CERT VU#810572: Privilege escalation through dynamic linker and isolated vulnerabilities #4609
Comments
CUPS.org User: mike OK, the proposed fixes are attached. Holding bug in pending state until I commit to the public repo...
CUPS.org User: twaugh.redhat Patch looks good to me. How about this sort of thing, in cgi-bin/admin.c? Shouldn't that be changed too?:
(line 767):
(line 2948):
etc. In cups/encode.c:768 there's also this:
[...] and cups/ipp.c uses _cupsStrAlloc() for IPP strings all over the place still. There's another instance in scheduler/job.c:5305:
/*
and several in scheduler/printers.c:
These three in systemv/lpadmin.c also look wrong:
CUPS.org User: mike The IPP code still uses the global string pool - the only change was to make the config file strings (cupsdClear/SetString stuff) use strdup/free so they didn't share the same string pool.
CUPS.org User: twaugh.redhat Alright. Don't we want all of scheduler/*.c to be using ippSetString() rather than _cupsStrAlloc() directly when setting IPP strings, for the extra checking it provides?
CUPS.org User: mike Eventually, yes, but for now I just wanted to focus on the uses that needed to be changed (from cupsdSetString to ippSetString). The long-term goal is for cupsd to not depend on any private APIs.
CUPS.org User: jsmeix.suse As far as I understand the initial comment
An attacker from remote who is allowed to submit print jobs to
Or do I misunderstand it and items 1. + 2. require that the
Did Google provide a reproducer so that one could reproduce
If I am right this is similar to
When a remote attacker can upload a new config file for a service
In the end I like to separate items 1. + 2. => 3. from the rest
In this case here the further bad things are via DYLD_PRELOAD/LD_PRELOAD
But I wonder if the attacker could also upload his evil library as print
If this is possible it would mean:
An attacker from remote who is allowed to submit print jobs to
Regardless if "evil library upload" is also possible or not
Therefore I wonder if we should perhaps generally disable the
CUPS.org User: jsmeix.suse Correction of my last paragraph ("from remote" was missing):
I wonder if we should perhaps generally disable
Currently (for now only an untested idea) I am thinking about
CUPS.org User: mike Johannes, there are still valid reasons to allow configuration for remote updates (think managed server environments using things like puppet), and restricting to localhost would not help in this case anyways - the exploit can be done through a malicious link to localhost or a locally-run program or script.
CUPS.org User: mike Patch for CUPS 1.7
CUPS.org User: mike Patch for CUPS 1.6
CUPS.org User: mike Patch for CUPS 1.5
CUPS.org User: mike Patch for CUPS 1.4
CUPS.org User: mike Patch for CUPS 1.3
CUPS.org User: mike Patch for CUPS 1.2
CUPS.org User: mike Finally, the patch for CUPS 1.1.x, which is much simpler since it doesn't have a string pool or the web interface vulnerability.
CUPS.org User: twaugh.redhat Are there CVE names for any of these vulnerabilities? |
CUPS.org User: mike Not yet; I've asked for Apple Security to take care of it but they need to coordinate with Google... |
CUPS.org User: jsmeix.suse In str4609-1.1.patch the only actual change is in scheduler/ipp.c
+ if (!i && attr->values[i].string.charset)
in the create_job function therein at "Free old strings..."
The same "Free old strings..." functionality exists also
As far as I know, create_job and print_job can both be used
CUPS.org User: mike Johannes, you are right, I forgot to change print_job as well - that is all you need to add. (Keep in mind that this will just crash cupsd in 1.1 - it is not possible to exploit 1.1.x in the same way as the newer versions of CUPS since it did not use the string pool...)
CUPS.org User: mike Assigned CERT VU#810572.
CUPS.org User: carnil Hi, do you know if a CVE has been assigned in the meantime to reference this issue? Regards,
CUPS.org User: mike No CVE, just the VU#.
CUPS.org User: mike Fixed in Subversion repository.
"str4609.patch": Index: cgi-bin/ipp-var.c--- cgi-bin/ipp-var.c (revision 12557)
- char url[1024]; /* URL for class member... */
- sizeof(url), NULL);
Index: cgi-bin/template.c--- cgi-bin/template.c (revision 12557)
cupsdClearString(&con->command); Index: scheduler/conf.c--- scheduler/conf.c (revision 12557)
endif /* APPLE */Index: scheduler/env.c--- scheduler/env.c (revision 12557)
Index: scheduler/ipp.c--- scheduler/ipp.c (revision 12557)
@@ -1556,7 +1555,7 @@
if (con->username[0] || auth_info)
- */
- }
- }
- */
/* if (format)
- _cupsStrFree(format->values[0].string.text);
- attr->values[0].string.text = _cupsStrAlloc("no-hold");
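Review bot: the removed lines `_cupsStrFree(format->values[0].string.text);` and `attr->values[0].string.text = _cupsStrAlloc("no-hold");` wrote to the shared string pool directly, which is the pattern this issue is about; with ippSetString() taking over (as in the job->reasons hunk below), the attribute owns its string, but the other direct _cupsStrAlloc()/_cupsStrFree() uses in scheduler/*.c that twaugh lists above should be audited the same way rather than left for a later pass.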
@@ -9425,11 +9380,7 @@
- _cupsStrFree(jformat->values[0].string.text);
cupsdAddEvent(CUPSD_EVENT_JOB_STOPPED, p, job, if (attr)
ippSetString(job->attrs, &job->reasons, 0, "job-printing");
job->dirty = 1;
job->dirty = 1; Index: scheduler/main.c--- scheduler/main.c (revision 12557)
if (*s)
if (v)
if (olds)
@@ -1449,8 +1449,7 @@
"str4609-1.7.patch": Index: cgi-bin/template.c--- cgi-bin/template.c (revision 12548)
- */
- s += 9;
- putc(*s, out);
- }
- s ++;
- char url[1024]; /* URL for class member... */
- sizeof(url), NULL);
Index: scheduler/ipp.c--- scheduler/ipp.c (revision 12548)
@@ -1577,7 +1576,7 @@
if (con->username[0] || auth_info)
- */
- }
- }
- */
/* if (format)
- _cupsStrFree(format->values[0].string.text);
- attr->values[0].string.text = _cupsStrAlloc("no-hold");
@@ -9341,11 +9296,7 @@
- _cupsStrFree(jformat->values[0].string.text);
cupsdAddEvent(CUPSD_EVENT_JOB_STOPPED, p, job, if (attr)
ippSetString(job->attrs, &job->reasons, 0, "job-printing");
job->dirty = 1;
job->dirty = 1; Index: scheduler/client.c--- scheduler/client.c (revision 12548)
cupsdClearString(&con->command);
"str4609-1.6.patch": Index: cgi-bin/template.c--- cgi-bin/template.c (revision 12550)
- */
- s += 9;
- putc(*s, out);
- }
- s ++;
- char url[1024]; /* URL for class member... */
- sizeof(url), NULL);
Index: scheduler/ipp.c--- scheduler/ipp.c (revision 12550)
@@ -1665,7 +1664,7 @@
if (con->username[0] || auth_info)
- */
- }
- }
- */
/* if (format)
- _cupsStrFree(format->values[0].string.text);
- attr->values[0].string.text = _cupsStrAlloc("no-hold");
@@ -9617,11 +9572,7 @@
- _cupsStrFree(jformat->values[0].string.text);
cupsdAddEvent(CUPSD_EVENT_JOB_STOPPED, p, job, if (attr)
ippSetString(job->attrs, &job->reasons, 0, "job-printing");
job->dirty = 1;
job->dirty = 1; |
"str4609-1.5.patch": Index: cgi-bin/ipp-var.c--- cgi-bin/ipp-var.c (revision 12588)
- char url[1024]; /* URL for class member... */
- sizeof(url), NULL);
Index: cgi-bin/template.c--- cgi-bin/template.c (revision 12588)
- */
- s += 9;
- putc(*s, out);
- }
- s ++;
@@ -1648,7 +1648,10 @@
- */
- }
- }
- */
/* _cupsStrFree(format->values[0].string.text);
} if (attr)
cupsdAddEvent(CUPSD_EVENT_JOB_CONFIG_CHANGED, cupsdFindDest(job->dest), job, _cupsStrFree(jformat->values[0].string.text);
} Index: scheduler/job.c--- scheduler/job.c (revision 12588)
cupsdAddEvent(CUPSD_EVENT_JOB_STOPPED, p, job, if (attr)
cupsdSetJobState(job, IPP_JOB_PROCESSING, CUPSD_JOB_DEFAULT, NULL); if (job->state_value != IPP_JOB_PROCESSING &&
/*
"str4609-1.4.patch": Index: cgi-bin/ipp-var.c--- cgi-bin/ipp-var.c (revision 12588)
- char url[1024]; /* URL for class member... */
- sizeof(url), NULL);
Index: cgi-bin/template.c--- cgi-bin/template.c (revision 12588)
- */
- s += 9;
- putc(*s, out);
- }
- s ++;
@@ -1638,7 +1638,10 @@
- */
- }
- }
- */
/* _cupsStrFree(format->values[0].string.text);
} if (attr)
cupsdAddEvent(CUPSD_EVENT_JOB_CONFIG_CHANGED, cupsdFindDest(job->dest), job, _cupsStrFree(jformat->values[0].string.text);
} Index: scheduler/job.c--- scheduler/job.c (revision 12588)
cupsdAddEvent(CUPSD_EVENT_JOB_STOPPED, p, job, if (attr)
/*
if (job->state_value != IPP_JOB_PROCESSING &&
/*
"str4609-1.3.patch": Index: cgi-bin/ipp-var.c--- cgi-bin/ipp-var.c (revision 12588)
- char url[1024]; /* URL for class member... */
- sizeof(url), NULL);
Index: cgi-bin/template.c--- cgi-bin/template.c (revision 12588)
- */
- s += 9;
- putc(*s, out);
- }
- s ++;
@@ -1517,7 +1517,10 @@
- */
- }
- }
- */
/* _cupsStrFree(format->values[0].string.text);
} if (attr)
cupsdAddEvent(CUPSD_EVENT_JOB_CONFIG_CHANGED, job->printer, job, _cupsStrFree(jformat->values[0].string.text);
} Index: scheduler/job.c--- scheduler/job.c (revision 12588)
@@ -761,8 +765,8 @@
cupsdAddEvent(CUPSD_EVENT_JOB_STOPPED, p, job,
cupsdSaveJob(job); if (job->printer->state_message[0])
- job->printer->state_message);
"str4609-1.2.patch": Index: cgi-bin/ipp-var.c--- cgi-bin/ipp-var.c (revision 12588)
- char url[1024]; /* URL for class member... */
- sizeof(url), NULL);
Index: cgi-bin/template.c--- cgi-bin/template.c (revision 12588)
- */
- s += 9;
- putc(*s, out);
- }
- s ++;
for (attr = con->request->attrs; attr; attr = attr->next)
@@ -1268,7 +1268,7 @@
save_auth_info(con, job);
- */
- }
- }
- */
@@ -1559,7 +1525,8 @@
/* */
sizeof(host), &port, resource, sizeof(resource));if (strncmp(resource, "/jobs/", 6))
- _cupsStrFree(format->values[0].string.text);
if (attr)
cupsdAddEvent(CUPSD_EVENT_JOB_CONFIG_CHANGED, job->printer, job, Index: scheduler/job.c--- scheduler/job.c (revision 12588)
cupsdAddEvent(CUPSD_EVENT_JOB_STOPPED, p, job,
cupsdSaveJob(job); |
"str4609-1.1.patch": Index: scheduler/ipp.c--- scheduler/ipp.c (revision 12588)
@@ -3206,7 +3206,7 @@
@@ -5045,7 +5045,7 @@ job->sheets = attr;
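Review bot: this 1.1 patch touches only the create_job "Free old strings..." block (the `if (!i && attr->values[i].string.charset)` guard quoted in the discussion); print_job carries the same block and, as confirmed above, needs the identical change, otherwise the shared charset/language pointer is still freed once per value and cupsd crashes on the print-job path.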
CUPS.org User: jsmeix.suse FYI: Meanwhile the SUSE security team got the following info from CERT (excerpt):
Furthermore, CVE IDs have been assigned as follows:
* Cross-Site Scripting -- CVE-2015-1159
Perhaps you may like to add the CVEs to change logs and/or
Version: 2.0.2
CUPS.org User: mike
We received a report from Google that cupsd can be exploited to perform a privilege escalation using a combination of bugs and the dynamic linker's support for (pre)loading or redirecting which shared libraries are used by the cups-exec helper program.
The exact attack does the following:
This attack can be done remotely when printer sharing and the web interface are enabled, using failed POST or PUT requests to collect stale request files in the CUPS spool directory containing the malicious code.
This bug tracks resolution of this privilege escalation issue through the following changes: