OpenPrinting CUPS Heap-Based Buffer Overflow Vulnerability in Scheduler

A heap-based buffer overflow vulnerability has been identified in OpenPrinting CUPS versions through 2.4.16. The issue arises in the CUPS scheduler when constructing filter option strings from job attributes. The vulnerability allows an attacker who can submit IPP jobs to exploit memory corruption in the CUPS daemon by creating maliciously large 'job-uuid' or 'job-authorization-uri' attributes. This exploitation can lead to a crash of the CUPS daemon, causing a denial-of-service condition, and may potentially be leveraged for arbitrary code execution.

Impact

Exploitation of this vulnerability causes a heap-based buffer overflow in the CUPS daemon, 'cupsd', leading to a segmentation fault and crashing the service. However, such heap-overflow vulnerabilities are often exploitable to execute arbitrary code under the context of the user running the CUPS service.

Reproduction

The vulnerability can be reproduced by sending a crafted IPP 'Print-Job' request that includes oversized 'job-uuid' or 'job-authorization-uri' attributes. This can be done using a Python script that constructs the IPP request with the maliciously large URI values, which are then sent to a CUPS server. The CUPS server will crash due to the induced memory corruption, demonstrating the vulnerability.