CVE-2004-0360
Description
A non-specific vulnerability in Solaris passwd(1) allows local users to gain root privileges on Solaris 8.0 and 9.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A non-specific vulnerability in Solaris passwd(1) allows local users to gain root privileges on Solaris 8.0 and 9.0.
Vulnerability
The passwd(1) utility in Solaris 8.0 and 9.0 contains an unspecified vulnerability that can be leveraged by a local unprivileged user to escalate privileges. The exact nature of the bug is not disclosed but it resides in the passwd command, which is used to update authentication tokens. Patches resolve the issue: SPARC Solaris 8 requires patch 108993-32 or later, Solaris 9 requires 113476-11 or later; x86 Solaris 8 requires 108994-32 or later, and Solaris 9 requires 114242-07 or later [1][2].
Exploitation
A local unprivileged user can exploit this vulnerability. The specific attack vectors are not disclosed in available references, but the impact indicates that the user can gain root privileges. No network access or additional authentication beyond local system access is required [1].
Impact
Successful exploitation allows a local unprivileged user to gain root privileges on the affected system, resulting in full compromise of confidentiality, integrity, and availability [1].
Mitigation
Sun Microsystems released patches to address this issue. For SPARC Solaris 8, apply patch 108993-32 or later; for SPARC Solaris 9, apply patch 113476-11 or later. For x86 Solaris 8, apply patch 108994-32 or later; for x86 Solaris 9, apply patch 114242-07 or later. The original release date of the advisory was 2004-03-05 [1][2]. No workaround is provided in the references.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
6cpe:2.3:o:sun:solaris:8.0:*:x86:*:*:*:*:*+ 3 more
- cpe:2.3:o:sun:solaris:8.0:*:x86:*:*:*:*:*
- cpe:2.3:o:sun:solaris:9.0:*:sparc:*:*:*:*:*
- cpe:2.3:o:sun:solaris:9.0:*:x86:*:*:*:*:*
- (no CPE)range: = 9.0
- cpe:2.3:o:sun:sunos:5.8:*:*:*:*:*:*:*
- Range: = 8.0
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"The passwd program in Solaris 8 and 9 is vulnerable to privilege escalation through an unspecified attack vector."
Attack vector
A local user can exploit this vulnerability by providing specially crafted input to the `passwd` command. The exploit uses a ret-into-ld.so technique to bypass non-executable stack protection. This involves sending parameters to `passwd` that overwrite memory, leading to the execution of arbitrary code. The exploit requires the attacker to know the current password of a user on the system [ref_id=1].
Affected code
The vulnerability resides within the `passwd(1)` binary on Solaris 8.0 and 9.0. The exploit code references the `circ()` function indirectly and targets the `strcpy()` function within the dynamic linker (`ld.so.1`) as part of its exploitation technique [ref_id=1].
What the fix does
The advisory does not provide details on a specific patch or fix. However, it indicates that Solaris 8 systems with patch 108993-32 and Solaris 9 systems with patch 113476-11 are not vulnerable, suggesting these patches address the issue. The exact nature of the fix is not detailed in the provided information.
Preconditions
- authThe attacker must have local access to the affected system and know the current password of a user.
- inputThe attacker must be able to execute the `passwd` command with crafted arguments.
Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- www.securityfocus.com/bid/9757nvdPatchVendor Advisory
- www.kb.cert.org/vuls/id/694782nvdThird Party AdvisoryUS Government Resource
- marc.infonvd
- sunsolve.sun.com/pub-cgi/retrieve.plnvd
- www.ciac.org/ciac/bulletins/o-088.shtmlnvd
- exchange.xforce.ibmcloud.com/vulnerabilities/15327nvd
News mentions
0No linked articles in our index yet.