===================================================================== CERT-Renater Note d'Information No. 2023/VULN336 _____________________________________________________________________ DATE : 20/09/2023 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running cups versions up to and including 2.4.6. ===================================================================== https://github.com/OpenPrinting/cups/security/advisories/GHSA-pf5r-86w9-678h _____________________________________________________________________ CUPS Heap-based buffer overflow Low zdohnal published GHSA-pf5r-86w9-678h Package cups Affected versions < 2.4.6 Patched versions None Description Hello -- below is a draft advisory that we plan to publish in about 60 days (around October 22, 2023), or sooner if you choose to disclose before then. Also, thanks for the incredibly easy mechanism to report security issues! We are a CNA, so no need to involve MITRE - we can take care of publishing and credit and all that. CVE-2023-4504: OpenPrinting CUPS Postscript Parsing Heap Overflow AHA! has discovered an issue with CUPS from OpenPrinting, and is publishing this disclosure in accordance with AHA!'s standard disclosure policy today, on $DATE. CVE-2023-4504 has been assigned to this issue. Any questions about this disclosure should be directed to cve@takeonme.org. Executive Summary Due to failure in validating the length provided by an attacker-crafted CUPS document, CUPS version v2.5b1 and prior, by default, is susceptible to a heap-based buffer overflow, and possibly code execution. CVE-2023-4504 appears to be an instance of CWE-122, a heap-based buffer overflow. Technical Details The scan_ps function in the CUPS codebase provides functionality that scans through a string looking for the next Postscript object. When iterating through a string which contains an open parenthesis and ends with a single backslash (0x5c) character, the code incorrectly iterates forward a character without properly checking the bounds of the string resulting in a 1 byte read beyond the allocated heap buffer. Snippet of the vulnerable code: cups/cups/raster-interpret.c 1039 static _cups_ps_obj_t * /* O - New object or NULL on EOF */ 1040 scan_ps(_cups_ps_stack_t *st, /* I - Stack */ 1041 char **ptr) /* IO - String pointer */ 1042 { ... 1085 switch (*cur) 1086 { 1087 case '(' : /* (string) */ 1088 obj.type = CUPS_PS_STRING; 1089 start = cur; 1090 1091 for (cur ++, parens = 1, valptr = obj.value.string, 1092 valend = obj.value.string + sizeof(obj.value.string) - 1; 1093 *cur; 1094 cur ++) 1095 { 1096 if (*cur == ')' && parens == 1) 1097 break; 1098 1099 if (*cur == '(') 1100 parens ++; 1101 else if (*cur == ')') 1102 parens --; 1103 1104 if (valptr >= valend) 1105 { 1106 *ptr = start; 1107 1108 return (NULL); 1109 } 1110 1111 if (*cur == '\\') 1112 { 1113 /* 1114 * Decode escaped character... 1115 */ 1116 1117 cur ++; 1118 1119 if (*cur == 'b') 1120 *valptr++ = '\b'; 1121 else if (*cur == 'f') 1122 *valptr++ = '\f'; 1123 else if (*cur == 'n') 1124 *valptr++ = '\n'; 1125 else if (*cur == 'r') 1126 *valptr++ = '\r'; 1127 else if (*cur == 't') 1128 *valptr++ = '\t'; 1129 else if (*cur >= '0' && *cur <= '7') 1130 { 1131 int ch = *cur - '0'; 1132 1133 if (cur[1] >= '0' && cur[1] <= '7') 1134 { 1135 cur ++; 1136 ch = (ch << 3) + *cur - '0'; 1137 } 1138 1139 if (cur[1] >= '0' && cur[1] <= '7') 1140 { 1141 cur ++; 1142 ch = (ch << 3) + *cur - '0'; 1143 } 1144 1145 *valptr++ = (char)ch; 1146 } 1147 else if (*cur == '\r') 1148 { 1149 if (cur[1] == '\n') 1150 cur ++; 1151 } 1152 else if (*cur != '\n') 1153 *valptr++ = *cur; 1154 } 1155 else 1156 *valptr++ = *cur; 1157 } Line 1085 contains the case statement which provides the logic used to iterate through the given string. On line 1091, the for loop within the case statement is used to iterate through each character after encountering an open paranthesis character (0x28), storing the pointer to the current character in cur. On line 1111, the code checks if the current character is a backslash and finally, in line 1117, the character index is incremented without checking the length, now pointing to the null byte terminating the string. Upon the next iteration of the loop, on line 1094, the loop now begins iterating through unallocated memory resulting in undefined behaviour. A Base64 encoded blob of an example PostScript document that can trigger the issue is below. L///KFwAY3V1ZQ== Attacker Value By providing this malformed PostScript document, an attacker could compromise the machine running the software. Once compromised, this can provide an attacker a unique, privileged position in the targeted network. Credit This issue is being disclosed through the AHA! CNA and is credited to: zenofex and WanderingGlitch Timeline 2023-07-27 (Thu): Initial findings presented at AHA! Meeting 0xffff 2023-08-21 (Monday): PoC validated and this disclosure drafted. 2023-08-23 (Day): Disclosed to the vendor per their GitHub repo's instructions. YYYY-MM-DD (Day): Vendor acknowledged the vulnerability. YYYY-MM-DD (Day): Vendor released fixed version X.Y.Z. YYYY-MM-DD (Day): Public disclosure of CVE-2023-4504. Severity Low 0.0/ 10 CVSS base metrics Attack vector Local Attack complexity Low Privileges required High User interaction None Scope Unchanged Confidentiality None Integrity None Availability None CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N CVE ID No known CVE Weaknesses CWE-122 Credits @todb todb ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================