Date: Wed, 19 Nov 2008 15:14:43 -0500 (EST)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...re.org>
Subject: Re: CVE request: CUPS DoS via RSS subscriptions
----- "Kees Cook" <kees@...ntu.com> wrote:
> Hello!
>
> I'd like to get a CVE assigned for the RSS subscription DoS mentioned
> here[1]. It seems that CUPS upstream already fixed[2] the issue[3] in
> their 1.3.8 release. Prior to 1.3.8, the server can be made to crash
> when visiting a malicious website due to CUPS general CSRF issues.
>
> Thanks,
>
> -Kees
>
> [1] https://bugs.launchpad.net/ubuntu/+source/cups/+bug/298241
> http://www.gnucitizen.org/blog/pwning-ubuntu-via-cups/
> [2] http://www.cups.org/strfiles/2774/str2774.patch
> [3] http://www.cups.org/str.php?L2774
>
So from looking at cups 1.3.7 on Fedora 8, here is what I see:
(gdb) bt
#0 create_subscription (con=0xb88975c0, uri=0xb889ae00) at ipp.c:5858
#1 0xb7facba7 in cupsdProcessIPPRequest (con=0xb88975c0) at ipp.c:615
#2 0xb7f88bfc in cupsdReadClient (con=0xb88975c0) at client.c:2253
#3 0xb7fc0606 in cupsdDoSelect (timeout=1) at select.c:537
#4 0xb7f98710 in main (argc=1, argv=0xbfdd6194) at main.c:817
(gdb) list
5853 else if (printer)
5854 cupsdLogMessage(CUPSD_LOG_DEBUG,
5855 "Added subscription %d for printer \"%s\"",
5856 sub->id, printer->name);
5857 else
5858 cupsdLogMessage(CUPSD_LOG_DEBUG, "Added subscription %d for server",
5859 sub->id);
5860
5861 sub->interval = interval;
5862 sub->lease = lease;
(gdb) print sub
$1 = (cupsd_subscription_t *) 0x0
It would appear to be a NULL pointer dereference. It seems that this call, a
few lines above the snippet shown above:
sub = cupsdAddSubscription(mask, printer, job, recipient, 0);
will return NULL when the hardcoded value of 100 subscriptions is hit. So really
the issue here is a lack of error checking, which results in a NULL dereference
crash. The upstream fix could still obviously let a local authenticated user
crash the server.
I'm not sure why yet, but this doesn't crash cups 1.2.4 for me (which it should).
--
JB
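Added illustration of the failure mode described in the message above (example code, not CUPS source and not part of the original thread): a hypothetical fixed-size subscription table with the same hardcoded cap of 100, the unchecked pattern that dereferences the NULL return from the allocator, and a checked form that refuses the request instead of crashing the server. The names add_subscription, create_subscription_unchecked, create_subscription_checked and flood_subscriptions, and the SUB_TOO_MANY status, are assumptions made for this example and do not correspond to CUPS identifiers.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the cupsd subscription table. The cap of 100
 * is the hardcoded limit Josh mentions; everything else here is invented
 * for the example and is not CUPS code. */
#define MAX_SUBSCRIPTIONS 100

typedef struct {
    int id;
    int interval;
    int lease;
} subscription_t;

static subscription_t table[MAX_SUBSCRIPTIONS];
static int num_subscriptions = 0;

/* Mirrors the behaviour described for cupsdAddSubscription(): hands back
 * a fresh entry until the table is full, then returns NULL. */
subscription_t *add_subscription(void)
{
    if (num_subscriptions >= MAX_SUBSCRIPTIONS)
        return NULL;
    subscription_t *sub = &table[num_subscriptions];
    sub->id = num_subscriptions + 1;
    num_subscriptions++;
    return sub;
}

void reset_subscriptions(void) { num_subscriptions = 0; }
int subscription_count(void) { return num_subscriptions; }

/* The unchecked pattern, shaped like the ipp.c lines in the backtrace:
 * the return value is used without testing it, so once the cap is hit
 * sub->id reads through a NULL pointer and the process dies (the DoS).
 * Shown only for comparison; never call it when the table may be full. */
int create_subscription_unchecked(int interval, int lease)
{
    subscription_t *sub = add_subscription();
    printf("Added subscription %d for server\n", sub->id); /* NULL deref when full */
    sub->interval = interval;
    sub->lease = lease;
    return sub->id;
}

/* Checked form: the "table full" case becomes an error status the caller
 * can report to the client instead of a crash. SUB_TOO_MANY is an
 * example status, not an IPP status code. */
enum { SUB_OK = 0, SUB_TOO_MANY = -1 };

int create_subscription_checked(int interval, int lease, int *id_out)
{
    subscription_t *sub = add_subscription();
    if (sub == NULL) {
        fprintf(stderr, "Too many subscriptions (limit %d)\n", MAX_SUBSCRIPTIONS);
        return SUB_TOO_MANY;
    }
    sub->interval = interval;
    sub->lease = lease;
    if (id_out)
        *id_out = sub->id;
    return SUB_OK;
}

/* Drives the checked version past the cap the way a burst of subscription
 * requests would, and returns how many attempts were refused. With the
 * checked form this is a counted rejection rather than a crash. */
int flood_subscriptions(int attempts)
{
    int refused = 0;
    for (int i = 0; i < attempts; i++) {
        int id;
        if (create_subscription_checked(30, 3600, &id) == SUB_TOO_MANY)
            refused++;
    }
    return refused;
}

int main(void)
{
    reset_subscriptions();
    int refused = flood_subscriptions(105);
    printf("%d of 105 attempts refused at the cap, %d subscriptions held\n",
           refused, subscription_count());
    return 0;
}
```

The point of the comparison is the single missing NULL test: the allocator already signals exhaustion, so the crash is entirely in the caller. Note that refusing the request does not by itself address the CSRF path Kees describes, which is what lets a remote page drive an unauthenticated client into sending those requests in the first place.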