module
CUPS 1.6.1 Root File Read
| Disclosed | Created |
|---|---|
| 11/20/2012 | 05/30/2018 |
Disclosed
11/20/2012
Created
05/30/2018
Description
This module exploits a vulnerability in CUPS CUPS allows members of the lpadmin group to make changes to the cupsd.conf
configuration, which can specify an Error Log path. When the user visits the
Error Log page in the web interface, the cupsd daemon (running with setuid root)
reads the Error Log path and echoes it as plaintext.
This module is known to work on Mac OS X as long as the session is in the lpadmin group.
Warning: if the user has set up a custom path to the CUPS error log,
this module might fail to reset that path correctly. You can specify
a custom error log path with the ERROR_LOG datastore option.
configuration, which can specify an Error Log path. When the user visits the
Error Log page in the web interface, the cupsd daemon (running with setuid root)
reads the Error Log path and echoes it as plaintext.
This module is known to work on Mac OS X as long as the session is in the lpadmin group.
Warning: if the user has set up a custom path to the CUPS error log,
this module might fail to reset that path correctly. You can specify
a custom error log path with the ERROR_LOG datastore option.
Authors
Jann Hornjoev
Platform
Linux,OSX
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
msf > use post/multi/escalate/cups_root_file_read
msf /(d) > show actions
...actions...
msf /(d) > set ACTION < action-name >
msf /(d) > show options
...show and set options...
msf /(d) > run
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.