VARIoT IoT vulnerabilities database


VAR-200312-0352 CVE-2003-1449 Aladdin Knowledge Systems eSafe OPSEC CVP Virus scanning can bypass the vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Aladdin Knowledge Systems eSafe Gateway 3.5.126.0 does not check the entire stream of Content Vectoring Protocol (CVP) data, which allows remote attackers to bypass virus protection. It has been reported that under some circumstances eSafe Gateway does not properly scan messages in transit. The problem occurs when data is passed to eSafe through a Check Point OPSEC CVP-compliant firewall: malicious code may circumvent the filters imposed by the software and enter or leave the network, which could lead to further compromise of network resources. A remote attacker can exploit this vulnerability to bypass virus filtering. When a Check Point firewall with Feature Pack 3 receives a file larger than 2 MB, the scanner becomes unstable during CVP inspection. For example, if an SMTP message exceeds 2 MB, FireWall-1 does the following: 1. Puts the message into the buffer pool. 2. Sends the data to the CVP server. 3. Stops after sending roughly 1 MB to 2 MB of data. 4. Resumes sending after 5 minutes. 5. The CVP server places the data in spool\d_resend and loops until the message is marked as expired.
VAR-200312-0367 CVE-2003-1400 PHP-Nuke Avatar HTML Injection Vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in the Your_Account module for PHP-Nuke 5.0 through 6.0 allows remote attackers to inject arbitrary web script or HTML via the user_avatar parameter. A problem with PHP-Nuke could allow remote users to run arbitrary script in a victim's browser in the context of the web site. The problem is a lack of sanitization of some types of input: PHP-Nuke does not sanitize the value submitted from the avatar select box, so a malicious user can submit embedded code from their profile page instead of an avatar name. The code is then rendered wherever the user's avatar would normally be displayed and is executed by a victim user's browser in the context of the site.
VAR-200911-0271 CVE-2009-2823 Web servers enable HTTP TRACE method by default CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
The Apache HTTP Server in Apple Mac OS X before 10.6.2 enables the HTTP TRACE method, which allows remote attackers to conduct cross-site scripting (XSS) attacks via unspecified web client software. The HTTP TRACE method returns the contents of the client's HTTP request in the entity body of the TRACE response. An attacker could leverage this behaviour to read sensitive information contained in the request's HTTP headers, such as cookies or authentication data, and so steal cookie-based authentication credentials or carry out other attacks. NOTE: This issue was previously covered in BID 36956 (Apple Mac OS X 2009-006 Multiple Security Vulnerabilities), but has been assigned its own record to better document it. The Mandriva update below provides a fix for this vulnerability. Update: the wrong package was uploaded for 2009.1; this update addresses that problem. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2823 http://www.kb.cert.org/vuls/id/867593 Updated Packages: Mandriva Linux 2009.1: d20085bdf2db6c017ae2bbd1e66b95a3 2009.1/i586/apache-conf-2.2.11-5.1mdv2009.1.i586.rpm 528faefad6aa4272aa1f4eb028ffa738 2009.1/SRPMS/apache-conf-2.2.11-5.1mdv2009.1.src.rpm Mandriva Linux 2009.1/X86_64: 3621be7e9f192f73f0c0435891d5ee1e 2009.1/x86_64/apache-conf-2.2.11-5.1mdv2009.1.x86_64.rpm 528faefad6aa4272aa1f4eb028ffa738 2009.1/SRPMS/apache-conf-2.2.11-5.1mdv2009.1.src.rpm To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security.
You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> Update: Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers
VAR-200511-0133 CVE-2005-3398 Sun Solaris Management Console HTTP TRACE Information Disclosure Vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
The default configuration of the web server for the Solaris Management Console (SMC) in Solaris 8, 9, and 10 enables the HTTP TRACE method, which could allow remote attackers to obtain sensitive information such as cookies and authentication data from HTTP headers. The HTTP TRACE method returns the contents of the client's HTTP request in the entity body of the TRACE response. A web server that supports TRACE as specified in RFC 2616 therefore reflects the request headers the browser attached, including cookies and any Authorization header (for HTTP Basic authentication, the base64-encoded user credentials), so an attacker who can read the response obtains them. Sun Solaris Management Console is prone to an information-disclosure vulnerability; an attacker may exploit it together with other attacks, such as cross-site scripting, to steal cookie-based authentication credentials. TITLE: Sun Solaris HTTP TRACE Response Cross-Site Scripting Issue SECUNIA ADVISORY ID: SA17334 VERIFY ADVISORY: http://secunia.com/advisories/17334/ CRITICAL: Not critical IMPACT: Cross Site Scripting WHERE: From local network OPERATING SYSTEM: Sun Solaris 10 http://secunia.com/product/4813/ Sun Solaris 8 http://secunia.com/product/94/ Sun Solaris 9 http://secunia.com/product/95/ DESCRIPTION: Sun has acknowledged a security issue in Solaris, which potentially can be exploited by malicious people to conduct cross-site scripting attacks. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site when combined with certain browser vulnerabilities. It is reportedly not possible to disable the TRACE method. The security issue has been reported in Solaris 8, 9 and 10 on both SPARC and x86 platforms. SOLUTION: Apply patches when available. The vendor recommends disabling the SMC as a workaround. -- SPARC Platform -- Solaris 9: Apply patch 116807-02 or later. -- x86 Platform -- Solaris 9: Apply patch 116808-02 or later.
PROVIDED AND/OR DISCOVERED BY: Reported by vendor. ORIGINAL ADVISORY: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102016-1
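The two TRACE records above (the Mac OS X Apache entry and the Solaris SMC entry) describe the same condition: a server that answers TRACE with a copy of the request. The probe below is an added example, not code from either vendor advisory. It sends a single TRACE request carrying a marker header and reports TRACE as enabled only if the marker comes back in the body, which is the reflection an attacker would use to read Cookie or Authorization headers. The in-process "fake server" and its port are constructed here purely so the probe can be exercised offline; point trace_enabled() at a real host and port in practice.

```python
import socket
import threading


def _read_headers(conn):
    """Read until the end of the HTTP head (blank line) or EOF."""
    data = b""
    while b"\r\n\r\n" not in data:
        chunk = conn.recv(4096)
        if not chunk:
            break
        data += chunk
    return data


def trace_enabled(host, port, marker="X-Trace-Probe: 7f3a", timeout=5.0):
    """Send one TRACE request and report whether the server reflects it.

    A server with TRACE enabled answers 200 and repeats the request, headers
    included, as a message/http body. Keying on the reflected probe header
    rather than the status code alone avoids false positives from servers
    that answer 200 with an ordinary error page.
    """
    request = (
        f"TRACE / HTTP/1.1\r\nHost: {host}\r\n{marker}\r\nConnection: close\r\n\r\n"
    ).encode()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        response = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            response += chunk
    head, _, body = response.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ")
    status = parts[1] if len(parts) > 1 else b""
    return status == b"200" and marker.encode() in body


def start_fake_server(reflect):
    """Constructed stand-in for a web server, used only to exercise the probe.

    reflect=True mimics TRACE enabled; reflect=False mimics a server that
    refuses the method. Returns the ephemeral port it listens on.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handle_one():
        conn, _ = srv.accept()
        with conn:
            req = _read_headers(conn)
            if reflect:
                conn.sendall(
                    b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n"
                    b"Connection: close\r\n\r\n" + req
                )
            else:
                conn.sendall(
                    b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n"
                    b"Connection: close\r\n\r\n"
                )
        srv.close()

    threading.Thread(target=handle_one, daemon=True).start()
    return port


def probe_fake(reflect):
    """Run the probe against a fake server of the given behaviour."""
    return trace_enabled("127.0.0.1", start_fake_server(reflect))


if __name__ == "__main__":
    print("reflecting server:", probe_fake(True))   # True
    print("refusing server:  ", probe_fake(False))  # False
```

On Apache the server-side fix is `TraceEnable off` in httpd.conf, which is the kind of change a distribution's apache-conf update carries; the Solaris advisory above states that TRACE cannot be disabled in SMC, so there the answer is the vendor patch or disabling SMC. A quick manual equivalent of the probe is `curl -i -X TRACE http://host/` and looking for your own headers in the body.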
VAR-200301-0039 No CVE ZyXEL DSL Modem Default Remote Administrator Password Vulnerability CVSS V2: 6.4
CVSS V3: -
Severity: MEDIUM
ZyXEL DSL Modem is a broadband modem device developed and maintained by ZyXEL. The ZyXEL DSL Modem management interface has a pre-configured account that allows remote attackers to obtain sensitive information from the device. The modem has a default username and password: the user name is "root" and the password is "1234". With these credentials an attacker can log in to the modem's built-in FTP server and download data files containing sensitive information, such as spt.dat. That file contains the following information at the listed offsets: 0x20 the root password in clear text; 0x40 SNMP location; 0x60 device name; 0x80 SNMP sysContact; 0xac, 0xcc and 0xec SNMP read communities; 0x188 SUA server IP address; 0x1c54 first PPPoE account configuration name (default: ChangeMe); 0x1dde first PPPoE username; 0x1dfe first PPPoE password; 0x21dc second PPPoE account configuration name. With this information an attacker can change and reconfigure the device. This default account may also be present in other ZyXEL DSL series modems. It has been reported that the administration interface on some ZyXEL devices, including the 642 and 645 series, is remotely accessible and pre-set with a default username and password. It is important to note that other ZyXEL devices may share this default account.
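The record lists the offsets of the sensitive fields in spt.dat but not their widths. The extractor below is an added example, not ZyXEL's format documentation: it assumes NUL-terminated strings in 32-byte slots (the SNMP community fields sit exactly 0x20 apart, which suggests that layout) and a 4-byte SUA server address, and it flags the findings an auditor would care about, starting with the factory-default root password. The sample image is constructed in build_sample() and is not a dump from a real modem.

```python
import ipaddress
import sys

# Field offsets as listed in the record above. Slot width is an assumption
# of this example (the three SNMP community fields are 0x20 apart).
STRING_FIELDS = {
    "root_password":         0x0020,
    "snmp_location":         0x0040,
    "device_name":           0x0060,
    "snmp_sys_contact":      0x0080,
    "snmp_read_community_1": 0x00AC,
    "snmp_read_community_2": 0x00CC,
    "snmp_read_community_3": 0x00EC,
    "pppoe1_config_name":    0x1C54,
    "pppoe1_username":       0x1DDE,
    "pppoe1_password":       0x1DFE,
    "pppoe2_config_name":    0x21DC,
}
SUA_SERVER_IP = 0x0188
SLOT = 32
MIN_SIZE = max(STRING_FIELDS.values()) + SLOT
DEFAULT_ROOT_PASSWORD = "1234"


def _cstring(blob, offset, width=SLOT):
    """NUL-terminated string read from a fixed-width slot."""
    raw = blob[offset:offset + width]
    return raw.split(b"\x00", 1)[0].decode("latin-1")


def parse_spt(blob):
    """Extract the sensitive fields from an spt.dat image."""
    if len(blob) < MIN_SIZE:
        raise ValueError(f"spt.dat too short: {len(blob)} bytes, need at least {MIN_SIZE}")
    fields = {name: _cstring(blob, off) for name, off in STRING_FIELDS.items()}
    ip_raw = bytes(blob[SUA_SERVER_IP:SUA_SERVER_IP + 4])
    fields["sua_server_ip"] = str(ipaddress.IPv4Address(ip_raw))
    return fields


def findings(fields):
    """Audit results: default credentials, well-known communities, untouched defaults."""
    out = []
    if fields["root_password"] == DEFAULT_ROOT_PASSWORD:
        out.append("root password is the factory default")
    for key in ("snmp_read_community_1", "snmp_read_community_2", "snmp_read_community_3"):
        if fields[key] in ("public", "private"):
            out.append(f"{key} uses well-known community '{fields[key]}'")
    if fields["pppoe1_config_name"] == "ChangeMe":
        out.append("first PPPoE account still carries the default configuration name")
    return out


def build_sample():
    """Constructed sample image for this example, not a dump from a real modem."""
    values = {
        "root_password": "1234",
        "snmp_location": "wiring closet 2",
        "device_name": "dsl-modem-01",
        "snmp_sys_contact": "noc@example.net",
        "snmp_read_community_1": "public",
        "snmp_read_community_2": "public",
        "snmp_read_community_3": "public",
        "pppoe1_config_name": "ChangeMe",
        "pppoe1_username": "isp-user@example.net",
        "pppoe1_password": "s3cret-ppp",
        "pppoe2_config_name": "",
    }
    blob = bytearray(0x2300)
    for name, off in STRING_FIELDS.items():
        data = values[name].encode("latin-1")
        assert len(data) < SLOT
        blob[off:off + len(data)] = data
    blob[SUA_SERVER_IP:SUA_SERVER_IP + 4] = bytes([192, 168, 1, 33])
    return bytes(blob)


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    parsed = parse_spt(image)
    for key, value in parsed.items():
        print(f"{key:24s} {value}")
    for line in findings(parsed):
        print("FINDING:", line)
```

Run it against a file pulled from the modem's FTP server (`python3 spt_audit.py spt.dat`) or with no argument to see it on the constructed sample. Because the widths are assumed, treat a field that comes back empty or full of binary as a sign the slot layout differs on that firmware, not as a clean result.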
VAR-200312-0489 CVE-2003-1346 D-Link DWL-900AP+ Firmware Upgrade Configuration Reset Vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
D-Link wireless access point DWL-900AP+ 2.2, 2.3 and possibly 2.5 allows remote attackers to set factory default settings by upgrading the firmware using AirPlus Access Point Manager. If the user has installed the D-Link AirPlus Access Point Manager firmware management program, two panes appear when it starts: the lower pane, "Available AP", lists the access points found on the network (for example one running firmware version 2.5), and the upper pane, "Upgrade AP", lists the firmware versions available for upgrade. After selecting a version and clicking Upgrade, the manager does not prompt for any password; it simply transfers the new firmware to the AP via TFTP, and once the firmware is uploaded the AP is reset to its default settings.
VAR-200312-0053 CVE-2003-1250 Efficient Networks DSL Router Remote Denial of Service Attack Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Efficient Networks 5861 DSL router, when running firmware 5.3.80 configured to block incoming TCP SYN packets, allows remote attackers to cause a denial of service (crash) via a flood of TCP SYN packets to the WAN interface using a port scanner such as nmap. A denial of service vulnerability has been reported for the Efficient Networks 5861 line of DSL routers. The vulnerability is triggered when the router is configured to block incoming packets with the TCP SYN flag set and is subsequently port-scanned. An attacker can exploit this by port-scanning a vulnerable DSL router on its WAN interface; the device reportedly locks up and then restarts after a period of time. The Efficient Networks DSL router is a small ADSL router that offers features such as a firewall and VPN.
VAR-200301-0038 No CVE Macromedia ColdFusion MX CFInclude and CFModule Mark Sandbox Security Check Bypass Vulnerabilities CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Macromedia ColdFusion MX is a web application server and development environment built on standard Java technology, noted for ease of use and development productivity and able to integrate with XML, Web Services and the Microsoft .NET environment. ColdFusion MX does not properly handle the cfinclude and cfmodule tags, and remote attackers can exploit this to gain unauthorized access to files on the system. The <cfinclude> and <cfmodule> tags take file names as relative paths, and ColdFusion MX does not apply the Sandbox Security file and directory permission checks when including files through these tags, so a maliciously built template that uses them can read data it should not reach. In sandboxed environments it may therefore be possible for a script to access files outside the sandboxed directory, leading to unauthorized access to files on the host.
VAR-200301-0002 CVE-2003-0001 Multiple Vendors Network Device Driver Frame Filling Information Disclosure Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Multiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets, as demonstrated by Etherleak. The Ethernet standard (IEEE 802.3) defines a minimum data field of 46 bytes. If a higher-layer protocol such as IP hands the driver less than 46 bytes, the driver must pad the data field to meet the minimum frame size; the padding is expected to be null bytes. Many Ethernet device drivers do not implement this correctly: instead of padding with nulls they transmit whatever the frame buffer already contains, typically data from previously transmitted frames. Because the frame buffer is allocated in kernel memory, sensitive system information can be recovered by analysing these padding bytes. Some drivers fail to clear the buffer at all, leaving the data that was stored in that memory prior to its use intact, and that data is then transmitted within frames across Ethernet segments. Cisco has stated that the IOS 12.1 and 12.2 trains are not affected. National Semiconductor Ethernet controller chips are not vulnerable to this issue. This issue is described in CERT Vulnerability VU#412115 (see http://www.kb.cert.org/vuls/id/412115 and http://www.kb.cert.org/vuls/id/JPLA-5BGNYP). 2. Contributing Factors This issue can occur in the following releases: SPARC Platform * Solaris 2.6 without patch 105181-35 * Solaris 7 without patch 112604-02 * Solaris 8 without patch 112609-02 * Solaris 9 without patch 115172-01 Note: The Am7990 ("LANCE") Ethernet driver le(7D) is for SPARC platforms only, thus x86 platforms are not affected. This issue only occurs on SPARC systems that utilize the Am7990 ("LANCE") Ethernet driver (le(7D)).
To determine if the Am7990 Ethernet driver is installed on your system, run the following command:
$ ifconfig -a
le0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1 inet 127.0.0.0 netmask ff000000
Any reference to "le0" would indicate an open Lance Ethernet (le) interface. 3. Symptoms There are no predictable symptoms that would show the described issue has been exploited. SOLUTION SUMMARY: 4. Relief/Workaround There is no workaround for this issue. Please see "Resolution" section below. 5. Resolution This issue is addressed in the following releases: SPARC Platform * Solaris 2.6 with patch 105181-35 or later * Solaris 7 with patch 112604-02 or later * Solaris 8 with patch 112609-02 or later * Solaris 9 with patch 115172-01 or later Copyright 2000-2003 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.
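The Etherleak record above describes the defect in prose; the following is an added example (not code from the Etherleak paper, CERT or Sun) that builds the two kinds of frame and checks captured frames for the leak. build_ipv4_frame() assembles a minimum-size Ethernet/IPv4 frame and either zero-pads it, as IEEE 802.3 expects, or pads it from a caller-supplied "stale buffer" to model a driver that never clears its transmit memory. leaked_bytes() does the check a reviewer would run over a capture: locate the end of the IP datagram from the IP total length and report any non-zero bytes after it. MAC and IP addresses, and the stale buffer contents, are constructed for the example.

```python
import struct

ETH_HDR_LEN = 14
MIN_FRAME_LEN = 60          # 64-byte minimum on the wire, minus the 4-byte FCS
ETHERTYPE_IPV4 = 0x0800

# Constructed addresses for the sample frames, not captured values.
DST_MAC = bytes.fromhex("001122334455")
SRC_MAC = bytes.fromhex("66778899aabb")
SRC_IP = bytes([10, 0, 0, 1])
DST_IP = bytes([10, 0, 0, 2])


def build_ipv4_frame(payload, pad_source=None):
    """Assemble an Ethernet/IPv4 frame around a short transport payload.

    pad_source=None pads with zeros, which is what IEEE 802.3 expects.
    Passing a bytes object pads with its leading bytes instead; that models a
    driver that never clears its transmit buffer and so ships whatever the
    previous frame (or other kernel data) left there: the Etherleak defect.
    The IP checksum is left at zero; it plays no part in the padding check.
    """
    total_len = 20 + len(payload)
    ip_header = struct.pack("!BBHHHBBH4s4s",
                            0x45, 0, total_len, 0, 0, 64, 17, 0, SRC_IP, DST_IP)
    frame = DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4) + ip_header + payload
    shortfall = MIN_FRAME_LEN - len(frame)
    if shortfall > 0:
        if pad_source is None:
            pad = bytes(shortfall)
        else:
            if len(pad_source) < shortfall:
                raise ValueError("pad_source shorter than the padding needed")
            pad = pad_source[:shortfall]
        frame += pad
    return frame


def trailing_padding(frame):
    """Bytes after the end of the IP datagram: the Ethernet padding region."""
    if len(frame) < ETH_HDR_LEN + 20:
        raise ValueError("frame too short for an IPv4 header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("only IPv4 frames are handled by this example")
    ihl = (frame[ETH_HDR_LEN] & 0x0F) * 4
    (total_len,) = struct.unpack("!H", frame[ETH_HDR_LEN + 2:ETH_HDR_LEN + 4])
    if total_len < ihl or ETH_HDR_LEN + total_len > len(frame):
        raise ValueError("inconsistent IP total length")
    return frame[ETH_HDR_LEN + total_len:]


def leaked_bytes(frame):
    """Non-zero padding; anything returned here came from the sender's memory."""
    pad = trailing_padding(frame)
    return pad if any(pad) else b""


def audit(frames):
    """Run over captured frames; return (index, leaked bytes) for each offender."""
    result = []
    for i, frame in enumerate(frames):
        leak = leaked_bytes(frame)
        if leak:
            result.append((i, leak))
    return result


if __name__ == "__main__":
    good = build_ipv4_frame(b"ping")
    # Constructed "previous frame" content still sitting in the transmit buffer.
    stale = b"Authorization: Basic YWRtaW46c2VjcmV0\r\n"
    bad = build_ipv4_frame(b"ping", pad_source=stale)
    for index, leak in audit([good, bad]):
        print(f"frame {index}: {len(leak)} leaked bytes: {leak!r}")
```

Two practical caveats: capture on a different host than the sender, because a capture taken on the sending machine is usually handed the frame before the driver pads it and so shows nothing; and look first at the smallest frames (ARP replies and tiny ICMP echoes), which need the most padding and therefore expose the most buffer contents per frame.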
VAR-200312-0067 CVE-2003-1264 Longshine Wireless Access Point Device Information Disclosure Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
TFTP server in Longshine Wireless Access Point (WAP) LCS-883R-AC-B, and in D-Link DI-614+ 2.0 which is based on it, allows remote attackers to obtain the WEP secret and gain administrator privileges by downloading the configuration file (config.img) and other files without authentication. The Longshine LCS-883R-AC-B device accepts TFTP connections without authentication, and the configuration file contains sensitive information including the administrator password and WEP keys. The D-Link DI-614+, reportedly based on the Longshine device, appears to be vulnerable to this issue as well; however, only some files were accessible.
VAR-200212-0385 CVE-2002-1937 Symantec Firewall/VPN Appliance Get administrator password vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Symantec Firewall/VPN Appliance 100 through 200R hardcodes the administrator's MAC address inside the firewall's configuration, which allows remote attackers to spoof the administrator's MAC address and perform an ARP poisoning man-in-the-middle attack to obtain the administrator's password. Firewall/VPN Appliance 200 is prone to a remote security vulnerability
VAR-200212-0270 CVE-2002-1972 Parallel port powerSwitch Unknown vulnerability CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
Unknown vulnerability in Parallel port powerSwitch (aka pp_powerSwitch) 0.1 does not properly enforce access controls, which allows local users to access arbitrary ports. Pp Powerswitch is prone to a local security vulnerability
VAR-200212-0082 CVE-2002-2133 Telindus ADSL Router Encryption mechanism is not strong vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Telindus 1100 ADSL router running firmware 6.0.x uses weak encryption for UDP session traffic, which allows remote attackers to gain unauthorized access by sniffing and decrypting the administrative password. A weakness has been discovered in the encryption algorithm used by Telindus ADSL routers. Because of the weak algorithm, and of various static values within each encrypted packet, a remote attacker may be able to decipher sensitive router information; by sniffing the router's management traffic it may be possible to deduce the administrator password. It should be noted that this issue is partially derived from the vulnerability described in BID 4946. Telindus ADSL routers are used for ADSL network connections.
VAR-200212-0721 CVE-2002-2397 Sygate personal firewall Firewall bypass vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Sygate personal firewall 5.0 could allow remote attackers to bypass firewall filters via spoofed (1) source IP address of 127.0.0.1 or (2) network address of 127.0.0.0. Sygate personal firewall 5.0 is vulnerable
VAR-200212-0882 No CVE SkyStream Edge Media Router-5000 Local Buffer Overflow Vulnerability CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
The SkyStream Edge Media Router-5000 (EMR5000) is a DVB multicast router. The Edge Media Router ships with a client shell through which users manage and configure the system. A buffer overflow exists in this user shell: it does not use the GNU readline library but implements its own dedicated input handling, and the code that reads and validates user input does not bound its length. An attacker who has already obtained shell access can trigger the overflow by supplying an overly long string on the client shell's command line and may thereby execute arbitrary instructions and escalate privileges beyond those of the shell account.
VAR-200212-0894 No CVE Axis Embedded Device Authentication Buffer Overflow Vulnerability CVSS V2: -
CVSS V3: -
Severity: -
Axis Network Cameras, Video Servers, and Network Digital Video Recorders contain an unchecked buffer in the authentication code of their embedded web server. Exploitation may result in a denial of service or potential execution of arbitrary code.
VAR-200212-0835 CVE-2002-2208 Cisco IOS EIGRP notice ARP Denial of service attack vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Enhanced Interior Gateway Routing Protocol (EIGRP), as implemented in Cisco IOS 11.3 through 12.2 and other products, allows remote attackers to cause a denial of service (flood) by sending a large number of spoofed EIGRP neighbor announcements, which results in an ARP storm on the local network. Internetwork Operating System (IOS) is the firmware developed and maintained by Cisco for Cisco routers. A system sending spoofed EIGRP announcements may cause a denial of service to all routers and systems on a given network segment. Because neighbor discovery is not properly rate-limited, a neighbor announcement received by the routers on a segment results in an address resolution protocol (ARP) storm that fills the network's capacity while the routers attempt to contact the announcing neighbor; router resources such as CPU are also consumed by the attempt. It should be noted that this vulnerability can also be exploited against systems that accept EIGRP announcements via unicast. Remote attackers can use this vulnerability to deny service to routers and consume all available bandwidth. EIGRP discovers neighbor routers automatically: an EIGRP router announces its existence by multicasting on its enabled interfaces, and when two routers discover each other they exchange current topology information, for which each needs the other's MAC address. If an attacker floods the router or the whole network with EIGRP neighbor announcements carrying random source IP addresses from the subnet configured on the router's interface, every receiving Cisco router attempts to contact each announced sender, and IOS keeps issuing ARP requests for the sender's MAC address. There is no timeout for this other than expiry of the EIGRP neighbor hold time, which is supplied by the sender and can be set to more than 18 hours. Multiple neighbor announcements with non-existent source IP addresses therefore cause the router to consume a large amount of CPU and bandwidth, resulting in a denial of service. Using IP multicast for the EIGRP announcements makes the attack more effective. Cisco IOS versions lower than 12.0 accept EIGRP neighbor announcements via unicast, so the attack can also be carried out across the Internet.
Arhont Ltd. - Information Security
Arhont Advisory by: Arhont Ltd
Advisory: Unauthenticated EIGRP DoS
Class: design bug
Version: EIGRP version 1.2
Model Specific: Other versions might have the same bug
DETAILS: We have used our custom EIGRP packet generator written in Perl to evaluate the security of the EIGRP routing protocol. In the initial generator testing stage we have successfully reproduced the known DoS against EIGRP discovered by FX and described at http://www.securityfocus.com/bid/6443. This attack is canned in the generator using the --hellodos flag. The testing network was completely brought down due to the ARP storm. Moving further, we have discovered a novel selective single peer-directed DoS attack employing the EIGRP "Goodbye Message". A goodbye message is sent when an EIGRP routing process is shutting down to tell the neighbors about the impending topology change to speed up the convergence. This feature is supported in Cisco IOS Releases later than 12.3(2), 12.3(3)B, and 12.3(2)T.
A spoofed "goodbye message" can be sent to a peer claiming that its neighbor is down, thus breaking the neighborhood:

arhontus #/eigrp.pl --ipgoodbye 192.168.66.202 --as 65534 --source 192.168.66.191

469573: Aug 16 2005 03:08:11.773 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.111 (Ethernet0/0) is up: new adjacency
c2611#sh ip eigrp neigh
IP-EIGRP neighbors for process 65534
H   Address                 Interface   Hold Uptime   SRTT   RTO  Q  Seq
                                        (sec)         (ms)       Cnt Num
2   192.168.66.111          Et0/0         13 00:01:08    1  5000  1  0
0   192.168.30.191          Se0/0         12 00:05:06    1  4500  0  198
1   192.168.66.191          Et0/0         13 00:05:14  201  1206  0  199
469574: Aug 16 2005 03:09:31.299 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.111 (Ethernet0/0) is down: retry limit exceeded
c2611#
469575: Aug 16 2005 03:09:32.818 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.111 (Ethernet0/0) is up: new adjacency
c2611#
469576: Aug 16 2005 03:09:56.277 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.191 (Ethernet0/0) is down: Peer goodbye received
c2611#
469577: Aug 16 2005 03:09:59.283 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.191 (Ethernet0/0) is down: Peer goodbye received
469578: Aug 16 2005 03:09:59.868 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.191 (Ethernet0/0) is up: new adjacency
c2611#
469579: Aug 16 2005 03:10:02.288 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.191 (Ethernet0/0) is down: Peer goodbye received
c2611#
469580: Aug 16 2005 03:10:04.676 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.191 (Ethernet0/0) is up: new adjacency
469581: Aug 16 2005 03:10:05.289 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.191 (Ethernet0/0) is down: Peer goodbye received
c2611#
469582: Aug 16 2005 03:10:08.290 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.191 (Ethernet0/0) is down: Peer goodbye received
c2611#sh ip eigrp neigh
IP-EIGRP neighbors for process 65534
H   Address                 Interface   Hold Uptime   SRTT   RTO  Q  Seq
                                        (sec)         (ms)       Cnt Num
0   192.168.30.191          Se0/0         14 00:09:50    1  4500  0  286

This selective neighborhood breaking can be used for other purposes than DoS. Re-initiating the EIGRP handshake helps a sniffing attacker to find information about the EIGRP routing domain topology. Possessing such information, a skilled attacker can selectively break the neighborhood to redirect traffic the way he wants. Of course, on an unprotected EIGRP domain there is a much simpler way of traffic redirection, which is either directly injecting the routes using our packet generator or establishing a fake neighbourhood and supplying metric parameters to the legitimate peers, which would lead DUAL to favor the fake neighbor.
Risk Factor: Medium
Workarounds: Always use EIGRP MD5-based authentication.
Communication History: sent to PSIRT on 10/10/05
*According to the Arhont Ltd. policy, all of the found vulnerabilities and security issues will be reported to the manufacturer at least 7 days before releasing them to the public domains (such as CERT and BUGTRAQ). If you would like to get more information about this issue, please do not hesitate to contact Arhont team.*
_______________________________________________
Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
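The router log in the Arhont advisory above is exactly what a defender has to work with: %DUAL-5-NBRCHANGE messages from syslog. The detector below is an added example, not part of the advisory or of any Cisco tooling. It parses those messages and flags a neighbor that goes down repeatedly within a short window, counting how many of the downs were "Peer goodbye received", which is the signature of the spoofed-goodbye attack (a single goodbye on a planned shutdown is normal; a burst of goodbye/adjacency cycles from one peer on one interface is not). The sample log is the advisory's own message sequence with the interleaved prompts and "sh ip eigrp neigh" output removed; the 120-second window and threshold of three downs are assumptions to tune for your network.

```python
import re
from collections import defaultdict
from datetime import datetime

# Cisco IOS DUAL neighbor-change message, e.g.
# "469576: Aug 16 2005 03:09:56.277 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534:
#  Neighbor 192.168.66.191 (Ethernet0/0) is down: Peer goodbye received"
NBRCHANGE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d\d:\d\d:\d\d\.\d{3}) \S+: "
    r"%DUAL-5-NBRCHANGE: IP-EIGRP\(\d+\) (?P<asn>\d+): "
    r"Neighbor (?P<nbr>\d{1,3}(?:\.\d{1,3}){3}) \((?P<iface>[^)]+)\) "
    r"is (?P<state>up|down): (?P<reason>.+?)\s*$"
)


def parse_line(line):
    """Return the fields of one NBRCHANGE line, or None for anything else."""
    m = NBRCHANGE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %Y %H:%M:%S.%f")
    return ev


def detect_flaps(lines, window_s=120, min_downs=3):
    """Flag neighbors that went down at least min_downs times inside window_s.

    Keyed on (AS, neighbor address, interface) so that the same peer seen on
    two interfaces, or two ASes, is tracked separately.
    """
    downs = defaultdict(list)
    goodbyes = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["state"] != "down":
            continue
        key = (ev["asn"], ev["nbr"], ev["iface"])
        downs[key].append(ev["ts"])
        if "goodbye" in ev["reason"].lower():
            goodbyes[key] += 1

    alerts = []
    for key, stamps in downs.items():
        stamps.sort()
        peak = start = 0
        for end, ts in enumerate(stamps):          # sliding window over down events
            while (ts - stamps[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_downs:
            asn, nbr, iface = key
            alerts.append({
                "asn": asn, "neighbor": nbr, "interface": iface,
                "downs_in_window": peak, "goodbye_downs": goodbyes[key],
                "first_down": stamps[0].isoformat(), "last_down": stamps[-1].isoformat(),
            })
    return alerts


# Sample input: the advisory's router messages, prompts and table output removed.
SAMPLE_LOG = """\
469573: Aug 16 2005 03:08:11.773 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.111 (Ethernet0/0) is up: new adjacency
469574: Aug 16 2005 03:09:31.299 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.111 (Ethernet0/0) is down: retry limit exceeded
469575: Aug 16 2005 03:09:32.818 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.111 (Ethernet0/0) is up: new adjacency
469576: Aug 16 2005 03:09:56.277 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.191 (Ethernet0/0) is down: Peer goodbye received
469577: Aug 16 2005 03:09:59.283 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.191 (Ethernet0/0) is down: Peer goodbye received
469578: Aug 16 2005 03:09:59.868 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.191 (Ethernet0/0) is up: new adjacency
469579: Aug 16 2005 03:10:02.288 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.191 (Ethernet0/0) is down: Peer goodbye received
469580: Aug 16 2005 03:10:04.676 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.191 (Ethernet0/0) is up: new adjacency
469581: Aug 16 2005 03:10:05.289 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.191 (Ethernet0/0) is down: Peer goodbye received
469582: Aug 16 2005 03:10:08.290 GMT: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65534: Neighbor 192.168.66.191 (Ethernet0/0) is down: Peer goodbye received
"""

if __name__ == "__main__":
    for alert in detect_flaps(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample, 192.168.66.111 (one "retry limit exceeded" down) stays quiet while 192.168.66.191 is flagged with five goodbye-driven downs in twelve seconds. The alert is only a symptom; the fix the advisory names is per-interface EIGRP MD5 authentication (`ip authentication mode eigrp <as> md5` with `ip authentication key-chain eigrp <as> <chain>`), without which any host on the segment can speak for a peer.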
VAR-200212-0658 CVE-2002-1372 CUPS  Denial of service due to failure to properly handle file descriptors in  (DoS)  Vulnerability CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
Common Unix Printing System (CUPS) 1.1.14 through 1.1.17 does not properly check the return values of various file and socket operations, which could allow a remote attacker to cause a denial of service (resource exhaustion) by causing file descriptors to be assigned and not released, as demonstrated by fanta. ------------ This record summarizes multiple vulnerabilities that were published at the same time, so it also describes issues beyond the one in the title. ------------ Common Unix Printing System (CUPS) is a printing system, included with several UNIX variants, that supports Internet Printing Protocol version 1.1 (IPP/1.1); it is also shipped with Red Hat Linux 7.3 and 8.0, where it is disabled in the default installation. CUPS has the following security issues:
1. Integer overflows [CAN-2002-1383]: CUPS contains several integer overflows. By exploiting one of them through the HTTP interface, a remote attacker can execute arbitrary code with the privileges of cupsd (user lp).
2. Race condition in temporary file creation [CAN-2002-1366]: CUPS creates temporary files under /etc/cups/certs/ named after the pid of the CUPS process, so a local attacker can predict the file name. By creating a file of that name that points at a chosen target, any file can be overwritten or created with root privileges. Carrying out this attack requires lp privileges, which can be obtained through issue 1.
3. Printer-addition mechanism and access control [CAN-2002-1367]: a crafted UDP packet sent to CUPS adds a printer while bypassing authentication, and the access control of the printer-addition mechanism does not validate its input. Because the added printer information is processed with root privileges, combining these issues lets a local attacker escalate to root.
4. cupsd crash via crafted HTTP [CAN-2002-1368]: CUPS includes an HTTP server (cupsd) that accepts IPP connections for the back end. Its HTTP handling does not adequately validate the range of received values, so a remote attacker can cause a denial of service with a negative Content-Length field or a deliberately assembled chunked transfer encoding; cupsd must be restarted to recover.
5. Buffer overflow via strncat [CAN-2002-1369]: a buffer overflow occurs when a print job with particular attribute values is received; a remote attacker can exploit it to execute arbitrary code as root. Exploiting this issue requires issue 3.
6. GIF handling [CAN-2002-1371]: the GIF filter does not sufficiently validate the image width. A GIF with a width of 0 causes allocated memory to be overwritten when the file is interpreted, and arbitrary code may be executed with CUPS privileges.
7. File descriptor handling for sockets and files [CAN-2002-1372]: file descriptors for sockets and files are not properly closed, so an attacker can exhaust them and deny service to the whole system running CUPS.
A vulnerability has been discovered in CUPS that may, under some circumstances, leak file descriptors. Exploitation of this issue may allow an attacker to bind a malicious server in place of the cupsd server. The system is based on the Internet Printing Protocol (IPP) and provides most PostScript and raster printer services.
VAR-200212-0655 CVE-2002-1368 CUPS memcpy() negative-value handling denial of service (DoS) vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Common Unix Printing System (CUPS) 1.1.14 through 1.1.17 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code by causing negative arguments to be fed into memcpy() calls via HTTP requests with (1) a negative Content-Length value or (2) a negative length in a chunked transfer encoding. ------------ This vulnerability information summarizes multiple vulnerabilities that were released at the same time. Please note that it contains information about vulnerabilities other than the one in the title. ------------ Common Unix Printing System (CUPS) is a printing system that supports Internet Printing Protocol version 1.1 (IPP/1.1) and can be used across UNIX environments. It is also bundled with Red Hat Linux 7.3 and 8.0. This CUPS has the following security issues. Note that on Red Hat Linux, CUPS is disabled in the default installation.
1. Integer overflow problems * [CAN-2002-1383]: CUPS contains several integer overflow problems. For example, by exploiting this issue through the HTTP interface, a remote attacker can execute arbitrary code with the execution privileges of CUPSd (the lp user).
2. Race condition in temporary file creation * [CAN-2002-1366]: CUPS creates temporary files under /etc/cups/certs/ whose names are derived from the pid (the process ID of CUPS at creation time), so a local attacker can predict how the temporary file name is determined. By creating a file with the same name as the temporary file that points to the intended target file, the attacker can overwrite or create arbitrary files with root privileges. Carrying out this attack requires lp user privileges, obtained in advance via problem 1.
3. Printer addition mechanism / access control issues * [CAN-2002-1367]: By sending a maliciously crafted UDP packet to CUPS from a remote host, an attacker can bypass authentication and add a printer. Furthermore, the access control mechanism of the printer addition mechanism neglects validity checks. Because added printer information is interpreted with root privileges, combining these problems allows an arbitrary printer to be added. As a result, a local attacker can elevate to root privileges.
4. CUPSd crash via intentionally crafted HTTP communication [CAN-2002-1368]: CUPS includes an HTTP server (CUPSd) that accepts connections for the IPP backend. Restoring normal operation requires restarting CUPSd.
5. Buffer overflow via the strncat function [CAN-2002-1369]: CUPS has a buffer overflow problem when receiving a print job with specific attribute values. By exploiting this issue, a remote attacker can execute arbitrary code with root privileges. Exploiting this issue requires first exploiting problem 3.
6. GIF file handling problem [CAN-2002-1371]: The part of CUPS that handles GIF-format files has a problem in validating the width value. By having CUPS interpret a deliberately assembled GIF file whose width is '0', a remote attacker can overwrite the contents of allocated memory and may execute arbitrary code with the execution privileges of CUPS.
7. File descriptor issues with sockets and files * [CAN-2002-1372]: CUPS does not properly close file descriptors for sockets and files. A local attacker can use this issue to cause memory leaks and put the entire system running CUPS out of service. Please refer to the "Overview" for the impact of this vulnerability. A vulnerability has been reported for CUPS that, if exploited, may result in a DoS or the execution of code on affected systems. An attacker can exploit this vulnerability by connecting to a vulnerable system and issuing malformed HTTP headers with a negative value for some fields. When the cupsd service receives this request, it will crash. This vulnerability is very similar to the issue described in BID 5033. It is likely that this vulnerability can be exploited to execute malicious attacker-supplied code on BSD, and possibly other, platforms. *** January 05, 2003: There are reports of this vulnerability being actively exploited in the wild. Vulnerable users are advised to update immediately
VAR-200212-0657 CVE-2002-1371 CUPS filters/image-gif.c arbitrary code execution vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
filters/image-gif.c in Common Unix Printing System (CUPS) 1.1.14 through 1.1.17 does not properly check for zero-length GIF images, which allows remote attackers to execute arbitrary code via modified chunk headers, as demonstrated by nogif. ------------ This vulnerability information summarizes multiple vulnerabilities that were released at the same time. Please note that it contains information about vulnerabilities other than the one in the title. ------------ Common Unix Printing System (CUPS) is a printing system that supports Internet Printing Protocol version 1.1 (IPP/1.1) and can be used across UNIX environments. It is also bundled with Red Hat Linux 7.3 and 8.0. This CUPS has the following security issues. Note that on Red Hat Linux, CUPS is disabled in the default installation.
1. Integer overflow problems * [CAN-2002-1383]: CUPS contains several integer overflow problems. For example, by exploiting this issue through the HTTP interface, a remote attacker can execute arbitrary code with the execution privileges of CUPSd (the lp user).
2. Race condition in temporary file creation * [CAN-2002-1366]: CUPS creates temporary files under /etc/cups/certs/ whose names are derived from the pid (the process ID of CUPS at creation time), so a local attacker can predict how the temporary file name is determined. By creating a file with the same name as the temporary file that points to the intended target file, the attacker can overwrite or create arbitrary files with root privileges. Carrying out this attack requires lp user privileges, obtained in advance via problem 1.
3. Printer addition mechanism / access control issues * [CAN-2002-1367]: By sending a maliciously crafted UDP packet to CUPS from a remote host, an attacker can bypass authentication and add a printer. Furthermore, the access control mechanism of the printer addition mechanism neglects validity checks. Because added printer information is interpreted with root privileges, combining these problems allows an arbitrary printer to be added. As a result, a local attacker can elevate to root privileges.
4. CUPSd crash via intentionally crafted HTTP communication [CAN-2002-1368]: CUPS includes an HTTP server (CUPSd) that accepts connections for the IPP backend. The HTTP handling code of this server does not verify the range of received values, so a remote attacker can put CUPS into a denial of service by setting the Content-Length: field to a negative value or by sending intentionally assembled chunked HTTP transfers. Restoring normal operation requires restarting CUPSd.
5. Buffer overflow via the strncat function [CAN-2002-1369]: CUPS has a buffer overflow problem when receiving a print job with specific attribute values. By exploiting this issue, a remote attacker can execute arbitrary code with root privileges. Exploiting this issue requires first exploiting problem 3.
6. GIF file handling problem [CAN-2002-1371]: The part of CUPS that handles GIF-format files has a problem in validating the width value.
7. File descriptor issues with sockets and files * [CAN-2002-1372]: CUPS does not properly close file descriptors for sockets and files. A local attacker can use this issue to cause memory leaks and put the entire system running CUPS out of service. Please refer to the "Overview" for the impact of this vulnerability. As a result, if an attacker submits a suitably malformed image, it may be possible to corrupt memory with attacker-supplied data. Successful exploitation will result in arbitrary code execution in the security context of CUPS. The attacker must be able to cause the malformed image to be processed by CUPS to exploit this issue. The system is based on the Internet Printing Protocol (IPP) and provides most PostScript and raster printer services. Remote attackers can exploit this vulnerability to conduct a denial of service attack on CUPS, and may execute arbitrary commands on the system with CUPS process privileges. Fragment of the affected code in filters/image-gif.c: xpos ++; temp += bpp; if (xpos == img->xsize) { ImagePutRow(img, 0, ypos, img->xsize, pixels); ...