CUPS printing system vulnerabilities

[Solar Designer <solar () openwall com>]

Hi,

Simone Margaritelli (evilsocket) has discovered multiple vulnerabilities
in the CUPS printing system and the way it's configured in some distros.

A lot of drama around the disclosure of those issues was going on for
maybe a month now, with public tweets about the disclosure process and
the issues affecting many distros but excluding detail on the issues
(not even CUPS was specifically mentioned until very recently).  Per
those tweets, the issues were communicated to some distro vendors via
CERT/CC VINCE and a vendor planned to bring them to the distros list on
September 30 with public disclosure on October 6.  Unfortunately, the
information leaked prematurely and thus Simone decided on full public
disclosure today at 20:00 UTC pre-announcing it only 2 hours in advance.

Here's Simone's blog post on the issues:

https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/

I cannot easily convert the nicely formatted blog post into plain text,
but here's an excerpt:

> Summary
>
> * CVE-2024-47176 | cups-browsed <= 2.0.1 binds on UDP INADDR_ANY:631
>   trusting any packet from any source to trigger a
>   Get-Printer-Attributes IPP request to an attacker controlled URL.
> * CVE-2024-47076 | libcupsfilters <= 2.1b1 cfGetPrinterAttributes5 does
>   not validate or sanitize the IPP attributes returned from an IPP server,
>   providing attacker controlled data to the rest of the CUPS system.
> * CVE-2024-47175 | libppd <= 2.1b1 ppdCreatePPDFromIPP2 does not
>   validate or sanitize the IPP attributes when writing them to a temporary
>   PPD file, allowing the injection of attacker controlled data in the
>   resulting PPD.
> * CVE-2024-47177 | cups-filters <= 2.0.1 foomatic-rip allows arbitrary
>   command execution via the FoomaticRIPCommandLine PPD parameter.
>
> (can you already see where this is going? :D)
>
> Plus a couple of other bugs that will be mentioned and that are arguably
> security issues but have been pretty much ignored during the conversation
> with the developers and the CERT. They are still there, along with several
> other bugs that are more or less exploitable.
>
> Impact
>
> A remote unauthenticated attacker can silently replace existing printers'
> (or install new ones) IPP urls with a malicious one, resulting in
> arbitrary command execution (on the computer) when a print job is started
> (from that computer).
>
> Entry Points
>
>   * WAN / public internet: a remote attacker sends an UDP packet to port
>     631. No authentication whatsoever.
>   * LAN: a local attacker can spoof zeroconf / mDNS / DNS-SD
>     advertisements (we will talk more about this in the next writeup) and
>     achieve the same code path leading to RCE.

Someone posted Simone's leaked pre-notification at:

https://gist.github.com/stong/c8847ef27910ae344a7b5408d9840ee1

Here's an excerpt:

> Original report
>
> * Affected Vendor: OpenPrinting
> * Affected Product: Several components of the CUPS printing system:
> cups-browsed, libppd, libcupsfilters and cups-filters.
> * Affected Version: All versions <= 2.0.1 (latest release) and master.
> * Significant ICS/OT impact? no
> * Reporter: Simone Margaritelli [evilsocket () gmail com]
> * Vendor contacted? yes The vendor has been notified trough Github
>
> Advisories and all bugs have been confirmed:
>
> https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8
> https://github.com/OpenPrinting/libcupsfilters/security/advisories/GHSA-w63j-6g73-wmg5
> https://github.com/OpenPrinting/libppd/security/advisories/GHSA-7xfx-47qg-grp6
> https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-p9rh-jxmq-gq47

The GitHub advisories above have just been opened to the public.

Since it is in Markdown, I'll attach it to here.  Be aware that it's
somewhat out of date compared to the blog post, but OTOH it contains
some detail that isn't in the blog post, such as the exploit script.

After today's public disclosure, someone else has also posted an
exploit here:

https://github.com/RickdeJager/cupshax

Alexander

Attachment: cups-browsed.md
Description: