[cups.general] print job phishing

Johannes Meixner jsmeix at suse.de
Thu Aug 9 03:36:53 PDT 2007 

Hello,

I wonder if the current defaults "ImplicitClasses On"
and "HideImplicitMembers Yes" are sufficiently secure.

Reasoning:

When printing in the network is done via usual CUPS Browsing,
on the other workstations in the network all announced queues
with the same name build automatically a so called "implicite class"
so that a print job which is sent to the destination with this name
is printed on an arbitrary printer in this class.

A malicious user who is allowed to do printing admin stuff
on his workstation can set up queues on his workstation
with the same name as queues on the official CUPS server
and announce his queues in the network.

Because of "ImplicitClasses On" and "HideImplicitMembers Yes"
on the other workstations their users cannot notice that
duplicated queues exist so that the malicious user
could do "print job phishing".

If the malicious user is a bit smart, he would copy and forward
any phished job to the matching queue on the official CUPS server
so that the other users won't notice anything, just like
http://www.cups.org/str.php?L790

Even if the malicious user is dumb (or cannot set up his own
filters for whatever reason), very most other users would simply
re-submit a print job until it appears by chance on the official
printer.

Please note that I meant exactly "a malicious user who is allowed
to do printing admin stuff on his workstation".
I.e. the network admin may have allowed him printing admin stuff
via an appropriate policy in cupsd.conf on his workstation
but the network admin may not have expected that this is already
sufficient to cause security problems for the official printing
in the network.

Therefore I would like to know if a default "ImplicitClasses Off"
and/or "HideImplicitMembers No" wouldn't be better so that it is
by default more secure because it is then more obvious on the other
workstations when there appear duplicated queues in the network.

If there are duplicated queues in the network intentionally,
the above defaults woudn't hinder printing and furthermore the
network admin could in this special case change the settings
on the other workstations as he likes.

What do you think?

Kind Regards
Johannes Meixner
-- 
SUSE LINUX Products GmbH, Maxfeldstrasse 5, 90409 Nuernberg, Germany
AG Nuernberg, HRB 16746, GF: Markus Rex

More information about the cups mailing list