[feisty] CSRF allows test page printing

Bug #106245 reported by Amnon Aaronsohn
Affects          Status   Importance  Assigned to  Milestone
cupsys (Ubuntu)  Invalid  Low         Unassigned

Bug Description

Binary package hint: cupsys

I just found out cups is set up to listen for HTTP requests on port 631. Some commands require authentication but others don't, which I guess can be exploited. Take for example this html code:

<html>
<body>
Testing.
<!-- The browser fetches this "image" from the local cupsd as a plain GET;
     the query string selects the operation, so loading the page runs it. -->
<img src="http://localhost:631/printers/DeskJet-XXX?op=print-test-page">
</body>
</html>

If you have a printer with the given model, browsing to this page will make cups print a test page.

Of course, this code can be extended to include a list of multiple models, other operations, etc. Even operations which need authentication can be exploited if the username and password are cached.
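As an added illustration (not part of this report and not CUPS code): a small Python model of the endpoint the report describes, next to a version with the two controls that defeat this kind of CSRF, so the two claims above can be checked against constructed requests. The printer name, the admin credentials, the hypothetical "clear-queue" operation and the attacker host are all made up for the example; the request texts are constructed by hand to match what a browser would send for the `<img>` tag and for a form submission.

```python
# Added example (not from the bug report or from CUPS): a model of the
# GET-triggered print endpoint described above next to a CSRF-hardened one.
# Printer name, admin credentials, the "clear-queue" operation and the
# attacker host are constructed for illustration.
import base64
from urllib.parse import parse_qs, urlsplit

LOCAL_ORIGIN = "http://localhost:631"
SAFE_OPS = {"print-test-page"}      # the operation the PoC <img> triggers
ADMIN_OPS = {"clear-queue"}         # hypothetical operation needing credentials
ADMIN_CREDS = ("admin", "secret")   # constructed

def parse_request(raw):
    """Parse minimal HTTP/1.x request text into method, path, query, headers, body."""
    head, _sep, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ")
    parts = urlsplit(target)
    headers = {n.strip().lower(): v.strip()
               for n, _s, v in (line.partition(":") for line in header_lines)}
    return {"method": method, "path": parts.path,
            "query": parse_qs(parts.query), "headers": headers, "body": body}

def printer_from_path(path):
    """'/printers/DeskJet-XXX' -> 'DeskJet-XXX'; None for any other path."""
    prefix = "/printers/"
    return path[len(prefix):] if path.startswith(prefix) and len(path) > len(prefix) else None

def has_valid_auth(headers):
    """HTTP Basic check. A browser replays a cached Authorization header on a
    cross-site request too, which is why authentication alone does not stop CSRF."""
    value = headers.get("authorization", "")
    if not value.startswith("Basic "):
        return False
    try:
        user, _sep, password = base64.b64decode(value[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    return (user, password) == ADMIN_CREDS

def vulnerable_handle(req):
    """Behaviour the report describes: a plain GET with ?op=... performs the
    operation. Returns (status, action); action is None when nothing ran."""
    printer = printer_from_path(req["path"])
    op = req["query"].get("op", [None])[0]
    if printer is None or op is None:
        return 404, None
    if op not in SAFE_OPS | ADMIN_OPS:
        return 400, None
    if op in ADMIN_OPS and not has_valid_auth(req["headers"]):
        return 401, None
    return 200, f"{op} on {printer}"

def is_same_origin(headers):
    """Origin (preferred) or Referer must name our own origin. Both missing
    fails closed, so a cross-site <img> or auto-submitted form cannot pass."""
    origin = headers.get("origin")
    if origin is not None:
        return origin == LOCAL_ORIGIN
    referer = headers.get("referer")
    if referer is None:
        return False
    parts = urlsplit(referer)
    return f"{parts.scheme}://{parts.netloc}" == LOCAL_ORIGIN

def hardened_handle(req):
    """Same endpoint with two CSRF controls: state changes only via POST, and
    only from a same-origin page. The origin check runs before the credential
    check, so cached credentials no longer expose the admin operations."""
    printer = printer_from_path(req["path"])
    if printer is None:
        return 404, None
    if req["method"] != "POST":
        return 405, None                  # GET stays side-effect free
    if not is_same_origin(req["headers"]):
        return 403, None
    op = parse_qs(req["body"]).get("op", [None])[0]
    if op not in SAFE_OPS | ADMIN_OPS:
        return 400, None
    if op in ADMIN_OPS and not has_valid_auth(req["headers"]):
        return 401, None
    return 200, f"{op} on {printer}"

def raw_request(method, target, headers, body=""):
    """Build request text the way a browser would send it (constructed input)."""
    lines = [f"{method} {target} HTTP/1.1", "Host: localhost:631", *headers]
    return "\r\n".join(lines) + "\r\n\r\n" + body

CACHED_AUTH = "Authorization: Basic " + base64.b64encode(b"admin:secret").decode()
ATTACKER = ["Referer: http://attacker.example/page.html"]
REQUESTS = {
    # what the <img> in the PoC makes the victim's browser send
    "img_get": raw_request("GET", "/printers/DeskJet-XXX?op=print-test-page", ATTACKER),
    # same for an operation needing auth, with the browser's cached credentials attached
    "img_get_admin": raw_request("GET", "/printers/DeskJet-XXX?op=clear-queue", ATTACKER + [CACHED_AUTH]),
    # a form on the attacker's page auto-submitted by script
    "cross_site_post": raw_request("POST", "/printers/DeskJet-XXX",
                                   ["Origin: http://attacker.example"] + ATTACKER, "op=print-test-page"),
    # a legitimate click in the local web interface
    "local_post": raw_request("POST", "/printers/DeskJet-XXX",
                              ["Origin: http://localhost:631"], "op=print-test-page"),
}

def demo():
    """Run every constructed request through both handlers: {name: (vulnerable, hardened)}."""
    return {name: (vulnerable_handle(parse_request(raw)), hardened_handle(parse_request(raw)))
            for name, raw in REQUESTS.items()}

if __name__ == "__main__":
    for name, (before, after) in demo().items():
        print(f"{name:16} vulnerable={before}  hardened={after}")
```

Two things worth noting about the hardened version. It fails closed when neither Origin nor Referer is present, which also blocks users whose browser or proxy strips Referer; the usual complement is a per-session token embedded in the server's own forms, which a remote page cannot read and so cannot supply. And the `Allow localhost` style of access control quoted later in this thread does not help here at all, because the request really does come from localhost, from the victim's own browser.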

Revision history for this message
Brian Murray (brian-murray) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. With which version of cupsys and Ubuntu did you notice this? Thanks in advance.

Changed in cupsys:
assignee: nobody → brian-murray
status: Unconfirmed → Needs Info
Revision history for this message
Amnon Aaronsohn (bla-cs) wrote : Re: [Bug 106245] Re: [feisty] web vulnerability

On 4/13/07, Brian Murray <email address hidden> wrote:
> With which version of cupsys and Ubuntu did you notice this?

ubuntu feisty (as the subject line says...), cupsys version 1.2.8-0ubuntu8.

Amnon

Revision history for this message
Martin Pitt (pitti) wrote : Re: [feisty] web vulnerability

Please elaborate on this. By default, cupsd only listens on localhost. Local users can do printing operations much more easily.

On top of that, administrative operations are restricted to localhost:

  # Restrict access to the admin pages...
  <Location /admin>
    Order allow,deny
    Allow localhost
  </Location>

If you manually enable cupsd to listen on all ports (as gnome-cups-manager's 'Share printer' menu option does), remote printing is probably exactly what you want. :)

So, what is the vulnerability here?

Revision history for this message
Amnon Aaronsohn (bla-cs) wrote : Re: [Bug 106245] Re: [feisty] web vulnerability

On 4/16/07, Martin Pitt <email address hidden> wrote:
> Please elaborate about this. By default, cupsd only listens on
> localhost. Local users can do printing operations much easier.

cupsd listens on localhost, but remote web pages can make the browser
access it, as in the example above. Note that the remote web server
doesn't contact cupsd; the locally running web browser does, without
user intervention.

Even if you enable cupsd to listen on all ports, you probably don't
want remote web pages to execute commands which require
authentication, but AFAIK this attack can also work for these commands
since the browser will send the credentials if they're cached.

This can be considered a simple case of CSRF
(http://en.wikipedia.org/wiki/Csrf).

BTW, I'm not sure if the URL always contains the printer's model (as
in my configuration) or some other simple name. To reproduce the bug
you may have to browse first to localhost:631 and copy the URL for a
command into the html code. (The remote attacker doesn't have to do
this if he can guess the URL).

Revision history for this message
Kees Cook (kees) wrote : Re: [feisty] web vulnerability

Yes, this is a design flaw in how CUPS handles its URLs. As described, I think this is only a minor issue, since the printer name must be known, and no attacker input is used (it prints the pre-configured test page, and not text that the attacker can control). However, further investigation into CUPS is needed, in case there are additional vectors.

Changed in cupsys:
assignee: brian-murray → keescook
importance: Undecided → Low
status: Needs Info → Confirmed
Kees Cook (kees)
Changed in cupsys:
assignee: keescook → nobody
Revision history for this message
Phillip Susi (psusi) wrote :

Hardy has reached end of life, and this package is not present in later releases. Closing all related bugs.

Changed in cupsys (Ubuntu):
status: Confirmed → Invalid