| 26 Sep 2024 |
 Johann | Does the user has to print something? | 20:29:36 |
 K900 | No | 20:29:51 |
| K900 | But they do need to confirm adding the printer, as far as I can tell | 20:30:03 |
 Fabián Heredia | but would need to have a cups service running and listening to the network | 20:30:18 |
 vcunat | First of all, you need CUPS exposed to the attacker. That's "not everywhere". | 20:30:19 |
 hexa | you need browsed with the cups protocol enabled to be specific | 20:30:59 |
| vcunat | And them suggesting that people expose it to the whole internet. | 20:31:14 |
| hexa | browsed is enabled in nixos when printing and avahi are enabled on the system | 20:31:27 |
 f0x | In reply to @hexa:lossy.network
browsed is enabled in nixos when printing and avahi are enabled on the system but not actually listening on udp here, afaict | 20:38:38 |
| hexa | that seems to be correct | 20:39:24 |
 tgerbet | Hum, why do we even open FW ports for it 👀 | 20:40:29 |
| f0x | it only binds there when BrowseLocalProtocols CUPS or BrowseRemoteProtocols CUPS are set (and our default configuration for cups-browsed is empty) | 20:40:46 |
| tgerbet | Hum BrowseRemoteProtocols is supposed to default on dnssd cups by default | 20:42:11 |
| tgerbet | But yeah | 20:43:15 |
 Lily Foster | In reply to @tgerbet:matrix.org
Hum BrowseRemoteProtocols is supposed to default on dnssd cups by default Nope, not if you don't supply their default .conf file (which would do that on most distros): https://github.com/OpenPrinting/cups-browsed/blob/c12b9cf5a906ab16971f5d060f291f9a58edadac/daemon/cups-browsed.c#L472 | 20:44:01 |
| tgerbet | Amazing | 20:44:41 |
| tgerbet | Ok so at least we do not have the entry point of the current exploit enabled by default | 20:45:55 |
| Lily Foster | (https://github.com/OpenPrinting/cups-browsed/blob/c12b9cf5a906ab16971f5d060f291f9a58edadac/configure.ac#L188 and https://github.com/OpenPrinting/cups-browsed/blob/c12b9cf5a906ab16971f5d060f291f9a58edadac/daemon/cups-browsed.conf.in#L41 for reference to the .conf default. technically we're still packaging it from cups-filters rather than that new repo, but same deal) | 20:45:56 |
| tgerbet | So we only have the LAN issue for which the exploit has not yet been released | 20:48:51 |
| f0x | it's most likely a very similar exploit, where instead of cups-browsed receiving an UDP package causing it to HTTP lookup a new printer, there's just a fake printer being advertised over mdns | 20:58:25 |
| f0x | also a detail that seems to be missing from the CVE stuff, and only in the blog post at the end, is that the foomatic-rip RCE can only be triggered by actually sending a print job to the faked printer. Which would make user interaction: none incorrect? | 21:02:56 |
