EDIT: Original post seems to have been removed, try this Nitter mirror instead.
Looks like its out there now:
https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/
Short version (correct me if I’m wrong):
If you have CUPS service cups-browsed on your machine and you for some reason exposed that to the internet (port 631), you are about to get pwned.
EDIT: It also requires the user to print to the malicious fake printer.
Yeah, what a disappointment. This guy brought shame to the security community because he was salty that his vulnerability didn’t get the attention it “deserved”.
Disappointment? Only if you mean the person that came up with FoomaticRIP.
For those who did not read the entire thing, it’s a so called “filter” that converts the document before it’s sent to certain nasty types of printers. Except it’s not executed on the print server. The unauthenticated print server can just ask a client to run it on their side. And it’s designed to be able to execute ANY command.
Gotta wonder how many state actors have been using it for years.
More important question is - how this nitter instance is still working!!
I can’t think of anything except the kernel that is genuinely obligatory on all Linux systems, including embedded. Not glibc (musl). Not udev (mdev). Not systemd (OpenRC/runit/etc). My guess is that this is another exploit of something the reporter hasn’t realized isn’t mandatory because they’re not familiar with non-mainstream distros. I suppose it could be a kernel issue that Android has specifically patched, but if that’s it it’ll be fixed in short order.
In other words, not exactly holding my breath.
I’m switching off my internet until this gets fixed holy shit
We can see you totally didn’t do that. Also how would you even get the update?
