Summary

A heap buffer overflow vulnerability would allow a remote attacker to lauch a dos attack.

Details

A buffer overflow vulnerability in the function format_log_line could allow remote attackers to cause a denial-of-service(DoS) on the affected system (not verified for possible arbitrary code execution).

The vulnerability affects the commit #c0c4037 and the latest commit #4310a07 on the GitHub master branch as well as the latest release version v2.4.2. I have only tested these versions so far.

Exploitation of the vulnerability can be triggered when the configuration file cupsd.conf sets the value of loglevel to DEBUG.

Please refer to the ASAN information for the location of the vulnerability:

Reproduce

git clone https://github.com/OpenPrinting/cups.git cd cups ./configure -with-tls=no CC=clang CXX=clang+ --disable-shared

Then modify the Makedef

add "-fPIE" to CFLAGS CXXFLAGS

add asan option like "-g -fsanitize=address" to CFLAGS CXXFLAGS LDFALGS

Now complile cups

make -j

We then use make test to get the configuration file, or use the default cupsd.conf in ./conf/ directory (but remember to change loglevel)

make test # or timeout -k 0 --preserve-status 1m make test

Run cups and replay the crash.raw

./scheduler/cupsd -c /tmp/cups-ubuntu/cupsd.conf -f
# or /scheduler/cupsd -c ./conf/cupsd.conf -f # bug remember to change the log level in conf

nc 127.0.0.1 8631 < ./crash.raw

PoC

Sorry I couldn’t upload the zip and the original packet, so I changed the suffix to jpg.
But github doesn’t seem to change the jpg file, so you can just replay this jpg file, which I tested.

Impact

Heap buffer overflow.