CVE-2015-1158

Published: 26/06/2015 Updated: 23/09/2017
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
VMScore: 1000
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

The add_job function in scheduler/ipp.c in cupsd in CUPS prior to 2.0.3 performs incorrect free operations for multiple-value job-originating-host-name attributes, which allows remote malicious users to trigger data corruption for reference-counted strings via a crafted (1) IPP_CREATE_JOB or (2) IPP_PRINT_JOB request, as demonstrated by replacing the configuration file and consequently executing arbitrary code.

Vulnerable Product

cups cups

Vendor Advisories

Several security issues were fixed in CUPS ...
A string reference count bug was found in cupsd, causing premature freeing of string objects. An attacker can submit a malicious print job that exploits this flaw to dismantle ACLs protecting privileged operations, allowing a replacement configuration file to be uploaded which in turn allows the attacker to run arbitrary code in the CUPS server (CV ...
A string reference count bug was found in cupsd, causing premature freeing of string objects. An attacker could submit a malicious print job that exploits this flaw to dismantle ACLs protecting privileged operations, allowing a replacement configuration file to be uploaded, which in turn allowed the attacker to run arbitrary code on the CUPS server ...

Exploits

    #!/usr/bin/python
    # Exploit Title: CUPS Reference Count Over Decrement Remote Code Execution
    # Google Dork: n/a
    # Date: 2/2/17
    # Exploit Author: @0x00string
    # Vendor Homepage: cups.org
    # Software Link: github.com/apple/cups/releases/tag/release-2.0.2
    # Version: <2.0.3
    # Tested on: Ubuntu 14/15
    # CVE : CVE-2015-1158
    import os, re, socket, ...

Source: googleprojectzero.blogspot.se/2015/06/owning-internet-printing-case-study-in.html Abstract: Modern exploit mitigations draw attackers into a game of diminishing marginal returns. With each additional mitigation added, a subset of software bugs become unexploitable, and others become difficult to exploit, requiring application or eve ...
CUPS versions prior to 2.0.3 suffer from improper teardown and cross site scripting vulnerabilities ...
CUPS versions prior to 2.0.3 reference count over decrement remote code execution exploit ...