There seems to be a clever lpd exploit around which works at least on solaris.
It seems to work on to phases.
First it misuses local mail to listen on port 1524 using a special mail.cf and then it installs a shell listening on port 37777.
It needs an active cc.
Does somebody know something about it, is the code known?