iDEFENSE Security Advisory 2002-12-23.t

Posted Dec 24, 2002
Authored by Zen-Parse, iDefense Labs | Site idefense.com

iDEFENSE Security Advisory 12.23.02 - Easy Software Products' Common Unix Printing System (CUPS) and Xpdf contain an integer overflow which allows local users to gain the privileges of the lp user.

tags | advisory, overflow, local
systems | unix
SHA-256 | e81e2a28739ce0e03f0d90790fd5da01dbb23ef7ab8ffd101528dfb6b83c6577

iDEFENSE Security Advisory 12.23.02:
http://www.idefense.com/advisory/12.23.02.txt
Integer Overflow in pdftops
December 23, 2002

Reference Advisory: http://www.idefense.com/advisory/12.19.02.txt
[Multiple Security Vulnerabilities in Common Unix Printing System (CUPS)]

I. BACKGROUND

Easy Software Products' Common Unix Printing System (CUPS) is a
cross-platform printing solution for Unix environments. It is based on the
"Internet Printing Protocol," and provides complete printing services to
most PostScript and raster printers. CUPS has a web-based graphical
interface for printer management and is available on most Linux systems.
More information is available at http://www.cups.org .

Xpdf is an open source viewer for Portable Document Format (PDF) files.
The Xpdf project also includes a PDF text extractor, PDF-to-PostScript
converter, and various other utilities. It also comes with two other
programs: pdftops and pdftotext which convert PDF files to postscript and
plain text respectively. More information is available at
http://www.foolabs.com/xpdf/ .

II. DESCRIPTION

The pdftops filter in the Xpdf and CUPS packages contains an integer
overflow that can be exploited to gain the privileges of the target user
or in some cases the increased privileges of the 'lp' user if installed
setuid. There are multiple ways of exploiting this vulnerability. The
following is just one example:

A ColorSpace with 1,431,655,768 elements is created, each element having
three components. The table size, 1,431,655,768 elements times three
components, is 4,294,967,304 bytes, which is too large to store within a
32-bit integer: the overflowed high bit is cut off, leaving only 8, which
is the size that is actually allocated.

...
/CS
[
/Indexed
/RGB
1431655768
7 0 R
]
...

The '7 0 R' from above refers to a stream that is read into an array that
is allocated as above. The stream is read until it has reached the highest
index number, or the stream ends. If the filter is supplied with enough
data the application will crash when trying to access bad memory. It is
possible to exploit this condition by supplying just the right length of
data and then ending the stream so that the read stops before it faults. A
function pointer can then be overwritten to execute arbitrary code. Example:

...
7 0 obj <<
/Length 229
>>
stream
content to write into memory....
endstream
endobj
...
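As an added illustration (not part of the advisory and not the Xpdf or CUPS code), the following C reproduces the size arithmetic described above with the advisory's own numbers, 1,431,655,768 entries of 3 components wrapping to 8 in a 32-bit integer, beside an overflow-checked size computation and a loader that clamps the stream copy to the allocation. The function names, the 256-entry cap (the PDF specification's limit for Indexed colour spaces) and the 1,000-byte constructed stream are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* From the advisory's /Indexed colour space: 1,431,655,768 entries of three
 * one-byte (RGB) components. The PDF spec caps Indexed at 256 entries. */
#define ADVISORY_ELEMS 1431655768u
#define ADVISORY_COMPS 3u
#define PDF_INDEXED_MAX_ELEMS 256u

/* Size arithmetic as the advisory describes it: the product is formed in a
 * 32-bit unsigned integer, so 1431655768 * 3 = 2^32 + 8 wraps to 8. */
uint32_t wrapped_table_size(uint32_t n_elems, uint32_t n_comps) {
    return n_elems * n_comps;
}

/* Overflow-checked replacement: refuses any product that does not fit. */
bool checked_table_size(uint32_t n_elems, uint32_t n_comps, uint32_t *out) {
    if (n_comps == 0 || n_elems > UINT32_MAX / n_comps)
        return false;
    *out = n_elems * n_comps;
    return true;
}

/* Hardened loader (hypothetical, not Xpdf's code): bounds the entry count,
 * checks the size arithmetic, allocates exactly that size and copies at most
 * that many bytes however long the stream is. Returns bytes stored or -1. */
int64_t load_lookup_table(uint32_t n_elems, uint32_t n_comps,
                          const uint8_t *stream, size_t stream_len,
                          uint8_t **table_out) {
    uint32_t size;
    if (n_elems == 0 || n_elems > PDF_INDEXED_MAX_ELEMS ||
        !checked_table_size(n_elems, n_comps, &size))
        return -1;
    uint8_t *table = calloc(size, 1);
    if (table == NULL)
        return -1;
    size_t n = stream_len < size ? stream_len : size;  /* clamp to allocation */
    memcpy(table, stream, n);
    *table_out = table;
    return (int64_t)n;
}

/* Feed a constructed 1,000-byte stream (longer than any legal table) to the
 * loader with the given entry count and return the loader's result. */
int64_t demo_load(uint32_t n_elems) {
    uint8_t stream[1000], *table = NULL;
    memset(stream, 0xAB, sizeof stream);
    int64_t n = load_lookup_table(n_elems, ADVISORY_COMPS, stream, sizeof stream, &table);
    free(table);
    return n;
}
```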

The following is a sample run of the cups-pdf exploit running with the
user's privileges:

$ ./cups-pdf | lp
request id is lp-108 (1 file(s))
$ ls -l /tmp/pdfexploit-worked
-rw-rw-r-- 1 farmer farmer 0 Dec 4 13:41 /tmp/pdfexploit-worked

III. ANALYSIS

This vulnerability is locally exploitable. In order to perform "remote"
exploitation, an attacker must trick a user into printing a malformed PDF
file from the command line. In the implementation cases where "lp" user
privileges are attainable, more advanced attacks can be performed to gain
local root access (see iDEFENSE Advisory 12.19.02).

IV. DETECTION

The vulnerability exists in the latest stable version of Xpdf (Xpdf 2.01)
and all prior versions. The vulnerability was verified on Red Hat Linux
7.0 running CUPS-1.1.14-5 (RPM).

V. VENDOR RESPONSES/FIXES

A patch supplied by the author of Xpdf is available from
ftp://ftp.foolabs.com/pub/xpdf/xpdf-2.01-patch1 which fixes this issue in
pdftops when applied to the latest source code version, 2.01.
Additionally, the latest version of CUPS, 1.1.18, should also fix this
issue within the included pdftops utility. It is available from
http://www.cups.org .

VI. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
assigned the identification number CAN-2002-1384 to this issue.

VII. DISCLOSURE TIMELINE

10/27/2002 Initial discussion with contributor
11/14/2002 Final contributor submission
12/12/2002 CUPS author and Xpdf author notified via e-mail to
cups-support@cups.org and Derek B. Noonburg
(derekn@glyphandcog.com)
12/12/2002 iDEFENSE clients notified
12/12/2002 Response and preliminary patch received from
CUPS author Michael Sweet (mike@easysw.com)
12/12/2002 Apple, Linux Security List (vendor-sec@lst.de)
12/13/2002 Updated patch received from Michael Sweet
12/17/2002 Patch received from Derek B. Noonburg
12/23/2002 Coordinated Public Disclosure

VIII. CREDIT

zen-parse (zen-parse@gmx.net) discovered this issue.
