2012-11-10

Members of lpadmin can read /var/run/cups/certs/0. With this key it is possible to access the cups web interface as admin. You can edit the cups config file and set the page log to any filename you want (for example /etc/shadow). Then you can read the file contents by viewing the cups page log. By printing you can also write some random data to the given file.

As it is not possible to use the cups authentication with a normal web browser I created a simple shell script to show the effect. When called as any unprivileged user who is a member of lpadmin it should display the contents of /etc/shadow:

#!/bin/sh
set -e

# backup cupsd.conf
cp /etc/cups/cupsd.conf /tmp

AUTH="Authorization: Local $(cat /var/run/cups/certs/0)"

POST -d -H "$AUTH" -H "Cookie: org.cups.sid=" http://localhost:631/admin/
(no description available)
ii  foomatic-db            20100630-1        OpenPrinting printer support - dat
pn  hplip
(no description available)
ii  smbclient              2:3.6.6-2~bpo60+1 command-line SMB/CIFS clients for
ii  udev                   164-3             /dev/ and hotplug management daemo
pn  xpdf-korean | xpdf-jap
(no description available)

-- Configuration Files:
/etc/cups/cupsd.conf changed [not included]

-- debconf information excluded

Message #10 received at 692791@bugs.debian.org:

From: Jörg Ludwig

To: 692791@bugs.debian.org
Subject: Re: members of lpadmin can read every file on server via cups
Date: Fri, 09 Nov 2012 00:26:09 +0100
[Message part 1 (text/plain, inline)]
A line break got inserted into the script while posting. Here is the
correct one.

--
Mit freundlichen Grüßen,

Jörg Ludwig

IServ GmbH
Rebenring 33
38106 Braunschweig

Telefon:     0531-3804450
Fax:         0531-4287745
Mobil:       0179-9101055
E-Mail:      joerg.ludwig@iserv.eu
Internet:    www.iserv.eu
USt.-IdNr.:  DE265149425
[cups_exploit (text/plain, attachment)]
Message #15 received at 692791@bugs.debian.org:

From: "Didier 'OdyX' Raboud"

To: Jörg Ludwig, 692791@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#692791: members of lpadmin can read every file on server via cups
Date: Sat, 10 Nov 2012 12:48:39 +0100
[Message part 1 (text/plain, inline)]
Control: found -1 1.5.3-2.6
Control: found -1 1.5.3-2.4

Hi Jörg, and thanks for your bug report,

as far as I understand your report, there are two separate issues:

a) members of the lpadmin group can log in to the web interface password-less,
using the /var/run/cups/certs/0 file that they can read. Granted, that's a
bug, but a non-severe one as these users can log in to the web interface using
their password.
b) members of the lpadmin group can change the /etc/cups/cupsd.conf file
completely and trigger a server restart. By that, they can get the cupsd
daemon (which runs as root) to do almost what they want, e.g. read root-owned
files (/etc/shadow, …), run commands as other users, … This is basically an
lpadmin-to-root privilege escalation.

I have successfully used your exploit script on the Sid version, tagging as
found there.

== Possible solutions

I see these possible solutions (to be investigated):

* Have cupsd run as lp user
* Forbid any changes to the config file from the webinterface
* Another idea ?

== Next actions

* Report bug to upstream tracker (I'll do it)
* Request a CVE ? (Security team members ?)
* Fix it :)

Security team members: any better idea / procedure?

Cheers, OdyX

Le jeudi, 8 novembre 2012 23.23:41, Jörg Ludwig a écrit :
> Members of lpadmin can read /var/run/cups/certs/0. With this key it is
> possible to access the cups web interface as admin. You can edit the cups
> config file and set the page log to any filename you want (for example
> /etc/shadow). Then you can read the file contents by viewing the cups page
> log. By printing you can also write some random data to the given file.
>
> As it is not possible to use the cups authentication with a normal
> web browser I created a simple shell script to show the effect. When called
> as any unprivileged user who is a member of lpadmin it should display the
> contents of /etc/shadow:
[signature.asc (application/pgp-signature, inline)]
Marked as found in versions cups/1.5.3-2.6. Request was from "Didier 'OdyX' Raboud" to 692791-submit@bugs.debian.org. (Sat, 10 Nov 2012 11:51:03 GMT)
Marked as found in versions cups/1.5.3-2.4. Request was from "Didier 'OdyX' Raboud" to 692791-submit@bugs.debian.org. (Sat, 10 Nov 2012 11:51:04 GMT)
Message #24 received at 692791@bugs.debian.org:

From: "Didier 'OdyX' Raboud"

To: 692791@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#692791: members of lpadmin can read every file on server via cups
Date: Sat, 10 Nov 2012 13:19:23 +0100
[Message part 1 (text/plain, inline)]
Control: forwarded -1 https://www.cups.org/str.php?L4223

Le samedi, 10 novembre 2012 12.48:39, Didier 'OdyX' Raboud a écrit :
> * Report bug to upstream tracker (I'll do it)

This has now been done, to STR #4223, currently hidden from public view as it
is tagged as "security".

Cheers,

OdyX
[signature.asc (application/pgp-signature, inline)]
Set Bug forwarded-to-address to 'https://www.cups.org/str.php?L4223'. Request was from "Didier 'OdyX' Raboud" to 692791-submit@bugs.debian.org. (Sat, 10 Nov 2012 12:21:06 GMT)
Message #31 received at 692791@bugs.debian.org:

From: Martin Pitt

To: Didier 'OdyX' Raboud, 692791@bugs.debian.org
Subject: Re: [Pkg-cups-devel] Bug#692791: members of lpadmin can read every file on server via cups
Date: Sat, 10 Nov 2012 13:44:22 +0100
[Message part 1 (text/plain, inline)]
Didier 'OdyX' Raboud [2012-11-10 12:48 +0100]:
> * Have cupsd run as lp user

We had done that in Debian for several years for security reasons. We
had a huge patch to make most of cups work as user "lp", but at some
point I gave up: it caused too many bugs, didn't work with a lot of
third-party drivers, and broke with every new upstream release.
Upstream has never bought into the idea of running the main server as
an unprivileged system user unfortunately.

So this is possible in principle, but will mean a huge maintenance
overhead.

> * Forbid any changes to the config file from the webinterface

That would drop a huge piece of functionality.

> * Another idea ?

cupsd could temporarily drop privileges to lp when reading log files;
with that you are restricted to reading world-readable files as well
as cups' own files, which should be fine?

Martin

--
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
[signature.asc (application/pgp-signature, inline)]
Message #36 received at 692791@bugs.debian.org:

From: Yves-Alexis Perez

To: oss-security@lists.openwall.com
Cc: 692791@bugs.debian.org, team@security.debian.org, cups-security@apple.com
Subject: Privilege escalation (lpadmin -> root) in cups
Date: Sat, 10 Nov 2012 13:49:43 +0100
[Message part 1 (text/plain, inline)]
Hi,

a Debian user reported a bug in our BTS concerning cupsd. The bug is
available at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692791 and
upstream bug at http://www.cups.org/str.php?L4223 (restricted because
it's tagged security).

I'm unsure right now if it's an upstream issue or specific to Debian.

Basically, members of the lpadmin group (which is the group having admin
rights to cups, meaning they're supposed to be able to add/remove
printers etc.) have admin access to the web interface, where they can
edit the config file and set some “dangerous” directives (like the log
filenames), which enable them to read or write files as the user running
the cupsd webserver.

In Debian's case at least, it's run as root, meaning we have a privilege
escalation issue from lpadmin group to root.

A fix would be to not run cupsd web server as root, and maybe to
restrict it to some kind of chroot so it doesn't have access to
sensitive files.

Regards,
--
Yves-Alexis

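The thread's three proposed mitigations (OdyX: forbid config changes from the web interface; Martin: drop privileges when opening log files; Yves-Alexis: stop the web-editable config from carrying "dangerous" path directives) share one daemon-side requirement: a configuration body submitted through the admin interface must be checked before cupsd adopts it. The Python below is an added example written for this page, not CUPS code and not Debian's eventual fix; it shows such a check for the exact edit the report describes (PageLog pointed at /etc/shadow). The directive list, the allowed log directory and both sample configurations are assumptions constructed for the illustration.

```python
"""Added example: validate a cupsd.conf body submitted via the web UI.

Not CUPS code. The directive set, ALLOWED_LOG_DIR and the two sample
configurations are constructed assumptions for this illustration.
"""
import posixpath

# Directives whose value names a file that the daemon later opens with
# its own privileges (root on Debian, per the thread). Illustrative
# subset only; keys are lower-case because the names are matched
# case-insensitively below.
PATH_DIRECTIVES = {"pagelog": "PageLog",
                   "accesslog": "AccessLog",
                   "errorlog": "ErrorLog"}

# Only targets inside this directory are accepted for those directives.
ALLOWED_LOG_DIR = "/var/log/cups"

# Keyword meaning "log to syslog"; not a file path.
SYSLOG_KEYWORD = "syslog"


def canonical_path(value, base=ALLOWED_LOG_DIR):
    """Make a directive value absolute (relative values are taken to be
    relative to the log directory) and collapse '.' and '..' components,
    so '../../etc/shadow' is judged by where it actually points."""
    if not value.startswith("/"):
        value = posixpath.join(base, value)
    return posixpath.normpath(value)


def is_under(path, directory):
    """True if `path` is `directory` itself or lies beneath it."""
    return path == directory or path.startswith(directory.rstrip("/") + "/")


def check_config(text):
    """Scan a proposed cupsd.conf body.

    Returns a list of (line_number, directive, value, reason) tuples, one
    per path-valued directive whose target resolves outside
    ALLOWED_LOG_DIR. An empty list means the body passes this check.
    """
    violations = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key not in PATH_DIRECTIVES:
            continue
        value = parts[1].strip() if len(parts) > 1 else ""
        if not value or value.lower() == SYSLOG_KEYWORD:
            continue                          # nothing to open as a file
        target = canonical_path(value)
        if not is_under(target, ALLOWED_LOG_DIR):
            violations.append((lineno, PATH_DIRECTIVES[key], value,
                               "resolves to %s, outside %s"
                               % (target, ALLOWED_LOG_DIR)))
    return violations


# Constructed sample: the edit described in the bug report.
SAMPLE_REJECTED = """\
# point the page log at a root-only file
PageLog /etc/shadow
AccessLog /var/log/cups/access_log
"""

# Constructed sample: an ordinary configuration.
SAMPLE_ACCEPTED = """\
PageLog /var/log/cups/page_log
ErrorLog syslog
AccessLog /var/log/cups/access_log
"""


if __name__ == "__main__":
    for name, body in (("rejected", SAMPLE_REJECTED),
                       ("accepted", SAMPLE_ACCEPTED)):
        print(name, check_config(body))
```

The check must run inside the daemon when it receives the edited file, not in the browser form, since the report's script talks to the admin interface directly. It is a string-level check: it catches absolute paths, relative paths and `..` traversal, but not a symlink placed inside the log directory by whoever can write there, which is why Martin's suggestion of opening log files with privileges dropped to `lp` remains worthwhile as a second layer.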
Source link: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692791
