CVE-2000-0917

LPRng 3.6.24 - Remote Code Execution

Exploitation Summary

EIP tracks 5 public exploits for CVE-2000-0917. PoCs published by Metasploit, VeNoMouS, sk8, including Metasploit module exploits/linux/misc/lprng_format_string.

AI-analyzed exploit summary: This Metasploit module exploits a format string vulnerability in LPRng (CVE-2000-0917) to achieve remote code execution with root privileges. It uses brute-force techniques to overwrite memory addresses and execute shellcode.

Description

Format string vulnerability in use_syslog() function in LPRng 3.6.24 allows remote attackers to execute arbitrary commands.

Exploits (5)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · linux
https://www.exploit-db.com/exploits/16842

This Metasploit module exploits a format string vulnerability in LPRng (CVE-2000-0917) to achieve remote code execution with root privileges. It uses brute-force techniques to overwrite memory addresses and execute shellcode.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: LPRng (versions affected include 3.6.22-24)
No auth needed
Prerequisites: Network access to the LPRng service (port 515)
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by VeNoMouS · c · remote · linux
https://www.exploit-db.com/exploits/230

This exploit targets a format string vulnerability in LPRng (versions 3.6.22-3.6.24) on RedHat 7.0 and Slackware 7.0, allowing remote root access via port 515/tcp. It constructs a malicious buffer with shellcode and format string specifiers to overwrite memory addresses.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: LPRng 3.6.22-3.6.24
No auth needed
Prerequisites: Target running vulnerable LPRng version · Network access to port 515/tcp
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by sk8 · c · remote · linux
https://www.exploit-db.com/exploits/226

This exploit targets a buffer overflow vulnerability in LPRng (CVE-2000-0917) to achieve remote root access on x86 Linux systems. It uses a combination of format string manipulation and shellcode injection to overwrite the EIP and execute arbitrary code.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: LPRng 3.6.22/23/24
No auth needed
Prerequisites: Network access to the vulnerable LPRng service · Target system running a vulnerable version of LPRng
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by DiGiT · c · remote · linux
https://www.exploit-db.com/exploits/227

This exploit targets a format string vulnerability in LPRng (CVE-2000-0917) to achieve remote code execution. It uses a crafted format string to overwrite memory addresses and execute shellcode, providing a reverse shell.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: LPRng (Linux LPD)
No auth needed
Prerequisites: Network access to the target's LPD service (port 515) · Vulnerable version of LPRng
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC NORMAL
by jduck · ruby · poc · linux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/lprng_format_string.rb

This Metasploit module exploits a format string vulnerability in LPRng (CVE-2000-0917) to achieve remote code execution (RCE) with root privileges. It uses brute-force techniques to overwrite memory addresses and execute shellcode via a format string attack.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Racy
Target: LPRng (tested on Caldera OpenLinux 2.3, among others)
No auth needed
Prerequisites: Network access to the LPRng service (port 515) · Vulnerable version of LPRng
devstral-2 · analyzed Feb 16, 2026

References (7)

Core References
Various Sources vendor-advisory x_refsource_freebsd
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:56.lprng.asc
Vendor Advisory vendor-advisory x_refsource_caldera
http://www.calderasystems.com/support/security/advisories/CSSA-2000-033.0.txt
US Government Resource third-party-advisory x_refsource_cert
http://www.cert.org/advisories/CA-2000-22.html
Third Party Advisory mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-09/0293.html
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2000-065.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/5287
Exploit, Patch, Vendor Advisory vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/1712

Scores

EPSS: 0.7866
EPSS Percentile: 99.5%

Details

Status: published
Products (7):
caldera/openlinux
caldera/openlinux_ebuilder 3.0
caldera/openlinux_edesktop 2.4
caldera/openlinux_eserver 2.3
redhat/linux 7.0
trustix/secure_linux 1.0
trustix/secure_linux 1.1
Published: Dec 19, 2000
Tracked Since: Feb 18, 2026