cbcvebase.
CVE-2015-1158
published 2015-06-26


Priority: P269 (critical)
CVSS 2.0 score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: public exploit available
EPSS: 29.91% (98.0th percentile)
The add_job function in scheduler/ipp.c in cupsd in CUPS before 2.0.3 performs incorrect free operations for multiple-value job-originating-host-name attributes, which allows remote attackers to trigger data corruption for reference-counted strings via a crafted (1) IPP_CREATE_JOB or (2) IPP_PRINT_JOB request, as demonstrated by replacing the configuration file and consequently executing arbitrary code.

Affected (8 ranges)

Vendor   Product                                                   Version range              Fixed in
apple    cups                                                      >= 0, < 1.7.5-12           1.7.5-12
apple    cups                                                      >= 0, < 1.7.5-12           1.7.5-12
apple    cups                                                      >= 0, < 1.7.5-12           1.7.5-12
apple    cups                                                      >= 0, < 1.7.5-12           1.7.5-12
apple    cups                                                      >= 0, < 1.7.2-0ubuntu1.6   1.7.2-0ubuntu1.6
apple    os_x_yosemite_v10.10.3_and_security_update_2015-004       (not stated)               (not stated)
cups     cups                                                      <= 2.0.2                   (not stated)
debian   cups                                                      < cups 1.7.5-12 (bookworm) cups 1.7.5-12 (bookworm)

Detection & IOCs (extracted from sources)

Type      Value
port      631
url       http://localhost:631/help/?QUERY=%3Ca%20href=%22%20%3E%3Cscript%3Ealert%28%27Linux%20crickets%20chirping%20for%20a%20patch%27%29%3C/script%3E%3C!--&SEARCH=Search
ua        CUPS/2.0.2
path      /var/spool/cups/d000
command   SetEnv LD_PRELOAD /var/spool/cups/d000<jobid>-001
  • Detect IPP_CREATE_JOB or IPP_PRINT_JOB requests containing a multi-value 'job-originating-host-name' attribute (op-id 0x0005 or 0x0002 with a repeated 0x42 tag and a zero-length name field). The number of extra values (name-len=0x0000) controls how many times the reference count is decremented, which is what triggers the heap corruption.
  • Monitor for HTTP POST requests to the CUPS IPP endpoint (port 631) with Content-Type: application/ipp and User-Agent: CUPS/2.0.2, which is the spoofed UA used by the public exploit.
  • Alert on CUPS configuration file modifications that add 'SetEnv LD_PRELOAD' pointing to a path under /var/spool/cups/, which is the post-exploitation persistence mechanism used after ACL stomping.
  • Detect reflected XSS probe against CUPS web interface: HTTP GET requests to /help/ where the QUERY parameter begins with URL-encoded '<a href="' (i.e. %3Ca%20href%3D%22).
  • The exploit sends a GET /printers HTTP/1.1 request to enumerate available printer URIs before launching the IPP attack; this reconnaissance step can be detected as an unauthenticated GET to /printers on port 631.
  • Disabling the CUPS web interface significantly reduces attack surface; if WebInterface is enabled, treat any external access to port 631 as elevated risk.
  • The exploit targets CUPS versions before 2.0.3; CUPS 2.0.3+ separates configuration value strings from the string pool (allocated via strdup) and blocks LD_*/DYLD_* environment variables when running as root, which breaks the primary exploitation chain.
  • CUPS 2.1 beta additionally removes the localhost listener when 'WebInterface' is disabled, further reducing the remote attack surface beyond what 2.0.3 provides.

CVSS provenance

Source          Version   Score   Severity    Vector
nvd             v2.0      10.0    CRITICAL    AV:N/AC:L/Au:N/C:C/I:C/A:C
osv             -         10.0    CRITICAL    -
vendor_debian   -         10.0    CRITICAL    -
vendor_redhat   -         10.0    CRITICAL    -
vendor_ubuntu   -         10.0    CRITICAL    -