:2.3:o:openbsd:openbsd:2.2:*:*:*:*:*:*:*
    • cpe:2.3:o:openbsd:openbsd:2.3:*:*:*:*:*:*:*
    • cpe:2.3:o:openbsd:openbsd:2.4:*:*:*:*:*:*:*
    • cpe:2.3:o:openbsd:openbsd:2.5:*:*:*:*:*:*:*
  • Sun/Solaris (4 versions)
    • cpe:2.3:o:sun:solaris:2.4:*:x86:*:*:*:*:*
    • cpe:2.3:o:sun:solaris:2.5:*:x86:*:*:*:*:*
    • cpe:2.3:o:sun:solaris:2.6:*:*:*:*:*:*:*
    • cpe:2.3:o:sun:solaris:7.0:*:x86:*:*:*:*:*
  • Sun/SunOS (8 versions)
    • cpe:2.3:o:sun:sunos:-:*:*:*:*:*:*:*
    • cpe:2.3:o:sun:sunos:5.1:*:*:*:*:*:*:*
    • cpe:2.3:o:sun:sunos:5.2:*:*:*:*:*:*:*
    • cpe:2.3:o:sun:sunos:5.3:*:*:*:*:*:*:*
    • cpe:2.3:o:sun:sunos:5.4:*:*:*:*:*:*:*
    • cpe:2.3:o:sun:sunos:5.5:*:*:*:*:*:*:*
    • cpe:2.3:o:sun:sunos:5.5.1:*:*:*:*:*:*:*
    • cpe:2.3:o:sun:sunos:5.7:*:*:*:*:*:*:*

Patches (0)

No patches discovered yet.

Vulnerability mechanics

Root cause

"The profil system call does not disable profiling when a process executes a new program image."

Attack vector

A local user can exploit this vulnerability by leveraging the profil system call. The system call arranges for the kernel to sample the program counter (PC) and increment an element of an array on each profile clock tick. Since profiling is not turned off during execve, an attacker can control the size and location of this array to increment an arbitrary 16-bit program virtual address. This could potentially alter the behavior of security-sensitive system calls or library functions if their return values are stored in memory locations that the attacker can target.

Affected code

The vulnerability lies within the profil(2) system call, which is described as dating back to "version 6" Unix. The issue arises because profiling is not disabled when a process uses execve(2) to execute a new program image.

What the fix does

The advisory does not specify a patch or remediation steps. However, it implies that the vulnerability can be mitigated by ensuring that profiling is turned off when a process uses execve(2) to run another program image, especially if the new image is owned by a different user.
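The mechanism from the Attack vector paragraph and the fix described above, modelled in user space as an added example (not code from the advisory or from any BSD kernel): profil(2) records a buffer, offset and scale chosen by the process, each clock tick maps the sampled pc to a 16-bit counter and increments it, and the vulnerable execve leaves that state in place while the fixed one clears it. The `struct uprof` field names and the index formula are assumptions modelled on 4.4BSD-derived kernels, not taken from the page.

```c
#include <stddef.h>
#include <stdint.h>
/* Added illustration, not code from the advisory or any BSD kernel. Field
 * names follow the 4.4BSD-derived struct uprof and the index formula is
 * that of its addupc routine; both are assumptions, not from the page. */
struct uprof {
    uint16_t *base;   /* user buffer of 16-bit tick counters      */
    size_t    size;   /* buffer size in bytes                      */
    uintptr_t off;    /* lowest pc the buffer covers               */
    unsigned  scale;  /* 16-bit fixed-point fraction; 0 or 1 = off */
};
/* profil(2): the process itself chooses buffer, size, offset and scale. */
static void sys_profil(struct uprof *p, uint16_t *buf, size_t size,
                       uintptr_t off, unsigned scale) {
    p->base = buf; p->size = size; p->off = off; p->scale = scale;
}
/* Byte index in the buffer a sampled pc maps to, or -1 if out of range. */
static long pc_to_index(uintptr_t off, unsigned scale, size_t size,
                        uintptr_t pc) {
    if (scale <= 1 || pc < off) return -1;
    uint64_t i = (((uint64_t)(pc - off) * scale) >> 16) & ~(uint64_t)1;
    return i < size ? (long)i : -1;
}
/* Profile clock tick: bump the 16-bit counter that the pc maps to. */
static int profile_tick(const struct uprof *p, uintptr_t pc) {
    long i = pc_to_index(p->off, p->scale, p->size, pc);
    if (i < 0) return 0;
    (*(uint16_t *)((char *)p->base + i))++;
    return 1;
}
/* execve(2), vulnerable form: the profiling description is inherited, so
 * the kernel keeps writing counters into the new image's address space. */
static void execve_vulnerable(struct uprof *p) { (void)p; }
/* execve(2), fixed form: profiling is switched off before the new image runs. */
static void execve_fixed(struct uprof *p) { p->scale = 0; }
/* Install profiling, exec, then let the clock tick n times while the new
 * image runs at pc == off. `status` stands for a 16-bit variable of the new
 * image that sits at the address the old buffer described (constructed). */
static uint16_t status_after_exec(int fixed, unsigned n) {
    uint16_t status = 0;
    struct uprof prof;
    sys_profil(&prof, &status, sizeof status, 0x1000, 0x10000);
    if (fixed) execve_fixed(&prof); else execve_vulnerable(&prof);
    for (unsigned k = 0; k < n; k++) profile_tick(&prof, 0x1000);
    return status;
}
```

With the vulnerable execve the new image's variable is silently incremented once per tick; with the fixed execve it stays untouched, which is the behaviour a patched kernel must show.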

Preconditions

  • auth: The attacker must have local access to the system.
  • input: The attacker needs knowledge of specific memory addresses used by privileged programs to construct a successful exploit.

Reproduction

The reference write-up provides C code that can be used to test for the vulnerability. If the program prints 'Counting!', the system is vulnerable. The code can be compiled and executed directly, or with modifications to test scenarios involving different user ownership and setuid programs.

Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (2)

News mentions (0)

No linked articles in our index yet.