Multiple Vendor CUPS SGI imagetops Heap Overflow Vulnerability

[michaelrsweet]

Version: 1.3-current
CUPS.org User: mike

iDefense VCP Submission V-686lae8cmo
09/02/2008
Multiple Vendor CUPS SGI imagetops Heap Overflow Vulnerability

Description:

Remote exploitation of a heap-based buffer overflow vulnerability in CUPS, as included in various vendors' operating system distributions, could allow an attacker to execute arbitrary code with the privileges of the affected service.

The Common Unix Printing System, more commonly referred to as CUPS, provides a standard printer interface for various Unix-based operating systems. 'imagetops' is a part of CUPS responsible for creating PostScript representations of different graphic file formats.

The Silicon Graphics Image (SGI) file format parsing module is vulnerable to a heap based buffer overflow vulnerability when parsing malformed Run Length Encoded (RLE) data. The vulnerability exists within the read_rle16() function. This function doesn't correctly validate the row count value taken from the file, which is then used to control how many 16-bit integers to store into a heap based buffer. By providing small image dimensions and a large row count, it is possible to trigger a heap based buffer overflow.

Analysis:

=09Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the affected service. Depending on the underlying operating system and distribution, CUPS may run as the lp, daemon, or a different user.

Exploiting heap overflow vulnerabilities on modern Unix systems can be difficult due to various heap protection schemes. However, the attacker has very fine grained control over the overflow, which somewhat eases the difficulty of exploitation.

To exploit this vulnerability remotely, the targeted host must be sharing a printer(s) on the network. If a printer is not being shared, CUPS only listens on the localhost interface, and the scope of this vulnerability would be limited to local privilege escalation.

Credit:

regenrecht

[michaelrsweet]

CUPS.org User: mike

OK, the problem also affects the read_rle8 function as well. Patch attached.

[michaelrsweet]

CUPS.org User: mike

Fixed in Subversion repository.

[michaelrsweet]

"str2918.patch":

Index: image-sgilib.c

--- image-sgilib.c (revision 936)
+++ image-sgilib.c (working copy)
@@ -640,13 +640,14 @@
if (ch & 128)
{
for (i = 0; i < count; i ++, row ++, xsize --, length ++)

•    *row = getc(fp);
  

•    if (xsize > 0)
  

• *row = getc(fp);
  

  }
  else
  {
  ch = getc(fp);
  length ++;

•  for (i = 0; i < count; i ++, row ++, xsize --)
  

•  for (i = 0; i < count && xsize > 0; i ++, row ++, xsize --)
   *row = ch;
  

  }
  }
  @@ -685,14 +686,15 @@
  if (ch & 128)
  {
  for (i = 0; i < count; i ++, row ++, xsize --, length ++)

•    *row = getshort(fp);
  

•    if (xsize > 0)
  

• *row = getshort(fp);
  

  }
  else
  {
  ch = getshort(fp);
  length ++;

•  for (i = 0; i < count; i ++, row ++, xsize --)
  

•    *row = ch;
  

•  for (i = 0; i < count && xsize > 0; i ++, row ++, xsize --)
  

• *row = ch;
  }
  }