CVE-2015-1158

The add_job function in scheduler/ipp.c in cupsd in CUPS before 2.0.3 performs incorrect free operations for multiple-value job-originating-host-name attributes, which allows remote attackers to trigger data corruption for reference-counted strings via a crafted (1) IPP_CREATE_JOB or (2) IPP_PRINT_JOB request, as demonstrated by replacing the configuration file and consequently executing arbitrary code.

CVSS v2.0 10.0 HIGH

10.0^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 10.0 / Impact : 10.0

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://googleprojectzero.blogspot.in/2015/06/owning-internet-printing-case-study-in.html
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10702
http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00003.html
http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00006.html
http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00010.html
http://rhn.redhat.com/errata/RHSA-2015-1123.html
http://www.cups.org/blog.php?L1082	Vendor Advisory
http://www.debian.org/security/2015/dsa-3283
http://www.kb.cert.org/vuls/id/810572	Third Party Advisory US Government Resource
http://www.securityfocus.com/bid/75098
http://www.securitytracker.com/id/1032556
http://www.ubuntu.com/usn/USN-2629-1
https://bugzilla.opensuse.org/show_bug.cgi?id=924208
https://bugzilla.redhat.com/show_bug.cgi?id=1221641
https://code.google.com/p/google-security-research/issues/detail?id=455
https://github.com/0x00string/oldays/blob/master/CVE-2015-1158.py
https://security.gentoo.org/glsa/201510-07
https://www.cups.org/str.php?L4609	Vendor Advisory
https://www.exploit-db.com/exploits/37336/
https://www.exploit-db.com/exploits/41233/

Configurations

Configuration 1 (hide)

cpe:2.3:a:cups:cups:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2015-06-26 10:59

Updated : 2017-09-23 01:29

NVD link : CVE-2015-1158

Mitre link : CVE-2015-1158

CVE.ORG link : CVE-2015-1158

JSON object : View

Products Affected

cups

cups

CWE

CWE-254

7PK - Security Features

{"id": "CVE-2015-1158", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 10.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2015-06-26T10:59:00.093", "references": [{"url": "http://googleprojectzero.blogspot.in/2015/06/owning-internet-printing-case-study-in.html", "source": "product-security@apple.com"}, {"url": "http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10702", "source": "product-security@apple.com"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00003.html", "source": "product-security@apple.com"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00006.html", "source": "product-security@apple.com"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00010.html", "source": "product-security@apple.com"}, {"url": "http://rhn.redhat.com/errata/RHSA-2015-1123.html", "source": "product-security@apple.com"}, {"url": "http://www.cups.org/blog.php?L1082", "tags": ["Vendor Advisory"], "source": "product-security@apple.com"}, {"url": "http://www.debian.org/security/2015/dsa-3283", "source": "product-security@apple.com"}, {"url": "http://www.kb.cert.org/vuls/id/810572", "tags": ["Third Party Advisory", "US Government Resource"], "source": "product-security@apple.com"}, {"url": "http://www.securityfocus.com/bid/75098", "source": "product-security@apple.com"}, {"url": "http://www.securitytracker.com/id/1032556", "source": "product-security@apple.com"}, {"url": "http://www.ubuntu.com/usn/USN-2629-1", "source": "product-security@apple.com"}, {"url": "https://bugzilla.opensuse.org/show_bug.cgi?id=924208", "source": "product-security@apple.com"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1221641", "source": "product-security@apple.com"}, {"url": "https://code.google.com/p/google-security-research/issues/detail?id=455", "source": "product-security@apple.com"}, {"url": "https://github.com/0x00string/oldays/blob/master/CVE-2015-1158.py", "source": "product-security@apple.com"}, {"url": "https://security.gentoo.org/glsa/201510-07", "source": "product-security@apple.com"}, {"url": "https://www.cups.org/str.php?L4609", "tags": ["Vendor Advisory"], "source": "product-security@apple.com"}, {"url": "https://www.exploit-db.com/exploits/37336/", "source": "product-security@apple.com"}, {"url": "https://www.exploit-db.com/exploits/41233/", "source": "product-security@apple.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-254"}]}], "descriptions": [{"lang": "en", "value": "The add_job function in scheduler/ipp.c in cupsd in CUPS before 2.0.3 performs incorrect free operations for multiple-value job-originating-host-name attributes, which allows remote attackers to trigger data corruption for reference-counted strings via a crafted (1) IPP_CREATE_JOB or (2) IPP_PRINT_JOB request, as demonstrated by replacing the configuration file and consequently executing arbitrary code."}, {"lang": "es", "value": "La funci\u00f3n add_job en scheduler/ipp.c en cupsd en CUPS anterior a 2.0.3 realiza incorrectamente las operaciones libres para los atributos de los nombres de anfitriones que originan trabajos de m\u00faltiples valores, lo que permite a atacantes remotos provocar la corrupci\u00f3n de datos para las cadenas de referencias contadas a trav\u00e9s de una solicitud (1) IPP_CREATE_JOB o (2) IPP_PRINT_JOB manipulada, tal y como fue demostrado mediante el remplazo del fichero de configuraci\u00f3n y como consecuencia la ejecuci\u00f3n de c\u00f3digo arbitrario."}], "lastModified": "2017-09-23T01:29:00.717", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cups:cups:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E16A5939-A072-4A0C-AD13-9A580B0DF4D3", "versionEndIncluding": "2.0.2"}], "operator": "OR"}]}], "sourceIdentifier": "product-security@apple.com"}