I hope this goes without saying but please do not run this on machines you don’t own.

The good news:

  • the exploit seems to require user action

The bad news:

  • Device Firewalls are ineffective against this

  • if someone created a malicious printer on a local network like a library they could create serious issues

  • it is hard to patch without breaking printing

  • it is very easy to create printers that look legit

  • even if you don’t hit print the cups user agent can reveal lots of information. This may be blocked at the Firewall

TLDR: you should be careful hitting print

  • @[email protected]
    link
    fedilink
    9
    edit-2
    3 months ago

    The questionable commit:

        {
          // Add the first line of localized text...
          cupsFilePrintf(fp, "*%s.%s %s/", lang->language, ppd_option, ppd_choice);
          while (*text && *text != '\n')
          {
            // Escape ":" and "<"...
            if (*text == ':' || *text == '<')
              cupsFilePrintf(fp, "<%02X>", *text);
            else
              cupsFilePutChar(fp, *text);
            text ++;
          }
          cupsFilePuts(fp, ": \"\"\n");
        }
    

    Can someone explain to me how this allows arbitrary code execution? As far as I can see, all it does iterate through a string and markup some special characters.

    Edit: Okay, after reading the blog post, and this fantastic bug report, it sounds like to print to a CUPS server, you send it a message on port 631 using an IPP (some print protocol) server. CUPS then requests attributes of the IPP server, one of which being the print filter command to run (“Foomatic-rip”) to use to convert a PS or PDF into native print code. By requesting attributes, an exploit involving string escaping through the use of unexpected spaces or quotes can override the Foomatic print command. Arbitrary text can be supplanted, which will then be executed by the CUPS server.

    • @somtwo
      link
      43 months ago

      From what I understand, this allows arbitrary command execution. So, an attacker can specify a string of text that something on the affected system will just plop into a command line and execute.