Go show Simone some love. Also, disable cupsd. x.com/evilsocket www.evilsocket... 🏫 COURSES 🏫 Learn to code in C at lowlevel.academy 🔥 SOCIALS 🔥 Come hang out at lowlevel.tv
So, just to clarify for myself, if I (roughly) understood how this works: Attacker: Hi, I am a printer! Victim: Hi, nice to meet you, what files can you print? Attacker: I support the ThisIsAVirus format. Victim: Oh, interesting. How do I decode that file format? Attacker: It's super easy, barely an inconvenience, here you have the appropriate ExecuteThisVirus decoder. Victim: Thanks, I will implement the ExecuteThisVirus decoder the next time I need to print something.
@cdoublejj
5 hours ago
Thank you! Just saved me 13 minutes!
@marianarlt
5 hours ago
Best summary! Could be a children's book ❤
@redo1700
5 hours ago
@@highdefinist9697 Does the attacker need to be at the victim’s house?
@revanisalive
5 hours ago
super easy! barely an inconvenience!
@ImSquiggs
5 hours ago
Love to start my day off with a random Ryan George reference, haha
@krityaan
6 hours ago
RIP HP Printer. You didn't achieve much at all.
@sparquisdesade
6 hours ago
And nothing of value was lost
@grostoss4259
5 hours ago
Let's hope iLO is next
@alc5440
4 hours ago
It doesn't deserve to rest in peace.
@davester4545
4 hours ago
RIP could also mean "rest in pieces" which for HP, would be accurate xD
@execration_texts
4 hours ago
@@davester4545 *Cut to scene from Office Space
@RobertFerentz
5 hours ago
I will call this the '2 hackers 1 CUPS' CVE.
@Vinnie_PT
4 hours ago
That is both disgusting and hilarious. I approve 👍
@lightyagami1752
4 hours ago
2 geeks 1 CUPS
@tablettablete186
3 hours ago
OH NO, DON'T DO IT!!! NNNOOOOOO
@rumplstiltztinkerstein
1 hour ago
gonna get some chocolate icecream now
@WarkWarbly
1 hour ago
This comment is definitely a 9.9
@keco185
5 hours ago
I tried watching this video but I ran out of cyan
@ssmith5048
5 hours ago
nah, just really really likes black
@thewhitefalcon8539
5 hours ago
Need yellow to print the tracking dots
@Hezeri
5 hours ago
Tried switching to black&white, but still didn't allow it due to lack of cyan.
@keyboard_g
4 hours ago
This is why Windows is more secure. Printers just never work on it.
@EwanMarshall
3 hours ago
In truth, the printer provides a binary driver which is run as SYSTEM on Windows. Though it does try to find an up-to-date one on Windows Update first, of which there are several with known vulnerabilities in them.
@JPs-q1o
5 minutes ago
LOL
@Uerdue
5 hours ago
But... the important question is of course... does this exploit work on Tuesdays?
@CrypticBore
4 hours ago
@Uerdue considering you could use a print to pdf imposter yes
@Yadobler
4 hours ago
Only with OpenOffice
@ninetydirectory3798
4 hours ago
@@Yadobler Such an OOO scenario.
@dantenotavailable
2 hours ago
Probably works more often than my freaking printer does.
@miguelu4186
59 minutes ago
based
@AlexSwanson-rw7cv
5 hours ago
Wow, executing arbitrary commands *by design*.
@Imperial_Squid
2 hours ago
Remember kids, never exec arbitrary code, unless you're a core part of the Linux kernel I guess, real "do as I say, not as I do" vibes lol
@AlexSwanson-rw7cv
2 hours ago
@@Imperial_Squid I thought this was userspace?
@framegrace1
1 hour ago
@@AlexSwanson-rw7cv It is. That file is still executed as the nobody user (some distros have a cups user). So the exploit is not dangerous by itself. It can be the entry method for any other local attack though...
@nnnik3595
1 hour ago
@@framegrace1 cups is run as root on some systems
@cfillion
6 minutes ago
@@Imperial_Squid CUPS is not part of nor related to the Linux kernel.
@mattilindstrom
6 hours ago
Released 25 years ago, approaching net security like it was still Arpanet days. Way to go CUPS!
@itskdog
5 hours ago
And it's made by Apple, as well
@qdaniele97
4 hours ago
To be fair, it's like that mostly because it has to support all the weird and/or obsolete shit that printers still do these days 😅
@truckerallikatuk
6 hours ago
...And as I'm watching this, my Mint updater pushes a CUPS update...
@ChronoNewton
5 hours ago
same😂😂
@jmvr
5 hours ago
My Kubuntu snap store did the exact same
@radical-nation9729
5 hours ago
got mine last night
@chrisnelson414
4 hours ago
Fedora updated. Will check my Debian, Parrot and Steam Deck machines later. My OpenBSD or my NetBSD machines don't have CUPS installed.
@EwanMarshall
3 hours ago
yep, ubuntu released patch yesterday, pretty sure other distros did too.
@QuantumScribe
5 hours ago
Not good but since I don't have a printer:
sudo systemctl stop cups
sudo systemctl stop cups-browsed
sudo systemctl disable cups
sudo systemctl disable cups-browsed
@BrunodeSouzaLino
5 hours ago
Linux uses CUPS to create PDF files, though, so you'll lose that functionality.
@MrAdeelAH
4 hours ago
Would closing the port not be enough?
@cyberpunk1618
4 hours ago
you can use:
sudo systemctl disable cups --now
sudo systemctl disable cups-browsed --now
@whatever990
4 hours ago
@@MrAdeelAH It would. Doing:
sudo systemctl disable --now cups
sudo systemctl disable --now cups-browsed
would also stop the services.
@matjer2800
3 hours ago
@@BrunodeSouzaLino No, print to PDF does not need the services to run. I never enabled cups, but I still can create PDFs with no problems.
@talhaakram
6 hours ago
Ah, yes! foomatic-rip the state mandated backdoor.
@HagenvonEitzen
2 hours ago
Well, it has RIP in the name ...
@JamieBainbridge
5 hours ago
The biggest thing I learnt here is how NOT to interact with the software security community.
@engineeranonymous
6 hours ago
This is pretty bad for places where you are already on the network like universities. You'll hop on to other systems from your primary ingress point.
@sush7117
4 hours ago
printer autoconnects to new PC
normal person: oh cool
security researcher: *squints*
@edoardottt
6 hours ago
although you got the name pronunciation wrong😅 (search for the Italian pronunciation of the Italian name Simone), great explanation!! thanks❤
@alek002
6 hours ago
Very cool
@p99chan99
5 hours ago
I guessed he was Italian, cool
@alphadexxa
5 hours ago
Could have been a female, Simone is a common female name in Scandinavia
@3msEEv
5 hours ago
In German it'd be a female name
@happydawg2663
5 hours ago
@@alphadexxa In Italian Simone is for male, while Simona or Simonetta is for female.
@marianarlt
5 hours ago
I find it funny how the internet just assumes that businesses never expose unnecessary services to anybody in their networks or the internet and that your usual employee would never ever consider clicking messages away or use the wrong printer that magically appeared in their settings. Good luck!
@deefdragon
5 hours ago
I saw a lot of people dissing this because a user had to print and I was looking at face-palming. Imagine a user seeing "use this printer!" in the printer list. At minimum one user is going to use it to print, and that's all it takes.
@smiths7317
5 hours ago
"Arm chair people assumes businesses."
@chicomojo
3 hours ago
@@deefdragon Most people *here* would just use that printer, myself included.
@imax9000
3 hours ago
@@deefdragon even better - just copy the name of another boring printer you've found on the same network. Nobody will be surprised at all to see two printers with the same name.
@lizardkeeper100
2 hours ago
@deefdragon I would 100% click the wrong printer at some point because I don't think I have ever used a printer when there weren't 10 people trying to ask me 100 questions about their technical issues.
@harrytsang1501
5 hours ago
Although it is indeed overhyped and none of my Debian servers are affected, Ubuntu is affected by default and the word "Ubuntu" showed up over 150 times in our on-prem server list. What a day
@AlexSwanson-rw7cv
5 hours ago
@@harrytsang1501 Is Ubuntu Server affected by default? Mine don't have any cups on, though maybe I deselected it on install or removed it at some point...
@rbgtk
4 hours ago
I feel a fun little honeypot idea coming up by setting up a dummy cups server, expose it publicly and see what kind of printers get added
@the-answer-is-42
1 hour ago
You can even put it in the cloud. I heard that Azure data centers are routinely scanned by malicious actors, so if you put it in a VM there, someone might notice your dummy cups server and spend time to investigate (not sure if it was specifically SSH and RDP that were attacked or more things, though). Of course, other cloud providers may be in a similar situation, I just heard about it in the context of Azure.
@YaySyu
5 hours ago
Hey you guys remember that PrintNightmare exploit for Windows that was discovered in 2021? Yeah, it's still vulnerable...
@o0Donuts0o
57 minutes ago
Is it? Is it really? I’m asking sarcastically because I know you don’t know what you’re talking about.
@JessicaFEREM
4 hours ago
If you're ever in the market for a printer, get a Brother. Those things are so easy to use and they just work no matter the OS, except Android which requires Mopria, but that's just Android being weird. I had my printer up and running within 10 minutes and that was it. No custom bloatware or Linux incompatibility. I can't rate my experience with Brother highly enough. The only silly thing is that it makes my power flicker when it runs, but I just unplug the printer when I'm not using it. If you don't use color then get a b+w laser printer. If you only print color once every 5 years you can just go to a store and get it printed; the $.15 a page or whatever will likely be cheaper than buying color ink anyways, or you can get a color laser printer by Brother, so you don't have to waste ink because toner doesn't dry out.
@darmandez
3 hours ago
Instructions unclear, parents got me a sister instead
@connorkolan2597
5 hours ago
Me and my product manager just talked about implementing a cve tracker for our custom cups project and thought it was low priority xD. The timing
@mechwarrior83
6 hours ago
thank you for the great explanation!
@dmi3mis
4 hours ago
If you open port 631/tcp to the whole internet and allow unauthenticated traffic, you have made a mistake.
@chocolate_squiggle
3 hours ago
You think no-one ever got hacked as long as they had a basic network-level packet-filtering firewall? Geeze.....
@janzibansi9218
5 hours ago
as an arch user without a printer, I don't have this
@Jack-vk5ko
2 hours ago
as an arch user, you have fulfilled your EULA mandate to inform the greater public, that you are in fact, an arch user.
@NikFernandez
2 hours ago
@@Jack-vk5ko it's in the EULA, can confirm
@the-answer-is-42
1 hour ago
@@Jack-vk5ko I have a Steam Deck, does that count as using Arch?
@adamz01h
5 hours ago
Turns out a feature I've known for years is a security bug. 🎉
@nasenbaer4627
3 hours ago
100% over hyped. If your devices are connected to the internet without a firewall (and a drop all by default rule) in between, you've got much bigger problems.
@johnpublic6582
1 hour ago
My gun safe has a 9.9 vuln where if I go on vacation and leave my front door standing open, and while the door is open there is a grid power failure longer than 24 hours, and I left the gun safe door also standing wide open, an attacker can walk in, bypass the now offline cameras, use some hand tools to take apart the safe door inside panel, and the lock cover and then manipulate the dial to recover the combination of the lock. Finally he can put everything back together and there is no evidence of the attack. The fix is to apply a tamper evident sticker for the lock cover. The short term work around is don't be the dumbest person in the Northern Hemisphere.
@snooks5607
5 hours ago
stop clickbaiting CVSS scores, they're meaningless without the context of what the software is and who the user is. It's not a damn Richter scale
@rayjaymor8754
2 hours ago
It's definitely a great and fantastic find. It's just that Simone's tweet tried to suggest he found something that was equivalent (or worse) than Log4j and the fact is, no. Not even close. It's very big, just, a little bit overhyped.
@ailivac
3 hours ago
I hope this gets a fix soon instead of everyone just disabling browsed, because IPP Everywhere (the stupidly-named protocol that enables this) is honestly the best thing to ever happen to printers for Linux users. It's basically a simple extension of IPP that instead of just allowing the printer to advertise itself but still need a vendor-specific driver unless it's some huge PostScript-enabled office machine, there's now a standard raster format printers are required to support that uses a driver that CUPS has built in. This isn't even a new thing - a large number of network printers have implemented it for well over a decade now, but software support only started appearing recently. Of course, the entire point of the protocol is that the printer doesn't need to instruct CUPS to execute any specific commands, just advertise support for a data format that it already knows how to handle, so it may be enough to just block foomatic-rip execution for PPDs loaded from the network (it sounds like the feature can't be removed altogether, but other use cases would involve a PPD provided by a locally-installed driver package that is more trusted).
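The defender-side counterpart to the comment above, as an added example (not code from the video, the commenters or the CUPS project): a small audit that parses the PPDs cupsd keeps for configured queues and flags the ones that hand foomatic-rip a command line to execute, as opposed to driverless queues that only declare data formats. It assumes the standard `*Keyword: "value"` PPD syntax, the usual `/etc/cups/ppd` location, and two sample PPDs constructed for the demo.

```python
"""Audit CUPS printer PPDs for foomatic-rip command lines.

Added example, not code from the video, the commenters or the CUPS
project.  Assumptions: PPDs use the standard *Keyword: "value" syntax,
cupsd keeps the PPD of each configured queue under /etc/cups/ppd, and
the sample PPD texts below are constructed for the demo (the command in
the first one is deliberately harmless).
"""
import re
from pathlib import Path

# One PPD statement: *Keyword [option/translation]: value
ENTRY_RE = re.compile(r'^\*(?P<key>[A-Za-z0-9_?-]+)(?:\s+[^:]*)?:\s*(?P<val>.*)$')
# Characters that turn one command line into several commands.
SHELL_META_RE = re.compile(r'[;&|`]|\$\(')


def parse_ppd(text):
    """Map each PPD keyword to the list of its values (keywords repeat).

    A quoted value may run over several lines; it is joined until the
    closing quote, which is how foomatic wraps long command lines.
    """
    entries = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = ENTRY_RE.match(lines[i])
        i += 1
        if not m:  # *% comments, *End markers and blank lines
            continue
        key, val = m.group('key'), m.group('val').strip()
        if val.startswith('"'):
            val = val[1:]
            while not val.endswith('"') and i < len(lines):
                val += '\n' + lines[i]
                i += 1
            val = val.rstrip('"')
        entries.setdefault(key, []).append(val)
    return entries


def audit_ppd(text):
    """Return (nickname, risk, findings) for one PPD.

    'high'   : foomatic-rip will run a command line taken from the PPD
               at print time (the vector discussed in the thread)
    'medium' : jobs are routed through foomatic-rip, no command line given
    'low'    : the PPD only declares data formats (driverless / IPP
               Everywhere queues look like this)
    """
    e = parse_ppd(text)
    nick = (e.get('NickName') or ['<unnamed>'])[0]
    findings = []
    filters = e.get('cupsFilter', []) + e.get('cupsFilter2', [])
    routed = [f for f in filters if 'foomatic-rip' in f]
    if routed:
        findings.append('jobs are routed through foomatic-rip: ' + routed[0])
    cmds = e.get('FoomaticRIPCommandLine', [])
    for cmd in cmds:
        parts = cmd.split()
        findings.append('FoomaticRIPCommandLine runs: ' + (parts[0] if parts else '<empty>'))
        if SHELL_META_RE.search(cmd):
            findings.append('command line chains commands via shell metacharacters')
    risk = 'high' if cmds else ('medium' if routed else 'low')
    return nick, risk, findings


def audit_directory(ppd_dir='/etc/cups/ppd'):
    """Audit every *.ppd under ppd_dir -> {path: (nick, risk, findings)}."""
    results = {}
    for path in sorted(Path(ppd_dir).glob('*.ppd')):
        try:
            results[str(path)] = audit_ppd(path.read_text(errors='replace'))
        except OSError as err:
            results[str(path)] = ('<unreadable>', 'unknown', [str(err)])
    return results


# Constructed sample: the shape of PPD a remote "printer" could hand out.
SAMPLE_FOOMATIC_PPD = '''*PPD-Adobe: "4.3"
*% constructed for this example; the command is deliberately harmless
*NickName: "Constructed Foomatic Printer"
*cupsFilter: "application/vnd.cups-postscript 0 foomatic-rip"
*FoomaticRIPCommandLine: "gs -q -dBATCH -sDEVICE=pdfwrite
 -sOutputFile=- - ; echo constructed-sample"
*End
'''

# Constructed sample: a driverless queue that only declares formats.
SAMPLE_DRIVERLESS_PPD = '''*PPD-Adobe: "4.3"
*NickName: "Constructed IPP Everywhere Printer"
*cupsFilter2: "application/vnd.cups-pdf application/pdf 10 -"
*cupsFilter2: "image/pwg-raster image/pwg-raster 10 -"
'''

if __name__ == '__main__':
    for sample in (SAMPLE_FOOMATIC_PPD, SAMPLE_DRIVERLESS_PPD):
        nick, risk, findings = audit_ppd(sample)
        print(f'{nick}: risk={risk}')
        for finding in findings:
            print('  -', finding)
    # On a real host: review every 'high' entry from audit_directory().
```

Legitimate foomatic-db PPDs also carry a FoomaticRIPCommandLine, so a 'high' result means "review where this queue came from", not "malicious".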
@BobDerFlossmeister-zj1qk
3 hours ago
I could see state actors being VERY interested in this exploit or maybe even already using it for a long time. Something like the recent supply chain attack by Israel comes to mind: set up a proxy company that sells printers with modified firmware and your victim even invites you in
@santiago4773
4 hours ago
Someone at NSO group will be extremely angry edit: please don't make me explode 🙏
@-Engineering01-
17 minutes ago
NSO's website down for months.
@FurqanHun
3 hours ago
While reading the blog before, most of the technical stuff went over my head, but I did understand that the attacker needed to disguise the system as a printer using port 631 and the victim needs to use it for it to work, so 9.9 CVE obv didn't make any sense for a normal user; however it does make sense for companies where there are more printers and it's easier to disguise… and a company would also be the one to take the most damage off of the attack…
@locust76
5 hours ago
5:00 no CVE writeup is complete without a meme .jpg inserted in there somewhere 😂
@FamilyYoutubeTV-x6d
5 hours ago
and sort of summarizes what's wrong with this society of memes. Memes are a waste of time, are predictable, not so funny after a while. And yes I am very funny at parties and I am not the police. See what I did there?
@ticler
5 hours ago
@@FamilyYoutubeTV-x6d everyone is a comedian nowadays
@imax9000
4 hours ago
This is absolutely a huge deal for government and enterprise sectors. They often purchase printers in bulk, so you can easily pick a name that won't raise any eyebrows. Especially in govt, where security can be atrocious. You just walk into a court building, sit down in the waiting area, connect to Wi-Fi, add yourself as a printer to every host you can reach and wait a few minutes. There are tons of paperwork constantly being printed out, so you very quickly get your code running on a machine that has access to a lot of court data, and can modify most of it as well. Want a fancy registration plate for your car? Go to DMV and do the same. Want your speeding tickets dropped? Go to your police department and just delete them from the system.
@chocolate_squiggle
3 hours ago
Well, one would hope public wifi in court buildings (and your other examples) doesn't allow access to internal networks where printers are attached.
@imax9000
3 hours ago
@@chocolate_squiggle yeah, but it's a slim hope. People in IT dept are probably not paid enough to actually care
@Spartan322
17 minutes ago
@@chocolate_squiggle You'd be surprised how crap government IT is.
@resist_or_die
4 hours ago
Another way I can see to exploit this potentially is to become their printer, tee that to the real one and capture the data. One client I have thinks it's super convenient to copy-paste their credit card numbers, and those of their customers, into lots of forms and spreadsheets. They print these. Identifying as a printer might not be so harmless. edit: This is not behind their main firewall for automation systems, it's front office and basically unlocked because derps work in there.
@cohan88
5 hours ago
Y'all know Simone is the guy that gave us Bettercap & Pwnagotchi, right?
@Alfred-Neuman
5 hours ago
Is it really a guy? In french "Simone" is a very female name.
@thewhitefalcon8539
5 hours ago
@@Alfred-Neuman In English too. But different languages are different.
@BlueEyesWhiteTeddy
5 hours ago
@@Alfred-Neuman I looked it up. He's Italian and in Italian Simone is masculine, pronounced using 3 syllables.
@Alfred-Neuman
4 hours ago
@@BlueEyesWhiteTeddy Okay thanks, I was just curious. It's like the name "Sasha" for Russian guys, the first time I heard this I was a bit confused but it's a very common name for males in Russia...
@Alfred-Neuman
4 hours ago
@@thewhitefalcon8539 Yep, that's why I was asking... ;) Apparently he's Italian. (The more you know)
@JPs-q1o
37 seconds ago
foomatic-rip had its purpose a decade and a half ago, I remember those days. Printer manufacturers, other than HP, were being little twits and not even sharing PostScript and capabilities used by their printers with open source devs and users. foomatic-rip allowed you to use printers not officially supported without a PPD file by using the PPD from a similar printer and tweaking it on the fly with the aforementioned tool.
@garanceadrosehn9691
3 hours ago
A very helpful walkthrough of what's involved here. I've been a printer-support person at my college for many years, and due to that I'm quite aware that CUPS is a mess wrt security. I just did a quick check, and of some 220 Linux hosts that I have some responsibility for, about six *might* be affected by this. And I think only one of those needs to have CUPS running at all. Good work by the security-researcher guy. It's a shame that this got pre-announced as 9.9, as the "letdown" (???) from that claim makes people upset with the whole event.
@JPs-q1o
9 minutes ago
So every admin cancelled their weekend plans for nothing [kills CUPS service and goes home for the weekend].
@framegrace1
1 hour ago
Clarify, that script is executed as whatever the cups daemon user is. (nobody on most places). So all it does by itself, at most, is to execute a random script as the same user as the cups daemon. This is usually the first stage of an ownage, but just to clarify.
@jasoncampbell4532
5 hours ago
My macs seem to completely lack foomatic-rip in their cups filter dirs 1:00 , oldest I looked at is 13.6.9 Ventura
@JPs-q1o
13 minutes ago
netstat told me that there's nothing listening on port 361 so I'm totally safe 😮💨
@CU.SpaceCowboy
4 hours ago
You said you could use the same command, but if ASLR is enabled the memory offset would be different, right? And how would you know that anyways? Sorry if this is a dumb question
@danielckw0206
1 hour ago
Just dont use printer is fine, it is also good for environment Save the papers 👇🏻👍
@electricengine8407
4 hours ago
How does someone design a system like this? They must have not known the basics of security
@ai-aniverse
3 hours ago
no, I didn't see this tweet but when I see a video I click lol
@Globss
4 hours ago
People were getting so mad over this I watched someone call this guy a wife beater on their stream for 30 minutes
@nathanl2966
4 hours ago
source?
@Globss
4 hours ago
@@nathanl2966 of what?
@bloofle674
3 hours ago
@@Globss wife
@Jack-vk5ko
2 hours ago
Called him a wife beater because of the "9.9" score? Guessing the justification is "see what can happen if you overinflate facts"?
@tuerkismelon8483
4 hours ago
I like that the author of the article talks about a Part II or even a Part III.
@Maramowicz
5 hours ago
So you need to have a foomatic-filters on your PC. What about not even /usr/libs/cups/filter? Because if there is no way to even run that, that is no problem, my Steam Deck is safe ;) Oh wait, not only does the Steam Deck have no filter, it also has no cups... Critical hit :D
@chrisnelson414
4 hours ago
Who prints or does anything but gaming from a Steam Deck? 🤔
@yigitorhan7654
4 hours ago
@@chrisnelson414 Believe it or not, some people hook their Steam Decks up to a monitor and use it like a PC.
@Maramowicz
4 hours ago
@@yigitorhan7654 Actually me now. I even burned a CD twice.
@chrisnelson414
2 hours ago
@@yigitorhan7654 Just because you can, doesn't mean you should.
@yigitorhan7654
1 hour ago
@@chrisnelson414 I personally wouldn't, for sure. But it does happen out in the wild.
@kuhluhOG
3 hours ago
As far as I understand CUPS, shouldn't you be able to trigger a print job to a specific printer yourself if you can reach port 631?
@fomxgorl
56 minutes ago
iirc, it should ask for your login when you connect. It's been a while, so I could be wrong
Hmm... I have vanilla Ubuntu 22.04 and I don't have cups-browsed running at all. cupsd is listening on tcp port 631 on 127.0.0.1.
@BenjiWhiskerBiscuit
2 hours ago
IOC did you mean Port 631* ? @ 3:58 "361" was communicated verbally. SOLID content! Appreciate your contributions.
@NobbsAndVagene
5 hours ago
"... so don't shit on him on Twitter" but wait, isn't that what Shitter is for? 🤔
@tehmoros
12 minutes ago
Printer-related code has always had a label of crap code. That being said, it's not a Linux-related vulnerability but rather a CUPS-based one. As such, doesn't it affect macOS as well?
@erintyres3609
49 minutes ago
A new version of CUPS became available on Linux Mint on the evening of Thursday September 27th. Does it fix one or all of these vulnerabilities?
@kuhluhOG
3 hours ago
Why do people still use the Print to PDF functionality of printing? From a script, yeah, ok, maybe, but from e.g. LaTeX or LibreOffice? You lose quite a lot of PDF functionality that way (e.g. hyperlinks). Use the direct version in your software.
@mawnkey
31 seconds ago
If you open/forward ports for services only intended for LAN use, you deserve this exploit.
@HagenvonEitzen
1 hour ago
Who would expose their printer systems to the outside? Well, several years ago, I tried out what happens if I connect to outside my home net - my ISP provided me with modem and router/firewall in two separate devices, i.e., I quickly wiresharked the net directly at the modem, no longer behind the router's NAT. Lo and behold, apparently there was another RFC1918 net there (so a second NAT at the transition from ISP to the Internet). Normally, this should not have mattered much because all other customers are also behind their CPE router and at least somewhat protected by their NAT. Or are they? I immediately observed a few printers advertising themselves. I refrained from printing-related pranks, though ... (I think they advertised directly as LPRs with no foomaticRIP involved)
@KevinDay
53 minutes ago
We should just drop the number rating from CVEs. It's utterly pointless at this point.
@vladlu6362
3 hours ago
LL(L): "All Linux systems affected"
Half the comments: "My PC doesn't even have CUPS"
Me: "Well... To add wood to the fire... I run Gentoo, no cups for me if I don't wanna, and printers are the most evil thing that exists, so I don't wanna."
@arashai
2 hours ago
THANK YOU for using a video title that actually describes the video ❤
@toxyl3915
3 hours ago
the name RIP suggests it's about a Raster Image Processor. those are used between a computer and a large format plotter, basically a server that takes control of, e.g., color profile transformations like RGB->CMYK (the printer is CMYK and doesn't know what to do with RGB).
@c4llv07e
1 hour ago
"All linux my ass" Why everyone keeps saying that it affects all Linuxes? None of my Linux machines has a CUPS service.
@CalgarGTX
59 minutes ago
I have a deep-rooted hatred for all things printing in general (99% of people who print things don't actually need to and just do it by force of habit or just enjoy destroying the planet at this point, idk). It is one of the 3 prime evils of IT along with 'anything made by Apple' and wifi, after all. And it's one of the things I've often wondered: why does even a VM install or server, headless Linux (or 'the other' OS) variant install often have these fking printing services and drivers always present and on by default? Same deal on client-side devices. But in my blissful ignorance and blind trust in devs I've always thought 'meh, it's a printing listener, what's the worst that could happen? No point worrying about it, right?' But then we always get these kinds of stories like: how the fk does code made to handle a particular thing, i.e. here printing a file, end up with 'code that accepts and executes any code in existence, and if we can with superadmin/kernel-level permissions so it can bypass any other security feature of the OS while we're at it'. Also, just looking at this video, I wonder if it's not possible to man-in-the-middle the response from an actual HP (or whatever) printer, just replacing parts of it to replace the actual pdf printing code payload or whatever you wanna call it with your malware payload instead. Nothing at first glance seems to establish a secure connection at any point of the process.
@michawisniewski4654
1 hour ago
one simple question: is CUPS still open to unauthorized print jobs by default? It used to be. If it is - then after installing malicious "printer" you just have to hit print queue with another packet.
@philswaim392
1 hour ago
Yeah, it's a big deal for cups but...... not really a big deal for most environments. At least not bigger than most other vulns I would care about. Hypetweeting hurts security research and remediators. Either fully disclose or don't.
@KillianTwew
16 minutes ago
Idk, Cyan gives more of a, "Hey gurlll we're outta ink" vibes
@vladislavkaras491
2 hours ago
Darn... Quite interesting way to be hacked! Thanks for the video!
@VioFax
1 hour ago
Bluetooth has gotten really unsafe to use in my neighborhood. I had an ESP32 device kick my headset, spoof the headset, set up a virtual LAN connection, and then start trying other vulnerabilities before I caught it. It spread to 2 other systems on my network and started trying to exfiltrate data. Stay off Bluetooth. It's not worth the convenience.
@rsdyeahh
8 minutes ago
Just a little bit of history. The Foomatic interface emerged when there was a bit of competition over the printing standard on Linux: LPD, LPRng and CUPS, CUPS being the new kid on the block. The problem started because many printers did not have a driver for Linux, or the closed drivers were worse than the open source ones (e.g. Ghostscript). Other issues come from the fact that many printers are just a rebrand of another model, and mapping what works with which was needed. So this is what the Linux Printing Database did, and Foomatic came out of it (like WineHQ's database for apps). It started as a band-aid to get printers to work on Linux and it is astonishing to find out that even today it has not been improved. Also worth mentioning that CUPS was bought by Apple a long time ago and is branded as an Apple product.
@dantenotavailable
2 hours ago
I'm confused why, if everyone agrees foomatic-rip is a problem, it's enabled by default. I mean I'm not saying delete it from the binary (ok, that'd be *an* answer but ...) but at the same time, at least make people who have no idea what a foomatic-rip is or why they should care have to modify config files to become vulnerable.
@EwanMarshall
3 hours ago
I have a lot of questions, like does this affect both Apple CUPS and OpenPrinting's fork? Is OSX affected given original CUPS is an Apple project, if not, why not (Mac is not listed at all on his writeup but FreeBSD is)? And some of Simone's comments regarding the state of CUPS, and I go and look at Windows print driver vulnerabilities which run as SYSTEM (most CUPS implementations are running the affected component as its own user and group at least) and has open vulnerabilities for several years now (which is almost the same thing with providing the conversion drivers to Windows automatically)... Simone's writeup starts with a paragraph on how Linux security is so bad. Personally there is a lot of seemingly trying to target this as being a very serious Linux issue when distros can and are patching it even if upstream isn't and well, as said, it is an Apple project so why are we not mentioning OSX? In my opinion, this is partially a flaw in how printers work entirely on any platform. And part of the problem is not breaking old printers.
@davidfrischknecht8261
4 hours ago
Well, I disable cups-browsed on all my Linux installations because I prefer adding my printers manually.
@hackdesigner
35 minutes ago
After I read it yesterday, y'know, it's not just a bug or "bugs". It's the entire grandma's mattress😅
@elly.b
58 minutes ago
Loved watching you live with the primeagen. I need more cyan 😂😂😂
@rallisf1
6 minutes ago
cups-browsed is a desktop package, this doesn't affect servers at all. There's close to zero desktop linux PCs with a public IP. Even homelab/IoT devices are mostly behind NAT with certain ports open, certainly not UDP/631. That said; it's still a major backdoor for anyone already inside a LAN with Linux Desktops.
@mikee.
1 hour ago
Someone just decided to implement arbitrary command execution for a printer service. How the hell does that happen? This is barely even an exploit, this is a feature
@mateuszjasek
5 hours ago
Good, none of the servers I'm administrating has cups installed. I guess mainly workstations are compromised.
@adriankozakiewicz8248
4 hours ago
It won't be patched, right? How would it? If the people responsible don't want to change their filter responsible for RCE, CUPS is probably not going to disable this filter by default, so it just stays the way it is I guess; maybe AV will start to filter it. Exposing CUPS can become a legit rootkit for some time
@AnWe79
1 hour ago
Yeah, I saw that tweet, and it seemed a bit too rich to literally be true. Not every system will even have CUPS installed. And you'd have to be a bit crazy or super-sloppy if you have it exposed to the internet. So meh for me personally, but serious bugs still, not something to be swept under the carpet. So I get why they hyped it as they did if they were being ignored by maintainers. I think the correct thing for the maintainer is to break whatever driver relies on arbitrary code execution via foomatic-rip. No excuse to let that shit stand. Who cares if some printer drivers break, then the maintainers of those drivers will need to do better, however hard that may be.
@7marcus8
3 minutes ago
I don't care what score this thing has or if it's assigned correctly. But I care when some kid is ruining my mood by telling me I am going to have some bad time with emergency stuff and at the end it was just a lie. You said at 0:07 that he claimed to have a 9.9 in all Linux distributions. That is not correct. As you can read in his Tweet he claimed to have an unauthenticated RCE in ">ALL< GNU/Linux >SYSTEMS
@hawk_7000
3 hours ago
I do think the *combination* of Mr Socket explicitly stating that he's hyping the heck out of this because sensationalism works wonders and then it turning out to not quite be as exciting as the hype suggested (but still valuable findings!) is relevant to understanding the backlash of essentially "you made yourself part of the problem".
@blazernitrox6329
2 hours ago
My dad pointed out that while yes, most servers _should_ (not necessarily _are_) be secure against this bug because it _probably_ doesn't need CUPS and it _definitely_ should be denying external access on anything other than the intended ports, it's likely that many of the devices that Simone was able to hit were poorly configured home routers, which in theory means an attacker could get access to your LAN and launch attacks against your machines from there.
@erintyres3609
51 minutes ago
10:42 The user has to print something using the printer definition that was created by the attacker. However, if the attacker knew the name of the existing printer definition, the user would not notice anything out of the ordinary.
@llawliet3996
5 hours ago
Hey, is dhcpc on udp 68 sus too? I mean that fucker should be safe, right? ..but does it leak any interesting info? I never know what to do with dhcpc on HTB. I'm glad we can get target arch using cups.. someone should create an nmap scan for that ❤
@MartinWoad
2 hours ago
The question is, why the hell is cups and avahi on by default in so many distributions? The first thing I did after setting up my Debian was getting rid of it. What do I need it for? Anything that is a daemon and is not critical should be opt-in only.
@Bvic3
4 hours ago
TLDR: it's not a zero-click exploit. You need to print a file using a fake printer for the infected code to be executed. If the server never prints files, it's not vulnerable.
@lizardkeeper100
2 hours ago
Of course it is printers that make Linux vulnerable. Is anyone surprised? I can't think of a device I hate more than printers.
@robertjenkins6132
1 hour ago
Wouldn't the firewall block packets from the public Internet directed to that port number? I have a firewall on my router and another on my computer. Why would I want to print over the Internet to a printer on the other side of the world?
@PeterDragonPPG
3 hours ago
it annoyed me that Ubuntu would populate all the printers on the network without asking, so I got in the habit of removing cups years ago... glad I did
@asksearchknock
4 hours ago
Great discovery of a dangerous exploit, it's a shame he over hyped it - things like this remind me of the boy who cried wolf, as every single security professional who saw this leak perked up and paid attention before realising it was not a 9.9.
@feedthechunk9836
3 hours ago
Ed I wish you would have talked about how to restrict access to cupsd. You mentioned that it's open to everyone by default but not how to restrict to local traffic only.
@PtolemyPetrie
3 hours ago
The crazy thing to me is that Ubuntu firewall is not enabled by default. 🥴😳
@Veptis
5 hours ago
Someone shared this on discord and most people were sceptical. I just knew the LLL video would be a great summary, so I am here now. thanks!
@Oler-yx7xj
4 hours ago
Does that mean that every printer has access to arbitrary command execution? I'm waiting for spy printers
@Teukka72
2 hours ago
Thanks for the heads-up, buttoned by CUPS'es up.
@alexhiatt3374
1 hour ago
"fuzzing is when you scream at a program and see what happens" that's such a good description oh my god
@mattymerr701
3 hours ago
Security researchers seem to quite often be such extreme personalities with big egos and power trips. I guess it makes sense with the adrenaline of getting a big find with real world implications, anyone would act like that when it feels like you have the safety of the world in your hands.
Comments: 427