So this "CVSS 9.9" "unauthenticated RCE vs all GNU/Linux systems (plus others)" thing...

- Does NOT affect all GNU/Linux systems.
- Is not CVSS 9.9. I put it at a 6.3.

It also requires:
1) The victim system has no active firewall to block incoming connections.
2) A user on the victim system must print something to a printer that mysteriously appears on the system that has never been there before.

If these two things happen, then command execution can happen as the "lp" user.

<yawn>

We get it. You found a vulnerability.
Lying about it to try to stir up interest in it is not appreciated by anybody who takes themselves seriously in this industry.

CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177 have been assigned.

https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/

This CUPS thing is a great example of how not to do vulnerability coordination/disclosure.

Even the CVE assignment is a failure. An independently fixable vulnerability gets a CVE. It's quite simple. It's a number that you assign to a vulnerability.
https://cve.mitre.org/cve/list_rules_and_guidance/counting_rules.html

GitHub (the CNA) for CVE-2024-47176:
"cups-browsed bugs and other bugs can combine, leading to info leak and remote code execution"
(lists three COMPLETELY UNRELATED CWEs)

You don't just assign a meta CVE for a set of different vulnerabilities because it's easier. 🤦‍♂️

Or even the CVSS part of the CVE is highly inaccurate. GitHub gives it a 8.4, but I give it a 6.3 to the entire attack chain. Or if we follow CVE rules and have only one vulnerability per CVE, I'd give it a 5.3.

"scope": "CHANGED" ?

Get real! That sort of thing gets assigned to hypervisor escapes and the like, where resources beyond the security manager of the affected component can be modified. This vuln allows assisted command execution as the "lp" user.

Even the Confidentiality, Availability, and Integrity ratings of "HIGH" by GitHub are highly suspect. Can I modify cupsd.conf with this vulnerability? No, it's owned by root.

Was this handled by somebody at the CNA who was unfamiliar with both CVE and CVSS?
Do better.

Even the affected CUPS versions are wrong in the CVE entries. It currently says that ONLY version 2.0.1 is affected, and therefore all other versions of CUPS are NOT affected.

Do we win a prize if every single field in a CVE entry is wrong?

@wdormann I wrote the CVSS v3 specification and I agree, that’s not how these metrics should be applied

(Edited bc while a funny riff on the message at the end of US political campaign ads, I shouldn’t speak to the entirety of Will’s post bc reasons)

@wdormann it escapes the printer though 👹
@wdormann sometimes I wonder if inflated CVE severity isn't doing the same thing as social media disinformation, desensitisation and fuzz
yup. If you're wondering, it's probably happening.
...something something, boy that cried wolf...

😕
@wdormann Somehow my gut instinct was correct on this one. I guessed it would be a dramatic overplay of whatever had been found. Tomorrow morning at work will be endless fighting the bullshit this type of nonsense creates as the execs see the 9.9…
@pmelon
I would hope that the execs are taking CVSS scores from a reputable source as opposed to a JPEG in a Tweet. 😬
@wdormann Ha ha. I do hope so. The Register and Bleeping Computer are amongst their favourites. It’s not helped that people within the org have been hyping it due to the Twitter dribbles.
@pmelon
Yes, the media telephone game hasn't helped at all.
@wdormann this guy is a real bully, too. nobody should take him seriously: https://github.com/OpenPrinting/cups-browsed/issues/36#issuecomment-2377566373

@ecn
Indeed. When I first saw the post, I noticed that I had his account blocked on Twitter.

I can't recall when/why I did the blocking, but I see that they're unsurprisingly still a horrible person.

@ecn @wdormann I thought it strange: why did his username seem familiar? Turns out he maintains OpenSnitch, a GUI application firewall for Linux.
@wdormann OK, ouch. Actually reading that, it's a CUPS disaster.

@wdormann

A user on the victim system must print something to a printer that mysteriously appears on the system that has never been there before.

I'm kinda wondering about this part. It makes sense from the vuln description, but in evilsocket's demo it happened automatically. Did he actually omit the part where the exploit requires active input from the user? lol

@ptrc
Somebody wanting to make something seem more important than it is will hand-wave over the part that they don't like.

@ptrc @wdormann

On this evil guy's write-up he mentions the print job being sent twice before he shows the video.

“Wait for a print job to be sent to our fake printer for the PPD directives, and therefore the command, to be executed.”

"Inject the *cupsFilter2 : "application/pdf application/vnd.cups-postscript 0 foomatic-rip" line directive to instruct CUPS to execute /usr/lib/cups/filter/foomatic-rip when a print job is sent."

@fellows @ptrc
Yeah, it's the video that is apparently misleading.
TBH, I didn't have the mental fortitude to watch it myself.
@wdormann @ptrc I personally didn't watch it; I did read it, however.
@ptrc @wdormann wondered about that too.

@wdormann OMFG .. it's about CUPS? ...hilarious...

Well i agree that it needs fixing, asap ... but .... oh man... ;)

@wdormann Thus far my favorite conversation about this was someone who asked if I'd seen all the articles about the crazy Linux RCE, and I told them about the CUPS vuln, and they went "okay, well, let me know if we hear about the one from the article, it sounds bad".
@bardicworks
Yes, misinformation travels faster than truth. 😕
@wdormann can't wait for the "are we vulnerable" messages on slack
@wdormann There seemed like a lot of hype what with the author posting hourly teasers on twitter for 3 hours before the reveal...

@wdormann so basically all modern #distros are unaffected because they all have a built-in #firewall up and running...

  • Not to mention the few systems I'm aware of that don't are behind dedicated #Firewalls if not #AirGapped per design...
@kkarhan
Ubuntu doesn't give you a firewall that's enabled by default.
I'm pretty sure that Ubuntu is both modern and popular.

@wdormann last time I checked #ufw is up and running on all my systems and I didn't choose to install it manually...

  • So I guess I've to dig deeper...

Needless to say, said #exploit isn't merely requiring #CUPS to be up and running and no firewall in place between attacker and target, so pretty much never happening...

  • Compared to #Govware like #Windows, this is secure - but it'll obviously be mitigated and fixed anyway...

https://infosec.exchange/@malwaretech/113206765206139054
@wdormann Some researchers believe that over exaggerating their findings impact earns them a good reputation in the industry, because THEY FOUND SOMETHING CRITICAL!!!! 🙄 Yeah.
@wdormann oh come now, just create a 'Default Printer (Generic IPP Printer)' and sooner or later someone will print on it. With a slight touch of social engineering rather sooner.
@wdormann do many Linux installs default to a firewall yet? I can say I've seen one, and in fact have hardly used a firewall on Linux.
Still seems a low-scoring CVE.
@wdormann isn't this more of an issue for macOS users? #airprint
@MelvilleSpence
macOS doesn't have cups-browsed.