CVE-2004-1267

unknown

Published — · Modified —

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

1.0

Description

Buffer overflow in the ParseCommand function in hpgl-input.c in the hpgltops program for CUPS 1.1.22 allows remote attackers to execute arbitrary code via a crafted HPGL file.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-24977 remote linux verified text · 2 KB

Ariel Berkman · 2004-12-15

CUPS 1.1.x - '.HPGL' File Processor Buffer Overflow

text exploit Source: Exploit-DB

source: https://www.securityfocus.com/bid/11968/info

CUPS is reported prone to a remote buffer overflow vulnerability. The issue is reported to exist in the 'hpgl-input.c' source file and is because of a lack of sufficient boundary checks performed on data contained in HPGL files.

A remote attacker may exploit this condition to execute arbitrary code in the context of the vulnerable CUPS daemon. 

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/24977.gz




Ariel Berkman, a student in my Fall 2004 UNIX Security Holes course, has
discovered a remotely exploitable security hole in CUPS. I'm publishing
this notice, but all the discovery credits should be assigned to
Berkman.

A CUPS installation is at risk whenever it prints an HPGL file obtained
from email (or a web page or any other source that could be controlled
by an attacker). You are at risk if you print data through a CUPS
installation at risk. The source of the HPGL file has complete control
over the CUPS ``lp'' account; in particular, he can read and modify the
files you are printing.

Proof of concept: On an x86 computer running FreeBSD 4.10, as root, type

   cd /usr/ports/print/cups
   make install

to download and compile the CUPS package, version 1.1.22 (current).
Then, as any user, save the file 21.hpgl.gz attached to this message,
and type

   gunzip 21.hpgl
   /usr/local/libexec/cups/filter/hpgltops \
   15 $USER test-title 1 none 21.hpgl > 21.ps

with the unauthorized result that a file named x is removed from the
current directory. (I tested this with a 541-byte environment, as
reported by printenv | wc -c.)

Here's the bug: In hpgl-input.c, ParseCommand() reads any number of
bytes into a 262144-byte buf[] array.

---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago
Source: http://securesoftware.list.cr.yp.to/archive/0/25

OS impact

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`1.1.22-2`
sid	Fixed	`1.1.22-2`
forky	Fixed	`1.1.22-2`
bullseye	Fixed	`1.1.22-2`
bookworm	Fixed	`1.1.22-2`

References

https://security-tracker.debian.org/tracker/CVE-2004-1267

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.