OpenPrinting CUPS
cpe:2.3:a:openprinting:cups:*:*:*:*:*:*:*
- <= 2.4.16
A vulnerability in OpenPrinting CUPS versions through 2.4.16 allows unauthorized clients to send Print-Job requests to shared PostScript queues without authentication. This issue arises in network-exposed cupsd instances where the target queue is shared. The server accepts a page-border value as textWithoutLanguage, preserves embedded newlines through option escaping and re-parsing, and then interprets the resulting second-line PPD text as a trusted scheduler control record. Consequently, a follow-up raw print job can execute an attacker-chosen existing binary, such as /usr/bin/vim, as the lp user.
Exploitation of this vulnerability leads to unauthorized code execution on the CUPS server with lp-level privileges. When combined with certain other vulnerabilities, this could allow an unprivileged remote attacker to overwrite files with root privileges, effectively gaining root access on a typical Linux system.
To reproduce this vulnerability, send a Print-Job request to a shared PostScript queue on a network-exposed CUPS server running a vulnerable version. The server will accept the job without authentication. Once the job is processed, inject a page-border value that includes a newline, which will be re-parsed and executed as a trusted scheduler control record. Follow up with a raw print job that exploits this injection by executing a binary of choice, such as vim, as the lp user.
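A defender-side check for the preconditions named above (affected version, network-exposed cupsd, shared queue), as an added example that is not part of the original advisory or of CUPS itself. It assumes the standard `Listen`/`Port` directives in cupsd.conf and an explicit `Shared Yes` line per queue in printers.conf; the function names and sample text are constructed for illustration. It does not check whether a queue is PostScript or what the access policy allows.

```python
import ipaddress
import re

AFFECTED_MAX = (2, 4, 16)  # "versions through 2.4.16", per the advisory text
# Constructed sample input (not taken from any real host).
SAMPLE_CUPSD = "Listen localhost:631\nListen /run/cups/cups.sock\nPort 631\n"
SAMPLE_PRINTERS = "<Printer office_ps>\nShared Yes\n</Printer>\n<Printer lab>\nShared No\n</Printer>\n"

def version_affected(version):
    """True if a dotted version string such as '2.4.7' is <= 2.4.16."""
    parts = tuple(int(n) for n in re.findall(r"\d+", version)[:3])
    return parts + (0,) * (3 - len(parts)) <= AFFECTED_MAX

def _is_loopback(host):
    try:
        return host.lower() == "localhost" or ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # '*' or a hostname: assume reachable from the network

def network_listeners(cupsd_conf):
    """Listen/Port directives that bind more than loopback or a domain socket."""
    exposed = []
    for key, value in re.findall(r"(?im)^[ \t]*(Listen|Port)[ \t]+(\S+)", cupsd_conf):
        if key.lower() == "port":  # Port N listens on every interface
            exposed.append(f"Port {value}")
        elif not value.startswith("/"):  # skip domain-socket paths
            if not _is_loopback(value.rsplit(":", 1)[0].strip("[]")):
                exposed.append(f"Listen {value}")
    return exposed

def shared_queues(printers_conf):
    """Names of <Printer>/<DefaultPrinter> blocks that contain 'Shared Yes'."""
    shared, current = [], None
    for line in printers_conf.splitlines():
        line = line.strip()
        opened = re.match(r"<(?:Default)?Printer\s+(\S+)>", line)
        if opened:
            current = opened.group(1)
        elif line.startswith("</"):
            current = None
        elif current and line.lower().split() == ["shared", "yes"]:
            shared.append(current)
    return shared

def exposure(version, cupsd_conf, printers_conf):
    listeners, queues = network_listeners(cupsd_conf), shared_queues(printers_conf)
    hit = version_affected(version) and bool(listeners) and bool(queues)
    return {"exposed": hit, "listeners": listeners, "shared_queues": queues}
```

On a real host, pass the contents of the server's cupsd.conf and printers.conf together with the installed CUPS version string.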