Comments on: Pwning Ubuntu via CUPS

By: Adrian 'pagvac' Pastor

Adrian 'pagvac' Pastor — Sat, 22 Nov 2008 18:46:21 +0000

@georgeperez: the fact that RSS subscriptions can be added/deleted without auth had been reported before I think, but the fact that the daemon crashes when more than 100 subscriptions are added is a *different* issue.

As I said dude, if you are on Ubuntu 8.04 LTS _fully patched_, the cups daemon crashes when visiting the PoC webpage without needing to be authenticated on the CUPS interface. Granted it’s just a NULL pointer dereference crash, so no code exec is possible. But still, a daemon that runs as root shouldn’t just crash because you visited a webpage IMHO.

By: georgeperez

georgeperez — Sat, 22 Nov 2008 17:00:42 +0000

It is certainly FUD beacause it wasnt never an 0Day, vuln was patched on last version of CUPS,or am I wrong ?

By: Adrian 'pagvac' Pastor

Adrian 'pagvac' Pastor — Fri, 21 Nov 2008 21:41:34 +0000

@CO: simply, you are a restricted user by default on Ubuntu. just like on mac osx and vista. if you are on the command line and need to perform an action with root privileges, then you launch a ’sudo’ command which will ask you for your password. if the privileged action is performed via a GUI, then you’ll also have to reauthenticate, similar to vista’s UAC.

@redb0ne:yeah, noticed that vuln when it came out. requires printer sharing though, which i believe is disabled by default? btw, have u worked on a PoC for this bug? seems idefense was able to exploit it reliably.

btw, it appears that the crash included in this post has been categorized as two issues:

1) cupds crash due to NULL pointer dereference when more than 100 RSS subscriptions are added

http://cve.mitre.org/cgi-bin/c.....-2008-5183

2) RSS subscriptions can be modified without auth and forged (CSRF) remotely via a specially-crafted page

http://cve.mitre.org/cgi-bin/c.....-2008-5184

By: redb0ne

redb0ne — Thu, 20 Nov 2008 13:14:16 +0000

If you are interested in code execution vulns via this attack vector then look at CVE-2008-0047, IIRC it is in the CGI interface as well and can be exploited via a similar means.

By: CO

CO — Thu, 20 Nov 2008 10:50:49 +0000

Could you elaborate on this highlight feature called “sudo”? You mean, I don’t have to run my browser and mail client as root anymore?

By: Adrian 'pagvac' Pastor

Adrian 'pagvac' Pastor — Thu, 20 Nov 2008 08:20:53 +0000

oops, typo!: “malicoius” -> “malicious”

By: Adrian 'pagvac' Pastor

Adrian 'pagvac' Pastor — Thu, 20 Nov 2008 08:19:37 +0000

@Kees and @redb0ne: as I said, all I knew for sure is that a crash can be caused reliably. I was hoping someone could maybe do something more interesting than crashing the CUPS daemon. it seems redb0ne figured out it’s just a null pointer dereference.

I still think it’s interesting how someone could potentially attack the CUPS daemon remotely via malicoius webpages, as a way to bypass the restriction of the daemon only listening to localhost.

@Martin: Bug #298241

@Jason: good idea to do it via JS rather than bash. your JS code broke though, due to the anti XSS filter

@TH: thanks for figuring out why authentication is required on intrepid but not hardy!

By: pdp

pdp — Thu, 20 Nov 2008 01:40:42 +0000

nobody is spreading fud! May I use the opportunity to remind everybody that it is our decision what to publish on this blog. if you don’t like it than move on and unsubscribe. it is as simple as that.

thanks for the feedback btw.

By: redb0ne

redb0ne — Wed, 19 Nov 2008 23:57:56 +0000

This is a NULL pointer dereference from an unchecked pointer, about 5-10 minutes of debugging could have revealed that. Please stop spreading FUD, crashing CUPS is hardly ‘pwning’ anything.

By: djTeller

djTeller — Wed, 19 Nov 2008 13:22:33 +0000

Tested on Ubuntu 8.10 authentication is required.
Crashed as expected.

I’m looking at cupsd.conf on some other installation to figure out the changes.

By: Martin Pitt

Martin Pitt — Wed, 19 Nov 2008 12:07:17 +0000

Any chance you could tell me the Launchpad bug number for this? I am unable to find it. Thanks!

By: Steve

Steve — Wed, 19 Nov 2008 11:41:24 +0000

I have a confirmation that on 8.10 it asks for authentication. Still, this is a poor excuse for defense, it should cap the RSS feeds so that it does not crash even if the user did enter authentication. Also, I wonder why it needs to run as root.

Codename: intrepid

P.S. ps -U root -u root u | wc-l
returns 59 for me

By: TH

TH — Wed, 19 Nov 2008 10:28:13 +0000

Problem solved:

Hardy’s version: 1.3.7-1ubuntu3.1
Intrepid’s version: 1.3.9-2
http://packages.ubuntu.com/intrepid/cups
http://packages.ubuntu.com/hardy/cupsys

From cups-1.3.8 CHANGES.txt:
- The scheduler now ensures that the RSS directory has the correct permissions.

By: <malicious></markup>

<malicious></markup> — Wed, 19 Nov 2008 10:06:21 +0000

Nice article! And yes - the CUPS web front end carries a plethora of vulnerabilities. The ‘print test page’ CSRF alone is classic… Loop this request and block a printer for a very long time wasting paper and ink…

By: TH

TH — Wed, 19 Nov 2008 10:01:44 +0000

Previously I only tried to open “add subscription” URL in browser, and it asked me for credentials. But now I actually tested PoC and it totally blocked my Ubuntu! Opening 101 popup windows asking for credentials isn’t very healthy for the system, especially if you forgot to mount swap partition ;-) If I didn’t kill firefox soon enough only the reset button helped.

So now you have PoC:
- Ubuntu 8.04 - cups crash
- Ubuntu 8.10 - possible denial of service

Great job :-)

By: Adrian 'pagvac' Pastor

Adrian 'pagvac' Pastor — Wed, 19 Nov 2008 08:15:01 +0000

OK, I did further investigation on why some people need authentication to add RSS feeds and others dont. I tested the crash by booting from both the Ubuntu 8.04 LTS (hardy) and Ubuntu 8.10 (intrepid) CD.

Results:

- Ubuntu 8.04.1 LTS (hardy): no authentication required to add RSS subscriptions on CUPS
- Ubuntu 8.10 (intrepid): authentication *is* required to add RSS subscriptions on CUPS

tbh, I have no idea why this is the case.

btw, for those who are too lazy to upload the PoC to a web server, you can test it directly from: http://snipurl.com/5vp46

please let me know if your CUPS daemon crashes: http://localhost:631/ . It should work if you are on Hardy

@pdp: since it also worked for you, I’m assuming you’re on hardy?

$ lsb_release -c
Codename: hardy

By: Jason Soh

Jason Soh — Wed, 19 Nov 2008 08:09:47 +0000

Just realised that I didn’t had curl installed in my ubuntu and network is down at my work place.. So I just hacked up a quick javascript to do the clearing of the RSS subscriptions for me..

for (var i=1;i<=101;++i) {
document.write(”");
}

By: Kees Cook

Kees Cook — Wed, 19 Nov 2008 05:01:09 +0000

This is certainly a bug, but just because something crashes doesn’t mean it’s a security issue.

As others have mentioned, creating an RSS feed requires authentication, so it’s unlikely this is an issue is most environments. Also, even though the CUPS daemon is running as root, it is still confined with an AppArmor profile, isolating any otherwise-successful exploits.

By: anonymous coward

anonymous coward — Tue, 18 Nov 2008 16:15:25 +0000

i dont need authentication either. also running Ubuntu 8.04.1 as mentioned on the gnucitizen labs link and this post:

$ cat /etc/issue.net
Ubuntu 8.04.1

By: pdp

pdp — Tue, 18 Nov 2008 15:29:11 +0000

funny! actually it works for me. but I guess someone needs to have a better look at why it happens, but I cannot be bothered right now :)