Summary
An unsafe deserialization and validation of printer attributes, causes null dereference in libcups library
Details
The combination of:
request = ippNewRequest(IPP_OP_GET_PRINTER_ATTRIBUTES)
response = cupsDoRequest(http_xyz, request, resource);
ippValidateAttributes(response)
Is shown in two places in OpenPrinting:
cups/scheduler/ipp.c
libcupsfilters/cupsfilters/ipp.c
Due to a logic error in ipp_read_io() which is called internally by cupsDoRequest(), ippValidateAttributes() has a null dereference.
The null dereference happens in these lines for (ptr = attr->values[i].string.text; *ptr; ptr ++)
This can happen if an attacker responds with a crafted printer attributes response.
PoC
- Have two machines on the same network. attacker_machine and target_machine. I used both Ubuntu 24.04.2 LTS
- Download and unzip attached zip on the attacker_machine
poc.zip
- On the target_machine, ensure cups and cups-browsed are running.
On my target_machine I had both:
$ cups-browsed --version
cups-browsed version 2.0.0
$ cups-config --version
2.4.7
And self built instances of versions:
cups-2.4.12
cups-browsed-2.1.1
libcupsfilters-2.1.1
libppd-2.1.1
The bug reproduced on both.
4. On attacker_machine stop cups service
5. On attacker machine install the needed python module specified in requirements.txt
6. On attacker machine run python printer.py {path to response file} {local ip}
7. Ensure that cups-browsed crashed on target_machine.
Another POC:
If you want to reproduce it locally, and to debug it easier, you can use : local_poc.zip
Compile this binary that uses the flow of ipp_read_io() & ippValidateAttributes() to reproduce the bug.
Impact
This is a remote DoS vulnerability available in local subnet in default configurations. It can cause the cups & cups-browsed to crash, on all the machines in local network who are listening for printers (so by default for all regular linux machines).
On systems where the vulnerability CVE-2024-47176 (cups-filters 1.x/cups-browsed 2.x vulnerability) was not fixed, and the firewall on the machine does not reject incoming communication to IPP port, and the machine is set to be available to public internet, attack vector "Network" is possible. The current versions of CUPS and cups-browsed projects have the attack vector "Adjacent" in their default configurations.
SilverPlate3 Reporter
Summary
An unsafe deserialization and validation of printer attributes, causes null dereference in libcups library
Details
The combination of:
Is shown in two places in OpenPrinting:
Due to a logic error in
ipp_read_io()which is called internally bycupsDoRequest(),ippValidateAttributes()has a null dereference.The null dereference happens in these lines
for (ptr = attr->values[i].string.text; *ptr; ptr ++)This can happen if an attacker responds with a crafted printer attributes response.
PoC
poc.zip
On my target_machine I had both:
And self built instances of versions:
The bug reproduced on both.
4. On attacker_machine stop cups service
5. On attacker machine install the needed python module specified in requirements.txt
6. On attacker machine run python
printer.py {path to response file} {local ip}7. Ensure that cups-browsed crashed on target_machine.
Another POC:
If you want to reproduce it locally, and to debug it easier, you can use : local_poc.zip
Compile this binary that uses the flow of
ipp_read_io()&ippValidateAttributes()to reproduce the bug.Impact
This is a remote DoS vulnerability available in local subnet in default configurations. It can cause the cups & cups-browsed to crash, on all the machines in local network who are listening for printers (so by default for all regular linux machines).
On systems where the vulnerability CVE-2024-47176 (cups-filters 1.x/cups-browsed 2.x vulnerability) was not fixed, and the firewall on the machine does not reject incoming communication to IPP port, and the machine is set to be available to public internet, attack vector "Network" is possible. The current versions of CUPS and cups-browsed projects have the attack vector "Adjacent" in their default configurations.