Following recent vulnerabilities in the CUPS server, I created two signatures alerting you if your server is vulnerable on the two following CVE:
  • CVE-2008-0047: Heap-based buffer overflow in the cgiCompileSearch function in CUPS 1.3.5, and other versions including the version bundled with Apple Mac OS X 10.5.2, when printer sharing is enabled, allows remote attackers to execute arbitrary code via crafted search expressions.
  • CVE-2008-0882: Double free vulnerability in the process_browse_data function in CUPS 1.3.5 allows remote attackers to cause a denial of service (daemon crash) and possibly execute arbitrary code via crafted UDP Browse packets to the cupsd port (631/udp), related to an unspecified manipulation of a remote printer. NOTE: some of these details are obtained from third party information.

These signatures are:
alert tcp any 631 -> any any (msg:"PVR - CUPS Heap-based buffer overflow in the cgiCompileSearch function"; flags:PA; flow:established; content:"Server: CUPS/1.3.5"; reference:cve,2008-0047; sid:200804021; rev:2;)
alert udp any 631 -> any any (msg:"PVR - CUPS Double free vulnerability in the process_browse_data function"; flags:PA; flow:established; content:"Server: CUPS/1.3.5"; reference:cve,2008-0882; sid:200804031; rev:1;)

And are of course available from the snort Passive Vulnerability Rulesets from the Signatures.NU project:

svn co http://svn.signatures.nu/snort/pvr/unstable pvr