[cups.general] print job phishing

Michael R Sweet msweet at apple.com
Fri Aug 10 09:53:21 PDT 2007


Johannes Meixner wrote:
> Hello,
> 
> On Aug 9 07:56 Michael Sweet wrote (shortened):
>> Johannes Meixner wrote:
>>> ... I would like to know if a default "ImplicitClasses Off"
>>> and/or "HideImplicitMembers No" wouldn't be better so that it is
>>> by default more secure because it is then more obvious on the other
>>> workstations when there appear duplicated queues in the network.
> ...
>> While such an attack is certainly possible, changing the defaults
>> will *not* offer any real improvement in security while defeating
>> an important CUPS feature, implicit classes.  Queues can be
>> advertised with "@server" in the name, and sending a 'delete'
>> packet followed by an advertisement for the malicious server's
>> queue will defeat any possible configuration you use to "improve"
>> security.
> 
> Many thanks for the explanation!
> 
> Would it be sufficiently secure to have
>   BrowseAllow <IP-of-the-official-CUPS-server>
> on the other workstations in the network?

That is certainly one way to do it, yes.  If you have sufficient
physical security and use encryption for remote jobs, limiting to
subnet(s) is probably good enough, too.  Just depends on how
paranoid you are...

> With "sufficiently secure" I mean secure except that the malicious
> user sets the IP of his workstation to the IP of the official
> CUPS server (or whatever else which requires root permissions).

That's the main issue, and keep in mind that "requiring root" isn't
really security.  For "secure" network printing you need a secure
network using a combination of encryption and physical measures.

> To avoid possible misunderstandings:
> 
> I don't have in mind that the malicious user has root permissions
> on his workstation - in this case it is clear that he can usually
> fake whatever server and service in the network.
> 
> I have only in mind that a normal user has printer admin
> permissions on his workstation via a CUPS policy.
> 
> I.e. the normal user cannot install arbitrary software on his
> workstation or modify installed software on his workstation.
> 
> On the one hand "sending a 'delete' packet followed
> by an advertisement for the malicious server's queue"
> can be done via stuff like "echo ... | netcat ..." but
> on the other hand a normal user cannot use source port 631
> on his workstation when sending such fake packages.

You don't need a source port of 631, just the destination (which
isn't limited to root).

> Does the cupsd on the other workstations check if the source port
> of incoming browsing packages is 631 (or whatever the BrowsePort
> setting is on the other workstations)?

No.

> If yes, wouldn't this be sufficient to be safe against
> CUPS Browsing fakes from normal users in the network?

Again, root access != security.  LPD tried that, and to my knowledge
it has not prevented unauthorized users from printing.

FWIW, I *think* the source port will be 631 from any current CUPS
host since we bind for listening, but since you can configure CUPS
to use any port for browsing I'm not sure we could enable such a
check anyways...

> Background information why I ask such questions:
> 
> We had and have several requests that "normal users must be able
> to set up queues on their workstations" and therefore we think
> about possible bad consequences when it is allowed.

That's the main area where implicit classes can have unwanted side-
effects, but defaulting printers to unpublished
(printer-is-shared=false) on queue creation can mitigate accidental
issues.

From the standpoint of implementation, I'd look at using group
membership and add the notion of "administrative" vs. "normal" users.
Groups can be used to do fine-grained privilege granting, particularly
for printing...

-- 
______________________________________________________________________
Michael R Sweet                        Senior Printing System Engineer
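The two checks the thread discusses, a BrowseAllow source filter and the "delete packet followed by a re-advertisement" sequence that it does not stop, as an added defender-side example (not code from CUPS or from this thread). The browse datagram layout (`type state uri "location" "info" "make-model"`, hex bitmask type) and the delete flag value are assumptions of this example, as are the sample addresses.

```python
import ipaddress
from dataclasses import dataclass

# Assumed datagram layout: 'type state uri "location" "info" "make-model"', type is a
# hex bitmask. The delete flag value below is this example's assumption, not CUPS's.
PRINTER_DELETE = 0x100000

@dataclass
class BrowseEvent:
    src_ip: str    # address the UDP datagram came from
    host: str      # host part of the advertised URI (ipp://host:631/printers/name)
    queue: str     # queue name, last path component of the URI
    delete: bool   # withdrawal packet rather than an advertisement

def parse_browse(src_ip: str, payload: str) -> BrowseEvent:
    ptype, _state, uri = payload.split(None, 3)[:3]
    hostport, path = uri.split("://", 1)[1].split("/", 1)
    return BrowseEvent(src_ip, hostport.split(":")[0], path.rsplit("/", 1)[-1],
                       bool(int(ptype, 16) & PRINTER_DELETE))

def browse_allowed(src_ip: str, allow: list) -> bool:
    """Emulate BrowseAllow: accept only datagrams whose source matches an allowed host/subnet."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in allow)

def audit(datagrams, allow):
    """Apply BrowseAllow, then flag source/URI mismatches and queues that change host."""
    owner, withdrawn, alerts = {}, {}, []
    for src_ip, payload in datagrams:
        if not browse_allowed(src_ip, allow):
            alerts.append(f"dropped: {src_ip} not in BrowseAllow")
            continue
        ev = parse_browse(src_ip, payload)
        if ev.host != ev.src_ip:  # only meaningful when the URI carries an IP literal
            alerts.append(f"mismatch: {ev.src_ip} sent packet for {ev.queue} claiming host {ev.host}")
        if ev.delete:
            withdrawn[ev.queue] = owner.pop(ev.queue, ev.host)
            continue
        prev = owner.get(ev.queue) or withdrawn.pop(ev.queue, None)
        if prev and prev != ev.host:
            alerts.append(f"takeover: queue {ev.queue} moved from {prev} to {ev.host}")
        owner[ev.queue] = ev.host
    return alerts

# Constructed sample traffic: official server 192.0.2.10; a workstation 192.0.2.77 on the
# same subnet withdraws the server's queue, then re-advertises the same name for itself.
SAMPLE = [
    ("192.0.2.10", '3 3 ipp://192.0.2.10:631/printers/office "Room 1" "Office" "Generic PS"'),
    ("198.51.100.7", '3 3 ipp://198.51.100.7:631/printers/office "" "Office" "Generic PS"'),
    ("192.0.2.77", '100003 3 ipp://192.0.2.10:631/printers/office "" "" ""'),
    ("192.0.2.77", '3 3 ipp://192.0.2.77:631/printers/office "Room 1" "Office" "Generic PS"'),
]

if __name__ == "__main__":
    for line in audit(SAMPLE, ["192.0.2.0/24"]):
        print(line)
```

The subnet filter drops the outside host but passes the same-subnet workstation, so only the mismatch and takeover alerts reveal the spoofed withdrawal, which is the point Michael makes about BrowseAllow alone.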