Hi all,
there is an important security vulnerability in CUPS:
Description
Summary
When the |AuthType| is set to anything but |Basic|, if the request
contains an |Authorization: Basic ...| header, the password is not checked.
Details
When the |Authorization| header is set to |Basic|, but in
|scheduler/auth.c| |cupsdAuthorize| |type| is not |CUPSD_AUTH_BASIC|,
the step with checking the password is skipped.
PoC
- Configure CUPS with |DefaultAuthType Negotiate|.
- Start CUPS
- curl -v -X PUT -d 'haha' -H "Authorization: Basic $(echo -n root:x | base64)" http://127.0.0.1:631/admin/conf/cupsd.conf
- cat /etc/cups/cupsd.conf
  haha
Impact
Authentication bypass. Any configuration that allows an |AuthType| that
is not |Basic| is affected.
Versions lower than 2.4.3 are affected in a less serious way: if an
attacker provides valid credentials for Basic authentication and cupsd
requires Kerberos authentication on the resource (and vice versa), the
attack is still possible because cupsd ignores its own authentication
settings if the creds are valid. In those cases, the prerequisite for
the attack is that the attacker obtains an allowed user's
credentials/Kerberos ticket, which is more difficult.
Patch
https://github.com/OpenPrinting/cups/commit/595d691075b1d39
Have a nice day,
Zdenek Dohnal
--
Zdenek Dohnal
Senior Software Engineer
Red Hat, BRQ-TPBC
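
The logic described under Details, as an added example that is not part of the original message and not CUPS source code: a simplified C model of a password check gated on the configured type, next to a fail-closed variant that rejects any scheme mismatch first. All function names, the enum, and the sample credentials are hypothetical and constructed for illustration.

```c
/* Simplified model of the reported logic; not CUPS source. Names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

typedef enum { AUTH_NONE, AUTH_BASIC, AUTH_NEGOTIATE } auth_type_t;

/* Constructed stand-in for the real credential check (e.g. PAM). */
static bool check_password(const char *user, const char *pass) {
    return strcmp(user, "alice") == 0 && strcmp(pass, "correct-horse") == 0;
}

/* Map the scheme token of an Authorization header value to an auth type. */
static auth_type_t header_scheme(const char *authorization) {
    if (authorization == NULL) return AUTH_NONE;
    if (strncasecmp(authorization, "Basic ", 6) == 0) return AUTH_BASIC;
    if (strncasecmp(authorization, "Negotiate ", 10) == 0) return AUTH_NEGOTIATE;
    return AUTH_NONE;
}
/* Flawed shape: the password check is gated on the configured type, so a
 * Basic header sent to a Negotiate-protected resource skips it entirely.
 * user/pass stand for the already-decoded Basic credentials. */
bool authorize_flawed(auth_type_t configured, const char *authorization,
                      const char *user, const char *pass) {
    if (header_scheme(authorization) != AUTH_BASIC)
        return false;              /* Negotiate handling omitted in this model */
    if (configured == AUTH_BASIC && !check_password(user, pass))
        return false;
    return true;                   /* user name accepted, possibly unverified */
}

/* Fail-closed: the client's scheme must match the configured one first. */
bool authorize_strict(auth_type_t configured, const char *authorization,
                      const char *user, const char *pass) {
    auth_type_t scheme = header_scheme(authorization);
    if (scheme == AUTH_NONE || scheme != configured)
        return false;
    if (scheme == AUTH_BASIC)
        return check_password(user, pass);
    return false;                  /* Negotiate handling omitted in this model */
}

int main(void) {
    const char *hdr = "Basic cm9vdDp4";   /* constructed header: root:x */
    printf("flawed=%d strict=%d\n", authorize_flawed(AUTH_NEGOTIATE, hdr, "root", "x"),
           authorize_strict(AUTH_NEGOTIATE, hdr, "root", "x"));
    return 0;
}
```

The strict variant also covers the pre-2.4.3 case in the Impact section, because valid credentials for a scheme the resource does not require are rejected before they are evaluated.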