Readit News
bshipp commented on Attacking UNIX Systems via CUPS   evilsocket.net/2024/09/26... · Posted by u/NetBender
bongodongobob · a year ago
Well lots of people crash 600HP cars right after they buy them. If you haven't done your homework, you'll learn quickly.
bshipp · a year ago
The people who are crashing their 600HP Linux systems are, unfortunately, not the ones who are reading CVE listings in their spare time. Canonical and other distros are probably going to have to patch that default setting.
bshipp commented on Attacking UNIX Systems via CUPS   evilsocket.net/2024/09/26... · Posted by u/NetBender
andersa · a year ago
But why would such desktops be exposed to the public internet directly?
bshipp · a year ago
Likely no good reason. But he seemed to have identified many, many systems that were, inexplicably, exposing port 631 to the internet. There is some reason people are doing it and, given the number of target systems, it must be some sort of default configuration.

  > "This thing is packaged for anything, in some cases it's enabled by default, in others it's not, go figure. Full disclosure, I've been scanning the entire public internet IPv4 ranges several times a day for weeks, sending the UDP packet and logging whatever connected back. And I've got back connections from hundreds of thousands of devices, with peaks of 200-300K concurrent devices. This file contains a list of the unique Linux systems affected. Note that everything that is not Linux has been filtered out. That is why I was getting increasingly alarmed during the last few weeks."

bshipp commented on Attacking UNIX Systems via CUPS   evilsocket.net/2024/09/26... · Posted by u/NetBender
amluto · a year ago
And, for some utterly and completely absurd reason, CUPS runs as a system daemon instead of a highly sandboxed user program.
bshipp · a year ago
This is the worry. It seems like a really unnecessary privilege escalation.
bshipp commented on Attacking UNIX Systems via CUPS   evilsocket.net/2024/09/26... · Posted by u/NetBender
bongodongobob · a year ago
Who doesn't block all unneeded ports on an internet facing server or have it behind a firewall of some sort?
bshipp · a year ago
I guess the important question is whether or not these things are blocked by default or require user intervention to disable CUPS? Sure, many of us block all ports by default and either route everything behind a reverse proxy or punch very specific holes in the firewall that we know are there and can monitor, but someone firing up an Ubuntu distribution for their first foray into Linux is probably not thinking that way.
bshipp commented on Attacking UNIX Systems via CUPS   evilsocket.net/2024/09/26... · Posted by u/NetBender
andersa · a year ago
So just to make sure I understand correctly, this is a nothingburger, right? No important server has a printer attached. Any basic firewall would block this traffic.
bshipp · a year ago
I don't know if I would say it's a nothingburger, but I don't see how it affects important servers. It might impact a number of Linux desktops and, if they are linked to important servers, provide a backdoor access into important services.

Being able to run arbitrary code in a root account with no authentication would seem to be a pretty important security breach, although I don't think it's quite the level of danger it was built up to be.

bshipp commented on A 9.9 CVE has been announced for Linux   twitter.com/howardl3/stat... · Posted by u/alexzeitler
oskarkk · a year ago
bshipp · a year ago
This is entertaining reading. Although I don't know how pervasive this issue is, from the chunk I have read so far I can see why he was concerned that it was relatively trivial to have a target system accept anything identifying itself as a printer and being able to inject malicious code into the machine.

I was going to make fun of him wasting his sabbatical on hacking a printer service but I gotta admit I'd have fallen down the same rabbit hole if I stumbled on it. It's a cool hack.

bshipp commented on A 9.9 CVE has been announced for Linux   twitter.com/howardl3/stat... · Posted by u/alexzeitler
bshipp · a year ago
https://gist.github.com/stong/c8847ef27910ae344a7b5408d9840e...

Original report

Affected Vendor:

  - OpenPrinting 
Affected Product

  - Several components of the CUPS printing system: cups-browsed, libppd, libcupsfilters and cups-filters.
Affected Version

  - All versions <= 2.0.1 (latest release) and master.
Significant ICS/OT impact?

  - no
Reporter

  - Simone Margaritelli [evilsocket@gmail.com]
Vendor contacted?

  - yes. The vendor has been notified through GitHub Advisories and all bugs have been confirmed:
- https://github.com/OpenPrinting/cups-browsed/security/adviso...

- https://github.com/OpenPrinting/libcupsfilters/security/advi...

- https://github.com/OpenPrinting/libppd/security/advisories/G...

- https://github.com/OpenPrinting/cups-filters/security/adviso...

I'm also in contact with the Canonical security team about these issues.

Description

  - The vulnerability affects many GNU/Linux distributions:
[https://pkgs.org/download/cups-browsed]

Google ChromeOS:

https://chromium.googlesource.com/chromiumos/overlays/chromi...

Most BSDs:

https://man.freebsd.org/cgi/man.cgi?query=cups-browsed.conf&...

And possibly more.

<snip>

bshipp · a year ago
How does an attacker exploit this vulnerability?

  - An attacker can exploit this vulnerability if it can connect to the host via UDP port 631, which is by default bound to INADDR_ANY, in which case the attack can be entirely remote, or if it's on the same network of the target, by using mDNS advertisements.
What does an attacker gain by exploiting this vulnerability?

  - Remote execution of arbitrary commands when a print job is sent to the system printer.
How was the vulnerability discovered?

  - A lot of curiosity (when I noticed the *:631 UDP bind I was like "wtf is this?!" and went down a rabbit hole ...) and good old source code auditing.
Is this vulnerability publicly known?

  - No, the bugs are not known and the FoomaticRIPCommandLine vulnerability is known to be already patched (it isn't).
Is there evidence that this vulnerability is being actively exploited?

  - Not to the best of my knowledge.

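The quoted report says cups-browsed binds UDP port 631 to INADDR_ANY, and the earlier exchange in this thread asks whether that exposure is blocked by default or needs user intervention. The shell script below is an added example written for this page, not code from the thread, from the report or from the CUPS project: it parses `ss -lun` output (a constructed sample is embedded so it runs offline), reports any UDP/631 socket bound to a wildcard address, and prints the host administrator's mitigation options. The nftables command assumes an `inet filter` table with an `input` chain already exists, and the systemd unit name `cups-browsed` is assumed to match your distribution's packaging.

```shell
#!/bin/sh
# Added example for this thread, not code from the report or from CUPS.
# Detects a cups-browsed UDP/631 listener bound to every interface
# (INADDR_ANY / in6addr_any), the exposure the quoted report describes,
# and prints mitigation options for the host's administrator.

# Constructed sample in the shape `ss -lun` prints: one wildcard IPv4
# listener on 631, one wildcard IPv6 listener on 631, and an unrelated
# loopback-only resolver socket that must not be reported.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
UNCONN 0      0      0.0.0.0:631          0.0.0.0:*
UNCONN 0      0      127.0.0.53%lo:53     0.0.0.0:*
UNCONN 0      0      [::]:631             [::]:*'

# cups_udp_exposure: read ss-style lines on stdin and print the local
# address of every UDP socket on port 631 that is bound to a wildcard
# address. Exit status 0 if at least one was found, 1 otherwise.
# Columns are searched rather than indexed, so the check does not depend
# on which ss version produced the output.
cups_udp_exposure() {
    awk '
        {
            for (i = 1; i <= NF; i++) {
                if ($i !~ /:631$/) continue
                addr = $i
                sub(/:631$/, "", addr)
                if (addr == "0.0.0.0" || addr == "*" ||
                    addr == "[::]" || addr == "::") {
                    print addr
                    found = 1
                }
            }
        }
        END { if (found) exit 0; exit 1 }
    '
}

# check_live: run the same check against this host when ss is installed.
# Returns 2 when ss is unavailable so callers can tell "not checked"
# from "not exposed".
check_live() {
    if ! command -v ss >/dev/null 2>&1; then
        echo "ss not found; live check skipped" >&2
        return 2
    fi
    ss -lun | cups_udp_exposure
}

# print_mitigations: the options a defender has once exposure is confirmed.
# The nftables line assumes an existing `inet filter` table with an `input`
# chain; the unit name cups-browsed assumes the distribution's usual packaging.
print_mitigations() {
    cat <<'EOF'
Mitigations for a wildcard-bound cups-browsed listener:
  1. If the host does not need to discover network printers, stop the
     browsing service:      systemctl disable --now cups-browsed
  2. Otherwise keep UDP/631 off untrusted interfaces at the host firewall:
       nft add rule inet filter input udp dport 631 drop
     or, with iptables:
       iptables -A INPUT -p udp --dport 631 -j DROP
  3. Apply the vendor fixes from the OpenPrinting advisories quoted above.
EOF
}

# Stand-alone run: live check first, then the mitigation list.
if check_live; then
    echo "cups-browsed UDP/631 listener is bound to all interfaces: exposed"
else
    echo "no wildcard-bound UDP/631 listener found (or check skipped)"
fi
print_mitigations
```

Run it as root on the host in question; a socket bound to 127.0.0.1 or to a single interface address is deliberately not reported, since the report's remote case needs the wildcard bind, while the mDNS case on the local network is only removed by the first mitigation.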
bshipp commented on A 9.9 CVE has been announced for Linux   twitter.com/howardl3/stat... · Posted by u/alexzeitler
frankjr · a year ago
Almost certainly CUPS related.
bshipp · a year ago
From an eating-popcorn perspective, I would find it truly entertaining that a printer package could somehow result in a 9.9 security vulnerability that is somehow worse than Heartbleed. How many Linux systems actually have CUPS installed and active?
bshipp commented on China Is Pressing Women to Have More Babies. Many Are Saying No   wsj.com/articles/china-po... · Posted by u/crhulls
jltsiren · 2 years ago
There is a theory that the US loses every prolonged conflict by default, because taxpayers eventually lose interest in winning.

China is probably watching the latest developments in US support for Ukraine with great interest. If the support proves insufficient for Ukraine to win, they may conclude that there is no need for a proper invasion of Taiwan. That there is no need for an all-out war. They could just isolate the island, try to shoot down every plane and sink every ship, and take whatever casualties Americans are willing to take. If their navy and air force can match their US counterparts, they just need to spend more and last longer.

bshipp · 2 years ago
Ukraine is (and will continue to be for decades) a fascinating case study for multiple reasons, but most impressively regarding NATO support. Although headlines detail billions upon billions in spending, the vast majority of those expenditures from the NATO side were for the notional values of stuff that was already just sitting around. This has got to be one of the cheapest conflicts--from a taxpayer perspective--they've ever supported, which is amazing considering the success Ukraine has experienced in bringing Russia's military to its metaphorical knees.

I think China would be far more aggressive with Taiwan if the West hadn't frozen Russia's central bank assets. That single move likely had the biggest impact in curtailing any expansionist dreams.

u/bshipp · Karma 1738 · Cake day March 3, 2019