Vulnerabilities > CVE-2004-1267 - Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
SINGLE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Buffer overflow in the ParseCommand function in hpgl-input.c in the hpgltops program for CUPS 1.1.22 allows remote attackers to execute arbitrary code via a crafted HPGL file.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Exploit-Db
| description | CUPS 1.1.x HPGL File Processor Buffer Overflow Vulnerability. CVE-2004-1267. Remote exploit for linux platform |
| id | EDB-ID:24977 |
| last seen | 2016-02-03 |
| modified | 2004-12-15 |
| published | 2004-12-15 |
| reporter | Ariel Berkman |
| source | https://www.exploit-db.com/download/24977/ |
| title | CUPS 1.1.x - HPGL File Processor Buffer Overflow Vulnerability |
Nessus
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-50-1.NASL description CAN-2004-1125 : The recent USN-48-1 fixed a buffer overflow in xpdf. Since CUPS contains xpdf code to convert incoming PDF files to the PostScript format, this vulnerability applies to cups as well. In this case it could even lead to privilege escalation: if an attacker submitted a malicious PDF file for printing, he could be able to execute arbitrary commands with the privileges of the CUPS server. Please note that the Ubuntu version of CUPS runs as a minimally privileged user last seen 2020-06-01 modified 2020-06-02 plugin id 20668 published 2006-01-15 reporter Ubuntu Security Notice (C) 2004-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/20668 title Ubuntu 4.10 : cupsys vulnerabilities (USN-50-1) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-50-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(20668); script_version("1.15"); script_cvs_date("Date: 2019/08/02 13:33:00"); script_cve_id("CVE-2004-1125", "CVE-2004-1267", "CVE-2004-1268", "CVE-2004-1269", "CVE-2004-1270", "CVE-2004-2467"); script_xref(name:"USN", value:"50-1"); script_name(english:"Ubuntu 4.10 : cupsys vulnerabilities (USN-50-1)"); script_summary(english:"Checks dpkg output for updated packages."); script_set_attribute( attribute:"synopsis", value: "The remote Ubuntu host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "CAN-2004-1125 : The recent USN-48-1 fixed a buffer overflow in xpdf. Since CUPS contains xpdf code to convert incoming PDF files to the PostScript format, this vulnerability applies to cups as well. In this case it could even lead to privilege escalation: if an attacker submitted a malicious PDF file for printing, he could be able to execute arbitrary commands with the privileges of the CUPS server. Please note that the Ubuntu version of CUPS runs as a minimally privileged user 'cupsys' by default, so there is no possibility of root privilege escalation. The privileges of the 'cupsys' user are confined to modifying printer configurations, altering print jobs, and controlling printers. CAN-2004-1267 : Ariel Berkman discovered a buffer overflow in the ParseCommand() function of the HPGL input driver. If an attacker printed a malicious HPGL file, they could exploit this to execute arbitrary commands with the privileges of the CUPS server. CAN-2004-1268, CAN-2004-1269, CAN-2004-1270 : Bartlomiej Sieka discovered three flaws in lppasswd. These allowed users to corrupt the new password file by filling up the disk, sending certain signals, or closing the standard output and/or error streams. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_cwe_id(20, 119); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cupsys"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cupsys-bsd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cupsys-client"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libcupsimage2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libcupsimage2-dev"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libcupsys2-dev"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libcupsys2-gnutls10"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:4.10"); script_set_attribute(attribute:"patch_publication_date", value:"2004/12/23"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/01/15"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2004-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! ereg(pattern:"^(4\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 4.10", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"4.10", pkgname:"cupsys", pkgver:"1.1.20final+cvs20040330-4ubuntu16.3")) flag++; if (ubuntu_check(osver:"4.10", pkgname:"cupsys-bsd", pkgver:"1.1.20final+cvs20040330-4ubuntu16.3")) flag++; if (ubuntu_check(osver:"4.10", pkgname:"cupsys-client", pkgver:"1.1.20final+cvs20040330-4ubuntu16.3")) flag++; if (ubuntu_check(osver:"4.10", pkgname:"libcupsimage2", pkgver:"1.1.20final+cvs20040330-4ubuntu16.3")) flag++; if (ubuntu_check(osver:"4.10", pkgname:"libcupsimage2-dev", pkgver:"1.1.20final+cvs20040330-4ubuntu16.3")) flag++; if (ubuntu_check(osver:"4.10", pkgname:"libcupsys2-dev", pkgver:"1.1.20final+cvs20040330-4ubuntu16.3")) flag++; if (ubuntu_check(osver:"4.10", pkgname:"libcupsys2-gnutls10", pkgver:"1.1.20final+cvs20040330-4ubuntu16.3")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "cupsys / cupsys-bsd / cupsys-client / libcupsimage2 / etc"); }NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_40A3BCA2680911D9A9E70001020EED82.NASL description Ariel Berkman has discovered a buffer overflow vulnerability in CUPS last seen 2020-06-01 modified 2020-06-02 plugin id 18916 published 2005-07-13 reporter This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/18916 title FreeBSD : cups-base -- HPGL buffer overflow vulnerability (40a3bca2-6809-11d9-a9e7-0001020eed82) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from the FreeBSD VuXML database : # # Copyright 2003-2018 Jacques Vidrine and contributors # # Redistribution and use in source (VuXML) and 'compiled' forms (SGML, # HTML, PDF, PostScript, RTF and so forth) with or without modification, # are permitted provided that the following conditions are met: # 1. Redistributions of source code (VuXML) must retain the above # copyright notice, this list of conditions and the following # disclaimer as the first lines of this file unmodified. # 2. Redistributions in compiled form (transformed to other DTDs, # published online in any format, converted to PDF, PostScript, # RTF and other formats) must reproduce the above copyright # notice, this list of conditions and the following disclaimer # in the documentation and/or other materials provided with the # distribution. # # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS" # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # include("compat.inc"); if (description) { script_id(18916); script_version("1.18"); script_cvs_date("Date: 2019/08/02 13:32:37"); script_cve_id("CVE-2004-1267"); script_bugtraq_id(11968); script_name(english:"FreeBSD : cups-base -- HPGL buffer overflow vulnerability (40a3bca2-6809-11d9-a9e7-0001020eed82)"); script_summary(english:"Checks for updated packages in pkg_info output"); script_set_attribute( attribute:"synopsis", value: "The remote FreeBSD host is missing one or more security-related updates." ); script_set_attribute( attribute:"description", value: "Ariel Berkman has discovered a buffer overflow vulnerability in CUPS's HPGL input driver. This vulnerability could be exploited to execute arbitrary code with the permission of the CUPS server by printing a specially crated HPGL file." ); # http://tigger.uic.edu/~jlongs2/holes/cups.txt script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?f172fa2d" ); # http://www.cups.org/str.php?L1024 script_set_attribute( attribute:"see_also", value:"https://github.com/apple/cups/issues/1024" ); # https://vuxml.freebsd.org/freebsd/40a3bca2-6809-11d9-a9e7-0001020eed82.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?3360ff16" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_cwe_id(119); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:cups-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:fr-cups-base"); script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd"); script_set_attribute(attribute:"vuln_publication_date", value:"2004/12/15"); script_set_attribute(attribute:"patch_publication_date", value:"2005/01/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/13"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"FreeBSD Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info"); exit(0); } include("audit.inc"); include("freebsd_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD"); if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (pkg_test(save_report:TRUE, pkg:"cups-base<1.1.22.0_2")) flag++; if (pkg_test(save_report:TRUE, pkg:"fr-cups-base<1.1.22.0_2")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200412-25.NASL description The remote host is affected by the vulnerability described in GLSA-200412-25 (CUPS: Multiple vulnerabilities) CUPS makes use of vulnerable Xpdf code to handle PDF files (CAN-2004-1125). Furthermore, Ariel Berkman discovered a buffer overflow in the ParseCommand function in hpgl-input.c in the hpgltops program (CAN-2004-1267). Finally, Bartlomiej Sieka discovered several problems in the lppasswd program: it ignores some write errors (CAN-2004-1268), it can leave the passwd.new file in place (CAN-2004-1269) and it does not verify that passwd.new file is different from STDERR (CAN-2004-1270). Impact : The Xpdf and hpgltops vulnerabilities may be exploited by a remote attacker to execute arbitrary code by sending specific print jobs to a CUPS spooler. The lppasswd vulnerabilities may be exploited by a local attacker to write data to the CUPS password file or deny further password modifications. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 16067 published 2004-12-28 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/16067 title GLSA-200412-25 : CUPS: Multiple vulnerabilities code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 200412-25. # # The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(16067); script_version("1.17"); script_cvs_date("Date: 2019/08/02 13:32:42"); script_cve_id("CVE-2004-1125", "CVE-2004-1267", "CVE-2004-1268", "CVE-2004-1269", "CVE-2004-1270"); script_xref(name:"GLSA", value:"200412-25"); script_name(english:"GLSA-200412-25 : CUPS: Multiple vulnerabilities"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-200412-25 (CUPS: Multiple vulnerabilities) CUPS makes use of vulnerable Xpdf code to handle PDF files (CAN-2004-1125). Furthermore, Ariel Berkman discovered a buffer overflow in the ParseCommand function in hpgl-input.c in the hpgltops program (CAN-2004-1267). Finally, Bartlomiej Sieka discovered several problems in the lppasswd program: it ignores some write errors (CAN-2004-1268), it can leave the passwd.new file in place (CAN-2004-1269) and it does not verify that passwd.new file is different from STDERR (CAN-2004-1270). Impact : The Xpdf and hpgltops vulnerabilities may be exploited by a remote attacker to execute arbitrary code by sending specific print jobs to a CUPS spooler. The lppasswd vulnerabilities may be exploited by a local attacker to write data to the CUPS password file or deny further password modifications. Workaround : There is no known workaround at this time." ); # http://tigger.uic.edu/~jlongs2/holes/cups.txt script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?f172fa2d" ); # http://tigger.uic.edu/~jlongs2/holes/cups2.txt script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?afff57c3" ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/200412-25" ); script_set_attribute( attribute:"solution", value: "All CUPS users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=net-print/cups-1.1.23'" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_cwe_id(20, 119); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:cups"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2004/12/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/12/28"); script_set_attribute(attribute:"vuln_publication_date", value:"2004/12/16"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"net-print/cups", unaffected:make_list("ge 1.1.23"), vulnerable:make_list("lt 1.1.23"))) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get()); else security_hole(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "CUPS"); }NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2005-053.NASL description Updated CUPS packages that fix several security issues are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Common UNIX Printing System provides a portable printing layer for UNIX(R) operating systems. During a source code audit, Chris Evans and others discovered a number of integer overflow bugs that affected all versions of Xpdf, which also affects CUPS due to a shared codebase. An attacker could construct a carefully crafted PDF file that could cause CUPS to crash or possibly execute arbitrary code when opened. This issue was assigned the name CVE-2004-0888 by The Common Vulnerabilities and Exposures project (cve.mitre.org). Red Hat Enterprise Linux 4 contained a fix for this issue, but it was found to be incomplete and left 64-bit architectures vulnerable. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0206 to this issue. A buffer overflow flaw was found in the Gfx::doImage function of Xpdf which also affects the CUPS pdftops filter due to a shared codebase. An attacker who has the ability to send a malicious PDF file to a printer could possibly execute arbitrary code as the last seen 2020-06-01 modified 2020-06-02 plugin id 17174 published 2005-02-22 reporter This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/17174 title RHEL 4 : CUPS (RHSA-2005:053) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2005:053. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(17174); script_version ("1.23"); script_cvs_date("Date: 2019/10/25 13:36:10"); script_cve_id("CVE-2004-0888", "CVE-2004-1125", "CVE-2004-1267", "CVE-2004-1268", "CVE-2004-1269", "CVE-2004-1270", "CVE-2005-0064", "CVE-2005-0206"); script_xref(name:"RHSA", value:"2005:053"); script_name(english:"RHEL 4 : CUPS (RHSA-2005:053)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated CUPS packages that fix several security issues are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Common UNIX Printing System provides a portable printing layer for UNIX(R) operating systems. During a source code audit, Chris Evans and others discovered a number of integer overflow bugs that affected all versions of Xpdf, which also affects CUPS due to a shared codebase. An attacker could construct a carefully crafted PDF file that could cause CUPS to crash or possibly execute arbitrary code when opened. This issue was assigned the name CVE-2004-0888 by The Common Vulnerabilities and Exposures project (cve.mitre.org). Red Hat Enterprise Linux 4 contained a fix for this issue, but it was found to be incomplete and left 64-bit architectures vulnerable. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0206 to this issue. A buffer overflow flaw was found in the Gfx::doImage function of Xpdf which also affects the CUPS pdftops filter due to a shared codebase. An attacker who has the ability to send a malicious PDF file to a printer could possibly execute arbitrary code as the 'lp' user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1125 to this issue. A buffer overflow flaw was found in the ParseCommand function in the hpgltops program. An attacker who has the ability to send a malicious HPGL file to a printer could possibly execute arbitrary code as the 'lp' user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1267 to this issue. A buffer overflow flaw was found in the Decrypt::makeFileKey2 function of Xpdf which also affects the CUPS pdftops filter due to a shared codebase. An attacker who has the ability to send a malicious PDF file to a printer could possibly execute arbitrary code as the 'lp' user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0064 to this issue. The lppasswd utility was found to ignore write errors when modifying the CUPS passwd file. A local user who is able to fill the associated file system could corrupt the CUPS password file or prevent future uses of lppasswd. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-1268 and CVE-2004-1269 to these issues. The lppasswd utility was found to not verify that the passwd.new file is different from STDERR, which could allow local users to control output to passwd.new via certain user input that triggers an error message. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1270 to this issue. All users of cups should upgrade to these updated packages, which contain backported patches to resolve these issues." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2004-1125" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2004-1267" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2004-1268" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2004-1269" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2004-1270" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2005-0064" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2005-0206" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2005:053" ); script_set_attribute( attribute:"solution", value:"Update the affected cups, cups-devel and / or cups-libs packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_cwe_id(20, 119); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:cups"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:cups-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:cups-libs"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:4"); script_set_attribute(attribute:"vuln_publication_date", value:"2005/01/10"); script_set_attribute(attribute:"patch_publication_date", value:"2005/02/15"); script_set_attribute(attribute:"plugin_publication_date", value:"2005/02/22"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^4([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 4.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2005:053"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL4", reference:"cups-1.1.22-0.rc1.9.6")) flag++; if (rpm_check(release:"RHEL4", reference:"cups-devel-1.1.22-0.rc1.9.6")) flag++; if (rpm_check(release:"RHEL4", reference:"cups-libs-1.1.22-0.rc1.9.6")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "cups / cups-devel / cups-libs"); } }NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2005-008.NASL description A buffer overflow was discovered in the ParseCommand function in the hpgltops utility. An attacker with the ability to send malicious HPGL files to a printer could possibly execute arbitrary code as the last seen 2020-06-01 modified 2020-06-02 plugin id 16184 published 2005-01-18 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/16184 title Mandrake Linux Security Advisory : cups (MDKSA-2005:008) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandrake Linux Security Advisory MDKSA-2005:008. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(16184); script_version ("1.17"); script_cvs_date("Date: 2019/08/02 13:32:47"); script_cve_id("CVE-2004-1267", "CVE-2004-1268", "CVE-2004-1269", "CVE-2004-1270"); script_xref(name:"MDKSA", value:"2005:008"); script_name(english:"Mandrake Linux Security Advisory : cups (MDKSA-2005:008)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Mandrake Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "A buffer overflow was discovered in the ParseCommand function in the hpgltops utility. An attacker with the ability to send malicious HPGL files to a printer could possibly execute arbitrary code as the 'lp' user (CVE-2004-1267). Vulnerabilities in the lppasswd utility were also discovered. The program ignores write errors when modifying the CUPS passwd file. A local user who is able to fill the associated file system could corrupt the CUPS passwd file or prevent future use of lppasswd (CVE-2004-1268 and CVE-2004-1269). As well, lppasswd does not verify that the passwd.new file is different from STDERR, which could allow a local user to control output to passwd.new via certain user input that could trigger an error message (CVE-2004-1270). The updated packages have been patched to prevent these problems." ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P"); script_cwe_id(119); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:cups"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:cups-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:cups-serial"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64cups2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64cups2-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libcups2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libcups2-devel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:10.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:10.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.2"); script_set_attribute(attribute:"patch_publication_date", value:"2005/01/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2005/01/18"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK10.0", reference:"cups-1.1.20-5.5.100mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", reference:"cups-common-1.1.20-5.5.100mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", reference:"cups-serial-1.1.20-5.5.100mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", cpu:"amd64", reference:"lib64cups2-1.1.20-5.5.100mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", cpu:"amd64", reference:"lib64cups2-devel-1.1.20-5.5.100mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"libcups2-1.1.20-5.5.100mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"libcups2-devel-1.1.20-5.5.100mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.1", reference:"cups-1.1.21-0.rc1.7.3.101mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.1", reference:"cups-common-1.1.21-0.rc1.7.3.101mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.1", reference:"cups-serial-1.1.21-0.rc1.7.3.101mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.1", cpu:"x86_64", reference:"lib64cups2-1.1.21-0.rc1.7.3.101mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.1", cpu:"x86_64", reference:"lib64cups2-devel-1.1.21-0.rc1.7.3.101mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.1", cpu:"i386", reference:"libcups2-1.1.21-0.rc1.7.3.101mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.1", cpu:"i386", reference:"libcups2-devel-1.1.21-0.rc1.7.3.101mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.2", reference:"cups-1.1.19-10.5.92mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.2", reference:"cups-common-1.1.19-10.5.92mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.2", reference:"cups-serial-1.1.19-10.5.92mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.2", cpu:"amd64", reference:"lib64cups2-1.1.19-10.5.92mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.2", cpu:"amd64", reference:"lib64cups2-devel-1.1.19-10.5.92mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.2", cpu:"i386", reference:"libcups2-1.1.19-10.5.92mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.2", cpu:"i386", reference:"libcups2-devel-1.1.19-10.5.92mdk", yank:"mdk")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2005-013.NASL description Updated CUPS packages that fix several security issues are now available. The Common UNIX Printing System provides a portable printing layer for UNIX(R) operating systems. A buffer overflow was found in the CUPS pdftops filter, which uses code from the Xpdf package. An attacker who has the ability to send a malicious PDF file to a printer could possibly execute arbitrary code as the last seen 2020-06-01 modified 2020-06-02 plugin id 16146 published 2005-01-13 reporter This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/16146 title RHEL 3 : cups (RHSA-2005:013) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2005:013. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(16146); script_version ("1.25"); script_cvs_date("Date: 2019/10/25 13:36:10"); script_cve_id("CVE-2004-1125", "CVE-2004-1267", "CVE-2004-1268", "CVE-2004-1269", "CVE-2004-1270"); script_xref(name:"RHSA", value:"2005:013"); script_name(english:"RHEL 3 : cups (RHSA-2005:013)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated CUPS packages that fix several security issues are now available. The Common UNIX Printing System provides a portable printing layer for UNIX(R) operating systems. A buffer overflow was found in the CUPS pdftops filter, which uses code from the Xpdf package. An attacker who has the ability to send a malicious PDF file to a printer could possibly execute arbitrary code as the 'lp' user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1125 to this issue. A buffer overflow was found in the ParseCommand function in the hpgltops program. An attacker who has the ability to send a malicious HPGL file to a printer could possibly execute arbitrary code as the 'lp' user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1267 to this issue. Red Hat believes that the Exec-Shield technology (enabled by default since Update 3) will block attempts to exploit these buffer overflow vulnerabilities on x86 architectures. The lppasswd utility ignores write errors when modifying the CUPS passwd file. A local user who is able to fill the associated file system could corrupt the CUPS password file or prevent future uses of lppasswd. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-1268 and CVE-2004-1269 to these issues. The lppasswd utility does not verify that the passwd.new file is different from STDERR, which could allow local users to control output to passwd.new via certain user input that triggers an error message. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1270 to this issue. In addition to these security issues, two other problems not relating to security have been fixed : Resuming a job with 'lp -H resume', which had previously been held with 'lp -H hold' could cause the scheduler to stop. This has been fixed in later versions of CUPS, and has been backported in these updated packages. The cancel-cups(1) man page is a symbolic link to another man page. The target of this link has been corrected. All users of cups should upgrade to these updated packages, which resolve these issues." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2004-1125" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2004-1267" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2004-1268" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2004-1269" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2004-1270" ); # http://www.cups.org/str.php?L1023 script_set_attribute( attribute:"see_also", value:"https://github.com/apple/cups/issues/1023" ); # http://www.cups.org/str.php?L1024 script_set_attribute( attribute:"see_also", value:"https://github.com/apple/cups/issues/1024" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2005:013" ); script_set_attribute( attribute:"solution", value:"Update the affected cups, cups-devel and / or cups-libs packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_cwe_id(20, 119); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:cups"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:cups-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:cups-libs"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:3"); script_set_attribute(attribute:"vuln_publication_date", value:"2005/01/10"); script_set_attribute(attribute:"patch_publication_date", value:"2005/01/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2005/01/13"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^3([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 3.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2005:013"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL3", reference:"cups-1.1.17-13.3.22")) flag++; if (rpm_check(release:"RHEL3", reference:"cups-devel-1.1.17-13.3.22")) flag++; if (rpm_check(release:"RHEL3", reference:"cups-libs-1.1.17-13.3.22")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "cups / cups-devel / cups-libs"); } }NASL family Misc. NASL id CUPS_MULTIPLE_VULNERABILITIES.NASL description According to its banner, the version of CUPS installed on the remote host is between 1.0.4 and 1.1.22 inclusive. Such versions are prone to multiple vulnerabilities : - A remotely exploitable buffer overflow in the last seen 2020-06-01 modified 2020-06-02 plugin id 16141 published 2005-01-12 reporter This script is Copyright (C) 2005-2018 George A. Theall source https://www.tenable.com/plugins/nessus/16141 title CUPS < 1.1.23 Multiple Vulnerabilities code # # This script was written by George A. Theall, <[email protected]>. # # See the Nessus Scripts License for details. # include("compat.inc"); if (description) { script_id(16141); script_version("1.26"); script_cvs_date("Date: 2018/07/06 11:26:08"); script_cve_id( "CVE-2004-1267", "CVE-2004-1268", "CVE-2004-1269", "CVE-2004-1270", "CVE-2005-2874" ); script_bugtraq_id(11968, 12004, 12005, 12007, 12200, 14265); script_xref(name:"FLSA", value:"FEDORA-2004-559"); script_xref(name:"FLSA", value:"FEDORA-2004-560"); script_xref(name:"GLSA", value:"GLSA-200412-25"); script_name(english:"CUPS < 1.1.23 Multiple Vulnerabilities"); script_summary(english:"Checks version of CUPS"); script_set_attribute(attribute:"synopsis", value:"The remote print service is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its banner, the version of CUPS installed on the remote host is between 1.0.4 and 1.1.22 inclusive. Such versions are prone to multiple vulnerabilities : - A remotely exploitable buffer overflow in the 'hpgltops' filter that enable specially crafted HPGL files can execute arbitrary commands as the CUPS 'lp' account. - A local user may be able to prevent anyone from changing their password until a temporary copy of the new password file is cleaned up (lppasswd flaw). - A local user may be able to add arbitrary content to the password file by closing the stderr file descriptor while running lppasswd (lppasswd flaw). - A local attacker may be able to truncate the CUPS password file, thereby denying service to valid clients using digest authentication. (lppasswd flaw). - The application applies ACLs to incoming print jobs in a case-sensitive fashion. Thus, an attacker can bypass restrictions by changing the case in printer names when submitting jobs. [Fixed in 1.1.21.]"); script_set_attribute(attribute:"see_also", value:"http://www.cups.org/str.php?L700"); script_set_attribute(attribute:"see_also", value:"http://www.cups.org/str.php?L1024"); script_set_attribute(attribute:"see_also", value:"http://www.cups.org/str.php?L1023"); script_set_attribute(attribute:"solution", value:"Upgrade to CUPS 1.1.23 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_cwe_id(119); script_set_attribute(attribute:"vuln_publication_date", value:"2004/12/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2005/01/12"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:apple:cups"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2018 George A. Theall"); script_family(english:"Misc."); script_dependencie("http_version.nasl"); script_require_keys("www/cups", "Settings/ParanoidReport"); script_require_ports("Services/www", 631); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); # nb: banner checks of open source software are prone to false- # positives so only run the check if reporting is paranoid. if (report_paranoia < 2) audit(AUDIT_PARANOID); if (!get_kb_item("www/cups")) exit(1, "The 'www/cups' KB item is missing."); port = get_http_port(default:631, embedded: 1); # Check the version in the banner. banner = get_http_banner(port:port); if (!banner) exit(1, "Failed to retrieve the banner from the web server on port "+ port +"."); banner = strstr(banner, "Server:"); banner = banner - strstr(banner, '\r\n'); if (!ereg(pattern:"^Server:.*CUPS($|/)", string:banner)) exit(0, "The banner from port "+port+" is not from CUPS."); if (!ereg(pattern:"CUPS/[0-9]", string:banner)) exit(0, "The CUPS server on port "+port+" does not include its version in the banner."); version = strstr(banner, "CUPS/") - "CUPS/"; if (" " >< version) version = version - strstr(version, " "); if (version =~ "^1\.(0|1\.(1|2[0-2]))($|[^0-9])") { if (report_verbosity > 0) { report = '\n' + 'CUPS version ' + version + ' appears to be running on the remote host based\n' + 'on the following Server response header :\n' + '\n'+ ' ' + banner + '\n'; security_hole(port:port, extra:report); } else security_hole(port); exit(0); } else if (version =~ "^(1|1\.3)($|[^0-9.])") exit(1, "The banner from the CUPS server listening on port "+port+" - "+banner+" - is not granular enough to make a determination."); else exit(0, "CUPS version "+ version + " is listening on port "+port+" and thus not affected.");
Oval
| accepted | 2013-04-29T04:07:09.538-04:00 | ||||||||||||||||||||
| class | vulnerability | ||||||||||||||||||||
| contributors |
| ||||||||||||||||||||
| definition_extensions |
| ||||||||||||||||||||
| description | Buffer overflow in the ParseCommand function in hpgl-input.c in the hpgltops program for CUPS 1.1.22 allows remote attackers to execute arbitrary code via a crafted HPGL file. | ||||||||||||||||||||
| family | unix | ||||||||||||||||||||
| id | oval:org.mitre.oval:def:10620 | ||||||||||||||||||||
| status | accepted | ||||||||||||||||||||
| submitted | 2010-07-09T03:56:16-04:00 | ||||||||||||||||||||
| title | Buffer overflow in the ParseCommand function in hpgl-input.c in the hpgltops program for CUPS 1.1.22 allows remote attackers to execute arbitrary code via a crafted HPGL file. | ||||||||||||||||||||
| version | 26 |
Redhat
| advisories |
| ||||||||
| rpms |
|
References
- http://tigger.uic.edu/~jlongs2/holes/cups.txt
- http://www.gentoo.org/security/en/glsa/glsa-200412-25.xml
- http://www.mandriva.com/security/advisories?name=MDKSA-2005:008
- http://www.redhat.com/support/errata/RHSA-2005-013.html
- http://www.redhat.com/support/errata/RHSA-2005-053.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/18604
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10620
- https://usn.ubuntu.com/50-1/