cups: Improper Update of Reference Count and Cross-Site Scripting (CVE-2015-1158, CVE-2015-1159)
We received a report from Google that cupsd can be exploited to perform a privilege escalation using a combination of bugs and the dynamic linker’s support for (pre)loading or redirecting which shared libraries are used by the cups-exec helper program.
The exact attack does the following:
- Use the CGI template engine to inject malicious HTML in a hyperlink, which is executed by the browser (a similar attack could be performed by a specially written program)
- A specially-crafted print-job or create-job request is sent to cupsd containing the job-originating-host-name attribute with multiple nameWithLanguage values - this triggers a validation error in cupsd, which then tries to free the language strings multiple times.
- The language string passed in is /admin, which causes the cupsd.conf ACL’s copy of the string to become corrupted, allowing anyone to PUT a new cupsd.conf file.
- A new cupsd.conf file is uploaded to cupsd containing SetEnv directives (for DYLD_PRELOAD or LD_PRELOAD) pointing to a malicious dynamic library.
- The next job or request triggers the execution of a helper program through cups-exec, and the dynamic linker loads the malicious code. Depending on the version of CUPS and platform, the code will execute either as the “lp” user or “root”.
This attack can be done remotely when printer sharing and the web interface are enabled, using failed POST or PUT requests to collect stale request files in the CUPS spool directory containing the malicious code.
This bug tracks resolution of this privilege escalation issue through the following changes:
- cupsd should use the ippSetCount and ippSetString APIs rather than manipulating the string values directly, particularly for the processing of the job-originating-host-name attribute.
- cupsd shouldn’t use string pool for config stuff
- cupsd should remove temp files on partial POST/PUT
- cupsd shouldn’t support LD_* and DYLD_* variables when running as root
- Need to call cgiClearVariables in more places to prevent input from leaking into output
- Add new cgiSetVariable function to flag variables that are already encoded HTML, and only give them special treatment
Fix:
CUPS 2.0.3
Reference: http://www.cups.org/str.php?L4609
(from redmine: issue id 4351, created on 2015-06-15, closed on 2015-06-16)
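A defender-side check for the SetEnv step and the LD_*/DYLD_* change listed above, as an added example that is not part of the original report or the CUPS code base: it scans configuration text for SetEnv lines (and, as an assumption, PassEnv lines) that name dynamic linker variables. The function name, sample configuration and library path are constructed for illustration.

```python
# Added example: audit CUPS configuration text for dynamic linker variables.
# Assumptions: directive names are matched case-insensitively, and PassEnv is
# checked as well as the SetEnv directive named in the report.

LINKER_PREFIXES = ("LD_", "DYLD_")

# Constructed sample input, not a real configuration.
SAMPLE_CONF = """\
# constructed sample
LogLevel warn
SetEnv PATH /usr/bin:/bin
setenv LD_PRELOAD /path/to/example.so
PassEnv TZ DYLD_INSERT_LIBRARIES
<Location /admin>
  Order allow,deny
</Location>
"""


def audit_cups_env(conf_text):
    """Return (line_no, directive, variable) for each linker variable found."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = line.split()
        directive = parts[0].lower()
        if directive == "setenv" and len(parts) >= 2:
            names = parts[1:2]   # SetEnv NAME VALUE: only NAME is a variable
        elif directive == "passenv":
            names = parts[1:]    # PassEnv NAME [NAME ...]
        else:
            continue
        for name in names:
            # Environment variable names are case-sensitive.
            if name.startswith(LINKER_PREFIXES):
                findings.append((line_no, parts[0], name))
    return findings


if __name__ == "__main__":
    for line_no, directive, name in audit_cups_env(SAMPLE_CONF):
        print(f"line {line_no}: {directive} exposes {name} to helper programs")
```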
- Relations:
- child #4352 (closed)
- child #4353 (closed)
- child #4354 (closed)
- child #4355 (closed)