CUPS Remote Command Execution via Shellshock

critical Nessus Plugin ID 79804

Language:

Synopsis

The remote printer service is affected by a remote command execution vulnerability via Shellshock.

Description

The remote host appears to be running CUPS with the web-based interface enabled. A remote attacker can exploit CUPS to execute arbitrary commands via crafted fields during the creation or modification of a printer. The 'PRINTER_INFO' and 'PRINTER_LOCATION' fields can be configured to contain arbitrary commands which will be executed when a print job is submitted, provided the remote host is running a vulnerable version of Bash.

This plugin attempts to exploit this flaw by using user-supplied credentials to access the CUPS server and create a printer, then submitting a print request.

Solution

Apply the referenced Bash patch.

See Also

http://seclists.org/oss-sec/2014/q3/650

http://www.nessus.org/u?dacf7829

https://www.invisiblethreat.ca/post/shellshock/

Plugin Details

Severity: Critical

ID: 79804

File Name: cups_bash_rce.nbin

Version: 1.73

Type: remote

Family: Misc.

Published: 12/8/2014

Updated: 7/19/2022

Risk Information

VPR

Risk Factor: Critical

Score: 9.5

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.7

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: E:H/RL:OF/RC:C

CVSS Score Source: CVE-2014-7169

Vulnerability Information

CPE: cpe:/a:apple:cups, cpe:/a:gnu:bash

Required KB Items: www/cups

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/26/2014

Vulnerability Publication Date: 9/24/2014

CISA Known Exploited Dates: 7/28/2022

Exploitable With

Core Impact

Metasploit (Qmail SMTP Bash Environment Variable Injection (Shellshock))

Reference Information

CVE: CVE-2014-6271, CVE-2014-7169

BID: 70103, 70137

CERT: 252743

EDB-ID: 34765, 34766, 34777

IAVA: 2014-A-0142