CVE-2015-1158
published 2015-06-26
CVE-2015-1158: The add_job function in scheduler/ipp.c in cupsd in CUPS before 2.0.3 performs incorrect free operations for multiple-value job-originating-host-name…
Priority P269 · critical · 10.0 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 29.91% (98.0th percentile)
The add_job function in scheduler/ipp.c in cupsd in CUPS before 2.0.3 performs incorrect free operations for multiple-value job-originating-host-name attributes, which allows remote attackers to trigger data corruption for reference-counted strings via a crafted (1) IPP_CREATE_JOB or (2) IPP_PRINT_JOB request, as demonstrated by replacing the configuration file and consequently executing arbitrary code.
Affected

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | cups | >= 0 < 1.7.5-12 | 1.7.5-12 |
| apple | cups | >= 0 < 1.7.2-0ubuntu1.6 | 1.7.2-0ubuntu1.6 |
| apple | os_x_yosemite_v10.10.3_and_security_update_2015-004 | — | — |
| cups | cups | <= 2.0.2 | — |
| debian | cups | < 1.7.5-12 (bookworm) | 1.7.5-12 |
Detection & IOCs (extracted from sources)
url: http://localhost:631/help/?QUERY=%3Ca%20href=%22%20%3E%3Cscript%3Ealert%28%27Linux%20crickets%20chirping%20for%20a%20patch%27%29%3C/script%3E%3C!--&SEARCH=Search
- Detect IPP_CREATE_JOB (op-id 0x0005) or IPP_PRINT_JOB (op-id 0x0002) requests whose 'job-originating-host-name' attribute carries more than one value. In the IPP encoding the first value carries the attribute name under tag 0x42 (nameWithoutLanguage); each additional value repeats the 0x42 tag with a zero-length name field (name-len 0x0000). The number of extra values controls how many times cupsd decrements the reference count of the request's natural-language string, which is what triggers the heap corruption.
- Monitor HTTP POST requests to the CUPS IPP endpoint (TCP 631) with Content-Type: application/ipp and User-Agent: CUPS/2.0.2; the public exploit spoofs that User-Agent.
- Alert on cupsd configuration changes that add 'SetEnv LD_PRELOAD' pointing to a path under /var/spool/cups/; this is the post-exploitation persistence mechanism the public exploit uses after stomping the ACL.
- Detect the reflected-XSS probe against the CUPS web interface (the templating-engine issue tracked as CVE-2015-1159 in the vendor advisories below): HTTP GET requests to /help/ whose QUERY parameter begins with URL-encoded '<a href="' (%3Ca%20href%3D%22).
- The exploit first sends GET /printers HTTP/1.1 to enumerate available printer URIs before launching the IPP attack; this reconnaissance step shows up as an unauthenticated GET to /printers on port 631.
- Disabling the CUPS web interface significantly reduces the attack surface; where WebInterface is enabled, treat any external access to port 631 as elevated risk.
- The exploit targets CUPS before 2.0.3. CUPS 2.0.3 separates configuration value strings from the shared string pool (they are allocated with strdup) and blocks LD_*/DYLD_* environment variables when running as root, which breaks the primary exploitation chain.
- CUPS 2.1 beta additionally removes the localhost listener when WebInterface is disabled, further reducing the remote attack surface beyond what 2.0.3 provides.
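The first and third indicators above describe a wire-format pattern and a host artefact but do not show how to check for them. The following is an added example written for this page (it is not CUPS code and not the public exploit): a minimal IPP request encoder and parser that flags a Create-Job or Print-Job whose 'job-originating-host-name' is multi-valued, plus a cupsd.conf check for 'SetEnv LD_PRELOAD' paths under /var/spool/cups/. The request bodies, the printer URI 'ipp://localhost:631/printers/demo', the host-name values and the sample configuration text are all constructed for the example; the operation ids and value tags are the standard IPP encodings quoted in the indicator.

```python
import re
import struct

# IPP operation ids and tags (standard IPP encoding; the values named in the indicator above)
IPP_PRINT_JOB = 0x0002
IPP_CREATE_JOB = 0x0005
TAG_OPERATION_ATTRIBUTES = 0x01
TAG_END_OF_ATTRIBUTES = 0x03
TAG_NAME_WITHOUT_LANGUAGE = 0x42
TAG_URI = 0x45
TAG_CHARSET = 0x47
TAG_NATURAL_LANGUAGE = 0x48


def encode_attribute(tag, name, values):
    """Encode one IPP attribute. Every value after the first repeats the tag
    with a zero-length name, which is how IPP expresses a multi-valued attribute."""
    out = bytearray()
    for i, value in enumerate(values):
        n = name.encode("utf-8") if i == 0 else b""
        out += struct.pack("!BH", tag, len(n)) + n
        out += struct.pack("!H", len(value)) + value
    return bytes(out)


def build_job_request(op_id, host_names, request_id=1):
    """Build a constructed IPP request body (the payload of an HTTP POST with
    Content-Type: application/ipp). host_names is the list of values to place
    in job-originating-host-name; one value is benign, several is the CVE pattern."""
    body = bytearray(struct.pack("!BBHI", 2, 0, op_id, request_id))  # version 2.0
    body.append(TAG_OPERATION_ATTRIBUTES)
    body += encode_attribute(TAG_CHARSET, "attributes-charset", [b"utf-8"])
    body += encode_attribute(TAG_NATURAL_LANGUAGE, "attributes-natural-language", [b"en"])
    body += encode_attribute(TAG_URI, "printer-uri", [b"ipp://localhost:631/printers/demo"])  # assumed URI
    body += encode_attribute(TAG_NAME_WITHOUT_LANGUAGE, "job-originating-host-name", host_names)
    body.append(TAG_END_OF_ATTRIBUTES)
    return bytes(body)


def parse_ipp(data):
    """Parse an IPP request body into (operation-id, [(tag, name, [values])]).
    A zero-length name marks an additional value of the preceding attribute."""
    if len(data) < 8:
        raise ValueError("truncated IPP header")
    _major, _minor, op_id, _request_id = struct.unpack("!BBHI", data[:8])
    pos, attrs = 8, []
    while pos < len(data):
        tag = data[pos]
        pos += 1
        if tag == TAG_END_OF_ATTRIBUTES:
            break
        if tag < 0x10:  # delimiter tag: start of an attribute group
            continue
        (name_len,) = struct.unpack("!H", data[pos:pos + 2])
        pos += 2
        name = data[pos:pos + name_len].decode("utf-8", "replace")
        pos += name_len
        (value_len,) = struct.unpack("!H", data[pos:pos + 2])
        pos += 2
        value = data[pos:pos + value_len]
        pos += value_len
        if name_len == 0:
            if not attrs:
                raise ValueError("additional value without a preceding attribute")
            attrs[-1][2].append(value)
        else:
            attrs.append((tag, name, [value]))
    return op_id, attrs


def check_job_request(data):
    """Flag a Create-Job/Print-Job whose job-originating-host-name is multi-valued.
    Returns None for any request that does not match the CVE-2015-1158 pattern."""
    op_id, attrs = parse_ipp(data)
    if op_id not in (IPP_PRINT_JOB, IPP_CREATE_JOB):
        return None
    for tag, name, values in attrs:
        if name == "job-originating-host-name" and len(values) > 1:
            return {"op_id": op_id, "tag": tag,
                    "values": len(values), "extra_values": len(values) - 1}
    return None


# Host-side indicator: SetEnv LD_PRELOAD pointing under the spool directory
LD_PRELOAD_RE = re.compile(r"^\s*SetEnv\s+LD_PRELOAD\s+(/var/spool/cups/\S+)", re.M)


def find_ld_preload(cupsd_conf_text):
    """Return LD_PRELOAD paths under /var/spool/cups/ set via SetEnv in cupsd.conf text."""
    return LD_PRELOAD_RE.findall(cupsd_conf_text)


if __name__ == "__main__":
    benign = build_job_request(IPP_PRINT_JOB, [b"workstation-1"])
    crafted = build_job_request(IPP_CREATE_JOB, [b"x"] * 10)
    print(check_job_request(benign))   # None
    print(check_job_request(crafted))  # 10 values, 9 extra
    sample_conf = "LogLevel warn\nSetEnv LD_PRELOAD /var/spool/cups/evil.so\n"  # constructed
    print(find_ld_preload(sample_conf))
```

The parser deliberately treats a zero-length name as a continuation value rather than an attribute in its own right; a detector that only counts occurrences of the attribute name would miss the crafted request entirely, because the name appears once regardless of how many values follow.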
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 10.0 | CRITICAL | — |
| vendor_debian | — | 10.0 | CRITICAL | — |
| vendor_redhat | — | 10.0 | CRITICAL | — |
| vendor_ubuntu | — | 10.0 | CRITICAL | — |
GHSA
GHSA-f3f2-vc32-jrrx (ghsa_unreviewed · 2022-05-17 · HIGH)
The add_job function in scheduler/ipp.c in cupsd in CUPS before 2.0.3 performs incorrect free operations for multiple-value job-originating-host-name attributes, which allows remote attackers to trigger data corruption for reference-counted strings via a crafted (1) IPP_CREATE_JOB or (2) IPP_PRINT_JOB request, as demonstrated by replacing the configuration file and consequently executing arbitrary code.
OSV
CVE-2015-1158 (osv · 2015-06-26 · CVSS 10.0 · CRITICAL)
The add_job function in scheduler/ipp.c in cupsd in CUPS before 2.0.3 performs incorrect free operations for multiple-value job-originating-host-name attributes, which allows remote attackers to trigger data corruption for reference-counted strings via a crafted (1) IPP_CREATE_JOB or (2) IPP_PRINT_JOB request, as demonstrated by replacing the configuration file and consequently executing arbitrary code.
OSV
cups vulnerabilities (osv · 2015-06-10 · CVSS 10.0 · CRITICAL)
It was discovered that CUPS incorrectly handled reference counting when handling localized strings. A remote attacker could use this issue to escalate permissions, upload a replacement CUPS configuration file, and execute arbitrary code. (CVE-2015-1158)
It was discovered that the CUPS templating engine contained a cross-site scripting issue. A remote attacker could use this issue to bypass default configuration settings. (CVE-2015-1159)
Project Zero
Owning Internet Printing - A Case Study in Modern Software Exploitation - Project Zero (project_zero · 2015-06-01 · CVSS 10.0 · CRITICAL)
Guest posted by Neel Mehta ([email protected]) - June 19th, 2015
Abstract
Modern exploit mitigations draw attackers into a game of diminishing marginal returns. With each additional mitigation added, a subset of software bugs become unexploitable, and others become difficult to exploit, requiring application or even bug-specific knowledge that cannot be reused. The practical effect of exploit mitigations against any given bug or class of bugs is the subject of great debate amongst security researchers.
Despite mitigations, skilled and determined attackers alike remain undeterred. They cope by finding more bugs, and by crafting increasingly complex exploit chains. Attackers treat these exploits as closely-guarded, increasingly valuable secrets, and it's rare to see publicly-available f
Red Hat
cups: incorrect string reference counting (VU#810572) (vendor_redhat · 2015-06-10 · CVSS 10.0 · CRITICAL)
The add_job function in scheduler/ipp.c in cupsd in CUPS before 2.0.3 performs incorrect free operations for multiple-value job-originating-host-name attributes, which allows remote attackers to trigger data corruption for reference-counted strings via a crafted (1) IPP_CREATE_JOB or (2) IPP_PRINT_JOB request, as demonstrated by replacing the configuration file and consequently executing arbitrary code.
A string reference count bug was found in cupsd, causing premature freeing of string objects. An attacker could submit a malicious print job that exploits this flaw to dismantle ACLs protecting privileged operations, allowing a replacement configuration file to be uploaded, which in turn allowed the attacker to run arbitrary code on th
Ubuntu
CUPS vulnerabilities (vendor_ubuntu · 2015-06-10 · CVSS 10.0 · CRITICAL)
Title: CUPS vulnerabilities
Summary: Several security issues were fixed in CUPS.
It was discovered that CUPS incorrectly handled reference counting when handling localized strings. A remote attacker could use this issue to escalate permissions, upload a replacement CUPS configuration file, and execute arbitrary code. (CVE-2015-1158)
It was discovered that the CUPS templating engine contained a cross-site scripting issue. A remote attacker could use this issue to bypass default configuration settings. (CVE-2015-1159)
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2015-1158: cups (vendor_debian · 2015 · CVSS 10.0 · CRITICAL)
The add_job function in scheduler/ipp.c in cupsd in CUPS before 2.0.3 performs incorrect free operations for multiple-value job-originating-host-name attributes, which allows remote attackers to trigger data corruption for reference-counted strings via a crafted (1) IPP_CREATE_JOB or (2) IPP_PRINT_JOB request, as demonstrated by replacing the configuration file and consequently executing arbitrary code.
Scope: local
bookworm: resolved (fixed in 1.7.5-12)
bullseye: resolved (fixed in 1.7.5-12)
forky: resolved (fixed in 1.7.5-12)
sid: resolved (fixed in 1.7.5-12)
trixie: resolved (fixed in 1.7.5-12)
Apple
OS X Yosemite v10.10.3 and Security Update 2015-004 (vendor_apple · CVSS 10.0 · CRITICAL)
Apple Security Update: About the security content of OS X Yosemite v10.10.3 and Security Update 2015-004
Product: OS X Yosemite v10.10.3 and Security Update 2015-004
CVE: CVE-2015-1158
No detection rules found.
Exploit-DB
CUPS < 2.0.3 - Remote Command Execution (exploitdb · 2017-02-03 · CVSS 10.0 · CRITICAL)
```python
# Excerpt of the public exploit's helper functions (Exploit-DB 41233), ported from the
# Python 2 original to Python 3. The banner text before "CUPS" is cut off in the
# source excerpt and is left as it appears there.


def usage():
    # reconstructed wrapper around the usage banner quoted in the excerpt
    print("CUPS \n"
          " -h, --help: Show this message\n"
          " -a, --rhost: Target IP address\n"
          " -b, --rport: Target IPP service port\n"
          " -c, --lib /path/to/payload.so\n"
          " -f, --stomp-only Only stomp the ACL (no postex)\n"
          "\n"
          "Examples:\n"
          "python script.py -a 10.10.10.10 -b 631 -f\n"
          "python script.py -a 10.10.10.10 -b 631 -c /tmp/x86reverseshell.so\n")
    exit()


def pretty(t, m):
    # coloured status prefix; the original compared with `is`, which only works by
    # accident of string interning, so == is used here
    if t == "+":
        print("\x1b[32;1m[+]\x1b[0m\t" + m)
    elif t == "-":
        print("\x1b[31;1m[-]\x1b[0m\t" + m)
    elif t == "*":
        print("\x1b[34;1m[*]\x1b[0m\t" + m)
    elif t == "!":
        print("\x1b[33;1m[!]\x1b[0m\t" + m)


def createDump(input):
    # hex/ASCII dump of a byte string, 16 bytes per row; the tail of this function
    # is truncated in the source excerpt and is completed here in the same style
    d, b, h = "", [], []
    for e in bytearray(input):
        h.append("%02x" % e)
        if e == 0:
            b.append("0")
        elif 30 > e or e > 127:
            b.append(".")
        else:
            b.append(chr(e))
    for i in range(0, len(h), 16):
        d += " ".join(h[i:i + 16]).ljust(48) + "  " + "".join(b[i:i + 16]) + "\n"
    return d
```
Exploit-DB
CUPS < 2.0.3 - Multiple Vulnerabilities (exploitdb · 2015-06-22 · CVSS 10.0 · CRITICAL)
```c
for (i = 0; i < attr->num_values; i ++)          /* loop header reconstructed; the excerpt is cut off before "num_values" */
{
  _cupsStrFree(attr->values[i].string.text);
  attr->values[i].string.text = NULL;
  if (attr->values[i].string.language)           /* <- for all values in an attribute */
  {
    _cupsStrFree(attr->values[i].string.language); /* <- free the 'language' string */
    attr->values[i].string.language = NULL;
  }
}
```
In this case, the 'language' field comes from the value of the 'attributes-natural-language' attribute in the request.
To specifically target a string and free it, we send a 'IPP_CREATE_JOB' or 'IPP_PRINT_JOB' request with a multi-value 'job-originating-host-name' attribute. The number of 'job-originating-host-name' values controls how many times the reference count is decremented. For a 10-value attribute, the reference count for 'language' is increased once, but decremented 10 times.
The over-decre
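To make the over-decrement described above concrete, here is an added model written for this page (it is not CUPS code and not part of the advisory) of a global reference-counted string pool in the style of _cupsStrAlloc/_cupsStrFree. It shows how freeing the request's 'attributes-natural-language' string once per 'job-originating-host-name' value drops a string that other holders still reference, and why the 2.0.3 change of keeping configuration values out of the pool (strdup copies) defeats that part of the chain. The pool, the placeholder configuration token 'acl-token' and the holder counts are constructed for the example; which real cupsd string the public exploit freed is not stated on this page and is not asserted here.

```python
class StringPool:
    """Toy model of cupsd's global reference-counted string pool.

    cupsd interns strings with _cupsStrAlloc (refcount++) and releases them with
    _cupsStrFree (refcount--, freed at zero). In this model a free on a string that
    is no longer in the pool is ignored, so extra decrements do not raise; they
    leave whoever still held the old pointer with a dangling reference.
    """

    def __init__(self):
        self.refs = {}  # interned text -> reference count

    def alloc(self, text):
        self.refs[text] = self.refs.get(text, 0) + 1
        return text

    def free(self, text):
        if text not in self.refs:
            return  # already freed
        self.refs[text] -= 1
        if self.refs[text] == 0:
            del self.refs[text]

    def is_live(self, text):
        return text in self.refs


def load_config(pool, token, holders, config_in_pool):
    """Model of cupsd reading a configuration token used by `holders` ACL entries.

    Before 2.0.3 configuration values were interned in the shared pool, so the token's
    refcount equals the number of holders. From 2.0.3 on they are strdup'd copies that
    the pool never sees (modelled here as plain, non-refcounted strings).
    """
    if config_in_pool:
        return [pool.alloc(token) for _ in range(holders)]
    return [str(token) for _ in range(holders)]


def handle_job_vulnerable(pool, language, num_values):
    """Model of add_job before 2.0.3.

    The request's attributes-natural-language is interned once, but on teardown the
    language string is freed once per job-originating-host-name value (the loop quoted
    above), so num_values - 1 of the decrements are bogus.
    """
    lang = pool.alloc(language)
    for _ in range(num_values):
        pool.free(lang)


def simulate(num_values, config_in_pool, config_holders=3):
    """Run one crafted job and report whether the configuration token was freed under
    its holders. The attacker sets attributes-natural-language to the token they want
    freed; 'acl-token' is a placeholder, not a real cupsd configuration string."""
    pool = StringPool()
    token = "acl-token"
    load_config(pool, token, config_holders, config_in_pool)
    handle_job_vulnerable(pool, token, num_values)
    # Pool-resident config entries dangle once the pool dropped the text; strdup'd
    # copies are private to the config and untouched by anything the pool does.
    config_dangling = config_in_pool and not pool.is_live(token)
    return {
        "num_values": num_values,
        "config_in_pool": config_in_pool,
        "pool_refcount": pool.refs.get(token, 0),
        "config_dangling": config_dangling,
    }


if __name__ == "__main__":
    print(simulate(1, config_in_pool=True))    # single value: balanced, nothing freed
    print(simulate(10, config_in_pool=True))   # pre-2.0.3: 4 references, 10 frees
    print(simulate(10, config_in_pool=False))  # 2.0.3 layout: config copies survive
```

With three configuration holders plus the job's own reference, any request carrying four or more values empties the pool entry; a single-value request is balanced, which is why the bug went unnoticed in normal printing.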
Bugzilla
CVE-2015-1158 CVE-2015-1159 cups: various flaws [fedora-all] (bugzilla · 2015-06-10 · CVSS 10.0 · CRITICAL)
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While onl
Bugzilla
CVE-2015-1158 cups: incorrect string reference counting (VU#810572) (bugzilla · 2015-05-14 · CVSS 10.0 · CRITICAL)
The following flaw was found in CUPS:
Cupsd uses reference-counted strings with global scope. When parsing a print job request, cupsd over-decrements the reference count for a string from the request. As a result, an attacker can prematurely free an arbitrary string of global scope. They can use this to dismantle ACLs protecting privileged operations, and upload a replacement configuration file, and subsequently run arbitrary code on a target machine.
This bug is exploitable in default configurations, and does not require any special permissions other than the basic ability to print.
Acknowledgements:
Red Hat would like to thank the CERT/CC for reporting this issue.
Discussion:
Public via:
https://www.cups.org/str.

References:
- http://googleprojectzero.blogspot.in/2015/06/owning-internet-printing-case-study-in.html
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10702
- http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00003.html
- http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00006.html
- http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00010.html
- http://rhn.redhat.com/errata/RHSA-2015-1123.html
- http://www.cups.org/blog.php?L1082
- http://www.debian.org/security/2015/dsa-3283
- http://www.kb.cert.org/vuls/id/810572
- http://www.securityfocus.com/bid/75098
- http://www.securitytracker.com/id/1032556
- http://www.ubuntu.com/usn/USN-2629-1
- https://bugzilla.opensuse.org/show_bug.cgi?id=924208
- https://bugzilla.redhat.com/show_bug.cgi?id=1221641
- https://code.google.com/p/google-security-research/issues/detail?id=455
- https://github.com/0x00string/oldays/blob/master/CVE-2015-1158.py
- https://security.gentoo.org/glsa/201510-07
- https://www.cups.org/str.php?L4609
- https://www.exploit-db.com/exploits/37336/
- https://www.exploit-db.com/exploits/41233/