1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
|
#
# This script was written by George A. Theall, <theall@tifaware.com>.
#
# See the Nessus Scripts License for details.
#
if (description) {
script_id(16141);
script_version("$Revision: 1.7 $");
script_cve_id("CVE-2004-1267","CVE-2004-1268","CVE-2004-1269","CVE-2004-1270", "CVE-2005-2874");
script_bugtraq_id(11968, 12004, 12005, 12007, 12200, 14265);
if (defined_func("script_xref")) {
script_xref(name:"OSVDB", value:"12439");
script_xref(name:"OSVDB", value:"12453");
script_xref(name:"OSVDB", value:"12454");
script_xref(name:"FLSA", value:"FEDORA-2004-559");
script_xref(name:"FLSA", value:"FEDORA-2004-560");
script_xref(name:"GLSA", value:"GLSA-200412-25");
}
name["english"] = "CUPS < 1.1.23 Multiple Vulnerabilities";
script_name(english:name["english"]);
desc["english"] = "
The remote host is running a CUPS server whose version number is
between 1.0.4 and 1.1.22 inclusive. Such versions are prone to
multiple vulnerabilities :
- A remotely exploitable buffer overflow in the 'hpgltops'
filter that enable specially crafted HPGL files can
execute arbitrary commands as the CUPS 'lp' account.
- A local user may be able to prevent anyone from changing
his or her password until a temporary copy of the new
password file is cleaned up ('lppasswd' flaw).
- A local user may be able to add arbitrary content to the
password file by closing the stderr file descriptor
while running lppasswd (lppasswd flaw).
- A local attacker may be able to truncate the CUPS
password file, thereby denying service to valid clients
using digest authentication. (lppasswd flaw).
- The application applys ACLs to incoming print jobs in a
case-sensitive fashion. Thus, an attacker can bypass
restrictions by changing the case in printer names when
submitting jobs. [Fixed in 1.1.21.]
***** Nessus has determined the vulnerability exists simply
***** by looking at the version number of CUPS installed on
***** the remote host.
See also : http://www.cups.org/str.php?L700
http://www.cups.org/str.php?L1024
http://www.cups.org/str.php?L1023
Solution : Upgrade to CUPS 1.1.23 or later.
Risk factor : High";
script_description(english:desc["english"]);
summary["english"] = "Checks version of CUPS";
script_summary(english:summary["english"]);
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2005 George A. Theall");
family["english"] = "Gain a shell remotely";
script_family(english:family["english"]);
script_dependencie("find_service.nes", "global_settings.nasl", "http_version.nasl");
script_require_keys("www/cups");
script_require_ports("Services/www", 631);
exit(0);
}
include("global_settings.inc");
include("http_func.inc");
include("http_keepalive.inc");
port = get_http_port(default:631);
if (!port) exit(0);
# Check as long as it corresponds to a CUPS server.
banner = get_http_banner(port:port);
banner = strstr(banner, "Server: CUPS");
if (banner != NULL) {
# Get the version number, if possible.
banner = banner - strstr(banner, string("\n"));
pat = "^Server: CUPS/?(.*)$";
ver = eregmatch(string:banner, pattern:pat);
if (isnull(ver)) exit(0);
ver = chomp(ver[1]);
if (ver =~ "^1\.(0(\.)?|1\.(1|2[0-2]))")
security_hole(port:port);
}
|
