Apple CUPS Daemon: unauthenticated SIGSEGV crash via RSS subscriptions

no problem. thanks!

On Wed, Nov 19, 2008 at 6:59 PM, Kees Cook <email address hidden> wrote:
> ** Visibility changed to: Public
>
> --
> Apple CUPS Daemon: unauthenticated SIGSEGV crash via RSS subscriptions
> https://bugs.launchpad.net/bugs/298241
> You received this bug notification because you are a direct subscriber
> of the bug.
>
> Status in "cups" source package in Ubuntu: New
>
> Bug description:
> Binary package hint: cups
>
> The CUPS daemon (/usr/sbin/cupsd) which listens by default on port 631/tcp, crashes when more than 100 RSS Subscriptions are added. No authentication is required to perform such action. The caveat is that by default - at least on Ubuntu and openSuse - the daemon only accepts connections from localhost as specified by the default configuration settings (/etc/cups/cupsd.conf). However, the attack can be of remote nature by tricking the victim user to visit a specially-crafted page. Such page would forge the 'add rss subscription' request 101 times which causes the CUPS daemon to crash.
>
> The CUPS daemon runs by default on Ubuntu, openSuse and probably other GNU/Linux distributions. Additionally, this vulnerability can be replicated against CUPS daemons using default settings. Since no authentication is required to add new RSS subscriptions, the CUPS administrator does not need to be logged in during exploitation.
>
> It is not known whether the crash can lead to command execution, further debugging/investigation is required. However, the daemon runs as root on both Ubuntu and openSuse (and probably other distributions), which means that given that command execution is possible, this bug would lead to a full compromise of the targeted system.
>
> _Please see the attached file for more details._
>

--
Adrian 'pagvac' Pastor | GNUCITIZEN | gnucitizen.org
PGP Key ID: 0x6B232C7C

More info here: http://www.gnucitizen.org/blog/pwning-ubuntu-via-cups/

I'll deal with the jaunty/Debian update. I was fairly sure that http://www.cups.org/strfiles/2774/str2774.patch fixed it (in cups 1.3.8), I just get a live-locked browser (tons of message boxes), but cupsd stays alive. I followed up to the Debian bug.

@Martin: check out the comments on http://www.gnucitizen.org/blog/pwning-ubuntu-via-cups/

someone figured out why ubuntu hardy does NOT require auth to add rss subscriptions (cupsd dies completely when visiting "evil" page), whereas ubuntu intrepid DOES require auth.

copied and pasted:

"
TH responds:

Problem solved:

Hardy’s version: 1.3.7-1ubuntu3.1
Intrepid’s version: 1.3.9-2
http://packages.ubuntu.com/intrepid/cups
http://packages.ubuntu.com/hardy/cupsys

From cups-1.3.8 CHANGES.txt:
- The scheduler now ensures that the RSS directory has the correct permissions.
"

hope that helps.

CVE-2008-5183
CVE-2008-5184

Is CVE-2008-5183 fixed upstream yet?

This is fixed in >= 1.3.8 and only affects >= 1.3, thus it is not an issue for intrepid, jaunty, and dapper.

http://www.cups.org/str.php?L2774 has a patch for CVE-2008-5184.

CVE-2008-5183 is not fixed anywhere, not even latest upstream. However, it is just an authenticated local DoS, and thus very low-priority.

RedHat has a patch for CVE-2008-5183, linked bug.

This issue was fixed for Dapper, Gutsy, Hardy and Intrepid by:

http://www.ubuntu.com/usn/usn-707-1