The "9.9" Linux Vulnerability Revealed: It's The Printers

00:00

the details of that 9.9 out of 10 remote

00:04

code execution vulnerability that we

00:06

found out about yesterday has been

00:09

revealed much sooner than anticipated

00:12

because there was a

00:14

link out of Vince uh going to get to all

00:18

of that in a minute but first let's talk

00:19

about exactly what this vulnerability is

00:23

high Lev yes it is a massive

00:26

vulnerability and it does allow people

00:29

to execute code on remote machines not

00:32

just Linux without authentication by

00:36

simply sending a sing a UDP packet by

00:39

sending a UDP packet to the remote

00:42

machine you can then execute code

00:46

arbitrary code this is very very much a

00:49

very bad thing I absolutely would rank

00:52

this a 9.9 out of 10 this is not good at

00:54

all uh the researcher that found this uh

00:57

Simon margaritelli uh has published all

01:00

of the details wasn't going to have this

01:03

this information published until October

01:05

I believe it is 5th but because it was

01:08

leaking out there

01:09

anyway it really it it was it was more

01:12

reasonable to get it out there I I agree

01:14

with with Simon margar tell's uh

01:17

reasoning for why he published this this

01:19

information now if it's already leaked

01:21

out and potential Bad actors have access

01:23

to this anyway why not get this

01:25

information widespread so that people

01:27

can at least mitigate against the

01:29

possible problems now the core of the

01:31

system here is entirely around the

01:34

printing subsystem it's around cups the

01:37

common Unix printing system baby that

01:40

almost every Linux machine has um I'm

01:44

going to read a couple of quotes here

01:46

from from Simon's post this is over at

01:48

evil socket.net which is his

01:51

website um Hello friends this is the

01:53

first of two possibly three if and when

01:55

I have the time to finish these W this

01:57

Windows research writeups we will start

01:59

with the with targeting gnu Linux

02:01

systems with a remote code execution

02:04

exploit as someone who's directly

02:06

involved in the cups project set and

02:08

again cups is responsible for printing

02:10

it's used on Linux systems it's used on

02:13

Chrome uh Chrome OS uh even even Apple

02:17

systems have variations on cups I don't

02:19

know if their specific versions are

02:21

impacted with this but they have them as

02:23

well quote from a generic security point

02:26

of view a whole Linux systems is as it

02:29

is now is just an endless and hopeless

02:31

mess of security holes waiting to be

02:33

exploited we all know this

02:35

extraordinarily complex and

02:37

interconnected systems breed an almost

02:39

endless number of of of possible uh

02:43

access points for for any sort of

02:45

exploit that's just that's just how it

02:47

is with the increasingly complex systems

02:50

um so the the specific vulnerabilities

02:53

that are being listed here today there

02:55

are four of them um uh issues in cups

02:59

browse d lib cups filters lib pppd and

03:03

cs- filters uh he's got the cve numbers

03:07

here published for all of them however

03:08

those cves are not yet made public but

03:11

you can grab them copy them and and

03:13

search for them and as soon as they get

03:15

made public additional uh information

03:17

will be available on them but again this

03:20

is all around the printing system

03:23

specifically as it relates to network

03:26

printing right Network printing which

03:28

means it impacts a lot of systems just

03:31

to give you an example here both auntu

03:34

and Fedora and many other extremely

03:37

popular Linux distributions ship with

03:41

cups browse D on and enabled by default

03:45

so when we're talking about uh Linux

03:48

desktop systems and honestly even most

03:51

Linux server systems you're going to be

03:54

wanting to check to see if you've got

03:55

that on by default uh it's just it's a

03:58

lot of systems so the entry points for

04:01

this particular attack the first is that

04:04

if you were on a the public internet

04:06

just on the Internet or on a wide area

04:09

network a remote attacker sends a UDP

04:12

packet to Port

04:13

631 no authentication whatsoever is

04:17

required on that that's an entry point

04:20

again a a UDP packet a UDP packet that

04:26

is Holy Heavens more details on how that

04:29

works or if you're on a local area

04:32

network a local T attacker can spoof

04:34

zero comp um um and achieve the same

04:38

code path leading to a remoto code

04:40

execution so it's incredibly simple uh

04:43

to to accomplish this um uh quoting one

04:47

of the first comments from the only guy

04:49

from the guy who literally wrote the

04:51

book about cups while trying to explain

04:53

to me why this is not why this is not

04:56

that bad this is crazy quote I am just

05:00

pointing out that the public internet

05:02

attack is limited to servers that are

05:05

directly connected to the

05:08

internet the picture that Simon margar

05:11

Deli uh included here was brilliant

05:14

because yeah again I'm going to repeat

05:16

that this is this is this is a reason

05:19

why this this attack is not that

05:22

bad the the public internet attack is

05:25

limited to servers that are directly

05:27

connected to the internet

05:31

that's like saying um the issue with the

05:34

cars driving on the road is only limited

05:36

to the cars driving on the road it's

05:39

like okay um let's go ahead and Rewind

05:42

and and reread that yourself um so he

05:45

lists here uh some affected systems um

05:48

so cups brows D are packaged for most

05:50

Unix system he says so most genu Linux

05:52

distribution yes that's true some bsds

05:55

also true chromium and Chrome OS also

05:58

true uh Solara

06:00

yes uh he says possibly more and and the

06:02

answer is yes to that uh this is going

06:04

to impact a lot of system systems uh he

06:06

goes on to say this thing is packaged

06:08

for anything and in some cases it's

06:10

enabled by default in others it's not go

06:12

figure it is more often than not enabled

06:16

by default it's not enabled by default

06:18

in every system and there are ways to

06:21

button down this which we'll get into as

06:23

we go along but on assume assume that

06:27

browse

06:30

uh cups browse D is enabled by default

06:32

on your system um so he checked this out

06:36

I've been scanning this is what he said

06:38

the entire public internet ipv4 ranges

06:41

several times a day for week sending the

06:43

UDP packet and logging whatever

06:45

connected back and I've gotten back

06:47

connections from hundreds of thousands

06:49

of devices with peaks of 200 to 300

06:52

concurrent devices this file he

06:55

published a file contains a list of the

06:57

unique Linux systems affected all the

06:59

different uh uh specific Linux version

07:02

numbers uh kernel numbers and whatnot

07:04

note that everything that is not Linux

07:08

has been filtered out uh and if you go

07:11

check out the file on his website it

07:12

literally is just a list of all Linux

07:14

version kernel

07:16

versions right it's just everything and

07:18

the reason he knows that is because the

07:21

response you get back by sending that

07:23

UDP packet actually tells you what kind

07:27

of what kind of system you're running so

07:29

you just send this UDP packet and you

07:31

get back the colel the colonel version

07:33

that you're you're you're pinging

07:35

basically it's crazy how much

07:37

information you can get um so

07:39

remediation so ways you can work around

07:42

this uh first uh disable and remove cups

07:45

browse D service if you don't need it

07:47

and probably you don't it's only

07:49

necessary if you're printing right and

07:51

if you've got a a network attached

07:53

printer update the cups package on your

07:55

systems and in case your system can't be

07:58

updated for some reason uh and for some

08:00

reason you rely on the c s some reason

08:03

you rely on the service block all

08:05

traffic to UDP Port 631 and possibly all

08:10

DNS SD traffic good luck if you use

08:12

zeroc comp okay he also says his

08:15

personal

08:16

recommendation I've seen and attacked

08:19

enough of this code base to remove any

08:22

cup service binary and library from any

08:24

of my systems and never again use a Unix

08:27

system to print oh man I'm also removing

08:31

every zero aahi bonjour listener you

08:35

might consider doing the same all right

08:38

I'm going to skip through I'm not going

08:39

to greet his whole story here but I want

08:41

to point out a couple of things that he

08:44

found along the way so you understand

08:47

exactly how much power this particular

08:51

remote code execution exploit can have

08:54

so he noticed this cups brows D was

08:57

running he noticed that that process C

09:00

was running as root and listening to you

09:04

on UDP Port

09:06

631 uh he says that uh after some

09:09

Googling I found out that cups browse D

09:10

is indeed part of the cups system and is

09:13

responsible for discovering new printers

09:15

and automatically adding them to the

09:17

system right so that's what CBS CBS

09:20

browse D does all right let's just jump

09:23

jump ahead a little bit because he goes

09:24

through the technical details if you

09:25

want those technical details go grab it

09:28

if all checks pass so if you you you uh

09:31

you know you send in that udb packet and

09:33

you start communication if all checks

09:35

pass which they're probably going to two

09:37

text fields parsed from the packet are

09:39

passed to the found cups printer

09:41

function right then it goes through a

09:43

series of of various functions as it as

09:46

it goes along and then we get to here um

09:49

uh both of these issues uh so and he

09:51

gets through a number of issues that he

09:53

hits uh issues have been reported and

09:55

thoroughly documented to the devs and

09:57

the cert but nobody seems to give a damn

10:00

I can tell you that there there are

10:02

other more easily exploitable code paths

10:05

going on not just the the functions he

10:07

outlines not just in the discovery

10:09

mechanism also reported and ignored to

10:13

this day they have not been acknowledged

10:15

rep patched happy

10:16

hunting

10:18

so um he the Simon margari uh

10:23

margaritelli he definitely has some

10:27

strong feelings about how this is has

10:29

been handled right out of the bat um he

10:32

feels like this hasn't been taken

10:33

seriously enough and looking at things

10:36

initially not seeing some of the sort of

10:39

secret Communications that have happened

10:41

and have not been opened up it does seem

10:44

like yeah maybe this hasn't been taken

10:46

as seriously as it should uh he

10:47

continues quote so I tell myself there's

10:50

no freaking way that if I send this

10:52

packet to a public IP address running

10:55

cups that computer will connect back to

10:57

the server I specified no way and he you

11:00

know holy beep not only it connected

11:03

back immediately but it also reported

11:05

the exact kernel version and

11:06

architecture in the user agent header uh

11:09

it also reports the requesting username

11:12

on the target for some of the requests

11:14

that you can send in again via plain old

11:17

UDP baby um he says I went back to

11:21

writing some code and by using the IP

11:24

server python package I was now able to

11:26

respond properly with attributes I

11:29

controlled to the service request my

11:32

fake printer was immediately added to

11:34

the local printers with no notification

11:35

whatsoever to the user then he posted a

11:37

screenshot of him um post of creating a

11:40

new printer uh called God God God God

11:44

God in the with the location of In Your

11:47

Butt um which is clearly a real

11:51

printer and that's very very crazy right

11:54

that you can do that without any

11:57

authentication from the end user then

11:59

user doesn't get to choose it you just

12:01

send some packets at a machine

12:03

unauthenticated and you can add printers

12:05

to that machine and he goes on to say it

12:08

looks like the service fetches these

12:09

attributes uh when it it creates some

12:11

sort of temporary file uh with the

12:14

attributes he was pointing out uh that

12:16

were that were created uh a PPD file on

12:20

which these attributes are possibly

12:21

saved so he's like okay so I can send

12:23

some attributes for a printer it's it's

12:25

added into a PPD file that's saved loow

12:29

Al on the user's machine all right so

12:32

what is exactly is a PPD file well this

12:35

is commonly not known I used to work at

12:37

hulet Packard like in the 90s I worked

12:40

at huet Packard and and I I'm pretty

12:42

intimately aware with this but he writes

12:43

a pretty decent description of exactly

12:45

what a PPD is a PPD file is a text file

12:48

provided by a vendor that describes a

12:51

domain specific in a domain specific

12:52

language the printer capabilities to

12:55

cups and instructs it on how to use it

12:57

properly it's it's basically a here's

12:59

this printer here's the details about it

13:01

here's how you use it it's a real simple

13:02

file that way

13:04

right um I spent a few hours just

13:07

reading the PPD specs and studying cup

13:10

specific extensions in order to find

13:11

something I could rely I could I could

13:14

really try to perform an attack and then

13:17

I found out about cups Filter 2

13:19

directive okay here's where the remote

13:22

code execution from all this comes in

13:24

because up until now you're just sending

13:26

UDP packets and being annoying because

13:28

you're creating a printer that's fake on

13:30

someone's machine that's annoying but

13:32

that's not 9.9 severity right here's

13:35

where it gets gnarly a filter is any

13:38

executable contained in the user lib

13:41

cups filter path um which will get

13:45

executed when a print job is sent to the

13:48

printer and I think several of you are

13:50

going uhoh I I see where this is going

13:53

uh now it uses something called

13:55

fumatic um and quote they have to ow

13:59

fumatic the command line program to

14:02

accept pretty much anything including

14:04

Pearl or many printers will stop working

14:07

on Unix basically there's this this old

14:10

chunk of code that's there to handle um

14:13

called fumatic all of these different

14:15

printing scenarios and different types

14:17

of printer Hardware especially older

14:19

printers newer ones not quite as often

14:22

and you have to basically allow it to to

14:25

execute darn near anything in order for

14:27

it to happen so in theory be using that

14:32

we should now be able to this was him

14:34

theorizing about what he could do before

14:36

he tested it Force the target machine to

14:38

connect back to our malicious IP server

14:42

return an IP attribute string that will

14:45

inject controlled PPD directives to the

14:49

temporary file basically send some udb

14:52

packets make a connection send some

14:55

attributes just some some custom created

14:59

malicious attributes that will be

15:00

created into a PPD text file on the on

15:03

the target's machine and wait for a

15:06

print job to be sent to that fake

15:08

printer for the PPD directives and

15:10

therefore run the command right kicks

15:13

off the command and you can kick off

15:15

that printer the same way so let's so

15:17

let's let's see how this plays out uh

15:19

and uh well it worked it worked he tried

15:23

it it worked he provided the details

15:25

here on how you can do it so if any

15:27

viewer looking to do it wouldn't take

15:29

too much work to create the the empty

15:31

things that he didn't mention in here um

15:35

uh he says uh uh one additional thing he

15:38

included here and this is about how this

15:40

is all played out since he revealed this

15:44

to to uh uh the printing group right so

15:48

are the printer developers while the

15:50

research only took a couple of days this

15:52

part talking with the developers of of

15:56

the projects took 22 and this part was

15:59

not fun I will only say that to my

16:02

personal experience the responsible

16:04

disclosure process is broken that a lot

16:07

is expected and taken for granted from

16:09

the security researchers by triers that

16:11

believe like you have to prove to be

16:15

worth listening to while in reality they

16:17

barely care to process and understand

16:19

what you are saying only to realize you

16:21

were right all along 3 weeks later if at

16:24

all 2 days for the research 249 lines of

16:27

text for the fully working exploit 22

16:30

days of arguments condescension several

16:33

gaslighting attempts uh more or less

16:36

subtle personal attacks dozens of emails

16:38

and messages more than 100 pages of text

16:41

in total hours and hours and hours and

16:44

woo lots of swear words there he's

16:45

feeling salty about it is what I'm

16:48

saying um and the the 9.9

16:51

rating uh he goes on to to show some

16:54

screenshots how the 9.9 rating was

16:56

actually given by engineers at Red Hat

16:59

uh who uh who rated it as such and I'm

17:02

going to be honest this is pretty I

17:05

agree that this is this should have a

17:07

very high rating I I don't care if you

17:08

call it a 10 I don't care if you call it

17:10

a nine a 9 point something whatever this

17:12

is not like some middle of the road 5

17:14

point something exploit uh you have the

17:17

ability to remote code execute as root

17:21

because that's what cups brows D run as

17:25

it runs as root you have the ability to

17:27

run as root AR code

17:30

execution to any

17:32

system mostly via just some simple UDP

17:36

it's it's uh it's too trivial it's it's

17:40

too trivial and it's too widespread now

17:43

there's a lot of machines that don't

17:44

currently have cups browse de enabled by

17:47

default and that's probably good um if

17:50

you haven't blocked uh let's go back up

17:52

here a little ways about what you can do

17:54

to block this if you have not blocked

17:56

was it Port uh 623 3 632 I'm going to go

18:00

look it up for you real quick um Port

18:02

631 Port 631 block it uh block it now uh

18:09

because it's uh yeah yeah yeah yeah this

18:12

is too easy to exploit and now that this

18:13

is out in the wild which um this uh

18:17

Simone margaritelli he's not really the

18:20

one that put it out in the wild it was

18:21

leaked out there now here's where here's

18:25

where things get a little weird this was

18:27

leaked

18:29

over on uh breach forums. St I'm not

18:33

going to show it here but if you go log

18:35

into there you can you can get into it

18:38

and it looks like because of the

18:40

information that was

18:43

leaked it was specifically information

18:46

that Simone margaritelli had given to

18:50

Vince now what is Vince Vince is the

18:52

vulnerability information and

18:53

coordination environment um over at

18:56

Carnegie melan at C and um that means

19:01

and they're really the ones who handle

19:04

all of this stuff right all right all of

19:08

all of this all of the um hold on let me

19:10

scroll down here so you can see here all

19:12

the CV cves and whatnot you'll go find

19:15

those over with with certain Vince and

19:17

um there was a leak within Vince so

19:21

someone at

19:22

Vince if Simone margaritelli is to be be

19:25

believed which so far he's proven

19:29

he's followed through I mean he's

19:31

claimed everything he claimed previously

19:33

has proven to be true um then then Vince

19:35

does have a leak the other possibility

19:37

is that Simone marar telli is the leak

19:40

those are the those are kind of the two

19:41

obvious options or someone else was

19:44

given

19:46

this that we're not hearing about but

19:48

either way there clearly was a a leak in

19:52

all of this that is worth looking into

19:55

um so once this was already leaked out

19:58

there it's good that we now have the

20:00

details around it and we know to disable

20:02

cups you know get rid of of Cups d uh

20:05

cups browse D disable it completely

20:07

uninstall it from your system if you

20:08

don't use printers uh block Port 6 uh

20:11

631 um just all sorts of things that you

20:15

can do to mediate against this potential

20:18

attack however as as Simon margaritelli

20:20

pointed out um this is pretty widespread

20:24

I mean having cups brows D enabled by

20:28

Def fault on an open port is incredibly

20:32

common he found hundreds of thousands of

20:34

examples and I have no reason to doubt

20:35

that just simply knowing how these

20:37

printers work and knowing how networking

20:39

works and knowing these distributions as

20:41

intimately as I do I can I can say yeah

20:44

auntu Has It by default Fedora Has It by

20:46

default so many distributions have Cubs

20:50

browse on by default for convenience you

20:52

want to make printers work well out of

20:54

the box for end users otherwise they're

20:56

going to start

20:57

complaining so oh it's on by default I

21:00

mean that's how you discover and add

21:02

printers it's like oh there's a network

21:04

printer on your thing here it's added

21:05

for you so you can now print with it

21:08

right so there you go um so is this a

21:11

9.9 I would I would say so you're

21:14

probably over the coming days going to

21:16

hear a lot of argument about the the

21:19

severity ratings of this one about um

21:23

whether or not certain dros are

21:25

vulnerable at all um how overblown it

21:28

might have been or

21:30

under discussed it might have been I

21:32

think you're going to hear a lot of

21:33

yelling from both sides on that but

21:36

regardless this is a pretty major issue

21:39

and uh it's going to be difficult to fix

21:44

this issue fully uh and and the reasons

21:47

for that are the the ability to do the

21:51

code execution with inside of the cup

21:54

system is a critical component of of

21:58

using a hundreds and hundreds of models

22:01

of printers and so in order to fix this

22:05

fully that needs to be patched and

22:08

that's going to break the the Linux

22:11

compatibility with a lot of printers

22:13

unless a new system is is put in place

22:16

and new ways of working with those uh

22:19

those driver those printers is is

22:21

developed which is going to just be an

22:23

absolute massive amount of work I mean

22:26

considering this code has been around

22:28

for decades now and is a giant spider

22:32

web it is not uh an easy codebase to

22:35

understand the individual uh printer

22:38

drivers such as they are are a funky

22:42

mismatch of executable files uh uh Pearl

22:46

scripts all sorts of things in order to

22:49

uh format files correctly when they're

22:51

sent to the printer so fixing them for

22:54

all of these printers is going to be a a

22:56

mild Nightmare and I'm I'm sure

22:59

that the cups and uh the open printing

23:02

developers and whatnot have been

23:04

hesitant to do that because it is a

23:06

nightmare it's not a it's not a mild

23:08

thing it's a complete re architecture in

23:10

some ways of how a lot of these systems

23:13

work um so going forward in the very

23:17

near future my guess is we're going to

23:19

see printing support on Linux hindered

23:24

significantly in the name of securing

23:26

our systems I mean that seems like the

23:28

the reasonable way to go we can't leave

23:31

all these vulnerabilities in place and

23:33

and we can't simply expect that everyone

23:37

on a device is going to be behind a

23:40

firewall blocking Port 631 I

23:44

I there there it's a good temporary

23:47

measure but uh but really this needs to

23:49

be tackled with inside cups so there you

23:52

go there you have it uh there's all the

23:53

details again you can read all the

23:55

details posted over at evil socket which

23:59

is a great domain. net uh so thank you

24:02

to Simon margaritelli for posting all of

24:04

that uh and uh letting us

24:07

know what to do to lock our systems down

24:10

and with that ladies and gentlemen boys

24:12

and girls nerds and nerds across the

24:14

inner tubes I do declare and broadcast