A boundary error in the ParseCommand() function of CUPS version 1.x allows for a buffer overflow attack.
9ccc61dd6cf89fb1b7ef2aaa8f5dfe79a4ba5c2dd48a1000eff91a3631981c4c
From djb@cr.yp.to Wed Dec 15 14:21:33 2004
Date: 15 Dec 2004 08:20:11 -0000
From: D. J. Bernstein <djb@cr.yp.to>
To: securesoftware@list.cr.yp.to, cups@easysw.com
Subject: [remote] [control] CUPS 1.1.22 hpgltops ParseCommand overflows buf
Ariel Berkman, a student in my Fall 2004 UNIX Security Holes course, has
discovered a remotely exploitable security hole in CUPS. I'm publishing
this notice, but all the discovery credits should be assigned to
Berkman.
A CUPS installation is at risk whenever it prints an HPGL file obtained
from email (or a web page or any other source that could be controlled
by an attacker). You are at risk if you print data through a CUPS
installation at risk. The source of the HPGL file has complete control
over the CUPS ``lp'' account; in particular, he can read and modify the
files you are printing.
Proof of concept: On an x86 computer running FreeBSD 4.10, as root, type
cd /usr/ports/print/cups
make install
to download and compile the CUPS package, version 1.1.22 (current).
Then, as any user, save the file 21.hpgl.gz attached to this message,
and type
gunzip 21.hpgl
/usr/local/libexec/cups/filter/hpgltops \
15 $USER test-title 1 none 21.hpgl > 21.ps
with the unauthorized result that a file named x is removed from the
current directory. (I tested this with a 541-byte environment, as
reported by printenv | wc -c.)
Here's the bug: In hpgl-input.c, ParseCommand() reads any number of
bytes into a 262144-byte buf[] array.
---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago
[ Part 2, Application/X-GUNZIP 692bytes. ]
[ Unable to print this part. ]