OpenPrinting CUPS Privilege Escalation Vulnerability via Malicious Configuration Update

Vulnerability

A vulnerability in OpenPrinting CUPS prior to version 2.4.15 allows a user in the lpadmin group to insert a malicious line into the configuration through the CUPS web interface. When the cupsd process, which runs with root privileges, parses that line, it can be manipulated into performing an out-of-bounds write. This issue has been addressed in version 2.4.15.

Impact

Exploitation of this vulnerability leads to a stack-based out-of-bounds write, which can cause a denial of service or potentially escalate privileges. In some configurations, it may allow remote code execution.

Reproduction

To reproduce this vulnerability, create a user and add it to the lpadmin group. Then build CUPS with AddressSanitizer enabled and install it. After that, add a malicious IPv6 address to the cupsd.conf file through the CUPS web interface; the address is crafted so that it controls the out-of-bounds write. Finally, run the CUPS daemon with the modified configuration file and observe the exploitation.

Remediation

Users can update to CUPS version 2.4.15, which addresses this vulnerability.
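A defender-side audit script for this issue, added here as an example (it is not from the advisory or from the CUPS project). It assumes the configuration lives at /etc/cups/cupsd.conf and that `cups-config --version` prints the installed version; it compares that version numerically against 2.4.15 and lists bracketed literals in cupsd.conf that do not parse as IPv6 addresses, since a malicious address inserted through the web interface would end up in that file.

```python
"""Audit for the CUPS issue above: version check plus cupsd.conf hygiene. Assumed
(not from the advisory): config at /etc/cups/cupsd.conf, `cups-config --version`."""
import ipaddress
import re
import shutil
import subprocess
from pathlib import Path

FIXED_VERSION = (2, 4, 15)  # release that addresses the issue, per the advisory
_BRACKET_LITERAL = re.compile(r"\[([^\]]*)\]")  # e.g. "Listen [::1]:631"

# Constructed sample (not a real cupsd.conf) so the script also runs offline.
SAMPLE_CONF = """# constructed sample
Listen localhost:631
Listen [::1]:631
Listen [fe80::1%eth0]:631
Listen [::1::zz::not-an-address]:631
"""

def parse_version(text: str) -> tuple:
    """'2.4.15' or 'CUPS v2.4.15' -> (2, 4, 15); string comparison would
    wrongly rank '2.4.2' above '2.4.15', so compare numeric tuples."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def is_vulnerable_version(version_text: str) -> bool:
    return parse_version(version_text) < FIXED_VERSION

def suspicious_ipv6_literals(conf_text: str) -> list:
    """(line_number, literal) for each bracketed literal that is not a valid
    IPv6 address; anything else in cupsd.conf deserves a manual look."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        code = line.split("#", 1)[0]  # ignore trailing comments
        for literal in _BRACKET_LITERAL.findall(code):
            try:
                ipaddress.IPv6Address(literal.split("%", 1)[0])  # drop zone id
            except ValueError:
                findings.append((lineno, literal))
    return findings

if __name__ == "__main__":
    conf = Path("/etc/cups/cupsd.conf")
    text = conf.read_text() if conf.exists() else SAMPLE_CONF
    for lineno, literal in suspicious_ipv6_literals(text):
        print(f"line {lineno}: suspicious address literal {literal!r}")
    if shutil.which("cups-config"):
        ver = subprocess.run(["cups-config", "--version"], capture_output=True, text=True).stdout
        print("installed CUPS version predates the fix:", is_vulnerable_version(ver))
```

Flagged literals are candidates for review, not proof of tampering; a version at or above 2.4.15 is the actual fix.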

Added: Nov 29, 2025, 3:21 AM
Updated: Nov 29, 2025, 3:21 AM

Vulnerability Rating

Custom Algorithm
spread: 6.8
impact: 2.5
exploitability: 4.0
remediation: 7.7
relevance: 1.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.