the new "9.9" Severity Linux Vunlerability

00:00

hello buddy my name is Eric and today

00:01

we're going to be looking at the CVSs

00:04

9.9 vulnerability that affects all g/

00:08

Linux systems so well that's sort of how

00:10

it was initially spread and we'll go

00:12

through the reality of it is it

00:14

overblown and what does it actually do

00:17

so what we have here is attacking Unix

00:20

systems via cups now cups is the common

00:23

Unix printing system it's actually

00:24

developed by Apple and was intended to

00:27

make printing on Unix spaced systems

00:30

easier so we'll read the preface so this

00:32

quote is interesting from a generic

00:34

security point of view a whole Linux

00:36

system as it is nowadays is just an

00:38

endless and hopeless mess of security

00:40

holes waiting to be exploited I wouldn't

00:43

go that far but Linux security

00:44

definitely especially on the desktop is

00:46

not as good as many people assume it is

00:49

and uh this security incident is

00:52

relatively

00:54

severe so what's happened here is a

00:57

combination of vulnerabilities leads to

00:59

OTE code execution so first of all we

01:02

have this one cups browsed binds on this

01:06

IP address trusting any packet from any

01:08

source to trigger a get printer

01:10

attributes request which then goes to an

01:12

attacker controlled URL so this gets the

01:16

vulnerable system so this gets the

01:19

vulnerable system to connect

01:22

back then this does not validate or

01:25

sanitize those attributes so and and

01:28

this is how uh the

01:30

actual execution happens is you can

01:33

inject a command line parameter into

01:36

this so you can add a printer to

01:39

someone's computer without

01:42

authentication and if they ever try and

01:44

print through that printer that's how

01:46

the actual vulnerability

01:47

works so this is substantially less bad

01:51

than something like Eternal blue which

01:52

allows you to take over a system with

01:55

zero authentication or interaction if

01:57

you want to see that you can go see my

01:58

Windows XP or ser 2003 videos where

02:01

malware just installs itself it's not

02:03

that bad but it's still pretty severe so

02:05

a remote unauthenticated attacker can

02:08

silently replace existing printers or

02:10

install new ones with a malicious one

02:13

resulting in arbitrary command execution

02:15

when a print job is started now on the

02:17

public internet you just send a UDP

02:20

packet now there is a problem this

02:22

course which is much like why the

02:24

Eternal blue isn't a huge issue these

02:26

days unless you're running a server your

02:29

computer is probably not directly

02:30

exposed to the internet and if you have

02:33

a properly configured firewall this port

02:34

should not be exposed the other way this

02:36

can be triggered is overl you can spoof

02:39

a zero comp mdns advertisement and

02:43

achieve a similar code path and then you

02:45

get a very very bad uh security takech I

02:47

actually saw this one on a a few month a

02:49

month ago and I thought oh yikes yeah I

02:53

mean any uh Network worm is only a

02:57

problem if the port is exposed to the

02:59

internet or the network but yeah that's

03:02

that's not quite right now of course

03:03

this vulnerability is going to be very

03:05

broad because cops is used on

03:07

essentially every modern Unix system and

03:10

of course Mac OS is also on the list

03:12

because I mean it was Apple who

03:14

developed it although I don't know if

03:16

they Shi the browsed extension now here

03:19

as a result of Port scanning he's

03:21

discovered that hundreds of thousands of

03:24

devices do have this enabled on the

03:27

public internet and this file contains a

03:29

list of of systems that have cooled now

03:33

this works because the kernel

03:34

information is actually cooled back when

03:36

you when you send this request so wow

03:39

all the way back to 2.6 where you could

03:41

probably find a myriad of other problems

03:44

uh two going down oh wow yeah all the

03:47

way to the very latest version across a

03:49

wide variety someone exposed a gentu

03:51

system you can find out some of these

03:53

actually cuz xan mod Licor these are

03:57

usually installed by Gamers so some

03:59

people are definitely exposing their

04:00

Linux PCS to the entire internet so you

04:02

can get rid of the cups browsed so this

04:05

update

04:06

cups and if you can't update it just put

04:09

that on the firewall you can also do

04:11

that I think that's a bit far I mean

04:14

it's not like Windows hasn't had uh

04:16

vulnerabilities with printing but what

04:18

is a bit concerning here was how the

04:19

developers of this initially responded

04:21

now here they discover how this was

04:23

initially discovered this is something

04:26

that's always interesting to do is see

04:28

what ports are open by default and in

04:29

terms of network vulnerabilities an open

04:31

p can be a

04:33

vulnerability now I checked and my Arch

04:36

desktop system does not have this

04:37

vulnerability because I I never

04:39

installed cups browsed and none of my

04:41

servers have it but if you installed a

04:44

desktop Dro on a server you may be at

04:46

risk and here is the code that binds it

04:50

and of course we've got the joy of

04:53

memory unsafe C where any number of

04:55

things can potentially get

04:57

in we've got some paing code that of

05:01

course the Allowed by default will just

05:03

always return

05:04

true and here is the paing so first of

05:09

all me check that of course what you can

05:12

then do is fuzz this and this is where

05:15

as several things were discovered but

05:17

this vulnerability or potential

05:19

vulnerability is not even the main

05:21

problem now here is where the main

05:24

problem comes I just thought I would

05:25

provide a somewhat happy update to this

05:27

so This security researcher has done

05:30

some analysis of this function it's

05:34

unlikely to result in any interesting

05:36

information which is very good news

05:40

still a problem still embarrassing uh

05:43

but the good news is that nothing

05:45

terrible is going to come

05:48

because on every relevant architecture

05:52

it's just going to get a null

05:56

bite you could maybe get a timing attack

06:00

but this is unlikely to result in

06:03

anything drastic especially because it

06:05

is going to be

06:07

patched still important to check because

06:11

that wasn't immediately knowable Now by

06:13

using uh and slightly modifying this IP

06:16

server package they were able to quickly

06:19

enough design an exploit and an

06:22

execution path is found with

06:26

this fumatic rip filter which apparently

06:30

has been exploited many times before and

06:32

this security problem was apparently

06:34

just kind of ignored and this is fmatic

06:38

Rip so okay so it does some sort of

06:42

print translation and because of how

06:44

that works it seems to just kind of rely

06:47

on what are essentially arbitrary

06:49

scripts that's a bit scary and there's

06:52

even a video of this exploiting process

07:22

successfully created a

07:25

file so that was kind of according to

07:28

this person that was the easy part now

07:30

what wasn't so easy was going through

07:32

and trying to report this

07:34

vulnerability first of all the

07:36

difficulty was getting the developers to

07:38

accept that there was a vulnerability so

07:40

they submitted a Vince report and then

07:43

the worst thing that happened

07:46

was it got

07:49

leaked from Vince uh it got leaked over

07:54

onto breach

07:56

forms not even for money someone just

07:59

copy and pasted it I would almost wonder

08:02

given this is a new user on breach

08:03

forums if this was uh someone who was

08:05

just upset about the whole so that's the

08:08

conclusion of this article so how bad is

08:11

this vulnerability well it's definitely

08:14

less bad than Eternal blue or any of the

08:18

windows netw worm vulnerabilities but

08:20

it's still very bad and of course the

08:22

worst thing was the amount of pain that

08:24

this person went through trying to

08:27

disclose it they've said they're not

08:29

going to do any more uh of this with

08:32

because it was such a pain which is a

08:34

terrible terrible situation and it is

08:36

the trouble is with an open Soul system

08:39

or or more of a modular system rather

08:42

than an open Soul system is sometimes

08:44

there are pieces of the system that are

08:46

not wellmaintained or documented where

08:49

these things can come through and of

08:50

course the most alarming thing is that

08:54

this Vince system had a leak so this was

08:57

actually able to escape

09:00

and be sold on breach forms before it

09:02

was disclosed or worse yet uh it could

09:05

have actually made its way into being

09:07

exploited before it was disclosed cuz

09:08

the exploit here is very simple now

09:10

heading on over to Shodan we can

09:12

actually get a list of all of the

09:14

different services that have an open uh

09:16

Port 631 exposed to the internet and we

09:19

get over a Million results with 700,000

09:22

in the United States followed by China

09:24

followed by Israel followed by Korea and

09:27

all sorts of different ISP with Google

09:30

having a staggering number most of these

09:32

are in fact CS but then there are

09:35

other things some people seem to be

09:38

running HTTP servers on that

09:41

poort and most of the operating systems

09:43

are unidentified I'm going to assume

09:45

that the windows uh reports are going to

09:48

be mostly false positives now for

09:50

reference another insecure Port that has

09:54

caused trouble uh SMB uh well that's got

09:57

1.7 million and hopefully all of these

10:00

are patched against Eternal

10:02

blue maybe not all of them I mean we

10:04

just got an lce notice here but

10:07

hopefully a lot of them are so is it

10:09

worthy of a 9.9 well I think the only

10:12

real I I don't buy into the argument

10:14

that it would have to be exposed to the

10:15

internet or that a firewall could stop

10:17

it because that is a common

10:18

misconfiguration just like with eternal

10:20

blue which is still being exploited by

10:22

the way I saw a Windows Server host

10:25

selling a server that came with an image

10:27

that was vulnerable to Eternal blue out

10:29

of the box and would probably get taken

10:31

over by a an internal blow exploit

10:34

before you would even be able to log

10:35

into it so that is absolutely still a

10:37

problem but the main benefit for servers

10:41

and basically anything exposed to the

10:43

internet these days is a server because

10:45

it costs too much like IP addresses are

10:47

now valuable so you're not going to have

10:49

your home computer exposed to the

10:51

Internet so given that the fact that A

10:54

online servers may not have this

10:56

installed and B they're probably not

10:57

printing anything means that known

10:59

exploit is probably not a going to cause

11:02

a massive amount of disruption but the

11:06

good thing is hopefully this entire

11:08

category of vulnerabilities will be

11:10

fixed before it becomes widely used but

11:14

as we often see with hosting providers

11:18

using out-of-date uh server

11:21

images this vulnerability is going to

11:23

have a long tail so that's going to be

11:25

all for me for now let me know what you

11:27

think in the comments

11:29

bye