SNMP backend integer underflow/stack overflow in asn1_get_string() #2589
A brief summary:
TITLE: CUPS Backend SNMP Remote Stack Overflow Vulnerability
VERSION: version 1.3.4 and Prior
PLATFORM: Many UNIX platforms
DESCRIPTION: There is a stack-based integer overflow in asn1_get_string() in backend/snmp.c
RESULTS: An attacker could remotely execute code at the privilege level that CUPS runs in.
Complete details (including crash PoC):
The vulnerability is caused by a signedness error within the "asn1_get_string()" function in backend/snmp.c when the backend SNMP program processes SNMP responses with an ASN.1-encoded string. This is exploitable in some OS environments. Successful exploitation woul
This problem can be exploited to cause a stack-based buffer overflow. The backend SNMP program broadcasts SNMP requests to discover network print servers. An attacker can reply with malformed SNMP responses to trigger this issue.
CUPS version 1.3.4 and Prior
(gdb) r 192.168.15.129
Program received signal SIGSEGV, Segmentation fault.
backend_snmp_poc.pl write by firstname.lastname@example.org
snmp.c asn1_get_string integer overflow cups 1.3.4
packet->error = "No community name";
else if ((length = asn1_get_length(&bufptr, bufend)) == 0)
packet->error = "Community name uses indefinite length";
asn1_get_string(&bufptr, bufend, length, packet->community,
if ((packet->request_type = asn1_get_type(&bufptr, bufend))
002a: 30 38 tag=0x30 len=0x38
002c: 02 01 00 version:1 (0)
002f: 04 84 ff ff ff ff 69 63 community:public
len is 0xffffffff
my $payload ="\x30\x38\x02\x01\x00\x04\x84\xff\xff\xff\xff\x41\x41";
CUPS.org User: mike
To clarify the issue, this is an integer underflow which leads to an overflow of the string buffer.
The attached patch (good for both CUPS 1.2.x and 1.3.x) addresses this issue by flagging strings with negative lengths as errors and returning an empty string instead.
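The fix described in this comment, sketched as an added example (not the attached patch and not CUPS source): a BER length field of `84 ff ff ff ff` decoded into a signed int becomes -1, and the string reader rejects it and returns an empty string. The helper names are hypothetical, and the check against the remaining packet bytes goes beyond what the comment describes.

```c
#include <stdio.h>
#include <string.h>
/* Model of a BER length decode into a signed int (hypothetical, not CUPS code). */
static int ber_get_length(const unsigned char **p, const unsigned char *end)
{
    unsigned int length;
    if (*p >= end) return 0;
    length = *(*p)++;
    if (length & 0x80) {               /* long form: low 7 bits = byte count */
        int count = (int)(length & 0x7f);
        for (length = 0; count > 0 && *p < end; count--)
            length = (length << 8) | *(*p)++;
    }
    return (int)length;                /* 84 ff ff ff ff -> 0xffffffff -> -1 */
}

/* Hardened string read: 0 on success, -1 and an empty string on error. */
static int ber_get_string(const unsigned char **p, const unsigned char *end,
                          int length, char *out, int outsize)
{
    out[0] = '\0';
    if (length < 0 || length > end - *p)   /* negative, or past end of packet */
        return -1;
    int n = length < outsize - 1 ? length : outsize - 1;   /* truncate to fit */
    memcpy(out, *p, (size_t)n);
    out[n] = '\0';
    *p += length;
    return 0;
}
/* Parse one OCTET STRING (tag 0x04) element; returns 0 or -1. */
static int parse_octet_string(const unsigned char *buf, size_t len,
                              char *out, int outsize)
{
    const unsigned char *p = buf, *end = buf + len;
    out[0] = '\0';
    if (len < 2 || *p++ != 0x04) return -1;
    return ber_get_string(&p, end, ber_get_length(&p, end), out, outsize);
}
/* Community element bytes from the report, and a constructed well-formed one. */
static const unsigned char report_elem[] = {0x04,0x84,0xff,0xff,0xff,0xff,0x41,0x41};
static const unsigned char good_elem[]   = {0x04,0x06,'p','u','b','l','i','c'};

int main(void)
{
    char s[16];
    printf("report: %d\n", parse_octet_string(report_elem, sizeof report_elem, s, (int)sizeof s));
    printf("good:   %d \"%s\"\n", parse_octet_string(good_elem, sizeof good_elem, s, (int)sizeof s), s);
    return 0;
}
```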
CUPS.org User: mike
Further clarification on this bug:
--- backend/snmp.c (revision 530)
memcpy(string, buffer, strsize - 1);
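Review bot: in the context line memcpy(string, buffer, strsize - 1), the source argument is buffer itself; the call site quoted earlier passes &bufptr as the first argument, so if buffer is that pointer-to-pointer parameter the copy reads from the pointer variable rather than the packet data, and *buffer is probably what is meant. Also confirm that string[strsize - 1] is set to NUL after this truncating copy, since that line is not visible here.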