The 9.9 CVE Linux RCE Security Bug!!

57,558 views

ThePrimeTime

1 day ago

Comments: 383
@highvoltage3000 a month ago
Hi. Debian Developer here. I think that the one thing that we can agree on in all of this is that we need to make Root Jesus a thing.
@Alxdb a month ago
Top tier comment
@Alfred-Neuman a month ago
sudo Options -j Runs the command with Root Jesus privileges. 😄
@Hobbitstomper a month ago
The last supper was significant, but the last ‘sudo’ before a system crash? Legendary.
@keeskaas9578 a month ago
Even if you did it wouldn't be in Debian until 2045.
@SoulExpension a month ago
judo
@scar6073 a month ago
This is why the kernel should have been made in Python
@johnc3403 a month ago
..or Scratch
@its_momo_5995 a month ago
Linux kernel has been made in Scratch iirc @@johnc3403
@yohannnihalani5079 a month ago
@@johnc3403 Or BASIC
@jadencorr6897 a month ago
RustPython xD otherwise it will not be memory safe
@ownmind1127 a month ago
Some idiot for sure would use eval somewhere
@KvapuJanjalia a month ago
If you can really pretend to be "Print to PDF" then this makes it CVE 9.9 for me.
@orbatos a month ago
Unless you are sharing CUPS to your LAN then no. It depends on your configuration, and most desktops don't share out CUPS access by default because this is known behaviour.
@JaapVersteegh a month ago
Then what score would you give an RCE in the kernel TCP stack?
@orbatos a month ago
@@JaapVersteegh Are you incapable of understanding that this is nothing like a kernel level bug?
@gFamWeb a month ago
The availability point Prime made is actually really interesting. Typically, in the score, if you can have a higher impact on availability, it's a worse score. But he makes a good point about how impacting availability could cause the exploitation to be discovered sooner.
@PassifloraCerulea a month ago
Back in the early-mid aughts, CUPS was a breath of fresh air compared to Windows network printer setup (speaking as a former admin). Hadn't thought about it since then. Sorry to hear that it was written with so little thought to security. Rust peeps will have their hands full if they really do try to rewrite the world of system software, including things like CUPS which are boring but extremely important for some people.
@orbatos a month ago
You're misunderstanding the bug. The bug is basically use of foomatic scripts, but *very* simple security and network configuration prevents this from being exploited. The reason mitigations are mostly network configuration rather than CUPS itself is a legacy of print servers being separate devices. My simplest recommendation? Just use CUPS as a per-machine client; you can still use shared configuration.
@PassifloraCerulea a month ago
@@orbatos Errr...? I think you misunderstood me. I've never used CUPS to provide networked printing services; that's what our fancy Ethernet networked HP printers were for :) The legacy of print servers being separate devices is from before my time. No, the problem is that if CUPS were designed in a more security-conscious manner, this particular bug wouldn't need mitigating in the first place. Any halfway competent programmer looking to make a more secure replacement today (e.g. the rewrite-it-in-Rust crowd) surely wouldn't do something as silly as put in a scripting system that allows arbitrary user input on the command line. Wikipedia tells me CUPS came out in 1999, and I dare say they should have known better back then, too.
@EwanMarshall a month ago
2021, PrintNightmare on Windows; Wikipedia has a page on it. And it isn't totally solved either, just mitigated by requiring an Administrator account for the print driver to install. Also, due to Windows running such drivers as the SYSTEM account, it is actually more problematic than this, where most distros do not run those scripts as root by default, instead dropping to a less privileged user for the task; cups-browsed and lp are users I've seen used for this. CUPS is still the easiest way to get a printer to work as long as it'll take one of several common formats for the data exchange.
@PassifloraCerulea a month ago
@@EwanMarshall Wow. PrintNightmare is similar (RCE) but even worse, running a provided DLL?! It's a continual wonder how terrible printing is, everywhere. I was also under the impression that if you had a modern, graphics-capable non-PostScript printer there is literally no other option on Linux than to use CUPS, not that it's the easiest of multiple options. And a brief search isn't showing me anything else.
@EwanMarshall a month ago
@@PassifloraCerulea Technically there are other options, for example LPRng; ultimately a print spooler is not actually needed, but, and this is a big but, with all these, getting the data into the right format for the printer is needed and that is where CUPS excels. If we are talking a network printer for instance, it is mostly a matter of just sending a document in a format the printer supports (PDF is one of the possible options) using IPP, which is HTTP based.
@avwie132 a month ago
The fact that there is a leak at VANCE is even more worrying….
@denravonska a month ago
Consonants get an 'a' and vowels get an 'an'. What throws us foreigners off is that it's based on how it's pronounced, not how it's written :) The exploit author is Italian, I believe.
@avwie132 a month ago
German
@monad_tcp a month ago
I thought you were talking about German
@mike200017 a month ago
They were mistaken, it's not a consonant/vowel thing. It's about how you say the letter. Like "U" is pronounced "you", which starts with a consonant sound, so it gets "a" (e.g., a UDP packet). While "S" is pronounced "ess", so it gets "an" (e.g., sending out an SOS). So, "U" and "Y" are the vowels that get "a", while many consonants get "an", like "F", "H", "L", "M", "N", "R", "S", and "X".
@DimkaTsv a month ago
@@mike200017 My respect for English rules (which barely existed before) is becoming less and less every day. Why based on pronunciation? Wtf? I would've been fine if the rule was that it depends on the referred noun and not adjectives, aka a UDP *packet* (that's how it would approximately work in my language)... But to think that it is so because "U" is being pronounced like "Yu"... It just sounds stupid.
@MNbenMN a month ago
@@DimkaTsv It sounds how it literally sounds. The "n" separates the vowel sounds, so that the article doesn't mash into the following word when spoken.
@sokrar a month ago
It is a 9.9, and you can take 5 minutes to look at it and discard it if you are not affected. Like you could discard Log4Shell in many cases.
@code-dredd a month ago
To be fair, after he got ignored and so on while trying to disclose _responsibly,_ no one has a right to criticize the "wrong" method of disclosure. He tried to do it right first and it was a waste of time. If people want to encourage responsible disclosures, they need to be paying 🤬 attention.
@orbatos a month ago
Kind of? But a large part of the reason he was ignored is this is known behavior usually mitigated by configuration (we're talking decades here), and he was an ass. I'm not saying he's *completely* wrong, but he does deserve criticism.
@code-dredd a month ago
@@orbatos I don't care and it's irrelevant. The idea that it's "justifiable" to ignore vulnerability reports, especially severe ones, just b/c you don't like "how" it was said or people pointing out that their code is _objectively garbage_ is absurd; it's not an excuse or valid justification.
@orbatos a month ago
@@code-dredd It's absolutely relevant; researchers have an obligation to be professional. Did I say it should be ignored? No, he made it easy for them to ignore him. Is that a problem? Yes, but it's a problem for both these orgs and researchers.
@code-dredd a month ago
@@orbatos He was professional enough to follow the responsible disclosure process, apologize over email in case there were any issues, and so on. He _still_ got ignored. The result? Our PCs and servers vulnerable to attackers b/c some developers' egos were too hurt? No, sir, if the reality of what they've produced is so ugly that they get b-tthurt like that, then they should do better. I'm a developer myself and it vexes me to no end that I, also, have to clean up garbage code produced by _some_ coworkers. You can't keep creating tech debt by borrowing forever; sooner or later, the creditors come knocking. This mess is one example.
@orbatos a month ago
@@code-dredd I feel like you missed a lot, but I do want you to realize I agree these orgs are a mess and much needs to change. It's not the first time.
@bobert3335 a month ago
CIA is most easily understood in regards to data: Confidentiality = attackers can read the data; Integrity = attackers can change the data (but not necessarily read it); Availability = attackers can prevent legitimate users from accessing the data.
@WallaWallazz a month ago
Tbh I expected both of them to be a bit more prepared considering how much the CVSS score contributed to the drama. And while the scoring system is helpful, it ultimately requires analysis and application to specific organization needs. Sometimes confidentiality doesn't matter much at all but availability is paramount. Other times, the opposite is true.
@ThisAMJ 29 days ago
Or you can semantically swap C and I to make Change, Inspect, and Availability
@wh33lers a month ago
Just wanted to point out that the CVSS meaning of S and C was not explained correctly at the beginning of the video. And low availability always lowers the score, so no interpretation there.
@WallaWallazz a month ago
That threw me at the beginning. Good reminder that the people/things that we watch and read don't know everything about everything. No fault, just that we should treat stuff critically!
@wh33lers a month ago
@@CommanderRiker0 I don't see it that way. The system is not perfect, but it is at least a standard way to measure the severity of a vulnerability regarding a certain part of a system. It doesn't capture context though, which is the problem in this case.
@JPs-q1o a month ago
Why do these guys keep referencing Heartbleed, a 7.5, from a decade ago when the xz vuln, a perfect 10, dropped *_this_* year?
@Exilum a month ago
Because Heartbleed was a huge deal and yet it was only rated 7.5.
@jambalaya974 a month ago
Heartbleed could actually be used back in the day on any system which had any OpenSSL binding to any port to leak info instantly. xz was not really used at all; how widely an exploit is used is much more important than a qualitative score.
@ET_AYY_LMAO a month ago
Because Heartbleed was actually super useful and affected every release of OpenSSL, whereas the xz backdoor only affected a subset of releases that weren't even the most used ones anyway.
@yon2004 a month ago
I'm fairly sure that CUPS is used in macOS and Mac users do love to print.
@thekwoka4707 a month ago
It's in macOS, as well, yes.
@autohmae a month ago
Apple used to pay and employ the main developer of CUPS
@EwanMarshall a month ago
It is; in fact CUPS is an Apple project, and OpenPrinting has a fork of that CUPS that a lot of Linux distros use. So yeah, Apple CUPS vs OpenPrinting CUPS is something not well covered here.
@ippsec a month ago
Enjoyed the video. But some takes were poor; it seemed to downplay some aspects because it needs user interaction, which isn't always the case: there are quite a few ways to print without user interaction. I'm guessing the author left those parts out due to the rushed disclosure due to poor git commit opsec leaking the exploit. It wasn't intended to be released yet, but the maintainer committed to public repos, not the private ones created by the GitHub Security Advisory, thus making the embargo of details about the exploit pointless. Additionally, about halfway through, it's stated that code is executed as root, but the article says the lp user, which is pretty limited. There are likely pathways to root with the other bugs found by AFL, but nothing easy to exploit. There are a few other minor issues, but those were the main ones. That said, I really did enjoy the video and appreciate the attempt to cover it from a "first read" perspective. For something as significant as this, though, it would have been great if the guest had done a bit more research to stay aligned with the facts. I'll admit, I'm probably being extra critical here because I normally love everything Low-Level Learning puts out. I was just a bit thrown off by the jab at operating systems not being secure due to not being written in memory-safe languages, especially since the bug being discussed wasn't memory-related, which made me more nit-picky as the video went on. All this said, streaming is hard, I get it, and I doubt I'd do a better job. Hopefully y'all take the feedback with love and it helps improve future videos!
@KevinLyda a month ago
I've built Linux systems that do nightly print jobs. We never depended on CUPS autodiscovery to find printers on servers. In fact, it was deliberately turned off to avoid the possibility of print jobs being misdirected and generally to avoid confusing users or support. The few times I've done this it was in the implementation of billing systems (yes, I sadly had to do that a few times in my career). And the billing print jobs were huge - they would be done really early in the morning (like 3am) so that accounts could get them posted out by the afternoon. So accidentally sending them to some random printer in the building would likely kill that random printer if it had enough paper loaded.
@vilian9185 a month ago
Maybe the point of the memory security languages is that you need to think less about memory and focus on other security issues, making it easier to write safe code just because you need to think about fewer possibilities.
@ippsec a month ago
@@vilian9185 That all sounds good on paper but I don't think it's a safe bet that if someone saves time, then that extra time will be spent on security. There's really no fix to two of the four CVEs that lead to this vulnerability; it's just bad design right out of the gate and it's not a programming language's fault. The fix to cups-browsed was to disable it in the code as the codebase isn't used anymore, and I don't think there is a fix to foomatic because AFAIK its purpose is to exec whatever you put as the value. There's a time and place for rust/hate-on-C memes; this isn't one of those times. If the point is as you said (they have more time to think of security), that's the purpose of my comment. When I stream and a joke doesn't hit because of a reason, I would hope someone tells me so I can consider fixing how I tell jokes; in this case they know at least one person would appreciate the context.
@bitcores a month ago
49:34 The problem with not allowing printers from 2010 in 2024 is that the printers from 2010 don't require subscriptions while the 2024 printers do.
@Alxdb a month ago
People have not heard of evilsocket? Dude is goated. Creator of pwnagotchi, among many other accomplishments.
@l3lackoutsMedia a month ago
This is really bad for one simple reason. Anyone can quickly plug a device in physically that can brute force attempt this in otherwise secured internal networks, if the network is not requiring MAC address whitelisting of course.
@JPs-q1o a month ago
Awesome coverage of this bug and the accompanying discussion. It's what I've come to expect from this channel.
@gFamWeb a month ago
"The organization couldn't keep its mouth shut." From the screenshot, it looks like it was posted on a hacking forum. Which means either someone who frequents hacking forums (or knows how to get there) works at the organization and had access to the report, or it made its way to someone like that. It definitely seems that however it made its way there, it wasn't legitimate.
@Exilum a month ago
That's exactly what he meant by that. This leak came from someone inside the organization.
@Theraot a month ago
The good thing about printers from before 2010 is that they don't make them anymore. There is a finite set of printer models from before 2010 that are out there. So there is a finite list of foomatic commands that need support. Making a database is possible. I understand it might be a lot of effort... And I understand that asking the user every time a network printer comes online is a big hassle... So, a compromise: you could only have it happen once, when creating the PPD file; if it has foomatic commands, ask the user.
@orbatos a month ago
There are plenty of old printers that don't need them; I've personally only used a couple ever despite handling some exotic machines.
@thesenamesaretaken a month ago
I'd have thought an option would be to prompt the user that "hey, there seems to be a printer connecting to us, and it needs to run this script in order to handle print jobs" and only allow the script if the user confirms it. Maybe also take a hash of the script at that point so it can't be altered afterwards.
@71Jay17 a month ago
Great video guys. Always know we are in for a good time when Low Level and Prime get together
@dmp0x a month ago
Raster image processor. Former graphic designer here; RIP hardware was actually quite common many years ago in service bureaus with devices like image setters (high end printers that print to film)
@ra_0403 a month ago
Damn, I'm currently working on probability theory and fuzzing guarantees :)
@aryajpegasus a month ago
that's so cool :O do you have any articles and stuff?
@ra_0403 a month ago
not as of now, but I'll be doing my thesis paper soon! maybe once I understand enough of it I'll make a few articles :D
@aryajpegasus a month ago
that's amazing : DD I hope I get to read them : )
@Madinko12 a month ago
The 9.9 may be deserved *for CUPS*, but definitely not for "all GNU/Linux systems" as advertised by the reporter in their tweet. GNU and Linux have nothing to do with this. The reporter was either looking for fame or revenge against maintainers who (arguably) handled the issue poorly. In any case, that's kinda childish and petty.
@rnts08 a month ago
Pretty common behavior in the OSS world. It's not a huge impact bug; if anyone is running their CUPS directly connected to the net, they're screwed anyway.
@harrytsang1501 a month ago
Maybe 9.0, but if it needs the user to trigger a print job, it is not zero click. The attack factor is still larger than anything lower.
@raatti a month ago
His stupid drama caused missed sleep and overtime/on-call on many parts for tens of thousands of Linux admins; I was part of the missed sleep crew because of his petty little drama.
@chrisjsewell a month ago
@@raatti why did this cause missed sleep, what did you have to do? Shouldn't you be more annoyed at the people that wrote the 💩 code in the first place?
@Alxdb a month ago
@raatti you mean you missed some sleep to do the job of an IT admin, which you were paid to do. ftfy.
@marcosiebecke9991 a month ago
You're laughing about printing on UNIX. But that stuff is literally what made up the invoice printing chain at my first job in a big corporation. I really hope that's different by now; it's about 11 years ago.
@tomorrow6 a month ago
As for CUPS and Ghostscript, they made PDF generation much easier and enabled more paperless offices! Very useful tools, but print drivers are a bane for both Microsoft Windows NT based OSes, unixen and linuxen
@tomorrow6 a month ago
Many drivers are poorly written and expose security holes because their implementation is so poor
@l3lackoutsMedia a month ago
You could start by disabling foomatic-rip as default.
@autohmae a month ago
Yeah, definitely
@Ch0rr1s a month ago
CVSS - Cascading vucking style sheets :)
@75hilmar a month ago
You two are one of the most amazing collaborations. 25:20 well, some programmers obfuscate the shit out of their code so nobody can ever replace them. It makes 300 lines of simple code into a week in hell.
@Exilum a month ago
People are dismissing it like "oh it's not a 9.9, it's nothing", but if it's 9.1 it's still over 9; that's a huge flaw. You can't blame the only guy who found a catastrophic issue in your 'product' for your own system's failure. Like, the system failed him, he didn't fail the system.
@orbatos a month ago
No, they're dismissing it because this configuration of CUPS barely exists anymore on desktop machines. Most of the exploitable configurations are *very* legacy, or old routers and IoT devices that have CUPS enabled, which is almost never a default option.
@Exilum a month ago
@@orbatos Or default Ubuntu?
@orbatos a month ago
@@Exilum yep, exactly. And Fedora, etc. I'm not sure which desktop distros currently *don't* mitigate it out of the box, but as you see from the discussion this whole scenario seems to have been forgotten when everyone stopped using print servers 15+ years ago.
@Exilum a month ago
@@orbatos The point was that default Ubuntu *doesn't* mitigate that out of the box, as the researcher demonstrated with his brand new laptop's fresh Ubuntu install.
@quinndirks5653 a month ago
14:26 Whether or not an 'a' or an 'an' should be used depends on the sound that comes after it, e.g. an a, an i, an e, an o, a u, for the vowels, a b, a c, a d, an f, a g, an (aitch) h, a (haitch) h, a j, a k, an L, an m, an n, a p, a q, an r, an s, a t, a v, a w, an x, a y, and a z for the consonants. The reason it depends on the sound is because it is easier to speak when the preceding word ends on a vowel sound and the succeeding word begins with a consonant sound, or vice versa. UDP stands for user datagram protocol, so not only did they get the abbreviated version wrong, they also got it wrong for the actual words of the abbreviation. However, if it was not just a simple mistake, then the only other way to make "an UDP" work is if you pronounce "UDP" as if it were a word (like uddip, an uddip) instead of spelling out the letters. But if you pronounce it as a word, that's a bit uncommon and weird, and I would think you should pronounce it as youdip, which again leads you to using a instead of an.
@KevinLyda a month ago
I replaced my last HP printer with a Brother LED printer and it's been great.
@Kane0123 a month ago
I've printed about two pages per year… I like being the guy who asks for a quick print favour rather than the guy with the printer. Like Bill Burr says about boats… be the guy who brings the six pack!
@asaaki a month ago
Dunder Mifflin mentioned. Thanks LL!
@simonfarre4907 a month ago
I'm not a security expert, just a regular old software engineer, but isn't him overstating the danger with this bug, judging by what is called "layer 8" in this video, a vulnerability in and of itself? He's essentially "lying", which can cause IT departments/businesses to take a specific action that then can be used as an attack vector? Seeing as how social engineering is the most common and widely the most widespread attack? If that's the case I understand whatever backlash he got.
@Alxdb a month ago
> social engineering And? This type of bug is clearly exploitable in a social engineering scenario. "Hello Sara? Hi this is Max from HR. Could you do me a favor and print employeesalaries.pdf for me? My printer is not working..."
@Alxdb a month ago
Your comment truly misses the forest for the trees
@roamingremote a month ago
your highlighting methods drive me crazy
@LINUXDEVS a month ago
Let's face it. We are all vulnerable at every turn whenever there are any improvements or updates. Someone has the potential to let something slip, whether intentional or not, and the QC needs to trust but verify there are no vulnerabilities.
@Iggysdust a month ago
My Department of Veterans Affairs office in my city was just compromised and it's scary as shit: they sent a PDF, it was trying to get me to log in with my Gmail to view it, and all I can think about is the older vets who probably didn't know any better. This video kinda just brought up that oh shit feeling because while I knew better, someone will definitely become a victim to it for sure
@Veptis a month ago
I found a vulnerability, and didn't disclose it. But I talked about it with someone else who had an even crazier vulnerability. Together we even got to a PoC to exfiltrate some private data (not covertly). But I don't think either of us really disclosed it. We just talked about it on a public Discord... which the developer runs, but I don't think they saw it.
@jazzochannel a month ago
14:35 English article an vs a: an is used when a, followed by a word, would be difficult to pronounce. Generally an goes before words starting with a vowel (an echo, an umbrella, an octopus), but there are exceptions. For example "an HTML component". Even though H is a consonant, when read out loud, we hear aych-tee-em-ell. Thus "a aych" sounds awkward, but "an aych" does not. For the UDP example "a juu-dee-pee" sounds more reasonable rhythmically than "an juu-dee-pee", so "a UDP" is correct even though U is a vowel.
@beerfarmer1828 a month ago
For everyone that thinks this vulnerability was overblown, just ask any redteamer you know about it. Just because a bunch of Twitter infosec voices are restarted paper pushers, it doesn't mean nobody should take this seriously. It's a huge attack vector.
@thekwoka4707 a month ago
Hell, even arguing too much about the rating, when you still conclude "this is bad", does it REALLY matter? Like, yeah, it's best to get the rating accurate, but if it is real, and is critical...
@yanidoesit a month ago
You assume a printer is worth $300... old printers are the expensive ones.
@max-mr5xf a month ago
Printers are even more cursed than I thought 😮
@erintyres3609 a month ago
He submitted "POC after POC" until they finally took him seriously. Last week I learned that POC stands for "Proof of Concept": a program that demonstrates a security issue.
@ET_AYY_LMAO a month ago
The best way to solve the filter command is to have a filter whitelist in conf. Then legacy users could add their own printers to the whitelist, and if a print request was denied it could be logged in syslog: 'Print failed, foomatic command not in whitelist: '...''
@The1RandomFool a month ago
I'm going to start naming functions around foo and bar from now on, because apparently it's a good programming practice.
@thingsiplay a month ago
Why not 10.0? What took the 0.1 out of it to make it 9.9?
@XxZeldaxXXxLinkxX a month ago
I'd wager it boils down to the question "could this be any worse?" If an exploit was extremely widespread (affecting, say, the scale of the Crowdstrike incident), easily executable (as easy as Shellshock or Dirty Pipe), and was difficult to patch, and granted privileged access, then that could warrant a 10?
@rmidifferent8906 a month ago
@@XxZeldaxXXxLinkxX This issue could easily be any worse. For example it could actually be a zero click.
@PragMero a month ago
i felt that edging score
@user-ge7yi1et5heli4s-b a month ago
CVSS scoring formula is public information.
@jpf51286 a month ago
Wait, wouldn't this be a maintainer that was previously funded by the NSA that wouldn't want the backdoor removed? And Twitter would be the only way to bypass a gatekeeper that wants the bad code?
@aenguswright7336 a month ago
Presumably if this works on network discovery, you could find an improperly configured public network and just put your Save as PDF printer on that. Now anyone who connects to that network is infected. By the way, seems like the CVSS score should just be published as THREAT/AVAILABILITY so this could have been 9.9/4.6 or whatever.
@anttilehtoranta3152 a month ago
@14:20 The "sends _an_ UDP packet". It should be "sends _a_ UDP packet". The type of article (a/an) in English depends on whether the word when pronounced starts with a vowel or a consonant sound. If "UDP" is pronounced letter-by-letter it will be pronounced "you-dee-pee", and the "y" is pronounced with a glide sound making it a consonant for this purpose and thus requiring the article "a". Also, in the case that you interpret the "UDP" as an abbreviation for "user datagram protocol", i.e. you would read it out loud as "sends a user datagram protocol packet", then also the word "user" starts with the consonant sounding glide, thus also requiring the "a" article and not the "an". In summary, it's the phonetic sound -- not the written letter -- of the word coming after the article that determines whether "a" or "an" should be used. Therefore, it's "an FBI agent" but "a Federal Bureau of Investigation agent"
a month ago
4:00 I think "Availability" is regarding just the exploit itself. The chance or amount of affecting availability by doing the exploit itself is low, which is dangerous because it means it can go unnoticed. But the possibility of affecting availability is still very high because after gaining Root Jesus access you can make the system unavailable as you wish.
@colinstu a month ago
46:15, if I had to guess, rip would have something to do with "Raster Imaging Processor", something run into in the printing industry, especially screen printing. A fluke that it's also rest-in-peace. But I haven't dug into the code yet so not sure.
@Chris-on5bt a month ago
Can confirm the guess; working in the Industrial Printing tech space (Digital Wide Format), RIP = "Raster Image Processing". RIP is a generic term for turning vector objects such as PostScript language (PS is used in most document formats: PDFs, AIs, office formats) into raster forms (bitmaps, PNGs, JPGs, other raster representations). So I would find it likely that is the usage here. I am not a CUPS guru, so IDK if that's how they are using it.
@tmzilla a month ago
RIP also stands for Routing Information Protocol, a network discovery protocol
@colinstu a month ago
@@tmzilla it does, but in this context I believe it's for what I described. I've since checked out the foomatic-configure man page: RIP indeed stands for Raster Image Processor and it mentions foomatic-rip in the same sentence.
@lucaszapico926 a month ago
‘rootjesus’ permission is legendary
@MichaelDuder a month ago
Should we just disable CUPS? I don't print anything anyways
@tomorrow6 a month ago
Perhaps just don't have it exposed as a listener on the network
@tomorrow6 Ай бұрын
At least containerise it
@autohmae
@autohmae Ай бұрын
I think we should make foomatic-rip an optional package.
@the-answer-is-42
@the-answer-is-42 Ай бұрын
It's what I did. I don't even have a printer, so having it running is a bit silly.
@the-answer-is-42
@the-answer-is-42 Ай бұрын
​@@autohmae Yeah, and possibly have some kind of security configuration that can define what it can do. That way, if you really need it, you can lock it down a bit at least.
@comosaycomosah
@comosaycomosah Ай бұрын
There is a suprising amount of quality comments
@AntranigVartanian
@AntranigVartanian Ай бұрын
In case you were wondering, yes, the user root does have a name, it’s Charlie! Charlie Root!
@MultiMrAsd
@MultiMrAsd Ай бұрын
This whole 9.9 discussion is fucked up. We are talking about multiple 8+ CVEs in a wildly used Unix subsystem. Doesn’t matter if its 9.9, 9.1 or just 7. This needs to result in everyone working to fix these as quickly as possible! Maintainers pushing new features and disregarding this completely destroys the trust millions of people blindly give them. And not only to them but also to the distributions that include their code. Triaging is not something that should be done with security bugs that have a proof of concept attached. If you get so many of them that they need triage then your project should not exist. I also don’t get why so many sysads are mad. No matter what any issue is, as long as there are no patches you can’t don anything anyway. Wait for public discourse, install patches (as you should anyway) and don’t loose your mind prior to this.
@nickfarley2268 · a month ago
It is easy to say as a user “all security issues are equally important and must be dealt with within 15 minutes”. This CUPS issue does need to be fixed, but it is factually not a zero-click RCE exploit and is likely mitigated by basic network security, thus does require ruining the weekend of countless professionals worldwide.
@MultiMrAsd · a month ago
@nickfarley2268 Not all security issues, but definitely security issues that lead to RCE or allow something outside the scope of the software. It’s not 0-click, but it’s still RCE. And the user interaction that’s required is only passive. It does not matter that it can be avoided with basic network security. If your software requires a secure network you have already lost. Software like this is how we get these compliance nightmares with lists of thousands of checkboxes and still get hacked.
@Alxdb · a month ago
Correct that focusing on the cvss score is foolish. This is very serious. People in these threads trust their firewalls too much...
@josephvictory9536 · a month ago
THANK YOU FOR BEING THE VOICE OF REASON!
@monad_tcp · a month ago
I made the right decision to ALWAYS rip CUPS, and that Mail thing when I install any linux.
@binaryblade2 · a month ago
It's a bad bug, not a Linux bug though. That's entirely the disaster that is CUPS.
@thekwoka4707 · a month ago
Sure, but if it's IN UNIX, it doesn't matter if the bug is upstream or not.
@autohmae · a month ago
@@thekwoka4707 it does matter for the rating and how people should interpret it: it's not a Linux bug, it's a CUPS bug, because most Linux systems out in the wild don't have CUPS installed.
@binaryblade2 · a month ago
@@thekwoka4707 you are using words that you clearly don't know the meaning of.
@thekwoka4707 · a month ago
I think his example showed that it could execute without the user needing to activate a print job...
@FunkyELF · a month ago
Why would you return true if not allowed?... typically non-zero means error, and true is non-zero.
@Rivinwin · a month ago
This is really just a coding habit, and while it's best if all programmers have the same habits on a shared project, it doesn't matter from one codebase to another at a technical level.
@sub-harmonik · a month ago
Exit codes return non-zero if there's an error and 0 if there's not. Maybe that's why.
Edit: I would think 'not allowed' is more of an error than 'ok'.
@mike200017 · a month ago
Yep, and remember C doesn't have boolean values, so TRUE is typically just a define for 1. And it's pretty common to have lots of "if (do_something() != 0) { ..error.. }". But it's a very poor choice for readability to use TRUE as the "non-zero error code" when literally anything else would be nicer, including just the number 1.
@monad_tcp · a month ago
Because it's a stupid thing Unix processes do, they return 0 on success.
@horazon_ · a month ago
The function in question processes UDP packets: true means the packet was processed in some way, false means a network-related error happened and the socket should be closed.
@KvapuJanjalia · a month ago
The Register's handling of this story reminds us once more why we hate "journalists".
@Chris-on5bt · a month ago
Gold tier interpersonal communication insight at 1:04:50
@OwenIngraham · a month ago
root jesus = sudo sudo
@xB-yg2iw · a month ago
The real issue highlighted here is that CVSS is a terrible metric for vulnerability severity that needs to be taken out back and put down.
@the-answer-is-42 · a month ago
I honestly disabled CUPS after this. I don't even have a printer, so even disregarding the security aspect, it's just wasting resources anyway (not many resources, but resources nonetheless).
@ridass.7137 · a month ago
CSS never had such problems
@monad_tcp · a month ago
13:32 finally, Linux is at the same level Windows was in 2008 !!! congratulations
@user-eg2oe7pv2i · a month ago
Foo is crazy in sound, French, matic, you guessed it. Rip also.
@scottnoel-hemming6750 · a month ago
How about the fact, that, for the longest time, RedHat, at least, included cups libraries (idk if those included are related to the vulnerabilities found, specifically) with httpd?
@Veptis · a month ago
Listening to this made me realize how easily exploitable the code I am writing right now is. I write a Python script to a tempfile and then execute it. The user data I add is just in between triple quotation marks... So trivial to bypass. And yes, that file gets run. No checks. And that's the only working solution I came up with to timeout the code and catch panics. It's shipping as part of my bachelor thesis... uff
@Alxdb · a month ago
It's okay for now, probably, to do this in university, because your work is probably a proof-of-concept for some other topic, and you're (probably) not concerned with security. But you should also learn best practices in security. Needless to say, please never do this in industry.
@Veptis · a month ago
@Alxdb I spent 1 year+ to find a better solution and sort of conceded to this being the only working solution. There are multiple upstream issues without a solution, and I will continue to write more issues as I find them. But without better education, I can't fix these issues myself... Spent a few nights trying.
@connorskudlarek8598 · a month ago
1:20:35 lol, dude caught some strays because he got misread. Oof. :P
@Exilum · a month ago
Almost didn't notice xD. Happens quite often with Prime.
@connorskudlarek8598 · a month ago
@@Exilum nature of the beast if you have dyslexia. Add on 1k+ eyeballs watching you read out loud, and needing to spot messages flying by at break neck pace... it's gonna happen, haha.
@Exilum · a month ago
@@connorskudlarek8598 Yeah I'm not blaming him for that. It just happens even without dyslexia
@nasenbaer4627 · a month ago
I stand by my previous assessment. This doesn't warrant a 9.9. You have to expose the CUPS port to the public AND need to use the fake printer. And I can't think of a single good reason to have the port exposed outside of your LAN/VPN.
@chupasaurus · a month ago
The one evilsocket already showed? Yep. The next one he announced doesn't need anything except CUPS with DNS-based discovery service AND exploits the same code.
@Alxdb · a month ago
9.9 came from RHEL. Evilsocket is a hacker, not a CEO of CVSS ratings. Forget about the rating. Instead, exercise mindfulness and be thankful that he was going to publish it instead of exploiting systems.
@Alxdb · a month ago
Even if there's a firewall or NAT, this vuln could be used to go from initial penetration to persistent foothold. Learn about security concepts such as "defense in depth" rather than dismissing awesome work as nothing burger
@sindol3925 · a month ago
It's certainly not a 9.9. But i think people forget that besides using a fake printer, you can just use an actual printer with malicious code inside. I wouldn't be surprised if some nation states(China) have been using this.
@Drenith · a month ago
@@Alxdb In fairness the other commenter didn't say it is a "nothing burger" they said it doesn't warrant a 9.9 which is fair. The 9.9 is partially predicated on ease of exploitability. If you need another attack vector to get in it's no longer a 9.9.
@yanidoesit · a month ago
Ghostscript is a Postscript Raster Image Processor... like Acrobat.
@szirsp · a month ago
What if printers were not allowed to run arbitrary commands??? Maybe that feature should be deprecated... A new filter package could be developed to support legacy printers that relied on this feature: get a database of these (Perl formatting) command lines that printers inject into your OS (in the first years opt in to telemetry that sends these to some collection site), a security team validates each one and creates a whitelist, a lookup table of acceptable command lines (maybe, God forbid, regexp lines), then OS package managers update this table and the printer filter only accepts/executes command lines that are present in this validated list (if they are not, it sends it to the reporting site for manual review). ... Of course this would require resources and probably no one cares enough to support these legacy printers... so it will probably never happen. Printers have to be stopped! They should not have the ability to inject arbitrary code into the OS! Printer manufacturers cannot be trusted. There is a reason why Microsoft moved printer drivers to user space ;)
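The allowlist the comment above sketches can be tried today, at least as an audit: cupsd writes a PPD for every printer it knows about (including ones learned from the network) under /etc/cups/ppd, and foomatic-rip runs whatever the PPD's `*FoomaticRIPCommandLine` key says. The script below is an added example, not code from the video, a commenter, CUPS or foomatic. The PPD key name is real; the allowlist file format (one full PPD line per permitted command), its location, and the sample PPD contents in the test are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the page, CUPS or foomatic): audit installed PPDs
# for printer-supplied command lines.  foomatic-rip takes the value of the
# *FoomaticRIPCommandLine key and hands it to a shell, so a rogue printer's
# PPD can carry any command it likes.  This script lists those values and
# compares them against a plain-text allowlist (one full PPD line per entry;
# the file format and path are assumptions of this example).
#
# Usage:  sh ppd_audit.sh /etc/cups/ppd /etc/cups/rip-allowlist

# ppd_rip_commands PPD
# Print each FoomaticRIPCommandLine value as one line.  PPD values may span
# several lines and end with a "*End" line; those are joined with spaces so
# the allowlist can hold one line per command.
ppd_rip_commands() {
    awk '
        /^\*FoomaticRIPCommandLine:/ {
            if ($0 ~ /"[ \t]*$/) { print; next }   # single-line value
            buf = $0; multi = 1; next               # continues up to *End
        }
        multi && /^\*End/ { print buf; multi = 0; next }
        multi { buf = buf " " $0 }
    ' "$1" 2>/dev/null
}

# ppd_allowed PPD ALLOWLIST
# Return 0 if every command line in PPD appears verbatim in ALLOWLIST (a PPD
# with no such key is allowed); otherwise print each offending line and
# return 1.  The loop reads from a here-document so it runs in this shell,
# not a pipeline subshell, and can set status.
ppd_allowed() {
    status=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if ! grep -qxF -- "$line" "$2"; then
            printf 'DENY %s: %s\n' "$1" "$line" >&2
            status=1
        fi
    done <<EOF
$(ppd_rip_commands "$1")
EOF
    return $status
}

# audit_ppds DIR ALLOWLIST: check every *.ppd in DIR; return 1 if any denied.
audit_ppds() {
    rc=0
    for f in "$1"/*.ppd; do
        [ -e "$f" ] || continue
        ppd_allowed "$f" "$2" || rc=1
    done
    return $rc
}

if [ $# -eq 2 ]; then
    audit_ppds "$1" "$2"
fi
```

Matching whole lines with `grep -xF` keeps the comparison literal: no regex, no substring, so `gs -dSAFER ...` on the allowlist does not also admit `gs -dSAFER ... ; curl ...`. The audit only sees PPDs that are already installed; it is a detection, not the enforcement in foomatic-rip the comment asks for.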
@matthewp4046 · a month ago
CIA = Cyan Is Absent 😂
@vincent_sz · a month ago
Even without RCE this is a problem if I can just pretend to be the office printer and people print potentially sensitive documents to me and I forward them to the printer. In L2 and L3 you can detect and prevent this MITM (ARP spoofing e.g.), but using totally legit L7 functionality will blend into the noise of Zeroconf and web traffic.
@erykfromm · a month ago
Printing with Linux has (had?) 2 steps: 1) plug in the printer, 2) print. My friends I try to win over for Linux (so I have an easier life supporting them) are always baffled at how easy it is to print, if you do not try to sell some BS with it.
@mattymerr701 · a month ago
I do not understand how FoomaticRIP isn't __at least__ running in a container or sandbox. Wild
@shampoable · a month ago
Had to print something recently. Managed to print one page, afterwards the printer decided to somehow nuke itself and would only print out random STL errors regardless of what PC or OS would try to print.
@rasi_rawss · a month ago
Hilarious how this happens on the backside of the Rust in Linux drama. Donkeys
@glenby2u · a month ago
I definitely think you guys are underestimating how this could impact. Many companies have a public printer exposed and, let's just say... "there's more", wait for the free steak knives... Linux is small bits individually maintained and supports stuff from way back. If you ever used Perl in the old days, you will understand how many potential flaws there are. Most people/companies will print to PDF, and the Adobe PostScript driver stuff has been on ALL platforms for 30+ years. So... I expect there will be more to follow, i.e. home routers... and anything that supports network printing.
@chigozie123 · a month ago
Printing seems to be the one task all the major operating systems seem to struggle the most with. If I were to rank them based on ease of printing, Android would be number one while Linux (with CUPS) would be dead last. Crazy how both came from the same family. BTW, I hope this revelation has opened your eyes. Yes, I'm looking at you Linux folks who swear up and down that Linux is more secure than Windows. I hope your eyes have been opened to how vulnerable you truly are. I mean, it shouldn't have taken this to make that clear to you. Installing any NPM package on your system has the ability to run arbitrary code upon installation, including deleting your user directory. I mean, the NPM package manager could literally be classified as a Trojan at this point, but just like CUPS, only when the people who use it have moved on, would we finally get to address it.
@autohmae · a month ago
Really ? I found Linux easier than Windows when it comes to printers.
@Kwazzaaap · a month ago
Why are you saying this after the ipv6 thing that happened to Windows? Do you not understand how limited in scope this issue is in comparison and you are telling me Windows is safer? Do you think an NPM package can't hurt Windows? Do you think Linux kernel and distro developers are responsible for foolproofing their system against dumb development practices in userland? Even with Windows Defender it would still be disingenuous to blame Windows for getting owned by a trojan NPM package, but here you are saying how Linux is unsafe because of NPM.
@EwanMarshall · a month ago
Not all printers work with android... there is a weird service system it uses where it works with a lot of printers needing you to go and download and install a specific service app to connect to their printers, it also has actually 3 different systems it has gone through in the last 10 years. Ultimately CUPS, with a lot of printers it is just as easy as plug them in today. Especially now they can accept things like PDF documents directly and talk IPP directly and not custom stuff.
@CharlesBallowe · a month ago
The researcher's call for "they won't admit their code is crap" seems over the top. It sounds like the protocol is crap if it requires executing somewhat arbitrary external filters.
@MultiMrAsd · a month ago
Not only the protocol. Have you read the code in the article? It’s actually crap, too.
@CharlesBallowe · a month ago
I haven't yet. Does sound like it might be, though nothing in the vulnerabilities depended on the code being crap. Making the code amazing still wouldn't fix the filter protocol.
@aaksola · a month ago
That file was certainly not owned by root but "lp". So likely the command was not executed as root.
@szeredaiakos · a month ago
If you print directly from the internet you don't need fax machines.
@KevinLyda · a month ago
"I don't know what ghostscript is" Wow. OK, kids today are missing so much UNIX history.
@monad_tcp · a month ago
56:07 that's why, when I have fun with things like that that I randomly find, I just pretend I didn't find them and ignore them, not my problem. I don't even disclose it, to not get into the boring politics; may God help someone find it by mistake like I have. Then I will only talk about it when drunk for fun at parties, that's responsible disclosure.
@Drenith · a month ago
As I understand it this exploit requires 2 things:
1. Ability to deliver a UDP packet on port 641 to a machine with CUPS
2. A print command referencing the malicious printer defined in step 1
Doesn't this effectively mean almost everyone behind a NAT (router) is safe (barring a bad actor within your network)? In the article it mentions "I’ve got back connections from hundreds of thousands of devices", but how many directly public-facing machines are ever going to be printing? In my naive opinion I'd expect those to almost exclusively be servers; maybe there are servers with an automated process that prints, but you'd have to match their printer name or become the default printer. Something like "print to pdf" isn't something I'd expect to impact an automated process.
Edit: Another commenter mentioned portable devices and public wifi. I suppose if the default behavior on Linux on an untrusted network is to accept incoming connections on that port (I could see wanting to auto-detect a printer on the library network or whatever) it's a bit more of a concern than I had originally thought, although still significantly below a 9.9/10 in my opinion.
@tonywalker8030 · a month ago
Does this include BSD and Mac?
@michaelschmid2311 · a month ago
44:21 and if you absolutely need to? Encrypting all code executed from a file with a self-signed key so anything else can't be executed?
@jeremybobbin · a month ago
“cups browse-D.” - Prime is it just me or is there something missing 🤔
@bill88t96 · a month ago
Wait.. Privilege escalation. WHY IS NOBODY TALKING ABOUT IT? Any user in group lp can elevate to root with this..
@ET_AYY_LMAO · a month ago
So this is essentially a nothingburger since no one runs printer spool servers on their production environments.
@ninetydirectory3798 · a month ago
Brother, may I have some cyan.
@heinzerbrew · a month ago
Little embarrassed that two programmers don't know how to use A and An.
@OneBiOzZ · a month ago
There is just something about teasing what you believe to be a 9.9 CVE on Linux. Intel agencies would literally kill for this, every bad actor would be trying to hack you or track down what you are doing. If you have a Linux 9.9 CVE you contact Red Hat, you contact the maintainer of the problematic code and you keep your mouth shut until it's fixed. After it's fixed you do your showboating.
@dabbopabblo · a month ago
Why's your screen tearing?
@craigmcfarland7295 · a month ago
ngl, gonna start using 'root jesus' whenever I refer to 'root' from now on
@peterromfeld4091 · a month ago
I don't know, I'm on NixOS, I only define the printer I use in a declarative way.
@yanidoesit · a month ago
It's Yellow not Cyan that runs out. You dudes really don't use printers. :)
@Tony-dp1rl · a month ago
How the hell is Linux code not scanned for this sort of issue.
@nodopamine6243 · a month ago
Hack the Box just dropped a machine where you can try the exploit out.