[cups.general] print job phishing

Michael Sweet mike at easysw.com
Thu Aug 9 07:56:33 PDT 2007


Johannes Meixner wrote:
> Hello,
> 
> I wonder if the current defaults "ImplicitClasses On"
> and "HideImplicitMembers Yes" are sufficiently secure.
> 
> Reasoning:
> 
> When printing in the network is done via usual CUPS Browsing,
> on the other workstations in the network all announced queues
> with the same name build automatically a so called "implicite class"
> so that a print job which is sent to the destination with this name
> is printed on an arbitrary printer in this class.
> 
> A malicious user who is allowed to do printing admin stuff
> on his workstation can set up queues on his workstation
> with the same name as queues on the official CUPS server
> and announce his queues in the network.
> ...

This is a long-known issue with CUPS browsing; more generally a
malicious user with physical access to the network can manipulate
shared printer queues leading to denial of service and redirection of
jobs.

Fortunately, such attacks are trivial to detect and track down - you
can't do an attack like that and remain anonymous.

More generally, a user with physical access to the network can
anonymously record all network traffic and obtain all unencrypted
print jobs with ease.

> Therefore I would like to know if a default "ImplicitClasses Off"
> and/or "HideImplicitMembers No" wouldn't be better so that it is
> by default more secure because it is then more obvious on the other
> workstations when there appear duplicated queues in the network.
> 
> If there are duplicated queues in the network intentionally,
> the above defaults woudn't hinder printing and furthermore the
> network admin could in this special case change the settings
> on the other workstations as he likes.
> 
> What do you think?

While such an attack is certainly possible, changing the defaults
will *not* offer any real improvement in security while defeating
an important CUPS feature, implicit classes.  Queues can be
advertised with "@server" in the name, and sending a 'delete'
packet followed by an advertisement for the malicious server's
queue will defeat any possible configuration you use to "improve"
security.

We could make spoofing attacks more difficult by adding a
crytographic signature to the browse packets.  You'd need to add a
(shared) signing key to every system on the network so that systems
sharing printers can sign their browse packets and clients can
validate the incoming packets using the signature.  Obviously, if
the attacker obtains the signing key then you don't get any extra
security, and managing a shared key is not trivial...

Another alternative is to disable the automatic use of advertised
printers, but instead have users manually add printers that are being
advertised using Bonjour/DNS-SD, LDAP, or SLP.  This is, IMHO, a step
backward in usability and makes setting up high-availability and fail-
safe printing that much harder since you have to create all of the
printer and class queues manually on each client system.  It is also
still not invulnerable to spoofing attacks since a user with
physical access to the network can still register their printers
with the corresponding protocols...

.....

To summarize:

     1. Once a malicious user gains access to a network, there are
        numerous ways to compromise that network.

     2. CUPS browsing attacks are easy to detect.

     3. Disabling key features of CUPS browsing does not offer any
        added security while making printing much less usable.

     4. Adding a signing key for browse packets would make CUPS
        browsing more secure but would require active configuration
        of every system on the network to be effective.

     5. Using alternate protocols and/or manual configuration of
        shared printers can offer improved security at the expense
        of usability/convenience.

-- 
______________________________________________________________________
Michael Sweet, Easy Software Products           mike at easysw dot com
Internet Printing and Publishing Software        http://www.easysw.com




More information about the cups mailing list