Message-ID: <c37ab2bd-375c-4963-c570-44be9c4b2d81@redhat.com>
Date: Thu, 1 Jun 2023 12:35:16 +0200
From: Zdenek Dohnal <zdohnal@...hat.com>
To: oss-security@...ts.openwall.com
Subject: [vs] CVE-2023-32324 heap buffer overflow in cupsd

Hi all,

there is currently embargoed CVE-2023-32324 in cups project:

Summary

A heap buffer overflow vulnerability would allow a remote attacker to launch a DoS attack.

Details

A buffer overflow vulnerability in the function format_log_line could allow remote attackers to cause a denial-of-service (DoS) on the affected system (not verified for possible arbitrary code execution). The vulnerability affects the commit #c0c4037 and the latest commit #4310a07 on the GitHub master branch as well as the latest release version v2.4.2. I have only tested these versions so far.

Exploitation of the vulnerability can be triggered when the configuration file cupsd.conf sets the value of loglevel to DEBUG if the log location is set to a file.

Reproduce

$ git clone https://github.com/OpenPrinting/cups.git
$ cd cups
$ CFLAGS="-g -fsanitize=address -fPIE" CXXFLAGS="-g -fsanitize=address -fPIE" LDFLAGS="-fsanitize=address" ./configure -with-tls=no --disable-shared
# Now compile cups
$ make -j
# Adjust conf/cupsd.conf to reproduce the crash - enable debug logging to a file and set cupsd to listen on port 8631
$ sed -i 's,LogLevel warn,LogLevel debug,' conf/cupsd.conf
$ sed -i 's,Listen localhost:631,Listen localhost:8631,' conf/cupsd.conf

Run cups and replay the crash.raw

$ sudo ./scheduler/cupsd -c conf/cupsd.conf -f
$ nc 127.0.0.1 8631 < ./crash.raw

cupsd crashes after the last command and generates the attached ASAN report.

PoC crash.raw attached

Impact

Heap buffer overflow.

Patch

Committed as https://github.com/OpenPrinting/cups/commit/fd8bc2d32589d1fd91fe1c0521be2a7c0462109e

For OpenPrinting CUPS community,
Zdenek Dohnal (CUPS 2.4.x release manager)

--
Zdenek Dohnal
Senior Software Engineer
Red Hat, BRQ-TPBC

Attachments: "0001-Consensus-fix.patch" (text/x-patch, 804 bytes), "asan_report.txt" (text/plain, 3254 bytes), "crash.raw" (application/octet-stream, 37881 bytes)
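The advisory names one exposure condition for unpatched servers: LogLevel set to debug while the error log goes to a file rather than syslog. The following checker reads a cupsd.conf and reports whether a host is in that configuration, so administrators who cannot patch immediately can confirm they are running at a lower log level or logging to syslog. This is an added example, not code from the advisory or from the CUPS project. It assumes the cupsd.conf directive names LogLevel and ErrorLog, the syslog/stderr keywords and the defaults (warn, /var/log/cups/error_log) as documented in cupsd.conf(5); the sample configurations below are constructed.

```python
"""Check a cupsd.conf for the CVE-2023-32324 exposure condition:
LogLevel debug combined with error logging to a file.

Added example, not from the advisory or the CUPS project. Directive names,
keywords and defaults are assumed from cupsd.conf(5)."""
from typing import Dict, List, Tuple

# Assumed defaults used by cupsd when a directive is absent (per cupsd.conf(5)).
DEFAULT_LOGLEVEL = "warn"
DEFAULT_ERRORLOG = "/var/log/cups/error_log"

# ErrorLog values that do not write to a file (assumed keywords).
NON_FILE_LOG_TARGETS = {"syslog", "stderr"}

# "debug2" is assumed to be a superset of "debug" and is treated the same way.
DEBUG_LEVELS = {"debug", "debug2"}

# Constructed sample: the configuration the advisory's reproduce steps create.
EXPOSED_CONF = """
# constructed cupsd.conf
LogLevel debug
Listen localhost:8631
ErrorLog /var/log/cups/error_log
<Location />
  Order allow,deny
</Location>
"""

# Constructed sample: same server with debug logging turned off.
HARDENED_CONF = """
# constructed cupsd.conf
LogLevel warn
Listen localhost:631
ErrorLog /var/log/cups/error_log
"""


def parse_cupsd_conf(text: str) -> Dict[str, str]:
    """Return the last value seen for each top-level directive, keyed by the
    lower-cased directive name. Comments, blank lines and anything inside
    <Location>/<Policy>/<Limit> blocks are skipped, since LogLevel and
    ErrorLog are global directives."""
    directives: Dict[str, str] = {}
    depth = 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        if line.startswith("</"):
            depth = max(depth - 1, 0)  # leaving a block
            continue
        if line.startswith("<"):
            depth += 1  # entering a block
            continue
        if depth:
            continue  # block-scoped directive, not global
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        directives[key] = value  # later occurrences override earlier ones
    return directives


def is_exposed_config(text: str) -> Tuple[bool, List[str]]:
    """Return (exposed, reasons). exposed is True only when both conditions
    the advisory describes hold: a debug log level and a file log target."""
    d = parse_cupsd_conf(text)
    loglevel = d.get("loglevel", DEFAULT_LOGLEVEL).lower()
    errorlog = d.get("errorlog", DEFAULT_ERRORLOG)
    debug = loglevel in DEBUG_LEVELS
    logs_to_file = errorlog.lower() not in NON_FILE_LOG_TARGETS
    reasons: List[str] = []
    if debug:
        reasons.append(f"LogLevel is {loglevel}")
    if logs_to_file:
        reasons.append(f"ErrorLog is a file ({errorlog})")
    return (debug and logs_to_file), reasons


if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        exposed, reasons = is_exposed_config(conf)
        status = "EXPOSED" if exposed else "ok"
        print(f"{name}: {status} ({'; '.join(reasons)})")
```

Run it against a real file with `is_exposed_config(open("/etc/cups/cupsd.conf").read())`. A missing LogLevel is treated as the assumed default warn, so an empty or default configuration reports as not exposed; the check is deliberately conservative and only flags the exact combination the advisory describes, not every debug setting.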