CVE-2000-1220
Description
The line printer daemon (lpd) in the lpr package allows local users to gain root privileges by passing arbitrary arguments to sendmail, such as -C to specify an alternate configuration file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The line printer daemon (lpd) in the lpr package allows local users to gain root privileges by passing arbitrary arguments to sendmail, such as -C to specify an alternate configuration file.
Vulnerability
The line printer daemon (lpd) in the lpr package on Linux systems (including Red Hat Linux 4.x, 5.x, and 6.x [2]) contains a flaw in how it processes control files for print jobs. The daemon allows an attacker to specify arbitrary command-line arguments to /usr/sbin/sendmail when delivering print job notifications. In particular, the -C option can be used to load an alternate sendmail configuration file, which can be crafted to execute arbitrary commands [1][2][3].
Exploitation
A local user can submit a print job with a specially crafted control file that includes the -C argument pointing to a malicious sendmail configuration. When lpd invokes sendmail to send a notification, the alternate configuration is loaded, leading to arbitrary command execution as root. Remote exploitation is also possible if the attacker can control DNS resolution to bypass host-based access controls, allowing them to send print jobs from an unauthorized host [2].
Impact
Successful exploitation allows an attacker to execute arbitrary commands with root privileges, resulting in full compromise of the affected system. The attacker can gain root shell access, install backdoors, or modify system files [2][3].
Mitigation
Red Hat released an advisory (RHSA-2000-002) with patches for affected versions [1]. Other vendors also provided fixes. Users should apply the appropriate patches from their Linux distribution. As a workaround, restrict network access to the lpd service (port 515) using firewalls, or disable the service if it is not required [3].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
32cpe:2.3:o:redhat:linux:4.0:*:*:*:*:*:*:*+ 7 more
- cpe:2.3:o:redhat:linux:4.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:linux:4.1:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:linux:4.2:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:linux:5.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:linux:5.1:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:linux:5.2:*:i386:*:*:*:*:*
- cpe:2.3:o:redhat:linux:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:linux:6.1:*:i386:*:*:*:*:*
cpe:2.3:o:sgi:irix:6.5:*:*:*:*:*:*:*+ 23 more
- cpe:2.3:o:sgi:irix:6.5:*:*:*:*:*:*:*
- cpe:2.3:o:sgi:irix:6.5.1:*:*:*:*:*:*:*
- cpe:2.3:o:sgi:irix:6.5.10:*:*:*:*:*:*:*
- cpe:2.3:o:sgi:irix:6.5.11:*:*:*:*:*:*:*
- cpe:2.3:o:sgi:irix:6.5.12:*:*:*:*:*:*:*
- cpe:2.3:o:sgi:irix:6.5.13:*:*:*:*:*:*:*
- cpe:2.3:o:sgi:irix:6.5.14f:*:*:*:*:*:*:*
- cpe:2.3:o:sgi:irix:6.5.14m:*:*:*:*:*:*:*
- cpe:2.3:o:sgi:irix:6.5.15f:*:*:*:*:*:*:*
- cpe:2.3:o:sgi:irix:6.5.15m:*:*:*:*:*:*:*
- cpe:2.3:o:sgi:irix:6.5.16f:*:*:*:*:*:*:*
- cpe:2.3:o:sgi:irix:6.5.16m:*:*:*:*:*:*:*
- cpe:2.3:o:sgi:irix:6.5.17f:*:*:*:*:*:*:*
- cpe:2.3:o:sgi:irix:6.5.17m:*:*:*:*:*:*:*
- cpe:2.3:o:sgi:irix:6.5.18f:*:*:*:*:*:*:*
- cpe:2.3:o:sgi:irix:6.5.18m:*:*:*:*:*:*:*
- cpe:2.3:o:sgi:irix:6.5.2:*:*:*:*:*:*:*
- cpe:2.3:o:sgi:irix:6.5.3:*:*:*:*:*:*:*
- cpe:2.3:o:sgi:irix:6.5.4:*:*:*:*:*:*:*
- cpe:2.3:o:sgi:irix:6.5.5:*:*:*:*:*:*:*
- cpe:2.3:o:sgi:irix:6.5.6:*:*:*:*:*:*:*
- cpe:2.3:o:sgi:irix:6.5.7:*:*:*:*:*:*:*
- cpe:2.3:o:sgi:irix:6.5.8:*:*:*:*:*:*:*
- cpe:2.3:o:sgi:irix:6.5.9:*:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"The line printer daemon (lpd) incorrectly trusts remote hosts and allows arbitrary sendmail arguments."
Attack vector
An attacker can exploit this vulnerability by sending specially crafted print jobs to an LPD server. The LPD server allows remote machines to print files without proper authentication if their reverse-resolved peer name matches the server's hostname [ref_id=1]. The attacker can then send multiple data files, including a disguised sendmail configuration file, and a control file that instructs LPD to invoke sendmail with specific options, such as '-C<alternateconfigfilepath>' [ref_id=1]. This allows sendmail to execute with arbitrary command-line arguments, potentially leading to privilege escalation.
Affected code
The vulnerability lies within the line printer daemon (lpd) in the lpr package. Specifically, the issues involve how LPD handles remote host verification, the ability to send arbitrary files to the spooler directory, the flexibility of control file entries, and the execution of sendmail with specified arguments [ref_id=1].
What the fix does
The advisory recommends downloading updated packages for Red Hat Linux versions 4.x, 5.x, and 6.x, or disabling the LPD service entirely due to potential unaddressed issues [ref_id=1]. The specific changes in the provided patches are not detailed in the bundle, but they are intended to address the vulnerabilities in how LPD handles remote print jobs and sendmail execution.
Preconditions
- configThe LPD service must be running and accessible.
- networkThe attacker must be able to send print jobs to the LPD server. This can be achieved by making their IP address reverse-resolve to the same hostname as the LPD server, bypassing access controls [ref_id=1].
Reproduction
http://www3.l0pht.com/~dildog/qib.tgz
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
9- www.kb.cert.org/vuls/id/39001nvdUS Government Resource
- patches.sgi.com/support/free/security/advisories/20021104-01-Pnvd
- seclists.org/lists/bugtraq/2000/Jan/0116.htmlnvd
- www.atstake.com/research/advisories/2000/lpd_advisory.txtnvd
- www.debian.org/security/2000/20000109nvd
- www.l0pht.com/advisories/lpd_advisorynvd
- www.redhat.com/support/errata/RHSA-2000-002.htmlnvd
- www.securityfocus.com/bid/927nvd
- exchange.xforce.ibmcloud.com/vulnerabilities/3841nvd
News mentions
0No linked articles in our index yet.