On the one hand, we were impressed that a tiny Brother label maker actually uses CUPS to support printing. Like [Sdomi], we were less than impressed at how old a copy it was using: 1.6.1. Of course, [Sdomi] managed to gain access to the OS and set things up the right way, and we get an over-the-shoulder view.
It wasn’t just the old copy of CUPS, either. The setup page was very dated, and while that’s just cosmetic, it still strikes a nerve. The Linux kernel in use was also super old. Luckily, the URLs looked like good candidates for command injection.
Worst of all, the old version of CUPS had some known vulnerabilities, so there were several avenues of attack. The interface had some filtering, so slashes and spaces were not passed, but several other characters could get around the limitations. Very clever.
The post contains a few good tricks to file away for future use. It also turned out that despite the Brother branding, the printer is really from another company, which was useful to know, too. In the end, does the printer work any better? Probably not. But we get the urge to check some of the other devices we own.
The last time we saw CUPS save an old printer, it had to be bolted on. CUPS was meant to support 3D printers, but we never see anyone using it like that.