Discovered by Tyler Bohan of Cisco Talos. Talos would also like to thank NYU Osiris Lab for helping out with these vulnerabilities.

Pharos PopUp Printer is printing software that is widely used to manage multiple connections to a single printing point. Services that run with root privileges that are open to network connections are a tempting target for attackers. Talos is disclosing the presence of three code execution vulnerabilities and a denial of service vulnerability in the psnotifyd application of the Pharos PopUp printer client version 9.0

TALOS-2017-0280, TALOS-2017-0283 Code Execution Vulnerabilities (CVE-2017-2785, CVE-2017-2788)

TALOS-2017-0282 Memcpy Code Execution Vulnerability (CVE-2017-2787)

TALOS-2017-0281 DecodeString Denial of Service Vulnerability (CVE-2017-2786)
 

Details

TALOS-2017-0280, TALOS-2017-0283

Exploitable buffer overflow vulnerabilities exists in the DecodeString and DecodeBinary functions of the application. In both cases a malicious packet can be crafted and sent to the victim’s computer that contains binary or string data along with an attacker controlled value describing the length of the data. Supplying an overly large value for the length of the data causes a loop in the respective functions to write outside of the allocated buffer resulting in a buffer overflow and ultimately to remote code execution. More details can be found here and here

TALOS-2017-0282

Blob data is encoded data returned to the client upon making the connection. It is partially controlled by the data passed in from the attacker to start. The BlobData function parses this data, continuously decrementing a register until the packet's end is reached. However there is no check to prevent the register decrementing past zero. If this happens, memcpy causes an out of bounds write. By causing multiple connections to the victim’s computer at once, it is possible to use this vulnerability to execute attacker supplied code. More details can be found here

TALOS-2017-0281

The DecodeString function accepts the length of data to be decoded as supplied by a value in the packet. An attacker is able to craft a malicious packet that supplies an invalid length of data value. The results in an invalid pointer pointing to an out of bounds memory location being dereferenced. This leads to an out of bounds access and a denial of service condition. More details can be found here

Tested Version

Pharos PopUp printer client version 9.0

Coverage

The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.
 Snort Rules: 41505 - 41510