CVE-2001-0906

teTeX filter <1.0.7 - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2001-0906. PoCs published by zen-parse.

AI-analyzed exploit summary This exploit leverages a race condition in teTeX's temporary file handling to create a symbolic link to a privileged configuration file, allowing arbitrary command execution with elevated privileges (e.g., lp user). The attack involves predicting the temporary file name and replacing it with a link to a configuration file sourced by the print system.

Description

teTeX filter before 1.0.7 allows local users to gain privileges via a symlink attack on temporary files that are produced when printing .dvi files using lpr.

Exploits (1)

exploitdb WORKING POC VERIFIED

by zen-parse · clocallinux

https://www.exploit-db.com/exploits/20990

View Code ZIP pw:eip

This exploit leverages a race condition in teTeX's temporary file handling to create a symbolic link to a privileged configuration file, allowing arbitrary command execution with elevated privileges (e.g., lp user). The attack involves predicting the temporary file name and replacing it with a link to a configuration file sourced by the print system.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Moderate

Reliability

Racy

Target: teTeX (1.0.7-7 or earlier) with LPRng (3.7.4-23 or earlier)

No auth needed

Prerequisites: Local access to the system · teTeX and LPRng installed with vulnerable versions · Ability to predict or brute-force the temporary file name

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1548.001 - Setuid and Setgid

devstral-2 · analyzed Feb 16, 2026 Full analysis →