CVE-2024-47177 – cups-filters vulnerable to Command injection via FoomaticRIPCommandLine
https://notcve.org/view.php?id=CVE-2024-47177
CUPS is a standards-based, open-source printing system, and cups-filters provides backends, filters, and other software for CUPS 2.x to use on non-Mac OS systems. Any value passed to `FoomaticRIPCommandLine` via a PPD file will be executed as a user controlled command. When combined with other logic bugs as described in CVE_2024-47176, this can lead to remote command execution. • https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8 https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-p9rh-jxmq-gq47 https://github.com/OpenPrinting/libcupsfilters/security/advisories/GHSA-w63j-6g73-wmg5 https://github.com/OpenPrinting/libppd/security/advisories/GHSA-7xfx-47qg-grp6 https://www.cups.org https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVE-2024-47175 – libppd's ppdCreatePPDFromIPP2 function does not sanitize IPP attributes when creating the PPD buffer
https://notcve.org/view.php?id=CVE-2024-47175
CUPS is a standards-based, open-source printing system, and `libppd` can be used for legacy PPD file support. The `libppd` function `ppdCreatePPDFromIPP2` does not sanitize IPP attributes when creating the PPD buffer. When used in combination with other functions such as `cfGetPrinterAttributes5`, can result in user controlled input and ultimately code execution via Foomatic. This vulnerability can be part of an exploit chain leading to remote code execution (RCE), as described in CVE-2024-47176. A security issue was found in OpenPrinting CUPS. The function ppdCreatePPDFromIPP2 in the libppd library is responsible for generating a PostScript Printer Description (PPD) file based on attributes retrieved from an Internet Printing Protocol (IPP) response. • https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8 https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-p9rh-jxmq-gq47 https://github.com/OpenPrinting/libcupsfilters/security/advisories/GHSA-w63j-6g73-wmg5 https://github.com/OpenPrinting/libppd/security/advisories/GHSA-7xfx-47qg-grp6 https://www.cups.org https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I https://access.redhat.com/security/cve/CVE-2024-47175 https://b • CWE-20: Improper Input Validation CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVE-2024-47076 – libcupsfilters's cfGetPrinterAttributes5 does not validate IPP attributes returned from an IPP server
https://notcve.org/view.php?id=CVE-2024-47076
CUPS is a standards-based, open-source printing system, and `libcupsfilters` contains the code of the filters of the former `cups-filters` package as library functions to be used for the data format conversion tasks needed in Printer Applications. The `cfGetPrinterAttributes5` function in `libcupsfilters` does not sanitize IPP attributes returned from an IPP server. When these IPP attributes are used, for instance, to generate a PPD file, this can lead to attacker controlled data to be provided to the rest of the CUPS system. A flaw was found in OpenPrinting CUPS. In certain conditions, a remote attacker can add a malicious printer or directly hijack an existing printer by replacing the valid IPP URL with a malicious one. • https://github.com/mutkus/CVE-2024-47076 https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8 https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-p9rh-jxmq-gq47 https://github.com/OpenPrinting/libcupsfilters/security/advisories/GHSA-w63j-6g73-wmg5 https://github.com/OpenPrinting/libppd/security/advisories/GHSA-7xfx-47qg-grp6 https://www.cups.org https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I https://access.redhat.c • CWE-20: Improper Input Validation •
CVE-2024-47176 – cups-browsed binds to `INADDR_ANY:631`, trusting any packet from any source
https://notcve.org/view.php?id=CVE-2024-47176
CUPS is a standards-based, open-source printing system, and `cups-browsed` contains network printing functionality including, but not limited to, auto-discovering print services and shared printers. `cups-browsed` binds to `INADDR_ANY:631`, causing it to trust any packet from any source, and can cause the `Get-Printer-Attributes` IPP request to an attacker controlled URL. Due to the service binding to `*:631 ( INADDR_ANY )`, multiple bugs in `cups-browsed` can be exploited in sequence to introduce a malicious printer to the system. This chain of exploits ultimately enables an attacker to execute arbitrary commands remotely on the target machine without authentication when a print job is started. This poses a significant security risk over the network. Notably, this vulnerability is particularly concerning as it can be exploited from the public internet, potentially exposing a vast number of systems to remote attacks if their CUPS services are enabled. • https://github.com/pearlmansara/CVE-2024-47176-CUPS https://github.com/workabhiwin09/CVE-2024-47176 https://github.com/tonyarris/CVE-2024-47176-Scanner https://github.com/mr-r3b00t/CVE-2024-47176 https://github.com/aytackalinci/CVE-2024-47176 https://github.com/nma-io/CVE-2024-47176 https://github.com/MalwareTech/CVE-2024-47176-Scanner https://github.com/l0n3m4n/CVE-2024-47176 https://github.com/AxthonyV/CVE-2024-47176 https://github.com/0x7556/CVE-2024-47176 https:/ • CWE-20: Improper Input Validation CWE-749: Exposed Dangerous Method or Function CWE-940: Improper Verification of Source of a Communication Channel CWE-1327: Binding to an Unrestricted IP Address •
CVE-2024-35235 – Cupsd Listen arbitrary chmod 0140777
https://notcve.org/view.php?id=CVE-2024-35235
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.8 and earlier, when starting the cupsd server with a Listen configuration item pointing to a symbolic link, the cupsd process can be caused to perform an arbitrary chmod of the provided argument, providing world-writable access to the target. Given that cupsd is often running as root, this can result in the change of permission of any user or system files to be world writable. Given the aforementioned Ubuntu AppArmor context, on such systems this vulnerability is limited to those files modifiable by the cupsd process. In that specific case it was found to be possible to turn the configuration of the Listen argument into full control over the cupsd.conf and cups-files.conf configuration files. • http://www.openwall.com/lists/oss-security/2024/06/11/1 http://www.openwall.com/lists/oss-security/2024/06/12/4 http://www.openwall.com/lists/oss-security/2024/06/12/5 https://git.launchpad.net/ubuntu/+source/apparmor/tree/profiles/apparmor.d/abstractions/user-tmp#n21 https://github.com/OpenPrinting/cups/blob/aba917003c8de55e5bf85010f0ecf1f1ddd1408e/cups/http-addr.c#L229-L240 https://github.com/OpenPrinting/cups/commit/ff1f8a623e090dee8a8aadf12a6a4b25efac143d https://github.com/OpenPrinting/cups • CWE-59: Improper Link Resolution Before File Access ('Link Following') CWE-252: Unchecked Return Value CWE-277: Insecure Inherited Permissions •