ID CVE-2007-5849
Summary Integer underflow in the asn1_get_string function in the SNMP back end (backend/snmp.c) for CUPS 1.2 through 1.3.4 allows remote attackers to execute arbitrary code via a crafted SNMP response that triggers a stack-based buffer overflow.
References
Vulnerable Configurations
  • Apple Mac OS X 10.5.1
    cpe:2.3:o:apple:mac_os_x:10.5.1
  • Easy Software Products CUPS 1.2.10
    cpe:2.3:a:easy_software_products:cups:1.2.10
  • Easy Software Products CUPS 1.2.12
    cpe:2.3:a:easy_software_products:cups:1.2.12
  • Easy Software Products CUPS 1.2.4
    cpe:2.3:a:easy_software_products:cups:1.2.4
  • Easy Software Products CUPS 1.2.9
    cpe:2.3:a:easy_software_products:cups:1.2.9
  • Easy Software Products CUPS 1.3.3
    cpe:2.3:a:easy_software_products:cups:1.3.3
CVSS
Base: 9.3 (as of 20-12-2007 - 09:49)
Impact:
Exploitability:
CWE CWE-189
CAPEC
Access
Vector: NETWORK
Complexity: MEDIUM
Authentication: NONE
Impact
Confidentiality: COMPLETE
Integrity: COMPLETE
Availability: COMPLETE
exploit-db via4
description Common UNIX Printing System 1.2/1.3 SNMP 'asn1_get_string()' Remote Buffer Overflow Vulnerability. CVE-2007-5849. DoS exploit for the Linux platform.
id EDB-ID:30898
last seen 2016-02-03
modified 2007-11-06
published 2007-11-06
reporter wei_wang
source https://www.exploit-db.com/download/30898/
title Common UNIX Printing System 1.2/1.3 SNMP 'asn1_get_string' Remote Buffer Overflow Vulnerability
nessus via4
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-563-1.NASL
    description Wei Wang discovered that the SNMP discovery backend did not correctly calculate the length of strings. If a user were tricked into scanning for printers, a remote attacker could send a specially crafted packet and possibly execute arbitrary code. Elias Pipping discovered that temporary files were not handled safely in certain situations when converting PDF to PS. A local attacker could cause a denial of service. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 29919
    published 2008-01-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29919
    title Ubuntu 6.06 LTS / 6.10 / 7.04 / 7.10 : cupsys vulnerabilities (USN-563-1)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201412-11.NASL
    description The remote host is affected by the vulnerability described in GLSA-201412-11 (AMD64 x86 emulation base libraries: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in AMD64 x86 emulation base libraries. Please review the CVE identifiers referenced below for details. Impact : A context-dependent attacker may be able to execute arbitrary code, cause a Denial of Service condition, or obtain sensitive information. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2016-11-11
    plugin id 79964
    published 2014-12-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79964
    title GLSA-201412-11 : AMD64 x86 emulation base libraries: Multiple vulnerabilities (Heartbleed)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD2007-009.NASL
    description The remote host is running a version of Mac OS X 10.5 or 10.4 that does not have Security Update 2007-009 applied. This update contains several security fixes for a large number of programs.
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 29723
    published 2007-12-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29723
    title Mac OS X Multiple Vulnerabilities (Security Update 2007-009)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_CUPS-4806.NASL
    description This update fixes a buffer overflow that can be exploited by users that are allowed to configure CUPS. (CVE-2007-5848) Additionally a buffer overflow in the SNMP backend of CUPS was fixed that allowed remote attackers to execute arbitrary code by sending specially crafted SNMP responses. (CVE-2007-5849) This vulnerability affects 10.2 and 10.3 only.
    last seen 2019-02-21
    modified 2016-12-22
    plugin id 29914
    published 2008-01-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29914
    title openSUSE 10 Security Update : cups (cups-4806)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200712-14.NASL
    description The remote host is affected by the vulnerability described in GLSA-200712-14 (CUPS: Multiple vulnerabilities) Wei Wang (McAfee AVERT Research) discovered an integer underflow in the asn1_get_string() function of the SNMP backend, leading to a stack-based buffer overflow when handling SNMP responses (CVE-2007-5849). Elias Pipping (Gentoo) discovered that the alternate pdftops filter creates temporary files with predictable file names when reading from standard input (CVE-2007-6358). Furthermore, the resolution of a Denial of Service vulnerability covered in GLSA 200703-28 introduced another Denial of Service vulnerability within SSL handling (CVE-2007-4045). Impact : A remote attacker on the local network could exploit the first vulnerability to execute arbitrary code with elevated privileges by sending specially crafted SNMP messages as a response to an SNMP broadcast request. A local attacker could exploit the second vulnerability to overwrite arbitrary files with the privileges of the user running the CUPS spooler (usually lp) by using symlink attacks. A remote attacker could cause a Denial of Service condition via the third vulnerability when SSL is enabled in CUPS. Workaround : To disable SNMP support in CUPS, you have to manually delete the file '/usr/libexec/cups/backend/snmp'. Please note that the file is reinstalled if you merge CUPS again later. To disable the pdftops filter, delete all lines referencing 'pdftops' in CUPS' 'mime.convs' configuration file. To work around the third vulnerability, disable SSL support via the corresponding USE flag.
    last seen 2019-02-21
    modified 2018-11-14
    plugin id 29734
    published 2007-12-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29734
    title GLSA-200712-14 : CUPS: Multiple vulnerabilities
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1437.NASL
    description Several local vulnerabilities have been discovered in the Common UNIX Printing System. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-5849 Wei Wang discovered that a buffer overflow in the SNMP backend may lead to the execution of arbitrary code. - CVE-2007-6358 Elias Pipping discovered that insecure handling of a temporary file in the pdftops.pl script may lead to local denial of service. This vulnerability is not exploitable in the default configuration.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 29803
    published 2007-12-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29803
    title Debian DSA-1437-1 : cupsys - several vulnerabilities
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2008-036.NASL
    description Wei Wang found that the SNMP discovery backend in CUPS did not correctly calculate the length of strings. If a user could be tricked into scanning for printers, a remote attacker could send a specially crafted packet and possibly execute arbitrary code (CVE-2007-5849). As well, the fix for CVE-2007-0720 in MDKSA-2007:086 caused another denial of service regression within SSL handling (CVE-2007-4045). The updated packages have been patched to correct these issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 37571
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=37571
    title Mandriva Linux Security Advisory : cups (MDVSA-2008:036)
  • NASL family Misc.
    NASL id CUPS_1_3_5.NASL
    description According to its banner, the version of CUPS installed on the remote host contains an integer underflow in 'asn1_get_string' in 'backend/snmp.c' that leads to a stack-based buffer overflow. Provided the SNMP backend is configured in CUPS (true by default in CUPS 1.2 but not 1.3), an attacker may be able to exploit this issue by using specially crafted SNMP responses with negative lengths to overflow a buffer and execute arbitrary code on the affected system.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 29727
    published 2007-12-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29727
    title CUPS SNMP Back End (backend/snmp.c) asn1_get_string Function Crafted SNMP Response Remote Overflow
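The integer underflow named in the Summary and in the CUPS_1_3_5 Nessus description above (a crafted SNMP response whose BER length decodes to a negative value), modelled as an added example. This is constructed illustration code, not the CUPS source: the function names asn1_get_length_signed, vulnerable_copy_size, asn1_get_string_safe and safe_decode, the 64-byte destination buffer, and the two sample byte strings are assumptions made for the demonstration. The vulnerable path is modelled without executing the copy, so the program runs to completion; the hardened decoder beside it shows the checks that close the bug class.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed illustration of the CVE-2007-5849 bug class (added example,
 * not the CUPS source): a BER length decoded into a signed int goes negative
 * on a crafted long-form encoding, the guard "length < strsize" accepts it,
 * and memcpy() is then handed (size_t)length, which smashes the stack buffer.
 */

/* Constructed sample inputs (not captured traffic): the bytes that follow an
   OCTET STRING tag inside an SNMP GetResponse varbind. */
static const unsigned char good[] = { 0x05, 'H', 'P', 'L', 'J', '4' };
/* Long form: 0x84 = "four length bytes follow"; 0xFFFFFFF0 is -16 as an int. */
static const unsigned char evil[] = { 0x84, 0xff, 0xff, 0xff, 0xf0, 'A', 'A', 'A', 'A' };

/* Model of the flawed length parse: the result is returned as a signed int
   with no check on sign, on the number of length bytes, or on remaining input. */
static int asn1_get_length_signed(const unsigned char **buffer, const unsigned char *bufend)
{
    unsigned int acc;
    int count;

    if (*buffer >= bufend)
        return -1;
    acc = *(*buffer)++;
    if (acc & 0x80) {                         /* long form */
        count = (int)(acc & 0x7f);
        for (acc = 0; count > 0 && *buffer < bufend; count--)
            acc = (acc << 8) | *(*buffer)++;
    }
    /* Converting a value >= 2^31 to int is implementation-defined; GCC and
       Clang wrap it to a negative number. That is the "underflow". */
    return (int)acc;
}

/* Mirrors the vulnerable control flow without performing the copy: returns
   the byte count memcpy() would receive for a destination of strsize bytes. */
static size_t vulnerable_copy_size(const unsigned char *buf, size_t len, int strsize)
{
    const unsigned char *p = buf;
    int length = asn1_get_length_signed(&p, buf + len);

    if (length < strsize)            /* the only guard: a negative length passes */
        return (size_t)length;       /* -16 becomes SIZE_MAX - 15 */
    return (size_t)(strsize - 1);    /* truncating branch for over-long strings */
}

/* Hardened decoder: unsigned arithmetic, a capped length-of-length, and the
   length checked against both the remaining input and the destination
   (leaving room for the terminator). Returns bytes copied, or -1. */
static int asn1_get_string_safe(const unsigned char **buffer, const unsigned char *bufend,
                                char *string, size_t strsize)
{
    const unsigned char *p = *buffer;
    unsigned int length, count;

    if (p >= bufend || strsize == 0)
        return -1;
    length = *p++;
    if (length & 0x80) {
        count = length & 0x7f;
        if (count == 0 || count > sizeof length || count > (size_t)(bufend - p))
            return -1;               /* indefinite form or oversized length field */
        for (length = 0; count > 0; count--)
            length = (length << 8) | *p++;
    }
    if (length > (size_t)(bufend - p))
        return -1;                   /* value runs past the end of the packet */
    if (length >= strsize || length > INT_MAX)
        return -1;                   /* would not fit with a NUL terminator */
    memcpy(string, p, length);
    string[length] = '\0';
    *buffer = p + length;
    return (int)length;
}

/* Demo wrapper: decodes into a fixed 64-byte buffer and returns the code. */
static char decoded[64];
static int safe_decode(const unsigned char *buf, size_t len, size_t strsize)
{
    const unsigned char *p = buf;

    if (strsize > sizeof decoded)
        strsize = sizeof decoded;
    return asn1_get_string_safe(&p, buf + len, decoded, strsize);
}

int main(void)
{
    int rc;

    printf("vulnerable: memcpy would receive %zu bytes for a 64-byte buffer\n",
           vulnerable_copy_size(evil, sizeof evil, 64));
    printf("hardened:   crafted length rejected, rc=%d\n", safe_decode(evil, sizeof evil, 64));
    rc = safe_decode(good, sizeof good, 64);
    printf("hardened:   valid string rc=%d value=\"%s\"\n", rc, decoded);
    return 0;
}
```

The point to take from the two decoders is that rejecting a negative length alone is not sufficient: the hardened version also caps the number of length bytes, bounds the length by the bytes actually left in the datagram, and requires room for the terminator, so a response that lies about its own size is dropped before any copy happens.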
refmap via4
apple APPLE-SA-2007-12-17
bid
  • 26910
  • 26917
cert TA07-352A
confirm
debian DSA-1437
fedora FEDORA-2008-0322
gentoo GLSA-200712-14
mandriva MDVSA-2008:036
secunia
  • 28113
  • 28129
  • 28136
  • 28200
  • 28386
  • 28441
  • 28636
  • 28676
suse
  • SUSE-SA:2008:002
  • SUSE-SR:2008:002
ubuntu USN-563-1
vupen
  • ADV-2007-4238
  • ADV-2007-4242
xf
  • cups-asn1getstring-bo(39101)
  • macos-snmp-bo(39097)
statements via4
contributor Joshua Bressers
lastmodified 2008-01-02
organization Red Hat
statement Not vulnerable. This flaw does not affect the version of CUPS shipped in Red Hat Enterprise Linux 3 or 4. After a detailed analysis of this flaw, it has been determined it does not pose a security threat on Red Hat Enterprise Linux 5. For more details regarding this analysis, please see: https://bugzilla.redhat.com/show_bug.cgi?id=415131
Last major update 11-10-2011 - 00:00
Published 19-12-2007 - 16:46
Last modified 28-07-2017 - 21:33