CVE-2015-1158 - OpenCVE

The add_job function in scheduler/ipp.c in cupsd in CUPS before 2.0.3 performs incorrect free operations for multiple-value job-originating-host-name attributes, which allows remote attackers to trigger data corruption for reference-counted strings via a crafted (1) IPP_CREATE_JOB or (2) IPP_PRINT_JOB request, as demonstrated by replacing the configuration file and consequently executing arbitrary code.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Cups	Cups

Configuration 1 [-]

cpe:2.3:a:cups:cups:*:*:*:*:*:*:*:*

References

Link	Resource
http://googleprojectzero.blogspot.in/2015/06/owning-internet-printing-case-study-in.html
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10702
http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00003.html
http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00006.html
http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00010.html
http://rhn.redhat.com/errata/RHSA-2015-1123.html
http://www.cups.org/blog.php?L1082	Vendor Advisory
http://www.debian.org/security/2015/dsa-3283
http://www.kb.cert.org/vuls/id/810572	Third Party Advisory US Government Resource
http://www.securityfocus.com/bid/75098
http://www.securitytracker.com/id/1032556
http://www.ubuntu.com/usn/USN-2629-1
https://bugzilla.opensuse.org/show_bug.cgi?id=924208
https://bugzilla.redhat.com/show_bug.cgi?id=1221641
https://code.google.com/p/google-security-research/issues/detail?id=455
https://github.com/0x00string/oldays/blob/master/CVE-2015-1158.py
https://security.gentoo.org/glsa/201510-07
https://www.cups.org/str.php?L4609	Vendor Advisory
https://www.exploit-db.com/exploits/37336/
https://www.exploit-db.com/exploits/41233/

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: apple

Published: 2015-06-26T10:00:00

Updated: 2017-09-22T09:57:01

Reserved: 2015-01-16T00:00:00

Link: CVE-2015-1158

JSON object: View

NVD Information

Status : Modified

Published: 2015-06-26T10:59:00.093

Modified: 2017-09-23T01:29:00.717

Link: CVE-2015-1158

JSON object: View

Redhat Information

No data.

CWE

CWE-254

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-06-08T00:00:00", "descriptions": [{"lang": "en", "value": "The add_job function in scheduler/ipp.c in cupsd in CUPS before 2.0.3 performs incorrect free operations for multiple-value job-originating-host-name attributes, which allows remote attackers to trigger data corruption for reference-counted strings via a crafted (1) IPP_CREATE_JOB or (2) IPP_PRINT_JOB request, as demonstrated by replacing the configuration file and consequently executing arbitrary code."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-09-22T09:57:01", "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "shortName": "apple"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1221641"}, {"name": "DSA-3283", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2015/dsa-3283"}, {"name": "RHSA-2015:1123", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2015-1123.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.opensuse.org/show_bug.cgi?id=924208"}, {"name": "USN-2629-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2629-1"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10702"}, {"name": "1032556", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1032556"}, {"name": "SUSE-SU-2015:1044", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00006.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.cups.org/blog.php?L1082"}, {"name": "VU#810572", "tags": ["third-party-advisory", "x_refsource_CERT-VN"], "url": "http://www.kb.cert.org/vuls/id/810572"}, {"name": "75098", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/75098"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/0x00string/oldays/blob/master/CVE-2015-1158.py"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.cups.org/str.php?L4609"}, {"name": "GLSA-201510-07", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201510-07"}, {"tags": ["x_refsource_MISC"], "url": "https://code.google.com/p/google-security-research/issues/detail?id=455"}, {"name": "SUSE-SU-2015:1041", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00003.html"}, {"name": "37336", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/37336/"}, {"tags": ["x_refsource_MISC"], "url": "http://googleprojectzero.blogspot.in/2015/06/owning-internet-printing-case-study-in.html"}, {"name": "41233", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/41233/"}, {"name": "openSUSE-SU-2015:1056", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00010.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "product-security@apple.com", "ID": "CVE-2015-1158", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The add_job function in scheduler/ipp.c in cupsd in CUPS before 2.0.3 performs incorrect free operations for multiple-value job-originating-host-name attributes, which allows remote attackers to trigger data corruption for reference-counted strings via a crafted (1) IPP_CREATE_JOB or (2) IPP_PRINT_JOB request, as demonstrated by replacing the configuration file and consequently executing arbitrary code."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1221641", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1221641"}, {"name": "DSA-3283", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2015/dsa-3283"}, {"name": "RHSA-2015:1123", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2015-1123.html"}, {"name": "https://bugzilla.opensuse.org/show_bug.cgi?id=924208", "refsource": "CONFIRM", "url": "https://bugzilla.opensuse.org/show_bug.cgi?id=924208"}, {"name": "USN-2629-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2629-1"}, {"name": "http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10702", "refsource": "CONFIRM", "url": "http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10702"}, {"name": "1032556", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1032556"}, {"name": "SUSE-SU-2015:1044", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00006.html"}, {"name": "http://www.cups.org/blog.php?L1082", "refsource": "CONFIRM", "url": "http://www.cups.org/blog.php?L1082"}, {"name": "VU#810572", "refsource": "CERT-VN", "url": "http://www.kb.cert.org/vuls/id/810572"}, {"name": "75098", "refsource": "BID", "url": "http://www.securityfocus.com/bid/75098"}, {"name": "https://github.com/0x00string/oldays/blob/master/CVE-2015-1158.py", "refsource": "MISC", "url": "https://github.com/0x00string/oldays/blob/master/CVE-2015-1158.py"}, {"name": "https://www.cups.org/str.php?L4609", "refsource": "CONFIRM", "url": "https://www.cups.org/str.php?L4609"}, {"name": "GLSA-201510-07", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201510-07"}, {"name": "https://code.google.com/p/google-security-research/issues/detail?id=455", "refsource": "MISC", "url": "https://code.google.com/p/google-security-research/issues/detail?id=455"}, {"name": "SUSE-SU-2015:1041", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00003.html"}, {"name": "37336", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/37336/"}, {"name": "http://googleprojectzero.blogspot.in/2015/06/owning-internet-printing-case-study-in.html", "refsource": "MISC", "url": "http://googleprojectzero.blogspot.in/2015/06/owning-internet-printing-case-study-in.html"}, {"name": "41233", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/41233/"}, {"name": "openSUSE-SU-2015:1056", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00010.html"}]}}}}, "cveMetadata": {"assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "assignerShortName": "apple", "cveId": "CVE-2015-1158", "datePublished": "2015-06-26T10:00:00", "dateReserved": "2015-01-16T00:00:00", "dateUpdated": "2017-09-22T09:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cups:cups:*:*:*:*:*:*:*:*", "matchCriteriaId": "E16A5939-A072-4A0C-AD13-9A580B0DF4D3", "versionEndIncluding": "2.0.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The add_job function in scheduler/ipp.c in cupsd in CUPS before 2.0.3 performs incorrect free operations for multiple-value job-originating-host-name attributes, which allows remote attackers to trigger data corruption for reference-counted strings via a crafted (1) IPP_CREATE_JOB or (2) IPP_PRINT_JOB request, as demonstrated by replacing the configuration file and consequently executing arbitrary code."}, {"lang": "es", "value": "La funci\u00f3n add_job en scheduler/ipp.c en cupsd en CUPS anterior a 2.0.3 realiza incorrectamente las operaciones libres para los atributos de los nombres de anfitriones que originan trabajos de m\u00faltiples valores, lo que permite a atacantes remotos provocar la corrupci\u00f3n de datos para las cadenas de referencias contadas a trav\u00e9s de una solicitud (1) IPP_CREATE_JOB o (2) IPP_PRINT_JOB manipulada, tal y como fue demostrado mediante el remplazo del fichero de configuraci\u00f3n y como consecuencia la ejecuci\u00f3n de c\u00f3digo arbitrario."}], "id": "CVE-2015-1158", "lastModified": "2017-09-23T01:29:00.717", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-06-26T10:59:00.093", "references": [{"source": "product-security@apple.com", "url": "http://googleprojectzero.blogspot.in/2015/06/owning-internet-printing-case-study-in.html"}, {"source": "product-security@apple.com", "url": "http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10702"}, {"source": "product-security@apple.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00003.html"}, {"source": "product-security@apple.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00006.html"}, {"source": "product-security@apple.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00010.html"}, {"source": "product-security@apple.com", "url": "http://rhn.redhat.com/errata/RHSA-2015-1123.html"}, {"source": "product-security@apple.com", "tags": ["Vendor Advisory"], "url": "http://www.cups.org/blog.php?L1082"}, {"source": "product-security@apple.com", "url": "http://www.debian.org/security/2015/dsa-3283"}, {"source": "product-security@apple.com", "tags": ["Third Party Advisory", "US Government Resource"], "url": "http://www.kb.cert.org/vuls/id/810572"}, {"source": "product-security@apple.com", "url": "http://www.securityfocus.com/bid/75098"}, {"source": "product-security@apple.com", "url": "http://www.securitytracker.com/id/1032556"}, {"source": "product-security@apple.com", "url": "http://www.ubuntu.com/usn/USN-2629-1"}, {"source": "product-security@apple.com", "url": "https://bugzilla.opensuse.org/show_bug.cgi?id=924208"}, {"source": "product-security@apple.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1221641"}, {"source": "product-security@apple.com", "url": "https://code.google.com/p/google-security-research/issues/detail?id=455"}, {"source": "product-security@apple.com", "url": "https://github.com/0x00string/oldays/blob/master/CVE-2015-1158.py"}, {"source": "product-security@apple.com", "url": "https://security.gentoo.org/glsa/201510-07"}, {"source": "product-security@apple.com", "tags": ["Vendor Advisory"], "url": "https://www.cups.org/str.php?L4609"}, {"source": "product-security@apple.com", "url": "https://www.exploit-db.com/exploits/37336/"}, {"source": "product-security@apple.com", "url": "https://www.exploit-db.com/exploits/41233/"}], "sourceIdentifier": "product-security@apple.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-254"}], "source": "nvd@nist.gov", "type": "Primary"}]}