So this "CVSS 9.9" "unauthenticated RCE vs all GNU/Linux systems (plus others)" thing...

- Does NOT affect all GNU/Linux systems.
- Is not CVSS 9.9. I put it at a 6.3.

It also requires:
1) The victim system has no active firewall to block incoming connections.
2) A user on the victim system must print something to a printer that mysteriously appears on the system that has never been there before.

If these two things happen, then command execution can happen as the "lp" user.

<yawn>

We get it. You found a vulnerability.
Lying about it to try to stir up interest in it is not appreciated by anybody who takes themselves seriously in this industry.

CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177 have been assigned.

https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/

@wdormann

> A user on the victim system must print something to a printer that mysteriously appears on the system that has never been there before.

i'm kinda wondering about this part - it makes sense from the vuln description, but on evilsocket's demo it happened automatically, did he actually omit the part where the exploit requires active input from the user? lol

@ptrc
Somebody wanting to make something seem more important than it is will hand-wave over the part that they don't like.

@ptrc @wdormann

On this evil guy’s write-up he mentions a print job being sent twice before he shows the video.

“Wait for a print job to be sent to our fake printer for the PPD directives, and therefore the command, to be executed.”

‘Inject the *cupsFilter2 : "application/pdf application/vnd.cups-postscript 0 foomatic-rip" line directive to instruct CUPS to execute /usr/lib/cups/filter/foomatic-rip when a print job is sent.’
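
An added example, not part of any post in this thread: a defender-side audit that parses PPD text for the `*cupsFilter2` directive quoted above and lists printers whose jobs are routed through `foomatic-rip`. The sample PPD, the function names and the default `/etc/cups/ppd` location are assumptions made for this example.

```python
import glob
import os
import re

# Accepts '*cupsFilter2: "..."' and the spaced '*cupsFilter2 : "..."' form
# that appears in the quoted line.
FILTER_RE = re.compile(r'^\*cupsFilter2[ \t]*:[ \t]*"([^"]*)"', re.MULTILINE)

# Constructed sample PPD text, not taken from a real printer.
SAMPLE_PPD = '''*PPD-Adobe: "4.3"
*NickName: "Constructed Example Printer"
*cupsFilter2 : "application/pdf application/vnd.cups-postscript 0 foomatic-rip"
*cupsFilter2: "application/vnd.cups-raster application/vnd.cups-postscript 100 rastertops"
*cupsFilter2: "malformed entry"
'''

def parse_cups_filter2(ppd_text):
    """Return one dict per well-formed entry: source MIME, dest MIME, cost, program."""
    filters = []
    for match in FILTER_RE.finditer(ppd_text):
        parts = match.group(1).split(None, 3)
        if len(parts) != 4 or not parts[2].isdigit():
            continue  # skip entries that do not have the four expected fields
        src, dst, cost, program = parts
        filters.append({"source": src, "dest": dst,
                        "cost": int(cost), "program": program})
    return filters

def foomatic_filters(ppd_text):
    """Entries whose filter program is foomatic-rip (bare name or full path)."""
    return [f for f in parse_cups_filter2(ppd_text)
            if os.path.basename(f["program"].split()[0]) == "foomatic-rip"]

def audit_ppd_dir(ppd_dir="/etc/cups/ppd"):
    """Map PPD file name -> foomatic-rip entries; the default path is an assumption."""
    findings = {}
    for path in sorted(glob.glob(os.path.join(ppd_dir, "*.ppd"))):
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits = foomatic_filters(fh.read())
        if hits:
            findings[os.path.basename(path)] = hits
    return findings

if __name__ == "__main__":
    for name, hits in audit_ppd_dir().items():
        for f in hits:
            print(f"{name}: {f['source']} -> {f['dest']} via {f['program']}")
```

Legitimate drivers also use `foomatic-rip`, so a hit is a prompt to check whether that printer is one you installed, not a verdict.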

@fellows @ptrc
Yeah, it's the video that is apparently misleading.
TBH, I didn't have the mental fortitude to watch it myself.

@wdormann @ptrc
I personally didn’t watch it, I did read however.

@ptrc @wdormann
wondered about that too.