Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Multiple Vendor CUPS texttops Integer Overflow Vulnerability #2919

Closed
michaelrsweet opened this issue Sep 3, 2008 · 3 comments

Comments

@michaelrsweet
Copy link
Collaborator

commented Sep 3, 2008

Version: 1.3-current
CUPS.org User: mike

Remote exploitation of an integer overflow vulnerability in CUPS, as included in various vendors' operating system distributions, could allow an attacker to execute arbitrary code with the privileges of the affected service.

The Common Unix Printing System, more commonly referred to as CUPS, provides a standard printer interface for various Unix-based operating systems. 'texttops' is a part of CUPS responsible for creating PostScript representations of text files.

The vulnerability exists within the WriteProlog() function in the 'texttops' application. When calculating the page size used for storing PostScript data, multiple values that are derived from attacker controlled content are used in a multiplication operation. This calculation can overflow, resulting in an incorrect result for the total page size. This value is then used to allocate a heap buffer that is later filled with attacker controlled content, resulting in a heap buffer overflow.

Analysis:
Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the affected service. Depending on the underlying operating system and distribution, CUPS may run as the lp, daemon, or a different user.

Exploiting heap overflow vulnerabilities on modern Unix systems can be difficult due to various heap protection schemes. However, iDefense has proof-of-concept exploit code that demonstrates code execution is possible.

To exploit this vulnerability remotely, the targeted host must be sharing a printer(s) on the network. If a printer is not being shared, CUPS only listens on the localhost interface, and the scope of this vulnerability would be limited to local privilege escalation.

Credit: regenrecht

@michaelrsweet

This comment has been minimized.

Copy link
Collaborator Author

commented Sep 3, 2008

CUPS.org User: mike

OK, added range checked for cpi, lpi, and columns.

@michaelrsweet

This comment has been minimized.

Copy link
Collaborator Author

commented Oct 9, 2008

CUPS.org User: mike

Fixed in Subversion repository.

@michaelrsweet

This comment has been minimized.

Copy link
Collaborator Author

commented Oct 9, 2008

"str2919.patch":

Index: texttops.c

--- texttops.c (revision 936)
+++ texttops.c (working copy)
@@ -173,6 +173,14 @@
SizeColumns = (PageRight - PageLeft) / 72.0 * CharsPerInch;
SizeLines = (PageTop - PageBottom) / 72.0 * LinesPerInch;

  • if (SizeColumns <= 0 || SizeColumns > 32767 ||
  •  SizeLines <= 0 || SizeLines > 32767)
    
  • {
  • _cupsLangPrintf(stderr, _("ERROR: Unable to print %dx%d text page!\n"),
  •                SizeColumns, SizeLines);
    
  • exit(1);
  • }

Page = calloc(sizeof(lchar_t *), SizeLines);
Page[0] = calloc(sizeof(lchar_t), SizeColumns * SizeLines);
for (i = 1; i < SizeLines; i ++)
@@ -187,6 +195,13 @@
else
ColumnWidth = SizeColumns;

  • if (ColumnWidth <= 0)
  • {
  • _cupsLangPrintf(stderr, _("ERROR: Unable to print %d text columns!\n"),
  •                PageColumns);
    
  • exit(1);
  • }

/*

  • Output the DSC header...
    */
    Index: textcommon.c

    --- textcommon.c (revision 936)
    +++ textcommon.c (working copy)
    @@ -3,7 +3,7 @@
    *

  • Common text filter routines for the Common UNIX Printing System (CUPS).
    *

  • * Copyright 2007 by Apple Inc.

    • Copyright 2007-2008 by Apple Inc.
    • Copyright 1997-2007 by Easy Software Products.
    • These coded instructions, statements, and computer programs are the
      @@ -605,14 +605,38 @@
      !strcasecmp(val, "yes");

    if ((val = cupsGetOption("columns", num_options, options)) != NULL)

  • {
    PageColumns = atoi(val);

  • if (PageColumns < 1)

  • {

  •  _cupsLangPrintf(stderr, _("ERROR: Bad columns value %d!\n"), PageColumns);
    
  •  return (1);
    
  • }

  • }

if ((val = cupsGetOption("cpi", num_options, options)) != NULL)

  • {
    CharsPerInch = atof(val);
  • if (CharsPerInch <= 0.0)
  • {
  •  _cupsLangPrintf(stderr, _("ERROR: Bad cpi value %f!\n"), CharsPerInch);
    
  •  return (1);
    
  • }
  • }

if ((val = cupsGetOption("lpi", num_options, options)) != NULL)

  • {
    LinesPerInch = atof(val);
  • if (LinesPerInch <= 0.0)
  • {
  •  _cupsLangPrintf(stderr, _("ERROR: Bad lpi value %f!\n"), LinesPerInch);
    
  •  return (1);
    
  • }
  • }

if (PrettyPrint)
PageTop -= 216.0f / LinesPerInch;

@michaelrsweet michaelrsweet added this to the Stable milestone Mar 17, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
1 participant
You can’t perform that action at this time.