Sun Solaris 11 Express
RedHat Enterprise Linux Desktop Workstation 5 client
RedHat Enterprise Linux 5 server
Red Hat Enterprise Linux Desktop 5 client
Pardus Linux 2009 0
MandrakeSoft Linux Mandrake 2010.0 x86_64
MandrakeSoft Linux Mandrake 2010.0
MandrakeSoft Linux Mandrake 2009.0 x86_64
MandrakeSoft Linux Mandrake 2009.0
MandrakeSoft Enterprise Server 5 x86_64
MandrakeSoft Enterprise Server 5
MandrakeSoft Corporate Server 4.0 x86_64
MandrakeSoft Corporate Server 4.0
Easy Software Products CUPS 1.4.2
Easy Software Products CUPS 1.4.1
Easy Software Products CUPS 1.3.10
Easy Software Products CUPS 1.3.9
Easy Software Products CUPS 1.3.8
Easy Software Products CUPS 1.3.7
Easy Software Products CUPS 1.3.6
Easy Software Products CUPS 1.3.5
Easy Software Products CUPS 1.3.3
Easy Software Products CUPS 1.3.2
Easy Software Products CUPS 1.2.12
Easy Software Products CUPS 1.2.10
Easy Software Products CUPS 1.2.9
Easy Software Products CUPS 1.2.8
Easy Software Products CUPS 1.2.4
Easy Software Products CUPS 1.2.2
Easy Software Products CUPS 1.1.23 rc1
+ Gentoo Linux
Easy Software Products CUPS 1.1.23
+ Gentoo Linux
Easy Software Products CUPS 1.1.22 rc1
Easy Software Products CUPS 1.1.22
Easy Software Products CUPS 1.1.21
+ MandrakeSoft Linux Mandrake 10.1 x86_64
+ MandrakeSoft Linux Mandrake 10.1
Easy Software Products CUPS 1.1.20
+ ALT Linux ALT Linux Compact 2.3
+ ALT Linux ALT Linux Junior 2.3
+ Gentoo Linux 1.4 _rc3
+ Gentoo Linux 1.4 _rc2
+ Gentoo Linux 1.4 _rc1
+ MandrakeSoft apcupsd 2006.0
+ MandrakeSoft Linux Mandrake 10.0 AMD64
+ MandrakeSoft Linux Mandrake 10.0
+ S.u.S.E. Linux Personal 9.1
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
Easy Software Products CUPS 1.1.19 rc5
Easy Software Products CUPS 1.1.19
+ MandrakeSoft Linux Mandrake 9.2 amd64
+ MandrakeSoft Linux Mandrake 9.2
+ Turbolinux Appliance Server 1.0 Workgroup Edition
+ Turbolinux Appliance Server 1.0 Hosting Edition
+ Turbolinux Appliance Server Hosting Edition 1.0
+ Turbolinux Appliance Server Workgroup Edition 1.0
+ Turbolinux Home
+ Turbolinux Turbolinux Desktop 10.0
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Workstation 8.0
Easy Software Products CUPS 1.1.18
+ Conectiva Linux 9.0
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ MandrakeSoft Linux Mandrake 9.0
+ MandrakeSoft Multi Network Firewall 2.0
+ S.u.S.E. Linux Personal 8.2
Easy Software Products CUPS 1.1.17
+ RedHat Desktop 3.0
+ RedHat Enterprise Linux AS 3
+ RedHat Enterprise Linux ES 3
+ RedHat Enterprise Linux WS 3
Easy Software Products CUPS 1.1.16
+ MandrakeSoft Linux Mandrake 9.0
Easy Software Products CUPS 1.1.15
+ Conectiva Linux Enterprise Edition 1.0
+ S.u.S.E. Linux 8.1
Easy Software Products CUPS 1.1.14
+ Conectiva Linux 8.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ MandrakeSoft Linux Mandrake 8.2 ppc
+ MandrakeSoft Linux Mandrake 8.2
Easy Software Products CUPS 1.1.13
Easy Software Products CUPS 1.1.12
+ S.u.S.E. Linux 8.0 i386
+ S.u.S.E. Linux 8.0
Easy Software Products CUPS 1.1.10
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Workstation 3.1.1
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ MandrakeSoft Linux Mandrake 8.1 ia64
+ MandrakeSoft Linux Mandrake 8.1
+ S.u.S.E. Linux 7.3 sparc
+ S.u.S.E. Linux 7.3 ppc
+ S.u.S.E. Linux 7.3 i386
Easy Software Products CUPS 1.1.7
Easy Software Products CUPS 1.1.6
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Workstation 3.1
+ MandrakeSoft Linux Mandrake 8.0 ppc
+ MandrakeSoft Linux Mandrake 8.0
+ S.u.S.E. Linux 7.2 i386
+ S.u.S.E. Linux 7.1 x86
+ S.u.S.E. Linux 7.1 sparc
+ S.u.S.E. Linux 7.1 ppc
+ S.u.S.E. Linux 7.1 alpha
Easy Software Products CUPS 1.1.4 -5
Easy Software Products CUPS 1.1.4 -3
+ MandrakeSoft Linux Mandrake 7.2
Easy Software Products CUPS 1.1.4 -2
+ Debian Linux 2.3
Easy Software Products CUPS 1.1.4
+ Debian Linux 2.3
+ MandrakeSoft Linux Mandrake 7.2
Easy Software Products CUPS 1.1.1
+ RedHat PowerTools 7.0
Easy Software Products CUPS 1.0.4 -8
+ Debian Linux 2.2
Easy Software Products CUPS 1.0.4
+ Debian Linux 2.2
Debian Linux 5.0 sparc
Debian Linux 5.0 s/390
Debian Linux 5.0 powerpc
Debian Linux 5.0 mipsel
Debian Linux 5.0 mips
Debian Linux 5.0 m68k
Debian Linux 5.0 ia-64
Debian Linux 5.0 ia-32
Debian Linux 5.0 hppa
Debian Linux 5.0 armel
Debian Linux 5.0 arm
Debian Linux 5.0 amd64
Debian Linux 5.0 alpha
Debian Linux 5.0
Avaya IQ 5.1
Avaya IQ 5
Avaya Communication Server 1000M Signaling Server 7.5
Avaya Communication Server 1000M Signaling Server 7.0
Avaya Communication Server 1000M 7.5
Avaya Communication Server 1000M 7.0
Avaya Communication Server 1000E Signaling Server 7.5
Avaya Communication Server 1000E Signaling Server 7.0
Avaya Communication Server 1000E 7.5
Avaya Communication Server 1000E 7.0
Avaya Aura System Platform 6.0
Avaya Aura System Platform 1.1
Avaya Aura System Manager 6.0 SP1
Avaya Aura System Manager 6.0
Avaya Aura System Manager 5.2
Avaya Aura Session Manager 6.0 SP1
Avaya Aura Session Manager 6.0
Avaya Aura Session Manager 5.2
Avaya Aura Session Manager 1.1
Avaya Aura Presence Services 6.0
Not Vulnerable:
Easy Software Products CUPS 1.4.4
Security Discussion
CUPS (Common UNIX Printing System) is prone to a local privilege-escalation vulnerability.
An attacker with local access could potentially exploit this issue to perform symbolic-link attacks, overwriting arbitrary files in the context of the affected application.
Successfully mounting a symlink attack may allow the attacker to delete or corrupt sensitive files, which may result in a denial of service. Other attacks may also be possible.
Versions prior to CUPS 1.4.4 are vulnerable.
Proof of Concept and Security Exploits
An attacker can use readily available commands to exploit the issue.
Security Solution(s)
Solution: Updates are available. Please see the references for more information.