This is entertaining reading. Although I don't know how pervasive this issue is, from the chunk i have read so far I can see why he was concerned that it was relatively trivial to have a target system accept anything identifying itself as a printer and being able to inject malicious code into the machine.
I was going to make fun of him wasting his sabbatical on hacking a printer service but I gotta admit I'd have fallen down the same rabbit hole if I stumbled on it. It's a cool hack.
> Full disclosure happening at 20:00 UTC today, in a bit more than 2 hours.
> Also, to temper some concern about @evilsocket recent research... His bugs are in a thing that none of you should have installed so when it's published, please just uninstall that junk. Hopefully the response of the developer shows how badly you need to remove it.
From an eating-popcorn perspective, I would find it truly entertaining that a printer package could somehow result in a 9.9 security vulnerability that is somehow worse than heartbleed. How many linux systems actually have cups installed and active?
> A 9.9 CVE has been announced for Linux Remote code execution. No details yet. Heartbleed was 7.5, for reference. This is one of the worst in history. All GNU/Linux systems impacted.
OP mentioned later in the thread that MacOS is supposedly impacted as well, so if its some underlying system I'd imagine de-GNU'd Linux is affected also.
Devs need to include security pervasively (like they have ops for deployments).
* Canonical, RedHat and others have confirmed the severity, a 9.9, check screenshot.
* Devs are still arguing about whether or not some of the issues have a security impact.
> I've spent the last 3 weeks of my sabbatical working full time on this research, reporting, coordination and so on with the sole purpose of helping and pretty much only got patronized because the devs just can't accept that their code is crap - responsible disclosure: no more.
With a confirmed 9.9 there's no need to argue, get the top priorities done, work on others on the possibility they need to be released as well. The act of working in them will usually give a clear answer if it could have security impact. Don't have armchair debates. You can't find loopholes if your mindset is that there are none.
- An attacker can exploit this vulnerability if it can connect to the host via UDP port 631, which is by default bound to INADDR_ANY, in which case the attack can be entirely remote, or if it's on the same network of the target, by using mDNS advertisements.
What does an attacker gain by exploiting this vulnerability?
- Remote execution of arbitrary commands when a print job is sent to the system printer.
How was the vulnerability discovered?
- A lot of curiosity (when I noticed the \*:631 UDP bind I was like "wtf is this?!" and went down a rabbit hole ...) and good old source code auditing.
Is this vulnerability publicly known?
- No, the bugs are not known and the FoomaticRIPCommandLine vulnerability is known to be already patched (it isn't).
Is there evidence that this vulnerability is being actively exploited?
