[Pkg-cups-devel] Bug#692791: members of lpadmin can read every file on server via cups
Didier 'OdyX' Raboud
odyx at debian.org
Sat Nov 10 11:48:39 UTC 2012
Control: found -1 1.5.3-2.6
Control: found -1 1.5.3-2.4
Hi Jörg, and thanks for your bug report,
as far as I understand your report, there are two separate issues:
a) members of the lpadmin group can login to the webinterface password-less,
using the /var/run/cups/certs/0 file that they can read. Granted, that's a
bug, but a non-severe one as these users can login to the webinterface using
their password.
b) members of the lpadmin group can change the /etc/cups/cupsd.conf file
completely and trigger a server restart. By that, they can get the cupsd
daemon (which runs as root) do almost what they want, e.g. read root-owned
files (/etc/shadow, …), run commands as other users, … This is basically an
lpadmin-to-root privilege escalation.
I have successfully used your exploit script on the Sid version, tagging as
found there.
== Possible solutions
I see these possible solutions (to be investigated):
* Have cupsd run as lp user
* Forbid any changes to the config file from the webinterface
* Another idea ?
== Next actions
* Report bug to upstream tracker (I'll do it)
* Request a CVE ? (Security team members ?)
* Fix it :)
Security team members: any better idea / procedure?
Cheers, OdyX
On Thursday, 8 November 2012 23:23:41, Jörg Ludwig wrote:
> Members of lpadmin can read /var/run/cups/certs/0. With this key it is
> possible to access the cups web interface as admin. You can edit the cups
> config file and set the page log to any filename you want (for example
> /etc/shadow). Then you can read the file contents by viewing the cups page
> log. By printing you can also write some random data to the given file.
>
> As it is not possible to use the cups authentication with a normal
> web browser I created a simple shell script to show the effect. When called
> as any unprivileged user who is a member of lpadmin it should display the
> contents of /etc/shadow:
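An audit check for the two issues discussed in this message, added here as an example and not part of the original report or of CUPS: it flags cupsd.conf log directives (PageLog, AccessLog, ErrorLog) whose target lies outside /var/log/cups, and tests whether a file's mode and group let the lpadmin group read it. The sample config is constructed, and /var/log/cups as the expected log directory is an assumption.

```python
import os
import re
import stat

CUPS_LOG_DIR = "/var/log/cups"  # assumed location of the cupsd logs
# cupsd.conf directives whose target cupsd (running as root) writes to and the
# web interface can display back; all three are real cupsd.conf keywords.
LOG_DIRECTIVES = ("PageLog", "AccessLog", "ErrorLog")


def suspicious_log_paths(conf_text, log_dir=CUPS_LOG_DIR):
    """Return (directive, path) pairs whose absolute target lies outside
    log_dir. 'syslog' and relative names are left alone; '..' segments are
    normalised so an indirect escape from log_dir is still flagged."""
    log_dir = os.path.normpath(log_dir)
    findings = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        m = re.match(r"(\w+)\s+(\S+)$", line)
        if not m or m.group(1) not in LOG_DIRECTIVES:
            continue
        directive, path = m.groups()
        if path == "syslog" or not path.startswith("/"):
            continue
        if os.path.commonpath([os.path.normpath(path), log_dir]) != log_dir:
            findings.append((directive, path))
    return findings


def cert_readable_by_group(mode, gid, lpadmin_gid):
    """True when st_mode/st_gid (as returned by os.stat) let the lpadmin
    group, or everyone, read the file: the first issue in the report."""
    if mode & stat.S_IROTH:
        return True
    return gid == lpadmin_gid and bool(mode & stat.S_IRGRP)


# Constructed sample reproducing the misconfiguration from the report.
SAMPLE_CONF = """\
LogLevel warn
ErrorLog /var/log/cups/error_log
AccessLog syslog
PageLog /etc/shadow   # page log redirected outside /var/log/cups
"""

if __name__ == "__main__":
    for directive, path in suspicious_log_paths(SAMPLE_CONF):
        print(f"WARNING: {directive} points outside {CUPS_LOG_DIR}: {path}")
```

On a real host, pass `os.stat("/var/run/cups/certs/0").st_mode` and `.st_gid` together with `grp.getgrnam("lpadmin").gr_gid` to `cert_readable_by_group()`.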