Linux

48208 readers

1004 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
No misinformation
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago

MODERATORS

[email protected]

184

The CUPS explout is here: GitHub - RickdeJager/cupshax (github.com)

submitted 1 month ago* (last edited 1 month ago) by [email protected] to c/[email protected]

14 comments fedilink hide all child comments

I hope this goes without saying but please do not run this on machines you don't own.

The good news:

the exploit seems to require user action

The bad news:

Device Firewalls are ineffective against this
if someone created a malicious printer on a local network like a library they could create serious issues
it is hard to patch without breaking printing
it is very easy to create printers that look legit
even if you don't hit print the cups user agent can reveal lots of information. This may be blocked at the Firewall

TLDR: you should be careful hitting print

all 15 comments

sorted by: hot top controversial new old

[–] [email protected] 9 points 1 month ago* (last edited 1 month ago) (2 children)

The questionable commit:

    {
      // Add the first line of localized text...
      cupsFilePrintf(fp, "*%s.%s %s/", lang->language, ppd_option, ppd_choice);
      while (*text && *text != '\n')
      {
        // Escape ":" and "<"...
        if (*text == ':' || *text == '<')
          cupsFilePrintf(fp, "<%02X>", *text);
        else
          cupsFilePutChar(fp, *text);
        text ++;
      }
      cupsFilePuts(fp, ": \"\"\n");
    }

Can someone explain to me how this allows arbitrary code execution? As far as I can see, all it does iterate through a string and markup some special characters.

Edit: Okay, after reading the blog post, and this fantastic bug report, it sounds like to print to a CUPS server, you send it a message on port 631 using an IPP (some print protocol) server. CUPS then requests attributes of the IPP server, one of which being the print filter command to run ("Foomatic-rip") to use to convert a PS or PDF into native print code. By requesting attributes, an exploit involving string escaping through the use of unexpected spaces or quotes can override the Foomatic print command. Arbitrary text can be supplanted, which will then be executed by the CUPS server.

[–] [email protected] 2 points 1 month ago

Take a look at the exploit code

[–] [email protected] 4 points 1 month ago

From what I understand, this allows arbitrary command execution. So, an attacker can specify a string of text that something on the affected system will just plop into a command line and execute.

[–] [email protected] 27 points 1 month ago (1 children)

CUPS facing the public internet sounds a bit crazy. Why would you print when not physicly near the printer?

[–] [email protected] 9 points 1 month ago (1 children)

I think this would likely be most troublesome on some of the OG internet users that got a whole freaking /8, /10, or /12 or something like AT&T or universities. Up until very recently, and possibly even to the present, these organizations had such large IPv4 space, that there was no need to do NAT, and each device had a publicly addressable IP.

https://en.wikipedia.org/wiki/List_of_assigned_/8_IPv4_address_blocks

[–] [email protected] 8 points 1 month ago (1 children)

Everything would still be behind a firewall though

[–] [email protected] 5 points 1 month ago

everything should be behind a firewall

[–] [email protected] 2 points 1 month ago

Man, this is such a silly and unfortunate exploit. Damn! I hope it gets patched quick.