Rather than trying to come up with a printer brand just call it "Print to PDF". I guarantee most enteprise workers would fall for it. You can even make the command actually produce a pdf file and they wouldn't notice the impact.
31:58 Your telnet expects " " newline sequences while the remote terminal only prints " ". After skimming the manpage, I think the onlcr option in stty can address that.
Why this is so highly rated? Well I could bet on "now printers work fine, we will fix issue later". Later comes never and everybody forgets about it. :)
Actually yes. I've found clues of this attack style at an enterprise and ive spot checked all of the printers and some managers reported this issue a year ago and nothing happened.
Thank you dude. First time messing with commands in the terminal. Cups-browsed service removed. This happened at a strange time. Kind of new to Linux and someone else in the house just bought a printer which I noticed popping up in the network lol. I didn't feel very at risk although the status command did indicate vulnerable.
Awesome demo. Great narration. Thank you! I am not a linux person, what surprised me is that apparently it seems common practice that network printers located outside your LAN can simply advertise themselves to your linux box. Mitigation imho would be fixing firewall settings or adding OS specific protection against accepting IPs outside your home turf. If this exploit is based on mDNS, I would doubt though that mDNS would be sble to cross your subnet in the first place. Or did I miss a crucial point? I have to admit I have definitely blind spots when it comes to Linux 😊 Thanks anyway for taking the time & explaining the mechanics behind this in such a well paced way, I am sure it helps many people better judge their personal risk.
@twr4641 thanks! Yeah there is a way to exploit internet facing systems that doesn't use the mDNS method just by sending over a UDP port 631 packet. This video demonstrates that LAN / local network method since it was a bit easier to lab, but the original blog I linked shows the WAN entry point method as well :)
@@MalwareCubeThat makes sense. I am sure the service might be triggerable in a variety of ways. Thanks for demoing this vulnerability at just the right pace.
You didn't really do anything wrong except not align xterm with your terminal sizing. You I believe were using xterm-256-color but regardless you can fix it with exporting the terminal size with stty rows and columns. Good video.
CUPS is the generic print system. I purposely uninstall it. Since I use HP printers, I use HP Linux Imaging and Printer system (HPLIP) and foomatic is not installed either.
hey malwarecube, awesome explanation. I am trying to replicate the same on my mac m2 pro, running a vmware fusion with ubuntu server, but am not able to do it. Can you help with that ? Also, how do you have your lab setup ( i need help setting this up on m2 arm chips, as some packages don't work on arm the way it works on x64 processors ).
Very nice! Thanks for sharing. Still: please put your image/cam on your lower right instead as it covers up stuff that you are trying to present and it beats the point of presenting something since only you can see it while presenting it.
The devs HAVE played this down. I get where they are coming from. It's a lot o work to fix this. They just don't have the will or resources to tackle this fix.
Not interesting really. Problem is.. cups.. desktop.. NAT.. != normally on public IP... So it makes it incredibly boring.. and no one in their right mind put it on the internet.. But as a horizontal vector.. sure
correct, but at least 75k had put it on the Internet. Actually, according to Marcus Hutchins' research, he found 107,287 Internet exposed cups-browsed instances. Not really a nothingburger but I wouldn't clock it as a 9.9 either.
Totally over rated, Most distributions have fixed it by ether removing the daemon, or disabling it. This is not Windows were it takes them for weeks to fix anything.
![Kumamoto Masters Japan 2024 | Gregoria Mariska Tunjung (INA) [5] vs. Akane Yamaguchi (JPN) [2] | F](http://i.ytimg.com/vi/EIjZybhsWqA/mqdefault.jpg)
Awesome stuff. Thank you for covering this!
@@TylerRamsbey thanks for watching Tyler!! 🙏
I was a bit confused on how this exploit worked. But this video really helped me out to understand it.
Thanks again!
Thanks man! 😀 I'm glad you enjoyed it.
Rather than trying to come up with a printer brand just call it "Print to PDF". I guarantee most enteprise workers would fall for it. You can even make the command actually produce a pdf file and they wouldn't notice the impact.
@@MartinWoad fantastic idea, you're right.
Dude, I was watching this video 2 days ago when you had 999 subscribers. Now you have 1.41k. Nice!! Great explanation indeed. Loved it
@@Abhinav-MR thank you so much!
31:58 Your telnet expects "
" newline sequences while the remote terminal only prints "
". After skimming the manpage, I think the onlcr option in stty can address that.
@pierrecolin6376 nice catch :)
Proper NAT, and keeping your local network secure is important, obviously port 631 should be blocked on your public network facing nics.
Why this is so highly rated?
Well I could bet on "now printers work fine, we will fix issue later". Later comes never and everybody forgets about it. :)
@@erglaligzda2265 considering one of the CVEs has basically been around since 2011, you're probably right 😅
Actually yes. I've found clues of this attack style at an enterprise and ive spot checked all of the printers and some managers reported this issue a year ago and nothing happened.
Thanks for the thorough demo.
Amazing video man.
Loved the way you went into detail and explained everything.
Thank you dude. First time messing with commands in the terminal. Cups-browsed service removed. This happened at a strange time. Kind of new to Linux and someone else in the house just bought a printer which I noticed popping up in the network lol. I didn't feel very at risk although the status command did indicate vulnerable.
Loved the lab demo. Great video!
great explanation, thank you
Awesome demo. Great narration. Thank you! I am not a linux person, what surprised me is that apparently it seems common practice that network printers located outside your LAN can simply advertise themselves to your linux box. Mitigation imho would be fixing firewall settings or adding OS specific protection against accepting IPs outside your home turf. If this exploit is based on mDNS, I would doubt though that mDNS would be sble to cross your subnet in the first place. Or did I miss a crucial point? I have to admit I have definitely blind spots when it comes to Linux 😊 Thanks anyway for taking the time & explaining the mechanics behind this in such a well paced way, I am sure it helps many people better judge their personal risk.
@twr4641 thanks! Yeah there is a way to exploit internet facing systems that doesn't use the mDNS method just by sending over a UDP port 631 packet. This video demonstrates that LAN / local network method since it was a bit easier to lab, but the original blog I linked shows the WAN entry point method as well :)
@@MalwareCubeThat makes sense. I am sure the service might be triggerable in a variety of ways. Thanks for demoing this vulnerability at just the right pace.
Nice explanation! Thanks
Great video. Thanks for sharing
this channel is such a gem bro hope you get more subs soon! Edit: btw do you know your site is down it may be my filters but i dont think so
Thank you so much! me too :) lol
thx for the nice explanation and POC \o/
Really great explanation!
Great video and explanation
awesome poc. thanks for the video
Great vid and POC
hey congrats on hitting 1000 subscriber. I'm the 1000th subscriber
Woot! that's huge, thank you for being 1k. 🥳
You didn't really do anything wrong except not align xterm with your terminal sizing. You I believe were using xterm-256-color but regardless you can fix it with exporting the terminal size with stty rows and columns.
Good video.
@ADudeOnTheInternet ahhh yes, that's what it was. Good catch lol. And thank you :)
Great video, earned a sub bro!!!
Awesome. Thanks. 🥲
So, for a user behind NAT, there's nothing to worry about?
Ubuntu had the patched CUPS packages out early that morning ( West Coast US )
thanks
subbed
CUPS is the generic print system. I purposely uninstall it. Since I use HP printers, I use HP Linux Imaging and Printer system (HPLIP) and foomatic is not installed either.
Great video
@ramseyibe2844 thank you :)
wow cool 😀 please more like that Stuff(P😀C) please
hey malwarecube, awesome explanation. I am trying to replicate the same on my mac m2 pro, running a vmware fusion with ubuntu server, but am not able to do it. Can you help with that ?
Also, how do you have your lab setup ( i need help setting this up on m2 arm chips, as some packages don't work on arm the way it works on x64 processors ).
Very nice! Thanks for sharing. Still: please put your image/cam on your lower right instead as it covers up stuff that you are trying to present and it beats the point of presenting something since only you can see it while presenting it.
Yeah, I've since found a way to record the screen and camera separately so I can manually hide it in editing as needed.
The vulnerability is concerning, but of more concern is THE LINUX COMMUNITY (not the developers) trying to play down the seriousness.
I think it will be interesting to see how it plays out. The CVEs have already been downgraded slightly from what it was originally hyped up to be.
The devs HAVE played this down. I get where they are coming from. It's a lot o work to fix this. They just don't have the will or resources to tackle this fix.
Not interesting really. Problem is.. cups.. desktop.. NAT.. != normally on public IP... So it makes it incredibly boring.. and no one in their right mind put it on the internet.. But as a horizontal vector.. sure
correct, but at least 75k had put it on the Internet. Actually, according to Marcus Hutchins' research, he found 107,287 Internet exposed cups-browsed instances. Not really a nothingburger but I wouldn't clock it as a 9.9 either.
Totally over rated, Most distributions have fixed it by ether removing the daemon, or disabling it. This is not Windows were it takes them for weeks to fix anything.
Apakah bisa menolong kami yang kena penipuan kak. 🥹🙏🙏