CUPS Security Vulnerabilities 155

Buck Naked writes "A slew of vulnerabilities was discovered in CUPS, from the advisory: 'Exploitation of multiple CUPS vulnerabilities allow local and remote attackers in the worst of the scenarios to gain root privileges...' The full advisory can be found at iDEFENSE."

  • by norculf ( 146473 ) on Thursday December 19, 2002 @09:40PM (#4927549) Journal
    Common sense applies. The outside world doesn't need access to your printers, so firewall it and remember to patch it once in a while and you might be safe...
    • I haven't been a fan of CUPS -- lprng or other alternatives might be a better choice.
      • FYI given enough time and enough circulation every piece of software *WILL* have security vulnerabilities. I don't care who writes it or how many code reviews are held, it will happen. So suggesting to switch to another package to avoid a fixable security flaw is stupid.

        Now, there are some packages that are inherently more secure than others (i.e. qmail vs sendmail), but I don't think this is a case of that, more your personal views clouding the issue.

        -Ian
    • I agree with you at home no one should need to print to your printers from the outside world. In a corporate environment though there are many real world times when printing to different locations may be needed ...
    • At least one of these is exploitable via a url... I think that was mentioned somewhere in the advisory. (If not, that is what the remote method is, so you know.)

      If you get an email with a specially constructed image link in it, or visit a website with that url, you can be remotely exploited... it ignores the firewall because it is you doing the connecting to it. (Can even put every possible address you might have a printer on your LAN into a page, with every possible offset... or at least the most likely ones... too many malformed connections, and your daemon dies... remote denial of service maybe?)

      Filtering connections to port 631 in mozilla/netscape would protect you from this, but it would also stop you being able to use the administration via http features of CUPS, which gives you the proverbial choice between dancing elephants and security, it seems.

      Overview:

      You MUST patch it to be protected. Firewalling also won't protect you from malicious local users getting root, and it won't stop you being hacked by yourself.
      • Filtering connections to port 631 in mozilla/netscape would protect you from this, but it would also stop you being able to use the administration via http features of CUPS, which gives you the proverbial choice between dancing elephants and security, it seems.

        Our LAN's CUPS configuration allows port 631 connections only from administrative workstations. IMHO, that's just common-sense security. This could be enforced with a combination firewall and switch/router ACLs that segregate IP sources. If administrators need to perform administrative tasks while 'on the run', they can always VPN to an administrative area.

        As for a smaller LAN, just a simple ACL and firewall configuration should suffice. The biggest assumption, of course, is that those using the administrative workstations are clueful* enough to be wary about opening images in e-mail and what-not.

        You MUST patch it to be protected. Firewalling also won't protect you from malicious local users getting root, and it won't stop you being hacked by yourself.

        Oh, without question. Sadly, the CUPS website is severely lacking in documentation and security advisories. I tried to check the "More Info" for the December 19th release, but was returned to the homepage. So I've downloaded it and will check the ChangeLog instead.

        * (I can't believe I just used that term!)

    • That works fine for you, and a lot of home users, but what about those of us who run a network? Shall we all just assume that nobody that has access wants to break in? Why not just leave the root password blank and save them the trouble? /me Is glad he's using good ol' lpd.
    • No kidding. I recently set up CUPS on my system, and it automatically added four printers that were clearly not on my system. One of my neighbours (I'm on cable) is no doubt still scratching his head over the test page I sent. :-) I found it expeditious to add Allow from @IF and Deny from @IF statements. I don't have to worry (at the moment) about internal attacks -- my kids aren't that sophisticated (yet).

  • It's a good thing most new users can't set up CUPS and just disable it ;)

    Until RedHat 8 came out that is!
  • by mao che minh ( 611166 ) on Thursday December 19, 2002 @09:46PM (#4927566) Journal
    While many might chime in here saying this story would be better suited on security sites, I for one just heard about it now. I also plugged about 3 vulnerabilities because of it.
  • by Erore ( 8382 ) on Thursday December 19, 2002 @09:46PM (#4927567)
    http://www.cups.org/news.php?V87

    Whew, I feel much safer now. It's always nice that someone feels ownership for the code, thus that someone takes quick action and fixes the problems. Thank you Michael Sweet for a great print system and quick action.
    • Yes, the quick reaction to this was great.

      But what is not so great is that there is no simple way of verifying that the patched code available for download in fact is the patched code.

      We really need some kind of digital signature system so that we can ensure that we are not downloading fixes from a hijacked ftp server.

      The best thing to do would of course be to validate the code yourself. But many people don't have that kind of skills, so they would probably go for just trusting the author, but without a digital signature how do we know that the code we download is the real thing?
  • Vendor notes... (Score:5, Informative)

    by Anonymous Coward on Thursday December 19, 2002 @09:47PM (#4927570)

    Michael Sweet [mike@easysw.com] of Easy Software Products said CUPS 1.1.18 will be released December 19, 2002 which addresses all of these issues (http://www.cups.org [cups.org]).

    Mark J Cox (mjc@redhat.com) of Red Hat said the following:

    "Red Hat Linux 7.3 and 8.0 ship with CUPS, however it is not enabled by default. We are currently working on producing erratum packages. When complete, these will be available along with our advisory. At the same time, users of the Red Hat Network will be able to update their systems
    using the 'up2date' tool."

    Richard Blanchard (rblanchard@apple.com) of Apple said the following:

    "Affected Systems:
    Mac OS X 10.2 - Mac OS X 10.2.2
    Mac OS X Server 10.2 - Mac OS X Server 10.2.2

    Mitigating Factors:

    The described vulnerability can be remotely exploited only when Printer Sharing is enabled. Printer Sharing is not enabled by default on Mac OS X or Mac OS X Server.

    Fixed in: Mac OS X 10.2.3 and Mac OS X Server 10.2.3"
  • by goldid ( 310307 ) <matthew@go l d m a ninternet.com> on Thursday December 19, 2002 @09:47PM (#4927571) Homepage
    I'd just like to note how good the response is. The list of vulnerabilities is well stated and very complete. Furthermore, the time line of events is excellent and patching was superb and fast. My OS X box was patched before I even knew about the vulnerability. Thanks to iDEFENSE and zen-parse.
    • by Anonymous Coward
      Yes, but your OS X box was patched over a month after the first person to find these holes knew about them. How many people might've come to know about them in that time? But I suppose it's a good thing your box was patched before you knew about it, no chance that you 0wned your own box beforehand.
      • by zen parse ( 607603 ) on Friday December 20, 2002 @02:34AM (#4928302)
        > How many people might've come to know about them in that time?

        I would estimate that no more than 4 to 6 people had complete access to all of the problems before they were made public.

        To the best of my knowledge none of these problems were ever exploited in the wild. (And if they were, as long as people patch their systems, they won't be.)

        I found these problems by auditing the source, and not because of any rumors of active exploitation.

        Open source software is sometimes considered to be more secure than closed source because you can see the source code.... the same reason other people say that it is less secure.

        For being able to see the source code to make any difference at all, someone actually has to look at it, which doesn't appear to happen as often as either side claims it does.

        All it takes for a piece of software to be insecure is one exploitable problem, whether it is open or closed source.

        What helps keep people secure is publicity that there is something wrong.

        It's no use there being patches made available if nobody knows there was a problem... this article has probably done more for getting people's boxes patched than all the security lists combined.

        Anonymous Coward complained that it was a month between the holes being discovered and the patch being released... check out the problems I found with the posterboy of open source in business, Netscape/Mozilla... 4 months to get some of them fixed... and when they released a buggy version and patched it 2 days later (or something like that) people actually CONGRATULATED THEM!!! Publicity over the bugs in Mozilla/Netscape was minimal to say the least...

        Look at Code Red. Publicity caused that to be much less of a problem than it could've been.

        The more exploits the 'bad guys' have, the more likely those exploits will be patched.

        Having an exploit for a vulnerability that is patched on 99% of boxes is pretty much useless... distributing an exploit with your advisory isn't 'a necessary evil', it's a bloody good idea.

        A complete working script kiddie friendly exploit for every hole that is found should be given away, free of charge. Let the holes that people don't patch get exploited. If you know that within a day of a security advisory being released there will be an easy to use way for anyone in the world to use it against you, are you going to let your guard down?

        -- zen-parse
  • does this apply to the CUPS distributed with MAC OS X?

    If so... with the recent move by GNU-Darwin away from mac-proprietary development, what's the relationship of bugs like this being found in software that is part of OS X and the Apple developers working to fix said bugs?

    i use CUPS. i think it's neat.

    • i use CUPS. i think it's neat.

      I use CUPS too but it's not always neat; I haven't been able to fix the spilling bug that always occurs if I am using CUPS to transfer red wine or coffee while wearing white.

      OK, OK, I'll stop....

    • Yeah, it's covered in the OS X 10.2.3 update that was released last night (which also covers the recent fetchmail DOS issue).
      • would that be the "printing improvements" thing mentioned?

        I'd heard 10.2.3 was out, but I had a bunch of windows up that I wasn't willing to bring down until this morning, so I'm just getting the update now.
  • by jaymzter ( 452402 ) on Thursday December 19, 2002 @09:51PM (#4927580) Homepage
    CUPS, as far as I'm concerned, is the killer app for printing in the *nix world. And just like another poster mentioned, why on earth would someone not be firewalling their printer? So once again it comes down to the competency of the system administrator. As for the MS trolls out there who will use this as an excuse to pan OSS, I'd like to point out that at least with CUPS and projects like it we won't have to wait for the maintainers to admit there's a problem, and then wait a month or more for a fix. This is news only in that security vulnerabilities need to be disseminated as widely as possible.
    • Agreed. In addition, CUPS can be set up to only accept local connections (unlike regular BSD lpd), so even if your firewall fails, the printer daemon should still refuse an incoming remote connection.
    • by berzerke ( 319205 ) on Friday December 20, 2002 @01:26AM (#4928142) Homepage

      ...why on earth would someone not be firewalling their printer?

      In addition to the firewalling, cups can also be portwalled (see http://www.spotswood-computer.net/portwalling.html [spotswood-computer.net] for details on this concept). Make sure it's not listening on an internet interface (which it would by default). Assuming your internal interface is 192.168.1.1, comment out the lines

        Port 80
        Port 631

      and replace them with

        Listen 192.168.1.1:631
        Listen 192.168.1.1:80

      and restart the service. Warning: The cups init.d script in Mandrake (at least) will make changes to your configuration file, resulting in cups failing to start if you make the changes listed here. Edit the script and stop it from making the changes before you restart.
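Added example, not code from this post or from the CUPS project: a small Python checker that reads a cupsd.conf in the syntax quoted in this thread (Port, Listen host:port, <Location> with Allow From / Deny From), flags Port lines and wildcard Listen lines as bound on every interface, and flags <Location> blocks that contain Allow From All (the /admin restriction to administrative workstations discussed further up). The configuration it audits is a constructed sample.

```python
"""Audit the listener and <Location> access directives of a CUPS 1.x cupsd.conf.

Added example; not code from the thread or the CUPS project. It assumes the
Port, Listen, <Location>, Allow From and Deny From syntax quoted in the thread
and audits a constructed sample configuration.
"""
import re

# Constructed sample: the default-style "Port" lines the post says to replace,
# plus an /admin location that has been opened to every client.
SAMPLE_CONF = """\
# cupsd.conf (constructed sample, not a real deployment)
Port 80
Port 631
<Location /admin>
Order Deny,Allow
Deny From All
Allow From All
</Location>
"""

# Host parts that mean "every interface", the opposite of portwalling.
WILDCARD_HOSTS = {"", "*", "0.0.0.0", "::", "[::]"}


def _directives(conf_text):
    """Yield (keyword, args) pairs with comments and blank lines stripped."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            yield parts[0].lower(), parts[1:]


def audit_listeners(conf_text):
    """Return (directive, port) pairs for listeners bound on all interfaces.

    'Port N' always binds INADDR_ANY; 'Listen host:port' is only flagged when
    the host part is missing or a wildcard.
    """
    findings = []
    for key, args in _directives(conf_text):
        if key == "port" and args:
            findings.append(("Port", args[0]))
        elif key == "listen" and args:
            host, _, port = args[0].rpartition(":")
            if host in WILDCARD_HOSTS:
                findings.append(("Listen", port))
    return findings


def open_locations(conf_text):
    """Return paths of <Location> blocks containing an 'Allow From All' rule,
    i.e. resources (such as /admin) reachable from any client address."""
    opened, current, allow_all = [], None, False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        start = re.match(r"<Location\s+(\S+)>", line, re.IGNORECASE)
        if start:
            current, allow_all = start.group(1), False
        elif line.lower() == "</location>":
            if current is not None and allow_all:
                opened.append(current)
            current = None
        elif current is not None:
            words = line.lower().split()
            if words[:1] == ["allow"] and "all" in words:
                allow_all = True
    return opened


if __name__ == "__main__":
    for directive, port in audit_listeners(SAMPLE_CONF):
        print(f"{directive} {port}: bound on all interfaces; use Listen <internal-ip>:{port}")
    for path in open_locations(SAMPLE_CONF):
        print(f"{path}: Allow From All; restrict it to administrative workstations")
```

Run against the sample it reports both Port lines and the open /admin block; run against the Listen 192.168.1.1:631 / Listen 192.168.1.1:80 replacement from the post it reports nothing. It is a static check only: it does not confirm what the running cupsd actually bound, so pair it with a look at the listening sockets after the restart.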

      • In addition to the firewalling, cups can also be portwalled too (see http://www.spotswood-computer.net/portwalling.html [spotswood-computer.net] for details on this concept). Make sure it's not listening on an internet interface (which it would by default)

        That's not necessarily enough. See this email [der-keiler.de] about "weak end host". The short version is attackers can access the IP of one interface through another on Linux unless you go out of your way to prohibit it.

        • ... about "weak end host". The short version is attackers can access the IP of one interface through another on Linux unless you go out of your way to prohibit it.

          This relies, of course, on having IP routing enabled on the Linux box (disabled per default) without having the wherewithal to run NetFilter (or another suitable firewall).

          • This relies, of course, on having IP routing enabled on the Linux box (disabled per default) without having the wherewithal to run NetFilter (or another suitable firewall).

            First, I think it's reasonable to assume that nearly anyone with multiple interfaces will have IP routing enabled.

            Second, I'd guess most NetFilter configurations wouldn't stop this. You have to have a rule that denies anything coming in from the external interface for the internal IP. (Or that denies the service specifically, but then there's no real point to binding to the inside interface only.) Binding only to "safe" interfaces is sometimes pointed to as an alternative to firewalling services, so it's important to point out where that can fail. With the one rule, it works well.

            • First, I think it's reasonable to assume that nearly anyone with multiple interfaces will have IP routing enabled.

              Not necessarily. Sometimes computers are just on multiple networks.

              Second, I'd guess most NetFilter configurations wouldn't stop this. You have to have a rule that denies anything coming in from the external interface for the internal IP.

              That's part of any proper BOGON filter set, or any decent firewall. Much like I deny all connections claiming to be from/to 127.0.0.1, I deny incoming connections from/to the RFC1918 address space, from my local address space, and from/to any of the unassigned ARIN address space. Claiming that "most" NetFilter configurations don't have such safeguards is, IMHO, a little rash.

              Binding only to "safe" interfaces is sometimes pointed to as an alternative to firewalling services, so it's important to point out where that can fail.

              If I ever saw someone suggesting it as an alternative to firewalling, I'd call them on it. It's an additional security precaution; not a replacement. I thought it went without saying, but then again this is the world where MCSEs (and other similar paper-hatters) are administering corporate WANs (and by extension, speaking of BOGONs, why the 69.0.0.0/8 address space is presently largely unroutable.)

              • I wrote: First, I think it's reasonable to assume that nearly anyone with multiple interfaces will have IP routing enabled.

                Blkdeath wrote: Not necessarily. Sometimes computers are just on multiple networks.

                Thus the "nearly". But I can't even think why you'd need to do that in a well-designed network.

                I wrote: Second, I'd guess most NetFilter configurations wouldn't stop this. You have to have a rule that denies anything coming in from the external interface for the internal IP.

                Blkdeath wrote: That's part of any proper BOGON filter set, or any decent firewall.

                I agree, but I'd still guess that most people don't. I often don't see it in tutorials for NetFilters and similar tools, and I imagine it's pretty common to end up with a firewall very similar to those.

                If I ever saw someone suggesting it as an alternative to firewalling, I'd call them on it.

                Did you read that portwalling draft that berzerke linked to? I quote:

                If you could configure your web server (and for Apache it is possible, and not that hard), to listen for connections on only 127.0.0.1 port 80 and 192.168.1.1 port 80, then no one from the internet could send packets to your web server even without a firewall running!

                It does not mention the need to prevent them from accessing one interface's IP from another interface.

                • Did you read that portwalling draft that berzerke linked to? I quote:

                  [...]

                  It does not mention the need to prevent them from accessing one interface's IP from another interface.

                  It does, however, continue to state the need for a firewall in an effective protection setup;

                  With a firewall and patching, an attacker would first have to get through the firewall, then find another way to connect to service / get around the port walling, and then find an unpatched exploitable vulnerability on that service. Not too likely to happen.

                  The preceding paragraph (that you've paraphrased) was worded very poorly, that I'll give you, but this is a) a "Draft", and b) merely one of the hundreds of thousands of sites offering advice on the Internet. Even still, if a person follows this through to the letter, they'll be at least partially protected. Of course they'll have to look elsewhere to find documentation for configuring their particular firewall package, as that was wisely left out of that 'draft'.

                  If Joe Ignorant Homeuser's whiz-bang three computer home LAN is infiltrated because he didn't even implement the most basic safeguards and software patches, well, that's his own fault and I feel no pity for him.

                  My home LAN uses port and firewalling for all internal services, and that's almost the way it should be. Ideally the only machine with more than one interface on a multi-homed network should be the firewall which, as I'm sure you're well aware, shouldn't be running any daemons.

                  • I wrote: It does not mention the need to prevent them from accessing one interface's IP from another interface.

                    Blkdeath wrote: It does, however, continue to state the need for a firewall in an effective protection setup;

                    Sure, but you're not getting my point. It mentions that as "defense in depth"; redundant security. The draft implies throughout that these are totally independent methods. They aren't. It's not just a single poorly-worded paragraph; it's wrong.

                • ...It does not mention the need to prevent them from accessing one interface's IP from another interface...

                  You are absolutely correct and it will be corrected. However, it's not a total disaster. As I mention in another reply, if you are binding to a private address range (as the example does), then the attacker must be one hop away for the "attack" to work. This is assuming they know what your private address is. Thus, it's still good advice.

          • ...This relies, of course, on having IP routing enabled on the Linux box...

            I tested it and it still works even with routing disabled. Scary at first glance, but there is a ray of hope. Exploiting the "weak end host" depends on several things being perfect.

            First, an attacker has to know the ip address of the "other side" (where the services you want to protect are listening). Second, assuming you are using the private address range for your "other side" (which is standard), the attacker must be one hop away. Otherwise, the routers between the two systems would not know how to route the packet and simply drop it. This one hop rule will kill most attacks (but not all!) without further effort on your part.

            Finally, this attack can be filtered by a firewall quite easily. Don't allow packets from the wrong interface through to that port. Or, if you are using a private address range, all packets with a destination to the private address range get dropped.

      • I've never heard of the term "portwalling" before, and google only returned 3 matches on the term.

        However, this idea is a useful and easy tool to make things a little more secure, especially if you are on a private lan. For completeness, it should be mentioned that xinetd, sendmail, apache, and most well written daemons support this mechanism. See the bind(2) manpage, basically you provide the source address to be something specific besides INADDR_ANY.
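Added example, not code from any of the posters, the portwalling draft or CUPS: the bind(2) primitive the post above describes (binding to one address instead of INADDR_ANY), followed by a model of the "weak end host" filter rule the replies above argue over: drop packets that arrive on the external interface but are addressed to, or claim to come from, the internal or loopback address space, with the equivalent netfilter rules. The interface names (eth0 outside, eth1 inside), the addresses and the sample packets are constructed assumptions.

```python
"""Portwalling (bind to one address) and the weak-end-host caveat.

Added example; not code from the thread's authors, the portwalling draft or
CUPS. The interface names (eth0 external, eth1 internal), the addresses and
the sample packets below are all constructed assumptions.
"""
import ipaddress
import socket


def bind_specific(address, port=0):
    """The primitive the thread calls portwalling: bind(2) to a specific
    address rather than INADDR_ANY (0.0.0.0). Returns the address bound."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((address, port))     # port 0 lets the kernel pick a free port
        return sock.getsockname()[0]
    finally:
        sock.close()


# Ranges that should never be addressed through, or arrive as a source on,
# the outside interface: RFC 1918 space and loopback (the "bogon" set above).
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def ingress_verdict(in_iface, src, dst, external_ifaces=("eth0",)):
    """Verdict for one inbound packet under the rule the thread describes.

    Weak end host: Linux answers for eth1's 192.168.1.1 even when the packet
    came in on eth0, so a service bound only to 192.168.1.1 stays reachable
    from outside unless such packets are dropped on the external side.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if in_iface in external_ifaces:
        if any(dst_ip in net for net in INTERNAL_RANGES):
            return "DROP"    # outside packet aimed at an inside/loopback address
        if any(src_ip in net for net in INTERNAL_RANGES):
            return "DROP"    # spoofed inside/loopback source
    return "ACCEPT"


def netfilter_rules(external_iface="eth0", internal_net="192.168.1.0/24"):
    """The iptables equivalents of ingress_verdict for one internal subnet."""
    return [
        f"iptables -A INPUT -i {external_iface} -d {internal_net} -j DROP",
        f"iptables -A INPUT -i {external_iface} -s {internal_net} -j DROP",
        f"iptables -A INPUT -i {external_iface} -d 127.0.0.0/8 -j DROP",
        f"iptables -A INPUT -i {external_iface} -s 127.0.0.0/8 -j DROP",
    ]


# Constructed packets: (arrival interface, source, destination, dst port)
SAMPLE_PACKETS = [
    ("eth0", "203.0.113.5", "192.168.1.1", 631),    # outsider reaching the inside IP
    ("eth0", "192.168.1.50", "198.51.100.7", 631),  # spoofed internal source
    ("eth1", "192.168.1.20", "192.168.1.1", 631),   # legitimate LAN print job
    ("eth0", "203.0.113.5", "198.51.100.7", 22),    # ordinary traffic to the public IP
]


def evaluate(packets=SAMPLE_PACKETS):
    """Return [(iface, src, dst, port, verdict), ...] for the given packets."""
    return [(i, s, d, p, ingress_verdict(i, s, d)) for i, s, d, p in packets]


if __name__ == "__main__":
    print("bound to", bind_specific("127.0.0.1"))
    for row in evaluate():
        print(*row)
    print(*netfilter_rules(), sep="\n")
```

The first two sample packets are the cases the thread says most NetFilter tutorials miss: a packet entering eth0 for the 192.168.1.1 address that cupsd is bound to, and one entering eth0 with an inside source address. Binding alone accepts both; the external-interface rules drop both while leaving LAN and public-address traffic untouched.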
  • Mac Users OK (Score:5, Informative)

    by mattvd ( 44096 ) on Thursday December 19, 2002 @09:52PM (#4927586) Homepage Journal
    From the linked article:
    "Fixed in: Mac OS X 10.2.3 and Mac OS X Server 10.2.3"
    Apple just released 10.2.3 today [macnn.com].
    • Was CUPS not present in earlier releases of Mac OS X?

      If it was present, will Apple release fixes for those, or just force everyone to buy the 10.2 upgrade?

      • Re:Mac Users OK (Score:2, Informative)

        by BJH ( 11355 )
        Apple switched to CUPS in Jaguar - earlier releases don't contain it.
      • Was CUPS not present in earlier releases of Mac OS X?
        CUPS was introduced to MacOS X in 10.2 - "Jaguar"
        If it was present, will Apple release fixes for those, or just force everyone to buy the 10.2 upgrade?
        It's irrelevant to folks prior to 10.2 (unless they've added it manually in which case they can update it the same way) and a free update to those with 10.2.n. Even comes in a combo patch so folks can skip intermediate releases.

        No forcing, no extra cost, the patch was released at the same time as the vulnerability announced, got anything else you wanna try and pick on?

  • Apple fixed it today on their Systems.

    "Affected Systems:
    Mac OS X 10.2 - Mac OS X 10.2.2
    Mac OS X Server 10.2 - Mac OS X Server 10.2.2
    Mitigating Factors: The described vulnerability can be remotely exploited only when Printer Sharing is enabled.
    Printer Sharing is not enabled by default on Mac OS X or Mac OS X Server.
    Fixed in: Mac OS X 10.2.3 and Mac OS X Server 10.2.3"
    (released today)
  • Whew! (Score:3, Funny)

    by DoctorPhish ( 626559 ) on Thursday December 19, 2002 @09:56PM (#4927601) Homepage
    I sure am glad I removed CUPS from my mom's debian box before I moved out last week (and took my firewall with me). I still think printing is the worst thing about unix in general (and about GNOME in particular...), but CUPS was relatively easy to set up. Sounds like it needs a serious security audit, though.
    • Well, if you had Debian set up correctly, Mom would be getting CUPS updated anyway, wouldn't she?

      CUPS simply kicks ass. You obviously haven't seen how powerful it is. CUPS on a Mac OS X laptop absolutely kicks the dingo's ass.

      I can go home and select print. None of the inherent bullshit problems with "Point and Print" or any other crap. I plug in at work and voilà, I have a printer available. CUPS has pushed *nix printing far ahead of the Microsoft "printing" that (by the way) still hasn't gained sway in the print world (where computer printing is your lifeline).

      And if your mom's machine really needed it updated, why not SSH into it and do it for her? That's the power you get with a true network OS.

    • Re:Whew! (Score:3, Interesting)

      by friedmud ( 512466 )
      Please don't take this as trolling....

      But have you seen KDE's print menu/system?? It works directly with cups and is actually easier to use than even MS's printer installer.

      KDE 3.1 improved things even more, and now the whole system is very sweet. Give it a try.

      Derek
      • Really. I could never get it to work, and ended up just telling it to use "lpr". It would fail mysteriously. Yes, I have CUPS running.

    • Re:Whew! (Score:3, Informative)

      by printman ( 54032 )
      Um, CUPS has been audited about a dozen times now by various vendors. The last such audit was conducted almost a year and a half ago and was the source of the last security advisory for CUPS. Yes, that's right, no advisories in a year and a half...

      We take security very seriously, and as soon as something comes to our attention (either internally or externally), we release a fix ASAP. This latest advisory exposed some integer overflows (previous ones were buffer overflow/DoS only) which could be used to gain access to the (unprivileged) "lp" account, and in one case root access (but that required a local attack or a change in the default configuration for a remote attack...

      After the report we went through all of the related code as well to determine if there were any other problem spots like those reported; we found and fixed a few in the image file filters (which could only get you "lp" access anyways, one of the reasons we don't run everything as root like old LPD did...)

      Security advisories like this only improve the quality and "safety" of the CUPS code, and we welcome all reviews, criticisms, etc. - user/developer feedback has been the driving force behind CUPS development.
  • How come a security news that doesn't involve is on the front page? I thought you guys only post MS related security news. :))
    • Nope, you get the *nix security vulnerabilities here as well. You just see a lot more microsoft vulnerabilities for some reason... there are also patches for the *nix problems. For some odd reason there is usually no announcement of a fix from microsoft and if there is it comes a couple dozen bugs later.
  • by johnlcallaway ( 165670 ) on Thursday December 19, 2002 @10:24PM (#4927664)
    ... do I use this ... uh ... no.

    OK, I'm done.

    Wish Windoze security updates were this easy......
    • They are ;-)
    • Heh. That was me too. Actually, I _do_ use CUPS at work, but only
      the client part of it; I never turned it on as a server, so...
    • Re:Lets see ... (Score:2, Informative)

      Really. Because I just happened to look in my system tray today and saw an icon. I double clicked this icon which said "Updates have been downloaded. Click 'Install' to install them'.

      I clicked, browsed slashdot a little, and in a minute or two it told me it was done.

      ...

      ...
      Yah, that wasn't too hard.
      • Of course... you don't mind a history of unstable updates, an update process that will undo configurations or re-install components that have been removed for security concerns, nor security updates that re-define your license to the entire product.

        To each their own. Click away.

        After all, who needs to know what's running on their system or their rights as consumers.
      • Uh ... the point was that if I don't need software, I don't have to install it, hence I never have to patch it.

        Like, if I have a server that never needs a browser, or a GUI, I never have to worry about patches for it. That's the nice thing about having a small OS with modules, instead of tying everything together.

        Of course, Windoze users wouldn't know the benefits about having highly configurable systems like that....
  • CUPS (Score:3, Funny)

    by rockwood ( 141675 ) on Thursday December 19, 2002 @10:48PM (#4927673) Homepage Journal
    An exploitation recently discovered in CUPS has globally rocked and baffled the scientific industry.

    It appears that a vulnerability has been found whereby a malicious user can covertly attach a second string to the midsection of the two originating CUPS and 'tap' into the communication between CUP "A" and CUP "B".

    Furthermore, said user can attach a third CUP to the end of his/her string and receive a secondary branch off of all data vibrating between the two original CUPS.

    Savvy users can then vocally mimic the voice data being picked up and assume the identity of either CUP "A" or CUP "B".

    Agencies around the world have been placed on full alert as they scramble for a patch to this unforeseen security hole!

  • Damn (Score:2, Funny)

    by Strepsil ( 75641 )
    Couldn't I have seen this just TWO HOURS AGO while I was still at work, and not now when my holidays have officially started? Well, it's not like I didn't expect to be working occasionally during my holiday anyway. A sysadmin's work is never done ...

    I say again - damn. Is a little blissful ignorance over the festive season too much to ask these days?
    • Re:Damn (Score:1, Insightful)

      by Anonymous Coward
      Shouldn't a sysadmin be subscribed to bugtraq, in which case you would have read about it while at work?
    • Erm - you use Slashdot to get all your info about holes/bugs etc?

      I simply use wget to mirror the updates dir from my local RedHat mirror each night, and log the results. I grep for "saved" in the log file, and if there's anything there apart from "index.html", the script runs RPM -K *.rpm to validate the checksums, and it emails me, and says that there is a new batch of RPMs to install.
      I export the updates dir over NFS, and I can mount them on all the other boxes, and update those too.
      • Erm - you use Slashdot to get all your info about holes/bugs etc?

        No, not at all. See - I'd left work today after spending the last couple of days just doing the "must happen this year" stuff. I got home, loaded up Slashdot looking for a bit of a diversion, and what do I see? Work! Just when I thought I'd left it behind. If Slashdot hadn't run this, I'd still be under the impression everything was OK, and that's what really matters, right? :)

        For the record, I use apt with RPM to maintain a bunch of RedHat boxes. I have my own internal repository that contains some internally maintained packages, plus a nightly updated RedHat mirror. It won't take me a lot of work to roll out the fixes - I have a script to execute commands on all the remote machines via SSH - but it wouldn't really have served the humour of the message to include that, would it? It would have helped even less than this over-analysis.

        I still call for the various security groups to impose a ban on vulnerability announcements between December 14 and January 14, just to give us all a bit of peace, though!

  • More info here [cups.org].

    I never really understood what made it better than straight up lpd. Perhaps one of you could enlighten me?

    • CUPS is to lpd as Unix is to MSDOS.

      You posted the link, print it, read it... (CUPS users should patch before printing)


    • In practical terms, it gives you decent print drivers if you don't have a Postscript printer.

      The previous printing available for something like an HP 6L was crappy for something like a typical web page. I used it only as text. With CUPS, I can use the HP4 driver package and click print from Netscape and see the page nicely.

      • That's sort of what I thought... Forgive me for being dense, but why do you need to replace the whole print subsystem to make up for bad drivers?
        • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Friday December 20, 2002 @01:14AM (#4928112) Homepage Journal
          In general Unix systems have assumed postscript for printing anything other than fixed-width text, which with most older printers, especially character printers, can be done (with no styles mind you) by simply sending the text out the printer port in ASCII.

          I really don't know where the dependence on postscript came from in the first place, but it definitely seems that that's how everything in the Unix world wants to print. I guess it was the most obfuscated language supported by lots of printers, so it was naturally desirable to the Unix crowd :) Also AFAIK PCL came a while after it, but maybe it's just that PCL got good enough to use much later.

    • I never really understood what made it better than straight up lpd.

      A configuration file format which is distinguishable from line noise.

      Daniel
  • by rabidcow ( 209019 ) on Thursday December 19, 2002 @11:41PM (#4927861) Homepage
    Good thing I use MUGS.

    I mean what use is a CUP with a HOLE in it?
  • Looks like another most-of-the-nighter upgrading CUPS, installing espgs because the version of cups I had installed didn't require it, recreating the configuration files that the @#$%^! installer just overwrote, and making the standard offerings to Cthulhu so the blasted thing will figure out where pstoraster is located. Of course, it will be my fault if someone manages to get a shell account on the router/firewall/printserver and proceeds to trash the read-writable netbios shares that my family is too lazy to set a password on. Isn't being a sysadmin great?
  • "Slew?" (Score:5, Informative)

    by printman ( 54032 ) on Friday December 20, 2002 @12:19AM (#4927987) Homepage
    OK, for folks that haven't read the advisory, a "slew" is apparently 9.

    Of those 9, only *1* of the issues could possibly be used to gain root access, and it depends entirely on the CUPS release, compiler, etc. you use, and for the exploit to work remotely you have to change the default CUPS configuration.

    Issue 6 was fixed back in CUPS 1.1.15 (released in June) and is old news.

    All but one issue was fixed within a few hours of the report, and the current CUPS release (1.1.18) does not have any of these vulnerabilities.
  • This is so dumb (Score:1, Insightful)

    by Anonymous Coward
    Why do daemons still run as root? All of these things should be running as unprivileged users, with lots of restrictions on what they can do. Processes need to be root to bind low ports? Then let's run these services on higher ports, or fix the kernel so any process can bind to lower ports. The unix "security model" is so brain-dead. The most dangerous input (stuff from the net) is handled at the highest privilege level (root). This is just idiotic.
  • The first thing that came to my mind was the silly game Chandler and Joey played on Friends, when I read about CUPS. :)
  • makes your root password VISIBLE by default when you print it out.
  • ceramic is so a thousand years ago...

    aluminum mugs secure on coasters much better and they aren't vulnerable to breaking on a tile floor should you drop one.

    Oh you mean Common Unix Printing System! My mistake...in a world of lpr and lpr-ng...oh them was fighting words!! I'll never walk the plank! Never!
  • Huh? (Score:1, Funny)

    by Anonymous Coward
    "Exploitation of multiple CUPS vulnerabilities"

    Sounds more like a description of senior prom night

  • VIII. DISCLOSURE TIMELINE

    10/27/2002 Initial discussion with contributor
    11/14/2002 Final contributor submission
    12/12/2002 CUPS author notified via e-mail to cups-support@cups.org
    12/12/2002 iDEFENSE clients notified
    12/12/2002 Response and preliminary patch received from CUPS author Michael Sweet (mike@easysw.com)
    12/12/2002 Apple, Linux Security List (vendor-sec@lst.de)
    12/13/2002 Updated patch received from Michael Sweet
    12/17/2002 Response received from Richard Blanchard (rblanchard@apple.com)
    12/19/2002 Coordinated Public Disclosure

    That's almost a month and a half from when the exploit was initially known to when even the author of the package was informed; it was almost a month just for that! The general public got to know about this even later.

    Maybe this is a good thing, but I wonder. Who had access to this dangerous knowledge while the rest of the world slept, unaware of their vulnerability to this? Sure, a truly secure setup wouldn't be running unnecessary daemons on anything important, but still...

    Magic lantern, anyone?
    • While this is true, it is also dangerous to release this info too quickly..

      By releasing the info about what is exploitable and how, you make a hacker's life really easy.. he no longer has to go through all the code and try to find an exploitable hole. Now he only has to code an exploit and he's done. Thus they decided the vendors need time to fix their software!

      On the other hand, releasing this info after an N-timeframe pressures the vendors into patching their software in a timely manner.

      However, your question assumes that no one could find this vulnerability _before_ this company did! Of course this is nonsense.. a hacker could've found this exploitable code many months ago, and as long as he doesn't make it 'too' public, chances are no one will know about it..

      Never, I repeat _never_ assume your software is 100% bug free and un-exploitable! A skilled hacker can find an exploit in almost all software given enough time!

      The thing to keep in mind is that a hacker is also subject to the rules of economics: the more hacking into the target is worth, the more time he is willing to spend on finding a way in. For most common servers, the worth is not so high (plenty of targets of similar value, so pick out the easy one..) For banks and the like, this is different of course ;-)
  • Geez, be honest about it already.

    The worst they can do is whatever they want to do, if they get root access. Say it like it is. An attacker can execute arbitrary code, get complete control over the machine. Security issues shouldn't be sugar coated like that.

  • OK mes amis...I'm waiting for the official security update, and it ain't here yet! C'mon! Get on the stick, man! Debian, Red Hat and Apple have the update NOW, why do we have to fsckn wait???

    I am seriously looking at paying my money and getting the newest version of Libranet. I am enjoying Mandrake 9 now but am getting very tired of waiting for packages getting onto urpmi. It took Linux-Mandrake two weeks to fix Samba, and that was a pretty important update.

    • Then fix it yourself, troll. There's nothing stopping you from FTPing the source down, running ./configure, and running make install. Almost all OSS stuff is THAT easy these days.
      If you're using OSS, you need to be able to work it, not just sit there and whine for updates.
  • The problems of business administration in general, and database management in
    particular are much too difficult for people that think in IBMese, compounded
    with sloppy English.
    -- Edsger Dijkstra

    - this post brought to you by the Automated Last Post Generator...
