[cups.general] print job phishing

Johannes Meixner jsmeix at suse.de
Fri Aug 10 00:50:23 PDT 2007


Hello,

On Aug 9 07:56 Michael Sweet wrote (shortened):
> Johannes Meixner wrote:
> > ... I would like to know if a default "ImplicitClasses Off"
> > and/or "HideImplicitMembers No" wouldn't be better so that it is
> > by default more secure because it is then more obvious on the other
> > workstations when there appear duplicated queues in the network.
....
> While such an attack is certainly possible, changing the defaults
> will *not* offer any real improvement in security while defeating
> an important CUPS feature, implicit classes.  Queues can be
> advertised with "@server" in the name, and sending a 'delete'
> packet followed by an advertisement for the malicious server's
> queue will defeat any possible configuration you use to "improve"
> security.

Many thanks for the explanation!

Would it be sufficiently secure to have
  BrowseAllow <IP-of-the-official-CUPS-server>
on the other workstations in the network?

With "sufficiently secure" I mean secure except that the malicious
user sets the IP of his workstation to the IP of the official
CUPS server (or whatever else which requires root permissions).

To avoid possible misunderstandings:

I don't have in mind that the malicious user has root permissions
on his workstation - in this case it is clear that he can usually
fake whatever server and service in the network.

I have only in mind that a normal user has printer admin
permissions on his workstation via a CUPS policy.

I.e. the normal user cannot install arbitrary software on his
workstation or modify installed software on his workstation.

On the one hand "sending a 'delete' packet followed
by an advertisement for the malicious server's queue"
can be done via stuff like "echo ... | netcat ..." but
on the other hand a normal user cannot use source port 631
on his workstation when sending such fake packages.

Does the cupsd on the other workstations check if the source port
of incoming browsing packages is 631 (or whatever the BrowsePort
setting is on the other workstations)?

If yes, wouldn't this be sufficient to be safe against
CUPS Browsing fakes from normal users in the network?


Background information why I ask such questions:

We had and have several requests that "normal users must be able
to set up queues on their workstations" and therefore we think
about possible bad consequences when it is allowed.


Kind Regards
Johannes Meixner
-- 
SUSE LINUX Products GmbH, Maxfeldstrasse 5, 90409 Nuernberg, Germany
AG Nuernberg, HRB 16746, GF: Markus Rex
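
The two checks discussed in the message above (a BrowseAllow-style source address restriction and a source port test), sketched as a monitoring aid. This is an added example, not part of the original message and not cupsd's own logic. The packet layout is the CUPS 1.x browse line (hex type, hex state, URI, quoted strings); the addresses, queue name and function names are constructed for illustration.

```python
import ipaddress
import shlex

CUPS_PRINTER_DELETE = 0x100000  # "delete" bit of the type field (value from cups.h)
BROWSE_PORT = 631               # default BrowsePort

# Constructed sample traffic: (source IP, source port, browse packet text).
SAMPLE = [
    ("192.0.2.10", 631, '2 3 ipp://192.0.2.10:631/printers/laser "Room 1" "Laser" "PS"'),
    ("192.0.2.55", 40312, '100002 3 ipp://192.0.2.10:631/printers/laser "" "" ""'),
    ("192.0.2.55", 40313, '2 3 ipp://192.0.2.55:631/printers/laser "Room 1" "Laser" "PS"'),
]

def parse_browse(payload):
    """Return (type, uri) from 'hex-type hex-state uri "location" "info" "model"'."""
    fields = shlex.split(payload)
    if len(fields) < 3:
        raise ValueError("too few fields")
    return int(fields[0], 16), fields[2]

def audit(packets, allowed):
    """Return [(packet index, [reasons])] for browse packets worth investigating."""
    nets = [ipaddress.ip_network(a) for a in allowed]
    owner = {}  # queue name -> source IP that first advertised it
    findings = []
    for i, (src, sport, payload) in enumerate(packets):
        reasons = []
        if not any(ipaddress.ip_address(src) in n for n in nets):
            reasons.append("source outside BrowseAllow")
        if sport != BROWSE_PORT:  # a non-root sender cannot bind privileged port 631
            reasons.append("source port is not BrowsePort")
        try:
            ptype, uri = parse_browse(payload)
        except ValueError:
            reasons.append("malformed packet")
        else:
            queue = uri.rstrip("/").rsplit("/", 1)[-1]
            if ptype & CUPS_PRINTER_DELETE:
                if owner.get(queue) == src:
                    del owner[queue]  # the advertising host withdrew its own queue
                else:
                    reasons.append("delete from a host that did not advertise the queue")
            elif owner.setdefault(queue, src) != src:
                reasons.append("queue re-advertised by a different host")
        if reasons:
            findings.append((i, reasons))
    return findings
```

Calling audit(SAMPLE, ["192.0.2.10"]) reports the second and third constructed packets and leaves the official server's own advertisement unflagged.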




