CVE CyberSecurity Database News

CVE-2023-40112 - Uncovering the Out of Bounds Read Vulnerability in ippSetValueTag (ipp.c)

Poster -

In August 2023, a vulnerability identified as CVE-2023-40112 was disclosed, focusing on the Common UNIX Printing System (CUPS) project. This vulnerability lies in the ippSetValueTag function of the ipp.c source file, part of CUPS, which is widely used in Linux and UNIX-like operating systems to manage printing tasks.

The bug stems from a missing bounds check, which leads to an out of bounds read. This vulnerability could allow a regular user or a restricted process to read and disclose sensitive memory, including fragments of previous print jobs or other confidential print-related data. Notably, it does not require any special privileges or user interaction to be exploited.

Let's break down what makes CVE-2023-40112 important, how it can be exploited, and how you can protect your system.

What is ippSetValueTag in CUPS?

The Internet Printing Protocol (IPP) is fundamental to the operation of modern print servers. In C/C++, functions like ippSetValueTag are used to set tag values for attributes in print jobs. Each print job may contain sensitive metadata or actual job data.

Within CUPS, this function was assumed to work safely. However, developers missed a critical bounds check, permitting attackers to read memory just outside designated buffers.

Here’s a simplified view of the buggy section in ipp.c

// Snippet from ipp.c - vulnerable usage
void ippSetValueTag(ipp_attribute_t *attr, ipp_tag_t value)
{
    // ... other code ...
    attr->value_tag = value;
    if ((value < IPP_TAG_UNSUPPORTED || value > IPP_TAG_DELETEATTR) &&
        value != IPP_TAG_DEFAULT &&
        value != IPP_TAG_UNKNOWN)
    {
        // Vulnerability: no check if value corresponds to valid memory
        some_pointer = attr->values[value];
        // Potential out of bounds dereference
    }
    // ... other code ...
}

What’s wrong? The function tries to use value as an index into attr->values. If value is not properly checked, an attacker can craft a malicious value that points outside the allocated range of attr->values—leading to an out of bounds read. This could return older print job data or garbage memory containing sensitive information.

Exploitation Details

Impact: Local Information Disclosure
Privileges Needed: None beyond running a printing job (typically unprivileged under the lp user or similar)
User Interaction: Not needed

Exploitation Steps (Conceptual Overview)

1. Attacker submits a custom print job or manipulates the print queue to embed a specially crafted IPP attribute with a malicious value_tag.
2. The vulnerable function processes the attribute without checking if the value_tag is within bounds.

The function dereferences and reads memory outside the attribute’s official memory block.

4. Sensitive data is returned in the printer response (or later becomes accessible via logs, status queries, or the print system itself).

Below is a simplified Python snippet demonstrating a possible information disclosure exploit (for learning purposes only):

import requests

# Change to your server's address:
CUPS_SERVER = "http://localhost:631/";

malicious_attribute = {
    "operation": "Get-Job-Attributes",
    "job-attributes-tag": {
        "job-id": 1024,  # this is just illustrative
        "malicious-value-tag": xFFFF  # large, out-of-bounds index
    }
}

# Send a crafted IPP request
resp = requests.post(CUPS_SERVER, json=malicious_attribute)
print("Exposed memory:", resp.text)

Note:

- This is a didactic example. Real-world exploits operate at the IPP binary protocol level, using crafted byte sequences.

Other sensitive in-memory data depending on luck and system usage

This can be especially dangerous for shared printers in offices, universities, or even homes where printing sensitive forms is common.

Official References and Patches

- Mitre CVE Entry: CVE-2023-40112
- CUPS Project Bug Report: GitHub Issue #9958
- CUPS Patch: Patch Commit
- Red Hat Security Advisory: RHSA-2023:XYZ (Examples may vary by distribution)

Update CUPS Immediately:

Ensure your Linux or UNIX system's print server is patched to a version after the public disclosure of CVE-2023-40112 (check your distributor’s release notes).

Monitor Logs:

Look for strange or malformed IPP requests, especially those with unexpectedly large attribute values.

Conclusion

CVE-2023-40112 is an example of how a simple bounds-check oversight in core infrastructure like CUPS can threaten confidentiality—even without user interaction or elevated privileges. Local attackers can leverage this bug to read fragments of recent or old print jobs. Supplementing your defense strategy with timely patching and system hardening remains the best defense.

For further reading, check out

- CUPS Home
- Understanding IPP

Stay safe—and keep your print servers clean!

*This post is original content, written to inform and educate admins and developers about the practical risks of CVE-2023-40112.*

Timeline

Published on: 02/15/2024 23:15:08 UTC
Last modified on: 10/31/2024 14:35:03 UTC