Linux OpenPrinting CUPS Admin Token Disclosure Vulnerability Privilege Escalation Exploit

A local unprivileged user can coerce "cupsd" into authenticating to an attacker-controlled localhost IPP service with a reusable "Authorization: Local" token. That token is enough to drive "/admin/" requests on "localhost", and the attacker can combine "CUPS-Create-Local-Printer" with "printer-is-shared=true" to persist a "file:///" queue even though the normal "FileDevice" policy rejects such URIs. Printing to that queue gives an arbitrary file write as root, which in turn allows root command execution.

This module uses this vulnerability to escalate privileges and deploy a new agent that runs with root user privileges.

The module starts a local capture server on the port given by the CAPTURE_PORT parameter; if no value is provided, it defaults to port 9189. The IPP port can be set with the IPP_PORT parameter; if no value is provided, it defaults to port 631. The module then finds and uses the "ipptool" executable to trigger the local admin print and leak the auth token, retrying the leak up to 5 times.

Once the token is leaked, the module creates a temporary directory and uploads the trigger and agent executables. It then locates the "sudo" and "whoami" executables and triggers the vulnerability to create a file inside the "/etc/sudoers.d/" directory that allows the current user to run "sudo" without a password. If the attack succeeds, the agent is executed via "sudo", which deploys a new agent with root user privileges. Once the agent is deployed, the module deletes the trigger executable and the file it created in "/etc/sudoers.d/".
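As an added defender-side example (not part of this module description or of CUPS), the following Python audit flags the two artifacts the chain above leaves on a host: a CUPS queue whose DeviceURI uses the "file:" scheme (which the FileDevice policy is supposed to reject) and a NOPASSWD rule under "/etc/sudoers.d/". The printers.conf and sudoers drop-in samples are constructed; on a real host you would read "/etc/cups/printers.conf" and each file in "/etc/sudoers.d/" instead.

```python
import re

# Constructed sample of /etc/cups/printers.conf (not from a real host).
SAMPLE_PRINTERS_CONF = """\
<Printer office>
Info Office printer
DeviceURI ipp://192.0.2.10/ipp/print
Shared No
</Printer>
<DefaultPrinter tmpq>
DeviceURI file:///etc/sudoers.d/99-cups
Shared Yes
</DefaultPrinter>
"""

# Constructed sample of a drop-in under /etc/sudoers.d/ (hypothetical).
SAMPLE_SUDOERS_DROPIN = """\
# hypothetical drop-in written by the chain described above
alice ALL=(ALL) NOPASSWD: ALL
"""

# printers.conf stores each queue as a <Printer name> or <DefaultPrinter name> block.
_BLOCK_RE = re.compile(
    r"<(?:Default)?Printer\s+([^>\s]+)>(.*?)</(?:Default)?Printer>", re.S)


def find_file_queues(conf_text):
    """Return [(queue_name, device_uri, shared)] for every queue whose
    DeviceURI uses the file: scheme. Such a queue should not exist unless
    FileDevice was enabled on purpose; a shared one is the persistence
    artifact described above."""
    hits = []
    for name, body in _BLOCK_RE.findall(conf_text):
        uri, shared = None, False
        for line in body.splitlines():
            parts = line.strip().split(None, 1)
            if len(parts) != 2:
                continue
            key, value = parts
            if key == "DeviceURI":
                uri = value
            elif key == "Shared":
                shared = value.lower() == "yes"
        if uri and uri.lower().startswith("file:"):
            hits.append((name, uri, shared))
    return hits


def find_nopasswd_rules(sudoers_text):
    """Return every non-comment line in a sudoers file that grants NOPASSWD."""
    return [ln.strip() for ln in sudoers_text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")
            and "NOPASSWD" in ln.upper()]
```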