Cups-browsed daemon exploitation – CVE-2024-47176

Vendor Description:-

CUPS is a standards-based, open-source printing system used by Apple’s Mac OS® and other UNIX®-like
operating systems, including Linux. CUPS uses the Internet Printing Protocol (“IPP”) and provides
System V and Berkeley command-line interfaces, a web interface, and a C API to manage printers and
print jobs.

Vulnerability Description:-

The first vulnerability in the chain, CVE-2024-47176, is a security flaw in the cups-browsed daemon,
which is part of the Common UNIX Printing System (CUPS). The vulnerability stems from the fact that
cups-browsed binds its control port (UDP port 631) to INADDR_ANY, exposing it to external networks.
Since requests made to this port are not authenticated, anyone who can reach the control port has the
ability to instruct cups-browsed to discover printers.
In scenarios where the port is not directly exposed to the internet due to firewall or NAT restrictions, it
may still be accessible from the local network. This accessibility could potentially lead to privilege
escalation and lateral movement within the network. To address this risk, I have developed a scanner
tool designed to detect vulnerable cups-browsed instances on your local network.
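
A local check for the exposure described above, as an added example that is not part of the original post or of cups_scanner.py: it reads socket entries in the Linux /proc/net/udp layout and reports whether UDP port 631 is bound to INADDR_ANY. The sample text is constructed, the function names are hypothetical, and the address decoding assumes a little-endian host.

```python
import ipaddress
import struct

BROWSE_PORT = 631  # UDP control port named in the description above

# Constructed sample in the layout of Linux /proc/net/udp (not from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
  512: 00000000:0277 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 23456
  731: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000   101        0 19876
  905: 0100007F:0277 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 31337
"""


def decode_local(field):
    """Turn 'AABBCCDD:PPPP' into (IPv4Address, port)."""
    hex_ip, hex_port = field.split(":")
    # The kernel prints the address as a native 32-bit word, so on a
    # little-endian host (assumed here) the bytes appear reversed.
    raw = struct.pack("<I", int(hex_ip, 16))
    return ipaddress.IPv4Address(raw), int(hex_port, 16)


def browse_port_bindings(proc_text, port=BROWSE_PORT):
    """Return [(address, exposure)] for every UDP socket bound to `port`."""
    found = []
    for line in proc_text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 2:
            continue
        addr, bound_port = decode_local(cols[1])
        if bound_port != port:
            continue
        if addr.is_unspecified:  # 0.0.0.0 is INADDR_ANY
            exposure = "all-interfaces"
        elif addr.is_loopback:
            exposure = "loopback-only"
        else:
            exposure = "single-interface"
        found.append((str(addr), exposure))
    return found


if __name__ == "__main__":
    # On a live Linux host, pass open("/proc/net/udp").read() instead of SAMPLE.
    for addr, exposure in browse_port_bindings(SAMPLE):
        print(f"udp/{BROWSE_PORT} bound to {addr}: {exposure}")
```

The table does not name the owning process, so an "all-interfaces" result still has to be matched to cups-browsed by other means before acting on it.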

How CVE-2024-47176 Scanning Works

In typical exploitation, an attacker would craft a malicious request directed at the cups-browsed service
on UDP port 631. This request triggers cups-browsed to connect to a malicious URL controlled by the
attacker. For example, a specially crafted UDP packet like this:
0 3 http:///printers/malicious_printer

would cause cups-browsed to send an HTTP request to the URL
http:///printers/malicious_printer. If the URL points to a malicious printer, it could
trigger further vulnerabilities, ultimately leading to remote code execution.
Using this approach, we can trigger vulnerable cups-browsed instances to send an HTTP callback to our
own server, indicating their vulnerability.

Scanning Process

The scanning procedure is as follows:

  1. Set up a basic HTTP server (there is no need to simulate a printer, as we are not exploiting the
    RCE vulnerability).
  2. Craft a UDP packet that instructs cups-browsed to connect to our HTTP server.
  3. Send this UDP packet to every IP in a specified range on port 631.
  4. Log any POST requests made to the /printers/ endpoint, which are triggered by vulnerable cups-
    browsed instances.

For instance, if our HTTP server is hosted at 10.0.0.1:1337, the UDP packet would be crafted like this:
0 3 http://10.0.0.1:1337/printers/test1234
This scanning process helps identify vulnerable instances and mitigate the associated risks within your
network.
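
The same packet format can be watched for from the monitoring side. The following is an added example, not code from the original post or from cups_scanner.py: it classifies UDP port 631 payloads of the "0 3 <url>" shape shown above and flags any whose URL points outside an approved set of print servers. The approved subnet, the sample datagrams and the function names are assumptions made for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: the only subnet that legitimately hosts print servers here.
APPROVED_PRINT_SERVERS = [ipaddress.ip_network("10.0.5.0/28")]

# Constructed (source_ip, payload) pairs standing in for UDP/631 traffic
# exported from a packet capture; none of this is real captured data.
SAMPLE_DATAGRAMS = [
    ("10.0.5.2", b"0 3 ipp://10.0.5.2:631/printers/floor2"),
    ("10.0.0.1", b"0 3 http://10.0.0.1:1337/printers/test1234"),
    ("10.0.0.77", b"0 3 http://printhost.example:8080/printers/x"),
    ("10.0.0.9", b"\xff\xfenot-a-browse-packet"),
]


def classify_browse_payload(payload):
    """Return (verdict, detail) for one UDP/631 payload."""
    try:
        fields = payload.decode("ascii").split()
        int(fields[0], 16)           # two leading numeric fields,
        int(fields[1], 16)           # parsed as hex in this example
        parts = urlsplit(fields[2])  # third field is the URL to contact
    except (UnicodeDecodeError, IndexError, ValueError):
        return ("malformed", "not a '<num> <num> <url>' packet")
    if parts.scheme not in ("ipp", "ipps", "http", "https") or not parts.hostname:
        return ("malformed", f"unusable URL {fields[2]!r}")
    try:
        target = ipaddress.ip_address(parts.hostname)
    except ValueError:
        # A DNS name can resolve anywhere, so it cannot be checked offline.
        return ("suspicious", f"callback to hostname {parts.hostname}")
    if not any(target in net for net in APPROVED_PRINT_SERVERS):
        return ("suspicious", f"callback to unapproved host {target}")
    return ("ok", f"approved print server {target}")


def triage(datagrams):
    """Classify every datagram, keeping the sender for follow-up."""
    return [(src, *classify_browse_payload(data)) for src, data in datagrams]


if __name__ == "__main__":
    for src, verdict, detail in triage(SAMPLE_DATAGRAMS):
        print(f"{src:<10} {verdict:<10} {detail}")
```

The scanner's own probe (the second sample) is flagged as well, so authorized scans should be expected in the alert stream and correlated by callback address.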

Impact:

  • Remote Code Execution (RCE): An attacker can exploit this vulnerability to run arbitrary
    commands on the target machine without authentication when a print job is sent to the
    malicious printer.
  • System Compromise: Successful exploitation can lead to unauthorized access, data theft, or
    further compromise of the affected system.

Mitigation:

  • Update CUPS: Ensure that your system is running the most recent version of CUPS. To resolve the
    vulnerability, apply the official fixes published by the vendor.
  • Disable cups-browsed: If the cups-browsed service isn’t required, consider turning it off to limit the
    attack surface. This prevents unauthorized access to the susceptible component.
  • Restrict Network Access: To avoid unauthorized remote exploitation, restrict access to CUPS services
    using firewall rules that specify which devices can connect.
  • Regularly Monitor Logs: Keep an eye on logs for any suspicious activity related to CUPS and ensure
    timely responses to any potential indicators of compromise.
  • Use Least Privilege: Ensure that only necessary users and services have access to CUPS resources to
    minimize potential attack vectors.

Automating Scans with cups_scanner.py

The cups_scanner.py script automates the scanning process by handling both the HTTP server and the
scanning. It launches a temporary HTTP server using http.server on a specified IP and port, then sends
crafted UDP packets to all IPs within the specified range. The HTTP server captures any callbacks from
vulnerable cups-browsed instances and logs them to disk.
The logs are saved in two files: user-friendly logs in logs/cups.log and raw HTTP requests in
logs/requests.log.

Example:
python3 cups_scanner.py --targets 10.0.0.0/24 --callback 10.0.0.1:1337
