Credit:
The original article can be found at: http://www.coresecurity.com/content/AppleCUPS-null-pointer-vulnerability
Vulnerable Systems:
* Apple CUPS version 1.3.9
Immune Systems:
* Apple CUPS version 1.3.10
This vulnerability in CUPS is caused by incorrect initialization of the 'ipp' structure in the function 'ippReadIO()', located in 'cups/ipp.c', when processing a specially crafted IPP (Internet Printing Protocol) request that contains two consecutive 'IPP_TAG_UNSUPPORTED' tags. An attacker could exploit this flaw to crash the affected application.
In 'ipp.c', the function 'ippReadIO()' is in charge of initializing the 'ipp' structure, which represents the different tags of the current IPP request packet.
/-----------
ipp_state_t                    /* O - Current state */
ippReadIO(void       *src,     /* I - Data source */
          ipp_iocb_t cb,       /* I - Read callback function */
          int        blocking, /* I - Use blocking IO? */
          ipp_t      *parent,  /* I - Parent request, if any */
          ipp_t      *ipp)     /* I - IPP data */
{
  int             n;           /* Length of data */
  unsigned char   buffer[IPP_MAX_LENGTH + 1],
                               /* Data buffer */
                  string[IPP_MAX_NAME],
                               /* Small string buffer */
                  *bufptr;     /* Pointer into buffer */
  ipp_attribute_t *attr;       /* Current attribute */
  ipp_tag_t       tag;         /* Current tag */
  ipp_tag_t       value_tag;   /* Current value tag */
  ipp_value_t     *value;      /* Current value */

  DEBUG_printf(("ippReadIO(%p, %p, %d, %p, %p)\n", src, cb, blocking,
                parent, ipp));
  DEBUG_printf(("ippReadIO: ipp->state=%d\n", ipp->state));

  if (src == NULL || ipp == NULL)
    return (IPP_ERROR);

  switch (ipp->state)
  {
    case IPP_IDLE :
        ipp->state ++; /* Avoid common problem... */

    case IPP_HEADER :
        if (parent == NULL)
...
-----------/
As the code above shows, an IPP packet can carry several different tag attributes.
When an IPP packet is sent with a tag value lower than 0x10, CUPS treats it as an 'IPP_TAG_UNSUPPORTED' group tag:
/-----------
    else if (tag < IPP_TAG_UNSUPPORTED_VALUE)
    {
     /*
      * Group tag...  Set the current group and continue...
      */

      if (ipp->curtag == tag)
        ipp->prev = ippAddSeparator(ipp);
      else if (ipp->current)
        ipp->prev = ipp->current;

      ipp->curtag  = tag;
      ipp->current = NULL;
      DEBUG_printf(("ippReadIO: group tag = %x, ipp->prev=%p\n", tag,
                    ipp->prev));
      continue;
    }
-----------/
Because of the way CUPS handles this kind of tag, if a packet contains two consecutive 'IPP_TAG_UNSUPPORTED' tags, the last node of the IPP structure is initialized with a 'NULL' name.
This leads to a crash when the 'cupsdProcessIPPRequest' function tries to read the 'name' field of the 'attr' structure.
/-----------
/*
 * 'cupsdProcessIPPRequest()' - Process an incoming IPP request.
 */

int                                /* O - 1 on success, 0 on failure */
cupsdProcessIPPRequest(
    cupsd_client_t *con)           /* I - Client connection */
...
    if (!attr)
    {
     /*
      * Then make sure that the first three attributes are:
      *
      *     attributes-charset
      *     attributes-natural-language
      *     printer-uri/job-uri
      */

      attr = con->request->attrs;
      if (attr && !strcmp(attr->name, "attributes-charset") &&
          (attr->value_tag & IPP_TAG_MASK) == IPP_TAG_CHARSET)
        charset = attr;
      else
        charset = NULL;
...
-----------/
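The following is an added example, not code from CUPS or from the advisory. It models, in a few dozen lines, the two pieces of behaviour described above: the group-tag branch of 'ippReadIO()', where a repeated group tag appends a separator node whose 'name' is NULL, and the first-attribute check in 'cupsdProcessIPPRequest()', here rewritten with the NULL test that makes it safe against such a node. The struct layouts, the function names 'ipp_read_tags', 'first_attr_is_charset' and the demo helpers, the value of 'IPP_TAG_MASK', and the fixed attribute name used for non-group tags are all assumptions made for illustration; the tag sequences are constructed inputs.

```c
/* Added example (not CUPS code): model of the separator behaviour in
 * ippReadIO() and a NULL-safe version of the scheduler's first-attribute
 * check. Struct layouts and names are assumptions for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IPP_TAG_UNSUPPORTED_VALUE 0x10       /* tags below this are group tags */
#define IPP_TAG_CHARSET           0x47       /* IPP charset value tag */
#define IPP_TAG_MASK              0x7fffffff /* assumed value */

typedef struct attr {
    char        *name;      /* NULL marks a separator attribute */
    int          value_tag;
    struct attr *next;
} attr_t;

typedef struct {
    attr_t *attrs;          /* head of the attribute list */
    attr_t *last;           /* tail, for appending */
    int     curtag;         /* current group tag, 0 = none seen yet */
} ipp_t;

static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (!p) abort();
    return memcpy(p, s, n);
}

static void ipp_append(ipp_t *ipp, const char *name, int value_tag)
{
    attr_t *a = calloc(1, sizeof *a);
    if (!a) abort();
    a->name      = name ? dup_string(name) : NULL; /* separator keeps NULL */
    a->value_tag = value_tag;
    if (ipp->last) ipp->last->next = a; else ipp->attrs = a;
    ipp->last = a;
}

/* Model of the group-tag branch quoted above: a group tag equal to the
 * current one appends a separator (as ippAddSeparator() does), so two
 * consecutive group tags produce a node with name == NULL. Any other tag is
 * modelled as a named attributes-charset attribute. Returns the number of
 * separators added. */
int ipp_read_tags(ipp_t *ipp, const unsigned char *tags, size_t n)
{
    int separators = 0;
    for (size_t i = 0; i < n; i++) {
        int tag = tags[i];
        if (tag < IPP_TAG_UNSUPPORTED_VALUE) {
            if (ipp->curtag == tag) {
                ipp_append(ipp, NULL, tag);
                separators++;
            }
            ipp->curtag = tag;
        } else {
            ipp_append(ipp, "attributes-charset", IPP_TAG_CHARSET);
        }
    }
    return separators;
}

/* Hardened form of the check quoted from cupsdProcessIPPRequest(): the
 * added attr->name test rejects a separator instead of passing NULL to
 * strcmp(). */
int first_attr_is_charset(const ipp_t *ipp)
{
    const attr_t *attr = ipp->attrs;
    return attr && attr->name
        && strcmp(attr->name, "attributes-charset") == 0
        && (attr->value_tag & IPP_TAG_MASK) == IPP_TAG_CHARSET;
}

void ipp_free(ipp_t *ipp)
{
    for (attr_t *a = ipp->attrs; a; ) {
        attr_t *next = a->next;
        free(a->name);
        free(a);
        a = next;
    }
    ipp->attrs = ipp->last = NULL;
}

/* Constructed input: two consecutive group tags. Returns 1 when the list
 * starts with a NULL-named separator and the hardened check rejects it. */
int demo_consecutive_group_tags(void)
{
    const unsigned char tags[] = { 0x01, 0x01 };
    ipp_t ipp = { 0 };
    int seps = ipp_read_tags(&ipp, tags, sizeof tags);
    int ok = seps == 1 && ipp.attrs && ipp.attrs->name == NULL
          && first_attr_is_charset(&ipp) == 0;
    ipp_free(&ipp);
    return ok;
}

/* Constructed input: one group tag followed by a charset attribute. */
int demo_well_formed_request(void)
{
    const unsigned char tags[] = { 0x01, IPP_TAG_CHARSET };
    ipp_t ipp = { 0 };
    int seps = ipp_read_tags(&ipp, tags, sizeof tags);
    int ok = seps == 0 && first_attr_is_charset(&ipp) == 1;
    ipp_free(&ipp);
    return ok;
}

int main(void)
{
    printf("separator rejected safely: %d\n", demo_consecutive_group_tags());
    printf("well-formed request accepted: %d\n", demo_well_formed_request());
    return 0;
}
```

The point of the model is the single extra condition in 'first_attr_is_charset': with the original check, a request whose first node is a separator reaches 'strcmp(NULL, ...)' and crashes the scheduler; with the 'attr->name' test it is simply rejected. Whether the parser should produce such a node at all is a separate question, and the fixed CUPS version may address it differently.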
CVE Information:
CVE-2009-0949
Disclosure Timeline:
2009-04-28:
Core Security Technologies notifies the Apple Product Security Team of the vulnerability and announces its initial plan to publish the advisory on May 20th, 2009. Technical details and Proof of Concept (PoC) are sent to Apple Security Team.
2009-04-28:
The vendor acknowledges reception of the technical report and PoC.
2009-05-11:
Core reminds the Apple Security Team of its initial plan to publish the advisory on May 20th, and asks for confirmation that patches will be released by then.
2009-05-12:
Core notifies Apple Security Team that this is a multi-vendor issue (affecting, for example, multiple Linux distributions), and asks if the patch process of the CUPS vulnerability will be coordinated using the vendor-sec mailing list.
2009-05-12:
The Apple Product Security Team notifies Core that they will contact vendor-sec about this issue very soon and proposes to reschedule the advisory publication date to June 2nd. The vendor also notifies Core that the issue was addressed in Mac OS X 10.5.7 by updating CUPS to version 1.3.10.
2009-05-13:
The Apple Product Security Team notifies Core that the suggested fix is to update to CUPS 1.3.10.
2009-05-15:
The Red Hat Security Response Team informs (via vendor-sec) that CUPS 1.1.17 is the oldest version they still ship and that it is affected too. This issue will probably affect even earlier CUPS versions.
2009-05-25:
The Debian Team informs (via vendor-sec) that there is a bug in the PoC provided by Core. The advisory PoC is changed according to the comments made by the Debian Team.
2009-05-28:
Core notifies that the advisory is going to be released on June 2nd, and requests confirmation from the Apple Security Team and vendor-sec subscribers.
2009-05-29:
The Apple Security Team, Red Hat Security Response Team and Debian Team confirm the proposed release date. No request for an embargo date shift was posted to vendor-sec.
2009-06-02:
The advisory CORE-2009-0420 is published.