So this "CVSS 9.9" "unauthenticated RCE vs all GNU/Linux systems (plus others)" thing...

- Does NOT affect all GNU/Linux systems.
- Is not CVSS 9.9. I put it at a 6.3.

It also requires:
1) The victim system has no active firewall to block incoming connections.
2) A user on the victim system must print something to a printer that mysteriously appears on the system that has never been there before.

If these two things happen, then command execution can happen as the "lp" user.

<yawn>

We get it. You found a vulnerability.
Lying about it to try to stir up interest in it is not appreciated by anybody who takes themselves seriously in this industry.

CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177 have been assigned.

https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/

Attacking UNIX Systems via CUPS, Part I

Hello friends, this is the first of two, possibly three (if and when I have time to finish the Windows research) writeups. We will start with targeting GNU/Linux systems with an RCE. As someone who’s

evilsocket
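Added triage script for the first precondition listed in the post above (not code from the thread or from any of its posters): it parses `ss -lunp` output and `ufw status` to say whether cups-browsed is actually reachable from the network. It assumes cups-browsed listens on UDP 631 and that ufw is the host firewall, neither of which the thread states.

```python
"""Classify cups-browsed exposure from `ss -lunp` and `ufw status` output.
Assumptions (not from the thread): cups-browsed listens on UDP 631; ufw is the firewall."""
import re
import subprocess

CUPS_BROWSE_PORT = 631  # assumption: UDP port cups-browsed listens on

# Constructed sample of `ss -lunp` output so the script also runs offline.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      0.0.0.0:631       0.0.0.0:*  users:(("cups-browsed",pid=1407,fd=7))
UNCONN 0      0      [::]:5353         [::]:*     users:(("avahi-daemon",pid=700,fd=12))
"""

LINE_RE = re.compile(r"^UNCONN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s*(?P<proc>.*)$")


def udp_listeners(ss_output):
    """Parse `ss -lunp` text into (bind_address, port, process_name) tuples."""
    found = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or unrelated line
        addr = m.group("addr").split("%")[0]  # drop the scope id (e.g. %lo)
        proc = re.search(r'\("([^"]+)"', m.group("proc"))
        found.append((addr, int(m.group("port")), proc.group(1) if proc else None))
    return found


def is_loopback(addr):
    return addr == "[::1]" or addr.startswith("127.")


def cups_browsed_exposure(ss_output, ufw_status):
    """Return 'not-listening', 'loopback-only', 'firewalled' or 'exposed'. Only ufw is
    consulted, so a host filtering with nftables/iptables directly may show as 'exposed'."""
    hits = [h for h in udp_listeners(ss_output) if h[1] == CUPS_BROWSE_PORT]
    if not hits:
        return "not-listening"
    if all(is_loopback(addr) for addr, _, _ in hits):
        return "loopback-only"
    if "Status: active" in ufw_status:
        return "firewalled"
    return "exposed"


if __name__ == "__main__":
    try:  # `ufw status` needs root; without it stdout is empty and counts as inactive
        ss = subprocess.run(["ss", "-lunp"], capture_output=True, text=True).stdout
        ufw = subprocess.run(["ufw", "status"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        ss, ufw = SAMPLE_SS, ""  # fall back to the constructed sample
    print("cups-browsed:", cups_browsed_exposure(ss, ufw))
```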

@wdormann so basically all modern #distros are unaffected because they all have a built-in #firewall up and running...

  • Not to mention the few systems I'm aware of that don't are behind dedicated #Firewalls if not #AirGapped per design...
@kkarhan
Ubuntu doesn't give you a firewall that's enabled by default.
I'm pretty sure that Ubuntu is both modern and popular.

@wdormann last time I checked #ufw is up and running on all my systems and I didn't choose to install it manually...

  • So I guess I'll have to dig deeper...

Needless to say that said #exploit isn't merely requiring #CUPS to be up and running and no firewall in place between attacker and target, so pretty much never happening...

  • Compared to #Govware like #Windows, this is secure - but it'll obviously be mitigated and fixed anyway...

https://infosec.exchange/@malwaretech/113206765206139054

Marcus Hutchins :verified: (@malwaretech@infosec.exchange)

Here's a cool little Windows quirk that's useful for red teaming. You can use the HTTP.sys API to start a kernel mode HTTP server which relays requests to your code via IOCTL. You don't even need admin privileges to do it! Since the kernel handles all the socket operations for you, the listening port will show as belonging to the System process, as will the associated network traffic. Since all communication with HTTP.sys can be done via IOCTL, there's no need for sockets, pipes, or even any DLLs. All you need are syscalls. Best part is, if you're administrator and the server is running an application like IIS or Exchange, you can bind to the same port and add your own custom endpoint (url paths) to it. Normal requests will go to the original application, but requests to your custom endpoint are sent to your code instead.

Infosec Exchange