Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.Sign up
Add exploit module for CUPS shellshock #4050
Add CUPS Filter Bash Environment Variable Code Injection exploit module.
The PRINTER_INFO and PRINTER_LOCATION printer properties (set when adding a printer to CUPS) are exported to environment variables when processing a print job. As such, it is possible for an authenticated CUPS user to add a printer with a shellshock payload in either of these properties then trigger the payload by queuing a print job.
Nice. This was the first thing I looked at, since i knew the http server in cups passes the request through env variables (but uses posix spawn process or execve so I stopped looking). Good idea on creating a printer.
If you know (or want to try a dictionary attack on) the username/password you could also serve this exploit to a browser to run against the loopback. There is no csrf token that i can see, besides the
@bcoles: Ah, that's what you meant by unreliable. That's why we used
FWIW, CVE-2014-6271 works on one of my test boxes, but CVE-2014-6278 doesn't work. Same reason.