| HN Mirror

Y	Hacker News new \| ask \| show \| jobs

by bshipp 623 days ago

https://gist.github.com/stong/c8847ef27910ae344a7b5408d9840e...

Original report

Affected Vendor:

  - OpenPrinting

Affected Product

  - Several components of the CUPS printing system: cups-browsed, libppd, libcupsfilters and cups-filters.

Affected Version

  - All versions <= 2.0.1 (latest release) and master.

Significant ICS/OT impact?

  - no

Reporter

  - Simone Margaritelli [evilsocket@gmail.com]

Vendor contacted?

  - yes The vendor has been notified trough Github Advisories and all bugs have been confirmed:

- https://github.com/OpenPrinting/cups-browsed/security/adviso...

- https://github.com/OpenPrinting/libcupsfilters/security/advi...

- https://github.com/OpenPrinting/libppd/security/advisories/G...

- https://github.com/OpenPrinting/cups-filters/security/adviso...

I'm also in contact with the Canonical security team about these issues.

Description

  - The vulnerability affects many GNU/Linux distributions:

[https://pkgs.org/download/cups-browsed]

Google ChromeOS:

https://chromium.googlesource.com/chromiumos/overlays/chromi...

Most BSDs:

https://man.freebsd.org/cgi/man.cgi?query=cups-browsed.conf&...

And possibly more.

<snip>

1 comments

bshipp 623 days ago

How does an attacker exploit this vulnerability?

  - An attacker can exploit this vulnerability if it can connect to the host via UDP port 631, which is by default bound to INADDR_ANY, in which case the attack can be entirely remote, or if it's on the same network of the target, by using mDNS advertisements.

What does an attacker gain by exploiting this vulnerability?

  - Remote execution of arbitrary commands when a print job is sent to the system printer.

How was the vulnerability discovered?

  - A lot of curiosity (when I noticed the \*:631 UDP bind I was like "wtf is this?!" and went down a rabbit hole ...) and good old source code auditing.

Is this vulnerability publicly known?

  - No, the bugs are not known and the FoomaticRIPCommandLine vulnerability is known to be already patched (it isn't).

Is there evidence that this vulnerability is being actively exploited?

  - Not to the best of my knowledge.