Apple further locks down CUPS (CVE-2010-0540)

Some time ago we released a proof-of-concept (PoC) that crashed CUPS when the user visited a web page containing a specially crafted payload. The PoC was tested on Ubuntu 8.04.1 LTS (hardy) and crashed the CUPS daemon, which listens on localhost, TCP port 631, even when the user was not logged into the CUPS web interface at the time.

The crash was only possible for the following reasons:

  1. By default, CUPS versions before 1.3.8 did not require authentication to add new RSS subscriptions (CVE-2008-5184)
  2. A NULL pointer dereference was triggered once more than 100 RSS subscriptions had been added (CVE-2008-5183)
  3. Adding RSS subscriptions (among other configuration changes) did not require an unpredictable, session-bound token in the HTTP request. In other words, every state-changing HTTP request to the CUPS daemon was vulnerable to cross-site request forgery (CSRF, also known as session riding): any web page the user visited could submit such a request, and the browser would deliver it to the daemon on localhost.
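The interplay of conditions 1 and 3, as an added example that is not CUPS code and not part of the original post: a small Python model of a localhost admin handler that accepts "add subscription" POSTs. The `/admin` path, the `op`, `recipient` and `csrf_token` form fields and the `sid` cookie are hypothetical names chosen for the illustration. The forged requests stand for what an auto-submitting form on an attacker's page produces: the browser attaches the victim's cookie, but the attacker's page cannot read the per-session token, so a request that needs only a cookie (or, pre-fix, nothing at all) is forgeable and one that needs the token is not. The scenario function also shows that requiring authentication alone does not stop CSRF once the user is logged in.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hypothetical model of a localhost admin service (not CUPS code). Field and
# path names are assumptions made for the example.


@dataclass
class Request:
    method: str
    path: str
    cookies: Dict[str, str]
    form: Dict[str, str]


@dataclass
class Session:
    sid: str
    csrf_token: str


class AdminService:
    """Subscription table is global to the daemon, like a real print spooler's."""

    def __init__(self, require_auth: bool, require_token: bool):
        self.require_auth = require_auth      # condition 1: fixed when True
        self.require_token = require_token    # condition 3: fixed when True
        self.sessions: Dict[str, Session] = {}
        self.subscriptions: List[str] = []

    def login(self) -> Session:
        # Token is unpredictable and bound to the session; a cross-origin page
        # cannot read it because of the same-origin policy.
        s = Session(sid=secrets.token_hex(16), csrf_token=secrets.token_urlsafe(32))
        self.sessions[s.sid] = s
        return s

    def handle(self, req: Request) -> int:
        if req.method != "POST" or req.path != "/admin":
            return 404
        session: Optional[Session] = self.sessions.get(req.cookies.get("sid", ""))
        if self.require_auth and session is None:
            return 401
        if self.require_token:
            if session is None:
                return 401
            supplied = req.form.get("csrf_token", "")
            # Constant-time comparison so the token cannot be guessed byte by byte.
            if not hmac.compare_digest(supplied, session.csrf_token):
                return 403
        if req.form.get("op") == "add-subscription":
            self.subscriptions.append(req.form.get("recipient", ""))
            return 200
        return 400


def run_scenario(require_auth: bool, require_token: bool, logged_in: bool, n: int = 101) -> int:
    """Replay n forged add-subscription POSTs (constructed attacker input) and
    return how many the daemon accepted. n defaults to 101, i.e. more than the
    100 subscriptions the original crash needed."""
    svc = AdminService(require_auth, require_token)
    cookies = {"sid": svc.login().sid} if logged_in else {}
    accepted = 0
    for i in range(n):
        forged = Request("POST", "/admin", dict(cookies),
                         {"op": "add-subscription",
                          "recipient": f"rss://attacker.example/feed{i}"})
        if svc.handle(forged) == 200:
            accepted += 1
    return accepted


def legitimate_add(svc: AdminService, session: Session, recipient: str) -> int:
    """A first-party form submission carries the token the page was rendered with."""
    req = Request("POST", "/admin", {"sid": session.sid},
                  {"op": "add-subscription", "recipient": recipient,
                   "csrf_token": session.csrf_token})
    return svc.handle(req)


if __name__ == "__main__":
    print("no auth, no token, user not logged in:", run_scenario(False, False, False))
    print("auth required, user not logged in:   ", run_scenario(True, False, False))
    print("auth required, user logged in:       ", run_scenario(True, False, True))
    print("auth + token, user logged in:        ", run_scenario(True, True, True))
    svc = AdminService(True, True)
    s = svc.login()
    print("legitimate request with token:       ", legitimate_add(svc, s, "rss://feeds.example/printer"))
```

The third scenario is the one that matters for the CUPS fix: once authentication was required (CVE-2008-5184), a user who happened to be logged into the CUPS web interface still had the cookie in their browser, so a forged form post from any site still went through until a request token was required as well.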

Issues #1 and #2 were fixed around the time we released our findings. Today Apple has also resolved issue #3. This is great news, as it means the vector by which a specially crafted web page could probe CUPS functionality has been closed. As far as I know, this was the only way to probe CUPS remotely and bypass the listen-on-localhost-only default setting.

Kudos to the Apple Product Security team for further locking down CUPS and thanks for crediting us!
