Vigil@nce: CUPS, privilege elevation via lppasswd
March 2010 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
A local attacker can modify the LOCALEDIR environment variable, in
order to generate a format string attack in lppasswd, leading to
the execution of privileged code.
Severity: 2/4
Consequences: administrator access/rights
Provenance: user shell
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 04/03/2010
IMPACTED PRODUCTS
– Debian Linux
– Unix - plateform
DESCRIPTION OF THE VULNERABILITY
The lppasswd command defines the password of users accessing to
the CUPS printing system. This program is installed suid root.
The LOCALEDIR environment variable defines the directory where
messages are translated. The _cupsLangprintf() function uses these
translated messages.
A local attacker can change LOCALEDIR, in order to force lppasswd
to display attacker’s messages with _cupsLangprintf(). As some
messages contain format characters, an attacker can thus directly
generate a format string attack, with lppasswd which runs with
root privileges.
A local attacker can therefore modify the LOCALEDIR environment
variable, in order to generate a format string attack in lppasswd,
leading to the execution of privileged code.
CHARACTERISTICS
Identifiers: BID-38524, CVE-2010-0393, DSA 2007-1,
VIGILANCE-VUL-9494
http://vigilance.fr/vulnerability/CUPS-privilege-elevation-via-lppasswd-9494