CVE-2015-1158 - 7PK - Security Features vulnerability in CUPS
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN
Summary
The add_job function in scheduler/ipp.c in cupsd in CUPS before 2.0.3 performs incorrect free operations for multiple-value job-originating-host-name attributes, which allows remote attackers to trigger data corruption for reference-counted strings via a crafted (1) IPP_CREATE_JOB or (2) IPP_PRINT_JOB request, as demonstrated by replacing the configuration file and consequently executing arbitrary code.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Exploit-Db
description: CUPS < 2.0.3 - Remote Command Execution. CVE-2015-1158. Remote exploit for Linux platform
file: exploits/linux/remote/41233.py
id: EDB-ID:41233
last seen: 2017-02-03
modified: 2017-02-03
platform: linux
port:
published: 2017-02-03
reporter: Exploit-DB
source: https://www.exploit-db.com/download/41233/
title: CUPS < 2.0.3 - Remote Command Execution
type: remote

description: CUPS < 2.0.3 - Multiple Vulnerabilities. CVE-2015-1158. Remote exploits for multiple platform
file: exploits/multiple/remote/37336.txt
id: EDB-ID:37336
last seen: 2016-02-04
modified: 2015-06-22
platform: multiple
port:
published: 2015-06-22
reporter: Google Security Research
source: https://www.exploit-db.com/download/37336/
title: CUPS < 2.0.3 - Multiple Vulnerabilities
type: remote
Nessus
NASL family: Fedora Local Security Checks
NASL id: FEDORA_2015-9726.NASL
description: New upstream bug-fix release. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-05
modified: 2015-06-22
plugin id: 84310
published: 2015-06-22
reporter: This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/84310
title: Fedora 22 : cups-2.0.3-1.fc22 (2015-9726)

NASL family: Scientific Linux Local Security Checks
NASL id: SL_20150617_CUPS_ON_SL6_X.NASL
description: A string reference count bug was found in cupsd, causing premature freeing of string objects. An attacker can submit a malicious print job that exploits this flaw to dismantle ACLs protecting privileged operations, allowing a replacement configuration file to be uploaded which in turn allows the attacker to run arbitrary code in the CUPS server (CVE-2015-1158) A cross-site scripting flaw was found in the cups web templating engine. An attacker could use this flaw to bypass the default configuration settings that bind the CUPS scheduler to the
last seen: 2020-03-18
modified: 2015-06-18
plugin id: 84259
published: 2015-06-18
reporter: This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/84259
title: Scientific Linux Security Update : cups on SL6.x, SL7.x i386/x86_64 (20150617)

NASL family: Oracle Linux Local Security Checks
NASL id: ORACLELINUX_ELSA-2015-1123.NASL
description: From Red Hat Security Advisory 2015:1123 : Updated cups packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. CUPS provides a portable printing layer for Linux, UNIX, and similar operating systems. A string reference count bug was found in cupsd, causing premature freeing of string objects. An attacker can submit a malicious print job that exploits this flaw to dismantle ACLs protecting privileged operations, allowing a replacement configuration file to be uploaded which in turn allows the attacker to run arbitrary code in the CUPS server (CVE-2015-1158) A cross-site scripting flaw was found in the cups web templating engine. An attacker could use this flaw to bypass the default configuration settings that bind the CUPS scheduler to the
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 84256
published: 2015-06-18
reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/84256
title: Oracle Linux 6 / 7 : cups (ELSA-2015-1123)

NASL family: SuSE Local Security Checks
NASL id: OPENSUSE-2015-418.NASL
description: This update fixes the following issues : - CVE-2015-1158 and CVE-2015-1159 fixes a possible privilege escalation via cross-site scripting and bad print job submission used to replace cupsd.conf on server (CUPS STR#4609 CERT-VU-810572 CVE-2015-1158 CVE-2015-1159 bugzilla.suse.com bsc#924208). In general it is crucial to limit access to CUPS to trustworthy users who do not misuse their permission to submit print jobs which means to upload arbitrary data onto the CUPS server, see https://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings and cf. the entries about CVE-2012-5519 below.
last seen: 2020-06-05
modified: 2015-06-15
plugin id: 84184
published: 2015-06-15
reporter: This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/84184
title: openSUSE Security Update : cups (openSUSE-2015-418)

NASL family: FreeBSD Local Security Checks
NASL id: FREEBSD_PKG_A40EC9700EFA11E590E4D050996490D0.NASL
description: CUPS development team reports : The new release addresses two security vulnerabilities, add localizations for German and Russian, and includes several general bug fixes. Changes include : Security: Fixed CERT VU #810572/CVE-2015-1158/CVE-2015-1159 exploiting the dynamic linker (STR #4609) Security: The scheduler could hang with malformed gzip data (STR #4602)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 84070
published: 2015-06-10
reporter: This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/84070
title: FreeBSD : cups -- multiple vulnerabilities (a40ec970-0efa-11e5-90e4-d050996490d0)

NASL family: Debian Local Security Checks
NASL id: DEBIAN_DLA-239.NASL
description: Two critical vulnerabilities have been found in the CUPS printing system : CVE-2015-1158 - Improper Update of Reference Count Cupsd uses reference-counted strings with global scope. When parsing a print job request, cupsd over-decrements the reference count for a string from the request. As a result, an attacker can prematurely free an arbitrary string of global scope. They can use this to dismantle ACL’s protecting privileged operations, and upload a replacement configuration file, and subsequently run arbitrary code on a target machine. This bug is exploitable in default configurations, and does not require any special permissions other than the basic ability to print. CVE-2015-1159 - Cross-Site Scripting A cross-site scripting bug in the CUPS templating engine allows the above bug to be exploited when a user browses the web. This XSS is reachable in the default configuration for Linux instances of CUPS, and allows an attacker to bypass default configuration settings that bind the CUPS scheduler to the ‘localhost’ or loopback interface. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-03-17
modified: 2015-06-10
plugin id: 84061
published: 2015-06-10
reporter: This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/84061
title: Debian DLA-239-1 : cups security update

NASL family: Misc.
NASL id: CUPS_2_0_3.NASL
description: According to its banner, the CUPS printer service running on the remote host is a version prior to 2.0.3. It is, therefore, potentially affected by the following vulnerabilities : - A privilege escalation vulnerability exists due to a flaw in cupsd when handling printer job request errors. An unauthenticated, remote attacker can exploit this, with a specially crafted request, to prematurely free an arbitrary string of global scope, creating a dangling pointer to a repurposed block of memory on the heap, resulting ACL verification to fail when parsing
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 84149
published: 2015-06-12
reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/84149
title: CUPS < 2.0.3 Multiple Vulnerabilities

NASL family: Slackware Local Security Checks
NASL id: SLACKWARE_SSA_2015-188-01.NASL
description: New cups packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 84588
published: 2015-07-08
reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/84588
title: Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : cups (SSA:2015-188-01)

NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2015-1123.NASL
description: Updated cups packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. CUPS provides a portable printing layer for Linux, UNIX, and similar operating systems. A string reference count bug was found in cupsd, causing premature freeing of string objects. An attacker can submit a malicious print job that exploits this flaw to dismantle ACLs protecting privileged operations, allowing a replacement configuration file to be uploaded which in turn allows the attacker to run arbitrary code in the CUPS server (CVE-2015-1158) A cross-site scripting flaw was found in the cups web templating engine. An attacker could use this flaw to bypass the default configuration settings that bind the CUPS scheduler to the
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 84258
published: 2015-06-18
reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/84258
title: RHEL 6 / 7 : cups (RHSA-2015:1123)

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2015-9801.NASL
description: This update fixed 2 security flaws. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-05
modified: 2015-06-22
plugin id: 84311
published: 2015-06-22
reporter: This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/84311
title: Fedora 21 : cups-1.7.5-17.fc21 (2015-9801)

NASL family: OracleVM Local Security Checks
NASL id: ORACLEVM_OVMSA-2015-0071.NASL
description: The remote OracleVM system is missing necessary patches to address critical security updates : - CVE-2015-1158, CVE-2015-1159, CVE-2014-9679 (bug #1229982).
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 84257
published: 2015-06-18
reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/84257
title: OracleVM 3.3 : cups (OVMSA-2015-0071)

NASL family: SuSE Local Security Checks
NASL id: SUSE_SU-2015-1041-1.NASL
description: The following issues are fixed by this update : - CVE-2012-5519: privilege escalation via cross-site scripting and bad print job submission used to replace cupsd.conf on server (bsc#924208). - CVE-2015-1158: Improper Update of Reference Count - CVE-2015-1159: Cross-Site Scripting Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 84145
published: 2015-06-12
reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/84145
title: SUSE SLED12 / SLES12 Security Update : cups (SUSE-SU-2015:1041-1)

NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-3283.NASL
description: It was discovered that CUPS, the Common UNIX Printing System, is vulnerable to a remotely triggerable privilege escalation via cross-site scripting and bad print job submission used to replace cupsd.conf on the CUPS server.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 84063
published: 2015-06-10
reporter: This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/84063
title: Debian DSA-3283-1 : cups - security update

NASL family: Ubuntu Local Security Checks
NASL id: UBUNTU_USN-2629-1.NASL
description: It was discovered that CUPS incorrectly handled reference counting when handling localized strings. A remote attacker could use this issue to escalate permissions, upload a replacement CUPS configuration file, and execute arbitrary code. (CVE-2015-1158) It was discovered that the CUPS templating engine contained a cross-site scripting issue. A remote attacker could use this issue to bypass default configuration settings. (CVE-2015-1159). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 84117
published: 2015-06-11
reporter: Ubuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/84117
title: Ubuntu 12.04 LTS / 14.04 LTS / 14.10 / 15.04 : cups vulnerabilities (USN-2629-1)

NASL family: SuSE Local Security Checks
NASL id: SUSE_SU-2015-1044-2.NASL
description: The following issues are fixed by this update : - CVE-2012-5519: privilege escalation via cross-site scripting and bad print job submission used to replace cupsd.conf on server (bsc#924208). - CVE-2015-1158: Improper Update of Reference Count - CVE-2015-1159: Cross-Site Scripting Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-03-24
modified: 2019-01-02
plugin id: 119966
published: 2019-01-02
reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/119966
title: SUSE SLES12 Security Update : cups154 (SUSE-SU-2015:1044-2)

NASL family: CentOS Local Security Checks
NASL id: CENTOS_RHSA-2015-1123.NASL
description: Updated cups packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. CUPS provides a portable printing layer for Linux, UNIX, and similar operating systems. A string reference count bug was found in cupsd, causing premature freeing of string objects. An attacker can submit a malicious print job that exploits this flaw to dismantle ACLs protecting privileged operations, allowing a replacement configuration file to be uploaded which in turn allows the attacker to run arbitrary code in the CUPS server (CVE-2015-1158) A cross-site scripting flaw was found in the cups web templating engine. An attacker could use this flaw to bypass the default configuration settings that bind the CUPS scheduler to the
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 84276
published: 2015-06-19
reporter: This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/84276
title: CentOS 6 / 7 : cups (CESA-2015:1123)

NASL family: SuSE Local Security Checks
NASL id: SUSE_SU-2015-1044-1.NASL
description: The following issues are fixed by this update : - CVE-2012-5519: privilege escalation via cross-site scripting and bad print job submission used to replace cupsd.conf on server (bsc#924208). - CVE-2015-1158: Improper Update of Reference Count - CVE-2015-1159: Cross-Site Scripting Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-03-24
modified: 2019-01-02
plugin id: 119965
published: 2019-01-02
reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/119965
title: SUSE SLES12 Security Update : cups154 (SUSE-SU-2015:1044-1)

NASL family: Gentoo Local Security Checks
NASL id: GENTOO_GLSA-201510-07.NASL
description: The remote host is affected by the vulnerability described in GLSA-201510-07 (CUPS: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in cups. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could possibly execute arbitrary code with the privileges of the process, or cause a Denial of Service condition. Workaround : There is no known workaround at this time.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 86692
published: 2015-11-02
reporter: This script is Copyright (C) 2015 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/86692
title: GLSA-201510-07 : CUPS: Multiple vulnerabilities

NASL family: Amazon Linux Local Security Checks
NASL id: ALA_ALAS-2015-559.NASL
description: A string reference count bug was found in cupsd, causing premature freeing of string objects. An attacker can submit a malicious print job that exploits this flaw to dismantle ACLs protecting privileged operations, allowing a replacement configuration file to be uploaded which in turn allows the attacker to run arbitrary code in the CUPS server (CVE-2015-1158) A cross-site scripting flaw was found in the cups web templating engine. An attacker could use this flaw to bypass the default configuration settings that bind the CUPS scheduler to the
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 84595
published: 2015-07-08
reporter: This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/84595
title: Amazon Linux AMI : cups (ALAS-2015-559)

NASL family: Huawei Local Security Checks
NASL id: EULEROS_SA-2019-1432.NASL
description: According to the versions of the cups package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - A cross-site scripting flaw was found in the cups web templating engine. An attacker could use this flaw to bypass the default configuration settings that bind the CUPS scheduler to the
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 124935
published: 2019-05-14
reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/124935
title: EulerOS Virtualization 3.0.1.0 : cups (EulerOS-SA-2019-1432)
Packetstorm
data source: https://packetstormsecurity.com/files/download/132389/cups-xss.txt
id: PACKETSTORM:132389
last seen: 2016-12-05
published: 2015-06-22
reporter: Google Security Research
source: https://packetstormsecurity.com/files/132389/CUPS-XSS-String-Handling-Improper-Teardown.html
title: CUPS XSS / String Handling / Improper Teardown

data source: https://packetstormsecurity.com/files/download/140920/cups-exec.txt
id: PACKETSTORM:140920
last seen: 2017-02-03
published: 2017-02-03
reporter: 0x00string
source: https://packetstormsecurity.com/files/140920/CUPS-Remote-Code-Execution.html
title: CUPS Remote Code Execution
References
- https://bugzilla.redhat.com/show_bug.cgi?id=1221641
- https://code.google.com/p/google-security-research/issues/detail?id=455
- http://googleprojectzero.blogspot.in/2015/06/owning-internet-printing-case-study-in.html
- http://www.cups.org/blog.php?L1082
- https://bugzilla.opensuse.org/show_bug.cgi?id=924208
- https://www.cups.org/str.php?L4609
- http://www.kb.cert.org/vuls/id/810572
- http://www.securityfocus.com/bid/75098
- https://security.gentoo.org/glsa/201510-07
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10702
- http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00010.html
- http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00006.html
- http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00003.html
- http://www.ubuntu.com/usn/USN-2629-1
- http://www.debian.org/security/2015/dsa-3283
- http://rhn.redhat.com/errata/RHSA-2015-1123.html
- https://github.com/0x00string/oldays/blob/master/CVE-2015-1158.py
- https://www.exploit-db.com/exploits/41233/
- https://www.exploit-db.com/exploits/37336/
- http://www.securitytracker.com/id/1032556