Control: found -1 1.5.3-2.6
Control: found -1 1.5.3-2.4

Hi Jörg, and thanks for your bug report,

As far as I understand your report, there are two separate issues:

a) Members of the lpadmin group can log in to the web interface password-less, using the /var/run/cups/certs/0 file that they can read. Granted, that's a bug, but a non-severe one, as these users can log in to the web interface using their password.

b) Members of the lpadmin group can change the /etc/cups/cupsd.conf file completely and trigger a server restart. By that, they can get the cupsd daemon (which runs as root) to do almost what they want, e.g. read root-owned files (/etc/shadow, …), run commands as other users, … This is basically an lpadmin-to-root privilege escalation.

I have successfully used your exploit script on the Sid version, tagging as found there.

== Possible solutions

I see these possible solutions (to be investigated):

* Have cupsd run as the lp user
* Forbid any changes to the config file from the web interface
* Another idea?

== Next actions

* Report bug to upstream tracker (I'll do it)
* Request a CVE? (Security team members?)
* Fix it :)

Security team members: any better idea / procedure?

Cheers,

OdyX

On Thursday, 8 November 2012 23:23:41, Jörg Ludwig wrote:
> Members of lpadmin can read /var/run/cups/certs/0. With this key it is
> possible to access the cups web interface as admin. You can edit the cups
> config file and set the page log to any filename you want (for example
> /etc/shadow). Then you can read the file contents by viewing the cups page
> log. By printing you can also write some random data to the given file.
>
> As it is not possible to use the cups authentication with a normal
> webbrowser I created a simple shell script to show the effect. When called
> as any unprivileged user which is member of lpadmin it should display the
> contents of /etc/shadow:
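The report chains two conditions: a root-owned CUPS certificate that the lpadmin group can read, and a cupsd.conf whose log directives can be pointed at arbitrary root-owned files. The following POSIX sh audit is an added example, not Jörg's exploit script and not code from the CUPS project or Debian; it checks a system (or a test tree) for both conditions so an administrator can tell whether a given install is exposed. The function names, the `admin_group` and `logdir` parameters, and the treatment of `syslog`/`stderr` as safe targets are assumptions made for this example; the default paths are the ones named in the report.

```sh
#!/bin/sh
# Added example (not from the bug report or the CUPS project): audit a CUPS
# install for the two conditions the report chains into lpadmin-to-root.

# Condition 1: can the admin group (lpadmin on Debian) read the root
# certificate that grants password-less access to the web interface?
# Prints one of: missing, readable, protected.
# Usage: cups_cert_exposure [cert_file] [admin_group]
cups_cert_exposure() {
    cert="${1:-/var/run/cups/certs/0}"
    admin_group="${2:-lpadmin}"          # assumed parameter, defaults to Debian's SystemGroup
    [ -e "$cert" ] || { echo missing; return 0; }
    mode=$(stat -c '%A' "$cert")         # e.g. -rw-r-----
    group=$(stat -c '%G' "$cert")
    group_r=$(printf '%s' "$mode" | cut -c5)
    other_r=$(printf '%s' "$mode" | cut -c8)
    if [ "$other_r" = r ]; then
        echo readable                    # anyone can read it
    elif [ "$group_r" = r ] && [ "$group" = "$admin_group" ]; then
        echo readable                    # exactly the case in the report
    else
        echo protected
    fi
}

# Condition 2: where do cupsd.conf's log directives point? In the attack the
# PageLog is redirected to /etc/shadow so that "view page log" in the web UI
# serves the file and printing appends to it. Anything not under the log
# directory (or the syslog/stderr pseudo-targets) is flagged for review.
# Prints "<Directive> <path> ok|SUSPICIOUS" per directive.
# Usage: cupsd_conf_log_audit [cupsd.conf] [logdir]
cupsd_conf_log_audit() {
    conf="${1:-/etc/cups/cupsd.conf}"
    logdir="${2:-/var/log/cups}"         # assumed parameter
    sed -e 's/#.*//' "$conf" | awk -v dir="$logdir" '
        $1 ~ /^(AccessLog|ErrorLog|PageLog)$/ {
            path = $2
            status = "SUSPICIOUS"
            if (path == "syslog" || path == "stderr") status = "ok"
            else if (index(path, dir "/") == 1) status = "ok"
            print $1, path, status
        }'
}

# Exit 0 when no log directive points outside the log directory, 1 otherwise.
cupsd_conf_is_safe() {
    ! cupsd_conf_log_audit "$@" | grep -q SUSPICIOUS
}

# Stand-alone run against the live system (root or lpadmin membership needed
# to see the real certificate); both functions accept test paths instead.
if [ "${CUPS_AUDIT_MAIN:-1}" = 1 ] && [ -z "$CUPS_AUDIT_NO_MAIN" ]; then
    echo "certificate: $(cups_cert_exposure)"
    [ -r /etc/cups/cupsd.conf ] && cupsd_conf_log_audit
fi
```

Both checks are read-only and report only what the report itself describes: a readable certificate means condition (a) holds, and a log directive outside /var/log/cups means condition (b) is already being used, or at least that the config is writable in a way worth investigating. A clean result from the second check does not mean the escalation is closed, since the config can be rewritten through the web interface at any time while (a) holds.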