[plug] new CUPS exploit or an old one?

Gavin Chester gavinchester1 at hotmail.com
Sun May 15 11:56:49 WST 2005


Is there a new exploit via CUPS that anyone knows about?  I am running
CUPS 1.1.22, which is one version behind the latest stable, on a FC3
system. I googled and found no news of anything new, and I should be okay
since this version is newer than the version given after the last CUPS
security advisory in Jan 2005.  Nevertheless, I saw an attempt to use
CUPS for the first time, as shown in this packet capture in my Ethereal
logs this morning:


---- small, edited portion of capture ----------------

(Source) 203-129-128-88.rev.dft.net.au    (Destination) 255.255.255.255
(Protocol) CUPS    (Info) ipp://local.compaq:631/printers/HPLaserjet2200D (idle)

Frame 45784 (196 bytes on wire, 196 bytes captured)
Linux cooked capture
Internet Protocol, Src Addr: 203-129-128-88.rev.dft.net.au
(203.129.128.88), Dst Addr: 255.255.255.255 (255.255.255.255)
User Datagram Protocol, Src Port: ipp (631), Dst Port: ipp (631)
Common Unix Printing System (CUPS) Browsing Protocol
------------------------------------------------------

This happened about a dozen times over the morning, with a concentration
of effort just before my connection dropped, by coincidence.

I did a whois on the originating IP address and it gave this:

inetnum:      203.129.128.0 - 203.129.159.255
netname:      PDOX-DIGITAL
descr:        Paradox Digital Pty Ltd
descr:        193 Gt. Eastern Hwy,
descr:        Belmont, Western Australia, 6014.
country:      AU
admin-c:      DM65-AP
tech-c:       DM65-AP
remarks:      Paradox Digital is a wholesaler of bandwidth and related
remarks:      services to Internet service providers. If you wish to
remarks:      make a complaint to us regarding a client of our clients
remarks:      please use the abuse at paradox.net.au email address.
mnt-by:       APNIC-HM
mnt-lower:    MAINT-AU-EFTEL
status:       ALLOCATED PORTABLE
changed:      hm-changed at apnic.net 20000706
changed:      hm-changed at apnic.net 20041130
source:       APNIC

person:       DNS Master
address:      Level 8, 250 St Georges Terrace
address:      Perth  WA  6000
country:      AU
phone:        +61-8-94814999
fax-no:       +61-8-93224924
e-mail:       domain_techs at team.eftel.com
nic-hdl:      DM65-AP
mnt-by:       MAINT-AU-EFTEL
changed:      mark.dignam at team.eftel.com 20011203
source:       APNIC


Eftel is my ISP, so am I right in believing that it looks like someone
on my ISP's network is trying to exploit me?

Should I be worried?

Should I send a complaint to their abuse at paradox.net.au address?

Your experienced hacker opinions are welcomed :-)

Regards, Gavin.
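The capture above shows a UDP datagram from port 631 to port 631 with the limited-broadcast destination 255.255.255.255 and a "CUPS Browsing Protocol" payload. A defender triaging such a packet wants to know what the payload actually says before deciding whether it is an attack. The following is an added example, not code from the original post or from the CUPS project: a small Python parser for the textual body of a CUPS 1.x browse packet plus a triage function that reads a datagram the way the capture presents it. The packet layout (`<type-hex> <state> <uri> ["location" "info" "make-and-model"]`) is assumed from the CUPS 1.1 browsing documentation, the printer-type bit values are assumed from the CUPS 1.1 `cups/ppd.h` header, and the sample payload is constructed here (only the URI and the "idle" state come from the capture).

```python
"""Triage helper for CUPS 1.x browse datagrams (UDP/631 broadcasts). Added example."""
import shlex
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional
from urllib.parse import urlparse

# IPP printer-state values carried in the second field of a browse packet.
PRINTER_STATES = {3: "idle", 4: "processing", 5: "stopped"}

# Printer-type bits (assumed from the CUPS 1.1 cups/ppd.h header).
CUPS_PRINTER_CLASS = 0x0001
CUPS_PRINTER_REMOTE = 0x0002

# Constructed sample payload: URI and state taken from the capture, the rest is made up.
SAMPLE_PAYLOAD = ('4 3 ipp://local.compaq:631/printers/HPLaserjet2200D '
                  '"Upstairs" "HP LaserJet 2200D" "HP LaserJet 2200 Series"')


@dataclass
class BrowsePacket:
    printer_type: int
    state: str
    uri: str
    location: Optional[str] = None
    info: Optional[str] = None
    make_model: Optional[str] = None

    @property
    def is_class(self) -> bool:
        return bool(self.printer_type & CUPS_PRINTER_CLASS)


def parse_browse_packet(payload: str) -> BrowsePacket:
    """Parse the body of a CUPS 1.x browse packet.

    Layout (assumed): <type-hex> <state> <uri> ["location" "info" "make-and-model"]
    Raises ValueError on anything that does not fit, so callers can flag odd traffic.
    """
    parts = payload.strip().split(None, 2)
    if len(parts) < 3:
        raise ValueError("browse packet needs type, state and uri")
    type_str, state_str, rest = parts
    try:
        printer_type = int(type_str, 16)
        state_num = int(state_str, 10)
    except ValueError as exc:
        raise ValueError(f"bad type/state fields: {type_str!r} {state_str!r}") from exc
    if state_num not in PRINTER_STATES:
        raise ValueError(f"unknown printer-state {state_num}")
    fields = shlex.split(rest)  # the optional trailing strings are double-quoted
    uri = fields[0]
    if not uri.startswith(("ipp://", "http://")):
        raise ValueError(f"uri does not look like an IPP printer uri: {uri!r}")
    extras = fields[1:4] + [None] * (3 - len(fields[1:4]))
    return BrowsePacket(printer_type, PRINTER_STATES[state_num], uri, *extras)


def triage_datagram(src_ip: str, dst_ip: str, src_port: int, dst_port: int,
                    payload: str) -> dict:
    """Classify one UDP datagram and collect the notes a defender would want."""
    verdict = {"src": src_ip, "dst": dst_ip, "kind": "unknown", "notes": []}
    if dst_port != 631:
        return verdict  # not CUPS/IPP traffic at all
    try:
        pkt = parse_browse_packet(payload)
    except ValueError as err:
        verdict["kind"] = "udp631-unparsed"
        verdict["notes"].append(f"not a well-formed browse packet: {err}")
        return verdict
    verdict["kind"] = "cups-browse-announcement"
    verdict["printer"] = pkt
    if ip_address(dst_ip) == ip_address("255.255.255.255"):
        verdict["notes"].append(
            "limited broadcast: the sender is advertising a printer queue to "
            "every host on its segment, not connecting to this machine")
    host = urlparse(pkt.uri).hostname
    if host and host != src_ip:
        verdict["notes"].append(
            f"advertised queue lives on {host!r}, i.e. on the sender's side")
    if ip_address(src_ip).is_global:
        verdict["notes"].append(
            "source is a public address: the advert arrives over a shared upstream "
            "segment; make sure cupsd ignores browse packets it has no reason to accept")
    return verdict


if __name__ == "__main__":
    result = triage_datagram("203.129.128.88", "255.255.255.255", 631, 631, SAMPLE_PAYLOAD)
    print(result["kind"], result["printer"].state, result["printer"].uri)
    for note in result["notes"]:
        print(" -", note)
```

The check a practitioner would add after running this is on the local side: in a CUPS 1.1 `cupsd.conf`, the `Browsing`, `BrowseAllow` and `BrowseDeny` directives control whether cupsd accepts such announcements and from whom, so a server that does not need remote queues can simply turn browsing off and the broadcasts become noise in the capture rather than queues in the printer list.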
