| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 6.9 | $0-$5k | 0.00 |
Summary
A vulnerability marked as critical has been reported in Sun Solaris 2.6/7.0/8.0. Affected by this issue is the function syslog of the component RPC Wall Daemon. Performing a manipulation results in format string.
This vulnerability was named CVE-2002-0573. In addition, an exploit is available.
Details
A vulnerability was found in Sun Solaris 2.6/7.0/8.0 (Operating System). It has been classified as critical. This affects the function syslog of the component RPC Wall Daemon. The manipulation with an unknown input leads to a format string vulnerability. CWE is classifying the issue as CWE-134. The product uses a function that accepts a format string as an argument, but the format string originates from an external source. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:
Format string vulnerability in RPC wall daemon (rpc.rwalld) for Solaris 2.5.1 through 8 allows remote attackers to execute arbitrary code via format strings in a message that is not properly provided to the syslog function when the wall command cannot be executed.
The weakness was presented 04/30/2002 by Gobbles as confirmed advisory (CERT.org). The advisory is shared at cert.org. This vulnerability is uniquely identified as CVE-2002-0573. The exploitability is told to be easy. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. Technical details and a exploit are known. The price for an exploit might be around USD $0-$5k at the moment (estimation calculated on 09/16/2025). It is expected to see the exploit prices for this product decreasing in the near future.
After immediately, there has been an exploit disclosed. It is declared as proof-of-concept. The vulnerability scanner Nessus provides a plugin with the ID 10950 (Solaris rpc.rwalld Remote Format String Arbitrary Code Execution), which helps to determine the existence of the flaw in a target environment. It is assigned to the family RPC and running in the context r. The commercial vulnerability scanner Qualys is able to test this issue with plugin 68531 (Sun Solaris rpc.rwalld Daemon Format String Vulnerability).
There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product. Attack attempts may be identified with Snort ID 12608. Furthermore it is possible to detect and prevent this kind of attack with TippingPoint and the filter 3504.
The vulnerability is also documented in the databases at X-Force (8971), Tenable (10950), SecurityFocus (BID 4639†), OSVDB (778†) and Vulnerability Center (SBV-1202†). Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Product
Type
Vendor
Name
Version
License
Support
- end of life (old version)
Website
- Vendor: https://www.oracle.com/sun/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 7.3VulDB Meta Temp Score: 6.9
VulDB Base Score: 7.3
VulDB Temp Score: 6.9
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Format stringCWE: CWE-134 / CWE-119
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Proof-of-Concept
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 10950
Nessus Name: Solaris rpc.rwalld Remote Format String Arbitrary Code Execution
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Context: 🔍
OpenVAS ID: 855227
OpenVAS Name: Solaris Update for in.dhcpd libresolv and BIND9 112837-20
OpenVAS File: 🔍
OpenVAS Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: no mitigation knownStatus: 🔍
0-Day Time: 🔍
Exploit Delay Time: 🔍
Snort ID: 12608
TippingPoint: 🔍
McAfee IPS: 🔍
McAfee IPS Version: 🔍
ISS Proventia IPS: 🔍
PaloAlto IPS: 🔍
Timeline
04/30/2002 🔍04/30/2002 🔍
04/30/2002 🔍
05/02/2002 🔍
07/03/2002 🔍
07/03/2002 🔍
09/12/2002 🔍
06/16/2003 🔍
07/11/2014 🔍
09/16/2025 🔍
Sources
Vendor: oracle.comAdvisory: cert.org
Researcher: Gobbles
Status: Confirmed
CVE: CVE-2002-0573 (🔍)
GCVE (CVE): GCVE-0-2002-0573
GCVE (VulDB): GCVE-100-18393
OVAL: 🔍
CERT: 🔍
X-Force: 8971
SecurityFocus: 4639 - Sun Solaris RWall Daemon Syslog Format String Vulnerability
OSVDB: 778 - Solaris rpc.rwalld Remote Format String Arbitrary Code Execution
Vulnerability Center: 1202 - Solaris RPC walld Allows Arbitrary Code Execution, Critical
scip Labs: https://www.scip.ch/en/?labs.20161013
Entry
Created: 07/11/2014 14:22Updated: 09/16/2025 02:20
Changes: 07/11/2014 14:22 (81), 05/09/2019 22:29 (3), 01/21/2025 07:48 (17), 09/16/2025 02:20 (4)
Complete: 🔍
Cache ID: 216::103
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
No comments yet. Languages: en.
Please log in to comment.