[Pkg-cups-devel] Bug#692791: [oss-security] Privilege escalation (lpadmin -> root) in cups

Kurt Seifried kseifried at redhat.com
Sun Nov 11 07:18:13 UTC 2012 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/10/2012 05:49 AM, Yves-Alexis Perez wrote:
> Hi,
> 
> a Debian user reported a bug in our BTS concerning cupsd. The bug
> is available at
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692791 and 
> upstream bug at http://www.cups.org/str.php?L4223 (restricted
> because it's tagged security).
> 
> I'm unsure right now if it's an upstream issue or specific to
> Debian.

On Red Hat Enterprise 6 and Fedora 16 the file is owned by root:sys,
and the cupsd.conf defaults to:

<Location /admin/conf>
  AuthType Default
  Require user @SYSTEM
  Order allow,deny
</Location>

so that should be like "root", "bin" and "adm" so yeah it would appear
to be vendor specific.

> Basically, members of the lpadmin group (which is the group having
> admin rights to cups, meaning they're supposed to be able to
> add/remove printeers etc.) have admin access to the web interface,
> where they can edit the config file and set some “dangerous”
> directives (like the log filenames), which enable them to read or
> write files as the user running the cupsd webserver.
> 
> In Debian case at least, it's run as root, meaning we have a
> privilege escalation issue from lpadmin group to root.

I think as a rule cupsd runs as root, to touch the various files/dirs/etc.

> A fix would be to not run cupsd web server as root, and maybe to 
> restrict it to some kind of chroot so it doesn't have access to 
> sensitive files

Tricky, /dev/*, log dirs, etc. Probably better to just use a print
specific user/group and make all the standard locations owned by it,
and require the admin to setup anything like say
/non-standard/log/printers/ and so on.

> Can a CVE be allocated for this?

Please use CVE-2012-5519 for this issue. Also if other vendors could
check the permissions/configs/etc. and reply if they are vulnerable
that would be good.

> Regards,
> 



- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQn1E1AAoJEBYNRVNeJnmTAk0QAJzI9+STxsFAL7YJm4obCLAY
PhVVZYau19qUxMlMEIahfvcV46/36zYZPKYtNJCNtH7G30lPqC2gfZ3upNbri8+u
71tZw15UMU6qAt/WNpfe9URjSNHRcO8tJ6OqN6u6er13YhdVkls6/Yudty1hAZoU
wqd1xcBDv2uhaOsI5SswfSHC61JkBLRD7f13T6eWfSz5VT1TBwzJyP5yLTygx4jt
wRnF/dBUSToSSqlLyP1gdSJWs6ksTtaVc7vHkCD2NVCZMPOn9lm9RiVj52Q1e/eR
osbqbCwx8P3FC4w+MvN29+GbfRxdFA6ik4IHrpzR3Q+j105aQwIm0pubsENA2Lr3
YHnvoD4oysfr3zUGYs5dbH1qITTw2t5c2oAP1wfG7C52jjblg3AaDDSgACyJFciQ
kqcmSnDdBdcpc9dpGFo02LSOkh1jyVmBUCjTfXiNkpTtMv++CtgGdQM6j/UgAh1Q
28yf5WhxuhdGPo28XNWbYj9ELAe4aDAssggTL+ysM8Xjc23hfBXowCNbkO4LqrlQ
S14M04wi4eHrd8sj+DpzODm9ttOrnCCmzuNc5UBlxH2Mxk6LUVczU5RwDJ/wFPKA
DoHFiCldax69zjRsLv/wgu3oNfn8Hi3Piyn/TfGmFEnnnejCUe5lDUIRzZgj+LoB
62nQOCDF/bsxQWwJdDPl
=zMgY
-----END PGP SIGNATURE-----

More information about the Pkg-cups-devel mailing list