Apple CUPS Daemon: unauthenticated SIGSEGV crash via RSS subscriptions

Bug #298241 reported by ap on 2008-11-15
Affects         | Status       | Importance | Assigned to          | Milestone
cups (Debian)   | Fix Released | Unknown    |                      |
cups (Fedora)   | Fix Released | Medium     |                      |
cups (Ubuntu)   |              | High       | Unassigned           |
  Gutsy         |              | Undecided  | Unassigned           |
  Hardy         |              | Undecided  | Ubuntu Security Team |
cups (openSUSE) | New          | Undecided  | Unassigned           |

Bug Description

Binary package hint: cups

The CUPS daemon (/usr/sbin/cupsd), which listens by default on port 631/tcp, crashes when more than 100 RSS Subscriptions are added. No authentication is required to perform such an action. The caveat is that by default - at least on Ubuntu and openSUSE - the daemon only accepts connections from localhost, as specified by the default configuration settings (/etc/cups/cupsd.conf). However, the attack can be of a remote nature by tricking the victim user into visiting a specially-crafted page. Such a page would forge the 'add rss subscription' request 101 times, which causes the CUPS daemon to crash.

The CUPS daemon runs by default on Ubuntu, openSUSE and probably other GNU/Linux distributions. Additionally, this vulnerability can be replicated against CUPS daemons using default settings. Since no authentication is required to add new RSS subscriptions, the CUPS administrator does not need to be logged in during exploitation.

It is not known whether the crash can lead to command execution; further debugging/investigation is required. However, the daemon runs as root on both Ubuntu and openSUSE (and probably other distributions), which means that, given that command execution is possible, this bug would lead to a full compromise of the targeted system.

_Please see the attached file for more details._

ap (a.p) wrote :

no problem. thanks!

On Wed, Nov 19, 2008 at 6:59 PM, Kees Cook <email address hidden> wrote:
> ** Visibility changed to: Public
>
> --
> Apple CUPS Daemon: unauthenticated SIGSEGV crash via RSS subscriptions
> https://bugs.launchpad.net/bugs/298241
> You received this bug notification because you are a direct subscriber
> of the bug.
>

--
Adrian 'pagvac' Pastor | GNUCITIZEN | gnucitizen.org
PGP Key ID: 0x6B232C7C

Martin Pitt (pitti) wrote :

I'll deal with the jaunty/Debian update. I was fairly sure that http://www.cups.org/strfiles/2774/str2774.patch fixed it (in cups 1.3.8), I just get a live-locked browser (tons of message boxes), but cupsd stays alive. I followed up to the Debian bug.

Changed in cups:
assignee: nobody → pitti
importance: Undecided → High
status: New → In Progress

ap (a.p) wrote :

@Martin: check out the comments on http://www.gnucitizen.org/blog/pwning-ubuntu-via-cups/

someone figured out why ubuntu hardy does NOT require auth to add rss subscriptions (cupsd dies completely when visiting "evil" page), whereas ubuntu intrepid DOES require auth.

copied and pasted:

"
TH responds:

Problem solved:

Hardy’s version: 1.3.7-1ubuntu3.1
Intrepid’s version: 1.3.9-2
http://packages.ubuntu.com/intrepid/cups
http://packages.ubuntu.com/hardy/cupsys

From cups-1.3.8 CHANGES.txt:
- The scheduler now ensures that the RSS directory has the correct permissions.
"

hope that helps.

Common Vulnerabilities and Exposures assigned an identifier CVE-2008-5183 to
the following vulnerability:

cupsd in CUPS before 1.3.8 allows local users, and possibly remote
attackers, to cause a denial of service (daemon crash) by adding a
large number of RSS Subscriptions, which triggers a NULL pointer
dereference. NOTE: this issue can be triggered remotely by leveraging
CVE-2008-5184.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5183
http://www.gnucitizen.org/blog/pwning-ubuntu-via-cups/
https://bugs.launchpad.net/ubuntu/+source/cups/+bug/298241
http://www.openwall.com/lists/oss-security/2008/11/19/3
http://www.openwall.com/lists/oss-security/2008/11/19/4

Patch: See attachment -- cups-1.3-max-subscriptions.patch
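
The NULL pointer dereference named in the CVE text above, as an added C model that is not CUPS code and does not reproduce cupsd's internals: a fixed-capacity table of 100 subscriptions whose allocator returns NULL when full, with the unchecked caller beside the hardened one that refuses the 101st request instead of crashing. All identifiers and the sample feed URI are constructed.

```c
#include <stddef.h>
/* Constructed model of the failure mode behind CVE-2008-5183; not CUPS code.
 * The table uses the cap the report describes (100 subscriptions): once it is
 * full the allocator returns NULL, and an unchecked caller dereferences it. */
#define MAX_SUBSCRIPTIONS 100

typedef struct { int id; const char *recipient; } subscription_t;
static subscription_t table[MAX_SUBSCRIPTIONS];
static int num_subscriptions = 0;

/* Hands out the next free slot, or NULL when the cap has been reached. */
static subscription_t *alloc_subscription(void)
{
    return num_subscriptions < MAX_SUBSCRIPTIONS ? &table[num_subscriptions++] : NULL;
}

/* Vulnerable pattern: trusts the allocator. Past the cap, sub is NULL and the
 * store faults, taking the root daemon down. Never called past the cap here. */
int add_subscription_unchecked(const char *recipient)
{
    subscription_t *sub = alloc_subscription();
    sub->id = num_subscriptions;              /* NULL dereference when full */
    sub->recipient = recipient;
    return sub->id;
}

/* Hardened pattern: a full table is an error returned to the client, not a
 * pointer to write through. Returns the new id, or -1 when full. */
int add_subscription_checked(const char *recipient)
{
    subscription_t *sub = alloc_subscription();
    if (sub == NULL)
        return -1;
    sub->id = num_subscriptions;
    sub->recipient = recipient;
    return sub->id;
}

/* Serves n unauthenticated "add subscription" requests through the hardened
 * path on an empty table and returns how many were accepted: with n = 101 the
 * last one is refused and the process is still alive to report that. */
int serve_add_requests(int n)
{
    int accepted = 0;
    num_subscriptions = 0;
    for (int i = 0; i < n; i++)
        if (add_subscription_checked("rss://constructed-feed") >= 0)
            accepted++;
    return accepted;
}
```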

Martin Pitt (pitti) wrote :

CVE-2008-5183
CVE-2008-5184

cups-1.3.9-4.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/cups-1.3.9-4.fc10

cups-1.3.9-2.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/cups-1.3.9-2.fc9

cups-1.3.9-2.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/cups-1.3.9-2.fc8

Kees Cook (kees) wrote :

Is CVE-2008-5183 fixed upstream yet?

cups-1.3.9-4.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.

cups-1.3.9-2.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.

cups-1.3.9-2.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.

Martin Pitt (pitti) wrote :

This is fixed in >= 1.3.8 and only affects >= 1.3, thus it is not an issue for intrepid, jaunty, and dapper.

Changed in cups:
status: In Progress → Fix Released

Martin Pitt (pitti) wrote :

http://www.cups.org/str.php?L2774 has a patch for CVE-2008-5184.

CVE-2008-5183 is not fixed anywhere, not even latest upstream. However, it is just an authenticated local DoS, and thus very low-priority.

Changed in cups:
status: New → Triaged
assignee: nobody → ubuntu-security
status: New → Triaged

Martin Pitt (pitti) wrote :

Red Hat has a patch for CVE-2008-5183, linked bug.

Changed in cups:
status: Unknown → Confirmed

Marc Deslauriers (mdeslaur) wrote :

This issue was fixed for Dapper, Gutsy, Hardy and Intrepid by:

http://www.ubuntu.com/usn/usn-707-1

Changed in cups:
status: Triaged → Fix Released
status: Triaged → Fix Released
Changed in cups:
status: Unknown → Fix Released

This was addressed via:

Red Hat Enterprise Linux version 5 (RHSA-2008:1029)

koeman (mmndoank) on 2012-06-08
Changed in cups (Ubuntu):
assignee: Martin Pitt (pitti) → nobody
Changed in cups (Fedora):
importance: Unknown → Medium
status: Confirmed → Fix Released