CVE-2001-1583
published 2001-12-31


Priority: P3 (55)
CVSS 2.0: 10.0, critical, vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 83.40% (99.6th percentile)
lpd daemon (in.lpd) in Solaris 8 and earlier allows remote attackers to execute arbitrary commands via a job request with a crafted control file that is not properly handled when lpd invokes a mail program. NOTE: this might be the same vulnerability as CVE-2000-1220.

Affected (1 range)

Vendor  Product  Version range  Fixed in
sun     sunos    <= 5.9         (not listed)

Note that SunOS 5.9 is Solaris 9, so this range is wider than the "Solaris 8 and earlier" in the description; treat Solaris 9 hosts as in scope until a patch level is confirmed.

Detection & IOCs (extracted from sources)

port: 515
path: /var/spool/print
command: \x02metasploit:framework\n
command: \x02localhost:metasploit\n
path: /bin/sh
  • Monitor LPD (port 515/TCP) for incoming job requests whose control file carries a crafted 'P' (user) field with an embedded sendmail '-C' flag pointing at an attacker-controlled mail configuration file (e.g., a P field containing "-C<path>/mail.cf" nobody).
  • Detect LPD job requests that use the cascaded/forwarded job syntax (byte 0x02 followed by a host:queue string) from external or untrusted hosts, particularly with queue names such as 'metasploit:framework' or 'localhost:metasploit'.
  • Alert on files written to /var/spool/print whose names match patterns like <jid>mail.cf or <jid>script; the exploit stages these before triggering the sendmail execution.
  • Detect sendmail invocations by in.lpd (or lpd) that include a '-C' flag pointing to a path under /var/spool/print, which indicates the mail configuration file injection technique.
  • A valid printer does NOT need to be configured on the target for exploitation; do not rely on printer configuration checks as a detection or mitigation signal.
  • The exploit avoids needing the resolved name of the attacking system by using the cascaded job request mechanism, so reverse-DNS-based filtering is ineffective as a sole defense.
  • Exploitation yields command execution with superuser privileges, not just the lpd daemon's user context.
  • The payload space is 8192 bytes and requires cmd-type payloads (generic, perl, or telnet); binary shellcode payloads are not compatible with this exploit path.
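The two network-side indicators above (a cascaded host:queue in the receive-job command, and a P field carrying sendmail's -C flag) can be checked by parsing the client half of an RFC 1179 "receive job" exchange. The following is an added example written for this page; it is not code from the page's sources or from Metasploit. It assumes the attacker-side stream as a client would send it with the server's single-byte 0x00 acknowledgements already removed, and the job id, file names and the staged path /var/spool/print/123mail.cf in the constructed samples are hypothetical.

```python
"""Client-side LPD (RFC 1179, TCP/515) 'receive job' parser plus the checks
from the bullets above: cascaded host:queue requests, the Metasploit queue
names, and a P field that injects sendmail -C <file under /var/spool/print>.
Added example, not code from the page or from Metasploit; byte streams are
constructed here, not captured traffic, and the job id / file names are
hypothetical."""
import re

CASCADE_RE = re.compile(r"^[^:\s]+:[^:\s]+$")                 # host:queue forwarding syntax
MAILCF_RE = re.compile(r'-C\s*"?(/var/spool/print/[^\s"]+)')  # sendmail -C under the spool
KNOWN_QUEUES = {"metasploit:framework", "localhost:metasploit"}


def build_receive_job(queue, control, data, jid="001", host="wkstn"):
    """Encode what a client sends for one job: 0x02 queue LF, then the
    control file (0x02 count SP name LF body NUL) and the data file
    (0x03 count SP name LF body NUL).  Server ACK bytes (single 0x00) are
    not part of the client stream and are omitted."""
    cf = f"cfA{jid}{host}".encode()
    df = f"dfA{jid}{host}".encode()
    return (b"\x02" + queue.encode() + b"\n"
            + b"\x02%d %s\n" % (len(control), cf) + control + b"\x00"
            + b"\x03%d %s\n" % (len(data), df) + data + b"\x00")


def parse_receive_job(stream):
    """Decode a client stream shaped as above into {'queue', 'files'}."""
    if not stream.startswith(b"\x02"):
        raise ValueError("not an LPD receive-job command")
    nl = stream.index(b"\n")
    job = {"queue": stream[1:nl].decode("latin-1"), "files": []}
    pos = nl + 1
    while pos < len(stream):
        code = stream[pos]
        if code == 0x01:                       # abort job
            break
        if code not in (0x02, 0x03):
            raise ValueError(f"unexpected subcommand {code:#x} at offset {pos}")
        nl = stream.index(b"\n", pos)
        count_s, name = stream[pos + 1:nl].split(b" ", 1)
        count = int(count_s)
        body = stream[nl + 1:nl + 1 + count]
        if len(body) != count or stream[nl + 1 + count:nl + 2 + count] != b"\x00":
            raise ValueError(f"truncated file body for {name!r}")
        job["files"].append({"kind": "control" if code == 0x02 else "data",
                             "name": name.decode("latin-1"), "size": count, "body": body})
        pos = nl + 2 + count
    return job


def lpd_indicators(job, external_peer=True):
    """Return human-readable indicator hits for one parsed job."""
    hits = []
    queue = job["queue"]
    if CASCADE_RE.match(queue):                # forwarded job: no reverse DNS needed
        hits.append(f"cascaded job request to '{queue}'"
                    + (" from untrusted peer" if external_peer else ""))
        if queue in KNOWN_QUEUES:
            hits.append(f"known Metasploit queue name '{queue}'")
    for f in job["files"]:
        if f["kind"] != "control":
            continue
        for line in f["body"].decode("latin-1").splitlines():
            if line.startswith("P"):           # P = user name, handed to the mail program
                m = MAILCF_RE.search(line)
                if m:
                    hits.append(f"P field injects sendmail -C {m.group(1)}")
    return hits


def scan_stream(stream, external_peer=True):
    return lpd_indicators(parse_receive_job(stream), external_peer)


# Constructed samples: an ordinary job and one shaped like the exploit.
BENIGN = build_receive_job("lp", b"Hwkstn\nPalice\nJreport\nldfA001wkstn\n", b"hello world\n")
HOSTILE_CONTROL = b"Hwkstn\nP-C/var/spool/print/123mail.cf nobody\nJx\nldfA001wkstn\n"
HOSTILE = build_receive_job("metasploit:framework", HOSTILE_CONTROL, b"x\n")

if __name__ == "__main__":
    for label, stream in (("benign", BENIGN), ("hostile", HOSTILE)):
        print(label, scan_stream(stream) or ["no indicators"])
```

The detector inspects the control file rather than waiting for a sendmail command line, because the P field is the value that in.lpd passes to the mail program; on a real sensor you would reassemble the TCP stream toward port 515 and strip the server's 0x00 acknowledgements before handing the bytes to parse_receive_job. The cascade check deliberately fires on any host:queue name, not only the two Metasploit defaults, since the queue string is trivially changed by the attacker while the forwarding syntax itself is what makes reverse-DNS filtering useless.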