Vigil@nce: CUPS, denial of service via browse
June 2009 by Vigil@nce
An attacker can connect to the CUPS service in order to stop it,
and possibly to execute code.
Severity: 2/4
Consequences: denial of service
Provenance: intranet client
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 04/06/2009
IMPACTED PRODUCTS
– Red Hat Enterprise Linux
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
CUPS (Common UNIX Printing System) provides printer management
under Unix.
The CUPS server announces print queues using broadcast packets
(named "browse") on port 631/udp. Clients receive these
packets and keep a cache of available printers (in a linked list).
CUPS versions earlier than 1.3.0 use the ProcessBrowseData()
function of the scheduler/dirsvc.c file to analyze "browse"
packets and to update the linked list.
However, if a "browse" packet announces that a printer was
renamed after the cache entry has expired, the linked list is
incorrectly handled, and a memory address is freed twice.
An attacker can therefore connect to the CUPS service in order to
stop it, and possibly to execute code.
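The bug class described above, as an added example that is not CUPS source code: a simplified printer cache where expiry followed by a rename releases the same node twice, next to the unlink-before-release form that avoids it. All names (printer_t, expire, rename_printer, demo) and the sample values are constructed, and the exact way the stale entry stays reachable is an assumption made for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Constructed model, not CUPS source. Nodes come from a static pool so a
   second release is counted instead of corrupting the heap. */
typedef struct printer {
    char name[32];
    long expires;                  /* cache expiry time */
    int frees;                     /* >1 means the node was freed twice */
    struct printer *next;
} printer_t;
static printer_t pool[8], *cache;  /* cache = head of the linked list */
static int used;
static void add_printer(const char *name, long expires) {
    printer_t *p = &pool[used++];
    *p = (printer_t){ .expires = expires, .next = cache };
    snprintf(p->name, sizeof p->name, "%s", name);
    cache = p;
}
static void unlink_printer(printer_t *p) {
    for (printer_t **pp = &cache; *pp; pp = &(*pp)->next)
        if (*pp == p) { *pp = p->next; return; }
}
/* Expiry: flawed form leaves the released node linked; fixed form unlinks it. */
static void expire(long now, int fixed) {
    for (printer_t *p = cache, *n; p; p = n) {
        n = p->next;
        if (p->expires > now) continue;
        if (fixed) unlink_printer(p);
        p->frees++;
    }
}
/* Rename from a browse packet: drop the old entry, add the new one.
   Returns how many times the old node was released (0 if not cached). */
static int rename_printer(const char *old, const char *name, long expires) {
    printer_t *p = cache;
    while (p && strcmp(p->name, old) != 0) p = p->next;
    if (p) { unlink_printer(p); p->frees++; }
    add_printer(name, expires);
    return p ? p->frees : 0;
}
static int demo(int fixed) {       /* entry expires, then a rename arrives */
    used = 0; cache = NULL;
    add_printer("lp0", 10);
    expire(20, fixed);
    return rename_printer("lp0", "lp1", 100);
}
int main(void) {
    return printf("flawed: %d releases, fixed: %d\n", demo(0), demo(1)) < 0;
}
```

With a real allocator the second release in the flawed path is the double free; building the daemon with AddressSanitizer or running it under Valgrind reports it at that point.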
CHARACTERISTICS
Identifiers: BID-35194, CVE-2009-1196, RHSA-2009:1083-01,
VIGILANCE-VUL-8760
http://vigilance.fr/vulnerability/CUPS-denial-of-service-via-browse-8760