Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Multiple Vendor CUPS SGI imagetops Heap Overflow Vulnerability #2918

Closed
michaelrsweet opened this issue Sep 3, 2008 · 3 comments
Closed

Multiple Vendor CUPS SGI imagetops Heap Overflow Vulnerability #2918

michaelrsweet opened this issue Sep 3, 2008 · 3 comments
Labels
Milestone

Comments

@michaelrsweet
Copy link
Collaborator

@michaelrsweet michaelrsweet commented Sep 3, 2008

Version: 1.3-current
CUPS.org User: mike

iDefense VCP Submission V-686lae8cmo
09/02/2008
Multiple Vendor CUPS SGI imagetops Heap Overflow Vulnerability

Description:

Remote exploitation of a heap-based buffer overflow vulnerability in CUPS, as included in various vendors' operating system distributions, could allow an attacker to execute arbitrary code with the privileges of the affected service.

The Common Unix Printing System, more commonly referred to as CUPS, provides a standard printer interface for various Unix-based operating systems. 'imagetops' is a part of CUPS responsible for creating PostScript representations of different graphic file formats.

The Silicon Graphics Image (SGI) file format parsing module is vulnerable to a heap based buffer overflow vulnerability when parsing malformed Run Length Encoded (RLE) data. The vulnerability exists within the read_rle16() function. This function doesn't correctly validate the row count value taken from the file, which is then used to control how many 16-bit integers to store into a heap based buffer. By providing small image dimensions and a large row count, it is possible to trigger a heap based buffer overflow.

Analysis:

=09Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the affected service. Depending on the underlying operating system and distribution, CUPS may run as the lp, daemon, or a different user.

Exploiting heap overflow vulnerabilities on modern Unix systems can be difficult due to various heap protection schemes. However, the attacker has very fine grained control over the overflow, which somewhat eases the difficulty of exploitation.

To exploit this vulnerability remotely, the targeted host must be sharing a printer(s) on the network. If a printer is not being shared, CUPS only listens on the localhost interface, and the scope of this vulnerability would be limited to local privilege escalation.

Credit:

regenrecht

@michaelrsweet
Copy link
Collaborator Author

@michaelrsweet michaelrsweet commented Sep 3, 2008

CUPS.org User: mike

OK, the problem also affects the read_rle8 function as well. Patch attached.

@michaelrsweet
Copy link
Collaborator Author

@michaelrsweet michaelrsweet commented Oct 9, 2008

CUPS.org User: mike

Fixed in Subversion repository.

@michaelrsweet
Copy link
Collaborator Author

@michaelrsweet michaelrsweet commented Oct 9, 2008

"str2918.patch":

Index: image-sgilib.c

--- image-sgilib.c (revision 936)
+++ image-sgilib.c (working copy)
@@ -640,13 +640,14 @@
if (ch & 128)
{
for (i = 0; i < count; i ++, row ++, xsize --, length ++)

  •    *row = getc(fp);
    
  •    if (xsize > 0)
    
  • *row = getc(fp);
    
    }
    else
    {
    ch = getc(fp);
    length ++;
  •  for (i = 0; i < count; i ++, row ++, xsize --)
    
  •  for (i = 0; i < count && xsize > 0; i ++, row ++, xsize --)
     *row = ch;
    
    }
    }
    @@ -685,14 +686,15 @@
    if (ch & 128)
    {
    for (i = 0; i < count; i ++, row ++, xsize --, length ++)
  •    *row = getshort(fp);
    
  •    if (xsize > 0)
    
  • *row = getshort(fp);
    
    }
    else
    {
    ch = getshort(fp);
    length ++;
  •  for (i = 0; i < count; i ++, row ++, xsize --)
    
  •    *row = ch;
    
  •  for (i = 0; i < count && xsize > 0; i ++, row ++, xsize --)
    
  • *row = ch;
    }
    }
@michaelrsweet michaelrsweet added this to the Stable milestone Mar 17, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
1 participant
You can’t perform that action at this time.