CVE-1999-0032

IRIX - Local Buffer Overflow via lpr -C Option

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-1999-0032.

AI-analyzed exploit summary This exploit targets a buffer overflow vulnerability in the lpr program (CVE-1999-0032) by supplying a maliciously crafted argument to the -C option. It overwrites the stack with NOP sleds and shellcode to execute /bin/sh, potentially gaining elevated privileges if lpr is setuid/setgid.

Description

Buffer overflow in lpr, as used in BSD-based systems including Linux, allows local users to execute arbitrary code as root via a long -C (classification) command line option.

Exploits (2)

exploitdb WORKING POC

clocallinux

https://www.exploit-db.com/exploits/19544

View Code ZIP pw:eip

This exploit targets a buffer overflow vulnerability in the lpr program (CVE-1999-0032) by supplying a maliciously crafted argument to the -C option. It overwrites the stack with NOP sleds and shellcode to execute /bin/sh, potentially gaining elevated privileges if lpr is setuid/setgid.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: lpr (BSD/OS 2.1, FreeBSD 2.1.5, NeXTstep 4.0/4.1, SGI IRIX 6.4, SunOS 4.1.3/4.1.4)

No auth needed

Prerequisites: lpr installed with setuid/setgid privileges · ability to execute lpr on the target system

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 19, 2026 Full analysis →

exploitdb WORKING POC

clocalbsd

https://www.exploit-db.com/exploits/19545

View Code ZIP pw:eip

This exploit leverages a stack-based buffer overflow in the lpr program (CVE-1999-0032) by supplying a maliciously crafted argument to the -C option. The payload includes NOP sleds and shellcode to spawn a /bin/sh, demonstrating arbitrary command execution with the privileges of the lpr process.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: lpr (likely older versions, pre-2000)

No auth needed

Prerequisites: lpr installed (potentially setuid/setgid) · ability to execute lpr with crafted arguments

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (3)

Core 3

Core References

Vendor Advisory vendor-advisory x_refsource_sgi

ftp://patches.sgi.com/support/free/security/advisories/19980402-01-PX

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/707

Third Party Advisory, US Government Resource third-party-advisory government-resource x_refsource_ciac

http://www.ciac.org/ciac/bulletins/i-042.shtml

Scores

EPSS 0.0018

EPSS Percentile 39.6%

Details

Status published

Products (21)

bsdi/bsd_os 2.1

freebsd/freebsd 2.0

freebsd/freebsd 2.0.5

freebsd/freebsd 2.1.0

freebsd/freebsd 2.1.5

next/nextstep 4.0

next/nextstep 4.1

sgi/irix 5.0

sgi/irix 5.0.1

sgi/irix 5.1

... and 11 more

Published Oct 25, 1996

Tracked Since Feb 18, 2026