Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20140401140600.GA18969@suse.de>
Date: Tue, 1 Apr 2014 16:06:00 +0200
From: Sebastian Krahmer <krahmer@...e.de>
To: oss-security@...ts.openwall.com
Subject: cups-browsed remote exploit

Hi

Cups printer discovery seems to have changed in recent versions.
Discovery is now done by cups-browsed.c which is part of cups-filters.
It creates local queues based on information it extracts from the LAN via

a) proprietary packets (udp port 631)
b) mdns (by utilizing avahi functions)

It creates the local queue by accessing localhost's cups
admin interface like ipp://localhost:631/printers/<queue name>
and setting it up as if entered by local user.

For this it creates a filter-script

snprintf(buffer, sizeof(buffer),
             "#!/bin/sh\n"
             "# System V interface script for printer %s generated by cups-browsed\n"
             "\n"
             "if [ $# -lt 5 -o $# -gt 6 ]; then\n"
             "  echo \"ERROR: $0 job-id user title copies options [file]\" >&2\n"
             "  exit 1\n"
             "fi\n"
             "\n"
             "# Read from given file\n"
             "if [ -n \"$6\" ]; then\n"
             "  exec \"$0\" \"$1\" \"$2\" \"$3\" \"$4\" \"$5\" < \"$6\"\n"
             "fi\n"
             "\n"
             "extra_options=\"output-format=%s make-and-model=%s\"\n"
             "\n"
             "%s/filter/pdftoippprinter \"$1\" \"$2\" \"$3\" \"$4\" \"$5 $extra_options\"\n",
             p->name, pdl, make_model, cups_serverbin);

that it POSTs to above URL to become effective for this queue (I did not check the cups admin backend code
parsing this POST though, but I assume its stored as filter for this queue).

As can be seen, its easy to inject code to the script e.g. via model name or pdl key which is taken from
the LAN packets.

(This isnt an Aprils fool.)

regards
Sebastian

-- 

~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer@...e.de - SuSE Security Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.