DB: 2016-12-25

2016-12-25 05:01:18 +00:00 · 2016-12-25 05:01:18 +00:00 · 560fb055c7
commit 560fb055c7
parent 897e1fa191
2 changed files with 41 additions and 2 deletions
--- a/files.csv
+++ b/files.csv
@ -13085,7 +13085,7 @@ id,file,description,date,author,platform,type,port
 24687,platforms/windows/remote/24687.txt,"Microsoft Outlook Express 4.x/5.x/6.0 - Plaintext Email Security Policy Bypass",2004-10-18,http-equiv,windows,remote,0
 24688,platforms/windows/remote/24688.pl,"best software SalesLogix 2000.0 - Multiple Vulnerabilities",2004-10-18,"Carl Livitt",windows,remote,0
 24693,platforms/windows/remote/24693.txt,"Microsoft Internet Explorer 5.x - Valid File Drag and Drop Embedded Code (MS04-038)",2004-10-20,http-equiv,windows,remote,0
-24977,platforms/linux/remote/24977.txt,"CUPS 1.1.x - HPGL File Processor Buffer Overflow",2004-12-15,"Ariel Berkman",linux,remote,0
+24977,platforms/linux/remote/24977.txt,"CUPS 1.1.x - .HPGL File Processor Buffer Overflow",2004-12-15,"Ariel Berkman",linux,remote,0
 24978,platforms/linux/remote/24978.txt,"Xine-Lib 0.9/1 - Remote Client-Side Buffer Overflow",2004-12-16,"Ariel Berkman",linux,remote,0
 24701,platforms/multiple/remote/24701.txt,"OpenWFE 1.4.x - Cross-Site Scripting / Connection Proxy",2004-10-25,"Joxean Koret",multiple,remote,0
 24704,platforms/linux/remote/24704.c,"Libxml2 - Multiple Remote Stack Buffer Overflow Vulnerabilities",2004-10-26,Sean,linux,remote,0
--- a/platforms/linux/remote/24977.txt
+++ b/platforms/linux/remote/24977.txt
@ -4,4 +4,43 @@ CUPS is reported prone to a remote buffer overflow vulnerability. The issue is r

 A remote attacker may exploit this condition to execute arbitrary code in the context of the vulnerable CUPS daemon. 

-https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/24977.gz
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/24977.gz
+
+
+
+
+Ariel Berkman, a student in my Fall 2004 UNIX Security Holes course, has
+discovered a remotely exploitable security hole in CUPS. I'm publishing
+this notice, but all the discovery credits should be assigned to
+Berkman.
+
+A CUPS installation is at risk whenever it prints an HPGL file obtained
+from email (or a web page or any other source that could be controlled
+by an attacker). You are at risk if you print data through a CUPS
+installation at risk. The source of the HPGL file has complete control
+over the CUPS ``lp'' account; in particular, he can read and modify the
+files you are printing.
+
+Proof of concept: On an x86 computer running FreeBSD 4.10, as root, type
+
+   cd /usr/ports/print/cups
+   make install
+
+to download and compile the CUPS package, version 1.1.22 (current).
+Then, as any user, save the file 21.hpgl.gz attached to this message,
+and type
+
+   gunzip 21.hpgl
+   /usr/local/libexec/cups/filter/hpgltops \
+   15 $USER test-title 1 none 21.hpgl > 21.ps
+
+with the unauthorized result that a file named x is removed from the
+current directory. (I tested this with a 541-byte environment, as
+reported by printenv | wc -c.)
+
+Here's the bug: In hpgl-input.c, ParseCommand() reads any number of
+bytes into a 262144-byte buf[] array.
+
+---D. J. Bernstein, Associate Professor, Department of Mathematics,
+Statistics, and Computer Science, University of Illinois at Chicago
+Source: http://securesoftware.list.cr.yp.to/archive/0/25