Redhat 4.2 uses the "printfilter" software package called by lpd to determine the type of a file, unfortunately this program calls others which were not made to handle malicious data (such as groff).
Redhat Linux 4.2 (maybe earlier)
6 October 1997
Date: Sat, 25 Oct 1997 08:22:39 -0700
From: "KSR[T]" <email@example.com>
Subject: BoS: KSR[T] Advisory #004: printfilter / groff / lpd
KSR[T] Website : http://www.dec.net/ksrt
KSR[T] Advisory #004
Date: Oct 6, 1997
ID #: lin-lpdg-004
Operating System(s): Redhat Linux 4.2
Affected Program: lpd / printfilter / groff
Problem Description: The printfilter software package that comes with
Redhat Linux is called by lpd to determine the type
of file that is being printed, and then to apply
the appropriate 'filter' so that the file will be
The 'filters' are usually shell scripts that call
a helper application. The first problem is that
some of these filters use /tmp as scratch space,
which opens up a symlink attack for file creation
and file overwriting. ( lpd is running as user bin,
group root )
The second problem is that a lot of the helper
applications were not built with security in mind.
One example of this is groff.
There are several troff/groff 'requests' that allow
commands to be executed. The result is that anyone
with a simple understanding of troff can send
a troff document to a remote server, causing the
remote server to execute arbitrary commands as
user bin, group root.
It is important to note that other operating systems
may use a print filter that will use applications
like troff. They are just as susceptible to attack as
the operating systems listed above.
Compromise: local users can overwrite files writable by user bin
and/or group root.
local and remote users can execute commands as user
bin, group root. From this point, a clever attacker
can obtain root.
Erik Troan <firstname.lastname@example.org> has put updated RPMS online at:
The master index of all exploits is available
here (Very large file)
Or you can pick your favorite operating system:
This page is part of Fyodor's exploit
For a free program to automate scanning your network for vulnerable
hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces: