Simone Margaritelli, the author of the OpenSnitch firewall and the bettercap network analyzer, has disclosed details of previously announced critical vulnerabilities that allow remote attacks on GNU/Linux distributions, Solaris, FreeBSD, and some other BSD systems. Publication was initially scheduled for October 6, but because of an information leak the details had to be published ahead of schedule, before most distributions had time to prepare package updates. The vulnerabilities affect the CUPS print server and allow remote code execution on the system without authentication.
The researcher who identified the problem prepared a working prototype exploit that chains several vulnerabilities and achieves remote code execution with the rights of the CUPS print job processing process (usually the user "lp"). The exploit can silently change the user's printer settings or add a new printer associated with an attacker-run IPP server that serves a specially crafted PPD description of the printer.
Systems running a CUPS print server together with a cups-browsed process that accepts network connections on UDP port 631 are affected. The attack can also be carried out from a local network in which the print server is reached via zeroconf, mDNS, or DNS-SD. Only cups-browsed configurations in which the BrowseRemoteProtocols parameter in /etc/cups/cups-browsed.conf is set to "cups" are vulnerable. On distributions with systemd, whether the cups-browsed service is in use can be checked with the command "sudo systemctl status cups-browsed".
The vulnerability affects all CUPS-based print systems that use vulnerable versions of the cups-filters, libcupsfilters, libppd, and cups-browsed packages. Fixes are currently available only as patches; the current releases cups-filters 2.0.1, libcupsfilters 2.1b1, libppd 2.1b1 and cups-browsed 2.0.1 are affected, and in distributions the problem remains unfixed. As a workaround until the update is installed, you can block access to UDP port 631 from external networks, disable the cups-browsed service, or set BrowseRemoteProtocols to "none".
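As an added check (not from the article or the OpenPrinting project), the following Python helper parses a cups-browsed.conf for the BrowseRemoteProtocols directive discussed above and scans installed PPDs for FoomaticRIPCommandLine entries. It assumes the directive holds a space-separated protocol list, that affected versions fell back to a default list including "cups" when the directive is absent, and that per-printer PPDs live under /etc/cups/ppd; the sample config and PPD text in the block are constructed.

```python
import re
from pathlib import Path

# /etc/cups/cups-browsed.conf is named on the page; PPD_DIR is an assumption
# (the usual location of CUPS's per-printer PPD copies).
CUPS_BROWSED_CONF = Path("/etc/cups/cups-browsed.conf")
PPD_DIR = Path("/etc/cups/ppd")
# Assumption: with the directive absent, affected cups-browsed versions use a
# built-in default list that includes "cups".
DEFAULT_PROTOCOLS = ["dnssd", "cups"]

def browse_remote_protocols(conf_text: str) -> list[str]:
    """Protocol list from the last BrowseRemoteProtocols directive: '#' comments
    are stripped, the name is matched case-insensitively, the value is split on spaces."""
    protocols = list(DEFAULT_PROTOCOLS)
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = re.match(r"(?i)BrowseRemoteProtocols\s+(.+)$", line)
        if match:
            protocols = match.group(1).lower().split()
    return protocols

def conf_is_exposed(conf_text: str) -> bool:
    """True when cups-browsed would accept 'cups' browse packets on UDP 631."""
    return "cups" in browse_remote_protocols(conf_text)

def rip_command_lines(ppd_text: str) -> list[str]:
    """PPD lines declaring FoomaticRIPCommandLine, the keyword foomatic-rip runs;
    genuine Foomatic PPDs carry it too, so every hit needs manual review."""
    return [l.strip() for l in ppd_text.splitlines()
            if l.lstrip().startswith("*FoomaticRIPCommandLine")]

def audit_host(conf_path: Path = CUPS_BROWSED_CONF, ppd_dir: Path = PPD_DIR) -> dict:
    """Read the live files when present and summarise the findings."""
    findings = {"conf_exposed": None, "rip_commands": {}}
    if conf_path.is_file():
        findings["conf_exposed"] = conf_is_exposed(conf_path.read_text(errors="replace"))
    for ppd in (ppd_dir.glob("*.ppd") if ppd_dir.is_dir() else []):
        hits = rip_command_lines(ppd.read_text(errors="replace"))
        if hits:
            findings["rip_commands"][ppd.name] = hits
    return findings

# Constructed samples (not real files) exercising the checks above.
SAMPLE_CONF_EXPOSED = "# constructed\nBrowseRemoteProtocols dnssd cups\nBrowseAllow all\n"
SAMPLE_CONF_FIXED = "BrowseRemoteProtocols none\n"
SAMPLE_PPD = ('*cupsPrivacyURI: "https://www.google.com/"\n'
              '*FoomaticRIPCommandLine: "echo 1 > /tmp/I_AM_VULNERABLE"\n')
```

Run `audit_host()` as root on the host being checked; a `conf_exposed` of True with cups-browsed active is the combination the workarounds above are meant to remove.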
Vulnerabilities disclosed:
• CVE-2024-47176 - a vulnerability in the cups-browsed process, which creates a network socket on port 631 bound to all network interfaces in the system and accepts IPP "Get-Printer-Attributes" requests from any external system. By manipulating this service, it is possible to add a printer controlled by the attacker to the system and, through the PPD configuration it delivers, exploit vulnerabilities in other CUPS components.
• CVE-2024-47177 - a vulnerability in the foomatic-rip handler from the cups-filters toolkit that allows code execution by passing the FoomaticRIPCommandLine parameter in a PPD file, which an attacker can supply through the cups-browsed vulnerability described above. The shell commands specified in the FoomaticRIPCommandLine parameter are executed as is, even though the parameter can be set by an outsider. For example, to write to the file /tmp/VULNERABLE one can specify *FoomaticRIPCommandLine: "echo 1 > /tmp/VULNERABLE".
• CVE-2024-47175 - a vulnerability in libppd caused by the lack of validation of attribute values in ppdCreatePPDFromIPP2 when IPP attributes are written to a temporary PPD file. The problem allows arbitrary data to be injected into the resulting PPD file by appending attributes separated by a newline character. For example, the check can be bypassed and the FoomaticRIPCommandLine attribute smuggled in alongside the allowed attributes to exploit the above vulnerability in cups-filters.
• CVE-2024-47076 - a vulnerability in the libcupsfilters library from the cups-filters package caused by the lack of validation in cfGetPrinterAttributes5 of the values returned by an external IPP server, which allows an attacker to have arbitrary IPP attributes processed by other CUPS subsystems, for example when PPD files are generated.
The CUPS attack scenario boils down to the following steps:
• The attacker deploys his own IPP server.
• The attacker sends a UDP packet to the victim containing a link to a printer bound to the attacker's IPP server.
• After receiving this packet, the victim's system connects to the attacker's IPP server and requests printer attributes.
• In response to the victim's request, the attacker's IPP server returns a PPD file with attributes, including the FoomaticRIPCommandLine attribute. This attribute is attached to one of the valid attributes using the "\n" character on a single line (e.g., "cupsPrivacyURI: "https://www.google.com/\n*FoomaticRIPCommandLine:"), which bypasses validation and causes FoomaticRIPCommandLine to be recorded as a separate attribute when the received data is saved to a temporary file.
• As a result of processing the transmitted attributes, a PPD file is created on the victim's system:
Code:
...
*cupsSNMPSupplies: False
*cupsLanguages: "en"
*cupsPrivacyURI: "https://www.google.com/"
*FoomaticRIPCommandLine: "echo 1 > /tmp/I_AM_VULNERABLE"
*cupsFilter2 : "application/pdf application/vnd.cups-postscript 0 foomatic-rip"
*cupsSingleFile: True
*cupsFilter2: "application/vnd.cups-pdf application/pdf 0 -"
...
• When a job is printed to the printer substituted by the attacker, the command "echo 1 > /tmp/I_AM_VULNERABLE" is executed.
• Video: https://www.evilsocket.net/images/2024/cups1/exploit.mp4
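To show why the newline validation missing from libppd (CVE-2024-47175) is the hinge of the whole chain, here is an added Python illustration (not libppd's or the researcher's code) of a minimal PPD writer in its pre-fix and hardened forms, fed the cupsPrivacyURI example from the steps above. The attribute dictionaries are constructed, and the one-line-per-attribute writer is a simplification of what ppdCreatePPDFromIPP2 does.

```python
class UnsafeAttributeValue(ValueError):
    """Raised by the hardened writer when a value could start a new PPD line."""

def ppd_lines_vulnerable(attrs: dict[str, str]) -> list[str]:
    """Emit one '*Keyword: "value"' line per attribute, copying values verbatim.
    Pre-fix behaviour: a value carrying a newline lands in the file as its
    own line, so a later parser treats it as a separate keyword."""
    text = "".join(f'*{key}: "{value}"\n' for key, value in attrs.items())
    return text.splitlines()

def ppd_lines_hardened(attrs: dict[str, str]) -> list[str]:
    """Same writer, but any value containing CR or LF is refused up front."""
    for key, value in attrs.items():
        if "\n" in value or "\r" in value:
            raise UnsafeAttributeValue(f"control character in value of {key}")
    return ppd_lines_vulnerable(attrs)

def keywords_in(lines: list[str]) -> list[str]:
    """Keywords a PPD parser would see: the text between '*' and the first ':'."""
    return [line[1:].split(":", 1)[0].strip() for line in lines if line.startswith("*")]

def hardened_rejects(attrs: dict[str, str]) -> bool:
    """True when the hardened writer refuses the given attributes."""
    try:
        ppd_lines_hardened(attrs)
    except UnsafeAttributeValue:
        return True
    return False

# Constructed attributes modelled on the page's example: cupsPrivacyURI closes
# its own quotes, then smuggles a second keyword behind an embedded newline.
INJECTED_ATTRS = {
    "cupsLanguages": "en",
    "cupsPrivacyURI": ('https://www.google.com/"\n'
                       '*FoomaticRIPCommandLine: "echo 1 > /tmp/I_AM_VULNERABLE'),
}
CLEAN_ATTRS = {"cupsLanguages": "en", "cupsPrivacyURI": "https://www.google.com/"}

if __name__ == "__main__":
    print("\n".join(ppd_lines_vulnerable(INJECTED_ATTRS)))  # three keywords, not two
    print("hardened writer rejects injected attrs:", hardened_rejects(INJECTED_ATTRS))
```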
The researcher who identified the vulnerabilities notes that finding them took him a couple of days, but this was followed by 22 days of correspondence with the developers of the OpenPrinting project in an attempt to convince them of the severity of the problem and the need to prepare patches. The discussion bogged down in disputes over whether these problems were worth fixing at all, and the situation changed only after the public stir raised around the discovery of a critical problem. Also notable is an information leak in which the confidential report and exploit submitted to CERT appeared publicly on the forum breachforums.st, despite the disclosure embargo in place.