Vigil@nce - CUPS: privilege escalation via RSS
August 2014 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker, member of the lp group, can create a symbolic link,
and then read the RSS feed of CUPS, in order to escalate his
privileges.
Impacted products: Debian, Fedora, Ubuntu, Unix (platform)
Severity: 2/4
Creation date: 21/07/2014
DESCRIPTION OF THE VULNERABILITY
The CUPS product offers a web service, with a RSS information feed.
RSS information originate from the /var/cache/cups/rss/ directory.
However, an attacker member of the lp group can create a symbolic
link in this directory pointing to an external file. This file is
then read with root privileges, and displayed in the RSS feed.
By linking /var/run/cups/certs/0, an attacker can also gain
privileges of the CUPS @SYSTEM group.
An attacker, member of the lp group, can therefore create a
symbolic link, and then read the RSS feed of CUPS, in order to
escalate his privileges.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/CUPS-privilege-escalation-via-RSS-15074