Running Linux, Chrome OS, possibly Mac OS: 9.9 CVE in CUPS
Discussion
Huge 9.9 CVE: get CUPS updated or just turn it off.
One UDP packet and you can do whatever you want.
https://www.rapid7.com/blog/post/2024/09/26/etr-mu...
It's really bad but not as bad as it sounded prior to release. (It sounded at first like it was going to be a remote code execution exploit in the kernel itself.)
If my understanding of the chain of exploits used is correct, it requires:
- cups-browsed to be running, which not all distributions have by default
- no firewall configured or cups to be allowed through the firewall
- the port in question (631) exposed to the internet (which would be a very strange choice) or access to the LAN
- the victim to start a print job after the exploit has been executed
It's also not clear to me exactly which component actually executes the final PPD file, so I'm not sure if it's run as the lp user or root (which would obviously be a lot worse).
Edited by budgie smuggler on Friday 27th September 10:34
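The first two preconditions in the post above (cups-browsed running, and its UDP port 631 reachable) are the ones an admin can check locally. The script below is an added example, not code from the thread or from the CUPS project: it parses `ss -lun`-style output for a UDP 631 listener, combines that with the `systemctl is-active cups-browsed` state, and prints the mitigation (disable the service, filter the port) when both hold. The sample `ss` output is constructed; `systemctl` and `ss` are assumed to be present for the live run.

```shell
#!/bin/sh
# Added example (not from the thread or from CUPS): defender-side check for
# the preconditions listed in the post. Assumed tools: systemctl (systemd)
# and ss (iproute2). SAMPLE_SS below is constructed for offline use.

# Print "yes" if the given `ss -lun` output shows a UDP socket bound to
# port 631 (the port cups-browsed listens on for printer announcements),
# "no" otherwise. Matches ":631" or ".631" followed by whitespace so that
# 0.0.0.0:631, [::]:631 and *:631 are all caught but :6310 is not.
udp631_listener() {
    if printf '%s\n' "$1" | grep -Eq '[:.]631[[:space:]]'; then
        echo yes
    else
        echo no
    fi
}

# Combine the two observable conditions into a verdict:
# cups-browsed active AND a UDP 631 listener present -> "exposed".
verdict() {
    browsed="$1"   # output of `systemctl is-active cups-browsed`
    listener="$2"  # "yes" / "no" from udp631_listener
    if [ "$browsed" = "active" ] && [ "$listener" = "yes" ]; then
        echo exposed
    else
        echo ok
    fi
}

# Live check on the current host; skipped cleanly where the tools are absent.
live_check() {
    command -v systemctl >/dev/null 2>&1 || { echo "systemctl not found"; return 0; }
    command -v ss >/dev/null 2>&1 || { echo "ss not found"; return 0; }
    browsed=$(systemctl is-active cups-browsed 2>/dev/null || true)
    listener=$(udp631_listener "$(ss -lun 2>/dev/null)")
    echo "cups-browsed: ${browsed:-unknown}, UDP 631 listener: $listener"
    result=$(verdict "$browsed" "$listener")
    echo "verdict: $result"
    if [ "$result" = "exposed" ]; then
        echo "mitigation: sudo systemctl disable --now cups-browsed"
        echo "            and block UDP 631 from untrusted networks"
    fi
}

# Constructed sample of `ss -lun` output for a host with cups-browsed bound.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0      0      0.0.0.0:631         0.0.0.0:*
UNCONN 0      0      0.0.0.0:5353        0.0.0.0:*'

case "${1:-}" in
    --live) live_check ;;
    *) echo "sample verdict: $(verdict active "$(udp631_listener "$SAMPLE_SS")")" ;;
esac
```

Run it with `--live` on a real host to get the verdict for that machine; without arguments it evaluates the constructed sample only. The port check is deliberately string-based so it can be pointed at saved `ss` output from another box.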
It depends; it doesn't need to be exposed on the internet if you're on the same LAN as someone doing the exploit, so many machines on public networks are exposed. Yes, most server deployments don't have cupsd running, but desktop deployments do, especially in Ubuntu and Chrome OS.
It's not as bad as it first seems, I agree, but it's still bad.
As they said: "from a generic security point of view, a whole Linux system as it is nowadays is just an endless and hopeless mess of security holes waiting to be exploited".
budgie smuggler said:
It's really bad but not as bad as it sounded prior to release. (It sounded at first like it was going to be a remote code execution exploit in the kernel itself.)
If my understanding of the chain of exploits used is correct, it requires:
- cups-browsed to be running, which not all distributions have by default
- no firewall configured or cups to be allowed through the firewall
- the port in question (631) exposed to the internet (which would be a very strange choice) or access to the LAN
- the victim to start a print job after the exploit has been executed
It's also not clear to me exactly which component actually executes the final PPD file, so I'm not sure if it's run as the lp user or root (which would obviously be a lot worse).
Specifically the exploit creates a new printer and you would need to print to that printer, which then causes "foomatic-rip myexploithere" to run.
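Since the reply above describes the trigger as a newly added printer whose PPD hands a command to foomatic-rip, the natural defender-side check is to audit the PPDs CUPS keeps for configured printers. The script below is an added example, not code from the thread or from CUPS: it pulls the `*FoomaticRIPCommandLine` attribute out of each PPD and flags any whose command does not start with a filter from a short allowlist. The allowlist and the `/etc/cups/ppd` directory are assumptions for the example (the directory is the usual default; extend the allowlist to match your fleet), and both PPD samples are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from CUPS): inventory the
# FoomaticRIPCommandLine of every configured printer's PPD and mark the ones
# that need a human look. Assumptions: PPDs live in /etc/cups/ppd, and a
# legitimate command line starts with one of the filters in ALLOWED_RIPS.

# Print the value of *FoomaticRIPCommandLine from the PPD text given as $1
# (first line of the quoted value only), or nothing if the attribute is absent.
rip_command_line() {
    printf '%s\n' "$1" | awk -F'"' '/^\*FoomaticRIPCommandLine:/ { print $2; exit }'
}

# Programs a legitimate command line is expected to begin with. This is an
# assumption for the example; adjust it to the drivers actually in use.
ALLOWED_RIPS="gs pdftops pdftoraster pdftopdf"

# Classify PPD text: "none" (no foomatic command line), "ok" (first program
# is allowlisted) or "review" (anything else, e.g. a path under /tmp).
classify_ppd() {
    cmd=$(rip_command_line "$1")
    [ -z "$cmd" ] && { echo none; return 0; }
    first=${cmd%% *}      # first whitespace-separated token
    first=${first##*/}    # strip any directory prefix
    for ok in $ALLOWED_RIPS; do
        [ "$first" = "$ok" ] && { echo ok; return 0; }
    done
    echo review
}

# Walk a PPD directory and print one tab-separated line per file:
# classification, path, command line.
audit_dir() {
    dir=${1:-/etc/cups/ppd}
    [ -d "$dir" ] || { echo "no PPD directory at $dir"; return 0; }
    for f in "$dir"/*.ppd; do
        [ -f "$f" ] || continue
        text=$(cat "$f")
        printf '%s\t%s\t%s\n' "$(classify_ppd "$text")" "$f" "$(rip_command_line "$text")"
    done
}

# Constructed sample PPDs: a normal Ghostscript-driven one and one pointing
# foomatic-rip at an unexpected program outside the usual filter set.
BENIGN_PPD='*PPD-Adobe: "4.3"
*ModelName: "Generic PCL 6"
*FoomaticRIPCommandLine: "gs -q -dBATCH -dPARANOIDSAFER -sDEVICE=pxlcolor -sOutputFile=- -"
*cupsFilter: "application/vnd.cups-postscript 0 foomatic-rip"'

ODD_PPD='*PPD-Adobe: "4.3"
*ModelName: "Unexpected Printer"
*FoomaticRIPCommandLine: "/tmp/unexpected-filter -"'

case "${1:-}" in
    --live) audit_dir "${2:-/etc/cups/ppd}" ;;
    *)
        echo "benign sample: $(classify_ppd "$BENIGN_PPD")"
        echo "odd sample:    $(classify_ppd "$ODD_PPD")"
        ;;
esac
```

`--live [dir]` scans a real PPD directory (it needs read access to /etc/cups/ppd, so usually root); with no arguments it classifies the two constructed samples. Anything marked `review` is worth comparing against the printer you actually expect to have there, and a printer you never added is the sign the post describes.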
https://youtu.be/lXljErWpcRQ