CVE-2007-5208
Published: 2007-10-13
Priority: P2 · 64 · high · 7.6 (CVSS 2.0)
Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 67.26% (99.2th percentile)
hpssd in Hewlett-Packard Linux Imaging and Printing Project (hplip) 1.x and 2.x before 2.7.10 allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a from address, which is not properly handled when invoking sendmail.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | hplip | < hplip 1.6.10-4.3 (bookworm) | hplip 1.6.10-4.3 (bookworm) |
| hp | linux_imaging_and_printing_project | <= 2.7.10 | — |
| hp | linux_imaging_and_printing_project | — | — |
Detection & IOCs
- Monitor network traffic to port 2207 (hpssd default config port) for messages containing 'msg=setalerts' with shell metacharacters (e.g., semicolons) in the 'email-from-address' field.
- Detect exploitation attempt by inspecting hpssd protocol messages for 'msg=testemail' immediately following a 'setalerts' message with a suspicious 'email-from-address' value containing shell metacharacters.
- Alert on hpssd/hpssd.py spawning unexpected child processes (e.g., shells or network tools), as the daemon runs with root privileges and the injected command executes in that context.
- The exploit requires 'sendmail' to be present on the target; correlate hpssd process activity with unexpected sendmail invocations containing shell metacharacters in the from-address argument.
- The hpssd daemon is configured to listen on port 2207 but actually binds to a dynamic/ephemeral port at runtime, making static port-based detection unreliable.
- The daemon is localhost-only by default, so exploitation is limited to local or already-compromised network access; external network detections will not apply.
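The first two detections above, sketched as an added example (not code from this page or from hplip). It assumes each hpssd message arrives as newline-separated `key=value` fields; `parse_message`, `scan` and the sample session are hypothetical names and constructed data.

```python
import re

# Characters a shell treats specially; none belong in an e-mail address.
SHELL_META = re.compile(r"[;&|`$<>(){}\\'\"!*?~\s]")


def parse_message(raw):
    """Parse one message into a dict (assumed format: one key=value per line)."""
    fields = {}
    for line in raw.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


def scan(messages):
    """Return (index, rule, from_address) alerts for one client session."""
    alerts = []
    tainted = None  # from-address flagged by the message just before this one
    for index, raw in enumerate(messages):
        fields = parse_message(raw)
        msg = fields.get("msg", "").lower()
        addr = fields.get("email-from-address", "")
        if msg == "setalerts" and SHELL_META.search(addr):
            alerts.append((index, "setalerts-metachar", addr))
            tainted = addr
            continue
        if msg == "testemail" and tainted is not None:
            # testemail immediately after a flagged setalerts
            alerts.append((index, "testemail-after-suspicious-setalerts", tainted))
        tainted = None
    return alerts


# Constructed sample session: a benign pair, then a flagged pair.
SAMPLE = [
    "msg=setalerts\nemail-from-address=printer@example.com\n",
    "msg=testemail\n",
    "msg=setalerts\nemail-from-address=printer@example.com;PLACEHOLDER\n",
    "msg=testemail\n",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

Because the daemon binds a dynamic port, feed `scan` from a capture of all loopback traffic to the hpssd process rather than a filter on port 2207.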
CVSS provenance
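| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 7.6 | HIGH | AV:N/AC:H/Au:N/C:C/I:C/A:C |
| osv | | 7.6 | HIGH | |
| vendor_debian | | 7.6 | MEDIUM | |
| vendor_redhat | | 7.6 | HIGH | |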
Ubuntu
hplip vulnerability
vendor_ubuntu·2007-10-12
Title: hplip vulnerability
Summary: hplip vulnerability
It was discovered that the hpssd tool of hplip did not correctly handle
shell meta-characters. A local attacker could exploit this to execute
arbitrary commands as the hplip user.
Instructions: In general, a standard system upgrade is sufficient to effect the
necessary changes.
Red Hat
hplip arbitrary command execution
vendor_redhat·2007-10-11·CVSS 7.6
CVE-2007-5208 [HIGH] CWE-78 hplip arbitrary command execution
hpssd in Hewlett-Packard Linux Imaging and Printing Project (hplip) 1.x and 2.x before 2.7.10 allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a from address, which is not properly handled when invoking sendmail.
Debian
CVE-2007-5208: hplip - hpssd in Hewlett-Packard Linux Imaging and Printing Project (hplip) 1.x and 2.x ...
vendor_debian·2007·CVSS 7.6
CVE-2007-5208 [HIGH] CVE-2007-5208: hplip - hpssd in Hewlett-Packard Linux Imaging and Printing Project (hplip) 1.x and 2.x ...
hpssd in Hewlett-Packard Linux Imaging and Printing Project (hplip) 1.x and 2.x before 2.7.10 allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a from address, which is not properly handled when invoking sendmail.
Scope: local
bookworm: resolved (fixed in 1.6.10-4.3)
bullseye: resolved (fixed in 1.6.10-4.3)
sid: resolved (fixed in 1.6.10-4.3)
trixie: resolved (fixed in 1.6.10-4.3)
GHSA
GHSA-qjxj-rc6r-r77w: hpssd in Hewlett-Packard Linux Imaging and Printing Project (hplip) 1
ghsa_unreviewed·2022-05-01
CVE-2007-5208 [HIGH] CWE-20 GHSA-qjxj-rc6r-r77w: hpssd in Hewlett-Packard Linux Imaging and Printing Project (hplip) 1
hpssd in Hewlett-Packard Linux Imaging and Printing Project (hplip) 1.x and 2.x before 2.7.10 allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a from address, which is not properly handled when invoking sendmail.
OSV
CVE-2007-5208: hpssd in Hewlett-Packard Linux Imaging and Printing Project (hplip) 1
osv·2007-10-13·CVSS 7.6
CVE-2007-5208 [HIGH] CVE-2007-5208: hpssd in Hewlett-Packard Linux Imaging and Printing Project (hplip) 1
hpssd in Hewlett-Packard Linux Imaging and Printing Project (hplip) 1.x and 2.x before 2.7.10 allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a from address, which is not properly handled when invoking sendmail.
No detection rules found.
Exploit-DB
hplip - 'hpssd.py' From Address Arbitrary Command Execution (Metasploit)
exploitdb·2010-10-09
---
##
# $Id: hplip_hpssd_exec.rb 10617 2010-10-09 06:55:52Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'hplip hpssd.py From Address Arbitrary Command Execution',
'Description' => %q{
This module exploits a command execution vulnerable in the hpssd.py
daemon of the Hewlett-Packard Linux Imaging and Printing Project.
According to MITRE, versions 1.x and 2.x before 2.7.10 are vulnerable.
This module was written and tested using the Fedora 6 Linux distribut
Metasploit
HPLIP hpssd.py From Address Arbitrary Command Execution
metasploit
This module exploits a command execution vulnerability in the hpssd.py daemon of the Hewlett-Packard Linux Imaging and Printing Project. According to MITRE, versions 1.x and 2.x before 2.7.10 are vulnerable. This module was written and tested using the Fedora 6 Linux distribution. On the test system, the daemon listens on localhost only and runs with root privileges. Although the configuration shows the daemon is to listen on port 2207, it actually listens on a dynamic port. NOTE: If the target system does not have a 'sendmail' command installed, this vulnerability cannot be exploited.
Bugzilla
CVE-2007-5208 hplip arbitrary command execution [F7]
bugzilla·2007-10-12·CVSS 7.6
CVE-2007-5208 [HIGH] CVE-2007-5208 hplip arbitrary command execution [F7]
F7 tracking bug: see blocks bug list for full details of the security issue(s).
[bug automatically created by: add-tracking-bugs]
Discussion:
hplip-1.7.4a-6.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
Bugzilla
CVE-2007-5208 hplip arbitrary command execution [FC6]
bugzilla·2007-10-12·CVSS 7.6
CVE-2007-5208 [HIGH] CVE-2007-5208 hplip arbitrary command execution [FC6]
FC6 tracking bug: see blocks bug list for full details of the security issue(s).
[bug automatically created by: add-tracking-bugs]
Discussion:
Fixed in FEDORA-2007-724: http://lwn.net/Alerts/254683/
Bugzilla
CVE-2007-5208 hplip arbitrary command execution
bugzilla·2007-10-05·CVSS 7.6
CVE-2007-5208 [HIGH] CVE-2007-5208 hplip arbitrary command execution
Kees Cook of the Ubuntu Security Team has informed us of the following security
vulnerability in hplip:
I just discovered that the hpssd daemon of hplip is vulnerable to
arbitrary command injection via its use of popen3. Other local users
can run commands as the invoker of hpssd (usually root, hplip, or a
local user). By default, it only listens on localhost, but this is
configurable via /etc/hp/hplip.conf, so in the worst-case it is possible
this could allow remote root command execution.
Both 2.x and 1.x series appear vulnerable (but not 0.x which used SMTP).
The bug for this is: https://launchpad.net/bugs/149121
Discussion:
Created attachment 217201
Patch provided by Kees
---
hplip is shipped with Red Hat Enterprise Linux 5. This is de
Published: 2007-10-13