CVE-2008-5183 - NULL Pointer Dereference vulnerability in multiple products

CVSS 7.5 - HIGH
  Attack vector: NETWORK
  Attack complexity: LOW
  Privileges required: NONE
  Confidentiality impact: NONE
  Integrity impact: NONE
  Availability impact: HIGH

Tags: network, low complexity, apple, opensuse, debian, CWE-476, nessus, exploit available

Summary

cupsd in CUPS 1.3.9 and earlier allows local users, and possibly remote attackers, to cause a denial of service (daemon crash) by adding a large number of RSS Subscriptions, which triggers a NULL pointer dereference. NOTE: this issue can be triggered remotely by leveraging CVE-2008-5184.

Vulnerable Configurations

Part         Description  Count
Application  Apple        80
OS           Apple        115
OS           Opensuse     1
OS           Debian       2

Common Weakness Enumeration (CWE)

Exploit-Db

description: CUPS 1.3.7 CSRF (add rss subscription) Remote Crash Exploit. CVE-2008-5183. DoS exploit for Linux platform
file: exploits/linux/dos/7150.html
id: EDB-ID:7150
last seen: 2016-02-01
modified: 2008-11-18
platform: linux
port:
published: 2008-11-18
reporter: Adrian "pagvac" Pastor
source: https://www.exploit-db.com/download/7150/
title: CUPS 1.3.7 - CSRF add rss subscription Remote Crash Exploit
type: dos

Nessus

  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-2176.NASL
    description: Several vulnerabilities have been discovered in the Common UNIX Printing System:
      - CVE-2008-5183: A NULL pointer dereference in RSS job completion notifications could lead to denial of service.
      - CVE-2009-3553: It was discovered that incorrect file descriptor handling could lead to denial of service.
      - CVE-2010-0540: A cross-site request forgery vulnerability was discovered in the web interface.
      - CVE-2010-0542: Incorrect memory management in the filter subsystem could lead to denial of service.
      - CVE-2010-1748: Information disclosure in the web interface.
      - CVE-2010-2431: Emmanuel Bouillon discovered a symlink vulnerability in handling of cache files.
      - CVE-2010-2432: Denial of service in the authentication code.
      - CVE-2010-2941: Incorrect memory management in the IPP code could lead to denial of service or the execution of arbitrary code.
    last seen: 2020-03-17
    modified: 2011-03-02
    plugin id: 52484
    published: 2011-03-02
    reporter: This script is Copyright (C) 2011-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/52484
    title: Debian DSA-2176-1 : cups - several vulnerabilities
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-2176. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(52484);
      script_version("1.11");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2008-5183", "CVE-2009-3553", "CVE-2010-0540", "CVE-2010-0542", "CVE-2010-1748", "CVE-2010-2431", "CVE-2010-2432", "CVE-2010-2941");
      script_bugtraq_id(32419, 37048, 40889, 40897, 40943, 41126, 41131, 44530);
      script_xref(name:"DSA", value:"2176");
    
      script_name(english:"Debian DSA-2176-1 : cups - several vulnerabilities");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several vulnerabilities have been discovered in the Common UNIX
    Printing System :
    
      - CVE-2008-5183
        A NULL pointer dereference in RSS job completion
        notifications could lead to denial of service.
    
      - CVE-2009-3553
        It was discovered that incorrect file descriptor
        handling could lead to denial of service.
    
      - CVE-2010-0540
        A cross-site request forgery vulnerability was
        discovered in the web interface.
    
      - CVE-2010-0542
        Incorrect memory management in the filter subsystem
        could lead to denial of service.
    
      - CVE-2010-1748
        Information disclosure in the web interface.
    
      - CVE-2010-2431
        Emmanuel Bouillon discovered a symlink vulnerability in
        handling of cache files.
    
      - CVE-2010-2432
        Denial of service in the authentication code.
    
      - CVE-2010-2941
        Incorrect memory management in the IPP code could lead
        to denial of service or the execution of arbitrary code."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2008-5183"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2009-3553"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2010-0540"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2010-0542"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2010-1748"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2010-2431"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2010-2432"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2010-2941"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2011/dsa-2176"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the cups packages.
    
    For the oldstable distribution (lenny), this problem has been fixed in
    version 1.3.8-1+lenny9.
    
    The stable distribution (squeeze) and the unstable distribution (sid)
    had already been fixed prior to the initial Squeeze release."
      );
      script_set_cvss_base_vector("CVSS2#AV:A/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:cups");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:5.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2011/03/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/03/02");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2011-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"5.0", prefix:"cups", reference:"1.3.8-1+lenny9")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2008-1029.NASL
    description: From Red Hat Security Advisory 2008:1029: Updated cups packages that fix a security issue are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Common UNIX(r) Printing System (CUPS) provides a portable printing layer for UNIX operating systems. A NULL pointer dereference flaw was found in the way CUPS handled subscriptions for printing job completion notifications. A local user could use this flaw to crash the CUPS daemon by submitting a large number of printing jobs requiring mail notification on completion, leading to a denial of service. (CVE-2008-5183) Users of cups should upgrade to these updated packages, which contain a backported patch to correct this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 67776
    published: 2013-07-12
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/67776
    title: Oracle Linux 5 : cups (ELSA-2008-1029)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2008-10911.NASL
    description: Security update to fix CVE-2008-5183. Also included is a fix for incorrect form-feed handling in the textonly filter. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 35078
    published: 2008-12-10
    reporter: This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/35078
    title: Fedora 8 : cups-1.3.9-2.fc8 (2008-10911)
  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_SECUPD2009-001.NASL
    description: The remote host is running a version of Mac OS X 10.5 or 10.4 that does not have Security Update 2009-001 applied. This security update contains fixes for the following products: AFP Server, Apple Pixlet Video, CarbonCore, CFNetwork, Certificate Assistant, ClamAV, CoreText, CUPS, DS Tools, fetchmail, Folder Manager, FSEvents, Network Time, perl, Printing, python, Remote Apple Events, Safari RSS, servermgrd, SMB, SquirrelMail, X11, XTerm
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 35684
    published: 2009-02-13
    reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/35684
    title: Mac OS X Multiple Vulnerabilities (Security Update 2009-001)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2008-10917.NASL
    description: Security update to fix CVE-2008-5183. Also fixed in this update are a bug that caused cups-polld to fail to resolve hostnames, a bug that could cause libcups to get stuck in a loop, and incorrect form-feed handling in the textonly filter. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 35079
    published: 2008-12-10
    reporter: This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/35079
    title: Fedora 9 : cups-1.3.9-2.fc9 (2008-10917)
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20081215_CUPS_ON_SL3_X.NASL
    description: A NULL pointer dereference flaw was found in the way CUPS handled subscriptions for printing job completion notifications. A local user could use this flaw to crash the CUPS daemon by submitting a large number of printing jobs requiring mail notification on completion, leading to a denial of service. (CVE-2008-5183) An integer overflow flaw, leading to a heap buffer overflow, was discovered in the Portable Network Graphics (PNG) decoding routines used by the CUPS image-converting filters,
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 60503
    published: 2012-08-01
    reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/60503
    title: Scientific Linux Security Update : cups on SL3.x, SL5.x i386/x86_64
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRIVA_MDVSA-2009-028.NASL
    description: Security vulnerabilities have been discovered and corrected in CUPS. CUPS before 1.3.8 allows local users, and possibly remote attackers, to cause a denial of service (daemon crash) by adding a large number of RSS Subscriptions, which triggers a NULL pointer dereference (CVE-2008-5183). The web interface (cgi-bin/admin.c) in CUPS before 1.3.8 uses the guest username when a user is not logged on to the web server, which makes it easier for remote attackers to bypass intended policy and conduct CSRF attacks via the (1) add and (2) cancel RSS subscription functions (CVE-2008-5184). CUPS 1.1.17 through 1.3.9 allows remote attackers to execute arbitrary code via a PNG image with a large height value, which bypasses a validation check and triggers a buffer overflow (CVE-2008-5286). CUPS shipped with Mandriva Linux allows local users to overwrite arbitrary files via a symlink attack on the /tmp/pdf.log temporary file (CVE-2009-0032). The updated packages have been patched to prevent this.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 36414
    published: 2009-04-23
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/36414
    title: Mandriva Linux Security Advisory : cups (MDVSA-2009:028)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2008-1029.NASL
    description: Updated cups packages that fix a security issue are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Common UNIX(r) Printing System (CUPS) provides a portable printing layer for UNIX operating systems. A NULL pointer dereference flaw was found in the way CUPS handled subscriptions for printing job completion notifications. A local user could use this flaw to crash the CUPS daemon by submitting a large number of printing jobs requiring mail notification on completion, leading to a denial of service. (CVE-2008-5183) Users of cups should upgrade to these updated packages, which contain a backported patch to correct this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 35183
    published: 2008-12-16
    reporter: This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/35183
    title: RHEL 5 : cups (RHSA-2008:1029)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_0_CUPS-081121.NASL
    description: Local users could crash cups by adding a large number of RSS subscriptions (CVE-2008-5183, CVE-2008-5184).
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 39942
    published: 2009-07-21
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/39942
    title: openSUSE Security Update : cups (cups-322)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2008-10895.NASL
    description: Security update to fix CVE-2008-5183. Also changed in this update:
      - a bug that caused cups-polld to fail to resolve hostnames has been fixed
      - a bug that could cause libcups to get stuck in a loop has been fixed
      - the dnssd backend has been removed as it is not working correctly and can prevent printers being added
      Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 38122
    published: 2009-04-23
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/38122
    title: Fedora 10 : cups-1.3.9-4.fc10 (2008-10895)
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2008-1029.NASL
    description: Updated cups packages that fix a security issue are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Common UNIX(r) Printing System (CUPS) provides a portable printing layer for UNIX operating systems. A NULL pointer dereference flaw was found in the way CUPS handled subscriptions for printing job completion notifications. A local user could use this flaw to crash the CUPS daemon by submitting a large number of printing jobs requiring mail notification on completion, leading to a denial of service. (CVE-2008-5183) Users of cups should upgrade to these updated packages, which contain a backported patch to correct this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 43720
    published: 2010-01-06
    reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/43720
    title: CentOS 5 : cups (CESA-2008:1029)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-707-1.NASL
    description: It was discovered that CUPS didn
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 38132
    published: 2009-04-23
    reporter: Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/38132
    title: Ubuntu 6.06 LTS / 7.10 / 8.04 LTS / 8.10 : cups, cupsys vulnerabilities (USN-707-1)

Oval

accepted: 2013-04-29T04:06:53.503-04:00
class: vulnerability
contributors
  • name: Aharon Chernin
    organization: SCAP.com, LLC
  • name: Dragos Prisaca
    organization: G2, Inc.
definition_extensions
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 5
    oval: oval:org.mitre.oval:def:11414
  • comment: The operating system installed on the system is CentOS Linux 5.x
    oval: oval:org.mitre.oval:def:15802
  • comment: Oracle Linux 5.x
    oval: oval:org.mitre.oval:def:15459
description: cupsd in CUPS 1.3.9 and earlier allows local users, and possibly remote attackers, to cause a denial of service (daemon crash) by adding a large number of RSS Subscriptions, which triggers a NULL pointer dereference. NOTE: this issue can be triggered remotely by leveraging CVE-2008-5184.
family: unix
id: oval:org.mitre.oval:def:10586
status: accepted
submitted: 2010-07-09T03:56:16-04:00
title: cupsd in CUPS 1.3.9 and earlier allows local users, and possibly remote attackers, to cause a denial of service (daemon crash) by adding a large number of RSS Subscriptions, which triggers a NULL pointer dereference. NOTE: this issue can be triggered remotely by leveraging CVE-2008-5184.
version: 18

Redhat

advisories
bugzilla
  id: 473901
  title: CVE-2008-5183 cups: DoS (daemon crash) caused by the large number of subscriptions
oval
OR
  • comment: Red Hat Enterprise Linux must be installed
    oval: oval:com.redhat.rhba:tst:20070304026
  • AND
    • comment: Red Hat Enterprise Linux 5 is installed
      oval: oval:com.redhat.rhba:tst:20070331005
    • OR
      • AND
        • comment: cups-devel is earlier than 1:1.2.4-11.18.el5_2.3
          oval: oval:com.redhat.rhsa:tst:20081029001
        • comment: cups-devel is signed with Red Hat redhatrelease key
          oval: oval:com.redhat.rhsa:tst:20070123011
      • AND
        • comment: cups-lpd is earlier than 1:1.2.4-11.18.el5_2.3
          oval: oval:com.redhat.rhsa:tst:20081029003
        • comment: cups-lpd is signed with Red Hat redhatrelease key
          oval: oval:com.redhat.rhsa:tst:20070123015
      • AND
        • comment: cups is earlier than 1:1.2.4-11.18.el5_2.3
          oval: oval:com.redhat.rhsa:tst:20081029005
        • comment: cups is signed with Red Hat redhatrelease key
          oval: oval:com.redhat.rhsa:tst:20070123009
      • AND
        • comment: cups-libs is earlier than 1:1.2.4-11.18.el5_2.3
          oval: oval:com.redhat.rhsa:tst:20081029007
        • comment: cups-libs is signed with Red Hat redhatrelease key
          oval: oval:com.redhat.rhsa:tst:20070123013
rhsa
  id: RHSA-2008:1029
  released: 2008-12-15
  severity: Moderate
  title: RHSA-2008:1029: cups security update (Moderate)
rpms
  • cups-1:1.2.4-11.18.el5_2.3
  • cups-debuginfo-1:1.2.4-11.18.el5_2.3
  • cups-devel-1:1.2.4-11.18.el5_2.3
  • cups-libs-1:1.2.4-11.18.el5_2.3
  • cups-lpd-1:1.2.4-11.18.el5_2.3

Seebug

bulletinFamily: exploit
description: BUGTRAQ ID: 32419 CVE(CAN) ID: CVE-2008-5183 The Common Unix Printing System (CUPS) is a general-purpose Unix printing system, a cross-platform printing solution for Unix environments that is based on the Internet Printing Protocol and serves most PostScript and raster printers. If more than 100 RSS subscriptions are added to the CUPS daemon (/usr/sbin/cupsd), which listens on port 631/tcp by default, a NULL pointer dereference is triggered and the daemon crashes. Easy Software Products CUPS < 1.3.8 RedHat ------ RedHat has released a security advisory (RHSA-2008:1029-01) and corresponding patches for this issue: RHSA-2008:1029-01: Moderate: cups security update Link: https://www.redhat.com/support/errata/RHSA-2008-1029.html
id: SSV:4583
last seen: 2017-11-19
modified: 2008-12-23
published: 2008-12-23
reporter: Root
source: https://www.seebug.org/vuldb/ssvid-4583
title: CUPS cupsd RSS subscription NULL pointer dereference local denial-of-service vulnerability

References