Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sat, 10 Nov 2012 13:49:43 +0100
From: Yves-Alexis Perez <corsac@...ian.org>
To: oss-security@...ts.openwall.com
Cc: 692791@...s.debian.org, team@...urity.debian.org, cups-security@...le.com
Subject: Privilege escalation (lpadmin -> root) in cups

Hi,

a Debian user reported a bug in our BTS concerning cupsd. The bug is
available at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692791 and
upstream bug at http://www.cups.org/str.php?L4223 (restricted because
it's tagged security).

I'm unsure right now if it's an upstream issue or specific to Debian.

Basically, members of the lpadmin group (which is the group having admin
rights to cups, meaning they're supposed to be able to add/remove
printeers etc.) have admin access to the web interface, where they can
edit the config file and set some “dangerous” directives (like the log
filenames), which enable them to read or write files as the user running
the cupsd webserver.

In Debian case at least, it's run as root, meaning we have a privilege
escalation issue from lpadmin group to root.

A fix would be to not run cupsd web server as root, and maybe to
restrict it to some kind of chroot so it doesn't have access to
sensitive files

Can a CVE be allocated for this?

Regards,
-- 
Yves-Alexis

Download attachment "signature.asc" of type "application/pgp-signature" (491 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.