inb4 FBI on Marcus again
Surely a lot of people in blue will think what he did here was illegal
hurr hurr you made my computer send a request
Is not an ideal situation to be in
@@archersterling4044 Well, in this particular example it was done in more of a white hat manner but I guess if they really wanted they could make up some convoluted reasoning how it was illegal because muh exploit abuse and such
Lol
YES! You hope the FBI is watching.
Bro too cool to just shodan
Wow, this certainly is a leg up on the old "change the text string displayed on the HP printer" attack ☺️
Ah, I do miss the number of times our college printers would declare themselves to be out of crayons or were having some form of existential crisis.
Link? Can't find a reference.
@@shivkokroo6180 used to be (back 2000/2001 at least) there was a utility to change the status display on HP printers, no authentication required.
@@shivkokroo6180 same question here, I wanna make my own printer say one fuckshit lmao
Holy shit it's the guy!!!!
Hope ppl in charge will hear your call, thanks for your service brother ❤
News soon leaks "Kremlin printers suddenly start auto printing".....
well, that's why Runet was created, so that this doesn't happen.
@@PvtAnonymous what's that
@@w花b it's basically the "Great Firewall" Lite edition. A compilation of apps, services and websites that are supposed to create a sovereign Russian internet that doesn't rely on outside services. That even includes their own root certificates. Many government services or banks won't work outside of Russia even today. Or their access will be very limited (like streaming platforms). That also means, that outsiders can't really do as much anymore since CIDRs outside of Russia will be dropped by default.
@@PvtAnonymous It also has the added "benefit" of the Russian government being able to decrypt any and all Russian traffic using those certificates because they hold the keys. You know, for security reasons...
@@Ephicx yup, that's part of the problem. It goes both ways: they can also take control of domestic services and harvest all the data they need since they don't need to ask foreign companies anymore. It's both a blessing and a curse.
Next up: "I accidentally messed up the entire internet using fake BGP requests"
That's something I'm trying to learn more about. So many rabbit holes so little time!
you are a menace
I'm sure, one day, a random networking guy at a telecom would do that
@@crissuper20 it has happened a couple times already, something tells me it can happen again
My server has seen more than 50 recent attempts to connect to CUPS port. This is now being exploited. Anyone who has not secured their systems is probably compromised by now.
So far I've only caught scanners in my honeypot, but I'm certain there is active exploitation happening. I'm not listed on Shodan, so I'm only seeing attempts that scan the entire internet rather than targeting known CUPS servers.
Linux got CUPS patched up very soon after this came out, people just must not ignore the prompts for updates. On my MS system I print via a cable, the printer sitting next to me. I know what it is called so printing only there. And since keyboards and mouses (mice?) can also be hacked wirelessly, I'm considering going back to a wired mouse. Keyboard already is. The wireless one behaved strangely on Excel from time to time.
@@D.von.N You mean someone broadcasts a signal, sends 🪟+R, and sends a malicious command?
You're a very good teacher. Easy to follow what you're saying.
Wonder why the default isn't setup tighter. 0.0.0.0 is full open door. Amazing.
that just means it listens on all network interfaces, he also didn't accidentally make a botnet either
I learned something today because I always thought 0.0.0.0 isn't much different from 127.0.0.1.
I just never thought into it much
Can’t wait for the “I accidentally turned off the internet” video, keep up the good work Marcus!
If it came you would have to wait anyway, given no internet.
I always knew that that bloody printer will be the end of me.
😂😂
someone posted your video on mastodon -> first time watching this channel. really enjoyed your calm and easy to follow along explanation on the CUPS vulnerability.
Just wait til you see his Wikipedia page.
Man, if I had a nickel for every time that happened to me ... I'd be flat broke.
an informative video explained calmly with no background music and with a soothing voice. Great production, love your work
A legend like u should be getting millions of views
Faxx he bet white hat
He's getting millions of hits for sure😂😂😂😂
@@5nowChain5 no cap them botnets spread faster den hiv
"Accidently"
came for this comment. 😊 thx for not disappointing!
lol. my first thought as well.
Bro did not learn his lesson the first time
No he ain't, he went from white to grey hat 🤣🤣🤣🤣
You are awesome Mr Marcus, I have been looking at your videos for many years, and they are absolutely awesome. My blessings to you 😊
You're a good person, I would have made a lot of money but you aren't me, you're a good person indeed
Thanks Marcus for reigniting my desire to explore and curiosity ♥
This is sick!
Thank you for explaining every part of the process so clearly. It is thanks to people like you I develop an ever-deepening interest in cyber security
Open the door, it's the FBI
Lmaooo
that is not what 0.0.0.0 means, it means a listen is happening on every ip of the host on that port, the listen mask isn't a firewall
yea but he said "if the port is forwarded through the firewall".
@@m8_981 which is the real problem here. If the server is behind a nat someone would have to explicitly add a rule to forward the packets to that ip and port. Unless they just plugged the server directly to the internet.
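The bind-address point raised in the replies above (0.0.0.0 means "listen on every address of this host", and the listen address is not a firewall) is easy to verify on a local machine. The following is an added example, not code from the video or from any of the commenters. It binds a throwaway TCP listener to 127.0.0.1 and to 0.0.0.0 and records which connections succeed, and it also parses a constructed `ss -ltn`-style listing (sample data, not a real host) to flag a CUPS listener on port 631 that is bound to all interfaces. The 127.0.0.2 check assumes a Linux-style loopback, where the whole 127.0.0.0/8 range is local; on other systems it is reported as unavailable rather than failing.

```python
import socket

# Constructed sample in the style of `ss -ltn` output (not captured from a real host).
# It mixes a loopback-only CUPS listener with one bound to all interfaces.
SAMPLE_LISTENERS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:631      0.0.0.0:*
LISTEN 0      128    0.0.0.0:631        0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*
LISTEN 0      4096   127.0.0.1:5432     0.0.0.0:*
"""

WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}   # "every address on this host"
LOOPBACK_ADDRS = {"127.0.0.1", "[::1]", "::1"}    # reachable only from the host itself


def parse_listeners(text):
    """Return (address, port) tuples from an ss-style listing.

    The local address is the 4th column; splitting on the LAST ':' keeps
    IPv6 literals such as [::]:22 intact.
    """
    out = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        addr, _, port = fields[3].rpartition(":")
        out.append((addr, int(port)))
    return out


def classify(addr):
    """Describe what a bind address actually exposes."""
    if addr in WILDCARD_ADDRS:
        return "all-interfaces"
    if addr in LOOPBACK_ADDRS:
        return "loopback-only"
    return "specific-address"


def wildcard_listeners(text, port=631):
    """Listeners on `port` (CUPS/IPP by default) that are bound to every interface."""
    return [(a, p) for a, p in parse_listeners(text)
            if p == port and classify(a) == "all-interfaces"]


def can_bind(addr):
    """True if this host lets us bind a socket to `addr` (used to probe for 127.0.0.2)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((addr, 0))
        return True
    except OSError:
        return False
    finally:
        s.close()


def reachable_via(bind_addr, connect_addr, timeout=1.0):
    """Bind a listener to bind_addr on an ephemeral port, then try to connect
    to connect_addr on that port. The TCP handshake completes in the kernel,
    so no accept() is needed to observe success or refusal."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, 0))
    port = srv.getsockname()[1]
    srv.listen(1)
    try:
        cli = socket.create_connection((connect_addr, port), timeout=timeout)
        cli.close()
        return True
    except OSError:                 # connection refused or timed out
        return False
    finally:
        srv.close()


def demo(alt_loopback="127.0.0.2"):
    """Run the three bind experiments and return the outcomes.

    The third case is None where the host has no second loopback address
    (assumed available on Linux, where all of 127.0.0.0/8 is local).
    """
    results = {
        "bind_loopback_connect_loopback": reachable_via("127.0.0.1", "127.0.0.1"),
        "bind_wildcard_connect_loopback": reachable_via("0.0.0.0", "127.0.0.1"),
        "bind_loopback_connect_other_addr": None,
    }
    if can_bind(alt_loopback):
        results["bind_loopback_connect_other_addr"] = reachable_via("127.0.0.1", alt_loopback)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
    print("wildcard CUPS listeners in sample:", wildcard_listeners(SAMPLE_LISTENERS))
```

The takeaway for a defender is the same one the thread makes: a listener bound to 127.0.0.1 is unreachable from any other address, while one bound to 0.0.0.0 answers on every address the host has, and only a firewall or the absence of a port-forward then decides whether the internet can reach it. For CUPS specifically, the stock cupsd.conf `Listen localhost:631` gives the loopback-only behaviour; a wildcard `Port 631` or `Listen *:631` is what the parser above flags.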
You just created your own Orbital Ion Cannon. Expect a knock on the door...
do not "scan the entire internet" kids
unless you know, badged three letter indemnity
Ya... guy's a quack really. You don't accidentally install malware to create a botnet either lol.
@@FreeLovingAmerican you didn't really understand the video
Glad someone at my university notified me of that issue. I don't know if I would have heard about it another way.
This needs more views. Great work. The world is in trouble 🤦♂️
Wow, you better get a Nobel peace prize soon mate!
"Accidentally" .. That's brave.
Jail Bait meant something different when I was growing up.
That amplification is incredible. Nice job chief
Nice, you're not only great at performing but also great at presenting your work.
Oh he great at performing alright he gunna need to perform new speech for usa after this 😂😂😂😂
Would love to see a video covering, how you contacted the respective parties and how someone like me could go about it.
That would be really interesting + It'd be interesting how the situation develops. Do the respective governments react? Do these systems stop being vulnerable after some time?
@@einname9986 Could not agree more!
Probably just an email form on their websites
Thanks for such high quality content.
And that is why it was given a high rating…
I LOVE THESE VIDEOS!!! Please keep making more
Marcus's lawyer now:
👀! I feel a slight tingling in my arm.
Wow. Learnt a lot. Thank you Marcus.
Great breakdown Marcus! Now do ipv6 :-)
10/10 video I watched it without skipping a second
Great video mate. Legend!
Dude what the hell I didn't know you uploaded the weeks ago. UA-cam sucks.
amazing video and discovery! you're a natural for deftly presenting complex ideas in a digestible manner; this is endlessly interesting, thanks for sharing :·)
Wrote a high performance C++ scanner.. presumably because it's about three decades quicker than understanding masscan configuration.
Probably 4
Still searching for the printer to finally pick up my printouts :D well done
bros trying to go back to jail
He's a cyber security genius
@@MaddoeGgasvyw Nah, anyone can learn this stuff; being ignorant doesn't make everyone else a genius.
wait he was in jail?
@@ExperimentalKana he was almost in jail, he almost got 10 years back in 2017
@@runed0s86 tbh ill say this hacking u kinda have to be genius not easy hack
Love your videos dude, thanks!
so unfortunate to know you just have 100k subscribers while I just came to know you as a WannaCry Hero.
it seems to me that you likely just stumbled onto an existing botnet
Bro just gave the government back door access to those systems (if they didn't already have it) lol
I would bet you they already know. He just stumbled onto this thinking it is some unknown exploit. Meanwhile our governments have probably been using this exploit on their own citizens for years.
🤣🤣🤣
I want to be like you when I grow up. I like how you do amazing things accidentally😂
As a hearing impaired user, this was a really fun video to attempt to listen to.
There are captions but you need to turn them on.
NSA field day
A subset could be some distributed/microservice pdf/etc printers that were open to all instead of just the service/users they are supposed to provide capability for. Like an open bucket. e.g.: "hey, we need to have our xls export also output pdf, and I don't know where to start, so I spun up a pdf printer docker and as networking is also not my cup of tea, opened the firewall. Task done, next ticket please!"
Yeah FBI, he is at it again
Bro must like them awkward conversations with the alphabet boys 🤣
Marcus, any thoughts on the frustration of the vulnerability disclosure process and how responsible disclosure was dismissed and the researcher had to prove their technical prowess? It looked like a no-win. From the story I heard he told the Devs and they dismissed it as something that wasn't a concern to them and had a less than productive discourse. Researcher posts results and a proof of concept and the Devs are all bent out of shape that this happened. It didn't appear there was much way for the researcher to win, except let 'security through obscurity' reign.
The map with all the potential victims is definitely quite worrisome...
Definitely something other malicious actors have definitely taken advantage of...
Good video Marcus, thanks for sharing
Now you gotta destroy another ransomware
You Are my Hero!
I'd love to set up 2 servers on different network connections and see what the 30,000+ servers would do to a setup.
Love your content, commenting for more
"Obviously i not do this"
Not sure how many ppl will create a botnet with some chatgpt knowledge just from your video about the cups exploit
You should have posted notice to these systems by sending a message to their printer.
thanks for that informative video. i really have to check if anything is port forwarded which shouldn't be forwarded... ^^
Dude just accidentally showed anyone how to ddos
FBI warrant round 2
"Hey guys look what I figured out how to do! Pretty cool huh? Guys?..."
Isn't this the guy that stopped one of the most infamous viruses of all time, ...
bro is building his own case file
edit : his
student here: so does this mean that this vulnerability for network-printer discovery gave access to these people's networks or no? If so could someone explain how so.
Why are people not firewalling the cups port?!
Don't let the FBI see this video.😆
i remember when i set up my linux server for the first time in 2016... there was a lot of cupsd things happening and so i decided to shut the cupsd server down indefinitely and reboot.
Thanks for sharing your insight to this type of network setup. If you had to choose between one and two AV security suites, which would you choose and what makes those vendors better than the rest?
AV is garbage, borderline scam. If you insist on using 3rd party AV do research on the pros/cons of different vendors.
If you're corporate use DeepFreeze with WindowsDefender.
good luck with the SOAP
This might be the reason behind IA DDOS attack :(
classic example of SW guys fucking up thinking they know networking.
FYI Marcus be careful, you're skating close to the edge again my bro, I love the video but maybe consider taking it down ;-)
I wholeheartedly agree. This seems very reckless.
What? He's pointing out the flaws and giving the fixes.
He already contacted all the governments.
These flaws are several years old and should be patched.
Can it really be that difficult for the ISPs to contact and get customer to fix?
Should be a law that if you connect to the internet that you take reasonable steps not to become part of attacks.
ISPs should just block the port. Who needs printing over the net but doesn't have VPN?
@@freedustin ISPs should never block ports (for a whole raft of reasons). Admins should patch their stuff/block ports they don't need on their firewalls etc
@@freedustin Some ISPs probably do. Mine NATs us. I had to request a static IP to get out of it.
Hi Marcus, love your content and your in-depth explanations.
Your description how the binding IP address varies stuff is somewhat inaccurate/misleading.
Was this deliberate comment bait for network nerds?
thanks for your comment, it really helps the channel grow.
It looked accurate to me, but I'm just average user.
What did you see inaccurate about it?
0.0.0.0 means no restrictions on the IP.
Is that not right?
4:23 320TB if my math is correct :D
Mad how much of a ballache it is to connect to my OWN printer sometimes
Oh No! Not again?! 😉🤷♂️
Up next “I accidentally used a zero day rce on the whole internet😂”
Wait... This wouldn't happen to be the 3.8Tbps "ddos" cloudflare detected?
easiest botnet tutorial I've found, thanks for the information. now I must collect my billion dollars from the russian gobberment.
Fascinating!
Great work
Next video " the fbi knock on my door again"
Ah, so it was YOU. FBI will be there shortly. ;)
Pretty decent video other than the python statement being complete bullshit. I've made many Python web servers that are capable of over 10GB/s on a single thread.
It's basic common sense that the less time spent per system call, the higher the throughput. I don't necessarily doubt that someone could create a 10gb/s web server in Python, but based on your response to the discussion at hand, I do doubt that you could.
🤷♂️ I'll take that as a compliment I guess
I wasn't saying that python isn't slow. I was saying that it's not a bad tool for this specific task. You said yourself it took 40 minutes for the c code to run.. 1.8 million requests per second is 100% achievable with python if you are halfway decent at python. At least on the hardware you mentioned.
We can make this a bit more constructive instead of an argument, I’ll write some code to do it when I get back from my trip to Europe.
It's nothing about "being decent with python" it's an interpreted language, there is a massive overhead with each call. It's not going to even come close to C in terms of requests per second given identical hardware. If the hardware is maxing out at 1.8 million RPS, how are you going to increase that by adding more CPU cycles?
@@MalwareTechBlog it is possible to write bad c code… Language is irrelevant if you write a pile of unoptimized slop. Good logic is more important than the speed of the language most of the time, especially in networking. The metrics you mention are fairly within reach from python based on my past experience. You are only doing 37,500 requests per second per thread on that system.
If you are correct you would let me write the code and prove myself wrong.
You're free to prove yourself as wrong as you want. I already know my C code will be faster.
Was it an IPv4 or IPv6 blast?
I'm just commenting to annoy the guy who got pissed at me for saying first
First
4:34 Rookie mistake of not using a real language.
"Accidentally" 😂😂😂
Total noob here, but why would the systems have this port open in the first place?
Is it for network printing or something along those lines?
I wouldn't even know how to contact all of the authorities you had to, that is going above and beyond, well done sir.
Don't be at it again bro I love you
is it already time to create the blackwall?
When will you make skynet?
Like Always amazing video
I laughed my arse off all the way through this lol
this isn't fully how this works though, I worked with botnet development for a very long time before I was eventually caught up with law enforcement. For some reason, when doing a world scan with something like LRAB, or even just scanning SSH devices, no one knows why, but sometimes the devices just don't connect to your botnet. Out of the maybe 10mil infectable devices you may have found, you might get 100 thousand and that is a very high estimate, and devices you can't seem to infect, other people will infect with no problem, but on your botnet it might be unstable or not connect at all, and people have tried fixing this by logging onto the devices and playing around with them; there seems to be no fix to this.
Edit: Holy shit, as I go back to finish the video you explain the literal problem I just commented about. Like I get that you probably made a payload file that wasn't meant to re-initiate itself, so it's sort of different but it's really not, this falls under the exact same issue.