Status: Fixed
Closed: Jan 2017
CUPS: incorrect whitelist permits DNS rebinding attacks
Project Member Reported by jannh@google.com, Dec 19 2016
In valid_host() in scheduler/client.c, CUPS protects against DNS
rebinding attacks by checking the "Host" header. In particular, when
the HTTP connection is coming over the loopback interface, only the
following hostnames are permitted:

 - localhost
 - localhost.
 - localhost.localdomain (only on Linux)
 - 127.0.0.1
 - [::1]

The issue here is that localhost.localdomain is not actually
guaranteed to point to 127.0.0.1. While apparently e.g. Debian had an
entry in /etc/hosts at some point that resolved localhost.localdomain
to 127.0.0.1, that is not the case anymore, and so e.g. Firefox ends
up asking the DNS server from /etc/resolv.conf for the address of
localhost.localdomain. (This doesn't work in Chrome; Chrome has
special logic for handling localhost.localdomain and a few other
aliases for localhost.) A simple way to verify this is to monitor the
network traffic with "tcpdump -i <interface> udp port 53" while
attempting to navigate to http://localhost.localdomain/.

This means that, if a victim has configured CUPS to only listen on
127.0.0.1 and the victim is using Firefox, an attacker who controls
the network can still perform a DNS rebinding attack to gain access to
the CUPS web interface.


You can test this attack as follows:

 - ensure that CUPS is bound to 127.0.0.1
 - install dnsmasq and configure your machine to use it as DNS server
 - add the following config options to dnsmasq:
       host-record=localhost.localdomain,127.0.0.2
       host-record=localhost.localdomain,127.0.0.1
       # don't serve possible AAAA records for localhost.localdomain
       # from upstream
       local=/localhost.localdomain/
 - unpack the attached cups-attack.tar, cd to "cups-attack"
 - run ./server.py with root privileges
 - in Firefox, navigate to
   "http://localhost.localdomain:632/redirect.html" (port 632, not
   port 631)
 - you should now see an SID that was generated by the CUPS
   web interface in an alert dialog

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
Attachment: cups-attack.tar (10.0 KB)
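The following is an added example, not CUPS code and not the attached cups-attack.tar. It models the loopback Host-header check that the report describes in valid_host(): one allow-list mirrors the five names quoted above (including localhost.localdomain), the other drops that entry so only names the loopback interface itself guarantees remain. The function names (vulnerable_valid_host, hardened_valid_host, normalize_host), the port-stripping and case handling, and the sample Host values are this example's own assumptions, not a description of what the referenced fix commit changed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Allow-lists for connections that arrive over the loopback interface.
 * VULNERABLE mirrors the list quoted in the report: it contains
 * localhost.localdomain, a name the resolver may send to the network,
 * so an attacker controlling DNS can make it resolve to their host.
 * HARDENED (this example's assumption of a safe list) keeps only the
 * literals and names that loopback itself guarantees. */
static const char *const vulnerable_allowlist[] = {
    "localhost", "localhost.", "localhost.localdomain", "127.0.0.1", "[::1]", NULL
};
static const char *const hardened_allowlist[] = {
    "localhost", "localhost.", "127.0.0.1", "[::1]", NULL
};

/* Copy the Host header value into buf, lower-cased and with any trailing
 * ":port" removed.  A ':' inside a bracketed IPv6 literal ("[::1]:631")
 * is not a port separator, so for bracketed values only the suffix after
 * the closing ']' is stripped.  Returns false on empty, oversized or
 * unterminated input. */
static bool normalize_host(const char *host, char *buf, size_t buflen)
{
    size_t len = strlen(host);
    if (len == 0 || len >= buflen)
        return false;

    const char *end = host + len;            /* one past the last char kept */
    const char *colon;
    if (host[0] == '[') {
        const char *bracket = strchr(host, ']');
        if (bracket == NULL)
            return false;                    /* unterminated IPv6 literal */
        colon = strchr(bracket, ':');        /* a port may follow the ']' */
    } else {
        colon = strrchr(host, ':');
    }
    if (colon != NULL)
        end = colon;

    size_t i;
    for (i = 0; host + i < end; i++)
        buf[i] = (char)tolower((unsigned char)host[i]);
    buf[i] = '\0';
    return i > 0;
}

/* True if the Host header is acceptable for a loopback connection under
 * the given allow-list. */
static bool host_allowed(const char *host, const char *const allowlist[])
{
    char norm[256];
    if (!normalize_host(host, norm, sizeof norm))
        return false;
    for (size_t i = 0; allowlist[i] != NULL; i++)
        if (strcmp(norm, allowlist[i]) == 0)
            return true;
    return false;
}

bool vulnerable_valid_host(const char *host) { return host_allowed(host, vulnerable_allowlist); }
bool hardened_valid_host(const char *host)   { return host_allowed(host, hardened_allowlist); }

int main(void)
{
    /* Constructed Host values; the fourth is what a rebinding attack via
     * Firefox would present to a CUPS bound to 127.0.0.1. */
    const char *samples[] = {
        "localhost:631", "127.0.0.1", "[::1]:631",
        "localhost.localdomain:631", "printer.example.com:631", "LOCALHOST",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s vulnerable=%d hardened=%d\n", samples[i],
               vulnerable_valid_host(samples[i]), hardened_valid_host(samples[i]));
    return 0;
}
```

The two lists differ in exactly one entry, and that entry is the whole bug: a Host value of localhost.localdomain passes the first list even when the name was resolved by an attacker-controlled DNS server rather than by /etc/hosts, whereas the second list only accepts values whose meaning does not depend on a resolver at all.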
Project Member Comment 1 by jannh@google.com, Dec 20 2016
Apple is tracking this issue as 655143910.
Project Member Comment 2 by jannh@google.com, Jan 12 2017
Fixed in commit https://github.com/apple/cups/commit/afa80cb2b457bf8d64f775bed307588610476c41 , but not in a release yet.
Project Member Comment 3 by jannh@google.com, Jan 19 2017
Status: Fixed
Fixed in CUPS 2.2.2, released 2017-01-17.
Project Member Comment 4 by jannh@google.com, Jan 23 2017
Labels: -Restrict-View-Commit
Project Member Comment 5 by jannh@google.com, Jun 2
Labels: Methodology-source-review