87265 2002-12-23  23:11  /151 lines/ iDEFENSE Labs <labs@idefense.com>
Imported: 2002-12-23  23:11  by Brevbäraren
External recipient: bugtraq@securityfocus.com
External replies to: labs@idefense.com
Recipient: Bugtraq (import) <2877>
Subject: iDEFENSE Security Advisory 12.23.02: Integer Overflow in pdftops
------------------------------------------------------------

iDEFENSE Security Advisory 12.23.02:
http://www.idefense.com/advisory/12.23.02.txt
Integer Overflow in pdftops
December 23, 2002

Reference Advisory: http://www.idefense.com/advisory/12.19.02.txt
[Multiple Security Vulnerabilities in Common Unix Printing System
(CUPS)]

I. BACKGROUND

Easy Software Products' Common Unix Printing System (CUPS) is a
cross-platform printing solution for Unix environments. It is based
on the "Internet Printing Protocol," and provides complete printing
services to most PostScript and raster printers. CUPS has a web-based
graphical interface for printer management and is available on most
Linux systems.  More information is available at http://www.cups.org .

Xpdf is an open source viewer for Portable Document Format (PDF)
files.  The Xpdf project also includes a PDF text extractor, a
PDF-to-PostScript converter, and various other utilities, among them
the programs pdftops and pdftotext, which convert PDF files to
PostScript and plain text respectively.  More information is
available at http://www.foolabs.com/xpdf/ .

II. DESCRIPTION

The pdftops filter in the Xpdf and CUPS packages contains an integer
overflow that can be exploited to gain the privileges of the target
user or, in some cases, the increased privileges of the 'lp' user if
the filter is installed setuid. There are multiple ways of exploiting
this vulnerability. The following is just one example:

A ColorSpace with 1,431,655,768 elements is created, each element
having three components. The lookup table therefore needs
3 x 1,431,655,768 = 4,294,967,304 bytes, which is too large to store
within a 32-bit integer: the high bit is cut off, leaving a size of
only 8, which is how much is actually allocated.

... 
 /CS 
 [
  /Indexed
  /RGB 
  1431655768
  7 0 R 
 ] 
... 

The '7 0 R' above refers to a stream that is read into the array
allocated as described. The stream is read until the highest index
number has been reached or the stream ends. If the stream supplies
enough data, the application crashes when it tries to access memory
beyond the allocation. The condition can be exploited by supplying
just the right amount of data to overwrite the adjacent memory and
then ending the stream so that reading stops before a crash. A
function pointer can then be overwritten to execute arbitrary code.
Example:

...
7 0 obj <<
/Length 229
>>
stream
content to write into memory....endstream
endobj
...
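The size computation behind this bug, and the check that prevents it, as an added illustration written for this note (not Xpdf's or CUPS's own source): the lookup-table size is modelled as entries times components per entry in an unsigned 32-bit integer, so 1,431,655,768 entries of three components wrap to 8 bytes, while the hardened version rejects the product before anything is allocated. The function names and the 256-entry limit (the PDF specification allows index values 0 through 255 in an Indexed colour space) are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the vulnerable computation: entries * ncomps in
 * a 32-bit unsigned integer, wrapping silently on overflow.  Written for
 * this note; it is not the original pdftops code. */
uint32_t lookup_size_unchecked(uint32_t entries, uint32_t ncomps)
{
    return entries * ncomps;   /* 1431655768 * 3 wraps to 8 */
}

/* Largest legal entry count for an Indexed colour space: index values
 * are 0..255 per the PDF specification, so hival + 1 <= 256. */
#define MAX_INDEXED_ENTRIES 256u

/* Hardened form: returns the byte count, or 0 when the request is
 * invalid (zero entries/components, over the spec limit, or a product
 * that would not fit in 32 bits).  A size of 0 is never a valid table,
 * so the caller can treat it as "refuse to allocate". */
uint32_t lookup_size_checked(uint32_t entries, uint32_t ncomps)
{
    if (entries == 0 || ncomps == 0)
        return 0;
    if (entries > MAX_INDEXED_ENTRIES)
        return 0;                          /* index range out of spec */
    if (entries > UINT32_MAX / ncomps)
        return 0;                          /* product would overflow */
    return entries * ncomps;
}

int main(void)
{
    uint32_t n = 1431655768u;              /* value from the advisory */
    printf("unchecked: %u entries x 3 components -> %u bytes\n",
           n, lookup_size_unchecked(n, 3));
    printf("checked:   %u entries x 3 components -> %u (0 = rejected)\n",
           n, lookup_size_checked(n, 3));
    printf("checked:   256 entries x 3 components -> %u bytes\n",
           lookup_size_checked(256u, 3));
    return 0;
}
```

With the unchecked size, the read loop that fills the table still iterates up to the requested index range, so the 8-byte buffer is overrun by whatever the stream supplies; the checked size never reaches the allocator.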

The following is a sample run of the cups-pdf exploit running with the
user's privileges: 

$ ./cups-pdf | lp
request id is lp-108 (1 file(s))
$ ls -l /tmp/pdfexploit-worked
-rw-rw-r-- 1 farmer farmer 0 Dec 4 13:41 /tmp/pdfexploit-worked

III. ANALYSIS

This vulnerability is locally exploitable.  In order to perform
"remote" exploitation, an attacker must trick a user into printing a
malformed PDF file from the command line.  In installations where
"lp" user privileges are attainable, more advanced attacks can be
performed to gain local root access (see iDEFENSE Advisory
12.19.02).

IV. DETECTION

The vulnerability exists in the latest stable version of Xpdf (Xpdf
2.01) and all prior versions.  The vulnerability was verified on Red
Hat Linux 7.0 running CUPS-1.1.14-5 (RPM).

V. VENDOR RESPONSES/FIXES

A patch supplied by the author of Xpdf is available from
ftp://ftp.foolabs.com/pub/xpdf/xpdf-2.01-patch1 which fixes this
issue in pdftops when applied to the latest source code version,
2.01.  Additionally, the latest version of CUPS, 1.1.18, should also
fix this issue within the included pdftops utility.  It is available
from http://www.cups.org .

VI. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
assigned the identification number CAN-2002-1384 to this issue.

VII. DISCLOSURE TIMELINE

10/27/2002      Initial discussion with contributor
11/14/2002      Final contributor submission
12/12/2002      CUPS author and Xpdf author notified via e-mail to
                 cups-support@cups.org and Derek B. Noonburg
                 (derekn@glyphandcog.com)
12/12/2002      iDEFENSE clients notified
12/12/2002      Response and preliminary patch received from
                 CUPS author Michael Sweet (mike@easysw.com)
12/12/2002      Apple, Linux Security List (vendor-sec@lst.de)
12/13/2002      Updated patch received from Michael Sweet
12/17/2002      Patch received from Derek B. Noonburg
12/23/2002      Coordinated Public Disclosure

VIII. CREDIT

zen-parse (zen-parse@gmx.net) discovered this issue.


Get paid for security research
http://www.idefense.com/contributor.html

Subscribe to iDEFENSE Advisories:
send email to listserv@idefense.com, subject line: "subscribe"


About iDEFENSE:

iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world — from technical
vulnerabilities and hacker profiling to the global spread of viruses
and other malicious code. Our security intelligence services provide 
decision-makers, frontline security professionals and network 
administrators with timely access to actionable intelligence
and decision support on cyber-related threats. For more information,
visit http://www.idefense.com .
