cups icon indicating copy to clipboard operation
cups copied to clipboard
verified publisher icon OpenPrinting

CUPS_DEBUG_LOG support for "%d" is not properly guarded

Open frostb1ten opened this issue 1 year ago • 2 comments

Description A format string vulnerability exists in CUPS when compiled with debugging enabled. The vulnerability arises from improper sanitization of the CUPS_DEBUG_LOG environment variable in the _cups_debug_set() function. Specifically, this variable is passed to snprintf() without validation, allowing user input with format specifiers (e.g., %p, %n) to be processed.

This can lead to:

  • Memory Address Leakage: The use of %p allows a regular user to leak memory addresses, potentially aiding in bypassing security mechanisms such as ASLR.
  • Memory Write Attempt via %n: Although %n is blocked in modern environments, it still presents a potential security issue where this protection is absent.

This finding was originally discovered while reviewing the code at: https://github.com/OpenPrinting/cups/blob/master/cups/debug.c#L98:

 _cups_debug_set(getenv("CUPS_DEBUG_LOG"), getenv("CUPS_DEBUG_LEVEL"), getenv("CUPS_DEBUG_FILTER"), 0);

In this code, the CUPS_DEBUG_LOG environment variable is passed to the _cups_debug_set() function, which processes the environment data. The vulnerability occurs when the function then reaches the following line: https://github.com/OpenPrinting/cups/blob/master/cups/debug.c#L278:

snprintf(buffer, sizeof(buffer), logfile, getpid());

Here, snprintf() is used to format the log file string, which can lead to a format string vulnerability if user-controlled input contains specifiers like %p or %n. This allows an attacker to leak memory addresses or attempt arbitrary memory writes in environments where protections like %n blocking may not be in place.

To Reproduce Steps to reproduce the behavior:

  1. Compile CUPS with debug mode enabled:
git clone https://github.com/OpenPrinting/cups.git
cd cups
./configure --enable-debug --enable-debug-printfs --disable-shared --disable-gssapi
make
  1. Set the CUPS_DEBUG_LOG environment variable with a format string and launch cupsd:
mkdir /tmp/test
export CUPS_DEBUG_LOG="/tmp/test/%p %p"
./scheduler/cupsd -f  # Break out of this after it starts running.
  1. Observe the output in /tmp/test2/, where the file is named using leaked memory addresses due to the %p specifiers. cca25949-59ac-43ce-904c-ccffa1ee6180

Expected behavior The CUPS_DEBUG_LOG variable should be treated as a plain string, and any format specifiers should not be interpreted by snprintf(). The log file should be created without leaking memory addresses or allowing unintended memory writes.

System Information:

  • Tested on Operating System: Linux 019ae0923308 5.15.153.1-microsoft-standard-WSL2 #1 SMP Fri Mar 29 23:14:13 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
  • CUPS version: v2.4.11 Latest

frostb1ten avatar Sep 30 '24 18:09 frostb1ten

Note: Not treating as a security issue because debug printfs are a developer tool that is not normally compiled into the library.

CUPS_DEBUG_LOG is defined as supporting only a single "%d" to insert the current process ID. Update the code to look for this and substitute manually rather than using snprintf to do the heavy lifting.

michaelrsweet avatar Sep 30 '24 19:09 michaelrsweet

Oh, and thank you for finding and reporting this issue... :)

michaelrsweet avatar Sep 30 '24 19:09 michaelrsweet

[master 0da38a5f7] Harden debug printf PID support (Issue #1066)

michaelrsweet avatar Nov 15 '24 17:11 michaelrsweet