hpssd in Hewlett-Packard Linux Imaging and Printing Project (hplip) 1.x and 2.x before 2.7.10 allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a from address, which is not properly handled when invoking sendmail.

From Red Hat Security Advisory 2007:0960 :

An updated hplip package to correct a security flaw is now available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The hplip (Hewlett-Packard Linux Imaging and Printing Project) package provides drivers for HP printers and multi-function peripherals.

Kees Cook discovered a flaw in the way the hplip hpssd daemon handled user input. A local attacker could send a specially crafted request to the hpssd daemon, possibly allowing them to run arbitrary commands as the root user. (CVE-2007-5208). On Red Hat Enterprise Linux 5, the SELinux targeted policy for hpssd which is enabled by default, blocks the ability to exploit this issue to run arbitrary code.

Users of hplip are advised to upgrade to this updated package, which contains backported patches to resolve this issue.

Kees Cook discovered a flaw in the way the hplip hpssd daemon handled user input. A local attacker could send a specially crafted request to the hpssd daemon, possibly allowing them to run arbitrary commands as the root user. (CVE-2007-5208). On Scientific Linux 5, the SELinux targeted policy for hpssd which is enabled by default, blocks the ability to exploit this issue to run arbitrary code.

An updated hplip package to correct a security flaw is now available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The hplip (Hewlett-Packard Linux Imaging and Printing Project) package provides drivers for HP printers and multi-function peripherals.

Kees Cook discovered a flaw in the way the hplip hpssd daemon handled user input. A local attacker could send a specially crafted request to the hpssd daemon, possibly allowing them to run arbitrary commands as the root user. (CVE-2007-5208). On Red Hat Enterprise Linux 5, the SELinux targeted policy for hpssd which is enabled by default, blocks the ability to exploit this issue to run arbitrary code.

Users of hplip are advised to upgrade to this updated package, which contains backported patches to resolve this issue.

Kees Cook discovered that the hpssd tool of the HP Linux Printing and Imaging System (HPLIP) performs insufficient input sanitising of shell meta characters, which may result in local privilege escalation to the hplip user.

The deamon 'hpssd' could be exploited by users to execute arbitrary commands as root. hpssd only runs on systems that have HP all-in-one devices configured. In the default configuration the problem is not remotely exploitable as hpssd only listens on local interfaces.
(CVE-2007-5208)

It was discovered that the hpssd tool of hplip did not correctly handle shell meta-characters. A local attacker could exploit this to execute arbitrary commands as the hplip user.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update fixes a vulnerability in the hpssd daemon.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A vulnerability in the hpssd tool was discovered where it did not correctly handle shell meta-characters. A local attacker could use this flaw to execute arbitrary commands as the hplip user.

As well, this update fixes a problem with some HP scanners on Mandriva Linux 2007.1, particularly HP PSC 1315, which wouldn't be detected and also fixes a problem with HP 1220 and possibly other models when scanning via the OpenOffice.org suite.

Updated packages have been patched to prevent these issues.

The remote host is affected by the vulnerability described in GLSA-200710-26 (HPLIP: Privilege escalation)

    Kees Cook from the Ubuntu Security team discovered that the hpssd     daemon does not correctly validate user-supplied data before passing it     to a 'popen3()' call.
  Impact :

    A local attacker may be able to exploit this vulnerability by sending a     specially crafted request to the hpssd daemon to execute arbitrary     commands with the privileges of the user running hpssd, usually root.
  Workaround :

    There is no known workaround at this time.

The deamon 'hpssd' could be exploited by users to execute arbitrary commands as root. hpssd only runs on systems that have HP all-in-one devices configured. In the default configuration the problem is not remotely exploitable as hpssd only listens on local interfaces (CVE-2007-5208).

The version of the HP Linux Imaging and Printing System hpssd daemon on the remote host fails to sanitize user-supplied input before appending it to a commandline when calling sendmail.  Using a specially crafted email address, an unauthenticated, remote attacker can leverage this issue to execute arbitrary shell commands on the remote host subject to the permissions under which the daemon operates, typically root.

ID	Name	Product	Family	Severity
67583	Oracle Linux 5 : hplip (ELSA-2007-0960)	Nessus	Oracle Linux Local Security Checks	high
60266	Scientific Linux Security Update : hplip on SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
43657	CentOS 5 : hplip (CESA-2007:0960)	Nessus	CentOS Local Security Checks	high
29939	Debian DSA-1462-1 : hplip - missing input sanitising	Nessus	Debian Local Security Checks	high
29460	SuSE 10 Security Update : hplip17 and hplip17-hpijs (ZYPP Patch Number 4507)	Nessus	SuSE Local Security Checks	high
28135	Ubuntu 6.10 / 7.04 : hplip vulnerability (USN-530-1)	Nessus	Ubuntu Local Security Checks	high
27776	Fedora 7 : hplip-1.7.4a-6.fc7 (2007-2527)	Nessus	Fedora Local Security Checks	high
27562	Mandrake Linux Security Advisory : hplip (MDKSA-2007:201)	Nessus	Mandriva Local Security Checks	high
27558	GLSA-200710-26 : HPLIP: Privilege escalation	Nessus	Gentoo Local Security Checks	high
27267	openSUSE 10 Security Update : hplip (hplip-4516)	Nessus	SuSE Local Security Checks	high
27054	HP Linux Imaging and Printing Project (hplip) hpssd from Address Command Injection	Nessus	Gain a shell remotely	high
27036	RHEL 5 : hplip (RHSA-2007:0960)	Nessus	Red Hat Local Security Checks	high

Detections

Analytics

CVE-2007-5208

critical

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high