CVE-2000-1221

unknown

Published — · Modified —

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

1.0

Description

The line printer daemon (lpd) in the lpr package in multiple Linux operating systems authenticates by comparing the reverse-resolved hostname of the local machine to the hostname of the print server as returned by gethostname, which allows remote attackers to bypass intended access controls by modifying the DNS for the attacking IP.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-19722 remote unix verified text · 1 KB

anonymous · 2000-01-11

RedHat 6.1 / IRIX 6.5.18 - 'lpd' Command Execution

text exploit Source: Exploit-DB

source: https://www.securityfocus.com/bid/927/info

Multiple vulnerabilities have been discovered in lpd, shipped with various Linux and Unix distributions.

It has been reported that lpd fails to properly authenticate hostnames. This could allow an unauthenticated user to gain access to lpd services by supplying a spoofed hostname.

It is also possible for a local user to pass arguments to sendmail, through the vulnerable print daemon. This could allow an unauthorized user to execute commands with elevated privileges.

By exploiting multiple vulnerabilities in lpd, it may be possible for a remote attacker to gain root privileges on a target server.

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/19722.tgz

OS impact

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`1:0.48-1`
sid	Fixed	`1:0.48-1`
forky	Fixed	`1:0.48-1`
bullseye	Fixed	`1:0.48-1`
bookworm	Fixed	`1:0.48-1`

References

https://security-tracker.debian.org/tracker/CVE-2000-1221

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.