cups overwrites files as root in a directory with non-root write permission #3510
Comments
CUPS.org User: mike OK, IMHO we should implement something like safe_open in cupsFileOpen (i.e. cupsFileOpen would only support a "safe open mode") so that it applies to all of the CUPS software (not just cupsd) and files (not just files in CacheDir).
CUPS.org User: mike OK, can you review the attached patch? Basically, I've updated cupsFileOpen to not allow creating or appending to a file that is a symlink, much like you've done in Postfix.
CUPS.org User: wietse Thanks. I haven't tested the code, but have a few comments.
I do not know if you intend to use cups_open for non-CUPS files,
CUPS.org User: mike Thanks for your feedback! Re: st_gen, I have some pending autoconf stuff to add. Re: Windows support, I already have a few changes pending but haven't started looking at symlink support. However, since we don't actually run cupsd on Windows I am not making that support a "must fix" for this bug. Re: untrusted parent directories, this isn't an issue for directories used by cupsd in the default configuration, and we can add a check in cupsd (like we already do for the directories themselves) to make sure that world/group write permissions are not enabled for the parent directories. Re: writing to hard links and symlinks, that's never been a supported configuration anyways, but I'll add documentation to cupsFileOpen to make this explicit... Thanks again!
CUPS.org User: mike Fixed in Subversion repository.
CUPS.org User: mdeslaur Did this issue get a CVE number assigned?
CUPS.org User: wietse I did not request a CVE, since this is latent. It depends on the existence of directly exploitable CUPS vulnerabilities. |
CUPS.org User: kurtseifried CVE-2010-2431 has been assigned for this. |
"str3510.patch": Index: cups/file.c--- cups/file.c (revision 9034)
#include "file-private.h" /* @@ -827,7 +829,8 @@
+#ifndef WIN32
+/*
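Review bot: the `+#ifndef WIN32` guard at the top of this hunk excludes the new cupsFileOpen code from WIN32 builds, so the symlink refusal described in the thread only takes effect on non-Windows builds. The follow-up comment accepts that because cupsd is not run on Windows, but the cupsFileOpen documentation promised there should state the platform limitation explicitly so callers on Windows do not assume the "safe open mode" applies.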
Version: 1.4.2
CUPS.org User: wietse
The CUPS server saves state and overwrites files as root in a
directory that is writable by unprivileged processes.
This is a latent privilege escalation vulnerability. It can be
exploited only in the presence of other CUPS vulnerabilities.
Why this is privilege escalation
This is privilege escalation, because an unprivileged process can
trick the CUPS server into overwriting arbitrary files as root.
Example:
This file is opened with cupsFileOpen() which simply opens the file
with open(filename, O_WRONLY | O_TRUNC | O_CREAT | O_LARGEFILE |
O_BINARY, 0666).
If a CUPS "external" program has a vulnerability, an attacker can
use the group=lp privileges to replace /var/cache/cups/remote.cache
with a symlink to a root-writable file. CUPS will then overwrite
that file as root. A similar latent vulnerability exists for the
state file /var/cache/cups/job.cache.
Why this is a latent vulnerability
This is a latent vulnerability, because there is no known exploit
for CUPS "external" programs that run as user=lp, group=lp.
Possible solutions
privileged processes. Alternatively, log an error warning when
the directory has unprivileged write permission.
that unprivileged processes can write to. This is an option
when the information is not used for privileged decisions.
in a directory with unprivileged write access. To create a file
use O_CREAT|O_EXCL. To open an existing file use open/fstat/lstat
and verify that fstat results match lstat results. An example of
such code can be found in the Postfix safe_open() function.
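The recipe in the last paragraph (O_CREAT|O_EXCL to create, otherwise open without O_TRUNC and compare fstat against lstat), written out as an added example; this is not code from CUPS or from Postfix's safe_open(). It also refuses hard links (st_nlink > 1), a case the comments above mention. The function name safe_open_write, the fail helper and the temp-directory self-check with a constructed "victim" file are assumptions made for this illustration.

```c
#define _GNU_SOURCE                          /* mkdtemp, lstat, ftruncate */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
static int fail(int fd, int err) { close(fd); errno = err; return -1; }
/* Open `path` for writing in a directory untrusted users can also write to,
 * following the report's recipe: O_CREAT|O_EXCL for a new file, otherwise
 * open/fstat/lstat and require both to name the same regular file.
 * Returns an fd, or -1 with errno = EPERM for a symlink or hard link. */
int safe_open_write(const char *path, mode_t mode)
{
    struct stat fst, lst;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, mode);
    if (fd >= 0 || errno != EEXIST)
        return fd;                           /* fresh file, or real error */
    /* Entry exists: open WITHOUT O_TRUNC, so a symlink target is not
     * clobbered before we have checked what we actually opened. */
    if ((fd = open(path, O_WRONLY)) < 0)
        return -1;
    /* fstat = the object we opened, lstat = the directory entry itself */
    if (fstat(fd, &fst) < 0 || lstat(path, &lst) < 0 ||
        !S_ISREG(lst.st_mode) || fst.st_dev != lst.st_dev ||
        fst.st_ino != lst.st_ino || fst.st_nlink != 1)
        return fail(fd, EPERM);
    if (ftruncate(fd, 0) < 0)                /* only now is truncation safe */
        return fail(fd, errno);
    return fd;
}
/* Self-check on constructed data in a fresh temp dir: a cache file is created
 * and reopened, then a symlink planted at the cache name is refused and its
 * "victim" target keeps its 6 bytes. Returns 0 on success, else the step. */
int safe_open_selftest(void)
{
    char dir[] = "/tmp/safeopenXXXXXX", cache[64], victim[64];
    struct stat st; int fd;
    if (!mkdtemp(dir)) return 1;
    snprintf(cache, sizeof cache, "%s/remote.cache", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    if ((fd = safe_open_write(cache, 0644)) < 0 || close(fd) < 0) return 2;
    if ((fd = safe_open_write(cache, 0644)) < 0 || close(fd) < 0) return 3;
    fd = open(victim, O_WRONLY | O_CREAT, 0644);              /* target */
    if (fd < 0 || write(fd, "secret", 6) != 6 || close(fd) < 0) return 4;
    if (unlink(cache) < 0 || symlink(victim, cache) < 0) return 5;
    if (safe_open_write(cache, 0644) >= 0 || errno != EPERM) return 6;
    if (stat(victim, &st) < 0 || st.st_size != 6) return 7;  /* intact */
    return 0;
}
```

The self-check opens the planted symlink without O_TRUNC first, which is why the target file still holds its original contents when the check rejects the entry.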