Apple CUPS Daemon: unauthenticated SIGSEGV crash via RSS subscriptions
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
cups (Debian) |
Fix Released
|
Unknown
|
|||
cups (Fedora) |
Fix Released
|
Medium
|
|||
cups (Ubuntu) |
Fix Released
|
High
|
Unassigned | ||
Gutsy |
Fix Released
|
Undecided
|
Unassigned | ||
Hardy |
Fix Released
|
Undecided
|
Ubuntu Security Team | ||
cups (openSUSE) |
New
|
Undecided
|
Unassigned |
Bug Description
Binary package hint: cups
The CUPS daemon (/usr/sbin/cupsd) which listens by default on port 631/tcp, crashes when more than 100 RSS Subscriptions are added. No authentication is required to perform such action. The caveat is that by default - at least on Ubuntu and openSuse - the daemon only accepts connections from localhost as specified by the default configuration settings (/etc/cups/
The CUPS daemon runs by default on Ubuntu, openSuse and probably other GNU/Linux distributions. Additionally, this vulnerability can be replicated against CUPS daemons using default settings. Since no authentication is required to add new RSS subscriptions, the CUPS administrator does not need to be logged in during exploitation.
It is not known whether the crash can lead to command execution, further debugging/
_Please see the attached file for more details._
Related branches
Changed in cups: | |
status: | Unknown → Confirmed |
Changed in cups: | |
status: | Unknown → Fix Released |
Changed in cups (Ubuntu): | |
assignee: | Martin Pitt (pitti) → nobody |
Changed in cups (Fedora): | |
importance: | Unknown → Medium |
status: | Confirmed → Fix Released |
no problem. thanks!
On Wed, Nov 19, 2008 at 6:59 PM, Kees Cook <email address hidden> wrote: /bugs.launchpad .net/bugs/ 298241 cupsd.conf) . However, the attack can be of remote nature by tricking the victim user to visit a specially-crafted page. Such page would forge the 'add rss subscription' request 101 times which causes the CUPS daemon to crash. investigation is required. However, the daemon runs as root on both Ubuntu and openSuse (and probably other distributions), which means that given that command execution is possible, this bug would lead to a full compromise of the targeted system.
> ** Visibility changed to: Public
>
> --
> Apple CUPS Daemon: unauthenticated SIGSEGV crash via RSS subscriptions
> https:/
> You received this bug notification because you are a direct subscriber
> of the bug.
>
> Status in "cups" source package in Ubuntu: New
>
> Bug description:
> Binary package hint: cups
>
> The CUPS daemon (/usr/sbin/cupsd) which listens by default on port 631/tcp, crashes when more than 100 RSS Subscriptions are added. No authentication is required to perform such action. The caveat is that by default - at least on Ubuntu and openSuse - the daemon only accepts connections from localhost as specified by the default configuration settings (/etc/cups/
>
> The CUPS daemon runs by default on Ubuntu, openSuse and probably other GNU/Linux distributions. Additionally, this vulnerability can be replicated against CUPS daemons using default settings. Since no authentication is required to add new RSS subscriptions, the CUPS administrator does not need to be logged in during exploitation.
>
> It is not known whether the crash can lead to command execution, further debugging/
>
> _Please see the attached file for more details._
>
--
Adrian 'pagvac' Pastor | GNUCITIZEN | gnucitizen.org
PGP Key ID: 0x6B232C7C