Wednesday, March 19, 2008

Fun with CUPS

This week Apple released a large set of patches, one that caught my eye was for CUPS. For those unfamiliar, the Common UNIX Printing System provides a portable printing layer for UNIX®-based operating systems AND listens on localhost port 631 (http). Check if you have it running (http://localhost:631/) HAH! No Firefox port blocking. :) According to the several advisory links there was some kind of heap overflow through a CGI.

I thought that was really interesting since CUPS is currently running on my MacBook Pro, I believe ever since I set up a printer. I’m fairly certain this is standard OS X behavior. Kurt Grutzmacher shared this info with me a long while back (after the intranet hacking talks) and we tried to locate a single XSS issue on the Web-interface. If we had been successful (we weren't) it would have made for a really nasty way to pull a list of someone completed print jobs (and maybe a little more). Maybe DNS Rebinding would do the trick?

Anyway, while I don’t know or have the exact HTTP request that would cause the overflow, it sounds technically possible that this could be exploited basically by visiting any random malicious web page. And there seems to be a lot of that sort of thing going on these days. To borrow the login detection trick from earlier, here's a quick way to tell if a user is running CUPS.
<* img src="http://localhost:631/images/navbar.gif" onload="alert('CUPS is listening')" onerror="alert('No CUPS')">


Anonymous said...

Interesting post. I have CUPS 1.3.2. running (on port 631 a well), yet there's no /images/navbar.gif. There are some other .gifs in /images/ and also a /favicon.ico which I would prefer for this purpose.

Jeremiah Grossman said...

Hmph, my install doesn't have a favicon. I guess we need to find something more universal. I'll try to get the list of everything under images for comparison.