Multiple Vendor CUPS texttops Integer Overflow Vulnerability

[michaelrsweet]

Version: 1.3-current
CUPS.org User: mike

Remote exploitation of an integer overflow vulnerability in CUPS, as included in various vendors' operating system distributions, could allow an attacker to execute arbitrary code with the privileges of the affected service.

The Common Unix Printing System, more commonly referred to as CUPS, provides a standard printer interface for various Unix-based operating systems. 'texttops' is a part of CUPS responsible for creating PostScript representations of text files.

The vulnerability exists within the WriteProlog() function in the 'texttops' application. When calculating the page size used for storing PostScript data, multiple values that are derived from attacker controlled content are used in a multiplication operation. This calculation can overflow, resulting in an incorrect result for the total page size. This value is then used to allocate a heap buffer that is later filled with attacker controlled content, resulting in a heap buffer overflow.

Analysis:
Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the affected service. Depending on the underlying operating system and distribution, CUPS may run as the lp, daemon, or a different user.

Exploiting heap overflow vulnerabilities on modern Unix systems can be difficult due to various heap protection schemes. However, iDefense has proof-of-concept exploit code that demonstrates code execution is possible.

To exploit this vulnerability remotely, the targeted host must be sharing a printer(s) on the network. If a printer is not being shared, CUPS only listens on the localhost interface, and the scope of this vulnerability would be limited to local privilege escalation.

Credit: regenrecht

[michaelrsweet]

CUPS.org User: mike

OK, added range checked for cpi, lpi, and columns.

[michaelrsweet]

CUPS.org User: mike

Fixed in Subversion repository.

[michaelrsweet]

"str2919.patch":

Index: texttops.c

--- texttops.c (revision 936)
+++ texttops.c (working copy)
@@ -173,6 +173,14 @@
SizeColumns = (PageRight - PageLeft) / 72.0 * CharsPerInch;
SizeLines = (PageTop - PageBottom) / 72.0 * LinesPerInch;

• if (SizeColumns <= 0 || SizeColumns > 32767 ||

•  SizeLines <= 0 || SizeLines > 32767)
  

• {
• _cupsLangPrintf(stderr, _("ERROR: Unable to print %dx%d text page!\n"),

•                SizeColumns, SizeLines);
  

• exit(1);
• }

Page = calloc(sizeof(lchar_t *), SizeLines);
Page[0] = calloc(sizeof(lchar_t), SizeColumns * SizeLines);
for (i = 1; i < SizeLines; i ++)
@@ -187,6 +195,13 @@
else
ColumnWidth = SizeColumns;

• if (ColumnWidth <= 0)
• {
• _cupsLangPrintf(stderr, _("ERROR: Unable to print %d text columns!\n"),

•                PageColumns);
  

• exit(1);
• }

/*

• Output the DSC header...
  */
  Index: textcommon.c

  --- textcommon.c (revision 936)
  +++ textcommon.c (working copy)
  @@ -3,7 +3,7 @@
  *

• Common text filter routines for the Common UNIX Printing System (CUPS).
  *

• * Copyright 2007 by Apple Inc.

• • Copyright 2007-2008 by Apple Inc.
  • Copyright 1997-2007 by Easy Software Products.
  • These coded instructions, statements, and computer programs are the
    @@ -605,14 +605,38 @@
    !strcasecmp(val, "yes");

  if ((val = cupsGetOption("columns", num_options, options)) != NULL)

• {
  PageColumns = atoi(val);

• if (PageColumns < 1)

• {

•  _cupsLangPrintf(stderr, _("ERROR: Bad columns value %d!\n"), PageColumns);
  

•  return (1);
  

• }

• }

if ((val = cupsGetOption("cpi", num_options, options)) != NULL)

• {
  CharsPerInch = atof(val);
• if (CharsPerInch <= 0.0)
• {

•  _cupsLangPrintf(stderr, _("ERROR: Bad cpi value %f!\n"), CharsPerInch);
  

•  return (1);
  

• }
• }

if ((val = cupsGetOption("lpi", num_options, options)) != NULL)

• {
  LinesPerInch = atof(val);
• if (LinesPerInch <= 0.0)
• {

•  _cupsLangPrintf(stderr, _("ERROR: Bad lpi value %f!\n"), LinesPerInch);
  

•  return (1);
  

• }
• }

if (PrettyPrint)
PageTop -= 216.0f / LinesPerInch;