News
Vigil@nce: CUPS, privilege elevation via lppasswd
March 2010 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
A local attacker can modify the LOCALEDIR environment variable, in order to generate a format string attack in lppasswd, leading to the execution of privileged code.
Severity: 2/4
Consequences: administrator access/rights
Provenance: user shell
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 04/03/2010
IMPACTED PRODUCTS
Debian Linux
Unix - plateform
DESCRIPTION OF THE VULNERABILITY
The lppasswd command defines the password of users accessing to the CUPS printing system. This program is installed suid root.
The LOCALEDIR environment variable defines the directory where messages are translated. The _cupsLangprintf() function uses these translated messages.
A local attacker can change LOCALEDIR, in order to force lppasswd to display attacker’s messages with _cupsLangprintf(). As some messages contain format characters, an attacker can thus directly generate a format string attack, with lppasswd which runs with root privileges.
A local attacker can therefore modify the LOCALEDIR environment variable, in order to generate a format string attack in lppasswd, leading to the execution of privileged code.
CHARACTERISTICS
Identifiers: BID-38524, CVE-2010-0393, DSA 2007-1, VIGILANCE-VUL-9494
