OpenPrinting CUPS
cpe:2.3:a:openprinting:cups:*:*:*:*:*:*:*
- 2.4.16
A local unprivileged user can manipulate the CUPS daemon into authenticating with a reusable authorization token to an attacker-controlled IPP service on localhost. This vulnerability exists in CUPS versions through 2.4.16. The authenticated IPP requests can be used to create a persistent printer queue that bypasses normal restrictions, allowing for arbitrary file overwrites with root privileges. The vulnerability can be exploited to execute commands as root by manipulating the sudoers file.
Exploitation of this vulnerability allows for arbitrary file overwrites with root privileges, enabling unauthorized command execution as the root user.
To reproduce this vulnerability, first create a temporary printer queue using a file URI that is normally rejected by CUPS. Once the queue is created, an authorization token is obtained that allows for administrative requests to be sent to the CUPS daemon. The next step is to persist the temporary queue by making it permanent, effectively bypassing the restrictions on file URIs. After the queue is established, print to it, which will overwrite a file with root privileges. This process can be automated with a script that handles the timing and retries necessary to successfully exploit the vulnerability.