oss-sec mailing list archives

Re: CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777


From: Solar Designer <solar () openwall com>
Date: Fri, 8 Nov 2024 04:48:45 +0100

On Wed, Jun 12, 2024 at 10:49:28PM -0000, Tavis Ormandy wrote:
> On 2024-06-11, Zdenek Dohnal wrote:
> > Impact
> >
> > Given that cupsd is often running as root, this can result in the change
> > of permission of any user or system files to be world writable.
> >
> > https://github.com/OpenPrinting/cups/commit/a436956f3
>
> This is a pretty confusing description... if we accept the premise that an
> attacker can somehow get root to run cupsd with a modified configuration
> file (how???), then this patch doesn't seem sufficient. They can still
> get root to unlink() an arbitrary file, no?
>
> I guess someone from CUPS has seen a working Ubuntu exploit that did
> this, but this really feels like fixing the bug in the wrong place?

Yes, here's a blog post on the Ubuntu exploit chain:

Abusing Ubuntu 24.04 features for root privilege escalation
Written by: Rory McNamara
September 9, 2024
40 mins read

https://snyk.io/blog/abusing-ubuntu-root-privilege-escalation/

This is a lot.  I only skimmed.  wpa_supplicant and CUPS got CVEs, but
really it's not so obvious what component(s) to blame/fix.

I've attached my plain text export of the blog post to this message.

Alexander

Attachment: snyk-abusing-ubuntu-root-privilege-escalation.txt
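As an added example (not code from CUPS, from the Snyk post, or from anyone in this thread), here is a small Python audit a defender can run over a cupsd.conf before letting a root cupsd start with it. It extracts the Unix-socket paths named by Listen directives and flags any that resolve (symlinks followed) outside the directory where the socket is expected, or that already exist as something other than a socket; that is the situation in which the chmod 0140777 and the unlink() discussed above would hit the wrong file. The allowed directories, the helper names and the config in demo() are my assumptions, and the scratch directory is constructed at run time.

```python
"""Audit cupsd.conf "Listen" directives for Unix-socket paths that a root
cupsd would chmod()/unlink() in the wrong place.  Added example, not CUPS code."""
import os
import re
import stat
import tempfile

# Where a cupsd domain socket is normally expected to live (assumption).
ALLOWED_SOCKET_DIRS = ("/run/cups", "/var/run/cups")

LISTEN_RE = re.compile(r"^\s*Listen\s+(\S+)", re.IGNORECASE)


def listen_paths(config_text):
    """Return Unix-socket paths named by Listen directives; host:port entries are skipped."""
    paths = []
    for line in config_text.splitlines():
        line = line.split("#", 1)[0]              # drop trailing comments
        m = LISTEN_RE.match(line)
        if m and m.group(1).startswith("/"):
            paths.append(m.group(1))
    return paths


def classify_path(path, allowed_dirs=ALLOWED_SOCKET_DIRS):
    """Return a one-line finding for a risky Listen path, or None if it looks sane."""
    real = os.path.realpath(path)                 # follow symlinks: a link out of the dir is flagged
    parent = os.path.dirname(real)
    allowed = tuple(os.path.realpath(d) for d in allowed_dirs)
    if not any(parent == d or parent.startswith(d + "/") for d in allowed):
        return "socket path outside expected directory: %s" % path
    try:
        st = os.lstat(real)
    except FileNotFoundError:
        return None                               # nothing there yet; cupsd would create it
    if not stat.S_ISSOCK(st.st_mode):
        return "Listen path already exists and is not a socket: %s" % path
    return None


def audit(config_text, allowed_dirs=ALLOWED_SOCKET_DIRS):
    """Return the list of findings for a whole cupsd.conf text."""
    findings = []
    for p in listen_paths(config_text):
        why = classify_path(p, allowed_dirs)
        if why:
            findings.append(why)
    return findings


def is_world_writable_socket_mode(mode):
    """True if an st_mode value is 0140777: a socket whose permission bits are 0777."""
    return stat.S_ISSOCK(mode) and stat.S_IMODE(mode) == 0o777


def demo():
    """Run the audit over a constructed config and a scratch directory; returns findings."""
    scratch = tempfile.mkdtemp()
    existing = os.path.join(scratch, "cups.sock")
    open(existing, "w").close()                   # a regular file where the socket would go
    config = "\n".join([
        "Listen localhost:631",
        "Listen /var/lib/example/data.db   # constructed: not a socket directory",
        "Listen %s" % existing,
        "Listen %s" % os.path.join(scratch, "fresh.sock"),
    ])
    return audit(config, allowed_dirs=(scratch,))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The check is deliberately conservative: a path that does not exist yet is accepted, since cupsd has to be able to create its socket, but anything already present that is not a socket, or anything resolving outside the expected directory, is reported before the daemon gets a chance to act on it.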

